Re: [suse-security] pam_limit.so question
On Tue, 24 Feb 2004, Philippe Vogel wrote:
> I want to restrict user rights but give users ssh access.
> The users may use ssh, scp, sftp, but should not alter the server, if
> someone doesn't know much about scripting and for securing the server to
> possible kiddies with console-account.
> I setup following:
> @admin -
> @users hard priority 17
> @users hard maxlogins 2
> @users hard core 0
> @users hard cpu 10
> @users hard data 8196
> @users hard fsize 8196
> @users hard memlock 2048
> @users hard nofile 64
> @users hard nproc 8
> @users hard rss 8196
> @users hard stack 2048
> @users hard as 16384
> What setting is needed, what settings are O.K. and what makes working
> impossible cannot be found in the manpage.
> Is there a possibility to secure the server, that users in group users
> cannot open socket without a kernel-patch?
> Any hints?
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
If you have concerns about your users and you have to give shell
accounts, you might want to look at chrooting (jailing) their home
directories. If you have *really* serious concerns and you can't avoid
giving shell accounts, you might consider sealing the kernel with
GRsecurity or LIDS. You may also want to consider deploying the bash
restricted shell, which makes it tough for them to get out of their home
-linux_lad public key on request
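
Added example (not part of the original thread): a small parser for the limits.conf entries quoted above that attaches the unit each item is measured in, per limits.conf(5), since bare numbers such as `cpu 10` or `data 8196` are easy to misread. The function names and the unit table are this example's own, and the table covers only the items that appear in the post.

```python
# Units for the items used in the post, as documented in limits.conf(5).
UNITS = {
    "core": "KB", "data": "KB", "fsize": "KB", "memlock": "KB",
    "rss": "KB",  # limits.conf(5): ignored in Linux 2.4.30 and higher
    "stack": "KB", "as": "KB",
    "cpu": "minutes", "nofile": "open files", "nproc": "processes",
    "maxlogins": "logins", "priority": "nice value",
}
TYPES = {"soft", "hard", "-"}

# The entries exactly as quoted in the post.
POSTED = """\
@admin -
@users hard priority 17
@users hard maxlogins 2
@users hard core 0
@users hard cpu 10
@users hard data 8196
@users hard fsize 8196
@users hard memlock 2048
@users hard nofile 64
@users hard nproc 8
@users hard rss 8196
@users hard stack 2048
@users hard as 16384
"""

def parse_limits(text):
    """Return (entries, problems); problems are (line_number, raw_line)."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and blanks
        if not fields:
            continue
        if len(fields) == 2 and fields[1] == "-":
            # "<domain> -" disables limits for that domain (pam_limits README)
            entries.append((fields[0], "-", None, None))
        elif len(fields) == 4 and fields[1] in TYPES and fields[2] in UNITS:
            entries.append(tuple(fields))
        else:
            problems.append((n, raw))  # malformed, or item not in UNITS
    return entries, problems

def describe(entry):
    """Render one parsed entry with its unit spelled out."""
    domain, ltype, item, value = entry
    if item is None:
        return f"{domain}: exempt from all limits"
    return f"{domain}: {ltype} {item} = {value} {UNITS[item]}"
```

Calling `describe()` on each entry returned by `parse_limits(POSTED)` gives one readable line per limit; anything returned in `problems` is a line pam_limits would not read the way it was intended, or an item outside this example's table.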