
Re: [suse-security] pam_limit.so question



On Tue, 24 Feb 2004, Philippe Vogel wrote:

> Hello!
>
> I want to restrict user rights but give users ssh access.
> The users may use ssh, scp, sftp, but should not alter the server, if
> someone doesn't know much about scripting and for securing the server to
> possible kiddies with console-account.
> I set up the following:
>
> /etc/security/limits.conf
>
> @admin        -
> @users          hard    priority        17
> @users          hard    maxlogins       2
> @users          hard    core            0
> @users          hard    cpu             10
> @users          hard    data            8196
> @users          hard    fsize           8196
> @users          hard    memlock         2048
> @users          hard    nofile          64
> @users          hard    nproc           8
> @users          hard    rss             8196
> @users          hard    stack           2048
> @users          hard    as              16384
>
> What setting is needed, what settings are O.K. and what makes working
> impossible cannot be found in the manpage.
>
> Is there a possibility to secure the server, that users in group users
> cannot open socket without a kernel-patch?
>
> Any hints?
>
> Philippe
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>


  If you have concerns about your users and you have to give shell
accounts, you might want to look at chrooting (jailing) their home
directories. If you have *really* serious concerns and you can't avoid
giving shell accounts, you might consider sealing the kernel with
GRsecurity or LIDS. You may also want to consider deploying the bash
restricted shell, which makes it tough for them to get out of their home
dirs.

-- 
-linux_lad public key on request
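
Added example, not part of either post: a small Python parser that reads the limits.conf entries quoted in the question and renders each one with the unit pam_limits applies to that item according to limits.conf(5). The names `parse_limits`, `describe` and `UNITS` are this example's own, and the table covers only the items that appear in the post.

```python
# Added example. Units per limits.conf(5); UNITS covers only the post's items.
UNITS = {"core": "KB", "data": "KB", "fsize": "KB", "memlock": "KB",
         "rss": "KB", "stack": "KB", "as": "KB", "cpu": "minutes",
         "nofile": "open files", "nproc": "processes",
         "maxlogins": "logins", "priority": "(nice value)"}

# The configuration quoted in the post, copied unchanged.
SAMPLE = """\
@admin        -
@users          hard    priority        17
@users          hard    maxlogins       2
@users          hard    core            0
@users          hard    cpu             10
@users          hard    data            8196
@users          hard    fsize           8196
@users          hard    memlock         2048
@users          hard    nofile          64
@users          hard    nproc           8
@users          hard    rss             8196
@users          hard    stack           2048
@users          hard    as              16384
"""

def parse_limits(text):
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if not fields:
            continue
        if len(fields) == 2 and fields[1] == "-":
            # A bare "-" type: no limits are enforced for this domain.
            entries.append((fields[0], "-", None, None))
        elif len(fields) != 4:
            problems.append((lineno, "expected: domain type item value"))
        elif fields[1] not in ("hard", "soft", "-"):
            problems.append((lineno, "unknown type " + fields[1]))
        elif fields[2] not in UNITS:
            problems.append((lineno, "item not in example table: " + fields[2]))
        elif not fields[3].lstrip("-").isdigit():
            problems.append((lineno, "non-numeric value " + fields[3]))
        else:
            entries.append(tuple(fields))
    return entries, problems

def describe(entry):
    domain, ltype, item, value = entry
    if item is None:
        return f"{domain}: no limits enforced"
    return f"{domain}: {ltype} {item} = {value} {UNITS[item]}"
```

Calling `describe` on each entry from `parse_limits(SAMPLE)` shows, for instance, that `cpu 10` is ten minutes of CPU time while the memory and file-size items are in KB.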
