ALT Linux users (in English only)
* [Comm-en] ALT Server 4.0 - Preventing Root Log-ins
From: Virtual Sky @ 2010-03-02  2:05 UTC
  To: community-en

How difficult would it be to configure my ALT Server 4.0 box to disallow 
'root' user log-ins and only allow a regular user log-in and then 'su' 
to the root account?

If easy enough to configure, how does this affect the web browser 
configurator interface?  Can you specify a regular user as the 
"administrator" to log in via the web interface?

David.



* Re: [Comm-en] ALT Server 4.0 - Preventing Root Log-ins
From: Michael Shigorin @ 2010-03-02  7:34 UTC
  To: community-en

On Mon, Mar 01, 2010 at 08:05:44PM -0600, Virtual Sky wrote:
> How difficult would it be to configure my ALT Server 4.0 box to
> disallow 'root' user log-ins and only allow a regular user
> log-in and then 'su' to the root account?

I'd do something like this to invalidate root password:

cp -a /etc/tcb/root/shadow /etc/tcb/root/shadow-
echo 'root:x:14029::::::' > /etc/tcb/root/shadow

> If easy enough to configure, how does this affect the web
> browser configurator interface?  Can you specify a regular user
> as the "administrator" to log in via the web interface?

AFAIR no.

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/
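
Added example, not part of the thread or of any poster's message: a check that the password field written by the `echo` above can never match a password. The function name `classify_shadow_entry` is hypothetical, and the sample file is constructed in the same per-user layout as /etc/tcb/root/shadow.

```shell
#!/bin/sh
# classify_shadow_entry FILE USER
# Prints one word describing field 2 (the password field) of USER's entry:
#   missing | empty | locked | hash
classify_shadow_entry() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            pw = $2
            if (pw == "")
                print "empty"     # no password set; PAM nullok decides the outcome
            else if (pw ~ "^[$][0-9a-z]+[$]")
                print "hash"      # modular crypt format, $id$...
            else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$")
                print "hash"      # traditional 13-character DES crypt
            else
                print "locked"    # x, *, !hash: no crypt() output can equal this
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample: the exact line from the message above.
sample=$(mktemp)
echo 'root:x:14029::::::' > "$sample"
echo "root: $(classify_shadow_entry "$sample" root)"
rm -f "$sample"
```

An entry classified `locked` rejects every password, so password-based `su` to root stops working as well; keep a separate route to root, such as sudo, in place before applying the change.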



* Re: [Comm-en] ALT Server 4.0 - Preventing Root Log-ins
From: Alexey Rusakov @ 2010-03-02  7:46 UTC
  To: community-en

On Tue, 02/03/2010 at 09:34 +0200, Michael Shigorin wrote:
> On Mon, Mar 01, 2010 at 08:05:44PM -0600, Virtual Sky wrote:
> > How difficult would it be to configure my ALT Server 4.0 box to
> > disallow 'root' user log-ins and only allow a regular user
> > log-in and then 'su' to the root account?
> 
> I'd do something like this to invalidate root password:
> 
> cp -a /etc/tcb/root/shadow /etc/tcb/root/shadow-
> echo 'root:x:14029::::::' > /etc/tcb/root/shadow
> 
> > If easy enough to configure, how does this affect the web
> > browser configurator interface?  Can you specify a regular user
> > as the "administrator" to log in via the web interface?
> 
> AFAIR no.

AFAIK, it is technically possible to log in to the web interface with
any valid user, but insufficient permissions handling is inconsistent.
Nothing destructive should happen though, so I'd try, if I were you.

-- 
  Alexey "Ktirf" Rusakov
  GNOME Project
  ALT Linux Team


* Re: [Comm-en] ALT Server 4.0 - Preventing Root Log-ins
From: Virtual Sky @ 2010-03-02 12:06 UTC
  To: ALT Linux users (in English only)


> On Tue, 02/03/2010 at 09:34 +0200, Michael Shigorin wrote:
>   
>> On Mon, Mar 01, 2010 at 08:05:44PM -0600, Virtual Sky wrote:
>>     
>>> How difficult would it be to configure my ALT Server 4.0 box to
>>> disallow 'root' user log-ins and only allow a regular user
>>> log-in and then 'su' to the root account?
>>>       
>> I'd do something like this to invalidate root password:
>>
>> cp -a /etc/tcb/root/shadow /etc/tcb/root/shadow-
>> echo 'root:x:14029::::::' > /etc/tcb/root/shadow
>>
>>     
>>> If easy enough to configure, how does this affect the web
>>> browser configurator interface?  Can you specify a regular user
>>> as the "administrator" to log in via the web interface?
>>>       
>> AFAIR no.
>>     
> AFAIK, it is technically possible to log in to the web interface with
> any valid user, but insufficient permissions handling is inconsistent.
> Nothing destructive should happen though, so I'd try, if I were you.

Thanks, everybody!  I figured that disallowing root log-in would be 
easy to do, but was concerned about the web configurator interface.  If 
I feel brave enough, perhaps I'll give your suggestions a try. ;o)

David.



* Re: [Comm-en] ALT Server 4.0 - Preventing Root Log-ins
From: Michael Shigorin @ 2010-03-02 21:11 UTC
  To: ALT Linux users (in English only)

On Tue, Mar 02, 2010 at 11:34:01AM -0600, Virtual Sky Solutions wrote:
> Now, I'm not an expert on Apache or other such things - I just
> know enough to work my way around basic configurations.
> However, thinking about it some more, would I be correct in
> saying:  I could help prevent unwanted hacking of my server by
> changing the web configurator access port, from 8080 to another
> unused port?

Somewhat yes, since 8080 is a well-known HTTP-related port;
but more so with a firewall setup blocking access to this or
another configured port by default and allowing it from a
few select IPs.

If feeling adventurous, you could also look into the "knock"
package to employ the so-called port knocking technique on top
of a "deny by default" firewall policy for the web interface.

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/
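
Added example, not part of the thread or of any poster's message: the "block by default, allow a few select IPs" policy for the web interface port, written as a generator that prints iptables commands for review instead of running them. The function names `is_ipv4` and `emit_webui_rules` are hypothetical, the addresses are constructed documentation-range values, and use of the INPUT chain with iptables is an assumption about the host.

```shell
#!/bin/sh
# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
is_ipv4() {
    case $1 in *[!0-9.]*|*.|.*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_webui_rules PORT ADDR...
# Prints one ACCEPT per allowed source, then a DROP for everyone else.
emit_webui_rules() {
    [ "$#" -ge 2 ] || { echo "usage: emit_webui_rules PORT ADDR..." >&2; return 1; }
    port=$1; shift
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    # Validate every source first so a typo never yields a partial rule set.
    for src in "$@"; do
        is_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    # Order matters: the ACCEPT rules must precede the catch-all DROP.
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed input: port 8080 from the thread, documentation-range addresses.
emit_webui_rules 8080 192.0.2.10 198.51.100.7
```

The rules are appended with `-A`, so an earlier rule in the INPUT chain that already accepts the port would still win; review the existing chain before applying the output.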



* Re: [Comm-en] ALT Server 4.0 - Preventing Root Log-ins
From: Virtual Sky @ 2010-03-02 23:28 UTC
  To: ALT Linux users (in English only)


> On Tue, Mar 02, 2010 at 11:34:01AM -0600, Virtual Sky Solutions wrote:
>   
>> Now, I'm not an expert on Apache or other such things - I just
>> know enough to work my way around basic configurations.
>> However, thinking about it some more, would I be correct in
>> saying:  I could help prevent unwanted hacking of my server by
>> changing the web configurator access port, from 8080 to another
>> unused port?
>>     
> Somewhat yes, since 8080 is a well-known HTTP-related port;
> but more so with a firewall setup blocking access to this or
> another configured port by default and allowing it from a
> few select IPs.
>
> If feeling adventurous, you could also look into the "knock"
> package to employ the so-called port knocking technique on top
> of a "deny by default" firewall policy for the web interface.
>
>   
Ah, yes... port "knocking".  I forgot all about that.  I'll look into 
it for sure.  Thanks for the suggestion!

David.

