-
Notifications
You must be signed in to change notification settings - Fork 1
Restricting a Linux User
The way Simverest works is by SSH'ing into a Varnish server and running the following commands at various times:
- varnishlog
- varnishstat
- grep
- cut
- top
- hostname
From the output of these commands, Simverest can determine the current state of the Varnish server. However, you don't want to give Simverest the same sort of access as a normal user because it only needs to perform a very small set of tasks. So what to do?
Well what you can do is limit the logged on Linux users to only the above commands. On my Ubuntu 10.04 machine, I followed the guide on bodhi zazen's blog and came up with the following script:
- Create and lock down a new user account
- login on to your linux machine
-
sudo -i
-
adduser simverest (enter password but otherwise, just accept defaults at prompts)
-
chsh -s /bin/rbash simverest
-
chown root.simverest /home/simverest
-
chmod 750 /home/simverest
- Lock down user environment
-
cd /home/simverest
-
rm -rf .bash_login .bashrc .profile .bash_profile .bash_logout
-
touch .bashrc
-
for i in .bash_login .bash_profile .bash_logout .profile; do echo '. .bashrc' > $i; done
-
echo 'export PATH=/home/simverest/usr/bin' >> .bashrc
-
mkdir -p /home/simverest/usr/bin
-
chown -R root.simverest .bash* .profile /home/simverest
-
chmod -R 750 usr/bin
-
- Restrict access to specific applications
-
ln -s /usr/bin/varnishlog /home/simverest/usr/bin/varnishlog
-
ln -s /usr/bin/varnishstat /home/simverest/usr/bin/varnishstat
-
ln -s /bin/grep /home/simverest/usr/bin/grep
-
ln -s /usr/bin/cut /home/simverest/usr/bin/cut
-
ln -s /usr/bin/top /home/simverest/usr/bin/top
-
ln -s /bin/hostname /home/simverest/usr/bin/hostname
-
You should now have a locked down user that can only run the 6 commands necessary for Simverest to function.