
Jan 14, 2013

Run a specific command as root without root password

In most Linux/Unix systems, users need special privileges to run certain commands, for example to stop a service or to mount a device. In these scenarios, most older Linux/Unix systems used the command 'su -'. But this command requires the root user's password, and sharing the root password with other users is not good practice. Therefore, we need another way to do this task.

The 'sudo' command allows non-privileged users to run various commands as root without the root password. The root user can specify which user or group can run which command(s) as root or as any other user. This information is saved in the configuration file '/etc/sudoers'. But I strongly advise you not to edit that file directly, because an error in it can leave the system malfunctioning. The best way to make these changes is to use the 'visudo' command. Though you edit the same file via this command, it checks the syntax before it saves the changes to the configuration file permanently.

For example, imagine a Linux-based proxy server running in your office environment. Normally you make lots of changes on request. (That is not a very good practice.) So you want a new trainee to help handle the proxy server. But there are a few problems. One is that you need to restart the proxy service to activate a configuration change. You may also have other services running on the same host. So the server is critical, yet you need to give some high-level privileges to an inexperienced user.

Now you need to give the user high privileges, but only to run some identified commands. According to the example, you need to grant privileges to edit the "squid.conf" file and to restart the squid service. You can do these things in several different ways in the "sudoers" file.

Run 'visudo' and go to the line "root  ALL=(ALL) ALL". Add the following line after it.

bob squidhost= NOPASSWD: /usr/bin/vim /etc/squid/squid.conf, /sbin/service squid restart

In the first part you set the user name; in this case it's bob. If you want to specify a group instead, add a "%" sign in front of the group name.

In the second part you specify the hostname.

Then you can add "NOPASSWD:" between the equal (=) sign and the commands so that the user is not asked for a password when running those commands. If you leave it out, the system will ask the user for his/her own password each time he/she runs one of these commands.

Then you specify the commands that you want to make available to the user. Absolute paths are required when specifying commands and configuration files.
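To see how sudo evaluates a user specification like the one above, here is an added example (not part of the original post) that parses a few constructed sudoers lines and answers whether a given user, host and command line would be permitted, and whether a password would be asked for. It applies the rules from the sudoers manual: the last matching entry wins, a command listed without arguments accepts any arguments, and a command listed with arguments must match them exactly (which is why the restart rule spells out 'squid restart'). User, group and host names are made up.

```python
import re
import shlex

# Constructed sudoers lines for this walkthrough (not a real /etc/sudoers).
SAMPLE_SUDOERS = """
root    ALL=(ALL) ALL
bob squidhost= NOPASSWD: /usr/bin/vim /etc/squid/squid.conf, /sbin/service squid restart
%proxyadmins squidhost= /sbin/service squid restart
carol squidhost= /sbin/service
"""

# who  host=(runas) [NOPASSWD:|PASSWD:] command [args], command [args], ...
# The runas part is captured but ignored: every command here is assumed to run as root.
SPEC_RE = re.compile(
    r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?((?:NOPASSWD|PASSWD):\s*)?(.+)$")

def parse_sudoers(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        who, host, _runas, tag, cmds = m.groups()
        rules.append({"who": who, "host": host,
                      "nopasswd": bool(tag) and tag.startswith("NOPASSWD"),
                      "commands": [c.strip() for c in cmds.split(",")]})
    return rules

def command_matches(spec, argv):
    if spec == "ALL":
        return True
    spec_argv = shlex.split(spec)
    if len(spec_argv) == 1:        # no arguments listed: any arguments are accepted
        return argv[0] == spec_argv[0]
    return argv == spec_argv       # arguments listed: they must match exactly

def check(rules, user, groups, host, argv):
    """Return (allowed, password_required) for one sudo invocation.
    sudo applies matching entries in order and the last match wins."""
    for r in reversed(rules):
        who_ok = (r["who"] in (user, "ALL") or
                  (r["who"].startswith("%") and r["who"][1:] in groups))
        if who_ok and r["host"] in (host, "ALL") and \
                any(command_matches(c, argv) for c in r["commands"]):
            return True, not r["nopasswd"]
    return False, True
```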

Jan 5, 2013

Open a Linux firewall port - IPTables

IPTables is the default firewall on most Linux systems. If we host a service such as an FTP or web server, we need to open some ports so that the service can be used from remote hosts. For that we need to edit the configuration of this firewall.

First we can check the status of IPTables by running this command;

service iptables status

By default most systems open the ssh port 22. Now we need to get the running configuration in order to edit it. To do that;

iptables-save > /tmp/iptables

This command dumps the running iptables configuration into a file, which will look like this.

# Generated by iptables-save v1.4.7 on ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39:2878]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on ...

Assume that we need to run a web server on this host. Web servers usually run on port 80. Therefore, we need to allow port 80. To allow it, we add a line similar to the ssh rule, placed before the final REJECT rule.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 

Then you need to feed this configuration back into iptables. To do that;

iptables-restore < /tmp/iptables
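As an added example (not code from the original post), the following Python function performs the edit described above on an iptables-save dump: it inserts the ACCEPT rule for the new port into INPUT ahead of the chain's catch-all REJECT, because rules are matched top to bottom and a rule appended after the REJECT would never be reached, and it leaves the dump alone if the rule is already present. The dump embedded below is constructed to match the listing above.

```python
import re

# Constructed dump in the format iptables-save prints, matching the listing above.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.7 on ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39:2878]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on ...
"""

REJECT_RE = re.compile(r"^-A INPUT\b.*-j (REJECT|DROP)\b")
OPEN_RE = re.compile(r"^-A INPUT .*-p (\w+).*--dport (\d+) -j ACCEPT", re.M)

def accept_rule(port, proto="tcp"):
    """The same rule shape the dump already uses for ssh, for another port."""
    return "-A INPUT -p %s -m state --state NEW -m %s --dport %d -j ACCEPT" % (proto, proto, port)

def open_port(dump, port, proto="tcp"):
    """Return a copy of the dump with an ACCEPT rule for the port inserted into
    INPUT ahead of the first REJECT/DROP rule there (rules are matched top to
    bottom, so anything placed after the catch-all REJECT is never reached).
    The dump is returned unchanged if the rule is already present."""
    rule = accept_rule(port, proto)
    lines = dump.splitlines()
    if rule in lines:
        return dump
    for i, line in enumerate(lines):
        if REJECT_RE.match(line):
            lines.insert(i, rule)
            return "\n".join(lines) + "\n"
    raise ValueError("no REJECT/DROP rule in INPUT; not guessing where to insert")

def open_ports(dump):
    """(protocol, port) pairs the INPUT chain accepts, in matching order."""
    return [(m.group(1), int(m.group(2))) for m in OPEN_RE.finditer(dump)]
```

Write the result to the file you then pass to iptables-restore, exactly as in the manual steps above.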

Now if you run the 'service iptables status' command, you can see that port 80 is also allowed. But if you restart the service (service iptables restart) or reboot the machine, those changes will be gone. That's because the service loads a default configuration file at initialization. This default file differs from system to system; in CentOS it is located at '/etc/sysconfig/iptables'. After everything is complete, you can save the running iptables configuration to that file itself.

But it is better to use an alternative method, such as a 'cron job', to load the modified iptables configuration. To do that you need to add a cron job as root by;

crontab -e

and add;

@reboot /sbin/iptables-restore < /root/myiptables

The modified iptables rule set must be saved at that location.

Note: In a few Linux distributions there is another security layer called 'SELinux'. If you still have an issue after changing those settings in IPTables, it is better to check the SELinux settings too.

Jan 4, 2013

Deny Youtube in office hours using Squid proxy

We can use Squid-cache as an internet access control system. In this post I will show you how to configure squid-cache to control access to the youtube.com website.

You need to edit the '/etc/squid/squid.conf' file to make these changes.

First we need to define our local network (e.g. 192.168.2.0/24). To do that we can edit the 'acl localnet src *' line in the config file to;

acl localnet src 192.168.2.0/24

Then assume that we need to block youtube access during working hours for all users in the network. Therefore, we need to define the working hours in the configuration file. This line should come right after the 'Safe_ports' definitions.

acl officehours time M T W H F 8:00-17:00

Now you can set the host name of the proxy machine by;

visible_hostname proxy.domain.com

If anyone needs to access youtube within office hours, we need an option for that. For example, we can define a youtube-allowed IP range and/or some individual IP addresses like this.

acl allowyoutube src 192.168.2.21-192.168.2.40
acl allowyoutube src 192.168.2.75
acl allowyoutube src 192.168.2.65

Now we can block youtube for all users except those special users by setting;

acl youtube dstdomain .youtube.com
http_access deny CONNECT youtube !allowyoutube officehours
http_access deny youtube !allowyoutube officehours

# deny access to not safe and non-ssl ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# allow only local network
http_access allow localnet
http_access deny all

Then restart the squid service and check the logs in '/var/log/squid/' for more information.
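To check how squid combines these lines before you restart the service, here is an added example (not part of the original post or of squid itself) that evaluates a constructed squid.conf fragment the way squid does: every ACL on an http_access line must match for the line to apply, a '!' negates an ACL, and the first matching line decides. It covers the 'src' (network and range), 'dstdomain' and 'time' ACL types used in the post; the CONNECT line is omitted, the time range is treated as inclusive of its start and exclusive of its end, and the default date in decide() is a Monday.

```python
import ipaddress
from datetime import datetime
# Constructed squid.conf fragment following the post (not a complete config).
SQUID_CONF = """
acl all src 0.0.0.0/0
acl localnet src 192.168.2.0/24
acl officehours time M T W H F 8:00-17:00
acl allowyoutube src 192.168.2.21-192.168.2.40
acl youtube dstdomain .youtube.com
http_access deny youtube !allowyoutube officehours
http_access allow localnet
http_access deny all
"""

def parse(conf):
    acls, rules = {}, []  # acl lines sharing a name are OR'ed; http_access keeps order
    for f in (line.split() for line in conf.splitlines()):
        if f and f[0] == "acl":
            acls.setdefault(f[1], []).append((f[2], f[3:]))
        elif f and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules

def src_match(spec, ip):
    if "-" in spec:  # first-last address range
        lo, hi = map(ipaddress.ip_address, spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)  # CIDR or single address

def acl_match(acls, name, req):
    for kind, args in acls[name]:
        if kind == "src" and any(src_match(a, req["ip"]) for a in args):
            return True
        if kind == "dstdomain" and any(req["host"] == a.lstrip(".") or  # a leading dot
                (a[0] == "." and req["host"].endswith(a)) for a in args):  # covers subdomains
            return True
        if kind == "time":  # day letters S M T W H F A, then hh:mm-hh:mm
            t, (lo, hi) = req["when"], args[-1].split("-")
            if "MTWHFAS"[t.weekday()] in "".join(args[:-1]) and \
                    lo.zfill(5) <= t.strftime("%H:%M") < hi.zfill(5):
                return True
    return False

def decide(acls, rules, ip, host, when="2013-01-07 10:30"):  # default: a Monday, 10:30
    req = {"ip": ipaddress.ip_address(ip), "host": host,
           "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}
    for action, terms in rules:  # first http_access line whose terms all match wins
        if all(acl_match(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"  # squid: opposite of last line
```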