How to Restrict Permissions on Files Used by cron
1. Restrict the permissions on the primary system crontab file.
# chown root:root /etc/crontab
# chmod 600 /etc/crontab
2. If anacron has not been removed, restrict the permissions on its primary configuration.
# chown root:root /etc/anacrontab
# chmod 600 /etc/anacrontab
3. Restrict the permission on all system crontab directories:
# cd /etc
# chown -R root:root cron.hourly cron.daily cron.weekly cron.monthly cron.d
# chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d
4. Restrict the permissions on the spool directory for user crontab files.
# chown root:root /var/spool/cron
# chmod -R go-rwx /var/spool/cron
Cron and anacron make use of a number of configuration and directories. The system crontabs need only be edited by root, and user crontabs are edited using the setuid root crontab command. If unprivileged users can modify system configuration, they may be able to gain elevated privileges, so all unnecessary access to these files should be disabled.
Restrict Console Device Access
The default system configuration grants the console user enhanced privileges
normally reserved for the root user, including temporary ownership of most system devices.
If not necessary, these privileges should be removed and restricted to root only.
Restrict device ownership to root only.
Edit /etc/security/console.perms.d/50-default.perms and locate the section prefaced by the following comment:
# permission definitions
Prepend a # symbol to comment out each line in that section which starts with [console] or [xconsole]
Edit /etc/security/console.perms and make the following changes:
[console]=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
[xconsole]=:0\.[0-9] :0
Restrict File Uploads in PHP configuration
Restricting all file uploads is an easy way to completely prevent attackers from exploiting your PHP configuration to inject their own PHP scripts. However, some developers will want to include the ability to upload files to your server via PHP. If you must allow file uploads, you should change the default temporary directory for file uploads using the upload_tmp_dir parameter.
Many administrators also choose to limit the maximum file size users can upload using the upload_max_filesize parameter. Setting this parameter is generally not intended to improve the security of your PHP configuration. Administrators choose to set this parameter to help manage the server’s PHP load.
How do I restrict the use of su command?
The su command is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser. The optional argument - may be used to provide an environment similar to what the user would expect had the user logged in directly.
You can SSH using a regular user account, then use the su command to obtain root access. This is true for any user that enters the su command and enters the root password. Root access means absolute access, thus, it is recommended that you limit the usernames that can use the su command and get root access.
We have a group called ‘wheel’ on the Linux system that we can utilize for this a special purpose. We can add usernames that you want to have su access to become a member of the wheel group and then restrict su so that only the members of the wheel group can use the su command.
Add a user with the id buddy to the wheel group:
Now we need to go to the directory /etc/pam.d
/etc/pam.d$ ls -l su
-rw-r–r– 1 root root 2303 May 26 19:53 su
Edit the PAM configuration file for su, /etc/pam.d/su, in a text editor and remove the comment (#) from the line shown below:
# auth required /lib/security/pam_wheel.so use_uid
So that is looks like this:
auth required /lib/security/pam_wheel.so use_uid
Doing this will permit only members of the group wheel to use the su command.
Below is the debian configuration file:
# The PAM configuration file for the Shadow `su’ service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su’. You can also add “group=foo”
# to the end of this line if you want to use a group other
# than the default “root” (but this may have side effect of
# denying “root” user, unless she’s a member of “foo” or explicitly
# permitted earlier by e.g. “sufficient pam_rootok.so”).
# (Replaces the `SU_WHEEL_ONLY’ option from login.defs)
auth required pam_wheel.so
In Usermin’s MySQL Database module, how can I restrict the databases that each user can see and use?
By default the module will list all of the databases on your system on the main page, even if some are not actually usable by the logged-in user. To change this, follow these steps :
Login to Webmin on the same server, and enter the Usermin Configuration module.
Click on Usermin Module Configuration.
Click on MySQL Database in the list.
In the Database access control list field, remove the existing *: * line and enter one line per user, containing the username, a colon and
list of databases he is allowed to use. For example, you could enter :
jcameron: database1
fred: database2 database3
joe: *
A * in the database column means all databases, while a * in the username column means any user not listed so far.
Hit the Save button to activate the restrictions.
