How can I make access to command line more secure? Is there any way to make it secure when using the system as a guest user? Once a user session is open then anyone can open terminal without any credentials. What I want exactly is for a password to be requested before opening terminal.
1 Answer
This is addressing the content of your question.
How can I make access to command line more secure
It's hardly possible to restrict access to a commandline. While you might restrict access to the installed gnome-terminal, there are other default installed terminals that can be accessed. These include xterm, uxterm, lxterm, and x-terminal-emulator. If you disabled or uninstalled all default installed terminals, a user could easily download a terminal to his personal space and run a commandline from there.
Commandlines don't need a terminal to be executed
Many of the commands I perform, I perform in a script... often a one-line script.
While the ways to browse the system and execute commands are too vast to contain in one message, I'll give an example of one easy method.
1. From the Ubuntu Dash search type gedit
2. In the window type:
   #!/bin/bash
   bash
3. Save the file as mytermial.
4. From the file browser right-click the file -> (click) Properties -> (checkmark) Allow executing file as program -> Close
5. Now double click the file and you are in a terminal.
Instead of the command being bash it could be ls to browse anywhere on the system, as well as cat to list anything on the system that the user has permission to access. That makes the only real solution to check the permissions of sensitive data.
Modifying your system files may break your system, making it hard for users (including your account) with access to perform their task.
For security purposes you should protect the data by placing restrictive access on the specific data, data files, and data directories. For instance, the mysql directory has sensitive data. It's located in the /var/lib/mysql area. The file permission mask is 700. This means that only the database engine MySQL or some special root controller can access the directory or the files within it. This is the permission scheme used for real security in Linux, which is tested and works. Methods outside of this could create a harmful false sense of security.
There are alternatives that you could set up specifically for restricting users' access on your system. For instance, you could set up jails for the users you don't want to have access to browse the regular directory structure. This is done for the default guest account. The jailed user account will not be able to see outside of the provided directory structure.
Look at: Jailkit. It's a set of utilities to limit user access to specific areas using Linux's chroot and/or specific commands.
Some detailed discussion on this can be found at:
Simple & easy way to jail users
I don't think the jailed alternative solution would be as good, to make the access to the command line more secure, as being sure to secure the files and directories of the sensitive data.
Example files showing permissions bits:
drwxr-xr-x 104 root root 4096 Oct 25 10:33 /etc
-rw-r----- 1 root shadow 1119 Oct 25 09:50 /etc/shadow
The permissions are grouped in threes. Starting with the second bit, the first group (of threes) is the owner of the item u. The second group is the group g, and the last group is others o. As long as you don't have any of the bits set on the last group of three bits, a regular user will not be able to access that area or file. Those bits are read, write, and execute. So remove the last bit from your sensitive data directory and others will not have access to it. This can be done with:
$ chmod o-x [directoryname]
Alternatively you could have it set so that the user may be able to enter the directory but not actually browse (or see directly) the directory with:
$ chmod o-r [directoryname]
You can use that scheme to easily check and verify who has access to what.
The final answer is that you can't provide security by making changes to your various terminal emulators and the actual command line, because there are so many alternatives to access the data without using the commandline directly, such as a file browser. The real solution for security is through permissions control.

gedit and browse to the file you want to look into. If it will work with the terminal without password, it will work with (e.g.) gedit. Really curious however what data you are referring to. – Jacob Vlijm Oct 25 '16 at 07:57
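An added example (not part of the original answer or comment) of the permission check the answer describes: it reads the "others" triad, applies the answer's chmod o-x and chmod o-r to a constructed temporary directory, and lists what is still open to others. The helper names (others_bits, others_accessible, make_sample) and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the original answer. All paths are constructed.

# Print the "others" triad (characters 8-10 of the ls mode string), e.g. "r-x".
others_bits() {
    ls -ld "$1" | cut -c8-10
}

# List every path under $1 that still grants r, w or x to "others".
others_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Build a throwaway tree with typical default modes (755 dir, 644 file).
# mktemp -d creates the top directory with mode 700.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/data"
    printf 'constructed sample\n' > "$d/data/records.txt"
    chmod 755 "$d/data"
    chmod 644 "$d/data/records.txt"
    printf '%s\n' "$d"
}

demo() {
    root=$(make_sample) || return 1
    echo "before:         data=$(others_bits "$root/data")"
    chmod o-x "$root/data"          # others can no longer enter the directory
    echo "after o-x:      data=$(others_bits "$root/data")"
    chmod o-r "$root/data"          # others can no longer list it either
    echo "after o-x,o-r:  data=$(others_bits "$root/data")"
    # The file inside is still 644: report what remains open to others.
    echo "still open to others:"
    others_accessible "$root" | sed "s|^$root|  .|"
    chmod -R o-rwx "$root/data"     # close the whole subtree
    echo "remaining after chmod -R o-rwx: $(others_accessible "$root/data" | wc -l)"
    rm -rf "$root"
}

demo
```

The audit still reports records.txt after the directory is closed, because the file keeps its own o+r bit; tightening the file mode as well means it stays protected if the parent directory's mode is later relaxed.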