

Determining User Access

Once we have running only what we want running (all starting via TCPD), let's make sure that only the systems/users that we want to use a service can use it. We're going to allow a local Web program to use IMAPD to access users' mail, so we need to allow access to IMAPD from the local system but deny access from anywhere else. So, our line in /etc/hosts.allow looks like this:

imapd:  ALL except localhost, 127.0.0.1: DENY

Let's also allow only david on localhost or 127.0.0.1 to run the Samba Web Administration Tool (swat):

swat:  ALL except david@localhost, david@127.0.0.1 : DENY

We now have two lines we can test, so we pull out our handy-dandy checker tool, tcpdmatch, and check out our rules:

# tcpdmatch imapd pananix.com
client:   hostname mail.pananix.com
client:   address  209.127.112.154
server:   process  imapd
matched:  /etc/hosts.allow line 8
option:   DENY
access:   denied

Well, that looks good. Anyone coming from the foreign address of either mail.pananix.com or IP 209.127.112.154 will be denied access to IMAPD per line 8 of the hosts.allow file.

Now let's see if this service will run locally:

# tcpdmatch imapd localhost  
client:   hostname localhost
client:   address  127.0.0.1
server:   process  imapd
access:   granted

Well, I'd say that's a ROGER. Now let's see how swat holds up to the rules:

# tcpdmatch swat localhost
client:   hostname localhost
client:   address  127.0.0.1
server:   process  swat
matched:  /etc/hosts.allow line 7
option:   DENY 
access:   denied

Okay, so it appears no one can access swat, even locally. But we want user david to be able to run swat (at least locally):

# tcpdmatch swat david@localhost
warning: /etc/inetd.conf, line 75: in.tftpd: not found in /usr/sbin: No such file or directory
client:   hostname localhost
client:   address  127.0.0.1
client:   username david
server:   process  swat
access:   granted

We've got success. But let's make sure it's not a fluke:

# tcpdmatch swat david@chiriqui.pananix.com
client:   hostname chiriqui.pananix.com
client:   address  192.168.0.2
client:   username david
server:   process  swat
matched:  /etc/hosts.allow line 7
option:   DENY 
access:   denied

Looks like we're cooking with gas.
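As an added example (not from the article or the tcp_wrappers project), here is a small Python model of how tcpd evaluates the two hosts.allow lines above, with the rules copied into a constructed list so they sit at lines 1 and 2 instead of 8 and 7; the names `Client`, `check` and the helpers are my own, and the `.domain`/`net.` wildcard handling follows hosts_access(5) beyond what the article itself uses.

```python
import re
from dataclasses import dataclass

@dataclass
class Client:
    hostname: str
    address: str
    username: str = "unknown"   # tcpd reports "unknown" when no user is supplied

# Constructed copy of the two hosts.allow lines from the article (list index = line number).
HOSTS_ALLOW = [
    "imapd:  ALL except localhost, 127.0.0.1: DENY",
    "swat:  ALL except david@localhost, david@127.0.0.1 : DENY",
]

def host_matches(pattern, client):
    """Host part of a client pattern, using the hosts_access(5) wildcards."""
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):                      # ".pananix.com" matches by domain suffix
        return client.hostname.lower().endswith(p)
    if p.endswith("."):                        # "192.168.0." matches by address prefix
        return client.address.startswith(p)
    return p in (client.hostname.lower(), client.address)

def token_matches(token, client):
    """A token is 'host' or 'user@host'; the user part must equal the reported username."""
    if "@" in token:
        user, token = token.split("@", 1)
        if user.lower() not in ("all", client.username.lower()):
            return False
    return host_matches(token, client)

def client_list_matches(field, client):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 matches (EXCEPT nests to the right)."""
    head, *rest = re.split(r"\s+except\s+", field.strip(), maxsplit=1, flags=re.IGNORECASE)
    matched = any(token_matches(t, client) for t in re.split(r"[\s,]+", head) if t)
    return bool(matched and not (rest and client_list_matches(rest[0], client)))

def check(daemon, client, rules=HOSTS_ALLOW):
    """Return (verdict, matching line number); the first matching line wins, as in tcpd."""
    for lineno, rule in enumerate(rules, 1):
        fields = [f.strip() for f in rule.split(":")]
        daemons, clients = fields[0], fields[1]
        option = fields[2].upper() if len(fields) > 2 else ""
        if not any(d.lower() in ("all", daemon.lower()) for d in re.split(r"[\s,]+", daemons)):
            continue
        if client_list_matches(clients, client):
            return ("denied" if option == "DENY" else "granted", lineno)
    return ("granted", None)   # no line matched: with an empty hosts.deny, tcpd grants access
```

Running `check("imapd", Client("localhost", "127.0.0.1"))` returns `("granted", None)` for the same reason tcpdmatch did: nothing matched, and with no catch-all in hosts.deny the default is to grant.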
