
Restrict users' access on Linux systems

In a recent article, I told you how to force Windows users to log off at a specific time by using a third-party utility. Here's how to implement a similar solution for Linux users.

In a recent article, "Force users to log off when their time is up," I told you how to force home and workgroup users to log off at a specific time by using a third-party utility. But this solution targeted Windows machines, and one of my loyal readers asked how to implement a similar solution for Linux users.

When we talk about forcing a user to log off, what we're really talking about is implementing time restrictions on the account for system access or services. The easiest way I've found to implement time restrictions is with a plug-in module from Linux-PAM.

Pluggable Authentication Modules (PAM) is a mechanism for authenticating users. Specifically, we're going to use the pam_time module to control timed access to services for users.

Using the pam_time module, we can set access restrictions on the system and/or on specific applications at various times of the day, on specific days, or over particular terminal lines. Depending on the configuration, you can use this module to deny access to individual users based on their name, the time of day, the day of the week, the service they're requesting, and the terminal from which they're making the request.

When using pam_time, each line (or rule) in the /etc/security/time.conf file must be terminated with a newline. You can comment a line with the pound sign [#]; the system ignores everything from that point until the newline.

Here's the syntax for a rule:

services;ttys;users;times

  1. The first field -- services -- is a logic list of PAM service names.
  2. The second field -- ttys -- is a logic list of terminal names.
  3. The third field -- users -- is a logic list of users or a netgroup of users.
  4. The fourth field -- times -- is a logic list of day/time-range entries.

A logic list is a set of tokens, each optionally prefixed with ! (logical not) and joined with & (logical and) or | (logical or).

Here's an example of a typical set of rules:

login ; * ; !bobby ; MoTuWeThFr0800-2000
login ; * ; !root ; !Al0000-2400
http ; * ; !bobby ; MoTuWeThFr0800-2000
http ; * ; !root ; !Al0000-2400

These rules restrict user bobby from logging on between the hours of 0800 and 2000, and they also restrict Internet access during these hours. Root would be able to log on at any time and browse the Internet at all times as well.

Note: Errors in these rules are logged via syslog(3).
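As an added example (not code from the article or from Linux-PAM itself), here is a small Python evaluator that applies the time.conf semantics from the pam_time documentation: a rule is active when its services, ttys and users fields all match the request, an active rule denies the request unless the current day/time falls inside its times field, a ! negates the token it prefixes, repeated day tokens toggle, and a finish time below the start time wraps past midnight. It assumes fnmatch for the single '*' wildcard, a half-open [start, end) time range, and constructed request values (tty1, user alice); run it over the four rules above to see who is actually refused at a given day and time before installing a time.conf.

```python
import re, fnmatch
DAYS = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64,
        "Wk": 0x1F, "Wd": 0x60, "Al": 0x7F}  # Wk = Mo..Fr, Wd = Sa|Su, Al = every day

def time_matches(entry, day, hhmm):
    # 'MoTuWeThFr0800-2000': day tokens toggle bits (MoWk = Tu..Fr, MoMo = no day); a finish
    # time below the start wraps past midnight. Half-open [start, end) is our own assumption.
    m = re.fullmatch(r"((?:[A-Z][a-z])*)(\d{4})-(\d{4})", entry)
    if not m:
        raise ValueError("bad day/time entry: " + entry)
    days = 0
    for i in range(0, len(m[1]), 2):
        days ^= DAYS[m[1][i:i + 2]]
    start, end = int(m[2]), int(m[3])
    in_range = start <= hhmm < end if start <= end else (hhmm >= start or hhmm < end)
    return bool(days & DAYS[day]) and in_range

def logic_list(field, match):
    # A time.conf logic list: tokens with optional '!' prefix, joined by '&' or '|', left to right.
    result, op = False, "|"
    for sym, neg, token in re.findall(r"([&|])|(!*)([^!&|]+)", field.replace(" ", "")):
        if sym:
            op = sym
        else:
            value = (len(neg) % 2 == 1) ^ match(token)
            result = (result and value) if op == "&" else (result or value)
    return result

def parse_rules(text):
    # '#' starts a comment, blank lines are skipped, the four fields are split on ';'.
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [tuple(f.strip() for f in ln.split(";")) for ln in lines if ln]

def access_allowed(rules, service, tty, user, day, hhmm):
    # Active rule = services, ttys AND users all match (fnmatch covers the '*' wildcard, our
    # assumption); an active rule denies unless day/time lies inside its times field. Any denial wins.
    for services, ttys, users, times in rules:
        if (logic_list(services, lambda t: fnmatch.fnmatchcase(service, t))
                and logic_list(ttys, lambda t: fnmatch.fnmatchcase(tty, t))
                and logic_list(users, lambda t: fnmatch.fnmatchcase(user, t))
                and not logic_list(times, lambda t: time_matches(t, day, hhmm))):
            return False
    return True

# The article's four rules, copied here so the check runs offline.
ARTICLE_RULES = parse_rules("""
login ; * ; !bobby ; MoTuWeThFr0800-2000
login ; * ; !root  ; !Al0000-2400
http  ; * ; !bobby ; MoTuWeThFr0800-2000
http  ; * ; !root  ; !Al0000-2400
""")
```

Calling access_allowed(ARTICLE_RULES, "login", "tty1", user, day, hhmm) for each account and a few times of day gives the effective policy; compare that table with the intent before deploying.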

Final thoughts

Linux offers a great deal of control over services, and it's pretty easy to use a module such as pam_time to restrict access and control session usage if you take the time to enforce user restrictions.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.


13 comments
hanz

Mike, not sure how this is possible, but you wrote it. I don't think browsing has anything to do with PAM, yet you wrote about preventing browsing with pam_time.so in your example. What do you mean by http service in this context, as it does not exist in /etc/pam.d/? -hanz

sundarhp

This is really a part of the C2 level security compliance and already available in other UNIX dialects like HP-UX without any need for PAM. When you convert an HP-UX system to trusted, you can restrict the users to certain times of the day.

oz_ollie

*nix configurations are much simpler than Mike's usual Windows tips, but the explanations are wrong!

login ; * ; !bobby ; MoTuWeThFr0800-2000
Allows users who are NOT bobby to login during MoTuWeThFr0800-2000

login ; * ; !root ; !Al0000-2400
Allows users who are NOT root to login NOT Al0000-2400 - I think you just locked everyone out!

http ; * ; !bobby ; MoTuWeThFr0800-2000
Allows users who are NOT bobby access to http during MoTuWeThFr0800-2000

http ; * ; !root; !Al0000-2400
Allows users who are NOT root to access http NOT between Al0000-2400 - I think you just locked everyone out of the Internet!

Tell Mike to go back to pretending he knows about security with Windows and leave *nix security to those of us who use *nix every day.

Note: Edited to correct my mistake with the time settings.

brian.mills

Thanks for the info! It doesn't do me a whole lot of good right now, since my wife and I are the only users on any of our computers, but once we have children this will come in very handy for keeping them from spending too much time on the computer.

Photogenic Memory

Wow, thanks for posting this great info! I just logged into my machine and read the /etc/security/time.conf file. The format seemed really weird. The concept is very similar to crontab entries. I'm really excited about having just learned about this, but since it's just me on the local system, there's no need to implement it, LOL! Once again, thanks for posting. I think this may come in handy for me in the very near future. Question: will this work for users who have logged into your system via SSH?

Flash00

He may be right but that's no excuse for being obnoxious. Jerks like him scare people away from even trying Linux, so they stick with Microsoft. What an ill-mannered moron.

carlo.a

Answer: sure, yes. The first field in time.conf entries is the service name; you can have a look at the available service names by ls-ing the /etc/pam.d directory (and ssh is listed there).

j-mart

Oz submitted his correction without resorting to any personal attacks. I can't see how his professional and polite response is going to scare anyone. Thanks oz, the information you have passed on has been useful, unlike the post of Flash00.

oz_ollie

Incorrect information by so called "experts" scares people away from Linux. The number of times I've heard "but I followed these instructions and it didn't work so Linux must be too hard" is unbelievable. If you're going to provide "advice" online it needs to be correct and not understanding the "!" is Basic Programming 101 stuff.

seanferd

But yeah, a bit of snark had been included in that post. Perhaps overboard, but had a point.

ken

j-mart, When I read things like "Restrict users' access on Linux systems is GARBAGE" and "Tell Mike to go back to pretending he knows about security with Windows and leave *nix security to those of us who use *nix everyday", that IS a bit extreme. There are ways to point out someone's mistake without making it personal. That last sentence was very personal, and should have no place in friendly conversation or discourse in our community. It was exactly this kind of unwarranted "flaming" that turned me off of BBS systems back in the late 80's/early 90's. If the author of the article made a mistake (and it appears that he did), then a simple "ahem, but I think you got this particular thing wrong" can go a long way toward rectifying the problem. It is how everyone can learn and come away from here better for it. Blasting someone or in not so many words making it appear that the person is stupid does nothing but cause bad feelings. Who is going to want to post here and share if they are afraid that if they make one little mistake, someone is going to slice and dice them? I think that we can all work together here and share without the emotional baggage. Sound reasonable?

oz_ollie

The "!" is well used to signify NOT or, from the time.conf man page[1], "anything but". The same information is also available from the docs for pam_time at kernel.org[2]. I'm currently using Ubuntu 7.04 and similar information is easily available in time.conf. Simply use less or cat to display the contents of the file:

# was initially based heavily on that of the shadow package (shadow-960129).
#
# the syntax of the lines is as follows:
#
# services;ttys;users;times
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). As should be clear from reading these comments,
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
# is a logic list of PAM service names that the rule applies to.
#
# ttys
# is a logic list of terminal names that this rule applies to.
#
# users
# is a logic list of users to whom this rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#
# times
# the format here is a logic list of day/time-range
# entries the days are specified by a sequence of two character
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
# bar Monday. The two character combinations accepted are
#
# Mo Tu We Th Fr Sa Su Wk Wd Al
#
# the last two being week-end days and all 7 days of the week
# respectively. As a final example, AlFr means all days except Friday.
#
# each day/time-range can be prefixed with a '!' to indicate "anything
# but"
#
# The time-range part is two 24-hour times HHMM separated by a hyphen
# indicating the start and finish time (if the finish time is smaller
# than the start time it is deemed to apply on the following day).
#
# for a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#
#
# Here is a simple example: running blank on tty* (any ttyXXX device),
# the users 'you' and 'me' are denied service all of the time
#
#blank;tty* & !ttyp*;you|me;!Al0000-2400
# Another silly example, user 'root' is denied xsh access
# from pseudo terminals at the weekend and on mondays.
#xsh;ttyp*;root;!WdMo0000-2400
#
# End of example file.

[1] http://linux.die.net/man/5/time.conf
[2] http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_time.html

Mike Mullins

Ollie, read the man page; it mirrors what's on the site.