Restrict users' access on Linux systems

In a recent article, I told you how to force Windows users to log off at a specific time by using a third-party utility. Here's how to implement a similar solution for Linux users.

In a recent article, "Force users to log off when their time is up," I told you how to force home and workgroup users to log off at a specific time by using a third-party utility. But this solution targeted Windows machines, and one of my loyal readers asked how to implement a similar solution for Linux users.

When we talk about forcing a user to log off, what we're really talking about is implementing time restrictions on the account for system access or services. The easiest way I've found to implement time restrictions is using a plug-in module called Linux-PAM.

Pluggable Authentication Modules (PAM) is a mechanism for authenticating users. Specifically, we're going to use the pam_time module to control timed access for users to services.

Using the pam_time module, we can restrict access to a system and/or specific applications at various times of the day, on specific days, or over various terminal lines. Depending on the configuration, you can use this module to deny access to individual users based on their name, the time of day, the day of the week, the service they're applying for, and the terminal from which they're making the request.

When using pam_time, you must terminate each line (or rule) in the /etc/security/time.conf file with a newline. You can comment each line with the pound sign (#), and the system will ignore that text until the newline.

Here's the syntax for a rule:

services;ttys;users;times

  1. The first field -- services -- is a logic list of PAM service names.
  2. The second field -- tty -- is a logic list of terminal names.
  3. The third field -- users -- is a logic list of users or a netgroup of users.
  4. The fourth field -- times -- indicates the applicable times.

Here's an example of a typical set of rules:

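login ; * ; bobby ; !MoTuWeThFr0800-2000   # applies to bobby: no logins Monday-Friday 0800-2000

login ; * ; root ; Al0000-2400   # applies to root: logins allowed at all times

http ; * ; bobby ; !MoTuWeThFr0800-2000   # same window for the http service

http ; * ; root ; Al0000-2400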

These rules restrict user bobby from logging on between the hours of 0800 and 2000, and they also restrict Internet access during these hours. Root would be able to log on at any time and browse the Internet at all times as well.

Note: The system logs errors in these rules via syslog(3).
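The rule matching described above, as an added example (not code from the original article or from Linux-PAM): a simplified Python model of how pam_time evaluates time.conf rules, following the time.conf(5) man page. The rule sets DENY_BOBBY and NOT_BOBBY are constructed, and netgroup entries are not modeled; the second set shows that a negated user field such as !bobby makes the rule apply to everyone except bobby.

```python
import re

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # datetime.weekday() order
GROUPS = {"Wk": DAYS[:5], "Wd": DAYS[5:], "Al": DAYS}

# Constructed sample rules (illustrative, not taken from a real host).
DENY_BOBBY = "login ; * ; bobby ; !MoTuWeThFr0800-2000  # applies to bobby only"
NOT_BOBBY = "login ; * ; !bobby ; MoTuWeThFr0800-2000   # applies to everyone except bobby"

def match_name(pattern, value):
    """Literal compare; the pattern may hold one '*' wildcard."""
    head, star, tail = pattern.partition("*")
    fits = len(value) >= len(head + tail) and value.startswith(head) and value.endswith(tail)
    return fits if star else pattern == value

def match_time(spec, now):
    """<days><HHMM>-<HHMM>; a day named twice is unset; end < start runs past midnight."""
    m = re.fullmatch(r"((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})", spec)
    if not m:
        raise ValueError(f"bad time spec: {spec!r}")
    marked = set()
    for tok in re.findall("..", m[1]):
        marked ^= set(GROUPS.get(tok, [tok]))  # symmetric difference toggles repeats
    start, end, hhmm = int(m[2]), int(m[3]), now.hour * 100 + now.minute
    today, prev = DAYS[now.weekday()], DAYS[now.weekday() - 1]
    if start < end:
        return today in marked and start <= hhmm < end
    return (today in marked and hhmm >= start) or (prev in marked and hhmm < end)

def logic_list(field, test):
    """Evaluate 'a | !b & c' strictly left to right (no operator precedence)."""
    result, op = None, None
    for tok in re.findall(r"[&|]|[^&|]+", field):
        if tok in ("&", "|"):
            op = tok
        else:
            val = test(tok.lstrip("!")) != tok.startswith("!")
            result = val if op is None else (result and val) if op == "&" else (result or val)
    return bool(result)

def allowed(rules, service, tty, user, now):
    """False if any rule matching service/tty/user has a time field that is false now."""
    rows = (re.sub(r"#.*|\s+", "", r) for r in rules.splitlines())  # drop comments, spaces
    for svc, ttys, users, times in (r.split(";") for r in rows if r):  # ValueError if malformed
        hit = all(logic_list(f, lambda p, v=v: match_name(p, v))
                  for f, v in ((svc, service), (ttys, tty), (users, user)))
        if hit and not logic_list(times, lambda s: match_time(s, now)):
            return False
    return True
```

Call `allowed(rules, service, tty, user, datetime_value)` with the text of a candidate time.conf before deploying it; a malformed rule raises ValueError here, whereas pam_time only reports it through syslog. pam_time applies these rules only to services whose /etc/pam.d entry lists it in the account stack (`account required pam_time.so`).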

Final thoughts

Linux offers a great deal of control over services, and it's pretty easy to use a module such as PAM to restrict access and control session usage if you take the time to enforce user restrictions.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
