Differences

This shows you the differences between two versions of the page.

docs:guide-user:security:secure.access [2023/09/15 10:53] – [Elevating privileges with sudo] vgaetera
docs:guide-user:security:secure.access [2023/09/15 16:33] – [Elevating privileges with sudo] split vgaetera
Line 63: Line 63:
 If you require remote SSH access, follow the hardening instructions on SSH mentioned above. If you require remote SSH access, follow the hardening instructions on SSH mentioned above.
  
-===== Creating an unprivileged user ===== +===== Protecting PPP credentials ===== 
-Create an unprivileged test user and set him a password.+When using PPP, protect its credentials from unprivileged users.
  
 <code bash> <code bash>
-# Install packages +PPP_IF="wan" 
-opkg update +PPP_USER="$(uci -q get network.${PPP_IF}.username)" 
-opkg install shadow-useradd +PPP_PASS="$(uci -q get network.${PPP_IF}.password)" 
- +cat << EOF >> /etc/ppp/options 
-# Create a user +user ${PPP_USER}
-useradd -m -s /bin/ash test +
- +
-# Set user password +
-passwd test +
-</code> +
- +
-Or add the user by hand using a unique UID and GID+
- +
-<code bash> +
-# Edit configs +
-vi /etc/passwd +
-vi /etc/group +
-vi /etc/shadow +
- +
-# Create home directory +
-mkdir -p /home/test +
- +
-# Set permissions +
-chown test:test /home/test +
- +
-# Set user password +
-passwd test +
-</code> +
- +
-Check the resulting configs. +
- +
-<code bash> +
-# Check configs +
-> grep -e test /etc/passwd /etc/group /etc/shadow +
-/etc/passwd:test:x:1000:1000::/home/test:/bin/ash +
-/etc/group:test:!:1000: +
-/etc/shadow:test:$1$uPzGJ3jI$n7ld4E73SPsIx0QTXPMfu1:19615:0:99999:7::: +
-</code> +
- +
-See also: +
-[[man>useradd]], +
-[[man>passwd]] +
- +
-===== Elevating privileges with sudo ===== +
-Create a privileged group and become its member. +
-Grant root privileges to the group with sudo. +
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install shadow-groupadd shadow-usermod sudo +
- +
-# Create sudo group +
-groupadd -r sudo +
- +
-# Add user to group +
-usermod -a -G sudo test +
- +
-# Configure sudoers +
-cat << EOF > /etc/sudoers.d/00-custom +
-%sudo ALL=(ALLALL +
-EOF +
-</code> +
- +
-See also: +
-[[man>groupadd]], +
-[[man>usermod]], +
-[[man>sudo]], +
-[[man>visudo]] +
- +
-===== Protecting pppd credentials ===== +
-When using pppd, protect its credentials from unprivileged users. +
- +
-<code bash> +
-cat << "EOF>> /etc/ppp/options +
-user <username>+
 EOF EOF
-cat << "EOF>> /etc/ppp/chap-secrets +cat << EOF >> /etc/ppp/chap-secrets 
-<username> <password>+${PPP_USER} ${PPP_PASS}
 EOF EOF
-cat << "EOF>> /etc/ppp/pap-secrets +cat << EOF >> /etc/ppp/pap-secrets 
-<username> <password>+${PPP_USER} ${PPP_PASS}
 EOF EOF
 chmod go-rw /etc/ppp/*-secrets chmod go-rw /etc/ppp/*-secrets
-uci delete network.wan.username +uci -q delete network.${PPP_IF}.username 
-uci delete network.wan.password+uci -q delete network.${PPP_IF}.password
 uci commit network uci commit network
 /etc/init.d/network restart /etc/init.d/network restart
 </code> </code>
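Review bot: The new block never checks that the two `uci -q get` calls returned anything: if `network.wan` is not a PPP interface or carries no credentials, `PPP_USER` and `PPP_PASS` are empty and the script still appends `user ` to /etc/ppp/options and a blank line to both secrets files before the (silent) `uci -q delete`. Guard the writes with something like `[ -n "${PPP_USER}" ] && [ -n "${PPP_PASS}" ] || exit 1` right after the two `uci -q get` lines. Two smaller points on the same block: the values go into chap-secrets and pap-secrets unquoted, so a username or password containing whitespace would not survive the space-separated secrets format (writing them as `"${PPP_USER}" "${PPP_PASS}"` avoids that), and every `>>` append is non-idempotent, so running the snippet twice leaves duplicate entries. On the removed side, the sudoers line `%sudo ALL=(ALLALL` had lost its closing parenthesis and second `ALL`; since that section is being split out rather than dropped, make sure the moved copy reads `%sudo ALL=(ALL) ALL`.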
  
  • Last modified: 2023/09/15 17:59
  • by vgaetera