O'Reilly Book Excerpts: Linux Security Cookbook

Secure Cooking with Linux, Part 2

by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

Editor's note: Last week's set of recipes from Linux Security Cookbook covered three basic security solutions to problems. This week, we offer recipes that fall into an intermediate-level category. Learn how to restrict access to network services by time of day, and how to use sudo to permit read-only access to a shared file.

Recipe 3.12. Restricting Access by Time of Day

Author's note: Most Linux systems control access to their network services using inetd or xinetd, two popular superdaemons. This recipe, excerpted from Chapter 3, "Network Access Control," demonstrates how to make inetd and xinetd restrict access to those services depending on the time of day.

Problem

You want a service to be available only at certain times of day.

Solution

For xinetd, use its access_times attribute. For example, to make telnetd accessible from 8:00 a.m. until 5:00 p.m. (17:00) each day:

/etc/xinetd.conf or /etc/xinetd.d/telnet:
service telnet
{
        ...
        access_times = 8:00-17:00
}

For inetd, we'll implement this manually using the m4 macro processor and cron. First, invent some strings to represent times of day, such as "working" to mean 8:00 a.m. and "playing" to mean 5:00 p.m. Then create a script (say, inetd-services) that uses m4 to select lines in a template file, creates the inetd configuration file, and signals inetd to reread it:

/usr/local/sbin/inetd-services:
#!/bin/sh
set -e   # stop if m4 fails, so a broken configuration is never installed
# Expand the template with the -D definitions passed on the command line
m4 "$@" /etc/inetd.conf.m4 > /etc/inetd.conf.$$
mv /etc/inetd.conf.$$ /etc/inetd.conf   # atomic replace of the live file
kill -HUP `pidof inetd`                 # make inetd reread its configuration

Copy the original /etc/inetd.conf file to the template file, /etc/inetd.conf.m4. Edit the template to enable services conditionally according to the value of a parameter, say, TIMEOFDAY. For example, the telnet service line that originally looks like this:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

might now look like:

ifelse(TIMEOFDAY,working,telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd)

which means "if TIMEOFDAY is working, include the telnet line, otherwise don't." Finally, set up crontab entries to enable or disable services at specific times of day, by setting the TIMEOFDAY parameter:

0  8 * * * /usr/local/sbin/inetd-services -DTIMEOFDAY=working
0 17 * * * /usr/local/sbin/inetd-services -DTIMEOFDAY=playing

Discussion

For xinetd, we can easily control each service using the access_times parameter. Times are specified on a 24-hour clock.

For inetd, we need to work a bit harder, rebuilding the configuration file at different times of day to enable and disable services. The recipe can be readily extended with additional parameters and values, as we do with TIMEOFDAY. Notice that the xinetd solution uses time ranges, while the inetd solution uses time instants (i.e., the minute that cron triggers inetd-services).
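As an added example, not code from the book, here is a small Python sketch of the selection the m4 template performs, plus a helper that works out which TIMEOFDAY value should currently be in effect from the cron instants, so the configuration can be rebuilt correctly after a reboot or a missed cron run. The template (including the finger line) and the mini ifelse renderer are constructed for illustration and handle only the three-argument ifelse form used above, not full m4.

```python
import re
from datetime import time

# Constructed inetd template in the recipe's convention: plain lines pass
# through unchanged, and "ifelse(TIMEOFDAY,<value>,<line>)" keeps <line>
# only when TIMEOFDAY is defined to <value>. The finger line is made up.
TEMPLATE = """\
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
ifelse(TIMEOFDAY,working,telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd)
ifelse(TIMEOFDAY,playing,finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd)
"""

# Matches only the three-argument ifelse form used in the recipe. This is a
# hypothetical mini-renderer for that subset, not a substitute for m4.
IFELSE = re.compile(r"^ifelse\((\w+),(\w+),(.*)\)$")


def render(template, defs):
    """Return the service lines inetd would read for the given -D definitions.
    An undefined parameter equals no value, so its lines are dropped: a
    service appears only when explicitly selected (the safe default)."""
    out = []
    for line in template.splitlines():
        m = IFELSE.match(line)
        if m is None:
            out.append(line)
            continue
        param, wanted, service_line = m.groups()
        if defs.get(param) == wanted:
            out.append(service_line)
    return out


# The recipe's crontab: hour at which each TIMEOFDAY value is applied.
SCHEDULE = {8: "working", 17: "playing"}


def timeofday_now(now, schedule=SCHEDULE):
    """Value that should be in effect at 'now'. cron only rewrites the file at
    the scheduled instants, so after a reboot or a missed run the config may
    be stale; a boot script can re-run inetd-services with this value.
    Before the first instant of the day, the last instant of the previous
    day still applies (here 'playing')."""
    current = schedule[max(schedule)]
    for hour in sorted(schedule):
        if now >= time(hour, 0):
            current = schedule[hour]
    return current


if __name__ == "__main__":
    print(render(TEMPLATE, {"TIMEOFDAY": timeofday_now(time(10, 0))}))
```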

See Also

xinetd.conf(5), inetd.conf(5), m4(1), crontab(5).

©2010, O'Reilly Media, Inc.