There is a way to protect different directories with different username/password under Lighttpd server.

If you use different userfile files for authenticating in different directories, you can attach each to the correct directory by using conditionals.

Let us see how to protect two different directories using conditionals directives:
/docs/ with username tom
/sales/ with username jerry

Open lighttpd configuration file:
# vi lighttpd.conf
Make sure mod_auth is loaded:
server.modules += ( "mod_auth" )
Now add first conditionals directive to protect /docs/:

$HTTP["url"] =~ "^/docs/" {
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword-DOCS"
auth.require = ( "/docs/" =>
 	(
	"method" => "basic",
	"realm" => "Password protected area",
	"require" => "user=tom"
	)
   )
}

Add second conditionals directive to protect /sales/:

$HTTP["url"] =~ "^/sales/" {
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword-SALES"
auth.require = ( "/sales/" =>
 	(
	"method" => "basic",
	"realm" => "Password protected area",
	"require" => "user=jerry"
	)
   )
}

Save and close the file. Now create a password for tom user:
# vi /home/lighttpd/.lighttpdpassword-DOCS
Append username:password for tom:
tom:TomsPassword
Save and close the file. Also, create a password for jerry user:
vi /home/lighttpd/.lighttpdpassword-SALES
Append username:password for jerry:
jerry:JerrysPassword
Save and close the file. Restart lighttpd:
# /etc/init.d/lighttpd restart

Security is an important aspect of the IBM AIX operating system. Follow along with this quick reference guide on AIX user security commands to learn more.

From the article:

AIX provides a vast array of commands to handle user and group management. This article discusses some of these core security commands and provides a list that you can use as a ready reference. The behavior of these commands should be identical in all releases of AIX.

=> AIX security commands

rssh is a restricted shell for providing limited access to a host via ssh. It also allows system wide configuration and per user configuration. From the man page:
The user configuration directive allows for the configuration of options on a per-user basis. THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS FOR THE SPECIFIED USER. That is, if you use a user keyword for user foo, then foo will use only the settings in that user line, and not any of the settings set with the keywords above. The user keyword’s argument consists of a group of fields separated by a colon (:), as shown below. The fields are, in order:

• username : The username of the user for whom the entry provides options
• umask : The umask for this user, in octal, just as it would be specified to the shell access bits. Five binary digits, which indicate whether the user is allowed to use rsync, rdist, cvs, sftp, and scp, in that order. One means the command is allowed, zero means it is not.
• path : The directory to which this user should be chrooted (this is not a command, it is a directory name).

rssh examples of configuring per-user options

Open /etc/rssh.conf file:
# vi /etc/rssh.conf
All user tom to bypass our chroot jail:
user=tom:077:00010
Provide jerry cvs access with no chroot:
user=jerry:011:00100
Provide spike rsync access with no chroot:
user=spike:011:10000
Provide tyke access with chroot jail located at /users
user="tyke:011:00001:/users" # whole user string can be quoted
if your chroot_path contains spaces, it must be quoted. Provide nibbles scp access with chroot directory:
user=nibbles:011:00001:"/usr/local/tv/shows/tom and jerry"

Recommended readings:

=> rssh home page
=> Redhat specific chroot jail script (outdated)
=> Refer man pages: rssh.conf, rssh, ssh, sshd, sftp, scp, rsync, sshd_config

I was writing and testing few python scripts (yes I’m moving lot of stuff from shell / perl to python these days) and accidentally I renamed my own user account from vivek to test. However, I did not noticed change until I rebooted my box. Now I cannot run sudo (or become a root user) and cannot access special devices such as sound or video.

By default your first account has all power via sudo under Ubuntu Linux. There is a special group called adm and admin which grants unlimited power via sudo.

The only solution was to boot computer in emergency mode (reboot computer and at grub menu select recovery mode kernel), open /etc/group file and add user vivek to admin and adm group:
# vi /etc/group
Add user vivek to admin and adm group:
admin:x:117:vivek
adm:x:4:vivek

Save and close the file.

Now I’m able to run sudo and do other stuff. Luckily, my scripts always backup critical files before modification. So I was able to restore permission instantly. Here is my group membership with all power and glory 😉
$ id
$ groups
Output:

vivek adm dialout cdrom floppy audio dip video plugdev scanner netdev lpadmin powerdev admin

Under Linux password related utilities and config file(s) comes from shadow password suite. The /etc/login.defs file defines the site-specific configuration for this suite. This file is a readable text file, each line of the file describing one configuration parameter. The lines consist of a configuration name and value, separated by whitespace.

You need to set default password expiry using /etc/login.defs file (password aging controls parameters):

1. PASS_MAX_DAYS : Maximum number of days a password may be used. If the password is older than this, a password change will be forced.
2. PASS_MIN_DAYS : Minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected
3. PASS_WARN_AGE : Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.

Open file /etc/login.defs using text editor:
# vi /etc/login.defs
Setup (sample) values as follows:
PASS_MAX_DAYS 30
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
Close and save the file.

See also:

• Understanding /etc/shadow file
• Read man page of login.defs for more information.

Please note that much of the functionality that used to be provided by the shadow password suite is now handled by PAM suite. Next time I will write about PAM configuration.

For security reason you must enable Password expiry policy on FreeBSD box. Linux comes with chage command, which changes the number of days between password changes and the date of the last password change.

FreeBSD pw command

Use pw command to setup password expiry date for existing user account. Syntax is as follows:
pw user mod USERNAME -p DD-MMM-YY

Where,

• -p DD-MMM-YY: Set the account’s password expiration date.

For example, expire user rocky’s password on 31-Mar-2006:
# pw user mod USERNAME -p 31-mar-06
Use pw command to setup password expiry while creating new user account.
pw user add USERNAME -p DATE -e DAYS:
Where,

• -p DAYS: Set default account expiration period in days
• -e DAYS: Set the account’s expiration date.

For example create a user called didi and Set the default password expiration to 30 days.
# pw user add didi -p 30 -d /home/didi -m
# passwd didi
This is good if you have small number of users. For large installation base (such as University computers) you need to define user login class. With login class you can control the following :

• Resource limits
• Accounting limits
• Authentication limits
• Default user environment settings.

You need to use autofs. It is use to mount file system on demand. Usually autofs is invoked at system boot time with the start parameter and at shutdown time with the stop parameter. The autofs script can also manually be invoked by the system administrator to shut down, restart or reload the automounters.

autofs will consult a configuration file /etc/auto.master to find mount points on the system.

i) Install autofs if not installed. if you are using Debian / Ubuntu Linux, enter:
# apt-get install autofs
ii) Create dekstop group and add user jimmy to this group:
# groupadd desktop
# usermod -G video,desktop jimmy
# chmod -R a+rx /var/autofs/misc

iii) Configure autofs so that usb stick can be accessed:
# vi /etc/auto.misc

iv) Append following text to auto.misc:
usb -fstype=auto, user, sync, nodev, nosuid, gid=desktop, umask=002 :/dev/sda1
d -fstype=vfat, user, sync, nodev, nosuid,gid=desktop, umask=002 :/dev/hda2
Where,

• usb : Is directory name, which can be accessed via /var/autofs/misc/usb directory. User in desktop group just need to type cd command (cd /var/autofs/misc/usb) to change the directory.
• -fstype- auto, user, sync, nodev, nosuid, gid-desktop, umask-002 :- All these are options used to mount the file system by automounter.
• auto: File system is automatically determined by kernel.
• user: Normal user are allowed to mount devices
• nodev: Do not interpret character or block special devices on the file system.
• nosuid: Do not allow set-user-identifier or set-group-identifier bits to take effect. This is security feature.
• gid=desktop: This allows file system mounted as as group dekstop. As we have added user jimmy to this group already.
• umask=002: Setup umask so that users in group desktop can write data to device.

Please note that without gid and umask option normal user cannot write data to device.

v)Restart the autofs:
#/etc/init.d/autofs restart
vi) Test it as user jimmy (make sure usb stick/pen is inserted into usb port):
$ ls /var/autofs/misc/usb
$ cd /var/autofs/misc/usb
$ mkdir testdir
$ ls -l