‎01-30-2015 01:12 PM
My error code is -2147220623.
I have this error only if I wire the IP Reset and UI Desktop Environment properties.
Yes, the error is expected. Do not use those properties with a cRIO-9068.
If you look at the error code explanation you will see that these two properties are not supported for your type of cRIO:
NI System Configuration: (Hex 0x80040371) The property does not exist for this resource.
* IP Reset is a legacy property that only applies to older cRIO models like cRIO-902x, cRIO-907x, ...
* UI Desktop Environment is a property that only applies to the newer cRIO-903x Atom based x64 controllers and it is used to enable the video display.
‎02-02-2015 03:30 AM
Sorry,
Why is there no "Disable LabVIEW project access" in the System Hardware properties?
Where do I find and change this?
Manuel
‎02-04-2015 03:43 PM
It looks like that's missing from the properties you can set, which is a bug. I've filed it in the bug tracker. Thanks for bringing it up.
‎02-15-2015 10:47 PM
I have more questions.
I don't understand the following behavior.
1) I created a new account via the browser. This account must be limited.
I have deleted all permissions from the everyone group, apart from Reboot and "GetSystemConfiguration".
I have added FSRead and GetDB to the "users" group.
I have added the users group permissions to the new account.
If I use this account via the browser, everything is OK. I can't write/create anything.
But if I connect via an SSH shell (I use putty.exe), this account CAN write/create in all folders of the system where the everyone write permission is true.
This behavior is strange. I have created an account with limited access because I need to give my client two levels of security: the admin and the guest account. The guest account has to have read-only access.
Is this normal?
How can I block SSH access for a specific client, or enable SSH only for admin?
2) WebDAV
Why, when downloading files, does it not use the account that I logged in with?
I see that all downloaded files have another owner and group.
In particular, the owner is "webni" and the group is "ni".
If the destination is not compatible with this owner or group, I can't download a file even though I used the correct account.
Is this normal?
Why do I not see the webni account in the browser?
Are there other hidden accounts?
‎02-16-2015 01:19 PM
How can I block SSH access for a specific client, or enable SSH only for admin?
We don't currently have a way to restrict SSH access from either the web based configuration page (WIF) or MAX. If SSH is enabled, then all users who can log into WIF can also SSH to a target. However, only the `admin` user and members of the `administrators` group have privileged access to the file system. All other users have more limited access to files.
It's possible to restrict access by editing SSHd's config file from the console in a text editor. For example, appending "AllowUsers admin" to /etc/ssh/sshd_config should produce the desired behavior. There are similar directives for group restrictions, and it's also possible to blacklist instead of whitelist accounts and restrict by client hostname/address. See http://www.unixlore.net/articles/five-minutes-to-even-more-secure-ssh.html for more info. However, keep in mind that changing /etc/ssh/sshd_config only affects run mode. The SSHd config file, like the rest of /etc/*, reverts back to default while in safe mode. E.g., if the target boots back into safe mode for software install/upgrade or perhaps due to some error, then all users will regain log-in access.
I have added FSRead and GetDB to the "users" group.
I have added the users group permissions to the new account.
The file system only observes user/group ownership and file permission flags when determining who can access files. NI-Auth permissions, like FSRead and GetDB, only apply to web-based (HTTP/S) access to the system.
FSRead allows users to read files via WebDAV and GetDB allows reading of the password database (i.e. password hashes, incl. admin's password hash). I highly recommend only giving system administrators GetDB and SetDB permissions. With GetDB, an otherwise unprivileged user could extract admin's password hash and crack it over time, then root the system. With SetDB, they could change any other user's password (incl. admin's) directly from the WIF.
I see that all downloaded files have another owner and group.
In particular, the owner is "webni" and the group is "ni".
WebDAV is hosted out of the NI System Web Server (SWS), which runs as user `webserv` and group `ni`. So any file created via WebDAV inherits those file system permissions from the SWS process. What you are seeing is expected behavior.
Furthermore, the only files accessible via WebDAV are those accessible by SWS itself. Since SWS runs as an unprivileged user on NI Linux RT, there are areas of the file system that WebDAV cannot access. This is much different than NI's VxWorks and ETS/PharLAP systems, which run on permission-less file systems.
You can read more about NI's WebDAV service here: http://digital.ni.com/public.nsf/allkb/4EBE45E8A816B19386257B6C0071D025
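The reply above makes three points that are easy to get wrong by hand: the sshd "AllowUsers admin" edit, the fact that a non-admin SSH session is governed only by Unix file permissions (so anything world-writable is still writable by the "read-only" web account), and that WebDAV runs as the SWS user and group. The following shell script is an added example, not code from this thread or from NI Linux RT, that puts those three steps into functions which can be tried on a temporary copy before touching a target. It assumes the web server group is `ni` and the application user is `lvuser` (both are parameters, and the chown is skipped when those accounts do not exist on the host running the script), and that sshd reads /etc/ssh/sshd_config as stated in the reply.

```sh
#!/bin/sh
# Added example (not from the NI thread or NI Linux RT). Implements the three
# recommendations from the reply above as functions that take paths as
# parameters, so they can be exercised on a scratch directory first.
# Assumed names: web server group `ni`, application user `lvuser`.

# 1. Append "AllowUsers admin" to an sshd_config once (idempotent). AllowUsers
#    is a whitelist, so every other account is refused at login. Remember the
#    caveat from the reply: /etc/ reverts to defaults in safe mode, so this
#    must be re-applied after a safe-mode boot or software install.
restrict_ssh_to_admin() {
    cfg="$1"
    if ! grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+admin([[:space:]]|$)' "$cfg"; then
        printf '\n# added: only admin may log in over SSH\nAllowUsers admin\n' >> "$cfg"
    fi
}

# Print the effective AllowUsers list (all AllowUsers lines merged, as sshd
# does); prints an empty line when no restriction is configured.
ssh_allowed_users() {
    awk '$1=="AllowUsers"{for(i=2;i<=NF;i++){printf "%s%s",(n++?" ":""),$i}} END{print ""}' "$1"
}

# 2. Audit: list files and directories writable by "other" below a path.
#    A non-admin SSH session on NI Linux RT is bound only by these Unix bits,
#    not by NI-Auth permissions, so this is exactly where a "read-only" web
#    account could still create or modify files over SSH. Sticky directories
#    (/tmp style) are excluded; -xdev keeps the walk off /proc, /sys, etc.
world_writable() {
    find "$1" -xdev \( -type f -o \( -type d ! -perm -1000 \) \) -perm -0002 2>/dev/null | sort
}

# 3. Log directory for files the application writes and a client downloads
#    over WebDAV: owned by the application user, group set to the web server's
#    group, mode 0750. The SWS process (group `ni`) can read and serve the
#    files to an FSRead user, but cannot create or modify anything here.
#    chown is attempted only when the user and group exist on this host.
setup_log_dir() {
    dir="$1"; owner="$2"; grp="$3"
    mkdir -p "$dir"
    chmod 0750 "$dir"
    if id "$owner" >/dev/null 2>&1 && getent group "$grp" >/dev/null 2>&1; then
        chown "$owner:$grp" "$dir"
    fi
}

# Returns 0 when the directory has exactly mode 0750.
log_dir_mode_ok() {
    [ -n "$(find "$1" -prune -perm 0750)" ]
}

# Demo on a scratch directory with a constructed two-line sshd_config.
demo() {
    tmp=$(mktemp -d)
    printf 'Port 22\nPasswordAuthentication yes\n' > "$tmp/sshd_config"
    restrict_ssh_to_admin "$tmp/sshd_config"
    echo "AllowUsers now: $(ssh_allowed_users "$tmp/sshd_config")"
    setup_log_dir "$tmp/logs" lvuser ni
    touch "$tmp/leaky"; chmod 666 "$tmp/leaky"
    echo "world-writable under $tmp:"; world_writable "$tmp"
    rm -rf "$tmp"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the functions work on a scratch directory; on a target you would call `restrict_ssh_to_admin /etc/ssh/sshd_config`, run `sshd -t` to validate the result before restarting sshd, and run `world_writable /` to see which paths a non-admin SSH login could still modify. Because an AllowUsers line survives only in run mode, keeping the script on the target and re-running it after any safe-mode boot is the practical way to make the restriction stick.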
‎02-16-2015 11:01 PM
Thank you for your reply.
I have created the client account only to download the log files of my application (they are acquisition data).
The correct configuration is (correct me if necessary):
I have seen another post where the question is "Downsizing the default RT Linux installation".
I have the same question. Is it possible to delete the accounts that are not used?
Without doing great harm.
Thank you
Manuel
‎02-17-2015 12:57 PM
- I delete GetDB from the users group
- I delete SSH access, via the checkbox. I can't risk losing everything if the system starts in safe mode.
- What else?
I also would do the following, if you haven't already:
Delete all permissions from the "everyone" group, including "Reboot" and "GetSystemConfiguration" permissions. The everyone group includes anonymous users, so any permission given to that group is granted to everyone with network access to your system. For example, any client that can ping your target could also reboot it without logging in if "Reboot" is granted to "everyone".
You can grant permission on a per user basis instead of per group from the Users tab of the Security Configuration page. Click the Add button under the group permissions section and select the desired permission(s) to add.
I have created the client account only to download the log files of my application (they are acquisition data).
Consider not granting "GetSystemConfiguration" to "client". From the above description, it sounds like this user only downloads log files from the system via WebDAV, so "FSRead" should be sufficient for that task.
I don't think "GetSystemConfiguration" returns any sensitive data, but it's just good practice to follow the principle of least privilege.
I have seen another post where the question is "Downsizing the default RT Linux installation".
I have the same question. Is it possible to delete the accounts that are not used?
Without doing great harm.
I can't click on your link, but I think you're referring to https://decibel.ni.com/content/thread/27286/.
We don't provide a way from either WIF (web-based configuration) or MAX to remove system accounts at this time. However, all system accounts, including the "root" user, are disabled in the NI Linux RT distribution. It's not possible to log in as any of those users via network protocols like WebDAV, SSH, MAX, etc.