Restrict folder sharing over cygwin sshd - cygwin

I recently installed a SSH server on my Windows 7 PC and created a separate user account for this. When i logged in using SSH, i could access all the windows directories.
/cygdrive/c
/cygdrive/d
/cygdrive/e
How do i prevent this user from accessing all the win directories other than its home directory under cygwin /home/chuck/ ?
Preferably i do not want the user to even view /cygdrive when the user types "mount".
Is there a easy way to do this?
I want to later allow remote users to log on to this machine and avoid messing up other things.I know i can setup a separate machine but this is a plan for later.

I don't know specifically about Cygwin but in Unix in general you could use the chroot.

try changing the group of the ssh_user_name to Guest, then specifically allow rwx perms for the Guest group through the security tab in Windows. I have not tried this before, which I am going to try soon. This should be easier than denying access to each drive by adding the ssh_user_name, which is highly inefficient if you have many drives like I do.
The reason why i chose guest is because by default it is denied all access, which makes it easier to specifically choose which drive you want the ssh_user_name to have access to.

Related

Raspberry Pi User Lockdown

I've been working with Pis for a few years now, but I've recently encountered something that I can't quite wrap my head around. I am working to set a few Pis as catalog machines for a local library, meaning that the patron user I created should only be able to access chromium from the desktop. Currently, I have denied the patron user all sudo permissions and locked down their access to their own file directories (execute only) and those of other users (no access). I have also disabled most of the desktop icons and further hidden x-terminal, so users won't accidentally stumble upon it. Luckily, these security measures will be acceptable for most of our users, but it isn't most users that concern me.
In some testing I've done so far, I've found that it is possible to use chmod u+rwx /home/USER on one's own user directory, even without sudo privileges. This obviously is not ideal, as it gives users that have sufficient pi experience the ability to modify anything within their directory. I then tried to limit chmod permissions in /bin to be executable by root users only, which worked perfectly to prevent patron from changing its own modifiers, but it also creates a boot loop on the initial login screen (Entering correct password generates blackscreen and reloads login screen).
Now that we've gotten that out of the way, I have a few questions, some for the furthering of this project, and some just to satiate my curiosity:
~Is there some reason that logging in to a user would call chmod?
~Is there any way to limit access to commands such as chmod that could potentially cause security threats?
~Are there any other breach possibilities that I have not considered? / Is there any way to protect against them?
And yes, I am aware that as long as a user has physical access to the Pi's, almost anything is possible through the USB ports, but the Pi's are unreachable, so I'm only looking for software workarounds.

Install software on Windows from Linux live usb

I'm a (noob) administrator of a little network. For business purpose I have some Windows 7 PCs and a 2008 Server.
While doing the setup, something has come to my mind: is it possible for a user without high privileges to install some kind of software using a live usb?
Ok, it's possible to reset admin password, manage partitions, etc. but can someone do that without change admin settings? just putting software in admin's (or else) directory and editing the windows register?
Thanks!
I would say: Yes. If someone manages to boot the machine from a live usb-stick, cd, dvd or whatever, he can:
Mount the disk with the windows-installation.
Read and Write to that disk.
Install software on that disk: Installing software is not much more than copying files from one place to another.
Possibly modify the registry: The registry must also be stored somewhere on the disc. If the user can access that file, he can modify it and therefore modify the registry (its another question if this are valid manipulations).
You can prevent access to the harddisk by using Windows 7 BitLocker.
It is not possible to mount the drive from a live system when it is activated:
Here is a guide how to do this:
BitLocker Guide

How to copy files on remote Windows to local Linux on a Linux machine?

Currently, I'm working on a local Linux machine. I'm trying to use scp or similar Linux command-line tools to copy files from a remote Windows machine to my local Linux. I did some searching and found that most of the solutions are for local Windows cases (like putty and winscp), which don't really help.
Please advise.Thank you.
[UPDATE] Solved by installing cygwin's sshd service on Windows.
If you really want to use SCP, you will need an SCP server (actually an SSH server) on the Windows machine.
For example freeSSHd.
You will need to choose one of the options based on your own needs, there are a number of similar tools and freeSSHd was the first in the list on Google. I've used the Bitvise SSH Server in the past but it is only free for non-commercial use.
They are usually very easy to set up. You install them the usual way and run them for the first time. Depending on the tool, they may pick up your existing Windows users or you may need to manually create some users with passwords within the tool. Then, armed with your PC's IP address, you should be able to connect to the PC using SSH from the Linux command line.
If the windows system has a shared folder you should be able access that with smbclient which is part of the terrific samba project.
Usually somthing like:
smbclient //winmachine/share
Possibly using the -U username options to specifiy the username on the windows box.
Once connected, you can use cd to change folders, and get to retrieve files.
If there is no file share.... I dunno. Create one?
Syntax for copying from remote Windows 10 machine with built-in SSH server. Note forward slashes and drive style. Domain is not necessary.
scp user#domain#example.com:c:/path/to/file.txt .

Changing root password in of Virtual Machine KVM

I was curious as DigitalOcean provide us with root password reset option, as I have been working towards virtualization about 3 months and never came across direct way to do so.
Like openstack offers such option only for xen, where as if I am not wrong Digital Ocean provides for KVM. Also proxmox and other stacks do not provide this option.
So I need to know how these guys managed to do so.
One thing I know is that if I can access the file system then I can edit the shadow file but, In virtual environment Machine is in templete form not in Open File system state.
I was wondering if there is any root backdoor in OS itself provided by DO using which they change password on request ?
Thanks
If you turn off your virtal machine, all you have is the whole "virtual hard drive" file on "real hard drive" in a real machine. It's a common file system that can be parsed and managed from outside with no problem (unless it is encrypted).
So there's no reason for you to NOT be able to access the filesystem of the virtual machine, including the shadow file.
This is typically done using cloudinit... No hackery involved

let users reboot from CL, or reboot from CL without being root

I am working on a kiosk gui, written in ruby/gtk and using ubuntu. I'd like to be able to reboot from within the ruby/gtk gui -- specifically, I want to let people who swipe administrative cards choose to reboot the machine as one of their administrative options. I do not want to give these users root access more generally. Is there a way to do one of the following:
1) reboot from command line without root permission, or
2) change/reduce the level of permission required to reboot from command line so I can let people click on a button to reboot without worrying about their broader access to the system, or
3) (I doubt this is possible) perhaps somehow from within gtk or however programmatically log in to root to use the reboot command without exposing the password to anyone who can view the source code.
You could configure your user to be allowed to use the shutdown command via sudo. That would probably do what you want.

Resources