A question regarding Linux security: An expiration time field in security token?
natasha
07-26-2006, 05:27 AM
Good evening,
In Windows' access token there's a field, present since Windows NT 3.1 but currently unused, which sets the expiration time for a security context.
When I found out about it, I imagined such situations in which it could be useful, e.g.: you set an account to expire, the account is still logged in when it expires, and the account can still access system resources. The only way you have is forcing an explicit logoff.
Do you know if there's such a possibility in Linux's security tokens? If yes, how can one access it programmatically?
Kisses,
Nat
bwkaz
07-26-2006, 06:28 PM
There's no such thing in Linux as a "security token", at least not that I know of. The equivalent of Windows' token is your process's UID/primary GID/supplementary GIDs, which you can look at from various system calls. But there's nothing that uses those for security. If you have Kerberos set up, then you have some tickets stored in a file in your home directory, but those tickets already expire (and you have to reauthenticate to the KDC to renew them). So that might work, but most people probably don't run Kerberos.
Apart from Kerberos, there's no way to do that AFAIK. Once a process is running as a user, it can spawn any number of other processes (subject to the current ulimit in effect for that user) as that user, and AFAIK there's no way to put a time limit on that capability.
However, you can kill off the user's shell at a certain time, using at and a shell script. Various options to the ps command would probably be helpful, to get the list of PIDs to kill, then of course the kill command. Probably not foolproof, though; there's a race between getting the list of processes to kill and actually killing them.
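The "at plus a kill script" approach from the post above, written out as an added example (this is not code from the thread or from any poster). It assumes a procps-style `ps` that accepts `-eo pid=,uid=`, a POSIX `sh`, and that the job is queued as root so it may signal another account's processes; the function and script names are mine. It matches on numeric UID rather than user name so truncated names in `ps` output cannot cause a miss, re-scans after each pass to narrow the list-then-kill race the post mentions, and refuses to target UID 0 so a typo in the `at` job cannot take down the whole box.

```sh
#!/bin/sh
# Added example: force a logged-in account off the system at a given time
# by killing every process it owns, queued with at(1).
# Assumptions (mine, not the thread's): procps-style ps, POSIX sh, run as root.

# pids_with_uid UID: read "pid uid" pairs on stdin (the shape of
# `ps -eo pid=,uid=`) and print the PIDs owned by UID, space separated.
# Split out from the live scan so the filter can be tested on constructed input.
pids_with_uid() {
    awk -v u="$1" '$2 == u { printf "%s%s", (n++ ? " " : ""), $1 } END { print "" }'
}

# is_safe_target USER: succeed only for an existing account that is not UID 0.
is_safe_target() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# kill_user_processes USER: SIGTERM everything USER owns, then SIGKILL what is
# left. Re-scans after every pass because a shell can fork between the listing
# and the kill (the race the post describes); bounded so it cannot spin forever.
kill_user_processes() {
    user=$1
    is_safe_target "$user" || { echo "refusing to target '$user'" >&2; return 2; }
    uid=$(id -u "$user")
    for sig in TERM KILL; do
        tries=0
        while :; do
            pids=$(ps -eo pid=,uid= | pids_with_uid "$uid")
            [ -z "$pids" ] && break
            # shellcheck disable=SC2086  # word splitting of the PID list is intended
            kill -s "$sig" $pids 2>/dev/null
            tries=$((tries + 1))
            [ "$tries" -ge 5 ] && break
            sleep 1
        done
    done
    # Report success only if nothing owned by the account survived.
    [ -z "$(ps -eo pid=,uid= | pids_with_uid "$uid")" ]
}

# schedule_logoff USER TIME: queue the kill with at(1), e.g. "23:00" or
# "now + 8 hours". at(1) runs the job as whoever queued it, so queue it as root.
schedule_logoff() {
    printf '%s kill %s\n' "$(readlink -f "$0")" "$1" | at "$2"
}

case "$1" in
    kill)     kill_user_processes "$2" ;;
    schedule) schedule_logoff "$2" "$3" ;;
esac
```

Usage: `sudo ./expire-session.sh schedule alice 23:00`. Two caveats a practitioner should keep in mind: killing the processes does not invalidate anything the account already holds, such as a Kerberos ticket cache on disk, and a process that has switched to another UID (a setuid helper, or a `su` to a second account) is not owned by the target UID any more and survives the sweep. On a systemd host, `loginctl terminate-user alice` does the same job per session without the hand-rolled scan.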
dkeav
07-28-2006, 01:07 AM
If you are just looking for mandatory access controls, SELinux, which is rather complex, might be something to look into. Outside of that, locally only filesystem ACLs and process MAC with SELinux will really provide much help; network-wise, Kerberos is a "token/ticket" system, as bwkaz alluded to.
Obviously Unix is not Windows, so if you can tell us the basic goal you are looking to accomplish, we can more easily tell you how to accomplish it.
EDIT: Oh yeah, grsecurity is another option; basically the same as SELinux but with some different approaches and enhancements, and possibly less complexity in implementation.
http://www.grsecurity.net/