
Re: Limiting User Commands



On Sun, 7 Nov 2004 14:41:42 -0500, Stephen Gran <sgran@debian.org> wrote:
> apt-get remove --purge ftp telnet wget gcc
> rm /usr/bin/ssh /usr/bin/scp

Unfortunately, I can't do that since I still want some users to be
able to access those commands. I just want to restrict access to those
commands from most users. I could install those utilities into another
directory and set appropriate permissions, but I'd also like system
accounts to be able to use them, which complicates matters...
 
> Note that neither my approach nor yours really stops someone who is
> determined - all of the functionality of the above programs could be
> replicated in perl, python, etc, so you've only made it difficult, not
> impossible.  Then there is ~/bin, where users can stash anything they
> like, if you don't also regularly search /home for questionable files.
> Even mounting it noexec isn't really a help - perl /path/to/script works
> as well as /lib/ld-linux.so.2 /path/to/binary

I understand that users could still upload their own programs and run
them, but users will do so at the risk of account suspension.
 
> Does not help at all for your original problem, I'm afraid.  It looks to
> me like what you want is filesystem acl's or SELinux to totally lock
> things down, but others are going to be more helpful with those than I
> will.

Well, after a couple of people mentioned filesystem ACLs, I took a
look at them. They might be able to accomplish what I need, but I'll
have to read more of the documentation.

-Stephen Le
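
An added example, not part of the original message: a small audit of the two things discussed in the thread, whether the named commands are still executable by every user and which files under home directories carry an execute bit. The command list comes from the thread; the function names, output labels, and the directory and group in the usage comment are assumptions. Only mode bits and group ownership are checked, not ACL entries.

```shell
#!/bin/sh
# Added example (not from the thread). Command names come from the thread;
# the function names, labels, directory and group are assumptions.
RESTRICTED="ftp telnet wget gcc ssh scp"

# audit_restricted DIR GROUP
# For each restricted command present in DIR print one of:
#   OPEN <path>        any user can execute it (other-execute bit set)
#   WRONGGROUP <path>  closed to "other", but its group is not GROUP
#   OK <path>          closed to "other" and owned by GROUP
# Symlinks are followed (-L) so the real binary's mode is what gets checked.
audit_restricted() {
    dir=$1
    group=$2
    for name in $RESTRICTED; do
        path="$dir/$name"
        [ -f "$path" ] || continue
        # find prints the path only when the other-execute bit (001) is set
        if [ -n "$(find -L "$path" -prune -perm -001)" ]; then
            echo "OPEN $path"
            continue
        fi
        owner_group=$(ls -ldL "$path" | awk '{print $4}')
        if [ "$owner_group" = "$group" ]; then
            echo "OK $path"
        else
            echo "WRONGGROUP $path"
        fi
    done
}

# user_executables HOME_ROOT
# Lists regular files under HOME_ROOT with any execute bit set (e.g. ~/bin).
# A script run as "perl /path/to/script" needs no execute bit, so this is
# only a partial signal, as the thread points out.
user_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Usage (directory and group are placeholders):
#   audit_restricted /usr/bin netutils
#   user_executables /home
```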


