Re: Limiting User Commands
On Mon, Nov 08, 2004 at 03:14:53AM +0200, firstname.lastname@example.org wrote:
> > On Fri, Nov 05, 2004 at 07:53:33PM +0200, email@example.com wrote:
> >> >In regards to the latter method, would it be possible for me to change
> >> >the group ownership of the commands I don't want users to have access to
> >> >and revoke execute permission from that group?
> >> Yes, you can make something like that: addgroup(access), then change
> >> groupname of commands that you want with that group (access), remember to
> >> remove "execute/search by others" from commands that are with
> >> group(access), also don't forget to add group(access) to every user that
> >> you want to have access to these commands.
> > The only problem with this approach would be that you'd revoke it from
> > system accounts too, not just your users. It might break in unexpected
> > places.
> > It seems to me that this should be possible with SELinux. What you need
> > would be a role for your users where they are only able to run the
> > commands you want them to run, whereas system accounts would remain
> > unblocked.
> You just need to add group(access) to those system accounts that you want
> or that you think that they'll break in unexpected places... Don't you
Yes, that would work, but only for as long as you don't add other system
accounts. This would mean that you would have to remember to check
whether a newly-installed package created a new system account, and if
so, that you have to add it to the group, if required. I think this
would probably break at some point, whereas the same is not true with
the SELinux setup (additionally, this will give you increased security,
which is nice too).
smog | bricks
AIR -- mud -- FIRE
soda water | tequila
-- with thanks to fortune
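
The maintenance gap raised in this reply (a newly installed package creates a system account that nobody adds to the group) can be checked for after each package install. The script below is an added example, not part of the original message; it assumes the gating group is named "access" as in the thread, that system accounts have UIDs 1 to 999, and that root can be skipped because it is not bound by the permission bits. The sample passwd and group data are constructed.

```shell
#!/bin/sh
# List system accounts that are neither members of the gating group nor have
# it as their primary group. Usage (hypothetical function name):
#   unlisted_system_accounts GROUP [PASSWD_FILE] [GROUP_FILE] [FIRST_USER_UID]
unlisted_system_accounts() {
    group=$1; passwd_file=${2:-/etc/passwd}; group_file=${3:-/etc/group}
    awk -F: -v grp="$group" -v max="${4:-1000}" '
        # First file (group database): remember gid and members of grp.
        FNR == NR {
            if ($1 == grp) {
                found = 1; gid = $3 + 0
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        # Second file (passwd database): non-root accounts below max.
        $3 + 0 > 0 && $3 + 0 < max + 0 &&
            !($1 in member) && !(found && $4 + 0 == gid) { print $1 }
        # Exit status 2 means the group itself does not exist.
        END { exit found ? 0 : 2 }
    ' "$group_file" "$passwd_file"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data, not taken from a real system.
    cat > "$dir/group" <<'EOF'
root:x:0:
access:x:1500:www-data,alice
mail:x:8:
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
backup:x:34:1500:backup:/var/backups:/bin/sh
postfix:x:102:102::/var/spool/postfix:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
    unlisted_system_accounts access "$dir/passwd" "$dir/group"
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```

Each name it prints is a system account that will lose execute access to the restricted commands until someone decides whether it belongs in the group.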