[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Limiting User Commands

On Mon, Nov 08, 2004 at 03:14:53AM +0200, ea@sellinet.net wrote:
> > On Fri, Nov 05, 2004 at 07:53:33PM +0200, ea@sellinet.net wrote:
> >> >In regards to the latter method, would it be possible for me to change
> >> >the group ownership of the commands I don't want users to have access
> >> to
> >> >and revoke execute permission from that group?
> >>
> >> Yes, you can make something like that: addgroup(access), then change
> >> groupname of commands that you want with that group (access), remember
> >> to
> >> remove "execute/search by others" from commands that are with
> >> group(access), also don't forget to add group(access) to every user that
> >> you want to have access to this commands.
> >
> > The only problem with this approach would be that you'd revoke it from
> > system accounts too, not just your users. It might break in unexpected
> > places.
> >
> > It seems to me that this should be possible with SELinux. What you need
> > would be a role for your users where they are only able to run the
> > commands you want them to run, whereas system accounts would remain
> > unblocked.
> You just need to add group(access) to that system accounts that you want
> or that you think that they'll break in unexpected places... Don't you
> think?

Yes, that would work, but only for as long as you don't add other system
accounts. This would mean that you would have to remember to check
whether a newly-installed package created a new system account, and if
so, that you have to add it to the group, if required. I think this
would probably break at some point, whereas the same is not true with
the SELinux setup (additionally, this will give you increased security,
which is nice too)

     smog  |   bricks
 AIR  --  mud  -- FIRE
soda water |   tequila
 -- with thanks to fortune

Reply to: