[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Limiting User Commands

Don't give them shell access, and don't let them ftp to the server. 
Make them email you all the changes so you can browse for bad code. 
Then you 
can upload the changes.   You will get tired of that real quick.  Other
than this method there is always a what if factor selinux,chroot,
virtual server etc...  Even if they do upload a bad script they
shouldn't have perms to do anything.  You could allow the apache user to
rm -rf /* and nothing would happen if setup correctly.  

>>> Stephen Le <zeroion@gmail.com> 11/09/04 5:16 PM >>>
On Mon, 8 Nov 2004 09:28:10 -0900, Christopher Swingley
<cswingle@iarc.uaf.edu> wrote:
> Make symbolic links between allowed commands and '/usr/local/rbin'
> As I said before, this is just a simple attempt to reduce priviledge.
> There are undoubtably ways around it, some easier than others
> on what's in /usr/local/rbin.

This won't prevent users from executing banned commands with Perl
scripts called by Apache. I'm opposed to using rbash for this reason
and because some users might want to use a non-bash shell.

-Stephen Le

To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact

Reply to: