[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Limiting User Commands

On Wednesday 10 November 2004 21:49, "Ben Hutchings" 
<ben.hutchings@businesswebsoftware.com> wrote:
> > I feel the need to learn something new today. How could the user replace
> > the root owned files in a directory that they own?
> By renaming or unlinking them.  Linux treats this as an operation on the
> directory, not the file, so it's controlled by the directory's permissions.

SE Linux has finer grained access control.  So you can allow a user to have 
write access to their home directory but give ~/.bashrc etc a different type 
that permits only read, getattr, and execute access (but not write, append, 
unlink, link, rename, setattr, lock, ioctl, or create).

I periodically run SE Linux play machines setup in this manner.  I have some 
files in the root user's home directory that they can only read and execute, 
some that they can read and append to, and the default is for full access to 
files in the home directory.  I'll have my play machine back online soon, see 
my web page for the details.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: