Re: Limiting User Commands
On Wednesday 10 November 2004 21:49, "Ben Hutchings"
> > I feel the need to learn something new today. How could the user replace
> > the root owned files in a directory that they own?
> By renaming or unlinking them. Linux treats this as an operation on the
> directory, not the file, so it's controlled by the directory's permissions.
SE Linux has finer grained access control. So you can allow a user to have
write access to their home directory but give ~/.bashrc etc a different type
that permits only read, getattr, and execute access (but not write, append,
unlink, link, rename, setattr, lock, ioctl, or create).
I periodically run SE Linux play machines setup in this manner. I have some
files in the root user's home directory that they can only read and execute,
some that they can read and append to, and the default is for full access to
files in the home directory. I'll have my play machine back online soon, see
my web page for the details.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page