Re: Limiting User Commands

To: debian-isp@lists.debian.org, debian-user@lists.debian.org
Subject: Re: Limiting User Commands
From: Stephen Gran <sgran@debian.org>
Date: Sun, 7 Nov 2004 14:41:42 -0500
Message-id: <[🔎] 20041107194142.GA1371@www.lobefin.net>
Mail-followup-to: debian-isp@lists.debian.org, debian-user@lists.debian.org
In-reply-to: <[🔎] 3f9fee51041107111219fb7222@mail.gmail.com>
References: <[🔎] 3f9fee5104110509315629b895@mail.gmail.com> <[🔎] 20041105231328.GB16508@aokiconsulting.com> <[🔎] 3f9fee510411051535a4ad332@mail.gmail.com> <[🔎] 20041107141416.GA11837@steve.org.uk> <[🔎] 3f9fee51041107111219fb7222@mail.gmail.com>

This one time, at band camp, Stephen Le said:
> On Sun, 7 Nov 2004 14:14:16 +0000, Steve Kemp <skx@debian.org> wrote:
> >   Lots of people have commented already, but I've not seen any
> >  discussion on why you might want to do this.  What kind of bad
> >  commands are you trying to prevent?
> > 
> >   Most of the dangerous commands like fdisk, etc, will be handled
> >  by the existing permissions setup.
> 
> For example, as I mentioned in an earlier reply, I might not want
> normal users to be able to run ftp, telnet, ssh, wget, gcc, or any
> other number of commands. I still want users to be able to run the
> bulk of the commands available on the system, though. I might also
> want to allow another set of users to be able to run the commands
> unavailable to normal users.

apt-get remove --purge ftp telnet wget gcc
rm /usr/bin/ssh /usr/bin/scp

I understand your point, but simply don't install the more dangerous
things before bending over backwards to make things difficult.  As with
services, programs not needed should just not be on a server.  Part of
my monthly audit of systems I look after is to make sure things like gcc
and a few others are not installed.

Note that neither my approach nor yours really stops someone who is
determined - all of the functionality of the above programs could be
replicated in perl, python, etc, so you've only made it difficult, not
impossible.  Then there is ~/bin, where users can stash anything they
like, if you don't also regularly search /home for questionable files.
Even mounting it noexec isn't really a help - perl /path/to/script works
as well as /lib/ld-linux.so.2 /path/to/binary

Does not help at all for your original problem, I'm afraid.  It looks to
me like what you want is filesystem acl's or SELinux to totally lock
things down, but others are going to be more helpful with those than I
will.
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------

Attachment: pgpQxwT8xjcmO.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Limiting User Commands
  - From: Stephen Le <zeroion@gmail.com>

References:
- Limiting User Commands
  - From: Stephen Le <zeroion@gmail.com>
- Re: Limiting User Commands
  - From: Osamu Aoki <osamu@debian.org>
- Re: Limiting User Commands
  - From: Stephen Le <zeroion@gmail.com>
- Re: Limiting User Commands
  - From: Steve Kemp <skx@debian.org>
- Re: Limiting User Commands
  - From: Stephen Le <zeroion@gmail.com>

Prev by Date: Re: Limiting User Commands
Next by Date: Re: Limiting User Commands
Previous by thread: Re: Limiting User Commands
Next by thread: Re: Limiting User Commands
Index(es):
- Date
- Thread