
Re: limiting user access



On Thu, 12 Feb 1998, Paul Miller wrote:

: 
: hmm... how would that stop users from running programs they copied onto my
: server? 

Mount the /home partition noexec.  In fact, make sure any user writable
partition is mounted noexec.  If your users can copy files to /usr, then
you've got a fairly big problem.

Note that this doesn't keep the user from running shell scripts, or perl
scripts, or any other interpreted scripts, unless you limit access to
interpreters (including shells).  Of course, you could mount the /home
directory read-only, but that limits its utility.

In other words, it requires a lot of planning and work.

If you have users you don't trust that much, why are you giving them
shell access in the first place?

: 
: On Thu, 12 Feb 1998, A. M. Varon wrote:
: 
: > On Wed, 11 Feb 1998, Paul Miller wrote:
: > 
: > > Is there any way to do this for only certain groups?
: > 
: > what I do is chmod 550 and chown root.staff the  /bin, /sbin, /usr/sbin,
: > and /usr/bin etc.
: > 
: > Where the group staff could be you. All others cannot access the binaries
: > or whatever.
: > 
: > regards,
: > 
: > == ========== Andre M. Varon  Lasaltech Incorporated
: > == ==    ==== Technical Head  Fax-Tel: (034)435-0836
: > == ===== ==
: > ==    == ==   E-mail  : andrelst@mozcom.com
: > ======== ==   WebPage : www.lasaltech.com/andre.html
: > 
: > 
: 
: 
: --
: TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
: debian-user-request@lists.debian.org . 
: Trouble?  e-mail to templin@bucknell.edu .
: 
: 

--
Nathan Norman
MidcoNet - 410 South Phillips Avenue - Sioux Falls, SD  57104
phone: (605) 334-4454 fax: (605) 335-1173
mailto://finn@midco.net   http://www.midco.net
PGP Key ID: 0xA33B86E9 - Public key available at keyservers
PGP Key fingerprint: CE03 10AF 3281 1858  9D32 C2AB 936D C472
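
An added example, not part of the original message: a shell function that checks a mount table for user-writable mount points where binaries can still be executed. The sample table, the `audit_noexec` name and the mount points checked are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /etc/fstab layout: device, mount point, type, options, dump, pass.
SAMPLE_FSTAB='# constructed sample for illustration
/dev/hda1  /        ext2   defaults          1 1
/dev/hda2  /usr     ext2   defaults,ro       1 2
/dev/hda3  /home    ext2   defaults,nosuid   1 2
/dev/hda4  /tmp     ext2   rw,noexec,nosuid  1 2
/dev/fd0   /floppy  msdos  user,exec,noauto  0 0
'

# audit_noexec TABLE MOUNTPOINT...
# Prints one line per listed mount point where binaries can still be executed.
# Options are read left to right and the last exec/noexec wins; "user" and
# "users" imply noexec unless a later "exec" overrides them (see mount(8)).
audit_noexec() {
    table=$1
    shift
    for mp in "$@"; do
        printf '%s\n' "$table" | awk -v mp="$mp" '
            NF < 4 || $1 ~ /^#/ { next }      # skip comments and short lines
            $2 == mp {
                found = 1
                state = "exec"                 # default when no option says otherwise
                n = split($4, opt, ",")
                for (i = 1; i <= n; i++) {
                    if (opt[i] == "noexec" || opt[i] == "user" || opt[i] == "users") {
                        state = "noexec"
                    } else if (opt[i] == "exec") {
                        state = "exec"
                    }
                }
            }
            END {
                if (!found) {
                    print mp ": no entry of its own, inherits the parent filesystem options"
                } else if (state == "exec") {
                    print mp ": exec allowed, add noexec"
                }
            }'
    done
}

# noexec only blocks direct execution of a file; as the message says,
# "sh ./script" or "perl ./script" still runs, so interpreters need separate limits.
audit_noexec "$SAMPLE_FSTAB" /home /tmp /var/tmp /floppy
```

To check the running system instead of the sample, pass `"$(cat /proc/mounts)"` as the first argument; it uses the same field order.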


