
Re: Limiting User Commands



> On Fri, 5 Nov 2004 19:53:33 +0200 (EET), ea@sellinet.net
> <ea@sellinet.net> wrote:
>> Yes, you can make something like that: addgroup(access), then change
>> groupname of commands that you want with that group (access), remember
>> to remove "execute/search by others" from commands that are with
>> group(access), also don't forget to add group(access) to every user that
>> you want to have access to these commands.
>
> The only thing I'm worried about with that method is whether a user
> would be able to run commands that they aren't supposed to have access
> to if they write a Perl script calling one of the banned commands and
> getting Apache to execute that script. In other words, would the
> script execute with the script owner's privileges or with Apache's
> privileges?
>


If the user who executes a forbidden command does not have the additional
group (access), then he'll get "permission denied" no matter whether he
executes the command from perl, php, etc. Just remember that a user who can
execute forbidden commands must have the additional group (access); any other
users that don't have this group have no access to forbidden commands,
including the user that runs apache.

And one more thing: you need to remove "read by others" and "execute/search
by others" from forbidden commands; you also need to change their
groupname.

Example:  chmod 750 /bin/rm ; chown root:access /bin/rm ; usermod -a -G access user




> Thanks,
> Stephen Le



--------------------------------------------------------------
SELLINET Internet Services Provider - http://www.sellinet.net/
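
A check for the setup described above, added here as an example and not part of the original thread: it verifies that each listed command is owned by the restricted group and grants nothing to others, and that the web server account is not a member of that group. The group name `access` comes from the thread; the account name `www-data` and the use of GNU `stat` are assumptions.

```sh
#!/bin/sh
# Added example: audit the group-based command restriction from the thread.
# Assumptions: GNU stat; restricted group "access"; web server user "www-data".

# check_restricted FILE GROUP
# Returns 0 if FILE is group-owned by GROUP and has no permission bits for
# "others"; 1 if either condition fails; 2 if FILE does not exist.
check_restricted() {
    file=$1 group=$2
    [ -e "$file" ] || { echo "MISSING $file"; return 2; }
    # %a = octal mode (e.g. 750), %G = owning group name
    set -- $(stat -c '%a %G' "$file")
    mode=$1 fgroup=$2
    other=${mode#"${mode%?}"}   # last octal digit = bits granted to others
    rc=0
    if [ "$other" != 0 ]; then
        echo "FAIL $file: others still have permission bits ($mode)"; rc=1
    fi
    if [ "$fgroup" != "$group" ]; then
        echo "FAIL $file: group is $fgroup, expected $group"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $file ($mode, group $fgroup)"; fi
    return $rc
}

# user_in_group USER GROUP
# Returns 0 if USER has GROUP as primary or supplementary group.
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Usage: sh audit.sh /bin/rm /bin/mv ...
GROUP=${GROUP:-access}
WEBUSER=${WEBUSER:-www-data}
for f in "$@"; do
    check_restricted "$f" "$GROUP"
done
if user_in_group "$WEBUSER" "$GROUP"; then
    echo "FAIL $WEBUSER is a member of $GROUP, so CGI scripts can run the restricted commands"
fi
```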


