Re: Limiting User Commands

To: ea@sellinet.net
Cc: Stephen Le <zeroion@gmail.com>, debian-isp@lists.debian.org, debian-user@lists.debian.org
Subject: Re: Limiting User Commands
From: Wouter Verhelst <wouter@grep.be>
Date: Sun, 7 Nov 2004 11:50:01 +0100
Message-id: <[🔎] 20041107105001.GA26559@grep.be>
In-reply-to: <[🔎] 3082.82.199.192.18.1099677213.squirrel@82.199.192.18>
References: <[🔎] 3f9fee5104110509315629b895@mail.gmail.com> <[🔎] 3082.82.199.192.18.1099677213.squirrel@82.199.192.18>

On Fri, Nov 05, 2004 at 07:53:33PM +0200, ea@sellinet.net wrote:
> >In regards to the latter method, would it be possible for me to change 
> >the group ownership of the commands I don't want users to have access to
> >and revoke execute permission from that group?
> 
> Yes, you can make something like that: addgroup(access), then change
> groupname of commands that you want with that group (access), remember to
> remove "execute/search by others" from commands that are with
> group(access), also don't forget to add group(access) to every user that
> you want to have access to this commands.

The only problem with this approach would be that you'd revoke it from
system accounts too, not just your users. It might break in unexpected
places.

It seems to me that this should be possible with SELinux. What you need
would be a role for your users where they are only able to run the
commands you want them to run, whereas system accounts would remain
unblocked.

-- 
         EARTH
     smog  |   bricks
 AIR  --  mud  -- FIRE
soda water |   tequila
         WATER
 -- with thanks to fortune

Reply to:

Follow-Ups:
- Re: Limiting User Commands
  - From: ea@sellinet.net

References:
- Limiting User Commands
  - From: Stephen Le <zeroion@gmail.com>
- Re: Limiting User Commands
  - From: ea@sellinet.net

Prev by Date: Re: kjournald high cpu usage
Next by Date: Re: playing cds
Previous by thread: Re: Limiting User Commands
Next by thread: Re: Limiting User Commands
Index(es):
- Date
- Thread