[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Limiting User Commands

> On Fri, Nov 05, 2004 at 07:53:33PM +0200, ea@sellinet.net wrote:
>> >In regards to the latter method, would it be possible for me to change
>> >the group ownership of the commands I don't want users to have access
>> to
>> >and revoke execute permission from that group?
>>
>> Yes, you can make something like that: addgroup(access), then change
>> groupname of commands that you want with that group (access), remember
>> to
>> remove "execute/search by others" from commands that are with
>> group(access), also don't forget to add group(access) to every user that
>> you want to have access to this commands.
>



> The only problem with this approach would be that you'd revoke it from
> system accounts too, not just your users. It might break in unexpected
> places.
>
> It seems to me that this should be possible with SELinux. What you need
> would be a role for your users where they are only able to run the
> commands you want them to run, whereas system accounts would remain
> unblocked.


You just need to add group(access) to that system accounts that you want
or that you think that they'll break in unexpected places... Don't you
think?



>
> --
>          EARTH
>      smog  |   bricks
>  AIR  --  mud  -- FIRE
> soda water |   tequila
>          WATER
>  -- with thanks to fortune
>



--------------------------------------------------------------
SELLINET Internet Services Provider - http://www.sellinet.net/
Reply to: