Re: Limiting User Commands

To: <zeroion@gmail.com>, <debian-isp@lists.debian.org>, <debian-user@lists.debian.org>
Subject: Re: Limiting User Commands
From: "Doug Griswold" <griswld@cio.sc.gov>
Date: Tue, 09 Nov 2004 17:43:19 -0500
Message-id: <[🔎] s19101be.069@gw.state.sc.us>

Don't give them shell access, and don't let them ftp to the server. 
Make them email you all the changes so you can browse for bad code. 
Then you 
can upload the changes.   You will get tired of that real quick.  Other
than this method there is always a what if factor selinux,chroot,
virtual server etc...  Even if they do upload a bad script they
shouldn't have perms to do anything.  You could allow the apache user to
rm -rf /* and nothing would happen if setup correctly.  

>>> Stephen Le <zeroion@gmail.com> 11/09/04 5:16 PM >>>
On Mon, 8 Nov 2004 09:28:10 -0900, Christopher Swingley
<cswingle@iarc.uaf.edu> wrote:
> Make symbolic links between allowed commands and '/usr/local/rbin'
> 
> As I said before, this is just a simple attempt to reduce priviledge.
> There are undoubtably ways around it, some easier than others
depending
> on what's in /usr/local/rbin.

This won't prevent users from executing banned commands with Perl
scripts called by Apache. I'm opposed to using rbash for this reason
and because some users might want to use a non-bash shell.

-Stephen Le

-- 
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org

Reply to:

Prev by Date: Re: Get directories names
Next by Date: Re: debian-user Jun 2002
Previous by thread: Re: Limiting User Commands
Next by thread: Re: Limiting User Commands
Index(es):
- Date
- Thread