
Re: Restrict a user to a set of binaries?



Bob Proulx <bob@proulx.com> wrote:
>Abou Al Montacir wrote:
>> Maybe create a new group "trusted" and do the following
>> cd /bin
>> chown root.trusted *
>> chmod 750 *
>> for ff in ${TRUSTED_BIN_LIST} ; do chmod o=rx $ff ; done
>
>With this users can still create files and copy the programs they want
>to run onto the system and run their own copy of them.

At least theoretically, it would be possible to restrict the areas
where this specific user can write to file systems mounted noexec.
But then one would probably have to get rid of the 777 on /tmp.

It might also be an idea to have a look at the restricted shells
(bash --restricted). Additionally, if there is any MAC system such as
AppArmor or SELinux, those might be of use, too.

Of course, the biggest/main problem is the OP not being very clear
with what he wants to achieve.

Best regards,

Claudius
-- 
Welcome to the Zoo!
Please use GPG: ECB0C2C7 4A4C4046 446ADF86 C08112E5 D72CDBA4
http://chubig.net/ http://nightfall.org
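
The noexec point in the message above, as an added example that is not part of the original post: a shell function that reads mount data in /proc/mounts format and lists which of the given directories still allow execution. The function names, the sample mount table and the directory list are constructed for illustration.

```shell
#!/bin/sh
# Added example: find directories that sit on file systems mounted WITHOUT noexec.
# Assumes /proc/mounts layout: device mountpoint fstype options dump pass
# (mount points containing escaped spaces such as \040 are not handled).

# exec_allowed_dirs MOUNTS_FILE DIR...
# Prints each DIR whose covering (longest-prefix) mount lacks the noexec option.
exec_allowed_dirs() {
    mounts_file=$1; shift
    for dir in "$@"; do
        awk -v dir="$dir" '
            {
                mp = $2
                # A mount covers dir if it is "/", equals dir, or is a path prefix of it.
                if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                    # ">=" lets a later entry on the same mount point shadow an earlier one.
                    if (length(mp) >= best_len) { best_len = length(mp); opts = $4 }
                }
            }
            END {
                if (best_len == 0) exit
                n = split(opts, o, ",")
                for (i = 1; i <= n; i++) if (o[i] == "noexec") exit
                print dir
            }' "$mounts_file"
    done
}

# Constructed sample in /proc/mounts format (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# Demo: directories a restricted user could typically write to.
tmp=$(mktemp)
sample_mounts > "$tmp"
exec_allowed_dirs "$tmp" /tmp /var/tmp /home/alice /dev/shm
rm -f "$tmp"
```

On a live system, pass `/proc/mounts` as the first argument and the user's writable directories after it; every path printed is a place where a copied binary could still be run.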


