making secure limitations for non-root users
tyler at tysdomain.com
Fri Sep 19 17:40:18 EDT 2008
I'll dig around for that kernel patch.
Like, limiting them to viewing home dirs, other people's dirs. I can do
chmod a-r /home, and then chmod o-rx /home/user, but would there be anything
else I'd need to limit for security reasons? I'd not like to scrue up perms
on logs, but would rather not them see /var/log.
_|_|_|_|_| _| _|_|_|_|
_| _|_|_| _| _|_|_|
_| _| _| _|_|_| _|
_| _| _| _| _|
_| _| _| _|_|_|_| _|_|_|
Visit TDS for quality software and website production
msn: tyler at tysdomain.com
----- Original Message -----
From: "Gregory Nowak" <greg at romuald.net.eu.org>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Friday, September 19, 2008 3:38 PM
Subject: Re: making secure limitations for non-root users
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Tom has already told you what the best approach would be. However, let
> me try to specifically answer your questions.
> On Thu, Sep 18, 2008 at 12:39:40PM -0600, Tyler Littlefield wrote:
>> I would, however like to limit them in disk space (I can figure that
> one out),
>> in port usage (not sure how to do this one, would like to limit what
> ports they can open),
> The only thing I can think of for that is the obvious, a
> firewall. However, that would apply to everyone on the system. There
> is something called owner match support, when you're configuring the
> firewall stuff in the kernel, however, I'm not sure if that does what
> it actually suggests, or something else. Sorry, that's all I can tell
> you there, maybe a firewall howto somewhere would tell you more.
>> programs they can run,
> The best way I can think of to do that, is to create a group on your
> system, where all the binaries you want users to access are a part of
> that group. Then, add the users you want to be able to access those
> binaries to that group as well, and leave the rest binaries/users
> out. On my debian system, there is a group called bin, but most of my
> binaries are in root's group. I'm not sure if the bin group is
> reserved for something else, or if it is there for what its name
> suggests, and it's up to the system admin to use it as he/she wishes.
>> and also what they can view on the system.
> You need to be more specific. What do you want them to be able to
> view, man pages, text files, contents of specific directories, what?
> - --
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
> - --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> -----END PGP SIGNATURE-----
> Speakup mailing list
> Speakup at braille.uwo.ca
> __________ NOD32 3457 (20080919) Information __________
> This message was checked by NOD32 antivirus system.
More information about the Speakup