making secure limitations for non-root users

Tyler Littlefield tyler at
Fri Sep 19 17:40:18 EDT 2008

I'll dig around for that kernel patch.
Like, limiting them to viewing home dirs, other people's dirs. I can do 
chmod a-r /home, and then chmod o-rx /home/user, but would there be anything 
else I'd need to limit for security reasons? I'd not like to scrue up perms 
on logs, but would rather not them see /var/log.

_|_|_|_|_|  _|        _|_|_|_|
    _|      _|_|_|    _|          _|_|_|
    _|      _|    _|  _|_|_|    _|
    _|      _|    _|  _|        _|
    _|      _|    _|  _|_|_|_|    _|_|_|
Visit TDS for quality software and website production
msn: tyler at
aim: st8amnd2005
skype: st8amnd127
----- Original Message ----- 
From: "Gregory Nowak" <greg at>
To: "Speakup is a screen review system for Linux." <speakup at>
Sent: Friday, September 19, 2008 3:38 PM
Subject: Re: making secure limitations for non-root users

> Hash: SHA1
> Tom has already told you what the best approach would be. However, let
> me try to specifically answer your questions.
> On Thu, Sep 18, 2008 at 12:39:40PM -0600, Tyler Littlefield wrote:
>> I would, however like to limit them in disk space (I can figure that
> one out),
> Ok.
>> in port usage (not sure how to do this one, would like to limit what
> ports they can open),
> The only thing I can think of for that is the obvious, a
> firewall. However, that would apply to everyone on the system. There
> is something called owner match support, when you're configuring the
> firewall stuff in the kernel, however, I'm not sure if that does what
> it actually suggests, or something else. Sorry, that's all I can tell
> you there, maybe a firewall howto somewhere would tell you more.
>> programs they can run,
> The best way I can think of to do that, is to create a group on your
> system, where all the binaries you want users to access are a part of
> that group. Then, add the users you want to be able to access those
> binaries to that group as well, and leave the rest binaries/users
> out. On my debian system, there is a group called bin, but most of my
> binaries are in root's group. I'm not sure if the bin group is
> reserved for something else, or if it is there for what its name
> suggests, and it's up to the system admin to use it as he/she wishes.
>> and also what they can view on the system.
> You need to be more specific. What do you want them to be able to
> view, man pages, text files, contents of specific directories, what?
> Greg
> - --
> web site:
> gpg public key:
> skype: gregn1
> (authorization required, add me to your contacts list first)
> - --
> Free domains: or mail dns-manager at
> Version: GnuPG v1.4.9 (GNU/Linux)
> iEYEARECAAYFAkjUG8gACgkQ7s9z/XlyUyDY8QCeMyiUbYUWG+XeixZqmeq2vnxW
> zckAoLvhv/znPYpTPB1hr6BxFVZl81/r
> =+v8G
> _______________________________________________
> Speakup mailing list
> Speakup at
> __________ NOD32 3457 (20080919) Information __________
> This message was checked by NOD32 antivirus system.

More information about the Speakup mailing list