making secure limitations for non-root users

Tyler Littlefield tyler at tysdomain.com
Sat Sep 20 17:50:43 EDT 2008 

that sounds fun... I'll do that.
Thanks a ton,

Thanks,
_|_|_|_|_|  _|        _|_|_|_|
    _|      _|_|_|    _|          _|_|_|
    _|      _|    _|  _|_|_|    _|
    _|      _|    _|  _|        _|
    _|      _|    _|  _|_|_|_|    _|_|_|
Visit TDS for quality software and website production
http://tysdomain.com
msn: tyler at tysdomain.com
aim: st8amnd2005
skype: st8amnd127
----- Original Message ----- 
From: "Jim Kutsch" <jimkutsch at yahoo.com>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Saturday, September 20, 2008 3:40 PM
Subject: Re: making secure limitations for non-root users


> In the 1980s, I had a Unix system  connected to a ham radio via packet 
> radio
> interface hardware.  I was using it myself but wanted the users via radio 
> to
> run email and Netnews and be isolated from the rest of the system where I
> kept my stuff.  I set up a chroot environment in which users had a very
> little piece of the entire system.  It required only an amazingly few 
> things
> to be available in the root of the chroot directory.  If I remember
> correctly, I had to have /etc/passwd, /etc/group, /etc/getty, a few things
> in /bin and /usr/bin, and the software I allowed these remote users to
> access.  There was even a login called "newuser" with no password that ran 
> a
> customized add user script so a user could create his/her own account.
>
> Since you are learning Linux, I'd recommend you go explore chroot and 
> start
> thinking about how very little you really need in the isolated 
> environment.
>
> Have fun.
>
> Jim
>
>
> ----- Original Message ----- 
> From: "Tyler Littlefield" <tyler at tysdomain.com>
> To: "Speakup is a screen review system for Linux." 
> <speakup at braille.uwo.ca>
> Sent: Friday, September 19, 2008 5:40 PM
> Subject: Re: making secure limitations for non-root users
>
>
> I'll dig around for that kernel patch.
> Like, limiting them to viewing home dirs, other people's dirs. I can do
> chmod a-r /home, and then chmod o-rx /home/user, but would there be 
> anything
> else I'd need to limit for security reasons? I'd not like to scrue up 
> perms
> on logs, but would rather not them see /var/log.
>
>
> Thanks,
> _|_|_|_|_|  _|        _|_|_|_|
>    _|      _|_|_|    _|          _|_|_|
>    _|      _|    _|  _|_|_|    _|
>    _|      _|    _|  _|        _|
>    _|      _|    _|  _|_|_|_|    _|_|_|
> Visit TDS for quality software and website production
> http://tysdomain.com
> msn: tyler at tysdomain.com
> aim: st8amnd2005
> skype: st8amnd127
> ----- Original Message ----- 
> From: "Gregory Nowak" <greg at romuald.net.eu.org>
> To: "Speakup is a screen review system for Linux." 
> <speakup at braille.uwo.ca>
> Sent: Friday, September 19, 2008 3:38 PM
> Subject: Re: making secure limitations for non-root users
>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Tom has already told you what the best approach would be. However, let
>> me try to specifically answer your questions.
>>
>> On Thu, Sep 18, 2008 at 12:39:40PM -0600, Tyler Littlefield wrote:
>>> I would, however like to limit them in disk space (I can figure that
>> one out),
>>
>> Ok.
>>
>>> in port usage (not sure how to do this one, would like to limit what
>> ports they can open),
>>
>> The only thing I can think of for that is the obvious, a
>> firewall. However, that would apply to everyone on the system. There
>> is something called owner match support, when you're configuring the
>> firewall stuff in the kernel, however, I'm not sure if that does what
>> it actually suggests, or something else. Sorry, that's all I can tell
>> you there, maybe a firewall howto somewhere would tell you more.
>>
>>> programs they can run,
>>
>> The best way I can think of to do that, is to create a group on your
>> system, where all the binaries you want users to access are a part of
>> that group. Then, add the users you want to be able to access those
>> binaries to that group as well, and leave the rest binaries/users
>> out. On my debian system, there is a group called bin, but most of my
>> binaries are in root's group. I'm not sure if the bin group is
>> reserved for something else, or if it is there for what its name
>> suggests, and it's up to the system admin to use it as he/she wishes.
>>
>>> and also what they can view on the system.
>>
>> You need to be more specific. What do you want them to be able to
>> view, man pages, text files, contents of specific directories, what?
>>
>> Greg
>>
>>
>> - --
>> web site: http://www.romuald.net.eu.org
>> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
>> skype: gregn1
>> (authorization required, add me to your contacts list first)
>>
>> - --
>> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>>
>> iEYEARECAAYFAkjUG8gACgkQ7s9z/XlyUyDY8QCeMyiUbYUWG+XeixZqmeq2vnxW
>> zckAoLvhv/znPYpTPB1hr6BxFVZl81/r
>> =+v8G
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> Speakup mailing list
>> Speakup at braille.uwo.ca
>> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>>
>> __________ NOD32 3457 (20080919) Information __________
>>
>> This message was checked by NOD32 antivirus system.
>> http://www.eset.com
>>
>>
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
> __________ NOD32 3457 (20080919) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
>
>

More information about the Speakup mailing list