Gentoo Forums
Defining what an user can run
nihon-jin
n00b

Joined: 08 Jan 2004
Posts: 46
Location: Rennes {France}

Posted: Wed Jun 23, 2004 4:47 pm    Post subject: Defining what an user can run

Hello.

I would like to know what is the best way of defining what applications one user/group can run. Let's say that I would like to have 2 groups of users like normal & privileged where users in "normal" group should have access only to some commands (i.e. cp, mv, scp (all file handling stuff) and then mutt, irssi and a few applications) whereas users in privileged group should be able to access almost everything.

The method I was thinking about was to change permissions on files in /usr/bin and /bin (like chgrp them to 'privileged' and then chmod them to 550 or so) but I don't know if this is really a good method.

Thank you for any advice.
Gatta
n00b

Joined: 28 Mar 2004
Posts: 53

Posted: Wed Jun 23, 2004 5:37 pm    Post subject: Sounds good

That's probably the best method I can think of. For extra security, the NSA have made a securer kernel involving mandatory access control, but that might be overkill for you; your idea will work OK.
spudicus
Apprentice

Joined: 05 Dec 2002
Posts: 177
Location: Geraldton, Australia

Posted: Thu Jun 24, 2004 12:03 am    Post subject: Re: Defining what an user can run

nihon-jin wrote:
I would like to know what is the best way of defining what applications one user/group can run. Let's say that I would like to have 2 groups of users like normal & privileged where users in "normal" group should have access only to some commands (i.e. cp, mv, scp (all file handling stuff) and then mutt, irssi and a few applications) whereas users in privileged group should be able to access almost everything.

The method I was thinking about was to change permissions on files in /usr/bin and /bin (like chgrp them to 'privileged' and then chmod them to 550 or so) but I don't know if this is really a good method.


The "best" way would be to use some form of ACL, e.g. SELinux, RSBAC, grsecurity. However, this is also the more complex way, as stated by Gatta.

The "easiest" way would be to use Linux's built-in file permissions. These two articles, 1 and 2, could help refresh some of the intricacies of Linux permissions.

If you take this route, I have a script and C code, here, for backing up and restoring your original permissions, if and when you break something.

One method you could take with Linux file permissions is to define a group unpriv (or something). Then select which programs/directories they aren't allowed to access, change them to the unpriv group, and chmod 705.
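Added example, not part of any post in this thread: a Python sketch of the owner/group/other check that decides whether the chmod 550 and chmod 705 schemes discussed above let a given account execute a file, plus an audit of /bin and /usr/bin for one account. It models mode bits only (POSIX ACLs, SELinux/RSBAC/grsecurity policy and directory search permission are not considered), and the function names are this example's own.

```python
import grp
import os
import pwd
import stat
import sys


def may_execute(mode, file_uid, file_gid, uid, gids):
    """Return True if a process with (uid, gids) passes the mode-bit check.

    Exactly one class is consulted: owner if the uid matches, else group
    if any gid matches, else other. Later classes never rescue a denial.
    """
    if uid == 0:
        # root skips the class check but still needs some execute bit set
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def user_ids(name):
    """Return the uid and the set of all group ids of a local account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def audit(directories, name):
    """List regular files in the directories that the account may execute."""
    uid, gids = user_ids(name)
    allowed = []
    for directory in directories:
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            try:
                st = entry.stat()  # follows symlinks, as execve() does
            except OSError:
                continue  # dangling symlink
            if stat.S_ISREG(st.st_mode) and may_execute(
                    st.st_mode, st.st_uid, st.st_gid, uid, gids):
                allowed.append(entry.path)
    return allowed


if __name__ == "__main__":
    # usage: audit.py USER [DIR ...]; defaults are the directories in the thread
    print("\n".join(audit(sys.argv[2:] or ["/bin", "/usr/bin"], sys.argv[1])))
```

Running it for an account in the restricted group after changing modes shows which commands that account can still execute.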
All times are GMT