Disabling certain things for users

AimarPL · n00b Joined: 25 Oct 2008 Posts: 9 Location: .pl

Hi there,
I'm wondering how can I disable certain commands for users like for example I can do with cron by adding or removing user from group using gpasswd -a user cron ... how do I disable user from using "ps" command? or gcc compiler...?

Thanks in advance for any kind help

NeddySeagoon · Posted: Sat Jan 09, 2010 10:58 am Post subject:

AimarPL,

To take commands away from all users change the permissions/ownweship on the binaries to 750 root:root.
You can make a group called say, expert that you trust and change the settings to 750 root:expert
Add the trusted users to the expert group and they can use the commands.

You might also consider mounting /home and /tmp with the noexec option. This prevents programs that are in those filesystems from being executed. It also requires that /home and /tmp be seperate filesystems. I've not fully thought that through. It may interfere with normal system operation, since root can't execute things there either.

Longer term, you cannot stop users uploading a gcc that runs in their home, so think through your approach to security.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Hu · Administrator Joined: 06 Mar 2007 Posts: 23082

Mounting /tmp with noexec works fine on most systems. I have done it for years on a variety of systems with no problems. Mounting /home with noexec is a bit more system-specific. If you have users who have a legitimate need to develop programs, or if you build kernels using the KBUILD_OUTPUT support and store the objects under /home, you may break legitimate usage by mounting /home with noexec.

wthrowe · Tux's lil' helper Joined: 19 Aug 2009 Posts: 141

To actually prevent users from running arbitrary binaries, you need to make sure every writeable directory on the system is noexec. /var/tmp and /var/cache/fonts come to mind, in addition to /home and /tmp. This could impact some legitimate programs (a default configuration of portage, for example).

Preventing particular programs from being run is pointless from a security point of view unless you close all these holes, since users could always copy the binaries over from another machine. gcc probably doesn't even have to be run on the local machine to cause you worry.

Even if you manage to prevent users from executing their own binaries, you probably can't prevent them from running scripts. I suspect perl < foo.pl would work even on a noexec filesystem.

As regards ps, I believe there is a grsecurity kernel option that will only let users see their own processes. You should consider using a hardened profile and kernel and read the Gentoo docs on hardened. See various pages linked from http://www.gentoo.org/doc/.