Hi folks, is it possible to restrict the rights of a user to only do a few, defined actions, e.g. only look up CPU and memory usage, but not walk around in the file system, not see any other hardware details, run any binaries/scripts? I know several different techniques to achieve parts of this (like chrooting him), but is there one technique to get it all?

Dirk
On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
> is it possible to restrict the rights of a user to only do few, defined
> actions, e.g. only look up cpu and memory usage, but not walk around in the
> file system, not see any other hardware details, run any binaries/scripts?
> I know several different techniques to achieve parts of this (like
> chrooting him), but is there one technique to get it all?

SELinux.

--
Ignacio Vazquez-Abrams <ivazqueznet at gmail.com>
PLEASE don't CC me; I'm already subscribed
On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
> Hi folks,
>
> is it possible to restrict the rights of a user to only do few, defined
> actions, e.g. only look up cpu and memory usage, but not walk around in the
> file system, not see any other hardware details, run any binaries/scripts?
> I know several different techniques to achieve parts of this (like
> chrooting him), but is there one technique to get it all?

"Man bash". /-r and /RESTRICTED SHELL

It'll take a little setup to custom tailor it. Permissions, PATH and a user or group specific bin directory (new one, not one of the standards) in their PATH. Some copy/symlink (careful with that) of existing executables may be useful.

Be careful with scripts made available. There is a caveat that restrictions are removed when a script is being processed.

Carefully constructed .bashrc, .bash_profile.

IMO, this is easier to set up than SELinux, *may* meet all your needs and will not be affected by upgrades.

> 
> Dirk
> <snip sig stuff>

HTH

--
BILL
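The setup Bill outlines (private bin directory, PATH pinned and made read-only from .bash_profile, nothing but the permitted viewers in that directory), as an added example that is not Bill's code or from the thread; it builds the layout in a scratch directory so the restrictions can be checked without creating a real user. The allowed-command list (uptime, free) and the function names are assumptions.

```shell
# Build a restricted-shell HOME in a scratch directory: a private bin dir holding
# only the permitted commands, and a profile that pins PATH and makes it read-only.
setup_rbash_home() {            # $1 = directory to use as the restricted user's HOME
    rb_home="$1"
    mkdir -p "$rb_home/bin"
    # Only CPU/memory viewers are exposed; this list is an assumption for the example.
    for rb_cmd in uptime free; do
        rb_src=$(command -v "$rb_cmd" 2>/dev/null) || continue
        ln -sf "$rb_src" "$rb_home/bin/$rb_cmd"
    done
    # rbash enforces its restrictions only after the startup files are read, so the
    # profile may still set PATH; readonly stops the user from widening it afterwards.
    cat > "$rb_home/.bash_profile" <<'EOF'
PATH=$HOME/bin
export PATH
readonly PATH SHELL ENV BASH_ENV
EOF
}

# Run one command line as the restricted user would (login shell, so the profile
# is read) and return its exit status; output is discarded.
run_restricted() {              # $1 = home dir, $2 = command string
    HOME="$1" bash --restricted --login -c "$2" >/dev/null 2>&1
}

# Audit the bin dir for the caveat in the reply: a script or shell placed there
# starts a fresh interpreter that is not restricted. Lists each such entry and
# returns 1 if any were found, 0 if the directory holds only ordinary binaries.
audit_rbash_bin() {             # $1 = home dir
    rb_found=0
    for rb_f in "$1"/bin/*; do
        [ -e "$rb_f" ] || continue
        rb_target=$(readlink -f "$rb_f")
        case $(basename "$rb_target") in
            sh|bash|rbash|dash|ksh|zsh) echo "shell: $rb_f"; rb_found=1; continue ;;
        esac
        # A '#!' header means a script; the interpreter it names runs unrestricted.
        if [ "$(head -c 2 "$rb_target" 2>/dev/null)" = '#!' ]; then
            echo "script: $rb_f"; rb_found=1
        fi
    done
    return $rb_found
}
```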