[CentOS] Restricting User Rights massively
William L. Maltby
CentOS4Bill at triad.rr.com
Tue Jul 29 13:40:31 UTC 2008
On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
> Hi folks,
> is it possible to restrict the rights of a user to only do few, defined
> actions, e.g. only look up cpu and memory usage, but not walk around in the
> file system, not see any other hardware details, run any binaries/scripts?
> I know several different techniques to achieve parts of this (like
> chrooting him), but is there one technique to get it all?
"Man bash". /-r and /RESTRICTED SHELL

It'll take a little setup to custom tailor it. Permissions, PATH and a
user or group specific bin directory (new one, not one of the standards)
in their PATH. Some copy/symlink (careful with that) of existing
executables may be useful.

Be careful with scripts made available. There is a caveat that
restrictions are removed when a script is being processed.

Carefully constructed .bashrc, bash_profile.

IMO, this is easier to set up than selinux, *may* meet all your needs and
will not be affected by upgrades.
> <snip sig stuff>
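
Added example, not part of the original message: one way to stage the user-specific bin directory and startup file described in the reply above, and to check that directory for scripts and shells that would lift the restrictions. The function names, the staging-directory approach and the shell-name list are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original post). Works on a staging directory
# passed as an argument; creating the account itself (shell set to rbash,
# files owned by root) is left to the administrator.

# stage_rbash_home HOME_DIR CMD...
# Build HOME_DIR/bin with symlinks to the named commands and write a
# .bash_profile that points PATH at that directory only.
stage_rbash_home() {
    local home=$1 cmd target
    shift
    mkdir -p "$home/bin" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "skip: $cmd not found" >&2; continue; }
        case $target in
            /*) ln -sf "$target" "$home/bin/$cmd" ;;
            *)  echo "skip: $cmd is a builtin, not a file" >&2 ;;
        esac
    done
    # Startup files are read before the restrictions take effect, so PATH
    # is set here; afterwards the restricted shell refuses to change it.
    rm -f "$home/.bash_profile"
    printf 'PATH=$HOME/bin\nexport PATH\n' > "$home/.bash_profile"
    chmod 0444 "$home/.bash_profile"
}

# audit_rbash_bin BIN_DIR
# Print entries that undo the restrictions: scripts (the shell spawned to run
# a script is unrestricted) and shells. Returns non-zero if any are found.
# The shell-name list is this example's own and is not exhaustive.
audit_rbash_bin() {
    local entry real findings=0
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        real=$(readlink -f "$entry")
        case ${real##*/} in
            sh|bash|dash|ksh|zsh|csh|tcsh)
                echo "UNSAFE shell: $entry -> $real"
                findings=$((findings + 1))
                continue ;;
        esac
        if [ "$(head -c 2 "$real" 2>/dev/null)" = '#!' ]; then
            echo "UNSAFE script: $entry -> $real"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Run `audit_rbash_bin` again whenever an entry is added to the directory; the home directory, `bin` and `.bash_profile` of the real account should not be writable by the restricted user.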