[CentOS] Restricting User Rights massively
Dirk H. Schulz
dirk.schulz at kinzesberg.de
Tue Jul 29 15:59:37 UTC 2008
Thanks to all who helped - rbash seems to be a good starting point since
selinux is quite complex and takes some time to get into.
Dirk
--On 29 July 2008 09:40:31 -0400 "William L. Maltby"
<CentOS4Bill at triad.rr.com> wrote:
>
> On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
>> Hi folks,
>>
>> is it possible to restrict the rights of a user to only do few, defined
>> actions, e.g. only look up cpu and memory usage, but not walk around in
>> the file system, not see any other hardware details, run any
>> binaries/scripts? I know several different techniques to achieve parts
>> of this (like chrooting him), but is there one technique to get it all?
>
> "Man bash". /-r and /RESTRICTED SHELL
>
> It'll take a little setup to custom tailor it. Permissions, PATH and a
> user or group specific bin directory (new one, not one of the standards)
> in their PATH. Some copy/symlink (careful with that) of existing
> executables may be useful.
>
> Be careful with scripts made available. There is a caveat that
> restrictions are removed when a script is being processed.
>
> Carefully constructed .bashrc, bash_profile.
>
> IMO, this is easier to set up than selinux, *may* meet all your needs and
> will not be affected by upgrades.
>
>>
>> Dirk
>> <snip sig stuff>
>
> HTH
> --
> BILL
--------------------------------------------------------------
Dirk H. Schulz
IT Systems Service
Wiesenweg 12, 85567 Grafing
Tel. 0 80 92/86 25 68
Fax. 0 80 92/86 25 72
--------------------------------------------------------------
Technology at its finest - and the necessary tuning
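The points raised in the quoted reply (a private bin directory on the restricted user's PATH, care with symlinks, and the caveat that scripts run without restrictions) can be checked mechanically. The following is an added example, not part of the original thread; the function name `audit_rbin`, the `RISKY` list and the sample path are assumptions made for illustration.

```bash
# Added example: audit the private bin directory of an rbash account.
# Source this file, then run: audit_rbin /home/monitor/bin  (hypothetical path)

# Illustrative, not exhaustive: programs that can start a shell or run
# arbitrary commands, which would sidestep the restricted shell.
RISKY='sh bash dash ksh zsh csh tcsh vi vim ed less more man awk gawk find env perl python python3 ruby ssh scp tar xargs'

# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_rbin() {
    local dir="$1" findings=0 entry target name
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 2
    fi
    # The user must not be able to drop new commands into the directory:
    # flag a group-write (6th) or other-write (9th) bit in the ls -ld mode.
    case "$(ls -ld "$dir")" in
        ?????w*|????????w*)
            echo "WRITABLE: $dir is group- or world-writable"
            findings=1 ;;
    esac
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue        # empty dir or dangling symlink
        # A symlink is judged by what it points at, not by its own name.
        target=$(readlink -f "$entry")
        name=${target##*/}
        case " $RISKY " in
            *" $name "*)
                echo "ESCAPE: $entry -> $target"
                findings=1 ;;
        esac
        # rbash turns its restrictions off in the shell it spawns to run a
        # script, so any "#!" file here executes unrestricted.
        if [ "$(head -c 2 "$target" 2>/dev/null)" = '#!' ]; then
            echo "SCRIPT: $entry runs unrestricted"
            findings=1
        fi
    done
    return "$findings"
}
```

Run it as root against the directory before handing out the account, and again after any change to that directory.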