[CentOS] Restricting User Rights massively

Tue Jul 29 15:59:37 UTC 2008
Dirk H. Schulz <dirk.schulz at kinzesberg.de>

Thanks to all who helped - rbash seems to be a good starting point since 
selinux is quite complex and takes some time to get into.

Dirk

--On 29 July 2008 09:40:31 -0400 "William L. Maltby" 
<CentOS4Bill at triad.rr.com> wrote:

>
> On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
>> Hi folks,
>>
>> is it possible to restrict the rights of a user to only do a few, defined
>> actions, e.g. only look up cpu and memory usage, but not walk around in
>> the file system, not see any other hardware details, run any
>> binaries/scripts? I know several different techniques to achieve parts
>> of this (like chrooting him), but is there one technique to get it all?
>
> "Man bash". /-r and /RESTRICTED SHELL
>
> It'll take a little setup to custom tailor it. Permissions, PATH and a
> user or group specific bin directory (new one, not one of the standards)
> in their PATH. Some copy/symlink (careful with that) of existing
> executables may be useful.
>
> Be careful with scripts made available. There is a caveat that
> restrictions are removed when a script is being processed.
>
> Carefully constructed .bashrc, .bash_profile.
>
> IMO, this is easier to set up than selinux, *may* meet all your needs and
> will not be affected by upgrades.
>
>>
>> Dirk
>> <snip sig stuff>
>
> HTH
> --
> BILL
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos



--------------------------------------------------------------
Dirk H. Schulz
IT Systems Service
Wiesenweg 12, 85567 Grafing
Tel. 0 80 92/86 25 68
Fax. 0 80 92/86 25 72
--------------------------------------------------------------
Technology at its finest - and the necessary tuning
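
The setup described in the quoted reply (a private bin directory, a PATH that points only at it, a locked profile, and the caveat about scripts), as an added example that is not part of the original thread. The function names, the `/home/monitor` path and the commands in the usage comment are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): stage and check a restricted-bash home.
# Hypothetical usage, as root, for an account whose login shell is rbash:
#   build_restricted_home /home/monitor uptime free
#   audit_scripts /home/monitor/bin

BASH_BIN=$(command -v bash)

# build_restricted_home HOME CMD...: private bin dir holding only the
# allowed commands, plus a profile that points PATH at it and nowhere else.
build_restricted_home() {
    rhome=$1; shift
    mkdir -p "$rhome/bin" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd" || true)
        case $target in
            /*) ln -sf "$target" "$rhome/bin/$cmd" ;;
            *)  echo "not an external command: $cmd" >&2; return 1 ;;
        esac
    done
    printf 'PATH=%s/bin\nexport PATH\n' "$rhome" > "$rhome/.bash_profile"
    # The user must not be able to edit either one; on a live system
    # also chown both to root.
    chmod 555 "$rhome/bin" && chmod 444 "$rhome/.bash_profile"
}

# rsh_try HOME 'command': run one command line the way the restricted user
# would, with a clean environment and only the private bin dir in PATH.
rsh_try() {
    env -i HOME="$1" PATH="$1/bin" "$BASH_BIN" -r -c "$2"
}

# audit_scripts DIR: list entries that are "#!" scripts. rbash hands a script
# to an unrestricted shell, so anything listed runs without the limits.
audit_scripts() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(head -c 2 "$f")" = '#!' ]; then
            echo "${f##*/}"; found=1
        fi
    done
    return $found
}
```

`rsh_try` returns non-zero for `cd`, for any command name containing a slash, for assignments to PATH, and for anything not linked into the private bin directory, which makes it a quick regression check after changing the allowed command list.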