[CentOS] Restricting User Rights massively

Tue Jul 29 22:35:50 UTC 2008
Nifty Cluster Mitch <niftycluster at niftyegg.com>

On Tue, Jul 29, 2008 at 05:59:37PM +0200, Dirk H. Schulz wrote:
> 
> Thanks to all who helped - rbash seems to be a good starting point since  
> selinux is quite complex and takes some time to get into.
>
> Dirk
>
> --On 29. Juli 2008 09:40:31 -0400 "William L. Maltby"  
> <CentOS4Bill at triad.rr.com> wrote:
>
>>
>> On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
>>> Hi folks,
>>>
>>> Is it possible to restrict the rights of a user to only do few, defined
>>> actions, e.g. only look up cpu and memory usage, but not walk around in
>>> the file system, not see any other hardware details, run any
>>> binaries/scripts? I know several different techniques to achieve parts
>>> of this (like chrooting him), but is there one technique to get it all?
>>
>> "Man bash". /-r and /RESTRICTED SHELL
>>
>> It'll take a little setup to custom tailor it. Permissions, PATH and a
>> user or group specific bin directory (new one, not one of the standards)
>> in their PATH. Some copy/symlink (careful with that) of existing
>> executables may be useful.
>>
>> Be careful with scripts made available. There is a caveat that
>> restrictions are removed when a script is being processed.
>>
>> Carefully constructed .bashrc, bash_profile.
>>
>> IMO, this is easier to set up than selinux, *may* meet all your needs and
>> will not be affected by upgrades.
>>
>>>
>>> Dirk
>
> --------------------------------------------------------------
> Dirk H. Schulz

....
> Thanks to all who helped - rbash seems to be a good starting point since  
....

Getting this stuff correct is hard.

Starting "rbash" is a good place to start but since you
did not specify anything about the user (hostile, friendly)
temporary or what sort of data or interaction will be involved
it is hard to be more helpful.

Absolutely require or set a good password on your "rbash" user account.

It may be possible to set up a web page that has a CGI script that
only lets them see what you permit and has an access control list.
Apache CGI scripting errors over time have educated the community
on good (and bad) ways to address some of this stuff. Does
this box already have a web server running?

While CGI scripts can be hard to get correct, script generated static pages are 
not as hard and can be updated with cron.


-- 
	T o m  M i t c h e l l 
	Looking for a place to hang my hat.
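
The restricted-shell setup discussed in this thread (a dedicated bin directory on PATH, locked startup files, caution with scripts), as an added example that is not part of any poster's message. The function name `build_rbash_home`, the `SRC_DIRS` variable, the account name `monitor` and the directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. build_rbash_home, SRC_DIRS and the
# directory layout are hypothetical names chosen for illustration.
SRC_DIRS=${SRC_DIRS:-"/usr/bin /bin"}   # where allowed commands are looked up

# build_rbash_home HOME_DIR CMD...
# Creates HOME_DIR/bin holding symlinks to the named commands only, plus
# read-only startup files that point PATH at that directory.
build_rbash_home() {
    home=$1; shift
    bin="$home/bin"
    mkdir -p "$bin" || return 1
    for cmd in "$@"; do
        case $cmd in            # bare names only, no paths or dotfiles
            ''|*/*|.*) echo "rejected name: $cmd" >&2; return 1 ;;
        esac
        target=
        for dir in $SRC_DIRS; do
            if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
                target="$dir/$cmd"; break
            fi
        done
        [ -n "$target" ] || { echo "not found: $cmd" >&2; return 1; }
        # rbash lifts its restrictions in the shell that runs a script,
        # so anything starting with "#!" is refused.
        if [ "$(head -c 2 "$target")" = '#!' ]; then
            echo "refusing script: $target" >&2; return 1
        fi
        ln -sf "$target" "$bin/$cmd" || return 1
    done
    # Restrictions apply after the startup files are read, so PATH is set
    # here; the user cannot change it afterwards.
    for f in .bash_profile .bashrc; do
        rm -f "$home/$f"
        printf 'PATH=%s\nexport PATH\n' "$bin" > "$home/$f" || return 1
        chmod 444 "$home/$f"
    done
    chmod 555 "$bin" "$home"    # no new files in the home or bin directory
}

# As root, afterwards (account name "monitor" is an assumption):
#   build_rbash_home /home/monitor uptime free
#   chown -R root:root /home/monitor
#   usermod -s /bin/rbash monitor   # /bin/rbash may need: ln -s bash /bin/rbash
```

The `chown` step matters: a user who owns the home directory can replace the startup files even when they are mode 444.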