FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 07-29-2008, 01:40 PM
"William L. Maltby"
 
Default Restricting User Rights massively

On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
> Hi folks,
>
> is it possible to restrict the rights of a user to only do few, defined
> actions, e.g. only look up cpu and memory usage, but not walk around in the
> file system, not see any other hardware details, run any binaries/scripts?
> I know several different techniques to achieve parts of this (like
> chrooting him), but is there one technique to get it all?

"Man bash". /-r and /RESTRICTED SHELL

It'll take a little setup to custom taylor it. Permissions, PATH and a
user or group specific bin directory (new one, not one of the standards)
in their PATH. Some copy/symlink (careful with that) of existing
executables may be useful.

Be careful with scripts made available. There is a caveat that
restrictions are removed when a script is being processed.

Carefully constructed .bashrc, bash_profile.

IMO, this is easier to setup than selinux, *may* meet all your needs and
will not be affected by upgrades.

>
> Dirk
> <snip sig stuff>

HTH
--
BILL

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-29-2008, 02:14 PM
"Sean Carolan"
 
Default Restricting User Rights massively

IMO, this is easier to setup than selinux, *may* meet all your needs and


will not be affected by upgrades.
I would agree with this.* Try just creating a user with "rbash" as his login shell and then "sudo /bin/su - username".* Poke around and see what you are able to do, and you'll find out if it meets your needs.* rbash is not as secure as SELinux or creating a chroot environment but it is a whole lot easier to set up.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-29-2008, 03:59 PM
"Dirk H. Schulz"
 
Default Restricting User Rights massively

Thanks to all who helped - rbash seems to be a good starting point since
selinux is quite complex and takes some time to get into.


Dirk

--On 29. Juli 2008 09:40:31 -0400 "William L. Maltby"
<CentOS4Bill@triad.rr.com> wrote:




On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:

Hi folks,

is it possible to restrict the rights of a user to only do few, defined
actions, e.g. only look up cpu and memory usage, but not walk around in
the file system, not see any other hardware details, run any
binaries/scripts? I know several different techniques to achieve parts
of this (like chrooting him), but is there one technique to get it all?


"Man bash". /-r and /RESTRICTED SHELL

It'll take a little setup to custom taylor it. Permissions, PATH and a
user or group specific bin directory (new one, not one of the standards)
in their PATH. Some copy/symlink (careful with that) of existing
executables may be useful.

Be careful with scripts made available. There is a caveat that
restrictions are removed when a script is being processed.

Carefully constructed .bashrc, bash_profile.

IMO, this is easier to setup than selinux, *may* meet all your needs and
will not be affected by upgrades.



Dirk
<snip sig stuff>


HTH
--
BILL

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos




--------------------------------------------------------------
Dirk H. Schulz
IT Systems Service
Wiesenweg 12, 85567 Grafing
Tel. 0 80 92/86 25 68
Fax. 0 80 92/86 25 72
--------------------------------------------------------------
Technik vom Feinsten - und das nötige Tuning
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-29-2008, 10:35 PM
Nifty Cluster Mitch
 
Default Restricting User Rights massively

On Tue, Jul 29, 2008 at 05:59:37PM +0200, Dirk H. Schulz wrote:
>
> Thanks to all who helped - rbash seems to be a good starting point since
> selinux is quite complex and takes some time to get into.
>
> Dirk
>
> --On 29. Juli 2008 09:40:31 -0400 "William L. Maltby"
> <CentOS4Bill@triad.rr.com> wrote:
>
>>
>> On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
>>> Hi folks,
>>>
>>> is it possible to restrict the rights of a user to only do few, defined
>>> actions, e.g. only look up cpu and memory usage, but not walk around in
>>> the file system, not see any other hardware details, run any
>>> binaries/scripts? I know several different techniques to achieve parts
>>> of this (like chrooting him), but is there one technique to get it all?
>>
>> "Man bash". /-r and /RESTRICTED SHELL
>>
>> It'll take a little setup to custom taylor it. Permissions, PATH and a
>> user or group specific bin directory (new one, not one of the standards)
>> in their PATH. Some copy/symlink (careful with that) of existing
>> executables may be useful.
>>
>> Be careful with scripts made available. There is a caveat that
>> restrictions are removed when a script is being processed.
>>
>> Carefully constructed .bashrc, bash_profile.
>>
>> IMO, this is easier to setup than selinux, *may* meet all your needs and
>> will not be affected by upgrades.
>>
>>>
>>> Dirk
>
> --------------------------------------------------------------
> Dirk H. Schulz

....
> Thanks to all who helped - rbash seems to be a good starting point since
....

Getting this stuff correct correct is hard.

Starting "rbash" is a good place to start but since you
did not specify anything about the user (hostile, friendly)
temporary or what sort of data or interation will be involved
it is hard to be more helpful.

Absolutly require or set a good pass word on your "rbash" user account.

It may be possible to set up a web page that has a CGI script that
only lets them see what you permit and has an access control list.
Apache CGI scripting errors over time has educated the community
on good (and bad ways) to address some of this stuff. Does
this box already have a web server running?

While CGI scripts can be hard to get correct, script generated static pages are
not as hard and can be updated with cron.


--
T o m M i t c h e l l
Looking for a place to hang my hat.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-01-2008, 04:12 AM
Nifty Cluster Mitch
 
Default Restricting User Rights massively

On Tue, Jul 29, 2008 at 05:59:37PM +0200, Dirk H. Schulz wrote:
>
> Thanks to all whio helped - rbash seems to be a good starting point since
> selinux is quite complex and takes some time to get into.
>
> Dirk

In this same list is a discussion worth a review.

[CentOS] Re: securing rsync over ssh

This may address your problem.

While this use of ssh is new to me a quick read and there is a facility
to run a specific command and associate that specific command with a
specific ssh public/private key pair.

In that post the OP was looking for ways to expand the limitations i.e. he
was trying to work around a natural action that it sounds like the OP
on this thread was looking for. So his problem looks like the solution
to the initial post on this thread.

Give it a look...
It should also work with a Putty so an external windows user
like your manager could use it too.

--
T o m M i t c h e l l
Looking for a place to hang my hat.



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 03:41 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org