On Sun, 7 Nov 2004 14:41:42 -0500, Stephen Gran <[EMAIL PROTECTED]> wrote:
> apt-get remove --purge ftp telnet wget gcc
> rm /usr/bin/ssh /usr/bin/scp

Unfortunately, I can't do that since I still want some users to be able to access those commands. I just want to restrict access to those commands from most users. I could install those utilities into another directory and set appropriate permissions, but I'd also like system accounts to be able to use them, which complicates matters...

> Note that neither my approach nor yours really stops someone who is
> determined - all of the functionality of the above programs could be
> replicated in perl, python, etc, so you've only made it difficult, not
> impossible. Then there is ~/bin, where users can stash anything they
> like, if you don't also regularly search /home for questionable files.
> Even mounting it noexec isn't really a help - perl /path/to/script works
> as well as /lib/ld-linux.so.2 /path/to/binary

I understand that users could still upload their own programs and run them, but users will do so at the risk of account suspension.

> Does not help at all for your original problem, I'm afraid. It looks to
> me like what you want is filesystem ACLs or SELinux to totally lock
> things down, but others are going to be more helpful with those than I
> will.

Well, after a couple of people mentioned filesystem ACLs, I took a look at them. They might be able to accomplish what I need, but I'll have to read more of the documentation.

-Stephen Le
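One way to approach the restriction discussed in this thread, as an added example that is not part of the original message: audit which of the named binaries are still executable by every local user, and print the Debian commands that would limit each one to root plus a group. The group name `netcmds` and the account passed to `plan_acl_grant` are assumptions; the script only prints the commands and changes nothing itself.

```shell
#!/bin/sh
# Added example, not from the thread. "netcmds" is a hypothetical group
# holding the users who may still run the restricted commands.
GROUP="${GROUP:-netcmds}"

# Succeeds if the "other" execute bit is set on $1, i.e. any local user
# can still run it. -H makes find check the target of a symlink.
world_executable() {
    [ -n "$(find -H "$1" -prune -perm -0001 2>/dev/null)" ]
}

# Print the command that restricts $1 to root and $GROUP (mode 0750).
# dpkg-statoverride records owner, group and mode so that a package
# upgrade does not restore the packaged 0755.
plan_restrict() {
    printf 'dpkg-statoverride --update --add root %s 0750 %s\n' "$GROUP" "$1"
}

# Print the ACL entry that lets one account ($1) outside $GROUP execute
# binary $2, for example a system account that should not join the group.
plan_acl_grant() {
    printf 'setfacl -m u:%s:r-x %s\n' "$1" "$2"
}

# Check each path given; print a restriction plan for every binary that
# is still world-executable. Returns 1 if any were found, 0 otherwise.
# Missing paths are skipped silently.
audit() {
    status=0
    for bin in "$@"; do
        if world_executable "$bin"; then
            plan_restrict "$bin"
            status=1
        fi
    done
    return "$status"
}

# Stand-alone use: sh audit.sh /usr/bin/ssh /usr/bin/scp /usr/bin/wget
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Review the printed commands and run them as root; the override covers owner, group and mode only, so any `setfacl` entry is applied separately.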