On Sunday 19 December 2004 16:26, [EMAIL PROTECTED] wrote: : > > if I only allow the group 'rodolfo' to read those directories > and not to modify them in any way, then I don't see the danger. > Anyhow, if the system tries so hard to oppose to what I'm doing > it's quite clear that I'm trying to achieve what I want the wrong way. > What I wish to do though is quite simple. > 'rodolfo' is a normal user, but Rodolfo (me) is also the superuser, > whereas say, 'alberto' is only a normal user. > Then I wish to adopt for alberto a security level 4, i.e. alberto > should not be able to see the '/' nor the '/home' directory > (although he should be able to see and use the /mnt directory) > and for rodolfo a level security 2, i.e. he should be able to see > (but not to modify) the '/' dir and its subdirs. > Now, the command 'chmod' as far as I know cannot diversify different > permissions to different users: if I do, e.g., 'chmod -r /', > this will prevent *all* users (not only alberto) to read the '/' directory. > Even if I do 'chmod u-r /' or 'chmod g-r /' or 'chmod o-r /' > the problem remains unless I don't first change the ownership > of the dirs whose readability I want to attribute to rodolfo and not to > alberto. You are doing contradictory things. On the one hand you are increasing security by choosing security level 4. On the other hand you are completely ruining security by trying to give a user access to root files. Do you want this computer to be secure or not?
You (Rodolfo) may be the administrator, but you should still not give user rodolfo special access.If user rodolfo has access to the root file system, then any application you run as rodolfo such as a browser may have a security flaw attacked, and then your entire system is compromised. If you want to do admin then you can become root user temporarily with 'su'. If you want user rodolfo to have special powers then you can grant them with 'sudoers' See 'man sudoers' for details. As for limiting what user 'alberto' is allowed to see, one way to achieve that is remove read permissions for public users to those directories. You can create custom rules in drakperm to do that. (Do not remove 'execute' permission or else alberto cannot use the apps in those directories) It is important to use drakperm and not just change the permissions yourself because the Mandrake Security system 'msec' will check the directories match the correct permissions and will change them back again. If you do not like what msec is doing you can always turn it off, its not compulsory to have good security. derek -- www.jennings.homelinux.net http://twiki.mdklinuxfaq.org
____________________________________________________ Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com ____________________________________________________
