Thanks to all who replied.
I'm summing up what I wanted to achieve:
'rodolfo' is a normal user, but Rodolfo (me) is also the superuser,
whereas say, 'alberto' is only a normal user.
Then I wish to adopt for alberto a security level 4, i.e. alberto
should not be able to see the '/' directory nor its subdirs
(although he should be able to see and use the /mnt dir),
and for rodolfo a security level 2, i.e. he should be able to see
(but *not* to modify) the '/' dir and its subdirs.
Now, the command 'chmod', as far as I know, cannot give different
permissions to different users: if I do, e.g., 'chmod -r /',
this will prevent *all* users (not only alberto) from reading the '/' directory.
Even if I do 'chmod u-r /' or 'chmod g-r /' or 'chmod o-r /'
the problem remains.
That's what I tried to do to work the problem out:
Security level: 2 (standard).
I made the user rodolfo a member of the 'root' group
in addition to the 'rodolfo' group, just with
    # usermod -g rodolfo -G root rodolfo
Then I adjusted the permissions of the '/' dir and its subdirs,
trying to keep the level 2 philosophy, so that the user rodolfo
(now a member of the root group)
could read but not write those directories except for the /mnt dir,
and that the other users could not even read those directories
(except for /mnt, again). I obtained the following output of 'ls -l /':
[EMAIL PROTECTED] rodolfo]$ ls -l /
total 52
drwxr-x--x 2 root root 4096 Dec 17 16:05 bin/
drwxr-x--x 3 root root 4096 Dec 20 11:41 boot/
drwxr-x--x 17 root root 3800 Dec 20 11:41 dev/
drwxr-x--x 71 root root 4096 Dec 20 11:40 etc/
drwxr-x--x 4 root root 4096 Dec 18 18:53 home/
drwxr-x--x 2 root root 4096 Dec 17 16:31 initrd/
drwxr-x--x 11 root root 4096 Dec 17 16:13 lib/
drwxr-xr-x 7 root root 4096 Dec 18 11:48 mnt/
drwxr-x--x 2 root root 4096 Jan 5 2004 opt/
dr-xr-x--x 77 root root 0 Dec 20 11:40 proc/
drwx------ 11 root root 4096 Dec 19 20:16 root/
drwxr-x--x 2 root root 4096 Dec 17 15:59 sbin/
drwxr-x--x 9 root root 0 Dec 20 11:40 sys/
drwxrwxrwt 11 root root 4096 Dec 20 11:41 tmp/
drwxr-x--x 12 root root 4096 Dec 17 16:07 usr/
drwxr-x--x 17 root root 4096 Dec 17 15:59 var/
It seems to me (but I might be wrong) that such a solution would be quite
secure: as we see from the above output, the user rodolfo as a member of
the root group has no more privileges than he normally has with a sec
level 2, in the sense that he cannot see the /root directory and he can
only read the other '/' subdirs; the other users cannot even see the '/'
subdirs, just as I wanted (/tmp though must be accessible to start KDE).
There's only one problem: these changes are not permanent.
In fact, after rebooting the system I get a different output from 'ls -l /':
[EMAIL PROTECTED] rodolfo]$ ls -l /
total 52
drwxr-x--x 2 root root 4096 Dec 17 16:05 bin/
drwxr-x--x 3 root root 4096 Dec 20 11:57 boot/
drwxr-xr-x 17 root root 3800 Dec 20 11:57 dev/
drwxr-x--x 71 root root 4096 Dec 20 11:57 etc/
drwxr-x--x 4 root root 4096 Dec 18 18:53 home/
drwxr-x--x 2 root root 4096 Dec 17 16:31 initrd/
drwxr-x--x 11 root root 4096 Dec 17 16:13 lib/
drwxr-xr-x 7 root root 4096 Dec 18 11:48 mnt/
drwxr-x--x 2 root root 4096 Jan 5 2004 opt/
dr-xr-xr-x 78 root root 0 Dec 20 11:56 proc/
drwx------ 11 root root 4096 Dec 19 20:16 root/
drwxr-x--x 2 root root 4096 Dec 17 15:59 sbin/
drwxr-xr-x 9 root root 0 Dec 20 11:56 sys/
drwxrwxrwt 11 root root 4096 Dec 20 11:58 tmp/
drwxr-x--x 12 root root 4096 Dec 17 16:07 usr/
drwxr-x--x 17 root root 4096 Dec 17 15:59 var/
The /dev, /proc and /sys dirs have turned back to being readable by other
users, which I don't want.
Any other hints will be appreciated.
Thanks,
Rodolfo
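An added example (not part of Rodolfo's post): the two 'ls -l /' listings above are embedded as constructed input, and the script computes what each user can actually do with every top-level directory by the mode-bit rule the post relies on (owner triple if the user owns the entry, group triple if one of the user's groups matches, otherwise the "other" triple), then compares the before- and after-reboot listings and names the directories whose "other" read bit came back. The group memberships are the ones the post describes (rodolfo in 'rodolfo' and 'root', alberto only in 'alberto') and are assumptions in the code; the check deliberately ignores the superuser override and filesystem ACLs, so it models only plain chmod permissions. Note that /dev, /proc and /sys are virtual filesystems mounted afresh at every boot, which is why mode bits set on them do not survive a reboot.

```python
"""Check effective permissions per user from `ls -l /` output and flag
drift between two snapshots. Added example, not code from the post."""
import re

# Constructed from the two `ls -l /` outputs pasted in the post.
LISTING_BEFORE = """\
total 52
drwxr-x--x 2 root root 4096 Dec 17 16:05 bin/
drwxr-x--x 3 root root 4096 Dec 20 11:41 boot/
drwxr-x--x 17 root root 3800 Dec 20 11:41 dev/
drwxr-x--x 71 root root 4096 Dec 20 11:40 etc/
drwxr-x--x 4 root root 4096 Dec 18 18:53 home/
drwxr-x--x 2 root root 4096 Dec 17 16:31 initrd/
drwxr-x--x 11 root root 4096 Dec 17 16:13 lib/
drwxr-xr-x 7 root root 4096 Dec 18 11:48 mnt/
drwxr-x--x 2 root root 4096 Jan 5 2004 opt/
dr-xr-x--x 77 root root 0 Dec 20 11:40 proc/
drwx------ 11 root root 4096 Dec 19 20:16 root/
drwxr-x--x 2 root root 4096 Dec 17 15:59 sbin/
drwxr-x--x 9 root root 0 Dec 20 11:40 sys/
drwxrwxrwt 11 root root 4096 Dec 20 11:41 tmp/
drwxr-x--x 12 root root 4096 Dec 17 16:07 usr/
drwxr-x--x 17 root root 4096 Dec 17 15:59 var/
"""

LISTING_AFTER = """\
total 52
drwxr-x--x 2 root root 4096 Dec 17 16:05 bin/
drwxr-x--x 3 root root 4096 Dec 20 11:57 boot/
drwxr-xr-x 17 root root 3800 Dec 20 11:57 dev/
drwxr-x--x 71 root root 4096 Dec 20 11:57 etc/
drwxr-x--x 4 root root 4096 Dec 18 18:53 home/
drwxr-x--x 2 root root 4096 Dec 17 16:31 initrd/
drwxr-x--x 11 root root 4096 Dec 17 16:13 lib/
drwxr-xr-x 7 root root 4096 Dec 18 11:48 mnt/
drwxr-x--x 2 root root 4096 Jan 5 2004 opt/
dr-xr-xr-x 78 root root 0 Dec 20 11:56 proc/
drwx------ 11 root root 4096 Dec 19 20:16 root/
drwxr-x--x 2 root root 4096 Dec 17 15:59 sbin/
drwxr-xr-x 9 root root 0 Dec 20 11:56 sys/
drwxrwxrwt 11 root root 4096 Dec 20 11:58 tmp/
drwxr-x--x 12 root root 4096 Dec 17 16:07 usr/
drwxr-x--x 17 root root 4096 Dec 17 15:59 var/
"""

# mode, links, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^([dl-][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


def parse_listing(text):
    """Map entry name -> (mode string, owner, group); non-entry lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            mode, owner, group, name = m.groups()
            entries[name.rstrip("/")] = (mode, owner, group)
    return entries


def triple_to_perms(triple):
    """Turn one rwx triple into a set of 'r', 'w', 'x'.
    Lowercase s/t mean the execute bit is set together with setuid/setgid/sticky."""
    perms = set()
    for ch in triple:
        if ch == "r":
            perms.add("r")
        elif ch == "w":
            perms.add("w")
        elif ch in "xst":
            perms.add("x")
    return perms


def effective_perms(mode, owner, group, user, user_groups):
    """Classic POSIX rule: exactly one triple applies, chosen in this order.
    Ignores the superuser override and ACLs on purpose (plain chmod model)."""
    if user == owner:
        return triple_to_perms(mode[1:4])
    if group in user_groups:
        return triple_to_perms(mode[4:7])
    return triple_to_perms(mode[7:10])


def access_report(entries, user, user_groups):
    """name -> 'rwx'-style string of what `user` can do with each entry."""
    report = {}
    for name, (mode, owner, group) in entries.items():
        perms = effective_perms(mode, owner, group, user, user_groups)
        report[name] = "".join(p if p in perms else "-" for p in "rwx")
    return report


def newly_readable_by_others(before, after):
    """Entries whose 'other' read bit (index 7) was clear before and is set after."""
    return sorted(
        name for name, (mode, _, _) in after.items()
        if name in before and before[name][0][7] == "-" and mode[7] == "r"
    )


if __name__ == "__main__":
    before, after = parse_listing(LISTING_BEFORE), parse_listing(LISTING_AFTER)
    # Group memberships as described in the post (assumed, not read from the system).
    for user, groups in (("rodolfo", {"rodolfo", "root"}), ("alberto", {"alberto"})):
        print(user, access_report(before, user, groups))
    print("readable by others after reboot:", newly_readable_by_others(before, after))
```

Running it shows rodolfo with r-x on everything except /root (---) and /tmp (rwx), alberto with --x on most directories and r-x on /mnt, and dev, proc and sys as the entries that regained the "other" read bit after the reboot.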