Re: [CentOS] Restricting User Rights massively
On Tue, Jul 29, 2008 at 05:59:37PM +0200, Dirk H. Schulz wrote: > > Thanks to all whio helped - rbash seems to be a good starting point since > selinux is quite complex and takes some time to get into. > > Dirk In this same list is a discussion worth a review. [CentOS] Re: securing rsync over ssh This may address your problem. While this use of ssh is new to me a quick read and there is a facility to run a specific command and associate that specific command with a specific ssh public/private key pair. In that post the OP was looking for ways to expand the limitations i.e. he was trying to work around a natural action that it sounds like the OP on this thread was looking for. So his problem looks like the solution to the initial post on this thread. Give it a look... It should also work with a Putty so an external windows user like your manager could use it too. -- T o m M i t c h e l l Looking for a place to hang my hat. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Restricting User Rights massively
On Tue, Jul 29, 2008 at 05:59:37PM +0200, Dirk H. Schulz wrote: > > Thanks to all who helped - rbash seems to be a good starting point since > selinux is quite complex and takes some time to get into. > > Dirk > > --On 29. Juli 2008 09:40:31 -0400 "William L. Maltby" > <[EMAIL PROTECTED]> wrote: > >> >> On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote: >>> Hi folks, >>> >>> is it possible to restrict the rights of a user to only do few, defined >>> actions, e.g. only look up cpu and memory usage, but not walk around in >>> the file system, not see any other hardware details, run any >>> binaries/scripts? I know several different techniques to achieve parts >>> of this (like chrooting him), but is there one technique to get it all? >> >> "Man bash". /-r and /RESTRICTED SHELL >> >> It'll take a little setup to custom taylor it. Permissions, PATH and a >> user or group specific bin directory (new one, not one of the standards) >> in their PATH. Some copy/symlink (careful with that) of existing >> executables may be useful. >> >> Be careful with scripts made available. There is a caveat that >> restrictions are removed when a script is being processed. >> >> Carefully constructed .bashrc, bash_profile. >> >> IMO, this is easier to setup than selinux, *may* meet all your needs and >> will not be affected by upgrades. >> >>> >>> Dirk > > -- > Dirk H. Schulz > Thanks to all who helped - rbash seems to be a good starting point since Getting this stuff correct correct is hard. Starting "rbash" is a good place to start but since you did not specify anything about the user (hostile, friendly) temporary or what sort of data or interation will be involved it is hard to be more helpful. Absolutly require or set a good pass word on your "rbash" user account. It may be possible to set up a web page that has a CGI script that only lets them see what you permit and has an access control list. Apache CGI scripting errors over time has educated the community on good (and bad ways) to address some of this stuff.Does this box already have a web server running? While CGI scripts can be hard to get correct, script generated static pages are not as hard and can be updated with cron. -- T o m M i t c h e l l Looking for a place to hang my hat. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Restricting User Rights massively
Thanks to all who helped - rbash seems to be a good starting point since selinux is quite complex and takes some time to get into. Dirk --On 29. Juli 2008 09:40:31 -0400 "William L. Maltby" <[EMAIL PROTECTED]> wrote: On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote: Hi folks, is it possible to restrict the rights of a user to only do few, defined actions, e.g. only look up cpu and memory usage, but not walk around in the file system, not see any other hardware details, run any binaries/scripts? I know several different techniques to achieve parts of this (like chrooting him), but is there one technique to get it all? "Man bash". /-r and /RESTRICTED SHELL It'll take a little setup to custom taylor it. Permissions, PATH and a user or group specific bin directory (new one, not one of the standards) in their PATH. Some copy/symlink (careful with that) of existing executables may be useful. Be careful with scripts made available. There is a caveat that restrictions are removed when a script is being processed. Carefully constructed .bashrc, bash_profile. IMO, this is easier to setup than selinux, *may* meet all your needs and will not be affected by upgrades. Dirk HTH -- BILL ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Dirk H. Schulz IT Systems Service Wiesenweg 12, 85567 Grafing Tel. 0 80 92/86 25 68 Fax. 0 80 92/86 25 72 -- Technik vom Feinsten - und das nötige Tuning ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Restricting User Rights massively
> > IMO, this is easier to setup than selinux, *may* meet all your needs and > will not be affected by upgrades. I would agree with this. Try just creating a user with "rbash" as his login shell and then "sudo /bin/su - username". Poke around and see what you are able to do, and you'll find out if it meets your needs. rbash is not as secure as SELinux or creating a chroot environment but it is a whole lot easier to set up. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Restricting User Rights massively
On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote: > Hi folks, > > is it possible to restrict the rights of a user to only do few, defined > actions, e.g. only look up cpu and memory usage, but not walk around in the > file system, not see any other hardware details, run any binaries/scripts? > I know several different techniques to achieve parts of this (like > chrooting him), but is there one technique to get it all? "Man bash". /-r and /RESTRICTED SHELL It'll take a little setup to custom taylor it. Permissions, PATH and a user or group specific bin directory (new one, not one of the standards) in their PATH. Some copy/symlink (careful with that) of existing executables may be useful. Be careful with scripts made available. There is a caveat that restrictions are removed when a script is being processed. Carefully constructed .bashrc, bash_profile. IMO, this is easier to setup than selinux, *may* meet all your needs and will not be affected by upgrades. > > Dirk > HTH -- BILL ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Restricting User Rights massively
On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote: > is it possible to restrict the rights of a user to only do few, defined > actions, e.g. only look up cpu and memory usage, but not walk around in the > file system, not see any other hardware details, run any binaries/scripts? > I know several different techniques to achieve parts of this (like > chrooting him), but is there one technique to get it all? SELinux. -- Ignacio Vazquez-Abrams <[EMAIL PROTECTED]> PLEASE don't CC me; I'm already subscribed signature.asc Description: This is a digitally signed message part ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Restricting User Rights massively
Hi folks, is it possible to restrict the rights of a user to only do few, defined actions, e.g. only look up cpu and memory usage, but not walk around in the file system, not see any other hardware details, run any binaries/scripts? I know several different techniques to achieve parts of this (like chrooting him), but is there one technique to get it all? Dirk ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
