Re: [Cooker] limiting access

2001-08-10 Thread Pedro Rosa

Lonnie Cumberland wrote:

>Well, I was just thinking back to the days of Novell and seem to remember that
>when a user logged in, they were mapped into their own user space and generally
>did not have access to other areas.
>
Well, the days of Novell are not over yet. This OS still works in many 
places and performs marvelously the task it is meant for. Besides, today 
one can easily use it from a Linux box. At least Mandrake 8 cost me 
less than 10 minutes to connect to our Novell 5 server. Btw, I think 
Mandrake people could help those in need to connect to a Novell server. 
All that is needed is to load the ipx module and make a small script where:

ipx_configure --auto_primary on --auto_interface on
ncpmount -S YOURSERVER -U user.context.context /mountpoint

In some cases there is the need to forcefully specify the interface. 
This seems true for cases when your machine is not in the same LAN 
segment as the file server:

ipx_interface add -p eth0 802.2

In most cases it is better to specify the server you want to connect to. 
And it is obligatory to write your user name in full, context included. 
Ex. john.finances.acme.usa
Et voila. Transfer speeds look worse on Linux, but not by much. In most 
cases they are acceptable.

Now turning to another aspect. Lonnie, don't confuse a 
_file_server_ with an application server. The philosophy behind Novell 
is a great one. But that's for file servers. In most cases, Novell is 
meant just for centralized massive storage with high performance 
transfers. For users, there is nothing to do there, except store and 
retrieve files. And most apps in a Novell server are for administrative 
purposes only.

Now UNIX is an application server system. Yes, today we use it as a 
desktop workhorse but even the user-friendly Mandrake still lives in the 
app-server world. And that's why we have mega-folders like /usr/bin and 
/usr/share or /usr/lib. Because applications are meant for general and 
broad use. This is good and bad.

The good is that this is more economical than the Windows clobbering 
system. Yes, Windows had a good idea to divide apps into different 
folders. However, it does not distinguish between executables, libraries, 
documents and data. As a result, you may feel that Windows is more 
organized than Linux, but in fact you are getting duplicated libraries, 
conflicts on installs, and a mess where God knows where that 
super-needed *.zzz file went to. Unix and Linux go the other way. They 
rarely divide applications from each other. However, all gurus, 
penguins and demons do hate to see a shared library in the wrong place. 
Or a program lying in some /opt/apt/ept/bin/sbin. There is a standard 
and the *NIX world does love it. This manages to make installs, upgrades 
and use much easier.

The bad thing is that you get some super-mega directories to 
administer. For the eye, it is hell to look through more than 1500 
files (right now I have 2111 in /usr/bin). If there is a task to 
restrict certain apps to different classes of users, then one may have a 
serious problem here. There are some solutions for this like using 
/usr/local or /opt. Well, /usr/local was made for such a thing. However, 
this can be used only in cases when you have three classes of users - 
administrative, advanced users and the not so advanced aka local users. 
That was the primordial idea of the Unix file hierarchy. Well, in most 
cases, such a hierarchy is quite useful, but there are always exceptions 
that spoil the picture. I have seen situations where there is a need to 
divide users into 5 classes with a complex mix of rights. In the 
Windows world, one can achieve such divisions by using tools 
like Novell ZenWorks and Novell NDS. On Unix/Linux, the task may be 
achievable, but it demands some good expertise and it will not be easy 
to administer.

Well, it is a pity that Novell is mostly a demand-money corporation 
(they even started to charge for their Novell 6 Beta). So it is hard to 
predict that we will one day see NDSes or ZenWorkses in use here. But 
there is a light at the end of the tunnel. First, it is the appearance of 
Ganymede, finally on version 1.0. This tool aims to fill the gap of not 
having a free NDS system on *NIXes. It is still a long way from NDS, 
but I believe that it is already worth using. Second, we are seeing the 
emergence of a true access control system on Linux. I hate partisan 
discussions, so I will mention several tools that I believe are worth a 
great future, sorry if I forget some other great ones: RSBAC, SELinux, 
LOMAC, LIDS, ACL for Linux. Some are still in the forge, others are 
already pretty workable. None of them can claim a universal answer "for 
anything, for everything". In fact, all these and other admin tools, 
like atsar, have a "red corner" where they will shine. For example RSBAC 
may be useful to administer some large networks of workstations, the 
fascist SELinux looks good for server administration, while LOMAC or 
LID

Re: [Cooker] limiting access

2001-08-09 Thread Atha Kouroussis

You can run their shell in restricted mode. If the user's shell is bash then 
the restricted counterpart is rbash or bash -r. The user won't be able to 
move outside his home dir. For more info see the man page.

Cheers,
Atha

On August 9, 2001 04:18 pm, you wrote:
> Hi All,
>
> The small distro link was exactly what I think that I am looking for. I will
> investigate it further.
>
> I know that you can change permissions on directories to prevent a user
> from entering a specific directory tree, but is there a way to prevent a
> user from exiting out of a specific directory?
>
> For example, is there a way to prevent the users from leaving their own
> home directories?
>
> Thanks Again,
> Lonnie
>
> 
> Lonnie Cumberland
> OutStep Technologies Incorporated
>
> URL: http://www.outstep.com
> EMAIL: [EMAIL PROTECTED]
>
>  : [EMAIL PROTECTED]




Re: [Cooker] limiting access

2001-08-09 Thread Mordechai Ovits

On Thursday 09 August 2001 04:53, Lonnie Cumberland wrote:
> Well, I was just thinking back to the days of Novell and seem to remember
> that when a user logged in, they were mapped into their own user space and
> generally did not have access to other areas.

You could set up your Linux box to have that property.  I don't recommend it 
though.

> I thought that this was a nice security issue.

Not really.  Being able to see what's in /usr/bin doesn't really open security 
holes.  It does ruin the security aspect called "unpredictability."

> Also, the users could run applications by having a local "bin" link and
> path setting.

No, because the links would resolve to a directory the user can't access.

> I was just playing with some ideas and wanted to investigate them.

Try this:
-
[movits@movitslinux movits]$ su
Password:
[root@movitslinux movits]# cd /
[root@movitslinux /]# mkdir /test
[root@movitslinux /]# chmod 771 /test
[root@movitslinux /]# cp /usr/bin/tree /test/
[root@movitslinux /]# ls -l|grep test
drwxrwx--x    2 root     root         4096 Aug  9 17:43 test/
[root@movitslinux /]# exit
[movits@movitslinux movits]$ cd /test
[movits@movitslinux /test]$ ls
ls: .: Permission denied
[movits@movitslinux /test]$ ./tree /

[SNIPPED LONG OUTPUT]
-

Understand it?

Mordy
-- 
Mordy Ovits   Give a man a fish, he owes you one fish. 
Network Engineer   Teach a man to fish, and you give up
Bloomberg L.P.   your monopoly on fisheries.
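The /test demo above works because of the Unix permission rule: crossing a directory needs the x bit, listing it needs r, and a symlink in ~/bin is only as usable as the permissions along its target path. The following is an added model of that check, not code from the thread; the filesystem layout, uids, gids and modes are constructed to mirror the demo (plus a locked-down /usr/bin to show the symlink case).

```python
from collections import namedtuple
# One entry: owner uid, group gid, mode bits, symlink target (or None).
Node = namedtuple("Node", "uid gid mode symlink")
READ, EXEC = 4, 1

# Constructed layout (not from the thread): /test is 0771 root:root as in the
# demo; /usr/bin is set to 0700 to show why a ~/bin symlink does not help.
FS = {
    "/": Node(0, 0, 0o755, None),
    "/test": Node(0, 0, 0o771, None),
    "/test/tree": Node(0, 0, 0o755, None),
    "/usr": Node(0, 0, 0o755, None),
    "/usr/bin": Node(0, 0, 0o700, None),
    "/usr/bin/tree": Node(0, 0, 0o755, None),
    "/home": Node(0, 0, 0o755, None),
    "/home/movits": Node(1000, 1000, 0o700, None),
    "/home/movits/bin": Node(1000, 1000, 0o700, None),
    "/home/movits/bin/tree": Node(1000, 1000, 0o777, "/usr/bin/tree"),
}

def permitted(node, uid, gids, bit):
    """Owner/group/other check for one mode bit; uid 0 bypasses DAC as the kernel does."""
    if uid == 0:
        return True
    if uid == node.uid:
        return bool(node.mode & (bit << 6))
    if node.gid in gids:
        return bool(node.mode & (bit << 3))
    return bool(node.mode & bit)

def can_access(path, uid, gids, want, depth=0):
    """Walk from /, needing x on every directory crossed, then check `want`
    (READ to list a directory, EXEC to cd into it or run a file) on the last
    component. Symlinks are followed, so their target path is walked too."""
    if depth > 8:
        return False  # symlink loop guard
    parts = [p for p in path.split("/") if p]
    cur = "/"
    for i, part in enumerate(parts):
        if not permitted(FS[cur], uid, gids, EXEC):
            return False  # parent directory is not searchable
        cur = cur.rstrip("/") + "/" + part
        node = FS.get(cur)
        if node is None:
            return False
        if node.symlink is not None:
            rest = "/".join(parts[i + 1:])
            target = node.symlink + ("/" + rest if rest else "")
            return can_access(target, uid, gids, want, depth + 1)
    return permitted(FS[cur], uid, gids, want)
```

With uid 1000 (not in group root), `can_access("/test", 1000, {1000}, READ)` is False (the "ls: .: Permission denied" in the demo) while `can_access("/test/tree", 1000, {1000}, EXEC)` is True; a user in group root gets the rwx group bits and can list /test.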




Re: [Cooker] limiting access

2001-08-09 Thread menola_rh

Sure... remove their mouse and keyboard :)

-jm

On Thursday 09 August 2001 03:18 pm, you wrote:
> Hi All,
>
> The small distro link was exactly what I think that I am looking for. I will
> investigate it further.
>
> I know that you can change permissions on directories to prevent a user
> from entering a specific directory tree, but is there a way to prevent a
> user from exiting out of a specific directory?
>
> For example, is there a way to prevent the users from leaving their own
> home directories?
>
> Thanks Again,
> Lonnie
>
> 
> Lonnie Cumberland
> OutStep Technologies Incorporated
>
> URL: http://www.outstep.com
> EMAIL: [EMAIL PROTECTED]
>
>  : [EMAIL PROTECTED]






Re: [Cooker] limiting access

2001-08-09 Thread Lonnie Cumberland

Well, I was just thinking back to the days of Novell and seem to remember that
when a user logged in, they were mapped into their own user space and generally
did not have access to other areas.

I thought that this was a nice security issue.

Also, the users could run applications by having a local "bin" link and path
setting.

I was just playing with some ideas and wanted to investigate them.

Cheers,
Lonnie

Quoting Mordechai Ovits <[EMAIL PROTECTED]>:

> On Thursday 09 August 2001 04:18, you wrote:
> > I know that you can change permissions on directories to prevent a user
> > from entering a specific directory tree, but is there a way to prevent a
> > user from exiting out of a specific directory?
>
> No, not really.  There's something called chroot, but it won't do what you
> want.  Think about it:  If they can't leave their home dir, how would they run
> things in /usr/bin ?
>
> > For example, is there a way to prevent the users from leaving their own
> > home directories?
>
> Please clarify what you mean by leave?  Do you not want them to be able to
> see the contents of ANY other directory?  And why?!?!?
>
> Mordy
> --
> Mordy Ovits   Give a man a fish, he owes you one fish.
> Network Engineer   Teach a man to fish, and you give up
> Bloomberg L.P.   your monopoly on fisheries.
>




Lonnie Cumberland
OutStep Technologies Incorporated

URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED]
 : [EMAIL PROTECTED]




Re: [Cooker] limiting access

2001-08-09 Thread Mordechai Ovits

On Thursday 09 August 2001 04:18, you wrote:
> I know that you can change permissions on directories to prevent a user
> from entering a specific directory tree, but is there a way to prevent a
> user from exiting out of a specific directory?

No, not really.  There's something called chroot, but it won't do what you 
want.  Think about it:  If they can't leave their home dir, how would they run 
things in /usr/bin ?

> For example, is there a way to prevent the users from leaving their own
> home directories?

Please clarify what you mean by leave?  Do you not want them to be able to 
see the contents of ANY other directory?  And why?!?!? 

Mordy
-- 
Mordy Ovits   Give a man a fish, he owes you one fish. 
Network Engineer   Teach a man to fish, and you give up
Bloomberg L.P.   your monopoly on fisheries.




[Cooker] limiting access

2001-08-09 Thread Lonnie Cumberland

Hi All,

The small distro link was exactly what I think that I am looking for. I will
investigate it further.

I know that you can change permissions on directories to prevent a user from
entering a specific directory tree, but is there a way to prevent a user from
exiting out of a specific directory?

For example, is there a way to prevent the users from leaving their own home
directories?

Thanks Again,
Lonnie


Lonnie Cumberland
OutStep Technologies Incorporated

URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED]
 : [EMAIL PROTECTED]