Re: Limiting User Commands

2004-11-07 Thread ea
 On Fri, Nov 05, 2004 at 07:53:33PM +0200, [EMAIL PROTECTED] wrote:
 In regards to the latter method, would it be possible for me to change
 the group ownership of the commands I don't want users to have access to
 and revoke execute permission from that group?

 Yes, you can make something like that: addgroup(access), then change
 groupname of commands that you want with that group (access), remember to
 remove execute/search by others from commands that are with
 group(access), also don't forget to add group(access) to every user that
 you want to have access to these commands.




 The only problem with this approach would be that you'd revoke it from
 system accounts too, not just your users. It might break in unexpected
 places.

 It seems to me that this should be possible with SELinux. What you need
 would be a role for your users where they are only able to run the
 commands you want them to run, whereas system accounts would remain
 unblocked.


You just need to add group(access) to those system accounts that you want
or that you think will break in unexpected places... Don't you
think?








--
SELLINET Internet Services Provider - http://www.sellinet.net/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Limiting User Commands

2004-11-06 Thread ea
 On Fri, 5 Nov 2004 19:53:33 +0200 (EET), [EMAIL PROTECTED]
 [EMAIL PROTECTED] wrote:
 Yes, you can make something like that: addgroup(access), then change
 groupname of commands that you want with that group (access), remember to
 remove execute/search by others from commands that are with
 group(access), also don't forget to add group(access) to every user that
 you want to have access to these commands.

 The only thing I'm worried about with that method is whether a user
 would be able to run commands that they aren't supposed to have access
 to if they write a Perl script calling one of the banned commands and
 getting Apache to execute that script. In other words, would the
 script execute with the script owner's privileges or with Apache's
 privileges?



If the user who executes a forbidden command does not have the additional
group(access), then he'll get permission denied, no matter whether he
executes the command from Perl, PHP, etc. Just remember that users who can
execute forbidden commands must have the additional group(access); any
other users that don't have this group have no access to forbidden
commands, including the user that runs Apache.

And one more thing: you need to remove read by others and execute/search
by others from forbidden commands; you also need to change their
groupname.

Example:  chmod 750 /bin/rm ; chown root.access /bin/rm ; usermod -G access user




 Thanks,
 Stephen Le







--
SELLINET Internet Services Provider - http://www.sellinet.net/
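
An added example, not part of the original posts: a small audit script for the group-ownership scheme described in the message above, checking that a command has no permissions for "others", that it belongs to the intended group, and that a service account is not a member of that group. The group name `access` comes from the thread; the `www-data` account, the sample group file and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit the "root:<group>, mode 750" scheme from the thread.
# "www-data" and the sample group file are constructed assumptions.

# Octal permission bits and owning group name (GNU stat, BSD fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }
group_of() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1" 2>/dev/null; }

# check_restricted FILE GROUP
# Prints OK, WORLD_ACCESS, WRONG_GROUP or UNREADABLE; returns 0 only for OK.
check_restricted() {
    mode=$(mode_of "$1") || { echo UNREADABLE; return 2; }
    case $mode in
        *0) ;;                              # last octal digit 0: nothing for others
        *)  echo WORLD_ACCESS; return 1 ;;
    esac
    if [ "$(group_of "$1")" != "$2" ]; then
        echo WRONG_GROUP; return 1
    fi
    echo OK
}

# in_group GROUPFILE GROUP USER
# Succeeds if USER is a supplementary member of GROUP in a file in
# /etc/group format (name:passwd:gid:member,member,...).
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Demo on constructed data in a scratch directory; nothing in /bin is touched.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/rm"; chmod 755 "$d/rm"
    g=$(group_of "$d/rm")                   # stands in for the "access" group
    echo "mode 755: $(check_restricted "$d/rm" "$g")"
    chmod 750 "$d/rm"
    echo "mode 750: $(check_restricted "$d/rm" "$g")"
    printf 'access:x:1001:alice,bob\nwww-data:x:33:\n' > "$d/group"
    for u in alice www-data; do
        if in_group "$d/group" access "$u"; then echo "$u: in access"
        else echo "$u: not in access"; fi
    done
    rm -rf "$d"
}
demo
```

On current systems `usermod -G access user` replaces the user's other supplementary groups, while `usermod -aG access user` appends to them. `in_group` only sees supplementary membership; an account whose primary group is the restricted group is recorded in the passwd database instead.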





Re: Limiting User Commands

2004-11-05 Thread ea
 Hello all,

 Is there an easy way to limit the commands a certain group of users
 can execute? I've looked at chroot, and it's too complicated for my
 needs and seems too easy to circumvent; users will be able to upload
 their own Perl scripts, so it seems that they'll be able to access
 commands outside their chroot by getting Apache w/ mod_perl to execute
 the script.

 I'd like to be able to compile a list of commands/programs that users
 in a certain group will be able to execute (ex. cp, mv, rm, etc).
 However, I'd also be happy to compile a list of commands users
 shouldn't be able to execute.



In regards to the latter method, would it be possible for me to change
the group ownership of the commands I don't want users to have access to
and revoke execute permission from that group?

Yes, you can make something like that: addgroup(access), then change
groupname of commands that you want with that group (access), remember to
remove execute/search by others from commands that are with
group(access), also don't forget to add group(access) to every user that
you want to have access to these commands.




 Thanks,
 Stephen Le







--
SELLINET Internet Services Provider - http://www.sellinet.net/





Some words for evms/lvm2

2004-07-08 Thread ea

Hello

Can someone who has experience with evms/lvm2 say some words?
Impressions, etc. I am thinking of setting up one of them on a machine under
extremely high load, but I also think it is not a good idea to use them
on high-load servers.


--
SELLINET Internet Services Provider - http://www.sellinet.net/




Suggestions for system with infortrend fibre storage.

2004-07-02 Thread ea


Hello guys,

I have a system with debian-sarge kernel 2.6.6, with three JBODs 10TB
and a fibre storage switch. My question is about the best way
to mount this:

1. To make five partitions each with size of 2TB, and mount each partition
in separate dir.
2. To make five partitions each with size of 2TB, unite them in
LVM/LVM2/EVMS and mount in one dir.

Please help me with this decision.

What would you say about lvm/lvm2 or evms?

And one more question. I have read a lot about mounting filesystems > 2TB. As
I understand it, in kernel 2.6.x with support for LBD you can mount
filesystems > 2TB; is that correct?

Any help will be appreciated.


--
SELLINET Internet Services Provider - http://www.sellinet.net/

