Re: Limiting User Commands
On Fri, Nov 05, 2004 at 07:53:33PM +0200, [EMAIL PROTECTED] wrote:

In regards to the latter method, would it be possible for me to change the group ownership of the commands I don't want users to have access to and revoke execute permission from that group?

Yes, you can make something like that: addgroup(access), then change groupname of commands that you want with that group (access), remember to remove execute/search by others from commands that are with group(access), also don't forget to add group(access) to every user that you want to have access to these commands.

The only problem with this approach would be that you'd revoke it from system accounts too, not just your users. It might break in unexpected places. It seems to me that this should be possible with SELinux. What you need would be a role for your users where they are only able to run the commands you want them to run, whereas system accounts would remain unblocked.

You just need to add group(access) to those system accounts that you want or that you think will break in unexpected places... Don't you think?

--
SELLINET Internet Services Provider - http://www.sellinet.net/
Re: Limiting User Commands
On Fri, 5 Nov 2004 19:53:33 +0200 (EET), [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Yes, you can make something like that: addgroup(access), then change groupname of commands that you want with that group (access), remember to remove execute/search by others from commands that are with group(access), also don't forget to add group(access) to every user that you want to have access to these commands.

The only thing I'm worried about with that method is whether a user would be able to run commands that they aren't supposed to have access to if they write a Perl script calling one of the banned commands and getting Apache to execute that script. In other words, would the script execute with the script owner's privileges or with Apache's privileges?

If the user who executes a forbidden command has no additional group (access), then he'll get permission denied no matter whether he executes the command from perl, php, etc. Just remember that users who can execute forbidden commands must have the additional group (access); any other users that don't have this group have no access to forbidden commands, including the user that runs apache. And one more thing: you need to remove read by others and execute/search by others from forbidden commands, and you also need to change their groupname. Example:

    chmod 750 /bin/rm             # owner rwx, group r-x, nothing for others
    chown root:access /bin/rm     # the gate group becomes the file's group
    usermod -a -G access user     # -a appends; plain -G replaces the user's other supplementary groups

Thanks, Stephen Le

--
SELLINET Internet Services Provider - http://www.sellinet.net/
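Added example, not part of the thread: a Python model of the classic owner/group/other execute check, showing which accounts can still run a command after the `chmod 750` / `chown root:access` change discussed above. The check is made against the credentials of the calling process, so a script run by the web server is judged as the web server's account. The account names, UIDs and GID 1500 for the `access` group are constructed sample data.

```python
import grp
import os
import pwd
import stat

def may_execute(mode, file_uid, file_gid, uid, gids):
    """Classic Unix execute check; ACLs, capabilities and SELinux are not modeled.
    Exactly one permission class applies, chosen from the caller's credentials."""
    if uid == 0:
        return bool(mode & 0o111)          # root still needs some x bit set
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)   # owner class, even if group/other allow more
    if file_gid in gids:
        return bool(mode & stat.S_IXGRP)   # primary or supplementary group matches
    return bool(mode & stat.S_IXOTH)

def who_can_run(mode, file_uid, file_gid, accounts):
    """accounts maps name -> (uid, set of gids); returns the names allowed to execute."""
    return sorted(name for name, (uid, gids) in accounts.items()
                  if may_execute(mode, file_uid, file_gid, uid, gids))

def local_accounts():
    """Build the accounts map from the local passwd and group databases."""
    accounts = {p.pw_name: (p.pw_uid, {p.pw_gid}) for p in pwd.getpwall()}
    for g in grp.getgrall():
        for member in g.gr_mem:
            if member in accounts:
                accounts[member][1].add(g.gr_gid)
    return accounts

def audit(path, accounts=None):
    """List the accounts that can execute a real file such as /bin/rm."""
    st = os.stat(path)
    return who_can_run(st.st_mode, st.st_uid, st.st_gid,
                       local_accounts() if accounts is None else accounts)

# Constructed sample accounts; GID 1500 stands in for the "access" group.
ACCESS_GID = 1500
SAMPLE = {
    "root": (0, {0}),
    "alice": (1001, {1001, ACCESS_GID}),   # was added to "access"
    "bob": (1002, {1002}),                 # ordinary user, not in "access"
    "www-data": (33, {33}),                # account the web server runs scripts as
    "backup": (34, {34}),                  # system account, not in "access"
}
BEFORE = who_can_run(0o755, 0, 0, SAMPLE)           # root:root, mode 755
AFTER = who_can_run(0o750, 0, ACCESS_GID, SAMPLE)   # root:access, mode 750

if __name__ == "__main__":
    print("before:", BEFORE)
    print("after: ", AFTER)
```

Calling `audit("/bin/rm")` on a live host runs the same check against the real passwd and group databases, which shows the system accounts that lose access along with the ordinary users.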
Re: Limiting User Commands
Hello all,

Is there an easy way to limit the commands a certain group of users can execute? I've looked at chroot, and it's too complicated for my needs and seems too easy to circumvent; users will be able to upload their own Perl scripts, so it seems that they'll be able to access commands outside their chroot by getting Apache w/ mod_perl to execute the script.

I'd like to be able to compile a list of commands/programs that users in a certain group will be able to execute (ex. cp, mv, rm, etc). However, I'd also be happy to compile a list of commands users shouldn't be able to execute. In regards to the latter method, would it be possible for me to change the group ownership of the commands I don't want users to have access to and revoke execute permission from that group?

Yes, you can make something like that: addgroup(access), then change groupname of commands that you want with that group (access), remember to remove execute/search by others from commands that are with group(access), also don't forget to add group(access) to every user that you want to have access to these commands.

Thanks, Stephen Le

--
SELLINET Internet Services Provider - http://www.sellinet.net/
Some words for evms/lvm2
Hello,

Can someone who has experience with evms/lvm2 say some words? Impressions, etc. I think to set up one of them on a machine under extremely high load, but I also think it is not a good idea to use them on high load servers.

--
SELLINET Internet Services Provider - http://www.sellinet.net/
Suggestions for system with infortrend fibre storage.
Hello guys,

I have a system with debian-sarge kernel 2.6.6, with three JBODs 10TB and fibre storage switch. My questions are regarding how is the best way to mount this:

1. To make five partitions each with size of 2TB, and mount each partition in separate dir.
2. To make five partitions each with size of 2TB, unite them in LVM/LVM2/EVMS and mount in one dir.

Please help me with this decision. What will you say about lvm/lvm2 or evms?

And one more question. I read lots about mounting filesystem 2TB. And as I understand in kernel 2.6.x with support for LBD you can mount filesystem 2TB, is that correct?

Any help will be appreciated.

--
SELLINET Internet Services Provider - http://www.sellinet.net/