Re: Restricting User Rights massively

Thanks to all who helped - rbash seems to be a good starting point since selinux is quite complex and takes some time to get into.

Dirk

--On 29 July 2008 09:40:31 -0400 "William L. Maltby" <CentOS4Bill@xxxxxxxxxxxx> wrote:


> On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
>> Hi folks,
>>
>> is it possible to restrict the rights of a user to only do few, defined
>> actions, e.g. only look up cpu and memory usage, but not walk around in
>> the file system, not see any other hardware details, run any
>> binaries/scripts? I know several different techniques to achieve parts
>> of this (like chrooting him), but is there one technique to get it all?
>
> "Man bash". /-r and /RESTRICTED SHELL
>
> It'll take a little setup to custom tailor it. Permissions, PATH and a
> user or group specific bin directory (new one, not one of the standards)
> in their PATH. Some copy/symlink (careful with that) of existing
> executables may be useful.
>
> Be careful with scripts made available. There is a caveat that
> restrictions are removed when a script is being processed.
>
> Carefully constructed .bashrc, .bash_profile.
>
> IMO, this is easier to set up than selinux, *may* meet all your needs and
> will not be affected by upgrades.
>
>>
>> Dirk
> <snip sig stuff>
>
> HTH
> --
> BILL
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos



--------------------------------------------------------------
Dirk H. Schulz
IT Systems Service
Wiesenweg 12, 85567 Grafing
Tel. 0 80 92/86 25 68
Fax. 0 80 92/86 25 72
--------------------------------------------------------------
Technology at its finest - and the necessary tuning