that sounds fun... I'll do that. Thanks a ton,

Thanks,
Visit TDS for quality software and website production
http://tysdomain.com
msn: tyler at tysdomain.com
aim: st8amnd2005
skype: st8amnd127

----- Original Message -----
From: "Jim Kutsch" <jimkutsch@xxxxxxxxx>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Saturday, September 20, 2008 3:40 PM
Subject: Re: making secure limitations for non-root users

> In the 1980s, I had a Unix system connected to a ham radio via packet
> radio interface hardware. I was using it myself but wanted the users via
> radio to run email and Netnews and be isolated from the rest of the system
> where I kept my stuff. I set up a chroot environment in which users had a
> very little piece of the entire system. It required only an amazingly few
> things to be available in the root of the chroot directory. If I remember
> correctly, I had to have /etc/passwd, /etc/group, /etc/getty, a few things
> in /bin and /usr/bin, and the software I allowed these remote users to
> access. There was even a login called "newuser" with no password that ran
> a customized add user script so a user could create his/her own account.
>
> Since you are learning Linux, I'd recommend you go explore chroot and
> start thinking about how very little you really need in the isolated
> environment.
>
> Have fun.
>
> Jim
>
>
> ----- Original Message -----
> From: "Tyler Littlefield" <tyler at tysdomain.com>
> To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
> Sent: Friday, September 19, 2008 5:40 PM
> Subject: Re: making secure limitations for non-root users
>
>
> I'll dig around for that kernel patch.
> Like, limiting them to viewing home dirs, other people's dirs. I can do
> chmod a-r /home, and then chmod o-rx /home/user, but would there be
> anything else I'd need to limit for security reasons? I'd not like to
> screw up perms on logs, but would rather they not see /var/log.
>
>
> Thanks,
> Visit TDS for quality software and website production
> http://tysdomain.com
> msn: tyler at tysdomain.com
> aim: st8amnd2005
> skype: st8amnd127
> ----- Original Message -----
> From: "Gregory Nowak" <greg at romuald.net.eu.org>
> To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
> Sent: Friday, September 19, 2008 3:38 PM
> Subject: Re: making secure limitations for non-root users
>
>
>> Tom has already told you what the best approach would be. However, let
>> me try to specifically answer your questions.
>>
>> On Thu, Sep 18, 2008 at 12:39:40PM -0600, Tyler Littlefield wrote:
>>> I would, however, like to limit them in disk space (I can figure that
>>> one out),
>>
>> Ok.
>>
>>> in port usage (not sure how to do this one, would like to limit what
>>> ports they can open),
>>
>> The only thing I can think of for that is the obvious, a
>> firewall. However, that would apply to everyone on the system. There
>> is something called owner match support, when you're configuring the
>> firewall stuff in the kernel, however, I'm not sure if that does what
>> it actually suggests, or something else. Sorry, that's all I can tell
>> you there, maybe a firewall howto somewhere would tell you more.
>>
>>> programs they can run,
>>
>> The best way I can think of to do that, is to create a group on your
>> system, where all the binaries you want users to access are a part of
>> that group. Then, add the users you want to be able to access those
>> binaries to that group as well, and leave the rest of the binaries/users
>> out. On my debian system, there is a group called bin, but most of my
>> binaries are in root's group. I'm not sure if the bin group is
>> reserved for something else, or if it is there for what its name
>> suggests, and it's up to the system admin to use it as he/she wishes.
>>
>>> and also what they can view on the system.
>>
>> You need to be more specific. What do you want them to be able to
>> view, man pages, text files, contents of specific directories, what?
>>
>> Greg
>>
>>
>> - --
>> web site: http://www.romuald.net.eu.org
>> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
>> skype: gregn1
>> (authorization required, add me to your contacts list first)
>>
>> - --
>> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
>>
>> _______________________________________________
>> Speakup mailing list
>> Speakup at braille.uwo.ca
>> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>>
>
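A minimal chroot of the kind Jim describes (a reduced /etc/passwd and /etc/group plus only the binaries the jailed users may run), as an added example that is not code from this thread or from the Speakup project. The jail path, the allowed login names and the binary list are assumed to be passed as arguments, and ldd is assumed to be available for resolving the shared libraries of dynamically linked binaries.

```shell
#!/bin/sh
# Build a minimal chroot: only the listed binaries, the shared objects they
# need, and an /etc/passwd and /etc/group cut down to the allowed accounts.
# Assumption (not from the thread): arguments are JAIL, a space-separated
# list of login names, then one or more absolute paths to binaries.
set -eu

# copy_with_libs JAIL BINARY: copy BINARY into JAIL at its original path,
# plus every absolute path ldd reports (libraries and the dynamic loader).
copy_with_libs() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    # ldd lines look like "libc.so.6 => /lib/.../libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the absolute paths.
    # A statically linked binary yields nothing here, which is fine.
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        [ -f "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        [ -e "$jail$lib" ] || cp -p "$lib" "$jail$lib"
    done
}

# build_chroot JAIL USERS BINARY...: USERS is the space-separated list of
# login names allowed inside the jail; root is always included because
# many tools expect uid 0 to resolve to a name.
build_chroot() {
    jail=$1; users=$2; shift 2
    mkdir -p "$jail/etc" "$jail/bin" "$jail/usr/bin" "$jail/home" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    # Reduced account files: copy only the allowed entries from the host, so
    # jailed users cannot enumerate the host's full account list.
    : > "$jail/etc/passwd"; : > "$jail/etc/group"
    for u in root $users; do
        grep "^$u:" /etc/passwd >> "$jail/etc/passwd" || true
        grep "^$u:" /etc/group  >> "$jail/etc/group"  || true
    done
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
    for b in "$@"; do copy_with_libs "$jail" "$b"; done
}

# count_jail_accounts JAIL: number of login accounts visible inside the jail.
count_jail_accounts() { wc -l < "$1/etc/passwd" | tr -d ' '; }
```

Run it as root against a jail directory, then point the restricted logins at it (for example via an SSH ChrootDirectory or a wrapper that calls chroot) and add binaries only as real use shows they are needed.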