limitation of user a/c ( telnet service )

[Les Mikesell]

Tim wrote:
> edwardspl at ita.org.mo:
>>> But when user "edward" login to the server by the telnet service, then he 
>>> can modify the dot file...
> 
> Sam Varshavchik:
>> 1) No, he can't.  Not if the file is owned by root, with no other 
>> permissions.
> 
> The user owns the directory, they can remove files and create new ones.
> You'd have to do more than change those file's ownership to root, and
> I'm still not sure whether that'd work in a user's homespace.

Make sure every user has a unique group (the default in fedora), then
for each home directory:
chown root directoryname
chmod g+rwx directoryname
chmod +t directoryname
and
chown root directoryname/dotfile_to_protect

Now the user can still create new files and delete his own because of 
the group rwx on the directory.  No one else has access because his 
group is unique.  He can't remove files he doesn't own because of the 
sticky bit (+t) on the directory.  So, he can't modify or remove files 
owned by root.  And he can't remove the sticky bit because his home 
directory is owned by root.

-- 
   Les Mikesell
    lesmikesell at gmail.com