Mikkel L. Ellertson
mellertson at gmail.com
Mon Oct 17 00:00:37 UTC 2011
On 10/16/2011 08:06 AM, Don Quixote de la Mancha wrote:
> Chroot is great for securing certain kinds of things, but if the
> intended user is an administrator, he won't be able to administer any
> of the files outside of his chroot jail.
> I'm pretty sure bash doesn't provide a facility like this, but there
> should be a different shell that does.
> A simple hack that would work for any shell would be to remove the
> "others execute" permission from all of your executable programs,
> other than the commands you want him to be able to use. You will also
> need to place him in his own group.
> chmod o-x
> will do it.
> But some daemons run as unprivileged users, either their own username
> or as "nobody". You will need these daemons to be in a group that can
> run the commands.
> Wholesale alteration of executable permissions could break your system
> in a big way, though. The permissions might get reset by software
> updates. It's probably best to keep looking for a shell that does
> what you really need.
You may want to look at the -r option of bash, or bash invoked as
rbash. Unfortunately, there are ways to get around the restrictions
of rbash, or most other restricted shells.
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
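An added example, not part of the original thread: a small audit for the permission drift the quoted post warns about, where a software update resets modes after a `chmod o-x` lockdown. The function names, the allowlist and the scratch directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report files whose "others execute"
# bit is set although they are not on the allowlist.

# audit_other_exec DIR NAME...
# Prints each regular file in DIR that others may execute and whose name is
# not among NAME... Returns 1 if any such file exists, 0 otherwise.
# Assumption: allowlisted names contain no whitespace.
audit_other_exec() {
    dir=$1
    shift
    allowed=" $* "
    drift=0
    for path in "$dir"/*; do
        name=${path##*/}
        # -prune keeps find on this one path; -type f skips symlinks and
        # directories; -perm -0001 means "others execute bit is set".
        [ -n "$(find "$path" -prune -type f -perm -0001 2>/dev/null)" ] || continue
        case $allowed in
            *" $name "*) ;;                        # intentionally left o+x
            *) printf '%s\n' "$name"; drift=1 ;;   # not allowlisted: report
        esac
    done
    return "$drift"
}

# Constructed sample: a scratch directory standing in for a bin directory.
demo() {
    d=$(mktemp -d) || return 2
    for f in ls cat gcc perl; do
        printf '#!/bin/sh\n' > "$d/$f"
    done
    chmod 755 "$d/ls" "$d/cat"   # commands the restricted user may run
    chmod 750 "$d/gcc"           # locked down with chmod o-x
    chmod 755 "$d/perl"          # simulates an update resetting the mode
    rc=0
    audit_other_exec "$d" ls cat || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "drift detected: permissions need to be reapplied"
```

Run against a real directory after each package update, a non-empty report lists the files whose mode was reset.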