
Re: override write protection?



On Sat, Aug 12, 2000 at 11:12:37AM -0500, Charles Menzes wrote:
> okay, here is my issue, i have some users on a machine that will need only
> specific privs. i have them set up as:
> 
> shell /bin/rbash
> dir   /home/guests/~user
> 
> path  /usr/local/guests/bin
> 
> i would like to make sure that they are unable to edit their .bash_profile
> so that they can alter their path.
> 
> dir perms	700 owned by user
> .bash_profile perms	640 owned by root group is user's group
> 
> in order for them to not write to their profile, do i need a
> 
> 2700 on their directory
> or
> 4700 on their dir?

Neither.

Assuming user "foo"...

shell:        /bin/rbash
homedir:      /home/guests/foo
writable dir: /home/guests/foo/data

Ownership of ~foo: user root (or whatever), group foo.
Permissions of ~foo: 0750.

Ownership of ~foo/data: user foo, group foo.
Permissions of ~foo/data: 6770 or 6700.

Ownership of ~foo/.bash_profile: user root, group foo.
Permissions of ~foo/.bash_profile: 0640.

(Also protect .profile, .cshrc, .bashrc, etc. the same way as
.bash_profile.)

You realize, of course, that securing shell access to the box is
almost futile.  But, this is better.
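
An added example, not part of the original post: a small audit that reads stat output for a restricted user's home and flags any entry the user could still change, following the layout in the reply. It assumes GNU stat and that the user's primary group has the same name as the user; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Input on stdin: one "MODE OWNER GROUP PATH" line per entry, as printed by
#   stat -c '%a %U %G %n' "$home" "$home"/.[!.]*      (GNU stat)
# Assumption: the user's primary group is named after the user (group foo).

# can_write USER MODE OWNER GROUP -> exit 0 if USER can write or chmod the entry
can_write() {
    c_user=$1 c_mode=$((0$2)) c_owner=$3 c_group=$4
    if [ "$c_owner" = "$c_user" ]; then
        return 0                        # the owner can always chmod write access back
    elif [ "$c_group" = "$c_user" ]; then
        [ $((c_mode & 020)) -ne 0 ]     # group class applies
    else
        [ $((c_mode & 002)) -ne 0 ]     # other class applies
    fi
}

# audit_rbash_home USER HOME -> one finding per line, no output if clean
audit_rbash_home() {
    a_user=$1 a_home=$2
    while read -r mode owner group path; do
        case $path in
            "$a_home")
                # Write access to the directory allows rename/unlink of any
                # entry in it, whoever owns the file itself.
                if can_write "$a_user" "$mode" "$owner" "$group"; then
                    echo "home writable by $a_user: startup files can be renamed or replaced"
                fi ;;
            "$a_home"/.bash_profile|"$a_home"/.profile|"$a_home"/.bashrc|"$a_home"/.cshrc)
                if can_write "$a_user" "$mode" "$owner" "$group"; then
                    echo "${path##*/} writable by $a_user"
                fi ;;
        esac
    done
    return 0
}

# Constructed sample: the layout from the question (home 700, owned by the user).
sample_question_layout() {
    printf '%s\n' '700 foo foo /home/guests/foo' \
                  '640 root foo /home/guests/foo/.bash_profile'
}
sample_question_layout | audit_rbash_home foo /home/guests/foo
```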