Re: override write protection?

On Sat, Aug 12, 2000 at 11:12:37AM -0500, Charles Menzes wrote:
> okay, here is my issue, i have some users on a machine that will need only
> specific privs. i have them set up as:
> shell /bin/rbash
> dir   /home/guests/~user
> path  /usr/local/guests/bin
> i would like to make sure that they are unable to edit their .bash_profile
> so that they can alter their path.
> dir perms	700 owned by user
> .bash_properms	640 owned by root group is user's group
> in order for them to not write to their profile, do i need a
> 2700 on their directory
> or
> 4700 on their dir?


Assuming user "foo"...

shell:        /bin/rbash
homedir:      /home/guests/foo
writable dir: /home/guests/foo/data

Ownership of ~foo: user root (or whatever), group foo.
Permissions of ~foo: 0750.

Ownership of ~foo/data: user foo, group foo.
Permissions of ~foo/data: 6770 or 6700.

Ownership of ~foo/.bash_profile: user root, group foo.
Permissions of ~foo/.bash_profile: 0640.

(Also protect .profile, .cshrc, .bashrc, etc. the same way as

You realize, of course, that securing shell access to the box is
almost futile.  But, this is better.
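
An added example, not part of the original message: a POSIX shell audit of the layout the reply describes, where the restricted user owns neither the home directory nor the startup files and has no write access to them. The function names and the `STARTUP_FILES` list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a restricted-shell home directory against the layout
# described in the reply (home and startup files not owned by the user and
# not writable by group or others).
# STARTUP_FILES is an assumed list; extend it for the shells on your system.
STARTUP_FILES=".bash_profile .profile .cshrc .bashrc"

# check_path USER PATH
# Reports a finding if USER owns PATH or PATH is group/other writable.
# Returns 0 when PATH is locked down, 1 otherwise.
check_path() {
    c_user=$1 c_path=$2 c_rc=0
    # Field 1 of `ls -ld` is the mode string, field 3 the owner name.
    set -- $(ls -ld "$c_path" | awk '{print $1, $3}')
    c_mode=$1 c_owner=$2
    if [ "$c_owner" = "$c_user" ]; then
        echo "FAIL $c_path: owned by $c_user, who can chmod it"
        c_rc=1
    fi
    case $c_mode in
        ?????w*) echo "FAIL $c_path: group-writable ($c_mode)"; c_rc=1 ;;
    esac
    case $c_mode in
        ????????w*) echo "FAIL $c_path: world-writable ($c_mode)"; c_rc=1 ;;
    esac
    return $c_rc
}

# audit_rbash_home USER HOMEDIR
# Checks HOMEDIR itself, then every startup file present in it.
audit_rbash_home() {
    a_user=$1 a_home=$2 a_rc=0
    check_path "$a_user" "$a_home" || a_rc=1
    for a_file in $STARTUP_FILES; do
        # A missing file is acceptable once the directory check passes:
        # the user cannot create it in a directory they cannot write to.
        if [ -e "$a_home/$a_file" ]; then
            check_path "$a_user" "$a_home/$a_file" || a_rc=1
        fi
    done
    return $a_rc
}

# Stand-alone use: sh audit.sh foo /home/guests/foo
if [ $# -eq 2 ]; then
    audit_rbash_home "$1" "$2"
fi
```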