PLEX86  x86- Virtual Machine (VM) Program

Restricting access to specific commands



Well, you can't stop them easily using their OWN version of rcp, but you can stop them using yours.

Change the group owner of the command to "rpc" sic (make the group first), make the command executable only by group, and put your users in that group. Fin.

Eh? Shum mishtake shurely?

In more detail, nothing stops them writing their own code for rcp and compiling it and using it (if they have exec perms on their own home directory or tmp or somewhere else they can compile), except a block on outgoing packets (and incoming replies). To make that block dependent on the user is extremely difficult in Linux, because by the time the packet hits the filtering layer, it carries no trace of its process ancestry.

There are some non-firewalling avenues open to you via tcpwrappers, but they don't stop the users compiling their own rcp which doesn't take any notice. And even if you had a firewall up, they could perfectly well proxy their rcp through a forwarded tunneled ssh connection on an open outgoing port (there must be SOME or they couldn't reach the internet).


So all in all, looks like you have to turn off their exec perms on home and tmp! Unless somebody has a better idea.

Oh ... yes. You could attempt to sabotage RPC with libpam, but they can still compile their own.

Peter
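
The group-ownership restriction described in the post, with a check that it is actually in place, as an added example that is not part of the original post. The group name `rcpusers`, the user `alice` and the path `/usr/bin/rcp` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit that a command is locked
# down as described: owned by a dedicated group, executable by that group,
# and with no access at all for "other".
#
# Setup described in the post, run as root. "rcpusers" and "alice" are
# hypothetical names; adjust the path to wherever your rcp binary lives:
#   groupadd rcpusers
#   chgrp rcpusers /usr/bin/rcp
#   chmod 750 /usr/bin/rcp      # 4750 if it was setuid and must stay so
#   usermod -aG rcpusers alice

# check_restricted FILE GROUP -> returns 0 if restricted as intended, else 1
check_restricted() {
    file=$1
    want=$2
    [ -f "$file" ] || { echo "FAIL: $file is not a regular file"; return 1; }
    # ls -ld prints: mode links owner group ...
    read -r perms _links _owner group _rest <<EOF
$(ls -ld -- "$file")
EOF
    if [ "$group" != "$want" ]; then
        echo "FAIL: $file has group $group, expected $want"
        return 1
    fi
    # Mode string layout: type, user rwx, group rwx, other rwx
    case $perms in
        ??????[xs]---*) ;;      # group may execute, other has nothing
        ??????[xs]*)
            # other-read counts too: a readable binary can simply be copied
            echo "FAIL: $file mode $perms still grants access to other"
            return 1 ;;
        *)
            echo "FAIL: $file mode $perms is not group-executable"
            return 1 ;;
    esac
    echo "OK: $file ($perms, group $group)"
}

# Stand-alone use: sh check_restricted.sh /usr/bin/rcp rcpusers
if [ "$#" -eq 2 ]; then
    check_restricted "$1" "$2"
fi
```

This only covers the system copy of the command; as the post says, it does nothing about a binary the user builds or brings in themselves.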


