Raja Subramanian rajasuperman at gmail.com
Wed Jun 21 18:59:31 IST 2006

On 6/21/06, T.R.Shashwath <trshash84 at gmail.com> wrote:
> On Wednesday 21 June 2006 11:26, Pranavam S wrote:
> > I need to revoke the rights to access those applications from userb
> > and userc whereas usera must have the rights.
> Add usera to a group, change the ownership of those programs to that group and
> give execute permissions for that program only to user and group.
> Example:
> (as root)
> # groupadd groupa
> # gpasswd -a usera groupa
> # chown root:groupa /usr/bin/foo # Where foo is the program you want to restrict
> # chmod 754 /usr/bin/foo
> 7 = read, write and execute (for root), 5 = read, execute (for group members),
> 4 = read only (for non-group members)

Enabling global read access will allow users to copy the binary to, say, /tmp,
"fix" the permissions and run the app anyway.  You probably want mode 750.
In any case, this is not the way to restrict users from running apps.

Binand's post with restricted shells is The Right Way(tm).

- Raja
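
An audit for the 754-versus-750 point made in the reply above, as an added example that is not part of the original thread: it finds programs that "other" users cannot execute but can still read (and therefore copy), and can strip the "other" bits. The function names and the temporary sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). A program with mode 754 denies
# execute to non-group users but still lets them read, and so copy, the file.

# list_copyable DIR: print regular files under DIR that owner or group may
# execute, that others may NOT execute, but that others may still read.
list_copyable() {
    find "$1" -type f -perm -0004 ! -perm -0001 \
        \( -perm -0100 -o -perm -0010 \) -print | sort
}

# tighten_copyable DIR: remove every "other" permission bit from each file
# found above (754 becomes 750) and print the paths that were changed.
tighten_copyable() {
    list_copyable "$1" | while IFS= read -r f; do
        chmod o-rwx -- "$f" && printf '%s\n' "$f"
    done
}

# Constructed sample: an empty file standing in for /usr/bin/foo.
demo_dir=$(mktemp -d)
: > "$demo_dir/foo"
chmod 754 "$demo_dir/foo"
echo "world-readable but execute-restricted:"
list_copyable "$demo_dir"
tighten_copyable "$demo_dir" > /dev/null
echo "remaining after tightening:"
list_copyable "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real directory, `list_copyable /usr/bin` only reports; nothing is changed unless `tighten_copyable` is called as root.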

