Timeline for Is it possible to forbid a specific user from executing files on /usr/bin without changing all files permission to 750?
Current License: CC BY-SA 4.0
21 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Mar 6, 2020 at 0:58 | comment added | Charles Duffy | | @RafaelMuynarsk, you can always specify `chmod o= ...files...` to clear only the "other" field and leave u/g and the other bits like temp and set[ug]id alone. But to be very, very clear, doing that with /usr/bin is a horrible idea. I really do recommend the bind-mount approach to leave the rest of the system alone while changing a single user's view of it. |
| Mar 5, 2020 at 23:04 | comment added | Rafael Muynarsk | | @JoL Good point. Just as a curiosity, would you know a way of changing the permissions in the last three octal digits of files while keeping the first octal digit as it is, instead of just replacing it with 0? |
| Mar 5, 2020 at 21:08 | answer added | vonbrand | | timeline score: 2 |
| Mar 5, 2020 at 20:34 | comment added | A.B | | @CharlesDuffy on second thought, I drop this. This would go far from the initial question. Just to tell you that what you wrote works fine with pam_namespace. Documentation isn't that great but present (`man pam_namespace` + `man namespace.conf`). |
| Mar 5, 2020 at 20:29 | comment added | Charles Duffy | | @A.B, by all means do write it up yourself. |
| Mar 5, 2020 at 20:02 | comment added | JoL | | Just a heads up, but permissions are defined with 4 octal digits, not 3. You might be thinking that all your files are 755, but I have many that are 4755, 2755, 6755, etc. 750 is the same as 0750, so by changing them all to 750, you might be breaking quite a few executables (like sudo) by clearing their suid, sgid, and sticky bits. |
| Mar 5, 2020 at 19:41 | comment added | Daniel Schepler | | My instincts would be to set the user's login shell to something very restricted, and then make sure that the SSH settings don't allow "ssh hostname ls /" to bypass that. Don't know off the top of my head if that's actually possible and, if so, what the exact sshd_config settings would be. |
| Mar 5, 2020 at 19:28 | comment added | A.B | | @CharlesDuffy seems to have become something ubiquitous: manpages.debian.org/stable/libpam-modules/… . Are you over with this? I might write an alternate answer. |
| Mar 5, 2020 at 18:39 | history edited | Paulo Tomé | CC BY-SA 4.0 | Formatted text. |
| Mar 5, 2020 at 17:40 | comment added | Charles Duffy | | See ibm.com/developerworks/library/l-mount-namespaces/index.html discussing a (different) private-namespace PAM module's implementation. |
| Mar 5, 2020 at 17:38 | comment added | Charles Duffy | | I'd implement this with a PAM module that does a bind mount of /var/empty over /usr/bin in a private filesystem namespace during login for the relevant user. Why do something that modifies the filesystem for everyone, when you can modify the filesystem only for the one user? |
| Mar 5, 2020 at 17:00 | comment added | Rafael Muynarsk | | @UlrichSchwarz You're right, but for my use case it works fine... I'm giving SSH access to the user guest just so he can port forward the system to have access to specific web applications. Even with the terminal dead for running the shell, applications running on ports by other users on the system will still work fine after port forwarding. |
| Mar 5, 2020 at 14:52 | history became hot network question | | | |
| Mar 5, 2020 at 8:42 | comment added | Ulrich Schwarz | | That implies user guest won't even have a shell to start, because /usr/bin and /bin are identical in many modern distros. (My gut feeling would be to try and put them in a chroot jail; it's possible that systemd even gives you nice automatisms for that, like it does for services.) |
| Mar 5, 2020 at 7:49 | comment added | Chris Davies | | @planetmaker no! You'll either break the entire system or else break distribution upgrades. |
| Mar 5, 2020 at 7:27 | history edited | Rafael Muynarsk | CC BY-SA 4.0 | deleted 22 characters in body |
| Mar 5, 2020 at 7:22 | history edited | Rafael Muynarsk | CC BY-SA 4.0 | deleted 22 characters in body |
| Mar 5, 2020 at 7:08 | vote accept | Rafael Muynarsk | | |
| Mar 5, 2020 at 7:00 | answer added | muru | | timeline score: 15 |
| Mar 5, 2020 at 6:53 | comment added | planetmaker | | Use group permissions and have that user not be in that group. |
| Mar 5, 2020 at 6:44 | history asked | Rafael Muynarsk | CC BY-SA 4.0 | |
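The chmod distinction raised in the JoL and Charles Duffy comments above, shown as an added example that is not part of the original thread or any answer on it: a scratch file is given the mode of a setuid binary (4755), and the script shows that the absolute three-digit mode `750` rewrites every bit and drops the setuid bit, while the symbolic `o=` clears only the "other" field and leaves the special bits alone. It assumes GNU coreutils (`stat -c %a`) on Linux and only ever touches a temporary directory, never /usr/bin; the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare "chmod 750" with "chmod o="
# on a file that carries the setuid bit. Assumes GNU coreutils on Linux.
set -eu

# Print the octal mode of a path. GNU stat prints four digits when any of
# the setuid/setgid/sticky bits is set (e.g. 4755) and three otherwise.
mode_of() {
    stat -c '%a' "$1"
}

# Create a scratch file with mode $1, apply "chmod $2" to it, print the
# resulting mode, and remove the scratch directory again.
mode_after_chmod() {
    initial=$1
    spec=$2
    dir=$(mktemp -d)
    f="$dir/demo"
    : > "$f"
    chmod "$initial" "$f"
    chmod "$spec" "$f"
    mode_of "$f"
    rm -rf "$dir"
}

# Starting from 4755 (what a setuid binary such as sudo looks like):
# an absolute mode of 750 means 0750, so the setuid bit is gone afterwards,
# whereas "o=" touches only the "other" bits and the result is 4750.
demo() {
    printf 'chmod 750 on a 4755 file -> %s\n' "$(mode_after_chmod 4755 750)"
    printf 'chmod o=  on a 4755 file -> %s\n' "$(mode_after_chmod 4755 o=)"
}
demo
```

The same `o=` form is what a `find ... -exec chmod o= {} +` over a directory tree would apply, but as the comment above stresses, running anything like this on /usr/bin is still a bad idea; the per-user bind mount in a private mount namespace discussed in the thread changes only that user's view of the filesystem.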