Restricting users, commands...

[qstraza]

Hello! ;>

 

i would like to restrict users so that they cannot use specific commands. Like user cant execute "top" or "irssi".

I dont want that root will be the only user who could execute binaries. But that i could restrict only that users that i want to.

 

I know about iptables, to block outbound ports... but this is not what i want.

 

I have some script to restrict that but it is not so secure...

 

Code:

#!/bin/sh
if [ $USER == "user_name" ]; then
echo "Permission denied";
else
/usr/bin/irssi1 $@ # real irssi executable
fi;

 

i renamed "irssi" to "irssi1" and named this script "irssi"

 

So my question is how to restrict users that cannot execute commands on some other way;>

 

thx

[anyweb]

you should be able to restrict users from using certain commands by using file permissions on the commands themselves

 

Code:

[root@www ~]# which top
/usr/bin/top
[root@www ~]# ls -al /usr/bin/top
-r-xr-xr-x  1 root root 53944 Jul 11  2005 /usr/bin/top
[root@www ~]#

 

 

After the first -, there are 9 characters defining the file permissions. These permissions aregiven in groups of 3 each. The first 3 characters are the permissions for

the owner of the file or directory. The next 3 are permissions for the

group that the file is owned by and the final 3 characters define the

access permissions for everyone not part of the group. There are 3

possible attributes that make up file access permissions.

 

r - Read permission. Whether the file may be read. In the case of a

directory, this would mean the ability to list the contents of the

directory.

 

w - Write permission. Whether the file may be written to or modified. For

a directory, this defines whether you can make any changes to the contents

of the directory. If write permission is not set then you will not be able

to delete, rename or create a file.

 

x - Execute permission. Whether the file may be executed. In the case of a

directory, this attribute decides whether you have permission to enter,

run a search through that directory or execute some program from that

directory.

borrowed from [/url][url=http://www.freeos.com/articles/3127/]http://www.freeos.com/articles/3127/ - understanding linux file permissions 

 

right, in the above example the permissions for top are

 

-r-xr-xr-x

 

so you can see that 'top' is given executable permissions by owner, group and users,

 

if you use chmod to change the permissions on this file you could for example only allow 'root' access to execute the 'top' command.

 

remember,

the final 3 characters define theaccess permissions for everyone not part of the group

 

so you can see that in the 'top' example the last three characters are listed as 'r-x' which is the ability to

 

read and execute

 

so, if you remove the ability to 'execute' for 'users' then only root, and members of root's group can execute the command 'top'

 

have a look at the below example

 

Code:

[root@www ~]# chmod 550 /usr/bin/top
[root@www ~]# ls -al /usr/bin/top
-r-xr-x---  1 root root 53944 Jul 11  2005 /usr/bin/top

 

now, the 'execute' and for that matter 'read' attribute for 'top' have been removed from non-root users, and that means that non-root users

 

1. will not be able to read 'top'

2. will not be able to execute 'top'

 

unless they login as root

 

i'm not going into too much detail here but hopefully this will give you an idea of one way of achieving your goal, if you want more details then let us know

 

cheers

anyweb

[znx]

i would like to restrict users so that they cannot use specific commands.

 

restriction based on renaming is not "secure" as you correctly pointed out, although if it is to stop the new users .. it can be quite successful. another simple idea is to create another area to place the binaries into and not give the information to the user, but again that is not a secure method.

 

doing what anyweb suggests is useful if you are root, however it can be tiresome if you only wish to restrict a batch of users and not all.

 

the best (actually the only real solution) is to use a "jail" or "chroot" enviroment. basically what this does is places the user into a smaller "mini" system within you main system. this mini system has a set of files that you wish to be there.

 

I found this example which will make a mini system in EVERY individual users home directory. It a way that you can be truely selective per user.

 

Another one I found builds one jail for ALL the users. It is simpler in its maintence etc as you only need to rebuild one jail each time. Unfortunately it does require making some C code etc. So maybe use it as an idea rather than the solution.

 

There is a nice utility called JailIt which is the best thing for building jails.

 

If you need a more in-depth response I can sit down and build a jail and walk you through it step by step.

[qstraza]

anyweb thanks u wrote very nice tut. there and i am greatfull but i would like to restrict like just one user of 10. So i will check that jail thingie which znx wrote about. thanks to znx too :>

 

Once i tried some jail i think but on the end i just deleted it. I will try to use jail on my laptop fist then when i will manage it i will use it on server, cuz once i did some silly stuff :P

 

oh it was jailkit

 

thanks, gr8 help ;>

 

znx i will let u know when i will need help with jail :P probably u will have to show me how to do it.. but first i will check once again, this time slowly ;)

[znx]

i feel a howto make a chroot jail tutorial! :)

[qstraza]

if u have time and pation... :)i would be greatfull