Not sure if anyone has experience with this, but I would like to lock down the /etc directory so common users cannot run through the directory and read all the files. However, programs still need to be able to read the files to work.

I'm trying to do this because we have several users on our system that like to peruse the files within /etc.

Anyone have any suggestions?

Thanks for your help,
Justin
On Thu, 30 Dec 2004, Justin Odom wrote:
> Not sure if anyone has experience with this, but I would like to lock down the /etc directory so common users cannot run through the directory and read all the files. However, programs still need to be able to read the files to work.
> I'm trying to do this because we have several users on our system that like to peruse the files within /etc.
> Anyone have any suggestions?
I don't know of any automated way to do it, but most critical files should already be locked down by default from prying eyes, and anything you specifically want to hide from users can be done easily by the normal permissions/ownership means for whatever user a daemon is running as.

Are you trying to hide away that pesky /etc/hosts? ;)

Brian J. Conway
bconway(at)alum.wpi.edu
"LINUX is obsolete" - Andrew S. Tanenbaum, creator of Minix - Jan 29, 1992
On Thu, Dec 30, 2004 at 01:54:20PM -0500, Justin Odom wrote:
> I'm trying to do this because we have several users on our system that like to peruse the files within /etc.
> Anyone have any suggestions?
SELinux with the strict policy may be able to help here, but it would require a lot of hand policy writing and domain transitions for every program. Another possibility is to chroot users to their home directories. This has its own problems.
yes....fire those users.
Other than that...i got nothin'

--- Justin Odom <justin.odom@gmail.com> wrote:
> Not sure if anyone has experience with this, but I would like to lock down the /etc directory so common users cannot run through the directory and read all the files. However, programs still need to be able to read the files to work.
> I'm trying to do this because we have several users on our system that like to peruse the files within /etc.
> Anyone have any suggestions?
> Thanks for your help,
> Justin
> _______________________________________________
> Wlug mailing list
> Wlug@mail.wlug.org
> http://mail.wlug.org/mailman/listinfo/wlug
Haha, I think what Justin means is that he has some users who think they know about Linux and keep perusing the /etc files and telling him what is wrong with them. That's my best guess. Though I think the people might be right, maybe Justin is just tired of hearing from them :)

CH

On Thu, 30 Dec 2004 13:40:46 -0800 (PST), Mike Leo <mleo963@yahoo.com> wrote:
> yes....fire those users.
> Other than that...i got nothin'
--
Chuck Haines
chaines@gmail.com
-------------------------------------------
Tau Kappa Epsilon Fraternity
TKE-ZM Web Coordinator
ECE Systems Administrator
-------------------------------------------
AIM: CyberGrex
YIM: CyberGrex_27
ICQ: 3707881
-------------------------------------------
GPG Fingerprint: 303A AB50 4EA9 70ED 2E30 2368 C9CD CCB5 4BD7 0989
GPG Key: http://www.maxslack.com/gpgkey.txt
On Thu, 30 Dec 2004 13:54:20 -0500, Justin Odom <justin.odom@gmail.com> wrote:
> Not sure if anyone has experience with this, but I would like to lock down the /etc directory so common users cannot run through the directory and read all the files. However, programs still need to be able to read the files to work.

I'm not sure you can achieve what you're after--either a user can read the file or he can't. If you turn off read perms for a user, then programs running as that user also will be disallowed. If there's a way to distinguish between the two types of accesses I don't know what it is.

Otherwise, maybe you should look into extended attributes--you'll need a filesystem that supports them. ReiserFS and ext3 both do, as do most others I'm sure.

BR
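Added example, not written by any poster in this thread: a shell sketch of the two points made above, the "normal permissions/ownership" approach from Brian J. Conway's reply and the fact, from the last reply, that a read is decided by the user and group a process runs as rather than by which program asks. The function names are hypothetical, GNU find and GNU stat are assumed, and the mode-bit check deliberately ignores supplementary groups, ACLs and SELinux.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU find and GNU stat, as shipped on Linux.

# List regular files under directory $1 that any local user can read.
world_readable() {
    find "$1" -xdev -type f -perm -0004 2>/dev/null | sort
}

# Classic mode-bit decision for uid $1 / gid $2 on file $3.
# The answer depends only on the ids, not on which program asks.
# Ignores supplementary groups, ACLs and SELinux.
mode_allows_read() {
    uid=$1; gid=$2; file=$3
    [ "$uid" -eq 0 ] && return 0              # root bypasses mode bits
    info=$(stat -c '%a %u %g' "$file") || return 2
    set -- $info                               # $1=mode $2=owner uid $3=group gid
    mode=$(( 0$1 ))                            # octal string -> integer
    if   [ "$uid" -eq "$2" ]; then bit=0400    # owner class
    elif [ "$gid" -eq "$3" ]; then bit=0040    # group class
    else                           bit=0004    # other class
    fi
    [ $(( mode & $bit )) -ne 0 ]
}

# Hide file $1 from ordinary users but keep it readable by the daemon:
# mode 0640, optionally handing the group to the daemon's group $2.
restrict_to_group() {
    [ -f "$1" ] || return 1
    if [ -n "${2:-}" ]; then chgrp "$2" "$1" || return 1; fi
    chmod 0640 "$1"
}

# Stand-alone use: sh script.sh audit [dir]
if [ "${1:-}" = "audit" ]; then world_readable "${2:-/etc}"; fi
```

Files that every user's programs must read cannot be restricted this way, because those programs run with the same ids as the user browsing the directory.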
participants (6)
- Brett Russ
- Brian J. Conway
- Charles R. Anderson
- Chuck Haines
- Justin Odom
- Mike Leo