Re: Policy for a user that can't write any files (apart from in /tmp).

From: Robert Watson (rwatson_at_FreeBSD.org)
Date: 01/21/04

  • Next message: Poul-Henning Kamp: "Re: LOC per committer?" 
    Date: Wed, 21 Jan 2004 12:55:18 -0500 (EST)
To: Josef Karthauser <joe@FreeBSD.org>

    On Wed, 21 Jan 2004, Josef Karthauser wrote:

    > Is it possible now-a-days with MAC, etc, to set a per user policy such
    > that the user doesn't have permissions to write to the file system?
    > I've got a remote user that's logging in to make backup, and it would be
    > really cool to prevent them from modifying anything with out futzing
    > with file permissions and groups.

    Take a look at mac_bsdextended. The policy rule language isn't very
    mature, but should be able to do pretty much what you're looking for. Be
    aware, however, that what you want is probably not what you're asking for.
    For example, regardless of wanting them to write to a file system, you
    probably do want them to be able to write to their terminal device,
    /dev/null, etc. If you're interested in looking more at mac_bsdextended
    and how to enhance the rule language, I'd be happy to help out. The goal
    was to allow policy rules to be set n a type-enforcement like way, but
    without introducing domains and types, which have a high administrative
    overhead. One of the things it reall needs is a notion of user/group set,
    so that you can define sets of users and groups affected by rules in a
    more administrator-friendly way (not to mention more rule-efficient).
    Also, if it had a 'self' identifier, you could more easily express notions
    like "Users can only write to things they own".

    Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
    robert@fledge.watson.org Senior Research Scientist, McAfee Research

    _______________________________________________
    freebsd-current@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-current
    To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

  • Next message: Poul-Henning Kamp: "Re: LOC per committer?"

    Relevant Pages

    • Re: Permissions on filesystem via Group policy
      ... can use the Resultant Set of Policy mmc snapin to see exactly what Group ... you want to disable "inherited permissions" in the advanced page if you only ... > Right-click File System and press Add File. ... Use the security settings of that GPO to specify ...
      (microsoft.public.windows.group_policy)
    • Re: Linux for Kids
      ... so this is equivalent to Olin file and directory permissions then. ... Olin keeps it's permissions in the file system, ... Is it sort of attached to each file and folder? ...
      (comp.os.linux)
    • Re: Is it possible to run as administrator without password?
      ... Access Control Lists aren't exposed through the GUI in this version of Vista ... You can make a list of the registry and file system ... actually saw the Permissions locations in the properties dialogs for various ... If there are restricted registry locations involved, ...
      (microsoft.public.windows.vista.administration_accounts_passwords)
    • Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
      ... turns out to be malware. ... outside filesystem permissions from the grouping. ... from native file system to inodes currently the permissions on the ... So TALPA might save Linux ...
      (Linux-Kernel)
    • Re: List local group members
      ... cleanup and documentation. ... There are applets designed to list group ... trustees have permissions, where they are assigned, and what they are. ... of these tools are very useful for getting ahold of your file system. ...
      (microsoft.public.windows.server.general)