admin question


Post by nosp » Sat, 03 Aug 2002 16:23:22



Hello,

I'm using RH7.3.
When I create a new user, how do I restrict him to only his own home
directory?  I know about chmodding the permissions to something other
than read/executable, but I would like to avoid that.  

Also, how do I give a new user some root abilities.  I want to be able
to execute such tools as ping, traceroute, etc., but only root has
permissions to run that.

Any help appreciated,

ww

 
 
 


Post by dav.. » Sat, 03 Aug 2002 17:00:29



> When I create a new user, how do I restrict him to only his own home
> directory?

Removing 'cd' would be an idea... or chroot his home dir.

> Also, how do I give a new user some root abilities.  I want to be able
> to execute such tools as ping, traceroute, etc., but only root has
> permissions to run that.

Use sudo. See the documentation for sudo.

Davide

 
 
 


Post by Nico Kadel-Garci » Sat, 03 Aug 2002 21:48:06




> Hello,

> I'm using RH7.3.
> When I create a new user, how do I restrict him to only his own home
> directory?  I know about chmodding the permissions to something other
> than read/executable, but I would like to avoid that.

In most situations, you can't. It just doesn't work that way for lots of
reasons.

It should be possible to build a "chroot" cage, if you wish. Such things
exist for ftp, and now for OpenSSH, so users logging in can be so
restricted. Take a look at my notes at http://www.merl.com/people/nkadel/
for hints.

> Also, how do I give a new user some root abilities.  I want to be able
> to execute such tools as ping, traceroute, etc., but only root has
> permissions to run that.

*EXCELLENT* question. Read the man pages on "sudo".
 
 
 


Post by David Efflan » Sun, 04 Aug 2002 10:47:26



> Hello,

> I'm using RH7.3.
> When I create a new user, how do I restrict him to only his own home
> directory?  I know about chmodding the permissions to something other
> than read/executable, but I would like to avoid that.  

Chroot is not usually easy, because they would need all necessary
binaries, libs, etc. in their home dir.  I have never been and would not
want to be on such a system because it makes it impossible to help or get
help from your peers.  An experienced person can often spot a newbie
mistake, that the newbie might not know enough to see or mention.

I have been on a Solaris ISP since 1995 and have never been locked up.  
The only accounts that were ever broken into that I know of were using an
irc client with a security flaw at the time (years ago).  Let the users
set their own file permissions as they want.

> Also, how do I give a new user some root abilities.  I want to be able
> to execute such tools as ping, traceroute, etc., but only root has
> permissions to run that.

Unless you have very strict security settings, users DO have permission to
run ping, traceroute, route, ifconfig, etc.  It is just that some of those
commands are not in their PATH and require full path to execute.  
However, such commands that change system settings like route, ifconfig,
arp, etc. will only display info to users, and not allow them to change
anything.

"sudo" has already been mentioned to control user running of root only
commands.

--
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/
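
The PATH point made in the post above, as an added shell example that is not part of the original thread: it reports where a tool lives, whether the caller's PATH reaches it, and whether the binary is setuid. The function name `locate_tool` and the `SBIN_DIRS` list are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Assumption: admin tools usually live in these directories.
SBIN_DIRS="/sbin:/usr/sbin:/usr/local/sbin"

# locate_tool NAME [EXTRA_DIRS]
# Prints "<path> <in-path|full-path-needed> <setuid|plain>",
# or "NAME not-found" (and returns 1) when the tool is in neither place.
locate_tool() {
    name=$1
    extra=${2:-$SBIN_DIRS}
    where=in-path
    result="$name not-found"
    old_ifs=$IFS
    IFS=:
    # First pass: the caller's PATH. Second pass: the admin directories.
    for list in "$PATH" "$extra"; do
        for dir in $list; do
            [ -n "$dir" ] || continue
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                # A setuid binary runs with its owner's privileges whoever
                # starts it, so these are the entries worth auditing.
                if [ -u "$dir/$name" ]; then mode=setuid; else mode=plain; fi
                result="$dir/$name $where $mode"
                break 2
            fi
        done
        where=full-path-needed
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
    [ "$result" != "$name not-found" ]
}

# Tools named in the thread; the output depends on the host it runs on.
for tool in ping traceroute route ifconfig arp; do
    locate_tool "$tool" || true
done
```

A line marked `full-path-needed` means the user can still run the tool by typing its full path; anything that stays root-only after that is where a sudo rule is the usual next step.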

 
 
 


Post by mjt » Mon, 05 Aug 2002 07:29:08


> I'm using RH7.3.
> When I create a new user, how do I restrict him to only his own home
> directory?  I know about chmodding the permissions to something other
> than read/executable, but I would like to avoid that.

... why ???

> Also, how do I give a new user some root abilities.  I want to be able
> to execute such tools as ping, traceroute, etc., but only root has
> permissions to run that.

"man sudo", "man su"
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Michael J. Tobler: motorcyclist, surfer,  #    Black holes result
 skydiver, and author: "Inside Linux",     #   when God divides the
 "C++ HowTo", "C++ Unleashed"              #     universe by zero

 
 
 
