How Do I... Make sure a particular user only has access rights to one application?

Post by Roberto Leibma » Sun, 05 Aug 2001 02:06:30



Hi there!

Sorry for the cross-posting, but I wasn't exactly sure which of the many
linux newsgroups this question belonged to.

I'm writing a java (swing) application for data entry. The users that will
be using the application are not that technical, plus I really don't want to
give them access to anything else in the computer (I know, this sounds
fascist, but believe me, if I were to tell you what the application is it
would make perfect sense to you as well, but think of a kiosk or an embedded
'puter).

Basically I want to make it so that when they log in the application starts,
fills the WHOLE screen, and makes sure that it stays there until they decide
to log out (from within the application, of course). I want to make sure
that they can't ctrl-z, or anything else.

What do you think is the best way to approach this? What is the sequence of
steps?
How secure will the resulting environment be from tampering?

Thanks a lot for the help!!!!

Roberto Leibman.

P.S. Some additional information: I was planning to use Redhat 7.1 (it's
just the distro I'm most familiar with), latest jdk (1.3 as of this moment),
swing. Since the application is written in swing I don't think I need gnome
or kde running at all, but tell me if you think otherwise. The resulting
application also needs access to selected hardware connected to the machine,
and network access will only be by a dedicated lan which won't be available
from the outside.

 
 
 

Post by Swif » Sun, 05 Aug 2001 18:34:00


On Fri, 03 Aug 2001 17:06:30 GMT, Roberto Leibman


>  I'm writing a java (swing) application for data entry. The users that will
>  be using the application are not that technical, plus I really don't want to
>  give them access to anything else in the computer (I know, this sounds
>  fascist, but believe me, if I were to tell you what the application is it
>  would make perfect sense to you as well, but think of a kiosk or an embedded
>  'puter).

>  Basically I want to make it so that when they log in the application starts,
>  fills the WHOLE screen, and makes sure that it stays there until they decide
>  to log out (from within the application, of course). I want to make sure
>  that they can't ctrl-z, or anything else.

Make that program the shell of the user. You do that as follows (~# is the
root-prompt):
        ~# chsh username
and you give the path to the program. You said it is a java-program. If you
have to run it as "java /path/to/program" you better make a little script
that reads:
        #!/bin/sh
        #
        # Start the Java program
        /usr/bin/java /path/to/program
and save it as (f.i.) /usr/bin/javashell

Then you do
        ~# chsh username
and give "/usr/bin/javashell" as shell.

If the user logs in, he will only be able to do things with that program.
When he exits it, he logs out.

But don't forget, if the program has the ability to run other programs if the
user wants it, the user will be able to do so.

--
 SwifT                     -    Key-ID CDBA2FDB
 LUG: http://www.lugwv.be  -    http://www.keyserver.net
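
A check for the setup described in the post above, as an added example that is not part of the original thread: it confirms that the account's shell field in a passwd-format file is the wrapper script and that the restricted user cannot rewrite that wrapper. The function name check_kiosk_account and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that USER in a passwd-format
# file is pinned to the wrapper script and cannot tamper with it.
# Usage: check_kiosk_account PASSWD_FILE USER WRAPPER
check_kiosk_account() {
    passwd_file=$1 user=$2 wrapper=$3 findings=0

    # passwd fields: name:password:uid:gid:gecos:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $7 }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "no such account: $user"
        return 1
    fi
    uid=${entry%%:*}
    shell=${entry#*:}

    if [ "$shell" != "$wrapper" ]; then
        echo "login shell is '$shell', expected '$wrapper'"
        findings=$((findings + 1))
    fi
    if [ ! -f "$wrapper" ] || [ ! -x "$wrapper" ]; then
        echo "wrapper missing or not executable: $wrapper"
        return 1
    fi
    # The restricted user must not be able to rewrite its own "shell".
    if [ -n "$(find "$wrapper" -prune -user "$uid" -print)" ]; then
        echo "wrapper is owned by uid $uid"
        findings=$((findings + 1))
    fi
    if [ -n "$(find "$wrapper" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "wrapper is group- or world-writable"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run directly as: script PASSWD_FILE USER WRAPPER
if [ "$#" -eq 3 ]; then
    check_kiosk_account "$@"
fi
```

The function prints one finding per line and returns non-zero when any finding is present, so it can be run from a periodic job against /etc/passwd.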

 
 
 

Post by Steve Holdowa » Sun, 05 Aug 2001 23:53:51


On top of that, I'd put all users of this program into a separate
group, and then use group ownership and access rights to provide a
'belt and braces' approach... even if they manage to shell out, they
still can't run anything.

This will take a lot of work to get right, though! There will be a lot
of files that the users need access to, data files, etc, that you'll
forget about, and any setuid/gid programs that are used will need
looking at.

HTH

Paranoid Steve


>On Fri, 03 Aug 2001 17:06:30 GMT, Roberto Leibman

>>  I'm writing a java (swing) application for data entry. The users that will
>>  be using the application are not that technical, plus I really don't want to
>>  give them access to anything else in the computer (I know, this sounds
>>  fascist, but believe me, if I were to tell you what the application is it
>>  would make perfect sense to you as well, but think of a kiosk or an embedded
>>  'puter).

>>  Basically I want to make it so that when they log in the application starts,
>>  fills the WHOLE screen, and makes sure that it stays there until they decide
>>  to log out (from within the application, of course). I want to make sure
>>  that they can't ctrl-z, or anything else.

>Make that program the shell of the user. You do that as follows (~# is the
>root-prompt):
>    ~# chsh username
>and you give the path to the program. You said it is a java-program. If you
>have to run it as "java /path/to/program" you better make a little script
>that reads:
>    #!/bin/sh
>    #
>    # Start the Java program
>    /usr/bin/java /path/to/program
>and save it as (f.i.) /usr/bin/javashell

>Then you do
>    ~# chsh username
>and give "/usr/bin/javashell" as shell.

>If the user logs in, he will only be able to do things with that program.
>When he exits it, he logs out.

>But don't forget, if the program has the ability to run other programs if the
>user wants it, the user will be able to do so.
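
An audit for the group-and-permissions approach in the post above, as an added example that is not part of the original thread: it lists which files under a directory a given numeric uid and gid may execute, and which files carry setuid or setgid bits. The function names executable_by and setid_files are assumptions; only one group is considered, and ACLs and directory search permissions are ignored.

```shell
#!/bin/sh
# Added example, not from the thread. uid/gid arguments are numeric; a
# single group is evaluated, ACLs and directory permissions are ignored.

# List regular files under DIR that the account UID:GID may execute.
# Unix consults exactly one permission class: owner, else group, else
# other. A file with mode 705 is therefore NOT executable by members of
# its group, even though everyone else may run it.
executable_by() {
    dir=$1 uid=$2 gid=$3
    find "$dir" -type f \( \
        \( -user "$uid" -perm -100 \) -o \
        \( ! -user "$uid" -group "$gid" -perm -010 \) -o \
        \( ! -user "$uid" ! -group "$gid" -perm -001 \) \
    \) -print | sort
}

# List setuid/setgid files: these run with another identity's privileges
# regardless of which class allowed the caller to start them.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Run directly as: script DIR UID GID
if [ "$#" -eq 3 ]; then
    echo "== executable by uid $2 gid $3 =="
    executable_by "$1" "$2" "$3"
    echo "== setuid/setgid =="
    setid_files "$1"
fi
```

An empty first list for the restricted account over /bin, /usr/bin and similar directories is the state the post aims for; anything in the second list needs individual review.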

 
 
 

Post by Swif » Mon, 06 Aug 2001 00:18:32




>  On top of that, I'd put all users of this program into a separate
>  group, and then use group ownership and access rights to provide a
>  'belt and braces' approach... even if they manage to shell out, they
>  still can't run anything.

>  This will take a lot of work to get right, though!

Indeed. I've tried it once, took me a day and a half to get things running,
and afterwards a dozen changes to get things running optimally.

If you really want to make all other things unavailable, let them chroot into
a jail. That's a *lot* easier to manage, and a *lot* harder for them to hack.

--
  SwifT
  |- LUG : http://www.lugwv.be
  |- PGP Key-# : 0xCDBA2FDB
  `- "Happy GU/Linux-user :)"

 
 
 
