SCIENTIFIC-LINUX-USERS Archives

January 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
John Summerfield <[log in to unmask]>
Reply To:
John Summerfield <[log in to unmask]>
Date:
Tue, 8 Jan 2008 09:00:52 +0900
Content-Type:
text/plain
Parts/Attachments:
text/plain (62 lines)
Pann McCuaig wrote:
> On Mon, Jan 07, 2008 at 16:21, Daniel Widyono wrote:
> 
>> I liked the simplicity and robustness of Ken's answer: use unix groups.
>>
>>> We would like to create accounts for restricted users
>> To be sure we understand the requirements, what precisely do you mean by
>> "restricted users"?  Do you *only* mean the following?
>>
>>> These users would have access to the filesystem
>>> as appropriate, but would not be allowed to run the applications living
>>> under /opt and /usr/local.
> 
> That's pretty much it.
> 
>> If you only mean the above, then in the context of "primarily for data
>> sharing purposes", what precisely do you mean by "access to the filesystem as
>> appropriate"?
> 
> They would have access to their own home directories and to special
> group directories set up explicitly for file sharing among members of a
> (unix) group.
> 
> They would be able to run standard binaries, but would be explicitly not
> able to run the applications (mostly for statistical analysis) installed
> under /usr/local (globally) and /opt (local to specific nodes).

To illustrate Ken's suggestion:
As root
groupadd statisticians                    # create the group
# add each of your statisticians to the group (e.g. usermod -a -G statisticians <user>)
chown root:statisticians /opt /usr/local  # owner root, group statisticians
chmod 750 /opt /usr/local                 # rwx for root, r-x for the group, nothing for others

At this point statisticians can't access /opt or /usr/local until they 
log off and log in again. A reboot solves this.

Probably you can do it with greater elegance using an selinux policy, 
but I try to avoid them until I know I need them.

As I understand it, selinux policy takes effect after Unix permissions 
allow the access, so you'd have Unix permissions as they are now, and 
add your own policy to deny people who are not statisticians and who are 
not root (etc).




-- 

Cheers
John

-- spambait
[log in to unmask]  [log in to unmask]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
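An added example, not part of John's message or anything on the list: a POSIX sh function that evaluates the directory mode, owner and group John proposes (root:statisticians, mode 750) against constructed users and shows who may search /opt under plain Unix permissions. The user names and group lists are constructed; SELinux policy, which the message notes is applied after DAC, is not modelled.

```shell
#!/bin/sh
# Added example, not from the original mail. Nothing is read from the live
# system; the directory attributes and users below are constructed.

# can_traverse MODE OWNER GROUP USER "GROUPS..."
# Returns 0 when USER holds the search (x) bit on a directory with the given
# octal MODE, owner and group, using the usual DAC rule: owner bits if USER is
# the owner, otherwise group bits if GROUP is among USER's groups, otherwise
# the "other" bits. root is treated as always able to search.
can_traverse() {
    mode=${1#"${1%???}"}   # keep the last three octal digits (drops a leading 0/2/4)
    owner=$2 group=$3 user=$4 groups=$5
    [ "$user" = root ] && return 0
    if [ "$user" = "$owner" ]; then
        bits=${mode%??}                  # owner digit
    else
        ingroup=1
        for g in $groups; do
            [ "$g" = "$group" ] && ingroup=0 && break
        done
        if [ $ingroup -eq 0 ]; then
            tmp=${mode#?}; bits=${tmp%?}  # group digit
        else
            bits=${mode#??}              # other digit
        fi
    fi
    # the search permission is the 1 bit of the selected octal digit
    [ "$(( bits & 1 ))" -eq 1 ]
}

# Constructed scenario mirroring the mail: /opt is root:statisticians, mode 750.
DIR_MODE=750 DIR_OWNER=root DIR_GROUP=statisticians

for entry in "root:root wheel" "alice:users statisticians" "bob:users restricted"; do
    user=${entry%%:*}; groups=${entry#*:}
    if can_traverse "$DIR_MODE" "$DIR_OWNER" "$DIR_GROUP" "$user" "$groups"; then
        echo "$user: may search /opt"
    else
        echo "$user: denied /opt (not owner, not in $DIR_GROUP, other bits = ${DIR_MODE#??})"
    fi
done
```

Run it with no arguments; the before state (mode 755) can be compared by changing DIR_MODE, which lets every listed user through.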
