Thanks everyone. I'm cogitating and meditating.

On Tue, Jan 08, 2008 at 09:00, John Summerfield wrote:
> Pann McCuaig wrote:
> >On Mon, Jan 07, 2008 at 16:21, Daniel Widyono wrote:
> >
> >>I liked the simplicity and robustness of Ken's answer: use unix groups.
> >>
> >>>We would like to create accounts for restricted users
> >>To be sure we understand the requirements, what precisely do you mean by
> >>"restricted users"? Do you *only* mean the following?
> >>
> >>>These users would have access to the filesystem
> >>>as appropriate, but would not be allowed to run the applications living
> >>>under /opt and /usr/local.
> >
> >That's pretty much it.
> >
> >>If you only mean the above, then in the context of "primarily for data
> >>sharing purposes", what precisely do you mean by "access to the
> >>filesystem as
> >>appropriate"?
> >
> >They would have access to their own home directories and to special
> >group directories set up explicitly for file sharing among members of a
> >(unix) group.
> >
> >They would be able to run standard binaries, but would be explicitly not
> >able to run the applications (mostly for statistical analysis) installed
> >under /usr/local (globally) and /opt (local to specific nodes).
>
> To illustrate Ken's suggestion:
> As root
> groupadd statisticians
> Add your statisticians to this group
> chown root.statisticians /opt /usr/local
> chmod 750 /opt /usr/local
>
> At this point statisticians can't access /opt or /usr/local until they
> logoff and login again. A reboot solves this.
>
> Probably you can do it with greater elegance using an selinux policy,
> but I try to avoid them until I know I need them.
>
> As I understand it, selinux policy takes effect after Unix permissions
> allow the access, so you'd have Unix permissions as they are now, and
> add your own policy to deny people who are not statisticians and who are
> not root (etc).
>
>
> --
>
> Cheers
> John
>
> -- spambait
> [log in to unmask] [log in to unmask]
> -- Advice
> http://webfoot.com/advice/email.top.php
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://support.microsoft.com/kb/555375
>
> You cannot reply off-list:-)

--
Pann McCuaig <[log in to unmask]> 212-854-8689
Systems Coordinator, Economics Department, Columbia University
Department Computing Resources: http://www.columbia.edu/cu/economics/computing/
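An added example, not part of the thread and not anyone's posted commands: a POSIX shell script that applies the group-based restriction John illustrates (group owner plus mode 750 on the application directories) and, more usefully for day-to-day operation, audits that the restriction is still in place. The point the audit checks is the one the thread relies on: a directory with no "other" permission bits cannot be traversed by non-members, so nothing under /opt or /usr/local is reachable for them, while the group needs the x bit to get in at all. It assumes a Linux system where `ls -ld` prints permissions in column 1 and the group in column 4, GNU `chown` with `owner:group`, and `getent`; the group name "statisticians" and the paths are the caller's choice, as in the thread. Group membership added with `groupadd`/usermod is only picked up at the next login, which is the logoff/login step John mentions.

```shell
#!/bin/sh
# Added example (not from the thread). Apply and audit a "members only"
# directory restriction built on Unix groups and directory mode 750.
# Assumes Linux `ls -ld` column layout and GNU coreutils chown (owner:group).

# Make DIR reachable only by root and members of GROUP. Must run as root.
# Mirrors the thread's steps: create the group, chown, chmod 750.
restrict_dir_to_group() {
    dir=$1
    group=$2
    getent group "$group" >/dev/null || groupadd "$group"
    chown root:"$group" "$dir"
    chmod 750 "$dir"
}

# Return 0 if DIR is owned by GROUP, traversable by that group (x bit set)
# and carries no permission bits for "other"; print why and return 1 otherwise.
check_restricted_dir() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    line=$(ls -ld "$dir")
    perms=$(printf '%s\n' "$line" | awk '{print $1}')        # e.g. drwxr-x---
    actual_group=$(printf '%s\n' "$line" | awk '{print $4}')
    group_bits=$(printf '%s' "$perms" | cut -c5-7)           # chars 5-7: group rwx
    other_bits=$(printf '%s' "$perms" | cut -c8-10)          # chars 8-10: other rwx

    if [ "$actual_group" != "$group" ]; then
        echo "$dir: group is $actual_group, expected $group"
        return 1
    fi
    if [ "$other_bits" != "---" ]; then
        echo "$dir: 'other' has bits set ($perms); non-members can reach it"
        return 1
    fi
    case $group_bits in
        *x*) ;;
        *) echo "$dir: group lacks the x bit ($perms); members cannot traverse it"
           return 1 ;;
    esac
    echo "$dir: restricted to group $group ($perms)"
    return 0
}

# Audit every directory given; exit status 1 if any one of them fails.
audit_restricted_dirs() {
    group=$1
    shift
    rc=0
    for d in "$@"; do
        check_restricted_dir "$d" "$group" || rc=1
    done
    return $rc
}

# Usage: sh restrict-audit.sh statisticians /opt /usr/local
if [ "$#" -ge 2 ]; then
    audit_restricted_dirs "$@"
fi
```

Run the audit from cron or a configuration check against the same list of directories the `chmod 750` was applied to; it only inspects the top-level directory mode, which is what gates traversal, so a mode change on /opt itself is the one that matters for this scheme.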