Date: Wed, 21 Jan 2004 12:55:18 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Josef Karthauser <joe@FreeBSD.org>
Cc: freebsd-current@FreeBSD.org
Subject: Re: Policy for a user that can't write any files (apart from in /tmp).
Message-ID: <Pine.NEB.3.96L.1040121125108.36551B-100000@fledge.watson.org>
In-Reply-To: <20040121173956.GH68003@genius.tao.org.uk>
On Wed, 21 Jan 2004, Josef Karthauser wrote:

> Is it possible nowadays with MAC, etc., to set a per-user policy such
> that the user doesn't have permissions to write to the file system?
> I've got a remote user that's logging in to make backups, and it would be
> really cool to prevent them from modifying anything without futzing
> with file permissions and groups.

Take a look at mac_bsdextended. The policy rule language isn't very mature, but it should be able to do pretty much what you're looking for.

Be aware, however, that what you want is probably not what you're asking for. For example, regardless of not wanting them to write to a file system, you probably do want them to be able to write to their terminal device, /dev/null, etc.

If you're interested in looking more at mac_bsdextended and how to enhance the rule language, I'd be happy to help out. The goal was to allow policy rules to be set in a type-enforcement-like way, but without introducing domains and types, which have a high administrative overhead. One of the things it really needs is a notion of user/group set, so that you can define sets of users and groups affected by rules in a more administrator-friendly way (not to mention more rule-efficient). Also, if it had a 'self' identifier, you could more easily express notions like "Users can only write to things they own".

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
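As an added illustration of the reply above (not code from the thread or from the FreeBSD project), here is a ugidfw(8) rule set that expresses "the backup user may read everything, write only to /tmp, and still write to its terminal and /dev/null". It assumes a later ugidfw than the 2004 one discussed in the thread (the `add`, `filesys` and `type` keywords), that `security.mac.bsdextended.firstmatch_enabled` is set so the first matching rule decides, and that /tmp is mounted as its own file system (mac_bsdextended matches objects by file system, not by path). The uid value and the `apply` entry point are hypothetical; nothing is applied unless the script is run as root with that argument.

```shell
#!/bin/sh
# Added example: mac_bsdextended rules for a read-only backup account.
# Assumed semantics: first matching rule wins; a rule whose mode lacks the
# requested access bit denies. Rule order therefore matters: the permissive
# device and /tmp rules must come before the catch-all.
#
# mode letters (ugidfw(8)): a admin, r read, s stat, w write, x execute, n none

# Emit the rules, one per line, in the order they must be installed.
# $1 is the uid of the backup account (hypothetical; pick your own).
backup_rules() {
    uid="$1"
    # 1. Character devices (ttys, /dev/null, /dev/zero): full access, otherwise
    #    a login shell cannot even write its prompt. devfs(8) permissions still
    #    keep this user away from raw disk devices, which are also char devices.
    printf '%s\n' "subject uid $uid object type c mode rswx"
    # 2. Scratch space: /tmp only works as a target if it is a separate mount
    #    (tmpfs or md), because 'filesys' matches by file system id, not path.
    printf '%s\n' "subject uid $uid object filesys /tmp mode arswx"
    # 3. Everything else: read, stat and execute only. No 'w' here is what
    #    makes the account unable to modify files anywhere else.
    printf '%s\n' "subject uid $uid object mode rsx"
}

# Count of rules; lets a caller sanity-check the set before installing it.
backup_rule_count() {
    backup_rules "$1" | wc -l | tr -d ' '
}

# Install the rules with ugidfw(8). Requires root and the mac_bsdextended
# module; each line of backup_rules is split into ugidfw arguments.
apply_backup_rules() {
    uid="$1"
    kldstat -q -m mac_bsdextended || kldload mac_bsdextended
    # Assumed sysctl names; check sysctl(8) on your release before relying on them.
    sysctl security.mac.bsdextended.enabled=1
    sysctl security.mac.bsdextended.firstmatch_enabled=1
    backup_rules "$uid" | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting into ugidfw args is intended)
        set -- $rule
        ugidfw add "$@"
    done
    ugidfw list
}

# Only touch the kernel when explicitly asked, e.g.:  ./backup_policy.sh apply 1001
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_backup_rules "$2"
fi
```

To check the result without reading the rule list, log in as the backup account and try `echo x > /tmp/probe` (should succeed), `echo x >> /etc/motd` (should fail with EACCES even if the file mode would allow it) and `echo x > /dev/null` (must succeed, or every shell redirect the user relies on breaks). Removing rule 1 reproduces the "not what you're asking for" failure the reply warns about.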