On Sun, Oct 26, 2008 at 08:19:51PM +0800, joeb wrote:
<snip>
>> > I don't want them to be able see any system directories or other users?
>> 
>> User directories are by default both owned by the user and belong to the
>> user's group. So you can set the umask for every user so that their
>> files are not accessible to others.
>> 
>> You cannot block read and execute access to a lot of system files
>> (binaries, libraries, /usr/[local/]share/) without making the system
>> useless.
>> 
>> What is the problem you're trying to solve? Blocking read access to
>> system files is almost certainly the wrong solution.
>> 
> Want to keep all the users from being able to see anything outside of
> their home directory using gnome or kde desktop. 

I ask again, why? 

As outlined above, you can easily keep users from poking around in
other's files.

Realize that if users cannot read anything outside their home directory, they
cannot start programs in the system directories! 

And since normal users do not have write access to system directories or
files, they can do little harm. System files that users shouldn't have
access to (e.g. /etc/master.passwd) are already chmod-ed so that only
root has access.

You could put every user in a jail(8), but that would be a significant
effort depending on the amount of applications they need. 

Realize that if the users have physical access to the machine, these
security measures are _useless_. A hostile user could take out the
harddisk, put it in a machine where he has a root account and read all
the disk's contents (unless it's encrypted).

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

Attachment: pgpH6cpDlb9NA.pgp
Description: PGP signature

Reply via email to