Orlando Andico wrote:

> but to what point? the users still need access to the other directories
> for e.g. their common daily jobs (e.g. starting the most basic of
> processes requires reading /etc/ld.so.cache)

Remember, it's the shell doing this restricting. Other processes inside the path can still read these files. *It doesn't do a real chroot.* No restrictions are provided to any processes explicitly, so an admin would also need to be very careful not to provide commands in a user's path that can allow them to circumvent these restrictions.

> IOW, you've removed their capability to "cd" to those directories, but
> they can STILL access the contents of those directories by giving the
> absolute path. so what is gained by inconveniencing them?

According to the bash man page, the following is further prohibited: the specification of any command that contains a slash. They can't access the contents of those directories unless a command they have in their path explicitly uses them. The shell will prevent them from doing, say, cat /etc/passwd because the command line contains slashes, but it would not prevent a program that read some file in /etc as part of its operation, as what programs do on their own is outside the shell's control.

--
While there is a lower class, I am in it, while there is a criminal element, I am of it, and while there is a soul in prison, I am not free.
http://stormwyrm.blogspot.com/

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
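The caution above about which commands end up in a restricted user's path, as an added example that is not part of the original post: a bash function an admin could run over that directory before handing it to a user. The function name `audit_restricted_path` and the `RISKY` list are assumptions of this example, and the list is illustrative, not complete.

```bash
#!/usr/bin/env bash
# Added example: audit the command directory given to a restricted-shell user.
# RISKY is an illustrative, non-exhaustive list (an assumption of this example)
# of programs that can start other programs or a shell on their own.
RISKY="sh bash dash ksh zsh csh tcsh vi vim view ex ed nano emacs less more man awk gawk find env xargs perl python python3 ruby"

# audit_restricted_path DIR
# Prints "RISKY <entry> -> <resolved target>" for each flagged entry and
# "WRITABLE <dir>" if DIR is group- or world-writable.
# Returns 1 if anything was flagged, 0 otherwise.
audit_restricted_path() {
    local dir=$1 entry target name perms findings=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        # Follow symlinks: a harmless-looking name may point at a shell.
        target=$(readlink -f -- "$entry")
        for name in "$(basename -- "$entry")" "$(basename -- "$target")"; do
            case " $RISKY " in
                *" $name "*)
                    echo "RISKY $(basename -- "$entry") -> $target"
                    findings=1
                    break ;;
            esac
        done
    done
    # A directory others can write to lets them add their own commands.
    perms=$(ls -ld -- "$dir")
    case $perms in
        ?????w*|????????w*)
            echo "WRITABLE $dir"
            findings=1 ;;
    esac
    return "$findings"
}

# Stand-alone use: ./audit.sh /path/to/restricted/bin
if [ "$#" -gt 0 ]; then
    audit_restricted_path "$1"
fi
```

The check matches on names only, so a renamed copy of a shell is not caught; treat a clean result as a starting point for review of each allowed command.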

