Pann McCuaig wrote:
On Mon, Jan 07, 2008 at 16:21, Daniel Widyono wrote:
I liked the simplicity and robustness of Ken's answer: use unix groups.
We would like to create accounts for restricted users
To be sure we understand the requirements, what precisely do you mean by
"restricted users"? Do you *only* mean the following?
These users would have access to the filesystem
as appropriate, but would not be allowed to run the applications living
under /opt and /usr/local.
That's pretty much it.
If you only mean the above, then in the context of "primarily for data
sharing purposes", what precisely do you mean by "access to the filesystem as
appropriate"?
They would have access to their own home directories and to special
group directories set up explicitly for file sharing among members of a
(unix) group.
They would be able to run standard binaries, but would be explicitly not
able to run the applications (mostly for statistical analysis) installed
under /usr/local (globally) and /opt (local to specific nodes).
To illustrate Ken's suggestion:
As root
groupadd statisticians
Add your statisticians to this group
chown root.statisticians /opt /usr/local
chmod 750 /opt /usr/local
At this point statisticians can't access /opt or /usr/local until they
logoff and login again. A reboot solves this.
Probably you can do it with greater elegance using an selinux policy,
but I try to avoid them until I know I need them.
As I understand it, selinux policy takes effect after Unix permissions
allow the access, so you'd have Unix permissions as they are now, and
add your own policy to deny people who are not statisticians and who are
not root (etc).
--
Cheers
John
-- spambait
[EMAIL PROTECTED] [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
