LinuxQuestions.org
Old 10-14-2006, 09:09 AM   #1
logicalfuzz
Member
 
Registered: Aug 2005
Distribution: Arch Linux
Posts: 291

selective application access for users


I have FC5 (with KDE) installed on my machine.
I have 5 local users - user1, user2, user3, user4, user5 - on this machine.
Now I would like to restrict certain applications for only certain users.
e.g. user1 can access only Firefox, user2 can access only Gaim, user3 can access Firefox+Gaim etc...

How do I go about achieving this?
The purpose of doing this is that with various levels of privileges I want to give only selective application access to users.
I hope you understand the requirements... any alternate solutions for implementing this are welcome..

Thanks in advance...
 
Old 10-14-2006, 10:49 AM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

This is easily implemented with user groups. Make a user group for each application. Then make the executable file for that application owned by the root user account and the application's group. Then make the application's group permissions x or rx. If someone is allowed to use this application then give that user membership in the application's group.

For example, let's say that we want to restrict access to firefox. We want user01 to be able to use firefox. We don't want user02 to be able to use firefox. You need to be logged on as root to do these commands.
First, make a user group for firefox.
Code:
groupadd firefox
Now find the firefox executable and make it owned by the root account and the firefox group. Let's say that firefox is installed in /opt/firefox and the firefox executable is /opt/firefox/firefox.
Code:
chown root:firefox /opt/firefox/firefox
Now you make firefox executable for the firefox group and not for others.
Code:
chmod -c u+rx,g+rx,o-rwx /opt/firefox/firefox
Now give user01 membership in the firefox group. First we have to find out what groups user01 already belongs to so that we can copy them back when we issue the usermod command.
Code:
groups user01
   users  disk
usermod -G disk,firefox user01
groups user01
   users disk firefox
Now that user01 is a member of the firefox group it will be able to execute the firefox executable. Since user02 does not belong to the firefox group user02 will not be able to execute firefox.

In general, when you have a resource that you want to give access for some accounts and not others you can create a user group for that resource and then add or remove membership in that group to control access.

Last edited by stress_junkie; 10-14-2006 at 10:54 AM.
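Added example, not part of stress_junkie's post: a check that an executable really ended up restricted the way the steps above intend. It assumes GNU `stat`; the function name `audit_restricted` is made up for this example. Because `chmod u+rx,g+rx,o-rwx` only adds and removes bits, a group write bit that was already set survives it, so the check flags that case as well.

```shell
#!/bin/sh
# Added example: audit one group-restricted executable.
#   audit_restricted FILE GROUP [OWNER]     (OWNER defaults to root)
# e.g. audit_restricted /opt/firefox/firefox firefox
# Prints one FAIL line per problem; returns 0 only when nothing is wrong.
audit_restricted() {
    file=$1; want_group=$2; want_owner=${3:-root}
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        return 2
    fi
    # GNU stat: %U = owner name, %G = group name, %a = octal mode
    set -- $(stat -c '%U %G %a' "$file")
    owner=$1; group=$2; mode=$((0$3)); bad=0
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"; bad=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; bad=1
    fi
    # Any bit left for "others" lets users outside the group in.
    if [ $((mode & 07)) -ne 0 ]; then
        echo "FAIL: others still have permissions (mode $3)"; bad=1
    fi
    # Group members must be able to execute the file ...
    if [ $((mode & 010)) -eq 0 ]; then
        echo "FAIL: group cannot execute (mode $3)"; bad=1
    fi
    # ... but must not be able to replace it with something else.
    if [ $((mode & 020)) -ne 0 ]; then
        echo "FAIL: group-writable, members could overwrite the program"; bad=1
    fi
    return $bad
}
```

A user added to the group with `usermod` picks up the new membership at the next login, so test access from a fresh session.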
 
Old 10-15-2006, 11:51 AM   #3
logicalfuzz
Member
 
Registered: Aug 2005
Distribution: Arch Linux
Posts: 291

Original Poster
Thanks a lot for the solution!!!

One doubt... Kindly correct me if I am wrong...
The above solution would work when I _know_ the number of apps that I need to restrict.
e.g. I made a group of apps - Firefox, Gaim, Konqueror, Konsole, xterm, Kopete - and made groups of each of these. I assigned all five users the groups according to what was approved. All's well as of yet..
The problem would start now. I have missed out on Konversation. Isn't it that all five users would have access to Konversation even though I had not intended to give them that?
 
Old 10-15-2006, 01:19 PM   #4
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Quote:
Originally Posted by logicalfuzz
The problem would start now. I have missed out on Konversation. Isn't it that all five users would have access to Konversation even though I had not intended to give them that?
Yes that is correct. You have to know the applications that you want to restrict. It is possible to create a situation where all applications are denied by default. That could be a lot of trouble to implement because you might put a restriction on something that everyone needs to use, such as /bin/bash or something like that.

Basically you would make a user group for applications that are not approved. Then you would put all of the applications in that group. Then go back and fix the ones that have been approved by putting them in their own group as described earlier. I can write some code to do this if you would like but I cannot guarantee that it will only affect the applications that you want to affect. In other words it could break utilities like the man utility.

Last edited by stress_junkie; 10-15-2006 at 01:27 PM.
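Added example, not code from stress_junkie or the thread: a dry-run planner for the deny-by-default layout described in the post above. It only prints the `chown`/`chmod` commands it would suggest, so the list can be reviewed before anything is changed. The function name, the policy-file format and the group name `noapps` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run only: prints commands,
# changes nothing.
#   plan_default_deny DIR POLICY [DENY_GROUP]
# POLICY: text file, one "program group" pair per line. Group "-" means
# "leave alone" (programs everyone needs, such as bash or man).
# DENY_GROUP: hypothetical member-less group, default "noapps".
plan_default_deny() {
    dir=$1; policy=$2; deny=${3:-noapps}
    if [ ! -d "$dir" ] || [ ! -r "$policy" ]; then
        echo "usage: plan_default_deny DIR POLICY [DENY_GROUP]" >&2
        return 2
    fi
    for path in "$dir"/*; do
        # Regular executables only; never follow symlinks out of DIR.
        if [ -L "$path" ] || [ ! -f "$path" ] || [ ! -x "$path" ]; then
            continue
        fi
        # chmod 750 would drop a setuid/setgid bit: leave those for a human.
        if [ -u "$path" ] || [ -g "$path" ]; then
            echo "# skip  '$path' (setuid/setgid, review by hand)"
            continue
        fi
        name=${path##*/}
        # First matching policy line wins; no match means "not approved".
        group=$(awk -v n="$name" '$1 == n { print $2; exit }' "$policy")
        case $group in
            -)  echo "# keep  '$path' (listed as needed by everyone)" ;;
            '') echo "chown root:$deny '$path' && chmod 750 '$path'" ;;
            *)  echo "chown root:$group '$path' && chmod 750 '$path'" ;;
        esac
    done
}
```

With a policy file containing `firefox firefox` and `bash -`, a forgotten program such as Konversation lands in the deny group instead of staying open to everyone.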
 
  

