selective application access for users

logicalfuzz · 10-14-2006, 08:09 AM

I have FC5 (with KDE)installed on my machine .
I have 5 local users - user1, user2, user3, user4, user5 - on this machine.
Now i would like to restrict certain applications for only certain users.
eg- user1 can access only firefox, user2 can access only Gaim, user3 can access Firefox+gaim etc...

How i go about achieving this?
The purpose of doing this is that with various levels of privilages i want to give only selective application access to users.
I hope you understand the requirements... any alternate solutions in implementing this is welcome..

Thanks in advance...

stress_junkie · 10-14-2006, 09:49 AM

This is easily implemented with user groups. Make a user group for each application. Then make the executable file for that application owned by the root user account and the application's group. Then make the application's group permissions x or rx. If someone is allowed to use this application then give that user membership in the application's group.

For example, let's say that we want to restrict access to firefox. We want user01 to be able to use firefox. We don't want user02 to be able to use firefox. You need to be logged on as root to do these commands.
First, make a user group for firefox.

Code:

grpadd firefox

Now find the firefox executable and make it owned by the root account and the firefox group. Let's say that firefox is installed in /opt/firefox and the firefox executable is /opt/firefox/firefox.

Code:

chown root:firefox /opt/firefox/firefox

Now you make firefox executable for the firefox group and not for others.

Code:

chmod -c u+rx,g+rx,o-rwx /opt/firefox/firefox

Now give user01 membership in the firefox group. First we have to find out what groups user01 already belongs to so that we can copy them back when we issue the usermod command.

Code:

groups user01
   users  disk
usermod -G disk,firefox user01
groups user01
   users disk firefox

Now that user01 is a member of the firefox group it will be able to execute the firefox executable. Since user02 does not belong to the firefox group user02 will not be able to execute firefox.

In general, when you have a resource that you want to give access for some accounts and not others you can create a user group for that resource and then add or remove membership in that group to control access.

logicalfuzz · 10-15-2006, 10:51 AM

Thanks a lot for the solution!!!

One doubt... Kindly correct me if i am wrong...
The above solution would work when i _know_ the number of apps that i need to restrict.
e.g. i made a group of apps - Firefox, Gaim, Konqueror, Konsole, xterm, Kopete - and made groups of each of these. I assigned all five users the groups according to what was approved. Alls well as of yet..
The problem, would start now. I have missed out on Konversation. Isn't it that all five users would have access to Konversation even though i had not intended them to give that?

stress_junkie · 10-15-2006, 12:19 PM

Quote:

Originally Posted by logicalfuzz

The problem, would start now. I have missed out on Konversation. Isn't it that all five users would have access to Konversation even though i had not intended them to give that?

Yes that is correct. You have to know the applications that you want to restrict. It is possible to create a situation where all applications are denied by default. That could be a lot of trouble to implement because you might put a restriction on something that everyone needs to use, such as /bin/bash or something like that.

Basically you would make a user group for applications that are not approved. Then you would put all of the applications in that group. Then go back and fix the ones that have been approved buy putting them in their own group as described earlier. I can write some code to do this if you would like but I cannot guarantee that it will only affect the applications that you want to affect. In other words it could break utilities like the man utility.