01-18-2012
IMO you are going at it in the wrong way.
First off, create a chrooted user that has some privilege, not all.
In the chroot jail (new / root directory), only populate /usr/bin (or whatever) with commands you can live with. No commands can be a link outside the jail.
Next, grant whatever users you want the privilege of becoming that special user, via sudo and /etc/sudoers.
Basically, though I gave you an answer, this is not a good idea overall. I would not do this. Why do you want ordinary users doing normally restricted operations on the system?
You can probably use /etc/sudoers to set up what you want, but DON'T let everybody have access to everything. The model is grant access. The model is never deny access.
Which is what your question is all about. Deny access.
The reason is the negative approach has serious flaws, even though you may think otherwise. You will notice that the security model that comes with the system is the "grant access model". There are lots of good reasons for that. Don't bypass 30 years of security work for no good reason.
*I like Frank's answer better, I was being too polite.
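The rule in the post above that no command in the jail may be a link pointing outside it can be checked mechanically before the jail is handed to users. The script below is an added example, not part of the original post; the function names and the demo layout are assumptions, and it relies on `readlink -f` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the original post): list symlinks in a chroot
# jail that will not resolve to a file inside the jail.

# jail_bad_links JAIL
# Prints "<path inside jail> -> <link target>" for each symlink whose
# target is missing or lies outside JAIL once the process is chrooted.
jail_bad_links() {
    jail=$(cd "$1" && pwd -P) || return 2
    find "$jail" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) seen=$jail$target ;;                 # absolute: "/" is the jail root
            *)  seen=$(dirname "$link")/$target ;;   # relative to the link's directory
        esac
        # Canonicalise from the host's view. Only the first hop is re-rooted,
        # so a chain through a second absolute link is reported conservatively.
        resolved=$(readlink -f "$seen" 2>/dev/null) || resolved=""
        case $resolved in
            "$jail"/*) inside=yes ;;
            *)         inside=no ;;
        esac
        if [ "$inside" = yes ] && [ -e "$resolved" ]; then continue; fi
        printf '%s -> %s\n' "${link#"$jail"}" "$target"
    done
}

# Constructed demo layout: a jail plus one file outside it.
make_demo_jail() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/jail/usr/bin" "$top/host"
    : > "$top/host/tool"; : > "$top/jail/usr/bin/ok"
    ln -s ok                 "$top/jail/usr/bin/good"    # relative, stays inside
    ln -s /usr/bin/ok        "$top/jail/usr/bin/abs"     # absolute, valid in jail
    ln -s /bin/sh            "$top/jail/usr/bin/sh"      # not copied into jail
    ln -s ../../../host/tool "$top/jail/usr/bin/escape"  # climbs out of the jail
    printf '%s\n' "$top"
}

demo=$(make_demo_jail)
jail_bad_links "$demo/jail" | sort
rm -rf "$demo"
```

Any line it prints names a command that has to be replaced by a real copy inside the jail, together with the libraries that command needs.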
SYSPROFILE(8) System Manager's Manual SYSPROFILE(8)
NAME
sysprofile - modular centralized shell configuration
DESCRIPTION
sysprofile is a generic approach to configure shell settings in a modular and centralized way mostly aimed at avoiding work for lazy
sysadmins. It has only been tested to work with the bash shell.
It basically consists of the small /etc/sysprofile shell script which invokes other small shell scripts having a .bash suffix which are
contained in the /etc/sysprofile.d/ directory. The system administrator can drop in any script he wants without any naming convention
other than that the scripts need to have a .bash suffix to enable automagic sourcing by /etc/sysprofile.
This mechanism is set up by inserting a small shell routine into /etc/profile for login shells and optionally into /etc/bashrc and/or
/etc/bash.bashrc for non-login shells from where the actual /etc/sysprofile script is invoked:
    if [ -f /etc/sysprofile ]; then
        . /etc/sysprofile
    fi
For using "sysprofile" under X11, one can source it in a similar way from /etc/X11/Xsession or your X display manager's Xsession file to
provide the same shell environment as under the console in X11. See the example files in /usr/share/doc/sysprofile/ for illustration.
For usage of terminal emulators with a non-login bash shell under X11, take care to enable sysprofile via /etc/bash.bashrc. If not set
this way, your terminal emulators won't come up with the environment defined by the scripts in /etc/sysprofile.d/.
Users not wanting /etc/sysprofile to be sourced for their environment can easily disable its automatic mechanism. It can be disabled by
simply creating an empty file called $HOME/.nosysprofile in the user's home directory using e.g. the touch(1) command.
Any single configuration file in /etc/sysprofile.d/ can be overridden by any user by creating a private $HOME/.sysprofile.d/ directory
which may contain a user's own version of any configuration file to be sourced instead of the system default. The file names just have to
match exactly those of the system's default /etc/sysprofile.d/ configuration files. Empty versions of these files contained in the
$HOME/.sysprofile.d/ directory automatically disable sourcing of the system wide version.
Naturally, users can add and include their own private script inventions to be automagically executed by /etc/sysprofile at login time.
OPTIONS
There are no options other than those dictated by shell conventions. Anything is defined within the configuration scripts themselves.
SEE ALSO
The README files and configuration examples contained in /etc/sysprofile.d/ and the manual pages bash(1), xdm(1x), xdm.options(5), and
wdm(1x). Recommended further reading is everything related with shell programming.
If you need a similar mechanism for executing code at logout time check out the related package syslogout(8) which is a very close
companion to sysprofile.
BUGS
sysprofile in its current form is mainly restricted to bash(1) syntax. In fact it is more of a rather embarrassing quick and dirty hack
than anything else - but it works. It serves the practical need to enable a centralized bash configuration until something better
becomes available. Your constructive criticism in making this into something better is very welcome. Before I forget to mention it: we
take patches... ;-)
AUTHOR
sysprofile was developed by Paul Seelig <pseelig@debian.org> specifically for the Debian GNU/Linux system. Feel free to port it to and use
it anywhere else under the conditions of either the GNU public license or the BSD license or both. Better yet, please help to make it into
something more worthwhile than it currently is.
SYSPROFILE(8)