1

I am trying to do some security levels on my linux system. For example, deny access to ping command or disk utility application can be easly done by restricting permissions to 750 for binaries:

/bin/ping

/usr/bin/gnome-disks

and a user won't be able to run them. But the problem is that user can somehow obtain the same binary from outside and place that binary in it's home folder. Because user cannot be stopped from grantng permissions to it's own files, he can run the binary files and avoid the permissions granted on system files.

How can I stop user from doing it?

Marko Farkas
  • 13
  • 2

1 Answers1

0

Firstly we'll remove the execute bit from all files in $HOME:

chmod a-x $HOME/*

Then we make sure that any new files created in home, don't have the execute bit set:

umask 006 $HOME

However users can still manually set something to +x so they can execute it manually themselves. Stopping them doing this is more complicated, as you'll need to take ownership of any files they create, and then add them to a group which gives them read/write access but not the ability to change the permissions.

djsmiley2kStaysInside
  • 1,326
  • 1
  • 10
  • 15