On Wed, 21 Jan 2004, Josef Karthauser wrote:

> Is it possible now-a-days with MAC, etc, to set a per user policy such
> that the user doesn't have permissions to write to the file system?
> I've got a remote user that's logging in to make backup, and it would be
> really cool to prevent them from modifying anything without futzing
> with file permissions and groups.

Take a look at mac_bsdextended. The policy rule language isn't very mature, but should be able to do pretty much what you're looking for. Be aware, however, that what you want is probably not what you're asking for. For example, regardless of wanting them to write to a file system, you probably do want them to be able to write to their terminal device, /dev/null, etc.

If you're interested in looking more at mac_bsdextended and how to enhance the rule language, I'd be happy to help out. The goal was to allow policy rules to be set in a type-enforcement like way, but without introducing domains and types, which have a high administrative overhead. One of the things it really needs is a notion of user/group set, so that you can define sets of users and groups affected by rules in a more administrator-friendly way (not to mention more rule-efficient). Also, if it had a 'self' identifier, you could more easily express notions like "Users can only write to things they own".

Robert N M Watson
FreeBSD Core Team, TrustedBSD Projects
robert_at_fledge.watson.org
Senior Research Scientist, McAfee Research

Received on Wed Jan 21 2004 - 08:57:51 UTC