locking down gnome.

plug@arcticmail.com
Thu, 23 Nov 2000 10:41:48 -0700


I'm not so sure.  Could you please verify that
on your own Unix system?


As "root":

# ls -ld /home/luser
drwxr-xr-x   98 luser    luser        1024 Apr  1 10:11 /home/luser
# cd /home/luser
# mkdir .foo
# chown 0 .foo
# chgrp 0 .foo
# chmod 755 .foo


As normal user "luser":

$ cd /home/luser
$ ls -ld .foo*
drwxr-xr-x    2 root     root         1024 Apr  1 10:11 .foo
$ mv .foo .foobar
$ ls -ld .foo*
drwxr-xr-x    2 root     root         1024 Apr  1 10:11 .foobar
$ rmdir .foobar
$ ls -ld .foo*
ls: .foo*: No such file or directory


I'm pretty sure that "luser" couldn't do things within
the 755 directory owned by root:root, but since "luser"
owns the parent directory, /home/luser, and has full rwx
permissions, "luser" can rename the subdirectory.


D

* On Wed, Nov 22, 2000 at 10:38:01PM -0500, Deepak Saxena wrote:
> 
> not if you change user:group of .gnome and .gnome-desktop to someone
> else and then chmod 755 on it.  the user can't delete it or move it
> since he doesn't own it.
> 
> ~ Deepak
> 
> 
> On Nov 22 2000, at 17:53, plug@arcticmail.com was caught saying:
> > 
> > OK, I know that grandma won't know how to do this,
> > but using this method couldn't grandma as grandma
> > do the following:
> > 
> > cd ~grandma
> > mv .gnome .gnome-grandmaubercracker
> > mv .gnome-desktop .gnome-i-want-the-grandkids-photos-on-my-desktop
> > 
> > assuming that grandma has sufficient permissions
> > in her home directory?
> > 
> > I would suspect that GNOME has a "system-wide" config
> > file or some such that tells it to make use of ~/.gnome
> > (and ~/.gnome-desktop) (or worst case I guess it could
> > be hard coded in the source code).
> > 
> > Anyway, it would seem that GNOME should be reconfigured
> > NOT to use ~/.gnome and ~/.gnome-desktop, but rather it
> > should get what it needs from shared, system-wide config
> > directories /usr/local/etc/gnome and
> > /usr/local/etc/gnome-desktop, both of which are
> > locked down via chown and chmod.
> > 
> > Of course, faced with this, grandma would have no
> > choice but to custom-compile the GNOME source in
> > her home directory.  :)
> > 
> > 
> > D
> > 
> > * On Wed, Nov 22, 2000 at 12:44:06PM -0700, Deepak Saxena wrote:
> > > 
> > > 
> > > create a "gnome" user/group.
> > > you can use root, but it's probably cleaner not to
> > > 
> > > pseudo-code:
> > > 
> > > # as root: walk every account in /etc/passwd (home dir is field 6)
> > > while IFS=: read -r USER _ _ _ _ HOMEDIR _; do
> > >     [ -d "$HOMEDIR/.gnome-desktop" ] || continue
> > >     chown -R gnome:gnome "$HOMEDIR/.gnome-desktop"
> > > done < /etc/passwd
> > > 
> > > That will lock down the desktop.  They can read it, but they can't write to
> > > it, so there's no way for them to add anything. 
> > > 
> > > You should be able to do the same sort of thing with the .gnome directory
> > > by locking down config files.  You may have to play with that directory a
> > > little since certain files have to be written to by Gnome at logout.
> > > Things like session management information and such.
> > > 
> > > I would create a default .gnome-desktop and .gnome directory structure
> > > and then build a wrapper script around adduser so that they get automatically
> > > installed into a new user's $HOME
> > > 
> > > ~ Deepak
> > > 
> > > On Nov 22 2000, at 12:32, Icegryphon was caught saying:
> > > > I will be having multiple users on a workstation with gnome.
> > > > Here is the problem I run into. I need to make a user with a normal desktop
> > > > on gnome (i.e. Home Dir, floppy, Trash) and also have Netscape and
> > > > logout/shutdown. Now how do I configure a user so that they can only see those
> > > > and use those? I don't want them to be able to remove or delete any icons
> > > > from their desktop. I don't want them to be able to add a panel or change the
> > > > background or any options. Pretty much a basic system that would only be able
> > > > to use netscape and their home directory and floppy.
> > > > Is there any good software around for creating policies like in Windows NT?
> > > > Please e-mail your comments to me at Icegryphon@netscape.net
> > > > rather than posting them.
> > > > Thank you
> > > > 
> > > > ____________________________________________________________________
> > > > Get your own FREE, personal Netscape WebMail account today at http://home.netscape.com/webmail
> > > > 
> > > > ________________________________________________
> > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > > > 
> > > > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > 
> > > -- 
> > > Deepak Saxena - deepak@csociety.purdue.edu
> > > 
> > > I will not be pushed,filed,stamped,indexed,briefed,debriefed,or numbered!
> > > My life is my own - No. 6
> > > 
> > > 
> > 
> 
> -- 
> Deepak Saxena - deepak@csociety.purdue.edu - phone://602.790.0500
> 
> "It is dangerous to confuse children with angels" - Magnolia
> 
>
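The behaviour D reproduces above (a normal user renaming and removing a root:root 755 subdirectory of a home directory they own) can be checked without root. The script below is an added example and is not code from anyone in this thread. It relies on the rule the transcript illustrates: rename and unlink modify the PARENT directory's entries, so the kernel checks write and search permission on the parent, not the owner or mode of the entry being renamed or removed. Since a normal user cannot chown to root, a subdirectory with no write bit at all (mode 555) stands in for the root-owned 755 one; the names $parent, .foo, .foobar, locked-file and mine are constructed for the demo. Run it as a normal user: root bypasses every one of these checks, so the "expected" outcomes below apply to an unprivileged account.

```shell
#!/bin/sh
# Added example, not from the thread.  $parent stands in for /home/luser and
# $parent/.foo (mode 555) for the root:root 755 directory in the transcript.
# All names are constructed for this demo.  Run as a normal user; root
# bypasses the permission checks being demonstrated.

# Create the layout and print its path.
setup_layout() {
    parent=$(mktemp -d) || return 1
    mkdir "$parent/.foo"
    : > "$parent/.foo/locked-file"    # content the user must not be able to touch
    chmod 555 "$parent/.foo"          # no write bit: nothing can be added or removed inside
    chmod 755 "$parent"               # but we own the parent and can write to it
    printf '%s\n' "$parent"
}

# Probe 1: create a file inside the locked directory.  Expected: fails.
can_write_inside() {
    touch "$1/.foo/new-file" 2>/dev/null
}

# Probe 2: rename the locked directory.  Expected: succeeds, because only
# the parent's directory entry changes; .foo's own mode is irrelevant.
can_rename_subdir() {
    mv "$1/.foo" "$1/.foobar" 2>/dev/null && [ -d "$1/.foobar" ]
}

# Probe 3: remove the renamed directory together with its contents.
# Expected: fails, since unlinking locked-file needs write on .foobar itself.
# Contrast with the transcript, where rmdir of an EMPTY root-owned directory
# succeeded: rmdir only needs write on the parent.
can_remove_subdir_recursively() {
    rm -rf "$1/.foobar" 2>/dev/null
    [ ! -e "$1/.foobar" ]
}

# Probe 4: take away our own write bit on the parent.  Now even a 777
# directory we own cannot be renamed.  Expected: fails.  This is the only
# permission that actually stops the rename, and it is not something you
# can do to a user's home directory without breaking it for them.
can_rename_when_parent_readonly() {
    mkdir -m 777 "$1/mine" 2>/dev/null
    chmod 555 "$1"
    mv "$1/mine" "$1/mine2" 2>/dev/null
    rc=$?
    chmod 755 "$1"                    # restore so cleanup can work
    return $rc
}

cleanup_layout() {
    chmod -R u+w "$1" 2>/dev/null
    rm -rf "$1"
}

# Stand-alone run: one line per probe.
report() {
    if "$1" "$2"; then
        printf '%-32s succeeded\n' "$1"
    else
        printf '%-32s failed\n' "$1"
    fi
}

p=$(setup_layout) || exit 1
report can_write_inside "$p"
report can_rename_subdir "$p"
report can_remove_subdir_recursively "$p"
report can_rename_when_parent_readonly "$p"
cleanup_layout "$p"
```

As an unprivileged user the four probes print failed, succeeded, failed, failed: chown and chmod on .gnome-desktop stop the user from changing what is inside it, exactly as Deepak says, but they do not stop the user from moving the whole directory out of the way, exactly as D says, because that operation is governed by the home directory the user owns.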