Restriction Policy For root and other user


Hello Experts,

I have to implement a scenario where:
1. The root user or any other user can read the system files and OS files
but is not allowed to change or delete the files.
2. The restriction should be applied to folders, not to individual files,
so that new files added to the folder have the same policy.

Please guide me. Any help regarding the scripts and rules would be
appreciated.

Regards,
Asim Khalid


--
asimkhalid
------------------------------------------------------------------------
asimkhalid's Profile: https://forums.netiq.com/member.php?userid=3169
View this thread: https://forums.netiq.com/showthread.php?t=46281

  • Just to be clear, NPUM typically is NOT used for the 'root' user, and
    really should not be. The reason is that 'root' runs everything. If
    you really want your entire box to be read-only then mount your
    filesystem as read-only, but otherwise everything that ever happens does
    so because of some call through root. Even NPUM can do what it does
    because it runs as 'root' directly and then delegates out permissions
    based on policies to OTHER privileged users.

    Now going to your questions:

    1. Most system files are readable by default. You could easily use
    NPUM to give privileged users access to read those which are not
    (/etc/shadow, for example). For that matter, you could do this using
    FACLs in the filesystem too I think, but it may be more work, wouldn't
    be audited as well, and would need to be implemented on every system
    individually in a way that is probably more painful than implementing PUM.

    2. Sure.... and one policy in NPUM could probably do this. Give the
    "privileged users" who should have rights the ability to use 'cat' as a
    privileged user. One check you may want to do after setting this up is
    to ensure that they cannot redirect their output to overwrite files
    (thus changing or deleting them) when using NPUM. For example (backup
    any read files before doing these tests):

    usrun cat /etc/shadow > /etc/shadow.new

    I'm pretty sure the way that the shell works everything after the
    redirection of output happens back as the regular user, but again
    testing is called for.

    Good luck.
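The redirect check suggested in the reply rests on one fact about how shells work: in `cmd > file`, it is the shell, running as the invoking user, that opens `file`, before `cmd` is executed; whatever privilege a tool like usrun grants `cmd` never applies to that open(). The script below is an added example, not code from the thread or from NetIQ. It does not use NPUM or usrun at all; instead it stands in a directory that the current (non-root) user cannot write to for the protected system directory, and `cat` for the delegated command, and reports whether the redirect is refused. It also shows the contrast that matters when writing the allow-list: a command that opens its own output file (here `tee`) writes with the command's identity, so under a privilege manager it would succeed where the plain redirect fails. All file and directory names are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the thread): the shell, as the caller, performs
# redirections before the command runs. A directory we cannot write into
# stands in for a protected system directory.

# Create a directory holding one readable file, then make the directory
# itself non-writable for us (mode 555). Prints the directory path.
make_protected_dir() {
    dir=$(mktemp -d)
    printf 'sample system file\n' > "$dir/readable"
    chmod 555 "$dir"
    printf '%s\n' "$dir"
}

# Same shape as `usrun cat /etc/shadow > /etc/shadow.new`, without the
# privilege manager. The `>` is evaluated by this shell, as the caller,
# so the write is refused regardless of what `cat` itself may do.
# Prints "blocked" if the redirect failed, "written" if a file appeared.
redirect_into_dir() {
    dir=$1
    if { cat "$dir/readable" > "$dir/shadow.new"; } 2>/dev/null; then
        printf 'written\n'
    else
        printf 'blocked\n'
    fi
}

# Contrast: `tee` opens its output file itself, so the open() happens with
# the command's identity. Here that identity is still us, so it is blocked
# too; a policy that delegated `tee` (or cp, dd, a shell) would not be.
tee_into_dir() {
    dir=$1
    if cat "$dir/readable" | tee "$dir/shadow.tee" >/dev/null 2>&1 \
       && [ -f "$dir/shadow.tee" ]; then
        printf 'written\n'
    else
        printf 'blocked\n'
    fi
}

# Restore write permission so the temporary directory can be removed.
cleanup_dir() {
    chmod 755 "$1" && rm -rf "$1"
}

# Stand-alone run: prints "redirect: blocked" and "tee: blocked" for a
# non-root user. (Root bypasses mode bits, so run this as a regular user.)
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    d=$(make_protected_dir)
    printf 'redirect: %s\n' "$(redirect_into_dir "$d")"
    printf 'tee: %s\n' "$(tee_into_dir "$d")"
    cleanup_dir "$d"
fi
```

Run it as an ordinary user; root ignores directory mode bits, so as root both checks report "written" and prove nothing. The takeaway for the policy in the thread is that granting `cat` alone keeps redirected writes at the caller's privilege, and the list of delegated commands is what decides whether any write path exists.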