I have to Implement a scenario that 1. Root user or any other user can read the system files and OS files but are not allowed to change or deletes the files. 2. The restriction should be applied to folder not on individual files so that new files added to the folder should have the same policy.
Please guide me. any help regarding the scripts and rules would be appreciated.
Just to be clear, NPUM typically is NOT used for the 'root' user, and really should not be. The reason is that 'root' runs everything. If you really want your entire box to be read-only then mount your filesystem as read-only, but otherwise everything that ever happens does so because of some call through root. Even NPUM can do what it does because it runs as 'root' directly and then delegates out permissions based on policies to OTHER privileged users.
Now going to your questions:
1. Most system files are readable by default. You could easily use NPUM to give privileged users access to read those which are not (/etc/shadow, for example). For that matter, you could do this using FACLs in the filesystem too I think, but it may be more work, wouldn't be audited as well, and would need to be implemented on every system individually in a way that is probably more painful than implementing PUM.
2. Sure.... and one policy in NPUM could probably do this. Give the "privileged users" who should have rights the ability to use 'cat' as a privileged user. One check you may want to do after setting this up is to ensure that they cannot redirect their output to overwrite files (thus changing or deleting them) when using NPUM. For example (backup any read files before doing these tests):
usrun cat /etc/shadow > /etc/shadow.new
I'm pretty sure the way that the shell works everything after the redirection of output happens back as the regular user, but again testing is called for.
Good luck. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/