
Restriction Policy For root and other user


Hello Experts,

I have to implement a scenario where:
1. The root user or any other user can read the system files and OS files
but is not allowed to change or delete the files.
2. The restriction should be applied to folders, not to individual files,
so that new files added to the folder have the same policy.

Please guide me. Any help regarding the scripts and rules would be
appreciated.

Regards,
Asim Khalid


--
asimkhalid
------------------------------------------------------------------------
asimkhalid's Profile: https://forums.netiq.com/member.php?userid=3169
View this thread: https://forums.netiq.com/showthread.php?t=46281


Re: Restriction Policy For root and other user

Just to be clear, NPUM typically is NOT used for the 'root' user, and
really should not be. The reason is that 'root' runs everything. If
you really want your entire box to be read-only then mount your
filesystem as read-only, but otherwise everything that ever happens does
so because of some call through root. Even NPUM can do what it does
because it runs as 'root' directly and then delegates out permissions
based on policies to OTHER privileged users.

Now, to your questions:

1. Most system files are readable by default. You could easily use
NPUM to give privileged users access to read those which are not
(/etc/shadow, for example). For that matter, you could do this using
FACLs in the filesystem too I think, but it may be more work, wouldn't
be audited as well, and would need to be implemented on every system
individually in a way that is probably more painful than implementing PUM.

2. Sure, and one policy in NPUM could probably do this. Give the
"privileged users" who should have rights the ability to use 'cat' as a
privileged user. One check you may want to do after setting this up is
to ensure that they cannot redirect their output to overwrite files
(thus changing or deleting them) when using NPUM. For example (backup
any read files before doing these tests):

usrun cat /etc/shadow > /etc/shadow.new

I'm pretty sure the way that the shell works everything after the
redirection of output happens back as the regular user, but again
testing is called for.

Good luck.
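The check the reply recommends, written up as a POSIX shell script (an added example, not part of the thread): it runs the wrapper command with the output redirection exactly as a user would type it, compares the target before and after, and restores the backup it took first. The wrapper name is a parameter; `usrun` is the tool the thread discusses, and the script is exercised with `env` as a stand-in, which is an assumption made so it runs without NPUM installed.

```shell
#!/bin/sh
# Added example, not from the thread. It scripts the check the reply
# recommends: run "<wrapper> cat <readable> > <target>" exactly as a user
# would type it, then report whether <target> changed. "usrun" is the
# wrapper the thread discusses; the tests use "env" as a harmless
# stand-in so the script runs without NPUM installed.
set -u

# Returns 0 if the target was created by the shell even though the
# command never ran, showing the redirect is set up before any wrapper
# gets control (so it runs with the caller's identity, not a delegated one).
redirect_opened_by_shell() {
    dir=$(mktemp -d) || return 2
    ( this_command_does_not_exist_xyz > "$dir/out" ) 2>/dev/null
    [ -f "$dir/out" ]; rc=$?
    rm -rf "$dir"
    return $rc
}

# redirect_check WRAPPER READABLE TARGET
# Returns 0 if the redirect could NOT modify TARGET, 1 if it could.
# A regular-file TARGET is backed up first and restored afterwards, as the
# reply advises; a TARGET that did not exist is removed again if created.
redirect_check() {
    wrapper=$1; readable=$2; target=$3
    backup=""; existed=0
    if [ -f "$target" ]; then
        existed=1
        backup=$(mktemp) || return 2
        cp -p "$target" "$backup" || return 2
    fi
    # The calling shell opens $target here, before $wrapper or cat starts.
    ( "$wrapper" cat "$readable" > "$target" ) 2>/dev/null
    if [ "$existed" -eq 1 ]; then
        if [ "$(cksum < "$target")" = "$(cksum < "$backup")" ]; then
            rc=0
        else
            rc=1
        fi
        cp -p "$backup" "$target"; rm -f "$backup"
    elif [ -f "$target" ]; then
        rc=1; rm -f "$target"      # a file appeared where none existed
    else
        rc=0                       # e.g. a directory: the open failed
    fi
    return $rc
}
```

Run it against the real wrapper as the restricted user (for example `redirect_check usrun /etc/shadow /etc/shadow.new`); a return of 1 means the caller's own shell was able to write the target, which is what the policy is supposed to prevent.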