On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote: > On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote: > > OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient, > > compact OS done by folks you can trust and actually talk to, use OBSD; if > > you want 'fairly secure Linux' [which has had thousands of hand in it > > including NSA, as mentioned previousy], use OpenSUSE with ***AppArmor***. > > Simple and easy to implement, even by less senior Admins. > > Can you say "root can only run this and that application when su'ed from > that guy, and may not open any net connection, but open this file and none > else" in OpenBSD? If so, how can I do it? :)
You solve the problem a different way: - You don't give the guy root access, but their own userid - You set file permissions so this userid can read only the file of interest - You use pf rules so that this user ID cannot send network packets - If this guy needs root for something (e.g. to bind to port 80), then you write a three-line setuid root wrapper which binds to port 80 for them. If you have a lot of this to do, then consider an 'open server' which returns the open file descriptor. Regards, Brian.
