[wellylug] Re :Sam permission on /
JP
jumbophut at yahoo.co.in
Mon Apr 5 16:23:29 NZST 2004
--- "E.Chalaron" wrote:
> I do not [want] anything else than joe writing or reading a
> couple of files access to /home/joe (no mail, no web, no nothing....).
If you can sort out a chroot solution, it might be a
simple one. Not sure exactly how it would work
though, not having used chrooting a lot myself, and
particularly not automated.
Here's some (hopefully) useful stuff:
http://www.tjw.org/chroot-login-HOWTO/
Otherwise, as you are probably aware, you can give
permission to a user to run a program based on their
username or group memberships.
So, for example, you could chown all your non-home
files and directories to
<current_owner>.allowed_users, where you leave the
owner unchanged from what it is now and allowed_users
is a group containing (surprise!) all the allowed
users (e.g. there is often a postgres user for running
a PostgreSQL db, an Apache user for the webserver,
other users for other background processes). Then as
root, chmod a-xrw all those files and dirs, then chmod
g+xr.
Even here:
a) you will need to be very careful not to prevent
other daemons etc. that you want, from running because
of changed permissions. Changing the group for some
binaries might cause problems.
b) if users are allowed to store executable files in
their home dirs, they will probably be able to run
them. I suppose you can chmod ug-x on the /home dirs.
The simpler the install, the easier all the mucking
about will be. You could try a Debian base install
(no X, no gcc, no daemons), then just add exactly what
you need (nfsd if it isn't there already?).
Best of luck
Tony.
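The group-based recipe above (leave the owner as it is, set the group to an allowed-users group, take everything away from "other") as an added shell example; this is not code from the original post or from the wellylug thread. It differs from a literal "chmod a-xrw; chmod g+xr" in two points a practitioner would want: the owner keeps its own access, because the kernel applies the owner bits, not the group bits, to the owning user, so a daemon that owns its files would otherwise lose them; and execute is restored only on directories and on files that were executable before, so data files do not become group-executable. For the home directory it clears the execute bit on files rather than directories, since a directory without x cannot be entered. The directory layout, file names and the use of the caller's own primary group are assumptions made so the demo runs without root on a throwaway tree.

```shell
#!/bin/sh
# Added example (not from the original post): lock a directory tree down so that
# only root, the owner and members of one group can use it, then strip the
# execute bit from files in a home directory. Run as root on a real box; the
# demo at the bottom uses a throwaway tree under $TMPDIR and the caller's own
# primary group, so chgrp succeeds without root.
set -eu

# restrict_tree DIR GROUP
# Owner stays as it is (chown <owner>.<group> in the post); the group becomes
# GROUP; "other" gets nothing. Unlike a plain "chmod a-rwx; chmod g+rx", the
# owner keeps its rights, since the kernel uses the owner bits, not the group
# bits, for the owning user, and execute is re-added only where it was set.
restrict_tree() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir"
    # Data files (no execute bit for anyone): owner rw, group r, other nothing.
    # Octal -perm tests for portability across GNU, BSD and busybox find.
    find "$dir" -type f ! \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec chmod u=rw,g=r,o= {} +
    # Files that were executable for someone: owner rwx, group rx.
    find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec chmod u=rwx,g=rx,o= {} +
    # Directories need x so the group can traverse them.
    find "$dir" -type d -exec chmod u=rwx,g=rx,o= {} +
}

# strip_home_exec HOMEDIR
# Clear the execute bit on regular files only; a directory without x could not
# be entered, which would lock the user out of their own home.
strip_home_exec() {
    find "$1" -type f -exec chmod a-x {} +
}

# mode_of PATH -> the nine permission characters, e.g. rwxr-x---
# (ls -ld prints the same layout on GNU and BSD; stat's flags differ).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Demo on a constructed tree; paths and contents are made up for the example.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc" "$root/home/joe"
    printf '#!/bin/sh\necho tool\n' > "$root/usr/bin/tool"
    chmod 755 "$root/usr/bin/tool"
    printf 'secret=1\n' > "$root/etc/app.conf"
    chmod 644 "$root/etc/app.conf"
    printf '#!/bin/sh\necho joe\n' > "$root/home/joe/run.sh"
    chmod 755 "$root/home/joe/run.sh"

    # Non-home trees go to the allowed-users group (here: our own group).
    restrict_tree "$root/usr" "$(id -gn)"
    restrict_tree "$root/etc" "$(id -gn)"
    strip_home_exec "$root/home/joe"

    mode_of "$root/usr/bin/tool"     # rwxr-x---
    mode_of "$root/usr/bin"          # rwxr-x---
    mode_of "$root/etc/app.conf"     # rw-r-----
    mode_of "$root/home/joe/run.sh"  # rw-r--r--
    rm -rf "$root"
}

demo
```

On a real system run it as root with the allowed-users group as the second argument, one tree at a time rather than on / itself. The post's point (a) still applies: a daemon whose uid neither owns its files nor belongs to the group loses access, so every such service account has to be added to the group before the chmod runs.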