Destroying "only" your home directory (was Re: Newbie question on permissions)
Daniel Carrera
daniel.carrera at zmsl.com
Sun Apr 2 09:02:03 UTC 2006
Matthew R. Dempsky wrote:
> On the servers I administer, almost every service runs as its own
> dedicated user with the bare minimum necessary permissions.
>
> However, it's not practical to do similarly as a regular user on my
> laptop, for example, how do I run mplayer such that I can safely watch
> any movie I download online? There have been exploits in mplayer
> before[1], who's to say they won't happen again?
>
> [1] http://tigger.uic.edu/~jlongs2/holes/mplayer.txt
In that case, what you want is Mandatory Access Control. Look into
SELinux. MACs provide a level of privilege separation that is
orthogonal to the traditional user groups. You can decide that mplayer
can access the audio device but (say) it can't write to the disk or use
the internet. And that "permission" will apply to mplayer even if root
is running it, because that permission has nothing to do with user groups.
Cheers,
Daniel.
--
/\/`) http://opendocumentfellowship.org
/\/_/
/\/_/ A life? Sounds great!
\/_/ Do you know where I could download one?
/
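
The point made in the reply above, as an added example that is not part of the original message: a simplified Python model (not SELinux policy syntax or kernel code) in which an access needs both the traditional user/group check and a MAC rule. The domain and type names, the rule table and the sample objects are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    domain: str   # MAC label of the process (hypothetical name)

@dataclass(frozen=True)
class Resource:
    owner: int
    group: int
    mode: int     # classic permission bits, e.g. 0o660
    rtype: str    # MAC label of the object (hypothetical name)

# Constructed allow rules: (domain, object type) -> permitted operations.
# Any pair not listed is denied (default deny), whatever the uid.
MAC_RULES = {
    ("mplayer_t", "sound_device_t"): {"read", "write"},
    ("unconfined_t", "sound_device_t"): {"read", "write"},
    ("unconfined_t", "user_home_t"): {"read", "write"},
}
BITS = {"read": 4, "write": 2}

def dac_allows(p, r, op):
    """Traditional check: owner/group/other bits, with root exempt."""
    if p.uid == 0:
        return True
    if p.uid == r.owner:
        shift = 6
    elif r.group in p.gids:
        shift = 3
    else:
        shift = 0
    return bool((r.mode >> shift) & BITS[op])

def mac_allows(p, r, op):
    """MAC check: looks only at labels, never at uid or groups."""
    return op in MAC_RULES.get((p.domain, r.rtype), set())

def access(p, r, op):
    """Both layers must agree before the operation is permitted."""
    return dac_allows(p, r, op) and mac_allows(p, r, op)

# Constructed sample subjects and objects.
ROOT_MPLAYER = Process(0, frozenset({0}), "mplayer_t")
USER_MPLAYER = Process(1000, frozenset({1000, 29}), "mplayer_t")
USER_SHELL = Process(1000, frozenset({1000, 29}), "unconfined_t")
AUDIO = Resource(0, 29, 0o660, "sound_device_t")
HOME_FILE = Resource(1000, 1000, 0o600, "user_home_t")
```

Here `access(ROOT_MPLAYER, HOME_FILE, "write")` is denied even though the DAC layer alone would let root through, while the same user's unconfined shell can still write the file.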