permissions


permissions

nourdebian2016
Hi
We thank you very much for your efforts and great achievements.
I have a problem I want to solve.
I have created another group and want to prevent it from connecting to the whole machine except for one program either through the firewall or through the permissions.

I tried using chmod and removed execute from the others, but the result was as if I had removed execute from the user, which is me.
What is the solution?
Is there a firewall solution at the software level? What is it?
Is there a solution using permissions?
Thank you

Re: permissions

Roberto C. Sánchez-2
On Wed, Jun 05, 2019 at 01:40:49PM +0200, [hidden email] wrote:

>    Hi
>    We thank you very much for your efforts and great achievements.
>    I have a problem I want to solve.
>    I have created another group and want to prevent it from connecting to the
>    whole machine except for one program either through the firewall or
>    through the permissions.
>
>    I tried using chmod and removed the execute from the others but the result
>    was as if I removed the execution from the user who is me.
>    What is the solution?
>    Is there a firewall solution at the software level? What is it?
>    Is there a solution using permissions?
>    Thank you

To do what you describe requires a mandatory access control system
(SELinux and AppArmor are two popular choices).

Regards,

-Roberto
--
Roberto C. Sánchez


Re: permissions

Ian Jackson-2
Roberto C. Sánchez writes ("Re: permissions"):

> On Wed, Jun 05, 2019 at 01:40:49PM +0200, [hidden email] wrote:
> >    Hi
> >    We thank you very much for your efforts and great achievements.
> >    I have a problem I want to solve.
> >    I have created another group and want to prevent it from connecting to the
> >    whole machine except for one program either through the firewall or
> >    through the permissions.
> >
> >    I tried using chmod and removed the execute from the others but the result
> >    was as if I removed the execution from the user who is me.
> >    What is the solution?
> >    Is there a firewall solution at the software level? What is it?
> >    Is there a solution using permissions?
> >    Thank you
>
> To do what you describe requires a mandatory access control system
> (SELinux and AppArmor are two popular choices).

I don't think this is correct.  For traffic originating with local
processes, iptables rules can select on uid and gid.  But this
question belongs on -user.

Ian.

--
Ian Jackson <[hidden email]>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
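Ian's point above, that iptables can select locally generated traffic by uid and gid, as an added example that is not part of the thread. It assumes the one permitted program is started under its own dedicated account, because the owner match selects on uid/gid and not on program path; the group name "restricted" and the account name "allowedapp" are placeholders invented for this example.

```shell
#!/bin/sh
# Added example (not from the thread): restrict outbound network traffic for
# every process running under one group with the iptables "owner" match that
# Ian mentions, while letting one dedicated account through.
# The group name "restricted" and the account name "allowedapp" are
# placeholders chosen for this example.
#
# Design: the owner match selects on uid/gid, not on program path, so the one
# permitted program is started under its own account (allowedapp). Everything
# else owned by the group is logged, then rejected. The match only applies to
# locally generated packets, which is why the rules live in the OUTPUT chain.

# Print the iptables commands for a group and a permitted account, one per
# line, so they can be reviewed before anything is applied.
build_rules() {
    grp="$1"
    usr="$2"
    # Order matters: the ACCEPT for the permitted account must come before the
    # REJECT for the group, because that account may share the group's gid.
    printf '%s\n' \
        "iptables -A OUTPUT -m owner --uid-owner $usr -j ACCEPT" \
        "iptables -A OUTPUT -m owner --gid-owner $grp -j LOG --log-prefix 'restricted-group: '" \
        "iptables -A OUTPUT -m owner --gid-owner $grp -j REJECT"
}

# Number of rules build_rules emits (a sanity check before applying).
rule_count() {
    build_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply the rules. Needs root and the iptables binary, so it only runs on
# explicit request (./script.sh --apply).
apply_rules() {
    build_rules "$1" "$2" | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules "${RESTRICTED_GROUP:-restricted}" "${ALLOWED_USER:-allowedapp}"
else
    build_rules "${RESTRICTED_GROUP:-restricted}" "${ALLOWED_USER:-allowedapp}"
fi
```

Two caveats when applying this. The rules are appended, so an earlier blanket ACCEPT in OUTPUT would shadow them; check the resulting order with `iptables -S OUTPUT`. And `--gid-owner` matches the process's effective gid, not supplementary group membership (newer iptables offers `--suppl-groups` for that). The LOG rule gives a kernel-log line prefixed `restricted-group:` for every rejected attempt, which is the quickest way to confirm the policy is actually firing for the intended processes and nothing else.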


Re: permissions

Roberto C. Sánchez-2
On Wed, Jun 05, 2019 at 02:34:30PM +0100, Ian Jackson wrote:

> Roberto C. Sánchez writes ("Re: permissions"):
> > On Wed, Jun 05, 2019 at 01:40:49PM +0200, [hidden email] wrote:
> > >    Hi
> > >    We thank you very much for your efforts and great achievements.
> > >    I have a problem I want to solve.
> > >    I have created another group and want to prevent it from connecting to the
> > >    whole machine except for one program either through the firewall or
> > >    through the permissions.
> > >
> > >    I tried using chmod and removed the execute from the others but the result
> > >    was as if I removed the execution from the user who is me.
> > >    What is the solution?
> > >    Is there a firewall solution at the software level? What is it?
> > >    Is there a solution using permissions?
> > >    Thank you
> >
> > To do what you describe requires a mandatory access control system
> > (SELinux and AppArmor are two popular choices).
>
> I don't think this is correct.  For traffic originating with local
> processes, iptables rules can select on uid and gid.  

I interpreted "connecting to the whole machine" as including users
logged in locally.

> But this
> question belongs on -user.
>

It certainly does.  My apologies for not redirecting appropriately.  It
seems that I have -user and -project mail going into the same folder and
I failed to take note of it previously.

Regards,

-Roberto

--
Roberto C. Sánchez


Re: permissions

Semih Özlem
Hi

I have a problem regarding why Debian live installers won't work on a specific machine; the processor is an Intel i3 7th generation.

Who should I address the question to? And to be able to run Debian, what specifications should I look into in choosing a machine?

thank you

semih ozlem



Re: permissions

Omer Ozarslan
Hi Semih,

Please ask for support on debian-user mailing list or other channels provided in https://www.debian.org/support (alternatively see https://www.debian.org/support.tr.html if you prefer Turkish).

Best,
Omer

On Wed, Jun 5, 2019 at 9:53 AM Semih Özlem <[hidden email]> wrote:
Hi

I have a problem regarding why Debian live installers won't work on a specific machine; the processor is an Intel i3 7th generation.

Who should I address the question to? And to be able to run Debian, what specifications should I look into in choosing a machine?

thank you

semih ozlem
