[Kde-kiosk] [introduction] John Vestrum

Andreas Pour kde-kiosk@mail.kde.org
Fri, 19 Apr 2002 13:53:26 -0500


Martijn Klingens wrote:
> 
> On Tuesday 19 March 2002 10:52, Andreas Pour wrote:
> > Make /bin/sh a link to a setgid pre-shell program that denies
> > interactive shells and (1) compares scripts to a set of permitted
> > scripts, and/or (2) only runs scripts that are owned by root and in some
> > configurable PATH (/usr/bin, /bin, /opt/kde2/bin, etc.), and make the
> > actual shell only executable by that group (i.e., "chmod o-x
> > /bin/real_shell")?  Of course the admins would be in this special group
> > and so be able to execute shell commands.
> >
> > Just a thought.
> 
> Not very KDE-ish because it requires a lot of Unix shell and prompt fiddling,

Sorry?  It's basically a mini-sudo idea.  Sure, it requires some
adjustment to a box (install the pseudo-shell and update /etc/passwd to
have users use this as their shell and change permissions on the
installed shells).

> but clever nevertheless. (And it requires a hell of a lot of work to set up
> properly what commands are 'trusted'.)

Actually, come to think of it, all the scripts I run are in my PATH and
owned by root, so using just option (2) above would suffice.  All you
need to check is ownership of the script, ownership of the dir it's in
and whether that dir is in the PATH.  To add a new script, just add it
to the PATH (e.g., startkde and so would already be in the PATH).

Ciao,

Dre
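
The check described as option (2) in the message above, sketched in C as an added example; it is not code from this thread or from KDE. The function names and the `owner` parameter are hypothetical (a real pre-shell would pass 0 for root), and rejecting group- or world-writable files is an extra assumption the message does not state.

```c
#define _GNU_SOURCE
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the object is owned by `owner` and not writable by group or others. */
static int trusted(const struct stat *st, uid_t owner) {
    return st->st_uid == owner && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* 1 if `dir` is an exact entry of the colon-separated list `path`. */
static int dir_in_path(const char *dir, const char *path) {
    size_t n = strlen(dir);
    for (const char *p = path; *p; ) {
        size_t len = strcspn(p, ":");
        if (len == n && strncmp(p, dir, n) == 0) return 1;
        p += len;
        if (*p == ':') p++;
    }
    return 0;
}

/* Script and its directory must both be owned by `owner`, and the
 * directory must be listed in the configured PATH. Symlinks and ".."
 * are resolved first so the checks apply to the real file. */
int script_permitted(const char *script, const char *allowed_path, uid_t owner) {
    char real[PATH_MAX], dirbuf[PATH_MAX];
    struct stat fst, dst;
    if (!realpath(script, real)) return 0;
    if (stat(real, &fst) != 0 || !S_ISREG(fst.st_mode)) return 0;
    strcpy(dirbuf, real);
    char *dir = dirname(dirbuf);
    if (stat(dir, &dst) != 0 || !S_ISDIR(dst.st_mode)) return 0;
    return trusted(&fst, owner) && trusted(&dst, owner) && dir_in_path(dir, allowed_path);
}

int main(int argc, char **argv) {
    if (argc < 2) return 2;
    /* PATH entries taken from the message; owner 0 is root. */
    int ok = script_permitted(argv[1], "/usr/bin:/bin:/opt/kde2/bin", 0);
    printf("%s: %s\n", argv[1], ok ? "permitted" : "denied");
    return ok ? 0 : 1;
}
```

Checking a path and then executing it leaves a window in which the file can be swapped, so a production wrapper should open the script, `fstat` the descriptor, and hand that same descriptor to the real shell.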