1

I am trying to set up some security levels on my Linux system. For example, denying access to the ping command or the disk utility application can easily be done by restricting permissions to 750 for the binaries:

/bin/ping

/usr/bin/gnome-disks

and a user won't be able to run them. But the problem is that the user can somehow obtain the same binary from outside and place that binary in their home folder. Because a user cannot be stopped from granting permissions on their own files, they can run the binary files and avoid the permissions set on the system files.

How can I stop a user from doing this?

1 Answer

0

Firstly we'll remove the execute bit from all files in $HOME:

# Regular files only: directories need the x bit to be entered
find "$HOME" -type f -exec chmod a-x {} +

Then we make sure that any new files created in home don't have the execute bit set:

# umask takes only a mask, not a path; it applies to this shell and its children
umask 006

However users can still manually set something to +x so they can execute it manually themselves. Stopping them doing this is more complicated, as you'll need to take ownership of any files they create, and then add them to a group which gives them read/write access but not the ability to change the permissions.
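
An added audit sketch, not part of the original answer: since users can set +x again, as the answer notes, this lists executable regular files under a home directory, flags the ones that are ELF binaries, and strips the execute bits while leaving directories traversable. The function names are hypothetical, and paths containing newlines are not handled.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# Print every regular file under $1 that has any execute bit set.
# Directories are skipped because they need x to be traversed.
list_exec_files() {
    find "$1" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Succeed if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Print only the executable files under $1 that are ELF binaries,
# i.e. the "binary copied in from outside" case from the question.
audit_home() {
    list_exec_files "$1" | while IFS= read -r f; do
        if is_elf "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove execute bits from regular files under $1 and print how many
# files were affected. A user who owns the files can add the bit back,
# so this has to be re-run (for example from cron) to stay effective.
strip_exec() {
    n=$(list_exec_files "$1" | wc -l | tr -d ' ')
    find "$1" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec chmod a-x {} +
    printf '%s\n' "$n"
}

# When called with a directory argument, report ELF executables in it.
if [ "$#" -gt 0 ]; then
    audit_home "$1"
fi
```
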