How to prevent a non-admin user from executing any files?

I want to prevent a non-admin user from executing any program except a few default ones. This includes program files which the user himself may create and own, or download or copy from removable media. How do I do this in Ubuntu?

задан 25 July 2020 в 21:20

1 ответ

You can't. Not effectively at least.

You can mount all user-writable disks as noexec, which will disallow running any binaries places on those disks. This would typically be /var, /home and /tmp. Other places should normally not be writable for the user.

This will preclude any pre-compiled binaries from running. But it will not stop someone running a python script or similar. And you can do almost everything you can in C++ in Python...

Trying to stop users from using things like python and bash will likely render the system more or less entirely broken for them.

You could look into apparmour as well to restrict user permissions. Ultimately, you should set up a threat and risk model, and get a more detailed description of the problem than simply allowing a simple white list. Otherwise you risk ending up with breaking the system by accident, or leaving in stuff that effectively negates the benefits of all your work...

ответ дан 30 July 2020 в 22:02

Другие вопросы по тегам:

Похожие вопросы: