
#1 2012-01-10 21:58:41

Athenaeum
Member
Registered: 2012-01-10
Posts: 6

[SOLVED] Limiting Program Permissions

I currently have two users on my computer and would like to remove the permission of one user to run Deluge.
Is there any way this can be accomplished simply?

I have tried editing the permissions of the executable in /usr/bin from:

rwxrwxrwx root root ......

to

rwxrwxr-- root root ......

This removed permissions to start the program from the terminal (bash: /usr/bin/deluge: Permission denied), however Deluge could still be started by accessing it from the Openbox App Menu, or through Gnome-do.

Thanks in advance!

Last edited by Athenaeum (2012-01-11 01:02:52)


#2 2012-01-10 22:07:48

brebs
Member
Registered: 2007-04-03
Posts: 3,742


I suppose you could make a "deluge" group, and exclude the bad user from it.

But that wouldn't stop the bad user from compiling deluge within his ~, and running that ;)


#3 2012-01-10 22:08:20

hermes
Member
From: Lucca, Italy
Registered: 2010-05-19
Posts: 99


What about AppArmor?



#4 2012-01-10 22:22:49

Athenaeum
Member
Registered: 2012-01-10
Posts: 6


Perhaps I should have clarified my situation a little better.
I am not very concerned about the other user being able to install programs.

The reason I would like to limit one user is that I have two separate user accounts for at home and for at work. Torrenting isn't exactly something they take kindly to at work, so I am simply trying to stop myself from accidentally starting Deluge on my work account (which has already happened).

@brebs

How would one implement the deluge group in a fashion that would stop a user not in the group from starting deluge via gnome-do or the application menu?
When I edited the deluge executable in /usr/bin I removed the execute permission, which stopped any non-root users from starting it via the terminal, but didn't stop them from starting it via the application menu or gnome-do.

@hermes

Thanks for the suggestion - will look into it when I have a little more time to read through it.


#5 2012-01-10 22:37:01

brebs
Member
Registered: 2007-04-03
Posts: 3,742


Athenaeum wrote:

How would one implement the deluge group

chgrp deluge /usr/bin/deluge

But, if this is to protect yourself from yourself (or really your employer's IT dept), maybe it would be better to call the group "nonworksafe" ;)

I myself run AppArmor, and it could be used, but it's overkill for just this task.


#6 2012-01-10 22:38:19

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810


I don't have deluge installed, but I find it quite strange that the default permissions were rwxrwxrwx rather than rwxr-xr-x.

More importantly, something is wrong if your GUI ignores permissions.  If I change gimp (for example) to rwxr-xr-- , I can't run it from the app menu any more than I can run it from the console.

Edit:

Deluge has several executables in /usr/bin, I think you probably didn't restrict the right one:

usr/bin/deluge
usr/bin/deluge-console
usr/bin/deluge-gtk
usr/bin/deluge-web
usr/bin/deluged

deluge-gtk is probably what the GUI launchers call.

Last edited by alphaniner (2012-01-10 22:42:51)



#7 2012-01-10 22:55:51

hermes
Member
From: Lucca, Italy
Registered: 2010-05-19
Posts: 99


Not a very elegant solution, since point 3 would possibly need to be repeated at every deluge upgrade. Not tested, but should work though.
1) create a deluge group:

$ groupadd deluge

2) add your user to deluge group:

$ gpasswd -a YOURUSER deluge

3) change deluge executable permissions so that only root and users in deluge group can run it:

$ chmod 750 `which deluge`

4) logout/login.

Far simpler for what you're trying to accomplish.
Hope this helps!

EDIT:
Please follow alphaniner's suggestion about narrowing down your deluge executable choice (apply point 3 to the ones you want to restrict access to). I don't use it myself, so I didn't figure out that the "strange" GUI behavior could be simply explained considering that deluge is likely just a link to deluge-gtk, or the former is a script that calls the latter.

Last edited by hermes (2012-01-10 23:09:52)



#8 2012-01-11 00:58:27

Athenaeum
Member
Registered: 2012-01-10
Posts: 6


OK guys, thanks a lot for the help.

Using alphaniner's and hermes' suggestions I was able to get everything working well.

As alphaniner suggested, it appears that gnome-do and the openbox-menu were linking to deluge-gtk instead of deluge.

For those interested, I set up the group/permissions as hermes suggested:

hermes wrote:

1) create a deluge group:
$ groupadd deluge
2) add your user to deluge group:
$ gpasswd -a YOURUSER deluge
3) change deluge executable permissions so that only root and users in deluge group can run it:
$ chmod 750 `which deluge`

Rather than applying it only to the deluge file in /usr/bin, I simply ran:

$ chgrp deluge deluge deluge-gtk deluge-console deluge-web deluged
$ chmod 750 deluge deluge-gtk deluge-console deluge-web deluged

Which gave me the permissions for each edited file as:

-rwxr-x--- 1 root deluge

Thanks again for all the help!
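
The check behind this fix, as an added example that is not part of the original posts: it audits every launcher name rather than only `deluge`, and treats a leftover read bit for "other" as open, because a readable script can still be passed to its interpreter. `audit_launchers` is a hypothetical helper that assumes GNU stat; the scratch directory and the caller's own group are constructed stand-ins for /usr/bin and the deluge group.

```shell
#!/bin/sh
# Added example, not from the thread. audit_launchers is a hypothetical helper;
# it needs GNU stat. Returns 1 if any listed launcher is usable outside GROUP.
audit_launchers() {
    group=$1; dir=$2; shift 2
    open=0
    for name in "$@"; do
        path=$dir/$name
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; continue
        fi
        # -L follows symlinks, in case one launcher is a link to another
        info=$(stat -L -c '%a %G' "$path")
        mode=${info%% *}; fgroup=${info#* }
        other=$((mode % 10))          # last octal digit = bits for "other"
        if [ "$fgroup" != "$group" ]; then
            echo "OPEN    $path: group $fgroup, expected $group"; open=1
        # r (4) counts too: a readable script can be handed to its interpreter
        elif [ $((other & 5)) -ne 0 ]; then
            echo "OPEN    $path: mode $mode leaves r or x set for others"; open=1
        else
            echo "OK      $path: mode $mode, group $fgroup"
        fi
    done
    return $open
}

# Constructed sample: a scratch directory stands in for /usr/bin and the
# caller's primary group stands in for the "deluge" group.
demo() {
    d=$(mktemp -d); g=$(id -gn)
    set -- deluge deluge-gtk deluge-console deluge-web deluged
    for n in "$@"; do
        printf '#!/bin/sh\n' > "$d/$n"; chmod 755 "$d/$n"
    done
    chmod 774 "$d/deluge"             # the first attempt: one file, rwxrwxr--
    audit_launchers "$g" "$d" "$@" || echo "-- some launchers still open --"
    (cd "$d" && chgrp "$g" "$@" && chmod 750 "$@")
    audit_launchers "$g" "$d" "$@"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

The first pass reports all five names as OPEN, including the one set to rwxrwxr--; the second pass reports them all OK once group and mode 750 are applied to every launcher.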


#9 2012-01-11 01:06:27

fschiff
Member
Registered: 2011-10-06
Posts: 71


Possible simpler solution:

on work account
create a deluge file in your $HOME/bin directory (assuming that's in your $PATH and your user bin comes before the system bins)

with

echo "Do not run deluge from work account!"

Last edited by fschiff (2012-01-11 01:11:14)
