From owner-freebsd-current@FreeBSD.ORG  Wed Jan 21 09:40:05 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 273F516A4CE; Wed, 21 Jan 2004 09:40:05 -0800 (PST)
Received: from genius.tao.org.uk (genius.tao.org.uk [212.135.162.51])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id B586643D3F; Wed, 21 Jan 2004 09:39:57 -0800 (PST)
	(envelope-from joe@genius.tao.org.uk)
Received: by genius.tao.org.uk (Postfix, from userid 100)
	id ED34A4221; Wed, 21 Jan 2004 17:39:56 +0000 (GMT)
Date: Wed, 21 Jan 2004 17:39:56 +0000
From: Josef Karthauser <joe@FreeBSD.org>
To: freebsd-current@freebsd.org
Message-ID: <20040121173956.GH68003@genius.tao.org.uk>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="uc35eWnScqDcQrv5"
Content-Disposition: inline
User-Agent: Mutt/1.5.5.1i
cc: Robert Watson <rwatson@freebsd.org>
Subject: Policy for a user that can't write any files (apart from in /tmp).
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jan 2004 17:40:05 -0000


--uc35eWnScqDcQrv5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Is it possible now-a-days with MAC, etc, to set a per user policy such
that the user doesn't have permissions to write to the file system?
I've got a remote user that's logging in to make backup, and it would be
really cool to prevent them from modifying anything with out futzing
with file permissions and groups.

Joe
--=20
Josef Karthauser (joe@tao.org.uk)	       http://www.josef-k.net/
FreeBSD (cvs meister, admin and hacker)     http://www.uk.FreeBSD.org/
Physics Particle Theory (student)   http://www.pact.cpes.sussex.ac.uk/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D An eclectic mix of fact an=
d theory. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

--uc35eWnScqDcQrv5
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iEYEARECAAYFAkAOuWsACgkQXVIcjOaxUBYYIACdE8mTsT4hWug5wT3FN02kVo/X
2yQAn20dQop1Xjy2JEkfddgDeAQA/8rS
=/PK1
-----END PGP SIGNATURE-----

--uc35eWnScqDcQrv5--