On Fri, Aug 21, 2015 at 08:25:56PM +1000, Daurnimator wrote:
> On 21 August 2015 at 19:57, Dominick Grift <[email protected]> wrote:
> > I think it kind of sucks that systemctl --user list-units can be used to
> > determine who is currently logged in.
>
> You can see with `loginctl list-users` too

My restricted users currently cannot run loginctl. If they could, then there may or may not be a way to transparently deny access to that info using SELinux (not sure; I would have to try it).

> I once tried to prevent getting a list of users, but it's hard... I locked
> out:
> - `w` and `who` (uses /var/run/utmp; do chmod o-r)
> - `grep -h '^Uid:' /proc/*/status | sort -u` (prevent with procfs
>   option hidepid=2)
> - ls /run/user (do chmod o-r)

I think I do have it working currently (at least mostly), except for systemctl --user list-units.

I am basically using SELinux to isolate processes based on roles and types:
access to wtmp is denied with TE;
access to process state is isolated using RBACSEP;
access to df -h is restricted to generic file systems only (tmpfs fs doesn't show up);
access to pts/ttys and other "files" is isolated using RBACSEP.

--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
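The three leaks Daurnimator lists (world-readable utmp, unrestricted procfs, world-readable /run/user) can be checked from a defender's side with a small audit. The following is an added example, not code from the thread or from systemd; the function names, the sample mount lines and the mode values are constructed for illustration.

```python
"""Audit the user-enumeration leaks discussed in the thread:
utmp readable by others, procfs without hidepid=2, /run/user listable."""
import os
import stat


def hidepid_from_mounts(mounts_text):
    """Return the hidepid value for /proc from /proc/mounts text, or None if /proc is absent."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]
            return "0"  # mounted without the option: kernel default, nothing hidden
    return None


def world_readable(mode):
    """True if the 'others' read bit is set in a st_mode value."""
    return bool(mode & stat.S_IROTH)


def audit(mounts_text, utmp_mode, run_user_mode):
    """Return a list of findings; an empty list means all three leaks are closed."""
    findings = []
    hp = hidepid_from_mounts(mounts_text)
    if hp not in ("2", "invisible"):  # newer kernels also accept the named form
        findings.append(f"/proc mounted with hidepid={hp!r}; remount with hidepid=2")
    if world_readable(utmp_mode):
        findings.append("/var/run/utmp is world-readable (w/who list sessions); chmod o-r")
    if world_readable(run_user_mode):
        findings.append("/run/user is world-readable (ls shows logged-in UIDs); chmod o-r")
    return findings


def live_audit():
    """Run the audit against the local system (needs Linux with utmp and /run/user)."""
    with open("/proc/mounts") as f:
        mounts = f.read()
    return audit(mounts, os.stat("/var/run/utmp").st_mode, os.stat("/run/user").st_mode)


# Constructed sample inputs, not captured from a real host.
SAMPLE_WEAK_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_HARDENED_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0\n"

if __name__ == "__main__":
    for finding in live_audit():
        print(finding)
```

Running the module prints one line per remaining leak on the local host; `audit()` can also be fed captured `/proc/mounts` text and mode bits from another system.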
