Andrew Holden on 1 Oct 2010 17:15:05 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Blocking A Program From Running


Ah, very interesting, Doug - I hadn't heard of pkill before now. That
should work.

Thank you.

-Andrew

On Fri, Oct 1, 2010 at 6:55 PM, Doug Stewart <zamoose@gmail.com> wrote:
> I think pkill supports wildcarding...
>
> --
> Doug Stewart
>
> On Oct 1, 2010, at 6:34 PM, Andrew Holden <ah@heliosltd.com> wrote:
>
>> Thank you for all the responses. So cron it is.
>>
>> I thought there would be a way to prevent any process matching certain
>> terms from running or launching at all (it seems that's what SELinux
>> can do).
>>
>> I have to look into SELinux if this escalates. This is a learning
>> experience for both of us, too - if he circumvents the cron killall
>> then I'll have to try something else and it's low enough stakes that
>> we can both get smarter....this is a family member (someone who should
>> be using the computer for school work, not using Blender excessively.
>> Frankly Blender is fantastic and I have nothing against it but other
>> stuff has to get done sometimes too).
>>
>> So that's why the HR/administrative/disciplinary option won't work in
>> this case too.
>>
>> As a follow-up how do I do a wildcard in killall?
>>
>> The blender binary is blender-bin. killall blender-bin works but I
>> have tried killall blend* without success, and I have tried killall
>> blend*.* too. I would prefer to make it more general and it's all part
>> of the getting smarter thing too. Any thoughts?
>>
>> Thanks again,
>>
>> -Andrew
>>
>> On Fri, Oct 1, 2010 at 4:22 PM, Claude M. Schrader
>> <plug@claudeschrader.com> wrote:
>>> On 16:12 Fri 01 Oct     , Matt Mossholder wrote:
>>>>    On Fri, Oct 1, 2010 at 4:06 PM, Claude M. Schrader
>>>>    <[1]plug@claudeschrader.com> wrote:
>>>>
>>>>      I'm not sure theres any way really to prevent it from running, without
>>>>      getting into the murky depths of SELinux, but the killall command in
>>>>      cron
>>>>      would be easy, and affective
>>>>      Claude
>>>>
>>>>
>>>>    Even that is easy to get around by renaming the program.  Unless you are
>>>>    willing to go to some lengths to lock down the user's home directory (e.g.
>>>>    no executables in the home dir or temp directories, etc.) plus a boat load
>>>>    of other stuff.
>>>>    It would probably be a LOT easier and more effective to deal with it as an
>>>>    HR or related issue.
>>>>         --Matt
>>>
>>>
>>> you could always break /home off into its own LVM chunk and mount it and
>>> /tmp as noexec. You would need to lock down thumb drives too, but they may
>>> eventually run out of places to run it from if permssions on other
>>> directories are locked down.
>>>
>>> But yeah, by far the best way to deal with this is administratively.
>>> Claude
>>> ___________________________________________________________________________
>>> Philadelphia Linux Users Group         --        http://www.phillylinux.org
>>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>>> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>>>
>> ___________________________________________________________________________
>> Philadelphia Linux Users Group         --        http://www.phillylinux.org
>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug