|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
Re: [PLUG] Blocking A Program From Running
|
Ah, very interesting, Doug - I hadn't heard of pkill before now. That
should work.
Thank you.
-Andrew
On Fri, Oct 1, 2010 at 6:55 PM, Doug Stewart <zamoose@gmail.com> wrote:
> I think pkill supports wildcarding...
>
> --
> Doug Stewart
>
> On Oct 1, 2010, at 6:34 PM, Andrew Holden <ah@heliosltd.com> wrote:
>
>> Thank you for all the responses. So cron it is.
>>
>> I thought there would be a way to prevent any process matching certain
>> terms from running or launching at all (it seems that's what SELinux
>> can do).
>>
>> I have to look into SELinux if this escalates. This is a learning
>> experience for both of us, too - if he circumvents the cron killall
>> then I'll have to try something else and it's low enough stakes that
>> we can both get smarter....this is a family member (someone who should
>> be using the computer for school work, not using Blender excessively.
>> Frankly Blender is fantastic and I have nothing against it but other
>> stuff has to get done sometimes too).
>>
>> So that's why the HR/administrative/disciplinary option won't work in
>> this case too.
>>
>> As a follow-up how do I do a wildcard in killall?
>>
>> The blender binary is blender-bin. killall blender-bin works but I
>> have tried killall blend* without success, and I have tried killall
>> blend*.* too. I would prefer to make it more general and it's all part
>> of the getting smarter thing too. Any thoughts?
>>
>> Thanks again,
>>
>> -Andrew
>>
>> On Fri, Oct 1, 2010 at 4:22 PM, Claude M. Schrader
>> <plug@claudeschrader.com> wrote:
>>> On 16:12 Fri 01 Oct , Matt Mossholder wrote:
>>>> On Fri, Oct 1, 2010 at 4:06 PM, Claude M. Schrader
>>>> <[1]plug@claudeschrader.com> wrote:
>>>>
>>>> I'm not sure theres any way really to prevent it from running, without
>>>> getting into the murky depths of SELinux, but the killall command in
>>>> cron
>>>> would be easy, and affective
>>>> Claude
>>>>
>>>>
>>>> Even that is easy to get around by renaming the program. Unless you are
>>>> willing to go to some lengths to lock down the user's home directory (e.g.
>>>> no executables in the home dir or temp directories, etc.) plus a boat load
>>>> of other stuff.
>>>> It would probably be a LOT easier and more effective to deal with it as an
>>>> HR or related issue.
>>>> --Matt
>>>
>>>
>>> you could always break /home off into its own LVM chunk and mount it and
>>> /tmp as noexec. You would need to lock down thumb drives too, but they may
>>> eventually run out of places to run it from if permssions on other
>>> directories are locked down.
>>>
>>> But yeah, by far the best way to deal with this is administratively.
>>> Claude
>>> ___________________________________________________________________________
>>> Philadelphia Linux Users Group -- http://www.phillylinux.org
>>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>>> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
>>>
>> ___________________________________________________________________________
>> Philadelphia Linux Users Group -- http://www.phillylinux.org
>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
>
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|