Re: [PLUG] Blocking A Program From Running
Thank you for all the responses. So cron it is.
I thought there would be a way to prevent any process matching certain
terms from running or launching at all (it seems that's what SELinux
can do).
I have to look into SELinux if this escalates. This is a learning
experience for both of us, too - if he circumvents the cron killall
then I'll have to try something else and it's low enough stakes that
we can both get smarter... this is a family member (someone who should
be using the computer for school work, not using Blender excessively.
Frankly Blender is fantastic and I have nothing against it but other
stuff has to get done sometimes too).
So that's why the HR/administrative/disciplinary option won't work in
this case too.
As a follow-up how do I do a wildcard in killall?
The blender binary is blender-bin. killall blender-bin works but I
have tried killall blend* without success, and I have tried killall
blend*.* too. I would prefer to make it more general and it's all part
of the getting smarter thing too. Any thoughts?
Thanks again,
-Andrew
On Fri, Oct 1, 2010 at 4:22 PM, Claude M. Schrader
<plug@claudeschrader.com> wrote:
> On 16:12 Fri 01 Oct , Matt Mossholder wrote:
>> On Fri, Oct 1, 2010 at 4:06 PM, Claude M. Schrader
>> <plug@claudeschrader.com> wrote:
>>
>> I'm not sure there's any way really to prevent it from running, without
>> getting into the murky depths of SELinux, but the killall command in
>> cron
>> would be easy, and effective
>> Claude
>>
>>
>> Even that is easy to get around by renaming the program. Unless you are
>> willing to go to some lengths to lock down the user's home directory (e.g.
>> no executables in the home dir or temp directories, etc.) plus a boat load
>> of other stuff.
>> It would probably be a LOT easier and more effective to deal with it as an
>> HR or related issue.
>> --Matt
>
>
> you could always break /home off into its own LVM chunk and mount it and
> /tmp as noexec. You would need to lock down thumb drives too, but they may
> eventually run out of places to run it from if permissions on other
> directories are locked down.
>
> But yeah, by far the best way to deal with this is administratively.
> Claude
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
>
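
On the wildcard question in the message above, as an added example that is not part of the original thread: an unquoted blend* is expanded by the shell against file names in the current directory before killall sees it, and killall then compares process names literally. The sketch below matches process names against a shell glob by reading /proc directly (Linux only); the function names and the sample patterns are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): match process names against a
# shell glob by reading /proc, then signal the matches. Linux only.
# Note: /proc/PID/comm holds at most the first 15 characters of the name.

# pids_matching PATTERN [UID]
# Print the PID of every process whose name matches the glob PATTERN.
# If UID is given, only processes owned by that numeric user id count.
pids_matching() {
    pattern=$1
    want_uid=${2:-}
    for dir in /proc/[0-9]*; do
        [ -r "$dir/comm" ] || continue            # process may have exited
        name=$(cat "$dir/comm" 2>/dev/null) || continue
        # $pattern is left unquoted on purpose so case treats it as a glob.
        case $name in
            $pattern) ;;
            *) continue ;;
        esac
        if [ -n "$want_uid" ]; then
            owner=$(stat -c %u "$dir" 2>/dev/null) || continue
            [ "$owner" = "$want_uid" ] || continue
        fi
        echo "${dir#/proc/}"
    done
}

# kill_matching PATTERN [UID]
# Send SIGTERM to every match; return 0 if at least one was signalled.
kill_matching() {
    hit=1
    for pid in $(pids_matching "$@"); do
        [ "$pid" = "$$" ] && continue              # never signal this script
        kill -TERM "$pid" 2>/dev/null && hit=0
    done
    return $hit
}
```

Always quote the pattern when calling these functions, for example kill_matching 'blend*' 1001 (1001 is a constructed user id). Where psmisc and procps are installed, killall -r '^blend' and pkill '^blend' do the equivalent with regular expressions; as Matt notes in the thread, any name-based match is defeated by renaming the binary.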