tom callaway (spot) wrote,
tom callaway
spot

Things an Unprivileged Linux User Must Not Be Able To Do

An Unprivileged Linux User Must Not Be Able to:

* Add, Remove, or Upgrade system software (packaged or otherwise)
* Read or Write directly to/from system memory
* Load or Unload kernel modules
* Start or Stop System Daemons
* Edit System-wide configuration files
* Access other users home directories (unless explicitly granted permission by another user)
* View or Change another users password
* Add or Remove User accounts
* Change the System Clock
* Shutdown or Reboot the System (unless they are the only user logged in, and they are logged in locally)
* Read from System Logs containing any information about user activities (System logs live in /var/log/*)
* Write to System Logs (directly)
* Write a file outside of /tmp or their user home directory (unless explicitly granted permission by another user)
* Load or Modify PolicyKit or SELinux policies
* Change SELinux Enforcement levels
* Listen on a network port lower than 1024
* Mount or Unmount Partitions or Network Shares (excluding automounted local devices such as USB flash drives, and devices explicitly configured by the root user for unprivileged use)
* Change or Disable firewall settings

What else am I missing?

Note: A user with sudo access is not an unprivileged user. A user who knows the root password is not an unprivileged user. A user placed into an "admin" group is not an unprivileged user.
Subscribe

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 47 comments
Previous
← Ctrl ← Alt
Next
Ctrl → Alt →
Previous
← Ctrl ← Alt
Next
Ctrl → Alt →