User with read-only to entire filesystem

psychocandy · January 26, 2018, 6:19am

Is this even possible?

Its a request for external auditors to login remotely.

hicksd8 · January 26, 2018, 6:51am

Hmmmm........this is not easy to do but not too difficult either. Let me elaborate.

There's no standard way of achieving this with access rights, group rights, or different user setup.

What version of Solaris are we talking?

However, you can create a special read-only shell, a new mountpoint lower in the filesystem, and remount '/' on that mountpoint. A specially created userid can then login and be given a read-only shell and access to '/' remounted as read-only.

Look at this:
LNXHC: HowTo Create a read-only user (Solaris 10) - BigAdmin - wikis.sun.com

It depends whether you want to go to this amount of modification to achieve it.

rbatte1 · January 26, 2018, 7:51am

Another way might be to NFS mount the filesystem to a server you don't care about and give them access to that. You can set the share and/or the mount options to be read-only.

If you don't have a spare server, could you share/mount it back to yourself read-only and chroot the user account to that mount point. You need to make sure that they can't escape out again though without logging off. You might get away with exec chroot /read-only-fs in their normal .profile, but you'd need to test it. I haven't done this, it's just a theory.

I hope that this helps,
Robin

psychocandy · February 6, 2018, 9:29am

Sounds like a good idea. Remind me - if I share/mount it back to the other server (as RO) does it give me read permission to every file?

Peasant · February 6, 2018, 11:34am

Yes, If you share the share with root permissions.
I haven't actually tried to export the entire filesystem hierarchy via NFS...

Even with ro permission, the user will see all the files on the system, including password hashes from operating system files, host keys etc.

This should not be done as it compromises system security in so many ways ...

Auditors should not have or require access to those important security files.
If required, you should provide those files with hashes replaced/blanked.

Only if the requirement of audit is to compromise the trust of the server and its users.

Hope that helps
Regards
Peasant.

achenle · February 8, 2018, 7:58am

This sounds like a good use-case for a zone. You can mount the required filesystem(s) read-only in the zone, and create normal user(s) for the auditor(s) in just that zone.