Preventing File Access

Sometimes it is convenient to define a FILE record that has no owner. To do this in selang, specify the special owner “nobody.”

For example, to define the file /tmp/binary.bkup as a protected file and prevent all users from accessing the file, enter the following selang command:

newres FILE /tmp/binary.bkup owner(nobody) defaccess(N)

This newres command ensures that even the user who issued the command, whether root or otherwise, cannot access the file. After preventing all users from accessing a file, you must usually grant one or more users access to that file explicitly.

To explicitly permit a user access to a protected file, use the authorize command. For example, to grant the user “userJo” update access to all files in the /tmp directory whose names begin with Jo, enter the following selang command:

authorize FILE /tmp/Jo* uid(userJo) acc(Update)

Note: CA ControlMinder protects only those files defined in its database.