• 0 Posts
  • 5 Comments
Joined 3 years ago
Cake day: June 10th, 2023
  • Goingdown@sopuli.xyztoLinux@lemmy.mlApp Lock under Linux?
    7·
    2 days ago

    Creating a different user account for it is out of the question btw, since you can still change the password for that user via the primary admin account.

    First of all, if users have admin rights, nothing really prevents them to run that app. Even if you encrypt the app itself, they can just reinstall/replace it from standard repository.

    Few ways this can be done:

    1. If app needs internet connection, you may use firewall rules to block said connections, or even application firewall (Opensnitch). Create script which unloads said rules via su (create diffrent accounts with passwords the user must know) then runs app, and after closing app loads rules again. Users must not have admin rights or they can just unload fw rules.

    2. Create encrypted container/directory, protected by password, and manually install said app under there (probably needs manual recompile of the app). Create script which asks password, unlocks the encrypted location, runs app, and locks container after use. Again, no admin rights for users or they just install same app from repositories.

    3. Use apparmor or selinux to block said app. And again create script which by using su (create diffrent accounts with passwords the user must know) allows app via selinux/apparmor policies and runs app, and blocks it again afterwards. I repeat, users must not have admin rights or they can just unload those blocks.

    What app it is?

    EDIT: Clarification for su usage

    To have user asked password before app can be done via su + sudo like this

    • create user demouser
    • give password of that user to end user
    • give demouser sudo rights to run particular command as root without password (to unload fw rules, unload apparmor/selinux policy etc).