| 1 |
Grant написа: |
| 2 |
>> I'd like to create a really restricted user on my laptop. I don't |
| 3 |
>> want the user to be able to do much of anything but browse the web, |
| 4 |
>> use skype, and maybe look at photos on a CD or something. I did this: |
| 5 |
>> |
| 6 |
>> useradd -m -G users,audio,cdrom -s /sbin/nologin newuser |
| 7 |
>> |
| 8 |
>> How does that look? I've noticed when adding this kind of a user in |
| 9 |
>> the past they are able to look at files all around the system that I'd |
| 10 |
>> prefer they can't. Is there a good method for restricting that? |
| 11 |
>> Maybe remove the users group? Is a weak password OK with this setup |
| 12 |
>> since there's no shell access? |
| 13 |
> |
| 14 |
> Apparently -s /sbin/nologin wasn't such a good idea since the user |
| 15 |
> then can't log in via GDM. Makes sense. I want the user to be able |
| 16 |
> to log in via GDM but not via ssh. Is that configured in ssh? |
| 17 |
> |
| 18 |
> - Grant |
| 19 |
Hi Grant, |
| 20 |
|
| 21 |
Googling with 'restricted shell' returns some hints: |
| 22 |
1.rsh (restricted shell) - looks that it's rather easy exit from it; |
| 23 |
2.rssh - works with openssh (allows scp, sftp, rdist, rsync, and cvs); |
| 24 |
3. rbash or bash with --restricted IIRC option; |
| 25 |
4. check "zsh -r" vaguely remember the syntax, check about festures. |
| 26 |
HTH. Rumen |
Archives