Grant wrote:
>> I'd like to create a really restricted user on my laptop. I don't
>> want the user to be able to do much of anything but browse the web,
>> use skype, and maybe look at photos on a CD or something. I did this:
>>
>> useradd -m -G users,audio,cdrom -s /sbin/nologin newuser
>>
>> How does that look? I've noticed when adding this kind of a user in
>> the past they are able to look at files all around the system that I'd
>> prefer they can't. Is there a good method for restricting that?
>> Maybe remove the users group? Is a weak password OK with this setup
>> since there's no shell access?
>
> Apparently -s /sbin/nologin wasn't such a good idea since the user
> then can't log in via GDM. Makes sense. I want the user to be able
> to log in via GDM but not via ssh. Is that configured in ssh?
>
> - Grant
Hi Grant,

Googling with 'restricted shell' returns some hints:
1. rsh (restricted shell) - looks like it's rather easy to exit from it;
2. rssh - works with openssh (allows scp, sftp, rdist, rsync, and cvs);
3. rbash or bash with the --restricted option, IIRC;
4. check "zsh -r" (I vaguely remember the syntax), check about features.
HTH. Rumen