[TriLUG] Limited Access User Account

Josh Vickery vickeryj at gmail.com
Wed Sep 14 09:08:26 EDT 2005


I've never done this, but from what you have posted, I think it could
be done more or less like so:

1.  set the user's shell in /etc/passwd to "rbash" which is the same as bash -r
2.  set the user's PATH to just the commands that you want (export
PATH=/usr/bin/vi:... in /etc/profile or some such place that the user
does not have write access to).
3.  set up sudo for the user with the root commands you would like them
to run, and add /usr/bin/sudo to the user's path

On 9/14/05, Dhruv Gami <gami at d10systems.com> wrote:
> Hello Everyone,
> 
> I am trying to set up an account for a user, who is to be given limited
> access. For example, this user should be able to run things like reboot,
> useradd, ifconfig, tail, emacs (or vi) ... essentially a list of
> programs that I specify, and only those programs.
> 
> Googling around for this got me to some posts on other mailing lists
> that mentioned something to the effect of using bash with the -r
> directive to get restricted shell which can execute only the programs in
> its bin directory. With this approach, I was unable to figure out how to
> set bash -r as the default shell for the user, and was confused whether
> or not I can set superuser programs like ifconfig to run from this
> user's account.
> 
> Is there any other way to do this? I know theoretically I could define
> a group and set it up in some way to get this done, but I don't know how
> to get that done. Google didn't reveal much practical information, only
> theoretical capabilities.
> 
> Any pointers?
> 
> regards,
> Gami
> 
>
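
The three steps from the reply, staged under a scratch directory so the result can be reviewed before anything touches the real system (an added example, not part of the original thread). The user name, UID, command lists and binary paths are assumptions and vary by distribution; PATH takes directories, so the allowed commands are symlinked into a single bin directory.

```shell
#!/bin/sh
# Added example: stage a restricted-account layout under a scratch root.
# Constructed values: command lists, binary paths, UID/GID 1500.
USER_CMDS="/usr/bin/tail /usr/bin/vi /usr/bin/sudo"          # run as the user
ROOT_CMDS="/sbin/reboot, /usr/sbin/useradd, /sbin/ifconfig"  # run through sudo

stage_restricted_account() {   # usage: stage_restricted_account ROOT USER
    root=$1 user=$2
    bindir="$root/home/$user/bin"
    mkdir -p "$bindir" "$root/etc/profile.d" "$root/etc/sudoers.d" || return 1

    # Step 1: passwd entry with rbash as the login shell.
    printf '%s:x:1500:1500::/home/%s:/bin/rbash\n' "$user" "$user" \
        > "$root/etc/passwd"

    # Step 2: PATH is one directory holding only symlinks to allowed commands.
    for cmd in $USER_CMDS; do
        ln -sf "$cmd" "$bindir/${cmd##*/}" || return 1
    done
    # Startup files are read before rbash enforces its restrictions, so the
    # PATH assignment works here; rbash then refuses later changes to PATH.
    # On install, this file, the home directory, its dotfiles and bin/ must be
    # owned by root, otherwise the user can replace them.
    cat > "$root/etc/profile.d/restricted-$user.sh" <<EOF
if [ "\$(id -un)" = "$user" ]; then PATH=\$HOME/bin; export PATH; fi
EOF

    # Step 3: sudoers fragment listing each root command by absolute path.
    printf '%s ALL = (root) %s\n' "$user" "$ROOT_CMDS" \
        > "$root/etc/sudoers.d/$user"
    chmod 0440 "$root/etc/sudoers.d/$user"
}

# Returns 0 only if bin/ holds nothing but symlinks to commands in USER_CMDS.
audit_bindir() {   # usage: audit_bindir ROOT USER
    bindir="$1/home/$2/bin"
    for entry in "$bindir"/*; do
        [ -L "$entry" ] || return 1
        case " $USER_CMDS " in
            *" $(readlink "$entry") "*) ;;
            *) return 1 ;;
        esac
    done
}
```

Check the generated fragment with `visudo -cf` before copying it into /etc/sudoers.d, and rerun `audit_bindir` against the live home directory whenever the allowed list changes.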


