[TriLUG] Limited Access User Account
    Dhruv Gami
    gami at d10systems.com
    Sat Sep 17 12:33:39 EDT 2005

Jon Carnes wrote:
> Looking at some of the examples it seems like the setup is for a user to
> do system maintenance/administration on a system without compromising the
> security of user files/accounts (Paranoid Pointy-Haired Bosses don't
> like the fact that a sysadmin can read their all too valuable files).
> 
> Is this the problem you are trying to solve?

Essentially, yes. It's actually a complicated situation. We're trying to 
get a junior fellow to get limited access to one of our servers, and the 
idea is to delegate him tasks one by one, and give him enough access to 
do just those things. Giving him more access than that might make him 
curious and by mistake he might someday mess up something critical. 
Keeping him isolated on a non-production server doesn't help much, coz 
eventually this fellow will have to administer these servers. In my 
opinion, all this paranoid approach might not be needed, as regular 
backups etc. can bring us back in case of any mess up, but the Paranoid 
Pointy-Haired Bosses don't want this guy to get access till whenever.
So now it's my responsibility to give him restricted access.

> Have you looked at using something like Webmin to admin the servers in
> question?  You can severely limit root access and only have normal
> Admins use web-based tools for monitoring/maintaining the services.
> 
> Just wondering if a different approach might not be more profitable.

I like the idea of webmin, and it will solve my problem to a certain 
extent, but then this guy still wouldn't know the command line ways of 
quickly doing things and identifying problems. In my opinion, being able 
to work on the command line to get any administrative task completed is 
needed for any system administrator at any level. Any comments?

regards,
Gami

PS: Thanks to everyone else who gave insightful information into setting 
up a restricted shell. I didn't think it would be as complicated as it 
really is.
    
    