Grant wrote:
>> I'd like to create a really restricted user on my laptop.  I don't
>> want the user to be able to do much of anything but browse the web,
>> use skype, and maybe look at photos on a CD or something.  I did this:
>>
>> useradd -m -G users,audio,cdrom -s /sbin/nologin newuser
>>
>> How does that look?  I've noticed when adding this kind of a user in
>> the past they are able to look at files all around the system that I'd
>> prefer they can't.  Is there a good method for restricting that?
>> Maybe remove the users group?  Is a weak password OK with this setup
>> since there's no shell access?
> 
> Apparently -s /sbin/nologin wasn't such a good idea since the user
> then can't log in via GDM.  Makes sense.  I want the user to be able
> to log in via GDM but not via ssh.  Is that configured in ssh?
> 
> - Grant
Hi Grant,

Googling with 'restricted shell' returns some hints:
1. rsh (restricted shell) - looks like it's rather easy to exit from it;
2. rssh - works with openssh (allows scp, sftp, rdist, rsync, and cvs);
3. rbash, or bash with the --restricted option IIRC;
4. check "zsh -r" - I vaguely remember the syntax, check about features.
HTH. Rumen
