Old 02-11-2007, 10:58 PM   #1
grob115
Member
 
Registered: Oct 2005
Posts: 528

Creating user account with no root privileges


Hello,

I have a few questions with regards to adding a new user to the system. I want to add a user account that does not have admin (or root) privileges.

First, I checked that the /etc/default/useradd file contains the GROUP=100 entry:
[root@vps etc]# more default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

However, when I created a user with "useradd normuser" it added the following entries:
"normuser:x:502:503::/home/normuser:/bin/bash" to /etc/passwd
"normuser:$1$hdK3U4Tz$avwxY61df:13556:0:99999:7:::" to /etc/shadow
"normuser:x:503:" to /etc/group

Question 1:
Shouldn't the "useradd" command create the two respective entries in the /etc/passwd and /etc/shadow files with the GID = 100 as directed in the default/useradd file?

As we can see above, a new line was entered in the /etc/group file to create a new GID of 503, and the normuser account was set to this group in /etc/passwd.

Question 2:
How do I create a user account such that it can only have access to its home directory and nothing else?

The above created user has access even to MySQL when given the login name and password. It also can view the contents of other directories such as /bin, /boot, /dev, /etc, /lib, etc. Though most of these directories have their owner set to root and have permissions set as drwxr-xr-x, so the user can't delete or modify their contents.

Thanks!

Last edited by grob115; 02-12-2007 at 06:25 AM.
 
Old 02-11-2007, 11:53 PM   #2
reddazz
Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Some of your questions would have accurate answers if you mention which distro you are using. Some distributions use a generic default group for all users whilst others create a private group for each user which explains the behaviour you mentioned above when you created the new user.

If you do not want a user to access certain directories, then you need to change permissions on those directories so that they are limited to the user and group you want. I think locking down a user to their home directory can cause problems such as a user not being able to run certain commands.
 
Old 02-12-2007, 12:39 AM   #3
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Just explicitly force everything when creating a new user.
Code:
useradd -m -s /bin/bash -u 100 -g 100 johndoe
Then, remove the user from the USERS group, which will give them ZERO permissions to anywhere on the system but their /home directory. Of course this does not apply if the permission already has READ for everyone.

You might be better off just creating an account with no shell and access. Set it to:
Code:
usermod -s /bin/false johndoe
The user will not be able to log on. Then just export their /home directory via NFS or SAMBA and you don't have to worry about the user snooping around the system. Problem solved???
 
Old 02-12-2007, 06:25 AM   #4
grob115
Member
 
Registered: Oct 2005
Posts: 528

Original Poster
Quote:
Then, remove the user from the USERS group, which will give them ZERO permissions to anywhere on the system but their /home directory
Do you mean modifying the /etc/group file by changing "USERS:x:100:johndoe" to "USERS:x:100:"?

In other words, the following files will have the following entries?
"johndoe:x:100:100::/home/johndoe:/bin/bash" for /etc/passwd
"johndoe:$1$hdK3U4Tz$avwxY61df:13556:0:99999:7:::" for /etc/shadow
"johndoe:x:100:" for /etc/group

Quote:
I think locking down a user to their home directory can cause problems such as a user not being able to run certain commands.
What type of commands will not be able to run if users are locked to within their home directory?

Thanks

Last edited by grob115; 02-12-2007 at 06:29 AM.
 
Old 02-12-2007, 12:33 PM   #5
reddazz
Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Quote:
What type of commands will not be able to run if users are locked to within their home directory?
When I wrote that post, I was thinking that if you locked up the user too much, the user may not be able to execute programs in directories such as /usr/bin (or navigate to important directories such as /usr/share/doc). I am not so sure about this anymore, so when I get time, I am going to do a test on one of my machines and post back the result.
 
Old 02-12-2007, 11:32 PM   #6
grob115
Member
 
Registered: Oct 2005
Posts: 528

Original Poster
Quote:
Then, remove the user from the USERS group, which will give them ZERO permissions to anywhere on the system but their /home directory
Actually, I guess I must have misinterpreted what you meant by this, because the current entry in the /etc/group file also doesn't contain the user's account name at the end of the line. So can you please explain how to remove the user from the USERS group?
 
Old 02-13-2007, 12:29 AM   #7
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,133

Each user must belong to at least one group (their primary group -- the 4th field in /etc/passwd). You could edit /etc/passwd and swap them to another primary group, but there's no way to have a user be a member of zero groups.

And yes, if you totally lock the user to their home directory so they can't see anything in /bin, /usr/bin, etc. then the account is essentially useless. It sounds to me like you want to chroot the user in a limited environment with a limited set of binaries.

Maybe if you told us why you want to do this someone could help out more.
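The posts above turn on what the /etc/passwd and /etc/group fields actually say: the 3rd passwd field is the UID (0 means root, whatever the account is called), the 4th is the primary GID that btmiller points out every account must have, a "user private group" (reddazz) is simply a group named after the user whose GID sits in that field, and Micro420's /bin/false trick lives in the 7th field. The script below is an added example, not code from the thread or from any of its posters. It audits constructed copies of the two files embedded in the script, so it runs without root and without touching the real files; the treatment of root, wheel and sudo as admin groups is this example's own assumption, and the sample accounts (admin, backdoor, ftponly) are made up to exercise each case. Point PASSWD_DATA and GROUP_DATA at `cat /etc/passwd` and `cat /etc/group` to run it against a host.

```shell
#!/bin/sh
# Added example (not from the thread): audit passwd/group data to show which
# accounts are root-equivalent and whether each account's primary group is a
# private group (GID named after the user) or a shared group such as users(100).

# Constructed sample data. Password hashes live in /etc/shadow, hence "x".
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
normuser:x:502:503::/home/normuser:/bin/bash
johndoe:x:501:100::/home/johndoe:/bin/bash
backdoor:x:0:0::/home/backdoor:/bin/bash
ftponly:x:504:504::/home/ftponly:/bin/false'

GROUP_DATA='root:x:0:
wheel:x:10:admin
users:x:100:
admin:x:500:
normuser:x:503:
ftponly:x:504:'

# Assumption of this example: membership in any of these groups counts as admin.
ADMIN_GROUPS='root wheel sudo'

# passwd_field USER N -> prints field N of USER's passwd line (3=UID, 4=GID, 7=shell)
passwd_field() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}

# group_name GID -> prints the group name for GID from the group data
group_name() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# has_private_group USER -> 0 if USER's primary group is named after USER
has_private_group() {
    [ "$(group_name "$(passwd_field "$1" 4)")" = "$1" ]
}

# in_group USER GROUP -> 0 if USER is a supplementary member (4th /etc/group field)
in_group() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# is_root_equivalent USER -> 0 if UID is 0 or USER is in an admin group
# (by primary GID or supplementary membership), 1 otherwise
is_root_equivalent() {
    uid=$(passwd_field "$1" 3)
    [ -z "$uid" ] && return 1
    [ "$uid" -eq 0 ] && return 0
    primary=$(group_name "$(passwd_field "$1" 4)")
    for g in $ADMIN_GROUPS; do
        [ "$primary" = "$g" ] && return 0
        in_group "$1" "$g" && return 0
    done
    return 1
}

# has_login_shell USER -> 1 if the shell is /bin/false or a nologin binary
has_login_shell() {
    case "$(passwd_field "$1" 7)" in
        /bin/false|*/nologin|"") return 1 ;;
        *) return 0 ;;
    esac
}

# count_uid0 -> number of UID 0 accounts; more than one means a second root exists
count_uid0() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: '$3 == 0 { n++ } END { print n + 0 }'
}

# audit_accounts -> one report line per account
audit_accounts() {
    printf '%s\n' "$PASSWD_DATA" | cut -d: -f1 | while read -r u; do
        if is_root_equivalent "$u"; then priv=ROOT-EQUIVALENT; else priv=unprivileged; fi
        if has_private_group "$u"; then grp=private; else grp="shared($(group_name "$(passwd_field "$u" 4)"))"; fi
        if has_login_shell "$u"; then sh=shell; else sh=no-shell; fi
        printf '%-10s %-16s %-9s primary group: %s\n' "$u" "$priv" "$sh" "$grp"
    done
    printf 'accounts with UID 0: %s\n' "$(count_uid0)"
}

audit_accounts
```

On the sample data, normuser comes out unprivileged with a private group (GID 503, named normuser), johndoe unprivileged with the shared users group, and both root and the made-up backdoor account as root-equivalent because their UID is 0, which is the field that matters for "no root privileges", not the group name.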
 
Old 02-13-2007, 04:43 AM   #8
grob115
Member
 
Registered: Oct 2005
Posts: 528

Original Poster
Hello,

Well, I remember back in the university days when the admin set up accounts for us, we had limited access rights. Well, definitely no access to the database server.

All I want to do is create a user account so they can host their own website. For example, if the username is "john", then I want their site to be hosted at http://www.name.com/~john. They can upload files via FTP, login via SSH, but not do things that the admin can do, or see directories below the user home directory.

How do I do this? And how do I lock them to their local directory?
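btmiller's suggestion of a chroot, and the wish in the post above to let a user log in via SSH without seeing anything outside their own directory, maps onto the ChrootDirectory option documented in sshd_config(5). sshd enforces one rule before it will chroot a session: every component of the chroot path must be a root-owned directory that is not writable by group or others, because a jail the user can write to lets them replace files the session trusts inside it. The check below is an added example, not code from the thread or from OpenSSH. It separates that rule from the filesystem query so the rule can be exercised on constructed stat output; `check_chroot_dir` applies it to a real directory and assumes GNU `stat -c` is available. The /srv/chroot/john paths in the comments and tests are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). OpenSSH's ChrootDirectory requires every
# path component to be a root-owned directory that is not group- or world-
# writable; otherwise sshd refuses the login with "bad ownership or modes for
# chroot directory component".

# chroot_components_ok reads lines of "UID OCTALMODE PATH" on stdin, one per
# path component (the format of stat -c '%u %a %n'), prints the first offending
# component and returns 1, or returns 0 and prints nothing if all pass.
chroot_components_ok() {
    while read -r uid mode path; do
        [ -z "$path" ] && continue
        if [ "$uid" != 0 ]; then
            printf 'not root-owned: %s (uid %s)\n' "$path" "$uid"
            return 1
        fi
        # Keep the low three octal digits; a setgid/sticky digit may precede them.
        perm=$mode
        while [ ${#perm} -lt 3 ]; do perm=0$perm; done
        perm=${perm#"${perm%???}"}
        group=${perm#?}; group=${group%?}
        other=${perm#??}
        # The write bit is 2 in each octal digit.
        if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
            printf 'writable by group/other: %s (mode %s)\n' "$path" "$mode"
            return 1
        fi
    done
    return 0
}

# list_components DIR -> prints "/" and each ancestor of DIR down to DIR itself
list_components() {
    dir=$1
    case "$dir" in
        /*) ;;
        *) echo "absolute path required" >&2; return 2 ;;
    esac
    printf '/\n'
    acc=
    old_ifs=$IFS
    IFS=/
    for part in $dir; do
        [ -z "$part" ] && continue
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
    IFS=$old_ifs
}

# check_chroot_dir DIR -> stat every component (GNU stat) and apply the rule.
# Usage: check_chroot_dir /srv/chroot/john && echo "usable as ChrootDirectory"
check_chroot_dir() {
    list_components "$1" | while read -r p; do
        stat -c '%u %a %n' "$p" || exit 1
    done | chroot_components_ok
}
```

The usual layout that passes this check is a root-owned, mode 755 jail with a writable subdirectory for the user inside it (for example a home or upload directory owned by the user below the jail root), since the rule applies to the chroot path itself and its ancestors, not to what sits beneath it.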
 