Linux Limit User

aznium · 12-06-2008, 09:20 PM

Is it possible to limit a user to not be able to run any executables?

ie. user account 'guest'

guest can read/write/add new files in /home/guest

however, guest may not execute any programs.

nflenz · 12-06-2008, 10:11 PM

What could that account possibly be used for then?

nflenz · 12-06-2008, 10:15 PM

I should be clearer. The software used to "read/write/add new files" are executables, so disabling the users ability to run executables would also disable their ability to do anything with files.

lumak · 12-07-2008, 01:18 AM

You could give them a custom shell (that is... program your own).. that would theoretically take away their ability and probably the best option.

You could also do something stupid like 'chown root:users' to all the files /bin/ /usr/bin and then 'chmod 754' to all regular files... anybody not in the users group would be excluded from executing the files.

I'm sure somebody has already made a specialized shell with stripped down abilities.

aznium · 12-07-2008, 01:35 AM

the usage is to allow them to SSH files in and out

Tinkster · 12-08-2008, 10:49 AM

Look here

nflenz · 12-09-2008, 11:03 AM

Why not just set up an ftp server?

aznium · 12-09-2008, 11:52 AM

Quote:

Originally Posted by nflenz

Why not just set up an ftp server?

ftp is not encrypted.

thanks tinkster, on 2nd thought - i would like to let the user have access to simple commands such as bzip2, dir, cp...but the motivation for it is to limit the user from being able to upload their own executable and run it...i guess this is pretty hard to do?

thanks

Quakeboy02 · 12-09-2008, 11:57 AM

Quote:

Originally Posted by aznium

the usage is to allow them to SSH files in and out

Then why not use rsync?

Tinkster · 12-09-2008, 12:57 PM

Quote:

Originally Posted by aznium

ftp is not encrypted.

thanks tinkster, on 2nd thought - i would like to let the user have access to simple commands such as bzip2, dir, cp...but the motivation for it is to limit the user from being able to upload their own executable and run it...i guess this is pretty hard to do?

thanks

No, that can be done with a forced command, too.
Just present them with a menu written in shell
that lets them choose from a set of given actions,
and that will not let them do anything from which
they can shell out (e.g. emacs, vim), and maybe
a second login that only permits the scp/sftp.
You'd have to do it that way because forced
commands and scp/sftp are mutually exclusive.

ssh FAQ