hi
i have centos5.3 i want to create user with non admin privilges
he is unable to see contents of server only he will able to login nothing else

AMar

Hi,

Could you be more specific? A normal user does not have admin privileges.

When you create a user in centos this user will have a group associated with it that is unique for that user (if you create user foo it will get group foo as well). This makes the privileges of that user more restrictive. Have a look here: Chapter 32. Users and Groups

You mention that this user should be able to log in and nothing else. So this user cannot execute any commands once logged in?

Could you explain this part. Is this a user who can access the ftp or sftp service, and you don't want them to be able to cd above the public/ directory?

A normal user doesn't have admin rights, but being able to access libraries and some files in /etc/ or /usr/ is needed to run programs as a normal user.

Thanks for reply

i want user are able to login to server througt ssh from internet ,but i want this user not able to view directory, not fired any command do not delete anything only pure login through ssh from internet

Hi,

Although I don't see the point in letting a user have access to a machine and then deny this user any actions, maybe this will do what you want:

In general a user has a shell he logs into (most commonly /bin/bash), the system knows which shell to use by looking at the appropriate line in /etc/passwd.

If you create the following file, called dead.stop.sh, in /bin: and replace the /bin/bash part with /bin/dead.stop.sh in /etc/passwd, this user can log in, but cannot do anything but log out again.

Steps to take to accomplish this (as root):
1) create the above script and give it execute permissions (chmod 555 /bin/dead.stop.sh),
2) create a normal user with useradd/adduser or the GUI (user is called foobar in this example),
3) give this user a valid password (passwd foobar),
4) open /etc/passwd and look for the foobar entry (probably the last line) which looks something like this: foobar:x:1000:1000::/home/foobar:/bin/bash. Change the bold part to /bin/dead.stop.sh.

If all went as planned the following should happen when trying to log into that user (ssh or normal login): Although I might have overlooked something I do believe you cannot break out of this script and gain shell access (please correct me if I'm wrong).

Hope this is what you are looking for.

Could you explain what the users will be doing after they log in?

For services where you want user names and permissions, but not shell access, you can use a restricted shell or nologin shell in the shell entry of /etc/passwd for that account.

Also look at chroot'ing. That is to copy only essential files & libraries needed by the user to a subdirectory, and running that service in a chroot'ed jail. This is often done for services such as apache and mail servers.

amartlk
can you pleaseexplain what it is you want and what you want the user to do
from the sound of it what the user can do is nothing nothing at all .

I suppose it's possible that the OP wants the remote user to be able to login to his machine to set up an SSH proxy to another host, but not to run any commands on the box. Using a restricted shell or chroot jail as suggested above seem like the best method for accomplishing this, but maybe SSH has another way.

I am gunna also suggest this user is probably after proxy or tunneling. I suppose if you wanted to allow somebody to SSH tunnel to the server for another service, say for an application or service then this might be a more secure route... else wise I don't see the point in this either.

thanks for reply

i wants the remote user to be able to login throught internet in the local server through SSH , but not to run any commands on that server


AMAR .

Thanks it work for me

Hi,

Glad to see this is solved.

And: You're welcome