LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices



Reply
 
Search this Thread
Old 10-24-2009, 07:47 PM   #1
damgar
Senior Member
 
Registered: Sep 2009
Location: dallas, tx
Distribution: Slackware - current multilib/gsb Arch
Posts: 1,949
Blog Entries: 8

Rep: Reputation: 201Reputation: 201Reputation: 201
Need help creating VERY LIMITED user accounts


Hi all,

I am putting together a system for the kids (3 and 5) and guests. I am just about to go live with this system, but there is one last thing that I am having trouble searching a good tutorial for, and that is user creation with defined permissions or a lack of permissions as the case may be. I would like to create for the kids an account that has no write permission to prevent the fifteen "untitled folder"s on the desktop (or deleting, say /etc) and for the guests that will prevent them browsing the file system.

Basically I want to create accounts that can use some programs like Gcompris for the kids and Firefox for the guests and nothing more.

Thanks.
 
Old 10-24-2009, 08:21 PM   #2
MrCode
Member
 
Registered: Aug 2009
Location: Oregon, USA
Distribution: Arch
Posts: 864
Blog Entries: 31

Rep: Reputation: 148Reputation: 148
So, basically you want to prevent any non-root user from writing to any files/folders on the file system? You shouldn't have to worry about critical system folders, as their write access is restricted to the root user by default (e.g. /etc, /usr, /bin, etc.). As for preventing write access to the /home directories, I believe you'll have to do this yourself. you should be able to do this:

Code:
chmod -w /home/(whatever)
as root. The folder will still be readable, but the user cannot write any new files to the directory, nor can they change existing ones.

I'm really no expert, but I hope this at least helps. And since this is done from the command line anyway, I don't think you'll need to worry much about your kids getting around this measure (unless they're familiar with the CLI, ).

BTW, this is assuming the accounts are already there...you should already have at least one non-root account on the system.
 
Old 10-24-2009, 09:20 PM   #3
damgar
Senior Member
 
Registered: Sep 2009
Location: dallas, tx
Distribution: Slackware - current multilib/gsb Arch
Posts: 1,949
Blog Entries: 8

Original Poster
Rep: Reputation: 201Reputation: 201Reputation: 201
For instance.....

For instance (Ubuntu 9.0.4) I created an account for myself at install called "test" which I use to administer the system using sudo and test's password when root privileges are needed and a second, "nonprivileged user" account for my kids called "kids". If I login as kids, I can still browse to /home and from there I can see test's home directory and from there view many if not all (I'm aiming for none) of the files in that directory.

In Ubuntu once logged in as some user, there is an option for "guest session" that does all this, even going so far as to keep "guest" out of /home. I would like that level of separation from the file system. The only reason this isn't an option is that it's only available from another account and there is no password required to go back to the original account and it's options.

I would assume that there's a way to set the permissions on the user side rather than on the file side?
 
Old 10-24-2009, 09:29 PM   #4
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
All you have to do is log in as test, then do the following:
Code:
cd ~/..
ls
you should see the homes here, say kids and test:
Code:
sudo chmod -R 770 test/
That will change the permissions to USER + GROUP full permissions, GLOBAL no permissions. This means that the 'kids' can't navigate into the 'test' home directory anymore. Obviously, maybe tweak to 750 permissions, or something like that.
 
Old 10-24-2009, 10:06 PM   #5
damgar
Senior Member
 
Registered: Sep 2009
Location: dallas, tx
Distribution: Slackware - current multilib/gsb Arch
Posts: 1,949
Blog Entries: 8

Original Poster
Rep: Reputation: 201Reputation: 201Reputation: 201
i get this:

When i try that I get the following:

chmod: cannot access `test/.gvfs': Permission denied

???
 
Old 10-24-2009, 11:52 PM   #6
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
did you do it as sudo?
 
Old 10-24-2009, 11:55 PM   #7
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Have just done that there myself. Try logging in now as a user other than test, you will find you have succeeded. Don't mind the error, that is a special file used to handle HAL and automounting of things, the system will not let you change those permissions.
 
Old 10-25-2009, 01:21 AM   #8
damgar
Senior Member
 
Registered: Sep 2009
Location: dallas, tx
Distribution: Slackware - current multilib/gsb Arch
Posts: 1,949
Blog Entries: 8

Original Poster
Rep: Reputation: 201Reputation: 201Reputation: 201
thanks that helped........

Thanks, that did help and access to my home file is now blocked from the other account, and since moving the mount point to my samba shares to my home directory, that is safe too.......but that account can still view for instance /etc/fstab which for now at least has my samba credentials in plain text...I know I should create a credentials file and I will later.......but for now I don't think I can chmod that low in the tree safely can I? I'm pretty sure that I can't since the delay in response came from typing:
#sudo chmod -R 770 / test

OUCH!

On the bright side though I've got a reinstall/reconfigue/reupdate down to an hour! HA!
 
Old 10-25-2009, 01:57 AM   #9
dv502
Member
 
Registered: Sep 2006
Location: USA - NYC
Distribution: Whatever icon you see!
Posts: 642

Rep: Reputation: 57
Don't chmod a system folder unless you know what you are doing. This can cause unpredictable results.

You can chmod individual files such as /etc/fstab like so

Code:
sudo chmod 600 /etc/fstab
Only root will be able to read and write this file and no one else.

Last edited by dv502; 10-25-2009 at 12:19 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Creating a template for new user accounts (like /etc/skel)? Richard Rasker Mandriva 0 07-08-2009 06:32 PM
trouble creating user accounts krsnachaitanya Linux - Networking 2 02-12-2005 11:01 AM
Create Limited User Accounts epihammer Mandriva 3 05-18-2004 03:52 PM
Creating User Accounts Winux Linux - Newbie 6 04-01-2003 06:35 AM
Creating user accounts Ricardo Linux - Newbie 3 05-19-2002 04:24 AM


All times are GMT -5. The time now is 04:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration