LinuxQuestions.org
Old 10-20-2004, 11:00 AM   #1
jpapa
LQ Newbie
 
Registered: Oct 2004
Posts: 3

Rep: Reputation: 0
Securing Public Machines - New to Linux


Hello, I am a Windows network admin and new to Linux. I have been given the task of setting up Fedora Core 1 workstations in a public environment. So far I have installed Fedora Core 1 and set up a user other than root. I would like this user to only be able to run the programs on the machine and access the internet. I need to restrict this user from changing any and all preferences on the machine. Also, I would like to prevent the user from accessing anything on the machine where they could do harm (for instance restricting the terminal and denying them access to program files). In Windows I am able to control this using group policies. I would appreciate a step-by-step process (since I am new to Linux) on how I can achieve this. Any help would be greatly appreciated. Thanks!
 
Old 10-20-2004, 11:18 AM   #2
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
Plenty of ways; there are group policies in Linux too (m$ stole the idea from UNIX to begin with ... like so many other things)

or you could use RSBAC for more control (and more hardace)

Oh well, again here it is... the only config files the user can manipulate will be his own, if you are dead serious about them not editing these (which is impossible; a lot of programs need to write to these just for them to work)

Also, no user (on any sane distro) can install (this also means uninstall) any programs, or even edit any system files (they can still trash their own, but you can set it up so that every time a user logs in, every file he owns is deleted, and copy the contents from another "safe" directory over to the user's, making the files nice and clean).. though you really can't prevent users from running other programs, ... ok, you can, but it's hard work (points to the group stuff): you'll have to change, and set those up, and add the changes to a startup script so that each time the system boots the selected programs get their permissions changed so only someone like the almighty root user can use them (needs to be placed in startup scripts so that if you update the programs, a simple reboot will "fix" the updates into your twisted computer)

When you compile the kernel, be sure to include the grsec patches, and restrict the /proc system (the grsec patches allow this) so users can see what other users are doing, or see what the network is doing (they can still use it, just not see things like who is using it) ..... also make sure you have trusted path execution enabled, to prevent people from running programs you don't want them running

And it's sad to say, there really is no step-by-step guide; the best way to learn is to just dive in and hope you can learn to swim before you drown ....... so, go dive in
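The two mechanisms described in the post above (wiping the account's files at login and restoring them from a clean "safe" directory, and re-applying root-only permissions to selected programs from a startup script), sketched as an added example that is not part of the original post. The function names, the script name and the `/etc/guest-skel` and `/home/guest` paths are hypothetical; it assumes GNU `find` and `cp` and that the hooks run as root.

```sh
#!/bin/sh
# Added example: names and paths below are hypothetical.

# reset_home TEMPLATE HOME OWNER
# Wipe HOME (dotfiles included) and repopulate it from the clean TEMPLATE.
reset_home() {
    template=$1
    home=${2%/}          # drop one trailing slash so "/" becomes ""
    owner=$3
    if [ ! -d "$template" ]; then
        echo "reset_home: no template directory: $template" >&2
        return 1
    fi
    # Never wipe the filesystem root, root's home or the /home parent.
    case "$home" in
        ""|/root|/home) echo "reset_home: refusing '$2'" >&2; return 1 ;;
    esac
    # The target must be a real directory, not a symlink to somewhere else.
    if [ ! -d "$home" ] || [ -L "$home" ]; then
        echo "reset_home: not a plain directory: $home" >&2
        return 1
    fi
    # rm -rf removes symlinks themselves; it does not follow them.
    find "$home" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
    cp -a "$template"/. "$home"/
    # Ownership can only be handed over when running as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$home"
    fi
}

# lock_programs FILE...
# Strip group/other access so only the owner (root) can run each program.
lock_programs() {
    for prog in "$@"; do
        if [ -f "$prog" ] && [ ! -L "$prog" ]; then
            if [ "$(id -u)" -eq 0 ]; then chown root "$prog"; fi
            chmod go-rwx "$prog"
        fi
    done
}

# Login hook usage (run as root): reset-home.sh /etc/guest-skel /home/guest guest
if [ "$#" -eq 3 ]; then
    reset_home "$1" "$2" "$3"
fi
```

`reset_home` belongs in whatever root-run hook the display manager executes before the session starts, and `lock_programs` in a boot script so the permissions are re-applied after package updates replace the binaries.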
 
Old 10-20-2004, 01:53 PM   #3
jpapa
LQ Newbie
 
Registered: Oct 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Wow, OK - How do I get rid of the preferences folder (under the redhat) for the user I create? Also, how do I restrict the terminal so they cannot do too much in it? Thanks for your help!
 
Old 10-20-2004, 08:48 PM   #4
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
I guess you could always try to restrict access to bash (and any other shells) to root ..... that would prevent any access through the terminals, or use of terminals .............. it might also, though, break lots of programs, and prevent users from logging on in graphical mode (or in text mode)

...... but it would be kinda pointless, as it would only make it harder to mess up your system (if they wanted) but nowhere near impossible...

Still, it's not recommended, as most people couldn't do anything in Linux's command line anyway, and for those that can, there's really no point in restricting their access since they wouldn't be able to do anything all that harmful (deleting their files or corrupting their files on purpose is about as much harm as they can do if you set your system up right) ........ but if you are really worried about it, then don't install development tools (compilers, debuggers, etc.), as then they can't compile or make their own hacks on your system ... also don't install emacs or vi (you can leave ed, as if someone wanted to, they could use cat (a very important command, needed just to run a system) to simulate ed); also leave out any text editors that you don't want (except ed; ok, well, you might be able to get away with deleting it, but it's so unusable as a text editor that you might as well leave it)
 
  

