Creating user account with no root privileges
Hello,
I have a few questions with regards to adding a new user to the system. I want to add a user account that does not have admin (or root) privileges. First, I checked that the /etc/default/useradd file contains the GROUP=100 entry:

Code:
[root@vps etc]# more default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

However, when I created a user with "useradd normuser" it added the following entries:

"normuser:x:502:503::/home/normuser:/bin/bash" to etc/passwd
"normuser:$1$hdK3U4Tz$avwxY61df:13556:0:99999:7:::" to etc/shadow
"normuser:x:503:" to etc/group

Question 1: Shouldn't the "useradd" command create the two respective entries in the etc/passwd and etc/shadow files with the GID = 100 as directed in the default/useradd file? As we can see above, a new line was entered in the etc/group file to create a new GID of 503, and the normuser account was set to this group in etc/passwd.

Question 2: How do I create a user account such that it can only have access to its home directory and nothing else? The above created user has access even to MySQL when given the login name and password. It also can view contents of other directories such as /bin, /boot, /dev, /etc, /lib, etc. Though most of these directories have their owner set to root and have permission set as drwxr-xr-x so the user can't delete or modify their contents.

Thanks!
Some of your questions would have accurate answers if you mention which distro you are using. Some distributions use a generic default group for all users whilst others create a private group for each user which explains the behaviour you mentioned above when you created the new user.
If you do not want a user to access certain directories, then you need to change permissions on those directories so that they are limited to the user and group you want. I think locking down a user to their home directory can cause problems such as a user not being able to run certain commands.
Just explicitly force everything when creating a new user.
Code:
You might be better off just creating an account with no shell and access. Set it to:
Code:
usermod -s /bin/false johndoe
In other words, the following files will have the following entries?

"johndoe:x:100:100::/home/johndoe:/bin/bash" for etc/passwd
"johndoe:$1$hdK3U4Tz$avwxY61df:13556:0:99999:7:::" for etc/shadow
"johndoe:x:100:" for etc/group

Thanks
Each user must belong to at least one group (their primary group -- the 4th field in /etc/passwd). You could edit /etc/passwd and swap them to another primary group, but there's no way to have a user be a member of zero groups.
And yes, if you totally lock the user to their home directory so they can't see anything in /bin, /usr/bin, etc. then the account is essentially useless. It sounds to me like you want to chroot the user in a limited environment with a limited set of binaries. Maybe if you told us why you want to do this someone could help out more.
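Added example, not part of the thread: a small shell audit that resolves each account's primary group from the 4th field of a passwd-format file and reports whether it is a private per-user group or a shared one, and whether the shell permits login. The sample entries are constructed from the ones quoted in this thread, and `audit_accounts` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example: audit primary groups and login shells from passwd/group files.

# audit_accounts PASSWD_FILE GROUP_FILE
# Prints one line per account: user primary_gid group_name private|shared login|nologin
audit_accounts() {
    awk -F: '
        # First file (group): build a GID -> group name map (field 3 -> field 1)
        NR == FNR { gname[$3] = $1; next }
        # Second file (passwd): field 4 is the primary GID, field 7 the shell
        {
            g = ($4 in gname) ? gname[$4] : "MISSING"
            # A group named after the user is a private per-user group
            kind = (g == $1) ? "private" : "shared"
            # /bin/false or .../nologin as the shell blocks interactive logins
            sh = ($7 ~ /\/(false|nologin)$/) ? "nologin" : "login"
            print $1, $4, g, kind, sh
        }
    ' "$2" "$1"
}

# demo: run the audit over constructed sample files so it works without root.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed group file: a shared "users" group and a private group
    cat > "$dir/group" <<'EOF'
users:x:100:
normuser:x:503:
EOF
    # Constructed passwd file: normuser as created in the thread, and a
    # johndoe account placed in GID 100 with /bin/false as its shell
    cat > "$dir/passwd" <<'EOF'
normuser:x:502:503::/home/normuser:/bin/bash
johndoe:x:504:100::/home/johndoe:/bin/false
EOF
    audit_accounts "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}

demo
```

On a live system the same function can be pointed at the real files with `audit_accounts /etc/passwd /etc/group`.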
Hello,
Well I remembered back in the university days when the admin set up accounts for us, we had limited access rights. Well, definitely no access to the database server. All I want to do is create a user account so they can host their own website. For example, if the username is "john", then I want their site to be hosted at http://www.name.com/~john. They can upload files via FTP, log in via SSH, but not do things that the admin can do, or see directories below the user home directory. How do I do this? And how do I lock them to their local directory?