LinuxQuestions.org


grob115 02-11-2007 10:58 PM

Creating user account with no root privileges
 
Hello,

I have a few questions with regard to adding a new user to the system. I want to add a user account that does not have admin (or root) privileges.

First, I checked that the /etc/default/useradd file contains the GROUP=100 entry:
[root@vps etc]# more default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

However, when I created a user with "useradd normuser" it added the following entries:
"normuser:x:502:503::/home/normuser:/bin/bash" to etc/passwd
"normuser:$1$hdK3U4Tz$avwxY61df:13556:0:99999:7:::" to etc/shadow
"normuser:x:503:" to etc/group

Question 1:
Shouldn't the "useradd" command create the two respective entries in the etc/passwd and etc/shadow files with the GID = 100 as directed in the default/useradd file?

As we can see above, a new line was entered in the etc/group file to create a new GID of 503, and the normuser account was set to this group in etc/passwd.

Question 2:
How do I create a user account such that it can only have access to its home directory and nothing else?

The above created user has access even to mySQL when given the login name and password. It also can view contents of other directories such as /bin, /boot, /dev, /etc, /lib, etc. Though most of these directories have their owner set to root and have permission set as drwxr-xr-x so the user can't delete or modify their contents.

Thanks!

reddazz 02-11-2007 11:53 PM

Some of your questions would have accurate answers if you mention which distro you are using. Some distributions use a generic default group for all users whilst others create a private group for each user which explains the behaviour you mentioned above when you created the new user.

If you do not want a user to access certain directories, then you need to change permissions on those directories so that they are limited to the user and group you want. I think locking down a user to their home directory can cause problems such as a user not being able to run certain commands.

Micro420 02-12-2007 12:39 AM

Just explicitly force everything when creating a new user.
Code:


useradd -m -s /bin/bash -u 100 -g 100 johndoe

Then, remove the user from the USERS group, which will give them ZERO permissions to anywhere on the system but their /home directory. Of course this does not apply if the permission already has READ for everyone.

You might be better off just creating an account with no shell and access. Set it to:
Code:

usermod -s /bin/false johndoe
The user will not be able to log on. Then just export their /home directory via NFS or SAMBA and you don't have to worry about the user snooping around the system. Problem solved???

grob115 02-12-2007 06:25 AM

Quote:

Then, remove the user from the USERS group, which will give them ZERO permissions to anywhere on the system but their /home directory
Do you mean modifying the /etc/group file by changing "USERS:x:100:johndoe" to "USERS:x:100:"?

In other words, the following files will have the following entries?
"johndoe:x:100:100::/home/johndoe:/bin/bash" for etc/passwd
"johndoe:$1$hdK3U4Tz$avwxY61df:13556:0:99999:7:::" for etc/shadow
"johndoe:x:100:" for etc/group

Quote:

I think locking down a user to their home directory can cause problems such as a user not being able to run certain commands.
What type of commands will not be able to run if users are locked to within their home directory?

Thanks

reddazz 02-12-2007 12:33 PM

Quote:

What type of commands will not be able to run if users are locked to within their home directory?
When I wrote that post, I was thinking that if you locked up the user too much, the user may not be able to execute programs in directories such as /usr/bin (or navigate to important directories such as /usr/share/doc). I am not so sure about this anymore, so when I get time, I am going to do a test on one of my machines and post back the result.

grob115 02-12-2007 11:32 PM

Quote:

Then, remove the user from the USERS group, which will give them ZERO permissions to anywhere on the system but their /home directory
Actually, I guess I must have misinterpreted what you meant by this, because the current entry in the /etc/group file also doesn't contain the user's account name at the end of the line. So can you please explain how to remove the user from the USERS group?

btmiller 02-13-2007 12:29 AM

Each user must belong to at least one group (their primary group -- the 4th field in /etc/passwd). You could edit /etc/passwd and swap them to another primary group, but there's no way to have a user be a member of zero groups.

And yes, if you totally lock the user to their home directory so they can't see anything in /bin, /usr/bin, etc. then the account is essentially useless. It sounds to me like you want to chroot the user in a limited environment with a limited set of binaries.

Maybe if you told us why you want to do this someone could help out more.
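
Added example (not part of the thread, and not any poster's code): a small shell sketch of the point above that the primary group comes from the 4th field of /etc/passwd rather than from the member list in /etc/group, and of which permission class (owner, group or other) then applies to a user. The passwd and group data are constructed from the entries quoted in the thread; the `web` group, its GID and the root:users directory are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample data, modelled on the entries quoted in the thread.
PASSWD='normuser:x:502:503::/home/normuser:/bin/bash
johndoe:x:100:100::/home/johndoe:/bin/bash'
GROUP='root:x:0:
users:x:100:
normuser:x:503:
web:x:600:johndoe'

# groups_of USER: print the user's groups, primary group first.
groups_of() {
    # Primary group: the GID in field 4 of the passwd entry.
    pgid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$pgid" ] || return 1
    printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v g="$pgid" '
        $3 == g { primary = $1; next }   # matched by GID, not by member list
        { n = split($4, m, ",")          # supplementary: named in field 4
          for (i = 1; i <= n; i++) if (m[i] == u) extra = extra " " $1 }
        END { if (primary == "") primary = g; print primary extra }'
}

# perms_for USER OWNER GROUP MODE: print the permission class (owner, group
# or other) that applies to USER for a file with that owner, group and
# three-digit octal MODE, followed by the rwx bits of that class.
# Simplified: ignores root's override, ACLs and special bits.
perms_for() {
    user=$1; owner=$2; group=$3; mode=$4
    if [ "$user" = "$owner" ]; then
        class=owner; pos=1
    elif groups_of "$user" | tr ' ' '\n' | grep -qxF "$group"; then
        class=group; pos=2
    else
        class=other; pos=3
    fi
    case $(printf '%s' "$mode" | cut -c"$pos") in
        7) bits=rwx ;; 6) bits=rw- ;; 5) bits=r-x ;; 4) bits=r-- ;;
        3) bits=-wx ;; 2) bits=-w- ;; 1) bits=--x ;; *) bits=--- ;;
    esac
    echo "$class $bits"
}

groups_of johndoe                  # primary group plus supplementary ones
perms_for johndoe root root 755    # a root-owned drwxr-xr-x directory
perms_for johndoe root users 750   # hypothetical directory owned by root:users
perms_for normuser root users 750  # same directory, user outside the group
```

On a live system, `id johndoe` reports the same primary and supplementary groups from the real account databases.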

grob115 02-13-2007 04:43 AM

Hello,

Well, I remember back in the university days when the admin set up accounts for us, we had limited access rights. Well, definitely no access to the database server.

All I want to do is create a user account so they can host their own website. For example, if the username is "john", then I want their site to be hosted at http://www.name.com/~john. They can upload files via FTP, log in via SSH, but not do things that the admin can do, or see directories below the user home directory.

How do I do this? And how do I lock them to their local directory?


All times are GMT -5.