add root user with restricted access
Hello, I have created a user on my Linux box with SSH access and added him to the sudoers file. I would like him to be able to install normally, but his access should be limited by the files he sees.
Adding him to the sudoers file gives him full access to the system. This user should not have full access to the whole system; I just want him to be able to install some packages. If you have any idea on how to go about this, please help me out.
http://stackoverflow.com/questions/5...sing-wireshark for an example.
Thanks guys for the quick response, this is what I've so far to let someone install something
And another thing, I've given him "/bin/chroot"
Walter, did you add the following line in sudoers for that user?

<username> ALL=(ALL) ALL

It will give that user full super-user privileges. So just remove this line, and add the following line, to give rights for package installation only:

<username> ALL=/usr/bin/apt-get

Then user <username> will be able to invoke this command only with super-user privileges, like:

sudo apt-get
Enter sudo password:

So try it once, hope this will help you!
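
An added example, not part of the original thread: a small shell check that reads sudoers-style rules and flags grants broader than "install packages only", including the `/bin/chroot` grant mentioned earlier. The function names, finding labels and sample rules are constructed for illustration; because package maintainer scripts run as root, even an argument-limited package-manager rule is reported for review.

```shell
#!/bin/sh
# Added example: flag sudoers rules that hand out more than "install packages".
# Handles simple "user host=(runas) cmd, cmd" lines only: no aliases,
# tags (NOPASSWD:) or line continuations.
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }  # comments, blanks, Defaults
    {
      user = $1
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)       # drop "user host="
      sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop optional "(runas)"
      sub(/[ \t]+$/, "", spec)             # drop trailing whitespace
      n = split(spec, cmds, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        cmd = cmds[i]
        m = split(cmd, w, /[ \t]+/)        # w[1] = path, rest = fixed arguments
        base = w[1]; sub(/.*\//, "", base)
        if (cmd == "ALL")
          print user ": FULL_ROOT " cmd
        else if (base == "chroot")
          # chroot started as root gives a root process: treat as full root.
          print user ": ROOT_EQUIVALENT " cmd
        else if (base ~ /^(apt|apt-get|dpkg|yum|rpm)$/)
          # No arguments in the rule means sudo accepts any arguments,
          # so install, remove and purge are all allowed.
          print user ": " (m == 1 ? "PKG_ANY_ARGS " : "PKG_LIMITED_ARGS ") cmd
      }
    }'
}

# Constructed sample rules (user names are placeholders, not from the thread).
sample_rules() {
  cat <<'EOF'
# constructed sample
Defaults env_reset
user1 ALL=(ALL) ALL
user2 ALL=/usr/bin/apt-get
user3 ALL=/usr/bin/apt-get install *, /bin/chroot
user4 ALL=/usr/sbin/service apache2 reload
EOF
}

sample_rules | audit_sudoers
```

When changing the real file, edit it with `visudo`, which checks the syntax before saving.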
Thanks very much, meninvenus, let me try that and I will get back to you.
Is there a way of setting that user to only install packages and not remove them...
OK guys, that worked out fine, but now how do I restrict his movement? I want to confine him to his directory, let's say /var/www/vhosts/domainname.com
id -a ffeza
And the problem: if I apply chroot on him, I get:
OK. Let's not make it complicated, but keep it simple. My practical experience says that if you want to restrict a user from accessing your important data in a Unix environment, then, I repeat, remove the user from important groups, so the user cannot alter your important files/directories. I don't think that there's any need to use chroot, but on the other hand, you can use "setgid" or "sticky bit" permissions, which I have been using for years for protecting users' critical project data from non-group members and others. In your case, both "setgid" and "sticky bit" could be magical. So why don't you try it once...
Yeah, I've actually been trying them out, and though the user can see other files, he cannot delete them. Thanks a lot...