LinuxQuestions.org


eyanu 10-15-2012 11:53 AM

add root user with restricted access
 
Hello, I have created a user on my Linux box, with SSH access, and added him to the sudoers file. I would like him to be able to install normally but have his access limited by the files he sees.
Adding him to the sudoers file gives him full access to the system.
This user should not have full access to the whole system; I just want him to be able to install some packages. If you have any idea on how to go about this, please help me out.

Habitual 10-15-2012 12:00 PM

http://stackoverflow.com/questions/5...sing-wireshark for an example.

unSpawn 10-15-2012 12:05 PM

Quote:

Originally Posted by eyanu (Post 4806281)
Adding him to the sudoers file gives him full access to the system.

Confine the user to only run allowed commands. If you follow the link Habitual posted please avoid using "NOPASSWD" unless you are absolutely sure you can trust this user (default answer: no).

eyanu 10-15-2012 12:08 PM

Thanks guys for the quick response, this is what I've got so far to let someone install something
Quote:

echo 'ffeza ALL=(ALL) : /usr/bin/yum' >> /etc/sudoers
please tell me if it's correct

eyanu 10-15-2012 12:10 PM

And another thing i've given him "/bin/chroot"

shivaa 10-15-2012 12:14 PM

Walter, did you add the following line in sudoers for that user?
<username> ALL=(ALL) ALL
It will give that user full super-user privileges. So just remove this line, and add the following line, to give the right for package installation only:
<username> ALL=/usr/bin/apt-get
Then user <username> will be able to invoke this command only with super-user privileges, like:
sudo apt-get
Enter sudo password:

So try it once, hope this will help you!

eyanu 10-15-2012 12:15 PM

Thanks very much meninvenus let me try that and will get back to you.

eyanu 10-15-2012 12:45 PM

Is there a way of setting that user to only install packages and not remove them...

eyanu 10-15-2012 01:00 PM

Ok guys, that worked out fine, but now how do I restrict his movement? I want to confine him to his directory, let's say /var/www/vhosts/domainname.com

shivaa 10-15-2012 01:07 PM

Quote:

Originally Posted by eyanu (Post 4806335)
Is there a way of setting that user to only install packages and not remove them...

Though the same command is used to install as well as remove packages, so as far as I understand, if a user has add privileges then he can remove as well.

Quote:

Originally Posted by eyanu (Post 4806340)
Ok guys, that worked out fine, but now how do I restrict his movement? I want to confine him to his directory, let's say /var/www/vhosts/domainname.com

Confine means... do you want the user to access /var/www/vhosts/domainname.com only? Apparently, it can be done by setting appropriate permissions. But it will not be so useful. So simply remove the user from all important groups (check the user's groups using the "id -a <username>" command) and set only read permission on critical files/directories and restrict "write" permission to the file owner only.

eyanu 10-15-2012 01:11 PM

id -a ffeza
Quote:

uid=10005(ffeza) gid=505(psacln) groups=505(psacln)
That's a Plesk server; I don't want to mess up removing permissions from him as that might affect his access to his website and other things like FTP.

eyanu 10-15-2012 01:16 PM

and the problem is, if I apply chroot on him, I get:
Quote:

bash-3.2$ yum
bash: yum: command not found
bash-3.2$ sudo
bash: sudo: command not found
So i have given him full bash for now.

shivaa 10-15-2012 01:37 PM

OK. Let's not make it complicated, but keep it simple. My practical experience says that if you want to restrict a user from accessing your important data in a Unix environment, then, I am repeating, remove the user from important groups, so the user cannot alter your important files/directories. I don't think there's any need to use chroot, but on the other hand, you can use "setgid" or "sticky bit" permissions, which I have been using for years to protect users' critical project data from non-group members and others. In your case, both "setgid" and "sticky-bit" could be magical. So why don't you try it once...
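An added example (not code from shivaa or anyone else in the thread) showing the setgid and sticky-bit combination on a shared directory, plus a check that new files really do inherit the directory's group. The directory path and the file name are constructed here; the group is assumed to be one the team members belong to. Mode 3770 is setgid plus sticky bit plus rwx for owner and group and nothing for others, so non-members cannot even list the directory.

```shell
#!/bin/sh
# Added example: a group-private project directory where new files inherit the
# directory's group (setgid) and only a file's owner can delete or rename it
# (sticky bit, the same rule that protects /tmp). Paths here are constructed
# samples, not the poster's Plesk layout.

# Apply group ownership, setgid and sticky bit, then print the mode string.
protect_shared_dir() {
    dir="$1"; group="$2"
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 3770 "$dir" || return 1
    ls -ld "$dir" | cut -c1-10    # drwxrws--T: 's' = setgid, 'T' = sticky
}

# Numeric group id of a path via ls -n (portable; stat(1) flags differ per OS).
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Create a file inside the directory and report whether it picked up the
# directory's group rather than the creator's primary group.
check_group_inheritance() {
    dir="$1"
    f="$dir/newfile.$$"
    : > "$f" || return 1
    if [ "$(gid_of "$f")" = "$(gid_of "$dir")" ]; then
        echo inherited
    else
        echo not-inherited
    fi
}

# Typical use (assumed group name "webteam"):
#   protect_shared_dir /srv/projects/site webteam
#   check_group_inheritance /srv/projects/site
```

With this in place a team member can read and add files, but can only remove or rename files they own, which matches what the poster observed ("user can see other files, he cannot delete them"). It pairs with shivaa's earlier advice: `id -a <username>` lists the groups a user is in, and `gpasswd -d <username> <group>` takes them out of one, so that group-readable data elsewhere on the box is no longer visible to them.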

eyanu 10-15-2012 01:40 PM

Yeah, I've actually been trying them out and though the user can see other files he cannot delete them. Thanks a lot...
