LinuxQuestions.org
10-24-2009, 06:47 PM   #1
damgar
Senior Member

Registered: Sep 2009
Location: dallas, tx
Distribution: Slackware - current multilib/gsb Arch
Posts: 1,949
Blog Entries: 8

Rep: Reputation: 203
Need help creating VERY LIMITED user accounts


Hi all,

I am putting together a system for the kids (3 and 5) and guests. I am just about to go live with this system, but there is one last thing that I am having trouble searching a good tutorial for, and that is user creation with defined permissions or a lack of permissions as the case may be. I would like to create for the kids an account that has no write permission to prevent the fifteen "untitled folder"s on the desktop (or deleting, say /etc) and for the guests that will prevent them browsing the file system.

Basically I want to create accounts that can use some programs like Gcompris for the kids and Firefox for the guests and nothing more.

Thanks.
 
10-24-2009, 07:21 PM   #2
MrCode
Member

Registered: Aug 2009
Location: Oregon, USA
Distribution: Arch
Posts: 864
Blog Entries: 31

Rep: Reputation: 148
So, basically you want to prevent any non-root user from writing to any files/folders on the file system? You shouldn't have to worry about critical system folders, as their write access is restricted to the root user by default (e.g. /etc, /usr, /bin, etc.). As for preventing write access to the /home directories, I believe you'll have to do this yourself. You should be able to do this:

Code:
chmod -w /home/(whatever)
as root. The folder will still be readable, but the user cannot write any new files to the directory, nor can they change existing ones.

I'm really no expert, but I hope this at least helps. And since this is done from the command line anyway, I don't think you'll need to worry much about your kids getting around this measure (unless they're familiar with the CLI).

BTW, this is assuming the accounts are already there...you should already have at least one non-root account on the system.
 
10-24-2009, 08:20 PM   #3
damgar
Senior Member

Registered: Sep 2009
Location: dallas, tx
Distribution: Slackware - current multilib/gsb Arch
Posts: 1,949

Original Poster
Blog Entries: 8

Rep: Reputation: 203
For instance.....

For instance (Ubuntu 9.0.4) I created an account for myself at install called "test" which I use to administer the system using sudo and test's password when root privileges are needed and a second, "nonprivileged user" account for my kids called "kids". If I login as kids, I can still browse to /home and from there I can see test's home directory and from there view many if not all (I'm aiming for none) of the files in that directory.

In Ubuntu, once logged in as some user, there is an option for "guest session" that does all this, even going so far as to keep "guest" out of /home. I would like that level of separation from the file system. The only reason this isn't an option is that it's only available from another account and there is no password required to go back to the original account and its options.

I would assume that there's a way to set the permissions on the user side rather than on the file side?
 
10-24-2009, 08:29 PM   #4
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
All you have to do is log in as test, then do the following:
Code:
cd ~/..
ls
You should see the homes here, say kids and test:
Code:
sudo chmod -R 770 test/
That will change the permissions to USER + GROUP full permissions, GLOBAL no permissions. This means that the 'kids' can't navigate into the 'test' home directory anymore. Obviously, maybe tweak to 750 permissions, or something like that.
 
10-24-2009, 09:06 PM   #5
damgar
Senior Member

Registered: Sep 2009
Location: dallas, tx
Distribution: Slackware - current multilib/gsb Arch
Posts: 1,949

Original Poster
Blog Entries: 8

Rep: Reputation: 203
I get this:

When I try that I get the following:

chmod: cannot access `test/.gvfs': Permission denied

???
 
10-24-2009, 10:52 PM   #6
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
Did you do it as sudo?
 
10-24-2009, 10:55 PM   #7
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
Have just done that there myself. Try logging in now as a user other than test; you will find you have succeeded. Don't mind the error; that is a special file used to handle HAL and automounting of things, and the system will not let you change those permissions.
 
10-25-2009, 12:21 AM   #8
damgar
Senior Member

Registered: Sep 2009
Location: dallas, tx
Distribution: Slackware - current multilib/gsb Arch
Posts: 1,949

Original Poster
Blog Entries: 8

Rep: Reputation: 203
thanks that helped........

Thanks, that did help and access to my home file is now blocked from the other account, and since moving the mount point to my samba shares to my home directory, that is safe too.......but that account can still view for instance /etc/fstab which for now at least has my samba credentials in plain text...I know I should create a credentials file and I will later.......but for now I don't think I can chmod that low in the tree safely can I? I'm pretty sure that I can't since the delay in response came from typing:
#sudo chmod -R 770 / test

OUCH!

On the bright side though I've got a reinstall/reconfigure/reupdate down to an hour! HA!
 
10-25-2009, 12:57 AM   #9
dv502
Member
 
Registered: Sep 2006
Location: USA - NYC
Distribution: Whatever icon you see!
Posts: 642

Rep: Reputation: 57
Don't chmod a system folder unless you know what you are doing. This can cause unpredictable results.

You can chmod individual files such as /etc/fstab like so

Code:
sudo chmod 600 /etc/fstab
Only root will be able to read and write this file and no one else.

Last edited by dv502; 10-25-2009 at 11:19 AM.
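
Added example, not part of any post in this thread: a non-recursive way to close home directories to other users, with a guard against the stray-space mistake (`/ test`) described in post #8. The function names are hypothetical, GNU `stat` is assumed, and a temporary directory stands in for /home.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (`stat -c %a`);
# function names are hypothetical.

# Print "MODE PATH" for each directory directly under $1 that still grants
# any permission to "other" (last octal digit of the mode is not 0).
list_exposed_homes() {
    for dir in "$1"/*/; do
        dir=${dir%/}
        if [ ! -d "$dir" ] || [ -L "$dir" ]; then continue; fi
        mode=$(stat -c %a "$dir")
        if [ "${mode#"${mode%?}"}" != 0 ]; then
            printf '%s %s\n' "$mode" "$dir"
        fi
    done
}

# Remove "other" access from ONE home directory, non-recursively. Without
# search (x) permission on the top-level directory, other users cannot reach
# anything beneath it through that path, so -R is unnecessary. Refuses any
# target that is not a direct child of the home base, and any call that does
# not have exactly two arguments.
lock_home() {
    if [ $# -ne 2 ]; then
        echo "usage: lock_home HOME_BASE HOME_DIR" >&2
        return 2
    fi
    base=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || return 2
    target=$(CDPATH= cd -- "$2" 2>/dev/null && pwd -P) || return 2
    if [ "${target%/*}" != "$base" ]; then
        echo "refusing: $2 is not directly under $1" >&2
        return 1
    fi
    chmod o-rwx "$target"
}

demo() {
    root=$(mktemp -d)    # constructed stand-in for /home
    mkdir "$root/test" "$root/kids" "$root/test/Documents"
    chmod 755 "$root/test" "$root/kids" "$root/test/Documents"
    list_exposed_homes "$root"       # lists both homes as 755
    lock_home "$root" "$root/test"   # changes only the top-level directory
    list_exposed_homes "$root"       # now lists only kids
    lock_home "$root" / || echo "guard refused /"
    rm -rf "$root"
}
demo
```

Because only the top-level directory's mode changes, files such as `.gvfs` inside it are never touched, and group access is left exactly as it was.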
 