LinuxQuestions.org
Old 07-13-2005, 09:02 PM   #1
darkportal_4
LQ Newbie
 
Registered: Jun 2003
Distribution: Mandrake 10.1
Posts: 4

Rep: Reputation: 0
FSTAB + ilk and "other" permissions


Hi,

I run a headless Mandrake/10.1 box on my home network. I have created an untrusted user account for a coworker of mine to access the box. I only want her to access a few services (squid) and I want to prohibit read and write access to the rest of the hard drive. Is there any way I can move her outside of the "other" group as to deny that account to the rest of the system? Of particular concern is /etc/fstab, which includes lines to connect to passworded shares on my home PC, and I noticed that from her account she can open the file in vi and poke around. Since she is quite computer literate (we work in a computer sales shop) I do not want her being able to access anything.

While normally I could just make squid a public, password-protected proxy, the security strategy of my box is to expose only a few services to the outside world and protect the rest of them behind SSH tunneling.

It's not that I don't trust her not to poke around, but I am not comfortable with letting even a limited set of keys into anyone else's hands. Perhaps I am just paranoid, but I can imagine that most everyone here knows how far an ounce of prevention will go.

Thanks,

Tom

Last edited by darkportal_4; 07-13-2005 at 09:10 PM.
 
Old 07-13-2005, 11:01 PM   #2
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
You should fix your fstab; I believe smbfs and cifs (assuming Windows mounts) support reading the credentials from files. You would just need to point them to the proper file and have that file secured. Any mounts will most likely be done as root, so the permissions can be restrictive.
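The credentials-file approach from the reply above, as an added example that is not part of the thread: a small audit that flags SMB/CIFS entries keeping `password=` in fstab itself and checks that any file named by `credentials=` is readable only by its owner. The share names, mount points, user name and file names are constructed sample data, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit an fstab-format file for SMB/CIFS credential exposure.
# Prints one finding per line:
#   INLINE  <mountpoint>       password= is stored in fstab itself
#   LOOSE   <credfile> <mode>  credentials file is readable by group or other
#   OK      <credfile>         credentials file is restricted to its owner
#   MISSING <credfile>         credentials file could not be checked
audit_fstab() {
    fstab=$1
    # fstab fields: device mountpoint fstype options dump pass
    grep -v '^[[:space:]]*#' "$fstab" | while read -r dev mnt type opts rest; do
        case $type in smbfs|cifs) ;; *) continue ;; esac
        old_ifs=$IFS; IFS=,            # mount options are comma-separated
        for opt in $opts; do
            case $opt in
                password=*) echo "INLINE $mnt" ;;
                credentials=*)
                    file=${opt#*=}
                    mode=$(stat -c %a "$file" 2>/dev/null) || { echo "MISSING $file"; continue; }
                    case $mode in
                        0|?00) echo "OK $file" ;;   # no group/other bits set
                        *) echo "LOOSE $file $mode" ;;
                    esac ;;
            esac
        done
        IFS=$old_ifs
    done
}

# Build constructed sample data in a temp dir and print its path.
make_sample() {
    dir=$(mktemp -d)
    printf 'username=tom\npassword=constructed-example\n' > "$dir/smb.cred"
    printf 'username=tom\npassword=constructed-example\n' > "$dir/loose.cred"
    chmod 600 "$dir/smb.cred"; chmod 644 "$dir/loose.cred"
    cat > "$dir/fstab" <<EOF
# constructed fstab lines
/dev/hda1 / ext3 defaults 1 1
//homepc/music /mnt/music smbfs username=tom,password=constructed-example 0 0
//homepc/docs /mnt/docs cifs credentials=$dir/smb.cred,ro 0 0
//homepc/pics /mnt/pics smbfs credentials=$dir/loose.cred 0 0
EOF
    echo "$dir"
}

sample=$(make_sample)
audit_fstab "$sample/fstab"
rm -rf "$sample"
```

On a real system the function would be pointed at `/etc/fstab` and run as root, so that owner-only credentials files can be inspected.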
 
Old 07-15-2005, 05:15 AM   #3
Michael Johnson
Member
 
Registered: Jul 2005
Location: Wagga Wagga, Australia
Posts: 262

Rep: Reputation: 30
The "other" group is also known as "the rest of the world"; in other words, if you have rwx permissions in other then there is unrestricted access for anyone who has access to your system. You could create a separate localised environment for her and "chroot" her into that environment. This is done with a number of ftp servers.
 
  

