LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-18-2014, 05:44 PM   #1
sisk
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Rep: Reputation: 0
Super-restricted account


Is there any way to set up an account that can only run a certain selection of applications?

Here's my situation. My wife and I control our kids' computer time by not giving them the password to their computer (which runs Debian). Basically we want them to do something other than sit in front of the screen playing games all day. My oldest is now in 1st grade and I would like to be able to give her an account on the computer that is only allowed access to apps she needs to do homework. That way she can enter her own password and we don't have to worry about it.

If it's not possible to do it through security then I suppose I can just remove all the menu entries for what I don't want her accessing, but that's a short term solution as I don't think it will be long before she discovers the shell.
 
Old 08-18-2014, 06:18 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by sisk View Post
My oldest is now in 1st grade and I would like to be able to give her an account on the computer that is only allowed access to apps she needs to do homework. That way she can enter her own password and we don't have to worry about it.
Don't let her log in from the console, don't let her switch Desktop Environments, don't let her kill Xorg, don't give her a terminal window, audit (as in service) what she accesses and use KDE Kiosk mode?


Quote:
Originally Posted by sisk View Post
I don't think it will be long before she discovers the shell.
If your auditing shows she gained shell access first of all be happy she was interested to venture that far. If you can show her how to use it the right way. And BTW what can go wrong? You encrypted the stuff she shouldn't see and besides, you regularly make backups, don't you?..
 
Old 08-20-2014, 04:06 PM   #3
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, OpenBSD
Posts: 154

Rep: Reputation: Disabled
man chmod(1)?

i.e. you could use normal Unix file permissions and take execute permission off of "other" for the programs that are most of a problem. Put those programs in a group and leave exec on for the group (look out for any games that use groups for their own purposes though -- maybe you don't need to add a group at all, but just use the games group for this, which maybe the programs of interest already have as their group [ooh, except then she could mess with high scores, whoops]). Then put her in the group and take her out of the group as needed. I guess you'll have to make her log out when you're taking the privilege away (my pet peeve about groups).

Last edited by thirdm; 08-20-2014 at 04:16 PM.
 
Old 08-27-2014, 04:11 PM   #4
sisk
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
you regularly make backups, don't you?..
Not on that computer, but it would only take me about 15 minutes to rebuild the system from someone running rm -r / on it. I'm really not at all worried about her damaging it. I'm more worried about her sitting on her computer playing Elsa and Anna Paper Dolls and Minecraft all day or calling random people on Skype. And yeah, the Skype thing is already a problem. Just last week I forgot to shut down and/or lock my machine before I went to bed and she was up at 4am calling everyone on my contact list. Thankfully there's no one on my list I'd be worried to let my kids talk to, but still...
 
Old 08-27-2014, 04:25 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177
Time to sit down and talk to those kids. Not only to teach them that "you're the parents around here," but also to talk about what's nice and what's not-so-nice about the Internet. It would be quite difficult to set up an account with a limited-shell that can only run certain applications, and I frankly think that it would be a technical solution to an educational problem.
 
Old 08-27-2014, 09:03 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,290

Rep: Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957Reputation: 2957
It is possible to control every application from file system permissions. Generally you take or don't give access to those files. It isn't as easy as it might be in Microsoft actually. You'd have to do it one at a time or get entire directories at at time.

What most people might do is something like a kiosk mode but that may be too restrictive.

Guess you could create a new distro with just what she needs and add in what she needs later. Dual boot.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Create restricted user account that can only administer printers davholla Linux - General 2 06-24-2009 09:54 AM
Doubt in super user account creation with SUSE-10.0 tcegrid Linux - General 1 04-06-2007 07:06 AM
crate a super user account sampathnd Linux - General 1 05-27-2005 12:32 PM
Create a New Super user account blazted Linux - Newbie 6 02-13-2005 04:56 PM
Setting Up a Restricted User Account MClayton Linux - Networking 2 10-19-2004 12:31 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration