Is there any way to set up an account that can only run a certain selection of applications?

Here's my situation. My wife and I control our kids' computer time by not giving them the password to their computer (which runs Debian). Basically we want them to do something other than sit in front of the screen playing games all day. My oldest is now in 1st grade and I would like to be able to give her an account on the computer that is only allowed access to apps she needs to do homework. That way she can enter her own password and we don't have to worry about it.

If it's not possible to do it through security then I suppose I can just remove all the menu entries for what I don't want her accessing, but that's a short term solution as I don't think it will be long before she discovers the shell.

Don't let her log in from the console, don't let her switch Desktop Environments, don't let her kill Xorg, don't give her a terminal window, audit (as in service) what she accesses and use KDE Kiosk mode?


If your auditing shows she gained shell access first of all be happy she was interested to venture that far. If you can show her how to use it the right way. And BTW what can go wrong? You encrypted the stuff she shouldn't see and besides, you regularly make backups, don't you?..

man chmod(1)?

i.e. you could use normal Unix file permissions and take execute permission off of "other" for the programs that are most of a problem. Put those programs in a group and leave exec on for the group (look out for any games that use groups for their own purposes though -- maybe you don't need to add a group at all, but just use the games group for this, which maybe the programs of interest already have as their group [ooh, except then she could mess with high scores, whoops]). Then put her in the group and take her out of the group as needed. I guess you'll have to make her log out when you're taking the privilege away (my pet peeve about groups).

Not on that computer, but it would only take me about 15 minutes to rebuild the system from someone running rm -r / on it. I'm really not at all worried about her damaging it. I'm more worried about her sitting on her computer playing Elsa and Anna Paper Dolls and Minecraft all day or calling random people on Skype. And yeah, the Skype thing is already a problem. Just last week I forgot to shut down and/or lock my machine before I went to bed and she was up at 4am calling everyone on my contact list. Thankfully there's no one on my list I'd be worried to let my kids talk to, but still...

Time to sit down and talk to those kids. Not only to teach them that "you're the parents around here," but also to talk about what's nice and what's not-so-nice about the Internet. It would be quite difficult to set up an account with a limited-shell that can only run certain applications, and I frankly think that it would be a technical solution to an educational problem.

It is possible to control every application from file system permissions. Generally you take or don't give access to those files. It isn't as easy as it might be in Microsoft actually. You'd have to do it one at a time or get entire directories at at time.

What most people might do is something like a kiosk mode but that may be too restrictive.

Guess you could create a new distro with just what she needs and add in what she needs later. Dual boot.