Quote:
Originally Posted by Z0sickx
Can only access his home directory
Can only access a specific folder directory (/opt)
Run specific commands (ifconfig, top, etc.)
Run specific scripts we custom made that need access to specific folder path
It's complicated because the systems default open. The main way I can think of would be to use "rbash" for his shell and "mount --bind" to duplicate various target directories under his home.
Keeping him from reading the other /home directories could be done by modifying their permissions o= with chmod to turn off access for "other". If this presents issues for people that are used to sharing, then make a group for the sharers and, if the group permissions are already in use, then consider ACLs as in the link above.
Then make a symbolic link from inside his account to the /opt directory or else use "mount --bind" to make the content accessible in two places at once.
To only run specific commands, you'll have to empty out his $PATH settings and point it to a path directory made just for him, such as /usr/local/jr/bin/. Then in that directory make hardlinks to the filenames of the programs you want him to be allowed to use, such as "ifconfig", "top", and so on. If JR is to modify anything with "ifconfig" or other programs that require root, then you'll have to add at least one specially crafted formula per program in /etc/sudoers and let them use "sudo". The formulas will have to be very specific to prevent abuse, so avoid any use of * anywhere in the formulas.
About the scripts, just add hard links to them to the $PATH for the JR account. Accessing the specific scripts that need access to specific paths might be harder. You'll have to test the scripts under "rbash" and modify them accordingly because they won't likely work with absolute paths. You may have to use modified scripts for him and place the target directories in his home directory using "mount --bind".
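The steps in the reply above, sketched as shell helpers. This is an added example, not part of the original post; the function names are hypothetical and the source paths of the allowed programs are assumed to be passed in by the administrator.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Run the real setup as root.

# Hard-link each allowed program (full path) into the account's private PATH dir.
build_restricted_bin() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for prog in "$@"; do
        [ -f "$prog" ] || { echo "not found: $prog" >&2; return 1; }
        # ln without -s makes a hard link: same filesystem required.
        ln -f "$prog" "$dest/$(basename "$prog")" || return 1
    done
}

# Pin PATH to the private dir in the login profile. rbash enforces its
# restrictions after startup files are read, so the account cannot reset PATH
# later; the profile must not be replaceable by the account.
write_profile() {
    home=$1; dest=$2
    printf 'PATH=%s\nexport PATH\n' "$dest" > "$home/.bash_profile" || return 1
    chmod 644 "$home/.bash_profile"
}

# Lint a sudoers fragment: non-zero if any non-comment line contains '*'.
lint_sudoers() {
    [ -r "$1" ] || return 2
    hits=$(grep -nv '^[[:space:]]*#' "$1" | grep -F '*') || return 0
    echo "wildcard in sudoers rule: $hits" >&2
    return 1
}
```

On a real system the first helper would be called with /usr/local/jr/bin and the full paths of the allowed programs, and the account's shell set to rbash. A fragment that passes `lint_sudoers` should still be syntax-checked with `visudo -cf` before it is installed.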