[TriLUG] Limited Access User Account

Ian Kilgore ian at trilug.org
Wed Sep 14 16:33:29 EDT 2005



Dhruv Gami wrote:
| Hello Everyone,
|
| I am trying to set up an account for a user, who is to be given limited
| access. For example, this user should be able to run things like reboot,
| useradd, ifconfig, tail, emacs (or vi) ... essentially a list of
| programs that I specify, and only those programs.
|

Whups.  Be *very* careful with restricted shells.  Many programs allow
the user to execute external programs (editors like vi and emacs, for
example)[1].  There are many different ways to get around a restricted
shell, or sudo.  If you absolutely have to do this, spend lots of time
making sure it really is restricted.  (Of course, if this user is
allowed to run useradd, they could just create a new unrestricted user,
and not bother fumbling about with rbash, rvim, etc ;])

[1] rvim is a restricted version of vim, that won't allow the user to
execute shell commands.  I'm sure there is an equivalent for emacs,
though I've never actually heard of it (hey, it has everything else ;])
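An audit along the lines of the reply above, as an added example that is not part of the original message: it reads one sudoers-style entry and flags allowed commands that undo the restriction (editors that can execute external programs, account-creation tools, a blanket ALL). The user name "limited", the paths, the sample entry and the command sets are assumptions made for illustration, and the parser handles only a simple single-line entry without aliases or escaped commas.

```python
import os

# Risk classes named in the reply above; the sets are illustrative, not exhaustive.
SHELL_CAPABLE = {"vi", "vim", "emacs"}    # editors that can execute external programs
ACCOUNT_TOOLS = {"useradd"}               # can create a new, unrestricted user
RESTRICTED_FORM = {"vi": "rvim", "vim": "rvim"}

# Constructed sample entry for a hypothetical user "limited".
SAMPLE = ("limited ALL = (root) /sbin/reboot, /usr/sbin/useradd, "
          "/sbin/ifconfig, /usr/bin/tail, NOPASSWD: /usr/bin/vi /etc/hosts")


def parse_commands(entry):
    """Return command paths from one 'user host = (runas) [TAG:] cmd, ...' entry."""
    _, sep, rhs = entry.partition("=")
    if not sep:
        raise ValueError("not a user specification: %r" % entry)
    rhs = rhs.strip()
    if rhs.startswith("("):               # drop the optional (runas) list
        rhs = rhs.partition(")")[2]
    commands = []
    for item in rhs.split(","):
        words = item.split()
        while words and words[0].endswith(":"):   # drop tags such as NOPASSWD:
            words.pop(0)
        if words:
            commands.append(words[0])     # keep the path, ignore arguments
    return commands


def audit(entry):
    """Return (command, finding) pairs for entries that defeat the restriction."""
    findings = []
    for cmd in parse_commands(entry):
        name = os.path.basename(cmd)
        if cmd == "ALL":
            findings.append((cmd, "grants every command"))
        elif name in ACCOUNT_TOOLS:
            findings.append((cmd, "can create an unrestricted account"))
        elif name in SHELL_CAPABLE:
            alt = RESTRICTED_FORM.get(name)
            note = "can execute external programs"
            findings.append((cmd, note + ("; consider " + alt if alt else "")))
    return findings


if __name__ == "__main__":
    for cmd, finding in audit(SAMPLE):
        print("%-20s %s" % (cmd, finding))
```

An empty result means only that none of the listed names matched; any other allowed program still has to be checked by hand for the ability to run external programs.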


