How to Setup a Secure Guest Account [was] Password-protecting fedora.

Tom Needs a Hat Mitchell mitch48 at sbcglobal.net
Wed Mar 10 21:04:02 UTC 2004


On Wed, Mar 10, 2004 at 10:34:28AM +0800, Ow Mun Heng wrote:
> > -----Original Message-----
> > From: Matt Morgan [mailto:matt.morgan at brooklynmuseum.org]

> <SNIP>
> Talking about guest users. Anyone have any pointers on how, 
> specifically, to create a guest user? I mean, it must just be 
> able to perform/access _normal_ stuff (e.g. web browsing, office
> etc) and not have access to anything else?
> 
> Main keyword here I guess is _very_limited_access. Even more
> restrictive than normal users.

Have you looked at chroot and "rbash=bash -r"?

Since a user has control over the permissions in their home dir, and you
as system manager want to restrict this guy, you will have to build a
sandbox for guest, which can be a pain.

For now add a user guest:guest and tighten the umask in /etc/bashrc
and perhaps /etc/csh.cshrc.  Users can reset their umask.

If all the home dirs /home/* have 700 permissions, most stuff
will be invisible.  Do watch out for /var/www.

Bottom line: we need a better specification than this:
       "(eg: web browsing, office  etc) and not have access to anything else?"
The etc part is too unbounded ;-)

For example, will incoming network access be permitted for your guest
account (ssh, telnet, ...)?  (Network guest access is BAD.)

Of interest: when SELinux is ready for mortals, it will make setting up
a sandbox like this much nicer than chroot...
Still not easy, but for sure nicer to manage.

-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.
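
An audit of the two settings the message recommends (home directories at 700, a tight umask in the shell startup file), added here as an example and not part of the original post. The function names `loose_home_dirs` and `weak_umasks` are hypothetical, and the paths are passed as arguments so the checks can be pointed at any tree.

```shell
#!/bin/sh
# Added example: report home directories looser than 700 and umask
# settings that leave group/other bits unmasked.

# Print "<mode> <path>" for each directory directly under $1 whose
# group or other permission bits are not all clear.
loose_home_dirs() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d" ] || continue          # glob matched nothing
        d=${d%/}
        if [ -L "$d" ]; then continue; fi # symlink: audit the target itself
        mode=$(ls -ld "$d" | cut -c1-10)
        case $mode in
            d???------) ;;               # owner-only, nothing to report
            *) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
}

# Print every umask value set in file $1 (e.g. /etc/bashrc) whose last
# two octal digits are not 77, i.e. new files stay visible to others.
weak_umasks() {
    sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$1" |
    while read -r v; do
        case $v in
            *77) ;;
            *) printf '%s\n' "$v" ;;
        esac
    done
}

# Usage: sh audit.sh /home /etc/bashrc
if [ "$#" -eq 2 ]; then
    loose_home_dirs "$1"
    weak_umasks "$2"
fi
```

Because users can reset their own umask, the directory-mode report is the check worth re-running periodically; the umask report only covers the system default.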