create a restricted user
Scot L. Harris
webid at cfl.rr.com
Sun Feb 6 00:52:12 UTC 2005
On Sat, 2005-02-05 at 19:28, Zacharie Elcor wrote:
> I want to create a restricted user without password that can only use
> a web browser.
> I added a user named "visitor" and created in his home dir a file
> .xsession that contains:
>
> firefox
>
> so that when he logs in, firefox is launched, and when he closes
> firefox, he is logged out.
> This works fine but he is still able to ctrl+alt+F(1-6) and log in to
> browse the file system.
>
> To prevent that, I tried to set /bin/false as the default shell for
> that user in /etc/passwd but this also prevented him from logging in
> graphically.
>
> Is there a way to be sure that "visitor" will only be able to browse
> the web and not the file system? Any security issues?
>
> Thanks for help
You found the big problem with giving someone access to a program: most
times they can find a way to escape that program and get a shell prompt.

You should probably look at setting up a chroot jail for that user. If
they do get to a shell prompt they will not really have access to the
real system. Solaris 10 has a very nice system for creating multiple
virtual systems on a box that are segregated from everything else.
A similar type of thing can be set up under Linux, but not as easily.

Of course, if you have a user that you don't trust with shell access, why
do you want to give them browser access?
--
Scot L. Harris
webid at cfl.rr.com
A day without sunshine is like night.
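
The account state described in the thread (an interactive shell in the passwd entry, no password, a one-line .xsession) can be checked with a short audit script. This is an added example, not part of either poster's message; the function name audit_kiosk, its file arguments and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a kiosk account like "visitor".
# Usage: audit_kiosk USER PASSWD_FILE SHADOW_FILE XSESSION_FILE
# Prints INFO/WARN lines; returns 0 = clean, 1 = warnings, 2 = no such user.
audit_kiosk() {
    user=$1; passwd_file=$2; shadow_file=$3; xsession=$4; warn=0
    # passwd(5): name:password:UID:GID:GECOS:home:shell
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; f = 1 } END { exit !f }' \
        "$passwd_file") || { echo "ERROR no passwd entry for $user"; return 2; }
    # shadow(5) field 2: empty = no password, leading ! or * = locked
    hash=$(awk -F: -v u="$user" '$1 == u { print "h=" $2 }' "$shadow_file")
    # The poster reports that /bin/false also blocked the graphical login.
    case $shell in
        */false|*/nologin)
            echo "INFO shell $shell: a text-console login gets no shell" ;;
        *)  echo "WARN shell $shell: a Ctrl+Alt+F1-6 console login gets a shell"
            warn=1 ;;
    esac
    case $hash in
        '')  echo "INFO no shadow entry for $user" ;;
        h=)  echo "WARN empty password field: no password needed where PAM allows it"
             warn=1 ;;
        'h=!'*|'h=*'*) echo "INFO password is locked" ;;
        *)   echo "INFO a password hash is set" ;;
    esac
    # Count .xsession commands other than the browser; skip comments and blanks.
    if [ -r "$xsession" ]; then
        extra=$(awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
                     !/^[ \t]*(exec[ \t]+)?firefox/ { n++ }
                     END { print n + 0 }' "$xsession")
        if [ "$extra" -gt 0 ]; then
            echo "WARN .xsession runs $extra command(s) besides firefox"; warn=1
        fi
    else
        echo "WARN $xsession is missing or unreadable"; warn=1
    fi
    return "$warn"
}

# Constructed sample data (not real accounts) mirroring the setup in the post.
demo_dir=$(mktemp -d)
printf 'visitor:x:500:500::/home/visitor:/bin/bash\n' > "$demo_dir/passwd"
printf 'visitor::12820:0:99999:7:::\n' > "$demo_dir/shadow"
printf 'firefox\n' > "$demo_dir/xsession"
audit_kiosk visitor "$demo_dir/passwd" "$demo_dir/shadow" "$demo_dir/xsession" || true
rm -rf "$demo_dir"
```

On the constructed entries it prints two WARN lines, one for the interactive shell and one for the empty password field.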