On Wed, Mar 10, 2004 at 10:34:28AM +0800, Ow Mun Heng wrote:
> > -----Original Message-----
> > From: Matt Morgan [mailto:matt.morgan@xxxxxxxxxxxxxxxxxx]
> <SNIP>
> Talking about guest users. Anyone has any pointers on how,
> specifically to create a guest user? I mean, it must just be
> able to perform/access _normal_ stuffs (eg: web browsing, office
> etc) and not have access to anything else?
>
> Main keyword here I guess is _very_limited_access. Even more
> restrictive than normal users.

Have you looked at chroot and "rbash=bash -r"?

Since a user has control over the permissions in their home dir and you as system manager want to restrict this guy, you will have to build a sandbox for guest, which can be a pain.

For now add a user guest:guest and tighten the umask in /etc/bashrc and perhaps /etc/csh.cshrc. Users can reset their umask. If all the home dirs /home/* have 700 permissions most stuff will be invisible. Do watch out for /var/www

Bottom line we need a better specification than this:

  "(eg: web browsing, office etc) and not have access to anything else?"

The etc part is too unbounded ;-) For example, will incoming network access be permitted for your guest account: ssh, telnet, ... (network guest access is BAD).

Of interest: when SELinux is ready for mortals it will make setting up a sandbox like this much nicer than chroot... Still not easy but for sure nicer to manage.

--
T o m  M i t c h e l l
/dev/null the ultimate in secure storage.
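
The checks suggested in the reply above (700 permissions on the home dirs and a tightened umask in the shell startup files) can be audited with a short script. This is an added example, not part of the original post; the function names, the 077 umask target and the use of GNU find are assumptions, and the demo runs on a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GNU find on Linux.

# list_open_homes BASE: print "MODE PATH" for each directory directly under
# BASE that grants any permission bit to group or other (looser than 700).
list_open_homes() {
    find "${1:-/home}" -mindepth 1 -maxdepth 1 -type d -perm /077 \
        -printf '%m %p\n' | sort -k2
}

# weak_umasks FILE: print each octal umask set in FILE that does not mask all
# group/other bits. The 077 target is an assumption chosen to match mode 700.
weak_umasks() {
    sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{3,4\}\).*$/\1/p' "$1" |
    while read -r value; do
        # A leading 0 makes the shell read the value as octal; 077 is 63.
        if [ "$(( 0$value & 077 ))" -ne 63 ]; then
            echo "$value"
        fi
    done
}

# Demo on a constructed tree, so nothing on the real system is touched.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/alice" "$root/bob" "$root/guest"
    chmod 700 "$root/alice"; chmod 755 "$root/bob"; chmod 750 "$root/guest"
    printf 'umask 022\n# comment\n    umask 077\n' > "$root/bashrc"
    echo "Home directories visible to other users:"
    list_open_homes "$root"
    echo "umask values that leave group/other access:"
    weak_umasks "$root/bashrc"
    rm -rf "$root"
}
demo
```

On a real system, point list_open_homes at /home and weak_umasks at /etc/bashrc; as the reply notes, a user can still reset their own umask, so the directory check is the one to repeat.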