Re: How to Setup a Secure Guest Account [was] Password-protecting fedora.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Mar 10, 2004 at 10:34:28AM +0800, Ow Mun Heng wrote:
> > -----Original Message-----
> > From: Matt Morgan [mailto:matt.morgan@xxxxxxxxxxxxxxxxxx]

> <SNIP>
> Talking about guest users. ANyone has any pointers on how, 
> specifically to create a guest user? I mean, it must just be 
> able to perform/access _normal_ stuffs (eg: web browsing, office
> etc) and not have access to anything else?
> 
> Main keyword here I guess is _very_limited_access. Even more
> restrictive than normal users.

Have you looked at chroot and "rbash=bash -r"

Since a user has control over the permissions in their home dir and you
as system manager want to restrict this guy you will have to build a
sand box for guest which can be a pain.

For now add a user guest:guest and tighten the umask in /etc/bashrc
and perhaps /etc/csh.cshrc.  Users can reset their umask.

If all the home dirs /home/* have 700 permissions most stuff
will be invisible.  Do watch out for /var/www

Bottom line we need a better specification than this:
       "(eg: web browsing, office  etc) and not have access to anything else?"
The etc part is too unbounded ;-)

For example will incoming network access permitted for your guest
account ssh, telnet, ...  (network guest access is BAD).

Of interest when SElinux is ready for mortals it will make setting up
a sandbox like this much nicer than chroot...
Still not easy but for sure nicer to manage.

-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux