On Sat, 2005-02-05 at 19:28, Zacharie Elcor wrote:
> I want to create a restricted user without a password that can only use
> a web browser.
> I added a user named "visitor" and created in his home dir a file
> .xsession that contains:
>
> firefox
>
> so that when he logs in, firefox is launched, and when he closes
> firefox, he is logged out.
> This works fine but he is still able to ctrl+alt+F(1-6) and log in to
> browse the file system.
>
> To prevent that, I tried to set /bin/false as the default shell for
> that user in /etc/passwd but this also prevented him from logging in
> graphically.
>
> Is there a way to be sure that "visitor" will only be able to browse
> the web and not the file system? Any security issues?
>
> Thanks for help

You found the big problem with giving someone access to a program: most times they can find a way to escape that program and get a shell prompt.

You should probably look at setting up a chroot jail for that user. If they do get to a shell prompt they will not really have access to the real system.

Solaris 10 has a very nice system for creating multiple virtual systems on a box that are segregated from everything else. A similar type of thing can be set up under Linux, but not as easily.

Of course, if you have a user that you don't trust with shell access, why do you want to give them browser access?

--
Scot L. Harris
webid@xxxxxxxxxx

A day without sunshine is like night.