
#1 2009-02-07 15:23:57

vertana
Member
Registered: 2009-01-31
Posts: 26

[SOLVED] Know of a way to stop users from using certain commands?

Is there a simple way to lock out a specific user from using the commands cp/mv/rm? I want to make a user account for a friend that he can ssh into, but at the same time use a reasonable amount of security such as disabling the commands above. Is there a way to do so without changing group permissions around and having settings specific to his uid? I couldn't find anything on the Internet much in the way of this (all I found were suggestions on locking out users to the command su which involved shuffling group permissions around). Thanks if anybody knows :)

Last edited by vertana (2009-02-07 22:13:55)


#2 2009-02-07 15:33:30

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965


Why not lock him in a chroot jail instead so that he only has access to certain directories?



#3 2009-02-07 16:16:35

fogobogo
Member
Registered: 2008-08-24
Posts: 83


sudo can do this.


#4 2009-02-07 18:36:50

vertana
Member
Registered: 2009-01-31
Posts: 26


If I Chroot him into a jail, I would only copy certain commands into the /chrootdir/bin/ directory in order for his shell to be able to access those few commands, correct? And how does sudo do this? I thought sudo was only for a user to assume root permissions temporarily, not restrict a regular user from other commands.


#5 2009-02-07 19:47:24

aglarond
Member
From: Texas, USA
Registered: 2008-11-20
Posts: 129


SELinux can do what you're asking, but it's probably more than you want to deal with.

http://wiki.archlinux.org/index.php/SELinux

I don't run many SELinux boxes, but they are hell to get right. Once you get all of your policies worked out it's ok, but it's a huge pain to get to where everything's working right.

The chroot's probably the way to go. You may want to check out jailkit in AUR.

-mS

Last edited by aglarond (2009-02-07 19:49:27)


#6 2009-02-07 22:13:26

vertana
Member
Registered: 2009-01-31
Posts: 26


Ok! Thanks for all the help :) I decided to go with the Chroot solution for now with symlinks leading to the actual binaries for commands. The SELinux was overdoing it for a single SSH user, but I will definitely mess with it to see if I can deploy it for servers (up front work probably beats long term maintenance). Thanks everyone ^^
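
An added example, not part of the thread, for the chroot approach discussed above: a POSIX shell script that fills a jail with real copies of only the allowed binaries plus the libraries `ldd` lists for them, since paths inside a chroot are resolved against the jail root. The function names and the `/srv/jail` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): fill a chroot jail with real copies of a
# few allowed commands. Jail path and command list are assumptions.
# Run as root so the copies are root-owned and the jailed user cannot replace them.

# copy_into_jail JAIL FILE: copy FILE, dereferencing symlinks, to JAIL/FILE.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# libs_of BINARY: absolute paths of the shared libraries and loader it needs.
# ldd lists no paths for a static binary, which then needs no libraries.
libs_of() {
    ldd "$1" 2>/dev/null | grep -o '/[^ ]*' | sort -u
}

# add_command JAIL /abs/path: install one binary plus everything ldd lists for it.
add_command() (
    [ -x "$2" ] || { echo "not an executable: $2" >&2; exit 1; }
    copy_into_jail "$1" "$2" || exit 1
    for lib in $(libs_of "$2"); do
        copy_into_jail "$1" "$lib" || exit 1
    done
)

# build_jail JAIL /abs/path...: the jail holds only the commands named here, so
# anything left out (cp, mv, rm) is simply not there to run.
build_jail() (
    jail=$1; shift
    mkdir -p "$jail/bin" "$jail/home" || exit 1
    for bin in "$@"; do
        add_command "$jail" "$bin" || exit 1
    done
)

# jail_symlinks JAIL: list symlinks left in the jail; after the chroot their
# targets are looked up under JAIL, so links to host paths would dangle.
jail_symlinks() {
    find "$1" -type l
}

# Stand-alone use: sh mkjail.sh /srv/jail /bin/sh /bin/ls /bin/cat
if [ "$#" -ge 2 ]; then
    build_jail "$@" && jail_symlinks "$1"
fi
```
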
