Linux - How to restrict user account access to their HOME directory only

corinthos

Golden Member
Mar 22, 2000
1,858
2
81
I would like to create a user account that lets people surf the net using Firefox but not be able to roam around other directories aside from their HOME directory and its sub-directories. Is there any way to do this under Linux?

Thanks in advance.

 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
How do you expect that user to run /usr/bin/firefox if they can't get to that directory?
 

jhu

Lifer
Oct 10, 1999
11,918
9
81
are you allowing terminal access? if not, then it's pretty easy - only run x and firefox.
 

corinthos

Originally posted by: jhu
are you allowing terminal access? if not, then it's pretty easy - only run x and firefox.

yeah that's pretty much all i want to allow... so i would like to know what i have to do to associate with a user account only that access and set it up.. no terminal access or anything else.. thanks in advance.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: jhu
are you allowing terminal access? if not, then it's pretty easy - only run x and firefox.
Probably not good enough. They can use the open file dialog to browse the whole system. Or, when downloading a file and choosing what to open it with, they can probably execute arbitrary programs. Heck, someone could probably write an extension that gives you a full shell right inside firefox.
 

jhu

Originally posted by: kamper
Originally posted by: jhu
are you allowing terminal access? if not, then it's pretty easy - only run x and firefox.
Probably not good enough. They can use the open file dialog to browse the whole system. Or, when downloading a file and choosing what to open it with, they can probably execute arbitrary programs. Heck, someone could probably write an extension that gives you a full shell right inside firefox.

that really shouldn't be a problem either if permissions are set appropriately.
 

Nothinman

that really shouldn't be a problem either if permissions are set appropriately.

One wouldn't think so, but if the OP is to be taken literally then it looks like he wants to essentially chroot interactive users to their home directory. For what reason I can't see, because 99% of the files outside of /home are freely available on the Internet, so it's not like he's protecting much.
 

jhu

Originally posted by: Nothinman
that really shouldn't be a problem either if permissions are set appropriately.

One wouldn't think so, but if the OP is to be taken literally then it looks like he wants to essentially chroot interactive users to their home directory. For what reason I can't see, because 99% of the files outside of /home are freely available on the Internet, so it's not like he's protecting much.

perhaps he has some dwarf-on-obese-woman porn he doesn't want people to see. although with the appropriate permissions, no one but the owner should see it (yuck!).

so, to the op, here's what you do: 1) add a guest account, 2) go on and set those permissions appropriately
 

Kakumba

Senior member
Mar 13, 2006
610
0
0
As jhu said:

1. Set up the user with no extra group memberships (i.e., only a member of its own private group).
2. Remove "other" access to everything (can't vouch that this won't break anything). Effectively, everything becomes 770 or 750. If you want to ensure they cannot get a shell on the machine, change their line in /etc/passwd from /bin/bash to /sbin/nologin or /bin/null.

If all you want is to ensure that they can't EDIT the other stuff, then just make sure no one other than you/the appropriate owner has write access.

Newbies, remember: the numbers are made up by adding read (4), write (2) and execute (1). So, if I had read and write, but not execute, it is 6. Read and execute, but not write = 5. Everything = 7. The first number is owner, then group, then others.
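
The checks implied by the steps above, as an added example that is not part of any post in this thread: it verifies that an account has a non-interactive login shell and no supplementary groups, and lists the entries under a tree that still grant any permission to "other". The function names, the `guest` and `admin` accounts, and the sample passwd/group files and directory tree are all constructed for illustration; `/usr/sbin/nologin` and `/bin/false` are added alongside the `/sbin/nologin` mentioned in the thread.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.

# Login shell of user $1 in passwd-format file $2.
login_shell() { awk -F: -v u="$1" '$1 == u { print $7 }' "$2"; }

# Succeed when user $1 cannot get an interactive shell (passwd file $2).
shell_is_locked() {
    case "$(login_shell "$1" "$2")" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Groups in group-format file $2 that list user $1 as a supplementary member.
extra_groups() {
    awk -F: -v u="$1" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

# Entries under $1 that still grant read (4), write (2) or execute (1) to "other".
other_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Build a constructed sample (passwd, group, small tree) in a temp dir; print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'guest:x:1001:1001::/home/guest:/sbin/nologin' \
                  'admin:x:1000:1000::/home/admin:/bin/bash' > "$d/passwd"
    printf '%s\n' 'guest:x:1001:' 'admin:x:1000:' 'wheel:x:10:admin' > "$d/group"
    mkdir -p "$d/tree/private" "$d/tree/shared"
    : > "$d/tree/private/notes"; : > "$d/tree/shared/readme"
    chmod 750 "$d/tree/private"; chmod 640 "$d/tree/private/notes"
    chmod 755 "$d/tree/shared";  chmod 644 "$d/tree/shared/readme"
    chmod 750 "$d/tree"
    echo "$d"
}

s=$(make_sample)
shell_is_locked guest "$s/passwd" && echo "guest: no interactive shell"
echo "guest extra groups: $(extra_groups guest "$s/group" | tr '\n' ' ')"
echo "still open to other:"; other_accessible "$s/tree"
rm -rf "$s"
```

Pointing `other_accessible` at a copy of a real tree before and after `chmod -R o-rwx` shows exactly which paths the restricted account would lose, including any the browser itself needs.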