SCIENTIFIC-LINUX-USERS Archives

January 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Brett Viren <[log in to unmask]>
Date: Mon, 7 Jan 2008 14:39:32 -0500

Pann McCuaig <[log in to unmask]> writes:

> We would like to create accounts for restricted users, primarily for
> data sharing purposes. These users would have access to the filesystem
> as appropriate, but would not be allowed to run the applications living
> under /opt and /usr/local.

I can think of several options, maybe one will fit:

You can use a restricted shell like scponly so only scp/sftp will be
allowed.

You can use ssh/authorized_keys commands to limit certain keys to
certain executables.  This is good for a CVS+SSH server.  See "man
sshd" for what is possible.

I've never tried this last one, but I think you can set up users in a
chroot environment.  You could "mount --bind" just those filesystems
that you want visible.  Maybe PAM has a module for chroot logins.

Last, you could set up a virtual machine and only mount the file
systems you want to expose.

-Brett.
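
The authorized_keys option mentioned in the message, sketched as a forced-command wrapper for the CVS+SSH case. This is an added example, not part of the original post; the install path /usr/local/bin/ssh-gate, the cvs path, the function names and the `--serve` argument are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper (added example; hypothetical path /usr/local/bin/ssh-gate).
# authorized_keys entry, one line, key material is a placeholder:
#   command="/usr/local/bin/ssh-gate --serve",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <PUBLIC-KEY> user@host
# sshd runs the wrapper instead of whatever the client asked for and passes
# the client's request in SSH_ORIGINAL_COMMAND.

# Map the requested command to a fixed command line, or fail.
# Exact match only: a prefix match would let "cvs server; /bin/sh" through.
gate_decide() {
    case "$1" in
        "cvs server") echo "/usr/bin/cvs server" ;;   # assumed cvs location
        *) return 1 ;;                                 # includes empty (interactive login)
    esac
}

# Replace non-printable bytes so a denied request cannot forge log lines.
gate_sanitize() {
    printf '%s' "$1" | tr -c '[:print:]' '?'
}

gate_main() {
    if target=$(gate_decide "${SSH_ORIGINAL_COMMAND:-}"); then
        # $target comes from the allowlist above, never from client input,
        # so word splitting here is safe.
        set -- $target
        exec "$@"
    fi
    logger -t ssh-gate -p auth.notice \
        "denied for ${USER:-unknown}: $(gate_sanitize "${SSH_ORIGINAL_COMMAND:-<interactive>}")"
    echo "This key is restricted." >&2
    exit 1
}

# Only act when invoked as the forced command.
if [ "${1:-}" = "--serve" ]; then
    gate_main
fi
```

Denied requests are logged through syslog under the tag ssh-gate, which gives a record of keys being used for anything other than CVS.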
