Pann McCuaig <[log in to unmask]> writes:

> We would like to create accounts for restricted users, primarily for
> data sharing purposes. These users would have access to the filesystem
> as appropriate, but would not be allowed to run the applications living
> under /opt and /usr/local.

I can think of several options, maybe one will fit:

You can use a restricted shell like scponly so only scp/sftp will be
alowed.  

You can use ssh/authorized_keys commands to limit certain keys to
certain executables.  This is good for a CVS+SSH server.  See "man
sshd" for what is possible.

I've never tried this last one, but I think you can set up users in a
chroot environment.  You could "mount -bind" just those filesystems
that you want visible.  Maybe PAM has a module for chroot logins.

Last, you could set up a virtual machine and only mount the file
systems you want to expose.

-Brett.