Sinopa
Posts: 11
Joined: Wed Apr 24, 2013 1:28 pm

Create restricted user account

Fri May 10, 2013 12:29 pm

Could someone please explain to me how I can create a user account in RP with restricted access?
The user should only be allowed to add/remove files/directories in their account, and not be allowed to enter anything except their home account.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Create restricted user account

Fri May 10, 2013 12:33 pm

GUI or shell-only?

You can get close to what you want using "rsh", at the shell level.

But I have no ideas about how to do this sort of thing in a GUI environment.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

Sinopa
Posts: 11
Joined: Wed Apr 24, 2013 1:28 pm

Re: Create restricted user account

Fri May 10, 2013 12:49 pm

I ssh into my RP, and I don't use any GUI. So it have to be done from terminal. I'm a noob, so if you could explain in a way that even a noob could understand, that would be great :D

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Create restricted user account

Fri May 10, 2013 1:07 pm

I ssh into my RP, and I don't use any GUI. So it have to be done from terminal.
OK. Basically, this should get you close:

1) use "adduser" to create a new user -

Code: Select all

man adduser
for the details.

2) use chsh to change the newly created user's shell to "/bin/rbash"

Then test out the new user and figure out what you can (and more importantly, can't) do.

P.S. "man adduser" says that /bin/rbash shouldn't be in /etc/shells, but (at least on my Pi), it is.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

Sinopa
Posts: 11
Joined: Wed Apr 24, 2013 1:28 pm

Re: Create restricted user account

Fri May 10, 2013 1:13 pm

That was WAY to complex for me. When there is to much text/info I get confused. I think I'll drop that little project. But thanks for the help anyways, Joe Schmoe :)

User avatar
RaTTuS
Posts: 9827
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Create restricted user account

Fri May 10, 2013 1:55 pm

ssh into RPI
sudo adduser newbie
give password
exit

ssh newbie@RPI


you have now got a restricted account
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Create restricted user account

Fri May 10, 2013 2:01 pm

RaTTuS wrote:ssh into RPI
sudo adduser newbie
give password
exit

ssh newbie@RPI


you have now got a restricted account
In what sense is it "restricted"?
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

Sinopa
Posts: 11
Joined: Wed Apr 24, 2013 1:28 pm

Re: Create restricted user account

Fri May 10, 2013 3:49 pm

I have no idea. Tried it, and it was everything but restricted.

User avatar
jojopi
Posts: 3041
Joined: Tue Oct 11, 2011 8:38 pm

Re: Create restricted user account

Fri May 10, 2013 5:26 pm

Joe Schmoe wrote:P.S. "man adduser" says that /bin/rbash shouldn't be in /etc/shells, but (at least on my Pi), it is.
I do not see that in my man page, but it is correct. With rbash in /etc/shells, nothing prevents the user from "chsh -s /bin/bash" again.

Restricted shells are a waste of time anyway though. First thing the user is going to try is:

Code: Select all

perl -e'exec bash'
To prevent every escape of this type you would need to uninstall all useful packages, not only making the system restricted for everyone, but very likely making it unbootable.

Really, restricted users would have to be given a different PATH, with only vetted binaries in it. If you were going to build such a directory, you would be much better to chroot into it instead of rely on a restricted shell.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Create restricted user account

Fri May 10, 2013 5:42 pm

You are completely wrong about this. It can be done, and it has been done. Really, saying it can't be done is just "hackerese" for "I don't like it; it is morally wrong to try to restrict what people do.". Don't bother denying it; I've seen it too many times.

And trust me, I know all the tricks and the fixes to those tricks.

To do it, you have to start with the (short) list of things that you want the user to be able to do. Not, the other way around - thinking of the list of things you don't want them to do. In any case, you certainly don't have to uninstall anything, nor do you have to mess around with "chroot".

Once you do that (come up with the short list), the follow-through is obvious; I won't bore you with the details.

But, I think we both agree that doing it is beyond the OP's abilities and plans.

And, of course, there's always the question of the actual realities of the instant situation; i.e., how determined is the user and how important is it that the solution be airtight.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

User avatar
jojopi
Posts: 3041
Joined: Tue Oct 11, 2011 8:38 pm

Re: Create restricted user account

Fri May 10, 2013 9:09 pm

Joe Schmoe wrote:You are completely wrong about this. It can be done, and it has been done.
Evidently I was not clear. I did not say it could not be done.

I demonstrated that it does not work out of the box, and that it is impractical even to create a minimal install where it works out of the box. I concluded that to make it work you have to provide a non-standard PATH with only vetted binaries. You appear to agree.

And for the record, I am not morally opposed to restricting access. But I do think the traditional restricted shell is a time-consuming and error-prone way to configure that. At the low-functioning end of the scale I would prefer a custom "shell", and at the high-functioning end a chroot or UML or VM. You could easily argue that those are time-consuming to configure as well.

JeremyF
Posts: 515
Joined: Wed Jan 25, 2012 9:06 pm
Contact: Website

Re: Create restricted user account

Fri May 10, 2013 9:30 pm

In my opinion, based on having tried many solutions in the past like restricted shells, chroot jails, and the like, I've found it all to be too much of hassle yielding results that aren't even close to perfect. I've found that keeping a restricted user out of the sudoers file (i.e. no way to become admin unless they know another user's password) is sufficient and requires zero setup. To some this may seem fairly insecure but recall that not being in the admin group is the standard for Windows security and no one ever complains too much about that. If you want you can always block specific programs.
{sig} Setup: Original version Raspberry Pi (B, rev1, 256MB), Dell 2001FP monitor (1600x1200), 8GB Class 4 SD Card with Raspbian and XBMC, DD-WRT wireless bridge

User avatar
RaTTuS
Posts: 9827
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Create restricted user account

Sat May 11, 2013 6:42 am

Sinopa wrote:I have no idea. Tried it, and it was everything but restricted.
you cannot sudo
edit other things
how restricted do you want it to be
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Create restricted user account

Sat May 11, 2013 12:19 pm

Unix, by its nature, is a pretty open system. Unlike (classical) IBM OSes, its motto is "that which is not specifically prohibited is permitted" (rather than the converse).

So, a non-root user can often do a lot of damage (even without any special privs) ...
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

JeremyF
Posts: 515
Joined: Wed Jan 25, 2012 9:06 pm
Contact: Website

Re: Create restricted user account

Sat May 11, 2013 12:28 pm

Joe Schmoe wrote:Unix, by its nature, is a pretty open system. Unlike (classical) IBM OSes, its motto is "that which is not specifically prohibited is permitted" (rather than the converse).

So, a non-root user can often do a lot of damage (even without any special privs) ...
I disagree. They can run a lot of programs that would make a Windows admin freak out but in the end most everything important is owned by root or at the very least, another user.
{sig} Setup: Original version Raspberry Pi (B, rev1, 256MB), Dell 2001FP monitor (1600x1200), 8GB Class 4 SD Card with Raspbian and XBMC, DD-WRT wireless bridge

sprinkmeier
Posts: 410
Joined: Mon Feb 04, 2013 10:48 am
Contact: Website

Re: Create restricted user account

Sat May 11, 2013 1:17 pm

Joe Schmoe wrote: So, a non-root user can often do a lot of damage (even without any special privs) ...
I don't think any current consumer OS is much different in this respect.

'user friendliness' tends to trump security in the default setup.

A non-root user on a Linux box can WRITE to their home directory and /tmp, and READ pretty much anything (some sensitive files (e.g. /etc/shadow), directories (e.g. /root) and some parts of the virtual filesystems (/proc, /sys) are exceptions).

If that can cause 'a lot of damage' on your system then there are ways to limit this.

I'm not too familiar with Windows or OS-X but I believe they're pretty much the same.

Return to “Beginners”

Who is online

Users browsing this forum: topguy and 35 guests