Restrict user access in Linux

Question

I am given a task to configure a RedHat Enterprise Linux 5 Gnome PC such that a specific user - say USER1 will have very limited desktop access. The requirements include:

1. Access to all of the desktop menus (Application, Places, System) and icons (Computer, User's Home etc.) must be restricted.
2. Restrict shell access to most of the folders but user's own home folder.
3. This user (USER1) should only have few pre-configured icons/shortcuts on their desktop and that's all he/she should be able to run/double-click.
4. This user (USER1) should not be able to run any shell commands that will affect any file/folder but their own.

Basically it's all locked-down PC with very limited functionality available to this particular user. If another authorized user or root logs in - then all usual bells and whistles should be available as normal.

We have achieved this on Windows using Local Security Settings but I am not sure how to do that in Linux.

I have heard of SELinux and have tried using 'SELinux Management Tool' but either it's not very useful or I don't know how to use it properly.

Answer 1

• Restrict shell access to most of the folders but user's own home folder.
• This user (USER1) should not be able to run any shell commands that will affect any file/folder but their own.

The standard Linux permissions scheme should account for this. Unprivileged users can't modify anything that doesn't belong to them, nor access to folders where important system information is stored.

• Access to all of the desktop menus (Application, Places, System) and icons (Computer, User's Home etc.) must be restricted.

1. Modify the panel and desktop so that none of the offending icons or applets are available.

2. Use gconftool2 to set the following keys (under apps/panel/global):

   • Checking disable_force_quit will prevent the users ability to forcibly close a panel applet.
   • Checking disable_lock_screen will prevent the user from displaying the screen saver and password protecting the screen.
   • Checking disable_log_out will prevent the user from logging out of, shutting down, or restarting the computer.
   • Checking locked_down will prevent the user from making any changes to the panels.

3. Set the following keys under desktop/gnome/lockdown:

   • Checking disable_command_line This also disable the "Run Program" dialog.
   • Checking disable_lock_screen will prevent the user from locking the screen.
   • Checking disable_printing will prevent the user from printing things to an attached printer.
   • Checking disable_print_setup will prevent access to all "Print Setup" dialogs.
   • Checking disable_save_to_disk will prevent the user from saving anything to the hard drive.
   • Checking disable_user_switching will prevent the user from switching to another account while the current session is active.
4. You will want to make these settings mandatory (otherwise a knowledgeable user can just un-set them). See the Gnome Deployment Guide for more information.

It sounds like what you're really looking for is a way to make Gnome behave like a kiosk. There's a few guides for that:

• http://users.telenet.be/mydotcom/howto/linuxkiosk/ubuntu01.htm
• http://library.gnome.org/admin/deployment-guide/

Answer 2

I think chrooting might be a start, you restrict the user to his own home folder and jail him there, he can't just go somewhere else, so he can only edit his own files. There is a very nice guide here : http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html

Answer 3

In addition to what kce mentioned here is what I found:

RedHat Deployment Guide on Page 10 onwards explains almost exactly what I want to do. This page also explains a little bit.