On Sat, 2005-02-05 at 19:28, Zacharie Elcor wrote:
> I want to create a restricted user without password that can only use
> a web browser.
> I added a user named "visitor" and created in his home dir a file
> .xsession that contains:
> firefox
> so that when he logs in, firefox is launched, and when he closes
> firefox, he is logged out.
> This works fine but he is still able to ctrl+alt+F(1-6) and log in to
> browse the file system.
> To prevent that, I tried to set /bin/false as the default shell for
> that user in /etc/passwd but this also prevented him from logging in
> graphically.
> Is there a way to be sure that "visitor" will only be able to browse
> the web and not the file system? Any security issues?
> Thanks for help

You found the big problem with giving someone access to a program: most
times they can find a way to escape that program and get a shell prompt.
You should probably look at setting up a chroot jail for that user. If
they do get to a shell prompt they will not really have access to the
real system. Solaris 10 has a very nice system for creating multiple
virtual systems on a box that are segregated from everything else.
A similar type of thing can be set up under Linux, but not as easily.
Of course, if you have a user that you don't trust with shell access, why
do you want to give them browser access?
--
Scot L. Harris
webid(a)cfl.rr.com
A day without sunshine is like night.
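
An added example, not part of the original thread and not code from either poster: a shell function that audits the account setup described in the question (the login shell in /etc/passwd and a one-line .xsession that starts the browser). The function name, its arguments, the finding names and the use of the shells list as a test for an interactive shell are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): audit a browser-only account.
# Usage: audit_kiosk USER BROWSER PASSWD_FILE SHELLS_FILE
# Prints one finding per line, or OK; returns 0 only when clean.
audit_kiosk() {
    user=$1 browser=$2 passwd=$3 shells=$4 found=0
    # Pull the account's colon-separated passwd entry.
    entry=$(grep "^${user}:" "$passwd") || { echo NO_SUCH_USER; return 2; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    xs=$home/.xsession

    # An empty shell field means /bin/sh. Assumption: a shell listed in the
    # shells file is interactive, so a text-console login (Ctrl+Alt+F1-F6)
    # ends at a prompt instead of in the browser.
    [ -n "$shell" ] || shell=/bin/sh
    if grep -qxF "$shell" "$shells"; then
        echo "CONSOLE_SHELL $shell"; found=1
    fi

    if [ ! -f "$xs" ]; then
        echo "XSESSION_MISSING"; found=1
    else
        # Ignore blank and comment lines; only the browser should be started.
        cmds=$(grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$xs") || true
        case $cmds in
            "$browser"|"exec $browser") ;;
            *) echo "XSESSION_EXTRA_COMMANDS"; found=1 ;;
        esac
    fi
    # Owning the file or its directory lets the account change its own
    # session script, whatever the current mode bits say.
    for p in "$xs" "$home"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune -user "$uid")" ]; then
            echo "USER_OWNS $p"; found=1
        fi
    done
    [ "$found" -eq 0 ] && echo OK
    return "$found"
}
```

Run it as root against the real files, for example `audit_kiosk visitor firefox /etc/passwd /etc/shells`.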