Add a user with permissions to install programs but without permissions to access the directories of other users

0

I need to create a user in a Linux system with permissions to install programs but without permissions to access the directories of other users.

I've tried to do this:

# Create restricted user
adduser --home /home/restricted_user restricted_user

# Edit normal user dir permissions
chmod -R 700 /home/normal_user/

# Add restricted user to sudoers in order to allow program installation
sudo adduser restricted_user sudo

Then, I tried:

su restricted_user
sudo ls /home/normal_user

And finally, the restricted user has access to the normal user's directory if he does it with sudo.

How can I implement these restrictions?

Kroka

Posted 2019-11-15T12:29:23.833

Reputation: 101

Answers

0

Do not add the user to the sudo group, do not grant them general root access. Edit /etc/sudoers and specify a small set of executables the user can run as root. Example:

# in sudoers file
restricted_user ALL = (root) /usr/bin/apt-get
restricted_user ALL = (root) /sbin/reboot

Notes:

  • Depending on your Linux: apt-get/apt, dpkg, opkg, pacman, yum, …
  • Use full paths.
  • The right way to edit sudoers is visudo.
  • See man 5 sudoers for more information on the syntax.
  • When building more complex rules remember their order matters.

Keep in mind a determined user who can install arbitrary programs is able to prepare and install a setuid version of ls or "upgraded" sudo that will grant them root access regardless of /etc/sudoers. Or provide and install a package that performs arbitrary operations when being installed (possibly without actually installing anything). Preventing this may not be easy.

Kamil Maciorowski

Posted 2019-11-15T12:29:23.833

Reputation: 38 429
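To see concretely why the answer's narrow rule keeps `sudo ls /home/normal_user` out while membership in the sudo group does not, here is a small sudoers matcher written for this page (it is not sudo's own code and not a full parser: no aliases, Defaults or wildcards). It models the user/host/runas/command fields and sudo's last-match-wins ordering; the SUDOERS fragment, user and group names are constructed for the demonstration.

```python
"""Toy sudoers matcher (added example, not sudo's own parser) for the
subset of `man 5 sudoers` syntax used in the answer above:
    user_or_%group  host = (runas_user[:runas_group]) cmd, !cmd, ALL
ALL matches anything, '!' negates an entry, and the LAST match decides."""
import re
from dataclasses import dataclass

# Constructed fragment: Debian's default %sudo rule (what "adduser
# restricted_user sudo" switches on) beside the narrow rule from the answer.
SUDOERS = """
%sudo   ALL=(ALL:ALL) ALL
restricted_user ALL = (root) /usr/bin/apt-get, /sbin/reboot
"""
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]+)\)\s*)?(.+)$")

@dataclass
class Rule:
    who: str         # user name or %group
    host: str
    runas: str       # user part of (runas_user:runas_group); default root
    commands: tuple  # in file order; an entry may start with '!'

def parse_sudoers(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        who, host, runas, cmds = m.groups()
        rules.append(Rule(who, host, (runas or "root").split(":")[0],
                          tuple(c.strip() for c in cmds.split(","))))
    return rules

def allowed(rules, user, groups, command, host="ALL", runas="root"):
    """True if the last matching entry lets `user` run `command` as `runas`."""
    verdict = False
    for r in rules:
        who_ok = (r.who == "ALL" or r.who == user
                  or (r.who.startswith("%") and r.who[1:] in groups))
        if not (who_ok and r.host in ("ALL", host) and r.runas in ("ALL", runas)):
            continue
        for entry in r.commands:
            path = entry.lstrip("!")
            # exact path, or path followed by arguments; ALL matches any command
            if path == "ALL" or command == path or command.startswith(path + " "):
                verdict = not entry.startswith("!")
    return verdict
```

On a real system, validate the file with `visudo -c` and inspect a user's effective rules with `sudo -l -U restricted_user` rather than trusting a model like this one.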