1
I need to create a user in Fedora Linux(15) which only has privileges to print documents.
Our college issues a printer to each lab and I need to create a new user on my Fedora which only has privileges to print.
Network sharing is not an option, so is there any way by which I can a restrict a user from executing any commands except the necessary printing commands?
Khushman Patel
Posted 2011-08-05T12:39:50.803
Reputation: 111
1
I"m not sure if it's still used and tested much, but shells used to have a restricted shell option which might help what you need. It severely limits what a shell can break.
I'd consider a vmware instance or a chroot jail for this, both might be a lot of work.
Rich Homolka
Posted 2011-08-05T12:39:50.803
Reputation: 27 121
So for the user's shell setting would it be set to /bin/bash -r? – Mike Keller – 2011-08-05T16:22:23.107
1@Mike Keller - better would be /bin/rbash. You'd need to be root and either make a hard link or symlink from bash => rbash. Then set up their environment to be VERY restrictive. – Rich Homolka – 2011-08-05T16:33:54.907
Also as far as using a chroot jail, I've run across Jailkit before and didn't think about it till just now as I was re-reading your answer. That might simplify the process. – Mike Keller – 2011-08-05T17:04:21.447
0
You will have to create a new group and a new user. Assign the new user to that group only. Chown the printing commands to the new group.
I'd then recommend building out a script of some sort that then runs the commands needed as that printer only user transparently to the end user... if that made any sense.
Mike Keller
Posted 2011-08-05T12:39:50.803
Reputation: 211
Unfortuntately even this can't stop everything. You'd have to change every executable to not have execute for 'other' and change every file and every non-temp dir to not have write for 'other'. That may cause bigger problems. – Rich Homolka – 2011-08-05T15:58:44.160
I don't know if I'm following what you are saying. So long as the new user isn't assigned to any other groups than the new one they shouldn't be able to access any other executables as they should be attached to other system and user groups. (This is purely informational for me, not trying to be argumentative.) – Mike Keller – 2011-08-05T16:19:37.087
1I think you're forgetting 'other'. Yes, they won't be the user, or group, but other is everyone else. They'd get those 'other' perms. Anything with other-write would be writable, anything with other-executable would be runnable. – Rich Homolka – 2011-08-05T16:34:32.910
... do things like Xorg count, or are you just logging in under a TTY and running
lpr? – new123456 – 2011-08-05T13:43:00.887