Creating Limited User Accounts on Ubuntu Server

Solution 1:

Everything the user does requires access to large portions of the filesystem. To prove this to yourself, run the following command:

strace -e trace=file /bin/ls $HOME

You'll see that listing the contents of your own home directory requires opening and reading at least 40 other files scattered around your system. Other commands, like sftp, require far broader access.

Unix systems are designed around the concept of users having read-only access to the majority of the OS. With careful permissions and groups, you can easily prohibit them from seeing the contents of each other's directories. With pam_apparmor you would be able to restrict what applications they can run.

EDIT: I just re-read your requirements. It doesn't sound like you need them to be able to log in to a fully interactive shell. If this is the case, there are two ways you could proceed:

  1. aptitude install scponly. Then set the user's shell to be 'scponly'. Don't let its name fool you; it works with sftp as well. If you want to lock them down even more, look at the documentation in /usr/local/share/doc/scponly concerning setting up a per-user "chroot".
  2. If you need to allow access to more commands than just sftp/scp (like rsync) then you'll need to roll your own command validator and set up an ssh "forced command". Add a block that looks like this to your /etc/ssh/sshd_config:

    Match group sftponly
        ForceCommand /usr/local/bin/validate_sftp
    

    Then write the /usr/local/bin/validate_sftp script. Something similar to this:

    #!/bin/bash
    # Allow only rsync in server mode or the sftp subsystem. rsync always sends
    # "rsync --server <options> . <path>", so match on the prefix rather than the
    # bare string; anything else (including an empty command, i.e. a request for
    # an interactive shell) is refused.
    if [[ $SSH_ORIGINAL_COMMAND == "rsync --server "* ]]
    then
        exec $SSH_ORIGINAL_COMMAND
    elif [[ $SSH_ORIGINAL_COMMAND == "/usr/lib/openssh/sftp-server" ]]
    then
        exec $SSH_ORIGINAL_COMMAND
    else
        echo "You are only allowed rsync or sftp access to this server." >&2
        exit 1
    fi
    

    Add the user(s) to the "sftponly" group (you'll have to add the group, of course) and they will be restricted to the commands allowed by your script.
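As an added example (not the script from the answer above), here is the same forced-command idea written as a testable allow-list function. It goes one step beyond the answer: for rsync it also checks that the destination path is inside a given root directory (the user's home when run by sshd), so a permitted rsync cannot be pointed at arbitrary parts of the filesystem. The sftp-server path is the one the answer uses; the `validate_cmd` name, the `--enforce` flag and the sample commands in the test are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the original answer's script: an allow-list validator for
# an sshd ForceCommand, written as a function so the policy can be exercised
# outside of sshd. Assumes the Debian/Ubuntu sftp-server path from the answer;
# the "--enforce" flag and the validate_cmd name are this example's own.

SFTP_SERVER=/usr/lib/openssh/sftp-server

# validate_cmd CMD ROOT
#   CMD  - the client's requested command (what sshd puts in SSH_ORIGINAL_COMMAND)
#   ROOT - directory the user may rsync into (normally $HOME)
# Prints the command to exec and returns 0, or prints nothing and returns 1.
validate_cmd() {
    cmd=$1
    root=$2
    case "$cmd" in
        "$SFTP_SERVER")
            printf '%s\n' "$cmd"
            return 0 ;;
        "rsync --server "*)
            # rsync's remote side is always "rsync --server <opts> . <path>".
            # Take the last word as the destination and keep it under ROOT.
            set -f                      # no globbing while we split $cmd
            set -- $cmd
            set +f
            last=""
            for word; do last=$word; done
            case "$last" in
                ..|../*|*/..|*/../*) return 1 ;;   # no directory traversal
                "$root"|"$root"/*)   ;;            # inside the allowed tree
                *)                   return 1 ;;   # anywhere else
            esac
            printf '%s\n' "$cmd"
            return 0 ;;
        *)
            # Empty command (interactive shell requested) or anything else.
            return 1 ;;
    esac
}

# Real enforcement when sshd runs this as:
#   ForceCommand /usr/local/bin/validate_sftp --enforce
if [ "${1:-}" = "--enforce" ]; then
    if allowed=$(validate_cmd "${SSH_ORIGINAL_COMMAND:-}" "$HOME"); then
        set -f                          # the request must not be globbed
        exec $allowed                   # word splitting is intended here
    fi
    logger -t validate_sftp "rejected from ${USER:-?}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "You are only allowed rsync or sftp access to this server." >&2
    exit 1
fi
```

Rejected requests are logged with `logger`, which is what you want to watch for when a restricted account starts asking for commands it was never meant to run. The path check is deliberately conservative: any `..` component is refused rather than resolved.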

Solution 2:

I don't know if this fits your requirements, but since you say this should be a server machine, it may be worth thinking about tackling the problem from a different side:

  • Maybe the users don't need a unix account on the system.
  • Could a similar thing be achieved by setting up e.g. an sftp server (or something similar, e.g. WebDAV) on that system? And the system provides an automated backup solution? (If you want, you can even provide auto versioning with Subversion + WebDAV.)

... Just an idea, because there's always a certain security risk involved (and it requires managing user and file permissions) when giving users a system account - at least as long as you don't set up a virtual server for everyone.