Creating Limited User Accounts on Ubuntu Server

accounts linux ubuntu service-accounts

Solution 1:

Everything the user does requires access to large portions of the filesystem. To prove this to yourself, run the following command:

strace -e trace=file /bin/ls/$HOME

You'll see that listing the contents of your own home directory requires opening and reading at least 40 other files scattered around your system. Other commands, like sftp and such require far broader access.

Unix systems are designed around the concept of users having read-only access to the majority of the OS. With careful permissions and groups, you can easily prohibit them from seeing the contents of each other's directories. With pam_apparmor you would be able to restrict what applications they can run.

EDIT: I just re-read your requirements. It doesn't sound like you need them to be able to log in to a fully interactive shell. If this is the case, there are two ways you could proceed:

  1. aptitude install scponly. Then set the user's shell to be 'scponly'. Don't let it's name full you; it works with sftp as well. If you want to lock them down even more, look at the documentation in /usr/local/share/doc/scponly concerning setting up a per-user "chroot".

  2. If you need to allow access to more commands than just sftp/scp (like rsync) then you'll need to roll your own command validator and set up an ssh "forced command". Add a block that looks like this to your /etc/ssh/sshd_config:

    Match group sftponly
    ForceCommand /usr/local/bin/validate_sftp

    Then write the /usr/local/bin/validate_sftp script. Something similar to this:

    #!/bin/bash
if [[ $SSH_ORIGINAL_COMMAND = "rsync --server" ]]
then
    exec $SSH_ORIGINAL_COMMAND
elif [[ $SSH_ORIGINAL_COMMAND = "/usr/lib/openssh/sftp-server" ]]
then
    exec $SSH_ORIGINAL_COMMAND
else
    echo "You are only allowed rsync or sftp access to this server."
fi

    Add the user(s) to the "sftponly" group (you'll have to add the group, of course) and they will be restricted to the commands allowed by your script.

Solution 2:

I don't know, if this could fit your requirements, but since you say, this should be a server machine, it may be worth thinking about tackling the problem from a different side:

  • Maybe the users don't need a unix account on the system.
  • Could a similar thing be achieved by setting up e.g. an sftp server (or something similar, e.g. WebDAV) on that system? And the system provides an automated backup solution? (If you want, you can even provide auto versioning with Subversion + WebDAV.)

... Just an idea, because there's always a certain security risk involved (and it requires managing user and file permissions) when giving users a system account - at least as long as you don't set up a virtual server for everyone.

Related

Open source server monitoring [closed]
With more mobile users, my geo ip database is becoming useless
How to list environmental variables on Windows Server 2008 R2
Linux: Blocking Huge List of IPs?
mv ,,, to *?
Is testing every Anti-Virus definition before deployment feasible?
ASA 5505, is BGP supported?
Limit disk I/O one program creates?
What is a good tool to scan a FTP directory and show disk usage visually ala KDirStat/WinDirStat? [closed]
Remapping Linux serial port device names
Extracting a SQLCLR assembly
Encrypt remote linux server