15

Is it possible to add a user and restrict him to run special programs?
For example after this user logs in, he can only open Firefox to use Internet and no other programs can be run by this user.
For example in a terminal, commands will not be accessible when you delete some environment variables like $HOME.
But is it possible to avoid running programs in a graphical shell, like Gnome? If yes, how?

Damien
  • 758
M0εiπ
  • 1,257
  • 4
    This is typically referred to as kiosk mode but i am not sure about the state in gnome 3. See http://tranzistors.wordpress.com/2012/05/23/progress-on-gnome-lockdown-1-feature-list/ for more details. According to http://fedoraproject.org/wiki/Features/InitialExperience gnome-shell has some kind of kiosk mode – Ulrich Dangel Jul 07 '12 at 21:13

1 Answers1

5

You can remove execute permissions for the binaries you don't want the user to run. Create a new group, change the execute permissions (chmod go-rwx), and add the desired user to the group. (This is similar to how only certain users are allowed to use the sudo command.)

Depending on what you want to achieve, chroot jail might also be useful. In case you're planning to have a kiosk-like setup, there are lockdown tools for both KDE (Kiosk Tool) and GNOME (Sabayon). If Firefox is all you want to allow, check out Webconverger. In case you're planning to set up a kiosk network, google Libki. If security is paramount, you can also refine the capabilities of individual programs using AppArmor or SELinux.

  • I'm not adding this as an answer because I haven't tried it in a long time, but you can change the user's login shell (in /etc/passwd, I believe) to run an arbitrary command or script instead of the default that allows them full normal user access. You just have to test your command/script to make sure the user can't break out of it. – Joe Jul 14 '12 at 20:30
  • "You can remove execute permissions for the binaries you don't want the user to run." <- what about other users??? – Konrad Gajewski Jan 10 '20 at 07:19