Gentoo Forums
Jailing a certain user
Zucca
Moderator


Joined: 14 Jun 2007
Posts: 3339
Location: Rasi, Finland

Posted: Wed Sep 13, 2017 11:52 am    Post subject: Jailing a certain user

I'd want to create a quite restricted user account. The purpose of this user is for media consuming. Pictures, videos, music (via mpd and locally also) and some simple games (emulators mainly).

For starters this user, called media, will be created on my Raspberry Pi 3 system (later on my server too). I've actually created that user already along with the group bearing the same name. I've also added it to the list of DenyUsers in /etc/ssh/sshd_config. The user will not have a password so it's usable by anyone who uses the computer locally.
I have planned to use a very stripped down xfce (maybe only the window manager from it) or Openbox (more suitable suggestions are welcome) with wbar (https://www.linux.com/var/uploads/Image/articles/128892-1(1).png) for launching programs/actions. The media user should not be able to reboot or power off the machine if there's an ssh, tmux or screen session open by another user. But that's after I have managed to create an otherwise proper jail for the media user. So I'll concentrate on jailing first.

What method should I use to jail (chroot maybe) a user? I can create bind mounts inside the /home/media so that shared files from another computer are reachable by the media user. There exists an interesting program called lshell. But does it become too complicated to use that as a login shell for the user? I'd like to use it since the configuration looks plain simple.

Suggestions? Experiences? Your methods?
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote:
I am NaN! I am a man!
FlorianSchmidt
Tux's lil' helper


Joined: 20 May 2008
Posts: 77
Location: Germany

Posted: Sun Sep 24, 2017 7:27 pm    Post subject:

Hi Zucca,

I just stumbled across your post, although it is a few days old already.

Have you thought about ACLs?
something like
Code:

setfacl -R -m d:u:media:--- /
setfacl -R -m u:media:--- /

And then re-enable whatever is needed? (like its homedir :-) )

Setting an alternative shell as the login shell for the user is not that complicated, keeping him from changing the shell could be, but if lshell can restrict the user from that, I'd try it out.

br
Florian
_________________
-bash: :wq: command not found
FlorianSchmidt
Tux's lil' helper


Joined: 20 May 2008
Posts: 77
Location: Germany

Posted: Sun Sep 24, 2017 8:06 pm    Post subject:

I was curious about lshell and tested it out.

I took it from here: https://github.com/ghantoos/lshell
built it on a test machine and configured it as the login shell for "testy".

Code:

florian@flos-delle ~ $ ssh testy@build.home
testy@build.home's password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testy:~$ pwd
*** forbidden command: pwd
testy:~$ help
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testy:~$ ls
testy:~$ lsudo
No sudo commands allowed
testy:~$


Looks quite restricted already; getting it to work with xfce might be tricky, but looks possible.

br
Florian
_________________
-bash: :wq: command not found
Zucca
Moderator


Joined: 14 Jun 2007
Posts: 3339
Location: Rasi, Finland

Posted: Sun Sep 24, 2017 8:11 pm    Post subject:

Thanks for your reply!
I think I'll set up an openbox+lshell environment for the media user. And maybe even move its home directory to a (small) tmpfs.
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote:
I am NaN! I am a man!
Syl20
l33t


Joined: 04 Aug 2005
Posts: 619
Location: France

Posted: Mon Sep 25, 2017 9:35 am    Post subject:

Perhaps rbash can help? With a minimal PATH (just one directory containing symlinks to the commands you want to allow, for example), the user has very limited access to the system. But I don't know how to use that with a graphical session...
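
The symlink-only PATH described in the post above, as an added example that is not part of the original thread. The directory, the allowed commands and the function names are placeholders, and it assumes bash is installed; `bash -r` is used here in place of a login shell set to rbash.

```shell
#!/bin/sh
# Added example: restricted bash whose PATH is one directory of symlinks.
# The directory and the allowed commands are placeholders.

# $1: directory to fill; remaining arguments: commands to allow.
make_allowed_bin() {
    bindir=$1; shift
    mkdir -p "$bindir" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "not found: $cmd" >&2; return 1; }
        case "$target" in
            /*) ln -sf "$target" "$bindir/$cmd" ;;
            *)  echo "not an external command: $cmd" >&2; return 1 ;;
        esac
    done
}

# $1: the symlink directory, $2: a command line.
# bash -r is the same restricted mode as rbash: no cd, no "/" in command
# names, no changing PATH, no output redirection. env -i drops inherited
# variables such as BASH_ENV.
run_restricted() {
    bash_bin=$(command -v bash) || return 127
    env -i PATH="$1" "$bash_bin" -r -c "$2"
}
```

The restriction only covers what the shell itself starts; a linked program that can launch other programs is not limited by it.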
The Doctor
Moderator


Joined: 27 Jul 2010
Posts: 2678

Posted: Mon Sep 25, 2017 8:29 pm    Post subject:

The real question is how much of a jail do you really need? An unprivileged user seems to fit the need. It can't go outside of its group so other users' data is safe.

You can do the halt thing with a bash script and use sudo to only allow the user to use the script. All you need to do is figure out how to detect when your conditions are met.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
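
One way to write the sudo-wrapped script suggested in the post above, with the condition from the first post (another user's ssh, tmux or screen session) as the check; this is an added example, not part of the original thread. The install path, the sudoers line and the function names are assumptions.

```shell
#!/bin/sh
# Added example: power-off guard for the "media" account. Assumed install
# path /usr/local/sbin/media-poweroff (root-owned, mode 0755) and sudoers line
#   media ALL=(root) NOPASSWD: /usr/local/sbin/media-poweroff
KIOSK_USER=media

# stdin: `who` output. Prints other users' logins that carry a remote host
# field such as (192.168.1.20); local X entries like (:0) are ignored.
remote_logins() {
    awk -v me="$1" '$1 != me && $NF ~ /^\([^:].*\)$/ { print $1 " logged in on " $2 }'
}

# stdin: `ps -eo user=,comm=` output. Prints other users' tmux or screen
# processes (a detached session keeps its server process alive).
multiplexers() {
    awk -v me="$1" '$1 != me && $2 ~ /^(tmux|screen)/ { print $1 " runs " $2 }'
}

# $1: kiosk user, $2: who snapshot, $3: ps snapshot. Prints every blocker.
blockers() {
    printf '%s\n' "$2" | remote_logins "$1"
    printf '%s\n' "$3" | multiplexers "$1"
}

main() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH  # do not trust caller's PATH
    found=$(blockers "$KIOSK_USER" "$(who)" "$(ps -eo user=,comm=)")
    if [ -n "$found" ]; then
        printf 'Not powering off, other users are active:\n%s\n' "$found" >&2
        return 1
    fi
    exec poweroff
}

# Run only under the installed name, so the functions above can be tested
# against saved snapshots without touching the machine.
case "$0" in
    */media-poweroff) main ;;
esac
```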