making secure limitations for non-root users

Jim Kutsch jimkutsch at
Sat Sep 20 17:40:33 EDT 2008

In the 1980s, I had a Unix system connected to a ham radio via packet radio 
interface hardware.  I was using it myself but wanted the users via radio to 
run email and Netnews and be isolated from the rest of the system where I 
kept my stuff.  I set up a chroot environment in which users had a very 
little piece of the entire system.  It required only amazingly few things 
to be available in the root of the chroot directory.  If I remember 
correctly, I had to have /etc/passwd, /etc/group, /etc/getty, a few things 
in /bin and /usr/bin, and the software I allowed these remote users to 
access.  There was even a login called "newuser" with no password that ran a 
customized add user script so a user could create his/her own account.

Since you are learning Linux, I'd recommend you go explore chroot and start 
thinking about how very little you really need in the isolated environment.

Have fun.


----- Original Message ----- 
From: "Tyler Littlefield" <tyler at>
To: "Speakup is a screen review system for Linux." <speakup at>
Sent: Friday, September 19, 2008 5:40 PM
Subject: Re: making secure limitations for non-root users

I'll dig around for that kernel patch.
Like, limiting them to viewing home dirs, other people's dirs. I can do
chmod a-r /home, and then chmod o-rx /home/user, but would there be anything
else I'd need to limit for security reasons? I'd not like to screw up perms
on logs, but would rather they not see /var/log.

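A permission check added here as an example, not code from Tyler or the list: it reproduces the chmod a-r /home and chmod o-rx /home/user steps in a scratch tree (with a hypothetical user "alice") and reports which paths, such as an untouched /var/log, are still readable by every user.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the "other" permission bits that
# chmod a-r /home and chmod o-rx /home/user are meant to clear, and list what is
# still readable by every user. POSIX ls/cut only; the demo needs no root.

# Print the three "other" mode characters (e.g. r-x) of a path.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Succeed when any user can read the file or list the directory.
world_readable() {
    case "$(other_bits "$1")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Report each path that is world-readable; return 1 if any was found.
audit_world_readable() {
    found=0
    for path in "$@"; do
        [ -e "$path" ] || continue
        if world_readable "$path"; then
            printf '%s: other=%s\n' "$path" "$(other_bits "$path")"
            found=1
        fi
    done
    return "$found"
}

# Constructed demo tree (hypothetical user "alice"); prints its root.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/var/log"
    chmod 755 "$root/home" "$root/var/log"
    chmod 750 "$root/home/alice"
    chmod a-r "$root/home"          # /home: no listing, but still traversable
    chmod o-rx "$root/home/alice"   # other users get nothing in alice's home
    printf '%s\n' "$root"
}

# Usage: the list's advice leaves /home at --x and alice's home at ---,
# while /var/log (left at 755) is still reported as world-readable.
if [ "${1:-}" = "demo" ]; then
    t=$(demo_tree)
    audit_world_readable "$t/home" "$t/home/alice" "$t/var/log" || echo "world-readable paths found"
fi
```

Run it as `sh audit.sh demo` to see the report; the same functions can be pointed at real paths once the chmod steps have been applied.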
----- Original Message ----- 
From: "Gregory Nowak" <greg at>
To: "Speakup is a screen review system for Linux." <speakup at>
Sent: Friday, September 19, 2008 3:38 PM
Subject: Re: making secure limitations for non-root users

> Tom has already told you what the best approach would be. However, let
> me try to specifically answer your questions.
> On Thu, Sep 18, 2008 at 12:39:40PM -0600, Tyler Littlefield wrote:
>> I would, however like to limit them in disk space (I can figure that
> one out),
> Ok.
>> in port usage (not sure how to do this one, would like to limit what
> ports they can open),
> The only thing I can think of for that is the obvious, a
> firewall. However, that would apply to everyone on the system. There
> is something called owner match support, when you're configuring the
> firewall stuff in the kernel, however, I'm not sure if that does what
> it actually suggests, or something else. Sorry, that's all I can tell
> you there, maybe a firewall howto somewhere would tell you more.
>> programs they can run,
> The best way I can think of to do that, is to create a group on your
> system, where all the binaries you want users to access are a part of
> that group. Then, add the users you want to be able to access those
> binaries to that group as well, and leave the rest of the binaries/users
> out. On my debian system, there is a group called bin, but most of my
> binaries are in root's group. I'm not sure if the bin group is
> reserved for something else, or if it is there for what its name
> suggests, and it's up to the system admin to use it as he/she wishes.
>> and also what they can view on the system.
> You need to be more specific. What do you want them to be able to
> view, man pages, text files, contents of specific directories, what?
> Greg
