On Tue, 2008-07-29 at 13:05 +0200, Dirk H. Schulz wrote:
> Hi folks,
>
> is it possible to restrict the rights of a user to only do a few, defined
> actions, e.g. only look up cpu and memory usage, but not walk around in the
> file system, not see any other hardware details, run any binaries/scripts?
> I know several different techniques to achieve parts of this (like
> chrooting him), but is there one technique to get it all?

"Man bash". /-r and /RESTRICTED SHELL

It'll take a little setup to custom tailor it. Permissions, PATH and a
user or group specific bin directory (new one, not one of the standards)
in their PATH. Some copy/symlink (careful with that) of existing
executables may be useful. Be careful with scripts made available. There
is a caveat that restrictions are removed when a script is being
processed. Carefully constructed .bashrc, bash_profile.

IMO, this is easier to set up than selinux, *may* meet all your needs and
will not be affected by upgrades.

>
> Dirk
> <snip sig stuff>

HTH
--
BILL
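
The setup described in the reply above, as an added sketch that is not part of the original message: it builds the dedicated bin directory and pinned PATH in a scratch directory and lets you check what `bash -r` then refuses. The function names, the directory layout and the choice of linked commands are assumptions of this example.

```shell
#!/bin/sh
# Added example: try a restricted-bash setup in a scratch directory, no root needed.
# Function names and directory layout are assumptions of this sketch.
BASH_BIN=$(command -v bash)

# build_restricted_home DIR CMD...
# DIR/bin receives symlinks to the named commands only; .bash_profile pins
# PATH to that directory for real login sessions.
build_restricted_home() {
    rh_home=$1; shift
    mkdir -p "$rh_home/bin" || return 1
    for rh_cmd in "$@"; do
        for rh_dir in /usr/bin /bin; do
            if [ -x "$rh_dir/$rh_cmd" ]; then
                ln -sf "$rh_dir/$rh_cmd" "$rh_home/bin/$rh_cmd"
                break
            fi
        done
    done
    # Startup files are read before the restrictions take effect.
    printf 'PATH=$HOME/bin\nexport PATH\n' > "$rh_home/.bash_profile"
    # In production both would be root-owned; here we only drop write access.
    chmod a-w "$rh_home/.bash_profile" "$rh_home/bin"
}

# run_restricted DIR 'command string'
# Runs the string under "bash -r" with only HOME and the pinned PATH set.
# Returns bash's exit status; error messages are discarded.
run_restricted() {
    (cd "$1" && env -i HOME="$1" PATH="$1/bin" "$BASH_BIN" -r -c "$2") 2>/dev/null
}

# list_scripts DIR
# Prints the names in DIR/bin whose target starts with "#!". Restrictions are
# lifted while such a script runs, so each one needs a manual review.
list_scripts() {
    for ls_f in "$1"/bin/*; do
        [ -f "$ls_f" ] || continue
        if [ "$(head -c 2 "$ls_f")" = "#!" ]; then basename "$ls_f"; fi
    done
}
```

For the use case in the question, `build_restricted_home /some/dir free uptime` followed by `run_restricted /some/dir 'cd /'` shows the refusal; anything `list_scripts` prints runs without the restrictions and should be read before it is offered to the user.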