Hi

I m new with Fedora 14, and i have a basic business case :

I want to setup a user which should
- only connect to the server with SSH (ex.: no X11 connection).
- cannot change its shell
- cannot do any SU / SUDO command

This user is very similar to a SERVICE user, as I expect him only to run a single program (its shell).

Thanks

Google for 'chroot jail howto' and read the first few links:

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ <- Quick setup
http://www.kegel.com/crosstool/current/doc/chroot-login-howto.html <- Some background
http://www.unixwiz.net/techtips/chroot-practices.html <- How to avoid escaping the chroot jail

useradd -Z guest_u myrestrictednonsuidsgidsshonlyuser

You do realize there are ways to make ssh forward the X protocol even if you disable the built in X forwarding. It is a bit of a pain, but possible. One thing of note is that it is similar to sshfs...

and changing your shell is as simple as an exec.

So unless you are going to write your own shell for the user, or go through the more elaborate jail (where the user cannot execute anything), you may be in for a bit of difficulty.

One thing you might also try is to mount his home directory noexec,nosuid,nosgid.

A user under the users group is pretyy much there do to selinux.

Sj

Might be simpler to just put the user in his own label, without the ability to transition to anything else...

sesearch -A -SC -s guest_t -T | grep type_transition | grep process
type_transition guest_t passwd_exec_t : process passwd_t;
type_transition guest_t chfn_exec_t : process chfn_t;
type_transition guest_t loadkeys_exec_t : process loadkeys_t;

Thats pretty much all guest can domain transition to:

passwd_t domain to change its password
chfn_t domain to change finder information
loadkeys_t domain to load keyboard mappings

But you could create a similar domain without access to those aswell.

Remember SELinux is a framework, the policy is what you make it.

Setting the shell to a restricted shell will help somewhat.

/bin/bash -r