# Jailing a certain user

## Zucca

I'd like to create a quite restricted user account. The purpose of this user is media consumption: pictures, videos, music (via mpd and locally also) and some simple games (emulators mainly).

For starters this user, called media, will be created on my Raspberry Pi 3 system (later on my server too). I've actually created that user already, along with the group bearing the same name. I've also added it to the list of DenyUsers in /etc/ssh/sshd_config. The user will not have a password, so it's usable by anyone who uses the computer locally.

I have planned to use a very stripped-down xfce (maybe only the window manager from it) or Openbox (more suitable suggestions are welcome) with [wbar](https://www.linux.com/var/uploads/Image/articles/128892-1(1).png) for launching programs/actions. The media user should not be able to reboot or poweroff the machine if there's an ssh, tmux or screen session open by another user. But that's after I have managed to create an otherwise proper jail for the media user. So I'll concentrate on jailing first.

What method should I use to jail (chroot maybe) a user? I can create bind mounts inside /home/media so that shared files from another computer are reachable by the media user. There exists an interesting program called lshell. But does it become too complicated to use that as a login shell for the user? I'd like to use it since the configuration looks plain simple.

Suggestions? Experiences? Your methods?

----------

## FlorianSchmidt

Hi Zucca,

I just stumbled across your post, although it is a few days old already.

Have you thought about ACLs?

Something like

```
setfacl -R -m d:u:media:--- /
setfacl -R -m u:media:--- /
```

And then re-enable whatever is needed? (like its homedir :-) )

Setting an alternative shell as the login shell for the user is not that complicated, keeping him from changing the shell could be, but if lshell can restrict the user from that, I'd try it out.

br

Florian

----------

## FlorianSchmidt

I was curious about lshell and tested it out.

I took it from here: https://github.com/ghantoos/lshell

Built it on a test machine and configured it as the login shell for "testy":

```
florian@flos-delle ~ $ ssh testy@build.home
testy@build.home's password: 
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testy:~$ pwd
*** forbidden command: pwd
testy:~$ help
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testy:~$ ls
testy:~$ lsudo
No sudo commands allowed
testy:~$
```

Looks quite restricted already; getting it to work with xfce might be tricky, but it looks possible.

br

Florian

----------

## Zucca

Thanks for your reply!

I think I'll set up an openbox+lshell environment for the media user. And maybe even move its home directory to a (small) tmpfs.

----------

## Syl20

Perhaps rbash can help? With a minimal PATH (just one directory containing symlinks to the commands you want to allow, for example), the user has very limited access to the system. But I don't know how to use that with a graphical session...
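The restricted-PATH setup Syl20 describes, as an added example that is not code from the thread: a directory of symlinks is the only thing on PATH, and rbash (bash started with -r) refuses cd, changes to PATH or SHELL, command names containing "/", and output redirection. The helper names (`make_allowed_bin`, `run_restricted`, `demo`) and the throwaway directory are assumptions made for this example; on a real system the login shell would be set with something like `chsh -s /bin/rbash media` and the symlink directory would be owned by root. It also shows the limit Syl20 hints at: the jail is only as tight as the allowed commands, so anything that can spawn a shell or write files (editors, pagers with shell escapes, interpreters) must stay out of the symlink directory.

```shell
#!/bin/sh
# Added example, not code from the thread: Syl20's restricted-PATH idea done with rbash.
# Assumptions: bash is installed (rbash is bash started with -r, or as /bin/rbash), and
# the account's login shell would be set with something like: chsh -s /bin/rbash media

BASH_BIN=$(command -v bash)   # absolute path, so the restricted PATH never has to find bash

# Populate $1 with symlinks to the external commands named by the remaining arguments.
# Only commands that resolve to an absolute path are linked; shell builtins are skipped
# (rbash provides them anyway).
make_allowed_bin() {
  dir=$1; shift
  mkdir -p "$dir" || return 1
  for cmd in "$@"; do
    target=$(command -v "$cmd") || { echo "no such command: $cmd" >&2; return 1; }
    case $target in
      /*) ln -sf "$target" "$dir/$cmd" ;;
      *)  echo "skipping builtin: $cmd" >&2 ;;
    esac
  done
}

# Run one command line the way the jailed login would see it: PATH limited to the
# symlink directory, restricted mode on. Returns the command's exit status.
run_restricted() {
  dir=$1; shift
  PATH="$dir" "$BASH_BIN" -r -c "$*" 2>/dev/null
}

# Stand-alone demo on a constructed throwaway directory; nothing is installed.
demo() {
  d=$(mktemp -d)
  make_allowed_bin "$d" ls cat
  run_restricted "$d" ls "$d" >/dev/null        && echo "ls via PATH: allowed"
  run_restricted "$d" "$(command -v ls)" "$d"   || echo "absolute command path: refused"
  run_restricted "$d" cd /                      || echo "cd: refused"
  run_restricted "$d" 'ls > /tmp/rbash-demo-x'  || echo "output redirection: refused"
  rm -rf "$d"
}
```

Run `demo` to see the four outcomes. The same PATH restriction does nothing for a graphical session started by a display manager, which is the gap Syl20 mentions: whatever the window manager or wbar launches runs outside rbash, so the launcher entries themselves have to be limited to the intended programs.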

----------

## The Doctor

The real question is how much of a jail do you really need? An unprivileged user seems to fit the need. It can't go outside of its group, so other users' data is safe.

You can do the halt thing with a bash script and use sudo to only allow the user to use the script. All you need to do is figure out how to detect when your conditions are met.
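The halt script The Doctor describes, as an added example that is not code from the thread, checking Zucca's stated condition (no ssh, tmux or screen session open by another user) before powering off. The script name `/usr/local/bin/media-halt`, the function names, the `MEDIA_USER` override, and the socket directories (`/tmp/tmux-<uid>` for tmux, `/run/screen/S-<user>` for screen; older systems use `/var/run/screen`) are assumptions made for this example. The sudoers rule shown in the header is the one piece of sudo configuration needed: it lets media run exactly this root-owned, non-writable script and nothing else as root.

```shell
#!/bin/sh
# Added example, not from the thread: The Doctor's "halt only when the conditions are met"
# script, in the shape that sudo can hand to the media user. Assumptions made here:
# it is installed as /usr/local/bin/media-halt (name chosen for this example) and
# /etc/sudoers (edit with visudo) carries the single rule
#     media ALL=(root) NOPASSWD: /usr/local/bin/media-halt
# so the only thing media can do as root is run this script, which decides for itself.

ME=${MEDIA_USER:-media}   # the jailed account; everyone else's sessions block the halt

# Count login sessions (ssh, local tty, X) that belong to someone other than $ME.
# Reads "who" style lines on stdin: user tty date time [origin]. Prints the count.
count_other_logins() {
  awk -v me="$ME" 'NF >= 2 && $1 != me { n++ } END { print n + 0 }'
}

# Count tmux and screen session directories owned by someone other than $ME.
# A detached tmux/screen session has no login in "who", so it has to be found on disk:
# tmux keeps sockets under $1/tmux-<uid>, screen under $2/S-<user> (assumed paths).
count_other_multiplexers() {
  me_uid=$(id -u "$ME" 2>/dev/null || echo -1)
  n=0
  for d in "$1"/tmux-* "$2"/S-*; do
    [ -d "$d" ] || continue
    case $d in
      */tmux-"$me_uid"|*/S-"$ME") continue ;;   # the media user's own sessions do not count
    esac
    n=$((n + 1))
  done
  echo "$n"
}

# Refuse when anyone else is logged in or has a multiplexer session; otherwise power off.
check_and_halt() {
  others=$(who | count_other_logins)
  mux=$(count_other_multiplexers /tmp /run/screen)
  if [ "$others" -gt 0 ] || [ "$mux" -gt 0 ]; then
    echo "refusing to power off: $others other login(s), $mux tmux/screen session(s)" >&2
    return 1
  fi
  systemctl poweroff
}

# Only act when run as the installed script, so sourcing this file for its checks is safe.
case $0 in
  */media-halt|media-halt) check_and_halt ;;
esac
```

The wbar "power off" action for the media user would then be `sudo /usr/local/bin/media-halt`; because sudo matches the full path, the script must not be writable by media, or the allow-list is worthless. `who` covers ssh and local logins, the directory scan covers detached tmux and screen sessions that `who` cannot see; a reboot variant only needs `systemctl reboot` in place of `systemctl poweroff`.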

----------

