# How to create an offline user?

## Lars

Hi,

Is there a way to create a user that has no network access?

This user should:

- be able to open a browser but should not be able to access the internet.
- be able to read a pdf with a pdf-reader which is not able to access the network.
- be able to access all my local files, but not the nfs shares.
- not be able to get root.

 *Quote:*   

> This is easy, not be in the wheel group

 

Please, no answers like cap the cable. Everyone should be able to answer the reason for themselves.  :Cool: 

----------

## massimo

I suppose you can implement this by using iptables with -m owner.

----------
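massimo's suggestion written out, as an added example that is not part of any post in this thread: a POSIX shell script that prints, and can optionally apply, owner-match rules for one account. The account name `offline` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: per-user egress block with the iptables owner match.
# "offline" is a hypothetical account name; pass your own name or numeric UID.

# Print the rules for one account. Nothing is applied here.
# $1 = user name or UID
# $2 = "lo" to keep loopback reachable (default: blocked, because a proxy
#      listening on 127.0.0.1 would otherwise still be usable by this user)
offline_rules() {
    user=$1
    keep_lo=${2:-}
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user: $user" >&2; return 1 ;;
    esac
    # IPv4 and IPv6 have separate rule sets; blocking only one leaves the other open.
    for ipt in iptables ip6tables; do
        if [ "$keep_lo" = lo ]; then
            echo "$ipt -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
        fi
        # The owner match is valid in OUTPUT/POSTROUTING, on locally generated packets.
        echo "$ipt -A OUTPUT -m owner --uid-owner $user -j REJECT"
    done
}

# Apply the printed rules (needs root). Kept separate so the rules can be reviewed first.
apply_offline_rules() {
    rules=$(offline_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}

# Stand-alone use: ./offline.sh offline      -> print rules
#                  ./offline.sh offline lo   -> print rules, loopback allowed
if [ "$#" -gt 0 ]; then
    offline_rules "$@"
fi
```

The owner match sees only sockets opened by that user's processes; NFS client traffic is sent by the kernel, so these rules do not restrict the NFS shares.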

## havana8

I think so, yes

----------

## Roman_Gruber

Well, assume it's you and the not so privileged son; I would recommend that you start the network service as user root yourself every time. I did that for quite a long time with pptp over the years. I also used startx for the x-server. Same for WIFI. Those network scripts do not even work reliably on a SAMSUNG stock android tablet, custom rom nexus 4 smartphone, notebook and such. So I prefer always to start it by myself anyway.

----------

## jonathan183

 *Lars wrote:*   

> Hi,
> 
> Is there a way to create a user that has no network access?
> 
> This user should:
> ...

 

iptables will allow you to limit access to the net. I don't use nfs but suspect you need to limit permissions during mounting. I don't think users would get root unless you grant it ... Is this for someone you trust and just want to restrict access, or are you concerned about someone gaining unauthorised access?

----------

## nokilli

 *Lars wrote:*   

> 
> 
> be able to open a browser but should not be able to access the internet.
> 
> 

 

I'm pretty sure this is Firefox's ultimate goal.  Just give them time.

----------

## Ant P.

You could put the login session for that user in an isolated container; this doesn't even require root to set up:

```
~ $ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq state DOWN mode DEFAULT group default qlen 1000
    link/ether 01:23:45:67:89:ab brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 01:23:45:11:23:58 brd ff:ff:ff:ff:ff:ff
~ $ unshare -nr -- ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
```

----------

