13

I'm setting up a new user account, and I want to allow access to only certain programs for just that account. How would I go about doing that?

Bruno Pereira
  • 73,643
Lyrositor
  • 1,018
  • You might want to explain what type of programs (e.g. are you talking about using a GUI or just commandline shell access?). – JanC Oct 18 '10 at 19:35
  • Do you want the new account to be able to (1) execute only a part of the programs everyone else can use (e.g., you want the new user not to run Firefox), or do you want the new account to (2) run everything plus some programs of its own exclusive access? (I.e., in case 2. only the new account would be able to run program "foobar", other people would not.) – Riccardo Murri Oct 18 '10 at 20:16
  • Any programs, and I want to 1) prevent them from running Firefox, for example. – Lyrositor Oct 18 '10 at 23:24

2 Answers

15

Here is a quick way to do it with Firefox as an example:

  1. Create a group webusers.
  2. Change the rights of the Firefox binary to 750 (root:rwx, webusers:r-x) and the ownership to root:webusers.
  3. Add all users who should be allowed to use Firefox to the group webusers.

You can, of course, create groups for all individual programs. Here are the commands for doing it.

sudo addgroup webusers
sudo chmod 750 /usr/bin/firefox
sudo chown root:webusers /usr/bin/firefox
sudo adduser alice webusers
sudo adduser bob webusers
mniess
  • 10,546
  • As far as I understand, this is a blacklisting solution, isn't it? This means I'd have to blacklist all applications - which is not very practical. Also: What happens after the next firefox update? Will I have to reset the permissions on /usr/bin/firefox? – Thomas W. Oct 10 '15 at 06:20
  • An update shouldn't affect the permissions on the file. This is a blacklisting solution in the sense that you need to blacklist apps users shouldn't be able to run and a whitelisting solution in the sense that you need to whitelist the users who should be able to run the blacklisted apps. – mniess Oct 11 '15 at 15:44
  • This solution has helped me restrict the forbidden user from accessing the programs successfully, but the permitted users (Alice and Bob in this example) also aren't allowed to access the programs... What have I done wrong? – Abraham Murciano Benzadon Aug 06 '17 at 17:40
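
A check for the setup in the answer above, as an added example that is not part of the original posts: it verifies the owner, group and mode of the file behind the path (following symlinks) and each user's membership, and it separates the group database from the current login session, because a running session keeps the group list it had at login. The function names are made up for this example, and it assumes GNU `stat` and `readlink`.

```shell
#!/bin/sh
# Added example: audit the group-gated binary set up in the answer above.
# Assumes GNU coreutils (stat -c, readlink -f), as shipped on Ubuntu.

# in_list NAME: succeed if NAME is among the space-separated names on stdin.
in_list() { tr ' ' '\n' | grep -qxF -- "$1"; }
# Membership recorded in the group database (what adduser changes).
user_in_group() { id -nG "$1" 2>/dev/null | in_list "$2"; }
# Membership of the running session, which is fixed at login time.
session_in_group() { id -nG 2>/dev/null | in_list "$1"; }

# check_gate PATH GROUP [OWNER]: the file behind PATH must be owned by OWNER
# (default root), belong to GROUP, and give "other" no permission bits.
check_gate() {
    target=$(readlink -f -- "$1") || return 2   # follow symlinks to the real file
    [ -f "$target" ] || { echo "FAIL $1: not a regular file"; return 2; }
    want_owner=${3:-root}
    owner=$(stat -c '%U' -- "$target"); group=$(stat -c '%G' -- "$target")
    mode=$(stat -c '%a' -- "$target")           # octal, e.g. 750
    [ "$owner" = "$want_owner" ] || { echo "FAIL $target: owner is $owner"; return 1; }
    [ "$group" = "$2" ] || { echo "FAIL $target: group is $group, not $2"; return 1; }
    case $mode in
        *[2367]0) echo "FAIL $target: mode $mode lets $2 members modify it"; return 1 ;;
        *0) echo "OK   $target: $owner:$group mode $mode" ;;
        *)  echo "FAIL $target: mode $mode admits users outside $2"; return 1 ;;
    esac
}

# audit PATH GROUP USER...: check the file, then each user's membership.
audit() {
    path=$1; grp=$2; shift 2; rc=0
    check_gate "$path" "$grp" || rc=1
    for u in "$@"; do
        if ! user_in_group "$u" "$grp"; then
            echo "FAIL $u is not in $grp"; rc=1
        elif [ "$u" = "$(id -un)" ] && ! session_in_group "$grp"; then
            echo "WARN $u is in $grp, but this session started before that; log in again"
        else
            echo "OK   $u is in $grp"
        fi
    done
    return $rc
}

# Example call with the names from the answer: audit /usr/bin/firefox webusers alice bob
[ "$#" -lt 2 ] || audit "$@"
```

Running the same check again after package upgrades confirms that the ownership and mode are still in place.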
4

You might want to have a look at Pessulus and Gnome Nanny to lock down user accounts.

To lock down specific programs you can use AppArmor. There is no simple configuration to accomplish what you want, but the official Wiki has a nice article on AppArmor: https://help.ubuntu.com/community/AppArmor

mniess
  • 10,546