I am trying to figure out a solution for this:
I have some user which I created using command useradd. I want to allow this user do whatever he wants on a special location, say /var/www/. He might require to upload or download a file, extract a zipped folder, list the files and folders, change permissions etc.
He should be restricted to do anything else like creating another user/group, using sudo, install/uninstall anything or even accessing other folders or any other. Is it possible to achieve this? Can someone please help me at the earliest.
FYI: OS: Linux, any flavor Platform: AWS
Users created with
useradddo not have sudo access by default, and cannot install packages, add users etc... Only root can do that (via sudo or directly from a shell or script).Give the user theuser a home dir, (several ways to do that, use a command for instance [look near the bottom]).
And set accesses
Eg in
/home/theuser(sudo, or become root first)And the user will log in /home/theuser, can do, there, whatever he wants. Create, delete files and directories. Upload files (assuming he is allowed to use ssh to upload files via rsync for instance).
The last point from your question "even accessing other folders". Provided that other home dirs are - usually - only accessible by their owners (access like
drwx------or0700), do you really want the user not being able to see the system files etc...?In this case, you have to jail the user to its home dir, see this document on AskUbuntu, actually not specific to Ubuntu.
The reason I was asking about the file system, is because you could also use the ACL (Access Control Lists) to set a specific access to a given user at any level of the file system(s). E.g. preventing the user from visiting some particular areas of the system. More information on ACLs
You could put the user in a cgroup and a chroot. If you want SSH to be used as well, you could take a look at Jailkit which allows you to jail ssh users. In practice, a cgroup plus strict permissions on your server should be enough.