I have a situation where I need to allow an outside consultant to access one of our Ubuntu 18.04 systems. We would like to lock that user's account in a way so that when it logs in, they can only access three or four directories, and only use certain Linux commands like cd, /bin/cp, more, less, cat, for example.
I know that using sudo, I can configure a list of commands that this user is allowed to use from their $HOME directory. But is there also a way (using sudo) to allow the user to access Directory X but not allow them into Directory Y? For example, the user $HOME is /home/outsider, but I have three folders I want them to also be able to copy files into and read files from:
/workdir
/software-repository
/logs
I know I can control access to these folders through the group access rights (chmod). But is there a way to NOT allow a specific user access to some directory or file in sudo despite having read access to it on the system?
For example, /etc/hosts file has the following privileges:
-rw-r--r-- 1 root root 277 Sep 11 18:09 /etc/hosts
So only root can edit this file, but anyone can read it. Is the solution for this example just to chmod 0600 the /etc/hosts? I'm afraid that would cause problems for other apps that may be trying to read the hosts file.
And I can't just chroot the user's account, because they will need to be able to place files in a directory that is outside their $HOME structure.
Right now the only thought is to create a menu that comes up when they log into that account that traps them into a limited number of choices, such as:
1) View log file
2) Copy XML template
3) Test print report
0) Log off
If anyone has done this before, is there a better way?
Thx,
Steve
0 Answers
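The menu idea from the question, as an added example that is not part of the original post: each entry maps to one fixed action, unknown input is rejected, and the pager runs with `LESSSECURE=1` so that `less` cannot spawn a shell or editor. The file names under /logs and /software-repository, the function names, and the `--menu` argument (how the account's login shell or forced command would start it) are assumptions.

```bash
#!/bin/sh
# Added example: restricted login menu for the consultant account.
# File names are hypothetical; only the directories come from the question.
LOG_FILE="${LOG_FILE:-/logs/app.log}"
TEMPLATE="${TEMPLATE:-/software-repository/template.xml}"
DEST_DIR="${DEST_DIR:-/workdir}"

# Map a raw menu entry to a fixed action name; anything else is rejected,
# so user input never reaches a command line.
resolve_choice() {
    case "$1" in
        1) echo view_log ;;
        2) echo copy_template ;;
        3) echo test_print ;;
        0) echo logoff ;;
        *) return 1 ;;
    esac
}

view_log() {
    # LESSSECURE=1 disables less's shell escape (!), editor (v) and pipe
    # commands, any of which would hand the user an unrestricted shell.
    LESSSECURE=1 less -- "$LOG_FILE"
}

copy_template() { cp -- "$TEMPLATE" "$DEST_DIR/"; }

test_print() { echo "Test print is site-specific (placeholder)."; }

menu_loop() {
    # Ignore interrupt, suspend and quit so the menu cannot be broken out of.
    trap '' INT TSTP QUIT
    while true; do
        printf '1) View log file\n2) Copy XML template\n'
        printf '3) Test print report\n0) Log off\n> '
        IFS= read -r choice || return 0   # EOF (dropped session) logs off
        action=$(resolve_choice "$choice") || { echo "Invalid choice"; continue; }
        [ "$action" = logoff ] && return 0
        "$action" || echo "Action failed"
    done
}

# Start the menu only when invoked with --menu (assumed invocation).
if [ "${1:-}" = "--menu" ]; then
    menu_loop
    exit 0
fi
```

The menu only limits what the session can run; file permissions on the three directories still decide what the account can read or write.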