Guest
[Entry]
"There is a somewhat another way of creating this without using ACL's. But you need to practice caution here. Firstly, create a group, for example, called roroot (readonly root). Then apply that group id to all directories. Make the permissions for the group bits to be r-- or 400 octal, then you can create a user account just like an ordinary user, for example, rorootusr, with the next id set to whatever it is on your system, make it a member of a group roroot only, do not make it to be part of wheel,bin,etc, depending on what your groups are on your installation. The next bit is going to be kludgy. Open the /etc/passwd file using vim/nano/emacs/joe/ whatever editor rocks your boat, and look for the id you have just created, ie. rorootusr, the passwd file will look like this
root:x:0:0::/root:/bin/sh
Reading from left to right separated by colons you have user name, password (encrypted + shadowed), user id, group id, comment, home directory and shell. From the above example given
rorootusr:x:512:450:Root User RO:/home/rorootusr:/bin/bash
It is the 3rd field (512) that you change it to 0. 450 would be the group id for roroot. Save the edit session and you're done. Now rorootusr will have root access but is solely a member of the group roroot and has readonly access to the system.
Hope this helps,
Best regards,
Tom."
|
