Home » Questions » Computers [ Ask a new question ]

How can I create a user with read-only access to all files? (ie root without writing permissions)

How can I create a user with read-only access to all files? (ie root without writing permissions)

For backing up my server, I would like to remotely access it via SSH. To minimize all risks, it want to user a user who only has read access, but to all files, just like root. However, he shouldn't have any write rights.

Asked by: Guest | Views: 96
Total answers/comments: 2
Guest [Entry]

"Might I suggest another method to solve your problem that's less maintenance intensive.

You can create ssh keys which have limited access to specific programs. I dislike granting root unrestricted access, but sometimes you need to enable certain commands to be run via remote. With ssh keys you can have your backup program run via ssh command.

Check out the 'AUTHORIZED_KEYS FILE FORMAT' section in your sshd man page (I'm assuming you're using OpenSSH).

Guest [Entry]

"There is a somewhat another way of creating this without using ACL's. But you need to practice caution here. Firstly, create a group, for example, called roroot (readonly root). Then apply that group id to all directories. Make the permissions for the group bits to be r-- or 400 octal, then you can create a user account just like an ordinary user, for example, rorootusr, with the next id set to whatever it is on your system, make it a member of a group roroot only, do not make it to be part of wheel,bin,etc, depending on what your groups are on your installation. The next bit is going to be kludgy. Open the /etc/passwd file using vim/nano/emacs/joe/ whatever editor rocks your boat, and look for the id you have just created, ie. rorootusr, the passwd file will look like this


Reading from left to right separated by colons you have user name, password (encrypted + shadowed), user id, group id, comment, home directory and shell. From the above example given

rorootusr:x:512:450:Root User RO:/home/rorootusr:/bin/bash

It is the 3rd field (512) that you change it to 0. 450 would be the group id for roroot. Save the edit session and you're done. Now rorootusr will have root access but is solely a member of the group roroot and has readonly access to the system.

Hope this helps,
Best regards,