Setup restricted user account.

Similar Messages

• Restrict user account, prevent intruder from doing bad things

  Hello,
  I am currently planning and setting up a backup-server with ZFS. There will be daily snapshots of the filesystem (cron job).
  Different machines connect automatically without a password via ssh (public/private key) and rsync their stuff to the backup server.
  Each machine will connect to it's specific user (and therefore to it's own home directory) on the backup server. I thought that if one of the machines gets compromised (e.g. someone gets access to the private key) he only could access one home folder, nothing more. As there are daily snapshots, even it he deletes all files, they will still be there.
  Is just adding a normal user per machine enough or should / can be done more to enhance security? As I said the user account is only for logging in and rsyncing stuff to the home directory.
  E.g. disabling executing of applications except of rsync? Preventing fork bombs? Making it harder to run exploits? Other stuff I didn't think about?
  Thanks
  Last edited by cyberius (2013-02-17 08:23:39)

  -Syu wrote:
  You might also want to limit those user accounts themselves. If you only use them vor rsyncing, remove them from all unnecessary user groups (the "users" group in particular) and take away their shells.
  On top of that, you may want to give each user a chroot jail, so they can't even write to /tmp for example.
  I'm not too familliar with rsync yet. If you really need to make your other machines log in and execute rsync themselves over SSH, you might want to take a look at limited shells like lshell to only allow execution of that program.
  Great, thank you! This was something I was looking for!
  But if I take away the shell completely (e.g. chsh -s /sbin/nologin username), I think I won't be able to rsync via ssh right?
  lshell sounds very promissing for my case, I will have a look at it!
  edit: I found out that there is also a "--restricted" option for "bash", where one can disable PATH variables, changing directories. I will have a look.
  Last edited by cyberius (2013-02-18 10:14:36)

• How to setup a user account for brtools backup

  Dear Sir,
  We have SAP running on Unix (AIX) and ORACLE Database . For the backup , we take the backup using brtools . At present , I am able to take the backup from the  dba user account .
  DBA user account (at os level) is oradv and group name is sapsys .
  For taking the routine backup using brtools , I want to create a seperate user account . For this I created a user , named bkup . For this user , I have defined primery group as sapsys .
  During execution of brtools command , I am getting following error :
  BR0252E Function stat() failed for '/usr/sap/DEV/SYS/exe/run/brarchive' at location BrFileStatGet-1
  BR0253E errno 13: Permission denied
  BR0273E Determination of file status for /usr/sap/DEV/SYS/exe/run/brarchive failed
  Kindly guide us , as what parameters / authorization etc need to be changed for user account bkup , so that brtools command can work without any error .
  With Thanks and Rgds
  Sonia Agarwal

  do lsuser oradv, check it's authorizations and give same auths to new user bkup

• How do I setup multiple user accounts on my iPad2?

  I would like to have two users on iMessages on my iPad2.  When I attempt to enter the second user email address it errors-out with 'email already in use'?

  Mikey,
  Could the second email address be associated with a defferent Apple ID?
  Matt

• How to setup a user account?

  i am new to the macbook air and have logged in and made an account but now i want to make another and have no idea how to.

  http://support.apple.com/kb/PH11468
  The process is the same for Mavericks.

• Can I setup multiple user login accounts?

  1. Like a normal macbook computer, can I setup multiple user account with password?
  2. If it's single user only, can I setup password on an ipad? thanks

  You cannot setup multiple user accounts like on a computer. You can set up a passcode to lock the device. Settings>General>Passcode Lock.
  iOS: Understanding passcodes

• Cannot log in to new user accounts

  I am a long time Apple user and am completely confounded by a problem I am having creating new user accounts on my G4/400 PowerMac running OX 10.4.11. I've been attempting to setup some user accounts for my kids to use. I have no problems setting up the accounts but when I log out of mine and try to log in as them the login window shakes from side to side indicating an incorrect password. This is something that I had a problem a year ago and never solved and today I am trying once again with out success. I feel like I am doing everything correctly since I've been able to do this on my G3 iBook and MacBook.
  Here are a few things I've also done.
  -repaired permissions on the drive ( I have 2 in the machine right now but the other is just my iTunes LIbrary drive)
  -deleted the old user accounts that I setup but couldn't access.
  -tried setting up more new accounts
  -repeated the process several times without ever being able to successfully login to any of the new accounts that I created.
  Any advice to solve this problem would be appreciated.
  Thanks
  Chris

  Hi cc_mac,
  I don't know if you have solved this one yet, but I had exactly the same issue when I recently had a hard drive failure and had to re-install everything. I had copies of all my files, but when I went to set up the user accounts, I could create each account, but I couldn't log in.
  There is a simple solution, you will need to be in an admin account and you will need to use the command line, so open up a terminal window.
  Use the following command for each account you need to fix:
  sudo passwd <username>
  where <username> is the account name that you cannot currently log in to.
  You will need to enter your admin password to allow you to use sudo, so do that. Then you will be asked to type in the new password for the new account. Just to be absolutely sure, you will be asked to re-enter the new password, so do that, and you are done.
  Log out of your admin account, this should bring you back to the log in screen. Now, if everything has gone according to plan, you should have an operational user account.
  I'm not sure what the cause of this issue is but it might be some sort of permissions issue happening in the background. Nevertheless, manually setting the password this way seems to have fixed it for me. I sincerely hope this helps you too.
  Kind Regards,
  Mark D.

• Multiple Macs with multiple user accounts

  I have a Mac computer connected to airport and use Time Machine for backups. This works well.
  I have now purchased a second Mac and would like to include this second Mac so that I can move between Macs and work. There does not appear to be any mechanism to allow this.

  After searching the web and the discussion here, here's my minimal impact solution for multiple Macs with multiple users in a household:
  1) Set up Mac1 for myself only
  2) Set up Mac2 for the wife and kid
  3) Set up each Mac to backup to the Airport base station using Time Machine (this would create two separate backups on the Airport base station's drive, which from what I've read has its own problems)
  4) On Mac1 setup "empty user accounts" for the wife and kid. These will not have any files in them - just an access mechanism. If they want to access their files, they can use Time Machine's "The Browse Other Backup Disks Option" to get their file from Mac2, work on it and then drop it in the Shared Folder. Next time they are on Mac2, remember to copy the updated/created file from the Shared Folder into their Mac2 user account. If possible, get Time Machine to not backup the "empty user accounts".
  5) Do the same for me on Mac2.
  Not the most elegant solution, but until Apple get off their backside and make this seamless, I can't think of anything else :-( .
  P.S. iCloud is not a soluton since it costs hundreds of dollars a year, uses up intenet data allowance and is slow.

• Can't open AI VIs when logged in as a restricted user

  I have a VI that does simultaneuos analog I/O (LabVIEW 6.1, Windows XP). This VI works fine when I am logged in as administrator, but when I try to run this VI from a restricted user account LabVIEW can't find the AI VIs (AI Config, Start, Clear and Read). All AO VIs can be found. I have changed the restricted user's permissions to the National Instruments folder to full control, as described in http://digital.ni.com/public.nsf/allkb/BB393E7B361E939886256EFD007AC591 but I still can't run my VI.
  Does anybody know how to solve this problem?

  Thank you for your answer.
  Unfortunately I can't try your solution on the computer where the problem occurred because it is used in another course for the moment and is therefore not available. But I tried to recreate the problem on another computer. I created a restricted account and when logged in on that account I opened my VI and it worked fine... (all subVI:s were found). By default, the restricted account had Read & Execute, List Folder Contents and Read permissions for the MAX folder. So, I then unchecked the Allow-boxes in an attempt to recreate the problem, but the VI still worked on the restricted account. Then I checked the Deny-boxes for the permissions mentioned above, but the VI still worked. Since I couldn't recreate the problem I don't know if your solution is the right one, but at least I can draw the conclusion that it is possible to run my VI from a restricted account.
  But I will try your solution on the computer where the problem occurred when it is available and I will let you know whether the problem was solved or not.

• Sharing programs among several user accounts

  Hi,
  I've just bought my first mac mini and I've setup several user accounts for my family members. For myself I created an admin account
  Among others I've bought Microsoft Office, these programs are visible on my account, but not on the other accounts.
  How can I make these programs available on all accounts?
  Thanks in advance.
  Regards,
  Twan

  Log into the account which has access to them, control-click their Dock icons, move them to the Applications folder at the top level of the drive if needed, and open them in the other accounts.
  (123261)

• How to disable Wifi for one user account?

  Hi.
  I am setting up very restricted user account in Lion that I want to use on gigs when using Ableton Live 8 on stage.
  Basically, my user account should just allow to run Live 8 and nothing else.
  Is it possible that the airport get switched off when login into this particular user account?
  Thanks in advance for your help

  EDIT: If the stuff below seems more complicated than you wish to be involved in, feel free to ignore it.
  The Mac will send packets bound for the Internet to the Top-Most ACTIVE interface listed in the left side of the box at:
  System Preferences > Network
  If you set the 'Service Order' to have Ethernet at the top, whenever Ethernet is working, Wi-Fi will be ignored.
  Set Service order is available using the gear Icon at the bottom of that box.
  So all my Internet traffic is going over my Ethernet connection, even though Wi-Fi is still connected and nominally "active".

• Help...2 admin user accounts - Lion - only 1 has a Library folder

  Hello,
  I setup two user accounts with admin priviledges on new MacBook Air with Lion. For the first account I used setup assistant and that one has a Library folder (invisable). Then I used Migration Assistant to bring in most of my user account (not music or movies) from my MacBook. However there is no Library folder for that account (visable or invisable). ??? Does it share the other user account's Library? That would not make sense. I want to bring over some of my old files/folders from the Application Support folder. Can anyone adivse me? Thanks.

  Nevermind... I found it by holding option and clicking on the Go menu from Finder. Strange though that it did not show up when I did a find for folders named Library with File visibility: Visible or Invisible which is how I found the Library in the other user account...

• Unique audio/video settings per user account?

  I have a rather strange question...
  I recently purchased my first mac and love it so far, but being a windows user for 15 years is taking some getting used to.
  My situation:
  (VIDEO) I currently have a mac mini hooked up to a monitor utilizing the mini-port to DVI. Secondly I am using the HDMI port out to an HDTV.
  (AUDIO) I am using the headphone out to my DVI monitor and my HDMI obviously runs through the HDMI cable.
  I have setup 3 user accounts...mine, my wife's, and one for a "media center".
  My question:
  Is there any way that I can setup the "media center" user account to be the only account that will recognize only the HDMI port for video/audio? Since I have my mac in a different room from my HDTV, I do not want to be going back and forth every time I wish to utilize my "media center" account.
  I hope my issue is clear...thanks in advance for any help!
  MK

  ProRes ships with Final Cut Pro 6 - it does not come with 5.
  You can download the decoder separately but I don't know how well that will work on older versions of FCP:
  http://support.apple.com/downloads/AppleProRes_QuickTime_Decoder_1_0_forMac

• Execute script as restricted user

  I'm trying to execute a script that works under an administrator account but not under our student accounts, access is denied. The script changes some keys/values in the registry. I've tried several different options in ConsoleOne and Group Policy, but nothing seems to work, I might be missing something though. Is there anyway to get this to run and change the registry under a restricted user account? We are running Windows XP at the moment on our machines. I would greatly appreciate any help and getting this to work. If you need anymore information I'll be glad to provide. Thanks.

  Originally Posted by brpwll
  I'm trying to execute a script that works under an administrator account but not under our student accounts, access is denied. The script changes some keys/values in the registry. I've tried several different options in ConsoleOne and Group Policy, but nothing seems to work, I might be missing something though. Is there anyway to get this to run and change the registry under a restricted user account? We are running Windows XP at the moment on our machines. I would greatly appreciate any help and getting this to work. If you need anymore information I'll be glad to provide. Thanks.
  Simply set it to run as secure or unsecure sytem user.
  Thomas

• Iphoto/preview crashing with multiple user accounts

  Hi everybody,
  I'm stuck for a while now with my iMac and parental controlled user accounts.
  It's for a few months now iPhoto and Preview keep crashing at starting up in these other accounts.
  All works fine in my own administrator account. I'll copy a the first part of the crash state, maybe that will help.
  I think the problem started with connecting a photocamera (Sony W125) directly to the computer.
  It seems that viewing pictures (PDF/iphoto) is corrupted in this way.
  I'm working on an late 2011 iMac 2,5 Ghz Intel Core i5 /12GB 1333 / OSX 10.7.5
  Allready done:
  removed plists
  repaired permissions
  re-installed Lion
  re-installed iPhoto
  give full permissions too all other accounts (checking out parental control i.o.w.)
  made a new user acount with full permissions except administrator function (also crashes of iPhoto)
  tried some searching in Root-account but where afraid to damage stuff.
  looked around on the web but I couldn't find people with the same problem
  Thanks a lot for your help in advance.
  Michiel
  Process:         iPhoto [1058]
  Path: /Applications/iPhoto.app/Contents/MacOS/iPhoto
  Identifier:      com.apple.iPhoto
  Version:         9.4.2 (9.4.2)
  Build Info:      iPhotoProject-710042000000000~2
  Code Type:       X86 (Native)
  Parent Process:  launchd [807]
  Date/Time:       2012-11-05 10:30:59.667 +0100
  OS Version:      Mac OS X 10.7.5 (11G63)
  Report Version:  9
  Interval Since Last Report:          247 sec
  Crashes Since Last Report:           2
  Per-App Crashes Since Last Report:   1
  Anonymous UUID: 19E6D82E-8DD9-4044-B141-C67D09268E1F
  Crashed Thread:  0 Dispatch queue: com.apple.main-thread
  Exception Type:  EXC_BAD_INSTRUCTION (SIGILL)
  Exception Codes: 0x0000000000000001, 0x0000000000000000
  Application Specific Information:
  dyld: launch, running initializers
  /usr/lib/libSystem.B.dylib
  xpchelper reply message validation: code signature invalid
  The code signature is not valid: The operation couldn’t be completed. (OSStatus error 100005.)
  Application Specific Signatures:
  code signature invalid
  Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
  0 libxpc.dylib                      0x96b2254e runtime_init + 2014
  1 libdispatch.dylib                         0x92d10c27 dispatch_once_f + 50
  2 libxpc.dylib                      0x96b22d92 _xpc_runtime_set_domain + 350
  3 libxpc.dylib                      0x96b1f9af _libxpc_initializer + 578
  4 libSystem.B.dylib                        0x94ba77a7 libSystem_initializer + 199
  5 dyld                                  0x8fef1203 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 251
  6 dyld                                  0x8fef0d68 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 64
  7 dyld                                  0x8feee2c8 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 256
  8 dyld                                  0x8feee25e ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 150

  After searching the web and the discussion here, here's my minimal impact solution for multiple Macs with multiple users in a household:
  1) Set up Mac1 for myself only
  2) Set up Mac2 for the wife and kid
  3) Set up each Mac to backup to the Airport base station using Time Machine (this would create two separate backups on the Airport base station's drive, which from what I've read has its own problems)
  4) On Mac1 setup "empty user accounts" for the wife and kid. These will not have any files in them - just an access mechanism. If they want to access their files, they can use Time Machine's "The Browse Other Backup Disks Option" to get their file from Mac2, work on it and then drop it in the Shared Folder. Next time they are on Mac2, remember to copy the updated/created file from the Shared Folder into their Mac2 user account. If possible, get Time Machine to not backup the "empty user accounts".
  5) Do the same for me on Mac2.
  Not the most elegant solution, but until Apple get off their backside and make this seamless, I can't think of anything else :-( .
  P.S. iCloud is not a soluton since it costs hundreds of dollars a year, uses up intenet data allowance and is slow.