UPDATE: I figured out what I wanted to do ultimately. See here: https://raspberrypi.stackexchange.com/questions/13401/locking-down-raspbian-to-only-allow-limited-features/58778#58778
I'm super confused by this answer here: https://stackoverflow.com/a/527976/4561887
It says:
The user will need read/execute rights to execute any command (ls, login shell, etc), so you can't easily take all rights away.
Usually it's enough to make sure they can't mess with the home directories of other users. To do this, put the user into a new group (like "untrusted"), chown his home directory and revoke the group and other rights on all home directories: chmod go-rwx /home/*/
But I don't really understand what he's saying. Someone please help me out. Here's what I've got so far, with some of my questions in bold below:
In full:
- Make a new user called "guest":
sudo adduser guest
- Make a new group called "untrusted":
sudo groupadd untrusted
- Add user "guest" to group "untrusted":
sudo usermod -a -G untrusted guest
Ensure user "guest" is now part of group "untrusted":
groups guest
Output is:
guest : guest untrusted
This means user "guest" is part of groups "guest" and "untrusted." Good.
- Take ownership of any directories you want "guest" to have access to. Note that since we used adduser above, guest already has access to his "/home/guest" home folder. However, giving user "guest" ownership of other directories can be done as follows:
sudo chown -hR guest /any/directory/you/want/guest/to/own
- ??? (did I do the above so far correctly???) --I still want other super users to be able to see guest's files. What's the point of making the "untrusted" group anyway? I don't see how it changes anything.
- Revoke the read, write, and execute (rwx) Group and Other rights on all other home directories: ??? If I do chmod go-rwx /home/*/, then other sudoers can't even read guest's directories--that's not what I want!--I just want guest to not be able to read others' directories, not quite the other way around, though if I make a guest2 he shouldn't be able to see guest1's directories either, nor should guest1 be able to see guest2's directories, but sudoers should be able to see both guest1's and guest2's directories.
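
An added illustration, not part of the original post or the linked answer: a small Python model of the classic owner/group/other check on home directories after the equivalent of chmod go-rwx /home/*/. The account names, uids and gids are constructed, each home is assumed to be owned by its user and that user's private group, ACLs are ignored, and uid 0 stands for a command run through sudo.

```python
import os
import stat
import tempfile

# Constructed accounts (hypothetical uids/gids): uid -> (name, set of gids)
USERS = {
    0:    ("root",   {0}),
    1000: ("admin",  {1000, 27}),     # a sudoer acting WITHOUT sudo
    1001: ("guest1", {1001, 2000}),   # 2000 = constructed gid for "untrusted"
    1002: ("guest2", {1002, 2000}),
}

def revoke_group_other(path):
    """Same effect as `chmod go-rwx path`: clear the group and other bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~0o077)
    return stat.S_IMODE(os.stat(path).st_mode)

def can_list(uid, owner_uid, owner_gid, mode):
    """Classic Unix check for listing a directory (needs r and x).
    Simplified model: no ACLs, and uid 0 bypasses the mode bits."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = mode >> 6          # owner triplet
    elif owner_gid in USERS[uid][1]:
        bits = mode >> 3          # group triplet
    else:
        bits = mode               # other triplet
    return (bits & 0o5) == 0o5

def access_matrix():
    """Build a throwaway /home lookalike, lock it down, report who can list what."""
    result = {}
    with tempfile.TemporaryDirectory() as home:
        for owner in (1000, 1001, 1002):
            path = os.path.join(home, USERS[owner][0])
            os.mkdir(path)
            os.chmod(path, 0o755)             # typical mode before lockdown
            mode = revoke_group_other(path)   # real mode read back from disk
            for uid, (name, _) in USERS.items():
                # Assumption: home is owned by user `owner` and private group `owner`.
                result[(name, USERS[owner][0])] = can_list(uid, owner, owner, mode)
    return result

if __name__ == "__main__":
    for (who, whose), ok in sorted(access_matrix().items()):
        print(f"{who:7} -> /home/{whose:7} {'allowed' if ok else 'denied'}")
```

In this model the shared "untrusted" group never matches any home directory's owning group, so membership in it changes none of the results.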