Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0
votes
1
answers
73
views
use setfacl to remove a users access to a directory?
So here is something I could not find any reference to, I have this user, user_A, I want to remove its access to this directory entirely /log/dirA
As far as I understand, chmod is used to modify the access in this order user/group/others.
Others is general and does not care who this is, just anyone other than the user, while not a member of group will be "other(s)", so I don't want to mess with other users access to this path, but I want to limit user_A from accessing it.
Does **setfacl** work for directories too? Because I used this command, which I think should deny read/write/execute access of the mentioned directory to the user_A, but the user is still able to cd into the mentioned dir. Does setfacl apply only to files?
Command:
setfacl -Rdm u:user_A:--- /log/dirA
ls -lhtr of the mentioned path:
rwxr-xr-x+ 3 Mainuser Mainuser 19 Apr 17 2018 dirA
getfacl /log/dirA :
# file: dirA/
# owner: Mainuser
# group: Mainuser
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user_A:---
default:group::r-x
default:mask::r-x
default:other::r-x
Navid Taghavi
(25 rep)
May 19, 2025, 08:45 AM
• Last activity: May 19, 2025, 02:58 PM
83
votes
3
answers
74650
views
How to restrict an SSH user to only allow SSH-tunneling?
How can I restrict a user on the SSH server to allow them **only** the privileges for SSH tunneling? I.e. so they cannot run commands even if they log in via SSH.
My Linux servers are Ubuntu 11.04 and OpenWrt.
LanceBaynes
(41465 rep)
Jun 3, 2011, 08:47 AM
• Last activity: Feb 4, 2025, 07:22 PM
0
votes
1
answers
191
views
How to lock down Ubuntu linux so that only the active user can log in
I am new to Linux and interested in only allowing login via direct access to the machine (active user). I don't even want to be able to log in remotely myself. Can someone please point me in the right direction on how to do this? I am using Ubuntu.
pac_2023
(13 rep)
Oct 28, 2023, 03:22 PM
• Last activity: Oct 28, 2023, 03:26 PM
1
votes
0
answers
153
views
Block Particular Command in Linux for Specific Users
I want to whitelist some of the commands for users. I am getting solution using LShell [Limited Shell](https://github.com/ghantoos/lshell) but I want to restrict subcommands as well.
I want user to access `docker ps` and `docker logs` only. How can I achieve it via LShell?
mhassaankhokhar
(13 rep)
Oct 17, 2023, 08:03 AM
• Last activity: Oct 17, 2023, 09:56 AM
43
votes
2
answers
31665
views
Do you need a shell for SCP?
I'm allowing a friend a local account on my machine, exclusively for SCP. Can I specify his account's shell as `/bin/true`, or in any other way limit the account, while still allowing SCP?
user4518
Mar 21, 2011, 10:06 PM
• Last activity: Sep 28, 2023, 07:47 AM
0
votes
0
answers
192
views
Account unlock is not happening even after unlock_time
I want to lock user account after 3 failed attempts, I am following this guide. I am using Ubuntu 14.04 (for jumphost purposes only). However, the automatic unlock is not happening after 10 minutes. To unlock I have to manually execute the following command
sudo pam_tally2 -u devops --reset
rahuls_
(11 rep)
Sep 25, 2023, 05:15 AM
• Last activity: Sep 27, 2023, 06:55 AM
1
votes
2
answers
506
views
How to prevent other users from creating new SSH sessions?
When I work on a Linux test server (Debian 11) I have root, and want to block other users from opening new sessions to this server during my work.
Is it possible?
tuytuy20
(115 rep)
Mar 28, 2023, 07:43 AM
• Last activity: Mar 29, 2023, 11:19 AM
1
votes
2
answers
1555
views
Does /usr/sbin/nologin have any side effects?
Background: We have a policy in the company to deactivate the login possibility as much as possible, which is understandable.
I am just wondering if there are any other side effects if you specify `/usr/sbin/nologin` as the login shell of an account? Apart from the login capability are there any other capabilities or features which will be deactivated? Any other known side effects?
megloff
(429 rep)
Feb 25, 2021, 07:07 PM
• Last activity: Dec 30, 2022, 01:01 PM
1
votes
1
answers
410
views
Using sleep command in ssh authorized_key to prevent user's actions
I'm setting up an Ubuntu server to receive ssh connections from clients so I will then be able to connect back to their machine (reverse SSH tunneling). I searched for a way to prohibit any action from the client on the server, and I found different solutions, but none seems as simple as just configuring the authorized_key of a specific client on the server by adding:
command="sleep x seconds"
Am I missing something important that would make that solution not a good one?
Joel Rivest
(13 rep)
Jan 11, 2022, 09:23 PM
• Last activity: Jan 12, 2022, 02:58 PM
2
votes
1
answers
2859
views
Restrict SFTP users to different directories
How can I restrict some users/groups to some directories? I mean different users, different directories.
- What I have: Ubuntu 14.
- Experience with Ubuntu: Just started.
What I have tried:
1. I read [this page](https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-on-ubuntu-12-04). This was working till a bit extent, what the problem is that, the user can do things only in his folder/directory, which is read/write and edit, but the user can also go elsewhere, and open files and copy scripts from there, which can be risky as while having a game server on the VPS. He can't delete/edit or add files but can VIEW files other than his directory.
2. And, then [this page](http://www.krizna.com/ubuntu/setup-ftp-server-on-ubuntu-14-04-vsftpd/). This worked fine, but the problem is, I couldn't find a way to add more users to different directories. Like, I could only add one user to directory which was specified in sshd_config file. There is only one directory which can be restricted for one group. I want it to be flexible, able to add different users to different directories... groups.
Here is what I'm talking about:
sshd_config
Subsystem sftp internal-sftp
Match group shooter
ChrootDirectory /home/shooter/shooter/mods
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
That `shooter` group can only access that `ChrootDirectory`. If I add different users to that group, they'll be able to view only that path. I want other users to view other directories, how is that possible?
Please help me, It's really important for me, as I've many game-servers to handle on a VPS, working with different developers.
Shikhar Baheti
(21 rep)
Sep 19, 2015, 01:06 PM
• Last activity: Nov 25, 2021, 06:00 PM
1
votes
0
answers
69
views
Restrict root to su local accounts
I know that root can modify any config file.
As a best practice, I would like to disable the capacity for root to su on accounts which authenticates against NIS or Active Directory.
As a best practice, I would like to allow root to su only on local accounts. *My* definition of a local account is any line with an id in /etc/passwd (because of the `+user::::::` for NIS access).
I guess it would involve modifying the pam config, but I'm not clear on the how.
Mat M
(143 rep)
Jun 22, 2021, 10:06 AM
4
votes
1
answers
3202
views
How to check if unix account has been created with "--disabled-login" and "---disabled-password"
In Linux distributions like RedHat you can create a user with options `--disabled-login` and `---disabled-password` (see man page for command `adduser` link).
I wonder if it is possible to check for an administrator after user creation if the login and password is disabled for a given user? Exists there any possibility?
megloff
(429 rep)
Feb 26, 2021, 08:39 AM
• Last activity: Feb 26, 2021, 02:52 PM
0
votes
2
answers
580
views
Accounts with no password - are these capable to be login?
When you install software on linux often users and groups get automatically created.
I am wondering if during this user creation a "default" or "random" password will be set and if not if you still will be able to login through the console (assumption is that a shell entry got created in /etc/password and it is not set to nologin). Normally when you call "adduser" you have to provide a password. How does this work for automatic created users through software installations?
megloff
(429 rep)
Feb 25, 2021, 07:14 PM
• Last activity: Feb 25, 2021, 09:11 PM
0
votes
2
answers
483
views
Is it possible to prevent users to modify printer options in CUPS?
A small family setup...
I have a color printer, and a Linux computer, with CUPS installed. I want to allow the kids to print, but only in draft mode, and only in greyscale.
With CUPS I prevented the kids' account from accessing the printer. Then I set up a second printer, for the same hardware printer, but with different default options (draft and greyscale), and allowed the kids to access this new printer.
It works, when they print the default options for this new printer are indeed draft and greyscale. But they are just that, default options. They can change it.
Is there a way to prevent users from changing the options of a printer?
ChennyStar
(1969 rep)
Feb 18, 2021, 10:05 AM
• Last activity: Feb 21, 2021, 04:42 PM
57
votes
6
answers
68490
views
How do I completely disable an account?
How do I completely disable an account? `passwd -l` will not allow anyone to log into an account using a password but you can still log in via private/public keys. How would I disable the account completely? As a quickfix I renamed the file to `authorized_keys_lockme`. Is there another way?
user4069
Feb 20, 2011, 02:13 AM
• Last activity: Sep 29, 2020, 04:48 AM
0
votes
1
answers
270
views
How to restrict a local user to a jail directory in linux?
I have searched on google for restrict a user to a specific directory but mostly appeared about ssh user, ftp user and etc that not local user.
How do we do that for local user?
Zozzizzez
(137 rep)
Sep 25, 2020, 10:53 AM
• Last activity: Sep 25, 2020, 11:11 AM
0
votes
0
answers
44
views
How to limit user to only cat & exit commands?
I would like to limit a user to only two commands: `cat` and `exit`. I've tried to edit `visudo` but it does not work. My OS version is CentOS 8.
kdm.J
(11 rep)
Sep 1, 2020, 08:57 AM
• Last activity: Sep 2, 2020, 05:13 AM
26
votes
3
answers
44939
views
Can a command be executed over ssh with a nologin user?
If a user has `loginShell=/sbin/nologin` is it still possible to
ssh user@machine [command]
assuming that the user has proper ssh keys in its home directory that can be used to authenticate?
My goal is to keep the user as a nologin, but still able to execute commands on a few other machines on the network (similar to its use through 'sudo -u'), and am wondering if this is a reasonable course.
Centimane
(4520 rep)
Feb 10, 2015, 02:32 PM
• Last activity: Aug 6, 2020, 12:36 AM
0
votes
1
answers
747
views
Restrict some commands for user/group using sudoers (visudo)
I want to create group and want to allow the group to run all available commands except few commands. Can you please help me configure sudoers for the same.
I checked but only found how to allow some commands. But I want to restrict some commands and allow remaining all.
Thanks
Navi
(93 rep)
Jun 13, 2020, 05:35 PM
• Last activity: Jun 13, 2020, 06:33 PM
0
votes
1
answers
997
views
Ubuntu: Pointing an SFTP user to its working directory without listing other user's directory
I am working on configuring an SFTP server on Ubuntu Server 18.04. I want to create SFTP accounts that point directly to their working directory without listing others. For example if the real working directory on the server is `/sftpdir1/sftpdir2/user1`, the user should see it as `/` and not `/user1` like when using `chrootdirectory`: when I login via FileZilla I should find as shown in the image below where I can upload and download files.
Update: why not setting chrootdirectory in `/etc/ssh/sshd_config`
If I have more than one user assigned to the same group, so having the same `chrootdirectory`, any user among will see others' working directory. Or by logging in I don't want the user to see others' dir nor the tree of his/her own working directory: just find `/` like shown in the image.
fadwa dhifi
(9 rep)
Jun 4, 2020, 10:50 AM
• Last activity: Jun 4, 2020, 06:39 PM
Showing page 1 of 20 total questions