On 2017-02-02 Grigory Shamov wrote:
> Hi All,
> somehow locked to the particular users and perhaps even particular apps?
Particular users can probably be handled with custom PAM rules/settings. Particular apps are much harder. I think you'd need to create an install (perhaps virtual) that just has the apps you want those users to use.
> I.e., so that any file manager would stay under selected paths the user has access to?
That's chroot-y if you want the OS to only show the user what's in /home/foo in a secure way. However, there's no chroot method that will lock them in one data path without requiring copies of the relevant bins/libs/etc. for the apps you want to run. I don't even think any of the recent developments like cgroups, Docker, etc., can help you here.
Even trying to hardlink everything into a chroot environment under the user's home dir wouldn't work, I don't think, because of the complexity of login managers, and X in general.
Now you might be able to find a file manager that can be set to limit views to certain paths, but without something at the OS layer locking things down they can always escape somehow if they know what they are doing (or bring up a shell).
If I'm understanding what it is you're trying to do correctly, I'm afraid there may be no solution. However, if you perhaps redefine your policy goals of what exactly you're trying to protect against, perhaps you can achieve those goals without locking things down as drastically as you think you need to.
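As an added illustration of the cost mentioned in the reply above (a chroot only works once the binaries and every shared library they link against have been copied under the new root), here is a small POSIX shell script. It is example code written for this thread, not something the original poster or respondent supplied. The `ldd` output it parses is a constructed sample with invented addresses, so the self-contained part runs offline; `populate_chroot` assumes a real GNU/Linux system with `ldd` and GNU `install`, and paths such as `/srv/jail` are placeholders.

```shell
#!/bin/sh
# Added example: what a per-app chroot actually needs. The reply above notes
# that there is no chroot that confines a user to one data path without
# copying the relevant bins/libs; this script makes that dependency list
# explicit and copies it into place.

# parse_ldd: read ldd-style output on stdin and print one absolute file path
# per line. It handles both "libfoo.so => /path/libfoo.so (addr)" lines and
# the bare dynamic-loader line "/lib64/ld-linux-x86-64.so.2 (addr)".
# "linux-vdso.so.1" is kernel-provided and has no file, so it is skipped.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# count_deps: number of files a binary would drag into the chroot, given
# ldd-style output on stdin.
count_deps() {
    parse_ldd | wc -l | tr -d ' '
}

# populate_chroot ROOT BIN...: copy each binary and its libraries under ROOT,
# keeping the original absolute paths (so /bin/ls lands at ROOT/bin/ls).
# Assumes GNU install (-D creates parent directories) and a working ldd.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        install -D -m 0755 "$bin" "$root$bin" || return 1
        ldd "$bin" | parse_ldd | while read -r lib; do
            [ -e "$root$lib" ] || install -D -m 0755 "$lib" "$root$lib" || exit 1
        done || return 1
    done
}

# Constructed sample of "ldd /bin/ls" output (addresses invented for the
# example; the library set mirrors a typical glibc-based distribution).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd2a3f0000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f1c2e500000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2e200000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2e560000)'

# Run as "sh chroot-deps.sh demo" to list what a chroot for the sample binary
# would need; run with "build /srv/jail /bin/ls" on a real host to copy it.
case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_LDD" | parse_ldd ;;
    build) shift; populate_chroot "$@" ;;
esac
```

Even this minimal list already pulls libc and the dynamic loader into every jail, and a file manager or anything that needs X adds far more (toolkits, fonts, the display socket), which is why the reply treats a real per-user, per-app lockdown as impractical with chroot alone.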