MrWoody n00b
Joined: 15 Oct 2005 Posts: 2
Posted: Sat Oct 15, 2005 9:19 pm Post subject: Guest account on console w/X and basic tools
I'm completely new to *nix X-windows, so please, if there's an answer out there or keywords to search for, help me if you have time.
I'd like to create a guest account, maybe even with no password, accessible on the console, for people other than me to have at least basic access to a browser and maybe a couple of other tools.
I'm not paranoid but I tend to log out or always lock my screen. I would like to have a restricted shell account, like 'login:guest passwd:guest', and have that account thrown into a sandbox where no harm could be done.
Is there a safe way to do it?
If I had my way, their login would 'exec startx' with a single firefox browser running, and when they quit they'd be logged out. I don't need help getting that set up. I need help, or opinions, on how to force them into a sandbox where they could do no harm.
No access to usb/cdrom/floppy/pcmcia.
No access to the guest account remotely.
Not even access to change /home/guest/.configuration-files.
Am I crazy, or is there a foolproof way to create an account where you list what the account can do and everything else is denied?
Thank you for your time,
-MrWoody
Xipher n00b
Joined: 01 Jul 2004 Posts: 24
Posted: Sun Oct 16, 2005 12:32 am
Actually, I'm pretty sure it's possible. A few things: first, make sure they aren't a member of any groups besides maybe their own little sandbox group.
I don't think it would be too difficult to lock down remote access, as I think you can do that in PAM's config files, or by adding it to a specific group (not sure on that one exactly). Also, both gdm and kdm, I believe, have autologin settings.
Next, make sure you configure X not to allow the ctrl+alt+function key combo and ctrl+alt+backspace. That's just a couple of lines, of which I don't remember the exact syntax, but I'm sure you can look it up online in their documentation.
As for starting up with just firefox, I don't think it would be too hard to set up a simple session file for gdm to use for the user's session that simply starts up firefox. This also means once firefox is closed, it will stop the session, but I think you could probably get around that, and get it to just restart firefox every time it's closed.
Now, to keep them from editing their config files, well, you could make them readable to them, but owned by root, which they won't be able to edit then, or delete, and just make sure to change the permissions in all the other directories and subdirs so they can access binaries needed, but can't actually get into and look at the contents (remove the readable flag for everyone but owner, which will normally be root in those directories like /usr /opt/ /tmp), and for others which they don't need to touch at all, well, remove all permissions for others (last digit if you're using the numeric chmod style).
Now, I'm guessing that's extremely vague for a newcomer, but going into actual details depends on a lot, and I want to leave a little bit of work up to you so you can learn. The whole idea of "give a man a fish, he will eat for a day, teach a man to fish, he will eat for a lifetime, and get asked to teach" idea.
_________________
Xipher
MrWoody n00b
Joined: 15 Oct 2005 Posts: 2
Posted: Sun Oct 16, 2005 4:36 am
Hi Xipher,
Thank you for taking the time to reply. I'm going to give it a shot and will try to keep things as simple as possible.
Here's my plan:
a separate new group,
a restricted shell and a new user,
chown all files/dirs under the home so it does not own anything and chmod
so it cannot write anywhere.
Then I'll log in to hopefully find nothing works at all.
I'll carefully relax permissions on a few files and dot directories and play with config files until only the basics for a quick web session are working.
Thanks again for your time to read and more to reply,
-MrWoody
p.s. I thought if you teach a man to fish, he'll sit in a boat and drink beer all day. cheers!
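
A check for the plan above (the guest owns nothing under its home and can write nowhere), as an added example that is not part of the original posts: it walks a directory tree and reports every entry the guest owns or can write to, directories included, because write permission on a directory allows removing or replacing root-owned files inside it. The function name and output tags are hypothetical, and the guest's numeric uid and gid are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit a locked-down guest home.
# audit_guest_tree is a hypothetical helper name; ids are numeric.
# Usage: audit_guest_tree DIR GUEST_UID GUEST_GID
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_guest_tree() {
    dir=$1 uid=$2 gid=$3
    findings=$(
        # An owner can always chmod an entry back to writable.
        find "$dir" -user "$uid" | sed 's/^/OWNED /'
        # Writable through the guest's group.
        find "$dir" ! -type l -group "$gid" -perm -0020 | sed 's/^/GROUP-W /'
        # Writable by everyone (symlink mode bits carry no meaning; skipped).
        find "$dir" ! -type l -perm -0002 | sed 's/^/WORLD-W /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Direct use, e.g.: sh audit.sh /home/guest "$(id -u guest)" "$(id -g guest)"
if [ "$#" -eq 3 ]; then
    audit_guest_tree "$1" "$2" "$3"
fi
```

An empty report only covers ownership and mode bits under the given directory; ACLs and writable locations elsewhere, such as /tmp, are outside what it inspects.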