Read-Only user via RBAC

[neuralnode]

Hi all,

I have an RBAC-related question.

The task I want to accomplish is to create a system user that:

1. has read-only privileges

2. can access only certain directories, e.g. /var/log and /export/home/someapp/logs

3. can use only limited set of commands (e.g. cat, more, less, date etc.)

4. alternatively, can do cp & scp, but can't do rm, mv, touch and any other modyfying/creating/deleting commands

My question is: how to implement such a feat?
I know I can use RBAC, problem is I don't know much about it, i.e. never used it. All PDFs about RBAC I could collect is purely theoretical gibberish with no real-life examples.

Anyone knows how to pull this off?

Thanx in advance!

 

[bfitzmai]

Neuralnode,
I may be over simplifying what you are trying to do or you may be over thinking it. This sound like a standard user to me. I normally create a group 15 users. These users have limited access to system files. They have read-only privileges on files and directories that are set up for different groups. Because the have read-only privileges, they can not delete files, create files or move files from the directory. But, they can copy files from these directories.