LinuxQuestions.org
Old 09-11-2003, 12:07 PM   #1
niall0s
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Rep: Reputation: 0
file transfer over ssh restrict directory browsing


Hi everyone,

I'm a relative newbie to Linux (6 months) and I have a question about transferring files.

I have set up a RedHat 9 box and can successfully connect to it using ssh and transfer files using winSCP from a windoze box.

I want to be able to give accounts to users so they can transfer files to a folder over ssh but not be able to browse outside that folder. For example:

The folder structure is as follows:

/transfers/usera
/transfers/userb

etc.

So when usera connects they will be in the folder /transfers/usera by default and can upload files there but they should not be able to change the dir to /transfers or to / or browse any other folders.

Is this possible?
 
Old 09-11-2003, 12:20 PM   #2
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199
man chroot

And it's also a good idea to give them a non-working shell as well.

Add something like /bin/false to your /etc/shells and assign that as their valid shell in /etc/passwd. This will disable them from logging in through other means or services you have enabled, like ssh, telnet and so on.
 
Old 09-11-2003, 12:41 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,558
Blog Entries: 54

Rep: Reputation: 2925
Have a look at http://chrootssh.sourceforge.net/
 
Old 09-11-2003, 12:49 PM   #4
niall0s
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for the quick reply, trickykid, but I'm still a bit lost here.

I can only run chroot as root, so how do I set the root / dir for each user to be their home directory, or am I missing the point here?

Also, when I change their shell to /bin/false they can no longer log in to the box to transfer files. As I mentioned, they are currently using winSCP; or is there a better way to transfer files?

I know I'm missing something here and I'd really appreciate it if you could give me an A-Z for setting this up correctly.
 
Old 09-11-2003, 02:38 PM   #5
Eqwatz
Member
 
Registered: May 2003
Distribution: Slack Puppy Debian DSL--at the moment.
Posts: 341

Rep: Reputation: 30
Look into the security for FTP--the secure shell version. It does involve chroot and other stuff, but it has been documented so many times by different people that the docs are getting understandable even to me.

Sorry I can't remember the name for the secure-shell version of FTP.

Google it. There is also a client for Windows. There is an open source one. You shouldn't have to pay. Once you get the name of it from Google--Google it. That should get you the documentation and downloads for it.

(The reason I mentioned this is that the Howto documentation goes into depth about the use of chroot. I read the chroot documentation and it left me more confused than when I started.)

Last edited by Eqwatz; 09-11-2003 at 04:15 PM.
 
Old 09-11-2003, 02:39 PM   #6
Eqwatz
Member
 
Registered: May 2003
Distribution: Slack Puppy Debian DSL--at the moment.
Posts: 341

Rep: Reputation: 30
http://www.google.com/linux
 
Old 09-11-2003, 03:05 PM   #7
Eqwatz
Member
 
Registered: May 2003
Distribution: Slack Puppy Debian DSL--at the moment.
Posts: 341

Rep: Reputation: 30
Also, just like in Win2K, you have group and user permissions which you can set for their logon to your RH machine.

Group=Students
chroot for that group--if the setup of this is done properly, a student shouldn't be able to go above the "/./" directory. And you can pick the specific commands that they can run. They should not be able to run any shell scripts.

Owner/creator of the folders and files=student-group.

This means that you have to put yourself in as a member of the group (setting up groups is done as root.) Then, logging in on your non-root user account: create the directories and files.

Group permissions set to rwx on directory (owner and group only), rw- (no execute) on files (owner only). Others in the group could see the directory but not have access to the files.

A directory created by the student account is to be seen by no one but root and the student (root can see anything). The permissions of rwx are for the owner only. Thus, anything in that account can only be seen by the owner of the directory. If another user can guess directoryname/filename--he will be able to see it unless the individual file permissions are set.

Read up on file permissions and write the stuff in your own words. I find the man-pages and Info pages confusing until I write it down. Even then I might have to do it several times to gain understanding. (I may be confused now.)

Last edited by Eqwatz; 09-11-2003 at 04:05 PM.
 
Old 09-11-2003, 03:19 PM   #8
Eqwatz
Member
 
Registered: May 2003
Distribution: Slack Puppy Debian DSL--at the moment.
Posts: 341

Rep: Reputation: 30
A new login non-root user account, with only membership to the student group, would be the surest way to keep from buggering up the permissions on the folders and such.

Just set up a backup set updated by cron every few minutes to protect the files from deletion. NO BLOODY LINKS.

You can even script an auto-magic recovery with cron and two bash scripts.

If you want to be truly evil, you can script an automatic e-mail generated by the need to recover the files with the name of the user who deleted them and the time of deletion--so they can check to see if any of their work is missing. Mwah-ha-ha-ha!!!!!!!!!!
 
Old 09-11-2003, 03:22 PM   #9
Eqwatz
Member
 
Registered: May 2003
Distribution: Slack Puppy Debian DSL--at the moment.
Posts: 341

Rep: Reputation: 30
BTW
Did I imply that the new user accounts (ie. the students) would only have membership to the student group strongly enough???
 
Old 09-11-2003, 03:35 PM   #10
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199
Quote:
Originally posted by Eqwatz
BTW
Did I imply that the new user accounts (ie. the students) would only have membership to the student group strongly enough???
Just a reminder, you know we have an edit button to add anything or edit your threads, no need to keep adding new posts..
 
Old 09-11-2003, 03:37 PM   #11
Eqwatz
Member
 
Registered: May 2003
Distribution: Slack Puppy Debian DSL--at the moment.
Posts: 341

Rep: Reputation: 30
OOPS! If you want the students to have their own /home, after you set up their account create the folders with their own account, and set the permissions to rwx for the owner only.

If you want to do it the really easy way:

Google: community college computer science "intro to unix" or "Scripting for the web" or "intro to linux". Get the prof's name, ply him with praise/beer and get a copy of his set-up and scripts.

They automate all of the accounts and their creation/destruction for each semester. A few edits on a copy of the student list, three commands and you are done.

[[ I didn't notice the edit button. MY BAD. Sorry.]]

I am unfamiliar with chrootssh--and when I checked at the time it was a dead link. If you copy too much below /./ you can end up defeating the purpose by duplicating /. Frankly, chroot scared me because I always got confused or fell asleep while reading the docs. When you figure it out, please post it. Maybe if you explain it--I'll "get" it.

(My little brain cells start committing suicide when I read certain docs. I have to use cp -dpvR instead of cpio or dump because of that.)

Last edited by Eqwatz; 09-12-2003 at 01:20 PM.
 
Old 09-11-2003, 03:50 PM   #12
niall0s
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Eqwatz, thanks for all the info, but lay off the speed.

As unSpawn suggested I went to http://chrootssh.sourceforge.net/ and installed chrootssh.

Now the problem I'm having is I cannot get chroot to work correctly. If I type chroot /transfers I get the error "/bin/bash: no such file or directory". I copied /bin/bash and all required library files to /transfers/bin/bash and I still get the same error:

[root@application bin]# chroot /transfers /transfers/bin/bash
chroot: /transfers/bin/bash: No such file or directory

[root@application bin]# ls -la /transfers
total 12
drwxr-xr-x 3 root root 4096 Sep 11 20:48 .
drwxr-xr-x 21 root root 4096 Sep 11 20:46 ..
drwxr-xr-x 3 root root 4096 Sep 11 20:55 bin

[root@application bin]# ls -la /transfers/bin
total 2164
drwxr-xr-x 3 root root 4096 Sep 11 20:55 .
drwxr-xr-x 3 root root 4096 Sep 11 20:48 ..
-rwxr-xr-x 1 root root 626028 Sep 11 20:48 bash
drwxr-xr-x 2 root root 4096 Sep 11 20:55 lib
-rwxr-xr-x 1 root root 1536292 Sep 11 20:55 libc.so.6
-rwxr-xr-x 1 root root 15900 Sep 11 20:54 libdl.so.2
-rwxr-xr-x 1 root root 11784 Sep 11 20:53 libtermcap.so.2

Anyone????

Last edited by niall0s; 09-11-2003 at 04:06 PM.
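Two things in the listing above explain the error: the command passed to chroot is resolved inside the new root (so it must be /bin/bash, not /transfers/bin/bash), and the libraries and the dynamic loader (/lib/ld-linux.so.2) must sit under /transfers/lib where the loader searches, not in /transfers/bin. The script below is an added example, not code from the thread or from chrootssh; it stages a binary with its ldd-reported libraries at their host paths, checks the tree, and prints the correct chroot invocation (ROOT and BIN are illustrative arguments such as /transfers and /bin/bash).

```shell
#!/bin/sh
# Added example: build and check a minimal chroot tree for one binary.
# Usage: stage_binary ROOT BIN; check_tree ROOT BIN; chroot_cmd ROOT BIN
# (staging into a system path such as /transfers needs root; a temp dir does not)

# List the shared objects a binary needs, including the dynamic loader line,
# which the listing in the thread is missing.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '/=>/ && $3 ~ /^\// { print $3 } /^[ \t]*\// { print $1 }'
}

# Copy one host file into ROOT, keeping its absolute path (so /lib/libc.so.6
# lands in ROOT/lib, where the loader will look, not in ROOT/bin).
stage_file() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Stage BIN plus every library it needs.
stage_binary() {
    stage_file "$1" "$2"
    for lib in $(needed_libs "$2"); do
        [ -f "$lib" ] && stage_file "$1" "$lib"
    done
    return 0
}

# Verify every needed library exists under ROOT; report what is missing.
check_tree() {
    status=0
    for lib in $(needed_libs "$2"); do
        if [ ! -f "$1$lib" ]; then
            echo "missing: $1$lib"
            status=1
        fi
    done
    return $status
}

# The command given to chroot is resolved inside the new root, so a host
# path like /transfers/bin/bash must be passed as /bin/bash.
chroot_cmd() {
    root=$1 bin=$2
    case $bin in
        "$root"/*) bin=${bin#"$root"} ;;
    esac
    printf 'chroot %s %s\n' "$root" "$bin"
}
```

A chroot that only contains bash still lets a user run only bash builtins; anything else the login is meant to do (the transfer program, /dev/null, a passwd entry) has to be staged the same way.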
 
  

