Users can only see home directory

bluenix · 03-04-2005, 03:22 PM

Hi,

On my Fedora system, I want users to be only able to see their home directory and all the subfolders.
Right now, when I add a new user using "useradd", they can all see the content in every directory, even the "/".
What can I do to achieve this?

Matir · 03-04-2005, 03:44 PM

You'll need to use a chroot in order to achieve this.

Note, however, if they are in a chroot, they need a copy of EVERY program, even things like /bin/ls, that they will want to run, in their home directory (i.e., /home/USERNAME/bin). This can be accomplished, I think, by using hardlinks to the real files. Of course, that would only work if /home and /bin reside on the same partition. Most likely, you'll need to make full copies (or explore alternatives, like using busybox, and creating a /home/bin to which you can make hardlinks for each user).

or1onas · 03-09-2005, 04:32 AM

One question about chroot:
I've managed to create a chrooted env for a user that i need in order to connect through ssh
so i copied all the needed files and created a second 'virtual hierarchy'.
The thing is:
When i connect through an ssh client, the hierarchy has:

/
|--bin
|
|--dev
|
|--home
|
|--lib
|
|--usr

Is there some way to make all the folders except home invisible?

JZL240I-U · 03-09-2005, 10:09 AM

Um, I simply would have removed the read flags of the directories for group users except on home and below...

DaFrawg · 03-09-2005, 10:14 AM

Are you able to run things when you can't see them? In other words, can one run /bin/ls when one doesn't have the permission to read the folder /bin?

JZL240I-U · 03-09-2005, 10:16 AM

Should be possible, there's the executeable flag as well. Why don't you try? (I'm sitting at a Windows box right now ...

).

or1onas · 03-09-2005, 11:15 AM

i thought you'd say that, so i've already tried but it seems that DaFrawg is right.
When i chmod o-r, nothing works...

Lakefall · 03-09-2005, 04:54 PM

You removed the read permission from all the executables, didn't you? That doesn't work. Try removing it from directories only.

Code:

chmod o-r `find / -type d`

I have no idea what kind of problems this might cause. Should be interesting.

Lakefall · 03-09-2005, 04:59 PM

The previous command might not work.

Code:

find / -type d -print0 | xargs -0 chmod o-r

This should be better.

or1onas · 03-10-2005, 02:18 AM

i'll try that later and i'll tell you if it works...
btw, i did 'chmod o-r' for /usr,/bin,/dev,/lib.
Does that make a recursive change on the files too?

or1onas · 03-10-2005, 02:43 AM

it seems i made some mistake yesterday.
i just chmoded the folders and now the user is not able to open them.
the only thing that remains now is to make them invisible...any ideas?

JZL240I-U · 03-10-2005, 02:47 AM

Did you also chmod / ?

or1onas · 03-10-2005, 02:56 AM

Quote:

Originally posted by JZL240I-U
Did you also chmod / ?

that was it! thank you all guys for helping me out!

Lakefall · 03-10-2005, 12:05 PM

Quote:

Originally posted by or1onas
i'll try that later and i'll tell you if it works...
btw, i did 'chmod o-r' for /usr,/bin,/dev,/lib.
Does that make a recursive change on the files too?

Not unless you did "chmod -R o-r [directory]".

I don't know if it matters, but I think you still have the subdirectories in /usr etc. listable as long as a user can guess their names (which shouldn't be too difficult for the standard directories). Why are you doing this anyhow?

or1onas · 03-10-2005, 01:49 PM

You're right about the directories being listable if guessed (which is not to difficult of course), but no dir listing access is given to them to by chmod -r.
So the user can only get inside his home folder and try to cd to /bin,/lib,etc but he gets a permission denied if he tries to do an ls...
I've already said that i set up an ssh server for sftp and i created a chrooted environment for security reasons...