Create new user with limited folder access

ITTrucker · 03-04-2013, 11:15 AM

I need to add a new user to our RHEL Release 5.7 (Tikanga) server so the new user has connect, read, copy access only to a folder that is not theirs.

This user is a Windows user that just needs access to files in one folder so they can connect and download some output files once a month.

That folder already exists, but I don't want the new user to be able to do anything other than to connect to that directory and download that file.

I was going to create them, and then set their home directory to that folder so it should default them right to where they need, but I don't want them to be able to do anything else to the server (cd, md, .sh, etc...)

1) # adduser [username] -M
2) # passwd [password]
3) # usermod -s /bin/false -d /path/to/dir [username]
4) ? Restrict access somehow ?

The folder they need to access isn't a home folder, it's just a folder on a drive. Root is not the owner of the folder, an installed program's admin is. The user can use either ftp or sftp whichever is easier to restrict access. (they'll only ever connect while on domain on site)

I'm very new to Linux security and I got lost reading some of the articles online about modifying/creating the chroot and sshd_config files, and everything seems to be related to restricting to the home directory under the user to only that user.

Any thoughts, links, answers appreciated.
Thanks

shivaa · 03-04-2013, 11:31 AM

Just follow:

Code:

~# groupadd newgrp                 # Creates a new group named newgrp
~# useradd -g newgrp <username>    # Creates a user with newgrp as main group
~# passwd <username>               # Change password
~# chmod rwx+a /path/to/folder     # Adding permission for shared folder

BTB, it's not possible to restrict user from invoking cd, md, .sh etc basic commands. So, whichever file(s) you don't want him to read or write, just remove read/write permissions from those folders for group and others.

ITTrucker · 03-04-2013, 01:03 PM

Can you create a group or a user with zero permissions to anything and just add what they need?

Is there a difference between creating a group and adding a user to it and just creating the user and setting the home folder? Because it looks like either way, the user will be able to move around and access whatever they want unless I specifically remove access to the folders.

suicidaleggroll · 03-04-2013, 02:02 PM

It sounds like you want a chroot jail for the user. Then you can "mount --bind" any directories you want them to have access to into their home folder (or anywhere else in the jail). The only files/dirs they'll have access to are those required for login or those that you explicitly give them access to via mount --bind.

Some info:
http://www.cyberciti.biz/tips/howto-...ail-setup.html

I don't know if that site contains a complete list of all files/devices/directories that need to be copied over to the jail for it to work, but it's a start. I do know that it took a lot of experimenting and a lot of googling to finally get all of the necessary files mirrored over to the jail to permit the user to log in on my system, some sites and guides were incomplete.

One of the advantages of this approach is that once the jail is set up, adding more users into it is trivially easy. Just set up the new user, change their login shell to rssh, change their home directory to the jail, copy the updated /etc/passwd and /etc/group into the jail, and you're done.

chrism01 · 03-04-2013, 07:02 PM

You want a chrooted sftp environment eg http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

ITTrucker · 03-05-2013, 10:13 AM

Ok, looks like I have a bunch of reading to do on the chroot setup. It looks like it's a machinewide change though, would I have to go through every user on the server and set up their existing permissions within the jail? This is for an Oracle db and app server machine running some warehouse management software so there's a ton of users that have been created by the WMS and I don't know what they all need access to.

Ok, so as I read further down it looks like this "should" only effect the users that you put into the newly created chroot group. Unfortunately because of the cost of the oracle licenses we don't have a test machine and I'm worried that making a ssh change and setting up the chroot jail that I'll break something in production.

Some weekend I'll take a snapshot and give it a try, but for now I think I'll just set up a scheduled task and download the file to a network drive for the user instead of giving them access directly to the machine.

Thanks for the info and reading material everyone, I've got a lot of work ahead of me.

suicidaleggroll · 03-05-2013, 10:15 AM

The jail is just a new sandbox that you set up somewhere on your filesystem. It only affects the users that you put into it, nobody else even knows it exists. They are not put into the sandbox by putting them into a group, they're put into it by setting up their login shell and home directory, that's it. Permissions are not touched, ssh is not touched.

If you want to experiment first, you can set up a VM.

It literally is just a matter of:
1) install rssh
2) make a directory somewhere
3) modify the rssh config file to set the chroot to the dir you made in #2 (and you can turn on/off ssh access, scp access, and rsync access for anybody using rssh)
4) copy the necessary libraries, binaries into the new dir
5) make a new user, set their login shell to rssh and their home directory inside the new dir

That's it. groups aren't affected, ssh isn't affected, existing users aren't affected in any way. If you want to undo it all, just remove the user, uninstall rssh, and remove the dir you made in #2.