Old 03-04-2013, 11:15 AM   #1
ITTrucker
LQ Newbie
 
Registered: Mar 2013
Posts: 3

Rep: Reputation: Disabled
Create new user with limited folder access


I need to add a new user to our RHEL Release 5.7 (Tikanga) server so the new user has connect, read, copy access only to a folder that is not theirs.

This user is a Windows user that just needs access to files in one folder so they can connect and download some output files once a month.

That folder already exists, but I don't want the new user to be able to do anything other than to connect to that directory and download that file.

I was going to create them, and then set their home directory to that folder so it should default them right to where they need, but I don't want them to be able to do anything else to the server (cd, md, .sh, etc...)

1) # adduser -M [username]
2) # passwd [username]
3) # usermod -s /bin/false -d /path/to/dir [username]
4) ? Restrict access somehow ?

The folder they need to access isn't a home folder, it's just a folder on a drive. Root is not the owner of the folder, an installed program's admin is. The user can use either ftp or sftp whichever is easier to restrict access. (they'll only ever connect while on domain on site)

I'm very new to Linux security and I got lost reading some of the articles online about modifying/creating the chroot and sshd_config files, and everything seems to be related to restricting to the home directory under the user to only that user.

Any thoughts, links, answers appreciated.
Thanks
 
Old 03-04-2013, 11:31 AM   #2
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,797
Blog Entries: 4

Rep: Reputation: 285
Just follow:
Code:
~# groupadd newgrp                 # Creates a new group named newgrp
~# useradd -g newgrp <username>    # Creates a user with newgrp as main group
~# passwd <username>               # Set the user's password
~# chgrp newgrp /path/to/folder    # Give the shared folder to the new group
~# chmod g+rx /path/to/folder      # Group may list and enter the shared folder
BTW, it's not possible to restrict a user from invoking cd, md, .sh etc. basic commands. So, whichever file(s) you don't want him to read or write, just remove read/write permissions from those folders for group and others.

Last edited by shivaa; 03-04-2013 at 11:35 AM.
 
Old 03-04-2013, 01:03 PM   #3
ITTrucker
LQ Newbie
 
Registered: Mar 2013
Posts: 3

Original Poster
Rep: Reputation: Disabled
Can you create a group or a user with zero permissions to anything and just add what they need?

Is there a difference between creating a group and adding a user to it and just creating the user and setting the home folder? Because it looks like either way, the user will be able to move around and access whatever they want unless I specifically remove access to the folders.
 
Old 03-04-2013, 02:02 PM   #4
suicidaleggroll
Senior Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 2,985

Rep: Reputation: 1045
It sounds like you want a chroot jail for the user. Then you can "mount --bind" any directories you want them to have access to into their home folder (or anywhere else in the jail). The only files/dirs they'll have access to are those required for login or those that you explicitly give them access to via mount --bind.

Some info:
http://www.cyberciti.biz/tips/howto-...ail-setup.html

I don't know if that site contains a complete list of all files/devices/directories that need to be copied over to the jail for it to work, but it's a start. I do know that it took a lot of experimenting and a lot of googling to finally get all of the necessary files mirrored over to the jail to permit the user to log in on my system, some sites and guides were incomplete.

One of the advantages of this approach is that once the jail is set up, adding more users into it is trivially easy. Just set up the new user, change their login shell to rssh, change their home directory to the jail, copy the updated /etc/passwd and /etc/group into the jail, and you're done.

Last edited by suicidaleggroll; 03-04-2013 at 02:20 PM.
 
Old 03-04-2013, 07:02 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034
You want a chrooted sftp environment, e.g. http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
 
Old 03-05-2013, 10:13 AM   #6
ITTrucker
LQ Newbie
 
Registered: Mar 2013
Posts: 3

Original Poster
Rep: Reputation: Disabled
Ok, looks like I have a bunch of reading to do on the chroot setup. It looks like it's a machine-wide change though; would I have to go through every user on the server and set up their existing permissions within the jail? This is for an Oracle db and app server machine running some warehouse management software, so there's a ton of users that have been created by the WMS and I don't know what they all need access to.

Ok, so as I read further down it looks like this "should" only affect the users that you put into the newly created chroot group. Unfortunately, because of the cost of the Oracle licenses we don't have a test machine, and I'm worried that making an ssh change and setting up the chroot jail will break something in production.

Some weekend I'll take a snapshot and give it a try, but for now I think I'll just set up a scheduled task and download the file to a network drive for the user instead of giving them access directly to the machine.

Thanks for the info and reading material everyone, I've got a lot of work ahead of me.
 
Old 03-05-2013, 10:15 AM   #7
suicidaleggroll
Senior Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 2,985

Rep: Reputation: 1045
The jail is just a new sandbox that you set up somewhere on your filesystem. It only affects the users that you put into it, nobody else even knows it exists. They are not put into the sandbox by putting them into a group, they're put into it by setting up their login shell and home directory, that's it. Permissions are not touched, ssh is not touched.

If you want to experiment first, you can set up a VM.

It literally is just a matter of:
1) install rssh
2) make a directory somewhere
3) modify the rssh config file to set the chroot to the dir you made in #2 (and you can turn on/off ssh access, scp access, and rsync access for anybody using rssh)
4) copy the necessary libraries, binaries into the new dir
5) make a new user, set their login shell to rssh and their home directory inside the new dir

That's it. groups aren't affected, ssh isn't affected, existing users aren't affected in any way. If you want to undo it all, just remove the user, uninstall rssh, and remove the dir you made in #2.

Last edited by suicidaleggroll; 03-05-2013 at 10:21 AM.
 