LinuxQuestions.org
Old 09-04-2003, 06:46 PM   #1
sophie
LQ Newbie
 
Registered: Jun 2003
Posts: 9

Rep: Reputation: 0
limiting the user


Hi, everyone..

I want to add a user who can only access his home directory but nowhere else. (running redhat 8.0)

I read a lot about it, and the more I read, the more confused I got...

Please help.

Here is what I did:

I added a new user (test)
/etc/passwd
test:x:506:506::/var/www/./test/:/bin/bash

then edited /etc/security/chroot.conf as below
# /etc/security/chroot.conf
# format:
# username_regex chroot_dir
#matthew /home
test /var/www/test

But, when I login (telnet or ssh) with this account, I can still access other directories..

Do I need to add any "pam_chroot.so" somewhere?

What am I doing wrong?

There will be more than 50 users like that in this system. Is this the best way?

Thanks for your help in advance.
 
Old 09-04-2003, 06:54 PM   #2
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199
I'm not sure about editing the file by hand but have you tried to run the command to chroot them to a directory?

man chroot for more details.
 
Old 09-04-2003, 07:07 PM   #3
sophie
LQ Newbie
 
Registered: Jun 2003
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks for the reply..

Yes, I did read the manual, but as I said I am more confused after all of that.

There must be a very basic solution for that

So, is it enough to run the chroot command itself? How do I say that I just want to use it for a specific user?

What I understood is that the chroot command is only for running a command from a certain directory?

I got lost in that.. help!..

Thanks in advance..
 
Old 09-04-2003, 07:29 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Did you add a "session required /lib/security/pam_chroot.so" line to /etc/pam.d/login? And AFAIK it isn't necessary to specify an ftp-style chroot home in passwd like the /dir/dir./dir you added.
Also note for a chroot to work you need to add some basic config files, libraries and GNU utilities to the chroot. The 1st sticky thread in the Linux - Security forum has some docs on chrooting, it's the 4th post, titled "Chroot, chrooting, jailing, comparimization".
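
The pieces discussed in this thread (the chroot.conf entry, the pam_chroot.so session line, and a shell inside the jail) can be checked together with a script like the following. It is an added example, not part of any post; the fixture tree, the `sshd` service file name and the unanchored regex match are assumptions.

```sh
#!/bin/sh
# Added example: audit a pam_chroot setup under a path prefix, so it can run
# against a constructed fixture tree instead of the live /etc.

# pam_service_has_chroot PREFIX SERVICE
# Succeeds if the service's PAM file has an uncommented session line
# that loads pam_chroot.so.
pam_service_has_chroot() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_chroot\.so' \
        "$1/etc/pam.d/$2" 2>/dev/null
}

# jail_missing_shell PREFIX
# Prints "user chroot_dir shell" for each chroot.conf entry whose jail holds
# no copy of the matching user's login shell. The username_regex is matched
# unanchored here (assumption about how pam_chroot matches).
jail_missing_shell() (
    prefix=$1
    while read -r pattern dir _rest; do
        case $pattern in ''|'#'*) continue ;; esac
        while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
            printf '%s\n' "$user" | grep -Eq -- "$pattern" || continue
            [ -f "$prefix$dir$shell" ] || echo "$user $dir $shell"
        done < "$prefix/etc/passwd"
    done < "$prefix/etc/security/chroot.conf"
)

# make_fixture: constructed sample tree modelled on the first post. Only the
# login service loads pam_chroot; the sshd file is an assumed second service.
make_fixture() {
    p=$(mktemp -d)
    mkdir -p "$p/etc/pam.d" "$p/etc/security" "$p/var/www/test"
    echo 'test:x:506:506::/var/www/./test/:/bin/bash' > "$p/etc/passwd"
    printf '#matthew /home\ntest /var/www/test\n' > "$p/etc/security/chroot.conf"
    echo 'session required /lib/security/pam_chroot.so' > "$p/etc/pam.d/login"
    echo 'session required /lib/security/pam_unix.so' > "$p/etc/pam.d/sshd"
    echo "$p"
}

fixture=$(make_fixture)
for svc in login sshd; do
    if pam_service_has_chroot "$fixture" "$svc"; then
        echo "$svc: pam_chroot enabled"
    else
        echo "$svc: pam_chroot NOT in session stack"
    fi
done
jail_missing_shell "$fixture" | sed 's/^/jail lacks shell: /'
rm -rf "$fixture"
```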
 
Old 09-04-2003, 08:06 PM   #5
sophie
LQ Newbie
 
Registered: Jun 2003
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks a lot for your reply.. I searched the forum a lot but I think I could see that one.

As you said, I added "session required /lib/security/pam_chroot.so" to /etc/pam.d/login.

But, in the documents I couldn't see anything about what to do about:
"Also note for a chroot to work you need to add some basic config files, libraries and GNU utilities to the chroot"

Can you give me some more clues please?

As a newbie, it is really difficult for me to figure it out.. Probably I can not see it because I couldn't get the logic of it yet..

Thanks a lot in advance..
 
Old 09-05-2003, 01:23 AM   #6
jayakrishnan
Member
 
Registered: Feb 2002
Location: India
Distribution: Slacky 12.1, XP
Posts: 991

Rep: Reputation: 30
AFAIK a normal user can only access his home directory by default
 
Old 09-05-2003, 02:27 AM   #7
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 46
Quote:
Originally posted by jayakrishnan
AFAIK a normal user can only access his home directory by default
She wants the user to only be able to access his/her own directory. In a typical *nix system users can only write to their own homedir (and /tmp if given permission), but can still view most dirs like /bin /opt and so on... This is what she wants to avoid.

And the sanest way to do this is by chrooting the user to his/her own homedir. Therefore, when they do cd / it will actually take them to their homedir.
 
Old 09-05-2003, 08:24 PM   #8
sophie
LQ Newbie
 
Registered: Jun 2003
Posts: 9

Original Poster
Rep: Reputation: 0
Ok, I am trying jail sw for chrooting now. I installed jail_1.9

I followed the document exactly.. Like this:

1) Create the user
/etc/passwd
test2:x:507:507::/var/chroot/:/usr/local/bin/jail

2) install the sw
3) create the chroot
/usr/local/bin/mkjailenv /var/chroot
adding sw on it
/usr/local/bin/addjailsw /var/chroot
adding users to chroot
/usr/local/bin/addjailuser /var/chroot /home/test2 /bin/bash test2
here is my user:
/var/chroot/etc/passwd
test2:x:507:507::/home/test2:/bin/sh

That's all.. it is working.. But..

When I login with test2 user, I can change directory to /var/chroot (as my root directory) and I can see other users' directories and all directories under /var/chroot.

I don't want any user to see any other directory but his own home directory.

Can you please help?
What am I doing wrong?

Thanks..
 
  


All times are GMT -5. The time now is 11:46 AM.
