How could I limit the access of users to a directory? For example:
I have some designers and normal users. I would like to grant the designers access only to the /home directory. That is, when a designer logs into their machine, their working directory will be /home/designer. If the designer executes the command # cd /etc, it should not work and should return a permission denied message, and if it is cd /home it should work. They should have access to the server's /home directory. The server will have cPanel on it. So is there anything else we could implement without changing the directory ownership?
I think what you're trying to do is drop the designer into a chroot jail, however giving them access to /home may not be ideal as it could allow them to manipulate the environments of other users - can you restrict them to /home/designer instead?
Thanks for the quick reply.
Unfortunately that is not the exact requirement.
The exact requirement is that it is a cPanel server, so we cannot change any of the directory permissions.
The developer/designer user should be able to have full access to /home (i.e. under the /), but should not be able to view or access any other directories under /.
If you restrict those users from reading system files and dirs, they will only be able to run executables located in their home folders (if /home isn't mounted with the -noexec option, of course). In Linux, programs are run with exactly the same privileges as the user that started them. So the programs won't be able to read system files and dirs either and would hardly work.
As far as I know you're only able to prevent users from getting access to other user's data in Linux. Why do you want to hide the root filesystem from a user?
Aren't there any options using ACL, or combining two or more ideas like chrooting, ACL, SSH chrooting, sudo powers etc.? There are no issues with accessing the essential directories under /, but the developer should not have the ability to edit those files & directories.
For example, they can 'cd' & ls to /etc and /bin if it is required,
but should not be able to 'cd' to /dev, /misc etc.,
but should be able to access & edit /home.
I have created a user called developer and setfacl rwx to the home directory.
Now the scenario is that the developer user has full access to /home; the user can also ls & view all the files & directories under /, but cannot perform any other operation in directories and files other than /home.
I think the solution is half achieved,
but I need to restrict the view of certain directories under /.
Sounds like a crazy idea!!! But it is badly needed to implement this.
From what I've read this sounds more like what AppArmor/SELinux are intended for. Though I never tried to use them myself.
Quote:
but the developer should not have the ability to edit those files & directories.
That's how it is by default. An unprivileged user can view system files and dirs, but can't write into them:
Code:
andrew@P8P67-Lin:~$ rm -f /etc/fstab
rm: cannot remove ‘/etc/fstab’: Permission denied
andrew@P8P67-Lin:~$
andrew@P8P67-Lin:~$ ls -l /
total 124
drwxr-xr-x 2 root root 4096 Nov 4 13:59 bin
drwxr-xr-x 4 root root 4096 Nov 4 14:00 boot
drwxr-xr-x 2 root root 4096 Jun 18 2011 cdrom
drwxr-xr-x 17 root root 4580 Nov 6 2013 dev
drwxr-xr-x 167 root root 12288 Nov 6 19:09 etc
drwxr-xr-x 4 root root 4096 Oct 13 2011 home
Being able to cd into a directory means a user can execute the directory. To list files in the directory the user must have read access. I have no write access so the system didn't let me delete /etc/fstab.
Stick them in a chroot jail and loopback mount /home into it.
Quote:
Originally Posted by redfox2807
As far as I know chroot still has to have /etc /dev /lib and so on. So it's not exactly what is desired. Am I right?
A chroot jail only needs what is actually needed for a user to log in and use the system. The only files in /etc /dev /lib are those that are critical in order for them to log in (without those files, they wouldn't be able to log in at all). They're also copies of the system files, not the system files themselves, so if the user did somehow manage to bork them, they'd only lock themselves out; the rest of the system would be unaffected. I.e., what the user sees as /etc/password is really /path/to/chroot/jail/etc/password. They can screw up the jail environment all they want (within the permissions you set, at least), but they're just hurting themselves.
Last edited by suicidaleggroll; 11-06-2013 at 10:33 AM.
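The jail described in the last two replies, as an added example that is not part of any post in the thread: it copies a program and the libraries ldd reports for it under a jail root, then prints the steps that need root. The path /srv/jail, the account name developer, reading "loopback mount" as a bind mount, and using sshd's ChrootDirectory are assumptions.

```shell
#!/bin/sh
# Added example. /srv/jail and the account name "developer" are assumed values.

# Print the absolute path of every shared library ldd reports for a program.
# ldd lines look like "name => /path (addr)" or "/path (addr)"; a static
# binary yields no paths, so nothing is printed for it.
list_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into the jail at the same absolute path, following symlinks
# so the jail holds a real copy rather than a link pointing outside it.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# Copy a program and all of its libraries into the jail.
populate_jail() {
    copy_into_jail "$1" "$2" || return 1
    list_libs "$2" | while read -r lib; do
        copy_into_jail "$1" "$lib" || exit 1
    done
}

# Print the steps that need root, for review before running them.
root_steps() {
    cat <<EOF
# sshd refuses ChrootDirectory unless every path component is root-owned
# and not writable by group or other:
chown root:root $1 && chmod 755 $1
mkdir -p $1/home && mount --bind /home $1/home
# append to /etc/ssh/sshd_config, then reload sshd:
Match User $2
    ChrootDirectory $1
EOF
}

# Usage: sh build-jail.sh /srv/jail developer
if [ -n "${1:-}" ]; then
    for prog in /bin/sh /bin/ls; do
        populate_jail "$1" "$prog" || exit 1
    done
    root_steps "$1" "${2:-developer}"
fi
```

Inside the jail the user sees only the copied files and the bind-mounted /home, and the existing permissions and ACLs on /home still apply there.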