LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-06-2013, 06:22 AM   #1
Arun Kurian
LQ Newbie
 
Registered: Oct 2013
Posts: 23

Rep: Reputation: Disabled
Restrict the user access


Hi,

How could I limit the access of users to a directory. For example :

I am having some Designers and normal users. I would like to grant access the Designers only to the /home directory. That if, When the designer log into their machine their working directory will be /home/designer. If the designer execute the command # cd /etc it should not work and it returns a message permission denied and if it is cd /home it should work. They should have access to the servers /home directory. The server will be having cPanel in it. So is there anything else we could implement without changing the directory ownership.

Regards,
 
Old 11-06-2013, 06:35 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 650Reputation: 650Reputation: 650Reputation: 650Reputation: 650Reputation: 650
I think what you're trying to do is drop the designer into a chroot jail, however giving them access to /home may not be ideal as it could allow them to manipulate the environments of other users - can you restrict them to /home/designer instead?
 
Old 11-06-2013, 06:47 AM   #3
Arun Kurian
LQ Newbie
 
Registered: Oct 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by kbp View Post
I think what you're trying to do is drop the designer into a chroot jail, however giving them access to /home may not be ideal as it could allow them to manipulate the environments of other users - can you restrict them to /home/designer instead?

Thanks for the quick reply.
Unforntunately that is not the exact requirement

The exact requirement is it is a cPanel server so we cannot change any of the directory permissions
The developer/designer user shoud be able to full access to /home (ie under the /). but should not be able to view or access any other directories under /
 
Old 11-06-2013, 06:59 AM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 650Reputation: 650Reputation: 650Reputation: 650Reputation: 650Reputation: 650
Ok so you'll need to read up on chroot jails and see if they'll work for you, it may not be trivial depending on your requirements.
 
Old 11-06-2013, 07:20 AM   #5
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Sailfish OS, Android
Posts: 131

Rep: Reputation: 20
If you restrict those users from reading system files and dirs they will only be able to run executables located in their home folders only (if /home isn't mounted with -noexec option of course). In Linux programs are run with exactly the same privileges that has the user that started them. So the programs won't be able to read system files and dirs either and would hardly work.
As far as I know you're only able to prevent users from getting access to other user's data in Linux. Why do you want to hide the root filesystem from a user?
 
Old 11-06-2013, 07:25 AM   #6
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Sailfish OS, Android
Posts: 131

Rep: Reputation: 20
Quote:
Ok so you'll need to read up on chroot jails and see if they'll work for you, it may not be trivial depending on your requirements.
As far as I know chroot still has to have /etc /dev /lib and so on. So it's not exactly what is desired. Am I right?
 
Old 11-06-2013, 07:46 AM   #7
Arun Kurian
LQ Newbie
 
Registered: Oct 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by redfox2807 View Post
If you restrict those users from reading system files and dirs they will only be able to run executables located in their home folders only (if /home isn't mounted with -noexec option of course). In Linux programs are run with exactly the same privileges that has the user that started them. So the programs won't be able to read system files and dirs either and would hardly work.
As far as I know you're only able to prevent users from getting access to other user's data in Linux. Why do you want to hide the root filesystem from a user?
Isn't there any options using ACL? or combining two ore more ideas like chrooting,ACL,SSH chrooting, sudo powers etc? There is no issues on accessing the essential directories under / but the developer should not have the ability to edit those files&directories.

for eg:- they can 'cd' & ls to /etc /bin if it is required
but not able to 'cd' to /dev, /misc etc...
but should be able to access&edit /home

I have created a user called developer and setfacl rwx to home directory

Now the scenario is like the developer user have full access to /home also the user can ls & view all the files&directories under / but cannot perform any other operation under the directories and files rather than /home

I think the solution is half acheived
but needed to restrict the view of certain directories under /

Sound like a crazy idea!!!. but badly needed to implement this.
 
Old 11-06-2013, 09:21 AM   #8
redfox2807
Member
 
Registered: Jul 2012
Distribution: Debian testing/stable, Sailfish OS, Android
Posts: 131

Rep: Reputation: 20
Quote:
Isn't there any options using ACL? or combining two ore more ideas like chrooting,ACL,SSH chrooting, sudo powers etc? There is no issues on accessing the essential directories under / but the developer should not have the ability to edit those files&directories.
From what I've read this sounds more like what AppArmor/SELinux are intended for. Though I never tried to use them myself.

Quote:
but the developer should not have the ability to edit those files&directories.
That's how it is by default. An unprivileged user can view system files and dirs, but can't write into it:
Code:
andrew@P8P67-Lin:~$ rm -f /etc/fstab
rm: cannot remove ‘/etc/fstab’: Permission denied
andrew@P8P67-Lin:~$

andrew@P8P67-Lin:~$ ls -l /
total 124
drwxr-xr-x   2 root root  4096 Nov  4 13:59 bin
drwxr-xr-x   4 root root  4096 Nov  4 14:00 boot
drwxr-xr-x   2 root root  4096 Jun 18  2011 cdrom
drwxr-xr-x  17 root root  4580 Nov  6  2013 dev
drwxr-xr-x 167 root root 12288 Nov  6 19:09 etc
drwxr-xr-x   4 root root  4096 Oct 13  2011 home
Being able to cd into a directory means a user can execute the directory. To list files in the directory the user must have read access. I have no write access so the system didn't let me delete /etc/fstab.
 
Old 11-06-2013, 10:32 AM   #9
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,507

Rep: Reputation: 2102Reputation: 2102Reputation: 2102Reputation: 2102Reputation: 2102Reputation: 2102Reputation: 2102Reputation: 2102Reputation: 2102Reputation: 2102Reputation: 2102
Stick them in a chroot jail and loopback mount /home into it.

Quote:
Originally Posted by redfox2807 View Post
As far as I know chroot still has to have /etc /dev /lib and so on. So it's not exactly what is desired. Am I right?
A chroot jail only needs what is actually needed for a user to log in and use the system. The only files in /etc /dev /lib are those that are critical in order for them to log in (without those files, they wouldn't be able to log in at all). They're also copies of the system files, not the systems files themselves, so if the user did somehow manage to bork them, they'd only lock out themselves, the rest of the system would be unaffected. IE: what the user sees as /etc/password, is really /path/to/chroot/jail/etc/password. They can screw up the jail environment all they want (within the permissions you set, at least), but they're just hurting themselves.

Last edited by suicidaleggroll; 11-06-2013 at 10:33 AM.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Postfix authenticating user@domain and restrict user to access linux box LinuxGreen Linux - Newbie 1 12-16-2011 10:00 AM
VSFTPD - restrict user access? v00d00101 Linux - Security 2 08-09-2011 02:35 PM
Restrict access by domain per user lothario Linux - Networking 1 02-06-2009 08:37 PM
restrict access of a user to two directories only vikas027 Linux - Enterprise 5 04-15-2008 11:18 AM
how to restrict one particular user to access one particular folder? Xeratul Linux - Newbie 6 02-06-2007 01:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 07:25 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration