LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-09-2005, 12:59 PM   #1
lozza1978
LQ Newbie
 
Registered: Feb 2005
Posts: 23

Rep: Reputation: 15
securing users to certain directories ?


Hi All,

I run a server http, ssh, etc,

Now I have never needed to share my server, but recently a few friends of mine want to host some pictures from my server, no problem as i already run a website from home,

I created a user ie, james, I then created a symlink from his home directory to /var/www/html/james

great, tested it all out allworks, but the user has access to the whole server via ssh, how can I only allow him to use, his home dir, and the sym link i created in there to var/www/html/james


would love to know how to restrict him,



cheers all
 
Old 05-09-2005, 03:07 PM   #2
rose_bud4201
Member
 
Registered: Aug 2002
Location: St Louis, MO
Distribution: Xubuntu, RHEL, Solaris 10
Posts: 929

Rep: Reputation: 30
Unfortunately, jailing users over ssh isn't nearly as simple as it ought to be.
There's lots of information on the subject, though -

http://wiki.linuxquestions.org/wiki/OpenSSH_chrooting

http://www.linuxquestions.org/questi...light=ssh+jail

http://www.debiansec.com/linux/papers/chrooting.html

and so on...

The reason it's all so tricky is that jailing a user to a certain directory tree involves 'chroot'ing' them - physically changing what their session views as the "root" of the system's directory structure. This means that done improperly, they can type "cd /" and they'll actually get to /var/www/html (or whatever you've got it set up to be). They won't be able to see any other parts of your directory structure... which include /bin/, /usr/bin, /dev, /home, etc - and without those, most commands won't work at all. Take a look at just what would be off-limits were they not allowed access to /bin, and you'll see what I mean.
So chroot'ing involves rerouting a lot of that stuff into whatever directory you want the user jailed into, so they can have a more or less usable system.

G'luck!
 
Old 05-09-2005, 11:04 PM   #3
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Something else to check is what he can actually DO with the rest of the server. Chances are good he can read everything, but that in and of itself isn't a problem. He most likely can't write most of the other places.Just make sure you lock him down if you give him sudo ability. Check out man sudo (if you are aven going to allow him sudo access), and restrict his ability to not do anything other than restart httpd and anything along those lines that he may need.

Peace,
JimBass
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
securing /home directories danimalz Debian 21 11-30-2005 04:30 AM
new directories for new users kvtournh Mandriva 1 09-07-2005 11:07 AM
Securing individual directories (SSL) Trent Hatred Linux - Software 1 10-07-2004 11:50 PM
Skeleton directories for new users? jungatheart Linux - Newbie 2 04-24-2004 04:44 PM
Enter other users' directories MasterC Linux - General 14 11-27-2002 01:57 AM


All times are GMT -5. The time now is 10:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration