Hello everyone,

I'm in a bit of a jam. I'll make this short and simple. I made a directory for a remote user. The directory is /home/usr/<usr's name>. For security reasons, I do not want them to see anything below ~/<usr's name>. This is a feature UNIX (DOS) and Novell Netware (NOS) uses by default, but not Linux. Can I set Linux to do the same? If so, could someone help me do this?

I'm using Red Hat Linux 9. The user will be accessing the computer from remote SSH and SFTP. The system is set up for all directories except /home... to be _ _ X _ _ X _ _ X.

I think this would depend on the user account settings. If you put these people in a separate user group, making them 'others' to the rest of the system files and directories, they could use their home directories but that's all.
If you set up the home directory for them and take away their 'w' access to it, they could never create another file or directory to view within their home directory...but I assume you want them to be able to create files and folders or is this just for reading?
Take that approach - the separate group, e.g., martians - and you should be good. Does that make sense? Does it work for what you want to do?

I don't entirely follow. If you are referring to making both usr/group for that one usr, that's already been done. My group has adm (admin) in it, none of the others do.

As for User/group/other settings; If they connect through SSH, even though they are the user, and they are in the group, they are being classified as other. If I disable Usr/group entirely, shouldn't they still be able to visually see everything if they are granted it through */*/other? Also, if I set /home to 000, but set /home/usr/<user dir>, they can not access there home directory because Linux is filtering through /home, to get to /home/usr/<usr dir>.

This is really important to me, and I greatly thank you for the help, but I need more please. Thanks again.

Every user needs a local account. Therefore, if you add these users to a completely different group other than the standard 'users' group they will only have the rights of 'others'. If you don't give 'others' any access to any of the files, all they can get to is the files they own, or that they're group member to.
Does that make sense? Otherwise, I don't have the answer for you.

Okay, this is what I have come up with.

The following is what I did:
If I go to command line, I can still go to any of those directories listed above. I just can't do anything. I would like to prevent access all together from anyone going into those directories. Assuming I had another user under /home/myname, and user from /home/usr/name tried to find myname. Even though he can not see my directory, he could do the following.

Assuming the following:
I ran a server not native to Linux somewhere under the home directory.
The user at /home/usr/name knew much about my server.
I do not want that user knowing where my server is.
The user does the code examples I gave above under /home.

The user would know where my files are, and could try using many methods to hack into that directory. I am able to prevent this in UNIX.

If I did the following:
User 1 would not be able to go into /home/usr2
User 2 would not be able to go into /home/usr1
But User 2 could go to /
However, User 2 could not see or write, but he could execute at /.
If I set /home to 000, usr1 and usr2 can not access there home directory.

So now no one can write or execute in the / directory, not even local users. Is that going to work for what you're doing?

I do not want anyone, local, group, or other users to access anything below /home, except programs needed to do there job. Thus why I allow them to execute.

Things I needed to change however:
Setting home to 550 and taking ownership allows me to completely control who has access at all. They can only read and execute in the home. Without x in 550 (440) on home, users can not see there own home directory.

Setting usr1 to 750 allows them to do what ever the hell they want in there home. It also allows people in there group to access and download files via ftp.

Same with user2.

myserver allows local control and read/execute access only to those in the group myserver. This means that I can block out usr1 and usr2 from myserver. They can see the directory there, but they simply can not enter.

I set my rights to add myname under myserver group and I can access files and execute them.

The problem I was having is; I do not want any users able to retract back into the /home directory. If I set up groups and rights to prevent this, all user's home directory is effect because it branches off of the /home directory.

In UNIX, if you are in ~/usr1 (which is /home/usr1) and you type cd .. (or cd /home) you are denied. In Linux, you are able to do this. You just can't do this: "cd /home/usr2"

No, you are not. I'm not sure about which "UNIX" you are talking about but that simply isn't true.
You can never be denied to cd .. because, as you write yourself, one must be allowed to access parent directory to be allowed to access a subdirectory. Linux didn't invent this, it is a general *-x principle.
If your user usr1 is in group others and when all files outside his home directory are owned by other users and other groups and they are chmoded to 751 (directories and executables) or 640 (other files not needed for the others), then you are ok.
HTH,
R.

have a look at man chroot

Two words: Novell Netware. It is true.

I am talking about ScoUNIX. I am talking about a feature in ScoUNIX which has a very familiar feature that Novell Netware has. I am talking about something that Microsoft's Active Directory team could not figure out, which not only makes Novell Netware really good, but also gave Novell a rating of #1 by the DOD. I am talking about an OS which also has this feature. I am talking about the truth.

My question was simple. I wanted to know if Linux does have the ability to do this, then how do you do it? I had my reasons to believe Linux could not do this. I wanted to be sure. It sounds as if you know enough about linux to answer my first question. However, discrediting me was not part of the question. Thank you very much.

Also, I found out something very useful. After perfecting the user/group/other rights, I've noticed you can not access a parent directory under certain conditions. One such condition is SFTP. After further research and recalled, that ScoUNIX used KSH as a default shell. I have also founded that several shells, which prevent access to parent directories could be used as a default shell when making the user under the user and group settings in X. By setting the default shell and adding scripts to prevent users changing the shell they are in, I can refuse access to the parent directory. This is a theory, and I am going to test it. If the theory is true, it means not only UNIX, but Linux too, can support security policies preventing users from retracting back into a parent directory not assigned to there home.

The theory failed on Linux however, further research has provided me an possible alternative. If I create a script which prevents a users from using any other shell other then what the user was given, then I can add a script on the shell environment which alters the unique definition of how cd would work. If I add the script that does the following:
Verify path (pwd)
Create an if statement
Calculate path and changed directory. (only if users uses cd ..)
Change cd to ls if user is moving to a parent of there home.
If the user can not use ls in that directory, refuse change of directory.

I can provide the same effect I am getting on SFTP, which would prevent changing to a parent of the home directory if a users was not given the rights to it. The only down side is, though it can be done, it would be far more difficult to set this up on the X Windows. Thus, I have to refrain access to users from using X until I can get that done.