Limiting folders and commands for a user

eluzi · 03-02-2006, 08:31 AM

Gentleman,

i'd like to add a user that will conect to my host by FTP and execute some commands, but I want to limit his activity to a specific folder (he can't even leave that folder) and also limit his commands (he can't create files, delete anything, etc...). Thnx people.

nx5000 · 03-02-2006, 09:31 AM

http://vsftpd.beasts.org/

Configure your user to be in a chroot (he can't move out of a folder) and put proper permissions (only read and list for example)

eluzi · 03-02-2006, 11:03 AM

OK, but what if I wasn't using ftp ? How to reduce the commands a normal user can execute ? But thnx for the answer above, guess it solves the issue for this special case...

nx5000 · 03-02-2006, 12:02 PM

I see several methods:

*
Use Chrooted ssh.
http://www.linuxquestions.org/questi...d.php?t=415231
The user can only execute the commands that you have put in the jail, very restrictive.

*
Use PAM to restrict access to resources. I'm not very familiar yet with PAM so you will need help from someone else sorry.

*
Modify permissions on available binaries
Chmod o-x on a lot of sensitive files

eluzi · 03-02-2006, 01:43 PM

I found a JAIL script in PERL that does all the boring stuff like copying bash into the folder so that it works, and copying dependencies. It's doing what i wanted, but there's still one doubt...If I use CHROOT, how can I do so that when the user logs in the chroot runs and makes his / the folder I want...

nx5000 · 03-03-2006, 03:44 AM

Yes this perl script should do the job but I prefer to do it myself. Makejail?
To check if he is really chrooted, make a ps, take the pid of his bash. then go in /proc/<pid>
and look at the file root. this file should point to the root of the chroot.
Should display
root->/jail/