LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-11-2006, 01:01 PM   #1
codewolf
LQ Newbie
 
Registered: Feb 2006
Posts: 3

Rep: Reputation: 0
locking a user in his home dir


hello

i tryt google'ing for a answer but i dont really find what is mean.

i have a debain server overhere and want to give some users access to a ssh account.

now i know that user can access alot of dirs/files on the system and only read those.
bequase i dont really want people reading thrue my scripts sites and config files i would like to lock all users in there homedir
and only give them access to dirs i have mounted/sl't for them
so im in control of what they can read and what not

i found something with blocking access to cd bud thats not what i meant.

hope that you understand

thx for your trouble
 
Old 05-11-2006, 01:21 PM   #2
b0uncer
Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
If you're not using any special software for that (I don't know if there is any, and if, then what), that would mean you'd have to set all the permissions so that the user has a read/write access to his/her homedir, and no permissions at all outside it. It might prove to be a bit of a job, since there are, as you said, quite a lot of places normal users can access. But..

First thing you do is remove the user from every group (except for those you want the user to be in) by editing /etc/group (or, when creating the account, not add the user to any group). This way he only has access to places where the permissions say that "others can read/write/do something". Then you would need to alter the permissions of the whole filesystem so that no place has "other" permissions; with this I mean that the permissions of a file can be written like this:

-rwxrwxrwx

where there might be "d" in place of "-" if the file is a directory (directories are only "special files"). now the first "rwx" tells if the owner has read/write/execute permissions. the middle "rwx" tells if the group (that owns the file) has read/write/execute permissions, and the last three letters "rwx" tell if all the other users (not owners, not part of the group that own the file) have read/write/execute permissions. Now you don't want the "others" have access to this file, so you'd change the rights as follows:

-rwxrwx---

(never mind the 7 first letters/marks, just have the "---" in the end); then your user would not have access to the file. You would need to do this for all the files on your filesystem. Then again, no other user would have access to some files they normally do, so for this case you would need to create new groups or add some users to the existing ones so they have access to files they need.

So, it does create some work to be done. I'm not sure whether there is an easier way, and probably there is, related to the server software; altering the permissions is the "hard way" and is quite difficult, long and probably creates problems. I'd advice you to read the documentation of your server software (say, if you use Apache for a web-server, read Apache docs) to see if it allows you to specify this kind of permissions you want to get.
 
Old 05-11-2006, 01:39 PM   #3
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 4.0 Etch
Posts: 1,349

Rep: Reputation: 49
As far as I know, the simple answer is that it can't be done--while still having a usable shell.

A more straightforward "solution" is to put together another computer with a minimal install, and let the users ssh into THAT computer. This computer has access to the directories you want via nfs file sharing.

A more complex variant on that idea is to use chroot to create a "virtual" second computer inside your computer. When a user logs in, he's caged in this chroot environment.

I'm not an expert with the details of chroot...
 
Old 05-11-2006, 02:00 PM   #4
codewolf
LQ Newbie
 
Registered: Feb 2006
Posts: 3

Original Poster
Rep: Reputation: 0
oke so there is no alternative shell or something that i use ?
o well if it comes down to it i will use bouncer's idea i think bequase i dont like useing chroot bequase i read how to do that and it was a lot of work to keep it working.

thx for the ideas IsaacKuo and bouncer
 
Old 05-11-2006, 05:07 PM   #5
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Rep: Reputation: 30
Reply

If all you're trying to do is limit what users can access just take away their access to any files you don't want. If you keep a logical file structure (ie all scripts are kept under a certain directory) you can easily do this. Trying to block total access might be quite difficult. In all honesty it's not really necessary. If you really want tight access control lists you could set up SELinux. SELinux can have programs run under their own account with their own ACL. So even if you don't have access to read a file the program can (if properly set up). Although this is a bitch to setup. You should learn it use it though for any servers.
 
Old 05-11-2006, 05:17 PM   #6
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
You could try setting bash to bash -r or rbash. This should do what you are looking for. Here is a man page explaining it better than I can:

http://www.wlug.org.nz/rbash(1)
 
Old 05-11-2006, 07:42 PM   #7
riluve
Member
 
Registered: Nov 2004
Distribution: CentOS-4
Posts: 142

Rep: Reputation: 15
Um - are these users logging in remotely? If so just set up a control panel and only let them access through that (web interface).
 
  


Reply

Tags
account, help, locking, shell, ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Lock user in home dir JJX Linux - General 9 06-28-2011 02:09 PM
user home dir doesn't create when new user add dev_mohamed Linux - Software 3 01-12-2007 01:08 AM
user home dir/permissions xilace Linux - Security 5 07-21-2004 12:33 PM
recover user and home dir powadha Linux - General 5 04-16-2004 09:08 AM
Lock user in their home dir MarleyGPN Linux - Software 1 04-26-2003 05:12 AM


All times are GMT -5. The time now is 05:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration