So I've got a slackware 10.2 box up and running with a webserver. I put the webpage files in /home/www, created a user "webadmin" in the group "webmasters", set /home/www as his home (and chown'd it webadmin:webmasters) and set /home/www to 775. What I want to do now is lock "webadmin" into /home/www (and below) so that the user can do what it wants with the webpage but can't do jack else. What's the best way to go about doing that, or something similar?
You can simply change the permission of every directory other than "/home" and "/home/www" so that they won't have permissions to do anything or go anywhere.
It's not that hard at all. All you have to do is make sure that all the execute permissions of every directory for "world" are disallowed and also make sure that the user is not in any groups.
To remove the execute permission for "world" from every directory you'd just type (as root) chmod o-x `find / -type d`. Then it's a simple matter to change the permissions for "/home" and "/home/www" (and all subdirectories) back to what they were.
Mind you, regardless of whether you do the above or not, a regular user cannot affect anything outside their home directory anyway. They can see all (or most) of the other files but can't do anything with them. So the above step may be unnecessary unless you're concerned about letting your users know anything about the rest of the system.
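Added example, not part of any post in this thread: a shell sketch that replays the proposal above inside a scratch directory and reports the first directory on each path that lacks the "other" search (execute) bit. The scratch layout and the function names are assumptions made for illustration; nothing outside the scratch tree is touched.

```shell
#!/bin/sh
# Added example: runs only inside a scratch tree created with mktemp.

# True when directory $1 has the "other" search bit (o+x, octal 001).
other_can_search() {
    [ -n "$(find "$1" -prune -perm -001 -print)" ]
}

# Print the first directory between $1 (inclusive) and the file $2 beneath
# it that "other" cannot search; print nothing if every one is open.
first_blocked_dir() {
    cur=$1
    rest=${2#"$1"/}
    while :; do
        other_can_search "$cur" || { printf '%s\n' "$cur"; return 0; }
        case $rest in
            */*) cur=$cur/${rest%%/*}; rest=${rest#*/} ;;
            *)   return 0 ;;   # only the parent directories need the search bit
        esac
    done
}

# Constructed stand-in for /, /home/www and /bin (hypothetical layout).
make_scratch() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/www/htdocs" "$root/bin"
    : > "$root/home/www/htdocs/index.html"
    : > "$root/bin/ls"
    find "$root" -type d -exec chmod 755 {} +
    printf '%s\n' "$root"
}

# The proposal, confined to the scratch tree: strip o+x from every directory,
# then restore it on home and on home/www with its subdirectories.
apply_proposal() {
    find "$1" -type d -exec chmod o-x {} +
    chmod o+x "$1/home"
    find "$1/home/www" -type d -exec chmod o+x {} +
}

root=$(make_scratch) || exit 1
apply_proposal "$root"
for f in home/www/htdocs/index.html bin/ls; do
    printf '%s -> blocked at: %s\n' "$f" "$(first_blocked_dir "$root" "$root/$f")"
done
rm -rf "$root"
```

Because `find / -type d` also matches the top directory itself, both paths are reported as blocked at the scratch root, which stands in for `/`. Restoring the bit on the root alone leaves `bin/ls` blocked at `bin`.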
You can simply change the permission of every directory other than "/home" and "/home/www" so that they won't have permissions to do anything or go anywhere.
This is not a good idea...
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You should find another approach. Maybe SELinux or grsecurity or something like this...
Originally posted by ddaas:
This is not a good idea...
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You should find another approach. Maybe SELinux or grsecurity or something like this...
That's what I was thinking. Doing ls or cd would be a bit tough. I wonder if su would work too? May not even be able to change to a user that can use the commands. Exit may not work either, can't logout then. That could be bad. May I suggest more before you do anything.
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You may have a point. However, users in the appropriate groups ("root" and "staff" in the case of Debian) will retain their access rights - it will really only affect new users. Also, the */bin (and possibly */etc) directories can have their permissions restored similarly to the home directories.
The way I always configure this is to add a user, edit /etc/passwd and change the user's shell to /bin/deny.
Install vsftpd, there is an option to chroot the users so they can't escape from their home directories.
Now the user can only change files by logging in with ftp and they can't get out of their home directory.
You may have a point. However, users in the appropriate groups ("root" and "staff" in the case of Debian) will retain their access rights - it will really only affect new users. Also, the */bin (and possibly */etc) directories can have their permissions restored similarly to the home directories.
I don't understand how this is supposed to work? You're suggesting removing all permissions for 'others' and changing the group ownership to 'staff' or 'users' or something to everywhere outside of /home?