LinuxQuestions.org
Old 02-26-2004, 07:31 AM   #1
pragti
LQ Newbie
 
Registered: Feb 2004
Posts: 16

Rep: Reputation: 0
restrict user to home directory at logon


Hi
Can we restrict a user to his home directory only (in Red Hat Linux 7.2), so that the user can browse only files in his directory?
 
Old 02-26-2004, 08:29 AM   #2
Rounan
Member
 
Registered: Jun 2003
Location: Ontario
Distribution: Ubuntu, Gentoo, Debian
Posts: 416

Rep: Reputation: 30
Remove read, write and execute permissions for generic users from everywhere else:
chmod o-rwx <everything else>

Particularly, make sure no folders have execute permissions - this will prevent users browsing them.
You can then set group permissions and add users to groups as appropriate.

--Rounan
 
Old 02-26-2004, 08:32 AM   #3
pragti
LQ Newbie
 
Registered: Feb 2004
Posts: 16

Original Poster
Rep: Reputation: 0
I want that the particular user cannot even browse the /tmp folder (where the permissions by default are 1777)

More so (Remove read, write and execute permissions for generic users from everywhere else:
chmod o-rwx <everything else>) doing this will make my many other processes unworthy
 
Old 02-26-2004, 09:10 AM   #4
Rounan
Member
 
Registered: Jun 2003
Location: Ontario
Distribution: Ubuntu, Gentoo, Debian
Posts: 416

Rep: Reputation: 30
Well, as roundabout as it seems, so far as I know, permissions are positive-based and not negative-based. I'm a relative newbie and might be entirely wrong, but I don't know of a way to remove permissions from one specific user other than removing them, entirely, and then granting them to users you DO want to have them.

Quote:
I want that the particular user cannot even browse the /tmp folder (where the permissions by default are 1777)
so chmod o-rwx /tmp

Quote:
More so (Remove read, write and execute permissions for generic users from everywhere else:
chmod o-rwx <everything else> ) doing this will make my many other processes unworthy
I don't know what you mean by "unworthy", but it won't affect anything at all if you manage your groups properly. Add the users you want to have permissions in certain areas to the group that owns that directory/file, and the users shouldn't even notice the permissions change.

I agree that it seems like a pretty inelegant workaround just to lock out one user, but it will work and it will result in a more secure system overall.

--Rounan
 
Old 02-27-2004, 03:00 AM   #5
comp12345
Member
 
Registered: Feb 2004
Posts: 467

Rep: Reputation: 30
You have to create a chroot environment (jail) for the user. There is a tutorial which you can find here: http://tjw.org/chroot-login-HOWTO/
 
Old 02-27-2004, 03:16 AM   #6
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Quote:
Originally posted by Rounan
Remove read, write and execute permissions for generic users from everywhere else:
chmod o-rwx <everything else>

Particularly, make sure no folders have execute permissions - this will prevent users browsing them.
You can then set group permissions and add users to groups as appropriate.

--Rounan
I'm afraid that one isn't going to work (hence the need for a chroot environment as comp12345 said).

For example, when you type the command "ls", it looks at the directories in your PATH variable for an executable file called ls, then executes it. If you don't have execute permission on the directory that contains ls, you can't see it so you can't run the command.

In fact, if you do chmod o-rwx you won't even be able to log on as that user.

Creating a chroot environment has the same effect, but you get round this problem by providing local copies of commands you want the user to be able to run, as well as local versions of configuration files they need (e.g. /etc/passwd).
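
The jail layout described in the post above (local copies of commands plus a local /etc/passwd), sketched as an added example that is not part of the original thread or of the linked HOWTO. The jail path, user name and command list passed to `build_jail` are illustrative assumptions; the script only populates the directory tree and does not configure the login itself.

```shell
#!/bin/sh
# Added example: populate a chroot jail with local copies of commands,
# the shared libraries they load, and a one-user /etc/passwd.
# Jail path, user name and command list are illustrative assumptions.

# copy_into_jail JAIL FILE: copy FILE to the same absolute path under JAIL.
copy_into_jail() {
    dest_root=$1; src=$2
    mkdir -p "$dest_root$(dirname "$src")" || return 1
    cp -L "$src" "$dest_root$src"   # -L: copy the file a symlink points to
}

# build_jail JAIL USER CMD...: non-zero if USER or any CMD cannot be found.
build_jail() {
    jail=$1; user=$2; shift 2
    mkdir -p "$jail/etc" || return 1

    # Local /etc/passwd holding only the jailed user's entry, so tools
    # inside the jail can still map the uid to a name.
    grep "^$user:" /etc/passwd > "$jail/etc/passwd" || return 1

    # Recreate the home directory at the path the passwd entry names.
    home=$(cut -d: -f6 "$jail/etc/passwd")
    mkdir -p "$jail$home" || return 1

    for cmd in "$@"; do
        bin=$(command -v "$cmd") || return 1
        case $bin in
            /*) ;;                  # external binary with an absolute path
            *)  return 1 ;;         # shell builtin or alias: nothing to copy
        esac
        copy_into_jail "$jail" "$bin" || return 1
        # ldd lists the shared objects the binary needs; keep the absolute
        # paths (this also picks up the dynamic loader itself).
        for lib in $(ldd "$bin" 2>/dev/null | grep -o '/[^ ]*'); do
            copy_into_jail "$jail" "$lib" || return 1
        done
    done
    return 0
}

# Example call (path and user are placeholders):
#   build_jail /srv/jail/alice alice sh ls cat
```

Building the tree needs no special privileges, but entering it with chroot requires root, and only the commands copied in are available once inside.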
 
Old 02-27-2004, 08:00 AM   #7
Rounan
Member
 
Registered: Jun 2003
Location: Ontario
Distribution: Ubuntu, Gentoo, Debian
Posts: 416

Rep: Reputation: 30
...true. Hadn't thought of that.

Thanks for clearing that up.

Yarrrrr.... I'm not a sysadmin.

--Rounan
 
  

