LinuxQuestions.org
Old 10-09-2004, 12:36 AM   #1
SiLiCoN
Member
 
Registered: Sep 2004
Location: India
Distribution: Solaris 9, FreeBSD 4.10, Slackware, RedHat, Knoppix,
Posts: 84

Rep: Reputation: 15
user jailing ?


Hi,

I would like to know if there is a way (well, there certainly is) to lock a particular user (or all users) in their home directory. This is exactly what I'm looking for -
There is a centrally located Linux (RedHat 9.0) server to which users log in to their shell accounts. Now what I want to do is to restrict the users to their home directory so that they can't move out of their home directory - in other words chroot $HOME - but that is only possible as root. I tried adding a "chroot $HOME" line in /etc/bashrc but that can be executed only as root. So is there a way that whenever someone logs in, he can't move out of his home directory, both for FTP and shell?


Thanks
 
Old 10-09-2004, 12:40 AM   #2
veritas
Member
 
Registered: Aug 2003
Location: Dallas,TX
Distribution: Ubuntu Server, Slackware, Red Hat 6.1
Posts: 241

Rep: Reputation: 30
Not sure how to lock them in the shell, but for FTP (if you are using proftpd) just add this towards the top of your proftpd.conf:
Code:
DefaultRoot ~
 
Old 10-09-2004, 02:07 AM   #3
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Yes, it can be done, but remember chroot restricts whomever or whatever is inside the jail to just what's in the jail with them. Meaning they cannot access any applications or files not installed inside the jail. For instance, if you simply run "chroot /tmp" as root you will get an error about not being able to find /bin/bash because there is no /bin/bash inside the jail. But if you copy /bin/bash to /tmp/bin/bash and any dependencies it has into the jail as well, it will work. You cannot simply prevent a user from moving about the file system while at the same time allowing the user to use those files. Make sense? Anyway, here is a link to a project that sets it up for you.

http://www.jmcresearch.com/projects/jail/

You could also set up Virtual Machines, which are completely separate systems all running on and sharing the same hardware. But at the end of the day the simplest thing to do is to not give shell access to those you do not trust, else you are just asking for trouble.

Last edited by DaHammer; 10-09-2004 at 02:13 AM.
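
The point in post #3 about copying /bin/bash and its dependencies into the jail, as an added example that is not part of the original thread: a shell sketch that installs a binary and the shared libraries `ldd` reports for it into a chroot directory. The function names and the `/home/jail` path are hypothetical.

```shell
#!/bin/sh
# Added example: populate a chroot directory with a binary plus the shared
# libraries it needs. Function names are hypothetical, not from any project.

# Print the absolute paths of the shared objects a binary is linked against.
# ldd fails on static binaries; treat that as "no dependencies".
# Only run ldd on binaries you trust: it may invoke the program's loader.
jail_list_deps() {
    { ldd "$1" 2>/dev/null || true; } |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u
}

# Copy one file into the jail at the same path it has on the host.
# cp -L follows symlinks so the jail gets real files, not dangling links.
jail_copy_file() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# Install a binary and every library ldd reports into the jail.
jail_add_binary() {
    jail=$1
    bin=$2
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    jail_copy_file "$jail" "$bin"
    for lib in $(jail_list_deps "$bin"); do
        jail_copy_file "$jail" "$lib"
    done
}

# Typical use, as root (paths are constructed for illustration):
#   jail_add_binary /home/jail /bin/bash
#   jail_add_binary /home/jail /bin/ls
#   chroot /home/jail /bin/bash
```

Populating the directory works as any user who can write to it; only the `chroot` call itself needs root. Every command the jailed users should have must be added the same way.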
 
Old 10-09-2004, 02:20 AM   #4
SiLiCoN
Member
 
Registered: Sep 2004
Location: India
Distribution: Solaris 9, FreeBSD 4.10, Slackware, RedHat, Knoppix,
Posts: 84

Original Poster
Rep: Reputation: 15
Thanks for the help guys,


Setting up a chroot "jail" is one of the most time-consuming things in Linux... Is this the only way I can restrict shell commands (pfffft)? Well then, for each and every user I'll have to spend a huge amount of time (maybe I'll write a script?).

Is there any other way to do it? Like, is this how all the website providers and free shell providers achieve it?
 
  

