You'll have to ask yourself *why* you would want to restrict users to /home, because the stuff in other dirs usually is owned by root (and/or other privileged accounts), which regular users can't mess with.
In general there are 2 options, both with their own cons/pros.
1. You could restrict a user to its own homedir by either letting it use a chrooted env, or use a restricted bash shell.
The restricted bash shell you definitely do not want, because it'll keep 'em busy in their ~/, but won't even allow dir traversal into subdirs :-]
The chroot option restricts them to their ~/, with full movement, but you will need to create a full environment (/bin, /dev, etc) for *each* user. To save disk space and sanity when I need a solution like this I use rootjail, which will set you up with a bare skeleton, copying all necessary parts to the chrootdir, and busybox as an all-in-one solution for replacing necessary binaries; it's one compact package.
2. You could assure yourself regular users can't work in other dirs by either mounting them on separate (-o ro) partitions (BSD does this by defining slices at install time, dunno why Linux doesn't promote this behaviour...) or at least chattr +iu your binaries, configs etc, etc.
*Also look into PAM's user restrictions in /etc/security for defining login (times, places, hogging memory, max processes per user, etc etc)
**If you're going for option 2 at least patch your kernel with GRSecurity or LIDS, which in the case of GRS takes away capabilities from regular users, and in the case of LIDS even those of root. GRS is easier, LIDS has more restrictive settings, but in both cases they shield off processes from users.
Last edited by unSpawn; 02-04-2002 at 01:39 AM.
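The "full environment for each user" cost that the chroot option above carries is easiest to see by building one. The script below is an added example and is not rootjail, busybox, or anything from the post; it copies a list of system binaries plus the shared libraries `ldd` reports for them into a jail directory, preserving their paths, and creates the bare skeleton dirs a login shell expects. Device nodes (`/dev/null`, `/dev/tty`) and the `chroot` call itself need root and are deliberately left out; the jail directory and binary names are whatever you pass in.

```shell
#!/bin/sh
# Added example: build a minimal per-user chroot skeleton.
# Copies each named binary and its shared libraries into $jail, keeping the
# original absolute paths so the dynamic loader finds them inside the jail.

copy_with_path() {
    # copy_with_path <jail> <absolute path>: copy one file, creating parent dirs
    jail=$1; src=$2
    [ -e "$src" ] || return 1
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"    # cp follows symlinks, so /bin/sh -> dash is copied as a real file
}

lib_deps() {
    # Print the absolute paths of shared objects a binary loads (nothing for
    # static binaries or when ldd is unavailable). Only run ldd on trusted
    # system binaries: it invokes the loader on the file it inspects.
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # libc.so.6 => /lib/.../libc.so.6
        $1 ~ /^\//               { print $1 }         # /lib64/ld-linux-x86-64.so.2 (0x...)
    '
}

mkjail() {
    # mkjail <jail dir> <binary>...
    jail=$1; shift
    mkdir -p "$jail/bin" "$jail/lib" "$jail/dev" "$jail/etc" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    for bin in "$@"; do
        path=$(command -v "$bin") || { echo "no such binary: $bin" >&2; return 1; }
        copy_with_path "$jail" "$path" || return 1
        for lib in $(lib_deps "$path"); do
            copy_with_path "$jail" "$lib" || return 1
        done
    done
}

jail_has() {
    # jail_has <jail dir> <binary>: true if the binary is present and executable in the jail
    [ -x "$1$(command -v "$2")" ]
}

# Usage (as root, then chroot into it): mkjail /home/alice/jail sh ls cat
if [ "$#" -ge 2 ]; then
    mkjail "$@"
fi
```

Run `du -sh` on the result to see why the post suggests busybox instead of copying every utility and its libraries: even a few coreutils pull in a megabyte or more of shared objects per user, and every copy has to be refreshed when the host libraries are patched.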