LinuxQuestions.org
Old 01-13-2009, 11:53 AM   #1
iinfi
LQ Newbie
 
Registered: Dec 2008
Posts: 26

Question deny browse access to users


I'm running RHEL 5 on my company system.

There is a client requirement that when users log into the system through SSH they should not be able to even browse through any directory other than their home directory.

Is this possible?
I've referred to http://www.fuschlberger.net/programs...p-chroot-jail/ but when I create a chroot the user is not able to log in at all, be it normally on the system itself or through SSH.

The end goal is to set up an SFTP server so that the client can send files securely to their customers.

Setting up an FTP server with vsftpd is an option, but again I find that the FTP user (not anonymous users, not the root user; anonymous user login on FTP is disabled) is able to go up the directories and view the contents of all the root directories. The client does not want this either.

Am I clear? Any workaround? Thanks.
 
Old 01-13-2009, 12:26 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well, you definitely want a chroot jail. vsftpd has many, many good tutorials online to guide you through it, and the same goes for SFTP too, really. If you do get stuck, ask us specific questions and we'll see what we can suggest. Personally I'd probably suggest vsftpd with SSL/TLS, as it's more generic, but SFTP is just as secure.
 
Old 01-15-2009, 12:52 AM   #3
iinfi
LQ Newbie
 
Registered: Dec 2008
Posts: 26

Original Poster
Thanks for your reply.
The requirement was that, if I was configuring an FTP server, the transfer of files should also be through a secure channel. When I configured SSL for the same, the client did not like it, as they didn't want to spend money to get a proper certificate from a CA and didn't want pop-ups in the browser or FTP client saying the SSL certificate is not digitally signed by a CA.

So I tried SFTP. The config was done, but the issue again is that all users who log in are able to browse through the root directory as well. Though they cannot make any changes, the client did not want that either. So the resolution was to create a chroot jail. I tried a few utilities like jailkit and makejail, which did create a jail-like environment but didn't allow any users added in the jail. I also ran this script, which also successfully created chrooted users but didn't allow them to log in.
Can you please try to run this script and tell me if it works for you?
Thanks again.
 
  

