LinuxQuestions.org
Old 03-03-2005, 08:03 PM   #1
kihtap
LQ Newbie
 
Registered: Jun 2004
Posts: 15

Rep: Reputation: 0
New User FTP/SHELL Limitations


I have a web server with RH9 installed. I have added a couple of users to make updates to the websites. I wanted to know how I can prevent shell access and / directory access.

For example, I have a website located in /home/sites/site1/web, and I have made this the user's default directory. But the user is still able to go to /etc. I want it so the user may only be able to go up to /home/sites/site1.

Also the user is able to log in with ssh. I changed the shell to /bin/false and this solves the ssh problem but then ftp is also blocked.

All help is welcome.

kihtap
 
Old 03-05-2005, 06:00 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
If they only need to update the website through ftp, then you don't need to make them regular users. If they have accounts because they use their account to produce the changes (rather than offline), then they will need normal access to perform changes to the website. You can have a shell running in a jail. This would mean providing a scaled down version of the system inside of the jail.

You can have a non-anonymous ftp server running in a jail, and make these two people guest users.
This link could be a starting point for you: http://aplawrence.com/Bofcusm/1444.html

Having read access to /etc is normal, as many programs require read access to the configuration files, such as when they login, their home directory and default shell are read from /etc/passwd.

If you put them in a chrooted jail, you need to be careful which commands you include. For example, with the restricted shell, the '/' character isn't allowed in pathnames. But just executing a script will remove the restrictions. Starting a regular bash shell, if you allow it, would also remove restrictions. The restricted shell is intended to be used to run a server in a jail. It is insurance in case the service crashes.

Most distributions have security settings, and the highest is often called 'paranoid' settings. This may even restrict users from accessing man pages.

Also, if you have a storage partition mounted, such as an external vfat drive to store mp3's for instance, make yourself the owner and group owner of the partition, and use the 'noexec' and 'nodev' options.

Also, you can tighten up the password policy. This way, a user can't choose a weak password. This can help prevent a third party from guessing the passwords of one of the users.

If the strictest security level isn't enough, and they can't get their work done in a jail, maybe you don't want others accessing your computer in the first place. You would probably be safer in the long run concentrating on security issues in general, such as removing programs and commands that a web-server doesn't need, removing unnecessary suid programs, not running any services like mail that have shell hooks, and scanning your machine looking for open ports.

Last edited by jschiwal; 03-05-2005 at 06:20 AM.
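
The account question in this thread (a /bin/false shell stops ssh but also ftp), as an added example that is not part of either post: a shell function that reads passwd-format and shells-format files and reports, for each account under a site directory, whether it allows shell login, FTP, both or neither. It assumes the FTP daemon refuses accounts whose shell is not listed in /etc/shells (the check pam_shells performs); the account names and sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the FTP daemon rejects
# accounts whose shell is missing from /etc/shells (pam_shells-style check).

# audit_accounts PASSWD SHELLS PREFIX -> "user:verdict" per account under PREFIX
audit_accounts() {
    awk -F: -v shells="$2" -v prefix="$3" '
        BEGIN {
            # Load permitted shells, skipping comments and blank lines.
            while ((getline line < shells) > 0)
                if (line != "" && line !~ /^#/) valid[line] = 1
        }
        index($6, prefix) == 1 {
            s = ($7 == "") ? "/bin/sh" : $7      # empty field means /bin/sh
            nologin = (s ~ /\/(false|nologin)$/) # shell that exits at once
            listed  = (s in valid)
            if (!nologin && listed)      v = "shell+ftp"
            else if (!nologin)           v = "shell-only"
            else if (listed)             v = "ftp-only"
            else                         v = "no-shell-no-ftp"
            print $1 ":" v
        }' "$1"
}

# demo: run the audit over constructed sample files (hypothetical accounts).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
site1ed:x:501:501::/home/sites/site1/web:/bin/bash
site2ed:x:502:502::/home/sites/site2/web:/bin/false
site3ed:x:503:503::/home/sites/site3/web:/sbin/nologin
site4ed:x:504:504::/home/sites/site4/web:
EOF
    cat > "$d/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
EOF
    audit_accounts "$d/passwd" "$d/shells" /home/sites/
    rm -rf "$d"
}

demo
```

On a real host the call would be `audit_accounts /etc/passwd /etc/shells /home/sites/`; the trailing slash on the prefix keeps a sibling directory such as /home/sites2 from matching.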
 
  

