Old 01-25-2005, 10:17 PM   #1
novaprime
restrict unix users to ~


is it possible to restrict a user to a directory?
i.e., when a user logs in, the shell chroots to the user's home or something?
 
Old 01-25-2005, 10:21 PM   #2
Matir
While this should probably be possible, ALL programs you want them to be able to run... and all shared libraries... must be located within the chroot. This includes bash. Also, in order for them to change their own password, they would need access to /etc/shadow.
 
Old 01-25-2005, 10:23 PM   #3
novaprime
ok, but let's say all I want them to be able to do is log in remotely via SSH?
 
Old 01-25-2005, 10:26 PM   #4
quatsch
you could use the restricted shell option for bash. The command is
rbash

You would specify that in /etc/passwd

The user then cannot cd into any directory other than $HOME (also not into its subdirectories!) and cannot execute programs using absolute paths.

look at
man bash
for more details. Maybe it's not quite what you want.
 
Old 01-25-2005, 10:28 PM   #5
novaprime
that's pretty close to what I want, except access to subdirs is critical. I'll take a look at the man pages and see if it's possible, thanks.
 
Old 01-25-2005, 10:30 PM   #6
quatsch
you can still access the files if you know their path. It's just that you cannot cd into them.
 
Old 01-25-2005, 10:36 PM   #7
novaprime
hmm, well that didn't work - couldn't even login with SSH
 
Old 01-25-2005, 10:47 PM   #8
quatsch
you can't login via ssh using rbash as shell? Hm. I didn't know that.

maybe you could log in normally and then start rbash using the ~/.bashrc script (or some of the other bash scripts). The script would execute rbash and then exit right away once the rbash session is done. Might work. You should first probably check how your system behaves when you log in normally and then execute
rbash
from the command line.
 
Old 01-25-2005, 10:50 PM   #9
quatsch
just tried it, actually.

I added

rbash
logout

to the end of ~/.bash_profile and it gets me into a restricted shell and then logs me out when I do exit.
 
Old 01-25-2005, 11:02 PM   #10
novaprime
yeah, the reason using rbash in the passwd file didn't work is because rbash doesn't exist on my system. I did what you did but used bash -r and it worked as expected.

Still not really an acceptable solution, cd needs to work and I can still access the rest of the file-system if I know what to look at.
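
The behaviour described in the posts above can be checked directly. This is an added example, not code from any poster; it assumes bash is installed, `cat` is on PATH and /etc/passwd is world-readable. It shows that restricted bash limits how commands are named, not which files they can read.

```sh
#!/bin/sh
# Added example: probe what restricted bash (bash -r) blocks and what it allows.
# Assumptions: bash is installed, cat is on PATH, /etc/passwd is readable.

# Run one command line in a restricted, non-interactive bash.
# Prints "blocked" if the command fails, "allowed" if it succeeds.
rbash_probe() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# cd, command names containing "/", and output redirection are refused,
# but a program found through PATH may still open any path it is given.
for probe in 'cd /tmp' '/bin/cat /etc/passwd' 'echo x > /dev/null' 'cat /etc/passwd'; do
    printf '%-24s %s\n' "$probe" "$(rbash_probe "$probe")"
done
```

Confining what a user can read therefore needs file permissions or a chroot in addition to (or instead of) the restricted shell.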
 
Old 01-25-2005, 11:08 PM   #11
quatsch
you could simply remove access permissions to the directories. Just remove read and execute permissions for others to the directories owned by root and nobody except root will have access to them. It's no good for the directories containing bash and the needed libraries though.
 
Old 01-25-2005, 11:08 PM   #12
novaprime
huh, I just saw a similar thread with a link to the solution:
http://www.debian.org/doc/manuals/se...sh-env.en.html
 
Old 01-25-2005, 11:23 PM   #13
novaprime
pfft.. ok, perhaps a simpler method would have been good. and for redhat, not debian
 
Old 01-25-2005, 11:36 PM   #14
quatsch
what exactly are the restrictions you want? If you just don't want users to have read/write access to certain files, you can accomplish that by setting the permissions to these files and directories in the way you want.

If you want something like chroot, you will have to figure out which binaries and libraries are required at the minimum (it could be quite a lot) and move them to your home directory. You can chroot if you set the sticky bit for chroot and then have it executed by .bash_profile. But it's gonna be a pain...
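
One way to work out and copy the minimum set of binaries and libraries mentioned above. This is an added example, not code from any poster; the function names and the jail location are hypothetical, and it assumes `ldd`, `awk` and `mktemp` are available.

```sh
#!/bin/sh
# Added example: collect a program and its shared libraries into a chroot tree.
# Function names and jail path are hypothetical. Run ldd only on trusted
# system binaries: on some systems it loads the target to resolve libraries.

# Print the absolute path of a program followed by every library ldd reports.
jail_deps() {
    bin=$(command -v "$1") || return 1
    case $bin in /*) ;; *) return 1 ;; esac   # builtins have no file to copy
    echo "$bin"
    # Any ldd field starting with "/" is a resolved path (library or loader).
    ldd "$bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Copy each program and its libraries into JAIL, keeping the same paths.
populate_jail() {
    jail=$1; shift
    for prog in "$@"; do
        jail_deps "$prog" | while IFS= read -r f; do
            mkdir -p "$jail$(dirname "$f")"
            cp -L "$f" "$jail$f"
        done
    done
}

# Demo: build a throwaway jail holding sh and ls, list it, then clean up.
demo=$(mktemp -d)
populate_jail "$demo" sh ls
find "$demo" -type f | sed "s|^$demo||"
rm -rf "$demo"
```

Entering the tree with chroot still requires root (CAP_SYS_CHROOT); an unprivileged chroot call fails with "Operation not permitted" even when every file is in place.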
 
Old 01-25-2005, 11:45 PM   #15
novaprime
yeah, that's what I'm after. All I want it for is SSH. If I execute chroot I get an "operation not allowed" - I assume that's because of the lack of access to binaries?
 
  

