How to link home directory to different file-system
 

Hello all,
I'm looking for some advice about how to implement the following functionality in my pet project.

There are two users on my system, user1 and user2. When user1 logs in he can do what he wants etc.. when user2 logs in I want to somehow link the entire file system to another place. In more detail when user2 logs in and does something like ls ~, he should see contents of /home/user1/extra/home/user2/ instead of /home/user2/
and when user2 does ls /usr/bin he should see contents of /home/user1/extra/usr/bin/

Is there a simple way to do this kind of operation. I have looked up the ln command, but I am a little unsure about how to show a completely different file structure to a particular user.

I did play around with ln and found that you can make "soft links" to directories. The problem being how can I link the user2 home directory /home/user2 to something like /home/user1/buffer/home/user2 . can I use something like ln -s /home/user1/buffer/home/user2 /home/user2 .. I guess not. I didn't want to try it as I wasn't sure so as to not hose my system.

Thanks in advance for any advice/pointers

How about doing a usermod -d on that particular user??

usermod -d /home/user1/buffer/home/user2 <user2>
usermod -d /home/user1 <user1>

Try this.

If you explained to us exactly why you want to do this, we might be able to offer a simple solution.

@kdelover

You are right about using usermod, however it will only be useful in the case where I want to change the home directory of user2 to some other location. Useful, nonetheless.

The problem being can I somehow point user2 to a completely different file structure

@tredegar

I want to do this because I want to maintain a file structure on a USB stick (just as an example). I do not want the file structure and the files in it to be known to every programmer on my system. Thereby if I can figure out a way to let user2, who is a special programmer and can get access to the file-system on the USB disk I should be able to give it to him.

The point being I want user2 to feel as if he is working on the main computer itself. Thereby the question about "Can I link the entire filesystem for a particular user to somewhere else"

I want user2 to seamlessly log in to my computer, I will decide if user2 is a special person, based on the username..etc.. and then somehow hive off user2 to a different file system where he feels as if he is on the main computer but entries in (say) the /usr/bin on the USB stick will be different than the entries in /usr/bin on my machine but user2 ned not be bothered as he will only see file system on usb stick.

Any pointers :-)

how about mounting that usb drive to /home? what i do on my server is create a parition called /fs and NFS export it and mount it as /home on client remote systems :) It just looks like /home is locally present where as its actually nfs mounted.

@kdelover

that a very decent idea, I will definitely explore it with the usermod option. However the problem in this case still remains that if user2 types in ls /usr/bin he is still going to see the setup on my computer instead of the one on the usb disk..correct me if I am wrong :-)

you want to restrict your users to just he usb pen drive that is they shouldn't be able to browse outside their home directories? is that what you are inferring? If thats the case i can only think of setting up acl on per user basis :)

@kdelover

Yes you are right, that user2 should be able to only be in the pen drive based file structure. With ACLs I can cut off access to my machines /usr/bin etc..

However if user2 does type in ls /usr/bin it still won't let him see the USB drive's file system. he has to explicitly type ls /mnt/pendrive/usr/bin/.... etc. I want to make this transparent such that user2 types in /usr/bin and I can show him /mnt/pendrive/usr/bin/.

I'm thinking of a hammer and tongs approach: what if I modify the ls command, basically wrap a script around it and add /mnt/pendrive to all locations user2 types in. So ls /usr/bin would become ls /mnt/pendrive/usr/bin . The complication being thre are just so many possibilities, such as ls ~, the cd command, ln command etc..

I'm not sure if you can set up an acl on /

setfacl -m user:<username>:--- /


Test it yourself and let me know i cannot test it as of now.

@kdelover

I get setfacl: /: Operation not supported

even though I modified /etc/fstab to contain
LABEL=/ / ext3 defaults,acl 0 2

so that / itself now uses acls

@kdelover

I get setfacl: /: Operation not supported

even though I made entries in /etc/fstab to mount / as using acl

Try remounting the / after you edit the fstab file .

mount -o acl remount /

then do mount and grep for acl,as far as i know it must work.

@kdelover

sorry, but I got

mount: special device remount does not exist

try this out,

there should be a config file in /boot grep for acl from that and see if the acl option is enabled or not you should see a Y what you see,you should se something like

grep ACL /boot/config-<your kernel version>

CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y


after you have edited the fstab file just remount your parition

mount -o remount /

then do mount | grep -i acl or may be

then do a getfacl on / and see what it shows

Yes I see this

/etc/fstab has
LABEL=/ / ext3 defaults,acl 0 2

I see
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Thanks for the awesome responses!

well do this mount -o remount / and then

setfacl -m user:<some user name>:r-- /

Does it still say operation not permitted?

I believe that's what you wanted.

OP - if all you want to do is give that user a different set of binaries, have you considered setting PATH=/media/usb/bin:$PATH? You could enforce that by adding a UID check and putting it in /etc/profile or similar, and you could use permissions or acls to prevent other users from seeing/running the directories where those new binaries were stored.

Yep, unfortunately, I still get

setfacl: /: Operation not supported

Dang!

are you doing it from root account or normal user? :) and do what karamarisan said there should be a comma there.

It looks like you want to chroot the users, or at least user2. You might want search on Google for chroot howto's. Having user2's system inside user1's home directory isn't a good idea. Especially as you want the the chroot environment there as well. You have to enable read and execute rights for the parent directories, which allows user2 access to user1's files. User1 on the other hand can unlink user2's directories, since user1 has write access to /home/user1/ and deleting files and directories is an operation on the parent directory. Also pendrives don't make the best device for an operating system.

Maybe you could explain why you need to do this. That might help us suggest a better solution.

@kdelover
I'm using sudo..and still getting the same msg! arrrgh!! (eating my fist)

@karamarisan
Thats a good idea. However, excuse my naiveness, but what you are saying is to add the place where binaries are on the USB disk to the user's path, right?

basically will using PATH=/media/usb/bin:$PATH? force an ls binary to run from /media/usb/bin/ rather than /bin/? for that user.

@jschiwal

I will look up chroot

acl should work as far as i know,my bad i cant test it now :(

@kdelover

are you kidding me! you've been awesomely helpful! no worries.

If the files you want alternates of are just binaries, then PATH modification is probably your best bet. Note that this is purely a convenience thing. With PATH=/media/usb/bin:..., if there is an ls in /media/usb/bin, that ls will be run instead of the system one, but user2 will still be able to run the system ls with /bin/ls if he wants to. Also note that is important that no more than root and possibly user2 be able to write to /media/usb/bin or any other directory you add this way, as you could otherwise be opening a serious local security hole.

chroot is overkill if all you want are alternate binaries. It would also affect a number of other things, as the root filesystem outside /media/usb would no longer be visible until the chroot was exited.

From what the OP describes, I agree with jschiwal, chroot is a nice all encompassing solution.

@karamarisan

I totally agree with your point, modifying the path so that the binaries in the USB stick run instead of the system is a great soln.

I am intrigued by chroot though I will look more into it.

Thanks again everyone.

I haven't read the whole thread, but, seriously, you are describing what chroot does in the first post.

OP: Take this as a lesson in presenting your problem rather than what you think is a solution. If all you need is alternate binaries for this user, you would have gotten the PATH business a lot sooner and that'd likely be it. You framed it like you need an entire filesystem, and a number of people have given chroot as a way to make that happen (as that's what it does).

Ok i got back home and i tested what you were trying to do and it works for me :|

The Result

And it seems to be working for me,hmmm since i gave ryan --- permissions that is no permission nothing seems to be working :)

Everyone,
Thanks so much for the helpful pointers and code snippets. I have implemented the PATH solution and am looking at chroot now. I have got it working. I found some excellent tutorials via google about chroot.

One question though, as the root user of my system, if I grant a programmer access into a chroot jail, how can I move him back to the normal /home/user2 filesystem on m computer. I have found articles on "how to get out of chroot jail" and "how to break out of jail" etc.. but they don't seem to be quite elegant. They all use the fact that the root user can't be jailed and so the chrooted guy performs actions to elevate himself to root level and hence gets out or maybe follows a hard link..etc..

Can someone please suggest a clean way to allow a chrooted user back into the main filesystem.

Situation: User2 logs into my computer and is hived off to a chrooted environment, he does some stuff, and then I as the root user decide it is time to move user2 onto the main file system.

One possible way, I thought of, based on this thread is to possibly go and put links in the chrooted environment for user2 pointing to the /home/user2 on the main filesystem. But chroot won't allow user2 to follow those soft links (as it should). Also it seems hard links can't be made to directories.

Can anyone give me some advice about bringing a user back from a chrooted environment to the main filesystem.

Thanks again in advance.

EDIT============

I mean moving user2 into the main file system in a transparent manner if possible. For example: user2 logs in and is thrown into chrooted env, he does some stuff, and then automatically (magically, after 20 seconds or completing some tasks etc..) is now able to browse the main file system, thereby not being restricted by chroot, without having to do any "jailbreaking" explicitly.

I dunno; what you're asking for doesn't really make sense. If the actual chroot is put into user2's .shellrc, he could exit out of it whenever...?

If you want to get back out to the main filesystem, a chroot isn't what you want. Think about this - it's designed to limit users. Conversations about how to get out of a chroot are typically discussions of why you shouldn't be relying on this for security, not how to add more functionality to it.

Agree with karamarisan: what the OP is asking for makes no sense.
Either you want user2 jailed or you don't
In either case, don't even think of putting him 'under' another user.
Give him his own user.
If you want him to usually be a normal user, but sometimes needs higher privs, you should be looking at sudo.

Thanks all.