limiting the user

sophie · 09-04-2003, 05:46 PM

Hi, everyone..

I want to add a user who can only access his home directory but nowhere else. (running redhat 8.0)

I read alot about it and as much I read, I confused more...

Please help.

Here is what I did:

I added a new user (test)
/etc/passwd
test:x:506:506::/var/www/./test/:/bin/bash

then edit /etc/security/chroot.conf as below
# /etc/security/chroot.conf
# format:
# username_regex chroot_dir
#matthew /home
test /var/www/test

But, when I login (telnet or ssh) with this account, I can still access other directories..

Do I need to add any "pam_chroot.so" somewhere?

What am I doing wrong?

There will be more than 50 users like that in this system. Is this the best way?

Thanks for your help in advance.

trickykid · 09-04-2003, 05:54 PM

I'm not sure about editing the file by hand but have you tried to run the command to chroot them to a directory?

man chroot for more details.

sophie · 09-04-2003, 06:07 PM

Thanks for reply..

Yes, I did read the manual, but as I said I am more confused after all of that.

There must be a very basic solution for that

So, is it enough to run chroot command itself? How do I say that I just want to use it for a specific user?

What I understood is chroot command is for only running a command from a certain directory?

I got lost in that.. help!..

Thanks in advance..

unSpawn · 09-04-2003, 06:29 PM

Did you add a "session required /lib/security/pam_chroot.so" line to /etc/pam.d/login? And AFAIK it isn't necessary to specify a ftp-style chroot home in passwd like the /dir/dir./dir you added.
Also note for a chroot to work you need to add some basic config files, libraries and GNU utilities to the chroot. The 1st sticky thread in the Linux - Security forum has some docs on chrooting, it's the 4th post, titled "Chroot, chrooting, jailing, comparimization".

sophie · 09-04-2003, 07:06 PM

Thanks alot for your reply.. I search on the forum alot but I think I could see that one.

As you said, I add "session required /lib/security/pam_chroot.so" to /etc/pam.d/login.

But, in the documents I couldn't see anything what to do about :
"Also note for a chroot to work you need to add some basic config files, libraries and GNU utilities to the chroot"

Can you give me some more clue please?

As a newbie, it is really difficult to figure out it for me.. Probably I can not see it becuse I couldn't get the logic of it yet..

Thanks alot in advance..

jayakrishnan · 09-05-2003, 12:23 AM

AFAIK a normal user can only access his homw directory bt default

Azmeen · 09-05-2003, 01:27 AM

Quote:

Originally posted by jayakrishnan
AFAIK a normal user can only access his homw directory bt default

She wants the user to only be able to access his/her own directory. In a typical *nix system users can only write to their own homedir (and /tmp if given permission), but can still view most dirs like /bin /opt and so on... This is what she wants to avoid.

And the sanest way to do this is by chrooting the user to his/her own homedir. Therefore, when they do cd / it will actually take them to their homedir.

sophie · 09-05-2003, 07:24 PM

Ok, I am trying jail sw for chrooting now. I installed jail_1.9

I followed the document exactly.. Like this:

1) Create the user
/etc/passwd
test2:x:507:507::/var/chroot/:/usr/local/bin/jail

2) install the sw
3) create the chroot
/usr/local/bin/mkjailenv /var/chroot
adding sw on it
/usr/local/bin/addjailsw /var/chroot
adding users to chroot
/usr/local/bin/addjailuser /var/chroot /home/test2 /bin/bash test2
here is my user:
/var/chroot/etc/passwd
test2:x:507:507::/home/test2:/bin/sh

Thats all.. it is working.. But..

When I login with test2 user, I can change directory to /var/chroot (as my root directory) and I can see other user's directories and all directories under /var/chroot.

I don't want anyuser to see any other directory but his own home directory.

Can you please help?
What am I doing wrong?

Thanks..