new user has access to whole system

hydro · 02-18-2003, 06:13 PM

Hey guys, I Installed proftpd so my comrades(

) could upload there files

adduser bob

passwd bob
- bobo
- bobo

now i ftp in, works, but if I click ".." up one root, i can access it, and acces /bin, /dev e.t.c

so i also tried to login to shell

it went! and I could hop into /bin , /home/otherusernames

but I decided to turn of shell access for that dude by adding "/sbin/nologin" in etc/passwd... but if he uses ftp.. he can still access teh whole system

how can I lock the user to /home/bob for the whole system(when i decide to give him shell acces)

I dont want him snooping in other users file along with /etc/passwd

MasterC · 02-18-2003, 06:30 PM

With a defaultRoot entry, see my proftpd.conf file at:
www.masterc.no-ip.org/share

Look near the top, it's the DefaultRoot ~

Cool

hydro · 02-18-2003, 06:42 PM

ok but how about if he telnet/ssh into a shell...

MasterC · 02-18-2003, 06:45 PM

Use rbash. Here's a clip of my /etc/passwd file:
swerv154:x:1001:100:Kelly:/home/swerv154:/bin/rbash

(That's my brother's account

)

Cool

MasterC · 02-18-2003, 06:47 PM

http://www.linuxquestions.org/questi...ighlight=rbash

That's a thread further explaining rbash

Cool

hydro · 02-18-2003, 06:49 PM

i cant catch the error.. but when i login under a /bin/rbash i get some error "no shell" or something

does this mean i dont have rbash?

MasterC · 02-18-2003, 06:57 PM

You may have to add /bin/rbash (after you do the symlink) to /etc/shells if it exists. However, if you read the thread above, I think you'll see why you are getting that (you haven't yet done the symlink /bin/bash /bin/rbash; or you have improperly done it, or symlinked something improperly).

Cool

Texicle · 02-18-2003, 07:16 PM

You could add all your ftp user accounts to a specific group, then make the permissions for that group a little more restricted. Your main user account can have more permissions locally if you want, just add that account to another group with a little more permissions. You can also specify which users have permission to "su" as well. If that user can only read from stuff other than his /home/user directory, he can't do any harm--however, if you deny him (and all others in that group) permission to read, write, or excute anything but what's in their respective /home/user directory, then your even safer. I would also deny everyone the ability to execute anything under /home/user as well just in case you get a malicious person on your system who uploads something to you, then runs it. Next thing you know you've got a rootkit on your box and someone's got a back door. Just a thought.