LinuxQuestions.org


Arun Kurian 11-06-2013 06:22 AM

Restrict the user access
 
Hi,

How could I limit the access of users to a directory? For example:

I have some designers and normal users. I would like to grant the designers access only to the /home directory. That is, when a designer logs into their machine, their working directory will be /home/designer. If the designer executes the command # cd /etc, it should not work and should return a permission denied message, and if it is cd /home, it should work. They should have access to the server's /home directory. The server will have cPanel on it. So is there anything else we could implement without changing the directory ownership?

Regards,

kbp 11-06-2013 06:35 AM

I think what you're trying to do is drop the designer into a chroot jail, however giving them access to /home may not be ideal as it could allow them to manipulate the environments of other users - can you restrict them to /home/designer instead?

Arun Kurian 11-06-2013 06:47 AM

Quote:

Originally Posted by kbp (Post 5059308)
I think what you're trying to do is drop the designer into a chroot jail, however giving them access to /home may not be ideal as it could allow them to manipulate the environments of other users - can you restrict them to /home/designer instead?


Thanks for the quick reply.
Unfortunately, that is not the exact requirement.

The exact requirement is that it is a cPanel server, so we cannot change any of the directory permissions.
The developer/designer user should be able to have full access to /home (i.e. under /), but should not be able to view or access any other directories under /.

kbp 11-06-2013 06:59 AM

Ok so you'll need to read up on chroot jails and see if they'll work for you, it may not be trivial depending on your requirements.

redfox2807 11-06-2013 07:20 AM

If you restrict those users from reading system files and dirs, they will only be able to run executables located in their home folders (if /home isn't mounted with the -noexec option, of course). In Linux, programs are run with exactly the same privileges as the user that started them. So the programs won't be able to read system files and dirs either and would hardly work.
As far as I know, you're only able to prevent users from getting access to other users' data in Linux. Why do you want to hide the root filesystem from a user?

redfox2807 11-06-2013 07:25 AM

Quote:

Ok so you'll need to read up on chroot jails and see if they'll work for you, it may not be trivial depending on your requirements.

As far as I know chroot still has to have /etc /dev /lib and so on. So it's not exactly what is desired. Am I right?

Arun Kurian 11-06-2013 07:46 AM

Quote:

Originally Posted by redfox2807 (Post 5059340)
If you restrict those users from reading system files and dirs, they will only be able to run executables located in their home folders (if /home isn't mounted with the -noexec option, of course). In Linux, programs are run with exactly the same privileges as the user that started them. So the programs won't be able to read system files and dirs either and would hardly work.
As far as I know, you're only able to prevent users from getting access to other users' data in Linux. Why do you want to hide the root filesystem from a user?

Aren't there any options using ACL, or combining two or more ideas like chrooting, ACL, SSH chrooting, sudo powers, etc.? There are no issues with accessing the essential directories under /, but the developer should not have the ability to edit those files & directories.

For example, they can 'cd' and ls to /etc and /bin if it is required,
but should not be able to 'cd' to /dev, /misc, etc.,
but should be able to access & edit /home.

I have created a user called developer and used setfacl to give rwx on the home directory.

Now the scenario is that the developer user has full access to /home; the user can also ls and view all the files & directories under /, but cannot perform any other operation on directories and files other than /home.

I think the solution is half achieved,
but I need to restrict the view of certain directories under /.

Sounds like a crazy idea!!! But I badly need to implement this.

redfox2807 11-06-2013 09:21 AM

Quote:

Aren't there any options using ACL, or combining two or more ideas like chrooting, ACL, SSH chrooting, sudo powers, etc.? There are no issues with accessing the essential directories under /, but the developer should not have the ability to edit those files & directories.

From what I've read, this sounds more like what AppArmor/SELinux are intended for, though I have never tried to use them myself.

Quote:

but the developer should not have the ability to edit those files & directories.

That's how it is by default. An unprivileged user can view system files and dirs, but can't write into them:
Code:

andrew@P8P67-Lin:~$ rm -f /etc/fstab
rm: cannot remove ‘/etc/fstab’: Permission denied
andrew@P8P67-Lin:~$

andrew@P8P67-Lin:~$ ls -l /
total 124
drwxr-xr-x  2 root root  4096 Nov  4 13:59 bin
drwxr-xr-x  4 root root  4096 Nov  4 14:00 boot
drwxr-xr-x  2 root root  4096 Jun 18  2011 cdrom
drwxr-xr-x  17 root root  4580 Nov  6  2013 dev
drwxr-xr-x 167 root root 12288 Nov  6 19:09 etc
drwxr-xr-x  4 root root  4096 Oct 13  2011 home

Being able to cd into a directory means a user can execute the directory. To list files in the directory the user must have read access. I have no write access so the system didn't let me delete /etc/fstab.

suicidaleggroll 11-06-2013 10:32 AM

Stick them in a chroot jail and loopback mount /home into it.

Quote:

Originally Posted by redfox2807 (Post 5059341)
As far as I know chroot still has to have /etc /dev /lib and so on. So it's not exactly what is desired. Am I right?

A chroot jail only needs what is actually needed for a user to log in and use the system. The only files in /etc /dev /lib are those that are critical in order for them to log in (without those files, they wouldn't be able to log in at all). They're also copies of the system files, not the system's files themselves, so if the user did somehow manage to bork them, they'd only lock themselves out; the rest of the system would be unaffected. I.e., what the user sees as /etc/password is really /path/to/chroot/jail/etc/password. They can screw up the jail environment all they want (within the permissions you set, at least), but they're just hurting themselves.
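
The jail described in the post above, sketched as an added example that is not part of the original thread: it copies only the listed binaries and the libraries they link against into the jail, then exposes the real /home inside it. It uses a bind mount for the "loopback mount" step; the jail path `/srv/jail`, the group `designers` and the binary list are assumptions.

```shell
#!/bin/sh
# Added example: build a minimal chroot jail and expose /home inside it.
# /srv/jail, the "designers" group and the binary list are assumptions.

# Print the shared libraries (and loader) a binary needs, one path per line.
jail_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libfoo.so => /lib/... (0x..)
        $1 ~ /^\//               { print $1 }   # the dynamic loader itself
    ' | sort -u
}

# Copy one file into the jail under the same absolute path (copies, not links).
jail_copy() {   # usage: jail_copy JAIL /abs/path
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# Populate JAIL with the listed binaries plus everything they link against.
build_jail() {  # usage: build_jail JAIL /bin/sh /bin/ls ...
    jail=$1; shift
    mkdir -p "$jail/home" "$jail/dev" "$jail/etc"
    for bin in "$@"; do
        jail_copy "$jail" "$bin" || return 1
        for lib in $(jail_deps "$bin"); do
            jail_copy "$jail" "$lib" || return 1
        done
    done
}

# Root-only steps: device node, bind mount of the real /home, ownership.
finish_jail() { # usage: finish_jail JAIL   (run as root)
    [ -e "$1/dev/null" ] || mknod -m 666 "$1/dev/null" c 1 3
    mountpoint -q "$1/home" || mount --bind /home "$1/home"
    chown root:root "$1" && chmod 755 "$1"  # sshd rejects a user-writable chroot
}

# sshd_config fragment that confines the (assumed) group to the jail.
sshd_match_block() { # usage: sshd_match_block JAIL GROUP
    printf 'Match Group %s\n    ChrootDirectory %s\n' "$2" "$1"
}

# Typical use, as root:
#   build_jail /srv/jail /bin/sh /bin/ls
#   finish_jail /srv/jail
#   sshd_match_block /srv/jail designers >> /etc/ssh/sshd_config
```

Inside the bind-mounted /home the existing file permissions and ACLs still apply, so the jail hides the rest of / without changing any ownership under /home.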


All times are GMT -5.