LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Restrict the user access (https://www.linuxquestions.org/questions/linux-newbie-8/restrict-the-user-access-4175483578/)

Arun Kurian 11-06-2013 07:22 AM

Restrict the user access
 
Hi,

How could I limit the access of users to a directory. For example :

I am having some Designers and normal users. I would like to grant access the Designers only to the /home directory. That if, When the designer log into their machine their working directory will be /home/designer. If the designer execute the command # cd /etc it should not work and it returns a message permission denied and if it is cd /home it should work. They should have access to the servers /home directory. The server will be having cPanel in it. So is there anything else we could implement without changing the directory ownership.

Regards,

kbp 11-06-2013 07:35 AM

I think what you're trying to do is drop the designer into a chroot jail, however giving them access to /home may not be ideal as it could allow them to manipulate the environments of other users - can you restrict them to /home/designer instead?

Arun Kurian 11-06-2013 07:47 AM

Quote:

Originally Posted by kbp (Post 5059308)
I think what you're trying to do is drop the designer into a chroot jail, however giving them access to /home may not be ideal as it could allow them to manipulate the environments of other users - can you restrict them to /home/designer instead?


Thanks for the quick reply.
Unforntunately that is not the exact requirement

The exact requirement is it is a cPanel server so we cannot change any of the directory permissions
The developer/designer user shoud be able to full access to /home (ie under the /). but should not be able to view or access any other directories under /

kbp 11-06-2013 07:59 AM

Ok so you'll need to read up on chroot jails and see if they'll work for you, it may not be trivial depending on your requirements.

redfox2807 11-06-2013 08:20 AM

If you restrict those users from reading system files and dirs they will only be able to run executables located in their home folders only (if /home isn't mounted with -noexec option of course). In Linux programs are run with exactly the same privileges that has the user that started them. So the programs won't be able to read system files and dirs either and would hardly work.
As far as I know you're only able to prevent users from getting access to other user's data in Linux. Why do you want to hide the root filesystem from a user?

redfox2807 11-06-2013 08:25 AM

Quote:

Ok so you'll need to read up on chroot jails and see if they'll work for you, it may not be trivial depending on your requirements.
As far as I know chroot still has to have /etc /dev /lib and so on. So it's not exactly what is desired. Am I right?

Arun Kurian 11-06-2013 08:46 AM

Quote:

Originally Posted by redfox2807 (Post 5059340)
If you restrict those users from reading system files and dirs they will only be able to run executables located in their home folders only (if /home isn't mounted with -noexec option of course). In Linux programs are run with exactly the same privileges that has the user that started them. So the programs won't be able to read system files and dirs either and would hardly work.
As far as I know you're only able to prevent users from getting access to other user's data in Linux. Why do you want to hide the root filesystem from a user?

Isn't there any options using ACL? or combining two ore more ideas like chrooting,ACL,SSH chrooting, sudo powers etc? There is no issues on accessing the essential directories under / but the developer should not have the ability to edit those files&directories.

for eg:- they can 'cd' & ls to /etc /bin if it is required
but not able to 'cd' to /dev, /misc etc...
but should be able to access&edit /home

I have created a user called developer and setfacl rwx to home directory

Now the scenario is like the developer user have full access to /home also the user can ls & view all the files&directories under / but cannot perform any other operation under the directories and files rather than /home

I think the solution is half acheived
but needed to restrict the view of certain directories under /

Sound like a crazy idea!!!. but badly needed to implement this.

redfox2807 11-06-2013 10:21 AM

Quote:

Isn't there any options using ACL? or combining two ore more ideas like chrooting,ACL,SSH chrooting, sudo powers etc? There is no issues on accessing the essential directories under / but the developer should not have the ability to edit those files&directories.
From what I've read this sounds more like what AppArmor/SELinux are intended for. Though I never tried to use them myself.

Quote:

but the developer should not have the ability to edit those files&directories.
That's how it is by default. An unprivileged user can view system files and dirs, but can't write into it:
Code:

andrew@P8P67-Lin:~$ rm -f /etc/fstab
rm: cannot remove ‘/etc/fstab’: Permission denied
andrew@P8P67-Lin:~$

andrew@P8P67-Lin:~$ ls -l /
total 124
drwxr-xr-x  2 root root  4096 Nov  4 13:59 bin
drwxr-xr-x  4 root root  4096 Nov  4 14:00 boot
drwxr-xr-x  2 root root  4096 Jun 18  2011 cdrom
drwxr-xr-x  17 root root  4580 Nov  6  2013 dev
drwxr-xr-x 167 root root 12288 Nov  6 19:09 etc
drwxr-xr-x  4 root root  4096 Oct 13  2011 home

Being able to cd into a directory means a user can execute the directory. To list files in the directory the user must have read access. I have no write access so the system didn't let me delete /etc/fstab.

suicidaleggroll 11-06-2013 11:32 AM

Stick them in a chroot jail and loopback mount /home into it.

Quote:

Originally Posted by redfox2807 (Post 5059341)
As far as I know chroot still has to have /etc /dev /lib and so on. So it's not exactly what is desired. Am I right?

A chroot jail only needs what is actually needed for a user to log in and use the system. The only files in /etc /dev /lib are those that are critical in order for them to log in (without those files, they wouldn't be able to log in at all). They're also copies of the system files, not the systems files themselves, so if the user did somehow manage to bork them, they'd only lock out themselves, the rest of the system would be unaffected. IE: what the user sees as /etc/password, is really /path/to/chroot/jail/etc/password. They can screw up the jail environment all they want (within the permissions you set, at least), but they're just hurting themselves.


All times are GMT -5. The time now is 01:02 PM.