LinuxQuestions.org

Pengoo 06-05-2009 01:41 PM

Securing folders
 
I must say thanks to all who help us noobs, you've helped me a lot in these past days, yet I'll probably be a noob for some time :-p

I've searched the net (always do before asking) and I guess it must be a common knowledge thing as it's not very well documented.

If I create, say, a user named bob, and he logs in via ssh, he can browse around and view directory structures and contents, but can't execute anything or modify anything, correct?

If not, how can I remove all their abilities?

I'm using ssh as a tunnel, so all they need to do is connect, rest is taken care of.

So if all they can do is look around, is there any way to limit them to their directory and root, so can only dir root and see folders for system, but not enter?

Thanks a stack !!!

TB0ne 06-05-2009 02:18 PM

This is a common permissions thing you're asking about. And all of it is documented clearly, but it's hard to put your finger on which piece to look at when you're new... :)

If you create a user bob, bob will be a member of a group too (let's say "users"). You can be a member of multiple groups, too, but for now, let's stay with one.

If bob creates a file, and you look at it ("ls -l" will show the 'long' listing, showing permissions), you'll see something like this:
Code:

-rwxrw-r-- 1 bob users        31 2009-06-02 15:00 file.txt

The "rwxrw-r--" are the permissions. They stand for (r)ead, (w)rite, e(x)ecute, in groups of three. The first three are for the user (or owner), the second three are for the group, the third is for others (or global). In the case of the file above, the user bob (the file's owner) is allowed to read, write, and execute. Any member of the group "users" is allowed to read and write it, but NOT execute it. Anyone else can just read it. The permissions also have numerical values assigned to them... 4 for read, 2 for write, and 1 for execute. So to set the file as above, you can run "chmod 764 file.txt". Want everyone to be able to do everything? That's 777. Read only for everyone? 444... take a look at the chmod and chown command man pages for more on that.

Now the SSH thing...you can also do something called a CHROOT 'jail'. That means that a user that logs in will see their home directory as "/". So naturally, they can't go 'up' a level, since the system says they're already there. They can then only see what's in their home directory. But a 'normal' user can enter the system directories (like /bin, /sbin, etc.), but can't change things there. And the commands that need root privs to run still won't....
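
Added example (not part of TB0ne's post): a POSIX shell sketch of the permission arithmetic described above, converting the `ls -l` characters to the octal number `chmod` takes and deciding which of the three classes applies to a user. The function names are made up for this example, and `allowed` assumes a user in a single group and ignores root and special bits, as the post does.

```sh
#!/bin/sh
# Convert the nine permission characters from "ls -l" (e.g. rwxrw-r--)
# into the octal form chmod takes (764). Plain rwx bits only.
sym_to_octal() {
    sym=$1; out=""
    [ "${#sym}" -eq 9 ] || return 1
    while [ -n "$sym" ]; do
        triplet=$(printf '%s' "$sym" | cut -c1-3)
        sym=$(printf '%s' "$sym" | cut -c4-)
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# Pick the class that applies (owner first, then group, then other) and
# test it. Usage: allowed USER USER_GROUP OWNER GROUP PERMS r|w|x
allowed() {
    user=$1; ugroup=$2; owner=$3; group=$4; perms=$5; want=$6
    if [ "$user" = "$owner" ]; then cols=1-3
    elif [ "$ugroup" = "$group" ]; then cols=4-6
    else cols=7-9
    fi
    case $(printf '%s' "$perms" | cut -c"$cols") in
        *"$want"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the permission characters of a real file back from "ls -l".
file_sym() { ls -ld -- "$1" | cut -c2-10; }

# Create a scratch file, apply the mode from the post, and read it back.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/file.txt"
    chmod 764 "$dir/file.txt"
    seen=$(file_sym "$dir/file.txt")
    rm -rf "$dir"
    printf '%s %s\n' "$seen" "$(sym_to_octal "$seen")"
}

demo
```
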

Pengoo 06-09-2009 02:42 PM

CHROOT Jail was the clincher, thanks TB0ne!!!

http://www.howtoforge.com/chroot_ssh...debian_etch_p2

For all those wanting to secure their systems.


All times are GMT -5.