LinuxQuestions.org
Old 04-04-2007, 11:16 PM   #1
General
Member
 
Registered: Aug 2005
Distribution: Debian 7
Posts: 526

Rep: Reputation: 31
Constrain user to /home/username directory


Is there some way to set up a user account such that all directories besides those within their home directory are invisible and non-navigable from all apps? (Symlinks will still give access to the removable drives.) Preferably, the user should "feel" as if their home directory is all there is on the computer.
 
Old 04-05-2007, 12:27 AM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
Is this Apache & PHP? And will the same restrictions apply to all users? Google/look into 'chroot jail' and PHP's 'open_basedir()' restriction. If it's not Apache, or this doesn't help, sorry.
 
Old 04-05-2007, 01:01 AM   #3
omnio
Member
 
Registered: Feb 2007
Location: $HOME
Distribution: Hardened Gentoo
Posts: 66
Blog Entries: 1

Rep: Reputation: 16
Try this:
http://olivier.sessink.nl/jailkit/index.html
 
Old 04-05-2007, 01:52 AM   #4
Zention
Member
 
Registered: Mar 2007
Posts: 119

Rep: Reputation: 16
Problem is you have to allow access (x) to system directories.

You can remove the read if you like unless an application uses readdir() in its code and needs to read that directory.

/tmp /var are used by applications to write temporary or variable data, /etc is used to read system-wide config details.

You could block out /sbin, /usr/sbin, /boot but they are about the only ones you can do, and /sbin and /usr/sbin can contain binaries a user may wish to use, so more often you find a lot of programs are open to all users.

Now you could chroot but then you will have to make that jail and populate it with /bin /etc etc

Have a look at the FHS and you will see why it is that way.

SELinux though and ACLs may help you more though in fine-tuning your system. You don't mention your reason though so we are all shooting a bit blind here.
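The chroot route in posts #2 to #4 means building the jail and populating it with the programs and directories the user needs. The script below is an added example, not part of the original thread and not Jailkit's code; the function names and the jail path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: populate a chroot jail with programs and the shared
# libraries they load. Function names are hypothetical, not from Jailkit.

# Print the absolute paths of the shared objects a binary loads.
# Only run ldd on trusted system binaries: ldd may execute the file it inspects.
jail_deps() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u
}

# Copy one file into the jail under the same absolute path.
# cp -L follows symlinks so the jail holds real files, not dangling links.
jail_copy() {
    jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")" &&
        cp -L "$src" "$jail$src"
}

# jail_populate JAIL PROGRAM...
jail_populate() {
    jail=$1; shift
    # Directories post #4 names: applications expect /etc, /var and /tmp.
    mkdir -p "$jail/etc" "$jail/var" "$jail/tmp" || return 1
    chmod 1777 "$jail/tmp"
    for prog in "$@"; do
        [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 1; }
        jail_copy "$jail" "$prog" || return 1
        for lib in $(jail_deps "$prog"); do
            [ -e "$jail$lib" ] || jail_copy "$jail" "$lib" || return 1
        done
    done
}

# Print every library a jailed program needs that is absent from the jail.
jail_missing() {
    jail=$1; shift
    for prog in "$@"; do
        for lib in $(jail_deps "$prog"); do
            [ -e "$jail$lib" ] || echo "$lib"
        done
    done
}
```

Build the jail as root in a root-owned directory the jailed user cannot write to, then enter it with `chroot JAIL /bin/sh`; an empty result from `jail_missing` means every library `ldd` reports for the listed programs is present in the jail.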
 
  

