Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Is there some way to setup a user account, such that all directories, besides those within their home directory are invisible and non-navigable from all apps? (symlinks will still give access to the removable drives) Preferred, the user should "feel" as if their home directory is all there is on the computer.
Is this Apache & php ? And will the same restrictions apply to all users? Google/look into 'chroot jail' and php's 'open_basedir()' restriction. If it's not Apache, or this doesn't help, sorry
Problem is you have to allow access (x) to system directories.
You can remove the read if you like unless an application uses readir() in its code and needs to read that directory.
/tmp /var are used by applications to write temporary or variable data, /etc is used to read system wide config details.
You could block out /sbin, /usr/sbin, /boot but they are about the only ones you can do, and /sbin and /usr/sbin can contain binaries a user may wish to use, so more often you find a lot of programs are open to all users.
Now you could chroot but then you will have to make that jail and populate it with /bin /etc etc
Have a look at the FHS and you will see why it is that way.
SELinux though and ACLs may help you more though in fine tuning your system. You don't mention your reason though so we are all shooting a bit blind here.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
