LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-16-2006, 02:01 AM   #1
sharma.kashyap
Member
 
Registered: Apr 2006
Posts: 41

Rep: Reputation: 15
Giving permissions


Sir, I am using RHEL 4. I want some of my Windows users to log into my system through WinSCP and just access the Apache root directory.

So I created one new user for them, and gave them access to the Apache root dir with the chown command.

Now they can write and execute in that dir.

Now I want that they should not be able to cd into any other dir except that root dir of Apache. My question is:

How can I give permissions so that they can't cd to any other dir except /var/www/html?

I have created a user with the name javanew, with a password.

Then I gave the command

chown -R javanew.javanew /var/www/html

but after this they can move up into any dir by going up in WinSCP, like the etc dir, bin dir ..... and I want to restrict that.

Kindly help me.
 
Old 09-16-2006, 02:37 AM   #2
zhangmaike
Member
 
Registered: Oct 2004
Distribution: Slackware
Posts: 376

Rep: Reputation: 31
As you may already know, the execute bit is what allows a user to cd into a directory. Remove the execute permission for others from all directories except /var/www/html (but leaving execute bits set for owner user and group). Then, only those that own the respective directories will be able to cd into them. That would be quick and easy.

You'll need to be careful not to remove the execute bits from files which aren't directories, though.
 
Old 09-16-2006, 02:57 AM   #3
sharma.kashyap
Member
 
Registered: Apr 2006
Posts: 41

Original Poster
Rep: Reputation: 15
Thanks

Sir, thanks for your concern. You have given me the idea of the solution, but still think: it would be feasible to give permission to each dir... it would consume more time, as there are too many dirs in the filesystem and I also have to be careful about files.

Is there any way that in a single command the permissions of all dirs would be changed except /var/www/html?

I am also looking for this and searching for the solution over the internet and trying commands myself, but I can't take so much risk with my system.

Thank you once again for your concern.
 
Old 09-16-2006, 03:31 AM   #4
zhangmaike
Member
 
Registered: Oct 2004
Distribution: Slackware
Posts: 376

Rep: Reputation: 31
First, a WARNING:

If you try this, other local users on your system will not be able to read files or run programs in directories that they do not somehow own (as the owner user or as a member of the owner group). The most obvious potential problem is with the critical programs in /bin, /usr/bin, and so on. If the user can't even run his login shell, the only user that will be able to log in is root. Users will have to be added to these groups. You may even have to create groups for the directories currently owned by the root group, since it's usually a bad idea to add normal users to the root group.

There may be better, less drastic ways of doing this. A chroot jail would be one. Before you attempt this sort of large change to your system, I'd suggest at least googling for chroot jail to see if that is what you're looking for.

You may even want to ask in another LinuxQuestions forum, to see if others believe this is a Good Idea (others may have better insight than I).


Now, for the answer:

Single command to remove execute permissions from all directories which are not /var/www/html and are not within /var/www/html:
Code:
find / -path "/var/www/html" -prune -o \( -type d -exec ls -ld "{}" \; -exec chmod o-x "{}" \; \) > previous_permissions
That needs to be run as root (of course). In case anything goes wrong, the last few arguments to find instruct it to print the current permissions of the file it's going to change with ls before it actually changes them with chmod. Since all this output will be saved in the file "previous_permissions", there is a backup plan if something unanticipated goes wrong (you can restore the original permissions). Restoring those permissions by hand will be a major pain, though. Think this over before you try it.

I've tested that command on my system within a test directory, and I believe it will work... but if something does go wrong, refer back to that file.

The logic of the command is:

For each file in /

    if the file is or is within /var/www/html, continue with the next file
    otherwise:
        if the file is a directory:
            print the current permissions
            remove execute permissions from other users

and put all output in the file "previous_permissions".

Good luck, and be careful when typing that command if you decide to use it. There is a great potential for problems if you aren't careful with this.

Last edited by zhangmaike; 09-16-2006 at 03:35 AM.
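
The traversal from the post above, run on a throwaway tree instead of /, as an added example that is not part of the original post. The helper names are hypothetical; it assumes a `stat` that supports `-c` and paths without newlines. It records modes in a form that can be replayed and lists the parent directories of the kept directory that lose search permission for other users.

```shell
#!/bin/sh
# Added example, not from the thread; helper names are hypothetical.
# Assumes a stat that supports -c and paths without newlines.

# save_dir_modes ROOT KEEP OUT: write "octal-mode path" for every directory
# under ROOT, skipping KEEP and everything below it.
save_dir_modes() {
    find "$1" -path "$2" -prune -o -type d -exec stat -c '%a %n' {} + > "$3"
}

# strip_other_x ROOT KEEP: same traversal and chmod as the command in the post.
strip_other_x() {
    find "$1" -path "$2" -prune -o -type d -exec chmod o-x {} +
}

# restore_dir_modes FILE: replay the modes recorded by save_dir_modes.
restore_dir_modes() {
    while read -r mode path; do
        chmod "$mode" "$path"
    done < "$1"
}

# blocked_ancestors ROOT KEEP: print each directory from KEEP's parent up to
# ROOT that lacks execute (search) permission for "other". Search permission
# is needed on every path component to reach KEEP.
blocked_ancestors() {
    d=$(dirname "$2")
    while :; do
        case $(stat -c '%A' "$d") in *x|*t) ;; *) echo "$d" ;; esac
        if [ "$d" = "$1" ] || [ "$d" = / ]; then break; fi
        d=$(dirname "$d")
    done
}

# build_sample_tree: constructed stand-in for /, all directories mode 755.
# Prints the temporary directory that holds it.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/fs/var/www/html/site" "$t/fs/etc" "$t/fs/bin"
    find "$t/fs" -type d -exec chmod 755 {} +
    echo "$t"
}
```

On the sample tree, `blocked_ancestors` reports `fs/var/www`, `fs/var` and `fs` after `strip_other_x`: the prune protects only the kept directory and its contents, not the directories leading to it, so a user who is neither owner nor group member of those parents can no longer reach the kept directory.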
 
Old 09-16-2006, 06:26 AM   #5
sharma.kashyap
Member
 
Registered: Apr 2006
Posts: 41

Original Poster
Rep: Reputation: 15
Sir, thank you very much for your help. I was even thinking of making some script for that. Now you have given me the solution. I will be careful working with it.
Thank you.
 
  

