LinuxQuestions.org


beatlelane 09-07-2003 12:20 AM

Limiting local users to their home directory.
 
I consider myself a newbie to Linux; I have been using this OS for just two weeks. I found it interesting, although it was quite hard learning this system. I would say it is a good alternative to Windows anyway.

Maybe this concern has been asked so many times here... but unfortunately I have searched forums, including this one, and haven't found any solution. Sorry for that, I might have entered the wrong keyword... but anyway, I hope someone out there can help.

I have noticed that when local users log in to the system, if they enter the command "cd .." they can easily access these directories: "/usr, etc, bin ... and others". Although it's read-only, I just want these users not to even set eyes on its configuration; well, of course, for nothing else but security reasons.

I have done this in the "vsftpd" service using the chroot_local_users key... and got the idea that I could set the same for local users, and of course I know it will also be applied to those accessing this system remotely using SSH.

Is it possible?

I hope somebody can give me input on this... thank you very much in advance.

Long live Linux users! :)

phoeniXflame 09-07-2003 06:13 AM

This is possible by using rbash, then setting the PATH env to whatever dir you want the user chrooted to.

unSpawn 09-07-2003 11:04 AM

There are basically three generic ways to provide chroot or chroot-like functions: using PAM, using "rbash" (bash -r) like phoeniXflame offered, and using a chroot. Then there are ACLs (Grsecurity/LIDS, not the bestbits.at stuff), which can help restrict processes from accessing data, aid in building stronger chroots and allow you to deny users access to binaries outside the $PATH. Docs about most of these you can find in the 1st sticky thread of this forum.

Apart from OpenSSH's own safety-enhancing features, there is a chroot patch available. If you want to minimize user interaction with the system you can also set up accounts to only use scp or sftp with a shell like rssh or scp-only.
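
An added example, not part of any post in this thread: a shell script that probes what the restricted bash mentioned above (rbash, "bash -r") blocks and what it still lets through. The helper names make_allowed_bin and probe, the temp-directory layout and the probed command lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: probe the limits of bash restricted mode (bash -r / rbash).
# Everything is built under a temp dir (constructed for the demo);
# no account or system file is touched.

BASH_BIN=$(command -v bash)   # absolute path, since PATH is replaced below

# Build a directory holding only the commands the user may run (here: ls).
make_allowed_bin() {
    dir=$(mktemp -d) || return 1
    ln -s "$(command -v ls)" "$dir/ls"
    printf '%s\n' "$dir"
}

# probe ALLOWED_BIN 'command line'
# Runs the command line in a restricted shell whose PATH is only ALLOWED_BIN
# and prints "blocked" or "allowed" according to the exit status.
probe() {
    allowed_bin=$1
    if env -i PATH="$allowed_bin" HOME="$allowed_bin" \
        "$BASH_BIN" --noprofile --norc -r -c "$2" >/dev/null 2>&1
    then
        echo allowed
    else
        echo blocked
    fi
}

# Demo: the cases raised in the thread, plus the gap a restricted shell leaves.
bin=$(make_allowed_bin)
for cmd in \
    'cd ..' \
    'PATH=/bin:/usr/bin' \
    '/bin/ls' \
    'echo x > /tmp/rbash-demo.out' \
    'ls /'
do
    printf '%-32s %s\n' "$cmd" "$(probe "$bin" "$cmd")"
done
rm -rf "$bin"
```

The restricted shell refuses "cd ..", PATH changes, command names containing a slash and output redirection, but "ls /" still succeeds: any permitted command can read whatever file permissions allow. Hiding the rest of the filesystem therefore needs a chroot or the ACL approaches listed above, not rbash alone.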

phoeniXflame 09-07-2003 12:30 PM

But at the end of the day... should you REALLY be offering shells to people who you don't trust in the first place? ;)

beatlelane 09-08-2003 12:00 AM

At least I realize now that this is possible, although I have to read more info about it based on what you people have said; we'll get into that later. For now, I have to get to some more important features of this system.

Perhaps my system is not really as exposed, am I right?

And thanks anyway for your time, phoeniXflame and unSpawn! Long live!
;)

