Limiting local users to their home directory.
I consider myself a newbie to Linux; I have been using this OS for just two weeks. I found it interesting, although it was quite hard learning this system. I would say it is a good alternative to Windows anyway.
Maybe this concern has been asked so many times here... but unfortunately I have searched forums including this one and haven't found any solution... sorry for that, I might have entered the wrong keyword... but anyway I hope someone out there could help. I have noticed that when local users log in to the system, if they enter the command "cd .." they can easily access these directories "/usr, /etc, /bin... and others". Although it's read-only, I just want these users to not even set eyes on its configuration, well, of course, for nothing else but security reasons. I have done this in "vsftpd" using the chroot_local_users key... and got the idea that I could set the same for local users, and of course I know it will also apply to those accessing this system remotely using SSH. Is it possible? I hope somebody would give me input on this... thank you very much in advance. Long live the Linux users! :)
This is possible by using rbash, then setting the PATH env to whatever dir you want the user chrooted to.
There are basically three generic ways to provide chroot or chroot-like functions: using PAM, using "rbash" (bash -r) like PhoeniXflame offered, and using a chroot. Then there are ACLs (Grsecurity/LIDS, not the bestbits.at stuff) which can help restrict processes from accessing data, aid in building stronger chroots and allow you to deny users access to binaries outside the $PATH. Docs about most of these you can find in the 1st sticky thread of this forum.
Apart from OpenSSH's own safety-enhancing features, there is a chroot patch available. If you want to minimize user interaction with the system you can also set up accounts to only use scp or sftp with a shell like rssh or scp-only.
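The rbash approach PhoeniXflame and unSpawn describe, as an added shell example that is not from either poster: it builds an allow-list command directory for the restricted user's PATH and checks that the restrictions actually hold. It assumes bash is installed and uses a constructed temporary directory rather than a real account; the user name, paths and command list are placeholders.

```shell
#!/bin/sh
# Added example: set up an allow-list command directory for a restricted bash
# (bash -r, a.k.a. rbash) user and verify the restrictions hold. Runs as an
# unprivileged user against a constructed temp dir, not a real account.
BASH_BIN=$(command -v bash) || { echo "bash not found" >&2; exit 1; }
RBIN="$(mktemp -d)/rbin"   # constructed; a real setup would use e.g. /home/USER/bin

# Fill the restricted user's only PATH entry with symlinks to the few commands
# they may run. Keep the list to simple, non-interactive tools: anything that can
# launch another program (editors, pagers, bash itself) defeats the restriction.
setup_rbin() {
    mkdir -p "$RBIN"
    for cmd in ls cat id; do
        real=$(command -v "$cmd") || return 1
        ln -sf "$real" "$RBIN/$cmd"
    done
}

# Run one command line in a restricted shell whose PATH is only $RBIN.
# Returns the shell's exit status: 0 if accepted, non-zero if refused.
run_restricted() {
    env -i PATH="$RBIN" HOME="$RBIN" "$BASH_BIN" -r -c "$1" >/dev/null 2>&1
}

# Each check succeeds (returns 0) when rbash behaves as intended.
check_cd_blocked()       { ! run_restricted 'cd /etc'; }           # cd is disabled
check_path_readonly()    { ! run_restricted 'PATH=/usr/bin'; }     # PATH cannot be widened
check_abs_path_blocked() { ! run_restricted '/bin/ls /etc'; }      # no '/' in command names
check_redirect_blocked() { ! run_restricted 'echo x > /tmp/out'; } # no output redirection
check_allowed_works()    { run_restricted 'ls'; }                  # allow-listed command runs

setup_rbin

# To apply this to a real account (run as root; USER is a placeholder, and rbash
# may live under /usr/bin on some distributions):
#   usermod -s /bin/rbash USER
#   printf 'PATH=$HOME/bin\nexport PATH\n' > /home/USER/.bash_profile
#   chown root:root /home/USER/.bash_profile && chmod 644 /home/USER/.bash_profile
# rbash applies its restrictions only after reading .bash_profile, so that file
# must not be writable by USER, or any directory could be put back on PATH.
```

Note that this constrains only the shell itself: an allow-listed `cat` can still be given `/etc/passwd` as an argument, so for the original goal of keeping /etc and /usr out of sight a real chroot or the sftp-only setups unSpawn mentions are needed.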
But at the end of the day... should you REALLY be offering shells to people who you don't trust in the first place? ;)
At least I realize now that this is possible, although I have to read more about it based on what you have said, people; we'll get into that later. For now, I have to get into some more important features of this system.
Perhaps my system is not really as exposed, am I right? And thanks anyway for your time, phoeniXflame and unspawn! Long live! ;)