LinuxQuestions.org
Old 09-07-2003, 12:20 AM   #1
beatlelane
Member
 
Registered: Jun 2003
Location: Manila
Distribution: Bayanihan+RH9+FC1
Posts: 68

Rep: Reputation: 15
Limiting local users to their home directory.


I consider myself a newbie to Linux, having started using this OS just two weeks ago. I found it interesting, although it was quite hard learning this system; I would say it is a good alternative to Windows anyway.

Maybe this concern has been asked many times here... but unfortunately I have searched forums, including this one, and haven't found any solution... sorry for that, I might have entered the wrong keyword... but anyway I hope someone out there can help.

I have noticed that when local users log in to the system, if they enter the command “cd ..” they can easily access these directories “ /usr, etc, bin …and others”. Although it's read-only, I just want these users not to even set eyes on its configuration; well, of course, for nothing else but security reasons.

I have done this in the “vsftpd” service using the chroot_local_users key… and got the idea that I could set the same for local users, and of course I know it will also be applied to those accessing this system remotely using SSH.

Is it possible?

I hope somebody will give me input on this… thank you very much in advance.

LONG LIVE LINUX USERS!
 
Old 09-07-2003, 06:13 AM   #2
phoeniXflame
Member
 
Registered: Feb 2003
Location: Somewhere, UK
Distribution: Slack, OpenBSD, Debian, SuSE
Posts: 189

Rep: Reputation: 30
This is possible by using rbash, then setting the PATH env to whatever dir you want the user chrooted to.
 
Old 09-07-2003, 11:04 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
There are basically three generic ways to provide chroot or chroot-like functions: using PAM, using "rbash" (bash -r) like PhoeniXflame offered, and using a chroot. Then there are ACLs (Grsecurity/LIDS, not the bestbits.at stuff), which can help restrict processes from accessing data, aid in building stronger chroots and allow you to deny users access to binaries outside the $PATH. Docs about most of these you can find in the 1st sticky thread of this forum.

Apart from OpenSSH's own safety-enhancing features, there is a chroot patch available. If you want to minimize user interaction with the system you can also set up accounts to only use scp or sftp with a shell like rssh or scp-only.
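
An added example, not part of the original posts: one way to lay out the rbash option mentioned in this thread, with an allow-listed `bin` directory and a pinned `PATH`, plus a check that the layout cannot be undone by the user. The function names `build_rbash_home` and `audit_rbash_home` and the allow-list are hypothetical, and the account is assumed to get rbash (bash invoked as `rbash` or with `-r`) as its login shell separately.

```shell
#!/bin/sh
# Added example; function names and the allow-list are illustrative.

# build_rbash_home HOME_DIR CMD...
# Populate HOME_DIR/bin with symlinks to the allowed commands only and
# write a profile that pins PATH to that directory.
build_rbash_home() {
    home=$1; shift
    mkdir -p "$home/bin" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "skip: $cmd not found" >&2; continue; }
        case $target in
            /*) ln -sf "$target" "$home/bin/$cmd" ;;
            *)  echo "skip: $cmd is not an external command" >&2 ;;
        esac
    done
    # bash applies the restrictions after reading startup files, so the
    # profile is where PATH gets pinned before the user has control.
    rm -f "$home/.bash_profile"
    printf 'PATH=$HOME/bin\nexport PATH\nreadonly PATH\n' > "$home/.bash_profile"
    chmod 755 "$home" "$home/bin"
    chmod 444 "$home/.bash_profile"
    # If the user owns HOME_DIR they can replace the profile, so hand the
    # tree to root when we are able to.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$home" "$home/bin" "$home/.bash_profile"
    fi
}

# audit_rbash_home HOME_DIR
# Non-zero if group/other can write the layout or a shell is allow-listed.
audit_rbash_home() {
    home=$1; rc=0
    for f in "$home" "$home/bin" "$home/.bash_profile"; do
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable by group/other: $f" >&2; rc=1
        fi
    done
    for link in "$home"/bin/*; do
        [ -e "$link" ] || continue
        for name in "$(basename "$link")" "$(basename "$(readlink -f "$link")")"; do
            case $name in
                sh|bash|dash|zsh|ksh|csh|tcsh) echo "shell allow-listed: $link" >&2; rc=1 ;;
            esac
        done
    done
    return $rc
}
```

rbash refuses `cd`, changes to `PATH` and command names containing a slash, but an allow-listed command can still be given a path outside the home directory as an argument. Keeping users from seeing the rest of the filesystem is what the chroot-based options listed in the post above are for.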
 
Old 09-07-2003, 12:30 PM   #4
phoeniXflame
Member
 
Registered: Feb 2003
Location: Somewhere, UK
Distribution: Slack, OpenBSD, Debian, SuSE
Posts: 189

Rep: Reputation: 30
But at the end of the day ... should you REALLY be offering shells to people who you don't trust in the first place?
 
Old 09-08-2003, 12:00 AM   #5
beatlelane
Member
 
Registered: Jun 2003
Location: Manila
Distribution: Bayanihan+RH9+FC1
Posts: 68

Original Poster
Rep: Reputation: 15
At least I realize now that this concern is possible, although I have to read more info about this based on what you people have said; we’ll get into that later. For now, I have to get to some more important features of this system.

Perhaps my system is not really as exposed, am I right?

And thanks anyway for your time phoeniXflame and unspawn! Long live!
 
  

