Limiting User Access
I have a user on my system. What I want to do to that user is limit his read access to his home directory and three other directories, with write access only to his home directory.
How would I go about doing this, because I have no idea? Thanks. |
I don't think you can have write access without read access if that is what you are asking, but read 'man chmod' that should do what you are asking
|
It sounds like you want a chroot jail (also called a sandbox).
This is usually accomplished by placing all the directories to be accessable in one directory, then forcing the user into that directory using the chroot command. mkdir /sandbox /sandbox/bin /sandbox/lib /sandbox/home/user ... # Give the user ownership (or just write access to this director) chown user /sandbox/home/user # Give users access to common bin and lib files # will probably also need /usr/lib, If you want to limit commands, just # copy those you want them to be able to user. cp -rp /bin /sandbox/bin cp -rp /lib /sandbox/lib cp -rp /usr/bin /sandbox/usr/bin cp -rp /usr/lib /sandbox/usr/lib # Note, You will have to "allow this user" to run change root chroot /sandbox /bin/bash # If you want the user to be able to access live directories # other users are creating file in, look at mount --bind /somedir /sandbox/somedir |
Set the other directories' permissions so that the "other" users (you can set permissions to "owner user", "owner group" and "others") don't have any permissions (especially not read) on them, and that's done. Then only the directory owners, or users who belong to a group who has permissions to read the directory, can read it (same goes for write/execute). Then if you want that user to have access to some other directories, you can either set their "other" permissions suitable, or if that's not possible (like it typically isn't, because that would mean allowing anybody read them), add the user to a group that has read permissions on that directory.
In other words: basically there are three levels of permissions on every file (directory too) on the system: u (owner user), g (group) and o (other users). Each of these can be set permissions of r (read), w (write) and x (execute). In addition there are some other bits you can set, like suid bit (set user id), but they're not relevant now - read a good book or articles on the web about them if you like to know more (you can read about user permissions as well). Any user on the system is either an owner of a file (affected by 'u'), belongs to a group that has permissions set for a file (affected by 'g') or is "just another user" (affected by 'o'). Combining these you can get different users different sorts of access to files (including directories). You can set ownerships either graphically (right-click, select Properties) or using commands chown (ownership change), chgrp (group-ownership change) and chmod (permissions change). For example Code:
chown julia /home/julia Code:
ls -ld /home/julia You can change permissions with chmod like this: Code:
chmod o+rwx /home/julia You can also use numbers to represent the permissions, which makes it shorter if you remember them (or calcaulate them very quickly in your head); instead of nine letters you can use three digits to set full permissions (user/group/others) on a file, for example Code:
chmod 700 /home/julia Code:
chmod u+rwx,g-rwx,o-rwx Just a note: you need to allow read access to some system directories, like bin/ directories, or otherwise let the user access certain programs or otherwise the user can't do anything, maybe even log in (it depends) :) With chroot (mentioned in the above post) you can change what the user "sees" as the root directory, but be aware: it's not bullet-proof, there are several ways to get around it and hands on the real root directory. |
Actually, there might be another way: Access Control Lists (ACLs).
If your Linux distro supports them (as most now do), ACLs allow you to define more fine-grained permissions than the usual "rwx" system allows. There are other choices. Some enterprising soul has ported the NetWare "trustee" concept to Linux. A good general topic to Google on is role-based security; ditto policy-based security. Another one is hardened Linux. |
All times are GMT -5. The time now is 09:52 PM. |