Old 05-04-2008, 08:28 AM   #1
Registered: Sep 2003
Location: Iceland
Distribution: Debian Lenny - Kernel
Posts: 331

Rep: Reputation: 30
Limiting User Access

I have a user on my system. What I want to do to that user is limit his read access to his home directory and three other directories, with write access only to his home directory.

How would I go about doing this, because I have no idea?

Old 05-04-2008, 08:49 AM   #2
Registered: Feb 2006
Posts: 30

Rep: Reputation: 2
I don't think you can have write access without read access, if that is what you are asking, but read 'man chmod'; that should do what you are asking.
Old 05-04-2008, 08:54 AM   #3
Registered: Mar 2008
Posts: 73

Rep: Reputation: 16
It sounds like you want a chroot jail (also called a sandbox).

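This is usually accomplished by placing all the directories
to be accessible in one directory, then forcing the
user into that directory using the chroot command.

# -p creates the parent directories (/sandbox, /sandbox/usr, /sandbox/home) as needed
mkdir -p /sandbox/bin /sandbox/lib /sandbox/usr/bin /sandbox/usr/lib /sandbox/home/user
# ... plus any other directories you need

# Give the user ownership (or just write access to this directory)
chown user /sandbox/home/user

# Give users access to common bin and lib files.
# Will probably also need /usr/lib. If you want to limit commands, just
# copy those you want them to be able to use.

# The trailing "/." copies the contents into the existing target directory
# instead of creating /sandbox/bin/bin, /sandbox/lib/lib, and so on.
cp -rp /bin/. /sandbox/bin/
cp -rp /lib/. /sandbox/lib/
cp -rp /usr/bin/. /sandbox/usr/bin/
cp -rp /usr/lib/. /sandbox/usr/lib/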

# Note, You will have to "allow this user" to run change root
chroot /sandbox /bin/bash

# If you want the user to be able to access live directories
# other users are creating files in, look at
mount --bind /somedir /sandbox/somedir
Old 05-04-2008, 09:08 AM   #4
LQ Guru
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Set the other directories' permissions so that the "other" users (you can set permissions to "owner user", "owner group" and "others") don't have any permissions (especially not read) on them, and that's done. Then only the directory owners, or users who belong to a group that has permissions to read the directory, can read it (same goes for write/execute). Then if you want that user to have access to some other directories, you can either set their "other" permissions suitably, or if that's not possible (like it typically isn't, because that would mean allowing anybody to read them), add the user to a group that has read permissions on that directory.

In other words: basically there are three levels of permissions on every file (directory too) on the system: u (owner user), g (group) and o (other users). Each of these can be set permissions of r (read), w (write) and x (execute). In addition there are some other bits you can set, like suid bit (set user id), but they're not relevant now - read a good book or articles on the web about them if you like to know more (you can read about user permissions as well).

Any user on the system is either an owner of a file (affected by 'u'), belongs to a group that has permissions set for a file (affected by 'g') or is "just another user" (affected by 'o'). Combining these you can get different users different sorts of access to files (including directories). You can set ownerships either graphically (right-click, select Properties) or using commands chown (ownership change), chgrp (group-ownership change) and chmod (permissions change). For example
chown julia /home/julia
Would set user "julia" the owner of /home/julia. Then if you did
ls -ld /home/julia
you would see the permissions of that file (directory), for example drwxr-xr-- (or if it was a regular file and not a directory, -rwxr-xr--; note the 'd' in the beginning noting it's a directory). There's, if you don't mind the first letter, nine letters that tell the permissions of that file - three first for the owner user, three in the middle for the group and the last three for all other users (for all there are read, write and execute permissions, or a dash '-' if there is no permission for that). 'rwx' in the beginning means that the owner user has read, write and execute access for that file (directory); 'r-x' in the middle means that users who belong to the group that this file belongs to have read and execute permissions, but no write (there's a dash where there could be 'w'). And in the end, 'r--' means all other users have read permissions, but no write nor execute permissions for that file.

You can change permissions with chmod like this:
chmod u+rwx /home/julia
chmod g+w /home/julia
chmod o-r /home/julia
First command would add read, write and execute permissions for the owner of /home/julia. Second would add write permission for the group for that file (affecting all users who belong to that group), and the last would remove read permissions from other users for that file. Simple.

You can also use numbers to represent the permissions, which makes it shorter if you remember them (or calculate them very quickly in your head); instead of nine letters you can use three digits to set full permissions (user/group/others) on a file, for example
chmod 700 /home/julia
means the same as
chmod u+rwx,g-rwx,o-rwx /home/julia
The numbers are actually a binary presentation of the permissions; zero means "---", seven "rwx". So one number sets all three permissions for one of the user, group or others.

Just a note: you need to allow read access to some system directories, like bin/ directories, or otherwise let the user access certain programs; otherwise the user can't do anything, maybe not even log in (it depends). With chroot (mentioned in the above post) you can change what the user "sees" as the root directory, but be aware: it's not bullet-proof; there are several ways to get around it and get hands on the real root directory.

Last edited by b0uncer; 05-04-2008 at 09:11 AM.
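A check for the advice in the post above, as an added example that is not part of the original post: it reads the last octal digit of each directory's mode and reports whether "other" users still have any access. The function names and the temporary demo directories are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (-c '%a').

# Print the "other" triplet of a path as letters, e.g. "r-x" or "---".
other_perms() {
    mode=$(stat -c '%a' "$1") || return 2    # octal mode, e.g. 750
    o=${mode#"${mode%?}"}                    # last digit = "other" class
    out=""
    # Each octal digit is three bits: 4 = read, 2 = write, 1 = execute.
    if [ $((o & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((o & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((o & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s\n' "$out"
}

# One line per path: OK when others have no access, OPEN otherwise.
audit_others() {
    for p in "$@"; do
        perms=$(other_perms "$p") || { printf 'ERROR %s\n' "$p"; continue; }
        if [ "$perms" = "---" ]; then
            printf 'OK   %s %s\n' "$perms" "$p"
        else
            printf 'OPEN %s %s\n' "$perms" "$p"
        fi
    done
}

# Constructed demo: a private home, one group-only directory, and one
# directory deliberately left readable by everyone.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/home" "$d/shared1" "$d/shared2"
    chmod 700 "$d/home"       # owner only
    chmod 750 "$d/shared1"    # owner + group, nothing for others
    chmod 755 "$d/shared2"    # others can still read and traverse
    audit_others "$d/home" "$d/shared1" "$d/shared2"
    rm -rf "$d"
}
demo
```

Mode bits do not show ACL entries, so where ACLs are in use, check the same directories with `getfacl` as well.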
Old 05-05-2008, 10:26 PM   #5
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,715
Blog Entries: 4

Rep: Reputation: 3951
Actually, there might be another way: Access Control Lists (ACLs).

If your Linux distro supports them (as most now do), ACLs allow you to define more fine-grained permissions than the usual "rwx" system allows.

There are other choices. Some enterprising soul has ported the NetWare "trustee" concept to Linux.

A good general topic to Google on is role-based security; ditto policy-based security. Another one is hardened Linux.
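The ACL approach applied to the original question (read-only access to a few extra directories), as an added example that is not part of the original post. The user name `julia` and the `/srv/...` paths are placeholders, and it assumes the `setfacl` tool is installed and the filesystem has ACL support enabled. By default it only prints the commands; set `APPLY=1` to run them.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder user and paths.

# Print the command (default) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# grant_readonly USER DIR...
# Gives USER read-only access to each DIR through a named-user ACL entry,
# leaving the owner/group/other bits as they are.
grant_readonly() {
    if [ $# -lt 2 ]; then
        echo "usage: grant_readonly USER DIR..." >&2
        return 2
    fi
    user=$1; shift
    for dir in "$@"; do
        # r = read; X = execute only on directories (traverse) and on
        # files that are already executable.
        run setfacl -R -m "u:${user}:rX" "$dir"
        # Default ACL on the directories: entries created later inherit
        # the same read-only access.
        run setfacl -R -d -m "u:${user}:rX" "$dir"
    done
}

# Dry run for three placeholder directories.
grant_readonly julia /srv/docs /srv/media /srv/reports
```

The home directory needs no ACL entry for this: the user owns it, so `chmod 700` on it already gives write access to that user only.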

