
codewolf 05-11-2006 01:01 PM

locking a user in his home dir

I tried googling for an answer but I don't really find what I mean.

I have a Debian server over here and want to give some users access to an SSH account.

Now I know that a user can access a lot of dirs/files on the system and only read those.
Because I don't really want people reading through my scripts, sites and config files, I would like to lock all users in their homedir
and only give them access to dirs I have mounted/sl't for them,
so I'm in control of what they can read and what not.

I found something with blocking access to cd but that's not what I meant.

Hope that you understand :)

Thx for your trouble

b0uncer 05-11-2006 01:21 PM

If you're not using any special software for that (I don't know if there is any, and if, then what), that would mean you'd have to set all the permissions so that the user has a read/write access to his/her homedir, and no permissions at all outside it. It might prove to be a bit of a job, since there are, as you said, quite a lot of places normal users can access. But..

First thing you do is remove the user from every group (except for those you want the user to be in) by editing /etc/group (or, when creating the account, not add the user to any group). This way he only has access to places where the permissions say that "others can read/write/do something". Then you would need to alter the permissions of the whole filesystem so that no place has "other" permissions; with this I mean that the permissions of a file can be written like this:


where there might be "d" in place of "-" if the file is a directory (directories are only "special files"). Now the first "rwx" tells if the owner has read/write/execute permissions. The middle "rwx" tells if the group (that owns the file) has read/write/execute permissions, and the last three letters "rwx" tell if all the other users (not owners, not part of the group that owns the file) have read/write/execute permissions. Now you don't want the "others" to have access to this file, so you'd change the rights as follows:


(never mind the 7 first letters/marks, just have the "---" in the end); then your user would not have access to the file. You would need to do this for all the files on your filesystem. Then again, no other user would have access to some files they normally do, so for this case you would need to create new groups or add some users to the existing ones so they have access to files they need.

So, it does create some work to be done. I'm not sure whether there is an easier way, and probably there is, related to the server software; altering the permissions is the "hard way" and is quite difficult, long and probably creates problems. I'd advise you to read the documentation of your server software (say, if you use Apache for a web-server, read Apache docs) to see if it allows you to specify this kind of permissions you want to get.

IsaacKuo 05-11-2006 01:39 PM

As far as I know, the simple answer is that it can't be done--while still having a usable shell.

A more straightforward "solution" is to put together another computer with a minimal install, and let the users ssh into THAT computer. This computer has access to the directories you want via nfs file sharing.

A more complex variant on that idea is to use chroot to create a "virtual" second computer inside your computer. When a user logs in, he's caged in this chroot environment.

I'm not an expert with the details of chroot...

codewolf 05-11-2006 02:00 PM

OK, so there is no alternative shell or something that I use?
Oh well, if it comes down to it I will use bouncer's idea I think, because I don't like using chroot, because I read how to do that and it was a lot of work to keep it working.

Thx for the ideas IsaacKuo and bouncer ;)

HGeneAnthony 05-11-2006 05:07 PM

If all you're trying to do is limit what users can access, just take away their access to any files you don't want. If you keep a logical file structure (i.e. all scripts are kept under a certain directory) you can easily do this. Trying to block total access might be quite difficult. In all honesty it's not really necessary. If you really want tight access control lists you could set up SELinux. SELinux can have programs run under their own account with their own ACL. So even if you don't have access to read a file the program can (if properly set up). Although this is a bitch to set up. You should learn to use it though for any servers.
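The replies above discuss removing the "other" permission bits from files; the following is an added example, not part of any post in this thread, that audits and then strips those bits for one directory tree rather than the whole filesystem. It assumes GNU find and stat (as on Debian); the function names and the demo tree are hypothetical.

```shell
#!/bin/sh
# List every entry under a tree that grants any permission to "other"
# (the last rwx triplet), printing octal mode, owner:group and path.
other_accessible() {
    # -perm /007 (GNU find): match if any of the o+r, o+w, o+x bits is set.
    # Symlinks are skipped: their own mode is not used for access checks.
    find "$1" -xdev ! -type l -perm /007 -exec stat -c '%a %U:%G %n' {} +
}

# Remove all "other" bits below a tree, leaving owner and group bits alone.
strip_other() {
    find "$1" -xdev ! -type l -perm /007 -exec chmod o-rwx {} +
}

# Constructed demo tree standing in for a directory of private scripts.
demo() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/scripts/conf"
    echo 'db_password=example' > "$tree/scripts/conf/site.conf"
    echo 'echo backup' > "$tree/scripts/backup.sh"
    chmod 755 "$tree/scripts" "$tree/scripts/conf" "$tree/scripts/backup.sh"
    chmod 644 "$tree/scripts/conf/site.conf"

    echo "before: $(other_accessible "$tree/scripts" | wc -l) entries open to other"
    strip_other "$tree/scripts"
    echo "after:  $(other_accessible "$tree/scripts" | wc -l) entries open to other"
    stat -c '%a %n' "$tree/scripts/conf/site.conf"
    rm -rf "$tree"
}

demo
```

Running the audit function on its own first shows which accounts and services would lose access before anything is changed, since a daemon that reaches these files only through the "other" bits needs a group grant instead.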

javaroast 05-11-2006 05:17 PM

You could try setting bash to bash -r or rbash. This should do what you are looking for. Here is a man page explaining it better than I can:

riluve 05-11-2006 07:42 PM

Um - are these users logging in remotely? If so just set up a control panel and only let them access through that (web interface).
