Locking user into /home/user
 

So I've got a slackware 10.2 box up and running with a webserver. I put the webpage files in /home/www, created a user "webadmin" in the group "webmasters", set /home/www as his home (and chown'd it webadmin:webmasters) and set /home/www to 775. What I want to do now is lock "webadmin" into /home/www (and below) so that the user can do what it wants with the webpage but can't do jack else. What's the best way to go about doing that, or something similar?

You can simply change the permission of every directory other than "/home" and "/home/www" so that they wont have permissions to do anything or go anywhere.

That doesn't exactly sound as simple as it looks. Is there a less "modify the whole file system"ish approach?

It's not that hard at all. All you have to do is make sure that all the execute permissions of every directory for "world" are disallowed and also make sure that the user is not in any groups.

To remove the execute permission for "world" from every directory you'd just type (as root) chmod o-x `find / -type d`. Then it's a simple matter to change the permissions for "/home" and "/home/www" (and all subdirectories) back to what they were.

Mind you, regardless of whether you do the above or not, a regular user cannot affect anything outside their home directory anyway. They can see all (or most) of the other files but can't do anything with them. So the above step may be unnecessary unless you're concerned about letting your users know anything about the rest of the system.

This is not a good ideea...
If you change the permissions of every directory of your system, your system will become unuseable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You sould find another aproach. Maybe SELinux or grsecurity or something like this...

That's what I was thinking. Doing ls or cd would be a bit tough. I wonder if su would work too? May not even be able to change to a user that can use the commands. Exit may not work either, can't logout then. That could be bad. :tisk: May I suggest more :study: before you do anything.

Later

:D :D :D :D

You may have a point. However, users in the appropriate groups ("root" and "staff" in the case of Debian) will retain their access rights - it will really only affect new users. Also, the */bin (and possibly */etc) directories can have their permissions restored similarly to the home directories.

The way I always configure this is to add a user, edit /etc/passwd and change the users shell to /bin/deny.
Install vsftpd, there is an option to chroot the users so they can't escape from there home directory's.

Now the user can only change files by logging in with ftp and they can't get out of their home directory.

That sounds like a perfect plan with the 'you can only login via this chrooted ftp'. Thanks!

also check out the 'scponly' shell

http://gentoo-wiki.com/HOWTO_chroot_login
And google around for "chroot a user into home directory" and phrases like that.

I don't understand how this is supposed to work? You're suggesting removing all permissions for 'others' and changing the group ownership to 'staff' or 'users' or something to everywhere outside of /home?