LinuxQuestions.org
Old 10-30-2005, 12:23 AM   #1
zaimor
LQ Newbie
 
Registered: Oct 2005
Location: Fort Drum, NY
Distribution: Slackware 10.2
Posts: 10

Rep: Reputation: 0
Locking user into /home/user


So I've got a Slackware 10.2 box up and running with a webserver. I put the webpage files in /home/www, created a user "webadmin" in the group "webmasters", set /home/www as his home (and chown'd it webadmin:webmasters) and set /home/www to 775. What I want to do now is lock "webadmin" into /home/www (and below) so that the user can do what it wants with the webpage but can't do jack else. What's the best way to go about doing that, or something similar?
 
Old 10-30-2005, 01:32 AM   #2
adz
Senior Member
 
Registered: Jun 2003
Location: Sydney
Distribution: Debian, FreeBSD
Posts: 1,713

Rep: Reputation: 53
You can simply change the permission of every directory other than "/home" and "/home/www" so that they won't have permissions to do anything or go anywhere.
 
Old 10-30-2005, 01:55 AM   #3
zaimor
LQ Newbie
 
Registered: Oct 2005
Location: Fort Drum, NY
Distribution: Slackware 10.2
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
of every directory other than
That doesn't exactly sound as simple as it looks. Is there a less "modify the whole file system"ish approach?
 
Old 10-30-2005, 01:35 AM   #4
adz
Senior Member
 
Registered: Jun 2003
Location: Sydney
Distribution: Debian, FreeBSD
Posts: 1,713

Rep: Reputation: 53
It's not that hard at all. All you have to do is make sure that all the execute permissions of every directory for "world" are disallowed and also make sure that the user is not in any groups.

To remove the execute permission for "world" from every directory you'd just type (as root) chmod o-x `find / -type d`. Then it's a simple matter to change the permissions for "/home" and "/home/www" (and all subdirectories) back to what they were.

Mind you, regardless of whether you do the above or not, a regular user cannot affect anything outside their home directory anyway. They can see all (or most) of the other files but can't do anything with them. So the above step may be unnecessary unless you're concerned about letting your users know anything about the rest of the system.

Last edited by adz; 10-30-2005 at 01:40 AM.
 
Old 10-30-2005, 03:41 AM   #5
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 472

Rep: Reputation: 30
Quote:
You can simply change the permission of every directory other than "/home" and "/home/www" so that they won't have permissions to do anything or go anywhere.
This is not a good idea...
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You should find another approach. Maybe SELinux or grsecurity or something like this...
 
Old 10-30-2005, 03:52 AM   #6
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
Quote:
Originally posted by ddaas
This is not a good idea...
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You should find another approach. Maybe SELinux or grsecurity or something like this...
That's what I was thinking. Doing ls or cd would be a bit tough. I wonder if su would work too? May not even be able to change to a user that can use the commands. Exit may not work either, can't logout then. That could be bad. May I suggest more before you do anything.

Later

 
Old 10-30-2005, 04:00 AM   #7
adz
Senior Member
 
Registered: Jun 2003
Location: Sydney
Distribution: Debian, FreeBSD
Posts: 1,713

Rep: Reputation: 53
Quote:
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You may have a point. However, users in the appropriate groups ("root" and "staff" in the case of Debian) will retain their access rights - it will really only affect new users. Also, the */bin (and possibly */etc) directories can have their permissions restored similarly to the home directories.

Last edited by adz; 10-30-2005 at 04:02 AM.
 
Old 10-31-2005, 08:02 AM   #8
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
The way I always configure this is to add a user, edit /etc/passwd and change the user's shell to /bin/deny.
Install vsftpd, there is an option to chroot the users so they can't escape from their home directories.

Now the user can only change files by logging in with ftp and they can't get out of their home directory.
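
Added example (not part of the original thread or of pk21's post): a small audit that checks whether an account is actually confined the way post #8 describes, i.e. no login shell in the passwd entry and vsftpd set to chroot local users. The function names, the file arguments and the sample data are constructed for illustration; /bin/deny is the shell name used in the post, and chroot_local_user / chroot_list_enable are vsftpd.conf options.

```shell
#!/bin/sh
# Print the login shell (7th field) of USER from a passwd-format file.
passwd_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Print the last value assigned to KEY in a vsftpd.conf-style file
# (key=value with no spaces around "="; commented-out lines are ignored).
conf_value() {
    awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# Return 0 only if USER has no login shell and vsftpd will chroot the account.
# Args: USER PASSWD_FILE VSFTPD_CONF CHROOT_LIST (paths are passed in, not assumed)
check_confined() {
    user=$1; passwd=$2; conf=$3; list=$4; rc=0
    case "$(passwd_shell "$user" "$passwd")" in
        /bin/deny|*/nologin|*/false) ;;   # /bin/deny is the name used in the post
        "") echo "FAIL: no passwd entry (or empty shell field) for $user"; return 1 ;;
        *)  echo "FAIL: $user still has a login shell"; rc=1 ;;
    esac
    if [ "$(conf_value chroot_local_user "$conf")" != "YES" ]; then
        echo "FAIL: chroot_local_user is not YES (vsftpd default is NO)"; rc=1
    # With chroot_local_user=YES, the chroot list names users that are NOT jailed.
    elif [ "$(conf_value chroot_list_enable "$conf")" = "YES" ] &&
         grep -qx "$user" "$list" 2>/dev/null; then
        echo "FAIL: $user is exempted from the chroot by $list"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $user is FTP-only and chrooted"
    return "$rc"
}

# Constructed sample data (not from a real host): the account before and after the change.
demo() {
    d=$(mktemp -d)
    printf 'webadmin:x:1001:1001::/home/www:/bin/bash\n' > "$d/passwd.before"
    printf 'webadmin:x:1001:1001::/home/www:/bin/deny\n' > "$d/passwd.after"
    printf 'local_enable=YES\nwrite_enable=YES\nchroot_local_user=YES\n' > "$d/vsftpd.conf"
    : > "$d/chroot_list"
    check_confined webadmin "$d/passwd.before" "$d/vsftpd.conf" "$d/chroot_list" || echo "(expected: bash is a login shell)"
    check_confined webadmin "$d/passwd.after" "$d/vsftpd.conf" "$d/chroot_list"
    rc=$?; rm -rf "$d"; return "$rc"
}
demo
```

On a real host the arguments would be /etc/passwd, the vsftpd.conf in use, and the file named by chroot_list_file.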
 
Old 10-31-2005, 02:03 PM   #9
zaimor
LQ Newbie
 
Registered: Oct 2005
Location: Fort Drum, NY
Distribution: Slackware 10.2
Posts: 10

Original Poster
Rep: Reputation: 0
That sounds like a perfect plan with the 'you can only login via this chrooted ftp'. Thanks!
 
Old 11-01-2005, 06:28 AM   #10
|2ainman
Member
 
Registered: Mar 2004
Distribution: Slackware current, DSL 0.9.2
Posts: 133

Rep: Reputation: 15
Also check out the 'scponly' shell.
 
Old 11-06-2005, 06:34 PM   #11
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
http://gentoo-wiki.com/HOWTO_chroot_login
And google around for "chroot a user into home directory" and phrases like that.

Quote:
You may have a point. However, users in the appropriate groups ("root" and "staff" in the case of Debian) will retain their access rights - it will really only affect new users. Also, the */bin (and possibly */etc) directories can have their permissions restored similarly to the home directories.
I don't understand how this is supposed to work? You're suggesting removing all permissions for 'others' and changing the group ownership to 'staff' or 'users' or something to everywhere outside of /home?
 
  

