10-30-2005, 12:23 AM, #1
LQ Newbie | Registered: Oct 2005 | Location: Fort Drum, NY | Distribution: Slackware 10.2 | Posts: 10
Locking user into /home/user
So I've got a slackware 10.2 box up and running with a webserver. I put the webpage files in /home/www, created a user "webadmin" in the group "webmasters", set /home/www as his home (and chown'd it webadmin:webmasters) and set /home/www to 775. What I want to do now is lock "webadmin" into /home/www (and below) so that the user can do what it wants with the webpage but can't do jack else. What's the best way to go about doing that, or something similar?

10-30-2005, 01:32 AM, #2
Senior Member | Registered: Jun 2003 | Location: Sydney | Distribution: Debian, FreeBSD | Posts: 1,713
You can simply change the permission of every directory other than "/home" and "/home/www" so that they won't have permissions to do anything or go anywhere.

10-30-2005, 01:55 AM, #3
LQ Newbie | Registered: Oct 2005 | Location: Fort Drum, NY | Distribution: Slackware 10.2 | Posts: 10 | Original Poster
Quote:
of every directory other than
That doesn't exactly sound as simple as it looks. Is there a less "modify the whole file system"ish approach?

10-30-2005, 01:35 AM, #4
Senior Member | Registered: Jun 2003 | Location: Sydney | Distribution: Debian, FreeBSD | Posts: 1,713
It's not that hard at all. All you have to do is make sure that all the execute permissions of every directory for "world" are disallowed and also make sure that the user is not in any groups.
To remove the execute permission for "world" from every directory you'd just type (as root) chmod o-x `find / -type d`. Then it's a simple matter to change the permissions for "/home" and "/home/www" (and all subdirectories) back to what they were.
Mind you, regardless of whether you do the above or not, a regular user cannot affect anything outside their home directory anyway. They can see all (or most) of the other files but can't do anything with them. So the above step may be unnecessary unless you're concerned about letting your users know anything about the rest of the system.
Last edited by adz; 10-30-2005 at 01:40 AM.

10-30-2005, 03:41 AM, #5
Member | Registered: Oct 2004 | Location: Romania | Distribution: Ubuntu server, FreeBsd | Posts: 474
Quote:
You can simply change the permission of every directory other than "/home" and "/home/www" so that they won't have permissions to do anything or go anywhere.
This is not a good idea...
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You should find another approach. Maybe SELinux or grsecurity or something like this...

10-30-2005, 03:52 AM, #6
Senior Member | Registered: Jul 2003 | Location: Mississippi USA | Distribution: Gentoo | Posts: 2,058
Quote:
Originally posted by ddaas
This is not a good idea...
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You should find another approach. Maybe SELinux or grsecurity or something like this...
That's what I was thinking. Doing ls or cd would be a bit tough. I wonder if su would work too? May not even be able to change to a user that can use the commands. Exit may not work either, can't logout then. That could be bad. May I suggest more before you do anything.
Later

10-30-2005, 04:00 AM, #7
Senior Member | Registered: Jun 2003 | Location: Sydney | Distribution: Debian, FreeBSD | Posts: 1,713
Quote:
If you change the permissions of every directory of your system, your system will become unusable for the users. There are files which are and should remain world executable: ls, cat, login etc.
You may have a point. However, users in the appropriate groups ("root" and "staff" in the case of Debian) will retain their access rights - it will really only affect new users. Also, the */bin (and possibly */etc) directories can have their permissions restored similarly to the home directories.
Last edited by adz; 10-30-2005 at 04:02 AM.

10-31-2005, 08:02 AM, #8
Member | Registered: Jun 2002 | Location: Netherlands - Amsterdam | Distribution: RedHat 9 | Posts: 549
The way I always configure this is to add a user, edit /etc/passwd and change the user's shell to /bin/deny.
Install vsftpd; there is an option to chroot the users so they can't escape from their home directories.
Now the user can only change files by logging in with ftp and they can't get out of their home directory.
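An added example, not code from the thread: it audits the "FTP-only, chrooted user" arrangement described in post #8 (a shell that is not a login shell, plus vsftpd's chroot_local_user option) against constructed sample copies of /etc/passwd, /etc/shells and vsftpd.conf. The user name webadmin and the /home/www path come from the thread; /sbin/nologin is assumed as the non-login shell in place of the /bin/deny mentioned above, and the audit() function is hypothetical.

```python
# Added example (not from the thread): audit the FTP-only chrooted-user setup from
# post #8. All file contents below are constructed sample data, not real files.
PASSWD = """root:x:0:0:root:/root:/bin/bash
webadmin:x:1001:1001:web admin:/home/www:/sbin/nologin
alice:x:1002:1002:alice:/home/alice:/bin/bash
"""
SHELLS = "/bin/sh\n/bin/bash\n"
VSFTPD_CONF = """local_enable=YES
write_enable=YES
chroot_local_user=YES
anonymous_enable=NO
"""

def parse_passwd(text):
    """Map user -> (home, shell) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = (fields[5], fields[6])
    return users

def parse_conf(text):
    """Parse vsftpd.conf key=value lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(user, passwd_text, shells_text, vsftpd_text):
    """Return findings; an empty list means the user is FTP-only and confined."""
    users = parse_passwd(passwd_text)
    if user not in users:
        return [f"{user}: no passwd entry"]
    home, shell = users[user]
    login_shells = {s.strip() for s in shells_text.splitlines() if s.strip()}
    conf = parse_conf(vsftpd_text)
    findings = []
    if shell in login_shells:  # anything listed in /etc/shells permits interactive logins
        findings.append(f"{user}: {shell} is a login shell, so ssh/console access is still open")
    if conf.get("chroot_local_user", "NO").upper() != "YES":  # vsftpd default is NO
        findings.append(f"{user}: chroot_local_user is not YES, FTP sessions can leave {home}")
    if conf.get("chroot_list_enable", "NO").upper() == "YES":
        findings.append("chroot_list_enable=YES inverts the chroot for users in chroot_list_file")
    if conf.get("anonymous_enable", "YES").upper() != "NO":  # vsftpd default is YES
        findings.append("anonymous_enable is not NO")
    return findings
```

Note that vsftpd 2.3.5 and later refuse to chroot into a home directory the user can write to unless allow_writeable_chroot=YES is set, so a writable /home/www needs either that line or a read-only chroot root with a writable subdirectory.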

10-31-2005, 02:03 PM, #9
LQ Newbie | Registered: Oct 2005 | Location: Fort Drum, NY | Distribution: Slackware 10.2 | Posts: 10 | Original Poster
That sounds like a perfect plan with the 'you can only login via this chrooted ftp'. Thanks!

11-01-2005, 06:28 AM, #10
Member | Registered: Mar 2004 | Distribution: Slackware current, DSL 0.9.2 | Posts: 133
Also check out the 'scponly' shell.

11-06-2005, 06:34 PM, #11
Senior Member | Registered: Aug 2004 | Location: Munich, Germany | Distribution: Opensuse 11.2 | Posts: 1,549
http://gentoo-wiki.com/HOWTO_chroot_login
And google around for "chroot a user into home directory" and phrases like that.
Quote:
You may have a point. However, users in the appropriate groups ("root" and "staff" in the case of Debian) will retain their access rights - it will really only affect new users. Also, the */bin (and possibly */etc) directories can have their permissions restored similarly to the home directories.
I don't understand how this is supposed to work? You're suggesting removing all permissions for 'others' and changing the group ownership to 'staff' or 'users' or something to everywhere outside of /home?