
SiLiCoN 10-09-2004 12:36 AM

user jailing ?

I would like to know if there is a way (well, there certainly is) to lock a particular user (or all users) in their home directory. This is exactly what I'm looking for:
There is a centrally located Linux (RedHat 9.0) server to which users log in to their shell accounts. Now what I want to do is to restrict the users to their home directory so that they can't move out of it, in other words chroot $HOME, but that is only possible as r00t. I tried adding a "chroot $HOME" line in /etc/bashrc but that can be executed only as root. So is there a way that whenever someone logs in he can't move out of his home directory, both for FTP and shell...


veritas 10-09-2004 12:40 AM

Not sure how to lock them in the shell, but for FTP (if you are using proftpd) just add this towards the top of your proftpd.conf:

DefaultRoot ~

DaHammer 10-09-2004 02:07 AM

Yes, it can be done, but remember chroot restricts whomever or whatever is inside the jail to just what's in the jail with them. Meaning they cannot access any applications or files not installed inside the jail. For instance, if you simply run "chroot /tmp" as root you will get an error about not being able to find /bin/bash because there is no /bin/bash inside the jail. But if you copy /bin/bash to /tmp/bin/bash and any dependencies it has into the jail as well, it will work. You cannot simply prevent a user from moving about the file system while at the same time allowing the user to use those files. Make sense? Anyway here is a link to a project that sets it up for you.

You could also set up Virtual Machines, which are completely separate systems all running on and sharing the same hardware. But at the end of the day the simplest thing to do is to not give shell access to those you do not trust, else you are just asking for trouble.
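The "copy /bin/bash and its dependencies into the jail" step described above, written out as a POSIX shell script. This is an added example, not code from the thread or from the project DaHammer links to. It assumes a glibc-style `ldd` that prints absolute library paths, and the helper names `copy_with_deps` and `build_jail` and the `jailed` passwd entry are made up for illustration:

```shell
#!/bin/sh
# Build a minimal chroot tree: install one binary (default /bin/bash) plus the
# shared libraries ldd reports for it, so the program can start inside the jail.
# Function names here (copy_with_deps, build_jail) are hypothetical, not from the thread.

# copy_with_deps JAIL FILE
# Copy FILE into JAIL at the same absolute path, then copy every shared object
# ldd lists for it (the dynamic loader included, e.g. /lib64/ld-linux-x86-64.so.2).
copy_with_deps() {
    jail=$1
    file=$2
    mkdir -p "$jail$(dirname "$file")"
    cp -p "$file" "$jail$file"
    # ldd lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
    # or "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the fields that are paths.
    # If ldd is missing (static binary, musl without ldd), the loop simply runs zero times.
    ldd "$file" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while IFS= read -r lib; do
        [ -e "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"   # -p keeps mode/ownership; symlinks are dereferenced
    done
}

# build_jail JAIL [SHELL]
# Create the skeleton directories, install SHELL with its libraries, and write a
# one-line passwd so the shell can resolve its own uid. Nothing here needs root;
# only the final "chroot" does (and mknod for /dev/null, which is left out).
build_jail() {
    jail=$1
    shell=${2:-/bin/bash}
    mkdir -p "$jail/bin" "$jail/lib" "$jail/etc" "$jail/dev" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    copy_with_deps "$jail" "$shell"
    # Constructed sample entry; a real jail would carry the users who log in.
    printf 'jailed:x:1000:1000::/:%s\n' "$shell" > "$jail/etc/passwd"
}

# Example run (the chroot itself is printed, not executed, because it needs root):
#   build_jail /srv/jail
#   sudo chroot /srv/jail /bin/bash
```

Every extra command the jailed user should have (ls, vi, ...) has to go through `copy_with_deps` the same way, which is why DaHammer says the user only gets what is inside the jail with them. Two caveats a practitioner would add: the `chroot` call itself must be run as root, so it belongs in the login path (a PAM module or a setuid wrapper shell), not in /etc/bashrc; and a process that is root inside the jail can break out of a plain chroot, so never leave setuid binaries or a root account inside it.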

SiLiCoN 10-09-2004 02:20 AM

Thanks for the help guys,

Setting up a chroot "jail" is one of the most time consuming things in Linux... Is this the only way I can restrict shell commands (pfffft)? Well then for each and every user I'll have to spend a huge amount of time (maybe I'll write a script?).

Is there any other way to do it? Is this how all the website providers and free shell providers do it?
