LinuxQuestions.org
Old 01-05-2012, 11:34 PM   #1
jsaravana87
Member
 
Registered: Aug 2011
Location: Chennai,India
Distribution: Redhat,Centos,Ubuntu,Debian
Posts: 558
Blog Entries: 5

Rep: Reputation: Disabled
How can I block a user to use his home directory alone

Hi,
I have mounted a filesystem on the user's home directory, but the customer account is able to view the whole / filesystem and the /root filesystem. How can I block the user to use his home directory alone? He also shouldn't access anything with 777 permission in /.



useradd customer
su - customer
mkdir /home/customer
mount --bind /opt /home/customer/
 
Old 01-05-2012, 11:43 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
Do not tell me that you ran chmod 777 on "/".
If so, that's not good.

If you did, the fastest way to fix it is to reinstall.
If this is CentOS, then that would cause all kinds of problems with SE.
 
Old 01-06-2012, 03:31 AM   #3
jsaravana87
Member
 
Registered: Aug 2011
Location: Chennai,India
Distribution: Redhat,Centos,Ubuntu,Debian
Posts: 558

Original Poster
Blog Entries: 5

Rep: Reputation: Disabled
Hi,
I achieved this by:

setfacl -m u:customer:--- /
setfacl -m u:customer:rwx /var
 
Old 01-09-2012, 03:21 AM   #4
sKaar
Member
 
Registered: Jun 2006
Location: dartmouth, nova scotia
Distribution: slackware 12.1
Posts: 74

Rep: Reputation: 2
Does that command on / recurse the directories?
 
Old 01-09-2012, 04:44 AM   #5
jayakumar01
Member
 
Registered: Nov 2011
Posts: 106

Rep: Reputation: Disabled
setfacl -m u:customer:--- / makes the customer user unable to access any of the / content.
setfacl -m u:customer:rwx /var gives the customer permission to this folder alone.
 
Old 01-09-2012, 06:28 AM   #6
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Blog Entries: 4

Rep: Reputation: 221
Quote:
Originally Posted by jayakumar01 View Post
setfacl -m u:customer:--- / makes the customer user unable to access any of the / content.
setfacl -m u:customer:rwx /var gives the customer permission to this folder alone.
If we don't give any permission to a user for /, then will he/she be able to log in?
I tried on my machine and this is what I get:
Code:
# su - deepak
su: warning: cannot change directory to /home/deepak: Permission denied
su: /bin/bash: Permission denied
Code:
[root@server /]# getfacl /
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::rwx
user:deepak:---
group::r-x
mask::r-x
other::r-x
 
Old 01-09-2012, 07:23 AM   #7
jayakumar01
Member
 
Registered: Nov 2011
Posts: 106

Rep: Reputation: Disabled
Hi Deepak,
In my case the users are accessing by using FileZilla, so I required the user not to log in with the user credentials; thus I had enabled --- on /. I enabled it so that the directories with 777 permission in root are not listed for the user credentials, but it works fine when you access it by FileZilla. If you require the user to log in, you can enable:

setfacl -m u:customer:--x /
setfacl -m u:customer:rwx /var

Last edited by jayakumar01; 01-09-2012 at 07:25 AM.
 
Old 01-09-2012, 07:28 AM   #8
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Blog Entries: 4

Rep: Reputation: 221
Quote:
Originally Posted by jayakumar01 View Post
Hi Deepak,
In my case the users are accessing by using FileZilla, so I required the user not to log in with the user credentials; thus I had enabled --- on /. I enabled it so that the directories with 777 permission in root are not listed for the user credentials, but it works fine when you access it by FileZilla. If you require the user to log in, you can enable:

setfacl -m u:customer:--x /
setfacl -m u:customer:rwx /var
Yes, I have not tried with FileZilla, but at least a user requires --x permission to log in at the command prompt, as I can see:
Code:
[root@server ~]# getfacl /
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::rwx
user:deepak:--x
group::r-x
mask::r-x
other::r-x
Code:
[root@server ~]# su - deepak
[deepak@server ~]$ ls
Mail  Maildir
[deepak@server ~]$ cd /
[deepak@server /]$ ls
ls: .: Permission denied
[deepak@server /]$
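A model of the permission check behind posts #4 to #8, as an added example that is not part of the thread: setfacl without -R changes only the ACL on / itself, but path lookup needs search (x) permission on every ancestor directory, so a --- entry on / also cuts the user off from /var and the home directory, while --x allows traversal but not listing. The function names and the ACLs for /var, /home and /home/deepak are constructed for illustration; only the ACL on / is taken from the getfacl output above.

```python
def parse_getfacl(text):
    """Turn getfacl-style text into owner, group and (tag, qualifier, perms) entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            acl["entries"].append(tuple(line.split(":")))
    return acl

def allows(acl, user, groups, want):
    """Check order from acl(5): owner, named user, groups, other. Root's override is not modelled."""
    find = lambda tag, q: next((p for t, qq, p in acl["entries"] if (t, qq) == (tag, q)), None)
    mask = find("mask", "") or "rwx"        # no mask entry: nothing is filtered
    ok = lambda perms, masked: want in perms and (not masked or want in mask)
    if user == acl["owner"]:
        return ok(find("user", ""), False)
    named = find("user", user)
    if named is not None:                   # a named-user entry decides; "other" is never reached
        return ok(named, True)
    grp = [p for t, q, p in acl["entries"] if t == "group" and (q or acl["group"]) in groups]
    return any(ok(p, True) for p in grp) if grp else ok(find("other", ""), False)

def can(acls, user, groups, path, want):
    """Search (x) is needed on every ancestor directory, then `want` on the target."""
    cur = "/"
    for part in filter(None, path.split("/")):
        if not allows(acls[cur], user, groups, "x"):
            return False
        cur = cur.rstrip("/") + "/" + part
    return allows(acls[cur], user, groups, want)

ROOT_DENY = """# owner: root
# group: root
user::rwx
user:deepak:---
group::r-x
mask::r-x
other::r-x"""

def tree(root_text):
    """Constructed sample tree: only the ACL on / comes from the thread."""
    mk = lambda owner, *e: {"owner": owner, "group": owner, "entries": [tuple(x.split(":")) for x in e]}
    return {"/": parse_getfacl(root_text),
            "/var": mk("root", "user::rwx", "user:deepak:rwx", "group::r-x", "mask::rwx", "other::r-x"),
            "/home": mk("root", "user::rwx", "group::r-x", "other::r-x"),
            "/home/deepak": mk("deepak", "user::rwx", "group::---", "other::---")}
DENY = tree(ROOT_DENY)
SEARCH_ONLY = tree(ROOT_DENY.replace("user:deepak:---", "user:deepak:--x"))
```

`can(DENY, "deepak", ["deepak"], "/var", "w")` is false even though /var grants rwx, and `can(SEARCH_ONLY, "deepak", ["deepak"], "/", "r")` is false while the home directory is reachable, matching the su and ls results in posts #6 and #8.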
 
Old 01-09-2012, 08:45 AM   #9
jayakumar01
Member
 
Registered: Nov 2011
Posts: 106

Rep: Reputation: Disabled
[root@loft~]# cd /


Things which I had 777 permission on, like deploybkup, designer, opt:

setfacl -m u:aviation:--- /opt
setfacl -m u:aviation:--- /deploybkup


[root@loft /]# ls -al
total 149
drwxrwxr-x+ 24 root root 4096 Jan 6 06:14 .
drwxrwxr-x+ 24 root root 4096 Jan 6 06:14 ..
-rw------- 1 root root 8192 Jan 9 14:25 aquota.group
-rw------- 1 root root 8192 Jan 9 14:25 aquota.user
-rw-r--r-- 1 root root 0 Jan 4 11:06 .autofsck
-rw-r--r-- 1 root root 0 Jan 4 10:58 .autorelabel
drwxr-xr-x 2 root root 4096 Jan 7 04:02 bin
drwxr-xr-x 4 root root 1024 Jan 4 11:04 boot
drwxrwxrwx+ 3 root root 4096 Jan 5 07:51 deploybkup
drwxrwxrwx+ 2 root root 4096 Jan 6 06:15 designer
drwxr-xr-x 11 root root 3580 Jan 4 11:07 dev
drwxr-xr-x 84 root root 4096 Jan 7 04:02 etc
drwxr-xr-x 5 root root 4096 Jan 6 07:35 home
drwxr-xr-x 11 root root 4096 Jan 5 04:03 lib
drwxr-xr-x 9 root root 12288 Jan 5 04:03 lib64
drwx------ 2 root root 16384 Jan 4 10:54 lost+found
drwxr-xr-x 2 root root 4096 May 11 2011 media
drwxr-xr-x 3 root root 4096 Jan 4 11:03 mnt
drwxrwxrwx+ 3 root root 4096 Jan 4 11:12 opt
dr-xr-xr-x 145 root root 0 Jan 4 11:06 proc
drwxr-x--- 4 root root 4096 Jan 5 15:35 root
drwxr-xr-x 2 root root 12288 Jan 5 04:03 sbin
drwxr-xr-x 4 root root 0 Jan 4 11:06 selinux
drwxr-xr-x 2 root root 4096 May 11 2011 srv
drwxr-xr-x 11 root root 0 Jan 4 11:06 sys
-rw-r--r-- 1 root root 1952 Jan 5 14:26 terms
drwxrwxrwx 9 root root 4096 Jan 9 08:38 tmp
drwxr-xr-x 15 root root 4096 Jan 4 11:27 usr
drwxrwxr-x+ 19 root root 4096 Jan 6 05:05 var

For all the remaining / content I had enabled x permission alone.
[root@loft /]#

[root@loft ~]# getfacl /
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::rwx
user:aviation:rwx
group::r-x
mask::rwx
other::r-x

[root@loft ~]# su - aviation
[aviation@loft ~]$ ls -al /
total 149
drwxrwxr-x+ 24 root root 4096 Jan 6 06:14 .
drwxrwxr-x+ 24 root root 4096 Jan 6 06:14 ..
-rw------- 1 root root 8192 Jan 9 14:25 aquota.group
-rw------- 1 root root 8192 Jan 9 14:25 aquota.user
-rw-r--r-- 1 root root 0 Jan 4 11:06 .autofsck
-rw-r--r-- 1 root root 0 Jan 4 10:58 .autorelabel
drwxr-xr-x 2 root root 4096 Jan 7 04:02 bin
drwxr-xr-x 4 root root 1024 Jan 4 11:04 boot
drwxrwxrwx+ 3 root root 4096 Jan 5 07:51 deploybkup
drwxrwxrwx+ 2 root root 4096 Jan 6 06:15 designer
drwxr-xr-x 11 root root 3580 Jan 4 11:07 dev
drwxr-xr-x 84 root root 4096 Jan 7 04:02 etc
drwxr-xr-x 5 root root 4096 Jan 6 07:35 home
drwxr-xr-x 11 root root 4096 Jan 5 04:03 lib
drwxr-xr-x 9 root root 12288 Jan 5 04:03 lib64
drwx------ 2 root root 16384 Jan 4 10:54 lost+found
drwxr-xr-x 2 root root 4096 May 11 2011 media
drwxr-xr-x 3 root root 4096 Jan 4 11:03 mnt
drwxrwxrwx+ 3 root root 4096 Jan 4 11:12 opt
dr-xr-xr-x 147 root root 0 Jan 4 11:06 proc
drwxr-x--- 4 root root 4096 Jan 5 15:35 root
drwxr-xr-x 2 root root 12288 Jan 5 04:03 sbin
drwxr-xr-x 4 root root 0 Jan 4 11:06 selinux
drwxr-xr-x 2 root root 4096 May 11 2011 srv
drwxr-xr-x 11 root root 0 Jan 4 11:06 sys
-rw-r--r-- 1 root root 1952 Jan 5 14:26 terms
drwxrwxrwx 9 root root 4096 Jan 9 08:38 tmp
drwxr-xr-x 15 root root 4096 Jan 4 11:27 usr
drwxrwxr-x+ 19 root root 4096 Jan 6 05:05 var
[aviation@loft ~]$ cd /home/
[aviation@loft home]$ ls -al
total 24
drwxr-xr-x 5 root root 4096 Jan 6 07:35 .
drwxrwxr-x+ 24 root root 4096 Jan 6 06:14 ..
drwx------ 3 aviation aviation 4096 Jan 6 04:59 aviation
drwx------ 2 mailer mailer 4096 Jan 6 07:21 mailer
drwx------ 2 saravana saravana 4096 Jan 6 07:36 saravana
[aviation@loft home]$ cd aviation/
[aviation@loft ~]$ ls -al
total 28
drwx------ 3 aviation aviation 4096 Jan 6 04:59 .
drwxr-xr-x 5 root root 4096 Jan 6 07:35 ..
-rw------- 1 aviation aviation 106 Jan 9 14:25 .bash_history
-rw-r--r-- 1 aviation aviation 33 Jan 6 04:57 .bash_logout
-rw-r--r-- 1 aviation aviation 176 Jan 6 04:57 .bash_profile
-rw-r--r-- 1 aviation aviation 124 Jan 6 04:57 .bashrc
drwxrwxrwx 7 1000 users 4096 Jan 5 2008 campaign
[aviation@loft ~]$ cd campaign/
[aviation@loft campaign]$ ls -al
total 76
drwxrwxrwx 7 1000 users 4096 Jan 5 2008 .
drwx------ 3 aviation aviation 4096 Jan 6 04:59 ..
drwxrwxrwx 2 1000 users 4096 Jan 5 2008 backgrounds
-rwxrwxrwx 1 1000 users 2847 Jan 5 2008 bg_body.gif
-rwxrwxrwx 1 1000 users 106 Jan 5 2008 bg_header.gif
-rwxrwxrwx 1 1000 users 100 Jan 5 2008 bg_menu.gif
-rwxrwxrwx 1 1000 users 96 Jan 5 2008 bg_sidebar.gif
drwxrwxrwx 2 1000 users 4096 Jan 5 2008 dialog
drwxrwxrwx 2 1000 users 4096 Jan 5 2008 grid
drwxrwxrwx 2 1000 users 4096 Jan 12 2008 icons
-rwxrwxrwx 1 1000 users 875 Jan 5 2008 loader.gif
-rwxrwxrwx 1 1000 users 1174 Jan 5 2008 mailerbar-bg.gif
-rwxrwxrwx 1 1000 users 126 Jan 5 2008 mailerbar-single.gif
-rwxrwxrwx 1 1000 users 4877 Jan 5 2008 pommo.gif
-rwxrwxrwx 1 1000 users 1115 Jan 5 2008 slider_handle.png
-rwxrwxrwx 1 1000 users 637 Jan 13 2008 slider_track2.png
-rwxrwxrwx 1 1000 users 654 Jan 13 2008 slider_track.png
drwxrwxrwx 2 1000 users 4096 Jan 5 2008 table
[aviation@loft campaign]$

Last edited by jayakumar01; 01-09-2012 at 08:46 AM.
 
  

