Old 03-03-2005, 08:03 PM   #1
LQ Newbie
Registered: Jun 2004
Posts: 15

Rep: Reputation: 0
New User FTP/SHELL Limitations

I have a web server with RH9 installed. I have added a couple of users to make updates to the websites. I wanted to know how I can prevent shell access and / directory access.

For example, I have a website located in /home/sites/site1/web, and I have made this the user's default directory. But the user is still able to go to /etc. I want it so the user may only be able to go up to /home/sites/site1.

Also the user is able to log in with ssh. I changed the shell to /bin/false and this solves the ssh problem but then ftp is also blocked.

All help is welcome.

Old 03-05-2005, 06:00 AM   #2
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677
If they only need to update the website through ftp, then you don't need to make them regular users. If they have accounts because they use their account to produce the changes (rather than offline), then they will need normal access to change the website. You can have a shell running in a jail. This would mean providing a scaled-down version of the system inside of the jail.

You can have a non-anonymous ftp server running in a jail, and make these two people guest users.
This link could be a starting point for you:

Having read access to /etc is normal, as many programs require read access to the configuration files. For example, when they log in, their home directory and default shell are read from /etc/passwd.

If you put them in a chrooted jail, you need to be careful which commands you include. For example, with the restricted shell, the '/' character isn't allowed in pathnames. But just executing a script will remove the restrictions. Starting a regular bash shell, if you allow it, would also remove restrictions. The restricted shell is intended to be used to run a server in a jail. It is insurance in case the service crashes.

Most distributions have security settings, and the highest is often called 'paranoid' settings. This may even restrict users from accessing man pages.

Also, if you have a storage partition mounted, such as an external vfat drive to store MP3s for instance, make yourself the owner and group owner of the partition, and use the 'noexec' and 'nodev' options.

Also, you can tighten up the password policy. This way, a user can't choose a weak password. This can help prevent a third party from guessing the passwords of one of the users.

If the strictest security level isn't enough, and they can't get their work done in a jail, maybe you don't want others accessing your computer in the first place. You would probably be safer in the long run concentrating on security issues in general, such as removing programs and commands that a web server doesn't need, removing unnecessary suid programs, not running any services like mail that have shell hooks, and scanning your machine looking for open ports.

Last edited by jschiwal; 03-05-2005 at 06:20 AM.
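
The account state this thread is about, as an added example that is not part of either post: a shell function that lists accounts whose home is under a site root, whether their shell allows an interactive login, and whether that shell appears in a shells file. It assumes the FTP daemon refuses users whose shell is not listed in /etc/shells (as pam_shells-based setups do); the function names, sample accounts and file contents are constructed.

```sh
#!/bin/sh
# Added example: audit accounts whose home directory is under a web-site root.
# Usage: audit_site_users PASSWD_FILE SHELLS_FILE SITE_ROOT
# Output per account: user shell shell_login=yes|no ftp_shell_listed=yes|no
audit_site_users() {
    passwd_file=$1; shells_file=$2; site_root=$3
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        # Skip blank lines, comments, and accounts outside the site root.
        case $user in ''|'#'*) continue ;; esac
        case $home in "$site_root"|"$site_root"/*) ;; *) continue ;; esac
        # An empty shell field in passwd means /bin/sh.
        [ -n "$shell" ] || shell=/bin/sh
        # /bin/false and nologin end the session at once: no interactive login.
        case $shell in
            */false|*/nologin) login=no ;;
            *) login=yes ;;
        esac
        # Assumption: the FTP daemon rejects shells missing from SHELLS_FILE.
        if grep -qxF -- "$shell" "$shells_file"; then listed=yes; else listed=no; fi
        printf '%s %s shell_login=%s ftp_shell_listed=%s\n' \
            "$user" "$shell" "$login" "$listed"
    done < "$passwd_file"
}

# Constructed sample data in the layout of /etc/passwd and /etc/shells.
audit_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
web1:x:501:501::/home/sites/site1/web:/bin/bash
web2:x:502:502::/home/sites/site2/web:/bin/false
web3:x:503:503::/home/sites/site3/web:/sbin/nologin
EOF
    cat > "$tmp/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF
    audit_site_users "$tmp/passwd" "$tmp/shells" /home/sites
    rm -rf "$tmp"
}

audit_demo
```

On a real host, pass /etc/passwd, /etc/shells and the site root. Under the stated assumption, a row with shell_login=no and ftp_shell_listed=no corresponds to the /bin/false symptom described in the first post.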

