The UNIX and Linux Forums  

  #1 (permalink)  
Old 04-18-2007
Registered User
 

Join Date: Apr 2007
Posts: 8
Home Directory Jail for Users

Hi,

I am looking for a shell script (or any other way), that puts a user in a home directory jail. So for example, I have a user named richard and I don't want him wandering outside /usr/users/richard. I don't want him to cd to anywhere including cd ..

Somebody said you can do that with chroot, but I looked it up on the man pages and it says it is used to change the root directory.

Any help will be greatly appreciated.

Thanks
.Michael
  #2 (permalink)  
Old 04-18-2007
grial's Avatar
UNIX is like a bull
 

Join Date: Jun 2006
Location: Madrid (Spain)
Posts: 531
Hi, mz043.
As far as I know, you have two options:

- One is to create a chroot jail for your users (as you've been told). This involves several tasks: create a dummy "root filesystem", copy libs, binaries, etc... The use of sudo, and some shell scripting among others. There is lots of info on the Net, depending on your OS.

- The other is the use of a restricted shell. I don't know what OS you are using, but perhaps a "man -k restricted" would give you some clues.

Regards.
  #3 (permalink)  
Old 04-18-2007
Registered User
 

Join Date: Apr 2007
Posts: 8
Thanks for the reply.

I want to avoid chroot, as I don't have much experience with UNIX sysadmin and chroot sounds like the kinda thing that if you get wrong, you quietly pack up your stuff, take a cab to the airport and board the first avail flight.

I use Tru64 UNIX --- to be honest I think I'll use Access Control Lists. With them I can restrict access to areas I want. I can do that on the group level as well, so no need to do it for each user individually.

Thanks anyway.
M
  #4 (permalink)  
Old 04-18-2007
pressy's Avatar
solaris cultist
 

Join Date: Aug 2003
Location: Vienna / Austria (Europe) [EARTH]
Posts: 705
What about rksh?

Code:
$ rksh
$ cd ..
rksh: cd: restricted
$ cd /
rksh: cd: restricted
$ /usr/sbin/ifconfig
rksh: /usr/sbin/ifconfig: restricted
$
from the man page:

rksh is used to set up login names and execution environments whose capabilities are more controlled than those of the standard shell. The actions of rksh are identical to those of ksh, except that the following are disallowed:

o changing directory (see cd(1))
o setting the value of SHELL, ENV, or PATH
o specifying path or command names containing /
o redirecting output (>, >|, <>, and >>)
o changing group (see newgrp(1)).

The restrictions above are enforced after .profile and the ENV files are interpreted.

When a command to be executed is found to be a shell procedure, rksh invokes ksh to execute it. Thus, it is possible to provide to the end-user shell procedures that have access to the full power of the standard shell, while imposing a limited menu of commands; this scheme assumes that the end-user does not have write and execute permissions in the same directory.

The net effect of these rules is that the writer of the .profile has complete control over user actions, by performing guaranteed setup actions and leaving the user in an appropriate directory (probably not the login directory).

The system administrator often sets up a directory of commands (that is, /usr/rbin) that can be safely invoked by rksh.

Still, it's not perfect, but a good way to start...

regards pressy
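
The rksh man page quoted above only holds if the user cannot write where .profile and the permitted commands live. The following audit of that condition is an added example, not part of the thread; the function names and the sample tree are constructed here, while richard and the rbin command directory follow the names used in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): audit the paths an rksh login relies on.
# Function names and the demo tree are constructed for illustration.

# Succeed only if USER cannot modify PATHNAME going by owner and mode bits:
# it must not be owned by USER and must not be group- or world-writable.
# (Treating any group write bit as a finding is deliberately conservative.)
path_locked_for() {
    user=$1
    set -- $(ls -ld "$2" | awk '{ print $3, $1 }')   # owner, mode string
    [ "$1" != "$user" ] || return 1
    case $2 in
        ?????w*|????????w*) return 1 ;;   # group write / other write
    esac
    return 0
}

# audit_restricted_login USER HOME PATHVALUE
# Checks HOME, HOME/.profile and every directory in the colon-separated
# PATHVALUE. Prints one line per finding; returns 1 if there is any finding.
audit_restricted_login() {
    user=$1 home=$2 pathval=$3 rc=0
    old_ifs=$IFS; IFS=:; set -- $pathval; IFS=$old_ifs
    for p in "$home" "$home/.profile" "$@"; do
        case $p in
            /*) ;;
            *) echo "relative entry: '$p'"; rc=1; continue ;;
        esac
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif ! path_locked_for "$user" "$p"; then
            echo "modifiable by $user: $p"; rc=1
        fi
    done
    return $rc
}

# Constructed demo tree: a command directory left world-writable.
demo=$(mktemp -d) && mkdir "$demo/home" "$demo/rbin" && : > "$demo/home/.profile"
chmod 755 "$demo/home"; chmod 644 "$demo/home/.profile"; chmod 777 "$demo/rbin"
audit_restricted_login richard "$demo/home" "$demo/rbin" || echo "fix before use"
rm -rf "$demo"
```

Run it as root against the real login directory and the PATH value that the account's .profile sets; a clean run prints nothing and returns 0.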