Restricting a user to their home directory and below | Unix Linux Forums | UNIX for Dummies Questions & Answers

    #1  
Old 09-29-2011
jjj0923 jjj0923 is offline

I found this old closed thread:
I can do these things, but how do I change someone's profile - where do I find the profile? I'm running CentOS 5.6

~~~~~~~~~
providing you have the password shell set to ksh,
you can put this in his .profile:
cd /opt/load
alias -x cd=:
    #2  
Old 09-29-2011
h@foorsa.biz h@foorsa.biz is offline
You can find .profile under $HOME/.profile, which is the user's home directory. If it doesn't exist, create it by issuing the following command:

Code:
$ touch .profile

    #3  
Old 09-29-2011
jjj0923 jjj0923 is offline
so - let me see if I have this correct ok?

if the user name is test

and their home directory is /usr/local/websites/test

I can create a file called test.profile in /usr/local/websites/test

and the commands in the test.profile will be executed once that user logs in?

thanks

---------- Post updated at 03:14 PM ---------- Previous update was at 03:06 PM ----------

hmmm... well I know this doesn't work because I just tried logging in as test
    #4  
Old 09-29-2011
alister alister is offline
That alias command can be trivially undone with unalias cd, thereby restoring the ability to easily change the working directory. Since you haven't mentioned what you are actually trying to accomplish (only how you're trying to accomplish it), that may or may not be a problem.

Regards,
Alister
    #5  
Old 09-29-2011
jjj0923 jjj0923 is offline
I am going to allow a remote user to ssh into one of my servers and have access to the code on one of our websites. I would like to limit that user's access to the directory in which the code for the website is located.

I am simply looking for the easiest way to limit his access to that directory (and its subdirectories) alone.

any help would be truly appreciated.
    #6  
Old 09-29-2011
jgt jgt is offline Forum Advisor  
Install 'rssh' or 'mysecureshell' and just give sftp access, the user can then only upload or download files within the top directory that you assign.
The user can download a file, modify it on his own system then replace it on yours.
    #7  
Old 09-29-2011
Corona688 Corona688 is offline Forum Staff  
It can be tempting to set up a chroot -- the promise of ultimate security and giving them absolutely nothing to work with but their own folder. As usual there's complications -- how about a demonstration of how chroot works.


Code:
$ cp /bin/bash ~/
$ sudo chroot / ~/bash
# It worked!  Useless but just an example.
$ exit
# Now to try a less useless example, restricting to ~/
$ sudo chroot ~/ ~/bash
chroot: failed to run command `/home/user/bash': No such file or directory
$ sudo chroot ~/ /bash
chroot: failed to run command `/bash': No such file or directory
$ sudo chroot ~/ ./bash
chroot: failed to run command `./bash': No such file or directory
$ ldd ./bash
        linux-gate.so.1 =>  (0xb77d8000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb778d000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7789000)
        libc.so.6 => /lib/libc.so.6 (0xb7644000)
        /lib/ld-linux.so.2 (0xb77d9000)
# Whoops!  It needs libraries!  Let's try an emergency backup shell.
$ cp /bin/busybox ~/bb
$ sudo chroot ~/ /bb
# It worked!  We're stuck in /home/user/.
# Now that we're secure, let's get to work!
$ nano filename.txt
/bb: nano: not found
$ ssh username@host
/bb: ssh: not found
$
# ...oh dear. Those were in /usr/bin.
# At least we have ed:
$ ed filename.txt
"filename.txt", 0 lines, 0 chars

?
help
?
?
?
quit
?
exit
?
bye
?
hello?
?
eat flaming death
?
^C
?
^C
?
^D
?

In short, any shell user needs access to lots of things outside their home -- starting with, well, a shell. If you wanted sftp, that could be chrooted reasonably...

Let's see what mischief they can get up to without a chroot:


Code:
# Can't login without a shell.
$ whereis sh
sh: /bin/sh
# Oh no, they need access to /bin/.  Surely that's a recipe for disaster:
$ echo "TOTALLY NOT A ROOTKIT" > /bin/notarootkit.sh
-bash: /bin/notarootkit.sh: Permission denied
# Curses, foiled again!  But what if we CD there...
$ cd /bin/
$ echo "TOTALLY NOT A ROOTKIT" > notarootkit.sh
-bash: notarootkit.sh: Permission denied
# There seems to be some kind of force field...
$ ls -ld /bin/
drwxr-xr-x 2 root root 4096 Feb  8  2011 /bin/
# ...ah.  Only root can write.  The world is saved.
# But what about other users' folders?
$ cd /home/panic
-bash: cd: /home/panic/: Permission denied
# Friggn...
$ ls -l /home/panic
ls: cannot open directory /home/panic: Permission denied
# Rassafrassin..
$ cat /home/panic/public_html/index.html
cat: /home/panic/public_html/index.html: Permission denied
# $%^*$%^!!  Does it even exist?
$ ls -ld /home/panic/
drwx-----x 3 panic users 4096 Jun 17 13:27 /home/panic
# Yes...

We get asked all the time how to restrict someone to home, but a little thinking about your file and directory ownerships and permissions can go a long way in securing your system.

---------- Post updated at 03:28 PM ---------- Previous update was at 03:27 PM ----------

Quote:
Originally Posted by jgt View Post
Install 'rssh' or 'mysecureshell' and just give sftp access
Ah, but he said ssh.
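
What the failed chroot attempts and the ldd output in Corona688's post imply in practice, as an added example that is not part of the thread: a shell only starts inside a chroot if every library it loads is copied in under the same path. The function names and the sample_ldd helper (which replays the ldd output posted above) are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the files a binary needs inside a
# chroot, taken from `ldd` output, and copy them in under the same paths.

# sample_ldd: replays the `ldd ./bash` output posted above, for offline use.
sample_ldd() {
    cat <<'EOF'
        linux-gate.so.1 =>  (0xb77d8000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb778d000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7789000)
        libc.so.6 => /lib/libc.so.6 (0xb7644000)
        /lib/ld-linux.so.2 (0xb77d9000)
EOF
}

# ldd_paths: read `ldd` output on stdin, print one absolute path per line.
#   name => /path (addr)   -> the path is the third field
#   /path (addr)           -> the dynamic loader; the path is the first field
# Entries with no file behind them (linux-gate.so.1, "not found") are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $2 != "=>" && $1 ~ /^\// { print $1 }'
}

# copy_into_jail JAIL: read absolute paths on stdin and copy each file to the
# same path below JAIL, so /lib/libc.so.6 becomes JAIL/lib/libc.so.6.
# cp follows symlinks here, so the jail gets real files, not dangling links.
copy_into_jail() {
    jail=$1
    while IFS= read -r path; do
        [ -f "$path" ] || { echo "missing: $path" >&2; continue; }
        mkdir -p "$jail$(dirname "$path")" &&
            cp "$path" "$jail$path" || return 1
    done
}

# populate_jail JAIL BINARY: copy BINARY (given as an absolute path) plus
# everything ldd lists for it.
populate_jail() {
    { echo "$2"; ldd "$2" | ldd_paths; } | copy_into_jail "$1"
}
```

Run it as populate_jail /path/to/jail /bin/bash. That only gets the shell itself to start; every further tool the user needs (nano, ssh, ...) requires the same treatment.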