Hello!
I want users in a certain group to be restricted to their home directory. So that they have full access to all files and folders in their home directory but the cant go to any directory above.
Does anyone know how to do this?
Anders (1 Reply)
Hi
I want to know which profile will be called when a user without home directory is created.
When I created a user without home directory(by setting in /etc/default/useradd), the user is able to login directly into the main "/" folder but with only read permissions.
Thanks
naina (3 Replies)
Hi,
I am looking for a shell script (or any other way), that puts a user in a home directory jail. So for example, I have a user named richard and I don't want him wandering outside /usr/users/richard. I don't want him to cd to anywhere including cd ..
Somebody said you can do that with... (3 Replies)
I'm using HPUX 11i. The other day a user logon to the workstation and was not able to find the /home/directory (tom is the directory) I login myself and it is the same thing.
The home directory is on the server, so I was thinking of using sam to map it again. does anyone know how to do it... (5 Replies)
Hi,
I am using Red Hat Enterprise Linux ES release 4 (Nahant Update 5). Here I have created one user with /sbin/nologin shll such that login is not possible only ftp is possible. But I want to do another thing that the user can not roam around after ftp.
I had tried one way.
in... (4 Replies)
Hi Guys,
I have a problem with configuring a server. this is a solaris 10 with sparc platform.
I have setup so that the server is Authenticating through NIS but I dont want the server to Mount the Home directories. The users need to logged in through the CDE/display.
I have over 200 users... (2 Replies)
Hey guys,
Hmm.. I'm not quite sure where to open this. If any mod thinks this is not the place, please move it to wherever its suited :)
So,
I want to allow some trusted users to scp files into my server (to an specific user), but I do not want to give these users a home, neither ssh... (1 Reply)
Hello,
I must close ssh users to the home directory.
It means the users musn't see anything inside their home directory.
For example after login to the os and type this command "cd .."
or "cd /" it musn't work.
How can I implement it?
(Probably chroot or rootsh but how?) (1 Reply)
In generally I use vsftp but I want to improve our security so I decide to use sftp instead of vsftp.
We know that ssh,scp and sftp are in openssh server.
How can I lock only sftp user to their home folder? And to prevent some users for sftp like root as such in vsftp daemon? (3 Replies)
Hi,
I have created a shared directory on /home, where all users on a certain group have read, write and execute permissions.
I did this using
chmod -R g+rwx /home/shared/
The problem is, when a particular user creates a directory within /home/shared, other users are not able to write to... (8 Replies)
Discussion started by: lost.identity
8 Replies
LEARN ABOUT CENTOS
selinux
selinux(8) SELinux Command Line documentation selinux(8)NAME
SELinux - NSA Security-Enhanced Linux (SELinux)
DESCRIPTION
NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating sys-
tem. The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including
those based on the concepts of Type Enforcement(R), Role- Based Access Control, and Multi-Level Security. Background information and tech-
nical documentation about SELinux can be found at http://www.nsa.gov/research/selinux.
The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux operates in
permissive mode or enforcing mode. The SELINUX variable may be set to any one of disabled, permissive, or enforcing to select one of these
options. The disabled option completely disables the SELinux kernel and application code, leaving the system running without any SELinux
protection. The permissive option enables the SELinux code, but causes it to operate in a mode where accesses that would be denied by pol-
icy are permitted but audited. The enforcing option enables the SELinux code and causes it to enforce access denials as well as auditing
them. Permissive mode may yield a different set of denials than enforcing mode, both because enforcing mode will prevent an operation from
proceeding past the first denial and because some application code will fall back to a less privileged mode of operation if denied access.
The /etc/selinux/config configuration file also controls what policy is active on the system. SELinux allows for multiple policies to be
installed on the system, but only one policy may be active at any given time. At present, multiple kinds of SELinux policy exist: tar-
geted, mls for example. The targeted policy is designed as a policy where most user processes operate without restrictions, and only spe-
cific services are placed into distinct security domains that are confined by the policy. For example, the user would run in a completely
unconfined domain while the named daemon or apache daemon would run in a specific domain tailored to its operation. The MLS (Multi-Level
Security) policy is designed as a policy where all processes are partitioned into fine-grained security domains and confined by policy.
MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data.
You can define which policy you will run by setting the SELINUXTYPE environment variable within /etc/selinux/config. You must reboot and
possibly relabel if you change the policy type to have it take effect on the system. The corresponding policy configuration for each such
policy must be installed in the /etc/selinux/{SELINUXTYPE}/ directories.
A given SELinux policy can be customized further based on a set of compile-time tunable options and a set of runtime policy booleans.
system-config-selinux allows customization of these booleans and tunables.
Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.
FILE LABELING
All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended
attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the
machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious
problem with file system labeling.
The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-selinux, also has this capabil-
ity. The restorcon/fixfiles commands are also available for relabeling files.
AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
FILES
/etc/selinux/config
SEE ALSO booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8), togglesebool(8), restorecon(8), fixfiles(8), setfiles(8), semanage(8),
sepolicy(8)
Every confined service on the system has a man page in the following format:
<servicename>_selinux(8)
For example, httpd has the httpd_selinux(8) man page.
man -k selinux
Will list all SELinux man pages.
dwalsh@redhat.com 29 Apr 2005 selinux(8)
07-05-2011
