Cybersecurity

restricted access...
Hi
I need to restrict users shell access to only $HOME under /home for each user. I don't want them getting out of their own directories. From what I understand chroot is something I could use, but I want to avoid this since it involves creating symbolic links to a number of places and I'm not sure what would be involved to link mySQL and web server things since these users virtually host websites on this machine. I was thinking more of something in their profiles, .rbash ? How do I use this on Linux, Red Hat?

Many thanks for any help.

Regards

p.s. apologies I had posted this in a wholly innappropriate place previously

It is difficult to do this without using chroot. You might want to investigate using rsh (restricted shell) as their login shell.

Alternately, you could write your own shell or hack one to remove/alter "cd". A resourceful user could always find ways around that though.

Thanks PxT, I am going to consider that for users who need a command prompt, I wonder if you could help me I've been working on this all night with no luck...

I want to chroot ftp users to their home dir, I have set up /etc and /bin in their directories, modified the /etc/passwd to:

user:x:500:500::/home/./user:/etc/ftponly

So they should chroot to /home and then chdir to their directory, and sit in that jail and not be allowed out of /home. I created passwd and group in ~etc.

The final bit of the plot was to add the guest ftp entry into /etc/ftpaccess. Which I did as:

guestgroup group

Where group is the group of the user.

However when I attempt to login as that user it says invalid username or password, if I take out this entry from ftpaccess I can login and am taken to /home/user, but I can escape from /home which I would expect as it clearly hasnt been specified as a chrooted guest ftp account, its only taking the directory to land me in from /etc/passwd.

Do you know what the problem could be? I've tried changing owners, permissions, messing around with ftpaccess, nothing seems to work.

Thanks for any help, from anyone.

Regards

hi
I have sorted out ftpaccess and chroot works - but I cant see any files or dirs when I ftp in as a chrooted guest ftp user. I have copied /bin/ls to ~bin/ls, still the same. I guess I need to move the libraries into place in ~lib ? And then link them correctly - I can use the ldd to isolate the libraries but I think there is more to it than this, does anyone know how I would set up the libraries so that ls works? Im using Red Hat.

Thanks anyone.

Regards

Can you post your login scripts that call the chroot command and the login command you are using in the /etc/passwd file?

Let's work this openly with all files/details so those who follow will benefit from the trail blazed in this thread. Thanks!

When dealing with ftp, there are no login scripts involved. the ftp daemon itself calls the chroot command. You need to set up the home directories carefully. Full instructions are in the man page for ftpd:
http://www.wu-ftpd.org/man/ftpd.html

And more details on the 'guestgroup' configuration are in:
http://www.wu-ftpd.org/man/ftpaccess.html

3 possibilities:
1)
chroot directory given in your /etc/passwd file for the guest account must be to the directory where your ~/bin directory is located. That is, if your chroot directory is /home/user/ and your /etc/passwd account is:

user:x:500:500:guest:/home/./user:/etc/ftponly

it will not work, as the ~/bin directory is not under the chrooted directory. It must be set as follows.

user:x:500:500:guest:/home/user/./:/etc/ftponly

2)
find "ls" source somewhere (for example, GNU fileutils source package from ftp://gnu.org ), and compile it statically under your chroot'ed environment.

3)
The other option is, as you mentioned find out what libraries ls wants, and make copies of them in ~lib under your chroot'ed environment.

As Neo said please post you configuration stuff so that others may benefit from it!

HTH

[Edited by mib on 05-09-2001 at 03:38 PM]