Restricting a user to their home directory and below
I found this old closed thread:
I can do these things, but how to I change someone's profile - where do I find the profile? I'm running Centos 5.6
~~~~~~~~~
providing you have the password shell set to ksh,
you can put this in his .profile:
cd /opt/load
alias -x cd=:
That alias command can be trivially undone with unalias cd, thereby restoring the ability to easily change the working directory. Since you haven't mentioned what you are actually trying to accomplish (only how you're trying to accomplish it), that may or may not be a problem.
I an going to allow a remote user to ssh into one of my servers and have access to the code on on of our websites. I would like to limit that users access to the direcotry in which the code for the website is located.
I am simply looking for the easiest way to limit his access to that directory (and it's subdirectories) alone.
Install 'rssh' or 'mysecureshell' and just give sftp access, the user can then only upload or download files within the top directory that you assign.
The user can download a file, modify it on his own system then replace it on yours.
It can be tempting to set up a chroot -- the promise of ultimate security and giving them absolutely nothing to work with but their own folder. As usual there's complications -- how about a demonstration of how chroot works.
Code:
$ cp /bin/bash ~/
$ sudo chroot / ~/bash
# It worked! Useless but just an example.
$ exit
# Now to try a less useless example, restricting to ~/
$ sudo chroot ~/ ~/bash
chroot: failed to run command `/home/user/bash': No such file or directory
$ sudo chroot ~/ /bash
chroot: failed to run command `/bash': No such file or directory
$ sudo chroot ~/ ./bash
chroot: failed to run command `./bash': No such file or directory
$ ldd ./bash
linux-gate.so.1 => (0xb77d8000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb778d000)
libdl.so.2 => /lib/libdl.so.2 (0xb7789000)
libc.so.6 => /lib/libc.so.6 (0xb7644000)
/lib/ld-linux.so.2 (0xb77d9000)
# Whoops! It needs libraries! Let's try an emergency backup shell.
$ cp /bin/busybox ~/bb
$ sudo chroot ~/ /bb
# It worked! We're stuck in /home/user/.
# Now that we're secure, let's get to work!
$ nano filename.txt
/bb: nano: not found
$ ssh username@host
/bb: ssh: not found
$
# ...oh dear. Those were in /usr/bin.
# At least we have ed:
$ ed filename.txt
"filename.txt", 0 lines, 0 chars
?
help
?
?
?
quit
?
exit
?
bye
?
hello?
?
eat flaming death
?
^C
?
^C
?
^D
?
In short, any shell user needs access to lots of things outside their home -- starting with, well, a shell. If you wanted sftp, that could be chrooted reasonably...
Let's see what mischief they can get up to without a chroot:
Code:
# Can't login without a shell.
$ whereis sh
sh: /bin/sh
# Oh no, they need access to /bin/. Surely that's a recipe for disaster:
$ echo "TOTALLY NOT A ROOTKIT" > /bin/notarootkit.sh
-bash: /bin/notarootkit.sh: Permission denied
# Curses, foiled again! But what if we CD there...
$ cd /bin/
$ echo "TOTALLY NOT A ROOTKIT" > notarootkit.sh
-bash: notarootkit.sh: Permission denied
# There seems to be some kind of force field...
$ ls -ld /bin/
drwxr-xr-x 2 root root 4096 Feb 8 2011 /bin/
# ...ah. Only root can write. The world is saved.
# But what about other users' folders?
$ cd /home/panic
-bash: cd: /home/panic/: Permission denied
# Friggn...
$ ls -l /home/panic
ls: cannot open directory /home/panic: Permission denied
# Rassafrassin..
$ cat /home/panic/public_html/index.html
cat: /home/panic/public_html/index.html: Permission denied
# $%^*$%^!! Does it even exist?
$ ls -ld /home/panic/
drwx-----x 3 panic users 4096 Jun 17 13:27 /home/panic
# Yes...
We get asked all the time how to restrict someone to home, but a little thinking about your file and directory ownerships and permissions can go a long way in securing your system.
---------- Post updated at 03:28 PM ---------- Previous update was at 03:27 PM ----------
Quote:
Originally Posted by jgt
Install 'rssh' or 'mysecureshell' and just give sftp access
Hello,
I've just started using a Solaris machine with SunOS 5.10.
After the machine is turned on, I open a Console window and at the prompt, if I execute a pwd command, it tells me I'm at my home directory (someone configured "myuser" as default user after init).
... (2 Replies)
Good Afternoon,
I'm trying userdel -r username on Solaris 9 and getting
UX: userdel: ERROR: unable to find status about home directory: No such file or directory
I see the user's home directory and getent passwd shows the user
Anybody know what's causing it? (2 Replies)
I am trying to create Oracle user. I will install oracle after that. But my problem is /home/oracle directory is not being created.
bash-3.2# useradd -g oinstall -G dba,oper -d /home/oracle -m oracle
cp: /home/oracle: Operation not applicable
chown: /home/oracle: No such file or directory
... (3 Replies)
Hello all,
I am Installing Oracle 11g on my Solaris OS.
I created the below oracle user:
# /usr/sbin/useradd -g oinstall -G dba oracle
but when i am trying to to su - oracle it give me the below error
No directory
Do i have to setup a home directory for oracle user? and how can i do... (1 Reply)
Hi,
I've created solaris user which has both FTP and SFTP Access. Using the "ftpaccess" configuration file options "guest-root" and "restricted-uid", i can restrict the user to a specific directory. But I'm unable to restrict the user when the user is logged in using SFTP.
The aim is to... (1 Reply)
Hi all,
I would like to know how to find out the home directory of a particular user..
eg,
If am the root , then my Home directory will be /
if say am just a user logging into the terminal then my home dir would change,
so accordingly i would like to know how to find it out...
I know that... (7 Replies)
Hi,
I am running Solaris 10 and I am using the ftp server that comes with it. I would like to specify a specific directory as ftp user's home directory.
For example, if "ftpuserx" ftps into my solaris machine, they will automatically be taken to "/space/web" directory, even though there... (0 Replies)
The home directory for me on my system is on /home/kwon. It was created using "useradd kwon"
When i go to change the home directory for a user doing a usermod -d /home/test when they log on it gives them messages saying to generate new ssh keys, and it does. It gives me a thing that says... (1 Reply)
Hello
How do i restrict a user only to his own directory so that he wont be able to cd to other directories.
say for excample there is user called xiamin then xiamin should be restricted to /usr/xiamin only.
i am on redhat linux
regards
Hrishy (4 Replies)
