Solved

adding a user

Posted on 2004-04-13
Last Modified: 2013-12-15
I am running a linux based server and want to add a user.

I want this user to only access a directory /var/www/consoles. I don't want him to browse any of the other directories on the server.

I want him only to have ftp, I don't want him having any ssh access.

What is the easiest way to do this? And I need full commands.

I need this urgently.
Question by:ccrilly
10 Comments
 
LVL 10

Expert Comment

by:Mercantilum
1. create user

use useradd with -s and -d

   user -d /var/www/consoles -s rbash username

the user will be "chrooted" in its home directory, e.g. /var/www/consoles.
Ensure access rights are set...
  man useradd
for more info.

2.  ftp
once the user is chrooted, you don't have to worry much about what he cannot do (almost nothing),
so you have to create a .bashrc (or other) setting the PATH to be a directory where you put what he can use,
ensure the .bashrc and home dir have correct access rights! (not to modify it)
e.g.
  PATH=/var/www/hisbin
contains a link to  /usr/bin/ftp
  ( cd /var/www/hisbin ; ln -s /usr/bin/ftp )

Let me know if you need more help.

Regards
LVL 10

Expert Comment

by:Mercantilum
Ooops the useradd line should be:

   useradd -d /var/www/consoles -s /usr/bin/rbash username

If rbash does not exist, go to /usr/bin and do
   ln  bash  rbash

Author Comment

by:ccrilly
I tried your solution and it is not working.
I'm running Red Hat release 7.3
LVL 10

Expert Comment

by:Mercantilum
What is not working ?
What do you get ?
It works on mine.
- pb with useradd ?
- pb with rbash ?

Author Comment

by:ccrilly
You lost me here:

2.  ftp
once the user is chrooted, you don't have to worry much about what he cannot do (almost nothing),
so you have to create a .bashrc (or other) setting the PATH to be a directory where you put what he can use,
ensure the .bashrc and home dir have correct access rights! (not to modify it)
e.g.
  PATH=/var/www/hisbin
contains a link to  /usr/bin/ftp
  ( cd /var/www/hisbin ; ln -s /usr/bin/ftp )
LVL 10

Accepted Solution

by:Mercantilum (earned 250 total points)
--- Ok, if you did the 1. part well, do

    su - newuser

as the new user, this should not work anymore ...

    cd /

do control-d to exit the new user restricted shell.


--- Regarding the 2nd part, ftp.

Edit the user home .bashrc file

    cd /var/www/consoles
    vi  .bashrc

Ensure the path of the user is restricted to what you authorize only. So add a line like:

PATH=/var/www/hisbin

Save. Now you have to create the directory hisbin, and create links to the programs you want him to be able to use

   cd /var/www
   mkdir hisbin
   cd hisbin
   ln -s /usr/bin/ftp

Try again now

    su - newuser

Try to enter as the new user

    ftp

it should work, now try

   ssh

it should *not* work.


--- if you still have a problem please provide the output of [newuser being your newuser login]
    grep  newuser  /etc/passwd
    ls -l  /var/www
    ls -l  /var/www/hisbin
    cat  /var/www/consoles/.bashrc
LVL 9

Assisted Solution

by:Alf666
Alf666 earned 250 total points
Hem... This is much too complicated.

Just create the user without a shell (/dev/null), and install a really secure ftp server (vsftpd):

http://vsftpd.beasts.org/

As he has no shell, he will not be able to connect. And the only application you need for him is ftp, so restrict him under the proper software.

LVL 10

Expert Comment

by:Mercantilum
1 - Well, do you want an actual user able to log in with no access to ssh but access to ftp, from your server
2 - or do you need an ftp account, accessible from outside through ftp? (but not ssh)

The solution proposed in my first answer is for the 1st case.


If it is the 2nd case, and you install the vsftpd, ensure you have (at least) the following lines in your vsftpd.conf:

a) ensure this line is yes: [this is for users not to be able to go out of their home dir]

chroot_local_user=YES

b) ensure the following lines are present

userlist_enable=YES
userlist_file=/etc/vsftpd.auth     <== here put the path to list of users able to access ftp in the file vsftpd.auth
userlist_deny=NO

c) put in your /etc/vsftpd.auth (/etc or elsewhere) the list of users able to do ftp on your server, like (newuser is the name of your user)
newuser

Ensure you create the user in this case as

   useradd -d /var/www/consoles -s /bin/false  newuser

/bin/false is for no login (ssh), commonly used on linux to prevent login.

Please ask if you need more help, as it is exactly the setup I have on my server :)
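A small audit script, added here as an example and not part of the thread, that checks the ftp-only setup described in the last two posts: it confirms a vsftpd.conf carries chroot_local_user=YES, userlist_enable=YES, userlist_deny=NO and a userlist_file, and that the account's shell in a passwd-format file is /bin/false or nologin. The sample files, their contents and the paths are constructed for the demo.

```shell
# Added example (not from the thread): audit the "ftp only, no shell" setup
# described above against a vsftpd.conf and a passwd-format file.
# The sample files and their paths below are constructed for the demo.

# Print the value of KEY from a vsftpd.conf-style file (last match wins,
# comments and blank lines ignored).  Usage: conf_value FILE KEY
conf_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Return 0 if FILE has chroot_local_user=YES, userlist_enable=YES,
# userlist_deny=NO and a userlist_file; report each missing item otherwise.
check_vsftpd_conf() {
    rc=0
    [ "$(conf_value "$1" chroot_local_user)" = YES ] || { echo "chroot_local_user is not YES"; rc=1; }
    [ "$(conf_value "$1" userlist_enable)" = YES ]   || { echo "userlist_enable is not YES"; rc=1; }
    [ "$(conf_value "$1" userlist_deny)" = NO ]      || { echo "userlist_deny is not NO"; rc=1; }
    [ -n "$(conf_value "$1" userlist_file)" ]        || { echo "userlist_file is not set"; rc=1; }
    return $rc
}

# Return 0 if USER's login shell in PASSWD_FILE is a non-login shell
# (/bin/false or nologin), so ssh and console logins are refused while
# vsftpd can still authenticate the account.  Usage: check_no_shell FILE USER
check_no_shell() {
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    [ -n "$shell" ] || { echo "$2: not found in $1"; return 1; }
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) echo "$2: login shell is $shell"; return 1 ;;
    esac
}

# Constructed sample files (stand-ins for /etc/vsftpd.conf and /etc/passwd).
tmp=$(mktemp -d)
cat > "$tmp/vsftpd.conf" <<'EOF'
chroot_local_user=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.auth
userlist_deny=NO
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
newuser:x:1001:1001::/var/www/consoles:/bin/false
webdev:x:1002:1002::/home/webdev:/bin/bash
EOF

check_vsftpd_conf "$tmp/vsftpd.conf" && check_no_shell "$tmp/passwd" newuser \
    && echo "newuser: ftp-only account looks correct"
```

Point the two functions at the real /etc/vsftpd.conf and /etc/passwd to audit a live box; a non-zero exit names the setting that is off.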