Solved

How can I restrict users in Solaris 8?

Posted on 2004-08-09
Last Modified: 2013-12-21
I am running a small web hosting service on a Unix server running Solaris 8. I want to be able to restrict users to a certain "folder" or area on the server when they FTP in to the system to load their web pages. I know how to add a user to the system, but I have not been able to figure out how to keep them from going outside of their particular folder. I imagine that there is a way to do this on Solaris. Any guidance is much appreciated!

0
Question by:roduno
5 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 11759277
You need to set the proper dir permissions, e.g. your web server Document Root is
/www
under /www
you have dir1, dir2, dir3..., dirN etc.

and you want user1 to be able to put files only in dir1, userN to put files in dirN, etc.
The Document Root is owned by admuser or root.

Log in as root (or su to root), and then do the following:

cd /www
chmod 750 dir1
chmod g+s dir1
chown user1:nobody dir1

Do the same for dir2...dirN

then user1 can only FTP to dir1, user2 FTP to dir2....
0
 
LVL 48

Expert Comment

by:Tintin
ID: 11759322
The safest way is to set up a chrooted ftp environment.

man ftpd

and look for the section on how to set up a chrooted environment.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11759443
You can also use "scponly"
    http://www.sublimation.org/scponly/

    also see:
    http:Q_20975062.html
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11762310
Also, if the users do not actually access a shell account on the system, you can set their account home directory to the document directory where they are permitted to upload files (that is, their home directory does not NEED to be /home/user or /export/home/user). This is not really a security measure, just a system administration nicety.
0
 
LVL 3

Accepted Solution

by:
Mike R. earned 500 total points
ID: 11768240
1. Use chroot (as advised by Tintin) to change the user's "root" dir to their data directory.  Then, they cannot move backwards into the main server dirs.  You will need to create a /bin dir for the commands they will need (like ls, chmod, etc.)  See web pages and man pages about setting up "anonymous" ftp.  You DON'T want anonymous FTP, but the concepts are the same.

2. In the /etc/passwd file, change the user's shell to "/dev/null" or "/usr/bin/none".  This will prevent them from having a login ability.

3. Make sure you use proper permissions on all the dirs.  I.e. ...
rw-------  /www/clienthtdocs  root  root
rw-rw-r--  /www/clienthtdocs/user1  user1  root
rw-rw-r--  /www/clienthtdocs/user2  user2  root
rw-rw-r--  /www/clienthtdocs/user3  user3  root

You can change the "root" group on the client dirs to something like "ftpadmin" too...making the admin (or root) the only member.

Be cautious of allowing "x" (execute) in the permissions structure.  This will be necessary for certain types of web pages, but it creates an opening for a classic hack (a user FTPs in an executable script designed to cd backwards, or run vicious code, and then triggers it from the web or other source.)

Best of Luck!
M
0
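An added example, not part of any post in this thread: a small audit script for the points raised in the accepted answer (a non-login shell in the passwd entry, directory permissions, and uploaded files carrying the execute bit). The function names, the finding format and the "name ends in sh" login-shell heuristic are assumptions of this example; the sample passwd file and directories are constructed, and the demo helper needs `mktemp`.

```shell
#!/bin/sh
# Written for a POSIX sh (on Solaris, /usr/xpg4/bin/sh or ksh rather than the Bourne /bin/sh).
# audit_ftp_accounts PASSWD_FILE DOCROOT
# Prints one finding per line as "user: problem: detail"; prints nothing when clean.
audit_ftp_accounts() {
    passwd_file=$1
    docroot=$2
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        # Only accounts whose home directory sits under the document root.
        case $home in "$docroot"/*) ;; *) continue ;; esac
        # Heuristic (assumption): an empty field or a name ending in "sh"
        # means the account can still log in interactively.
        case $shell in
            ""|*sh) echo "$user: login shell: ${shell:-system default}" ;;
        esac
        if [ ! -d "$home" ]; then
            echo "$user: missing directory: $home"
            continue
        fi
        # -prune tests only the directory itself; -perm -002 = writable by others.
        find "$home" -prune -perm -002 | sed "s|^|$user: world-writable directory: |"
        # Uploaded regular files that carry any execute bit.
        find "$home" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
            sed "s|^|$user: executable upload: |"
    done < "$passwd_file"
}

# Constructed sample data: a throwaway document root and passwd file.
make_demo() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/www/user1" "$demo/www/user2"
    echo '<p>ok</p>' > "$demo/www/user1/index.html"
    printf '#!/bin/sh\n' > "$demo/www/user2/run.cgi"
    chmod 750 "$demo/www/user1"; chmod 644 "$demo/www/user1/index.html"
    chmod 777 "$demo/www/user2"; chmod 755 "$demo/www/user2/run.cgi"
    printf '%s\n' \
        "root:x:0:0:Super-User:/:/sbin/sh" \
        "user1:x:1001:60001:client 1:$demo/www/user1:/dev/null" \
        "user2:x:1002:60001:client 2:$demo/www/user2:/bin/ksh" > "$demo/passwd"
    echo "$demo"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo) && audit_ftp_accounts "$d/passwd" "$d/www"
    rm -rf "$d"
fi
```

Run against the real files it would be called as `audit_ftp_accounts /etc/passwd /www/clienthtdocs`; an execute-bit finding is a prompt to confirm that the file is meant to be a CGI script, not an error in itself.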
