
How can I restrict users in Solaris 8?

I am running a small web hosting service on a Unix server running Solaris 8. I want to be able to restrict users to a certain "folder" or area in the server when they ftp in to the system to load their web pages. I know how to add a user to the system but I have not been able to figure out how to keep them from going outside of their particular folder. I imagine that there is a way to do this on Solaris. Any guidance is much appreciated!

Asked: roduno

yuzh Commented:
You need to set the proper dir permissions, e.g. your web server Document Root is
/www
under /www
you have dir1, dir2, dir3..., dirN etc.

and you want user1 to only be able to put files in dir1, userN to put files in dirN, etc.
The Document Root is owned by admuser or root.

Log in as root (or su to root), and then do the following:

cd /www
chmod 750 dir1
chmod g+s dir1
chown user1:nobody dir1

do the similar thing for dir2...dirN

then user1 can only FTP to dir1, user2 FTP to dir2....

Tintin Commented:
The safest way is to set up a chrooted ftp environment.

man ftpd

and look for the section on how to set up a chrooted environment.

yuzh Commented:
You can also use "scponly"
    http://www.sublimation.org/scponly/

    also see:
    http:Q_20975062.html

PsiCop Commented:
Also, if the users do not actually access a shell account on the system, you can set their account home directory to the document directory where they are permitted to upload files (that is, their home directory does not NEED to be /home/user or /export/home/user). This is not really a security measure, just a system administration nicety.

Mike R. Commented:
1. Use chroot (as advised by Tintin) to change the user's "root" dir to their data directory. Then, they cannot move backwards into the main server dirs. You will need to create a /bin dir for the commands they will need (like ls, chmod, etc.). See web pages and man pages about setting up "anonymous" ftp. You DON'T want anonymous FTP, but the concepts are the same.

2. In the /etc/passwd file, change the user's shell to "/dev/null" or "/usr/bin/none". This will prevent them from having a login ability.

3. Make sure you use proper permissions on all the dirs.  I.e. ...
rw-------  /www/clienthtdocs  root  root
rw-rw-r--  /www/clienthtdocs/user1  user1  root
rw-rw-r--  /www/clienthtdocs/user2  user2  root
rw-rw-r--  /www/clienthtdocs/user3  user3  root

You can change the "root" group on the client dirs to something like "ftpadmin" too...making the admin (or root) the only member.

Be cautious of allowing "x" (execute) in the permissions structure. This will be necessary for certain types of web pages, but it creates an opening for a classic hack (a user FTPs in an executable script designed to cd backwards, or run vicious code, and then triggers it from the web or other source).

Best of Luck!
M
Question has a verified solution.
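
An added example, not posted by anyone in the thread: a POSIX shell audit of the layout the answers describe, reporting upload directories with the wrong owner or world-write access, uploaded files carrying an execute bit, and accounts that still have a login shell. It assumes one directory per account under the document root, named after the account; the function names and finding labels are invented for this example, and on Solaris 8 it needs /usr/xpg4/bin/sh (or ksh) and a POSIX awk.

```sh
#!/bin/sh
# Added example: audit per-account upload directories (constructed names).
# Assumes <docroot>/<account>/ for every account, as in the answers above.

# Print "<finding> <path>" for each problem under the document root.
audit_docroot() {
    docroot=$1
    for dir in "$docroot"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        account=${dir##*/}
        # Field 3 of `ls -ld` is the owning user.
        owner=$(ls -ld "$dir" | awk '{print $3}')
        [ "$owner" = "$account" ] || echo "owner-mismatch $dir"
        # Directories any local user can write into.
        find "$dir" -type d -perm -002 -print | sed 's/^/world-writable /'
        # Uploaded files carrying an execute bit for user, group or other.
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
            sed 's/^/executable-file /'
    done
}

# Print "login-shell <account>" for passwd entries whose home is under the
# document root but whose shell field still allows an interactive login.
# An empty shell field means the system default shell, so it is reported too.
audit_shells() {
    docroot=$1
    passwd_file=$2
    awk -F: -v root="$docroot/" '
        index($6 "/", root) == 1 &&
        ($7 == "" || $7 ~ /\/(sh|ksh|csh|tcsh|bash|zsh)$/) {
            print "login-shell " $1
        }' "$passwd_file"
}

# Usage: audit_docroot /www/clienthtdocs
#        audit_shells  /www/clienthtdocs /etc/passwd
```

An executable-file finding is not always a fault, since some kinds of web pages need the execute bit; treat the output as a list to review against what each site actually requires.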
