Solved

How can I restrict users in Solaris 8?

Posted on 2004-08-09
5
448 Views
Last Modified: 2013-12-21
I am running a small web hosting service on a Unix server running solaris 8.  I want to be able to restrict users to a certain "folder" or area in the server when they ftp in to the system to load their web pages.  I know how to add a user to the system but I have not been able to figure out how to keep them from going outside of their particular folder.  I imagine that there is a way to do this on Solaris.  Any guidance is much appreciated!

0
Comment
Question by:roduno
5 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 11759277
You need to set the proper dir permisions, eg: you web server Document Root is
/www
under /www
you have dir1, dir2, dir3..., dirN etc

and you want user1 can only put files in dir1, userN, put files in dirN etc.
the Document Root  is own by admuser or root.

you login as root (or su as root), and then do the followings:

cd /www
chmod 750 dir1
chmod g+s dir1
chown user1:nobody dir1

do the similar thing for dir2...dirN

then user1 can only FTP to dir1, user2 FTP to dir2....
0
 
LVL 48

Expert Comment

by:Tintin
ID: 11759322
The safest way is to set up a chrooted ftp environment.

man ftpd

and look for the section on how to set up a chrooted environment.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11759443
You can also use "scponly"
    http://www.sublimation.org/scponly/

    also see:
    http:Q_20975062.html
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11762310
Also, if the users do not actually access a shell account on the system, you can set their account home directory to the document directory where they are permitted to upload files (that is, their home directory does not NEED to be /home/user or /export/home/user). This is not really a security measure, just a system administration nicety.
0
 
LVL 3

Accepted Solution

by:
Mike R. earned 500 total points
ID: 11768240
1. Use chroot (as advised by TinTin) to change the user's "root" dir to their data directory.  Then, they cannot move backwards into the main server dirs.  You will need to create a /bin dir for the commands they will need (like ls, chmod, ETC.)  See web pages and man pages about setting up "anonymous" ftp.  You DON'T want anonymous FTP, but the concepts are the same.

2. In the /etc/passwd file, change the users shell to "/dev/null" or "/usr/bin/none".  This will prevent them from having a login ability.

3. Make sure you use proper permissions on all the dirs.  I.e. ...
rw-------  /www/clienthtdocs  root  root
rw-rw-r--  /www/clienthtdocs/user1  user1  root
rw-rw-r--  /www/clienthtdocs/user2  user2  root
rw-rw-r--  /www/clienthtdocs/user3  user3  root

You can change the "root" group on the client dirs to something like "ftpadmin" too...making the admin (or root) the only member.

Be cautious of allowing "x" (execute) in the permissions structure.  This will be necessary for certain types of web pages, however creates an opening for a classic hack (user FTPs in an executable script designed to cd backwards, or run vicious code, and then triggers it from the web or other source.)

Best of Luck!
M
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
In tuning file systems on the Solaris Operating System, changing some parameters of a file system usually destroys the data on it. For instance, changing the cache segment block size in the volume of a T3 requires that you delete the existing volu…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now