Solved

How can I restrict users in Solaris 8?

Posted on 2004-08-09
Last Modified: 2013-12-21
I am running a small web hosting service on a Unix server running Solaris 8.  I want to be able to restrict users to a certain "folder" or area in the server when they FTP in to the system to load their web pages.  I know how to add a user to the system but I have not been able to figure out how to keep them from going outside of their particular folder.  I imagine that there is a way to do this on Solaris.  Any guidance is much appreciated!

Question by:roduno
5 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 11759277
You need to set the proper dir permissions, e.g. your web server Document Root is
/www
under /www
you have dir1, dir2, dir3..., dirN etc.

and you want user1 to only be able to put files in dir1, userN to put files in dirN, etc.
The Document Root is owned by admuser or root.

You log in as root (or su to root), and then do the following:

cd /www
chmod 750 dir1
chmod g+s dir1
chown user1:nobody dir1

Do a similar thing for dir2...dirN.

Then user1 can only FTP to dir1, user2 FTP to dir2....
0
 
LVL 48

Expert Comment

by:Tintin
ID: 11759322
The safest way is to set up a chrooted ftp environment.

man ftpd

and look for the section on how to set up a chrooted environment.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 11759443
You can also use "scponly"
    http://www.sublimation.org/scponly/

    also see:
    http:Q_20975062.html
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11762310
Also, if the users do not actually access a shell account on the system, you can set their account home directory to the document directory where they are permitted to upload files (that is, their home directory does not NEED to be /home/user or /export/home/user). This is not really a security measure, just a system administration nicety.
0
 
LVL 3

Accepted Solution

by:
Mike R. earned 500 total points
ID: 11768240
1. Use chroot (as advised by Tintin) to change the user's "root" dir to their data directory.  Then, they cannot move backwards into the main server dirs.  You will need to create a /bin dir for the commands they will need (like ls, chmod, etc.)  See web pages and man pages about setting up "anonymous" ftp.  You DON'T want anonymous FTP, but the concepts are the same.

2. In the /etc/passwd file, change the user's shell to "/dev/null" or "/usr/bin/none".  This will prevent them from having a login ability.

3. Make sure you use proper permissions on all the dirs.  I.e. ...
rw-------  /www/clienthtdocs  root  root
rw-rw-r--  /www/clienthtdocs/user1  user1  root
rw-rw-r--  /www/clienthtdocs/user2  user2  root
rw-rw-r--  /www/clienthtdocs/user3  user3  root

You can change the "root" group on the client dirs to something like "ftpadmin" too...making the admin (or root) the only member.

Be cautious of allowing "x" (execute) in the permissions structure.  This will be necessary for certain types of web pages; however, it creates an opening for a classic hack (user FTPs in an executable script designed to cd backwards, or run vicious code, and then triggers it from the web or other source.)

Best of Luck!
M
0
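An audit of the permission advice in the accepted answer, added here as an example and not code from any poster in this thread: it walks a document root laid out as /www/clienthtdocs/<user> and reports uploaded files that carry an execute bit and directories writable by "other". The function names are hypothetical, and the find tests use only the POSIX `-perm -onum` form.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the per-client directory layout is the one shown in the accepted answer.

# Print regular files under $1 that have any execute bit set
# (owner, group or other). These are the uploads the answer warns about.
exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Print directories under $1 that are writable by "other", which would
# let one client write into another client's area.
world_writable_dirs() {
    find "$1" -type d -perm -002 -print
}

# Run both checks on document root $1.
# Prints one tagged line per finding; returns 0 if clean, 1 otherwise.
audit_docroot() {
    findings=$(
        exec_files "$1" | sed 's/^/EXEC  /'
        world_writable_dirs "$1" | sed 's/^/WWDIR /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# When called with a path, audit it, e.g.: sh audit.sh /www/clienthtdocs
if [ $# -gt 0 ]; then
    audit_docroot "$1"
fi
```

Run it from cron as root against the document root and review any EXEC or WWDIR lines; files that legitimately need the execute bit can be filtered out of the report by path.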

Question has a verified solution.
