Restricting a user account to his/her own directory in Redhat

Posted on 2009-04-02 (last modified 2013-12-16)
I need to limit a user account to only be able to make changes to his home directory and only view his own directory and nothing else. Can someone please advise.
Question by LinuxDuke

14 Comments
Expert Comment by fosiul01 (ID: 24048834)
By default a normal user has access only to his own home directory; he does not have access to any other user's files, so you don't have to do anything.

useradd user1

user1 will have access only to the /home/user1 directory; if he tries to access the /home/user2 directory, he will get an access denied message.
Author Comment by LinuxDuke (ID: 24050017)
Hi experts,

I have an account, upload; this account should be restricted to SFTP access only. The account must be a jailed SFTP account (jailed to the /home/upload directory). The account should have full write access to the /upload/test_upload directory and read access to the /apps_test directory and all its subdirectories.
Below is the current configuration:
[upload@testserv upload]$ mkdir test_upload
[upload@testserv upload]$ ls
test_upload
[upload@testserv upload]$ cd test_upload/
[upload@testserv test_upload]$ touch test
[upload@testserv test_upload]$ ls
test
[upload@testserv test_upload]$ cd /
[upload@testserv /]$ ls
apps_test  boot  etc   initrd  lost+found  misc  opt   root  selinux  sys  usr
bin         dev   home  lib     media       mnt   proc  sbin  srv      tmp  var
[upload@testserv /]$ cd apps_test/
[upload@testserv apps_test]$ touch test2
touch: cannot touch `test2': Permission denied
[upload@testserv apps_test]$
Expert Comment by fosiul01 (ID: 24050082)
Then you need to give permission to read that directory.

Who is the owner of the apps_test directory? Can you run

ls -l | grep apps_test

To allow the upload user to read that directory, you need to put the upload user in the group that owns it.
Author Comment by LinuxDuke (ID: 24075748)
The user is only supposed to see the test_upload directory, and when changing directory using cd / he should not be allowed. This means he is not supposed to see this list, including apps_test.

[upload@testserv test_upload]$ cd /
[upload@testserv /]$ ls
apps_test  boot  etc   initrd  lost+found  misc  opt   root  selinux  sys  usr
bin         dev   home  lib     media       mnt   proc  sbin  srv      tmp  var
Expert Comment by fosiul01 (ID: 24075812)
No, it would not work that way.

If you check the permissions of those files, for example

ls -l | grep etc

you will see the permissions are read+write+execute for root, read and execute for the group, and read for others. If you check other files generated by Linux, you will see they have at least read+write+execute for root, read for the group, and read for others.

So you can't restrict a user who has shell access from viewing your system files unless you have changed the file permissions yourself (which is not recommended), but a normal user would not be able to modify any file.

A normal user would not be able to view any folder or file if the permissions are set to read+write+execute for root or another user only; for example the home directory, which is only readable by the home user and not accessible by other users.

Now, the way you are trying to do it, you can enter each directory but you would not be able to modify any files.

The upload user would be able to see those directories, but if he enters one of them he would not be able to

try cd
Expert Comment by small_student (ID: 24080938)
Hi LinuxDuke:

To implement what you want (the user only gets access to the test_upload dir and cannot cd / or go anywhere else):

If you are running vsftpd, then jail the user by putting this line in vsftpd.conf

chroot_local_user=YES

This will actually jail him to his home, so he can't access anything except his home. You have to look further in the config to point it to your test_upload dir, but this is the directive you need.

Best Regards
Author Comment by LinuxDuke (ID: 24085848)
Hi Small student,

I'm using vsftpd and have created users in /etc/passwd that will have FTP access. I'm not sure if I should update my /etc/passwd entry to be different from this, upload:x:520:100::/home/upload:/bin/bash, as before it was upload:x:520:100::/home/upload/./:/bin/bash, but I still get full access when using sftp from a different server to this server: I can get a file under /etc, and this is what I'm trying to avoid.

I did change the following directive, chroot_local_user=YES, but could still access the whole file system.
I even changed the following and created the file following the man page, but my user can still access the file system and get files under /etc, and that is why I need him to access only the directory he logs on to or a directory above his own.
chroot_local_user=YES
chroot_list_file=/etc/vsftpd.chroot_list

thanks
Duke
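Two things about the vsftpd directives quoted in the comment above are worth checking before concluding that vsftpd "doesn't work". First, chroot_list_file is only read when chroot_list_enable=YES, and in that case its meaning depends on chroot_local_user: with chroot_local_user=YES the file lists the users who are NOT jailed (vsftpd.conf(5)), so listing the upload user there exempts it. Second, these directives only govern FTP logins served by vsftpd; an sftp client talks to sshd, which never reads vsftpd.conf. The script below is an added example and not code from the thread: it emits a jail-everyone fragment and reproduces vsftpd's decision rule so it can be checked against a user list. The user names and the list file it creates are constructed for the demonstration. (A further caveat for readers on a current vsftpd, 2.3.5 or later: it refuses to start a session whose chroot root is writable unless allow_writeable_chroot=YES is set, so the user's writable area should be a subdirectory of the jailed home.)

```shell
#!/bin/sh
# Added example, not code from the thread: how vsftpd decides whether a local
# user lands in a chroot() jail, from the chroot_local_user, chroot_list_enable
# and chroot_list_file directives (vsftpd.conf(5)). User names and the list
# file used at the bottom are constructed for the demonstration.

# vsftpd.conf fragment that jails every local user in their home directory.
# With chroot_list_enable=NO the list file is ignored, so there is no
# exception list to get wrong.
vsftpd_jail_all_conf() {
    cat <<'EOF'
chroot_local_user=YES
chroot_list_enable=NO
EOF
}

# vsftpd_user_jailed USER CHROOT_LOCAL_USER CHROOT_LIST_ENABLE LIST_FILE
# Exit status 0 means "jailed", 1 means "not jailed". The rule from the man
# page: when the list is enabled it flips the default set by chroot_local_user,
# so with chroot_local_user=YES the listed users are the ones NOT jailed.
vsftpd_user_jailed() {
    vj_user=$1; vj_local=$2; vj_list_enable=$3; vj_list_file=$4
    vj_in_list=0
    if [ "$vj_list_enable" = "YES" ] && [ -r "$vj_list_file" ] \
        && grep -qx "$vj_user" "$vj_list_file"; then
        vj_in_list=1
    fi
    if [ "$vj_local" = "YES" ]; then
        [ "$vj_in_list" -eq 0 ]     # jailed unless listed as an exception
    else
        [ "$vj_in_list" -eq 1 ]     # jailed only if listed
    fi
}

# Demonstration: the thread's configuration (chroot_local_user=YES plus a
# chroot_list_file) with the upload user present in that file. If
# chroot_list_enable is also YES, upload is exempted from the jail rather
# than confined to it.
demo_list=$(mktemp)
printf 'upload\n' > "$demo_list"
for enable in NO YES; do
    if vsftpd_user_jailed upload YES "$enable" "$demo_list"; then
        echo "chroot_list_enable=$enable: upload is jailed"
    else
        echo "chroot_list_enable=$enable: upload is NOT jailed (listed as an exception)"
    fi
done
rm -f "$demo_list"
```

Run as-is it prints both outcomes for the upload user; pass a real /etc/vsftpd.chroot_list as the fourth argument to check a live configuration.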
 

Author Comment by LinuxDuke (ID: 24091782)
Hi Experts,

Will you kindly provide me with a step-by-step solution for jailing a user to a directory created in the home directory. I need the user to be unable to see any other directory when he does cd / (the root directory) and types ls, as there is a folder under root that the user has access to because he is part of a group that has access to that drive. I have used vsftpd to do this and nothing seems to work; I don't want to change permissions at the file-system level.

Any help will be highly appreciated.
Accepted Solution by Gns (earned 100 total points, ID: 24096111)
SFTP and VSFTP are quite different things. SFTP isn't FTP at all; it is file transfer that *looks* like FTP (to the user) but actually uses the SSH protocol (and the secure copy part of it (SCP)). VSFTP, on the other hand, is a server package implementing the File Transfer Protocol (FTP), which is clear-text. Not the same at all.

The definition you had for your upload user (where the "home directory" specification included the "/./" string) was quite correct for the VSFTP setup... It instructs the vsftp server to restrict that user to its "home directory" (a chroot jail).

It used to be that the OpenSSH implementation of SFTP didn't contain any such jail functionality (well, it didn't the last time I looked, at least... which was a while back, so I've taken another look and things look more promising now :-). If you had a need for this, you needed to buy SSH (not use OpenSSH) from http://www.ssh.com, which does include chroot jailing facilities.

Now, as can be seen at:
http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
http://www.brandonhutchinson.com/chroot_ssh.html
http://adamsworld.name/chrootjailv5.php
http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny
... this is quite doable these days and, depending on your version of OpenSSH, quite simple to achieve. Note that the best suggestions use an OpenSSH with built-in functionality and don't rely on fiddly details like specific spawned shells etc. (the last one(s)).

Cheers
-- Glenn
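One way to do what the accepted answer describes on OpenSSH 4.8 or later, as an added example that is not part of the original thread: sshd's own ChrootDirectory together with ForceCommand internal-sftp, which needs no restricted shell and no binaries copied into the jail. The account and the /home/upload, test_upload and /apps_test names are the thread's; the read-only bind mount used to make /apps_test visible inside the jail, the "service sshd reload" command and the reliance on GNU stat and mount --bind (Linux) are assumptions made for this example. The point that usually breaks such setups: sshd refuses the login unless every component of the chroot path is owned by root and is not group- or world-writable, so /home/upload itself must stay root-owned and the user's writable area has to be a subdirectory, which is exactly the test_upload layout the question asked for.

```shell
#!/bin/sh
# Added example, not code from the thread: an SFTP-only jail for the "upload"
# account using the ChrootDirectory and internal-sftp support built into
# OpenSSH 4.8 and later. The account and the /home/upload, test_upload and
# /apps_test names come from the thread; the read-only bind mount, the
# "service sshd reload" command and the use of GNU stat / mount --bind (Linux)
# are assumptions made for this example.

# sshd_config fragment. ForceCommand internal-sftp runs the SFTP server inside
# sshd itself, so no shell, sftp-server binary or libraries are needed in the
# jail and no interactive shell can ever be obtained. Match blocks must be
# placed at the end of sshd_config. Inside the jail the user sees "/" as
# /home/upload, with test_upload and apps_test at the top level.
sftp_jail_match_block() {
    sj_user=$1; sj_jail=$2
    cat <<EOF

Match User $sj_user
    ChrootDirectory $sj_jail
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd's rule for a chroot root: every component of the path must be owned by
# root (uid 0) and must not be writable by group or others (mode & 022 == 0).
# Otherwise the login fails with "bad ownership or modes for chroot directory".
# Pure check on a uid and an octal mode string, so it can be tested anywhere.
chroot_perm_ok() {
    cp_uid=$1; cp_mode=$2
    [ "$cp_uid" -eq 0 ] || return 1
    cp_last3=$(printf '%s' "$cp_mode" | tail -c 3)   # drop setuid/sticky digit
    cp_grp=$(printf '%s' "$cp_last3" | cut -c2)
    cp_oth=$(printf '%s' "$cp_last3" | cut -c3)
    [ $((cp_grp & 2)) -eq 0 ] && [ $((cp_oth & 2)) -eq 0 ]
}

# Walk an absolute path up to / and apply the check to each component.
check_chroot_path() {
    cc_p=$1
    case $cc_p in /*) ;; *) echo "need an absolute path" >&2; return 1 ;; esac
    while :; do
        cc_st=$(stat -c '%u %a' "$cc_p") || return 1
        set -- $cc_st
        chroot_perm_ok "$1" "$2" || { echo "bad owner/mode on $cc_p" >&2; return 1; }
        [ "$cc_p" = "/" ] && break
        cc_p=$(dirname "$cc_p")
    done
}

# The setup itself; needs root and is only run when invoked explicitly.
# /home/upload stays root-owned 0755 so sshd accepts it as the jail root; the
# user gets a writable subdirectory, and /apps_test is exposed read-only inside
# the jail with a bind mount, because a chrooted user cannot see anything
# outside /home/upload. Read access to /apps_test still depends on the
# user's group membership on the real directory.
setup_sftp_jail() {
    su_user=$1; su_jail=$2
    mkdir -p "$su_jail" "$su_jail/test_upload" "$su_jail/apps_test"
    chown root:root "$su_jail" "$su_jail/apps_test"
    chmod 0755 "$su_jail" "$su_jail/apps_test"
    chown "$su_user" "$su_jail/test_upload"
    chmod 0755 "$su_jail/test_upload"
    mount --bind /apps_test "$su_jail/apps_test"
    mount -o remount,ro,bind "$su_jail/apps_test"
    check_chroot_path "$su_jail" || return 1
    sftp_jail_match_block "$su_user" "$su_jail" >> /etc/ssh/sshd_config
    sshd -t && service sshd reload
}

# Stand-alone run only shows the fragment that would be appended.
sftp_jail_match_block upload /home/upload
```

To apply it, source the file and run setup_sftp_jail upload /home/upload as root; check_chroot_path can be run on its own against any existing jail to find the component whose owner or mode sshd will reject.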
 
Expert Comment by Michael W (ID: 24096235)
I haven't tried using these steps, but perhaps these articles will help guide you in the right direction.

How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh
http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html

How to: Configure User Account to Use a Restricted Shell ( rssh )
http://www.cyberciti.biz/tips/linux-unix-restrict-shell-access-with-rssh.html
Expert Comment by Gns (ID: 24097354)
@mwecomputers ... as mentioned in the links I provided, you don't need a specific "chroot shell" hack if you run OpenSSH 4.8 or later. Then you can just follow the setup suggestions in the last link (they're pretty generic :).

Cheers
-- Glenn
Author Comment by LinuxDuke (ID: 24097444)
Thanks Gns, I used the make_chroot_jail.sh script and this solved my problem.
Thanks guys for the assistance.

Cheers
Duke