LinuxDuke asked:

Restricting a user account to his/her own directory in Redhat

I need to limit a user account to only be able to make changes to his home directory and only view his own directory and nothing else. Can someone please advise.
fosiul01

By default a normal user has access only to his own home directory; he does not have access to anyone else's files,

so you don't have to do anything.

useradd user1

user1 will have access only to the /home/user1 directory; if he tries to access the /home/user2 directory, he will get an access denied message.
LinuxDuke

ASKER

Hi experts,

I have an account, upload; this account should be restricted to sftp access only. The account must be a jailed SFTP account (jailed to the /home/upload directory). The account should have full write access to the /upload/test_upload directory and read access to the /apps_test directory and all its subdirectories.
Below is the current configuration:
upload@testserv upload]$ mkdir test_upload
upload@testserv upload]$ ls
test_upload
upload@testserv upload]$ cd test_upload/
upload@testserv test_upload]$ touch test
upload@testserv test_upload]$ ls
test
upload@testserv test_upload]$ cd /
upload@testserv /]$ ls
apps_test  boot  etc   initrd  lost+found  misc  opt   root  selinux  sys  usr
bin         dev   home  lib     media       mnt   proc  sbin  srv      tmp  var
upload@testserv /]$ cd apps_test/
upload@testserv apps_test]$ touch test2
touch: cannot touch `test2': Permission denied
upload@testserv apps_test]$
Then you need to give permission to read that directory.

Who is the owner of that apps_test directory?

Can you do

ls -l | grep apps_test

To allow the upload user to read that directory, you need to put the upload user in the group that owns that directory.

The user is only supposed to see the test_upload directory, and when changing directory using cd / he should not be allowed. This means he is not supposed to see this list, including apps_test.

upload@testserv test_upload]$ cd /
upload@testserv /]$ ls
apps_test  boot  etc   initrd  lost+found  misc  opt   root  selinux  sys  usr
bin         dev   home  lib     media       mnt   proc  sbin  srv      tmp  var
No, it would not work that way.

If you check the permissions of those files, for example
ls -l |grep etc

you will see the permissions are Read+Write+execute for root
   Read and execute for group
   Read for others
If you check other files generated by Linux,
you will see they have at least
Read+write+execute by root
Read by group
Read by others

So you can't restrict a user who has shell access from viewing your system files unless you have changed the file permissions yourself (which is not recommended),
but a normal user would not be able to modify any file.

A normal user would not be able to view any folder or files
if the permissions are set to
only Read+write+execute by root or another user,
for example a home directory, which is only readable by its own user and not accessible by other users.

Now, the way you are trying to do it, you can enter each directory but you would not be able to modify any files.


The upload user would be able to see those directories

but if he enters one directory he would not be able to

try cd
Hi LinuxDuke:

To implement what you want:
The user only gets access to the test_upload dir and cannot cd / or go to any other place.

If you are running vsftpd, then jailroot the user by putting this line in vsftpd.conf:

chroot_local_user=YES

This will actually jail him to his home, so he can't access anything except his home. You have to look further in the config to make it point to your test_upload dir, but this is the directive you need.

Best Regards
Hi Small student,

I'm using vsftp and have created users in /etc/passwd that will have ftp access. I'm not sure if I should update my etc password to be different from this: upload:x:520:100::/home/upload/bin/bash, as before it was upload:x:520:100::/home/upload/./:/bin/bash, but I still get full access: when using sftp from a different server to this server I can get a file under /etc, and this is what I'm avoiding.

I did change the following directive, chroot_local_user=YES, but still could access the whole file system.
I even changed the following and created the file following the man page, but still my user can access the file system and get files under /etc, and that is why I need him to access only the directory he logs on to or a directory above his own one.
chroot_local_user=YES
chroot_list_file=/etc/vsftpd.chroot_list

thanks
Duke
Hi Experts,

Will you kindly provide me with a step-by-step solution for jailing a user to a directory created in the home directory? I need the user to be unable to see any other directory when he does cd / (the root directory) and types in ls, as there is a folder under root that the user has access to because he is part of a group that has access to that drive. I have used vsftp to do this and nothing seems to work. I don't want to change permissions at the file system level.

Any help will be highly appreciated.
ASKER CERTIFIED SOLUTION
Gns

This solution is only available to members.
Michael Worsham
I haven't tried using these steps, but perhaps these articles will help guide you in the right direction.

How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh
http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html

How to: Configure User Account to Use a Restricted Shell ( rssh )
http://www.cyberciti.biz/tips/linux-unix-restrict-shell-access-with-rssh.html
Gns

@mwecomputers ... as mentioned in the links I provided, you don't need a specific "chroot shell" hack if you run OpenSSH 4.8 or later. Then you can just follow the setup suggestions in the last link (they're pretty generic :).

Cheers
-- Glenn
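
Added example, not part of any post in this thread: sftp sessions are served by sshd, so vsftpd's chroot_local_user has no effect on them; the built-in OpenSSH chroot Gns refers to is configured in sshd_config. The stanza in the comments and the script name check_chroot.sh are assumptions for the asker's "upload" account, and the functions check the ownership rule sshd enforces on the chroot path.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed sshd_config stanza for the
# asker's "upload" account (needs an OpenSSH with ChrootDirectory support):
#
#   Subsystem sftp internal-sftp
#   Match User upload
#       ChrootDirectory /home/upload
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#
# sshd rejects the session unless every component of the ChrootDirectory
# path is a root-owned directory that group and others cannot write to.

# dir_ok OWNER_UID DIR: 0 if DIR is a directory owned by OWNER_UID with no
# group/other write bit. Uses GNU stat, as shipped on Red Hat systems.
dir_ok() {
    [ -d "$2" ] || return 1
    owner=$(stat -c '%u' "$2") || return 1
    mode=$(stat -c '%a' "$2") || return 1
    [ "$owner" = "$1" ] || return 1
    [ $(( (mode % 10) & 2 )) -eq 0 ] && [ $(( (mode / 10 % 10) & 2 )) -eq 0 ]
}

# chroot_path_ok DIR [OWNER_UID]: walk DIR and each parent up to /, print the
# first component that fails dir_ok. OWNER_UID defaults to 0 (root); the
# parameter exists only so the check can be exercised without root.
chroot_path_ok() {
    p=$1
    uid=${2:-0}
    case $p in /*) ;; *) echo "not an absolute path: $p"; return 2 ;; esac
    while :; do
        dir_ok "$uid" "$p" || { echo "bad component: $p"; return 1; }
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Run as: sh check_chroot.sh /home/upload   (hypothetical script name)
if [ $# -gt 0 ]; then
    chroot_path_ok "$@"
fi
```

Because the chroot directory itself must be root-owned, the writable area has to be a subdirectory owned by the account, such as the test_upload directory from the question.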
Thanks Gns, I used the make_chroot_jail.sh script and this solved my problem.
Thanks guys for the assistance.

Cheers
Duke