Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Restricting a user account to his/her own directory in Redhat

Posted on 2009-04-02
Medium Priority
Last Modified: 2013-12-16
I need to limit a user account to only be able to make changes to his home directory and only view his own directory and nothing else. Can someone please advise.
Question by:LinuxDuke
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +2
LVL 29

Expert Comment

ID: 24048834
By default a normal user has access only to his own home directory, he does not have access to any other's file

so you dont have to do anything

useradd user1

user1 will have access only /home/user1 directory, if he try to access /home/user2 directory, he will get access denyed message

Author Comment

ID: 24050017
Hi experts,

I have an account upload this account should be restricted to sftp access only. The account must be jailed SFTP account (jailed to /home/upload directory). The account should have full write access to the /upload/test_upload directory and read access to the /apps_test directory and all its subdirectories.
below is the current configurations:
upload@testserv upload]$ mkdir test_upload
upload@testserv upload]$ ls
upload@testserv upload]$ cd test_upload/
upload@testserv test_upload]$ touch test
upload@testserv test_upload]$ ls
upload@testserv test_upload]$ cd /
upload@testserv /]$ ls
apps_test  boot  etc   initrd  lost+found  misc  opt   root  selinux  sys  usr
bin         dev   home  lib     media       mnt   proc  sbin  srv      tmp  var
upload@testserv /]$ cd apps_test/
upload@testserv apps_test]$ touch test2
touch: cannot touch `test2': Permission denied
upload@testserv apps_test]$
LVL 29

Expert Comment

ID: 24050082
then you need to give permission to read that directory

who is the owner of that apps_test directory ??

can you do

ls -l | grep apps_test
to allow upload user to read on that directory , you need to put upload user in the group who owns that directory

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!


Author Comment

ID: 24075748
The user is only suppose to see the test_upload directory and when changing directory using cd / he should not be allowed. This means he is not suppose to see this list including apps_test.

upload@testserv test_upload]$ cd /
upload@testserv /]$ ls
apps_test  boot  etc   initrd  lost+found  misc  opt   root  selinux  sys  usr
bin         dev   home  lib     media       mnt   proc  sbin  srv      tmp  var
LVL 29

Expert Comment

ID: 24075812
no it would not work that way

if you check the permission of those files suppose
ls -l |grep etc

you will see permission are Red+Write+execute for Root
   Read and Execute for groups
   Read for othrs
if you check other file which generated by linux
you will see they got atlest
Read+write+execute by root
Read by grups
read by others

so you cant restrict user go has Shell access to view your system file unless you have changed the file permission by yourself (| which is not recomended)
but normal user would not be able to modify any file

normal user would not be able to view any folder or files
if the permission set to
only Read+write+execute by root or other user
suppose Home directory which is only Readable by home user, not accessable by other user

now the way you are trying to do, you can enter each directory but you wold not be able to modify any files

the Upload user would be able to see those directory

but if he enter to inside one directory he would not be able to

try cd
LVL 14

Expert Comment

by:Monis Monther
ID: 24080938
Hi LinuxDuke:

To implement what you want
The user only gets access to test_upload dir and can not cd / or any other place

If you are runnig vsftpd then jailroot the user by putting this line in the vsftpd.conf


This will actually jail him to his home , so he cant access anything accept his home, you have to look farther in the config to make point to your test_upload dir, but this is the directive you need.

Best Regards

Author Comment

ID: 24085848
Hi Small student,

I'm using vsftp and have created users in /etc/passwd that will have ftp access. I not sure if I should update my etc password to be different from this upload:x:520:100::/home/upload/bin/bash as before it was upload:x:520:100::/home/upload/./:/bin/bash but I still get full access when using sftp from a different server to this server I can get a file under /etc and this is what I'm avoiding.

I did change the following directive  chroot_local_user=YES  but still could access the whole file system.
I even changed the following and created the file following the man page but still my user can access the file system and get files under /etc and that is why I need him to access only the directory he logs on or a directory above his own one.


Author Comment

ID: 24091782
Hi Experts,

Will you kindly provide me with a solution step by step for jailing a user to a directory created in home directory. I need the user to be unable to see any other directory when he cd / "the root directory and type in ls" as the is a folder ander root that the user has access on as he is part of a group that has access to that drive. I have used vsftp to do this an nothing seems to work, I don't want to change permissions on the file system level.

Any help will be highly appreciated.
LVL 20

Accepted Solution

Gns earned 400 total points
ID: 24096111
SFTP and VSFTP are quite different things. SFTP isn't ftp at all, it is file transfer *looking* like ftp (to the user), but actually using the SSH protocol (and the secure copy part of it (SCP)). VSFTP, on the other hand, is a server package implementing the file transfer protocol (FTP), which is clear-text. Not the same at all.

The definition you had for your upload user (where the "home directory" specification included the "/./" string) was quite correct for the VSFTP setup... It instructs the vsftp server to restrict that user to its "home directory" (a chroot jail).

It used to be that the OpenSSH implementation of SFTP didn't contain any such jail functionality (well, it didn't last I looked, at least... which was a while back, so I've gotten another look and things look more promising ... now:-). If you had a need for this, you needed buy SSH (not use OpenSSH) from http://www.ssh.com ... which does include chroot jailing facilities.

Now, as can be seen at:
... this is quite doable these day, and, depending on your version of OpenSSH, quite simple to achieve. Note that the best suggestions have an OpenSSH with inbuilt funtionality and doesn't rely on futzy details like specific spawned shells etc (the last one(s)).

-- Glenn
LVL 29

Expert Comment

by:Michael Worsham
ID: 24096235
I haven't tried using these steps, but perhaps these articles will help guide you in the right direction.

How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh

How to: Configure User Account to Use a Restricted Shell ( rssh )
LVL 20

Expert Comment

ID: 24097354
@mwecomputers ... as mentioned in the links I provided, you don't need a specific "chroot shell" hack if you run OpenSSH 4.8 or later. Then you can just follow the setup suggestions in the last link (theyäre pretty generic:).

-- Glenn

Author Comment

ID: 24097444
Thanks Gns I used the make_chroot_jail.sh script and this solved my problem.
Thanks guys for the assistence.


Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question