need to lock a user

Posted on 2014-03-11
Last Modified: 2014-03-17
Hi,

I need to jailroot or limit a user to his home folder only, meaning he should not be able to access or read any other folder in Solaris. Please help me with this.
Question by:apunkabollywood
LVL 68

Expert Comment

by:woolmilkporc
ID: 39921623
If you just want to keep the user from navigating out of their HOME directory with "cd" and to keep them from issuing arbitrary commands found in some obscure directory, then a restricted shell would be the right thing.

In such a shell "cd" is just as forbidden as issuing commands containing a slash ( / ) thus effectively allowing only commands which are in the PATH.

The only things you'll have to do (as root) are:

- Change the shell to /bin/rksh or /bin/rbash as desired.

- Make the user's .profile owned by root with permissions "640".

- Set the desired PATH in this .profile and make the PATH variable readonly:

export PATH=/usr/bin/:...( add any desired elements)....
readonly PATH

 That should do the trick.

Please note that there is no straightforward way to keep this user from reading files in other directories as long as the path to the respective file is known and the file's permissions allow reading for the user or their group.

If the user comes from a remote location via ssh there are options for "chrooting" - but you'll need the OpenSSH server on the host machine.

wmp
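To make the restricted-shell behaviour described above concrete, here is an added check script (not part of the thread) that runs a few commands in GNU bash's restricted mode ("bash -r", the mode /bin/rbash starts in) and reports whether the shell refused them. It also demonstrates the caveat in the comment: a file outside HOME is still readable when its path is known and permissions allow it, because the slash is only in the argument, not in the command name. It assumes a "bash" binary, "cat" and "ls" are on the PATH, and it creates its own constructed secret file in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: exercise restricted-shell rules with
# "bash -r". Assumes bash, cat, ls and mktemp exist on the machine.

# Run one command in a restricted shell; return 0 if the shell refused it
# (non-zero exit such as "bash: cd: restricted"), 1 if it was allowed.
restricted_refuses() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        return 1    # the restricted shell let it through
    fi
    return 0        # refused
}

# Run one command in a restricted shell; return 0 only if it succeeded.
restricted_allows() {
    bash -r -c "$1" >/dev/null 2>&1
}

# The caveat from the comment: a restricted shell does not stop reading a
# file elsewhere when its path is known and its permissions allow it.
# Builds a constructed "secret" outside the current directory and reads it
# with "cat", which is found via PATH; the slash is only in the argument.
secret_readable_despite_restriction() {
    dir=$(mktemp -d) || return 2
    printf 'constructed secret\n' > "$dir/secret.txt"
    if bash -r -c "cat '$dir/secret.txt'" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Summarise the rules on the terminal.
report() {
    for cmd in 'cd /tmp' '/bin/ls /' 'PATH=/tmp' 'exec ls' 'ls / > /tmp/out'; do
        if restricted_refuses "$cmd"; then
            echo "refused : $cmd"
        else
            echo "ALLOWED : $cmd"
        fi
    done
    restricted_allows 'ls /' && echo "allowed : ls /   (slash only in the argument)"
    secret_readable_despite_restriction && echo "allowed : cat <known path> (the caveat)"
}

report
```

The "cd", slash-in-command-name and PATH-assignment cases are the ones the comment lists; the last two lines of the report show what the restricted shell does not prevent, which is why the comment recommends a chroot when reading other directories must be blocked.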
LVL 16

Expert Comment

by:Joseph Gan
ID: 39921734
There is no simple way to do it, unless you change every other folder to "770" or something like that, which removes access for anyone except the owner and group.
If this is impossible, you may want to have a look at this link:
http://www.unix.com/solaris/146507-how-restrict-user-specific-directory-solaris-10-a.html
Author Comment

by:apunkabollywood
ID: 39922676
Hi woolmilkporc,

Thanks. Could you help with the procedure to do it with OpenSSH?
LVL 68

Accepted Solution

by:woolmilkporc (earned 400 total points)
ID: 39923147
OK, that's not as easy as it might sound, but we can try.

Let's assume that the user in question is "userA", the group is "groupA" and the HOME directory is /home/userA.

All of the following must be done as "root".

1) Change the HOME of "userA" from "/home/userA"  to just "/userA" in /etc/passwd.
Very important: "/home/userA" itself must exist and must be owned by root and writeable by root only! We'll create a second level directory "userA" later.

2) Prepare the chroot environment

mkdir -m 755 /home/userA/bin
mkdir -m 755 /home/userA/lib
mkdir -m 755 /home/userA/dev
mkdir -m 755 /home/userA/var
mkdir -m 755 /home/userA/opt
mkdir -m 1777 /home/userA/tmp
mkdir -m 755 /home/userA/usr
mkdir -m 755 /home/userA/usr/bin
mkdir -m 755 /home/userA/usr/lib

mkdir -m 755 /home/userA/userA
chown userA:groupA /home/userA/userA

2.1) Populate "dev"

cd /home/userA/dev
mknod arandom c 45 4
mknod null c 2 2
mknod zero c 2 12
mknod stderr c 22 2
mknod stdin c 22 0
mknod stdout c 22 1
mknod tty c 1 0

NOTE: The major/minor numbers might be different on your system. Please check your original /dev/ directory and use the values found there!

2.2) Populate "bin"

cd /home/userA/bin
cp -p /bin/ksh .
cp -p /bin/cp .
cp -p /bin/ls .
cp -p /bin/mkdir .
cp -p /bin/mv .
cp -p /bin/rm .
cp -p /bin/rmdir .
cp -p /bin/sleep .
cp -p /bin/test .
cp -p /bin/tar .
ln ksh sh
ln ksh rksh
ln test [

The above is a very basic "bin" setup. You will probably need more binaries!

2.3) Populate "etc" with "passwd" and "group".

mkdir -m 755 /home/userA/etc
cd /home/userA/etc

cp -p /etc/passwd .
cp -p /etc/group .

2.4) Populate "usr/bin"

The binaries in "usr/bin" will need some libraries being present in "usr/lib".
Please check with "ldd binary_name" and copy the required libraries from /usr/lib to /home/userA/usr/lib!


cd /home/userA/usr/bin
# Example:
cp -p /usr/bin/grep .
ldd /usr/bin/grep
# depending on the above output, but most probably:
cp -p /usr/lib/libc* /home/userA/usr/lib/

---> Now copy all the commands/tools you think userA must have at hand. Please remember to check the libraries!


3) Configure OpenSSH

Add to the very end of /etc/ssh/sshd_config

Match User userA
  ChrootDirectory /home/userA
  AllowTcpForwarding no

Restart sshd and try to log in as userA from remote via ssh.
You'll probably get some errors which we'll have to eliminate step by step.

Good luck!
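The recipe above leaves the most error-prone part, finding and copying each binary's shared libraries, to hand work. The following helper script is an added example, not woolmilkporc's own, that automates step 2's directory skeleton (including the "etc" directory step 2.3 needs) and step 2.4's "check with ldd and copy the libraries", preserving the original directory layout so the dynamic linker finds the copies. It assumes it runs as root, that the jail root (e.g. /home/userA) already exists and is root-owned, and that ldd prints "name => /path" lines as it does on Solaris and Linux. Device nodes (step 2.1) are left manual because their major/minor numbers are system specific.

```shell
#!/bin/sh
# Added example, not the thread author's script: helpers for building the
# chroot tree from the recipe above. Assumes root privileges, an existing
# root-owned jail directory, and ldd output in "name => /path" form.

# Create the directory skeleton from step 2, plus "etc" for step 2.3.
prepare_jail_dirs() {   # $1 = jail root
    jail=$1
    for d in bin lib dev etc var opt usr usr/bin usr/lib; do
        mkdir -p -m 755 "$jail/$d" || return 1
    done
    mkdir -p "$jail/tmp" && chmod 1777 "$jail/tmp"
}

# Read ldd output on stdin and print the absolute library paths it names,
# one per line: the token after "=>" when it is a path, plus loader lines
# that start with a path (e.g. /lib/ld.so.1). "(file not found)" entries
# are dropped, so missing libraries never silently "succeed".
libs_from_ldd() {
    LC_ALL=C awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                  $1 ~ /^\// { print $1 }' | LC_ALL=C sort -u
}

# Copy one absolute path into the jail, recreating its parent directory,
# so /lib/libc.so.1 lands in $jail/lib/libc.so.1.
install_into_jail() {   # $1 = jail root, $2 = absolute source path
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -p "$src" "$jail$src"
}

# Copy a binary and every library ldd reports for it into the jail.
install_with_libs() {   # $1 = jail root, $2 = binary path
    install_into_jail "$1" "$2" || return 1
    for lib in $(ldd "$2" 2>/dev/null | libs_from_ldd); do
        install_into_jail "$1" "$lib" || return 1
    done
}

# Print the sshd_config fragment from step 3 for the given user and jail.
sshd_match_block() {   # $1 = user, $2 = jail root
    printf 'Match User %s\n  ChrootDirectory %s\n  AllowTcpForwarding no\n' "$1" "$2"
}

# Usage, as root (hypothetical values from the recipe):
#   prepare_jail_dirs /home/userA
#   for b in /bin/ksh /bin/ls /bin/cp /usr/bin/grep; do
#       install_with_libs /home/userA "$b"
#   done
#   sshd_match_block userA /home/userA >> /etc/ssh/sshd_config
```

Because each copy is keyed on the path ldd reports, a library that ldd flags as not found is simply absent from the jail, and the "errors which we'll have to eliminate step by step" then point straight at the missing file. The hard links ("ln ksh sh", "ln test [") from step 2.2 still have to be made by hand after the binaries are in place.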
LVL 28

Assisted Solution

by:serialband
serialband earned 100 total points
ID: 39923551
I see woolmilkporc has already gone over the chroot jail.
http://www.cs.bgu.ac.il/~arik/usail/man/solaris/chroot.1.html


You can use restricted ssh (rssh) if it's only for file access. In conjunction with chroot, you would be able to lock the user down to just rssh.
http://dragontoe.org/rssh/
Author Closing Comment

by:apunkabollywood
ID: 39934913
Thank you for your expert advice.