Solved

need to lock a user

Posted on 2014-03-11
6
359 Views
Last Modified: 2014-03-17
Hi,

I need to jailroot or limit a user in his home folder only - means not able to access or read any other folder in solaris - please help me with?
0
Comment
Question by:apunkabollywood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39921623
If you just want to keep the user from navigating out of their HOME directory with "cd" and to keep them from issuing arbitrary commands found in some obscure directory, then a restricted shell would be the right thing.

In such a shell "cd" is just as forbidden as issuing commands containing a slash ( / ) thus effectively allowing only commands which are in the PATH.

The only things you'll have to do (as root) are:

- Change the shell to /bin/rksh or /bin/rbash as desired.

- Make the user's .profile owned by root with permissions "640".

- Set the desired PATH in this .profile and make the PATH variable readonly:

export PATH=/usr/bin/:...( add any desired elements)....
readonly PATH

 That should do the trick.

Please note that there is no straightforward way to keep this user from reading files in other directories as long as the path to the respective file is known and the file's permissions allow reading for the user or their group.

If the user comes from a remote location via ssh there are options for "chrooting" - but you'll need the OpenSSH server on the host machine.

wmp
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 39921734
There is no simple way to do it, unless you have to change any other folder to "770" or something like that, which meant to remove anyone else except owner and group to access.
If this is impossible, you may want to have a look this link:
http://www.unix.com/solaris/146507-how-restrict-user-specific-directory-solaris-10-a.html
0
 

Author Comment

by:apunkabollywood
ID: 39922676
Hi Woolmilkproc,

Thanks could you help with procedure to do it with Openssh ?
0
Containers & Docker to Create a Powerful Team

Containers are an incredibly powerful technology that can provide you and/or your engineering team with huge productivity gains. Using containers, you can deploy, back up, replicate, and move apps and their dependencies quickly and easily.

 
LVL 68

Accepted Solution

by:
woolmilkporc earned 400 total points
ID: 39923147
OK, that's not as easy as it might sound, but we can try.

Let's assume that the user in question is "userA", the group is "groupA" and the HOME directory is /home/userA.

All of the following must be done as "root".

1) Change the HOME of "userA" from "/home/userA"  to just "/userA" in /etc/passwd.
Very important: "/home/userA" itself must exist and must be owned by root and writeable by root only! We'll create a second level directory "userA" later.

2) Prepare the chroot environment

mkdir -m 755 /home/userA/bin
mkdir -m 755 /home/userA/lib
mkdir -m 755 /home/userA/dev
mkdir -m 755 /home/userA/var
mkdir -m 755 /home/userA/opt
mkdir -m 1777 /home/userA/tmp
mkdir -m 755 /home/userA/usr
mkdir -m 755 /home/userA/usr/bin
mkdir -m 755 /home/userA/usr/lib

mkdir -m 755 /home/userA/userA
chown userA:groupA userA

2.1) Populate "dev"

cd /home/userA/dev
mknod arandom c 45 4
mknod null c 2 2
mknod zero c 2 12
mknod stderr c 22 2
mknod stdin c 22 0
mknod stdout c 22 1
mknod tty c 1 0

NOTE: The major/minor numbers might be different on your system. Please check your original /dev/ directory and use the values found there!

2.2) Populate "bin"

cd /home/userA/bin
cp -p /bin/ksh .
cp -p /bin/cp .
cp -p /bin/ls .
cp -p /bin/mkdir .
cp -p /bin/mv .
cp -p /bin/rm .
cp -p /bin/rmdir .
cp -p /bin/sleep .
cp -p /bin/test .
cp -p /bin/tar .
ln ksh sh
ln ksh rksh
ln test [

The above is a very basic "bin" setup. You will probably need more binaries!

2.3) Populate "etc" with "passwd" and "group".

cd /home/userA/etc

cp -p /etc/passwd .
cp -p /etc/group .

2.4) Populate "usr/bin"

The binaries in "usr/bin" will need some libraries being present in "usr/lib".
Please check with "ldd binary_name" and copy the required libraries from /usr/lib to /home/userA/usr/lib!


cd /home/userA/usr/bin
# Example:
cp -p /usr/bin/grep .
ldd /usr/bin/grep
# depending on the above output, but most probably:
cp -p /usr/lib/libc* /home/userA/usr/lib/

---> Now copy all the commands/tools you think userA must have at hand. Please remember to check the libraries!


3) Configure OpenSSH

Add to the very end of /etc/ssh/sshd_config

Match User userA
  ChroootDirectory /home/userA
  AllowTCPForwarding no



Restart sshd and try to log in as userA from remote via ssh.
You'll probably get some errors which we'll have to eliminate step by step.

Good luck!
0
 
LVL 30

Assisted Solution

by:serialband
serialband earned 100 total points
ID: 39923551
I see woolmilkporc has already gone over chroot jail.
http://www.cs.bgu.ac.il/~arik/usail/man/solaris/chroot.1.html


You can use restricted ssh if it's only for file access.  In conjunction with chroot, you would be able to lock the user down to just rssh.
http://dragontoe.org/rssh/
0
 

Author Closing Comment

by:apunkabollywood
ID: 39934913
Thank you for your expert advices
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In tuning file systems on the Solaris Operating System, changing some parameters of a file system usually destroys the data on it. For instance, changing the cache segment block size in the volume of a T3 requires that you delete the existing volu…
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question