Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

need to lock a user

Posted on 2014-03-11
6
Medium Priority
?
363 Views
Last Modified: 2014-03-17
Hi,

I need to jailroot or limit a user in his home folder only - means not able to access or read any other folder in solaris - please help me with?
0
Comment
Question by:apunkabollywood
6 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39921623
If you just want to keep the user from navigating out of their HOME directory with "cd" and to keep them from issuing arbitrary commands found in some obscure directory, then a restricted shell would be the right thing.

In such a shell "cd" is just as forbidden as issuing commands containing a slash ( / ) thus effectively allowing only commands which are in the PATH.

The only things you'll have to do (as root) are:

- Change the shell to /bin/rksh or /bin/rbash as desired.

- Make the user's .profile owned by root with permissions "640".

- Set the desired PATH in this .profile and make the PATH variable readonly:

export PATH=/usr/bin/:...( add any desired elements)....
readonly PATH

 That should do the trick.

Please note that there is no straightforward way to keep this user from reading files in other directories as long as the path to the respective file is known and the file's permissions allow reading for the user or their group.

If the user comes from a remote location via ssh there are options for "chrooting" - but you'll need the OpenSSH server on the host machine.

wmp
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 39921734
There is no simple way to do it, unless you have to change any other folder to "770" or something like that, which meant to remove anyone else except owner and group to access.
If this is impossible, you may want to have a look this link:
http://www.unix.com/solaris/146507-how-restrict-user-specific-directory-solaris-10-a.html
0
 

Author Comment

by:apunkabollywood
ID: 39922676
Hi Woolmilkproc,

Thanks could you help with procedure to do it with Openssh ?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 68

Accepted Solution

by:
woolmilkporc earned 1600 total points
ID: 39923147
OK, that's not as easy as it might sound, but we can try.

Let's assume that the user in question is "userA", the group is "groupA" and the HOME directory is /home/userA.

All of the following must be done as "root".

1) Change the HOME of "userA" from "/home/userA"  to just "/userA" in /etc/passwd.
Very important: "/home/userA" itself must exist and must be owned by root and writeable by root only! We'll create a second level directory "userA" later.

2) Prepare the chroot environment

mkdir -m 755 /home/userA/bin
mkdir -m 755 /home/userA/lib
mkdir -m 755 /home/userA/dev
mkdir -m 755 /home/userA/var
mkdir -m 755 /home/userA/opt
mkdir -m 1777 /home/userA/tmp
mkdir -m 755 /home/userA/usr
mkdir -m 755 /home/userA/usr/bin
mkdir -m 755 /home/userA/usr/lib

mkdir -m 755 /home/userA/userA
chown userA:groupA userA

2.1) Populate "dev"

cd /home/userA/dev
mknod arandom c 45 4
mknod null c 2 2
mknod zero c 2 12
mknod stderr c 22 2
mknod stdin c 22 0
mknod stdout c 22 1
mknod tty c 1 0

NOTE: The major/minor numbers might be different on your system. Please check your original /dev/ directory and use the values found there!

2.2) Populate "bin"

cd /home/userA/bin
cp -p /bin/ksh .
cp -p /bin/cp .
cp -p /bin/ls .
cp -p /bin/mkdir .
cp -p /bin/mv .
cp -p /bin/rm .
cp -p /bin/rmdir .
cp -p /bin/sleep .
cp -p /bin/test .
cp -p /bin/tar .
ln ksh sh
ln ksh rksh
ln test [

The above is a very basic "bin" setup. You will probably need more binaries!

2.3) Populate "etc" with "passwd" and "group".

cd /home/userA/etc

cp -p /etc/passwd .
cp -p /etc/group .

2.4) Populate "usr/bin"

The binaries in "usr/bin" will need some libraries being present in "usr/lib".
Please check with "ldd binary_name" and copy the required libraries from /usr/lib to /home/userA/usr/lib!


cd /home/userA/usr/bin
# Example:
cp -p /usr/bin/grep .
ldd /usr/bin/grep
# depending on the above output, but most probably:
cp -p /usr/lib/libc* /home/userA/usr/lib/

---> Now copy all the commands/tools you think userA must have at hand. Please remember to check the libraries!


3) Configure OpenSSH

Add to the very end of /etc/ssh/sshd_config

Match User userA
  ChroootDirectory /home/userA
  AllowTCPForwarding no



Restart sshd and try to log in as userA from remote via ssh.
You'll probably get some errors which we'll have to eliminate step by step.

Good luck!
0
 
LVL 31

Assisted Solution

by:serialband
serialband earned 400 total points
ID: 39923551
I see woolmilkporc has already gone over chroot jail.
http://www.cs.bgu.ac.il/~arik/usail/man/solaris/chroot.1.html


You can use restricted ssh if it's only for file access.  In conjunction with chroot, you would be able to lock the user down to just rssh.
http://dragontoe.org/rssh/
0
 

Author Closing Comment

by:apunkabollywood
ID: 39934913
Thank you for your expert advices
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
I have been running these systems for a few years now and I am just very happy with them.   I just wanted to share the manual that I have created for upgrades and other things.  Oooh yes! FreeBSD makes me happy (as a server), no maintenance and I al…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question