Solved

need to lock a user

Posted on 2014-03-11
Last Modified: 2014-03-17
Hi,

I need to chroot-jail or limit a user to his home folder only, meaning he must not be able to access or read any other folder in Solaris. Please help me with this.
Question by:apunkabollywood
6 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39921623
If you just want to keep the user from navigating out of their HOME directory with "cd" and to keep them from issuing arbitrary commands found in some obscure directory, then a restricted shell would be the right thing.

In such a shell "cd" is just as forbidden as issuing commands containing a slash ( / ), thus effectively allowing only commands which are in the PATH.

The only things you'll have to do (as root) are:

- Change the shell to /bin/rksh or /bin/rbash as desired.

- Make the user's .profile owned by root with permissions "640".

- Set the desired PATH in this .profile and make the PATH variable readonly:

export PATH=/usr/bin/:...( add any desired elements)....
readonly PATH

 That should do the trick.

Please note that there is no straightforward way to keep this user from reading files in other directories as long as the path to the respective file is known and the file's permissions allow reading for the user or their group.

If the user comes from a remote location via ssh, there are options for "chrooting" - but you'll need the OpenSSH server on the host machine.

wmp
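The restricted-shell recipe above as a script, added here as an example rather than taken from the thread. The user name, the shell (/bin/rksh or /bin/rbash) and the directory holding the permitted commands (/usr/rbin) are placeholders; usermod(1M), chown and chmod are the real tools. The point worth checking is the one the whole recipe rests on: rksh and rbash only enforce their restrictions (no cd, no command names containing "/", no output redirection, no changes to PATH, SHELL or ENV) after .profile has been processed, so the profile must be root-owned and must leave PATH readonly. profile_path_is_locked sources the profile in a throwaway shell and tries to overwrite PATH to confirm that.

```shell
#!/bin/sh
# Added example (not from the original thread): the restricted-shell recipe
# above as a script. Assumed: usermod(1M) is available, the restricted shell
# (/bin/rksh or /bin/rbash) is installed, and /usr/rbin is the directory
# holding the few commands the user may run (a placeholder name).

# Write a .profile whose PATH cannot be changed after login. rksh/rbash
# enforce their restrictions only after .profile has run, which is why the
# profile must be root-owned and read-only for the user.
write_restricted_profile() {   # $1 = profile path, $2 = PATH value
    printf 'PATH=%s\nexport PATH\nreadonly PATH\n' "$2" > "$1"
}

# Print PATH as seen by a login that sources the profile.
profile_effective_path() {     # $1 = profile path
    sh -c '. "$1"; printf "%s" "$PATH"' sh "$1"
}

# Source the profile in a throwaway shell and try to replace PATH; returns 0
# only if the shell refuses, i.e. the readonly lock actually holds.
profile_path_is_locked() {     # $1 = profile path
    out=$(sh -c '. "$1"; PATH=/tmp/evil && echo changed' sh "$1" 2>/dev/null || :)
    [ "$out" != "changed" ]
}

# Apply the recipe to a real account; must run as root. Keep anything that
# can spawn a subprocess (vi, more, perl, ...) out of the PATH directory,
# otherwise the restricted shell is escaped with one keystroke.
restrict_user() {              # $1 = user, $2 = restricted shell, $3 = PATH
    home=$(awk -F: -v u="$1" '$1==u {print $6}' /etc/passwd)
    gid=$(awk -F: -v u="$1" '$1==u {print $4}' /etc/passwd)
    [ -n "$home" ] || { echo "no such user: $1" >&2; return 1; }
    usermod -s "$2" "$1" || return 1
    write_restricted_profile "$home/.profile" "$3"
    chown root:"$gid" "$home/.profile"    # group of the user, mode 640
    chmod 640 "$home/.profile"
    profile_path_is_locked "$home/.profile"
}

# Usage (as root): sh restrict.sh apply userA /bin/rksh /usr/rbin
if [ "${1-}" = apply ]; then
    restrict_user "$2" "$3" "$4"
fi
```

The caveat from the answer still applies after this: a restricted shell stops navigation and arbitrary binaries, not reads of world-readable files whose path the user already knows (cat /etc/passwd works, since only command names may not contain a slash).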
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 39921734
There is no simple way to do it, unless you change every other folder to "770" or something like that, which means removing access for anyone except the owner and group.
If this is impossible, you may want to have a look this link:
http://www.unix.com/solaris/146507-how-restrict-user-specific-directory-solaris-10-a.html
 

Author Comment

by:apunkabollywood
ID: 39922676
Hi woolmilkporc,

Thanks, could you help with the procedure to do it with OpenSSH?
 
LVL 68

Accepted Solution

by: woolmilkporc (earned 1600 total points)
ID: 39923147
OK, that's not as easy as it might sound, but we can try.

Let's assume that the user in question is "userA", the group is "groupA" and the HOME directory is /home/userA.

All of the following must be done as "root".

1) Change the HOME of "userA" from "/home/userA"  to just "/userA" in /etc/passwd.
Very important: "/home/userA" itself must exist and must be owned by root and writable by root only! We'll create a second level directory "userA" later.

2) Prepare the chroot environment

mkdir -m 755 /home/userA/bin
mkdir -m 755 /home/userA/lib
mkdir -m 755 /home/userA/dev
mkdir -m 755 /home/userA/var
mkdir -m 755 /home/userA/opt
mkdir -m 1777 /home/userA/tmp
mkdir -m 755 /home/userA/usr
mkdir -m 755 /home/userA/usr/bin
mkdir -m 755 /home/userA/usr/lib

mkdir -m 755 /home/userA/userA
chown userA:groupA /home/userA/userA

2.1) Populate "dev"

cd /home/userA/dev
mknod arandom c 45 4
mknod null c 2 2
mknod zero c 2 12
mknod stderr c 22 2
mknod stdin c 22 0
mknod stdout c 22 1
mknod tty c 1 0

NOTE: The major/minor numbers might be different on your system. Please check your original /dev/ directory and use the values found there!

2.2) Populate "bin"

cd /home/userA/bin
cp -p /bin/ksh .
cp -p /bin/cp .
cp -p /bin/ls .
cp -p /bin/mkdir .
cp -p /bin/mv .
cp -p /bin/rm .
cp -p /bin/rmdir .
cp -p /bin/sleep .
cp -p /bin/test .
cp -p /bin/tar .
ln ksh sh
ln ksh rksh
ln test [

The above is a very basic "bin" setup. You will probably need more binaries!

2.3) Populate "etc" with "passwd" and "group".

mkdir -m 755 /home/userA/etc
cd /home/userA/etc

cp -p /etc/passwd .
cp -p /etc/group .

2.4) Populate "usr/bin"

The binaries in "usr/bin" will need some libraries being present in "usr/lib".
Please check with "ldd binary_name" and copy the required libraries from /usr/lib to /home/userA/usr/lib!


cd /home/userA/usr/bin
# Example:
cp -p /usr/bin/grep .
ldd /usr/bin/grep
# depending on the above output, but most probably:
cp -p /usr/lib/libc* /home/userA/usr/lib/

---> Now copy all the commands/tools you think userA must have at hand. Please remember to check the libraries!


3) Configure OpenSSH

Add to the very end of /etc/ssh/sshd_config

Match User userA
  ChrootDirectory /home/userA
  AllowTcpForwarding no



Restart sshd and try to log in as userA from remote via ssh.
You'll probably get some errors which we'll have to eliminate step by step.

Good luck!
 
LVL 30

Assisted Solution

by: serialband (earned 400 total points)
ID: 39923551
I see woolmilkporc has already gone over chroot jail.
http://www.cs.bgu.ac.il/~arik/usail/man/solaris/chroot.1.html


You can use restricted ssh if it's only for file access.  In conjunction with chroot, you would be able to lock the user down to just rssh.
http://dragontoe.org/rssh/
 

Author Closing Comment

by:apunkabollywood
ID: 39934913
Thank you for your expert advice.