Solved

need to lock a user

Posted on 2014-03-11
6
355 Views
Last Modified: 2014-03-17
Hi,

I need to jailroot or limit a user in his home folder only - means not able to access or read any other folder in solaris - please help me with?
0
Comment
Question by:apunkabollywood
6 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39921623
If you just want to keep the user from navigating out of their HOME directory with "cd" and to keep them from issuing arbitrary commands found in some obscure directory, then a restricted shell would be the right thing.

In such a shell "cd" is just as forbidden as issuing commands containing a slash ( / ) thus effectively allowing only commands which are in the PATH.

The only things you'll have to do (as root) are:

- Change the shell to /bin/rksh or /bin/rbash as desired.

- Make the user's .profile owned by root with permissions "640".

- Set the desired PATH in this .profile and make the PATH variable readonly:

export PATH=/usr/bin/:...( add any desired elements)....
readonly PATH

 That should do the trick.

Please note that there is no straightforward way to keep this user from reading files in other directories as long as the path to the respective file is known and the file's permissions allow reading for the user or their group.

If the user comes from a remote location via ssh there are options for "chrooting" - but you'll need the OpenSSH server on the host machine.

wmp
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 39921734
There is no simple way to do it, unless you have to change any other folder to "770" or something like that, which meant to remove anyone else except owner and group to access.
If this is impossible, you may want to have a look this link:
http://www.unix.com/solaris/146507-how-restrict-user-specific-directory-solaris-10-a.html
0
 

Author Comment

by:apunkabollywood
ID: 39922676
Hi Woolmilkproc,

Thanks could you help with procedure to do it with Openssh ?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 68

Accepted Solution

by:
woolmilkporc earned 400 total points
ID: 39923147
OK, that's not as easy as it might sound, but we can try.

Let's assume that the user in question is "userA", the group is "groupA" and the HOME directory is /home/userA.

All of the following must be done as "root".

1) Change the HOME of "userA" from "/home/userA"  to just "/userA" in /etc/passwd.
Very important: "/home/userA" itself must exist and must be owned by root and writeable by root only! We'll create a second level directory "userA" later.

2) Prepare the chroot environment

mkdir -m 755 /home/userA/bin
mkdir -m 755 /home/userA/lib
mkdir -m 755 /home/userA/dev
mkdir -m 755 /home/userA/var
mkdir -m 755 /home/userA/opt
mkdir -m 1777 /home/userA/tmp
mkdir -m 755 /home/userA/usr
mkdir -m 755 /home/userA/usr/bin
mkdir -m 755 /home/userA/usr/lib

mkdir -m 755 /home/userA/userA
chown userA:groupA userA

2.1) Populate "dev"

cd /home/userA/dev
mknod arandom c 45 4
mknod null c 2 2
mknod zero c 2 12
mknod stderr c 22 2
mknod stdin c 22 0
mknod stdout c 22 1
mknod tty c 1 0

NOTE: The major/minor numbers might be different on your system. Please check your original /dev/ directory and use the values found there!

2.2) Populate "bin"

cd /home/userA/bin
cp -p /bin/ksh .
cp -p /bin/cp .
cp -p /bin/ls .
cp -p /bin/mkdir .
cp -p /bin/mv .
cp -p /bin/rm .
cp -p /bin/rmdir .
cp -p /bin/sleep .
cp -p /bin/test .
cp -p /bin/tar .
ln ksh sh
ln ksh rksh
ln test [

The above is a very basic "bin" setup. You will probably need more binaries!

2.3) Populate "etc" with "passwd" and "group".

cd /home/userA/etc

cp -p /etc/passwd .
cp -p /etc/group .

2.4) Populate "usr/bin"

The binaries in "usr/bin" will need some libraries being present in "usr/lib".
Please check with "ldd binary_name" and copy the required libraries from /usr/lib to /home/userA/usr/lib!


cd /home/userA/usr/bin
# Example:
cp -p /usr/bin/grep .
ldd /usr/bin/grep
# depending on the above output, but most probably:
cp -p /usr/lib/libc* /home/userA/usr/lib/

---> Now copy all the commands/tools you think userA must have at hand. Please remember to check the libraries!


3) Configure OpenSSH

Add to the very end of /etc/ssh/sshd_config

Match User userA
  ChroootDirectory /home/userA
  AllowTCPForwarding no



Restart sshd and try to log in as userA from remote via ssh.
You'll probably get some errors which we'll have to eliminate step by step.

Good luck!
0
 
LVL 29

Assisted Solution

by:serialband
serialband earned 100 total points
ID: 39923551
I see woolmilkporc has already gone over chroot jail.
http://www.cs.bgu.ac.il/~arik/usail/man/solaris/chroot.1.html


You can use restricted ssh if it's only for file access.  In conjunction with chroot, you would be able to lock the user down to just rssh.
http://dragontoe.org/rssh/
0
 

Author Closing Comment

by:apunkabollywood
ID: 39934913
Thank you for your expert advices
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question