Restricting users to their folders

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

This is related to my previous thread about sftp folder size limits per user.

Is it possible to also make it so that the users can't leave their folders?
As in, make it so that they can't cd into another user's folder and see what files they have?
I mean even with low permissions, you can usually list files in a folder.

Or maybe "chmod 700" would be sufficient on the user folders?
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

chroot is what you are looking for, here's a quick howto:
http://www.howtoforge.com/chrooted-ssh- ... bian-lenny

of course people can still log in via SSH then, so you would have to chroot that too, which is a little more work, but in case you only want them to have SFTP access (which I assume) disallow shell logins:
http://www.debian-administration.org/articles/94

:wink:

Post by ayu »

bad_brain wrote:chroot is what you are looking for, here's a quick howto:
http://www.howtoforge.com/chrooted-ssh- ... bian-lenny

of course people can still log in via SSH then, so you would have to chroot that too, which is a little more work, but in case you only want them to have SFTP access (which I assume) disallow shell logins:
http://www.debian-administration.org/articles/94

:wink:

Nice thanks! :D

Well I was thinking about setting their shell to sftp, wouldn't that work as well?
"The best place to hide a tree, is in a forest"

intern3t
Fame ! Where are the chicks?!
Posts: 119
Joined: 18 Aug 2010, 02:06

Post by intern3t »

yea, I have searched for this before and I found this link useful:

http://www.felipecruz.com/blog_restricte-linux-users-to-their-home.php

Post by bad_brain »

@cats
yep, that's what is actually described in the 2nd link, so it's not really "disallowing SSH" as I wrote, just the effect is the same so my expression was not really precise...:)

Post by ayu »

bad_brain wrote:@cats
yep, that's what is actually described in the 2nd link, so it's not really "disallowing SSH" as I wrote, just the effect is the same so my expression was not really precise...:)

Ah ok! :D

Thanks, both of you ;)
Have been working on the xmpp server all day so didn't have time to fix my file server, but I will do that tomorrow instead :)
"The best place to hide a tree, is in a forest"

Post by ayu »

bad_brain wrote:chroot is what you are looking for, here's a quick howto:
http://www.howtoforge.com/chrooted-ssh- ... bian-lenny

of course people can still log in via SSH then, so you would have to chroot that too, which is a little more work, but in case you only want them to have SFTP access (which I assume) disallow shell logins:
http://www.debian-administration.org/articles/94

:wink:

hmmm ... :-k

If I jail the users to their home folders so that they can't see each other's files, including the system ... how will I make it so that they all can visit the "public" folder?
You see, outside of all the user folders, there is one "public" folder that they all are supposed to be able to access.
Will a simple link be sufficient in each user directory?

EDIT: I tried that method to jail just one user to his home directory (just as a test), but he can still go outside of his folder and look around the system as he pleases =/
Can anyone try this method and confirm it maybe?

EDIT: Been trying this on: http://www.debian-administration.org/articles/590 but I can't seem to understand how he is doing it.
As far as I understand, he sets the home directory of the user "user" to / and then the chroot directory to /home/user, but the /home/user is owned by root?
When I do this, by setting the user's home to / and the chroot dir to /mnt/fileserver/users/user it only takes the user to /, and nothing else =/
"The best place to hide a tree, is in a forest"

Post by ayu »

oook, I managed to get it working now :D (the match rule in /etc/ssh/sshd_conf was missing, even though I am sure I added it).

But now I have a new problem :P
The chroot directory, which in this case is the user's own home directory "must" be owned by root.
Why is this? I mean, this way the user won't own his own directory, so is there no other way to solve this?
Or it has to be that root owns all of the users' directories?
Do I have to set the user's directory to 777 for the user to be able to edit it?
"The best place to hide a tree, is in a forest"

Post by bad_brain »

well, the user only works inside the home directory, so he can't cd .. anyway to edit the home directory permissions. if he could access the permissions for his own home directory it would mean he could see the home directories of the other users too (by name).
so leave it that way, it's like it should be...;)
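
Added example (not part of the thread and not code from any of the posters): a shell check for the root-ownership rule discussed above. sshd refuses a ChrootDirectory unless every component of the path is owned by root and not writable by group or others. The group name sftponly, the files/ subdirectory and the OWNER_UID/TOP parameters are assumptions made for this example; GNU stat is required.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed sshd_config rule (the group
# name "sftponly" is hypothetical; the directives are standard OpenSSH ones):
#   Match Group sftponly
#       ChrootDirectory /mnt/fileserver/users/%u
#       ForceCommand internal-sftp
# Assumed layout: the chroot itself stays root:root mode 755, and the user
# gets a writable subdirectory inside it (e.g. files/), so 777 is not needed.
# A symlink to a shared "public" folder outside the jail cannot be followed
# from inside it; a bind mount into the jail is one way to expose it.

# check_chroot_path DIR [OWNER_UID] [TOP]
# Walks from DIR up to TOP (default /) and reports every component that is
# not owned by OWNER_UID (default 0 = root) or is group/other-writable.
# Returns 0 if the whole chain is acceptable, 1 on a violation, 2 if DIR is
# missing. OWNER_UID and TOP exist only so the check can be exercised in a
# scratch directory without root.
check_chroot_path() {
    owner=${2:-0}
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 2; }
    top=$(cd "${3:-/}" 2>/dev/null && pwd -P) || top=/
    rc=0
    while :; do
        # GNU stat: numeric owner uid and octal permission bits
        set -- $(stat -c '%u %a' "$p")
        uid=$1
        mode=$2
        if [ "$uid" != "$owner" ]; then
            echo "BAD owner uid=$uid: $p"
            rc=1
        fi
        # 022 = group-write | other-write
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD mode $mode (group/other writable): $p"
            rc=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# When run with arguments, check that path,
# e.g. sh check.sh /mnt/fileserver/users/user
if [ $# -gt 0 ]; then check_chroot_path "$@"; fi
```
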

Post by ayu »

bad_brain wrote:well, the user only works inside the home directory, so he can't cd .. anyway to edit the home directory permissions. if he could access the permissions for his own home directory it would mean he could see the home directories of the other users too (by name).
so leave it that way, it's like it should be...;)

Alright :-k
Will have another look at it tonight ^^
"The best place to hide a tree, is in a forest"

Post by ayu »

Alright, so I managed to allocate some time to set this up now :D
Will write a small tutorial soon.
"The best place to hide a tree, is in a forest"

Post by intern3t »

@cats. ok. we are waiting for your experiences

Post by ayu »

intern3t wrote:@cats. ok. we are waiting for your experiences

yup yup, will take a little while though before I can put together anything.
I have work all week so.
"The best place to hide a tree, is in a forest"
