Restricting users to their folders
This is related to my previous thread about sftp folder size limits per user.
Is it possible to also make it so that the users can't leave their folders?
As in, make it so that they can't cd into another user's folder and see what files they have?
I mean even with low permissions, you can usually list files in a folder.
or maybe "chmod 700" would be sufficient on the user folders?
"The best place to hide a tree, is in a forest"
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- 19
- Location: In your eye floaters.
- Contact:
Re: Restricting users to their folders
chroot is what you are looking for, here's a quick howto:
http://www.howtoforge.com/chrooted-ssh- ... bian-lenny
of course people can still log in via SSH then, so you would have to chroot that too, which is a little more work, but in case you only want them to have SFTP access (which I assume) disallow shell logins:
http://www.debian-administration.org/articles/94
Re: Restricting users to their folders
Nice thanks!
bad_brain wrote:chroot is what you are looking for, here's a quick howto:
http://www.howtoforge.com/chrooted-ssh- ... bian-lenny
of course people can still log in via SSH then, so you would have to chroot that too, which is a little more work, but in case you only want them to have SFTP access (which I assume) disallow shell logins:
http://www.debian-administration.org/articles/94
Well I was thinking about setting their shell to sftp, wouldn't that work as well?
"The best place to hide a tree, is in a forest"
Re: Restricting users to their folders
yea, I have searched for this before and I found this link useful:
http://www.felipecruz.com/blog_restricte-linux-users-to-their-home.php
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- 19
- Location: In your eye floaters.
- Contact:
Re: Restricting users to their folders
@cats
yep, that's what is actually described in the 2nd link, so it's not really "disallowing SSH" as I wrote, just the effect is the same so my expression was not really precise...
Re: Restricting users to their folders
bad_brain wrote:@cats
yep, that's what is actually described in the 2nd link, so it's not really "disallowing SSH" as I wrote, just the effect is the same so my expression was not really precise...
Ah ok!
Thanks, both of you
Have been working on the xmpp server all day so didn't have time to fix my file server, but I will do that tomorrow instead
"The best place to hide a tree, is in a forest"
Re: Restricting users to their folders
bad_brain wrote:chroot is what you are looking for, here's a quick howto:
http://www.howtoforge.com/chrooted-ssh- ... bian-lenny
of course people can still log in via SSH then, so you would have to chroot that too, which is a little more work, but in case you only want them to have SFTP access (which I assume) disallow shell logins:
http://www.debian-administration.org/articles/94
hmmm ...
If I jail the users to their home folders so that they can't see each others files, including the system ... how will I make it so that they all can visit the "public" folder.
You see, outside of all the user folders, there is one "public" folder that they all are supposed to be able to access.
Will a simple link be sufficient in each user directory?
EDIT: I tried that method to jail just one user to his home directory (just as a test), but he can still go outside of his folder and look around the system as he pleases =/
Can anyone try this method and confirm it maybe?
EDIT: Been trying this on: http://www.debian-administration.org/articles/590 but I can't seem to understand how he is doing it.
As far as I understand, he sets the home directory of the user "user" to / and then the chroot directory to /home/user, but the /home/user is owned by root?
When I do this, by setting the user's home to / and the chroot dir to /mnt/fileserver/users/user, it only takes the user to /, and nothing else =/
"The best place to hide a tree, is in a forest"
Re: Restricting users to their folders
oook, I managed to get it working now (the match rule in /etc/ssh/sshd_conf was missing, even though I am sure I added it).
But now I have a new problem
The chroot directory, which in this case is the user's own home directory, "must" be owned by root.
Why is this? I mean, this way the user won't own his own directory, so is there no other way to solve this?
Or does it have to be that root owns all of the users' directories?
Do I have to set the user's directory to 777 for the user to be able to edit it?
"The best place to hide a tree, is in a forest"
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- 19
- Location: In your eye floaters.
- Contact:
Re: Restricting users to their folders
well, the user only works inside the home directory, so he can't cd .. anyway to edit the home directory permissions. if he could access the permissions for his own home directory it would mean he could see the home directories of the other users too (by name).
so leave it that way, it's like it should be...
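Added example, not part of the thread: sshd refuses a ChrootDirectory unless every component of the path is a root-owned directory that is not writable by group or others, so the usual layout is a root-owned jail with a user-owned subdirectory inside it rather than mode 777. The script below audits such a path; the user name `alice`, the `upload` subdirectory and the `sftponly` group are assumptions, and GNU `stat`/`find` are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat/find, as on Debian.
# Constructed layout, modelled on the path mentioned in the thread:
#   /mnt/fileserver/users/alice          root:root  755  <- ChrootDirectory
#   /mnt/fileserver/users/alice/upload   alice      755  <- user writes here
# Matching sshd_config stanza (group name "sftponly" is an assumption):
#   Match Group sftponly
#       ChrootDirectory /mnt/fileserver/users/%u
#       ForceCommand internal-sftp

# check_chroot_path PATH [OWNER_UID] [TOP]
# Walk from PATH up to TOP (default /) and fail on the first component that
# is not a directory, is not owned by OWNER_UID (default 0), or is writable
# by group or others. OWNER_UID and TOP let the check be tried unprivileged.
check_chroot_path() (
    path=$1; owner=${2:-0}; top=${3:-/}
    dir=$path
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"; exit 1
        fi
        set -- $(stat -c '%u %a' "$dir")      # $1 = owner uid, $2 = octal mode
        if [ "$1" != "$owner" ]; then
            echo "FAIL $dir: owned by uid $1, expected $owner"; exit 1
        fi
        if [ $(( 0$2 & 022 )) -ne 0 ]; then   # 020 = group write, 002 = other write
            echo "FAIL $dir: mode $2 is writable by group or others"; exit 1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo "OK $path"
)

# writable_subdirs CHROOT USER_UID
# List the directories directly under CHROOT that USER_UID owns, i.e. the
# places where the jailed user can actually create files.
writable_subdirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -user "$2"
}
```

Run as root against the real tree, for example `check_chroot_path /mnt/fileserver/users/alice`, then `writable_subdirs` with the user's numeric uid to confirm there is somewhere to upload to.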
Re: Restricting users to their folders
bad_brain wrote:well, the user only works inside the home directory, so he can't cd .. anyway to edit the home directory permissions. if he could access the permissions for his own home directory it would mean he could see the home directories of the other users too (by name).
so leave it that way, it's like it should be...
Alright
Will have another look at it tonight ^^
"The best place to hide a tree, is in a forest"
Re: Restricting users to their folders
Alright, so I managed to allocate some time to set this up now
Will write a small tutorial soon.
"The best place to hide a tree, is in a forest"
Re: Restricting users to their folders
@cats. ok. we are waiting for your experiences
Re: Restricting users to their folders
intern3t wrote:@cats. ok. we are waiting for your experiences
yup yup, will take a little while though before I can put together anything.
I have work all week so.
"The best place to hide a tree, is in a forest"