[Wolves] Re: Restricting Users

Ron Wellsted ron at wellsted.org.uk
Sun Dec 12 11:42:54 GMT 2004


On Sun, 2004-12-12 at 11:35 +0000, Simon Burke wrote:
> On Sun, 12 Dec 2004 11:16:00 +0000, Simon Burke <simon.burke at gmail.com> wrote:
> > On Sun, 12 Dec 2004 11:02:34 +0000, Simon Burke <simon.burke at gmail.com> wrote:
> > 
> > 
> > > Bit of a weird question.
> > >
> > > I'm messing around a bit with my Linux machine (Ubuntu, also the
> > > Mrs' machine).
> > > Anyway, does anyone know if it is possible to restrict users, as far as
> > > not permitting them to leave their /home/$USER dir (i.e. they can
> > > navigate around the directories in their home directory but not go
> > > above their /home/$USER directory).
> > >
> > > I mean they can go
> > > /home/$USER/, /home/$USER/foo etc.
> > >
> > > but they can't go /home, /etc, /usr et al.
> > >
> > > Also, is it possible to restrict the commands they can use, like stop
> > > them from using df (as an example)?
> > > --
> > > There's no place like ::1
> > >
> > > Thanks,
> > > SimonB
> > > 
> > OK, I'll do a bit of explaining. This is so I can sftp to my machine
> > and if someone gets my password and username they can't do damage.
> > AFAIK for the directory issue I would have to chroot sftp sessions,
> > which I'm looking for a how-to on at the moment as I'd want it chrooted
> > to a non-root user. The man page for chroot is still a bit cryptic to
> > me so I'm looking for a how-to at the moment.
> > 
> > The command restriction in this situation is primarily for ssh also;
> > is it possible to allow sftp sessions but not ssh ones?
> > 
> > 
> OK, I figured it all out. The command bit isn't that hard, it's just a
> case of not copying over the relevant commands to /home/$USER/bin/ and
> making sure that the copied commands are not suid. OK, that was a waste
> of time answering my own query, but one thing still remains: breaking
> out of chroot. Is it possible to stop this?

Try specifying "/bin/bash -r" as the user's shell in /etc/passwd. This
will force a restricted shell with many commands like cd etc. disabled
or very restricted.

-- 
Ron Wellsted
http://www.wellsted.org.uk
ron at wellsted.org.uk
N 52.567623, W 2.137621