On Tue, 2005-09-13 at 10:37 -0300, Leonardo Marques wrote:
> Hello people,
>
> I wanna how to lock a user in his home, he cannot see any other
> directory, just his home. Someone how can i do this?
>

Well, the problem here is that *NIX doesn't by default allow "users" to write to the "system" directories.

Now, if you are talking about other userdirs, then make sure the homedirs of those users are chmod 0700. That is the easiest way to keep him or her out of places he isn't supposed to be.

Now, for instance, I have a chmod of 0701 so that the Web-Server can get into the directory and serve the "website" dir that has the group of www-data and chmod 0740. This allows the webserver access to the place it KNOWS about but nothing else. Plus it keeps the other users from seeing anything.

/-- /home-- /user1-- /website-- /html /cgi-bin /otherstuff
/-- /home-- /user2-- /website-- /html /cgi-bin /otherstuff

Now, look at that structure. Where I start changing defaults is the userdir:

chown user1.user1 user1
chown user2.user2 user2
chmod 0701 user1 user2
chgrp -R www-data */website
chmod 0740 */website

This effectively allows the user to get into the dir... but see nothing.

Think this through and try to understand what I just told you. It worked very well for me to serve personal web-pages for the (14,000) student e-mail and webserver machine for 5 years. Using Debian Stable, it allowed me to upgrade through the various revisions, with Woody being the last one I updated to, before leaving the educational institution.

If you are worried about other things like /tmp and so on, I suggest you read into how the /tmp setup works. Also, most other things users can only execute or read (as far as the system is concerned) so it really makes your job harder (much harder) if you jail them. If you chroot them, the login shell cannot go anywhere up from there, but that forces you to put static executables in their homedir, significantly bloating your storage requirements.
--
greg, greg@gregfolkert.net

The technology that is Stronger, Better, Faster: Linux
Use Debian GNU/Linux, it's a bazaar thing.
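Added example, not part of the original message: one way to audit an existing /home tree against the 0700/0701 scheme described in the reply above. The function name audit_homes and its arguments are hypothetical; it assumes GNU stat (as on Debian) and a per-user "website" directory as in the layout shown.

```shell
#!/bin/sh
# audit_homes BASE [WEBGROUP]   (hypothetical helper, added example)
# Reports home directories whose mode is not 700 or 701, and "website"
# directories that grant bits to "other" or are not owned by WEBGROUP.
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_homes() {
    base=$1
    webgroup=${2:-www-data}      # group named in the message above
    findings=0
    for home in "$base"/*/; do
        [ -d "$home" ] || continue       # also skips an unmatched glob
        home=${home%/}
        mode=$(stat -c '%a' "$home")     # GNU stat: octal mode, e.g. 701
        case $mode in
            700|701) ;;                  # private, or search-only for others
            *)  echo "HOME $home mode=$mode (expected 700 or 701)"
                findings=$((findings + 1)) ;;
        esac

        site=$home/website
        [ -d "$site" ] || continue
        smode=$(stat -c '%a' "$site")
        sgroup=$(stat -c '%G' "$site")
        case $smode in
            *0) ;;                       # last octal digit 0: nothing for others
            *)  echo "SITE $site mode=$smode (bits set for other)"
                findings=$((findings + 1)) ;;
        esac
        if [ "$sgroup" != "$webgroup" ]; then
            echo "SITE $site group=$sgroup (expected $webgroup)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit_homes /home www-data
```

Run it as root so that stat can reach the website directories inside homes that are already locked down.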