
Re: How to lock user in his home.



On Tue, 2005-09-13 at 10:37 -0300, Leonardo Marques wrote:
> Hello people,
> 
> I want to know how to lock a user in his home so he cannot see any other
> directory, just his home. Does someone know how I can do this?
> 

Well, the problem here is that *NIX doesn't by default allow "users" to
write to the "system" directories.

Now, if you are talking about other userdirs, then make sure that the
homedirs of those users are chmod 0700. That is the easiest way to keep
him or her out of places he isn't supposed to be.

Now, for instance, I have a chmod of 0701 so that the Web-Server can get
into the directory and serve the "website" dir that has the group of
www-data and chmod 0740. This allows the webserver access to places it
KNOWS about but nothing else. Plus it keeps the other users from seeing
anything.


/--
  /home--
        /user1--
               /website--
                        /html
                        /cgi-bin
                        /otherstuff
/--
  /home--
        /user2--
               /website--
                        /html
                        /cgi-bin
                        /otherstuff
Now, look at that structure.

Where I start changing defaults is the userdir:

        # each user owns his own home directory
        chown user1:user1 user1
        chown user2:user2 user2
        # 0701: owner has full access, everyone else may only traverse, not list
        chmod 0701 user1 user2
        # hand the website subtree to the web server's group (-R = recursive)
        chgrp -R www-data */website
        chmod 0740 */website

This effectively allows the user to get into the dir... but see nothing.


Think this through and try to understand what I just told you. It worked
very well for me to serve personal web-pages for the (14,000) student
e-mail and webserver machine for 5 years. Using Debian Stable, it
allowed me to upgrade through the various revisions, with Woody being
the last one I updated to, before leaving the educational institution.

If you are worried about other things like /tmp and so on, I suggest you
read up on how the /tmp setup works. Also, most other things users can
only execute or read (as far as the system is concerned), so it really
makes your job harder (much harder) if you jail them. If you chroot
them, the login shell cannot go anywhere up from there, but that forces
you to put static executables in their homedir, significantly bloating
your storage requirements.
-- 
greg, greg@gregfolkert.net

The technology that is 
Stronger, Better, Faster: Linux

Use Debian GNU/Linux, it's a bazaar thing.
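An added example, not part of the mail above: a small audit that checks home directories for the 0700/0701 layout greg describes (other users get at most the traverse bit) and tightens any that stray from it. It runs against a constructed temporary tree; the user names and modes in it are made up for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Bits a home directory may carry under the 0700/0701 scheme: full owner
# access plus, optionally, the "other" execute (traverse) bit so a daemon
# such as a web server can reach a subdirectory it already knows about.
ALLOWED_HOME_BITS = 0o701


def home_dir_issues(home_root):
    """Return {name: mode} for each directory directly under home_root
    whose permission bits go beyond ALLOWED_HOME_BITS (group or other
    read/write, or group execute)."""
    issues = {}
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        if os.path.islink(path) or not os.path.isdir(path):
            continue
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & ~ALLOWED_HOME_BITS:
            issues[name] = mode
    return issues


def lock_down(home_root):
    """Reset every offending home directory to 0701 and return the names
    that were changed (the same fix the mail applies with chmod 0701)."""
    changed = sorted(home_dir_issues(home_root))
    for name in changed:
        os.chmod(os.path.join(home_root, name), 0o701)
    return changed


def build_sample_home():
    """Constructed sample /home: user1 follows the 0701 layout, user2 is
    0700, user3 was left at the traditional world-readable 0755."""
    root = tempfile.mkdtemp(prefix="home-")
    for user, mode in (("user1", 0o701), ("user2", 0o700), ("user3", 0o755)):
        path = os.path.join(root, user)
        os.mkdir(path)
        os.chmod(path, mode)
    return root


def demo():
    """Audit the sample tree, fix it, re-audit; returns (before, fixed, after)."""
    root = build_sample_home()
    try:
        before = home_dir_issues(root)
        fixed = lock_down(root)
        after = home_dir_issues(root)
    finally:
        shutil.rmtree(root)
    return before, fixed, after


if __name__ == "__main__":
    print(demo())
```

The same check run against a real /home on Debian would flag any home left at the older 0755 default, which is the case greg's chmod 0700/0701 step is meant to close.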


