how to restrict the user not to use cd to higher level folders

Post by Ravi Nandibhat » Thu, 04 Apr 2002 17:26:36



Hello,

I would like to create a user in such a way that the user should not
be allowed to see the folders which are at higher level than his home
directory. One option is to give the login shell 'rsh'. But that
restricts the user from moving the folders under his home directory
too. I don't want that. I want to restrict him only to the folders
which are not in his HOME directory.

For Example:  if the user home directory is : /home/users/abcd

I would like to restrict that user to that particular folder
/home/users/abcd and its descendants only.

Please let me know if you have a solution to this.

Thanks in advance,
Ravi Nandibhatla.
India.

 
 
 


Post by Tapani Tarvaine » Thu, 04 Apr 2002 22:29:21



> I would like to create a user in such a way that the user should not
> be allowed to see the folders which are at higher level than his home
> directory. One option is to give the login shell 'rsh'. But that
> restricts the user from moving the folders under his home directory
> too. I don't want that. I want to restrict him only to the folders
> which are not in his HOME directory.

> For Example:  if the user home directory is : /home/users/abcd

> I would like to restrict that user to that particular folder
> /home/users/abcd and its descendants only.

> Please let me know if you have a solution to this.

You don't really want to do that. Trust me. It will
break too many things.

Having said that, yes, it can be done if you insist, but first I'd
suggest you consider what you actually need. Do you really need to
keep the user away from _all_ other directories, including /tmp &c, or
would a bit less drastic action suffice?  (E.g., preventing cd to /tmp
or /var/tmp will break a surprising number of programs, but keeping
users away from each others' home directories is no problem.)

Anyway, there are three approaches I can think of:

(1) Build a chroot() jail for the user. This is probably the
safest way, but it's a major pain to set up if the user needs
to do anything much at all.

(2) Write a custom shell (or customize an existing one) - AND make
sure all utilities that allow opening files (editors &c) available are
also restricted in a similar fashion. This is probably impossible in
practice, unless you can restrict the user to just a few utilities.

(3) Change permissions in all directories the user should not get
into. For directories (s)he along the way to permissible ones
(including ones containing executable programs) you should leave just
x bit on, for the rest you can omit even that. If you really want
to hide all system directories you'll have to work hard to determine
which ones can be safely changed, but for example other users'
home directories can be hidden easily enough.
This will of course affect all users, not just one. You could,
however, use group permissions (or ACLs if your system has them) to
give some more rights.

--
Tapani Tarvainen
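
Added example (not part of the post above): a POSIX shell audit for approach (3). It reads the "other" permission bits of every directory above a home directory and of the sibling homes, so an administrator can see which ones an unrelated user can list, merely pass through, or not enter at all. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: names and layout are assumptions, not from the thread.

# Print the three "other" permission characters of a directory, e.g. "--x".
other_perms() {
    ls -ld -- "$1" | cut -c8-10
}

# Classify one directory from the point of view of an unrelated user.
classify() {
    case "$(other_perms "$1")" in
        r??)     echo "LISTABLE" ;;       # file names inside are visible
        -?x|-?t) echo "TRAVERSE-ONLY" ;;  # can pass through, cannot list
        *)       echo "BLOCKED" ;;        # cannot even pass through
    esac
}

# Walk from HOME's parent up to TOP and report each ancestor directory.
audit_ancestors() {
    top=$1
    dir=$(dirname -- "$2")
    while :; do
        printf '%s %s\n' "$(classify "$dir")" "$dir"
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname -- "$dir")
    done
}

# Report home directories under PARENT that other users can list or enter.
audit_siblings() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        case "$(other_perms "$d")" in
            ---) ;;                       # hidden from other users
            *)   echo "OPEN $d" ;;
        esac
    done
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/users/abcd" "$t/home/users/efgh"
    chmod 755 "$t"
    chmod 711 "$t/home" "$t/home/users"   # x only: traversable, not listable
    chmod 700 "$t/home/users/abcd"        # private home
    chmod 755 "$t/home/users/efgh"        # home left open to others
    echo "$t"
}
```

On a real system, `audit_ancestors / /home/users/abcd` and `audit_siblings /home/users` give the same report for the layout in the question.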

 
 
 


Post by Jeremiah DeWitt Weine » Fri, 05 Apr 2002 02:01:02



> You don't really want to do that. Trust me. It will
> break too many things.
> Having said that, yes, it can be done if you insist, but first I'd
> suggest you consider what you actually need.

I agree.  This seems to be something of an FAQ, but people almost
never say _why_ they want this.  Are they afraid somebody is going to cd
into /usr/bin?  If they don't want users seeing each others' data,
permissions can take care of that.  It is annoying that rbash|rksh won't
let you cd into directories under your home directory, though.

JDW

--
If mail to me bounces, try removing the "+STRING" part of the address.

 
 
 


Post by Dwai Lahir » Fri, 05 Apr 2002 02:03:27



> Hello,

> I would like to create a user in such a way that the user should not be
> allowed to see the folders which are at higher level than his home
> directory. One option is to give the login shell 'rsh'. But that
> restricts the user from moving the folders under his home directory too.
> I don't want that. I want to restrict him only to the folders which are
> not in his HOME directory.

> For Example:  if the user home directory is : /home/users/abcd

> I would like to restrict that user to that particular folder
> /home/users/abcd and its descendants only.

> Please let me know if you have a solution to this.

> Thanks in advance,
> Ravi Nandibhatla.
> India.

I remember having installed pretty much a virtual OS in a chroot prison
(copying the libraries, system utilities (/bin, /sbin, etc.) into the chroot
jail).
When the user would get into the chroot jail, he would have simplistic
functionality (like a virtual machine) and wouldn't be able to do too
much harm.
Only problem is that it is too time consuming and I'm not sure if your
scenario would be aptly answered with this.
 
 
 


Post by mars » Fri, 05 Apr 2002 04:06:58



> Hello,

> I would like to create a user in such a way that the user should not
> be allowed to see the folders which are at higher level than his home
> directory. One option is to give the login shell 'rsh'. But that
> restricts the user from moving the folders under his home directory
> too. I don't want that. I want to restrict him only to the folders
> which are not in his HOME directory.

> For Example:  if the user home directory is : /home/users/abcd

> I would like to restrict that user to that particular folder
> /home/users/abcd and its descendants only.

> Please let me know if you have a solution to this.

> Thanks in advance,
> Ravi Nandibhatla.
> India.

How about bash -r as their shell?