> I would like to create a user in such a way that the user should not
> be allowed to see the folders which are at higher level than his home
> directory. One option is to give the login shell 'rsh'. But that
> restricts the user from moving the folders under his home directory
> too. I don't want that. I want to restrict him only to the folders
> which are not in his HOME directory.
> For Example: if the user home directory is : /home/users/abcd
> I would like to restrict that user to that particular folder
> /home/users/abcd and its descendants only.
> Please let me know if you have a solution to this.
You don't really want to do that. Trust me. It will
break too many things.
Having said that, yes, it can be done if you insist, but first I'd
suggest you consider what you actually need. Do you really need to
keep the user away from _all_ other directories, including /tmp &c, or
would a bit less drastic action suffice? (E.g., preventing cd to /tmp
or /var/tmp will break a surprising number of programs, but keeping
users away from each others' home directories is no problem.)
Anyway, there are three approaches I can think of:
(1) Build a chroot() jail for the user. This is probably the
safest way, but it's a major pain to set up if the user needs
to do anything much at all.
(2) Write a custom shell (or customize an existing one) - AND make
sure all utilities that allow opening files (editors &c) available are
also restricted in a similar fashion. This is probably impossible in
practice, unless you can restrict the user to just a few utilities.
(3) Change permissions in all directories the user should not get
into. For directories (s)he passes along the way to permissible ones
(including ones containing executable programs) you should leave just
x bit on, for the rest you can omit even that. If you really want
to hide all system directories you'll have to work hard to determine
which ones can be safely changed, but for example other users'
home directories can be hidden easily enough.
This will of course affect all users, not just one. You could,
however, use group permissions (or ACLs if your system has them) to
give some more rights.
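
Approach (3), as an added example that is not part of the original reply: it leaves only the x (search) bit for "other" on the directories leading to one home directory and removes all "other" access from sibling homes. The function names are hypothetical, paths are assumed to be normalized (no trailing slash or ".."), and everything runs on a constructed tree under mktemp rather than on real system directories.

```sh
#!/bin/sh
# Print the "other" permission triplet of a directory, e.g. "--x" or "---".
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# traverse_only BASE HOME: on every directory from HOME's parent up to and
# including BASE, leave "other" with the search (x) bit only, so the path
# can be walked through but not listed.
traverse_only() {
    case $2 in
        "$1"/*) ;;
        *) echo "traverse_only: $2 is not below $1" >&2; return 1 ;;
    esac
    dir=$(dirname "$2")
    while :; do
        chmod o=x "$dir"
        if [ "$dir" = "$1" ]; then break; fi
        dir=$(dirname "$dir")
    done
}

# hide_siblings HOME: remove all "other" access from every directory that
# sits next to HOME (the other users' home directories).
hide_siblings() {
    for d in "$(dirname "$1")"/*/; do
        d=${d%/}
        if [ "$d" != "$1" ]; then chmod o= "$d"; fi
    done
}

# demo ROOT: build a constructed tree under ROOT, apply both steps and
# print the resulting "other" bits for each directory.
demo() {
    mkdir -p "$1/home/users/abcd" "$1/home/users/efgh"
    set -- "$1" "$1/home" "$1/home/users" "$1/home/users/abcd" "$1/home/users/efgh"
    chmod 755 "$@"
    traverse_only "$1" "$4" && hide_siblings "$4"
    for d in "$@"; do
        printf '%s  %s/\n' "$(other_perms "$d")" "${d#"$1"}"
    done
}

# Stand-alone run on a throwaway directory.
root=$(mktemp -d) && demo "$root" && rm -rf "$root"
```

Only the "other" bits are changed, so owner and group permissions stay as they were and a group can still be used to give some users more rights.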