[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [rhn-users] restrict user's browsing area

From: Charith Perera <cperera intertechmedia com>
To: rhn-users redhat com
Subject: Re: [rhn-users] restrict user's browsing area
Date: Sun, 5 Oct 2003 22:02:26 -0400

Michael,

I'm glad you asked this question, I had a similar situation a few weeks ago, 
and I found a solution that was close to what I wanted. But it might seem 
like overkill. So if someone can give a better suggestion, I'm all ears. In 
the mean time, this is what I did.

You can use "chroot" to "jail" the user to his home directory, so to the user, 
"$HOME" appears like "/" and so to him nothing exists outside of his home 
directory. To do this, I replaced his default shell with a bogus bash script 
that contins the following line:

sudo /usr/sbin/chroot $HOME /bin/bash

where $HOME is the user's home directory. As you can see, only the super user 
can issue a chroot command, so chroot must be called via sudo, which will 
allow the user to call specified commands. This must be setup in 
"/etc/sudoers" by adding a line as follows:

$username 	ALL = NOPASSWD : /usr/sbin/chroot $HOME /bin/bash

I think this means that $username may issue the command "/usr/sbin/chroot 
$HOME /bin/bash" on "ANY" host without a password. If I'm wrong, please let 
me know, as I'm sure this'll be a security issue. 

Now if you look back at the chroot command, "/bin/bash" must exist in the new 
environment, which will be $HOME/bin/bash. So you'll have to copy /bin/bash 
to this location. Furthermore, to execute this you'll need a few libraries, 
which you can find with "ldd /bin/bash", and copy them to the new 
environment, and set $PATH so they can be found. Repeat this for any other 
commands you want the user to be able to issue. You'll end up creating 
atleast a "/bin", "/lib", and "/etc" in the home directory.

Now, THIS MUST BE OVERKILL. Is there a simpler way?

Charith.

On Sunday 05 October 2003 21:22, Michael Lai wrote:
> Hi.  I have a webserver using Apache2.  I would like to create a virtual
> domain for a friend for his own personal use.  That in itself isn't a
> problem.  The issue is, I would like him to upload files using scp, perhaps
> with a client like WinSCP but in doing so, I would like to limit what he
> can see when he does connects through scp.  That is, I do not want him to
> be able to browse around elsewhere in my server; just his webserver
> document root.  Is this possible?
>
> Thanks,
> Michael.
>
>
> _______________________________________________
> rhn-users mailing list
> rhn-users redhat com
> https://www.redhat.com/mailman/listinfo/rhn-users

Follow-Ups:
- Re: [rhn-users] restrict user's browsing area
  - From: Michael Lai

References:
- Re: [rhn-users] up2date didn't
  - From: Les Bell
- [rhn-users] restrict user's browsing area
  - From: Michael Lai

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]