
Re: Keeping users in their own home directory



Mark McCulligh writes....
> 
> chmod will keep other users from viewing the files, but not from knowing
> they are there. My original goal was to keep users in their own home
> directory and don't let them view or edit system files. Using something like

By default, Linux is pretty good at locking down system files
that can be read.  NONE of them should be opened for edit.
What specific system files are you concerned with?

You can tighten up many of those that are open to read
if you need to.  And you can stop users from running programs
like 'nmap' or 'netstat' if you need to.  But I'm not sure why you would.

> chmod will only stop them from changing other users files.  But they still
> can back out of their own directory and go into someone else's directory.

By default, a user created with 'adduser' will be chmod 700.
Only root and the user can get to it.
Now....if the user has a website, the /home/joe_user/public_html
has to be open as does /home/joe_user.  So the file names there can be
seen, but not read/edited.  So I guess if joe_user has a file
in there called reasons.why.my.boss.fred.is.a.butthead, that might
cause a problem.  So joe_user might want to reconsider his file
naming convention, or stick them in a separate subdir.

Not to discourage you from doing what you asked how to do,
but can you give a specific example of a situation of what
has happened and why this is the solution?

I just think you might be spinning your wheels here.
And the cost may be your users.
In general, I WANT my users to become familiar with Linux/unix
and exploring around is encouraged.  (As long as they don't hurt
themselves and _I_ have to recover them.)  Locking them down
and making Linux a 'secret' will discourage that.

--JC

> 
> Mark.
> 
> ----- Original Message -----
> From: "Jay Crews" <jpc jaycrews com>
> To: <redhat-install-list redhat com>
> Sent: Sunday, September 21, 2003 4:12 PM
> Subject: Re: Keeping users in their own home directory
> 
> 
> > Mark McCulligh writes....
> > >
> > > I got rbash working with a lot of google searches, but it doesn't really
> > > stop users, plus disables the "cd" command. I want my user to be able to
> > > move through their own directories, just not outside of them.
> >
> > Just curious......but why do you want to do this?
> > Why not just chmod your files the way you want them?
> >
> > >
> > > Plus if a user knows where files are located on the system they can
> > > "more" or "vi" them.  Example: you can do a "more /etc/passwd" just
> > > fine. Or edit my httpd.conf file using vi. They can't execute anything
> > > but a user that knows a little about Linux can edit or view any of my
> > > files.
> > >
> > > From what I have found chroot may be what I am looking for. Can someone
> > > point me to a good tutorial on setting up chroot for ssh. Or can I
> > > custom configure rbash better.
> > >
> > > Thanks,
> > > Mark.
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Bob McClure Jr" <robertmcclure earthlink net>
> > > To: <redhat-install-list redhat com>
> > > Sent: Friday, September 19, 2003 7:41 PM
> > > Subject: Re: Keeping users in their own home directory
> > >
> > >
> > > > On Fri, Sep 19, 2003 at 07:28:46PM -0400, Tim Currie wrote:
> > > > > ...and if you do "/bin/bash -r" you get all sorts of bizarre
> > > > > behaviour like:
> > > > >
> > > > > (hamster:~)
> > > > > root $ bash -r
> > > > > bash: SHELL: readonly variable
> > > > > bash: PATH: readonly variable
> > > > > bash: BASH_ENV: readonly variable
> > > > > bash: id: No such file or directory
> > > > > bash: id: No such file or directory
> > > > > bash: id: No such file or directory
> > > > > bash: [: too many arguments
> > > > > bash: tput: No such file or directory
> > > > > bash: tput: No such file or directory
> > > > > bash: wc: No such file or directory
> > > > > bash: [: : integer expression expected
> > > > > bash: dircolors: No such file or directory
> > > > > bash: cut: No such file or directory
> > > > > bash: cut: No such file or directory
> > > > > (hamster:~)
> > > > > root $ ls
> > > > > bash: ls: No such file or directory
> > > > > (hamster:~)
> > > > > root $ pwd
> > > > > /root
> > > > > (hamster:~)
> > > > > root $ ls -la
> > > > > bash: ls: No such file or directory
> > > > > (hamster:~)
> > > > > root $ /bin/ls
> > > > > bash: /bin/ls: restricted: cannot specify `/' in command names
> > > > > (hamster:~)
> > > > > root $
> > > > >
> > > > > Isn't there a way to use chroot to do this?
> > > > >
> > > > > -Tim
> > > >
> > > > Yeah, but then you have to provide a usr/bin usr/lib and other cats
> > > > and dogs for the chrooted environment.  Not practical.
> > > >
> > > > According to the bash man page, there is supposedly a thing called
> > > > "rbash" that is the equivalent of "bash -r", but I've not found it on
> > > > my system.  Try hard-linking (or sym-linking, I don't think it
> > > > matters) /bin/bash to /bin/rbash, and make /bin/rbash the shell and
> > > > see what that does.
> > > >
> > > > Cheers,
> > > > --
> > > > Bob McClure, Jr.             Bobcat Open Systems, Inc.
> > > > robertmcclure earthlink net  http://www.bobcatos.com
> > > > Pessimists need a kick in the can'ts.
> > > >
> > > >
> > > > _______________________________________________
> > > > Redhat-install-list mailing list
> > > > Redhat-install-list redhat com
> > > > https://www.redhat.com/mailman/listinfo/redhat-install-list
> > > > To Unsubscribe Go To ABOVE URL or send a message to:
> > > > redhat-install-list-request redhat com
> > > > Subject: unsubscribe
> > > >
> > >
> > >
> > >
> >
> >
> > -- Jay Crews
> > jpc jaycrews com
> >
> >
> >
> 
> 
> 


-- Jay Crews
jpc jaycrews com
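The permission point JC makes above (a 700 home is private, but a home that has to be open for public_html exposes file names) can be checked across a whole /home with a short POSIX sh audit. This is an added example, not code from the thread or the list; it assumes GNU or BSD stat, and the home directories it is run against are constructed in the test with mktemp.

```shell
#!/bin/sh
# Added example, not from the thread: classify each home directory under a
# parent by what the "other" permission bits let non-owners do.
# Assumes GNU stat (-c) or BSD stat (-f) and a POSIX shell.

# Octal mode of a path, e.g. 700 or 2755 (GNU stat first, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Last octal digit = bits for users who are neither the owner nor in the group.
other_digit() {
    m=$(mode_of "$1")
    printf '%s\n' "${m#"${m%?}"}"
}

# private:     others can neither list nor enter the directory (700, 750)
# traversable: others can enter but not list it (711, 751); a file inside is
#              reachable only by someone who already knows its exact path
# listable:    others can read the directory, so every file name is visible
home_class() {
    case $(other_digit "$1") in
        4|5|6|7) echo listable ;;
        1|3)     echo traversable ;;
        *)       echo private ;;
    esac
}

# One line per home directory under $1: mode, classification, path.
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        printf '%s %-11s %s\n' "$(mode_of "$d")" "$(home_class "$d")" "$d"
    done
}
```

A home left at 711 instead of 755 still lets the web server walk into public_html, but the file names JC's joe_user example worries about are no longer visible to other users.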



