Directory caging (or similar)...probably a simple question

[dantillberg]

Hi

 

I am running a small Redhat 9 Linux system for a home network, with a very basic setup, i. e. no NIS, no shadowing of the /etc/passwd etc. Reasonable level of security with no root login, iptables and such simple measures.

 

So far I have only granted my own user account access to login via ssh or file transfer via scp. Other users (mail users) have been disallowed to login by setting the shell in /etc/passwd to /sbin/nologin.

 

Now I need to create an account for a person, so that he can upload files via scp. I have concluded that I can't use /sbin/nologin for this account so I need to state a shell.

 

To create the user and give scp access is no problem, but my small but very annoying problem is that when loggin into this account with a scp client, there seems to be no restriction for where I can walk in the directory hierarchy.

 

I want to configure it so that the user can not go "up" in the hierarchy if he is in is $HOME directory. Only access his own subfolders.

 

I have surfed around on the net for a simple instruction on how to do this (can't really be rocket science?!) but to my big surprise I haven't found anything. At least not a simple way to do it and certainly no good step-by-step instruction.

 

I guess that if finding a way to do this when accessing the user $HOME directory, it would have the same effect as is the user logged in via ssh. That would certainly be an advantage, otherwise I would be happy to learn also how to do that since I can not restrict shell login with the /sbin/nologin dummy shell.

 

Thanks

/D

 

 

 

[steviewdr]

Take a look at scponly. It works well for me. I'm not sure can you disallow upward directory traversal though. Its worth a look. Its on apt in Debian and ubuntu. There might be a handy rpm for redhat.

 

-steve

[trq]

I think what your after is a 'chroot jail'. Google should find you plenty of scripts.

 

This basically makes the users $HOME directory look like a little system. You need to place the commands you want users to have access to within the chroot, but it will prevent them from leaving this directory.