Jump to content

Directory caging (or similar)...probably a simple question


Recommended Posts

Hi

 

I am running a small Redhat 9 Linux system for a home network, with a very basic setup, i. e. no NIS, no shadowing of the /etc/passwd etc. Reasonable level of security with no root login, iptables and such simple measures.

 

So far I have only granted my own user account access to login via ssh or file transfer via scp. Other users (mail users) have been disallowed to login by setting the shell in /etc/passwd to /sbin/nologin.

 

Now I need to create an account for a person, so that he can upload files via scp. I have concluded that I can't use /sbin/nologin for this account so I need to state a shell.

 

To create the user and give scp access is no problem, but my small but very annoying problem is that when loggin into this account with a scp client, there seems to be no restriction for where I can walk in the directory hierarchy.

 

I want to configure it so that the user can not go "up" in the hierarchy if he is in is $HOME directory. Only access his own subfolders.

 

I have surfed around on the net for a simple instruction on how to do this (can't really be rocket science?!) but to my big surprise I haven't found anything. At least not a simple way to do it and certainly no good step-by-step instruction.

 

I guess that if finding a way to do this when accessing the user $HOME directory, it would have the same effect as is the user logged in via ssh. That would certainly be an advantage, otherwise I would be happy to learn also how to do that since I can not restrict shell login with the /sbin/nologin dummy shell.

 

Thanks

/D

 

 

 

Take a look at scponly. It works well for me. I'm not sure can you disallow upward directory traversal though. Its worth a look. Its on apt in Debian and ubuntu. There might be a handy rpm for redhat.

 

-steve

I think what your after is a 'chroot jail'. Google should find you plenty of scripts.

 

This basically makes the users $HOME directory look like a little system. You need to place the commands you want users to have access to within the chroot, but it will prevent them from leaving this directory.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.