Jail a user?


ChrisMartino

Hey there, so basically my problem is that I want to have a user but with VERY limited privileges. I don't want them to be able to do anything outside of their home directory, like using cd to access files that are outside of their home directory. I've read some things in tutorials about how you can jail them, but it requires you to clone /dev etc. to the folder that they're jailed in, but that isn't an option in my situation. Could somebody please help me out on this?

 

Thanks for your time.

Without creating a jail you'd need to deny the user permissions to the rest of the system manually. What is the actual problem?

 

Well, I'm creating a game hosting service (GSP), and I want to run the client's server under a user that jails them to the server's directory so that they can't run system commands etc., because you can upload plugins to the server that could cause some massive damage to the machine if they wanted to if I ran it under root. So I need to deny them access to anything except the folder they actually need.

Sorry if this sounds harsh, but if you really need to ask these questions there is no way you should be doing this. It WILL blow up in your face.

 

Anyway, you just need to make sure that all directories are only accessible by their owner. This generally means 700. Some directories however will need to be accessible by certain groups so you might need to use 770.

 

Really, for this sort of thing, creating home directory jails is the best option. If this isn't an option, you'll be up for a lot more work and the system will be a lot less secure, though people who know what they are doing can usually break out of a jail depending on what tools are available to them.

 

Are the users themselves going to have system accounts?

Sorry to say this thread almost reads like a who's on first base skit. And Thorpe is pretty much right.

 

Another thing you'll run into if you manually adjust all the permissions is that sadly some gadgets only like to run with the permissions 777 - if you don't know what that means Google is your friend, talk to Google. Anyway, that means the users will likely be able to see that file and change directory to any directory with 777 permissions. If there are any of these (often forum file upload directories and the like) be sure they're not web accessible - they reside above the web root or else they could dump a script in here as themselves but run it from the web with the same privileges as the web user/apache and could start spamming from your server or uploading files to it, many things. Otherwise... as secure as you make things they could still exploit some buffer overflow in the game server program and attempt to gain root access or access to your server's password files to download them and try to crack them. More reason to try to jail them.

 

Here's one man's attempt at a jail solution with brief discussion on its limitations:

http://www.felipecruz.com/blog_restricte-linux-users-to-their-home.php
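
An added example, not part of the original thread or any poster's code: a POSIX shell audit for the permission advice given in the replies above (directories at 700 or 770, with 777 directories as the risk). The function names are hypothetical, and the directory you pass in is your own hosting root.

```shell
# Added example (not from the thread). Function names are hypothetical.
# Usage: source this file, then run: audit_tree /path/to/hosting/root

# Directories that grant any read, write or search bit to "other" users,
# i.e. anything looser than the 700 / 770 modes recommended above.
other_accessible_dirs() {
    find "$1" -xdev -type d \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# World-writable directories without the sticky bit (plain 777): any local
# user can create, rename or delete entries inside them.
world_writable_no_sticky() {
    find "$1" -xdev -type d -perm -002 ! -perm -1000 -print
}

# Print both findings; return 0 only when the tree is clean.
audit_tree() {
    at_open=$(other_accessible_dirs "$1")
    at_risky=$(world_writable_no_sticky "$1")
    if [ -n "$at_open" ]; then
        printf 'Accessible to other users:\n%s\n' "$at_open"
    fi
    if [ -n "$at_risky" ]; then
        printf 'World-writable without sticky bit:\n%s\n' "$at_risky"
    fi
    [ -z "$at_open" ] && [ -z "$at_risky" ]
}
```

Run it as root so that directories the calling user cannot read are not silently skipped.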
