|Setting user permissions|
Users can only see files in their home directory
Is it possible to setup a user account on a Linux box, so that when that user logs in via SSH (or FTP) they can only access files in their home directory?
I assume this is just a simple permissions thing? Is there an easy way to do it, or do I need to manually set all the other directories on the server?
When you're already mantioning FTP, why dont you simply make a new FTP acccount with certain dir and he can use that given dir, no need to play with ownership. I find that the easiest solution.
Anyways, for changing permissions, all you need to do is put that user in the users group, or create a special group so they can only see that certain dir.
Or simply use "chown" and "chmod" to assign correct permissions for that user.
|why dont you simply make a new FTP acccount with certain dir |
User needs SSH access.
|Anyways, for changing permissions, all you need to do is put that user in the users group, or create a special group so they can only see that certain dir. |
Ah, groups. OK, thanks I go take a look at setting one of those up.
What you're looking for is a chroot. That way, when the user logs in, /home/username appears to be / to the user.
Most FTP servers will have a chroot option to lock users into their home directories.
SSH chroot is a little harder, SFTP/SCP chroot is a little easier than SSH, IIRC.
Google around for howtos for chroot'd SSHD.
Hi Matty - thanks.
I had a look around, and it does look a bit complex for SSH.
Is there not a simple way of doing this with permissions?
By default, most UNIX systems will not allow a user to modify another users' home directories.
But, the easiest way is when you create the user, is to put them in their own group. So, for example, user jedi would belong only to the group jedi. This way, the permissions for your home directory would look like:
drwxr-x--- 79 jedi jedi /home/jedi
If it doesn't look like that, but more like:
drwxr-xr-x 79 jedi jedi /home/jedi
Then that means that "other" (ie: everyone else) can read that directory.
So, what you'd do is:
chmod 750 /home/jedi
That will set the permissions properly.
Then let's say you make a user for me, called moose. You put me only into the moose group, and repeat the above steps. Because I'm not the user 'jedi' and I'm not in the group 'jedi', I'm part of the 'other' group, when it comes to reading the contents of your /home/jedi. It will block me with an access denied.
This won't stop users from seeing what's in /tmp and any other directories that are misconfigured, or are intentionally left open.
If you wanted to have moose and jedi be friends, and be allowed to write to each others' directories, you could create a new group, called "moosejedi", and make them both a part of the "moosejedi" group, change the group ownership of /home/jedi and /home/moose to:
drwxrwx--- 79 jedi moosejedi /home/jedi
drwxrwx--- 79 jedi moosejedi /home/moose
That way anyone that's a member of 'moosejedi' can write to those directories.
Things get a little more complicated once you start wanting to assign multiple group permissions to a single file or folder. That's where Extended ACLs [en.wikipedia.org] come into play, but not all filesystems and Operating Systems use them or understand them.
Hope that helped!
Heck Matt, it sure did!
Many thanks - I'll have a play with the moose group in the morning ;-)