Linux, Unix, and *nix like Operating Systems Forum

    
Setting user permissions
Users can only see files in their home directory
trillianjedi




msg:909837
 3:12 pm on Sep 20, 2005 (gmt 0)

Is it possible to setup a user account on a Linux box, so that when that user logs in via SSH (or FTP) they can only access files in their home directory?

I assume this is just a simple permissions thing? Is there an easy way to do it, or do I need to manually set all the other directories on the server?

Thanks,

TJ

 

AbsintheSyringe




msg:909838
 3:56 pm on Sep 20, 2005 (gmt 0)

When you're already mentioning FTP, why don't you simply make a new FTP account with a certain dir and he can use that given dir, no need to play with ownership. I find that the easiest solution.

Anyways, for changing permissions, all you need to do is put that user in the users group, or create a special group so they can only see that certain dir.

Or simply use "chown" and "chmod" to assign correct permissions for that user.

trillianjedi




msg:909839
 4:05 pm on Sep 20, 2005 (gmt 0)

why don't you simply make a new FTP account with a certain dir

User needs SSH access.

Anyways, for changing permissions, all you need to do is put that user in the users group, or create a special group so they can only see that certain dir.

Ah, groups. OK, thanks, I'll go take a look at setting one of those up.

TJ

MattyMoose




msg:909840
 5:11 pm on Sep 20, 2005 (gmt 0)

What you're looking for is a chroot. That way, when the user logs in, /home/username appears to be / to the user.

Most FTP servers will have a chroot option to lock users into their home directories.

SSH chroot is a little harder; SFTP/SCP chroot is a little easier than SSH, IIRC.

Google around for howtos for chroot'd SSHD.

MM
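
Added example, not from the thread: the way current OpenSSH does the SFTP chroot Matt mentions (the ChrootDirectory option arrived in OpenSSH 4.9, well after this thread), plus the pre-flight check a practitioner wants before turning it on. sshd insists that the chroot directory and every directory above it are owned by root and not writable by group or other; if any component fails that rule the login is refused with "bad ownership or modes for chroot directory". The group name sftponly and the /home/%u layout are assumptions for this example, as are the function names.

```shell
#!/bin/sh
# Added example (not code from the thread). Two parts:
#  1. an sshd_config fragment that locks members of group "sftponly" into
#     their home directory for SFTP only (no shell, no forwarding);
#  2. a check for the ownership/mode rule sshd enforces on that path.
# Group name "sftponly" and the /home/%u layout are assumptions.

# Goes at the END of sshd_config: a Match block extends to the next Match.
# The chroot itself (/home/jedi) must be root-owned, so the user writes into
# a subdirectory they own, e.g. /home/jedi/files.
sshd_config_fragment() {
    cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# dir_entry_ok MODE UID -> 0 if one directory satisfies sshd's rule:
#   owner uid 0, group-write (column 6) clear, other-write (column 9) clear.
# MODE is the 10-character ls -l mode string, e.g. drwxr-xr-x.
dir_entry_ok() {
    mode=$1; uid=$2
    [ "$uid" = 0 ] || return 1
    case $(printf '%s' "$mode" | cut -c6) in w) return 1 ;; esac
    case $(printf '%s' "$mode" | cut -c9) in w) return 1 ;; esac
    return 0
}

# chroot_path_ok DIR -> 0 if DIR and every ancestor up to / pass
# dir_entry_ok; reports the first offending component on stderr.
# Uses only ls -ldn (numeric uid) and dirname, so it is portable.
chroot_path_ok() {
    d=$1
    while :; do
        line=$(ls -ldn "$d") || return 1
        mode=$(printf '%s' "$line" | cut -c1-10)
        uid=$(printf '%s' "$line" | awk '{print $3}')
        if ! dir_entry_ok "$mode" "$uid"; then
            echo "chroot check failed at $d: mode=$mode uid=$uid" >&2
            return 1
        fi
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# Usage on a real box, before reloading sshd:
#   chroot_path_ok /home/jedi && echo "chroot path is acceptable to sshd"
# Typical fix when it fails: chown root:root /home/jedi && chmod 755 /home/jedi
```

Run the check as root against the intended chroot; a failure points at the exact component to fix. Remember the side effect of the rule: the user's home directory can no longer be owned by the user, which is why the writable area is a subdirectory.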

trillianjedi




msg:909841
 7:02 pm on Sep 20, 2005 (gmt 0)

Hi Matty - thanks.

I had a look around, and it does look a bit complex for SSH.

Is there not a simple way of doing this with permissions?

TJ

MattyMoose




msg:909842
 8:32 pm on Sep 20, 2005 (gmt 0)

Definitely!

By default, most UNIX systems will not allow a user to modify another user's home directory.

But the easiest way, when you create the user, is to put them in their own group. So, for example, user jedi would belong only to the group jedi. This way, the permissions for your home directory would look like:

drwxr-x--- 79 jedi jedi /home/jedi

If it doesn't look like that, but more like:

drwxr-xr-x 79 jedi jedi /home/jedi

Then that means that "other" (ie: everyone else) can read that directory.

So, what you'd do is:

chmod 750 /home/jedi

That will set the permissions properly.

Then let's say you make a user for me, called moose. You put me only into the moose group, and repeat the above steps. Because I'm not the user 'jedi' and I'm not in the group 'jedi', I'm part of the 'other' group, when it comes to reading the contents of your /home/jedi. It will block me with an access denied.

This won't stop users from seeing what's in /tmp and any other directories that are misconfigured, or are intentionally left open.

If you wanted to have moose and jedi be friends, and be allowed to write to each other's directories, you could create a new group called "moosejedi", make them both a part of the "moosejedi" group, and change the group ownership of /home/jedi and /home/moose to:

drwxrwx--- 79 jedi moosejedi /home/jedi
drwxrwx--- 79 jedi moosejedi /home/moose

That way anyone that's a member of 'moosejedi' can write to those directories.

Things get a little more complicated once you start wanting to assign multiple group permissions to a single file or folder. That's where Extended ACLs [en.wikipedia.org] come into play, but not all filesystems and Operating Systems use them or understand them.

Hope that helped!
Matt
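
Added example, not code from the thread: Matt's owner/group/other rule written as a shell function so the examples above can be checked without root, together with the chmod values for a private home (750) and for the shared moosejedi directory. The shared directory goes one step further than the post: it adds the setgid bit (2770) so files created inside it inherit the moosejedi group, which is the check most people forget when a shared group directory stops working after the first few files. The user and group names are the thread's own; the function names are assumptions, and the real useradd/groupadd commands are shown only as comments because they need root.

```shell
#!/bin/sh
# Added example (not code from the thread). Models the classic UNIX
# permission rule: exactly ONE class applies, owner first, then group,
# then other, and the matching class is used even when another would be
# more generous. Function names are assumptions for this example.

# in_group GROUP g1 g2 ... -> 0 if GROUP is among the listed groups
in_group() {
    want=$1; shift
    for g in "$@"; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# perm_check MODE OWNER GROUP USER "GROUPS" OP
#   MODE   : the 10-character ls -l mode string, e.g. drwxr-x---
#   GROUPS : space-separated groups USER belongs to
#   OP     : r, w or x
# Exit 0 if USER gets OP on the object, 1 if not.
perm_check() {
    mode=$1; owner=$2; group=$3; user=$4; groups=$5; op=$6
    case $op in
        r) idx=0 ;;
        w) idx=1 ;;
        x) idx=2 ;;
        *) echo "perm_check: bad op '$op'" >&2; return 2 ;;
    esac
    # shellcheck disable=SC2086  # $groups is a deliberately word-split list
    if [ "$user" = "$owner" ]; then
        base=2          # columns 2-4: owner bits
    elif in_group "$group" $groups; then
        base=5          # columns 5-7: group bits
    else
        base=8          # columns 8-10: other bits
    fi
    bit=$(printf '%s' "$mode" | cut -c"$((base + idx))")
    case $bit in
        -|S|T) return 1 ;;   # S/T: setgid/sticky set but execute bit clear
        *)     return 0 ;;
    esac
}

# mode_of DIR   : the ls -l mode string of DIR
# lock_home DIR : chmod 750 (rwxr-x---), Matt's setting for /home/jedi
# share_dir DIR : chmod 2770 (rwxrws---); the setgid bit makes new files
#                 inherit the directory's group, so the moosejedi group
#                 keeps working for files created later, not only for the
#                 directory itself.
mode_of()   { ls -ld "$1" | cut -c1-10; }
lock_home() { chmod 750 "$1" && mode_of "$1"; }
share_dir() { chmod 2770 "$1" && mode_of "$1"; }

# Real provisioning on a Linux box (needs root; comments only):
#   useradd -m -U jedi           # -U: private group "jedi" for user jedi
#   useradd -m -U moose
#   chmod 750 /home/jedi /home/moose
#   groupadd moosejedi
#   usermod -aG moosejedi jedi && usermod -aG moosejedi moose
#   chgrp moosejedi /home/jedi /home/moose
#   chmod 2770 /home/jedi /home/moose
# Distributions differ in the default mode useradd gives a new home
# (check with: ls -ld /home/*), so verify rather than assume.

# Demonstration on a scratch directory (no root needed).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/jedi" "$tmp/shared"
    printf 'private home: %s\n' "$(lock_home "$tmp/jedi")"
    printf 'shared dir:   %s\n' "$(share_dir "$tmp/shared")"
    for who in jedi moose; do
        if perm_check "$(mode_of "$tmp/jedi")" jedi jedi "$who" "$who" r; then
            echo "$who can read jedi's home"
        else
            echo "$who is denied on jedi's home"
        fi
    done
    rm -rf "$tmp"
}
demo
```

The group lookup only covers the supplementary groups you pass in; on a real box use `id -Gn USER` for that list. As Matt says, none of this protects anything outside the home directories, so /tmp and other world-readable locations still need their own attention.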

trillianjedi




msg:909843
 9:51 pm on Sep 20, 2005 (gmt 0)

Hope that helped!

Heck Matt, it sure did!

Many thanks - I'll have a play with the moose group in the morning ;-)

TJ
