views:

3404

answers:

8

Hi,

I need to create a special linux user account that has a very limited set of permissions on the system. Essentially to have read-only permissions for his home dir (and sub dirs) and nothing else - i.e. this user has no write or execute permissions and should not be able to read/access other user dirs or indeed anything outside of his home directory, irrespective of rwx permissions.

What thoughts do stackers have on the easiest way to do this?

Thanks,

Richard.

+8  A: 
  • use a special restricted shell
  • chroot the user into a minimal environment
  • use SE Linux
David Schmitt
A: 

You might need to make use of setfacl as given in

http://www.cs.unc.edu/cgi-bin/howto?howto=linux-file-acls

http://www.vanemery.com/Linux/ACL/linux-acl.html

Best of luck.

lakshmanaraj
Hi lakshmanaraj - thanks for this, taking a look
A: 

If the user can't execute anything or write any files, why give them interactive access at all?

You might as well just give them a password protected web-interface into their directory.

Alnitak
+1  A: 

The user needs read permissions on certain commands and directories to do anything at all once logged in. So basically, you can't do it.

Maybe you should explain the real problem you are trying to solve by attempting to do this?

anon
Hi zabzonk, I am trying to set up a user to rsync over ssh a set of dirs and files on my server. For script automation purposes, I am using pub/private rsa key so that rsync can login without a password. Given that this is a little insecure, I want to restrict the rsync user as described.
Is the SSH bit strictly necessary? rsync can serve files using its own protocol from a specific directory tree perfectly well.
Alnitak
He would want to use SSH to encrypt the data -- rsync doesn't do this on its own as far as I know.
Steve S
rsync does transparently use ssh for encrypted sessions, but not when using the rsync daemon. The daemon, on the other hand, does have a 'use chroot = true' option which achieves the isolation originally requested, although sans encryption.
jmanning2k
+6  A: 

The user will need read/execute rights to execute any command (ls, login shell, etc), so you can't easily take all rights away.

Usually it's enough to make sure they can't mess with the home directories of other users. To do this, put the user into a new group (like "untrusted"), chown his home directory and revoke the group and other rights on all home directories: chmod go-rwx /home/*/

If that is not enough, create a chroot jail. This is basically a mini Linux where nothing outside a certain directory (the jail) is visible (or accessible). Jailkit might help you to set this up.

Aaron Digulla
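The "revoke the group and other rights on all home directories" step above, as an added example that is not from the original answers: a POSIX shell function that applies chmod go-rwx to every home under a base directory, plus a check that reports any home still reachable by group or others. It assumes GNU coreutils (stat -c); the base directory is a parameter so it can be tried on a scratch tree before touching /home.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Assumes GNU stat (-c '%a'); user/group creation itself (useradd, usermod)
# needs root and is not shown here.

# Close every home directory under $1 to group and others, so an untrusted
# account cannot even traverse into another user's home.
lock_homes() {
  base="$1"
  for d in "$base"/*/; do
    [ -d "$d" ] || continue
    chmod go-rwx "$d"
  done
}

# Return 0 when no home under $1 grants any group/other permission bit,
# printing each offending directory otherwise.
check_homes() {
  base="$1"
  rc=0
  for d in "$base"/*/; do
    [ -d "$d" ] || continue
    # %a is octal, e.g. 755 or 2755; pad so the last two digits are always
    # the group and other classes (stat prints a bare 0 for mode 000).
    mode=$(printf '%04d' "$(stat -c '%a' "$d")")
    case "$mode" in
      *00) ;;
      *) echo "group/other access still granted: $d (mode $mode)"; rc=1 ;;
    esac
  done
  return $rc
}
```

Run check_homes /home after lock_homes /home to confirm nothing was missed; home directories created later by useradd still need the same treatment.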
A: 

I guess you can just not create any home folder...

Sybiam
A: 

If you are worried about remote access and that is the main reason to lock the account down you might want to just add them to a list of banned ssh users.

The Digital Ninja
A: 

It sort of sounds like you are trying to set up a place for someone to pick up files and the like. If so, may I suggest creating an ftp or sftp account rather than a regular user account. In addition to being an easy way for the user to get files, it ought to take care of most of the security issues you're worried about.

Talk to your system administrator.

Jon Ericson