Re: Restricting a shell user to his home dir ?

From: Simon Kitching (simon_at_ecnetwork.co.nz)
Date: 08/05/04

  • Next message: Ryo Furue: "Re: Is Linux Unix?"
    To: debi@niit.edu.pk
    Date: Thu, 05 Aug 2004 18:40:47 +1200
    
    

    On Thu, 2004-08-05 at 18:16, debi@niit.edu.pk wrote:
    > Hi,
    >
    > I am learning a lot from this mailing list :). I have a few shell users; I want to restrict their shell login to their home directories.
    >
    > Like they should not be able to move around in the system and see other users' home directories.
    >
    > Any suggestions would be useful.

    Hi,

    When you installed debian, you should have been asked "should home dirs
    be readable by others". If you answered no, then when new users are
    created, their home dir will automatically have permissions of
    rwx------, which means that no other user on the system can see their
    files. I believe this is even the default setting. [NB: perms of
    rwxr-x--- are also secure, provided each user has their own personal
    group setting].

    If you answered "yes, home dirs should be readable by others" then when
    you added users, their home dir will be rwxr-xr-x, which allows others
    to see their files. This is often the default for "traditional" unix
    systems, like AIX. In this case, users (or you) can use chmod to make
    the home dirs unreadable.

    But generally, users *do* need access to the rest of the system. They
    need access to /bin, /usr/bin, etc or they won't be able to run even
    simple tasks like "cp", "more", etc. And unix is designed to allow users
    to access system dirs without any harm occurring. Note that users will
    be able to see that dirs /home/fred, /home/sue etc exist but won't be
    able to see anything in them if the permissions on those dirs are set
    appropriately.

    If you're really paranoid (and this can sometimes be healthy) you can
    look into something called "chroot", which means that when users log in,
    they get a special restricted view of the local filesystem. But this is
    a major pain to set up and administer. Only for the brave...

    Regards,

    Simon

    -- 
    To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
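The permission classes Simon describes (rwx------ private, rwxr-x--- acceptable only when each user has a private group, rwxr-xr-x readable by everyone) are easy to audit with a few lines of shell. The script below is an added example, not code from the thread or from Debian; it builds a constructed sample tree under mktemp so it touches nothing real, classifies each home directory by the group and other digits of its octal mode, and tightens the world-readable ones to 0700 the way the reply suggests. `home_exposure`, `audit_homes`, `count_exposed`, `fix_world_readable_homes` and `make_sample_homes` are names chosen here; `stat -c '%a'` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not from the original thread): classify home directory
# permissions and tighten the ones other users can read.
# Run "audit_homes /home" on a real Debian box; the demo uses a constructed tree.

# home_exposure OCTAL_MODE -> prints one of: private | group | world
# Only the last two digits (group, other) matter; "2750" and "750" both mean
# group-readable, "755" means readable by every user on the system.
home_exposure() {
    mode="$1"
    oth=${mode#"${mode%?}"}        # last character: the "other" digit
    rest=${mode%?}
    grp=${rest#"${rest%?}"}        # second to last: the "group" digit
    if [ "$oth" != 0 ]; then
        echo world
    elif [ "$grp" != 0 ]; then
        echo group                 # fine only with per-user private groups
    else
        echo private               # rwx------ or stricter
    fi
}

# audit_homes ROOT -> one line per directory under ROOT: "<exposure> <mode> <path>"
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")  # GNU stat; BSD/macOS would need stat -f '%OLp'
        printf '%s %s %s\n' "$(home_exposure "$mode")" "$mode" "$d"
    done
}

# count_exposed ROOT KIND -> number of homes in the given exposure class
count_exposed() {
    audit_homes "$1" | grep -c "^$2 " || true   # grep -c exits 1 on zero matches
}

# fix_world_readable_homes ROOT -> chmod 0700 every world-readable home.
# Group-readable homes are left alone on purpose: as the reply notes, rwxr-x---
# is safe when the group is the user's own private group, so a human decides.
fix_world_readable_homes() {
    audit_homes "$1" | while read -r kind mode path; do
        [ "$kind" = world ] || continue
        chmod 0700 "$path"
        printf 'tightened %s (was %s)\n' "$path" "$mode"
    done
}

# make_sample_homes -> path of a constructed tree with one home per case.
make_sample_homes() {
    root=$(mktemp -d)
    mkdir "$root/fred" "$root/sue" "$root/bob"
    chmod 755 "$root/fred"   # traditional unix default: open to everyone
    chmod 750 "$root/sue"    # acceptable only if "sue" is her private group
    chmod 700 "$root/bob"    # what the "private home dirs" installer answer gives
    printf '%s\n' "$root"
}

# Demo: ./homeperms.sh demo
if [ "${1:-}" = demo ]; then
    root=$(make_sample_homes)
    echo "before:"; audit_homes "$root"
    fix_world_readable_homes "$root"
    echo "after:";  audit_homes "$root"
    rm -rf "$root"
fi
```

On Debian the installer question the reply mentions ends up as the DIR_MODE value in /etc/adduser.conf, which is the mode adduser gives every new home directory; the audit above is for homes that were created before that setting was tightened, or on systems that still use the 0755 tradition.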
    
