Re: Confining a user to the home directory specified in the user record

Mon, 11 Oct 2004 10:36:26 -0700 

Well, basically I want to define one user for the developers to use to
view the log directory of their Java app, rather than defining a dozen. I
will be doing the PAM authentication thing soon, so that's why I don't
wanna define individual users.

They have no business going into other directories in the system, and while
yes, permission bits would prevent access, my boss was wanting me to
prevent even getting out of the home directory to see any of the file
system structure at all. (don't know why, just paranoia I guess). Thought
perhaps there was something like rsh or some other restrictive shell that
would allow that.





             Adam Thornton
             <[EMAIL PROTECTED]
             mine.net>                                                  To
             Sent by: Linux on         [EMAIL PROTECTED]
             390 Port                                                   cc
             <[EMAIL PROTECTED]
             IST.EDU>                                              Subject
                                       Re: Confining a user to the home
                                       directory specified in the user
             10/11/2004 12:03          record
             PM


             Please respond to
             Linux on 390 Port
             <[EMAIL PROTECTED]
                 IST.EDU>






On Mon, 2004-10-11 at 11:49, James Melin wrote:
> How do you set a user account up so that the ID cannot traverse 'above'
> their assigned home directory?  Our developers want me to setup a dozen
> user accounts with access to their application log dir. I wanna set up
one,
> and only one, and confine it to the log directory. I know how to set the
> 'home' dir in the user record, I just don't know how to stop them from
> getting out  of it

You can do this with chroot, but then you need a copy of all the
appropriate binaries that the user can get to.

Basically, in order to have a useful shell login, at least the system
public binaries must be available to that user.  I don't see what you
hope to gain by confining the user.  Files that random users should not
be able to view should not be accessible by "other": that is, the low
three bits of the file mode should all be "0".

Adam

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or
visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

Reply via email to