As David said, look at what a restricted shell does for you. "man bash" and then look for RESTRICTED SHELL starting in column one. It should do what you want.
Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of James Melin
Sent: Monday, October 11, 2004 1:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Confining a user to the home directory specified in the user record

Well, basically I want to define one user for the developers to use to view the log directory of their Java app, rather than defining a dozen. I will be doing the PAM authentication thing soon, so that's why I don't wanna define individual users. They have no business going into other directories in the system, and while yes, permission bits would prevent access, my boss was wanting me to prevent even getting out of the home directory to see any of the file system structure at all. (Don't know why, just paranoia I guess.) Thought perhaps there was something like rsh or some other restrictive shell that would allow that.

Adam Thornton <[EMAIL PROTECTED] mine.net>
Sent by: Linux on 390 Port <[EMAIL PROTECTED] IST.EDU>
To: [EMAIL PROTECTED]
Date: 10/11/2004 12:03 PM
Subject: Re: Confining a user to the home directory specified in the user record
Please respond to Linux on 390 Port <[EMAIL PROTECTED] IST.EDU>

On Mon, 2004-10-11 at 11:49, James Melin wrote:
> How do you set a user account up so that the ID cannot traverse
> 'above' their assigned home directory? Our developers want me to
> set up a dozen user accounts with access to their application log dir.
> I wanna set up one, and only one, and confine it to the log directory.
> I know how to set the 'home' dir in the user record, I just don't know
> how to stop them from getting out of it

You can do this with chroot, but then you need a copy of all the appropriate binaries that the user can get to. Basically, in order to have a useful shell login, at least the system public binaries must be available to that user.

I don't see what you hope to gain by confining the user. Files that random users should not be able to view should not be accessible by "other": that is, the low three bits of the file mode should all be "0".

Adam

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
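Putting the two suggestions in the thread together (a restricted shell for the shared log-viewer account, and checking that private files carry no "other" bits), as an added example that is not from any of the posters; it assumes the account's login shell is set to rbash separately and that the script is run as root so the profile ends up root-owned.

```shell
#!/bin/sh
# Added example, not from anyone in the thread. Builds the home directory for a
# single shared "log viewer" account that logs in with bash's restricted mode
# (rbash / bash -r). Once started, rbash refuses cd, changes to PATH, commands
# with a "/" in their name and output redirection, so the user can only run what
# the profile puts on PATH. Assumes the account's login shell is set to rbash
# separately (e.g. usermod -s /bin/rbash) and that, for the profile to be
# tamper-proof, this runs as root so HOME and the profile end up root-owned.

# setup_rbash_home HOME_DIR CMD... : link the listed commands into HOME_DIR/bin
# and write a profile that pins PATH to that directory and makes it read-only.
setup_rbash_home() {
    home=$1; shift
    mkdir -p "$home/bin" || return 1
    for cmd in "$@"; do
        src=$(command -v "$cmd") || { echo "skipping unknown command: $cmd" >&2; continue; }
        ln -sf "$src" "$home/bin/$cmd"
    done
    cat > "$home/.bash_profile" <<'EOF'
PATH=$HOME/bin
export PATH
readonly PATH
EOF
    # World-readable but not writable by the account: rbash will not let the
    # user change PATH later, and a root-owned profile stops them editing it.
    chmod 0755 "$home" "$home/bin"
    chmod 0644 "$home/.bash_profile"
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$home" "$home/bin" "$home/.bash_profile"
    fi
}

# other_accessible DIR : list regular files under DIR with any "other" bit set,
# i.e. files that every account on the box can read, write or execute. This is
# the check behind Adam's point: anything that should stay private to its owner
# should not show up here.
other_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}
```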
