[EMAIL PROTECTED] asked:
> How do I restrict users from CD .. out of their directory?

I said:
> That's a meaningless question.

Michael Conlen wrote:
> > As far as ssh is concerned it's not relevant, however there are ways to keep
> > a user from changing down a directory. You just have to set up a complete
> > environment for the user in their home directory. This can be accomplished
> > with FreeBSD pretty easily using some make world options. The idea is that
> > you create an entire UNIX environment in their home directory and chroot
> > them to their home dir when they log in.

Brandon Fitch <[EMAIL PROTECTED]> said:
> or just use restricted bash. Has to be version 2.x at minimum. If
> you create a link called rbash to bash, it will be restricted. Or
> run it "bash -r". This also doesn't allow users to change their
> path, so make sure anything they need is in their path.

Just like I said, the question is ill defined (meaningless).

A restricted shell does not prevent anything:

    [pascal@thalassa pascal]$ rbash
    [pascal@thalassa pascal]$ cd /
    rbash: cd: restricted
    [pascal@thalassa pascal]$ ls /tmp/a
    /tmp/a
    [pascal@thalassa pascal]$ csh
    /home/pascal> cd /
    />

And while a chroot jail may prevent the user from accessing files in
parent and cousin directories, it does not prevent the user from
changing the working directory (within the chroot jail).

Anyway, the working directory is only used to specify files with
relative paths. You can always access all accessible files with
absolute paths. That's why it's useless to try to prevent changing the
working directory. That's only a convenience operation.

Now if only pruittr would reformulate his question and express exactly
what it is he wants to achieve...

Note that as soon as the "shell" the user is connected to allows
creating any executable file (or allows the execution of a program
that allows creating any executable file), that is, if it allows the
creation of arbitrary files and the execution of the same, then
anything you can set up in the environment can be circumvented if not
implemented at the OS level (file system protections, chroot jails,
etc).

That means that either you have to give the users access to an
extremely restricted application (a "shell" would be too permissive),
or you have to severely restrict the _access_rights_ to the files and
directories both above and below the directory in which you want the
user confined.

-- 
__Pascal_Bourguignon__              (o_ Software patents are endangering
()  ASCII ribbon against html email //\ the computer industry all around
/\  and Microsoft attachments.      V_/ the world http://lpf.ai.mit.edu/
1962:DO20I=1.100  2001:my($f)=`fortune`;  http://petition.eurolinux.org/
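
Added example, not part of the original message: a shell audit of the point made above, that confinement depends on file access rights rather than on the working directory. It lists everything outside a user's directory that the "other" permission class can still reach by absolute path. The function names and the constructed sample tree are hypothetical, and the check assumes the confined user is neither owner nor group member of the files and that no ACLs apply.

```shell
#!/bin/sh
# Added example. reachable_outside ROOT CONFINED
# Prints every path under ROOT, outside CONFINED, that carries an "other"
# read or write bit and is reachable through "other"-searchable directories.
# Assumption: only the classic mode bits matter (no ACLs, user is "other").
reachable_outside() {
    root=$1
    confined=$2
    # 1. skip the user's own directory entirely
    # 2. prune directories without o+x: nothing beneath them can be opened
    #    by "other", whatever the modes of the files inside
    # 3. report what is left if "other" may read or write it
    find "$root" \
        -path "$confined" -prune -o \
        \( -type d ! -perm -001 -prune \) -o \
        \( -perm -004 -o -perm -002 \) -print
}

# Constructed sample tree (not taken from the thread): alice is the confined
# user, bob's home is world-searchable, carol's is closed to "other".
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice" "$t/home/bob" "$t/home/carol"
    : > "$t/home/alice/notes.txt"
    : > "$t/home/bob/secret.txt"
    : > "$t/home/carol/private.txt"
    : > "$t/shared.conf"
    chmod 755 "$t" "$t/home" "$t/home/alice" "$t/home/bob"
    chmod 750 "$t/home/carol"
    chmod 644 "$t/home/alice/notes.txt" "$t/home/bob/secret.txt" \
              "$t/home/carol/private.txt"
    chmod 640 "$t/shared.conf"
    printf '%s\n' "$t"
}

demo=$(make_demo_tree)
echo "Reachable by absolute path from outside $demo/home/alice:"
reachable_outside "$demo" "$demo/home/alice"
rm -rf "$demo"
```

On the sample tree the report contains bob's home and secret.txt, while carol's private.txt stays out because its parent directory lacks the search bit for "other", even though the file itself is mode 644.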
