Preventing user from navigating filesystem

smokeslikeapoet

I know there is a way to prevent a user from navigating outside of his/her home directory, but I can't seem to find information on it. I still want the user to be able to read and execute files outside their home directory. TIA
_________________
-SmokesLikeaPoet

Folding@Home

Jimbow · Posted: Fri May 30, 2003 8:07 am Post subject:

Try removing their execute permissions on the directories you want them to be unable to navigate. They won't be able to see directory listings but will still be able to read/write files (if permissions allow).
_________________
After Perl everything else is just assembly language.

smokeslikeapoet · Posted: Fri May 30, 2003 10:31 pm Post subject:

Well I've removed the read permissions from my /home directory. I don't want users to be able to read each others files, but they will all be part of the "users" group. I'm wondering if is possible to stop them from using "cd" to move outside of their home directories. Due to mod userdir in apache everyone's home directory must be executable for everyone i.e. chmod 711 /home/*. If I remove the executable bit from /etc and /var to prevent users from cd-ing to those diretories, I'm afraid the services like apache won't be able to access their configuration files.
_________________
-SmokesLikeaPoet

Folding@Home

zhenlin · Veteran Joined: 09 Nov 2002 Posts: 1361

Why do this? Users will only be able to read, not write, anyway.

Here's a breakdown of directory permissions:

r - get directory listing
w - edit directory
x - access subdirectories, files

With rwx--x--x, only the owner can read and write the files, but everybody else can access subdirectories and files, if those are rw-r--r-- (or any other a+r) Simple solution: chmod a-rw,o+rw , -R /home

Jimbow · Posted: Sat May 31, 2003 1:11 am Post subject:

I am not clear on what you want to do. You originally said that you want users to be able to read and write files outside of their home directory. Be that as it may, another trick is to deny all group access to /home/* (and be sure that the apache user is not in the users group). That way people in the users group won't be able to see each other's home directory.

One drawback of this approach is that user a would be able to change the permissions of his/her home directory to let other users peek at his/her files. If you need something more secure LMK.
_________________
After Perl everything else is just assembly language.

smokeslikeapoet · Posted: Sat May 31, 2003 3:28 am Post subject:

This is my ultimate goal, provide shell access to friends at school so they can store notes and homework and practice Linux commands (This is a technical school and provides classes in Linux/Unix and Networking). All of the school's computers run Windows, except for one Linux and one Unix server. There is no mail access, no apache userdir access, no ftp access and your account is removed as soon as you drop the class or the semester ends. Fortunately the Windows 2000 systems have Putty installed which provides the only way out of the school's network other than HTTP.

I've read through the Security Howto on the Documentation page and have come to some conclusions. I can't have users traversing through my system and each others user directories. I don't want users (even though i trust them) reading my configuration files.

So far I've disabled group access to all of the files in the home directory. Users will not be able to read the /home directory only files in their own directory.

Do any of you have any more suggestions? I may be opening up a huge can of worms here, and all this work is really not necessary for me to do, but many of my friends aren't able or afraid to install Linux. I also feel it will give me some experience admistrating a dozen or so users.

OT: but I don't necessarly want to start a new thread. I'm assuming if I'm using XFS on my home directory, the steps to enable disk quotas on XFS is somewhat different because it is an separate option in the kernel config. Can someone point me to directions to do this?
_________________
-SmokesLikeaPoet

Folding@Home

Vancouverite · Posted: Sat May 31, 2003 8:18 am Post subject:

You may want to check out the Jail project for your users.
_________________
Screenshot

smokeslikeapoet · Posted: Sun Jun 01, 2003 5:17 am Post subject:

Jail seems to be exactly what I'm looking for. I didn't realize it was a program although I've heard people mention running a service from a "jailed, chrooted environment" and "jailing users." I thought it was some elaborate security configuration.

Oh well sometimes I try to make things harder than they have to be. I just have to remind myself - K.I.S.S. (keep it simple stupid).
_________________
-SmokesLikeaPoet

Folding@Home

bryon · Apprentice Joined: 14 Feb 2003 Posts: 163

I would suggest trying out Chroot for SSH You can read up on it but it is desigined as a patch to ssh to keep users in only there home directorites. Which is what you wan to do.

smokeslikeapoet · Posted: Thu Jun 05, 2003 5:01 am Post subject:

Will chroot for ssh still allow me to "su -" and not be chrooted? The documentation looks sparce.
_________________
-SmokesLikeaPoet

Folding@Home

zhenlin · Veteran Joined: 09 Nov 2002 Posts: 1361

When in jail, try not to break out. Even as root, you won't be able to break out of chroot, but if you do, you need to look into grsecurity.

Do not jail your users in. They will not be able to access the outside world, short of using hard links. Even if you do build a jail, it will have all the config files that you don't want them to read.

I think what you are looking for is an ACL based solution. ACLs are in beta now for ext2/3, and is a feature of XFS, I think.