limiting users to their home directory

Chris Mohler cr33dog at gmail.com
Tue Dec 23 04:27:57 UTC 2008


On Tue, Dec 23, 2008 at 9:53 PM, Nick Smith <nick.smith79 at gmail.com> wrote:
> I run a small webserver with Ubuntu 7.04 and would like to lock each
> user down to be able to see/edit only files in his directory,
> and disable ssh access.
>
> I've been playing with permissions for several hours and can't seem to
> accomplish this.  His website is in /home/user/www so it
> would have to be a solution that apache2 can still read that directory.
>
> I found a program called scponly in one of my Google searches, and
> that seems to disable ssh access, but he can still use winscp
> or similar and browse the entire filesystem and open/download anything
> at will.  It seems strange this would be default behavior.
> Seems like that would be a huge security risk to have a user able to
> browse to any directory he wishes and open/download the
> contents.
>
> What am I doing wrong here?  What is the easiest way to accomplish this?
>
> Thanks for any help you can give.
> I've googled all afternoon and searched the mailing list, but can't come
> up with anything that works.

First - you mentioned using SCP, which AFAIK *requires* SSH access.
The problem with limiting access to SSH is that SSH provides a "real"
shell (with the extra ability to transfer files via SCP).  What you
probably want instead is an FTP server that uses a secure connection.

It's been a while, but IIRC both proftpd and vsftpd have a "chroot jail"
option you can set in the config - that will allow access to only the
home directory.  Memory's fuzzy, but I seem to recall that it's
possible to have proftpd (vsftpd too?) listen on a secure port.
Google around for "ftp over tls" or "proftpd tls" or similar.

But if you want to stick with SCP, this might be useful:
http://ubuntuforums.org/showthread.php?t=451510

HTH,
Chris
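
Added example, not part of the message above: a small audit of a vsftpd.conf for the two settings the reply points at (the chroot jail and FTP over TLS). Option names and defaults follow the vsftpd.conf(5) man page; the WEAK and HARDENED configurations are constructed for illustration.

```python
# Added example: audit a vsftpd.conf for the chroot-jail and TLS settings.
DEFAULTS = {
    "chroot_local_user": False,      # jail local users in their home directory
    "chroot_list_enable": False,     # with chroot_local_user=YES: list of EXEMPT users
    "ssl_enable": False,             # FTP over TLS
    "force_local_logins_ssl": True,  # only effective when ssl_enable=YES
    "force_local_data_ssl": True,    # only effective when ssl_enable=YES
}

def parse_conf(text):
    """Read option=value lines (no spaces around '='; '#' starts a comment line)."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in opts:
            opts[key] = value.upper() in ("YES", "TRUE", "1")
    return opts

def audit(text):
    """Return findings; an empty list means users are jailed and TLS is enforced."""
    o, findings = parse_conf(text), []
    if not o["chroot_local_user"]:
        scope = "only listed users are" if o["chroot_list_enable"] else "no user is"
        findings.append("chroot: %s confined to the home directory" % scope)
    elif o["chroot_list_enable"]:
        findings.append("chroot: users in chroot_list_file are exempt from the jail")
    if not o["ssl_enable"]:
        findings.append("tls: disabled, logins and data travel in clear text")
    else:
        if not o["force_local_logins_ssl"]:
            findings.append("tls: passwords may still be sent in clear text")
        if not o["force_local_data_ssl"]:
            findings.append("tls: file transfers may still be sent in clear text")
    return findings

# Constructed sample configurations (not taken from the thread).
WEAK = "local_enable=YES\nwrite_enable=YES\n"
HARDENED = WEAK + "chroot_local_user=YES\nssl_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "ok")
```

Note that chroot_list_enable inverts its meaning depending on chroot_local_user, which is why the audit reports the two combinations differently.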



