limiting users to their home directory

Loïc Grenié loic.grenie at gmail.com
Tue Dec 23 14:50:13 UTC 2008


On Mon, Dec 22, 2008 at 10:53 PM, Nick Smith <nick.smith79 at gmail.com> wrote:
> I run a small webserver with Ubuntu 7.04 and would like to lock each
> user down to be able to see/edit only files in his directory,
> and disable ssh access.

> Seems like that would be a huge security risk to have a user able to
> browse to any directory he wishes and open/download the
> contents.

    It should not be so huge. If your system is pretty standard, like
  an Ubuntu system, the user can find most of the files on the web
  anyway. Neither the cryptographic keys nor the passwords are
  accessible to a normal user. If some tools feel sensitive to you
  you can disallow read access to those files for the users, for instance

chmod go-r /etc/ssh/sshd_config

  would disallow reading by the users of the sshd_config which
  is, arguably, a sensitive file (by default readable).

    An Ubuntu system is pretty secure by default.

    You can have better security if you have a running-but-limited
  system in a directory (something similar to an embedded system),
  and use something similar to:

mount -o bind -r /opt/securesystem /var/username
mount -t tmpfs tmpfs /var/username/tmp
mount -o bind /home/username /var/username/home/username
chroot /var/username sudo -u username -i /bin/sh

  where /opt/securesystem contains the above-mentioned "secure"
  system and username is the name of the user (the sudo will
  probably fail as is; it needs some tweaking). After logout,
  umount /var/username/home/username, /var/username/tmp and
  /var/username.

     You can also use a virtual host.

          Hope this helps,

               Loïc
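
Added example (not part of the original message and not the poster's own script): the mount and unmount sequence described above as a small shell helper. It adds an explicit remount step, because many mount versions do not apply "ro" when a bind mount is created, and it validates the user name before splicing it into paths. JAIL_SRC, DRY_RUN and the function names are assumptions of this example; entering the jail (the chroot/sudo step) is left out.

```shell
#!/bin/sh
# Added example, not from the original post. JAIL_SRC, DRY_RUN and the
# function names are assumptions made for illustration.
JAIL_SRC=${JAIL_SRC:-/opt/securesystem}   # the limited system from the post
DRY_RUN=${DRY_RUN:-1}                     # 1 = print commands, 0 = run them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only plain account names, so "../etc" or "" cannot end up in a path.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

jail_up() {
    valid_user "$1" || { echo "invalid user name: $1" >&2; return 1; }
    root=/var/$1
    # 1. bind the limited system, 2. remount so "ro" is really applied
    #    (many mount versions ignore it when the bind is created),
    # 3. private tmpfs for /tmp (nosuid,nodev are hardening added here),
    # 4. the user's own home directory, read-write.
    run mount -o bind "$JAIL_SRC" "$root" &&
    run mount -o remount,ro,bind "$JAIL_SRC" "$root" &&
    run mount -t tmpfs -o nosuid,nodev tmpfs "$root/tmp" &&
    run mount -o bind "/home/$1" "$root/home/$1"
}

jail_down() {
    valid_user "$1" || return 1
    root=/var/$1
    rc=0
    # Reverse order of jail_up: inner mounts first, the jail root last.
    for mp in "$root/home/$1" "$root/tmp" "$root"; do
        run umount "$mp" || rc=1
    done
    return "$rc"
}
```

With the default DRY_RUN=1 the functions only print the commands, so the sequence can be reviewed before running it as root with DRY_RUN=0. jail_down attempts all three unmounts even if one fails, so it can also clean up after a jail_up that stopped part-way.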



