limiting users to their home directory
Loïc Grenié
loic.grenie at gmail.com
Tue Dec 23 14:50:13 UTC 2008
On Mon, Dec 22, 2008 at 10:53 PM, Nick Smith <nick.smith79 at gmail.com> wrote:
> I run a small webserver with ubuntu 7.04 and would like to lock each
> user down to be able to see/edit only files in his directory,
> and disable ssh access.
> Seems like that would be a huge security risk to have a user able to
> browse to any directory he wishes and open/download the
> contents.
It should not be so huge. If your system is pretty standard, like
an Ubuntu system, the user can find most of the files on the web
anyway. Neither the cryptographic keys nor the passwords are
accessible to a normal user. If some tools feel sensitive to you
you can disallow read access to those files for the users, for instance

    chmod go-r /etc/ssh/sshd_config

would disallow reading by the users of the sshd_config which
is, arguably, a sensitive file (by default readable).
An Ubuntu system is pretty secure by default.
You can have better security if you have a running-but-limited
system in a directory (something similar to an embedded system),
and use something similar to:

    mount -o bind -r /opt/securesystem /var/username
    mount -t tmpfs tmpfs /var/username/tmp
    mount -o bind /home/username /var/username/home/username
    chroot /var/username sudo -u username -i /bin/sh

where /opt/securesystem contains the abovementioned "secure"
system and username is the name of the user (the sudo will
probably fail as is, it needs some tweaking). After logout,
umount /var/username/home/username, /var/username/tmp and
/var/username.
You can also use a virtual host.
Hope this helps,
Loïc
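
The mount, chroot and unmount sequence from the message above, wrapped as an added example (not part of the original message or of any Ubuntu tool). The function names and the RUN, SYSTEM_ROOT and JAIL_BASE variables are assumptions made for illustration, and the sudo step is left exactly as written in the message, so it still needs the tweaking mentioned there.

```shell
#!/bin/sh
# Added example, not from the original message. Dry run by default:
# every command is printed. Run as root with RUN="" to execute.
RUN=${RUN-echo}
SYSTEM_ROOT=${SYSTEM_ROOT:-/opt/securesystem}  # read-only system tree
JAIL_BASE=${JAIL_BASE:-/var}                   # jail is $JAIL_BASE/<user>

# Accept only conservative login names, so the value cannot smuggle
# "..", "/" or a leading "-" into the mount and chroot arguments.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) echo "invalid user name: $1" >&2; return 1 ;;
    esac
}

# The three mounts from the message, stopping at the first failure.
jail_up() {
    valid_user "$1" || return 2
    j=$JAIL_BASE/$1
    $RUN mount -o bind -r "$SYSTEM_ROOT" "$j" &&
    $RUN mount -t tmpfs tmpfs "$j/tmp" &&
    $RUN mount -o bind "/home/$1" "$j/home/$1"
}

# Unmount in reverse order (nested mounts first, jail root last) and
# keep going on errors so a partial setup is still cleaned up.
jail_down() {
    valid_user "$1" || return 2
    j=$JAIL_BASE/$1
    down_rc=0
    for m in "$j/home/$1" "$j/tmp" "$j"; do
        $RUN umount "$m" || down_rc=1
    done
    return $down_rc
}

# Mount, start the shell, then always tear down, returning the status
# of the setup or of the shell.
jail_session() {
    jail_up "$1" && $RUN chroot "$JAIL_BASE/$1" sudo -u "$1" -i /bin/sh
    sess_rc=$?
    jail_down "$1"
    return $sess_rc
}
```

Sourcing the file and calling jail_session with a user name prints the seven commands in order; nothing is mounted unless RUN is set to the empty string.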