Dear mailing list members,

I never thought that I'd face this, but now I have. So my question is really simple: I need to prevent a user from going anywhere outside his home directory. Example: the user's directory is /home/bla, so he shouldn't be able to go to /home. Also, how do I prevent the user from logging in via telnet or ssh, while still letting him log in via the ftp server? When I put /sbin/nologin, the ftp server does not allow him to log in. Any ideas?

-- 
Regards,
Ruslan O. Nesterov
NP AE ASBISc Enterprises LTD
http://www.asbis.com
At 12:06, Thursday 7 February 2002, NP AE Ruslan Nesterov wrote:
> Dear mailing list members,
> I never thought that I'd face this, but now I have. So my question is really simple: I need to prevent a user from going anywhere outside his home directory. Example: the user's directory is /home/bla, so he shouldn't be able to go to /home. Also, how do I prevent the user from logging in via telnet or ssh, while still letting him log in via the ftp server? When I put /sbin/nologin, the ftp server does not allow him to log in. Any ideas?

Set the default shell to /bin/false and they won't be able to log in with telnet or ssh. But if you do not need them, turn them off!

Praise
On 07.02.2002 15:18:21, Praise wrote:
> At 12:06, Thursday 7 February 2002, NP AE Ruslan Nesterov wrote:
> > Dear mailing list members,
> > I never thought that I'd face this, but now I have. So my question is really simple: I need to prevent a user from going anywhere outside his home directory. Example: the user's directory is /home/bla, so he shouldn't be able to go to /home. Also, how do I prevent the user from logging in via telnet or ssh, while still letting him log in via the ftp server? When I put /sbin/nologin, the ftp server does not allow him to log in. Any ideas?
>
> Set the default shell to /bin/false and they won't be able to log in with telnet or ssh. But if you do not need them, turn them off!

And you can put him in a group of his own which is only able to access his home dir, to prevent "traversal" and other tricks.

Michael Appeldorn
Praise wrote:
> At 12:06, Thursday 7 February 2002, NP AE Ruslan Nesterov wrote:
> > Dear mailing list members,
> > I never thought that I'd face this, but now I have. So my question is really simple: I need to prevent a user from going anywhere outside his home directory. Example: the user's directory is /home/bla, so he shouldn't be able to go to /home. Also, how do I prevent the user from logging in via telnet or ssh, while still letting him log in via the ftp server? When I put /sbin/nologin, the ftp server does not allow him to log in. Any ideas?
>
> Set the default shell to /bin/false and they won't be able to log in with telnet or ssh. But if you do not need them, turn them off!
>
> Praise

/bin/false is not always a good solution; some ftpds and other daemons want the login shell to return true, so /bin/true might be better. Another nice thing is to point the login shell to /bin/passwd, so your users can change their password and nothing else.

If you need a shell login but want them jailed in their home dir, you can use rbash (restricted bash) as the login shell. But then you must take care that the users find everything they need in their home dir, because rbash chroots to that dir.

If you only need ftp login, set the login shell to /bin/true and configure your ftpd so that they are jailed in their home dir. For example, in proftpd you can use the DefaultRoot directive in the config file. Other ftpds (like wu-ftpd) can do the same, but unlike proftpd most of these don't have built-in commands like ls, so you must set up these tools in the users' home. AFAIK there is a SuSE package that contains all needed binaries for a chrooted ftp.

hth
robert

-- 
Robert Pintarelli robert.pintarelli@serco-scs.de
SERCO Service Center Sued GmbH www.serco-scs.de
Custom data processing and communication, D-89077 Ulm
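As an added example (not code from the thread or from any of the posters), the script below models the login-shell check behind Robert's remark: wu-ftpd, and proftpd with RequireValidShell on (its default), refuse an account whose login shell is not listed in /etc/shells, so an account given /sbin/nologin is rejected unless that path is listed there. The script also prints the proftpd DefaultRoot fragment Robert mentions and the commands an admin would run to make a user FTP-only. The /etc/shells contents are constructed so it runs offline and unprivileged; the user name bla comes from the question, and the group expression `!wheel` is my own choice.

```bash
#!/bin/sh
# Added example, not code from the thread. Models the login-shell check that
# wu-ftpd and proftpd (RequireValidShell on) apply: the account's shell must be
# listed in /etc/shells or the FTP login is refused. Runs against a constructed
# shells file; nothing here touches the real system.

# ftp_verdict SHELL SHELLS_FILE -> prints "accept" or "reject"
# (whole-line match, so /bin/true does not match /bin/truex)
ftp_verdict() {
    if grep -qx -- "$1" "$2"; then
        echo accept
    else
        echo reject
    fi
}

# ftp_only_user_cmds USER -> prints the commands an admin would run as root to
# make USER FTP-only: a no-op login shell that is also listed in /etc/shells.
ftp_only_user_cmds() {
    cat <<EOF
grep -qx /bin/true /etc/shells || echo /bin/true >> /etc/shells
usermod -s /bin/true $1
EOF
}

# proftpd_jail_fragment -> proftpd.conf lines that jail users in their home dir
proftpd_jail_fragment() {
    cat <<'EOF'
# Jail everyone in ~ except members of wheel (the group expression is optional)
DefaultRoot ~ !wheel
# Keep the /etc/shells check; add /bin/true to /etc/shells instead of disabling it
RequireValidShell on
EOF
}

# Demo with a constructed /etc/shells; /sbin/nologin is deliberately left out,
# which is the situation the question describes.
DEMO_SHELLS=$(mktemp)
printf '/bin/sh\n/bin/bash\n/bin/true\n' > "$DEMO_SHELLS"
for shell in /sbin/nologin /bin/false /bin/true; do
    printf '%-14s %s\n' "$shell" "$(ftp_verdict "$shell" "$DEMO_SHELLS")"
done
ftp_only_user_cmds bla
proftpd_jail_fragment
rm -f "$DEMO_SHELLS"
```

The demo prints "reject" for /sbin/nologin and /bin/false and "accept" for /bin/true, because only the last is in the constructed file; listing /bin/false there would make it acceptable too. Whether the shell exits 0 or 1 plays no part in this check, since the ftpd never executes it.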
> If you need a shell login but want them jailed in their home dir, you can use rbash (restricted bash) as the login shell. But then you must take care that the users find everything they need in their home dir, because rbash chroots to that dir.

It doesn't really, unless you also restrict them to a certain path; otherwise a bright user will simply type bash or csh or ksh, and the shell will find it in their path and execute it without all your nice restrictions. A suggestion is this:

1. Set the shell to /usr/bin/rbash.
2. Make a directory, say /usr/rbin, and put all the commands the users may need in there, or simply restrict them to /usr/bin.
3. Edit /home/$user/.profile and put PATH=/usr/rbin (or whatever you've set it to) in it, and do chattr +i /home/$user/.profile. That way they cannot change their path, since rbash restricts it, and they also will not be able to edit their .profile.

Of course there are many much better solutions, but I found this the easiest way.

Noah.
Participants (5): ksemat@wawa.eahd.or.ug, Michael Appeldorn, NP AE Ruslan Nesterov, Praise, Robert Pintarelli