Can I chroot a user to his/her home directory? Or something similar..
I want to block users from snooping around the files on the computer, but they should still have access via path to the standard set of applications that they normally have.
Anders.
You can do that. http://olivier.sessink.nl/jailkit/
Anders Norrbring writes:
> Can I chroot a user to his/her home directory? Or something similar..
> I want to block users from snooping around the files on the computer, but they should still have access via path to the standard set of applications that they normally have.
Unfortunately, no. Once you 'chroot' a process, the "root directory" (top of the whole filesystem hierarchy) as seen by that process becomes where you chroot'ed it to. Unless you make copies of /bin, /usr/bin, /lib, /usr/lib, /dev, etc., into the user's home directory, all those directories will be invisible to the user and the user will not be able to do anything.
What you want is probably to change the user's shell to /usr/bin/rbash (do a "man rbash"). This places a number of restrictions on what the user is allowed to do, but does not hide all needed system files and apps.
-Ti
Ti, Anders,
On Saturday 18 September 2004 02:37, Ti Kan wrote:
> Anders Norrbring writes:
> > Can I chroot a user to his/her home directory? Or something similar..
> > I want to block users from snooping around the files on the computer, but they should still have access via path to the standard set of applications that they normally have.
> Unfortunately, no. Once you 'chroot' a process, the "root directory" (top of the whole filesystem hierarchy) as seen by that process becomes where you chroot'ed it to. Unless you make copies of /bin, /usr/bin, /lib, /usr/lib, /dev, etc., into the user's home directory, all those directories will be invisible to the user and the user will not be able to do anything.
What you say is true, but that does not mean it's impossible to accomplish what Anders is attempting. It does mean that you have to replicate as much of an execution environment as you want the user to be able to access. That means executables, libraries, configuration files, etc., all as necessary to permit proper function of whatever software you _do_ want users to be able to successfully use.
Unfortunately, you cannot use symbolic links, though hard links will work, assuming the other limitations of hard links are met, namely that they don't cross file system boundaries.
Unless you want to set up an extremely restrictive environment, it can be pretty difficult to pull this off and it can easily require replicating enormous amounts of the system. Figuring out what's required and verifying that you've got everything that's needed can be pretty challenging. Creating statically linked executables can help out a little, by minimizing shared library dependencies.
> ...
> -Ti
Randall Schulz
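The dependency-gathering step described in the message above can be scripted. This is an added example, not part of any poster's message: the function names and the `/srv/jail` path are hypothetical, and it assumes a Linux system with `ldd` and `readlink -f` and paths without whitespace.

```shell
#!/bin/sh
# Added example: work out and replicate what a chroot jail needs.
# Constructed sample of `ldd` output, so the parser can be tried offline.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd0a5f2000)
	libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f1c2a000000)
	libmissing.so.2 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a400000)'

# parse_ldd: ldd output on stdin -> absolute paths the jail must contain.
# Skips the kernel-provided vdso and "not found" entries.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }  # name => /path (addr)
         $1 ~ /^\//               { print $1 }        # the dynamic loader
    ' | LC_ALL=C sort -u
}

# jail_manifest BIN...: each binary plus its shared-library dependencies.
jail_manifest() {
    for bin in "$@"; do
        printf '%s\n' "$bin"
        ldd "$bin" 2>/dev/null | parse_ldd
    done | LC_ALL=C sort -u
}

# populate_jail JAIL FILE...: recreate each FILE at the same path under JAIL.
# Symlinks are resolved first, because a link pointing outside the jail
# cannot be followed after chroot. A hard link is tried first (same
# filesystem only, and it shares the inode with the system file); otherwise
# the file is copied.
populate_jail() {
    jail=$1; shift
    for f in "$@"; do
        [ -e "$jail$f" ] && continue
        src=$(readlink -f "$f") || return 1
        mkdir -p "$jail$(dirname "$f")" || return 1
        ln "$src" "$jail$f" 2>/dev/null || cp -p "$src" "$jail$f" || return 1
    done
}

# Run directly, e.g.: sh jail-deps.sh /srv/jail /bin/ls /bin/cat
if [ "$#" -ge 2 ]; then
    jail=$1; shift
    # Unquoted on purpose: one manifest path per word (no whitespace in paths).
    populate_jail "$jail" $(jail_manifest "$@")
fi
```

Configuration files, device nodes and anything a program opens at run time do not show up in `ldd` output and still have to be added by hand.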
Hello.
On Saturday, 18 September 2004 11:13, Anders Norrbring wrote:
> Can I chroot a user to his/her home directory? Or something similar..
> I want to block users from snooping around the files on the computer, but they should still have access via path to the standard set of applications that they normally have.
Take a look at the kiosk tool of KDE; you can restrict almost everything. We have users that are allowed to only click on the icons on their desktop for running a reduced set of applications. No menus, no shells, etc.
> Anders.
-- Regards. Carlos Lorenzo Matés
Anders wrote regarding '[SLE] chroot a user?' on Sat, Sep 18 at 04:19:
> Can I chroot a user to his/her home directory? Or something similar..
> I want to block users from snooping around the files on the computer, but they should still have access via path to the standard set of applications that they normally have.
Rather than using a chroot environment, it'd probably be nearly as effective to set permissions a little differently. When I ran a public BSD lab in a school, I made groups for different "classes" of application, then went through and put users into the groups that were appropriate for them. After that, I went through the system and set the permissions for every directory and most files so as to restrict access appropriately. Most everything on the system was mode 750 or 640. It takes a little time to get everything set up that way, but it's pretty effective. Using /etc/permissions.local would be a good start. :)
--Danny, noting that ACLs would be a lot handier than messing with a million different groups.
participants (6)
- Anders Norrbring
- Carlos Lorenzo Matés
- Danny Sauer
- Randall R Schulz
- ti@amb.org
- Vladimir Potapov