A simple question:
Hi, how can I do a chroot when a user logs in on the server? My idea is that when somebody logs in (with ssh) he/she can't get access to my files. What about editing a script that, when it makes a chroot, finally runs the correct shell? That's creating a new shell that only includes the line "chroot ~" and finally runs sh. When I try it, it returns me that I have no permission. Is it a good idea? I'm new in the Linux world, and I suppose it's a very simple question, but I don't find anything in manuals or texts... Thanks
Francesc Dantí wrote:
Hi,
How can I do a chroot when a user logs in on the server? My idea is that when somebody logs in (with ssh) he/she can't get access to my files.
What about editing a script that, when it makes a chroot, finally runs the correct shell? That's creating a new shell that only includes the line "chroot ~" and finally runs sh. When I try it, it returns me that I have no permission. Is it a good idea? I'm new in the Linux world, and I suppose it's a very simple question, but I don't find anything in manuals or texts...
[Please wrap your lines at 72 characters. Thanks.]
From the debian-security mailing list:
-------- Original Message --------
Subject: Re: scp and sftp
Resent-From: debian-security@lists.debian.org
Date: Sun, 31 Mar 2002 00:11:28 -0800
From: "Christian G. Warden"
I've been playing around with the scp and sftp components of PuTTY and noticed what I consider a security hole. WinSCP does the same thing. The user can change to directories above their home. Is there a way to chroot them like you can in an ftp config file? I don't see anything in the sshd config files. If you can't, how can I disable the scp functionality? I'm not talking about scp from the Linux box. The users don't have shell access, so that's not a problem. I'm referring to remote people using an scp client to access my Linux machine. You can disable sftp ability by removing the sftp-server program, but the scp server part seems to be part of sshd.
I did not see anything about this issue on the OpenSSH web site. Anybody got any suggestions?
For more on this topic, take a look at the debian-security list archive. HTH, GTi
Francesc Dantí wrote:
My idea is that when somebody logs in (with ssh) he/she can't get access to my files.
You don't need any chroots to let others get access or not to your files! Please explain what you really want to do!

In a default Linux (or Unix) environment, everybody always has read access to other users' files if you don't explicitly change permissions (see chmod, umask). So, if you want others to not have access to your files you should type something like:

chmod -R go= ~

and perhaps set your umask to 077 (read and execute for user, nothing for group and others for newly generated files or directories):

umask 077

Hope this helps! (or perhaps some Unix/Linux manual ...)

--
Richard Ems ... e-mail: r.ems@gmx.net ... Computer Science, University of Hamburg
Unix IS user friendly. It's just selective about who its friends are.
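To see what Richard's two commands actually change, here is an added shell example (not code from the thread): it applies "chmod -R go= ~" and "umask 077" to a constructed scratch directory standing in for ~ and then audits the tree for anything group or others can still reach. It assumes GNU find for the "-perm /077" syntax.

```shell
#!/bin/sh
# Added example, not code from the thread: applies the two fixes Richard
# suggests ("chmod -R go= ~" and "umask 077") to a constructed scratch
# directory standing in for ~, then audits the result. Assumes GNU find
# for the "-perm /077" syntax.

# Print every path under $1 that still grants any permission bit to group
# or others (mode bits 077). Output is empty when the whole tree is private.
find_exposed() {
    find "$1" -perm /077 -print
}

# Apply the thread's advice to $1: strip group/other bits from everything
# that already exists, then create a new file under umask 077 to show that
# later files are born 0600 instead of the usual 0644.
make_private() {
    chmod -R go= "$1"
    (
        umask 077              # only affects this subshell
        : > "$1/new-file"
    )
}

# Echo "private" when nothing under $1 is reachable by group/others,
# otherwise "exposed".
check_home_private() {
    if [ -z "$(find_exposed "$1")" ]; then
        echo private
    else
        echo exposed
    fi
}

# Walk through the before/after on a throwaway directory.
demo() {
    scratch=$(mktemp -d)       # mktemp creates it 0700, so only contents matter
    umask 022                  # typical default: files 0644, dirs 0755
    mkdir "$scratch/docs"
    echo secret > "$scratch/docs/notes.txt"
    before=$(check_home_private "$scratch")   # exposed: 0755 dir, 0644 file
    make_private "$scratch"
    after=$(check_home_private "$scratch")    # private: 0700 dir, 0600 files
    rm -rf "$scratch"
    echo "before=$before after=$after"
}

demo
```

Note that this only protects against other local accounts on a default Unix setup; it does nothing about the chroot question itself, which needs root privileges to set up.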
participants (3)
- Francesc Dantí
- Martin Peikert
- Richard Ems