Cees van de Griend wrote:
On Wed, Feb 02, 2000 at 10:25:23PM +0100, Rogier Maas wrote:
Dear List,
I have a couple of Shell-Account-users who can chdir to the root, and dir everything in my filesystem. Is there any way to confine them to their home directory like ProFTPd can?
Yes, but why bother...
If they really can 'dir' everything, you have a bigger problem: you have no security. If they can read and change /etc/passwd and /etc/shadow, you really have a big problem. If they can read 'almost' all, as in the default SuSE configuration, you should be okay.
It is possible to confine a user to his/her homedir (see: man (1) chroot), but then you should also make quite a lot of binaries (like /bin/cp and /bin/ls) and libraries (like: /lib/...) available in their homedir. It almost never is worth the trouble. With ProFTPd (I guess an FTP daemon), your users only have to ftp files and have only a few simple needs: (cd, ls). A shell account user has a lot more needs (like shells, mail-readers, etc.).
Take a look at chmod (see: man (1) chmod) and learn how to change the permissions on important files/directories.
You should buy a Unix book and learn some things about basic Unix security. Your question indicates that you lack a lot of simple SysAdmin skills. In a Dutch bookstore, you can find quite a few Linux books in Dutch. Today, I counted more than 10 different books...
Thanks,
Rogier Maas
Cees.
I've always found that basic UNIX security is not *really* what it was meant for. You must perform quite some tricks to get even the most simple thing done. Take Novell's NetWare for instance. They've got a much more secure security-model. Why doesn't UNIX have one? (Because it wasn't meant for that, ok).

For instance: Why is it that users can read everything? I cannot just say: I don't want that user to be able to look in that directory. If I'd do that, I'd create quite a mess for him/her. If he/she logs in, all kinds of error messages pop up saying that it can't find the root path, etc.

I'll look into the chroot stuff, but I'm already thinking about my next step: linking the binaries to their original paths. Of course, they can't see them, because they have only their own 'private' filesystem... Problems, problems, problems...

Rogier
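The chroot setup discussed in this thread needs each binary and the shared libraries it loads copied into the jail under their original paths. The following is an added example, not part of the original messages; the function names `populate_jail` and `copy_into_jail` and the jail layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: populate a chroot jail with binaries plus the shared
# libraries they need. Function names and layout are hypothetical.

# copy_into_jail JAIL FILE
# Copies FILE to JAIL/<same absolute path>, following symlinks so the jail
# holds real files (a symlink pointing outside the jail would dangle).
copy_into_jail() {
    dest="$1$(dirname "$2")"
    mkdir -p "$dest" && cp -L "$2" "$dest/"
}

# populate_jail JAIL BINARY...
# Only run this on trusted system binaries: on some systems ldd works by
# invoking the dynamic loader on the file it inspects.
populate_jail() {
    jail=$1
    shift
    for bin in "$@"; do
        if [ ! -x "$bin" ]; then
            echo "skip: $bin is not an executable file" >&2
            continue
        fi
        copy_into_jail "$jail" "$bin"
        # ldd prints lines such as "libc.so.6 => /lib/libc.so.6 (0x...)".
        # Keep every field that is an absolute path; this also picks up the
        # dynamic loader itself, which the jailed binary cannot start without.
        ldd "$bin" 2>/dev/null |
            awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
            sort -u |
            while read -r lib; do
                if [ -e "$lib" ]; then
                    copy_into_jail "$jail" "$lib"
                fi
            done
    done
}

# Typical use, as root (the jail path is a constructed sample):
#   populate_jail /home/jail /bin/sh /bin/ls /bin/cp
#   chroot /home/jail /bin/sh
```

Files opened at run time rather than linked (name-service modules, terminal definitions, `/dev` nodes) are not reported by `ldd` and have to be added to the jail by hand.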