Steve,

My understanding is that you can't do this in a practical manner. If each
user has a shell account and logs in via ssh, telnet, rlogin, then to
chroot them into their directory you have to place into each directory any
system commands that you want to allow them to run - they're refused
access to any commands/file systems outside of the files they are jailed
in.

Unix/Linux systems allow by default anyone to cd to almost anywhere. You
can restrict what they can read/write by modifying permissions. For
example, I have a shell account with my ISP on a Unix system:
Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996
Almost all 2,500 users have ~/ permissions set to:
drwxr-x--x 3 <cut> user 4096 Nov 1 1999 <cut>/
which means that anyone can cd in and read their files. I changed my ~/
permissions to
drwx------ 4 glenlee user 4096 Oct 6 18:20 ./
I like my privacy.

Generally speaking, if you're using stock Red Hat, file permissions to
sensitive areas are already restricted to root access only. Plus, Red Hat
has a better setup user/group-wise in that instead of having everyone
auto-assigned to the group "users" as Unix does, Red Hat assigns you to a
group that matches your username; user "fred" is assigned to the group
"fred" as the only member of the group. This is also the default group he
runs under. As such, even with file permissions set to drwxr-x--x as my ISP
does, Fred would still be the only person with permission to access his
home directory.

Glen
On Wed, 4 Oct 2000, Steve Curry wrote:
>List,
>
>
>First of all, thanks ahead of time! I'm building a multiuser system that will
>be home to many untrusted user accounts. They are being set up in
>/home/username and I don't want them to be able to view any directory
>structures below their home directory. How do I do this? For example, a user
>called ted in /home/ted shouldn't be able to 'cd' down to /home although he
>can add directories in his own home directory like /home/ted/more.
>
>
>-scurry
>
>
>
>_______________________________________________
>Redhat-list mailing list
>[EMAIL PROTECTED]
>https://listman.redhat.com/mailman/listinfo/redhat-list
>
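
An added example, not part of the original messages: a shell script that reports what each home directory's mode grants to group and other, so the two modes quoted in the reply (751 for drwxr-x--x, 700 for drwx------) can be compared across a whole /home. It assumes GNU stat as shipped on Linux; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report what a home directory's mode grants to group and other.
# Relies on GNU stat (-c), as shipped on Linux.

# Translate one octal permission digit into its effect on a DIRECTORY.
dir_rights() {
    case "$1" in
        1) echo "traverse" ;;                 # --x: reach entries by known name
        3) echo "traverse+modify" ;;          # -wx: also create/delete entries
        4|6) echo "list" ;;                   # r-- / rw-: read names only
        5) echo "list+traverse" ;;            # r-x: ls and cd both work
        7) echo "list+traverse+modify" ;;     # rwx
        *) echo "none" ;;                     # --- and -w- (w is inert without x)
    esac
}

# home_exposure MODE -> "group=<rights> other=<rights>" for an octal mode.
home_exposure() {
    mode=$1
    other=${mode#"${mode%?}"}                 # last digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}                 # second-to-last digit
    echo "group=$(dir_rights "$group") other=$(dir_rights "$other")"
}

# audit_homes BASE -> one line per directory under BASE that grants
# anything to group or other: path, mode, owner:group, exposure.
audit_homes() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        mode=$(stat -c '%a' "$dir") || continue
        exposure=$(home_exposure "$mode")
        if [ "$exposure" != "group=none other=none" ]; then
            printf '%s %s %s %s\n' "$dir" "$mode" \
                "$(stat -c '%U:%G' "$dir")" "$exposure"
        fi
    done
}

# Usage: sh audit.sh /home
if [ "$#" -gt 0 ]; then audit_homes "$1"; fi
```

The owner:group column is there because the group rights only reach whoever is a member of that group, which is where a shared "user" group and a per-user group differ.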