6 Replies Latest reply: Mar 18, 2014 12:19 PM by Catch-22

    Linux user with access to home directory only.

    User498359-OC

      Hi,

       

      We need to create a Linux user who should have access to his home directory only.

       

      When the Linux user logs into WinSCP or any other SFTP software, he should only have access to his home directory and not to any other directories on the server.

       

      Regards,

      Fahim.

        • 1. Re: Linux user with access to home directory only.
          Ankur ...

          Fahim,

           

          The command used is: useradd "name of the user"

          Note: you must be logged in as root to add, delete, and modify users.

          useradd -d /home/oracle -m oracle

          • -d sets the home directory for the user (if other than the default, which is /home/"user's name")
          • -m creates the home directory

           

          HTH

          Thanks

          -Ankur

          • 2. Re: Linux user with access to home directory only.
            User498359-OC

            Ankur,

             

            The user will still have access to other folders...

             

            When I log in to WinSCP and go to the home folder, I am able to copy files from other directories to my desktop, which I don't want to give them access to.

             

            Note: those folders which the user is able to access have 777.

             

            Regards,

            Fahim.

            • 3. Re: Linux user with access to home directory only.
              tvCa-Oracle

              Not sure if that is possible, since if anybody on that server decides that some files/directories should be open to all, this would include access from that user as well.

               

              But the best thing you can do, I think, is this: create the user with a group that nobody else is a member of. Obviously, this would be a new group.

              That way, the access rights of this user fall into the category "other", which would limit things largely.

               

              That's the best solution I can think of, from an OS view.

               

              Maybe there are some FTP-specific setups that achieve similar results, but the above is when you start from a normal user with normal security rules.

              • 4. Re: Linux user with access to home directory only.
                tvCa-Oracle

                "Note: those folders which the user is able to access have 777."

                 

                Mode 777 on a directory = no security.

                It may be part of another discussion, but if somebody is setting 777s all across the filesystem, he/she needs basic training in Unix/Linux.

                 

                If you look at my last update, things would work just perfectly if those directories were 770.

                Same for files.

                • 5. Re: Linux user with access to home directory only.
                  Christopher L-Oracle

                  Fahim,

                   

                  You should look at Access Control Lists and Security-Enhanced Linux as options for restriction.

                  • 6. Re: Linux user with access to home directory only.
                    Catch-22

                    You can configure ssh to allow certain users to use sftp or scp only and restrict them to their home directory.

                     

                    The following should do the trick (tested in OL 6.3):

                     

                    1. Modify /etc/ssh/sshd_config (pretty much at the end of the file):

                    # comment out the external sftp-server binary and use the in-process one,
                    # which works inside a chroot that contains no binaries or libraries
                    #Subsystem      sftp    /usr/libexec/openssh/sftp-server
                    Subsystem sftp  internal-sftp

                    # applies only to members of sftpgroup; everybody else keeps normal ssh access
                    Match Group sftpgroup
                       ChrootDirectory /home/sftpusers
                       ForceCommand internal-sftp
                       X11Forwarding no
                       AllowTcpForwarding no

                     

                    2. Restart the ssh server:

                    service sshd restart

                     

                    3. Create the home directory for sftpgroup:

                    # the chroot and every directory above it must be owned by root and not be
                    # group- or world-writable, otherwise sshd refuses the login
                    mkdir -p /home/sftpusers/home
                    chown root:root /home/sftpusers
                    chown root:root /home/sftpusers/home

                     

                    4. Add the sftpgroup to the system:

                    groupadd sftpgroup

                     

                    5. Create the user (any user):

                    adduser joeshmoe -g sftpgroup -s /sbin/nologin
                    passwd joeshmoe
                    # the account's home is /home/joeshmoe; inside the chroot that path resolves to
                    # /home/sftpusers/home/joeshmoe, which is why the tree above has a "home" level.
                    # this directory is the one place the user may write, so it is owned by the user;
                    # 750 lets other sftpgroup members read it, use 700 if that is not wanted
                    mkdir /home/sftpusers/home/joeshmoe
                    chown joeshmoe:sftpgroup /home/sftpusers/home/joeshmoe
                    chmod 750 /home/sftpusers/home/joeshmoe

                     

                     

                    6. If you use SELinux (see /etc/selinux/config):

                    setsebool -P ssh_chroot_rw_homedirs on
                    (this may take a while)
                    # relabel the whole chroot tree; the user's home lives under it at /home/sftpusers/home/joeshmoe
                    restorecon -R /home/sftpusers

                     

                    Test the login from another system:

                    $ ssh joeshmoe@10.0.2.5
                    joeshmoe@10.0.2.5's password:
                    This service allows sftp connections only.
                    Connection to 10.0.2.5 closed.

                    $ sftp joeshmoe@10.0.2.5
                    joeshmoe@10.0.2.5's password:
                    Connected to 10.0.2.5.
                    sftp> ls
                    sftp> put testfile
                    Uploading testfile to /home/joeshmoe/testfile
                    testfile                                                                                   100%  195     0.2KB/s   00:00
                    sftp> cd /
                    sftp> ls
                    home
                    sftp> ls home
                    home/joeshmoe
                    sftp>

                     

                    That's all. It takes about 5 minutes to set up. Good luck!
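A check to run before restarting sshd, added here as an example that is not part of the thread and not Catch-22's code: sshd honours ChrootDirectory only when the chroot and every directory above it are owned by root and writable by nobody else, and otherwise refuses the login with "bad ownership or modes for chroot directory" in the log. The script below walks that chain the way sshd does (step 3 above is where it most often goes wrong) and also confirms that the user's own directory inside the chroot has the ownership and mode from step 5. It assumes GNU coreutils stat, as on Oracle Linux. The TOP and OWNER_UID parameters are an assumption of this example only, added so the functions can be exercised on a throw-away tree without root; on the real host you call them with / and the default uid 0.

```shell
#!/bin/sh
# Added example, not from the thread: verify a ChrootDirectory tree before restarting sshd.
# Requires GNU coreutils stat (-c '%u %a' prints owner uid and octal mode).

# check_component PATH OWNER_UID
#   true if PATH is a directory owned by OWNER_UID whose mode has neither the
#   group-write nor the other-write bit set, the same test sshd applies to
#   each component of the ChrootDirectory path.
check_component() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    info=$(stat -c '%u %a' "$1") || return 1
    uid=${info%% *}
    mode=${info##* }
    if [ "$uid" != "$2" ]; then
        echo "bad owner on $1: uid $uid, expected $2" >&2
        return 1
    fi
    # the last two octal digits are the group and other permission bits;
    # a digit with the 2 bit set (2, 3, 6, 7) means writable
    go=${mode#"${mode%??}"}
    g=${go%?}
    o=${go#?}
    case $g in 2|3|6|7) echo "group-writable: $1 (mode $mode)" >&2; return 1 ;; esac
    case $o in 2|3|6|7) echo "world-writable: $1 (mode $mode)" >&2; return 1 ;; esac
    return 0
}

# chroot_chain_ok TOP CHROOT [OWNER_UID]
#   Walks from TOP down to CHROOT and applies check_component to every directory
#   on the way, TOP included. On a real host TOP is / and OWNER_UID is 0 (the
#   default); both are parameters only so the check can be tested on a scratch
#   tree owned by an ordinary user.
chroot_chain_ok() {
    top=$1; dir=$2; owner=${3:-0}
    case $dir in
        "$top"*) ;;
        *) echo "$dir is not below $top" >&2; return 1 ;;
    esac
    check_component "$top" "$owner" || return 1
    rel=${dir#"$top"}                 # the part of CHROOT below TOP
    old_ifs=$IFS; IFS='/'
    set -- $rel                       # split the remaining path on '/'
    IFS=$old_ifs
    cur=$top
    for comp in "$@"; do
        [ -n "$comp" ] || continue    # skip empty fields from leading or doubled '/'
        cur=${cur%/}/$comp
        check_component "$cur" "$owner" || return 1
    done
    return 0
}

# user_dir_ok DIR OWNER_UID
#   The user's own directory inside the chroot is the one place that must be
#   writable by the user, so it is owned by the user rather than root. It must
#   still not be world-writable, or other chrooted users could plant files in it.
user_dir_ok() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    info=$(stat -c '%u %a' "$1") || return 1
    uid=${info%% *}
    mode=${info##* }
    [ "$uid" = "$2" ] || { echo "bad owner on $1: uid $uid, expected $2" >&2; return 1; }
    o=${mode#"${mode%?}"}
    case $o in 2|3|6|7) echo "world-writable: $1 (mode $mode)" >&2; return 1 ;; esac
    return 0
}

# Stand-alone use on the host (paths and user name from Catch-22's steps above):
#   sh check_chroot.sh /home/sftpusers /home/sftpusers/home/joeshmoe joeshmoe
if [ $# -ge 1 ]; then
    chroot_chain_ok / "$1" && echo "ok: $1 is acceptable as ChrootDirectory"
    if [ $# -ge 3 ]; then
        user_dir_ok "$2" "$(id -u "$3")" && echo "ok: $2 is owned by $3 and not world-writable"
    fi
fi
```

Two more checks belong in the same step: `sshd -t` validates the edited sshd_config before the restart, and `sshd -T -C user=joeshmoe,host=<client name>,addr=<client ip>` (all three fields are required) prints the effective settings for that connection so you can confirm the Match block actually applies to the account.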