[ Enlarge Image ]

How to restrict users in linux to their /home

<< Back

by: fcruz. Linux - Unix Blogs.

This is typical situation, you created users that were intended to stay in their /home environment, however they can read around and look all the server directories, here is how to solve this situation

How do I restrict user's to their home dir in the telnet/shell?

Problem:

Is it possible to restrict users to their home directory in telnet and/or ssh ?

Solution:

Restricting Telnet/SSH/Shell User's To Thier Home Directory Problem:
Traditionally, the best way to "lock down" users to their home directory is to use a "change rooted environment". However, this is expensive (resource wise) and sometimes not a very "nice" way to secure a server on a user per user basis.

For V-hosters, most of your concern lies in the simple feat of keeping customers from poking around your system, and other user's home dirs--without limiting their ability to execute binaries in their normal system path.

Solution:
The "easy fix" for this is to use "restricted bash" (aka rbash or bash2) to stop their ability of "cd'ing" and limit their ability to do anything outside of their home directory. rbash is not the most secure way to do it, but will usually stop 80%-90% of the poking around that most users might like to normally do. Below is how you would accomplish this:

For restricting your shell user's directory access to /home/username (while allowing executing from the system path) you (the admin) can use bash2 or "rbash" instead of just bash. When a user uses bash2 via the sym-link "rbash", bash2 will note this and run in "restricted mode". Basically, it simply does not allow them to invoke anything above their own home directory from the command line... but all other spawned apps have normal system access. Type "info bash2" for more info on the restrictions. bash2 comes standard in our RedHat 6.2 and higher systems.

To set up your system to use it... just do this:

telnet/ssh in and become root

cd into /bin

Check out your current bash binary:

            # ls -la /bin/*bash*

if you see a "bash2" and don't see a sym-link for "rbash" then your system is ready to be secured. Just create the needed symlink from rbash to bash2:

            # ln -s bash2 rbash

NOTE: If you don't have "bash2" installed, you can get it from this location:
ftp://ftp.rackspace.com/pub/linux/redhat/X.Y/os/i386/RedHat/RPMS/bash2-*.i386.rpm (where X.Y is your version of Red Hat)

Now simply change your user's login shells in /etc/passwd from /bin/bash to /bin/rbash

Now the users (that you set up with "rbash" as their login) won't be able to cd out or do anything out of their home dir/system-path!

While this is still not a truly secure setup, it's better than just running plain old /bin/bash. If you would like to take this to the next level, you can set up a /rbin directory and make the appropriate system path changes... But please do not do this if you you're not intimately familiar with the inner workings of the various system paths.

Share This Blog |

Trackback URL |

[ Back ]

Add remove services from linux startup
Linux and Windows filesystem fragmentation
Using PAM on Linux for extra security
Usefull linux commands