Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
we do:
useradd -s /bin/rbash -d /home/dir/user1 -m user_1:user_1
rbash is not even a solution because you can browse all files with midnight commander.
then we create user_1.domain.com we assign this vhost user_1:user_1 our whole point is to disable this user poking into server’s other directories.
How do we do it?
is chmod o=- -R / a feasible solution to user restricting?
this doesn’t answer my problem.
How to restrict SSH users to a predefined set of commands after login?
First off, read access to the server’s “other directories” is generally required. That’s where the binaries and data files for the installed software live, after all.
If you want to disallow access to other users’ directories, you can always set default umasks such that only owners have read access and let the users decide what to enable for world readability. Or similarly, place every user into their own group, which is the default on most linux distros.
If you want to disallow access always, without the possibility of turning it on, you can play tricks with MAC tools like AppArmor (simple) or SELinux (complicated) to do that. Though this has significant administrative costs you need to think about.
It used to be that chroot was a common solution for this kind of problem, but that’s fallen out of favor in recent years as it doesn’t quite isolate things as much as you would expect.
Finally, the “proper” solution to user isolation is generally felt to be virtualization, either full-system stuff over vmware, kvm, xen, etc… or single-kernel solutions like BSD jails or Solaris Zones.