Re: Secure File Transfer & Jailed user accounts

Author: Craig White
Date:  
To: Main PLUG discussion list
Subject: Re: Secure File Transfer & Jailed user accounts
On Fri, 2005-08-26 at 18:16 -0700, wrote:
> Quoting Craig White <>:
>
> > I thought that I had read if you put /./home/user as the users home
> > directory in /etc/passwd that it would chroot them to that directory
> > only. Don't recall where I read that info and it may not be at all
> > accurate.
> >
> > Most ftp programs should have a way to lock them into their home
> > directory though - I don't do much ftp these days.
> >
> > Craig
> >
> > ---------------------------------------------------
>
> Would have been great if it worked but, no.
> I created a new user with a home dir like you mentioned and it did nothing other
> then create a normal user
>
> # useradd -d /./home/test2 testme
> # passwd testme
> Changing password for user testme.
> New UNIX password:
> BAD PASSWORD: it is based on a dictionary word
> Retype new UNIX password:
> passwd: all authentication tokens updated successfully.

----
That could never work. You would have to enclose it in quotes.

useradd -d "/./home/testme" testme
passwd testme

But I still don't think that this by itself will chroot that user to the
home directory. The problem is that when you give someone a shell, they
need access to the binary applications which comprise their shell at the
very least and those are in the filesystem itself (likely /usr/bin
and /bin) so to have a shell and be chrooted from those locations, would
pretty much render their login useless.

If I recall, the "/./home/user_home" home directory in /etc/passwd
related to some type of ftp - perhaps wu-ftpd (which I used to
occasionally use), perhaps some other ftp daemon server.

You have to define what it is that you want them to do - sftp (openssh)
requires a valid shell and that means access to the filesystem.

If all they need is file transfer and not a shell, I think that Joseph
pretty much gave you a great way to go (he is a great source of info).

There has also been some discussion (probably mostly der.Hans) on UML
(User Mode Linux) which I presume is all about restricted shell
accounts.

Craig

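Added example (not from Craig's post or the thread): the point above about a chrooted shell needing "the binary applications which comprise their shell" is exactly what bites when you try it. A user chroot'd into /home/testme gets "No such file or directory" from the kernel, because /bin/bash and the shared libraries it links against are not visible from inside the jail. The script below shows what a working shell jail actually has to contain: it copies a binary plus every library that ldd resolves into the jail, preserving their absolute paths. The jail path and /bin/bash are illustrative; the ldd output parsed in the test is constructed. (For pure file transfer, OpenSSH 4.9 and later has ChrootDirectory with ForceCommand internal-sftp, which needs no binaries in the jail at all; in 2005 that option did not exist.)

```shell
#!/bin/sh
# Build a minimal chroot for a login shell (illustrative helper, not
# from the original thread). Run as root; the jail and everything in it
# should stay root-owned so the user cannot plant their own libraries.

# Parse `ldd` output into a list of absolute library paths.
# ldd prints three line shapes:
#   linux-vdso.so.1 (0x00007ffd...)                  virtual, skip
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)  take $3
#   /lib64/ld-linux-x86-64.so.2 (0x...)              the loader, take $1
# "not found" and "statically linked" lines produce nothing.
ldd_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one file into the jail at the same absolute path, creating the
# parent directories (e.g. /home/jail/lib/x86_64-linux-gnu/).
jail_copy() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Install a binary and every shared library it needs into the jail.
jail_install() {
    jail=$1
    bin=$2
    jail_copy "$jail" "$bin"
    ldd "$bin" | ldd_libs | while read -r lib; do
        jail_copy "$jail" "$lib"
    done
}

# Usage (as root):  sh mkjail.sh /home/jail /bin/bash
# then try it:      chroot /home/jail /bin/bash
# Note that even this gives only bash builtins; ls, cat, scp etc. each
# need the same treatment, which is why a shell jail fills up fast.
if [ $# -eq 2 ]; then
    jail_install "$1" "$2"
fi
```

The awk filter is the part worth keeping: it handles the loader line (which has no "=>") and silently drops the vDSO and any "not found" entries, so the copy loop only ever sees real files. Everything copied in should be owned by root and not writable by the jailed user, otherwise the jail is only as strong as the user's ability to overwrite libc inside it.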
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss