
Re: [OCLUG-Tech] jailing users?

jbuburuz [ at ] sce [ dot ] carleton [ dot ] ca wrote:
Hi folks,

I'm trying to find out if there is a way to jail users in the /home/$USER?
I am trying to set up a server that simply allows users to sftp to some
server and to retrieve files.

What I mean is this:

I have a user called test.

passwd file would look like this:

test:x:1002:1002:Jerry,,,:/home/test:/usr/lib/sftp-server
(/home is an NFS mount)

Ok this works so far, user "test" sftp to server and he/she is able to
create/delete files.

How do I disable/prevent the user from doing this: "cd .." "cd /"? Basically
leaving their home directory and viewing other people's directories in /home?

I know if permissions are set correctly other users cannot see into each
other's home directories. But I just want to prevent shell
access/hacking/playing.

Jerry:

After reading the discussion and your thoughts after people had posted I have a comment or two. All the comments posted were both good and valid.

It seems your _real_ functional requirement is a private remote individual file store that can be securely accessed from anywhere on the Internet. This file store does not appear to need to provide any remote computing functionality other than file creation/access/deletion.

If this is the case, perhaps you may be looking for virtual private networking capability rather than sftp. sftp requires users go through a process of establishing a connection, identifying themselves, authenticating themselves and then performing their file operations - all through userland tasks that require instruction and coaching. If you implement ssh PKI keys instead of passwords (a really good idea!), the overhead to administrate the function you require is significant. Users being users, this is a lot of ongoing work, and things that can be operationally screwed up.

VPN functionality can provide the same secure remote filestore functions with the operational user interface transparent to the end user - no need to manually execute either command line sftp functions, or graphical "explorer" functionality. Users just access a "drive" and manipulate their files as if they were local. Identity, authentication and ability to control access on a fine-grained basis is a set-once and forget administrative task - eliminating the userland "fooling around" every time they need to perform a file operation.

You may want to look at an SSL VPN like OpenVPN (http://www.openvpn.net) as it will give you the functionality you seem to require and may be less of an administrative (or help desk) burden over time.

--
Bill Strosberg, CISSP

