#1
31st May 2011, 04:59 PM
newbie14
Ssh and SFTP access control

Dear All,
I have allowed remote users to log into the server via these two methods (SSH and SFTP). The problem now is that I have read on the net that some are talking about chroot etc. What I want is actually, say, for a particular user, to allow only certain folders to be accessed when he/she logs in. What is the best method to achieve this?
#2
7th June 2011, 05:20 AM
flyingfsck
Re: Ssh and SFTP access control

Howdy,

There are various methods that can be enforced from outside of the SSH and FTP applications.

You should read up on groups, ACLs and SELinux.

Cheers,

F.
#3
7th June 2011, 11:54 AM
newbie14
Re: Ssh and SFTP access control

Dear Flyingfsck,
I am confused by these various methods. As a newbie, what is the best method you recommend for me? Can you guide me a bit in depth? Thank you.
#4
7th June 2011, 01:55 PM
smr54
Re: Ssh and SFTP access control

For ACLs you can look at

http://www.vanemery.com/Linux/ACL/linux-acl.html

Even though it's old, it's still applicable.

Unfortunately, I doubt that anyone will really have the time to give you in-depth training on this. These various methods are somewhat complex, and it's very seldom that someone has the patience to guide a beginner completely through something. There are various guides and howtos, some on this forum. However, in-depth guidance is almost asking for a consultant.
#5
7th June 2011, 04:11 PM
newbie14
Re: Ssh and SFTP access control

Dear Smr54,
I do understand, but I do need something very heavy. I am looking for something simple where I would like to restrict the user to limited folders. So are there any other simple sites which can guide in depth? What is the difference between acl, chroot or vsftpd?
#6
7th June 2011, 04:22 PM
smr54
Re: Ssh and SFTP access control

Ah, I see. I think the easiest way to do it would be with sftp chroot. Darn, I saw a guide on that recently---hold on a minute

Hrrm, try this one.

http://v2.robbyt.com/2008/howto/chro...ith-openssh-5/

Ok, the difference. AD is Active Directory, a Windows way of doing things. It's actually quite good, LDAP made simple that works, but it is only available on Windows servers.

ACL is Access Control List and can be useful when working with granular permissions, as described in the link in my other post. It's good when you want to give one group read permissions, and another group read/write, for example.

chroot is Change Root, and means that when someone logs in they are chrooted to a directory--that is, that directory is their root directory and they can't get any higher. For example, user john is chrooted to john's home directory. This means, when he logs in, he is in john's directory, but if he runs the command cd ../ to go up one directory, he cannot. It's often called a chroot jail, because the user is jailed, so to speak, in that directory.

The howto that I list in this post should explain how to do that.

#7
7th June 2011, 06:44 PM
flyingfsck
Re: Ssh and SFTP access control

Howdy,

SSH has a chroot feature built in. Read the man pages and read the Snail Book:
http://www.snailbook.com/

Google has a special Linux related search engine: http://google.com/linux

Cheers,

F.
#8
20th June 2011, 07:49 PM
SlowJet
Re: Ssh and SFTP access control

A user name under the USERS group logon account is restricted to a set of dirs, with chmod set on the first attribute, 7400, to not allow dir delete, and read-only on all the sub-files, 5400.

SELinux should label the files correctly during first logon, except for any setuid on the first attribute and exec on dirs, and any more restrictive permissions. It is all about the planning.
And of course any user that knows of another user and their password can do what they do also.
If the root password is known, they can't be stopped from doing anything, and the root password can be changed from the GRUB boot-up, so if your buddy knows too much and has access to your computer, then it is his computer also.

See man pages for

chmod
fixfiles
setfiles
restorecon

SJ
#9
21st June 2011, 11:47 AM
stevea
Re: Ssh and SFTP access control

If you really prevent access (read/execute on directories and execute on binaries), then the user can't execute any commands at all. I'm pretty sure that is not what you want. ssh would be useless.

Maybe you need to think through the consequences a little deeper. If a user can read-access a file, then they can make a copy (by sftp or by ssh & cp). It really makes no sense to prevent read access to common binaries; the user could download the binary from another source. If you give users read-access to a directory, then they can access files under that dir. But if they have execute on the dir, then they can search it. Unless you are trying for "security by obscurity", you don't want to restrict execute on the directories the user needs.

Maybe you should approach the problem a little differently: use 'find' to show all the directories owned (or group-owned) by the users outside their home directories. Then again use 'find' to show all the directories that anyone can write. You may want to tighten read/execute directory access on users' and root's home directories, but who cares if a user does an ls on /etc/sysconfig?
#10
22nd June 2011, 02:37 AM
SlowJet
Re: Ssh and SFTP access control

Yes, whatever the attr should be is needed.
My point was that it didn't take much in computer effort to make a very secure environment for a user, but a lot of reading and planning to get to that point.

SJ