Restricting users permission to a directory (Linux)


Post by codyhawkinz »

I'm wondering how I can create a user which would only have access to an existing directory and nothing else.

Example:
home > myname > folder > folder2

So he would only be able to be in 'folder2' and not in 'folder'. If I just write 'newuser', he will be able to access all folders, which I don't want.

In other words, how can I chroot jail a user to its home directory?

Re: Restricting users permission to a directory (Linux)

Post by soja »

Would making a new usergroup and assigning "folder2" group rwx permission do it? Don't set "folder" to be in the same group.
Not a NFO employee

Re: Restricting users permission to a directory (Linux)

Post by codyhawkinz »

soja wrote: Would making a new usergroup and assigning "folder2" group rwx permission do it? Don't set "folder" to be in the same group.

I'm sorry, I'm still a beginner at Linux.
However, I've been trying to use 'jailkit' to 'jail' the user inside that folder. I heard that's the correct way, but I can't find any proper tutorial that shows how it's done.

Re: Restricting users permission to a directory (Linux)

Post by codyhawkinz »

Bump!

Here's what I do but it doesn't work:

Code:

cd ..
chmod g+rx /home/folder1/folder2
mkdir -p /home/folder1/folder2/folder3
chmod g+rwx /home/folder1/folder2/folder3
addgroup group1
chgrp -R group1 /home/folder1/folder2

Then I edit this file; /etc/ssh/sshd_config || adding this:
Match Group group1
  # Force the connection to use SFTP and chroot to the required directory.
  ForceCommand internal-sftp
  ChrootDirectory /home/folder1/folder2/folder3
  # Disable tunneling, authentication agent, TCP and X11 forwarding.
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no

Then I add users with this cmd:
adduser --ingroup group1 user1

Then I use: service ssh restart || to reload the /etc/ssh/ folder.
After doing so, I test the 'user1' account with filezilla (same thing happens with WinSCP):

Code:

Status: Connecting to 95.172.92.248...
Status: Connected to 95.172.92.248
Status: Retrieving directory listing...
Status: Listing directory /
Error: Unable to open .: permission denied
Error: Failed to retrieve directory listing

Then I tried:

Code:

usermod -m -d /home/folder1/folder2 user1

to set the home directory of "user1", just in case. Although group1 was supposed to do so automatically. I tried again and it didn't work. I checked passwd and the home directory was set where I asked it to, but not passwd-, so I edited it and it still doesn't work.

I've tried quite a few ways but it does not seem to work.

Disregard the jailkit thing I posted earlier, doesn't seem to work properly.
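
Added example, not part of the thread: sshd_config(5) states that sshd checks at session startup that every component of the ChrootDirectory path is a root-owned directory not writable by any other user or group, a rule that a directory given `chmod g+rwx`, like the one in the post above, does not meet. The script below audits a path against that rule. The function names and the optional uid/top-directory arguments are assumptions added here so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a stat(1) with -c (GNU/BusyBox).
# Function names and the optional UID/TOP arguments are hypothetical helpers.

# check_component PATH UID: one path component must be a directory owned by
# UID and must not be writable by group or others.
check_component() {
    c_path=$1; c_want=$2; c_rc=0
    [ -d "$c_path" ] || { echo "FAIL $c_path: not a directory"; return 1; }
    c_uid=$(stat -c '%u' "$c_path")
    c_perm="00$(stat -c '%a' "$c_path")"      # pad so a mode like "0" still parses
    c_other=${c_perm#"${c_perm%?}"}           # last octal digit
    c_rest=${c_perm%?}
    c_group=${c_rest#"${c_rest%?}"}           # second-to-last octal digit
    [ "$c_uid" = "$c_want" ] || { echo "FAIL $c_path: owner uid $c_uid, need $c_want"; c_rc=1; }
    case $c_group in 2|3|6|7) echo "FAIL $c_path: group-writable"; c_rc=1 ;; esac
    case $c_other in 2|3|6|7) echo "FAIL $c_path: world-writable"; c_rc=1 ;; esac
    if [ "$c_rc" -eq 0 ]; then echo "ok   $c_path"; fi
    return "$c_rc"
}

# audit_chroot_path DIR [UID] [TOP]: check DIR and every parent up to TOP.
# Defaults (uid 0, TOP=/) match what sshd enforces; the overrides only exist
# so the check can be exercised without root.
audit_chroot_path() {
    a_want=${2:-0}; a_rc=0
    a_top=$(cd "${3:-/}" 2>/dev/null && pwd -P) || { echo "FAIL ${3:-/}: cannot resolve"; return 1; }
    a_cur=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL $1: cannot enter"; return 1; }
    while :; do
        check_component "$a_cur" "$a_want" || a_rc=1
        if [ "$a_cur" = "$a_top" ] || [ "$a_cur" = / ]; then break; fi
        a_cur=$(dirname "$a_cur")
    done
    return "$a_rc"
}

# Usage: sh audit.sh /home/folder1/folder2/folder3
if [ "$#" -gt 0 ]; then audit_chroot_path "$@"; fi
```

With an SFTP-only chroot, the usual layout is a root-owned, non-writable chroot directory containing a subdirectory that the user or group may write to.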
Re: Restricting users permission to a directory (Linux)

Post by Caliban55 »

If the only thing you are interested in is setting up an FTP (server) environment for different users, each with his own directory and restricted access, I would recommend that you take a look at pure-ftpd.

Many Linux distributions come with it already, or you can install it without many problems. Simply set up the virtual users that you want/need, each with the appropriate directory access and you should be good to go. Make sure that you take a look at the provided documentation.

Pure-ftpd is a quite secure and efficient FTP server.

http://www.pureftpd.org/project/pure-ftpd
http://download.pureftpd.org/pub/pure-f ... tual-Users

Re: Restricting users permission to a directory (Linux)

Post by codyhawkinz »

I tried the following:

Code:

pure-pw useradd joe -u ftpuser -d /home/ftpusers/joe

It told me I should use a 'non-root' gid and uid... I have no idea what that is..

Re: Restricting users permission to a directory (Linux)

Post by Caliban55 »

The reason for this error is that the user "joe" (and probably the group) does not exist, or that user is a root user. That was only an example from the documentation.

Please read through the complete documentation, at the top look for this and try it:
A good thing to do before using virtual users is to create a system user
for this. Of course, you can use any existing account like "nobody" (but not
root), but it's better to have a dedicated account.

Let's create an "ftpgroup" group and an "ftpuser" user.

Linux/OpenBSD/NetBSD/Solaris/HPUX/OSX/a lot of other Unix-like systems:

groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser

FreeBSD/DragonflyBSD:

pw groupadd ftpgroup
pw useradd ftpuser -g ftpgroup -d /dev/null -s /etc

Then, all maintenance of virtual users can be made with the "pure-pw"
command. You can also edit the files by hand if you want.

Files storing virtual users have one line per user. These lines have the
following syntax:

<account>:<password>:<uid>:<gid>:<gecos>:<home directory>:<upload
bandwidth>:<download bandwidth>:<upload ratio>:<download ratio>:<max number
of connections>:<files quota>:<size quota>:<authorized local IPs>:<refused
local IPs>:<authorized client IPs>:<refused client IPs>:<time
restrictions>

Fields can be left empty (exceptions: account, password, uid, gid, home
directory) .

Passwords are compatible with the hashing function used in /etc/passwd or
/etc/master.passwd . They are crypto hashed with blowfish, md5, multiple-des
and simple des, in this order, according to what your system has support for.
...
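
Added example, not part of the thread or of the pure-ftpd project: a check of a virtual-users file against the rules in the documentation quoted above (account, password, uid, gid and home directory must be present; the uid/gid must not be root's). The function names and sample lines are constructed, and the check assumes the stored uid and gid are numeric.

```shell
#!/bin/sh
# Added example, not from the thread or the pure-ftpd project.
# audit_pureftpd_passwd is a hypothetical helper; it checks only what the
# quoted documentation states: account, password, uid, gid and home directory
# must be present, and the uid/gid must not be root's (0).
# Assumption: uid and gid are stored as numbers.

audit_pureftpd_passwd() {
    awk -F: '
        BEGIN { failed = 0 }
        /^[ \t]*$/ { next }                          # ignore blank lines
        {
            why = ""
            if ($1 == "")             why = why " empty-account"
            if ($2 == "")             why = why " empty-password"
            if ($3 !~ /^[0-9]+$/)     why = why " uid-not-numeric"
            else if ($3 + 0 == 0)     why = why " uid-is-root"
            if ($4 !~ /^[0-9]+$/)     why = why " gid-not-numeric"
            else if ($4 + 0 == 0)     why = why " gid-is-root"
            if ($6 == "")             why = why " empty-home"
            if (why != "") { printf "line %d (%s):%s\n", NR, $1, why; failed = 1 }
        }
        END { exit failed }
    ' "$1"
}

# Constructed sample lines in the documented 18-field layout (not real accounts).
sample_passwd() {
    cat <<'EOF'
joe:CONSTRUCTED-HASH:1001:1002::/home/ftpusers/joe::::::::::::
ann:CONSTRUCTED-HASH:0:0::/home/ftpusers/ann::::::::::::
bob:CONSTRUCTED-HASH:ftpuser:1002::::::::::::::
EOF
}

# Usage: sh audit_passwd.sh /path/to/virtual-users-file
if [ "$#" -gt 0 ]; then audit_pureftpd_passwd "$1"; fi
```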

Re: Restricting users permission to a directory (Linux)

Post by Caliban55 »

Ooops, mistype. That has to be the user "ftpuser" of course, or whatever name you used.

Re: Restricting users permission to a directory (Linux)

Post by codyhawkinz »

I've been working on this for a whole week, of course I read through the whole documentation. I did everything it said, but when I got to the point where I had to write:

Code:

pure-pw useradd joe -u ftpuser -d /home/ftpusers/joe

I got an error, as mentioned above.

It's not like I'd just pick a random part of the documentation and write it in and hope it works.

Re: Restricting users permission to a directory (Linux)

Post by Caliban55 »

Please try it with the following command syntax:

Code:

pure-pw useradd joe -u uid -g gid -d /home/ftpusers/joe

uid being the created user id and gid being the created group id.

For example:

Code:

pure-pw useradd joe -u 1001 -g 1002 -d /home/ftpusers/joe