Limiting ssh user to specific folder

Posted by user_204207, 06-23-2009, 10:19 AM
I may have this wrong, but I think it's possible. I have a friend who wants to run a process on one of my servers. Now, I don't particularly 'care' about this server; it's just used for a couple of unimportant things, so I'm okay with him running it, but I don't want the hassle of sorting out things if he decides to delete everything, so I'm hoping it's possible to limit his directory. For example, I have the folder "people" in the topmost directory, and inside that I have "arthur". I want to limit the ssh user "arthur" to the folder "arthur"; I don't want him to be able to cd ../../ and delete stuff. Is this possible? Thanks.

Posted by mwatkins, 06-23-2009, 10:39 AM
What OS are you running?

If a BSD such as FreeBSD, you have two approaches, one of which involves the built-in feature, jail. FreeBSD jail is a tool of that OS which allows you to create a "chroot'd" environment that can look like an entire OS installation or just what the user needs and nothing more. It is possible to create an environment that looks like an entire server, rather like an OpenVZ VPS in many respects.

If running a Linux, google on "OpenSSH chroot" and you'll find a variety of solutions, many of which involve installing a patched OpenSSH. You do not need to patch OpenSSH, as newer versions (> 4.8 - introduced last year) of OpenSSH contain a chroot feature. Check what version of SSH you are running and update to the latest if necessary. BSDs of course also run OpenSSH (the OpenBSD project develops OpenSSH), so this approach is available on FreeBSD as well.

man sshd_config for more details on configuration file settings.

Last edited by mwatkins; 06-23-2009 at 10:44 AM.

Posted by user_204207, 06-23-2009, 10:40 AM
I thought I mentioned my OS, obviously not. CentOS 5. I'll take a look at OpenSSH, thanks!

Posted by mwatkins, 06-23-2009, 10:58 AM
Chances are you are running a version that can handle it:

    $ ssh -V
    OpenSSH_5.1p1 Debian

    % ssh -V
    OpenSSH_5.1p1 FreeBSD-20080901

man sshd_config will contain the term ChrootDirectory if your version supports this. There is some setup required on your part - you'll need to put shells and other necessary files for the user in that location; hopefully their system needs for this app are minimal and they can look after the userland stuff on their own.
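
Part of the setup mentioned above is a permissions requirement: per sshd_config(5), every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others, or sshd rejects the session. The pre-flight check below is an added example, not part of the original thread; it assumes GNU stat (Linux), and the function names and the /people/arthur layout taken from the question are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a directory
# intended as an sshd ChrootDirectory. Assumes GNU stat (Linux).

# component_ok UID MODE -> success only if owned by root (uid 0) and not
# group- or world-writable. MODE is octal, as printed by `stat -c %a`.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> walks DIR and every parent up to /, reports
# each failing component on stderr, returns 1 if any failed, 2 on misuse.
check_chroot_path() {
    p=$1
    rc=0
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p" >&2; return 2 ;;
    esac
    [ -d "$p" ] || { echo "not a directory: $p" >&2; return 2; }
    while :; do
        meta=$(stat -c '%u %a' "$p") || return 2
        uid=${meta% *}
        mode=${meta#* }
        if ! component_ok "$uid" "$mode"; then
            echo "FAIL $p (uid=$uid mode=$mode)" >&2
            rc=1
        fi
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# print_stanza USER DIR -> sshd_config block confining USER to DIR.
print_stanza() {
    printf 'Match User %s\n    ChrootDirectory %s\n' "$1" "$2"
}

# Example with the names from the question (hypothetical layout):
#   check_chroot_path /people/arthur && print_stanza arthur /people/arthur
```

Because the chroot root itself cannot be writable by arthur, his files belong in a subdirectory he owns inside it.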


