Koozali.org: home of the SME Server

Lock Users to their Home Directory

Smitro

Lock Users to their Home Directory
« on: March 31, 2005, 11:11:45 PM »
Hi,

I just noticed the other day that if a user logs in using SSH they are put straight into their home directory. But a simple "cd .." will take them down the tree and from there, they are off wandering the system. Is there any way to stop them from leaving their home directory?

cc_skavenger

Lock Users to their Home Directory
« Reply #1 on: April 01, 2005, 01:53:27 AM »
Have you actually logged in with a username other than root or admin? This is not allowed on a normal system. Have you modified your system to give users shell access? This is what I get when I use a regular username to log in to my server over ssh:

Quote

-------------------------
Mitel Networks SME Server
-------------------------


Standard user login services have been disabled.


Terminating connection.

Smitro

Lock Users to their Home Directory
« Reply #2 on: April 01, 2005, 02:37:20 AM »
Sorry, my bad. I used the following package, which created a Server Manager panel to allow me to turn on and off certain users.

http://www.ibiblio.org/pub/Linux/distributions/smeserver/contribs/star/mitel/contrib/user-shell-access/

I enabled the user to be able to SSH, and said no to sudo. But the user is able to roam freely around the system now.

cc_skavenger

Lock Users to their Home Directory
« Reply #3 on: April 01, 2005, 03:23:02 AM »
Locking a user into their home directory is called chroot(ing). It is done with ftp so that the user can only log in to their home directory. I am not sure how to implement this on the ssh level.

CharlieBrady

Re: Lock Users to their Home Directory
« Reply #4 on: April 01, 2005, 05:42:15 AM »
Quote from: "Smitro"

I just noticed the other day that if a user logs in using SSH they are put straight into their home directory. But a simple "cd .." will take them down the tree and from there, they are off wandering the system.


They are restricted in what they can see and touch by normal file permission restrictions.

Quote

Is there any way to stop them from leaving their home directory?


There wouldn't be much point in doing that. From their home directory they can access various other files using ftp, or smbclient, or http - just as they would be from another system on the LAN.

If you don't want them to see other files on the system, don't add them to any of the groups which own those files.
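
An added illustration of the permission model this reply relies on (not part of the original thread, and not SME Server code): it evaluates the classic owner/group/other mode bits for a hypothetical uid and group set and lists which files outside a home directory that account could read. The function names and the constructed sample tree are assumptions; POSIX ACLs and root's bypass of mode bits are not modelled.

```python
import os
import stat
import tempfile

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def permitted(st, uid, gids, bits):
    """Exactly one class applies: owner first, then group, then other."""
    cls = 0 if st.st_uid == uid else 1 if st.st_gid in gids else 2
    return bool(st.st_mode & bits[cls])

def readable_outside_home(root, home, uid, gids):
    """List regular files under root, outside home, that uid/gids could read."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        inside_home = os.path.commonpath([dirpath, home]) == home
        # Without search (x) permission on a directory nothing below it is reachable.
        if inside_home or not permitted(os.lstat(dirpath), uid, gids, SEARCH):
            dirnames[:] = []  # prune this subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and permitted(st, uid, gids, READ):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def build_sample():
    """Constructed tree: a private home, world-readable /etc style files, a group-only share."""
    root = tempfile.mkdtemp()
    layout = {  # directory: (directory mode, {file name: file mode})
        "home/alice": (0o700, {"notes.txt": 0o600}),
        "etc": (0o755, {"motd": 0o644, "secret.key": 0o600}),
        "srv/accounts": (0o750, {"ledger.csv": 0o640}),
    }
    for d, (dmode, files) in layout.items():
        os.makedirs(os.path.join(root, d))
        for name, fmode in files.items():
            path = os.path.join(root, d, name)
            open(path, "w").close()
            os.chmod(path, fmode)
        os.chmod(os.path.join(root, d), dmode)
    for d in ("", "home", "srv"):  # parents must be searchable, whatever the umask
        os.chmod(os.path.join(root, d), 0o755)
    return root
```

Run against the sample tree, an account with no matching group sees only the world-readable file, while adding the group that owns the share exposes the ledger as well.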

Smitro

Re: Lock Users to their Home Directory
« Reply #5 on: April 01, 2005, 08:52:42 AM »
Quote from: "CharlieBrady"

There wouldn't be much point in doing that. From their home directory they can access various other files using ftp, or smbclient, or http - just as they would be from another system on the LAN.


Not true. My system is locked down so they can't.

Now tell me how to lock down ssh.

CharlieBrady

Re: Lock Users to their Home Directory
« Reply #6 on: April 01, 2005, 04:55:53 PM »
Quote from: "Smitro"
Quote from: "CharlieBrady"

There wouldn't be much point in doing that. From their home directory they can access various other files using ftp, or smbclient, or http - just as they would be from another system on the LAN.


Not true. My system is locked down so they can't.


You're quite sure of that? How do they run the ls command if they can't read the /bin/ls file?

Quote

Now tell me how to lock down ssh.


Sorry, I don't know the answer to that.

If you don't trust your users, don't give them access.

Smitro

Lock Users to their Home Directory
« Reply #7 on: April 02, 2005, 02:47:48 AM »
What I'm saying is... All ports are blocked to the outside world, except web and secure web and email. I now want to allow access to ssh, but I don't want to allow access to files other than what is in their home directory.

Guess it will have to go into the too hard basket.