6

I'm creating a new user with the following details:

useradd -d /var/www/html/testuser.com -G users testuser

I proceed by creating a new password for the user and attempt to login via SSH, I land on /var/www/html/testuser.com but I can still go back in the directories. I want to restrict user permissions so that they can only manage the content inside the testuser.com and sibblings (so they can do all normal operations), I do not want the user to be able to navigate back in the directories and effectively have root access.

Gilles 'SO- stop being evil'
  • 829,060
Jorg Ancrath
  • 203
  • 3
    We need to define more carefully what you want to do -- this user does not have "root(-user) access", forex, they won't be able to write files in /etc; and you don't want to deny them access to /bin or /usr/bin, because they won't have any commands to run. Maybe you're looking for chroot? – Ulrich Schwarz Jun 13 '14 at 21:26
  • I guess! I want them to be able to create/remove directories, upload files via SFTP... it's basically a domain folder and they should be able to manage the files as they want, I'm not really interested in allowing users to run any otehr management commands – Jorg Ancrath Jun 13 '14 at 21:30
  • Maybe setfacl on the user account? – Ramesh Jun 13 '14 at 22:15

3 Answers3

7

Users don't “effectively have root access” just because they can browse other directories. All users with shell access can browse the software installation — this isn't confidential information after all, since it can be downloaded from any number of sites. If there are directories that you don't want to expose to all shell users, given them appropriately restrictive permissions.

If you want to have a second layer of safety, you can make the accounts more restricted. If you only want to allow these users to browse, upload and download files under /var/www/html/testuser.com, then don't give them a shell account, give them a restricted account that can only use SFTP. You can specify options for a specific account in sshd_config with a Match block. (Put this at the end of the file, since the Match directive extends to the next Match directive or to the end of the file.)

Match User testuser
    Force-command internal-sftp
    ChrootDirectory /var/www/html/testuser.com

If you want to allow the users to use a few more commands such as scp and rsync, but not general shell access, use rssh or scponly as the shell on their account, and install and configure rssh or scponly to specify which commands you want to allow (see Do you need a shell for SCP?).

If you want to give a shell account that only allows running a few whitelisted programs, make their shell a restricted shell. Note that these users will be able to access files outside their home directory, based on file permissions.

If you want to give full shell access, but make everything other than home directories invisible, then you need to create some form of jail. The weakest form of jail is a chroot jail, which restricts the user to a branch of the directory tree. Restricting a user to a chroot is as easy of specifying ChrootDirectory in sshd_config; however, since the user cannot exit the jail, the directory must contain all the programs that the user will use and their data. You can use bind mounts to make some directories (e.g. /usr) visible inside the jail.

Community
  • 1
Gilles 'SO- stop being evil'
  • 829,060
2

Have a look in man 5 sshd_config at the option ChrootDirectory.

Hauke Laging
  • 90,279
-1

You can change the permissions of /var/www/html so that only root can view/modify the files/folders.

Like:

chown root:root  /var/www/html
Joseph R.
  • 39,549
redoc
  • 183