2

I want to let some of my friends access my computer by making them user accounts. They will mostly access my computer by sftp and ssh, but they could also sometimes access it at my home. However, I don't want them to be able to see all my files (not my personal files from my home directory, I mean files that reside outside of the user directory, like etc, lib...)

I asked the question recently:

OpenSSH, chroot user: Root needs to own the user directory, is there any consequence?

And the answer that was given to me was that if I chroot the user, I will need to create a complete environment for every user.

Is there a way to actually prevent users from going outside of their home directory and prevent them from passing an argument to a program like cp that would point outside of their home directory, or any way to actually keep my system private? What is the best solution? I want them to be able to fully use all my programs, but be unable to copy or read files, or use programs to read or copy files outside of their home directory.

  • 2
    You are trying to do two mutually exclusive things. You can't give people "full access" while locking them down at the same time. – CodeGnome Apr 22 '12 at 01:59
  • It's hard to grant shell access and limit it to a directory without a full-blown chroot and even that is not fool-proof. Chroot environments are intended more for development and testing than for security. If you are willing to restrict users to sftp only without any shell access, if I remember correctly, that was not only possible but much easier to do by using the internal-sftp option with ChrootDirectory in sshd_config. You'll also want to consider setting up quotas if you share the same partition with the other users so they can't fill up your free drive space. – jw013 Apr 22 '12 at 02:45
  • 1
    http://olivier.sessink.nl/jailkit/ – kwarrick Apr 24 '12 at 03:07

5 Answers

3

I doubt you could allow them to fully use all your programs but be unable to read files outside of their home. All it would take is one program that depends on a configuration file to destroy that.

You could create a virtual machine and give them user (or root) access to the virtual machine.

Some common VM solutions are:

  1. Xen
  2. VirtualBox
  3. KVM
  4. OpenVZ
CodeGnome
  • 7,820
emory
  • 472
2

You have a few options that will make your home directory (or part of it) off limits.

  • Change your home directory to owner only access using chmod 700 ~. This will allow only you and root to access the directory.

  • Move your home directory to an encrypted file system. (This will prevent them from accessing it when you don't have it unencrypted. Combine with the above if they may have access while you have the file system unencrypted.)

  • Use a file encryption tool to prevent access to individual files.

  • Hide the private files in hidden directories. Use a name like .private to hide your private stuff. This is only security by obscurity. You will need to combine it with one or more of the above options to make it secure.

Remember, if you give your friends root access, they have a lot of power to bypass your security settings. (Sharing access to systems with files you don't want to share has risks.)

BillThor
  • 8,965
1

This sounds like basic ownership, group-ownership and permission bits settings on the file.

Your personal files are protected by your personal user-ID and personal group-ID. Files you want to share get a GID for friends/public.

Check this website: http://catcode.com/teachmod/no_prob.html

jippie
  • 14,086
  • 1
    Agree. If OP's requirement is just that the friends can't access the OP's private files, then appropriate permissions and ownership are sufficient. chmod -R go-rwxs ~/my_private_dir would make the files in my_private_dir inaccessible to the friends. Setting umask 077 (in appropriate login script) would prevent newly created files being visible to friends. – Brian Swift Apr 23 '12 at 08:21
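The permission approach from BillThor's and jippie's answers and Brian Swift's comment (chmod 700 ~, chmod -R go-rwxs, umask 077), as an added example that is not from the thread: it runs on a constructed temporary directory rather than the real home, locks a private directory, verifies with find that nothing under it remains reachable by group or others, and confirms that a file created under umask 077 comes out mode 0600.

```shell
#!/bin/sh
# Added example, not from the original answers. Works on a throwaway
# directory created with mktemp instead of the real home directory.

# Brian Swift's command: strip read/write/execute and setgid from group
# and others, recursively.
lock_private_dir() {
    chmod -R go-rwxs "$1"
}

# Return 0 when nothing under DIR carries a group/other permission bit or
# a setuid/setgid bit; otherwise list the leaks on stderr and return 1.
verify_private() {
    leaks=$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                       -o -perm -o+r -o -perm -o+w -o -perm -o+x \
                       -o -perm -4000 -o -perm -2000 \) -print)
    [ -z "$leaks" ] && return 0
    printf 'still reachable by group/others:\n%s\n' "$leaks" >&2
    return 1
}

# Create FILE the way a shell with umask 077 would and return 0 if its
# mode came out exactly 0600, i.e. owner-only from the moment it exists.
created_under_umask_077_is_0600() {
    ( umask 077; : > "$1" )
    [ -n "$(find "$1" -maxdepth 0 -perm 600)" ]
}

demo() {
    home=$(mktemp -d)   # constructed stand-in for ~
    mkdir -p "$home/my_private_dir/notes"
    echo "constructed secret" > "$home/my_private_dir/notes/diary.txt"
    chmod 755 "$home/my_private_dir" "$home/my_private_dir/notes"  # deliberately leaky
    chmod 644 "$home/my_private_dir/notes/diary.txt"
    verify_private "$home/my_private_dir" || echo "-> locking it down"
    lock_private_dir "$home/my_private_dir"
    verify_private "$home/my_private_dir" && echo "my_private_dir is owner-only"
    created_under_umask_077_is_0600 "$home/new.txt" && echo "umask 077 gave new.txt mode 0600"
    rm -rf "$home"
}
demo
```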
1

Iron Bars Shell might be just what you're looking for.

Iron Bars SHell, or ibsh for short, is my first attempt to create a restricted working environment for Linux/Unix. I'm sure that many system administrators wish or have wished for a way to lock some/all users into a safe dungeon, where they can only do harm to their own files.

Here is some more info on how to use it.

tkit
  • 2,408
1

Depending on what "fully use all my programs" means, the options are:

  • Use standard Unix file permissions to protect your files. The advantage here is that it's really easy to set up as it's just a matter of deciding which files you want protected and setting the appropriate permissions on them. The downside is that your friend will not be able to do everything on the system as they won't have root access.

  • Run a FreeBSD jail. FreeBSD has jails that are designed for exactly this purpose. They take a little effort to set up, but you're giving your friend a full filesystem that they can use as they wish: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html

  • Run a true Virtual Machine. Xen or VirtualBox can be run to give a fully operational server to your friend. This can be quite resource-intensive in terms of memory, CPU and disk, but it's the most separate from your files.

Quetza
  • 1,036