1

I want to have a user to be able to login with ssh, but only be able to read files from a specific directory.

I did some research. Is it true that this is only possible with chroot and home directories?

Running Debian 10.

ctrl-alt-delor
  • 27,993
Vernox Vernax
  • 25
  • Does it matter if they can read system programs (the stuff that is already published on the inter-web)? – ctrl-alt-delor Apr 22 '20 at 09:27
  • you mean stuff like the top command. no I just dont want that it can read see or do anything to other directories. – Vernox Vernax Apr 22 '20 at 09:45
  • 1
    So not write to other directories, not read "secret" information from other directories? If so then you need to use a separate user account, and file-permissions. see https://unix.stackexchange.com/q/101263/4778 – ctrl-alt-delor Apr 22 '20 at 10:06

1 Answers1

1

Done this recently with restricted bash (rbash). https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html One of it's restrictions: Changing directories with the cd builtin.

Set user's default shell to /bin/rbash and directory to the directory that you wan't to limit him to in /etc/passwd and he will not be able to cd out of it.

Alternatively you could add an alias in the user's shell profile file: alias cd='printf ""'

shiftas
  • 326
  • 1
    I just tried rbash. It doesn't allow me to cd to a directory outside the initial directory but it doesn't restrict the access to files as an argument to commands, e.g. using cat ../somefile. I can even start an unrestricted bash. As written in the documentaition of rbash, you need additional means to really restrict the environment. – Bodo Apr 22 '20 at 14:32
  • adding aliases to .bash_profile will prevent that. You can also prevent certain options for a command by creating a script checking if input has / and add that script via an alias. Example alias cat='./checkforabsolutepaths.sh'. All other commands that you might not want the user to have access to can be turned of with alias cd='printf ""'. Don't forget to remove write permissions from .bash_profile though. – shiftas Apr 23 '20 at 07:22
  • These are some examples for what I wrote: "you need additional means to really restrict the environment". If you use alias cat='./checkforabsolutepaths.sh' you have to prevent the user from using command cat to call the command instead of the alias. – Bodo Apr 23 '20 at 09:53
  • Also bypassed by specifying the command to run in the SSH invocation: ssh host cat ../somefile or even better: ssh host bash. As @Bodo said: "you need additional means to really restrict the environment." – xOneca Mar 26 '21 at 08:54