
I want to secure my linux server by not permitting the root user to login. For this I've created another user with:

useradd username
mkdir /home/username/
mkdir /home/username/.ssh
chmod 700 /home/username/.ssh
chown username:username /home/username -R
passwd username

When I log in as the new user, the root directory is /home/username. This is the normal behavior at this point. But in general I need access to a different directory: /root/exampledirectory/. This access is denied.

How can I configure ssh so that the user username can access /root/exampledirectory and set this directory as the starting point when logging in with ssh?

chown username:username /root/exampledirectory -R is not working. The start directory is always /home/username and I have no access to other directories.

How could I handle this?

Vueer

1 Answer


I imagine there is a better way to go about what you're doing. I would be careful when allowing access to my root, but here is one way to go about it:

To be able to access that directory under the root on your user, you will need permissions on directories all the way to the exampledirectory. I did an example of this to check things out. I think a good way to go about it would be to create a new group, maybe call it root-traverse: sudo groupadd root-traverse

After that add your user to that group: sudo usermod -aG root-traverse your-username. This will give your user access to whatever root-traverse has access to. Don't forget to either log out and log back in to make the group effective, or do su your-username and then check id to see if you are now in the group root-traverse.

After this you will want to add the group root-traverse to your root directory permissions. I prefer to do this as an ACL (if you have to at all). It's a way to access more fine-grained permissions. sudo setfacl -m g:root-traverse:rx /root. This will give that group only enough permissions to get into the root directory and list the files/folders inside. I still don't like this as far as security goes, but it is what it is.

Almost done, now for the directory you want access to: /root/exampledirectory you need to sudo chown -R root-traverse: /root/exampledirectory and sudo chmod -R 770 /root/exampledirectory

Now you can change directories into that directory and also add and edit files inside! To start an ssh session there, you can save a script into your /home/your-username/bin or wherever you prefer to keep it. vim ssh-script.sh

#!/bin/bash

# Start ssh session in preferred directory

ssh -t xxx.xxx.xxx.xxx "cd /root/exampledirectory ; bash --login"

I believe that should do the trick. Don't forget to chmod +x ssh-script.sh on the script you create to make it executable. Then to run your stuff, ./ssh-script.sh or you can put it somewhere that is included in your path and run it just like a normal command ssh-script. Good luck!

Edit: After some thinking, you could use a bind mount to mount that exampledirectory into your home directory, then just set the ACL permissions on that from there. You wouldn't be giving any access to the root directory at that point.

  • Any idea why I'm getting chown: invalid spec: "root-traverse:"? – David Callanan Aug 30 '22 at 12:19
  • @DavidCallanan Sorry I'm just seeing this comment. Did you ever get that issue fixed? If not, could you please post the command(s) you're using? – ChrispyChris Oct 17 '22 at 17:43
  • @DavidCallanan if you have a new question, it's best to ask it separately; you can link to this question from yours if you think it would be helpful for context, but leaving comments here isn't the best way to get your particular problem solved. Thank you! – Jeff Schaller Nov 15 '22 at 14:46
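To show why the answer's ACL step on /root is needed (changing the owner of /root/exampledirectory alone, as in the question, leaves the user blocked at /root), here is an added example, not from the question or the answer, that models the POSIX mode-bit and ACL check along a path in Python. The uids/gids and the three directories are constructed; it assumes the target directory's group was set with the group-only spec `chown -R :root-traverse /root/exampledirectory` followed by `chmod -R 770`, and it leaves out named-user ACL entries.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits
@dataclass
class Dir:  # constructed model of one directory: ownership, mode bits and POSIX ACL
    owner: int
    group: int
    mode: int                                       # owner/group/other bits, e.g. 0o700
    acl_groups: dict = field(default_factory=dict)  # named-group ACL entries: gid -> perms
    mask: int = 7                                   # ACL mask; 7 (no limit) when no extended ACL

def allowed(d: Dir, uid: int, gids: set, want: int) -> bool:
    """Simplified POSIX.1e check: root bypasses; owner, then group class under the mask, then other."""
    if uid == 0:
        return True
    if uid == d.owner:
        return (d.mode >> 6) & want == want
    entries = [(d.group, (d.mode >> 3) & 7)] + list(d.acl_groups.items())
    matching = [perms & d.mask for gid, perms in entries if gid in gids]
    if matching:                                    # any matching group entry may grant
        return any(p & want == want for p in matching)
    return d.mode & 7 & want == want

def can_reach(fs: dict, uid: int, gids: set, path: str, want: int):
    """Every ancestor needs search (x) before `want` on the target; returns (ok, decisive path)."""
    parts = [p for p in path.split("/") if p]
    for p in ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]:
        if not allowed(fs[p], uid, gids, X):
            return False, p
    return allowed(fs[path], uid, gids, want), path

def setfacl_group(d: Dir, gid: int, perms: int) -> None:
    """Model `setfacl -m g:<group>:<perms>`: add the entry, recompute mask as union of group-class entries."""
    d.acl_groups[gid] = perms
    d.mask = (d.mode >> 3) & 7
    for p in d.acl_groups.values():
        d.mask |= p

USER_UID, USER_GID, TRAVERSE_GID = 1000, 1000, 1001  # constructed ids for username / root-traverse
FS = {"/": Dir(0, 0, 0o755), "/root": Dir(0, 0, 0o700),
      "/root/exampledirectory": Dir(0, TRAVERSE_GID, 0o770)}  # after chown :root-traverse + chmod 770
def demo() -> dict:
    member, outsider, target = {USER_GID, TRAVERSE_GID}, {USER_GID}, "/root/exampledirectory"
    out = {"before_acl": can_reach(FS, USER_UID, member, target, R | W | X)}  # blocked at /root
    setfacl_group(FS["/root"], TRAVERSE_GID, R | X)  # sudo setfacl -m g:root-traverse:rx /root
    out["after_acl"] = can_reach(FS, USER_UID, member, target, R | W | X)
    out["not_in_group"] = can_reach(FS, USER_UID, outsider, target, R | W | X)
    FS["/root"].mask = 0  # a later plain `chmod 700 /root` rewrites the mask, silently revoking the grant
    out["after_chmod"] = can_reach(FS, USER_UID, member, target, R | W | X)
    return out
```

The last step is the caveat to watch for on a hardened box: a plain chmod on a directory that carries an ACL edits the mask, not the group entry, so a periodic `chmod 700 /root` will break this setup without any error message (`getfacl /root` shows the effective rights).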