On Sun, 12 Aug 2018 09:38:45 +0300
Lars Noodén <lars.noo...@gmail.com> wrote:

> On 08/12/2018 09:10 AM, KatolaZ wrote:
> > On Sun, Aug 12, 2018 at 01:55:00PM +0900, mett wrote:  
> [snip]
> >> I'm considering giving ssh access but I realized that
> >> chroot for ssh looks quite involved.
> >>
> >> So, I'm wondering if using 'chmod o-r'
> >> for folders (and subfolders), and files on
> >> /etc, /home, /root, /usr and /var is a viable solution.
> > 
> > Maybe use a restricted shell, allowing only the bunch of commands
> > you would like the users to be able to run. Beware of cat(s),
> > though.  
> 
> With restricted shell the main thing is to make a separate directory
> for the rshell user and replace $PATH with it so they can't access the
> normal directories.  There you put links (symbolic or hard) to the
> original applications they are allowed to run, however few those are
> but the fewer the better.
> 
> However, why vsftpd instead of using chrooted SFTP for the file
> transfers?
> 
> /Lars
> _______________________________________________
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Thanks for the input.

To be honest, rbash is what I thought of, first.

2 things keep me from using it:
- user cannot cd in his subdirectories
  (I could, as Lars said, then put the applications
  I'd like the user to have access to)
- the Wikipedia example of writing 'bash' at the command line
  and then being able to access everywhere (I tried it).

Regarding vsftpd instead of SFTP,
the only reason is I had no problem with ftp up to now.
OK, the file transfers can be tapped by the wire
provider but that is not a big concern to the user base
(of course, I explained to them already).

Anyway, I think I'll move to SFTP at one point.

So, you don't think, as well, that restricting
read access to others
(on the files and folders I choose)
is a viable solution?
I should have said read and write by the way.

Cheers,
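
An added illustration, not part of the original message: a check of the dedicated PATH directory Lars describes, flagging any entry that is the same file as a shell listed in /etc/shells. Such an entry is what lets a user type a shell's name at the rbash prompt and leave the restricted shell. The function name `audit_rbin` and the directory it is pointed at are assumptions.

```shell
#!/bin/sh
# audit_rbin DIR [SHELLS_FILE]   (hypothetical helper, added example)
# Print every entry in DIR (the restricted user's only PATH directory) that
# is the same file as a shell listed in SHELLS_FILE (default /etc/shells).
# "-ef" compares device and inode after following symlinks, so it catches
# both symbolic and hard links. It does not catch a renamed copy of a shell,
# nor allowed programs that can themselves spawn a shell.
# Returns 1 if anything was flagged, 0 if the directory is clean.
audit_rbin() {
    dir=$1
    shells=${2:-/etc/shells}
    found=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue            # empty dir or dangling link
        while IFS= read -r shell; do
            case $shell in ''|'#'*) continue ;; esac   # skip blanks, comments
            if [ "$entry" -ef "$shell" ]; then
                printf '%s -> %s\n' "${entry##*/}" "$shell"
                found=1
                break                          # one report per entry
            fi
        done < "$shells"
    done
    [ "$found" -eq 0 ]
}

# Run as: sh audit_rbin.sh /path/to/restricted/bin
if [ "$#" -gt 0 ]; then
    audit_rbin "$@"
fi
```
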