> -----Original Message----- > From: James Melin [mailto:[EMAIL PROTECTED] > Sent: Monday, October 11, 2004 04:49 PM > To: [EMAIL PROTECTED] > Subject: Confining a user to the home directory specified in the user record > > How do you set a user account up so that the ID cannot traverse 'above' > their assigned home directory? Our developers want me to setup a dozen > user accounts with access to their application log dir. I wanna set up one, > and only one, and confine it to the log directory. I know how to set the > 'home' dir in the user record, I just don't know how to stop them from > getting out of it >
One way to get the net effect would be to set the permissions so that the users cannot "read" the directory tree leading up to their home directory, for example (assumes you are doing this as root): mkdir /applications cd /applications mkdir logdir <- now you have /applications/logdir chown someuser:app-group logdir <- now logdir is owned by the group. chmod og-r . <- now only root can "read" /applications so the permissions on the directories would look something like this: drwx--x--x 3 root root 182 Oct 12 08:15 applications/ drwxr-xr-x 2 someuser app-group 117 Oct 12 08:15 user_dir/ Since they have "execute" permissions they can traverse the directory, but if they try to list anything in there, they will get a permission denied message. Not perfect but it sounds like it will suite your needs and avoids having to create a complete environment, which you would have to do if you tried to "chroot" the users there. ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
