Can anyone tell me how to chroot a user so that he is permitted to go around
only in his account and is restricted from all other folders?
Orlando Andico wrote:
> but to what point? the users still need access to the other directories
> for e.g. their common daily jobs (e.g. starting the most basic of
> processes requires reading /etc/ld.so.cache)

Remember, it's the shell doing this restricting. Other processes inside
the path can still read these files. *It doesn't do a real chroot.* No
restrictions are provided to any processes explicitly, so an admin would
also need to be very careful not to provide commands in a user's path
that can allow them to circumvent these restrictions.

> IOW, you've removed their capability to "cd" to those directories, but
> they can STILL access the contents of those directories by giving the
> absolute path. so what is gained by inconveniencing them?

According to the bash man page, the following is further prohibited: the
specification of any command that contains a slash. They can't access
the contents of those directories unless a command they have in their
path explicitly uses them. The shell will prevent them from doing, say,
cat /etc/passwd because the command line contains slashes, but it would
not prevent a program that read some file in /etc as part of its
operation, as what programs do on their own is outside the shell's
control.
--
While there is a lower class, I am in it, while there is a criminal
element, I am of it, and while there is a soul in prison, I am not free.
http://stormwyrm.blogspot.com/
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
Regards,
Iris Lames
Brainbench Transcript no: 4387542
Linux user: 298456
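
Added example (not part of any poster's message): a shell script that probes which of the behaviours debated in this thread `bash -r` enforces, so an admin can verify a restricted-shell setup before relying on it. It tests `cd`, a command name containing a slash, and a slash-containing argument to a command already on PATH; the sandbox layout and file names are constructed, and bash is assumed to be installed.

```shell
#!/bin/sh
# Added example: probe what a restricted bash (bash -r) enforces.
# Every path and file below is constructed inside a temporary sandbox.

BASH_BIN=$(command -v bash)
CAT_BIN=$(command -v cat)

# bin/ is the only PATH entry the restricted shell receives;
# outside/ stands in for a directory the user is meant to be kept out of.
setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir "$SANDBOX/bin" "$SANDBOX/outside"
    ln -s "$CAT_BIN" "$SANDBOX/bin/cat"
    printf 'constructed-sample-data\n' > "$SANDBOX/outside/data.txt"
}

# Run one command line in a restricted bash whose PATH is bin/ only.
run_restricted() {
    env PATH="$SANDBOX/bin" "$BASH_BIN" -r -c "$1" 2>/dev/null
}

# Print "allowed" if the restricted shell ran the command, else "blocked".
probe() {
    if run_restricted "$1" >/dev/null; then echo allowed; else echo blocked; fi
}

# The three cases raised in the thread.
probe_cd()             { probe "cd '$SANDBOX/outside'"; }
probe_slash_command()  { probe "'$CAT_BIN' '$SANDBOX/outside/data.txt'"; }
probe_slash_argument() { probe "cat '$SANDBOX/outside/data.txt'"; }

# What a PATH command returns when handed an absolute path as an argument.
read_outside() { run_restricted "cat '$SANDBOX/outside/data.txt'"; }

setup_sandbox || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

echo "cd to a directory:             $(probe_cd)"
echo "command name with a slash:     $(probe_slash_command)"
echo "slash only in the argument:    $(probe_slash_argument)"
```

The slash check covers command names, not arguments, so the third probe reports `allowed`; file permissions or a real chroot, not the restricted shell, have to protect the files themselves.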