setting users' /home file privileges

I set up a shell for me and my friends to host some IR bots. I want them to be restricted to their /home/ folder (/home/<username>) and not be able to cd out, or if that's not possible at least not able to ls any directory but their own.

I made a login.conf group for them called 'standard' and the users are of the wheel group.

What chmod command will do this?


Thanks ahead of time!
 
chown -R user folder
If the user does not have permission to ls any directory but their own, the chown command gives this permission to the folder.
 
When the user logs in, they are in /home/<username>/ so if I use chown -R <user name> /home/<username> that means once they log in they are ONLY able to see and modify items inside their folder?

Do I need to set up all wheel users to login as chroot? Doesn't that mean they are confined to that folder? Sorry, just wanting to cover all bases.

I did what you said with chown -R. Now every time a user tries to connect it fails and says
Code:
fatal: bad ownership for chroot /home/
 
May I ask, is it your intent that these users cannot affect your host system? If so, do you mind if they would, possibly, be able to affect each other?

Given that you want to protect your host system, but are fine with the users, possibly, affecting each other, I would recommend you create a jail(8) for them to use. This is a much better mechanism for protecting your host system than simply using chroot(8). You can take a look at jail(8), or check out the jails chapter of the FreeBSD handbook. You can enable security measures inside the jail that may be an inconvenience too far outside. For example, you can mount large parts of the file system read-only, or raise the securelevel, and so on.

For clarity, by, "possibly, affecting each other," I am referring to all of these users being in the same jail(8) shell server. If this is roughly what you want, then feel free to ask further questions based upon it.
 
I have been searching consistently, and am reading the handbook about jails as I'm replying to this actually, here's a little more into what I want to do.

I currently have a shell account that I use, I pay maybe $3.50 US a month for it, and when I log in I have my home directory, I can cd .. to the /home/ directory, but if I type ls to see the listing of different user folders, it says
Code:
access denied
or something like that.

I emailed them and all they said was "chmod r+o /home/" and I did that and ended up having to reinstall the OS because it wouldn't let anyone log in via ssh.
 
Well, what you want is actually much simpler than I interpreted. If all you want is for users to be unable to view a certain directory, then you just need a couple of tips about how directory permissions work.

The first problem you are probably running into is that /home on FreeBSD is, in fact, a symbolic link, not a directory. The actual directory is located at /usr/home. If your shell account host runs anything other than FreeBSD, then there is a good chance that this is not the case for them.

The next is a tip on how file permissions work for directories. Directories and files use the same permission set (Read, Write, Execute, Special). Both contain these settings for three different subjects: the owner, a group, and everybody else. However, directories are special. In a directory:

  1. Read access means you can see the contents of the directory
  2. Write access means you can create or remove files from the directory
  3. Execute access means you can traverse the directory

What you, therefore, essentially want is for the users to be unable to read, or write to the directory. However, you want them to be able to traverse the tree, to get to the directory that they need. In your case, I need execute access on /usr to get to /usr/home, and then /usr/home to get to /usr/home/<username>. However, I do not need read, or write access to these directories.

Since your intention is that users cannot read each other's home directories, you just need to make /usr/home executable, but not readable, or writeable. However, /home is just a reference to that folder; you do not need to change permissions on /home. In fact, you need to be able to read a symbolic link to be able to resolve where it is pointing to.

Code:
# ls -ld /home
lrwxr-xr-x 1 root wheel 8 Apr 30 11:05 /home -> usr/home
# ls -ld /usr/home
drwxr-xr-x 4 root wheel 512 Apr 30 11:05 /usr/home
# ls -l /usr/home
total 8
drwxr-xr-x 2 user_a user_a 512 Apr 30 11:05 user_a
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 user_b

This is what the setup looks like by default. As you can see, all the directories (/usr/home, /usr/home/user_a, and /usr/home/user_b) are readable, and executable, by all parties. That is to say, the other field on all three is "r-x".

If we run,
# chmod o-r /usr/home # remove the read bit from other on the node

Then, we have this situation:
Code:
$ whoami
user_a
$ ls -l /usr/home
total 0
ls: /usr/home: Permission denied
$ ls -la /usr/home/user_b
total 40
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 .
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 ..
[ -- skipped some output for brevity -- ]
-rw-r--r-- 1 user_b user_b 980 Apr 30 11:05 .shrc

The problem is that a user can still read the other user's directory, if he knows where it is. To stop this, all user directories must be set inaccessible by other. For example,
# chmod o-rx /usr/home/user_b

Delivers:
Code:
$ whoami
user_a
$ ls -la /usr/home/user_b
total 0
ls: /usr/home/user_b: Permission denied

You would need to perform that for all directories. The problem is that users can change permissions on directories they own. Also, if you do not perform the step of making all the home directories inaccessible to other, then there are other means to enumerate the users than just /bin/ls in /usr/home. As you can see in the following, it is easy for a user to make their directory accessible again:
Code:
$ whoami
user_b
$ chmod o+rx /usr/home/user_b
# ls -ld /usr/home/user_b
drwxr-xr-x 2 user_b user_b 512 Apr 30 11:05 /usr/home/user_b

One option is to do the following:
Code:
# chown root /usr/home/user_b
# chmod g+w,o-rx /usr/home/user_b # let group write, remove read/execute from other
# ls -ld /usr/home/user_b
drwxrwx--- 2 root user_b 512 Apr 30 11:05 /usr/home/user_b
# su - user_b
$ chmod o+rx /usr/home/user_b
chmod: /usr/home/user_b: Operation not permitted
$ ls
$ touch file
$ ls -l 
total 0
-rw-r--r-- 1 user_b user_b 0 Apr 30 11:07 file

That will stop users changing permissions on their home directory. There are still areas of the system where they can share files, and they can still view most files on the system. They just would not be able to view each others' home directories.

A quick summary:

Stop users listing the contents of /usr/home. Do not remove the execute bit, as they will not be able to reach their home directories. Note that this alone is not much use, as there are many other ways to list users on a system. It literally just stops users that do not own the file, or are not in the group the file belongs to, from reading the contents of the directory. In this case, the owner is root, and the group wheel.
# chmod o-r /usr/home

Change the ownership of the home directories to root.
# chown root /usr/home/<username>

Make the home directory group writeable, but not accessible to other.
# chmod g+w,o-rx /usr/home/<username>

IMPORTANT NOTE: This requires each user have their own primary group. If they share a primary group, then they will all be able to edit each others' home directories.

I know that was a bit long, so if you are unsure, ask before you enact any of the above advice. Hope this helps.
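
A read-only audit of the layout in the quick summary above, as an added example that is not part of the original posts. The function names are hypothetical; it parses `ls -ld` so it runs with both FreeBSD and GNU userlands, and it approximates the primary-group note by flagging any group that owns more than one home directory.

```shell
#!/bin/sh
# Added example: read-only audit of the summary's layout (names here are hypothetical).

# check_dir PATH WANT_OTHER [WANT_OWNER] [g+w]: print findings, return 1 if any.
check_dir() {
    dir=$1 want_other=$2 want_owner=${3:-} want_gw=${4:-} rc=0
    read -r mode links own grp rest <<EOF
$(ls -ld "$dir")
EOF
    other=$(printf '%s' "$mode" | cut -c8-10)   # "other" triplet of drwxrwxrwx
    gw=$(printf '%s' "$mode" | cut -c6)         # group write bit
    if [ "$other" != "$want_other" ]; then
        echo "${dir}: other is '$other', expected '$want_other'"; rc=1
    fi
    if [ -n "$want_owner" ] && [ "$own" != "$want_owner" ]; then
        echo "${dir}: owner is $own, expected $want_owner"; rc=1
    fi
    if [ -n "$want_gw" ] && [ "$gw" != "w" ]; then
        echo "${dir}: group cannot write"; rc=1
    fi
    return $rc
}

# shared_groups BASE: print each group that owns more than one home directory.
shared_groups() {
    for d in "$1"/*/; do
        read -r mode links own grp rest <<EOF
$(ls -ld "$d")
EOF
        echo "$grp"
    done | sort | uniq -d
}

# audit_homes [BASE] [OWNER]: the three summary steps plus the primary-group note.
audit_homes() {
    base=${1:-/usr/home} owner=${2:-root} bad=0
    check_dir "$base" "--x" || bad=1            # traversable, not listable
    for d in "$base"/*/; do
        check_dir "${d%/}" "---" "$owner" g+w || bad=1
    done
    for g in $(shared_groups "$base"); do
        echo "group $g is shared by several home directories"; bad=1
    done
    return $bad
}

# Run as root against the real tree with: sh audit_homes.sh --run
if [ "${1:-}" = "--run" ]; then audit_homes; fi
```

A home directory that its user has reopened with chmod o+rx, or one still owned by the user rather than root, shows up as a finding on the next run.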
 