(shell) How to lock the user in his directory?

I searched the forum but did not get a hit so I'm trying here.

I have added a user on my server to learn how stuff works. It seems that the user can go out from his directory and browse the files on the system, such as /home. How do I lock the user to only be in his directory when I created his account?

Thanks.
 
Okay, thanks anyway. I only want to lock them into their home dir and make them not available to browse the system files.
 
You need to change the permissions of the directories you don't want the user to go into. If you have /some/path/to/exclude you can set its permissions with

# chmod 0700 /some/path/to/exclude

You can also get more control by using groups. For more details see chmod() and the users section of the handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/.

One other point.. Assuming you have home directories under /home you can't prevent the user from entering /home, because he wouldn't be able to enter his own home directory, but you can prevent the new user from entering other users' directories with appropriate permissions.
 
enCyde said:
How do I lock the user to only be in his directory when I created his account?
FreeBSD has a powerful mechanism for that: jails. This section of the handbook should get you started but feel free to ask followup questions if you get stuck.

Fonz
 
It's called chroot
You can set up the SSH service to jail the user inside his home folder.

In /etc/ssh/sshd_config:
Code:
Match user olav
   ChrootDirectory %h

The chrooted folder needs to be owned by root, so you need to create an additional folder for the user.
For example /home/olav/olav
home is owned by root, olav is owned by root and is the chrooted folder, and finally the last olav folder is owned by the olav user.
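
An added example, not part of the post above and not OpenSSH code: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, so this script walks a path and reports each component against that rule. The function names and output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a path against the
# ChrootDirectory rule in sshd_config(5): every component must be a
# root-owned directory that is not writable by group or others.

# component_ok MODE UID -> 0 if the component satisfies the rule.
# MODE is the symbolic mode from `ls -ldn`, e.g. drwxr-xr-x.
component_ok() {
    [ "$2" = 0 ] || return 1              # owner must be root (uid 0)
    case $1 in
        d????w*|d???????w*) return 1 ;;   # group- or other-writable
        d*) return 0 ;;
        *)  return 1 ;;                   # not a directory (symlinks too)
    esac
}

# report_component PATH -> prints a verdict line, returns 1 if bad.
report_component() {
    info=$(ls -ldn "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    read -r mode links uid rest <<EOF
$info
EOF
    if component_ok "$mode" "$uid"; then
        echo "ok      $1 ($mode uid=$uid)"
    else
        echo "BAD     $1 ($mode uid=$uid)"
        return 1
    fi
}

# check_chroot_path DIR -> walks / down to DIR, returns 1 on any bad
# component, 2 if DIR is not absolute.
check_chroot_path() {
    case $1 in
        /*) ;;
        *)  echo "need an absolute path: $1" >&2; return 2 ;;
    esac
    rc=0 path= old_ifs=$IFS
    IFS=/; set -f; set -- $1; set +f; IFS=$old_ifs
    report_component / || rc=1
    for part in "$@"; do
        [ -n "$part" ] || continue        # skip empty fields from slashes
        path=$path/$part
        report_component "$path" || rc=1
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/olav
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Any line marked BAD names a component that sshd will reject; the user-writable directory belongs one level below the chroot, as in the /home/olav/olav layout.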
 
olav said:
It's called chroot
You can set up the SSH service to jail the user inside his home folder.

This is extremely limiting for a general user (or cumbersome to set up).

You need to create devices and copy any necessary apps and libraries into the chrooted environment.
 