I'm running a file server which has multiple users. I have already restricted these users to the rssh shell, but I'd also like to prevent their read access to /etc. Can I just do
chmod g-rwx,o-rwx /etc -R
or do I get problems?
Mostly I'd just like to prevent them from reading files like passwd or group.
Offline
Try it?
Why do you want to hide those files?
Offline
I think I tried this once. Not with Arch, but something on usb or floppy. If I remember correctly it makes it impossible for users to log in.
Offline
It is a bad idea. There are many utilities that read files in the /etc dir. ls, for example, reads /etc/passwd.
Offline
That server is for our customers and I don't want them to know about others.
Offline
> That server is for our customers and I don't want them to know about others.
if you want to have a running system, then it's not possible to restrict /etc permissions. for security reasons you could build a chroot environment for each of your users.
but i think with samba or nfs (though i have no experience with nfs) you can define the root directory or general directory access permissions.
Last edited by DonVla (2008-07-16 14:55:20)
Offline
They all come in with scp or sftp. I tested chroot but it seemed quite complex and troublesome to build everyone their own chroot environment. Of course I could just build a static chroot environment, but how do I keep those environments up-to-date?
Offline
> They all come in with scp or sftp. I tested chroot but it seemed quite complex and troublesome to build everyone their own chroot environment. Of course I could just build a static chroot environment, but how do I keep those environments up-to-date?
what services do you provide? i think that's the main question. if it's a simple file server you could restrict access to certain directories.
ps: do they need ssh? ftp is much easier to handle (serverside)
Last edited by DonVla (2008-07-16 15:29:16)
Offline
Just a file server for customers' off-site backups. And sftp because it encrypts all traffic.
Offline
> Just a file server for customers' off-site backups. And sftp because it encrypts all traffic.
google is ... you know
read this:
http://freshmeat.net/articles/view/1576/
-> Step 3 – Build a restricted shell for users using RSSH
logfacility = LOG_USER
allowsftp
umask = 022
chrootpath="/home"
it seems there is smth like chroot or similar...
Offline
I did miss that one. But according to that guide there's no need to put the passwd file into the chroot environment? That changes things, have to try it out.
Offline
One quite important thing about rssh: it has a umask line in its config which defines the default umask for new folders. I had it defined as umask=057 and all new folders users created got wrong permissions. It took a day before I figured that out. damn.
Last edited by Obi-Lan (2008-07-17 15:16:48)
Offline
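The umask problem from the last post, as an added example that is not part of the original thread: it creates a directory and a file under each umask and reports the resulting permissions. The function names `masked` and `modes_for` are made up for this example, and 077 is an extra value added for comparison; 057 and 022 come from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): what an rssh "umask" value does to
# the permissions of directories and files that users create over sftp/scp.

# masked BASE UMASK -> octal mode left after the umask clears its bits
#   (BASE is 777 for mkdir, 666 for ordinary file creation)
masked() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# modes_for UMASK -> "<dir perms> <file perms>" as shown by ls -l,
# measured on a real directory and file created in a scratch dir.
modes_for() {
    (
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        umask "$1"
        mkdir "$tmp/d"      # mkdir asks for 0777, umask removes bits
        : > "$tmp/f"        # file creation asks for 0666, umask removes bits
        printf '%s %s\n' \
            "$(ls -ld "$tmp/d" | cut -c1-10)" \
            "$(ls -l  "$tmp/f" | cut -c1-10)"
    )
}

# 057: value from the last post. Group keeps only "w" on directories;
#      without "x" the group cannot enter the directory at all.
# 022: value from the rssh.conf quoted from the guide (world-readable).
# 077: added for comparison; owner-only, nothing for group or others.
for m in 057 022 077; do
    printf 'umask %s -> dir %s, file %s  (%s)\n' \
        "$m" "$(masked 777 "$m")" "$(masked 666 "$m")" "$(modes_for "$m")"
done
```
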