Preventing user access to /etc?

Obi-Lan · 2008-07-16 13:15:25

I'm running file server which has multiple users. I have already retricted these users to rssh shell but I'd like also prevent their read access to /etc. Can I just do

chmod g-rwx,o-rwx /etc -R

or do I get problems?

Mostly I'd just like to prevent them to read files like passwd or group.

iphitus · 2008-07-16 13:33:46

Try it?

Why do you want to hide those files?

Procyon · 2008-07-16 14:18:42

I think I tried this once. Not with Arch, but something on usb or floppy. If I remember correctly it makes it impossible for users to log in.

eXire · 2008-07-16 14:21:57

It is a bad idea. There are many utilities, that read files in the /etc dir. ls, for example, read /etc/passwd.

Obi-Lan · 2008-07-16 14:49:07

That servers is for our customers and I don't want to them know about others.

DonVla · 2008-07-16 14:54:01

Obi-Lan wrote:

That servers is for our customers and I don't want to them know about others.

if you want to have a running system, then it's not possible to restrict /etc permissions. for security reasons you could build a chroot environment for each of your users.
but i think with samba or nfs (though i have no experience with nfs) you can define the root directory or general directory access permissions.

Last edited by DonVla (2008-07-16 14:55:20)

Obi-Lan · 2008-07-16 15:13:16

They all come in with scp of sftp. I tested chroot but it seemed quite complex and troublesome to build everyone their own chroot environment. Of course I could just build static chroot enviroment but how do I keep those enviroments up-to-date.

DonVla · 2008-07-16 15:25:10

Obi-Lan wrote:

They all come in with scp of sftp. I tested chroot but it seemed quite complex and troublesome to build everyone their own chroot environment. Of course I could just build static chroot enviroment but how do I keep those enviroments up-to-date.

what sevices do you provide? i think that's the main question. if it's a simple file server you could restrict access to certain directories.

ps: do they need ssh? ftp is much easier to handle (serverside)

Last edited by DonVla (2008-07-16 15:29:16)

Obi-Lan · 2008-07-16 15:39:56

Just file server for customers off-site backups. And sftp because it encrypts all traffic.

DonVla · 2008-07-16 16:16:44

Obi-Lan wrote:

Just file server for customers off-site backups. And sftp because it encrypts all traffic.

google is ... you know
read this:
http://freshmeat.net/articles/view/1576/
-> Step 3 – Build a restricted shell for users using RSSH

logfacility = LOG_USER
allowsftp
umask = 022
chrootpath="/home"

it seems there is smth like chroot or similar...

Obi-Lan · 2008-07-16 16:39:28

I did miss that one. But according that guide theres no need to put passwd file into chroot environment? That changes things, have to try it out.

Obi-Lan · 2008-07-17 15:16:18

One quite important thing about rssh: it has umask line at config which defines default umask for new folders. I had it defined as umask=057 and all new folders users created got wrong permissions.It took a day before I figured that out. damn.

Last edited by Obi-Lan (2008-07-17 15:16:48)

Arch Linux

#1 2008-07-16 13:15:25

Preventing user access to /etc?

#2 2008-07-16 13:33:46

Re: Preventing user access to /etc?

#3 2008-07-16 14:18:42

Re: Preventing user access to /etc?

#4 2008-07-16 14:21:57

Re: Preventing user access to /etc?

#5 2008-07-16 14:49:07

Re: Preventing user access to /etc?

#6 2008-07-16 14:54:01

Re: Preventing user access to /etc?

#7 2008-07-16 15:13:16

Re: Preventing user access to /etc?

#8 2008-07-16 15:25:10

Re: Preventing user access to /etc?

#9 2008-07-16 15:39:56

Re: Preventing user access to /etc?

#10 2008-07-16 16:16:44

Re: Preventing user access to /etc?

#11 2008-07-16 16:39:28

Re: Preventing user access to /etc?

#12 2008-07-17 15:16:18

Re: Preventing user access to /etc?

Board footer