2

Normally, file such as /etc/passwd have the permissions 644 which means that everyone has a right to read the file (4) but only the owner has a right to read it and write to it (4+2=6).

I want to create a "limited" user on the system which only has read and write access to directories and files he actually owns. Even if system files such as /etc/passwd have read permissions, I don't want that user to be able to read them.

I could change all files on the computer to be unreadable by all users who don't own them, but I fear that will break a great many things.

Is there any way to limit one specific user from viewing all files not owned by him?

Improve this question
7
  • /usr/passwd is safe, it has no passwords in it. It is also needed for correct operation. Commented Dec 31, 2014 at 15:11
  • Why do you want to stop one user from accessing system files?, most of these files they can download off of the internet, others such as /etc/shadow have stronger permissions. Commented Dec 31, 2014 at 15:13
  • If you do make a user restricted, then you must ensure that they can not became someone else. Also consider restricted shell, chroot, etc. It all depends on what you are trying to do, can you tell us what you are trying to do (from a human point of view, not from computer point of view). Commented Dec 31, 2014 at 15:16
  • @richard That was just one example; I don't want them snooping around in others' user directories either. Commented Dec 31, 2014 at 15:24
  • You could change the read/execute permission (o-wrx) of all user home directories. Give us the scinario, and we may be able to help more. Is it a guest account, a sandbox …? Commented Dec 31, 2014 at 15:29

2 Answers 2

Reset to default
2

If your user is going to SSH to the system, it's a little bit difficult. If they will be using an SFTP client you could setup a chroot jail. This will allow you to set the ChrootDirectory to the folder you are referencing.

Improve this answer
3
  • Do you have a link to more details on how to set up a chroot jail in SFTP? Commented Dec 31, 2014 at 15:43
  • How did you know that questioner was doing sftp. There is no mention of this in the question? Commented Dec 31, 2014 at 15:50
  • 58bits.com/blog/2014/01/09/ssh-and-sftp-chroot-jail richard: I stated two "if" scenarios. He states that the user should only be able to access files that are owned by that user. Technically this implies not even being able to use system files. Anything in /usr/bin /usr/sbin, etc. would be out of the question, based on the criteria. To my knowledge, the only way to do this is with SFTP via a sshd subsystem. Commented Dec 31, 2014 at 16:07
2

One option that could work is setting up a chroot with a minimal installation of your system. In Debian and Ubuntu, this can be accomplished with debootstrap. In FreeBSD, this is accomplished more thoroughly through jails (I won't reference jails specifically other than here).

Once you have this step completed, start an sshd on a different port in the chroot environment. Something like this:

chroot /srv/chroot-for-user /usr/bin/sshd -p 2200

Add the user to the chroot's /etc/passwd and create a home directory for them.

They will login to the new environment and only see the files up to the chroot boundary. They will still have read access to all the system files in the chroot like before because without them, they won't be able to use normal system tools like ls, awk, and tee, but they will be their own copy shared with no one outside of the chroot.

There are other more clever ways to accomplish this kind of thing as well but chroot is the tried and true way to limit filesystem access.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.