Linux user rights issues

I have created a new user on my system, say aa:
useradd aa
passwd aa


I then used root to create a new file, say bb.

I created a new group
groupadd cc

// View
cat /etc/group     (view groups)
cat /etc/passwd    (view all users)

usermod -d /home/www -G cc aa
I added user aa to the cc group and specified the login directory of aa as /home/www.

Now when I log in to the server as aa, I land directly in /home/www.

Now I want to make it impossible for aa to access other directories. The user can only see things under /home/www, but can't cd to its parent directory to operate there. Thank you.

Mar.29,2021

reference: https://www.tecmint.com/restr.


A simple way to constrain users to their home directory:
1. Make sure that the version of OpenSSH you installed is 4.9p1 or higher.
2. Edit /etc/ssh/sshd_config and add the following:
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Make sure the "Match" directive is at the end of the file. It tells OpenSSH to restrict all users in the sftp group to their home directories.

3. Add the users you want to restrict to the sftp group:
usermod -G sftp joe
usermod -s /bin/false joe
chown root:root /home/joe
chmod 0755 /home/joe

Users in the group do not have shell permissions. You can set directory permissions with chown and chmod. With these permissions set, users can upload or download files, but cannot create directories or files in the root directory. In other words, if this is used in web clusters, ensure that subdirectories such as /home/joe/public_html/ are valid and owned by the user. In this way, users can write and create directories under /home/joe/public_html, but they cannot change the root directory (/home/joe).


Create a basic system in a chroot:

mkdir /chroot
cd /chroot
mkdir {bin,dev,lib}
cp -p /bin/bash bin/
cp -p /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libtermcap.so.2} lib/
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
mkdir -p /chroot/home/joe

User joe can then be restricted to the directory remotely. This is not common in general, but it gives you the idea that you can install libraries and binaries in the restricted directory.
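The chown root:root and chmod 0755 step above matters because sshd checks at session start that every component of the ChrootDirectory path is a root-owned directory not writable by group or others, and refuses the login otherwise. The following is an added example, not part of the original answer, that audits a path against that rule; the function names are hypothetical and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: audit a path intended for sshd's ChrootDirectory.
# Rule checked: each path component is a directory, owned by the expected
# uid (root = 0), and has no group/other write bit.
# check_dir and check_chroot_path are hypothetical names for illustration.

# check_dir OWNER_UID DIR -> 0 if DIR passes, 1 otherwise
check_dir() {
    want_uid=$1
    dir=$2
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    uid=$(stat -c '%u' "$dir")    # numeric owner (GNU stat)
    mode=$(stat -c '%a' "$dir")   # octal permissions, e.g. 755
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"
        return 1
    fi
    # 022 = group-write (020) + other-write (002); leading 0 makes it octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is writable by group or others"
        return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path DIR [OWNER_UID] -> checks DIR and every parent up to /
check_chroot_path() {
    path=$1
    want=${2:-0}
    case "$path" in
        /*) ;;
        *) echo "FAIL $path: need an absolute path"; return 2 ;;
    esac
    rc=0
    while :; do
        check_dir "$want" "$path" || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Stand-alone use: sh audit.sh /home/joe
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it before reloading sshd; a FAIL line on /home/joe or any parent directory points at the component to fix with chown or chmod.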
