[luau] restricting directory access

Warren Togami warren at togami.com
Fri Apr 26 02:27:45 PDT 2002


----- Original Message -----
From: "Jimen Ching" <jching at flex.com>
To: <luau at videl.ics.hawaii.edu>
Sent: Thursday, April 25, 2002 10:51 PM
Subject: Re: [luau] restricting directory access


> On Thu, 25 Apr 2002, Rodney Kanno wrote:
> >How do I restrict a user to their home directory? I have a guest user
> >account which is used mainly for ssh, is there a way to restrict them to
> >their home directory only? (cannot view/write/cd to any other directories).
> >So far I have gotten as far as setting up a guest group, but I see no
> >setting to restrict directories.

You can't.  There isn't a clean way of doing it.

The best you can do is use a chroot jail or vserver, and mount --bind the
/home directory into that chroot system.  vserver would probably be easier
to implement, and it works very well.

>
> What can a user do with a shell account without access to outside of their
> home directory?

Plenty.  They can poke around the filesystem looking for local root
exploits, or they can use programs on the server (or upload their own) to
use the server as a relay from which they can scan and attack other
machines.

SSH also introduces new problems in that any user can tunnel to any other
location on the Internet, making it look like it came from the SSH server
itself.  This is a HUGE security risk because it is incredibly difficult to
trace for the server administrator.  There are ways of stopping people from
doing this with iptables, but they are fairly difficult to implement and I'm
not exactly sure how to do it at the moment.

(MonMotha, you have any clue how to use iptables login user based
restrictions?)
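
Added example, not part of the original message: one way to express the per-user iptables restriction mentioned above, using the `owner` match in the OUTPUT chain to log and reject connections opened under one account's uid. The account name `guest`, the resolver address `192.0.2.53` and the chain name are assumptions, and it is assumed that sshd opens forwarded connections under the logged-in user's uid (privilege separation), which should be confirmed on the target system.

```shell
#!/bin/sh
# Added example: print iptables rules that confine outbound traffic
# originated by one local account. Nothing is applied here; review the
# output, then pipe it to `sh` as root. IPv6 needs the same rules
# loaded with ip6tables.

# guest_egress_rules USER RESOLVER_IP
guest_egress_rules() {
    user=$1
    resolver=$2

    # Refuse anything that is not a plain account name or IPv4 address,
    # so the generated commands cannot carry shell metacharacters.
    case $user in
        ''|*[!a-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    case $resolver in
        ''|*[!0-9.]*) echo "invalid resolver address" >&2; return 1 ;;
    esac

    chain="EGRESS_${user}"   # hypothetical chain name

    cat <<EOF
iptables -N $chain
iptables -A OUTPUT -m owner --uid-owner $user -j $chain
iptables -A $chain -p udp -d $resolver --dport 53 -j RETURN
iptables -A $chain -j LOG --log-prefix "egress-$user: " --log-uid
iptables -A $chain -j REJECT
EOF
}

# Constructed sample values: account "guest", resolver 192.0.2.53.
guest_egress_rules guest 192.0.2.53
```

The LOG rule ahead of the REJECT leaves a record, with the uid, of every blocked attempt, which addresses the tracing problem described in the message.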



