How to jail linux user

Question

Is there something similar to chroot, but for users?

We are about to grant access to our servers for a client and would like them to see only the directories we allow.

I want to go a bit further than just denying read / write access. — Andrei Serdeliuc ॐ, May 07 '09 at 07:30

score 7 · Accepted Answer · edited Jun 04 '11 at 11:40

7

A Google search on "openssh jail" led me to SSHjail for openSSH. If your client uses ssh/scp to access the said servers, this might be what you are looking for.

edited Jun 04 '11 at 11:40

huyz

2,297
3
25
34

answered May 07 '09 at 07:11

Tiberiu Ana

3,663
1
24
25

score 5 · Answer 2 · answered Jun 18 '11 at 15:40

5

The "best answer" from 2009 is outdated. OpenSSH now comes with the ChrootDirectory option. See http://www.debian-administration.org/articles/590 which is for an already-old version of ssh.

answered Jun 18 '11 at 15:40

huyz

2,297
3
25
34

score 4 · Answer 3 · answered May 07 '09 at 17:10

4

It is important to note that chroot(2) is not meant for security purposes. It is incredibly easy to escape a chroot jail. See this article on abusing chroot for more information.

answered May 07 '09 at 17:10

Chas. Owens

64,182
22
135
226

2

This should be a comment, not an answer. – nobody Aug 07 '14 at 13:23
Comment non-answer, link-only and link already dead (server down). – Palec Aug 07 '14 at 15:19

score 1 · Answer 4 · answered Oct 26 '13 at 09:50

1

An effective way to do this is to use lshell

answered Oct 26 '13 at 09:50

unwellmilles

45
1
7

score 1 · Answer 5 · answered May 07 '09 at 07:09

1

If you really want to go to that extreme, SE Linux (or any other mandatory access control) is a definite improvement of the default unix permissions.

answered May 07 '09 at 07:09

David Schmitt

58,259
26
121
165

user1293603 · Answer 6 · 2014-08-07T11:54:38.693

0

No easy way to jail users in their homedirs. BTW, I would NEVER give access to my systems to someone I don't trust a minimum.

Last time I did, I used an "unescapable" menu based on http://bash.cyberciti.biz/guide/A_menu_box The .bashrc launches this script you would not escape :

~/.bashrc :
(LAST LINE)
./menu.sh; exit 0

Yes, I had to write scripts for each and every menu item (get logs, check sys, ...) but nobody to run 'chown -R root:root /' instead of *. Priceless.

[EDIT] : create a dedicated user, don't do this as root !!!

edited Aug 07 '14 at 11:54

answered Aug 07 '14 at 11:46

user1293603

49
2

As mentioned in https://stackoverflow.com/a/21649384/2404541 a "user could simply script sending a bunch of ^Z or ^C characters to the client right after entering the password to completely abridge any efforts made in the bashrc". `lshell` seems like the best solution from my reading so far... – TheStoryCoder Apr 12 '18 at 11:26

How to jail linux user

6 Answers6