ssh help, I want user to be able to access only specified folders

Nifty Hat Mitch mitch48 at sbcglobal.net
Sat Jul 3 16:12:44 UTC 2004


On Fri, Jul 02, 2004 at 09:01:22AM -0400, Jonathan Steadman wrote:
> T. Nifty Hat Mitchell wrote:
> >On Thu, Jul 01, 2004 at 12:49:57PM -0500, Jonathan S wrote:
> > 
> >
> >>I am new to Fedora, and Linux in general, I want users to be able to log 
> >>in to my computer via ssh, with FC-1 but I want to be able to specify 
> >>rules for each so they can only access specified folders is this 
> >>possible?  If so how would I go about doing this?
> >
> >This is almost easy if you understand unix/Linux style permissions,
> >ownership and groups.  See the man pages for chmod, chown, chgrp,
> >umask.
....
> >we could be more helpful.  The options are just too vast.  Stick with
> >simple stuff.  There are some 267933+ files in 1344+ packages that
> >have default locations and permissions and the system works.
....
> I guess what I want is for a user on a remote computer to not be able to 
> even see any files other than those maybe in his home folder, or somewhere 
> else I specify, I haven't really got to reading about chroot yet, but it 
> looked like the solution I needed just by reading a couple of intros. to 
> it.  If there is a simpler solution though, please enlighten me, I would 
> much appreciate it.

Hmmm... sounds as if the notion of a file is confusing us.
Can you see /etc/shadow on your machine?  Try:

    cat /etc/shadow
  and
    cat /etc/passwd

Can you see /bin/vi?
Can you use /bin/vi?

Can you make an extra user account and see the contents of that
user's home directory from your own account?

Make a new directory in your home directory and give it restricted permissions:

     mkdir ~/donotlook
     touch ~/donotlook/atme
     chmod 700 ~/donotlook
     chmod 600 ~/donotlook/atme

Can the file 'atme' in your home directory be discovered by the new user?
Can the new user view the contents of the file?

One key point is that for most files it does not matter if the user can see it
or its contents.

First make a list of the reasons that a user might login.
Make a list of the tools that user needs once they login.
Make a list of the nature of the files that you expect the user to have access to.
Make a list of the actions the user is to take on the files you permit access to.
Will ANY files be shared between users?
Can ANY person including you be allowed to see any of these files other
than the specific user?

Ask yourself why anyone would bother logging in to the machine at all when you are done
putting all these restrictions in place.



-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.
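The permission experiment the reply walks through (a 700 directory holding a 600 file, then checking whether another account can discover or read it) can be scripted so the result is checked rather than eyeballed. The following is an added example, not code from the original post or from the list; it assumes GNU coreutils `stat -c` and GNU `find -perm /mode`, as shipped on Fedora, and uses a caller-supplied base directory in place of `~`. Only the owner runs it, so the "can the other user see it" question is answered by auditing the mode bits: any path that grants "other" a bit is one another local account could at least discover.

```shell
#!/bin/sh
# Added example (not part of the original post). Recreates the donotlook/atme
# tree from the message under a base directory of the caller's choosing and
# audits it for anything still visible to other users.

# Build the restricted tree. $1 is the base directory (the message uses ~;
# here it is a parameter so the example can run in a scratch directory).
make_private_dir() {
    base="$1"
    mkdir -p "$base/donotlook"
    touch "$base/donotlook/atme"
    chmod 700 "$base/donotlook"        # owner only: nobody else can list or enter it
    chmod 600 "$base/donotlook/atme"   # owner only: no group or world read
}

# Octal mode of a path, e.g. 700. (GNU coreutils stat, as on Fedora.)
mode_of() {
    stat -c '%a' "$1"
}

# Every file or directory under $1 that grants ANY permission to "other".
# Empty output means no other local account can discover or read anything
# in the tree. (GNU find; "-perm /o=rwx" matches if any of those bits is set.)
world_accessible() {
    find "$1" -perm /o=rwx
}

# Stand-alone run: build the tree in a temporary directory, show the modes,
# then deliberately loosen the file to show the audit catching it.
if [ "${0##*/}" != "sh" ] && [ -z "$NO_DEMO" ]; then
    scratch=$(mktemp -d)
    make_private_dir "$scratch"
    echo "donotlook: $(mode_of "$scratch/donotlook")"
    echo "atme:      $(mode_of "$scratch/donotlook/atme")"
    echo "world-accessible before: [$(world_accessible "$scratch/donotlook")]"
    chmod 644 "$scratch/donotlook/atme"   # the classic mistake: readable by everyone
    echo "world-accessible after:  [$(world_accessible "$scratch/donotlook")]"
    rm -rf "$scratch"
fi
```

To reproduce the message's actual test rather than the mode audit, log in as the second account and run `ls ~mitch/donotlook` and `cat ~mitch/donotlook/atme`; both should fail with "Permission denied". Note that the 700 on the directory is what matters most: even a 644 file inside it cannot be reached by other users, because they cannot traverse the directory to get to it.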