[DNG] [OT] Restricting user capabilities after ssh login
Hi, I m wondering about the best way to restrict a user after he has ssh'd into his web folder. Up to now, the users I had were using only FTP to log into their web folder, and upload stuff in there (chrooted in their folder with vsftpd). I m considering giving ssh access but I realized that chroot for ssh looks quite involved. So, I m wondering if using 'chmod o-r' for folders(and subfolders), and files on /etc, /home, /root, /usr and /var is a viable solution. Restricting read privilege would allowed me to stop that user from copying files I don t want he copies, as well as listing directories I don t want he lists. Still the user would be able to access system and other users' folders, but if he cannot do anything in there, then there is no point for him to do it. What do you think? The setup is a devuan server under jessie with apache2 providing http server. Then, I use php-fpm to tie user, web-server and php processes. The passwd files is as below: 'user01:x:::user01,,,:/home/www/example.com/:/bin/bash'. TIA ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Restricting user capabilities after ssh login
Quoting mett (m...@pmars.jp): > I m wondering about the best way to restrict a user after > he has ssh'd into his web folder. Try a chroot jail. https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/ or https://www.cyberciti.biz/faq/debian-ubuntu-restricting-ssh-user-session-to-a-directory-chrooted-jail/ If the users doesn't _need_ ssh access per se, you might consider WebDAV, instead. -- Cheers, "I am a member of a civilization (IAAMOAC). Step back Rick Moenfrom anger. Study how awful our ancestors had it, yet r...@linuxmafia.com they struggled to get you here. Repay them by appreciating McQ! (4x80) the civilization you inherited." -- David Brin ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Restricting user capabilities after ssh login
On Sun, Aug 12, 2018 at 01:55:00PM +0900, mett wrote: > Hi, > > I m wondering about the best way to restrict a user after > he has ssh'd into his web folder. > > Up to now, the users I had were using only FTP > to log into their web folder, > and upload stuff in there > (chrooted in their folder with vsftpd). > > I m considering giving ssh access but I realized that > chroot for ssh looks quite involved. > > So, I m wondering if using 'chmod o-r' > for folders(and subfolders), and files on > /etc, /home, /root, /usr and /var is a viable solution. Maybe use a restricted shell, allowing only the bunch of commands you would like the users to be able to run. Beware of cat(s), though. My2Cents KatolaZ -- [ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ] [ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ] [ @) http://kalos.mine.nu --- Devuan GNU + Linux User ] [ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ] [ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ] signature.asc Description: PGP signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
[DNG] maintaining packages (was Re: systemd and ssh-server)
On 07/27/2018 01:33 PM, KatolaZ wrote: > On Fri, Jul 27, 2018 at 01:18:41PM +0300, Lars Nood�n wrote: > [cut] >> Can you please (re-)post the link to the new Devuan build process? [cut] > > and the relevant link is the fourth one: > > https://dev1galaxy.org/viewtopic.php?pid=1110#p1110 > The manual of d1h, the Devuan packaging helper will help you build Devuan > packages for Devuan or at home for your own use. > > Please feel free to ask if you need. Please also consider that the > current version of d1h has a problem with the "cache" function, which > I have to update to use the new salsa.debian.org. Sorry for the > inconvenience. Ok. Thanks. I've not forgotten, just slow, and have been working out which hardware to use and working through several options for what to load (or not load) on the system and general work flow. It's looking like the main way to reduce the probability of end-point compromise for such a juicy target is to not have any X11 applications, but especially not usual desktop stuff like a browser. Once I've got some more prerequisites out of the way, I'll be practicing with d1h. /Lars signature.asc Description: OpenPGP digital signature ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] [OT] Restricting user capabilities after ssh login
On 08/12/2018 09:10 AM, KatolaZ wrote: > On Sun, Aug 12, 2018 at 01:55:00PM +0900, mett wrote: [snip]>> I m considering giving ssh access but I realized that >> chroot for ssh looks quite involved. >> >> So, I m wondering if using 'chmod o-r' >> for folders(and subfolders), and files on >> /etc, /home, /root, /usr and /var is a viable solution. > > Maybe use a restricted shell, allowing only the bunch of commands you > would like the users to be able to run. Beware of cat(s), though. With restricted shell the main thing is to make a separate directory for the rshell user and replace $PATH with it so they can't access the normal directories. There you put links (symbolic or hard) to the original applications they are allowed to run, how ever few those are but the fewer the better. However, why vsftpd instead of using chrooted SFTP for the file transfers? /Lars ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
