Restricting a Linux user to a folder
I need to create a separate folder for a user where he is allowed to execute only one binary. He can call python/perl and run a program also. But the user should not be able to delete any folder in his directory and should not be able to view any other directory. How can I achieve this?
If they are accessing only over ssh, then a ChrootDirectory is the way to go. Simply put, you create a fake / system in another directory, with all the programs the user is allowed to run & the libraries they need.

See the ChrootDirectory section of the sshd_config man page, or somewhere like Here for a fuller guide if needed.
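As an added example (not part of the original answer), the script below lays out such a fake / for one user and prints the matching sshd_config stanza. It assumes a Linux host with ldd available (library copying is skipped otherwise) and uses placeholder values for the jail path (/srv/jail/alice), the user name (alice) and the one permitted binary. check_chroot_root mirrors the rule sshd enforces on every path component of ChrootDirectory: owned by root and not writable by group or others.

```shell
#!/bin/sh
# Added example (not from the original answer): build a minimal chroot
# skeleton for an ssh user and print the matching sshd_config block.
# Assumptions: a Linux host, ldd available (library copying is skipped
# otherwise), and placeholder values for the jail path and user name.
set -eu

# copy_with_libs ROOT BIN: copy BIN into ROOT at the same path, together with
# the shared libraries ldd reports for it (the dynamic loader included).
copy_with_libs() {
    root=$1; bin=$2
    mkdir -p "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    command -v ldd >/dev/null 2>&1 || return 0
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep the absolute path from each.
    ldd "$bin" 2>/dev/null | awk '/=>/ {print $3} /^[ \t]*\// {print $1}' |
    while read -r lib; do
        [ -n "$lib" ] && [ -f "$lib" ] || continue
        mkdir -p "$root$(dirname "$lib")"
        [ -e "$root$lib" ] || cp "$lib" "$root$lib"
    done
}

# build_chroot ROOT USER BIN: lay out the fake / with a shell, the one
# permitted binary and the user's home. ROOT itself must be owned by root and
# not writable by group or others, or sshd refuses to chroot into it.
build_chroot() {
    root=$1; user=$2; bin=$3
    mkdir -p "$root/bin" "$root/lib" "$root/dev" "$root/etc" "$root/home/$user"
    chmod 755 "$root"
    copy_with_libs "$root" /bin/sh
    copy_with_libs "$root" "$bin"
    # The home directory is the only place the user needs write access to.
    chmod 700 "$root/home/$user"
}

# check_chroot_root DIR: the ownership and mode checks sshd applies to every
# component of ChrootDirectory; prints the reason and returns 1 on failure.
check_chroot_root() {
    dir=$1
    info=$(stat -c '%U %a' "$dir" 2>/dev/null) || return 1
    owner=${info% *}; mode=${info#* }
    if [ "$owner" != root ]; then
        echo "$dir: must be owned by root, not $owner" >&2; return 1
    fi
    # Group digit is the second-to-last, others digit the last; any of
    # 2, 3, 6, 7 there carries the write bit.
    grp=${mode%?}; grp=${grp#"${grp%?}"}; oth=${mode#"${mode%?}"}
    case "$grp$oth" in
        *[2367]*) echo "$dir: must not be group/other writable (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# emit_sshd_match USER ROOT: the sshd_config stanza that confines USER.
emit_sshd_match() {
    printf 'Match User %s\n    ChrootDirectory %s\n    AllowTcpForwarding no\n    X11Forwarding no\n' "$1" "$2"
}

# Usage: sh chroot_skel.sh /srv/jail/alice alice /usr/local/bin/tool
if [ $# -eq 3 ]; then
    build_chroot "$1" "$2" "$3"
    check_chroot_root "$1" || echo "fix ownership/mode of $1 before enabling" >&2
    emit_sshd_match "$2" "$1"
fi
```

The Match block goes at the end of sshd_config (Match stanzas apply to everything below them), and sshd must be reloaded afterwards. Anything the permitted binary opens at run time (locale data, /etc/passwd, device nodes) has to be copied or created inside the jail as well; ldd only reports link-time libraries.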
CHMOD does the job

chmod 755 directory/filename

7 user (**owner**) has full access.
5 allows **group** user "read" and "execute" permissions, but not "write" permissions.
5 allows **others** "read" and "execute" permissions, but not "write" permissions.

For your reference:

The 5 allows "read" and "execute" permissions, but not "write" permissions. A 6 would allow read and write permissions, but not "execute". A 4 would be "read" only. A 2 would be "write" only, and a 1 would be "execute" only.
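As an added example (not part of the original answer), the script below expands an octal mode into its rwx form and then shows what the question actually hinges on: whether an entry can be deleted is decided by the write bit of the directory that contains it, not by the entry's own mode. The scratch directories are constructed in a temporary location; root bypasses these permission checks, so the deletion probe only says "blocked" when run as an ordinary user.

```shell
#!/bin/sh
# Added example (not from the original answer): expand an octal mode into
# rwx form and show that deleting an entry is governed by the write bit of
# the directory that contains it, not by the entry's own mode.
set -eu

# digit_to_rwx D: one octal digit (0-7) -> "rwx" with dashes for unset bits.
digit_to_rwx() {
    d=$1; s=""
    [ $((d & 4)) -ne 0 ] && s="${s}r" || s="${s}-"
    [ $((d & 2)) -ne 0 ] && s="${s}w" || s="${s}-"
    [ $((d & 1)) -ne 0 ] && s="${s}x" || s="${s}-"
    printf '%s' "$s"
}

# mode_to_rwx MODE: three octal digits (owner, group, others) -> "rwxr-xr-x".
mode_to_rwx() {
    m=$1
    digit_to_rwx "${m%??}"
    t=${m#?}; digit_to_rwx "${t%?}"
    digit_to_rwx "${m#??}"
    printf '\n'
}

# try_delete_under DIRMODE: create a scratch directory holding one subfolder,
# give the directory DIRMODE, and try to remove the subfolder as the current
# user. Prints "blocked" or "deleted". The subfolder's own mode is never
# changed: only the parent's write bit matters here.
try_delete_under() {
    scratch=$(mktemp -d)
    mkdir "$scratch/keep"
    chmod "$1" "$scratch"
    if rmdir "$scratch/keep" 2>/dev/null; then result=deleted; else result=blocked; fi
    chmod 700 "$scratch"; rm -rf "$scratch"
    printf '%s\n' "$result"
}

# Usage: the 755 from the answer versus a read-only parent directory.
mode_to_rwx 755                                            # rwxr-xr-x
echo "delete inside a 555 directory: $(try_delete_under 555)"   # blocked (non-root)
echo "delete inside a 755 directory: $(try_delete_under 755)"   # deleted: owner keeps write on the parent
```

With 755 the owner still has write permission on the directory, so he can delete anything inside it; 555 takes that away from the owner too, at the cost of also preventing him from creating new files there.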
You could also consider configuring and using a restricted shell like e.g. a restricted bash. However, notice that if you enable the user to run a scripting language like Python he will be able to circumvent these restrictions (using some clever scripts). So a chroot is probably preferable.

You could define a separate group for that user to refrain him from doing a lot more. See also the nobody username, SELinux, etc.
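As an added example (not part of the original answer), the script below sets up the usual restricted-bash layout, a private bin directory holding only the permitted commands and a profile that pins PATH to it, and then probes what restricted mode refuses. It assumes bash is installed; the home directory and the permitted binary are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the original answer): set up the usual rbash
# layout, a private bin directory holding only the permitted commands and a
# profile that fixes PATH to it, and probe what restricted mode refuses.
# Assumes bash is installed; HOME_DIR and the allowed binary are placeholders.
set -eu

# setup_restricted_home HOME_DIR BIN...: link each permitted binary into
# HOME_DIR/bin and write a .bash_profile that pins PATH there. rbash makes
# PATH read-only once the startup files have run, so this is the whitelist.
setup_restricted_home() {
    home=$1; shift
    mkdir -p "$home/bin"
    for b in "$@"; do ln -sf "$b" "$home/bin/$(basename "$b")"; done
    printf 'PATH=%s/bin\nexport PATH\n' "$home" > "$home/.bash_profile"
    # In practice the profile is owned by root and read-only for the user,
    # otherwise he simply rewrites PATH before restricted mode locks it.
    chmod 644 "$home/.bash_profile"
}

# rbash_probe CMD: run CMD under bash -r (what rbash does) and report
# whether restricted mode let it through.
rbash_probe() {
    if bash -r -c "$1" >/dev/null 2>&1; then echo allowed; else echo blocked; fi
}

# Usage: each line prints allowed/blocked. Restricted mode forbids cd,
# slashes in command names, changing PATH and output redirection.
if command -v bash >/dev/null 2>&1; then
    for cmd in 'echo hi' 'cd /' '/bin/echo hi' 'PATH=/tmp' 'echo hi > /tmp/out'; do
        printf '%-22s %s\n' "$cmd" "$(rbash_probe "$cmd")"
    done
fi
```

The user's login shell is then set to rbash (chsh -s /bin/rbash, with rbash listed in /etc/shells). Every restriction shown applies only to the shell itself: anything in the bin directory runs unrestricted, which is exactly why an interpreter placed there undoes the whole setup and why the answer points at chroot instead.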