堆栈内存溢出
  简体   繁体   English

将linux用户限制为一个文件夹

[英]Restricting linux user to a folder

 原文  2013-07-30 09:53:45       linux/ security/ shell/ unix

问题描述

I need to create a seperate folder for an user where he is allowed to execute only one binary. 我需要为用户创建一个单独的文件夹,允许他只执行一个二进制文件。 He can call python/perl and run a program also. 他可以调用python / perl并运行程序。 But the user should not be able to delete any folder in his directory and should not be able to view any other directory. 但是用户不应该删除其目录中的任何文件夹,也不应该能够查看任何其他目录。 How can i achieve this ? 我怎样才能实现这一目标?

3 个解决方案

解决方案1
 2  2013-07-30 10:02:06

If they are accessing only over ssh, then a ChrootDirectory is the way to go. 如果他们只通过ssh访问,那么ChrootDirectory就是你要走的路。 Simply put, you create a fake / system in another directory, with all the programs the user is allowed to run & the libraries they need. 简而言之,您在另一个目录中创建一个假/系统,允许用户运行所有程序及其所需的库。

See the ChrootDirectory section of the sshd_config man page, or somewhere like Here for a fuller guide if needed. 有关更全面的指南,请参阅sshd_config手册页的ChrootDirectory部分,或者像Here这样的地方。

解决方案2
 0  2013-07-30 10:10:23

CHMOD does the job CHMOD完成这项工作 

  chmod 755 directory/filename

7 user (**owner**) has full access.
5 allows **group** user "read" and "execute" permissions, but
  not "write" permissions. 
5 allows **others** "read" and "execute" permissions, 
  but not "write" permissions.

For your reference : 供你参考 :

The 5 allows "read" and "execute" permissions, but not "write" permissions. 5允许“读取”和“执行”权限,但不允许“写入”权限。 A 6 would allow read and write permissions, but not "execute". A 6允许读写权限,但不允许“执行”。 A 4 would be "read" only. 4将仅“读取”。 A 2 would be "write" only, and a 1 would be "execute" only. A 2只是“写”,1只是“执行”。

Further Reference : link 进一步参考: 链接

解决方案3
 0  2013-07-30 10:31:01

You could also consider configuring and using a restricted shell like eg a restricted bash . 您还可以考虑配置和使用受限制的shell ,例如受限制的bash

However, notice that if you enable the user to run a scripting language like Python he will be able to circumvent these restrictions (using some clever scripts). 但是,请注意,如果您允许用户运行像Python这样的脚本语言,他将能够绕过这些限制(使用一些聪明的脚本)。 So a chroot is probably preferable. 所以chroot可能更可取。

You could define a separate group for that user to refrain him from doing a lot more. 您可以为该用户定义一个单独的组,以避免他做更多事情。 See also the nobody username , SELinux , etc. 另请参阅nobody用户名SELinux等。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用Linux用户权限限制应用程序存储在磁盘中的数据访问 - restricting application stored data access in disk using Linux user permissions Unix:将目录限制为用户 - Unix : Restricting a directory to an user 限制Linux静态库中的符号 - Restricting symbols in a Linux static library 限制可用 memory 用于在 linux 上进行测试 - Restricting available memory for testing on linux 如何在Linux中允许其他用户的文件夹权限 - How allow folder permission for another user in Linux 使用sftp到特定文件夹的linux新用户 - linux new user with sftp to specific folder Linux 多个用户的用户权限文件夹 - Linux user permissions folder for multiple users 如何只允许登录用户访问linux服务器上文件夹中的文件 - How to allow only logged in user to access files in a folder on linux server 如何在 Linux 上管理两个用户帐户之间的文件或文件夹权限 - How to manage file or folder permissions between two user accounts on Linux 在Linux Centos上具有第二个用户权限创建文件夹/文件 - Creates folder/file with second user permission on linux Centos
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM