Is there a method to restrict SSH users to certain access rights for certain programs (such as Python, Perl, Ruby, Java, etc), but also a method to restrict them from leaving their /home/ directories?

Thomas Ward

1 Answer

Well, if you want to restrict a user to /home, SSH is not really the right tool. For example, /bin/bash is not in /home. A better tool would be something like NFS, sshfs, FTP, etc. (we could debate which one to use).

You could build a chroot in /home, but LXC is, IMO, a better, more modern tool.

Your other option would be to write an AppArmor profile. This would be somewhat similar to a chroot in that you would need to specify what a user would and would not have access to in a profile.

What you would do is make a link to /bin/bash; I call it jailbash:

    sudo ln /bin/bash /usr/local/jailbash

You then change the user's login shell from bash to jailbash:

    sudo chsh <user>

Now write an AppArmor profile for jailbash. Here is an example. You will need to review and update it, but it gives you a starting point.

tanius
Panther
  • Given that this is on a shell server, I need to at least get restrictions done for programs. Would you recommend AppArmor profiles, or LXC, for a low-spec shell server? – Thomas Ward May 30 '12 at 17:40
  • Hard to answer your question without more details on what you want your users to do. In general, AppArmor if your users need to interact with the main system (start/stop services, edit config files, manage web content, backups, etc.) and LXC if they need only SSH/shell access (sshfs, port forwarding). – Panther May 30 '12 at 17:57
  • The SSH/shell access is all they'd need, but I'd like to restrict the running of non-admin-installed Python programs, i.e. python ./IAmAScript.py, from the shell. – Thomas Ward May 30 '12 at 18:10
  • My advice would be to use AppArmor. – Panther May 30 '12 at 18:37
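
A starting point for the jailbash profile discussed in the answer and comments above, as an added example that is not part of the original answer or comments. The tool allow-list, the python3 path pattern and the /opt/admin-scripts directory are assumptions to adjust for the server in question.

```apparmor
# /etc/apparmor.d/usr.local.jailbash (added example; review before enforcing)
#include <tunables/global>

/usr/local/jailbash {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # The shell itself; ix keeps subshells under this profile.
  /usr/local/jailbash mrix,

  # Assumed allow-list of admin-installed tools, run under this profile.
  /{,usr/}bin/{ls,cat,less,cp,mv,rm,mkdir,nano} mrix,

  # Home directory: read and write the user's own files, never execute them.
  owner @{HOME}/ r,
  owner @{HOME}/** rw,
  deny @{HOME}/** mx,

  # The interpreter runs in a child profile (Cx) with no view of the home directory.
  /usr/bin/python3.[0-9]* Cx -> interp,

  profile interp {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/python>

    /usr/bin/python3.[0-9]* mr,

    # Hypothetical directory for scripts the admin has installed.
    /opt/admin-scripts/** r,

    # Scripts under the home directory cannot be opened by the interpreter.
    deny @{HOME}/** rwmx,
  }
}
```

Load it with `apparmor_parser -r` and run it under `aa-complain` first to see what a normal login session still needs. Denying read access stops `python ./IAmAScript.py` for files under the home directory, but code typed at the interpreter prompt or piped in on stdin still runs, confined to what the `interp` profile allows.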