2012. 6. 25. 14:07

KBRC00008474
User should only be able to access their own home-directory
DocId: KBRC00008474   Updated: 11/19/01 1:01:00 AM

PROBLEM
Regardless of how the user logs in (rlogin, telnet or ftp), he should only be
able to access his own home directory.

Ideas:
1. for rlogin and telnet, the user should get a restricted shell.
other doc:

[3100571510/ESS-ACTIVE/English]
"... The restricted shell is useful when you wish users to have limited access
to the system. Make sure the directories in which the restricted users are
placed do not give them access to subdirectories in which they may do damage.
Also make sure they do not have commands available to them, such as chsh and
csh, that let them escape the restricted shell. (See sh(1) about provisions to
ensure this.)  ..."

2. for ftp, set up the file /etc/ftpd/ftpaccess.
other doc:

BC0814KBRC00007719
How to setup a restricted user for FTP access

The problem here is that both need to be combined:

other doc:

[A5751180/TRAK/English]  [A5751180/RCEN/Japanese]  [A5751180/RCEN/English]
Can I use FTP in conjunction with a restricted shell?

" ... No, you cannot use FTP in conjunction with a restricted shell.  You
either don't give the user FTP access (via ftpusers), or you must restrict
the user via permissions and ownership of files and directories.

The ftpusers man page recommends that you place users with restricted
shells into the /etc/ftpusers file.  The ftpusers file restricts FTP
access on a host system. ..."
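The excerpts above leave exactly two acceptable states for an account with a restricted shell: FTP is denied outright through /etc/ftpusers, or the account is confined on the FTP side as well (the resolution below does that with a guestgroup entry in /etc/ftpd/ftpaccess, which chroots the FTP session to the home directory). The following audit is an added example and is not part of the HP document: it reads the passwd, group, ftpusers and ftpaccess files given as arguments and reports every account whose shell is the restricted shell (/usr/bin/rsh by default) that is covered by neither mechanism. The sample files it writes are constructed for the demonstration and describe no real system.

```shell
#!/bin/sh
# Added example (not part of the HP document): audit restricted-shell accounts
# against the two FTP controls. Arguments: passwd, group, ftpusers and
# ftpaccess files (copies or the live /etc files), then the restricted shell
# path (default /usr/bin/rsh, the HP-UX restricted shell).
# Exit status 0 when every restricted-shell user is covered, 1 otherwise.
audit_restricted_ftp() {
    passwd="$1"; group="$2"; ftpusers="$3"; ftpaccess="$4"
    rsh="${5:-/usr/bin/rsh}"
    awk -v rsh="$rsh" -F: '
        # passwd: remember login -> primary gid for restricted-shell users
        FILENAME == ARGV[1] { if ($7 == rsh) user[$1] = $4; next }
        # group: gid -> group name, needed because guestgroup lists names
        FILENAME == ARGV[2] { gname[$3] = $1; next }
        # ftpusers: one login per line, comments and blank lines ignored
        FILENAME == ARGV[3] {
            if ($0 !~ /^[ \t]*(#|$)/) {
                sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
                denied[$0] = 1
            }
            next
        }
        # ftpaccess: collect every group named on a guestgroup line
        FILENAME == ARGV[4] {
            sub(/^[ \t]+/, "")
            n = split($0, f, /[ \t]+/)
            if (f[1] == "guestgroup")
                for (i = 2; i <= n; i++) if (f[i] != "") guest[f[i]] = 1
            next
        }
        END {
            bad = 0
            for (u in user) {
                g = gname[user[u]]
                if (u in denied)
                    printf "%s: OK, FTP denied via ftpusers\n", u
                else if (g in guest)
                    printf "%s: OK, FTP guest chrooted to home directory (guestgroup %s)\n", u, g
                else {
                    printf "%s: WARNING, restricted shell but unrestricted FTP (group %s)\n", u, g
                    bad = 1
                }
            }
            exit bad
        }' "$passwd" "$group" "$ftpusers" "$ftpaccess"
}

# Constructed sample files (not taken from any real system) for a dry run:
# test123 and alice are guest-chrooted via group ftptest, bob is denied via
# ftpusers, carol has a normal shell and is therefore not the audit's concern.
write_sample_files() {
    dir="$1"
    cat > "$dir/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
test123:x:102:101::/home/test123:/usr/bin/rsh
alice:x:103:101::/home/alice:/usr/bin/rsh
bob:x:104:20::/home/bob:/usr/bin/rsh
carol:x:105:20::/home/carol:/usr/bin/sh
EOF
    cat > "$dir/group" <<'EOF'
sys:x:3:
users:x:20:
ftptest:x:101:test123,alice
EOF
    cat > "$dir/ftpusers" <<'EOF'
# restricted-shell users who get no FTP at all, as ftpusers(4) recommends
bob
EOF
    cat > "$dir/ftpaccess" <<'EOF'
class all real,guest,anonymous *
guestgroup ftptest
EOF
}

# On the live system:
#   audit_restricted_ftp /etc/passwd /etc/group /etc/ftpusers /etc/ftpd/ftpaccess
```

With the constructed files the audit exits 0 and lists test123 and alice as chrooted guests and bob as denied; adding a restricted-shell user whose group is not a guestgroup and who is absent from ftpusers makes it exit 1 with a WARNING line for that user.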

 

CONFIGURATION
HPUX 11.0
ftp, restricted shell
RESOLUTION
However, I was able to create a user with a restricted shell and with restricted FTP
access, following the hints of doc BC0814KBRC00007719
and the man page of ftpaccess.
Here is what I suggested to my customer; it works fine for her purpose:

0. to avoid known ftp problems, I installed the 11.00 ftpd(1M) and ftp(1) patch:
[PHNE_23949/PACHRDME/English]

1. create a user named test123 with sam on system grcdg405:
  shell: /usr/bin/rsh
  home directory: /home/test123/
  group: ftptest

2. edit the file /etc/ftpd/ftpaccess
(first I needed to copy it from /usr/newconfig):
# cp /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/

# vi /etc/ftpd/ftpaccess
class all test123,guest *    <- line #1
guestgroup ftptest           <- line #2
...

3. edit /etc/inetd.conf so that ftpd is started with -a (use the ftpaccess file) and -l (log sessions):
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

# inetd -c


4. to give the user the possibility to see his files (a guestgroup user is
chrooted to his home directory, so ftpd needs an ls binary below it):

# mkdir /home/test123/usr
# cd /home/test123
# chown -R bin:bin usr
# chmod 555 usr

# mkdir /home/test123/usr/bin
# cd /home/test123
# chown -R root:bin usr/bin
# chmod 555 usr/bin
# cp -p /sbin/ls /home/test123/usr/bin/ls

5. Test:

grcdg366:/$rlogin grcdg405 -l test123
Password:
Please wait...checking for disk quotas
(c)Copyright 1983-1997 Hewlett-Packard Co.,  All Rights Reserved.
....$ whoami
test123
$ cd ..
rsh: cd: The operation is not allowed in a restricted shell.
$ touch blubb
$ ls
bla    blubb  usr

next test:

grcdg366:/$ftp grcdg405
Connected to grcdg405.grc.hp.com.
220 grcdg405.grc.hp.com FTP server (Version 1.1.214.8 Fri Apr 20 07:27:42 GMT 2001) ready.
Name (grcdg405:root): test123
331 Password required for test123.
Password:
230 User test123 logged in.  Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory.
ftp> cd ..
250 CWD command successful.
ftp> pwd
257 "/" is current directory.

(the user sees / as the current directory, but is in reality chrooted to /home/test123!):

ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 0
-rw-rw-rw-   1 0          3                0 Nov  7 10:58 bla
-rw-rw-rw-   1 102        101              0 Nov  7 11:17 blubb
dr-xr-xr-x   3 2          2               96 Nov  7 10:59 usr
226 Transfer complete.

ftp> put README
200 PORT command successful.
150 Opening BINARY mode data connection for README.
226 Transfer complete.
1392 bytes sent in 0.02 seconds (81.92 Kbytes/s)
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /usr/bin/ls.
total 4
-rw-r-----   1 102        101           1392 Nov  7 11:20 README
-rw-rw-rw-   1 0          3                0 Nov  7 10:58 bla
-rw-rw-rw-   1 102        101              0 Nov  7 11:17 blubb
dr-xr-xr-x   3 2          2               96 Nov  7 10:59 usr
226 Transfer complete.
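Step 4 above, collected into a script together with the check an auditor would run afterwards, as an added example that is not part of the HP document: build_guest_home creates the usr/bin tree under a home directory and copies an ls binary into it, and check_guest_home verifies the result (ls present and executable, usr and usr/bin without any write bit, the home directory not world-writable so that no local user can plant files into what the FTP guest sees). Paths are parameters; the bin:bin and root:bin ownership from step 4 is applied only when the script runs as root, so the checks can also be tried unprivileged in a scratch directory. Nothing here touches sam, ftpaccess or inetd.conf.

```shell
#!/bin/sh
# Added example (not part of the HP document): build and verify the chrooted
# FTP home layout of step 4. Arguments: home directory, optional ls binary
# (default /sbin/ls, the statically linked ls copied in step 4).

build_guest_home() {
    home="$1"
    ls_bin="${2:-/sbin/ls}"
    mkdir -p "$home/usr/bin" || return 1
    # ls must live inside the chroot: the guest session cannot see /usr/bin
    cp -p "$ls_bin" "$home/usr/bin/ls" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        # ownership as in step 4; only root may chown
        chown -R bin:bin "$home/usr" || return 1
        chown -R root:bin "$home/usr/bin" || return 1
    fi
    chmod 555 "$home/usr" "$home/usr/bin"
}

# Permission string of a path, e.g. "r-xr-xr-x" (characters 2-10 of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 when the layout is as intended, 1 (with a reason on stdout) otherwise.
check_guest_home() {
    home="$1"
    [ -d "$home/usr/bin" ] || { echo "missing $home/usr/bin"; return 1; }
    [ -x "$home/usr/bin/ls" ] || { echo "missing or non-executable $home/usr/bin/ls"; return 1; }
    for d in "$home/usr" "$home/usr/bin"; do
        case "$(mode_of "$d")" in
            *w*) echo "$d is writable (mode $(mode_of "$d")), expected 555"; return 1 ;;
        esac
    done
    # characters 7-9 of the permission string are the "other" bits
    case "$(mode_of "$home" | cut -c7-9)" in
        *w*) echo "$home is world-writable"; return 1 ;;
    esac
    echo "$home: guest layout OK"
}

# On the live system, as root:
#   build_guest_home /home/test123 /sbin/ls && check_guest_home /home/test123
```

The check deliberately reads the mode bits from ls -ld rather than using test -w, because root passes test -w on every directory and the script is meant to be run as root.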


Perhaps I did not test everything, but I suggested that my customer check and test
it herself in her environment, and she told me that it was all working fine!

* This post was moved by 기혀니 (2005-02-16 09:46)

 

Posted by 몰라욧