Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17

Thread: openSSH - Limiting access to users...

  1. #11
    Join Date
    Oct 2008
    Beans
    27

    Re: openSSH - Limiting access to users...

    Woahhhh Nelly!!! Brain Overload! Alert!

    I'm sorry. All I've done so far is set up several users (2 to 5) whom I would like to be able to use PuTTY so that they can use my sheevaplug first as a transparent proxy server. I'd like user1 to be able to use the sheevaplug as a proxy server and to be able to do other things such as access and/or back up files onto an attached external HD using SFTP & rsync. I'd like the other users to have very limited access, i.e. proxy server only.

    I haven't created a "chroot prison" if that's what your chroot comment meant. I've just created users and the groups in a basic adduser/addgroup way.

    So, from your post I gather I now have to set up user1, for instance, with these "various utilities". What I'm not understanding is why? Is this some sort of standard setup that everyone has to do? I'm sorry, but I'm stumped.

  2. #12
    Join Date
    Oct 2008
    Beans
    27

    Re: openSSH - Limiting access to users...

    I found this thread:

    http://erdelynet.com/archive/ssh-l/2003-10/1958.html

    which suggests that I may just need to modify the bash.exe permissions. Is this a possible solution? Or, is this not a good idea?

  3. #13
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Filezilla and PuTTY SFTP

    Quote Originally Posted by Badcam View Post
    Woahhhh Nelly!!! Brain Overload! Alert!
    Sorry. Leave chroot alone for at least a day or two. Probably longer. You probably don't need it.

    Now that you have the users and group memberships set, try instead using the SFTP I mentioned to connect. You have that option in PuTTY and in Filezilla. Will that give you the file access you need?

  4. #14
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    OT: description of chroot

    Last edited by Lars Noodén; October 5th, 2009 at 11:35 AM. Reason: duplicate post

  5. #15
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    OT: description of chroot

    Again try using SFTP in PuTTY and in Filezilla. SFTP will be useful.

    If you look at the root file system, say using ls /, you see something like this:


    afs cdrom home lib media proc selinux tmp vmlinuz
    bin dev initrd.img lib64 mnt root srv usr vmlinuz.old
    boot etc initrd.img.old lost+found opt sbin sys var

    And you will see that the program ls is located somewhere in that root file system, so is the program which:
    $ which ls
    /bin/ls
    $ which which
    /usr/bin/which

    And I happen to have a directory on that filesystem called /var/chroot-test/ which looks like this:


    bin dev lib lib64 usr var

    And the directory /var/chroot-test/bin looks like this, containing a single program 'rbash':



    rbash

    chroot changes the apparent location of the root file system from / to something else.

    So if I chroot to /var/chroot-test/, then it and its contents are all that I see for a file system. ls is not in /var/chroot-test, so it can't run if /var/chroot-test is the chroot jail:

    sudo chroot /var/chroot-test/ /bin/rbash
    $ ls
    rbash: ls: command not found

    Now if I add ls using the steps described above:



    # ldd /bin/ls
    linux-vdso.so.1 => (0x00007ffff0559000)
    librt.so.1 => /lib/librt.so.1 (0x00007fed85eaf000)
    libselinux.so.1 => /lib/libselinux.so.1 (0x00007fed85c91000)
    libacl.so.1 => /lib/libacl.so.1 (0x00007fed85a89000)
    libc.so.6 => /lib/libc.so.6 (0x00007fed8571a000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x00007fed854fe000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fed860b7000)
    libdl.so.2 => /lib/libdl.so.2 (0x00007fed852fa000)
    libattr.so.1 => /lib/libattr.so.1 (0x00007fed850f5000)
    # cp -i /lib/librt.so.1 /var/chroot-test/lib/librt.so.1
    # cp -i /lib/libselinux.so.1 /var/chroot-test/lib/libselinux.so.1
    # cp -i /lib/libacl.so.1 /var/chroot-test/lib/libacl.so.1
    # cp -i /lib/libc.so.6 /var/chroot-test/lib/libc.so.6
    # cp -i /lib/libpthread.so.0 /var/chroot-test/lib/libpthread.so.0
    # cp -i /lib/libattr.so.1 /var/chroot-test/lib/libattr.so.1

    then ls will run inside the jail. Other programs, such as touch and find, are not there in the chroot jail until they too are added.



    # chroot /var/chroot-test/ /bin/rbashrbash-4.0
    # ls
    bin dev lib lib64 usr var
    # touch
    rbash: touch: command not found
    # find
    rbash: find: command not found

    To use chroot is to build a new system inside a subdirectory.
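
    The manual steps above (run ldd on a program, then cp each library it lists into the same path under the jail) are the general recipe for putting any program into a chroot, so here is a small POSIX sh script that automates them. This is an added example, not Lars's code or anything posted in the thread; the jail path and program names in the usage note are hypothetical, and it assumes an ldd that prints "name => /path (0x...)" or "/path (0x...)" lines as shown above. It also adds a check function that reports libraries the jail is still missing, which is the usual cause of a program that was copied in but still won't start.

```shell
#!/bin/sh
# Added example (not from the thread): populate a chroot directory with a
# program and the shared libraries ldd reports for it, automating the manual
# "ldd, then cp -i each library" steps shown in the post above.
# Assumptions: a glibc/musl-style ldd whose output looks like the listing above;
# the jail path (/var/chroot-test/) and program names are hypothetical.
set -eu

# Print the absolute library paths ldd reports for one binary, one per line.
# vdso pseudo-entries ("linux-vdso.so.1 => (0x...)") carry no path and are
# skipped; a statically linked binary yields no lines at all.
ldd_libs() {
    bin="$1"
    if ! command -v ldd >/dev/null 2>&1; then
        echo "ldd not found; copying $bin without libraries" >&2
        return 0
    fi
    ldd "$bin" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libname => /path (0x...)
        $1 ~ /^\//               { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    '
}

# Copy one file into the jail at the same path it has on the host, creating
# the directory first. cp -p keeps mode bits so the program stays executable;
# -L resolves symlinks (libc.so.6 -> libc-2.xx.so) so the jail gets a real
# file rather than a link that points outside the jail.
copy_into_jail() {
    src="$1"; jail="$2"
    mkdir -p "$jail$(dirname "$src")"
    cp -pL "$src" "$jail$src"
}

# Install a program and every library ldd says it needs into the jail.
populate_chroot() {
    bin="$1"; jail="$2"
    copy_into_jail "$bin" "$jail"
    ldd_libs "$bin" | while IFS= read -r lib; do
        if [ -n "$lib" ]; then
            copy_into_jail "$lib" "$jail"
        fi
    done
}

# Report libraries a binary needs that the jail lacks; returns 1 if any are
# missing, 0 if the program should load inside the jail.
check_jail_binary() {
    bin="$1"; jail="$2"; missing=0
    for lib in $(ldd_libs "$bin"); do
        if [ ! -e "$jail$lib" ]; then
            echo "missing in jail: $lib" >&2
            missing=1
        fi
    done
    return $missing
}
```

    Used on the thread's layout it would be, as root, populate_chroot /bin/rbash /var/chroot-test and then populate_chroot /bin/ls /var/chroot-test, after which check_jail_binary /bin/ls /var/chroot-test prints nothing and chroot /var/chroot-test /bin/rbash gives a shell in which ls runs but touch and find still do not, exactly as in the session above. Every extra program copied in widens what a jailed user can do, so add only what the users actually need.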

  6. #16
    Join Date
    Oct 2008
    Beans
    27

    Re: OT: description of chroot

    Quote Originally Posted by Lars Noodén View Post
    Again try using SFTP in PuTTY and in Filezilla. SFTP will be useful.

    If you look at the root file system, say using ls /, you see something like this:


    afs cdrom home lib media proc selinux tmp vmlinuz
    bin dev initrd.img lib64 mnt root srv usr vmlinuz.old
    boot etc initrd.img.old lost+found opt sbin sys var

    And you will see that the program ls is located somewhere in that root file system, so is the program which:
    $ which ls
    /bin/ls
    $ which which
    /usr/bin/which

    And I happen to have a directory on that filesystem called /var/chroot-test/ which looks like this:


    bin dev lib lib64 usr var

    And the directory /var/chroot-test/bin looks like this, containing a single program 'rbash':



    rbash

    chroot changes the apparent location of the root file system from / to something else.

    So if I chroot to /var/chroot-test/, then it and its contents are all that I see for a file system. ls is not in /var/chroot-test, so it can't run if /var/chroot-test is the chroot jail:

    sudo chroot /var/chroot-test/ /bin/rbash
    $ ls
    rbash: ls: command not found

    And now I realise what it is you're showing me below here... and as per your bash example in the previous post:

    Now if I add ls using the steps described above:



    # ldd /bin/ls
    linux-vdso.so.1 => (0x00007ffff0559000)
    librt.so.1 => /lib/librt.so.1 (0x00007fed85eaf000)
    libselinux.so.1 => /lib/libselinux.so.1 (0x00007fed85c91000)
    libacl.so.1 => /lib/libacl.so.1 (0x00007fed85a89000)
    libc.so.6 => /lib/libc.so.6 (0x00007fed8571a000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x00007fed854fe000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fed860b7000)
    libdl.so.2 => /lib/libdl.so.2 (0x00007fed852fa000)
    libattr.so.1 => /lib/libattr.so.1 (0x00007fed850f5000)
    # cp -i /lib/librt.so.1 /var/chroot-test/lib/librt.so.1
    # cp -i /lib/libselinux.so.1 /var/chroot-test/lib/libselinux.so.1
    # cp -i /lib/libacl.so.1 /var/chroot-test/lib/libacl.so.1
    # cp -i /lib/libc.so.6 /var/chroot-test/lib/libc.so.6
    # cp -i /lib/libpthread.so.0 /var/chroot-test/lib/libpthread.so.0
    # cp -i /lib/libattr.so.1 /var/chroot-test/lib/libattr.so.1

    then ls will run inside the jail. Other programs, such as touch and find, are not there in the chroot jail until they too are added.



    # chroot /var/chroot-test/ /bin/rbashrbash-4.0
    # ls
    bin dev lib lib64 usr var
    # touch
    rbash: touch: command not found
    # find
    rbash: find: command not found

    To use chroot is to build a new system inside a subdirectory.

    It's amazing how taking a step back for a moment (well actually, a good night's sleep) can make you see things more clearly. I actually understand this.

    Thanks for your patience Lars. So now:

    1) If I create a /var/chroot-test/ directory (I'll use another name though), I assume that that one directory can be set up to be used by, say, users 1 through 5, but

    2) How can I set that up for just users 2 through 5 only (not user1) and allow user1 to still have full access (i.e. sudo rights)? Would I just create two versions of /var/chroot-test/ (chroot-test1 & chroot-test2)? Am I being clear?

    3) Or, would the group permissions be sufficient?

    What I'm needing is for users 2 to 5 to be able to log in remotely and use this device purely as a transparent proxy server. But, I want user1 (which will be me) to be able to log in and manage the device, access it fully with sudo rights.

    You've been a great help Lars and mighty patient with me.

    (I won't have free time to trial this until tonight [11 hours' time] but I'll work on it first chance I get. Brilliant!)

  7. #17
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: OT: description of chroot

    sudo (actually /etc/sudoers) is for access to running programs.

    Group permissions and membership would be for access to read or write files.
