Revoke directory access for a particular user in Solaris

IamtheWalrus

Hi all,

I have a need to allow directory access to a particular user on my file system. I want this user to be unable to access any other directory in my file system (initially anyway. It may need access to some directories later).

For example: I have a directory called /opt/mydir. - I want my dedicated user to only be able to access this directory, and nothing else. - I want all other users to be able to access this directory as normal.

I'm new to Linux and its permissions. I've read a fair bit of background material but I'm a little confused.
Is there anyway to revoke permissions to /opt/mydir for a single dedicated user?

A possible flawed method would be to only allow access to /opt/mydir and exclude every other user. This won't work because I want all other users to work as normal; accessing the directory.

I'm working on Solaris 10.

Any suggestions are appreciated.

IamtheWalrus

OSI wrote: »

I'm confused.

You want the user to ONLY be able to access /opt/mydir ?

If so why do you want to revoke their permissions to this directory?

If you are looking to restrict the user to one folder, look at using a chrooted environment for them.

Also, just a side note, Linux and Solaris are not the same. They share a lot of concepts and are pretty compatible but there are both unique OS' and do have differences.

Yes, I am looking to restrict the user to one folder, but not affect other users who will also be using that folder but in a different, safe way. I think this chroot might be the best solution..

Fluffy88

Not sure what chroot does and am too lazy to google it now

But if you create a new user group for the user, then create the folder that you wish to give this user account access to and set the new user as the owner of that folder.

This way they have full control of the folder and it's contents, you can allow other users access to the same folder and since the user is a member of only your newly created user group the user cannot access any other files in your filesystem.

Saganist

IamtheWalrus wrote: »

Yes, I am looking to restrict the user to one folder, but not affect other users who will also be using that folder but in a different, safe way. I think this chroot might be the best solution..

I think what you want to do here is to setup the user with a restricted shell. A restricted shell will lock the user to his $HOME.

I've done this numerous times for certain users ( years ago ).

You can even limit the user to just run a script on login.

You'll need to do a little reading as I can't remember the exact syntax.

useradd -u500 -g10 -d/opt/mydir -s/bin/rksh myuser

Where rksh is the restricted shell...

And modify the .profile to limit the users $PATH to the utilities you want him to run or not..

That's from memory, so you might want to google it for more detail.

croo

You might use the group permissions to add & revoke access to the user.

Ensure it's the group permissions that provides the users with rwx access, then add and remove the user to that group as needed.

IamtheWalrus

OSI wrote: »

I'm confused.

You want the user to ONLY be able to access /opt/mydir ?

If so why do you want to revoke their permissions to this directory?

If you are looking to restrict the user to one folder, look at using a chrooted environment for them.

Also, just a side note, Linux and Solaris are not the same. They share a lot of concepts and are pretty compatible but there are both unique OS' and do have differences.

I've had a look at the extremely limited documentation on chroot on Solaris and I still don't know how to use it.

The syntax is:
/usr/sbin/chroot newroot command

Does anyone know what the 'command' would be in my case?

For this to work for my problem, don't I just need to set the /opt/mydir as my home dir (/)?

What I think should happen is I:

1. Create a fake root for my application say /opt/myapproot.
2. I then do 'chroot /opt/myapproot' to make /opt/myapproot look like '/'.
3. I then can run my application in this 'jail', restricting it from any dir above /opt/myapproot.

Does that sound correct?

Khannie

The command is usually a shell (e.g. /bin/bash). I think it's optional and the default shell will be used in its place.

IamtheWalrus

Khannie wrote: »

The command is usually a shell (e.g. /bin/bash). I think it's optional and the default shell will be used in its place.

Sorry man. I still don't get that. Command is not optional.

Basically my set up is this:

1. Folder called /opt/mydir.
2. In this folder, I have an application that is started via 2 shell scripts. One to start apache, the other to start weblogic.
3. The application should only see /opt/mydir (and mandatory dirs) and nothing else.

Saganist

IamtheWalrus wrote: »

Sorry man. I still don't get that. Command is not optional.

Basically my set up is this:

1. Folder called /opt/mydir.
2. In this folder, I have an application that is started via 2 shell scripts. One to start apache, the other to start weblogic.
3. The application should only see /opt/mydir (and mandatory dirs) and nothing else.

If you set the restricted shell, all you need to do is set the users home dir to the same dir as your app.

If the user then signs in and tries to move around, he'll get..

$ cd /
rksh: cd: restricted

Is this not what you wanted to do ?

The directory will also still be accessible to "normal" users...