
Revoke directory access for a particular user in Solaris

  • 15-11-2011 2:56pm
    #1
    Closed Accounts Posts: 6,075 ✭✭✭


    Hi all,

    I have a need to allow directory access to a particular user on my file system. I want this user to be unable to access any other directory in my file system (initially anyway. It may need access to some directories later).

    For example: I have a directory called /opt/mydir. - I want my dedicated user to only be able to access this directory, and nothing else. - I want all other users to be able to access this directory as normal.

    I'm new to Linux and its permissions. I've read a fair bit of background material but I'm a little confused.
    Is there any way to revoke permissions to /opt/mydir for a single dedicated user?

    A possible flawed method would be to only allow access to /opt/mydir and exclude every other user. This won't work because I want all other users to work as normal; accessing the directory.

    I'm working on Solaris 10.

    Any suggestions are appreciated.


Comments

  • Closed Accounts Posts: 6,075 ✭✭✭IamtheWalrus


    OSI wrote: »
    I'm confused.

    You want the user to ONLY be able to access /opt/mydir ?

    If so why do you want to revoke their permissions to this directory?

    If you are looking to restrict the user to one folder, look at using a chrooted environment for them.

    Also, just a side note, Linux and Solaris are not the same. They share a lot of concepts and are pretty compatible but they are both unique OSes and do have differences.

    Yes, I am looking to restrict the user to one folder, but not affect other users who will also be using that folder but in a different, safe way. I think this chroot might be the best solution..


  • Registered Users, Registered Users 2 Posts: 1,414 ✭✭✭Fluffy88


    Not sure what chroot does and am too lazy to google it now :)

    But if you create a new user group for the user, then create the folder that you wish to give this user account access to and set the new user as the owner of that folder.

    This way they have full control of the folder and its contents, you can allow other users access to the same folder and since the user is a member of only your newly created user group the user cannot access any other files in your filesystem.


  • Registered Users, Registered Users 2 Posts: 1,335 ✭✭✭Saganist


    Yes, I am looking to restrict the user to one folder, but not affect other users who will also be using that folder but in a different, safe way. I think this chroot might be the best solution..

    I think what you want to do here is to set up the user with a restricted shell. A restricted shell will lock the user to his $HOME.

    I've done this numerous times for certain users ( years ago :D ).

    You can even limit the user to just run a script on login.

    You'll need to do a little reading as I can't remember the exact syntax.

    useradd -u500 -g10 -d/opt/mydir -s/bin/rksh myuser

    Where rksh is the restricted shell...

    And modify the .profile to limit the user's $PATH to the utilities you want him to run or not..

    That's from memory, so you might want to google it for more detail.


  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    You might use the group permissions to add & revoke access to the user.

    Ensure it's the group permissions that provide the users with rwx access, then add and remove the user to that group as needed.


  • Closed Accounts Posts: 6,075 ✭✭✭IamtheWalrus


    OSI wrote: »
    I'm confused.

    You want the user to ONLY be able to access /opt/mydir ?

    If so why do you want to revoke their permissions to this directory?

    If you are looking to restrict the user to one folder, look at using a chrooted environment for them.

    Also, just a side note, Linux and Solaris are not the same. They share a lot of concepts and are pretty compatible but they are both unique OSes and do have differences.

    I've had a look at the extremely limited documentation on chroot on Solaris and I still don't know how to use it.

    The syntax is:
    /usr/sbin/chroot newroot command

    Does anyone know what the 'command' would be in my case?

    For this to work for my problem, don't I just need to set the /opt/mydir as my home dir (/)?

    What I think should happen is I:

    1. Create a fake root for my application say /opt/myapproot.
    2. I then do 'chroot /opt/myapproot' to make /opt/myapproot look like '/'.
    3. I then can run my application in this 'jail', restricting it from any dir above /opt/myapproot.

    Does that sound correct?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    The command is usually a shell (e.g. /bin/bash). I think it's optional and the default shell will be used in its place.


  • Closed Accounts Posts: 6,075 ✭✭✭IamtheWalrus


    Khannie wrote: »
    The command is usually a shell (e.g. /bin/bash). I think it's optional and the default shell will be used in its place.

    Sorry man. I still don't get that. Command is not optional.

    Basically my set up is this:

    1. Folder called /opt/mydir.
    2. In this folder, I have an application that is started via 2 shell scripts. One to start apache, the other to start weblogic.
    3. The application should only see /opt/mydir (and mandatory dirs) and nothing else.


  • Registered Users, Registered Users 2 Posts: 1,335 ✭✭✭Saganist


    Sorry man. I still don't get that. Command is not optional.

    Basically my set up is this:

    1. Folder called /opt/mydir.
    2. In this folder, I have an application that is started via 2 shell scripts. One to start apache, the other to start weblogic.
    3. The application should only see /opt/mydir (and mandatory dirs) and nothing else.

    If you set the restricted shell, all you need to do is set the user's home dir to the same dir as your app.

    If the user then signs in and tries to move around, he'll get..

    $ cd /
    rksh: cd: restricted

    Is this not what you wanted to do ?

    The directory will also still be accessible to "normal" users...
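
The restricted-shell setup suggested in this thread (rksh, home set to the application directory, PATH limited in .profile) only holds if the restricted user cannot rewrite .profile or the PATH directory, and if no full shell is reachable from PATH. The script below is an added example, not code from any poster in the thread, that audits such a home; the directory layout, `myuser`, the `startApache.sh` name and the `ESCAPES` list are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a restricted-shell (rksh) home before handing it out.
# HOME/BINDIR/USER are arguments; ESCAPES is an illustrative, partial list.
ESCAPES="sh ksh bash csh tcsh zsh vi ed"

owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Succeeds if group or other has write permission on $1.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# audit_rhome HOME BINDIR USER: print one finding per line (nothing = clean).
audit_rhome() {
    home=$1; bindir=$2; user=$3
    for f in "$home/.profile" "$bindir"; do
        if [ ! -e "$f" ]; then echo "missing: $f"; continue; fi
        # If the restricted user can rewrite these, the PATH limit is moot.
        if [ "$(owner_of "$f")" = "$user" ]; then echo "owned by $user: $f"; fi
        if loosely_writable "$f"; then echo "group/other writable: $f"; fi
    done
    # .profile must pin PATH to the approved directory only.
    if ! grep -x -F "PATH=$bindir" "$home/.profile" >/dev/null 2>&1; then
        echo "PATH not pinned to $bindir"
    fi
    # A full shell, or an editor with a shell escape, undoes the restriction.
    for name in $ESCAPES; do
        if [ -e "$bindir/$name" ]; then echo "unrestricted program: $name"; fi
    done
}

# Constructed demo layout (stands in for /opt/mydir; no real account is used).
demo=$(mktemp -d)
mkdir "$demo/mydir" "$demo/mydir/bin"
printf 'PATH=%s\nexport PATH\n' "$demo/mydir/bin" > "$demo/mydir/.profile"
chmod 644 "$demo/mydir/.profile"; chmod 755 "$demo/mydir/bin"
: > "$demo/mydir/bin/startApache.sh"   # approved command (empty placeholder)
: > "$demo/mydir/bin/vi"               # deliberately bad: editor in PATH
audit_rhome "$demo/mydir" "$demo/mydir/bin" myuser
```

Because rksh refuses command names containing a slash, the application's start scripts have to sit in the approved PATH directory for the restricted user to run them at all.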

