1

I want to have a user to be able to login with ssh, but only be able to read files from a specific directory.

I did some research. Is it true that this is only possible with chroot and home directories?

Running Debian 10.

ctrl-alt-delor
  • 27,473
  • 9
  • 58
  • 102
Vernox Vernax
  • 25
  • 5
  • Does it matter if they can read system programs (the stuff that is already published on the inter-web)? – ctrl-alt-delor Apr 22 '20 at 09:27
  • you mean stuff like the top command. no I just dont want that it can read see or do anything to other directories. – Vernox Vernax Apr 22 '20 at 09:45
  • 1
    So not write to other directories, not read "secret" information from other directories? If so then you need to use a separate user account, and file-permissions. see https://unix.stackexchange.com/q/101263/4778 – ctrl-alt-delor Apr 22 '20 at 10:06

1 Answers1

1

Done this recently with restricted bash (rbash). https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html One of it's restrictions: Changing directories with the cd builtin.

Set user's default shell to /bin/rbash and directory to the directory that you wan't to limit him to in /etc/passwd and he will not be able to cd out of it.

Alternatively you could add an alias in the user's shell profile file: alias cd='printf ""'

shiftas
  • 326
  • 1
  • 6
  • 1
    I just tried `rbash`. It doesn't allow me to `cd` to a directory outside the initial directory but it doesn't restrict the access to files as an argument to commands, e.g. using `cat ../somefile`. I can even start an unrestricted `bash`. As written in the documentaition of `rbash`, you need additional means to really restrict the environment. – Bodo Apr 22 '20 at 14:32
  • adding aliases to `.bash_profile` will prevent that. You can also prevent certain options for a command by creating a script checking if input has `/` and add that script via an alias. Example `alias cat='./checkforabsolutepaths.sh'`. All other commands that you might not want the user to have access to can be turned of with `alias cd='printf ""'`. Don't forget to remove write permissions from `.bash_profile` though. – shiftas Apr 23 '20 at 07:22
  • These are some examples for what I wrote: "you need additional means to really restrict the environment". If you use `alias cat='./checkforabsolutepaths.sh'` you have to prevent the user from using `command cat` to call the command instead of the alias. – Bodo Apr 23 '20 at 09:53
  • Also bypassed by specifying the command to run in the SSH invocation: `ssh host cat ../somefile` or even better: `ssh host bash`. As @Bodo said: "you need additional means to *really* restrict the environment." – xOneca Mar 26 '21 at 08:54