How do I restrict a user to a specific folder on CentOS 6?

I need to create users so that developers can log in and clone/pull/push changes to repositories from a GitHub-like platform.

I have successfully added a user to this CentOS machine (as root); /etc/passwd now has this line:

chris:x:32008:32010::/home/chris/public_html:/bin/bash

and /etc/shadow has the following:

chris:$1$ruUeLtTu$onAY2hdu1J.UmHajEIlmR.:15385:0:99999:7:::

I am able to connect to the server over SSH and I have permission to create folders, which I think should be enough. But I can see other files and folders outside public_html.

How can I actually restrict the user to a specific directory so that he cannot "cd out" of his folder?

Update:

root@echo [~]# ls -ld /home/moove
drwx--x--x 21 moove moove 4096 Mar 22 16:16 /home/moove/
root@echo [~]# ls -ld /home/moove/public_html
drwxr-x--- 11 moove nobody 4096 Mar 27 11:29 /home/moove/public_html/
root@echo [~]# ls -ld /home/moove/public_html/dev
drwxr-x--- 12 moove nobody 4096 Mar 27 14:47 /home/moove/public_html/dev/
root@echo [~]# ls -ld /home/moove/public_html/dev/arsenal
drwxr-xr-x 3 arsenal moove 4096 Mar 27 14:53 /home/moove/public_html/dev/arsenal/

Answer 1

You can chroot them, but that leads to complications and extra setup.

If you don't need a full chroot, you can try the restricted shell feature of bash:

RESTRICTED SHELL
       If bash is started with the name rbash, or the -r option is supplied at invocation,
       the shell becomes restricted. A restricted shell is used to set up an environment
       more controlled than the standard shell. It behaves identically to bash with the
       exception that the following are disallowed or not performed:

       ·      changing directories with cd
       ·      setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
       ·      specifying command names containing /
       ·      specifying a file name containing a / as an argument to the .  builtin command
       ·      Specifying a filename containing a slash as an argument to the -p option to the  hash
              builtin command
       ·      importing function definitions from the shell environment at startup
       ·      parsing the value of SHELLOPTS from the shell environment at startup
       ·      redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
       ·      using the exec builtin command to replace the shell with another command
       ·      adding  or deleting builtin commands with the -f and -d options to the enable builtin
              command
       ·      Using the enable builtin command to enable disabled shell builtins
       ·      specifying the -p option to the command builtin command
       ·      turning off restricted mode with set +r or set +o restricted.

       These restrictions are enforced after any startup files are read.

To set this up, create a link from /bin/rbash to /bin/bash (CentOS does not ship this link by default):

ln /bin/bash /bin/rbash

then change /etc/passwd so that the user's shell is /bin/rbash.
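An added example (my script, not part of the original answer) that exercises the restrictions quoted above with `bash --restricted`, the same mode bash enters when invoked as rbash, so /bin/rbash does not need to exist to run it. It also shows the caveat a practitioner needs to know: rbash refuses `cd`, a `/` in command names and output redirection, but it happily runs anything reachable through PATH, and the restrictions only apply after the startup files have been read. Unless PATH is pinned to a directory holding only the permitted commands, a `bash`, `vi` or `python` found in /bin is a one-line escape. The directory layout, the list of allowed commands and the use of `env -i` to start from an empty environment are assumptions for the demo; it runs as an ordinary user.

```shell
#!/bin/bash
# Added example: probes bash's restricted mode and the PATH-pinning caveat.
# Not from the original answer; directory names and the allowed-command list
# are assumptions. Runs as an unprivileged user; /bin/rbash is not required
# because `bash --restricted` is the same thing.

BASH_BIN=$(command -v bash)
OPEN_PATH="$(dirname "$BASH_BIN"):/usr/bin:/bin"   # a PATH that still reaches bash

# Build a private bin directory with symlinks to the only commands the user
# may run. In a real deployment this is e.g. /home/chris/bin, owned by root,
# and a root-owned, non-writable ~/.bash_profile sets PATH=$HOME/bin (startup
# files are read before the restrictions apply, and rbash forbids changing
# PATH afterwards). Prints the directory path.
setup_restricted_bin() {
    local dir cmd target
    dir=$(mktemp -d) || return 1
    for cmd in ls pwd git git-upload-pack git-receive-pack; do
        target=$(command -v "$cmd" 2>/dev/null) || continue   # skip what is not installed
        ln -s "$target" "$dir/$cmd"
    done
    printf '%s\n' "$dir"
}

# Run one command line in a restricted bash with the given PATH and an
# otherwise empty environment. Returns the restricted shell's exit status.
run_restricted() {
    env -i PATH="$1" HOME="${HOME:-/}" \
        "$BASH_BIN" --restricted --noprofile --norc -c "$2" >/dev/null 2>&1
}

# True when the restricted shell refused, or could not find, the command line.
is_blocked() {
    ! run_restricted "$1" "$2"
}

# Print one line per check: ok/FAIL, what happened, and a description.
expect() {   # expect allowed|blocked PATH 'command line' description
    local want=$1 got=allowed mark
    run_restricted "$2" "$3" || got=blocked
    [ "$want" = "$got" ] && mark=ok || mark=FAIL
    printf '%-4s %-7s %s\n' "$mark" "$got" "$4"
}

demo() {
    local rbin
    rbin=$(setup_restricted_bin)
    expect blocked "$rbin"      'cd /'               'cd is refused'
    expect blocked "$rbin"      '/bin/ls'            'a / in the command name is refused'
    expect blocked "$rbin"      'echo x > /dev/null' 'output redirection is refused'
    expect allowed "$rbin"      'ls /'               'a linked command runs (a / in an argument is fine)'
    expect blocked "$rbin"      'bash -c "cd /"'     'bash is not in the private bin dir, escape fails'
    expect allowed "$OPEN_PATH" 'bash -c "cd /"'     'PATH still reaches /bin: plain bash escapes rbash'
    rm -rf "$rbin"
}

demo
```

The last two lines of the demo are the point: the link-and-chsh setup alone leaves the developer one `bash` away from an unrestricted shell, so the private bin directory and the root-owned profile that sets PATH to it are part of the setup, not an option. The git-upload-pack and git-receive-pack links are what keep git over SSH working for the use case in the question, because the server side of a clone/pull/push is started as `rbash -c "git-upload-pack '<repo path>'"`: the command is looked up by name through PATH and the repository path is only an argument, which restricted mode allows.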
