How to lock user to one directory

I have built a few virtual hosts using nginx, but now I want some users to be able to modify them without being able to edit anything outside the host directory.


I have tried so many things but nothing is working!! This is where I am at the moment:

/etc/vsftpd.conf:

listen=YES
local_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome to mikes company sFTP service. Play nice!
chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Shell script to create a user:

#!/bin/bash
user=$1
group=$2
directory=$3
if [ -n "$directory" ]; then
    echo "You are creating an ftp user -> $user inside the group -> $group with privileges for the domain $directory"
else
    echo "ERROR!!!"
    echo "please enter the command followed by the user and then group and then domain (example.co.uk)"
    exit 1
fi

groupadd "$group"
# -G adds a supplementary group; the user's primary group is still assigned by useradd's defaults
useradd -G "$group" "$user"
sudo chown -vR :"$group" "/NAS/$directory/"
sudo chmod -vR g+w "/NAS/$directory/"
# let the web server group-write the vhost as well
sudo adduser www-data "$group"
sudo chown -R www-data:"$group" "/NAS/$directory/"

usermod --home "/NAS/$directory/" "$user"

passwd "$user"

But none of this is working. When I set up the user in Dreamweaver they can read, access and edit most files on the whole computer, which is not what I want!

What am I doing wrong?


/etc/group:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,max
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:max
floppy:x:25:
tape:x:26:
sudo:x:27:max
audio:x:29:pulse
dip:x:30:max
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:max
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
fuse:x:105:
messagebus:x:106:
ssl-cert:x:107:
lpadmin:x:108:max
scanner:x:109:saned
mlocate:x:110:
ssh:x:111:
utempter:x:112:
avahi-autoipd:x:113:
rtkit:x:114:
saned:x:115:
whoopsie:x:116:
avahi:x:117:
nopasswdlogin:x:119:
bluetooth:x:120:
colord:x:121:
pulse:x:122:
pulse-access:x:123:
max:x:1000:
sambashare:x:124:max
landscape:x:118:
maxy:x:1001:maxWeb,www-data
maxWeb:x:1002:
maxy2:x:1003:maxWeb2
maxWeb2:x:1004:
maxy3:x:1005:maxWeb3
maxWeb3:x:1006:
maxy4:x:1007:maxWeb4
maxWeb4:x:1008:
sftponly:x:1009:maxWeb7
ssh-users:x:1010:max
maxWeb7:x:1011:
maxWebb:x:1012:
sftp:x:1013:
ftpGroup:x:1014:maxwebb2,maxy1
maxwebb2:x:1015:
maxy1:x:1016:
ftp:x:125:
maximiliangroup:x:1017:maxymil
maxymil:x:1018:
maximilianmitchell.info:x:1019:maxwebsite,www-data
maxwebsite:x:1020:
maximilianweb:x:1021:www-data
maximilianweb2:x:1022:www-data
maximilianweb4:x:1023:www-data,maxwebsite4
maxwebsite5:x:1024:www-data

Logging in as new user:

$ su - maxwebsite5
Password: 
$ ls
public_html
$ cd /home
$ cd max
$ mkdir test
mkdir: cannot create directory ‘test’: Permission denied

When I log in using Dreamweaver and set the root directory as / I can see and edit most things, including the other virtual hosts' directories.

Whereas when I set the root directory as nothing, it takes me straight to /NAS/$directory/, which is kind of what I want!

But I really just want the user to think that their / directory is /NAS/$directory/.

Answer 1

Try to use

useradd -g $group $user

or

useradd -N -g $group $user

instead of

useradd -G $group $user

Here's why, from the Ubuntu manpage for useradd (create a new user or update default new user information):

-g, --gid GROUP The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group.

If not specified, the behavior of useradd will depend on the USERGROUPS_ENAB variable in /etc/login.defs. If this variable is set to yes (or -U/--user-group is specified on the command line), a group will be created for the user, with the same name as her loginname. If the variable is set to no (or -N/--no-user-group is specified on the command line), useradd will set the primary group of the new user to the value specified by the GROUP variable in /etc/default/useradd, or 100 by default.

-N, --no-user-group Do not create a group with the same name as the user, but add the user to the group specified by the -g option or by the GROUP variable in /etc/default/useradd.

The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in /etc/login.defs.

I believe that what happens is that any user created actually ends up belonging to two different groups: the default one created by omitting -g (which perhaps has read/write permissions on multiple directories) and the one specified by useradd -G $group $user.

Answer 2

Right, I have spent 3 or 4 days trying to sort this out. Here is a shell script to create a user:

#!/bin/bash
user=$1
directory=$2
if [ -n "$directory" ]; then
    echo "You are creating an ftp user -> $user with privileges for the domain $directory"
else
    echo "ERROR!!!"
    echo "please enter the command followed by the user and then domain (example.co.uk)"
    exit 1
fi

# the vhost directory becomes the home directory; rssh limits the login shell to scp/sftp
sudo useradd -d "/NAS/$directory" -m "$user" -s /usr/bin/rssh

sudo passwd "$user"

echo "added user"

sudo chgrp -R www-data "/NAS/$directory"

# accounts listed in /etc/ftpusers are refused plain FTP logins
echo "$user" | sudo tee -a /etc/ftpusers > /dev/null

echo "prevented ftp access for user"

# sshd only accepts a ChrootDirectory that is root-owned and not group/world writable (parents included)
sudo tee -a /etc/ssh/sshd_config > /dev/null <<EOF

Match User $user
        ChrootDirectory /NAS/$directory
        ForceCommand internal-sftp
        AllowTcpForwarding no
        GatewayPorts no
        X11Forwarding no
EOF

echo "edited /etc/ssh/sshd_config"

sudo service ssh restart

You also have to download the rssh package, edit /etc/rssh.conf and uncomment the allowsftp line.

Answer 3

If I understand the question correctly, you need to use local_root:

# vsftpd only substitutes $USER in local_root when user_sub_token is set
user_sub_token=$USER
local_root=/NAS/$USER/

and you will also need:

allow_writeable_chroot=YES

if you wish the user to be able to write to their root folder.

Or, if you wish to have more control, you will probably want to use virtual users and user config files.

If so, then try the following:

How to setup virtual users for vsftpd with access to a specific sub directory?
