How to restrict user to a particular directory?

Hi,

I want to restrict some user's access to only 1 directory (including all sub-directories/files in it).
Can you please explain how we can do this?

Example:

Filesystem    GB blocks      Used      Free %Used Mounted on
/dev/hd4           2.61      1.02      1.59   40% /
/dev/hd2           9.45      4.71      4.74   50% /usr
/dev/hd9var        2.42      0.57      1.85   24% /var
/dev/hd3           5.00      0.00      5.00    1% /tmp
/dev/hd1           0.72      0.02      0.70    3% /home
/dev/hd11admin      0.12      0.00      0.12    1% /admin
/proc                 -         -         -    -  /proc
/dev/hd10opt       3.05      0.36      2.69   12% /opt
/dev/newlv1         0.72      0.02      0.70    3% /abc1
 

If I create a user (aixuser1) on AIX, they should be able to see everything along with /abc1.

I want aixuser1 to see only the "/abc1" directory. And they should not access other directories except /tmp & /abc1.

How about chroot?

Per this thread AIX chroot is meant for FTP and SFTP users....
https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014933869

So IBM AIX is different from what I've worked with. Maybe rsh is the AIX answer. I'm not sure. Anyway we need an answer from the AIX guys.

Thanks for your replies Corona688 & Jim.

The manual page for chroot says "The chroot command can be used only by a user operating with root user authority".

In my case, I am not providing root authority to user "aixuser1". This is a normal user.

id aixuser1
uid=205(aixuser1) gid=1(staff)

And I used rsh a long time ago. I think rsh will allow users to run a few commands which we specify.

But my requirement is that aixuser1 should be able to log in as normal. And this user should be able to run all normal user commands on the /abc1 directory.

The user should not access any other content.

Please suggest.

It requires root to set up a chroot jail. Not to be the user trapped in one. If it was not AIX I would suggest chroot.

A chroot jail is:

  1. user is limited to the commands you provide
  2. user is trapped in his/her directory.

chroot comes from the fact that the root directory for a normal user is the / directory. chroot means to change the root directory, such that /home/joe becomes joe's / directory. He can only go down that directory tree to subdirectories.

The reason I am not taking a solid position is that AIX has some 'interesting' features that other UNIX flavors do not have. So for all I know that post I cited is correct. For Solaris, for Linux, and for HPUX the answer is chroot jail. Since none of the AIX guys have answered:

This is for a login account to a chroot jail using openssh.

The Best Linux Tutorials: Openssh with AIX chroot

Thank you Jim, I will check this article/post.

Good day. If this user is going to be connecting remotely by say ssh, then you can use the "chroot" functionality of openssh itself. You won't have to go through the whole configuration of setting up a 'chroot environment' as openssh will take care of that for you.

Take a look at your /etc/ssh/sshd_config file. You'll see the example section at the end of the file dealing with chroots.
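
A pre-flight check for the OpenSSH chroot approach suggested above, as an added example that is not part of the original posts: sshd refuses to chroot unless every directory on the path is root-owned and not group/other-writable, and this script verifies that. The Match stanza in the comments (user aixuser1, directory /abc1) and the script name are assumptions taken from the question, not a tested AIX configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed sshd_config stanza that this
# check supports:
#
#   Match User aixuser1
#       ChrootDirectory /abc1
#
# An interactive login also needs a shell and its supporting files inside
# the chroot; this script checks ownership and mode only.

# chroot_dir_ok DIR [UID]: DIR is a directory owned by UID (default 0) with
# no group/other write bit. Symlinks are flagged for manual review.
chroot_dir_ok() {
    dir=$1 want_uid=${2:-0}
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "$dir: not a real directory" >&2; return 1
    fi
    # ls -ldn prints the numeric owner, so no passwd lookup is needed.
    info=$(ls -ldn "$dir" | awk '{print $1 " " $3}')
    mode=${info% *} uid=${info#* }
    case $mode in
        ?????w*|????????w*)
            echo "$dir: writable by group or others ($mode)" >&2; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] && return 0
    echo "$dir: owner uid $uid, expected $want_uid" >&2; return 1
}

# chroot_path_ok PATH [UID]: apply chroot_dir_ok to / and to every component
# of the absolute PATH, the same walk sshd performs before chroot().
chroot_path_ok() {
    path=$1 walk_uid=${2:-0}
    case $path in
        /*) ;;
        *) echo "$path: must be an absolute path" >&2; return 1 ;;
    esac
    chroot_dir_ok / "$walk_uid" || return 1
    rest=${path#/} cur=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue
        cur=$cur/$part
        chroot_dir_ok "$cur" "$walk_uid" || return 1
    done
}

if [ $# -gt 0 ]; then chroot_path_ok "$@"; fi  # e.g. sh check_chroot.sh /abc1
```

Because the chroot directory itself must not be writable by the user, give aixuser1 a writable subdirectory inside /abc1 rather than ownership of /abc1.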

Thank you smurphy_it. Sure, I will check this. Thank you.