
Using Ubuntu server, I need to create some user accounts that have the following limitations:

(1) User may only view and manipulate files in their home directory.

(2) User may only execute commands related to rsync and sftp.

I want users to be able to backup files using rsync, and I want them to be able retrieve files using an sftp client like FileZilla.

Other than this, I don't want users to be able to view other files on the system, or execute any commands that might mess with the system.

I'm more of an Ubuntu Desktop user, and have very little experience administering a linux server. Most tutorials I've found assume I know things that I don't know. So I'm having difficulty setting this up.

LonnieBest

2 Answers


Everything the user does requires access to large portions of the filesystem. To prove this to yourself, run the following command:

strace -e trace=file /bin/ls $HOME

You'll see that listing the contents of your own home directory requires opening and reading at least 40 other files scattered around your system. Other commands, like sftp and such require far broader access.

Unix systems are designed around the concept of users having read-only access to the majority of the OS. With careful permissions and groups, you can easily prohibit them from seeing the contents of each other's directories. With pam_apparmor you would be able to restrict what applications they can run.

EDIT: I just re-read your requirements. It doesn't sound like you need them to be able to log in to a fully interactive shell. If this is the case, there are two ways you could proceed:

  1. aptitude install scponly. Then set the user's shell to be 'scponly'. Don't let its name fool you; it works with sftp as well. If you want to lock them down even more, look at the documentation in /usr/local/share/doc/scponly concerning setting up a per-user "chroot".
  2. If you need to allow access to more commands than just sftp/scp (like rsync) then you'll need to roll your own command validator and set up an ssh "forced command". Add a block that looks like this to your /etc/ssh/sshd_config:

    Match group sftponly
        ForceCommand /usr/local/bin/validate_sftp
    

    Then write the /usr/local/bin/validate_sftp script. Something similar to this:

    #!/bin/bash
    # sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
    # A real rsync request looks like "rsync --server <options> . <path>",
    # so match on that prefix rather than on the exact string.
    if [[ $SSH_ORIGINAL_COMMAND = "rsync --server "* ]]
    then
        exec $SSH_ORIGINAL_COMMAND
    elif [[ $SSH_ORIGINAL_COMMAND = "/usr/lib/openssh/sftp-server" ]]
    then
        exec $SSH_ORIGINAL_COMMAND
    else
        echo "You are only allowed rsync or sftp access to this server." >&2
        exit 1
    fi


    Add the user(s) to the "sftponly" group (you'll have to add the group, of course) and they will be restricted to the commands allowed by your script.

Dennis Williamson
Insyte
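To also cover requirement (1) from the question, here is a stricter version of the forced-command validator idea above, written as an added example rather than the answer's own script. It assumes the same sftponly Match block and sftp-server path as the answer, and that sshd starts the forced command in the user's home directory, so it rejects any rsync path that leaves $HOME and any command that is not rsync --server or the sftp-server.

```shell
#!/bin/bash
# Added example, not the answer's own script: a validate_sftp that also keeps
# rsync inside the caller's home directory. Assumed to be installed as the
# ForceCommand for the sftponly group; sshd hands over the client's requested
# command in SSH_ORIGINAL_COMMAND.
set -f   # no glob expansion when we word-split the client's command

SFTP_SERVER=/usr/lib/openssh/sftp-server   # same path as the answer uses

# Return 0 if a path stays inside $HOME. "." is accepted because sshd runs the
# forced command with the user's home as working directory, and rsync --server
# always passes "." as a placeholder argument.
path_in_home() {
    [ -n "$HOME" ] || return 1
    case $1 in
        *..*) return 1 ;;                    # coarse, but blocks parent escapes
        .|./*|"$HOME"|"$HOME"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the requested command line is one we are willing to exec.
allowed_command() {
    set -- $1                                # split exactly as exec would
    [ $# -eq 1 ] && [ "$1" = "$SFTP_SERVER" ] && return 0
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    for arg in "$@"; do
        case $arg in
            --*=/*|--*=.*) path_in_home "${arg#*=}" || return 1 ;;  # e.g. --log-file=/etc/x
            -*) ;;                           # other option flags stay harmless here
            *) path_in_home "$arg" || return 1 ;;   # source/destination paths
        esac
    done
    return 0
}

# Act as the forced command only when sshd actually supplied a request, so the
# functions above can also be sourced and exercised on their own.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t validate_sftp "allow ${USER:-?}: $SSH_ORIGINAL_COMMAND"
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"                            # no shell in between, so no ; or $( )
    fi
    logger -t validate_sftp "reject ${USER:-?}: $SSH_ORIGINAL_COMMAND"
    echo "You are only allowed rsync or sftp access to this server." >&2
    exit 1
fi
```

Rejections are logged via syslog, which gives you a simple signal for spotting accounts that try to run anything other than a backup.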

I don't know if this could fit your requirements, but since you say this should be a server machine, it may be worth thinking about tackling the problem from a different side:

  • Maybe the users don't need a unix account on the system.
  • Could a similar thing be achieved by setting up e.g. an sftp server (or something similar, e.g. WebDAV) on that system? And the system provides an automated backup solution? (If you want, you can even provide auto versioning with Subversion + WebDAV.)

... Just an idea, because there's always a certain security risk involved (and it requires managing user and file permissions) when giving users a system account - at least as long as you don't set up a virtual server for everyone.

Chris Lercher
  • Chris, I'm not sure. I do know that the users need to be able to run rsync commands from the command-line. Does that rule out the option you're providing? They also need the ability to use FileZilla to access their files via sftp. – LonnieBest Mar 20 '10 at 22:06
  • Definitely not every problem can be solved this way. But the question I'd ask is: Do they have to do these things from the server, or can they use their client computer to do similar things like these? Does it cover your use cases, if they run FileZilla on the client, and upload their files to your server (where you'd provide sftp accounts instead of unix accounts). If they really have to run rsync *between* the server and other servers, it may be a different story, but maybe you can find a solution for that? – Chris Lercher Mar 20 '10 at 22:35
  • The basic problem is that there are often ways to break out of the sandbox once someone gets a system account. I personally find that it's too dangerous. – Chris Lercher Mar 20 '10 at 22:37