0

My current cyrus user in /etc/passwd looks like this:

cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/sbin/nologin

I want to be able to give it shell access but restrict it to /var/lib/imap and /var/spool/imap. How do I enable the shell to allow this using usermod? And once this is done, will the cyrus user be able to ssh into the server or should I make changes in sshd_config?

Purpose: Need to rsync mail for backup using cyrus user

rahuL

2 Answers

1

I would recommend that you use an ssh key, as I recommended here in the past. I'm in a bit of a rush, so I'll just lazily copy-paste my previous text and modify it for rsync purposes. :)

Using ssh keys does have one unique feature compared to password login: you can specify the allowed commands. This can be done by modifying the ~/.ssh/authorized_keys file on the server.

For example,

command="/usr/bin/rsync" ssh-rsa auiosfSAFfAFDFJL1234214DFAfDFa...

would allow only the command `/usr/bin/rsync` with that particular key.

You can also specify the allowed hosts for the key:

from="yourclient,yourotherclient" ssh-rsa auiosfSAFfAFDFJL1234214DFAfDFa...

Or combine the two:

from="yourcyrusserver",command="/usr/bin/rsync" ssh-rsa auiosfSAFfAFDFJL1234214DFAfDFa...

With keys you can also grant temporary access to some user (say, a consultant) to a server without revealing the password for that particular account. After the consultant has finished his/her job, the temporary key can be removed.

Janne Pikkarainen
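A forced command replaces whatever the client asked for (sshd passes the request in `SSH_ORIGINAL_COMMAND`), so confining an rsync pull to `/var/lib/imap` and `/var/spool/imap` takes a wrapper that inspects that variable. The script below is an added example, not part of the answer above; the wrapper path `/usr/local/bin/rsync-backup-only` is hypothetical, and it assumes the client only pulls and sends short option bundles.

```shell
#!/bin/sh
# Forced-command wrapper; install path /usr/local/bin/rsync-backup-only is an assumption.
# authorized_keys entry (key elided as on the page):
#   from="yourclient",command="/usr/local/bin/rsync-backup-only",no-pty,no-port-forwarding ssh-rsa ...

ALLOWED_ROOTS="/var/lib/imap /var/spool/imap"

# Return 0 only for "rsync --server --sender [short opts] . PATH..." with
# every PATH under an allowed root; return 1 for anything else.
check_rsync_command() {
    # Whitelist characters: no shell metacharacters or globs can get through,
    # so the unquoted word-splitting below is safe.
    case $1 in
        *[!A-Za-z0-9_./\ -]*) return 1 ;;
    esac
    set -- $1
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    # Accept short option bundles only; long options such as
    # --remove-source-files are refused.
    while [ "$#" -gt 0 ] && [ "$1" != . ]; do
        case $1 in
            --*) return 1 ;;
            -?*) shift ;;
            *)   return 1 ;;
        esac
    done
    [ "$#" -ge 2 ] || return 1      # "." plus at least one path
    shift
    for p in "$@"; do
        case $p in */..|*/../*) return 1 ;; esac
        ok=1
        for root in $ALLOWED_ROOTS; do
            case $p in "$root"|"$root"/*) ok=0 ;; esac
        done
        [ "$ok" -eq 0 ] || return 1
    done
    return 0
}

# Runs only when sshd invokes this file as the key's forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND; shift
        exec /usr/bin/rsync "$@"
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

sshd runs a forced command through the account's login shell, so the cyrus account needs a working shell rather than `/sbin/nologin` for the wrapper to start. rsync also ships a more complete script for the same purpose, `rrsync`.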
0

Try `usermod -s /bin/bash cyrus`. Then, check to see if the nologin has changed using `cat /etc/passwd`. Then try ssh-ing into the server. You should be able to log in to the home directory, which in your example is /var/lib/imap.

rahuL