3

I am trying to figure out a solution for this:

I have a user which I created using the useradd command. I want to allow this user to do whatever he wants in a special location, say /var/www/. He might need to upload or download a file, extract a zipped folder, list the files and folders, change permissions etc.

He should be restricted from doing anything else, like creating another user/group, using sudo, installing/uninstalling anything or even accessing other folders or any other. Is it possible to achieve this? Can someone please help me at the earliest?

FYI: OS: Linux, any flavor; Platform: AWS

serverstackqns

2 Answers

0

Users created with useradd do not have sudo access by default, and cannot install packages, add users etc... Only root can do that (via sudo or directly from a shell or script).

Give the user theuser a home dir, (several ways to do that, use a command for instance [look near the bottom]).

And set accesses

Eg in /home/theuser (sudo, or become root first)

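sudo mkdir /home/theuser
# the directory was just created by root: hand it to the user,
# otherwise mode 700 locks the user out of their own home
sudo chown theuser: /home/theuser
sudo chmod 700 /home/theuser
# next create / move user home dir to /home/theuser
sudo usermod -m -d /home/theuser theuser
# give a password to the user
sudo passwd theuser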

And the user will log in to /home/theuser and can do whatever he wants there: create and delete files and directories, upload files (assuming he is allowed to use ssh to upload files via rsync, for instance).

The last point from your question: "even accessing other folders". Provided that other home dirs are - usually - only accessible by their owners (access like drwx------ or 0700), do you really want the user not to be able to see the system files etc...?

In this case, you have to jail the user to their home dir, see this document on AskUbuntu, actually not specific to Ubuntu.

The reason I was asking about the file system, is because you could also use the ACL (Access Control Lists) to set a specific access to a given user at any level of the file system(s). E.g. preventing the user from visiting some particular areas of the system. More information on ACLs

Déjà vu
  • There is a little problem with jailing or chroot - you have to provide access to some files like bash, mv, cp, ls etc., so you have to copy them. Chroot for an interactive user is not a good way. – Ondra Sniper Flidr Dec 14 '15 at 17:44
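Added example (not part of the answer or comment above): the answer relies on other home directories being owner-only (drwx------), so this shell check lists first-level directories under a base such as /home that grant any permission to group or others, and can tighten them. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.

# loose_dirs BASE: print first-level directories under BASE whose mode grants
# any permission to group or others (anything looser than drwx------).
loose_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# tighten_dirs BASE: strip group/other bits from every directory reported above.
# Assumes paths without embedded newlines.
tighten_dirs() {
    loose_dirs "$1" | while IFS= read -r d; do
        chmod go-rwx "$d"
    done
}

# make_demo_tree: build a constructed stand-in for /home and print its path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/alice" "$t/bob" "$t/carol"
    chmod 700 "$t/alice"   # owner only: what the answer assumes
    chmod 755 "$t/bob"     # world-readable and traversable
    chmod 750 "$t/carol"   # readable by the owning group
    printf '%s\n' "$t"
}

# Demo on the constructed tree; point loose_dirs at /home on a real host.
demo=$(make_demo_tree)
echo "before:"; loose_dirs "$demo"
tighten_dirs "$demo"
echo "after:";  loose_dirs "$demo"
rm -rf "$demo"
```

Run tighten_dirs as root on a real host, and review the loose_dirs output first, since some service accounts need group access to their directories.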
0

You could put the user in a cgroup and a chroot. If you want SSH to be used as well, you could take a look at Jailkit which allows you to jail ssh users. In practice, a cgroup plus strict permissions on your server should be enough.

John Keates