0
How To Let Certain Unix-User To Access Only One Directory, e.g.
I want to let the following username dimension to access the following directory only /var/opt/test/reports/*
How i can make that via Unix ?
0
How To Let Certain Unix-User To Access Only One Directory, e.g.
I want to let the following username dimension to access the following directory only /var/opt/test/reports/*
How i can make that via Unix ?
2
The simplest way to do that is use negative ACL, i.e., explicitly forbidding user (call him user_no) from using any directory, except the one you mentioned.
After installing ACL, the following command
setfacl -m user:user_no:0 /home/my_home
will prevent him access to your home. You must remember to block explicitly every place from you wish to bar him, but you must remember to allow use of some directorie s (/usr, /bin..) otherwise you will bar him also from using regular Unix commands.
You should also allow him use of his home directory (I do no think an account can work with that at all), and the directory you mentioned above.
Alternatively, you can chroot the account. This can be done in two ways: in the first, you only allow ssh access, in the second you chroot the shell account. The second method is more complicated, and I never tried it, so I can offer no guidance. You can Google chroot shell account. The first method is simple, just modify the file /etc/ssh/sshd_config introducing these lines at the very bottom:
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
This binds the user to his home directory (%h above) and ensures that he has access to internal-sftp help. Also, add the user_no to the sftp group as follows:
# usermod -G sftp user_no
# usermod -s /bin/false user_no
# chown root:root /home/user_no
# chmod 0755 /home/user_no
The important command is the second one: it makes sure the user will never get shell access.
Lastly, create a symbolic link, in the user home directory, to the directory to which you wish to allow him access:
# cd /home/user_no
# ln -s /var/opt/test/reports work
This creates a subdirectory to which he has access, but cannot create any file, only work on the existing ones. If you want to allow him to create files, you will have to change the permissions on /var/opt/test/reports.
Thanks for the feedback..
Actually i want the user called dimen to access the Unix machine to execute/run specific script only.
I have tried the following,
setfacl -m user:dimen:0 /var/opt/MobileCom/STP_REPORTS/Auto/
But Finally, the user dimen still able to access all directories :(
What i have to do so ? – ala.alzyadat – 2014-02-10T13:53:42.260