chroot

https://www.cyberciti.biz/faq/debian-ubuntu-restricting-ssh-user-session-to-a-directory-chrooted-jail/

Goal:
Allow users (fullstack, tom, jerry) to grab guestworkervisas data
Allow a user (guestworkervisas) to put guestworkervisas data
to/from /usr4/guestworkervisas/

To test:
sftp -P 2222 fullstack@a0
sftp -P 2222 guestworkervisas@a0
sftp -P 2222 tom@a0

To add a new user:

D=/home/jails
# Set U to the one user being added; only the last assignment below takes effect.
U=fullstack
U=tom
U=guestworkervisas

useradd $U
ls $D/home/$U/guestworkervisas
mkdir -p $D/home/$U/guestworkervisas
mount --bind /usr4/guestworkervisas $D/home/$U/guestworkervisas

# mount --bind /home/httpd/tom_web $D/home/tom/web
## update fstab file so that it can mount after server reboot ##
# echo "/home/httpd/tom_web/ $D/home/tom/web none bind"
# /source /destination none defaults,bind 0 0
# Use plain ASCII double quotes here: typographic quotes would be written literally into /etc/fstab.
echo "/usr4/guestworkervisas /home/jails/home/$U/guestworkervisas none bind" >> /etc/fstab

Warning: if you add, delete, or change a user or password in the /etc/passwd file, recopy the /etc/{passwd,group} files into the jail by running the following two commands:
D=/home/jails
cp -vf /etc/{passwd,group} $D/etc/

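Edit /etc/ssh/sshd_config and add the new user to the Match User line:
Match User tom,jerry,fullstack,guestworkervisas,NEWUSER
Then restart sshd (running sshd -t first checks the file for syntax errors, so a bad edit does not lock out SSH access):
systemctl restart ssh.service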

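/etc/passwd
(Note: fullstack and guestworkervisas each appear twice below with different UIDs/GIDs. Name lookups normally return the first matching line, so check which entry is actually in effect and that file ownership under /usr4/guestworkervisas matches it.)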
vmail:x:1013:1014::/home/vmail:/bin/sh
guestworkervisas:x:1014:1015::/usr4/guestworkervisas:/bin/sh
fullstack:x:1016:1015:David,,,:/home/fullstack:/bin/bash
tom:x:1017:1017:,,,:/home/tom:/bin/bash
jerry:x:1018:1018:,,,:/home/jerry:/bin/bash
fullstack:x:1019:1019:David,,,:/home/fullstack:/bin/bash
guestworkervisas:x:1020:1020::/usr4/guestworkervisas:/bin/sh

/etc/group
vmail:x:1014:
guestworkervisas:x:1015:
jail:x:1016:
tom:x:1017:
jerry:x:1018:
fullstack:x:1019:
guestworkervisas:x:1020:

sftp -P 2222 guestworkervisas@a0
sftp -P 2222 fullstack@a0

Old notes

groupadd jail
D=/home/jails

tom:x:1017:1016:,,,:/home/tom:/bin/bash
jerry:x:1018:1016:,,,:/home/jerry:/bin/bash

# mkdir $D/home/tom/web
# mount --bind /home/httpd/tom_web $D/home/tom/web
## update fstab file so that it can mount after server reboot ##
# echo "/home/httpd/tom_web/ $D/home/tom/web none bind" >> /etc/fstab

guestworkervisas:x:1015:
jail:x:1016:
tom:x:1017:
jerry:x:1018:

guestworkervisas:x:1014:1015::/usr4/guestworkervisas:/bin/sh
fullstack:x:1016:1015:David,,,:/home/fullstack:/bin/bash
tom:x:1017:1017:,,,:/home/tom:/bin/bash
jerry:x:1018:1018:,,,:/home/jerry:/bin/bash
