How to restrict server users to a specific directory in Linux
Need to lock down that Linux server so certain remote users can only access a specific directory, and only for file upload and download? Jack Wallen shows you how.
If you have a server with SSH access, then unless you have configured it otherwise, any user with an account on that system can log in and, if they have the permissions and the skill, wreak havoc on your server.
You don't want that.
What you can do is restrict those users with a chroot jail. By doing this you severely limit what those users can do on your system. In fact, any user who is confined to the chroot jail configured below can:
- Only access the server via sftp
- Only access a specific directory
This is a great security addition to your Linux servers, and if you have such a use case, consider it a must-do. It is especially important when you have a server that houses sensitive data and you don't want those users even viewing those files and folders.
This setup isn't all that complicated. In fact, configuring it takes less effort than deciding where you need it. But on those occasions when you do need to severely restrict what a user can access on your Linux servers, this is one sure-fire way of doing so.
What you'll need
To make this work, you'll need a running instance of Linux with the OpenSSH server installed and a user with sudo privileges. That's it. The paths and service name below are from Ubuntu/Debian; they differ slightly on RHEL-based distributions, as noted along the way. Let's make some security magic.
How to create a restricted group and add users on a Linux server
The first thing we must do is create a new group and add users to it. Create the group with:
sudo groupadd restricted
Next, add a user to the group with the command:
sudo usermod -aG restricted USERNAME
Where USERNAME is the user you want to add to the restricted group. The -aG flags append the group to the user's supplementary groups without replacing their primary group (usermod -g would change the primary group, and with it the group ownership of every file that user creates); sshd's Match Group rule matches primary and supplementary membership alike.
How to configure SSH
Open the SSH daemon configuration file with:
sudo nano /etc/ssh/sshd_config
Look for the line (near the bottom; on RHEL-based systems the path is /usr/libexec/openssh/sftp-server):
Subsystem sftp /usr/lib/openssh/sftp-server
Change that line to:
Subsystem sftp internal-sftp
At the bottom of the file (a Match block applies to every directive that follows it, so it must come after all global settings), add the following:
Match Group restricted
    ChrootDirectory /home/
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Two things to check before you continue. First, sshd refuses the login with "bad ownership or modes for chroot directory" unless the ChrootDirectory and every directory above it are owned by root and not writable by group or others; a stock /home (root:root, mode 0755) satisfies that, so don't loosen its permissions. Second, because the jail root is /home rather than each user's own home, members of the group can list the names of the other home directories under it and read whatever those directories' permissions allow; if that is not acceptable, jail each user in a root-owned directory of their own instead.
Save and close the file. Restart the SSH service (the unit is called ssh on Debian and Ubuntu; on RHEL-based systems it is sshd) with:
sudo systemctl restart ssh
Now, go to another machine and attempt to SSH into the server as one of those users, for example:
ssh olivia@192.168.1.147
You'll see the message:
This service allows sftp connections only. Connection to 192.168.1.147 closed.
For any user in the restricted group to log in to the server, they must use sftp like so:
sftp USERNAME@SERVER
Where USERNAME is the username and SERVER is the IP address or domain name of the server. Once they successfully log in, they'll be at the sftp prompt, where they can transfer files back and forth with the put and get commands. These restricted users can only upload files into their own home directories, because /home itself is owned by root and not writable by them. When a restricted user first logs in, they'll be in the /home directory, which is the root of the jail and therefore appears to them as /. So, to upload successfully, they have to change into their home directory with a command like:
cd olivia
Once in their home directory, they can then issue a command like:
put file1
As long as that file is in the current working directory on the machine they logged in from, it will upload just fine. If those users only need to download files to their local machine, they'd use a command like:
get file1
I realize this is a very limiting configuration with very narrow use cases, but at some point in your Linux admin career you're going to run into a situation where you need to confine users to a chroot jail. This is one way to do it.