I'm running a server, and I need to give read/write access to a particular directory to a single user. I've tried the following:
sudo adduser abcd
sudo groupadd abcdefg
chown -R .abcdefg /var/www/allowfolder
chmod -R g+rw /var/www/allowfolder
usermod -a -G comments abcd
The above seems to work, however it gives the user read-only access to the rest of the server.
How can I set up permissions so that the user can only read and write to a particular folder? The user should also be able to run programs like mysql.
Best Answer
Negative ACLs
You can prevent a user from accessing certain parts of the filesystem by setting access control lists. For example, to ensure that the user abcd cannot access any file under /home:
This approach is simple, but you must remember to block access to everything that you don't want abcd to be able to access.
Chroot
To get positive control over what abcd can see, set up a chroot, i.e. restrict the user to a subtree of the filesystem.
You need to make all the files that the user needs (e.g. mysql and all its dependencies, if you want the user to be able to run mysql) available under the chroot. Say the path to the chroot is /home/restricted/abcd; the mysql program needs to be available under /home/restricted/abcd. A symbolic link pointing outside the chroot is no good because symbolic link lookup is affected by the chroot jail. Under Linux, you can make good use of bind mounts:
You can also copy files (but then you'll need to take care that they're up to date).
To restrict the user to the chroot, add a ChrootDirectory directive to /etc/sshd_config.
You can test it with:
chroot --userspec=abcd /home/restricted/abcd/ /bin/bash
Security framework
You can also use security frameworks such as SELinux or AppArmor. In both cases, you need to write a fairly delicate configuration, to make sure you aren't leaving any holes.
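For the copy approach in the Chroot section above, here is an added example (not part of the original answer) that finds a program's shared libraries with ldd, copies them into the chroot tree, and later reports copies that have fallen out of date. The function names chroot_deps, populate_chroot and chroot_stale are hypothetical; the chroot path in the usage comment is the one from the answer.

```shell
#!/bin/sh
# Added example (not from the answer). Run ldd only on trusted binaries:
# on some systems it can execute code from the file it inspects.

# Print the absolute path of program $1 and of each shared library it loads.
chroot_deps() {
    bin=$(command -v "$1") || { echo "not found: $1" >&2; return 1; }
    printf '%s\n' "$bin"
    # ldd prints "name => /path (addr)" or "/path (addr)"; keep the first
    # absolute path on each line and skip entries without one (the vDSO).
    ldd "$bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        sort -u
}

# Copy program $2 and its libraries under chroot $1, keeping absolute paths,
# so /usr/bin/foo lands at $1/usr/bin/foo. cp -L copies link targets, because
# a symbolic link that points outside the chroot cannot be resolved inside it.
populate_chroot() {
    root=$1
    deps=$(chroot_deps "$2") || return 1
    while IFS= read -r f; do
        mkdir -p "$root$(dirname "$f")" && cp -L "$f" "$root$f" || return 1
    done <<EOF
$deps
EOF
}

# Print every file of program $2 that is missing under chroot $1 or differs
# from the system copy (for instance after a package upgrade).
chroot_stale() {
    root=$1
    deps=$(chroot_deps "$2") || return 1
    while IFS= read -r f; do
        cmp -s "$f" "$root$f" 2>/dev/null || printf '%s\n' "$f"
    done <<EOF
$deps
EOF
}

# Typical use, as root, with the chroot path from the answer:
#   populate_chroot /home/restricted/abcd mysql
#   chroot_stale    /home/restricted/abcd mysql
```

Empty output from chroot_stale means every copied file still matches the system copy; programs usually also need configuration and data files that ldd does not list.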