purloi
Posts: 23
Joined: Thu Nov 13, 2014 8:27 pm

restrict user account

Tue Dec 16, 2014 9:37 pm

I'm still learning Linux (Raspbian). I'm used to dealing with Windows accounts and permissions, so perhaps I am making this much harder than it needs to be.

I want to create accounts for sftp that will not be able to browse, read, and download nearly the entire file system. A newly created account seems to have access to do nearly anything by default! I was very surprised to see Linux is set up this way by default.

Is there a simple command or set of commands I can type in, so specific users only have access to their home folders? This way I can create accounts, give them to users, and they can't see the other users home folders, or all my python scripts that act on the files they upload?

Thank you in advance. Thus far I am loving learning Linux and Python using this tiny little Raspberry Pi!

beta-tester
Posts: 1385
Joined: Fri Jan 04, 2013 1:57 pm
Location: de_DE

Re: restrict user account

Tue Dec 16, 2014 9:57 pm

That is normal: a newly created user can browse into many folders.
Some of them need to be accessible so that programs can be executed.
Some folders can be browsed by the user, but the user is not able to open the files themselves.

You can remove some group memberships to reduce access privileges...
The nobody group membership is the lowest and is equal to a guest.
{ I only give negative feedback }
RPi B (256MB), B (512MB), B+, ZeroW; 2B; 3B, 3B+; 4B (4GB)

purloi
Posts: 23
Joined: Thu Nov 13, 2014 8:27 pm

Re: restrict user account

Tue Dec 16, 2014 10:24 pm

beta-tester wrote: That is normal: a newly created user can browse into many folders.
Some of them need to be accessible so that programs can be executed.
Some folders can be browsed by the user, but the user is not able to open the files themselves.

You can remove some group memberships to reduce access privileges...
The nobody group membership is the lowest and is equal to a guest.
I tried to follow your advice and add Bob to the nobody group. I tried:

sudo useradd -G nobody Bob
useradd: group 'nobody' does not exist
That did not work. If I can happen to somehow get Bob added to the nobody group, will I also have to remove him from some other group that is allowing him access to all files?

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: restrict user account

Tue Dec 16, 2014 10:39 pm

I think that master beta tester gave you some bad advice. Basically, groups have little to do with it.

The short answer to your original question is that yes, your perception is right. Unix/Linux has always had a default policy of "let them do/see most everything", whereas things like Windows/Netware have had a default of "let them do nothing". This comes from Unix's roots as a research OS rather than a production OS. (Yes, I know this isn't strictly true, but it is close enough for my purposes.) This is not to say that it can't be done, but it is tricky, and probably beyond the scope of a help forum.

I think the only safe way to do this (and, in fact, the way it is done by at least some "security oriented" FTP (and other) servers) is to use the "chroot" and "jail" concepts, which put a user in, essentially, a private virtual machine.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)
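As an added illustration of the chroot approach Joe describes (this is not code from any poster in the thread), the following shell functions print the OpenSSH sshd_config Match block that confines a group of SFTP-only users to their home directories, and check the ownership rule sshd enforces on the chroot target. The group name "sftponly" is an assumed name.

```sh
#!/bin/sh
# Added example: confining SFTP users with OpenSSH's ChrootDirectory.
# The group name "sftponly" is assumed; create it with:
#   sudo groupadd sftponly && sudo usermod -a -G sftponly bob

# Print the Match block to append to /etc/ssh/sshd_config.
# %h expands to the user's home directory. internal-sftp runs the SFTP
# subsystem inside sshd, so no shell or binaries are needed in the chroot.
sftp_match_block() {
    group="${1:-sftponly}"
    cat <<EOF
Match Group $group
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses to chroot unless the target directory is owned by root and
# is not writable by group or others (log message: "bad ownership or modes
# for chroot directory"). Returns 0 when a single directory satisfies that.
# -perm /022 matches if ANY group/other write bit is set; we require none.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -user root ! -perm /022 2>/dev/null)" ]
}

# The rule applies to every component of the path, so walk up to "/".
chroot_path_ok() {
    p="$1"
    while :; do
        chroot_dir_ok "$p" || { echo "bad ownership or modes: $p" >&2; return 1; }
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Typical setup for user "bob" (home must be root-owned, so give the user
# a writable subdirectory for uploads):
#   sudo chown root:root /home/bob && sudo chmod 755 /home/bob
#   sudo mkdir /home/bob/upload && sudo chown bob:sftponly /home/bob/upload
#   sftp_match_block sftponly | sudo tee -a /etc/ssh/sshd_config
#   chroot_path_ok /home/bob && sudo systemctl restart ssh
```

Because the home directory itself is root-owned, the user can read and list it but can only write inside the subdirectory you hand over to them.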

purloi
Posts: 23
Joined: Thu Nov 13, 2014 8:27 pm

Re: restrict user account

Tue Dec 16, 2014 10:48 pm

Thanks Joe!

This is probably why others seem to add a program for multiple users to sftp? I thought that was silly since sftp was already running on Raspbian by default. My first thought was just add users. Now I know better. I have learned much today!

Thank you all!
