Posso criar um usuário SSH que possa acessar apenas determinados diretórios?

44

Eu tenho um servidor privado virtual ao qual eu posso conectar usando o SSH com minha conta root, sendo capaz de executar qualquer comando do Linux e acessar toda a área do disco, obviamente.

Eu gostaria de criar outra conta de usuário, que seria capaz de acessar este servidor usando SSH também, mas apenas para um determinado diretório, por exemplo /var/www/example.com/

Por exemplo, imagine que esse usuário tenha um arquivo error.log (500 MB) localizado em /var/www/example.com/logs/error.log Ao acessar este arquivo usando FTP, este usuário precisa baixar 500 MB para visualizar as últimas linhas do log, mas gostaria que ele fosse capaz de executar algo assim:

tail error.log

Portanto, preciso que ele acesse o servidor usando SSH, mas não desejo conceder acesso a todas as áreas do servidor.

Como posso fazer isso?

    
por Richard Rodriguez 19.06.2011 / 00:06

2 respostas

29

chroot o usuário.

Atualização:

Os Artigo da TechRepublic por Vincent Danen diz:

With the release of OpenSSH 4.9p1, you no longer have to rely on third-party hacks or complicated chroot setups to confine users to their home directories or give them access to SFTP services.

edit /etc/ssh/sshd_config (/etc/sshd_config on some distributions) and set the following options:

Subsystem     sftp   internal-sftp
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Ensure the “Match” directive is at the end of the file. This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command

For any users that you wish to chroot, add them to the sftp group by using:

# usermod -G sftp joe
# usermod -s /bin/false joe
# chown root:root /home/joe
# chmod 0755 /home/joe

The usermod command above will add user joe to the sftp group and set their shell to /bin/false so they absolutely cannot ever get shell access. The chown and chmod commands will set the required permissions for the directory. With these permissions set, the user will be allowed to upload and download files, but cannot create directories or files in the root directory

Chrooting shell accounts is a little more complicated as it requires that certain device files and a shell be available in the user’s home directory. The following commands will set up a very basic chroot system on Mandriva Linux:

# mkdir /chroot
# cd /chroot
# mkdir {bin,dev,lib}
# cp -p /bin/bash bin/
# cp -p /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libtermcap.so.2} lib/
# mknod dev/null c 1 3
# mknod dev/zero c 1 5
# chmod 0666 dev/{null,zero}
# mkdir -p /chroot/home/joe

With the above, user joe can ssh in and will be restricted to the chroot. Unfortunately, this doesn’t do much, but it gives you an idea of how it can be set up. Depending on what you want to provide, you will need to install additional libraries and binaries.

O Site da Comunidade Ubuntu diz

Creating a chroot

  1. Install the dchroot and debootstrap packages.

  2. As an administrator (i.e. using sudo), create a new directory for the chroot. In this procedure, the directory /var/chroot will be used. To do this, type sudo mkdir /var/chroot into a command line.

  3. As an administrator, open /etc/schroot/schroot.conf in a text editor. Type cd /etc/schroot, followed by gksu gedit schroot.conf. This will allow you to edit the file.

  4. Add the following lines into schroot.conf and then save and close the file. Replace your_username with your username.

    [lucid] description=Ubuntu Lucid location=/var/chroot priority=3 users=your_username groups=sbuild root-groups=root

Open a terminal and type:

sudo debootstrap --variant=buildd --arch i386 lucid /var/chroot/ \ 
http://mirror.url.com/ubuntu/

This will create a basic 'installation' of Ubuntu 10.04 (Lucid Lynx) in the chroot. It may take a while for the packages to be downloaded. Note: You can replace lucid with the Ubuntu version of your choice. Note: You must change the above mirror.url.com with the URL of a valid archive mirror local to you. A basic chroot should now have been created. Type sudo chroot /var/chroot to change to a root shell inside the chroot.

Setting-up the chroot

There are some basic steps you can take to set-up the chroot, providing facilities such as DNS resolution and access to /proc.

Note: Type these commands in a shell which is outside the chroot.

Type the following to mount the /proc filesystem in the chroot (required for managing processes):

sudo mount -o bind /proc /var/chroot/proc  

Type the following to allow DNS resolution from within the chroot (required for Internet access):

sudo cp /etc/resolv.conf /var/chroot/etc/resolv.conf 

Very few packages are installed by default in a chroot (even sudo isn't installed). Use apt-get install package_name to install packages.

    
por 19.06.2011 / 00:11
16

Sua melhor aposta, IMHO, é configurar uma cadeia chroot ssh, ou seja, um ambiente bash mínimo no /var/www/example.com/ dir. Para fazer isso, você pode seguir:

por 19.06.2011 / 00:14