How to change the root directory for a Linux user?
Solution 1
It sounds like you want to change the HOME dir, not the root dir. Root will always be / or /root.
usermod -d /path/to/new/homedir/ username
Solution 2
To be sure that " everything inaccessible " behind this home directory, i would use chroot, but after you cannot do anything if you don't prepare the chrooted directory, you don't have any binaries or libs available.
The configuration of FTP server can be useful for you : http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap29sec296.html
It is a full chroot settings set to restrict the ftp users to this chrooted directory.
Solution 3
I stand by this answer, and I don't care if I got a -1 over it. This isn't something Unix can do for you in any reasonable kind of way. You're asking for something that's practically impossible.
But there is sort of a way to get something like what you're asking for, kind of. Use a virtual machine. Set up an instance of the virtual machine for the user in question and only give them login rights on it, not the host OS.
Here is my original answer:
Just use permissions. That's what they're for. A user generally doesn't have access to write to anything other than /tmp and their home directory anyway. And they have to have read access to /bin/, /usr/bin, /usr/lib, and /lib or they aren't going to be able to do anything at all.
If you really want something more strict than permissions give you, then looking into setting up selinux so you can restrict them further.
Using chroot just isn't going to give you what you want. It's really complicated to set up, and there are ways of getting around it.
Solution 4
see the manual of useradd. You have to use the -d switch.
Solution 5
I think if you add
if grep "\\<${USER}\\>" /etc/jailbirds > /dev/null
then
echo I am not a crook
else
exec chroot $CWD
endif
to the end of your /etc/profile you might get what you are asking for, but it may have some side effects I'm not aware of (taking over the shell running /etc/profile might cause problems). In this case you would need to create a file /etc/jailbirds which was a list of the users you wanted to chroot for. You'll also need to make sure that this file exists and decide what to do in the case of errors accessing it to make sure that other users (especially root) don't get locked up by chroot
Additionally, doing this is going to be difficult. The user will be unable to access /proc which will make many shell utilities (such as ps, top, and many others) not work. The user will also not be able to access /dev/null, which will break lots of stuff.
The user will also not be able to access /dev/tty which will break less and more when used with standard input. The user's applications will inherit the stdin, stdout, and stderr open file descriptors from before the chroot, but less opens /dev/tty so that it can get keystrokes from the user to deal with having stdin redirected from a pipe.
You will also not be able to access any programs or shared libraries or many files that live under /etc (such as /etc/protocols ) that many programs use.
All of these are things you can work around, but you will end up needing to do a lot more work to make the users' environment usable than I think you have considered.
If you do try my suggestion I suggest you be very careful. It would be easy to get it wrong and mess things up bad. I have not tested this, by the way.
Related videos on Youtube
08 : 47
04 : 59
01 : 20
09 : 24
06 : 03
Dennis Williamson
Stackathlon Leader Boards #SOreadytohelp The Bridge Builder I am the first user to earn at least 50,000 reputation points each on all three of Stack Overflow, Server Fault and Super User. I was also the first user to surpass the 10K, 20K, 30K and 40K point levels each on all three of those sites. ###Are you a Stackathlete? ###Check the standings on Profile:I'm a Unix/Linux devops engineer/sysadmin/programmer Devotion to Duty Try my unofficial Printifier for xkcd.
Updated on September 17, 2022Comments
-
Dennis Williamson almost 2 years
For a user on a Linux host, I need to make everything inaccessible besides his home directory.
I have heard that this is usually done by changing the root directory for the user (and setting it to the user's home directory), however I couldn't find the way to do it.
I thought about the
chrootcommand, but it seems it just runs the specified command, considering the specified directory as the root directory. So it seemschrootis not what i need.So my question is: what is the command which changes the user's root directory?
-
Admin over 13 years@user257493 As i understood, at/etc/security/chroot.confi have add lines like:user1 /home/user1, and/home/user1will be the root for user1, right? Should i restart something to make the modifications at/etc/security/chroot.confto take effect? -
JT.WK over 13 yearsi think this question needs clarification...
-
nos over 13 yearsIf you make everything inaccessible except the home directory, the user can't even run commands, as those commands arn't in his homedirectory -
Omnifarious over 13 yearsI gave you a new answer to your question. I don't think you'll like it though.
-
-
Admin over 13 yearsI need to change the root not the home.
-
Admin over 13 yearsI need to change the root not the home.
-
rootkea over 13 yearsI need to change the root not the home. -
Ando over 13 years
@OmnifariousI need user1 not to be able to see the rest of world. Solving this issue with permissions means to modify the rest of world, rather then modify user1. I need a solution which solves the issue by modifying user1, not the rest of world. Yes, if the root directory of user1 is it's home, then it has no direct access to directories like/bin, but i can create a symbolic link to/binin user1's home directory, thus deciding what he can see and what he cant. -
Ando over 13 years@Vahagn: Symbolic links will let the user access things outside of their chroot jail. Hard links will, but they cannot span filesystems.
cd /home/new_guy ; ln -s /bin ./bin ; chroot . ls bin -
bbaja42 over 13 yearsroot user is god; can see and do anything anywhere. Puny user can only see and do his own domain; rest of muliverse is denied.
