For a user on a Linux host, I need to make everything inaccessible besides his home directory.
I have heard that this is usually done by changing the root directory for the user (and setting it to the user's home directory), however I couldn't find the way to do it.
I thought about the chroot command, but it seems it just runs the specified command, considering the specified directory as the root directory. So it seems chroot is not what i need.
So my question is: what is the command which changes the user's root directory?
58 Answers
It sounds like you want to change the HOME dir, not the root dir. Root will always be / or /root.
usermod -d /path/to/new/homedir/ usernameTo be sure that " everything inaccessible " behind this home directory, i would use chroot, but after you cannot do anything if you don't prepare the chrooted directory, you don't have any binaries or libs available.
The configuration of FTP server can be useful for you :
It is a full chroot settings set to restrict the ftp users to this chrooted directory.
I stand by this answer, and I don't care if I got a -1 over it. This isn't something Unix can do for you in any reasonable kind of way. You're asking for something that's practically impossible.
But there is sort of a way to get something like what you're asking for, kind of. Use a virtual machine. Set up an instance of the virtual machine for the user in question and only give them login rights on it, not the host OS.
Here is my original answer:
Just use permissions. That's what they're for. A user generally doesn't have access to write to anything other than /tmp and their home directory anyway. And they have to have read access to /bin/, /usr/bin, /usr/lib, and /lib or they aren't going to be able to do anything at all.
If you really want something more strict than permissions give you, then looking into setting up selinux so you can restrict them further.
Using chroot just isn't going to give you what you want. It's really complicated to set up, and there are ways of getting around it.
see the manual of useradd. You have to use the -d switch.
I think if you add
if grep "\\<${USER}\\>" /etc/jailbirds > /dev/null
then echo I am not a crook
else exec chroot $CWD
endifto the end of your /etc/profile you might get what you are asking for, but it may have some side effects I'm not aware of (taking over the shell running /etc/profile might cause problems). In this case you would need to create a file /etc/jailbirds which was a list of the users you wanted to chroot for. You'll also need to make sure that this file exists and decide what to do in the case of errors accessing it to make sure that other users (especially root) don't get locked up by chroot
Additionally, doing this is going to be difficult. The user will be unable to access /proc which will make many shell utilities (such as ps, top, and many others) not work. The user will also not be able to access /dev/null, which will break lots of stuff.
The user will also not be able to access /dev/tty which will break less and more when used with standard input. The user's applications will inherit the stdin, stdout, and stderr open file descriptors from before the chroot, but less opens /dev/tty so that it can get keystrokes from the user to deal with having stdin redirected from a pipe.
You will also not be able to access any programs or shared libraries or many files that live under /etc (such as /etc/protocols ) that many programs use.
All of these are things you can work around, but you will end up needing to do a lot more work to make the users' environment usable than I think you have considered.
If you do try my suggestion I suggest you be very careful. It would be easy to get it wrong and mess things up bad. I have not tested this, by the way.
usermod -d /path/to/new/homedir/ usernameThat answers your question but I'm not sure it's what you need?
1I think you are slightly confused. The directory /root will only be accessible by the root user. Each user generally has their own HOME directory in /home/, and the root user of the system will posses /root
If you want to change the HOME directory follow some of the other answers, or edit the /etc/passwd file
1Create a guest user
useradd -s /bin/sh -m guestInstall a shell for them that does not depend on third party libraries
cd /home/guest
apt-get download busybox-static
dpkg -x *.deb .
rm *.deb
cd bin
./busybox --install .Change your root directory to /home/guest and run as guest
mkdir /home/guest/etc
grep guest /etc/passwd > /home/guest/etc/passwd
chroot /home/guest /bin/sh
exec env -i login -f guestInside the chroot, you can install and spawn an ssh server, so that the user can log in remotely; although you may run into problems when certain applications want access to the /proc file system and friends; in that case you may begin to tread on lxc containers, namespaces, virtual machines, etc where something like schroot or qemu become an easier option.
If you stick with a home grown solution, you may run into security issues if you are not careful (such as accidentally giving ownership of /home/guest/bin to guest, in which case guest may get to run as root next time you invoke chroot).
I have no idea if the above commands are what you want and/or if they are vulnerable to any security holes. Hope they help though.
