Community Forum

Resolved
0 votes
Hello,

I need a user to have ssh access to his virtual directory to manage his website.

I installed the Shell Extension to grant user shell access using ssh.
I edited a user and set the Login Shell selector "Shell" to /bin/bash (I found in the forum that it has to be set like this).

I tried to log in, success!

BUT, the user lands in his /home/folder (I want to decide where he goes) and can browse anything.
That’s not what I had in mind of course and I wonder how you restrict a user to a specific directory (it may not be a pure ClearOS question).

Bernard

PS: By the way, I’m new here and with ClearOS, and the community did awesome work, great product!
Wednesday, March 15 2017, 07:12 AM

Responses (10)
  • Accepted Answer

    Tuesday, May 23 2017, 06:49 AM - #Permalink
    Resolved
    0 votes
    Changing file and group ownership should work fine. Just make a note of ownership before you start changing anything so if you get problems you can roll them back
  • Accepted Answer

    Thursday, May 18 2017, 09:01 AM - #Permalink
    Resolved
    0 votes
    These users are going to be local to the ClearOS server only.
  • Accepted Answer

    Thursday, May 18 2017, 06:29 AM - #Permalink
    Resolved
    0 votes
    Are these users going to be local to the ClearOS server or are they created in LDAP?

    You will only break website publishing if Apache loses access to the files it needs.
  • Accepted Answer

    Wednesday, May 17 2017, 10:02 AM - #Permalink
    Resolved
    0 votes
    ok I understand:

    I change the home directory for user1. (usermod -m -d /var/www/virtual/thedir user1)
    I change user from "allusers" to "user1" for this directory. (chown -R user1:group1 /thedir)
    This won’t break website publishing?

    but... still user1 has gid=63000(allusers) groups=63000(allusers)
    Doesn’t that give him permission for allusers dir and files?
  • Accepted Answer

    Wednesday, May 17 2017, 09:17 AM - #Permalink
    Resolved
    0 votes
    File permissions are trivial, but setting them is going to have to be done from the command line.

    e.g. home directory is /home/user1 and user1 belongs to group group1; directory permissions should look like this

    drwxr-x--- user1 group1

    With this, only members of group1 will be able to enter the directory and only user1 will be able to add or remove files from the directory

    Files inside the directory should have permissions

    -rw-rw---- user1 group1

    which means any member of group group1 can edit (and owner user1 can too)
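The permission scheme from the reply above (directories `drwxr-x---`, files `-rw-rw----`, one owner and one group) as a runnable check. This is an added illustration, not code posted by anyone in the thread; the function names `snapshot_tree`, `apply_scheme` and `audit_tree` are hypothetical, and the snapshot step follows the advice elsewhere in the thread to note ownership before changing it.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not a ClearOS tool.
# Scheme from the reply: directories rwxr-x--- (750), files rw-rw---- (660),
# everything owned by one user and one group.

# Record current owner/group/mode so a change can be rolled back by hand.
snapshot_tree() {   # snapshot_tree ROOT OUTFILE
    find "$1" -exec ls -ldn {} + > "$2"
}

# Apply the scheme. Changing the owner to another account requires root.
apply_scheme() {    # apply_scheme ROOT OWNER GROUP
    chown -R "$2:$3" "$1" &&
    find "$1" -type d -exec chmod 750 {} + &&
    find "$1" -type f -exec chmod 660 {} +
}

# Print one line per deviation; return 1 if any was found, 0 if clean.
audit_tree() {      # audit_tree ROOT OWNER GROUP (names or numeric IDs)
    findings=$(
        find "$1" -type d ! -perm 750 -exec printf 'DIR_MODE %s\n' {} \;
        find "$1" -type f ! -perm 660 -exec printf 'FILE_MODE %s\n' {} \;
        find "$1" ! -user "$2" -exec printf 'OWNER %s\n' {} \;
        find "$1" ! -group "$3" -exec printf 'GROUP %s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /var/www/virtual/thedir user1 group1
if [ "$#" -eq 3 ]; then
    audit_tree "$@"
fi
```

With directories at 750, "other" accounts have no access at all, so the account Apache runs as has to be the owner or a member of the group for the site to keep being served.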
  • Accepted Answer

    Wednesday, May 17 2017, 07:02 AM - #Permalink
    Resolved
    0 votes
    I have little knowledge of Linux and Linux file permissions.
    But I chose ClearOS, which offers an easy-to-manage web interface (control panel), because of this. :)

    In my mind, if I have a user that is assigned to a group, what he should see and be able to edit should be assigned to this group.
    This is pretty trivial in most control panels that help non-techies to manage hosting.


    To answer your first question, I would like both options: terminal editing with putty, nano or vi, and sftp using third-party software (ftp or IDE).

    But as a start, sftp will be great progress!
  • Accepted Answer

    Wednesday, May 17 2017, 06:43 AM - #Permalink
    Resolved
    0 votes
    How is the user going to edit the files? In a terminal window using a command line editor such as vi or nano? Or is the user going to copy files using sftp to another machine then edit and copy back? The method using sftp can be fairly easily set up and the user does need access to commands (nano/vi) on the server and the user has only access to a single directory - see here for an idea of the set up - http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

    Creating an ssh user that can only access one directory and a limited set of commands is doable but more complicated see here for some idea of the set up http://linuxpitstop.com/chroot-ssh-users-on-centos-7/ (generic Centos)

    The most simple is to allow the user to access the server via ssh and then control what they do via file/directory permissions - the issue here is that the user will be able to move around the directory structure. How familiar are you with Linux file permissions?
  • Accepted Answer

    Tuesday, May 16 2017, 05:30 PM - #Permalink
    Resolved
    0 votes
    Thanks for your help Duncan,

    ssh username@ip.ip.ip.ip
    username@ip.ip.ip.ip's password:
    Last login: Mon May 15 09:01:50 2017 from .......
    -sh-4.2$ ls -l
    total 1592
    -rw-r--r-- 1 username allusers 1624110 Feb 22 09:42 _E540036.jpg
    -sh-4.2$ pwd
    /home/username


    id username
    uid=2002(username) gid=63000(allusers) groups=63000(allusers),60000(ftp_plugin),60002(workinggroup)

    ("workinggroup" is what I want him to see and edit)

    As it is someone from another team to whom I want to give ssh access to edit only files within the group I assigned him to.

    I would like him to land directly in : /var/www/virtual/ (ok he will see all the other domain names)
    And him to be able to open only directories and edit files where group = workinggroup
  • Accepted Answer

    Tuesday, May 16 2017, 11:44 AM - #Permalink
    Resolved
    0 votes
    On any Linux system users can generally move around the directory structure, but are limited by the permissions on files and/or directories.

    Can you post the output of
    ls -la
    for the directory in question?

    and
    id username
    of the user concerned
  • Accepted Answer

    Monday, May 15 2017, 05:48 AM - #Permalink
    Resolved
    0 votes
    Bumping/Updating this one...

    Update; the user can read files within the group he is assigned to but he cannot edit them.

    So this is pretty unuseful...