Disallowing view on directories
LuKreme
kremels at kreme.com
Tue Nov 27 11:47:43 PST 2007
On 27-Nov-2007, at 09:27, Gino Pacitti wrote:
> I know about permissions and how to chmod directories and files but
> I have a small issue when I allow users to scp to the server...
>
> Although they are not admin group or any group in fact they can
> still cd up and around their home directories.... How can I allow a
> home directory and only limit them to stay there?

A ssh user has the same permissions on ssh that they would have
locally. Generally, the majority of the files on the system are
readable. Sensitive files (like /var/log/maillog) are not generally
readable.

What is readable that you consider a risk? Or is this just general 'I
don't want you looking at anything outside $HOME' for some reason?

To do that you would have to set up a 'jail' which would involve
creating aliases to the commands that you DO want your ssh users to
access. Things like, can your ssh list a directory? Then you need
ls. Can they use vi/vim/nvi? How about chpasswd or chsh? ln? find?
ping? xargs? grep? This is a rather large task, since without read
access to /usr/bin /bin and /sbin the ssh user can't actually DO
anything.

I'd start with a perusal of the google results from a search of:

chroot jail ssh

--
<http://en.wikipedia.org/wiki/TOFU>
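
Added example, not part of the original message: a Python check of which paths a user who is neither owner nor group member can actually read, which is the audit behind the question "what is readable that you consider a risk?". The helper names and the sample tree are constructed for illustration, and the check assumes classic mode bits only (ACLs are ignored).

```python
import os
import shutil
import stat
import tempfile

def other_can_read(path, root="/"):
    """True if a user who is neither owner nor in the group can read `path`.
    Every directory from `root` down to the parent needs o+x (search), and
    the target itself needs o+r. Assumption: mode bits only, no ACLs."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    rel = os.path.relpath(path, root)
    if rel.startswith(os.pardir):
        raise ValueError("path is outside root")
    current = root
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        # Without search permission nothing below this directory is reachable.
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        current = os.path.join(current, part)
    return bool(os.stat(current).st_mode & stat.S_IROTH)

def demo():
    """Build a constructed sample tree and report what 'other' can read."""
    layout = {  # directory -> (directory mode, file name, file mode)
        "etc": (0o755, "passwd", 0o644),
        "var/log": (0o755, "maillog", 0o640),
        "Users/alice": (0o700, "notes.txt", 0o644),
    }
    root = tempfile.mkdtemp()
    results = {}
    try:
        os.chmod(root, 0o755)
        for rel, (dmode, fname, fmode) in layout.items():
            os.makedirs(os.path.join(root, rel))
            step = root
            for part in rel.split("/"):  # intermediate dirs: world-searchable
                step = os.path.join(step, part)
                os.chmod(step, 0o755)
            target = os.path.join(step, fname)
            open(target, "w").close()
            os.chmod(target, fmode)
            os.chmod(step, dmode)        # final directory gets its own mode
            results[rel + "/" + fname] = other_can_read(target, root)
    finally:
        shutil.rmtree(root)
    return results

if __name__ == "__main__":
    for name, readable in demo().items():
        print(("READABLE " if readable else "blocked  ") + name)
```

In the sample tree, notes.txt is mode 644 but still unreachable because its parent directory is mode 700, so tightening the mode on each home directory keeps other accounts out of it without a jail.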