Andrei Serdeliuc ॐ

Reputation: 5878

How to jail a Linux user

Is there something similar to chroot, but for users?

We are about to grant access to our servers for a client and would like them to see only the directories we allow.

Upvotes: 6

Views: 12907

Answers (6)

user1293603

Reputation: 59

No easy way to jail users in their homedirs. BTW, I would NEVER give access to my systems to someone I don't trust at least minimally.

Last time I did, I used an "unescapable" menu based on http://bash.cyberciti.biz/guide/A_menu_box The .bashrc launches this script, which you would not escape:

~/.bashrc:
(LAST LINE)
./menu.sh; exit 0

Yes, I had to write scripts for each and every menu item (get logs, check sys, ...) but nobody can run 'chown -R root:root /' instead of *. Priceless.

[EDIT]: create a dedicated user, don't do this as root!!!

Upvotes: 0

unwellmilles

Reputation: 45

An effective way to do this is to use lshell.

Upvotes: 1

huyz

Reputation: 2371

The "best answer" from 2009 is outdated. OpenSSH now comes with the ChrootDirectory option. See http://www.debian-administration.org/articles/590 which is for an already-old version of ssh.

Upvotes: 5
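
The ChrootDirectory option mentioned in the answer above, shown as an added example that is not part of the original post: a constructed sshd_config fragment plus a check of the rule sshd enforces on the jail path, namely that every component is a root-owned directory not writable by group or others. The group name clientjail, the path /srv/jail/%u, the user client1 and the function names are assumptions made for illustration.

```python
import os
import stat

# Constructed sshd_config fragment; group name and jail path are assumptions.
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
Match Group clientjail
    ChrootDirectory /srv/jail/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def chroot_directories(config_text):
    """Return every ChrootDirectory value (simplified whitespace-only parsing)."""
    dirs = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "chrootdirectory":
            dirs.append(parts[1].strip())
    return dirs

def path_components(path):
    """'/srv/jail/bob' -> ['/', '/srv', '/srv/jail', '/srv/jail/bob']."""
    out, current = ["/"], ""
    for name in os.path.normpath(path).strip("/").split("/"):
        if name:
            current += "/" + name
            out.append(current)
    return out

def audit_chroot(path, stat_fn=os.stat):
    """List the problems that make sshd reject this path as a chroot."""
    problems = []
    for comp in path_components(path):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc.strerror})")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, not root")
        if st.st_mode & 0o022:
            problems.append(f"{comp}: writable by group or others")
    return problems

if __name__ == "__main__":
    for d in chroot_directories(SAMPLE_SSHD_CONFIG):
        print(d, audit_chroot(d.replace("%u", "client1")))
```

Because the jail root itself has to be root-owned and non-writable, the client needs a subdirectory inside it that they own if they are to upload anything.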

Tiberiu Ana

Reputation: 3663

A Google search on "openssh jail" led me to SSHjail for OpenSSH. If your client uses ssh/scp to access the said servers, this might be what you are looking for.

Upvotes: 7

Chas. Owens

Reputation: 64929

It is important to note that chroot(2) is not meant for security purposes. It is incredibly easy to escape a chroot jail. See this article on abusing chroot for more information.

Upvotes: 4

David Schmitt

Reputation: 59355

If you really want to go to that extreme, SELinux (or any other mandatory access control) is a definite improvement over the default Unix permissions.

Upvotes: 1
