How do I create read-only access over SSH to a limited subtree of folders?

I have a Debian server and I want to give a few users read-only access to a single subtree of folders on that server. Is there a way to do this without manually changing the permissions on all the files and folders?

If you really want to restrict them as much as possible, I would suggest looking at a chrooted SSH setup. That way, even if they manage to break out of their tree, they can't trawl around the underlying system.

The Debian folks have a guide on this.

The original sshd (from OpenBSD) can do a full chroot; quoting from sshd_config:

ChrootDirectory Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory. The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using ``sftp'', no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details). The default is not to chroot(2).
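The ownership rule in that man page excerpt ("this path, and all its components, must be root-owned directories that are not writable by any other user or group") is the part that most often goes wrong in practice: sshd refuses the login and the user just sees "Connection closed". The following is an added example, not code from any of the answers or from OpenSSH. It is a POSIX shell pre-flight check that walks ChrootDirectory and every parent component against that rule, plus a helper that emits the matching sshd_config Match block for an SFTP-only, chrooted group. The group name roshare, the path /srv/chroot/%u and the optional owner-uid argument (which only exists so the checker can be exercised as a non-root user) are assumptions of this example. The -R option on internal-sftp (read-only mode, from sftp-server(8)) is not mentioned on the page; it is what keeps the session read-only even if something inside the chroot ends up writable by the user.

```shell
#!/bin/sh
# Added example (not from the original answers or from OpenSSH):
#  - check_chroot_component / check_chroot_path enforce the ChrootDirectory rule
#    quoted from sshd_config(5): the directory and all parents must be owned by
#    uid 0 and not writable by group or others. The optional owner-uid argument
#    is only there so the check can be run as a non-root user; leave it at the
#    default 0 in production.
#  - print_sftp_match_stanza emits an sshd_config Match block for a chrooted,
#    SFTP-only group. Group name and chroot path are placeholders.

# check_chroot_component DIR [OWNER_UID]
# 0 if DIR is a directory owned by OWNER_UID (default 0) and not writable by
# group or others; prints the reason and returns 1 otherwise.
check_chroot_component() {
    d=$1
    want_uid=${2:-0}
    [ -d "$d" ] || { echo "NOT A DIRECTORY: $d"; return 1; }
    # ls -ldn prints the mode string and a numeric owner, independent of locale
    set -- $(ls -ldn "$d")
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "WRONG OWNER (uid $uid, want $want_uid): $d"
        return 1
    fi
    # in "drwxrwxrwx", character 6 is the group write bit, character 9 the
    # "other" write bit; a trailing "+" or "." (ACL/SELinux) is ignored
    case $mode in
        ?????w*|????????w*)
            echo "GROUP/OTHER WRITABLE ($mode): $d"
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [OWNER_UID]
# Walk from DIR up to / and check every component; 1 if any of them fails.
check_chroot_path() {
    p=$1
    owner=${2:-0}
    case $p in
        /*) ;;
        *) echo "ChrootDirectory must be an absolute path: $p"; return 1 ;;
    esac
    rc=0
    while :; do
        check_chroot_component "$p" "$owner" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# print_sftp_match_stanza GROUP CHROOT_DIR
# Members of GROUP are chrooted to CHROOT_DIR and get only the in-process SFTP
# server in read-only mode (-R, see sftp-server(8)); forwarding is disabled so
# the account cannot be used as a relay. Match blocks must come at the end of
# sshd_config.
print_sftp_match_stanza() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp -R\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Usage (placeholder path and group):
#   sh check_chroot.sh /srv/chroot/alice roshare
if [ $# -eq 2 ]; then
    check_chroot_path "$1" && print_sftp_match_stanza "$2" "$1"
fi
```

Run the check against the real ChrootDirectory (with %u expanded by hand for one user) before restarting sshd; every line it prints is a component sshd will reject. The read-only subtree itself then goes inside the chroot as a root-owned copy or, on Linux, a read-only bind mount (mount --bind followed by mount -o remount,bind,ro), so that the users never hold write permission on the exported files at all.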

rssh does exactly this. From pizzashack.org:

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that. For a list of platforms on which rssh is known to work, see the Platform Support page.