
I did useradd -s /bin/rbash -d /var/www/html/directory USRNAME

and on ssh login with USRNAME (including ssh key), it goes to directory and cd doesn't go back. So that works... but

if they use nano /var/www/html/.env (before directory) it will say

Unable to create directory /var/www/html/directory/.local/share/nano/: Permission denied
It is required for saving/loading search history or cursor positions.

Press Enter to continue

If they press enter it will allow them to read any file with nano... anywhere in the system!

Any help to only allow this user to that specific directory only using google cloud?

1 Answer

rbash is not a secure method for restricting shell users. It only limits shell inputs and not filesystem access for executables. On a standard Linux system there are plenty of tools accessible in the $PATH to work around those restrictions, not only nano.

Proper restricted access is done by creating a chroot environment or jail, but which also requires providing all needed executables and potentially even /dev, /sys, or /proc hardlinks.

You could modify $PATH to only include safe commands, but that's a minefield and essentially also requires you to create a separate collection of executables.

The error you're seeing is likely related to the user not being allowed to write to /var/www/html/directory, but is unrelated to the actual issue at hand.

Mantriur
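As an added example (not part of the question or the answer above), the following POSIX shell script sketches the chroot approach the answer describes: each executable the restricted user is allowed to run is copied into the jail together with the shared libraries it links against, which is the "providing all needed executables" work the answer mentions. The jail path /var/jail/USRNAME, the user name USRNAME and the command list are assumptions; the sshd_config snippet in the comments is likewise an assumed configuration, not something from the page.

```shell
#!/bin/sh
# Added example (not from the answer above): build a minimal chroot jail
# with the executables a restricted user needs, plus their shared libraries.
# Assumptions: jail path /var/jail/USRNAME, a target user USRNAME, and a
# command list passed on the command line. Building the jail requires root.

# Turn `ldd` output into a list of absolute library paths, one per line.
# Handles the line shapes ldd prints:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   -> print the path
#   /lib64/ld-linux-x86-64.so.2 (0x...)                      -> print the path
#   linux-vdso.so.1 (0x...) or "statically linked"          -> nothing to copy
deps_from_ldd_output() {
    awk '
        /=>/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i; next }
        /^[ \t]*\// { print $1 }
    '
}

# Copy one executable and every library it links against into the jail,
# preserving the original absolute paths so the dynamic loader finds them.
install_binary() {
    bin=$(command -v "$1") || { echo "not found in PATH: $1" >&2; return 1; }
    jail=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" 2>/dev/null | deps_from_ldd_output | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -pL "$lib" "$jail$lib"   # -L: copy the real object behind any symlink
    done
}

# Create the jail skeleton and install the requested commands.
# sshd's ChrootDirectory refuses the jail unless it and every parent
# directory are owned by root and not writable by group or others.
build_jail() {
    jail=$1; shift
    for d in bin dev etc lib lib64 usr/bin usr/lib home/USRNAME; do
        mkdir -p "$jail/$d"
    done
    for cmd in "$@"; do
        install_binary "$cmd" "$jail" || return 1
    done
    chown root:root "$jail" && chmod 755 "$jail"
}

# Point sshd at the jail for this one user (assumed sshd_config snippet):
#   Match User USRNAME
#       ChrootDirectory /var/jail/USRNAME
# The user's shell and home must exist inside the jail as well. If the user
# only needs file access, "ForceCommand internal-sftp" in the same Match
# block avoids shipping any executables into the jail at all.
case "${1:-}" in
    build) shift; build_jail "${JAIL:-/var/jail/USRNAME}" "$@" ;;
esac
```

Usage (as root): `sh build_jail.sh build sh ls cat` installs those three commands and their libraries under /var/jail/USRNAME. Every tool left out of that list is simply absent from the jail, which is the property rbash cannot give: the restriction lives in the filesystem the process can see, not in what the shell is willing to parse.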