0

Follow up from: https://stackoverflow.com/questions/49703000/how-to-see-into-guest-account-filesystem-from-root

I am root, and I need to restrict write or read access to / directory for a certain user, that is not root. Is this possible via shell or a C progam?

udpcon
  • 3
  • 2
  • It is difficult to restrict root, however it is possible when using frameworks like SELinux. Note that there will often be ways to get around it if configured naively, for example using root to modify the kernel in /boot to disable the protections (meaning you will also have to protect the kernel, as well as other vital files from root if you want to protect any other arbitrary directory). – forest Apr 07 '18 at 04:14
  • Title and body of your question do not match. In the title you ask to disable access for guest, in the body you ask about restricting access for root. But in general: a low privileged user cannot deny root access to its data unless the system is specifically setup to limit what root can do. Ubuntu is not setup this way. – Steffen Ullrich Apr 07 '18 at 05:11
  • I see now my question might have been misinterpreted. I meant to say I want to restrict another user's (normal user, no root privileges) access, and not root's access. I have edited it for clarification. – udpcon Apr 07 '18 at 05:38
  • That makes sense. Retracting my close vote. – forest Apr 07 '18 at 05:58
  • Can you use chroot to sandbox the user? Make their login shell something that chroots and then runs their real login shell? – Neil Smithline Apr 07 '18 at 15:16

1 Answers1

1

restrict write or read access to / directory for a certain user, that is not root

Yes, use permissions. Every multi-user operating system (including MS Windows, Linux and Unix) has some capability for controlling file access.

While Stackoverflow encourages us to provide inline answers, a full explanation of how Unix permissions work would be a bit over the top in an answer here (don't panic - its not too complex) and I would struggle to do a better job than Paul Sheer does in "Linux:Rute User's Tutorial and Exposition" which is available in print and free pdf's on the internet (chapter 11).

As a taster, the standard Unix/Linux filesystem privileges are Read (r), Write (w) and Execute(d) and each can be applied to 3 categories of users - the designated owner of the file/directory, the designated user group of the file/directory, all users on the host.

symcbean
  • 18,625
  • 1
  • 41
  • 75