02-07-2014, 12:44 AM
Yil

There isn't a trivial switch you can flip to lock a user to their home directory. I've thought about such a feature for a while, but never got around to it.

You can, however, do something like this: give all users who are supposed to be locked into just their home directory a user flag like J for jailed or something. Mark all the top-level dirs (besides /GUESTS!) as private with perms like "!J *" so everybody but people with the J flag should be able to see/use it. Assuming guests shouldn't be able to see other guests' dirs, you can mark them as hidden to all but them as well with something like "1 -<username> !*". The 1 means regular SiteOps can see the dir. V flagged VfsAdmins and Master accounts will always see the dir no matter what.

If you do that a guest user with the J flag should only see /GUESTS from the root, and under /GUESTS only their own home directory. I think that's what you want. The only tricky part is to remember after you create each new jailed user to mark their home directory as hidden to all but them. I'd just make a macro in your FTP client to do this for you. In FlashFXP for instance you can ask for a username then create that dir, hide it, and then create the user, change the home dir, etc.

I'd also suggest you create a new group like Guests and put all the guest users into it. If you do this you wouldn't technically even need the J user flag since you could just test for group membership in Guests via =Guests or !=Guests instead of J and !J. The benefit of the group is you can use site gadduser Guests in your macro to add guests right into the Guests group, which could have custom user defaults. Check out site help gadduser and site help /Defaults, but I believe it's /Default=<groupname>. The site groups command can show you which groups have been customized to not use the regular /Default.User template. Use 'site uinfo /Default.User' or /Default=<groupname> to see the defaults.

The one thing I can't prove without testing is what happens with relative symlinks. Only VfsAdmins can create them but if you use something like "../../foo" that may or may not allow you to link to a dir not under your home dir. The idea here was you could expose selective parts of your server to a user in a custom home directory. This was in preparation for the jailed user feature instead of this workaround I just described, but I just don't remember how it works or if it handles everything properly. I know it doesn't stand a chance of working unless the keep_symlinks or whatever option is enabled, but I only mention it in case it's really useful for you. There is a workaround that uses NTFS junctions / hard links but requires certain other settings be changed from their default and I don't really suggest using junctions this way unless you know what you are doing.
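The permission workaround described in the post above, as an added example that is not part of the original post and is not the FTP server's own code: a small Python model for checking what a jailed guest can list, including the case the post warns about where a new guest's home directory was never hidden. It assumes rule tokens are evaluated left to right with the first match deciding and that M is the Master flag; the directory layout and usernames are constructed.

```python
# Added example: model of the permission strings from the post.
# Assumptions: tokens are read left to right and the first match decides;
# "!" denies, "-name" is a username, "=name" a group, "*" everyone, and any
# other token is a set of user flags. "M" as the Master flag is assumed.

def allowed(rule, user):
    """True if `user` may see a dir protected by `rule`."""
    if set("VM") & set(user["flags"]):
        return True  # post: VfsAdmins and Master accounts always see the dir
    for token in rule.split():
        deny = token.startswith("!")
        body = token[1:] if deny else token
        if body == "*":
            hit = True
        elif body.startswith("-"):
            hit = body[1:] == user["name"]
        elif body.startswith("="):
            hit = body[1:] in user["groups"]
        else:
            hit = bool(set(body) & set(user["flags"]))
        if hit:
            return not deny
    return False  # nothing matched: treated as hidden (assumption)

def listing(tree, parent, user):
    """Names under `parent` that `user` can see; rule None = not private."""
    return sorted(n for n, r in tree[parent].items()
                  if r is None or allowed(r, user))

def unhidden_homes(tree, guests_dir="/GUESTS"):
    """Guest homes that lack the '1 -<username> !*' rule from the post."""
    return sorted(n for n, r in tree[guests_dir].items() if r != f"1 -{n} !*")

# Constructed layout: carol's home was created but never hidden.
TREE = {
    "/": {"GUESTS": None, "MP3": "!J *", "ISO": "!J *"},
    "/GUESTS": {"alice": "1 -alice !*", "bob": "1 -bob !*", "carol": None},
}
ALICE = {"name": "alice", "flags": "J", "groups": ["Guests"]}
SITEOP = {"name": "op", "flags": "1", "groups": []}

if __name__ == "__main__":
    print("alice /       :", listing(TREE, "/", ALICE))
    print("alice /GUESTS :", listing(TREE, "/GUESTS", ALICE))
    print("siteop /GUESTS:", listing(TREE, "/GUESTS", SITEOP))
    print("not hidden    :", unhidden_homes(TREE))
```

Running `unhidden_homes` against an export of the real guest directory rules after each batch of account creations catches a home directory that the client macro failed to hide.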