is chmod o=- -R / a feasible solution to user restricting?

Question

we do:

useradd -s /bin/rbash -d /home/dir/user1 -m user_1:user_1

rbash is not even a solution because you can browse all files with midnight commander.

then we create user_1.domain.com we assign this vhost user_1:user_1 our whole point is to disable this user poking into server's other directories.

How do we do it?

is chmod o=- -R / a feasible solution to user restricting?

this doesn't answer my problem. How to restrict SSH users to a predefined set of commands after login?

Answer 1

First off, read access to the server's "other directories" is generally required. That's where the binaries and data files for the installed software live, after all.

If you want to disallow access to other users' directories, you can always set default umasks such that only owners have read access and let the users decide what to enable for world readability. Or similarly, place every user into their own group, which is the default on most linux distros.

If you want to disallow access always, without the possibility of turning it on, you can play tricks with MAC tools like AppArmor (simple) or SELinux (complicated) to do that. Though this has significant administrative costs you need to think about.

It used to be that chroot was a common solution for this kind of problem, but that's fallen out of favor in recent years as it doesn't quite isolate things as much as you would expect.

Finally, the "proper" solution to user isolation is generally felt to be virtualization, either full-system stuff over vmware, kvm, xen, etc... or single-kernel solutions like BSD jails or Solaris Zones.