User rules/privileges not applied properly?

AleXSR700 · May 16, 2021, 5:02pm

Hi everyone,
I wanted to add a new user for my media devices which only has access to /mnt/ and not the root folders.
So I created a new user etc.

/etc/passwd: kodi:x:1000:1000:kodi:/mnt:/bin/ash
/etc/group: kodi:x:1000:
/etc/shadow: kodi:x:16666:0:99999:7:::
passwd kodi

The credentials do work and I can connect via SFTP. Using WinSCP I am directed to the mnt folder.
But when I use KODI and do not specify the home folder, KODI starts in root. To my understanding, the user "kodi" should be limited to within /mnt/.

Did I miss something?

vgaetera · May 16, 2021, 6:02pm

This does not restrict the target user.
It is supposed to protect the directory/files owned by the user/group from other users.
So, this user can still read most of the file system and write at least to /tmp.
If you really need sandboxing, that likely requires replacing Dropbear with OpenSSH.

eduperez · May 16, 2021, 6:03pm

You specified the "home" folder.for that.user, but that is.not a restriction of the folders that user can access.

AleXSR700 · May 16, 2021, 7:00pm

Ah, okay. How can I restrict folder access then, please?