3.14.3 Notes
- No format checking is performed on this definition file.
- If there is no definition file, the function for limiting directory access is disabled.
- If the definition file does not contain any valid definitions, the function for limiting directory access is disabled.
- The function for limiting directory access is disabled for (not applied to) a user that is not specified in the definition file.
- If [all] is specified, that definition applies to all users.
- The definition of [disable_list] takes precedence over the definition of [enable_list]. For this reason, the function for limiting directory access is disabled for (not applied to) a user that is specified in both [enable_list] and [disable_list].
- When the function for limiting directory access is used, a user's home directory is changed to the root directory. If you use absolute paths to specify file and directory names at the client or the auto-start programs that are used at the server, delete the part of each path that indicates the user's home directory.
- If a user to whom the function for limiting directory access is applied is to start auto-start programs, check in advance that the shell and programs that are to be started can actually start in the directory-limited environment. Use the chroot command for this check (for details about the chroot command, see the OS documentation).
- Example
- This example checks the execution of sample.sh immediately under the home directory of user user1 for whom the function for limiting directory access is enabled (operation performed as a superuser):
# chroot ~user1 /sample.sh
- When the function for limiting directory access is used, the user can execute only those programs under the user's home directory. If an automatically executed program is used, place the program and the shared libraries used by that program appropriately under the user's home directory.
- The location of the program will be the directory that is obtained by adding the path name defined in the PATH environment variable to the user's home directory. The location of the shared libraries will be the path that is obtained by adding the library search path to the user's home directory path.
- If a user controlled by the function for limiting directory access restarts a log daemon while logged in to the FTP server, that user's event logs will no longer be output after the restart.
- In AIX, create a /dev/null device under the home directory of the user for whom the function for limiting directory access is enabled. Set the file type, major and minor numbers, and access permissions of the created dev/null to the same values as for the original /dev/null device.
- Example
- When user1 is a user to whom the function for limiting directory access is applied (operation performed as a superuser):
# ls -l /dev/null
crw-rw-rw- 1 root system 2, 2 Nov 20 13:10 /dev/null
# mkdir ~user1/dev
# mknod ~user1/dev/null c 2 2
# chmod 0666 ~user1/dev/null
# chown -R root:system ~user1/dev
- In AIX, if you select Link with JP1/IM in the environment definition, copy the files listed below, including their paths, as is to under the home directory of the user to whom the function for limiting directory access is applied. Set attributes such as file access permissions and link status to the same values as for the source.
- All files under /opt/jp1_fts/lib/nls
- Example
- When user1 is a user to whom the function for limiting directory access is applied (operation performed as a superuser):
# cd /
# tar cvf /tmp/work.tar opt/jp1_fts/lib/nls
# cd ~user1
# tar xvf /tmp/work.tar
- In Linux, create a copy of the /etc/localtime file under the home directory of the user to whom the function for limiting directory access is applied. Set the same access permissions for the copied etc/localtime file as for the original /etc/localtime file. If the /etc/localtime file is a symbolic link, also copy the actual file that the link points to in the same manner.
- Example
- When user1 is a user to whom the function for limiting directory access is applied (operation performed as a superuser):
# cd /
# tar cvf /tmp/work.tar etc/localtime
# cd ~user1
# tar xvf /tmp/work.tar
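
The following shell functions are an added example, not part of this manual or of the product: they stage a file under a directory-limited user's home directory at its original absolute path and, when the file is a symbolic link (as /etc/localtime often is), also stage every file the link leads to. The names stage_file and copy_one are hypothetical, and the behavior of cp -pP and readlink is assumed to be that of a Linux system.

```shell
#!/bin/sh
# Added example (not from the manual). Stages a file under a directory-limited
# user's home directory at the same absolute path, keeping mode and owner.
# Symbolic links are kept as links, and each file they lead to is staged too,
# so the link still resolves once the home directory has become "/".

# copy_one JAIL ABS_PATH: copy a single entry without following links.
# -P keeps a symbolic link as a link; -p keeps mode, owner and timestamps.
copy_one() {
    mkdir -p "$1$(dirname "$2")" && cp -pP "$2" "$1$2"
}

# stage_file JAIL ABS_PATH: copy ABS_PATH and, if it is a symbolic link,
# every hop of the link chain down to the final regular file.
stage_file() {
    jail=$1 cur=$2 hops=0
    [ -d "$jail" ] || { echo "no such directory: $jail" >&2; return 1; }
    case $cur in
        /*) ;;
        *) echo "not an absolute path: $cur" >&2; return 1 ;;
    esac
    while [ -L "$cur" ]; do
        hops=$((hops + 1))
        # Stop on link loops instead of spinning forever.
        [ "$hops" -le 16 ] || { echo "too many links: $2" >&2; return 1; }
        copy_one "$jail" "$cur" || return 1
        next=$(readlink "$cur") || return 1
        # A relative link target is relative to the directory holding the link.
        case $next in
            /*) cur=$next ;;
            *) cur=$(dirname "$cur")/$next ;;
        esac
    done
    [ -f "$cur" ] || { echo "not a regular file: $cur" >&2; return 1; }
    copy_one "$jail" "$cur"
}
```

Run as a superuser, for example stage_file ~user1 /etc/localtime. Directories created along the way get default permissions, so compare them with the originals if they matter.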