# Lock user in home directory



## DENOxCOOL (Dec 19, 2012)

Hi,

I have FreeBSD 9.1 and I want to lock my customers/users in their home directory.
How do I do that?

Many say with chroot, but I don't know how to use it.

PS: I am from Germany

Thanks for help.

Greetings,
DENOxCOOL


----------



## drhowarddrfine (Dec 19, 2012)

When you create a new user, they are automatically locked into their own home directory, so I don't know what the problem is.


----------



## Uniballer (Dec 19, 2012)

Really?  It doesn't seem to work that way when I use the adduser script.  How do you create new users that can't simply `# cd somewhere_else`?


----------



## bbzz (Dec 19, 2012)

And why shouldn't it cd somewhere? Chrooting a regular user into his own /home means he won't be able to access even the most basic tools, which is usually not what is wanted.
Instead, rely on making sure you have proper permissions on the system.


----------



## rusty (Dec 19, 2012)

Not sure what you're trying to accomplish but mac_bsdextended may be worth looking at.
http://www.freebsd.org/doc/handbook/mac.html


----------



## johnd (Dec 19, 2012)

DENOxCOOL:

I'm also not sure what you want, but you can try to achieve that with OpenSSH. Here is a simple example of how to do it:
First, you edit the configuration file of sshd(8):

```
Subsystem    sftp    internal-sftp

Match group sftpusers
    ChrootDirectory    %h
    ForceCommand    internal-sftp
    AllowTcpForwarding    no
```

Next, you need to set the directory permissions of the "chrooted" directories. Make sure they are not writable by any user other than root:

```
# chown root:wheel /home/some_user /home/some_other_user
# chmod 755 /home/some_user /home/some_other_user
```

Now you can create a group for the users who should be "chrooted" and add them to that group:

```
# pw groupadd sftpusers -m some_user,some_other_user
```

Also give them the nologin shell:

```
# for i in some_user some_other_user; do chsh -s /usr/sbin/nologin "$i"; done
```

Finally, (re)start the sshd daemon.


----------
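The ownership step in the OpenSSH answer above is the part that most often goes wrong: per sshd_config(5), sshd checks at session startup that every component of the ChrootDirectory path is a root-owned directory not writable by group or others. The following pre-flight check is an added example, not code from the thread; the function names and the script name `check_chroot.sh` are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for sshd's ChrootDirectory.
# Rule checked (sshd_config(5)): every component of the chroot path must be a
# root-owned directory that is not writable by group or others.

# perms_ok UID MODE: succeeds only for uid 0 and an octal mode without g+w/o+w.
perms_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    case $2 in ''|*[!0-7]*) return 1 ;; esac
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# owner_mode PATH: prints "uid mode"; tries GNU stat syntax, then BSD syntax.
owner_mode() {
    stat -L -c '%u %a' "$1" 2>/dev/null || stat -L -f '%u %Lp' "$1"
}

# check_chroot_path DIR: walks from DIR up to /, reporting every bad component.
check_chroot_path() {
    case $1 in /*) ;; *) echo "not an absolute path: $1" >&2; return 2 ;; esac
    p=$1 rc=0
    while :; do
        if [ -d "$p" ]; then
            om=$(owner_mode "$p") || om=
            uid=${om% *} mode=${om#* }
            perms_ok "$uid" "$mode" || { echo "FAIL $p (uid=$uid mode=$mode)" >&2; rc=1; }
        else
            echo "FAIL $p (not a directory)" >&2; rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$rc"
}

# Stand-alone use: sh check_chroot.sh /home/some_user /home/some_other_user
for d in "$@"; do
    check_chroot_path "$d" && echo "OK   $d"
done
```

Because the chroot directory itself must stay root-owned, a user who needs to upload files needs a subdirectory inside it that they own.
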

