IBM i Global


 IFS auth

Pino Mariotto posted Thu September 04, 2025 06:05 AM

Hello everybody,

does someone know how I can restrict a user only to his /home/user dir (or some other dir) ?

He has to be unable to do any operation outside from there

Thank you

Andreu Rul IBM Champion
Normally the IFS has the same security you'll have for the rest of the objects.
In that sense, the best practice can be to set the public authority for your directories to *EXCLUDE and then allow the access when you know that this access is correct. Here you have information:
Maybe a change for all the directories is not something that you can do quickly, so you also have the option to use an Exit Program to do what you want, checking the user profile and not giving access to a directory different from the ones that you determine:
Best Regards
Sylvain Manceau

Hi,

Your question looks like you need a chroot, maybe this could be of help? https://ibmi-oss-docs.readthedocs.io/en/latest/yum/README.html?highlight=chroot#using-a-chroot

Kurt Thomas

@Pino Mariotto You can implement chroot for PASE shells ( @Sylvain Manceau's post), for FTP, and for SSH/SFTP. Does either of those work for you?

Or is this about accessing files through one of the file servers, e.g., through a shared IFS directory? For that, exit point-based solutions like Powertech Exit Point Manager will help.

Pino Mariotto

I have to restrict sftp access. Actually, I had already tried to follow this doc https://www.ibm.com/support/pages/using-chroot-ibm-i-restrict-ssh-sftp-and-scp-specific-directories .

Unfortunately, when the home dir path of the user profile becomes /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX , when logging in with ssh the window closes immediately after having typed the password. Removing the dot (/.) from the home dir path lets the user log in again, but he is not restricted to that directory.

Thank you for your responses

Kurt Thomas

Try:

Client-side verbose logging. Connect with maximum verbosity:

```bash
ssh -vvv username@ibmi-system
# or
sftp -vvv username@ibmi-system
```

This will show:

  • Authentication process
  • Chroot activation
  • Where the connection fails

SSH connection with specific commands. Test what works in the chroot:

```bash
# Try executing specific commands
ssh username@ibmi-system "ls -la"
ssh username@ibmi-system "/bin/sh -c 'echo test'"
ssh username@ibmi-system "pwd"
```
Pino Mariotto

See ssh sftp logs (attachment)

Kurt Thomas

It looks like the user profile has the bash shell set as its default shell, but the bash shell binary does not exist in the chroot'ed environment:

sftp2@10.100.11.10's password: /QOpenSys/pkgs/bin/bash: No such file or directory 

The fix would be to adjust the IBM-provided script so it:

  • creates the directory in the chroot environment's directory tree
  • copies the bash shell binary into that
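The two symptoms in this thread (login drops immediately with the /./ marker in the home path, and works but unrestricted without it) can both be checked before a user ever logs in. The POSIX sh script below is an added example, not part of the thread and not IBM's chroot script. It assumes the convention used by the linked IBM document and by the poster's own path: the part of the user profile's home directory before "/./" is the chroot root, and the part after it is the home directory as seen from inside the chroot. It splits the home path, reports whether the home directory and the user's login shell exist inside the chroot, and can copy a shell binary into the chroot tree at the same absolute path it has outside. It does not copy the shared libraries a shell depends on; those still have to be provided the way the IBM script does it.

```bash
#!/bin/sh
# Added example (not from the thread or from IBM's chroot script).
# Assumption: HOMEPATH looks like /chroot/root/./home/userX, where the text
# before "/./" is the chroot root and the text after it is the in-chroot home.

# chroot_root HOMEPATH -> prints the chroot root; returns 1 if no "/./" marker
chroot_root() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     return 1 ;;
    esac
}

# chroot_home HOMEPATH -> prints the home directory relative to the chroot root
chroot_home() {
    case "$1" in
        */./*) printf '%s\n' "${1#*/./}" ;;
        *)     return 1 ;;
    esac
}

# chroot_check HOMEPATH SHELLPATH -> 0 if the home directory and the login
# shell both exist inside the chroot; otherwise prints what is missing, returns 1
chroot_check() {
    root=$(chroot_root "$1") || {
        echo "no /./ marker in $1: the user would log in without a chroot"
        return 1
    }
    home=$(chroot_home "$1")
    shell=$2
    rc=0
    [ -d "$root/$home" ] || { echo "missing home dir inside chroot: $root/$home"; rc=1; }
    [ -x "$root$shell" ]  || { echo "missing shell inside chroot: $root$shell"; rc=1; }
    return $rc
}

# chroot_install_bin ROOT SRC DEST -> copy SRC to ROOT/DEST after creating the
# directory tree inside the chroot. DEST is the absolute path the binary must
# have as seen from inside the chroot, e.g. /QOpenSys/pkgs/bin/bash.
chroot_install_bin() {
    root=$1; src=$2; dest=$3
    [ -f "$src" ] || { echo "source binary not found: $src"; return 1; }
    mkdir -p "$root$(dirname "$dest")" || return 1
    cp -p "$src" "$root$dest" && chmod 755 "$root$dest"
}

# Stand-alone use: sh chroot_check.sh HOMEPATH SHELLPATH
# e.g. sh chroot_check.sh /QOpenSys/QIBM/UserData/SC1/OpenSSH/chroot/./home/userX /QOpenSys/pkgs/bin/bash
# If the shell is missing it is copied from the same path outside the chroot
# and the check is repeated.
if [ "$#" -eq 2 ]; then
    if chroot_check "$1" "$2"; then
        echo "chroot looks complete for $1"
    else
        root=$(chroot_root "$1") && chroot_install_bin "$root" "$2" "$2" && chroot_check "$1" "$2"
    fi
fi
```

Run it as the profile that owns the chroot tree (copying into /QOpenSys/QIBM/UserData/... needs write authority there), and compare SHELLPATH against the shell the failing login reported, which in the posted log was /QOpenSys/pkgs/bin/bash.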