From owner-freebsd-isp  Tue Nov  6  7:21:48 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.cableaz.com (mail.cableaz.com [63.241.154.20])
	by hub.freebsd.org (Postfix) with ESMTP id D2D7737B416
	for <isp@FreeBSD.ORG>; Tue,  6 Nov 2001 07:21:42 -0800 (PST)
Received: from caz ([63.241.150.31])
	by mail.cableaz.com (Build 101 8.9.3/NT-8.9.3) with SMTP id IAA14203;
	Tue, 06 Nov 2001 08:15:03 -0700
Message-ID: <002201c166d6$854f8460$0c0aa8c0@caz>
From: "Jeremy Buckner" <jeremy@cableaz.com>
To: "Sven Huster" <sven.huster@mailsurf.com>
Cc: <isp@FreeBSD.ORG>
References: <00f701c166b5$c6546d20$fe00fa0a@venus>
Subject: Re: restrict shell access
Date: Tue, 6 Nov 2001 08:20:08 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-isp.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-isp>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-isp>
X-Loop: FreeBSD.org

I have a similar setup here where I'm at but I only allow users
to access my www server via ftp. Unless your users need to issue
commands to the box, I think this is the safest. Anyway, I
created a file called ftpchroot in /etc. I have assigned all
these users to the "users" group. So in my file I add the
following:   @users

Also because I don't let them invoke anything on the server
itself, I set their shell to pine so if they do try to ssh, they
only get to check mail that doesn't exist.

That's it, and they can only go to their own dirs.

Hope this helps some.

Jeremy Buckner


----- Original Message -----
From: "Sven Huster" <sven.huster@mailsurf.com>
To: <freebsd-isp@FreeBSD.ORG>
Sent: Tuesday, November 06, 2001 4:25 AM
Subject: restrict shell access


> Hi,
>
> I want users to be able to login my www server
> using telnet or ssh (preferred), but need to restrict
> them to their home or some other dir + subdir,
> sounds like chroot ;-)
>
> what you think will be the best solution for that?
> has someone a setup like this running?
>
> I thought about jail but I can't/won't do this for 100+ logins.
>
> thanks
> best regards
>
> Sven Huster
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message