From: lonnie@outstep.com
To: Dan Nelson
Cc: "'freebsd-questions@freebsd.org'"
Subject: Re: FreeBSD and restricting users
Date: Wed, 19 Dec 2001 17:20:06 -0500 (EST)
Message-ID: <1008800406.3c2112967d195@mail.outstep.com>
In-Reply-To: <20011219223131.GC30574@dan.emsphone.com>
References: <01C188B0.4CDDA3E0@VAIO> <20011219223131.GC30574@dan.emsphone.com>

Thanks Dan,

This is the same solution that I have already found from the Linux side as
well and is currently not an option for our particular implementation. We
really need to be able to limit the users from navigating out of their HOME
directories for this particular SPECIAL project.

I just saw something on the FreeBSD website about "sandboxes" that might be
interesting in this respect, but I am not sure if it would be possible to
put each user's graphical login session into a "sandbox".

Best Regards,
Lonnie

Quoting Dan Nelson:

> In the last episode (Dec 19), Lonnie Cumberland said:
> > The basic problem is this. It is very easy to keep a user from
> > entering into a directory after they have logged in, but it is VERY
> > hard to keep a user locked into their HOME directory.
> >
> > We have looked at chrooted solutions as well, but they fail when a
> > user logs in through XDM and starts up an application like Netscape or
> > StarOffice. Once that happens, they are free to navigate throughout
> > the system.
> >
> > Can FreeBSD solve the problem of preventing a user from leaving their
> > HOME directory while still allowing them to run OpenOffice?
>
> If you really truly don't want them seeing anything outside their
> $HOME, chroot is your only choice. Create a minimal /etc, /lib, /bin
> etc in each homedir and you should be set. Note you'll have to
> replicate most of /usr/X11R6 for any X app to work.
>
> What exactly are you trying to keep users from doing? A standard
> install should not expose any private info or leave directories
> incorrectly writable. Just because they can browse into /etc doesn't
> mean they can do anything.
>
> --
> Dan Nelson
> dnelson@allantgroup.com
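Dan's suggestion of a minimal /etc, /lib and /bin per home directory, as an added example that is not part of this thread: a POSIX sh script that builds such a chroot by copying each binary together with the shared libraries ldd reports, writing a one-account /etc/passwd, and keeping the jail root and system directories out of the user's write reach. The layout (a writable home/USER inside the jail), the function names and the refusal of setuid/setgid binaries are this example's own choices; it does not attempt the /usr/X11R6 replication Dan mentions.

```shell
#!/bin/sh
# Build a minimal per-user chroot: copies the requested binaries plus the
# shared libraries they link against (resolved with ldd), writes a one-line
# /etc/passwd, and leaves only home/USER writable by the jailed account.
# Usage: make_home_jail JAILDIR USER BIN...
set -eu

# Copy one file into the jail at the same absolute path, following symlinks
# so the jail gets the real file rather than a dangling link.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -pL "$src" "$jail$src"
}

# Print the absolute paths of the shared objects a binary needs. ldd output
# differs slightly between FreeBSD and Linux, so take every field that is an
# absolute path: this covers "libc.so.7 => /lib/libc.so.7 (0x...)" as well
# as the bare dynamic-loader line.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

make_home_jail() {
    jail=$1; user=$2; shift 2
    mkdir -p "$jail/etc" "$jail/bin" "$jail/lib" "$jail/home/$user"
    for bin in "$@"; do
        # Never copy setuid/setgid programs into a chroot: a privileged
        # binary inside the jail is the classic way to escape it.
        if [ -u "$bin" ] || [ -g "$bin" ]; then
            echo "refusing to copy setuid/setgid binary $bin" >&2
            return 1
        fi
        copy_into_jail "$jail" "$bin"
        for lib in $(needed_libs "$bin"); do
            copy_into_jail "$jail" "$lib"
        done
    done
    # Minimal /etc/passwd: only the jailed account, with its home rewritten
    # to the path it will have once chrooted; other accounts stay invisible.
    awk -F: -v u="$user" 'BEGIN { OFS = ":" } $1 == u { $6 = "/home/" u; print }' \
        /etc/passwd > "$jail/etc/passwd"
    # System directories are read-only for the user; only home/USER is theirs.
    chmod 755 "$jail" "$jail/etc" "$jail/bin" "$jail/lib"
    chmod 700 "$jail/home/$user"
    # When run as root, also: chown root "$jail" "$jail/etc" "$jail/bin"
    # "$jail/lib" and chown "$user" "$jail/home/$user".
}
```

A jailed X login would still need the /usr/X11R6 tree Dan mentions, copied with the same copy_into_jail/needed_libs pair.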