From owner-freebsd-questions Wed Dec 19 16:11:21 2001 Delivered-To: freebsd-questions@freebsd.org Received: from freebie.atkielski.com (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by hub.freebsd.org (Postfix) with ESMTP id A42D937B41B for ; Wed, 19 Dec 2001 16:11:09 -0800 (PST) Received: from contactdish ([10.0.0.10]) by freebie.atkielski.com (8.11.3/8.11.3) with SMTP id fBK0B3R26047; Thu, 20 Dec 2001 01:11:04 +0100 (CET) (envelope-from anthony@freebie.atkielski.com) Message-ID: <00f401c188ea$d0829c70$0a00000a@atkielski.com> From: "Anthony Atkielski" To: Cc: "'freebsd-questions@freebsd.org'" References: <01C188B0.4CDDA3E0@VAIO> <20011219223131.GC30574@dan.emsphone.com> <1008800406.3c2112967d195@mail.outstep.com> Subject: Re: FreeBSD and restricting users Date: Thu, 20 Dec 2001 01:10:57 +0100 Organization: Anthony's Home Page (development site) MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG What about virtual servers? Rather high overhead, but it's practically like giving them their own machine. I don't know how well it would support X applications, though, and I'm not sure that it actually allows you to lock users out of the rest of the machine. ----- Original Message ----- From: To: "Dan Nelson" Cc: "'freebsd-questions@freebsd.org'" Sent: Wednesday, December 19, 2001 23:20 Subject: Re: FreeBSD and restricting users > Thanks Dan, > > This is the same solution that I have already found from the Linux side as well > and is currently not an option for our particular impolementation. > > We really need to be able to limit the users from navigaiting out of their HOME > directories for this particular SPECIAL project. > > I just saw something on the FreeBSD website about "sandboxes" that might be > interesting in this respect, but I am not sure if it would be possible to put > each user graphicl login session into a "sandbox". > > Best Regards, > Lonnie > > Quoting Dan Nelson : > > > In the last episode (Dec 19), Lonnie Cumberland said: > > > The basic problem is this. It is very easy to keep a user from > > > entering into a directory after they have logged in, but it is VERY > > > hard to keep a user locked into their HOME directory. > > > > > > We have looked at chrooted solutions as well, but they fail when a > > > user logs in through XDM and start up an application like Netscape > > or > > > StarOffice. Once that happens, they are free to navigate throughout > > > the system. > > > > > > Can FreeBSD solve the problem of preventing a user from leaving > > their > > > HOME directory while still allowing them to run OpenOffice? > > > > If you really truly don't want them seeing anything outside their > > $HOME, chroot is your only choice. Create a minimal /etc, /lib, /bin > > etc in each homedir and you should be set. Note you'll have to > > replicate most of /usr/X11R6 for any X app to work. > > > > What exactly are you trying to keep users from doing? A standard > > install should not expose any private info or leave directories > > incorrectly writable. Just because they can browse into /etc doesn't > > mean they can do anything. > > > > -- > > Dan Nelson > > dnelson@allantgroup.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message