From owner-freebsd-questions Wed Dec 19 16:19:42 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from sage-american.com (sage-american.com [216.122.141.44]) by hub.freebsd.org (Postfix) with ESMTP id D0C9137B416 for ; Wed, 19 Dec 2001 16:19:35 -0800 (PST)
Received: from SAGEONE (adsl-64-219-21-136.dsl.crchtx.swbell.net [64.219.21.136]) by sage-american.com (8.9.3/8.9.3) with SMTP id SAA20246; Wed, 19 Dec 2001 18:19:25 -0600 (CST)
Message-Id: <3.0.5.32.20011219181923.01629508@mail.sage-american.com>
X-Sender: jacks@mail.sage-american.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Wed, 19 Dec 2001 18:19:23 -0600
To: "Anthony Atkielski" ,
From: jacks@sage-american.com
Subject: Re: FreeBSD and restricting users
Cc: "'freebsd-questions@freebsd.org'"
In-Reply-To: <00f401c188ea$d0829c70$0a00000a@atkielski.com>
References: <01C188B0.4CDDA3E0@VAIO> <20011219223131.GC30574@dan.emsphone.com> <1008800406.3c2112967d195@mail.outstep.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> and I'm not sure that it actually allows you to lock
> users out of the rest of the machine. ..."

...it doesn't...

At 01:10 AM 12.20.2001 +0100, Anthony Atkielski wrote:
> What about virtual servers? Rather high overhead, but it's practically like
> giving them their own machine. I don't know how well it would support X
> applications, though, and I'm not sure that it actually allows you to lock
> users out of the rest of the machine.
>
> ----- Original Message -----
> From:
> To: "Dan Nelson"
> Cc: "'freebsd-questions@freebsd.org'"
> Sent: Wednesday, December 19, 2001 23:20
> Subject: Re: FreeBSD and restricting users
>
>
>> Thanks Dan,
>>
>> This is the same solution that I have already found from the Linux side as well
>> and is currently not an option for our particular implementation.
>>
>> We really need to be able to limit the users from navigating out of their HOME
>> directories for this particular SPECIAL project.
>>
>> I just saw something on the FreeBSD website about "sandboxes" that might be
>> interesting in this respect, but I am not sure if it would be possible to put
>> each user's graphical login session into a "sandbox".
>>
>> Best Regards,
>> Lonnie
>>
>> Quoting Dan Nelson :
>>
>> > In the last episode (Dec 19), Lonnie Cumberland said:
>> > > The basic problem is this. It is very easy to keep a user from
>> > > entering into a directory after they have logged in, but it is VERY
>> > > hard to keep a user locked into their HOME directory.
>> > >
>> > > We have looked at chrooted solutions as well, but they fail when a
>> > > user logs in through XDM and starts up an application like Netscape or
>> > > StarOffice. Once that happens, they are free to navigate throughout
>> > > the system.
>> > >
>> > > Can FreeBSD solve the problem of preventing a user from leaving their
>> > > HOME directory while still allowing them to run OpenOffice?
>> >
>> > If you really truly don't want them seeing anything outside their
>> > $HOME, chroot is your only choice. Create a minimal /etc, /lib, /bin
>> > etc in each homedir and you should be set. Note you'll have to
>> > replicate most of /usr/X11R6 for any X app to work.
>> >
>> > What exactly are you trying to keep users from doing? A standard
>> > install should not expose any private info or leave directories
>> > incorrectly writable. Just because they can browse into /etc doesn't
>> > mean they can do anything.
>> >
>> > --
>> > Dan Nelson
>> > dnelson@allantgroup.com
>> >
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message
>>
>
>

Best regards,
Jack L. Stone,
Server Admin
Sage-American
http://www.sage-american.com
jacks@sage-american.com
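Dan Nelson's suggestion above (a minimal /etc, /lib, /bin under each home directory, with every binary's shared libraries copied alongside it) is the kind of thing that goes wrong quietly: a forgotten library, a stray setuid copy, or a writable /lib that lets the user replace what the chroot runs. The script below is an added example, not code from this thread or from FreeBSD; it builds such a skeleton as a plain POSIX sh script and then audits the result the way an administrator would before letting a login land in it. The directory layout, the program list, the placeholder /etc/passwd and /etc/group contents and the function names are all constructed assumptions; wiring the chroot into the login path (and populating /dev) is a separate privileged step that the script does not do.

```shell
#!/bin/sh
# Added example (not from the thread): build a per-user chroot skeleton of the
# kind Dan Nelson describes, then audit it before it is used. Layout, program
# list and /etc contents are constructed assumptions. Needs no root to build
# the tree; applying chroot(2) at login is a separate privileged step.

# Copy one program plus every shared library ldd reports for it into the tree
# rooted at $1. A static binary is copied with no libraries.
copy_with_libs() {
    cw_root="$1"; cw_prog="$2"
    [ -x "$cw_prog" ] || { echo "not executable: $cw_prog" >&2; return 1; }
    mkdir -p "$cw_root$(dirname "$cw_prog")"
    cp "$cw_prog" "$cw_root$cw_prog"
    # ldd prints "libc.so.N => /path/libc.so.N (0x..)" for resolved libraries
    # and, on Linux, a bare "/path/ld.so (0x..)" for the loader. Every field
    # that is an absolute path to an existing file gets copied to the same
    # path inside the tree. ldd's own "/bin/sh:" header on FreeBSD is skipped
    # by the -f test.
    ldd "$cw_prog" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r cw_lib; do
            [ -f "$cw_lib" ] || continue
            mkdir -p "$cw_root$(dirname "$cw_lib")"
            cp "$cw_lib" "$cw_root$cw_lib"
        done
}

# Create the minimal layout (/etc, /lib, /bin, /tmp, /dev) under $1 and
# populate it with the programs given as the remaining arguments.
build_chroot() {
    bc_root="$1"; shift
    umask 022   # nothing created here should come out group/world-writable
    for bc_dir in bin lib etc tmp dev; do
        mkdir -p "$bc_root/$bc_dir"
    done
    chmod 1777 "$bc_root/tmp"
    # Placeholder passwd/group so name lookups inside the chroot resolve. No
    # password hashes and no real accounts are copied from the host.
    printf 'root:*:0:0:root:/:/usr/sbin/nologin\n' > "$bc_root/etc/passwd"
    printf 'wheel:*:0:\n' > "$bc_root/etc/group"
    for bc_prog in "$@"; do
        copy_with_libs "$bc_root" "$bc_prog" || return 1
    done
}

# Defender's check before the tree goes live: no setuid/setgid files (a stray
# suid copy of a host binary is a privilege-escalation path) and nothing
# group- or world-writable apart from /tmp (a writable /lib or /etc lets the
# confined user swap in code the chroot then runs). Lists offenders on
# stderr and returns 1 if any were found.
audit_chroot() {
    ac_root="$1"
    ac_bad=$(
        find "$ac_root" -type f \( -perm -4000 -o -perm -2000 \) -print
        find "$ac_root" -path "$ac_root/tmp" -prune -o \
            \( -perm -020 -o -perm -002 \) ! -type l -print
    )
    [ -z "$ac_bad" ] || { printf 'chroot audit failed:\n%s\n' "$ac_bad" >&2; return 1; }
}

# Usage: sh mkchroot.sh /home/lonnie/jail /bin/sh /bin/ls
if [ "$#" -ge 2 ]; then
    build_chroot "$@" && audit_chroot "$1"
fi
```

Two things the script leaves to the deployment: the chroot's root directory and its bin/lib/etc trees must end up owned by root and not writable by the confined user (a user-writable root defeats the confinement), and an X client inside the tree still needs a path to the X server, which is why Dan's note about replicating /usr/X11R6 matters and why the X socket directory under /tmp has to be reachable from inside.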