From owner-freebsd-questions@FreeBSD.ORG Thu Apr 10 13:50:49 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 38EEB37B489 for ; Thu, 10 Apr 2003 13:50:49 -0700 (PDT) Received: from ntli.com (pc1-glfd2-4-cust59.glfd.cable.ntl.com [81.99.187.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A5A143FBF for ; Thu, 10 Apr 2003 13:50:47 -0700 (PDT) (envelope-from william@palfreman.com) Received: from aqua.lan.palfreman.com (localhost [127.0.0.1]) by ntli.com (8.12.3p2/8.12.3) with ESMTP id h3AKvRuG058985; Thu, 10 Apr 2003 21:57:28 +0100 (BST) (envelope-from william@palfreman.com) Received: from localhost (william@localhost)h3AKvRMT058982; Thu, 10 Apr 2003 21:57:27 +0100 (BST) X-Authentication-Warning: aqua.lan.palfreman.com: william owned process doing -bs Date: Thu, 10 Apr 2003 21:57:27 +0100 (BST) From: William Palfreman To: Ian Barnes In-Reply-To: Message-ID: <20030410213146.N40826@ndhn.yna.cnyserzna.pbz> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-questions@freebsd.org Subject: Re: Shell Server X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2003 20:50:49 -0000 On Thu, 10 Apr 2003, Ian Barnes wrote: > Hi, > > I am looking at setting up a shell server. This server will host shells for > various people. > > What i would like to know is how i could chroot the users to their own dir's > and only allow certain users to use certain programs. What is the easiest > way of giving them certain space on the server and a domainname.com/~user > web site ? What would be the best way of doing this?? Would it be best to > use ssh ? Something else i havent thought about with regards to security ??? I know people do chroot users to their own dirs, but I don't because I think it degrades the user experience. You could set up a jail system, but I don't tend to bother, because it interferes with the ability of users to work on common files, and it wastes disk space IMO. If I were you, I would use ssh normal logins, and treat the machine as basically sacrificial. What I would be tempted to do is have the webserver on another machine and use an NFS to store their www stuff, either from the webserver or even from another storage orientated server altogether. Then if worst comes to the worst they can damage each others data, but not effect the actual webserver. You might find you still have to give them unencrypted FTP access, in which case someone sniffing passwords it is quite likely, and being rooted is also more likely. With your users data elsewhere, if/when that happens you can do a nice reinstall without real loss. -- W. Palfreman. I'm looking for a job. Read my CV at: Tel: 0771 355 0354 www.palfreman.com/william/cv-wfp2.html