Date: Wed, 19 Dec 2001 18:19:23 -0600
From: jacks@sage-american.com
To: "Anthony Atkielski" <anthony@freebie.atkielski.com>, <lonnie@outstep.com>
Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
Subject: Re: FreeBSD and restricting users
Message-ID: <3.0.5.32.20011219181923.01629508@mail.sage-american.com>
In-Reply-To: <00f401c188ea$d0829c70$0a00000a@atkielski.com>
References: <01C188B0.4CDDA3E0@VAIO> <20011219223131.GC30574@dan.emsphone.com> <1008800406.3c2112967d195@mail.outstep.com>

> and I'm not sure that it actually allows you to lock
>users out of the rest of the machine. ..."

...it doesn't...

At 01:10 AM 12.20.2001 +0100, Anthony Atkielski wrote:
>What about virtual servers?  Rather high overhead, but it's practically like
>giving them their own machine.  I don't know how well it would support X
>applications, though, and I'm not sure that it actually allows you to lock
>users out of the rest of the machine.
>
>----- Original Message -----
>From: <lonnie@outstep.com>
>To: "Dan Nelson" <dnelson@allantgroup.com>
>Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
>Sent: Wednesday, December 19, 2001 23:20
>Subject: Re: FreeBSD and restricting users
>
>
>> Thanks Dan,
>>
>> This is the same solution that I have already found from the Linux side
>> as well and is currently not an option for our particular implementation.
>>
>> We really need to be able to limit the users from navigating out of their
>> HOME directories for this particular SPECIAL project.
>>
>> I just saw something on the FreeBSD website about "sandboxes" that might
>> be interesting in this respect, but I am not sure if it would be possible
>> to put each user graphical login session into a "sandbox".
>>
>> Best Regards,
>> Lonnie
>>
>> Quoting Dan Nelson <dnelson@allantgroup.com>:
>>
>> > In the last episode (Dec 19), Lonnie Cumberland said:
>> > > The basic problem is this. It is very easy to keep a user from
>> > > entering into a directory after they have logged in, but it is VERY
>> > > hard to keep a user locked into their HOME directory.
>> > >
>> > > We have looked at chrooted solutions as well, but they fail when a
>> > > user logs in through XDM and starts up an application like Netscape
>> > > or StarOffice. Once that happens, they are free to navigate
>> > > throughout the system.
>> > >
>> > > Can FreeBSD solve the problem of preventing a user from leaving
>> > > their HOME directory while still allowing them to run OpenOffice?
>> >
>> > If you really truly don't want them seeing anything outside their
>> > $HOME, chroot is your only choice.  Create a minimal /etc, /lib, /bin
>> > etc in each homedir and you should be set.  Note you'll have to
>> > replicate most of /usr/X11R6 for any X app to work.
>> >
>> > What exactly are you trying to keep users from doing?  A standard
>> > install should not expose any private info or leave directories
>> > incorrectly writable.  Just because they can browse into /etc doesn't
>> > mean they can do anything.
>> >
>> > --
>> > Dan Nelson
>> > dnelson@allantgroup.com
>> >
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message
>>
>
>

Best regards,
Jack L. Stone,
Server Admin

Sage-American
http://www.sage-american.com
jacks@sage-american.com
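
Dan Nelson's suggestion quoted above (a minimal /etc, /lib, /bin in each home directory), sketched as an added example that is not part of the original thread. The function names, the jail path argument and the script name are hypothetical, and the script assumes ldd(1) is available to list a program's shared libraries.

```shell
#!/bin/sh
# Added example (not from the thread): fill a per-user chroot tree with the
# programs a user may run plus the shared libraries those programs load.
# Function names and the jail path argument are hypothetical.

# Print the absolute paths of the shared objects PROGRAM loads, per ldd(1).
# Skips the "program:" header line and entries without a path (e.g. vDSO);
# prints nothing for a static binary.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^\// && $i !~ /:$/) { print $i; break } }' | sort -u
}

# Copy SRC into JAIL at the same absolute path, following symlinks.
copy_into() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# build_jail JAIL PROGRAM...: create the skeleton, then install each program
# and its libraries (library paths containing spaces are not handled).
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/etc" "$jail/bin" "$jail/lib" "$jail/tmp" || return 1
    chmod 1777 "$jail/tmp"
    for prog in "$@"; do
        [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 1; }
        copy_into "$jail" "$prog" || return 1
        for lib in $(needed_libs "$prog"); do
            copy_into "$jail" "$lib" || return 1
        done
    done
}

# missing_libs JAIL PROGRAM: count libraries PROGRAM needs that JAIL lacks.
# 0 means every library ldd reports for PROGRAM is present inside JAIL.
missing_libs() {
    n=0
    for lib in $(needed_libs "$2"); do
        [ -e "$1$lib" ] || n=$((n + 1))
    done
    echo "$n"
}

# Run as: sh mkjail.sh /home/alice /bin/sh /bin/ls   (constructed paths)
if [ "$#" -ge 2 ]; then build_jail "$@"; fi
```

ldd reports only shared libraries, so the data files an X application reads (the /usr/X11R6 tree mentioned in the quoted reply) still have to be replicated separately.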
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.5.32.20011219181923.01629508>