Date: Wed, 19 Dec 2001 17:20:06 -0500 (EST) From: lonnie@outstep.com To: Dan Nelson <dnelson@allantgroup.com> Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG> Subject: Re: FreeBSD and restricting users Message-ID: <1008800406.3c2112967d195@mail.outstep.com> In-Reply-To: <20011219223131.GC30574@dan.emsphone.com> References: <01C188B0.4CDDA3E0@VAIO> <20011219223131.GC30574@dan.emsphone.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks Dan, This is the same solution that I have already found from the Linux side as well and is currently not an option for our particular impolementation. We really need to be able to limit the users from navigaiting out of their HOME directories for this particular SPECIAL project. I just saw something on the FreeBSD website about "sandboxes" that might be interesting in this respect, but I am not sure if it would be possible to put each user graphicl login session into a "sandbox". Best Regards, Lonnie Quoting Dan Nelson <dnelson@allantgroup.com>: > In the last episode (Dec 19), Lonnie Cumberland said: > > The basic problem is this. It is very easy to keep a user from > > entering into a directory after they have logged in, but it is VERY > > hard to keep a user locked into their HOME directory. > > > > We have looked at chrooted solutions as well, but they fail when a > > user logs in through XDM and start up an application like Netscape > or > > StarOffice. Once that happens, they are free to navigate throughout > > the system. > > > > Can FreeBSD solve the problem of preventing a user from leaving > their > > HOME directory while still allowing them to run OpenOffice? > > If you really truly don't want them seeing anything outside their > $HOME, chroot is your only choice. Create a minimal /etc, /lib, /bin > etc in each homedir and you should be set. Note you'll have to > replicate most of /usr/X11R6 for any X app to work. > > What exactly are you trying to keep users from doing? A standard > install should not expose any private info or leave directories > incorrectly writable. Just because they can browse into /etc doesn't > mean they can do anything. > > -- > Dan Nelson > dnelson@allantgroup.com > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1008800406.3c2112967d195>