From owner-freebsd-isp Sun Dec 5 15:19:18 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from cliff.i-plus.net (cliff.i-plus.net [209.100.20.42]) by hub.freebsd.org (Postfix) with ESMTP id 4D4DE14CEC for ; Sun, 5 Dec 1999 15:19:07 -0800 (PST) (envelope-from st@i-plus.net)
Received: from abyss (is.dashit.net [209.100.22.250]) by cliff.i-plus.net (8.9.3/8.9.3) with SMTP id SAA81858; Sun, 5 Dec 1999 18:19:04 -0500 (EST)
From: "Troy Settle"
To: "Aaron Sonntag" ,
Subject: RE: Shell shocked / a shell for every season?
Date: Sun, 5 Dec 1999 18:18:01 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
In-Reply-To:
Importance: Normal
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

For us, every account has email and a home directory (actually, mail is delivered to $HOME/.mail for every user). Everyone's shell is set to /sbin/nologin by default. We enable regular shell access on a case-by-case basis.

Dialup users are assigned to a group called 'dialup', non-dialup are assigned to group 'email'. Radius rejects dialup access to people in the 'email' group.

For FTP, we use ncftpd, which restricts users in those groups to their home directories. If you want to limit FTP, you can do so by group (email-only accounts don't have ftp access on our network). I believe you might be able to do it by giving users a shell not listed in /etc/shells (assuming that your FTP server looks for a valid shell, which I believe ncftpd does).

I'm not sure how you would restrict people from using mail, or if you'd even want to. Most ISPs make use of email to make announcements to their users.

With proper use of gid assignments and system configuration, you can have a very flexible set of services:

  dialup  = dialup, email, ftp
  mlppp   = 2 channel dialup, email, ftp
  email   = email only
  ftp     = email and ftp
  ftponly = ftp only (might require some hackery to prevent mail)

You can create any number of groups, and use each to control access to the combination of services you want.

Hell, now that I think about it, you're supposed to be able to use the class field in the passwd file to limit things as well.

HTH,
Troy

** -----Original Message-----
** From: owner-freebsd-isp@FreeBSD.ORG
** [mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Aaron Sonntag
** Sent: Sunday, December 05, 1999 4:32 PM
** To: freebsd-isp@FreeBSD.ORG
** Subject: Shell shocked / a shell for every season?
**
**
** I have a variety of users I need to accommodate/limit.
**
** By editing vipw myself I have been able to create mail-only accounts using
** /nonexistent for home directory and /usr/bin/passwd for the shell...
** Is there a better solution?
** I heard this solution is a security issue.
**
** How can I do something similar and limit certain accounts to ftp only?
**
** How can I do something similar and limit certain accounts to ftp and mail
** only?
**
** How do I keep users from leaving the /home partition? I don't want them to
** be able to cd to / or /etc or /root for example.
** I saw something about 'chmod 700 $HOME /home/averageuser'. I really don't
** know.
**
** I have done the usual searching of deja and freebsd mail archives and did
** not get much in the way of specific answers.
**
** Thank you,
**
** Aaron
**
**
**
** To Unsubscribe: send mail to majordomo@FreeBSD.org
** with "unsubscribe freebsd-isp" in the body of the message
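The following is an added example, not code from Troy's message or from any ISP's real configuration. It models the group-to-service scheme Troy describes as a policy check: a user's services are derived from which group they belong to, an ncftpd-style daemon is modelled as "the login shell must be listed in /etc/shells", and the RADIUS rule is "members of 'email' are refused dialup". All file contents, user names and gids are constructed stand-ins for /etc/passwd, /etc/group and /etc/shells; nothing here reads or modifies the real system files. It also shows why Aaron's /usr/bin/passwd-as-shell trick yields no FTP access under an /etc/shells check, which is the point Troy raises.

```shell
#!/bin/sh
# Added example: models the group-based service policy from the thread.
# Everything here is constructed sample data; it never touches the real
# /etc/passwd, /etc/group or /etc/shells. Service names, group names and
# users are assumptions for illustration only.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SHELLS="$WORK/shells"   # stands in for /etc/shells
PASSWD="$WORK/passwd"   # stands in for /etc/passwd
GROUP="$WORK/group"     # stands in for /etc/group

cat > "$SHELLS" <<'EOF'
/bin/sh
/bin/csh
EOF

# name:passwd:uid:gid:gecos:home:shell  (constructed accounts)
cat > "$PASSWD" <<'EOF'
alice:*:1001:1001:dialup customer:/home/alice:/sbin/nologin
bob:*:1002:1002:email-only customer:/home/bob:/sbin/nologin
carol:*:1003:1003:ftp-only customer:/home/carol:/sbin/nologin
dave:*:1004:1004:staff with shell:/home/dave:/bin/sh
erin:*:1005:1005:mail-only via bogus shell:/nonexistent:/usr/bin/passwd
EOF

# group:passwd:gid:members  (constructed; one group per service bundle)
cat > "$GROUP" <<'EOF'
dialup:*:2001:alice
email:*:2002:bob
ftponly:*:2003:carol
staff:*:2004:dave
EOF

# Login shell of a user, read from the passwd file.
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD"
}

# Supplementary groups a user is a member of, one per line.
user_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$GROUP"
}

# The check an ncftpd-style daemon applies: the shell must be in /etc/shells.
shell_is_valid() {
    [ -n "$1" ] && grep -qx -- "$1" "$SHELLS"
}

# Services a user gets: group membership decides the bundle, and interactive
# shell access is granted only when the login shell passes the shells check.
services_for() {
    out=""
    for g in $(user_groups "$1"); do
        case $g in
            dialup)  out="$out dialup email ftp" ;;
            mlppp)   out="$out mlppp email ftp" ;;
            email)   out="$out email" ;;
            ftp)     out="$out email ftp" ;;
            ftponly) out="$out ftp" ;;
        esac
    done
    if shell_is_valid "$(user_shell "$1")"; then
        out="$out shell"
    fi
    # Deduplicate and print as one sorted, space-separated line.
    printf '%s\n' $out | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# The RADIUS rule from the thread: 'email' members are refused dialup;
# only 'dialup' or 'mlppp' members are allowed. Returns 0 when allowed.
radius_allows_dialup() {
    allowed=1
    for g in $(user_groups "$1"); do
        case $g in
            email) return 1 ;;
            dialup|mlppp) allowed=0 ;;
        esac
    done
    return $allowed
}

# Report for every constructed account.
for u in alice bob carol dave erin; do
    if radius_allows_dialup "$u"; then r=allowed; else r=refused; fi
    printf '%-6s shell=%-15s groups=[%s] services=[%s] dialup=%s\n' \
        "$u" "$(user_shell "$u")" \
        "$(user_groups "$u" | tr '\n' ' ' | sed 's/ $//')" \
        "$(services_for "$u")" "$r"
done
```

In the report, erin ends up with no services at all: she is in no group and /usr/bin/passwd is not in the shells file, which is exactly the behaviour Troy expects from a daemon that consults /etc/shells. Granting her mail would be done by putting her in the email group, not by picking an odd shell.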