From owner-freebsd-isp Tue Nov 6 7:13:58 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from sanyu1.sanyutel.com (sanyu1.sanyutel.com [216.250.215.14]) by hub.freebsd.org (Postfix) with ESMTP id 9114937B416 for ; Tue, 6 Nov 2001 07:12:52 -0800 (PST)
Received: from localhost (ksemat@localhost) by sanyu1.sanyutel.com (8.11.3/) with ESMTP id fA6FF6M02955; Tue, 6 Nov 2001 18:15:09 +0300
X-Authentication-Warning: sanyu1.sanyutel.com: ksemat owned process doing -bs
Date: Tue, 6 Nov 2001 18:15:06 +0300 (EAT)
From:
To: Sven Huster
Cc:
Subject: Re: restrict shell access
In-Reply-To: <00f701c166b5$c6546d20$fe00fa0a@venus>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Simple chroot I use:

    mkdir /usr/rbin
    chmod 0755 /usr/rbin

Put the commands you would like users to be able to execute in /usr/rbin.

Edit /etc/skel/.profile and put an explicit path in there:

    PATH=/usr/rbin

That way all new users will get this by default.

Create a symbolic link /usr/bin/rbash to /usr/local/bin/bash and use this as the login shell for these users.

And also remember to

    chflags schg /home/$user/.profile

so that the user will not be able to edit his .profile and change the path settings, or even be able to delete it.

Not perfect, but it works for me. The restricted bash shell prevents users from being able to explicitly specify commands with a leading slash and lots of other things. And because they are restricted to a certain directory, they cannot specify another shell on the command line.

Noah.
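The following is an added example, not part of Noah's message or of FreeBSD itself. It lays out the same restricted-shell pieces (a commands directory, an rbash symlink to bash, a .profile that pins PATH) under a scratch directory so it can be run unprivileged, then audits the layout and probes what restricted bash actually blocks. The function names (make_restricted_env, audit_restricted_env, rbash_result) and the scratch layout are assumptions of this example; the chflags step is only printed, since it needs root and a BSD kernel.

```shell
#!/bin/sh
# Added example: build, audit and probe a restricted-shell environment in a
# scratch ROOT instead of /usr and /etc. Names and layout are assumptions.

# make_restricted_env ROOT CMD...  -> ROOT/rbin (symlinks to allowed commands),
# ROOT/rbash (bash under the name rbash runs restricted), ROOT/home/.profile.
make_restricted_env() {
    root=$1; shift
    mkdir -p "$root/rbin" "$root/home"
    chmod 0755 "$root/rbin"
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "no such command: $cmd" >&2; return 1; }
        ln -sf "$target" "$root/rbin/$cmd"
    done
    if bash_bin=$(command -v bash); then
        ln -sf "$bash_bin" "$root/rbash"
    fi
    # Explicit PATH in the profile; restricted bash makes PATH read-only afterwards.
    printf 'PATH=%s\nexport PATH\n' "$root/rbin" > "$root/home/.profile"
    # On FreeBSD the profile would then be pinned with (root-only, not run here):
    echo "todo as root: chflags schg $root/home/.profile"
}

# audit_restricted_env ROOT CMD...  -> returns 0 when rbin is not group/world
# writable, holds only the allow-listed names, and .profile pins PATH to rbin.
audit_restricted_env() {
    root=$1; shift
    [ -d "$root/rbin" ] || { echo "missing rbin" >&2; return 1; }
    if [ -n "$(find "$root/rbin" -maxdepth 0 -perm -022)" ]; then
        echo "rbin is group/world writable" >&2; return 1
    fi
    for entry in "$root/rbin"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory
        name=${entry##*/}; ok=0
        for allowed in "$@"; do [ "$name" = "$allowed" ] && ok=1; done
        [ "$ok" = 1 ] || { echo "unexpected command in rbin: $name" >&2; return 1; }
    done
    grep -qx "PATH=$root/rbin" "$root/home/.profile" \
        || { echo ".profile does not pin PATH to rbin" >&2; return 1; }
}

# rbash_result ROOT 'command line'  -> prints allowed, blocked, or unavailable
# (no bash on this host). Runs the line through ROOT/rbash with PATH=ROOT/rbin.
rbash_result() {
    root=$1; cmdline=$2
    [ -x "$root/rbash" ] || { echo unavailable; return 0; }
    if PATH="$root/rbin" "$root/rbash" -c "$cmdline" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

main() {
    root=$(mktemp -d)
    make_restricted_env "$root" ls cat
    audit_restricted_env "$root" ls cat && echo "audit: ok"
    # The last probe shows the known gap: arguments with slashes are not
    # restricted, so an allowed command can still reach any readable path.
    for c in 'echo hi' 'cd /' '/bin/echo hi' 'PATH=/bin' 'cat /dev/null'; do
        printf '%-16s %s\n' "$c" "$(rbash_result "$root" "$c")"
    done
    rm -rf "$root"
}

if [ "${RSHELL_DEMO:-0}" = 1 ]; then
    main
fi
```

Run with RSHELL_DEMO=1 to see the probe table. The audit is the part worth keeping around: the scheme only holds while the commands directory stays root-owned and unwritable, nothing unexpected lands in it, and the profile still sets PATH, so those three conditions are what a periodic check should confirm.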