From owner-freebsd-security@FreeBSD.ORG  Wed May 19 20:30:39 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DE2C416A4CE
	for <freebsd-security@freebsd.org>;
	Wed, 19 May 2004 20:30:39 -0700 (PDT)
Received: from therub.org (pantheon-ws-13.direct.hickorytech.net
	[216.114.200.206])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 77D3143D49
	for <freebsd-security@freebsd.org>;
	Wed, 19 May 2004 20:30:39 -0700 (PDT)	(envelope-from drue@therub.org)
Received: from drue by therub.org with local (Exim 3.35 #1 (Debian))
	id 1BQeGH-0007EA-00; Wed, 19 May 2004 22:30:25 -0500
Date: Wed, 19 May 2004 22:30:25 -0500
From: Dan Rue <drue@therub.org>
To: Remko Lodder <remko@elvandar.org>
Message-ID: <20040520033024.GA26640@therub.org>
References: <20040518160517.GA10067@therub.org>
	<OPEPILILPLAKPFCNKOKAGEGHCBAA.remko@elvandar.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <OPEPILILPLAKPFCNKOKAGEGHCBAA.remko@elvandar.org>
User-Agent: Mutt/1.3.28i
cc: freebsd-security@freebsd.org
cc: "David E. Meier" <dev@eth0.ch>
Subject: Re: [Freebsd-security] Re: Multi-User Security
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2004 03:30:40 -0000

*Cough *Cough, 

On Tue, May 18, 2004 at 06:08:52PM +0200, Remko Lodder wrote:
> Ahem,
> 
> D> You generally would like to avoid giving people shell (ssh) access if
> D> you can avoid it.  If you must give shell access, it is best to set up a
> D> jail.
> 
> D> However, if you're just doing backup/file access - shell access isn't
> D> necessary.  You can do ftps, (ports/ftp/bsdftpd-ssl), and easily use
> D> that to chroot users.  You can do sftp (without ssh shell access), but
> D> that's trickier to set up.
> 
> real tricky :-> scponly-3.8_1|/usr/ports/shells/scponly|/usr/local|A tiny
> shell that only permits scp and
> sftp|/usr/ports/shells/scponly/pkg-descr|rushani@FreeBSD.org|shells|||http:/
> /www.sublimation.org/scponly/
> But not that hard.... ;-)

You obviously havn't tried to chroot scponly users.. _that's_ the tricky
part.  Especially if you want it to scale up beyond a handful of users.
If i'm wrong - fill me in i'd love to hear how to do it.

Dan