From: Walter Hop
Date: Wed, 7 Nov 2001 13:19:17 +0100
To: Sven Huster
Cc: freebsd-isp@freebsd.org
Subject: Re: restrict shell access
Message-ID: <11341310391.20011107131917@binity.com>
In-Reply-To: <00f701c166b5$c6546d20$fe00fa0a@venus>

[in reply to sven.huster@mailsurf.com, 06-11-2001]

> need to restrict them to their home or some other dir + subdir, sounds
> like chroot ;-)

I am using chrsh for this and am very happy with it:
http://www.aarongifford.com/computers/chrsh.html

I have set up a chroot for shell users so they cannot fiddle around too easily.

(It must be noted that users can do pretty much whatever they want using the mail or web servers' permissions; if you run these servers and let people use them, a chroot should only be seen as a small "threshold" that will keep people from inadvertently viewing other people's files.)

Some problems arise when users cannot get to common files; these can be solved by using TCP/IP alternatives. For instance, users have to manage their mail through imap/smtp instead of just opening their mail spools and calling sendmail.

If you place people in a chroot, you need to copy certain libraries into the chroot environment to make life easy for them. If you want to know, I can dig up a list of bins, devs and libs that I found useful to give to chrooted users so they can make proper use of the most needed utilities, without actually giving them too much power. Some tools like screen(1) have a habit of emitting strange error messages when devices or libraries are not present.

-- 
Walter Hop
Updated contact information: http://www.binity.com/~walter/
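The "copy certain libraries into the chroot" step from the message above, as an added example that is not part of Walter's mail or of chrsh: a POSIX shell function that installs one binary plus every shared library ldd reports for it, at the same paths, under a chroot root. It assumes ldd is present and prints the usual "name => /path (addr)" lines (FreeBSD and Linux both do); device nodes such as /dev/null still have to be created separately with mknod as root.

```shell
#!/bin/sh
# Populate a chroot with a binary and the shared objects it links against.
# Added illustration, not chrsh code. Assumes ldd output of the form
# "libc.so.7 => /lib/libc.so.7 (0x...)" or "/libexec/ld-elf.so.1 (0x...)".

# Print absolute paths of the shared objects a dynamic binary needs.
# A statically linked binary makes ldd fail, which yields an empty list.
chroot_list_libs() {
    ldd "$1" 2>/dev/null | awk '
        $0 ~ /=>/  { if ($3 ~ /^\//) print $3; next }  # skip "=> not found"
        $1 ~ /^\// { print $1 }                         # runtime linker line
    ' | sort -u
}

# Copy one host file into the chroot at the same path it has on the host.
# cp follows symlinks, so the real file lands inside the jail.
chroot_copy() {
    cr_root="$1"; cr_src="$2"
    mkdir -p "$cr_root$(dirname "$cr_src")"
    cp "$cr_src" "$cr_root$cr_src"
}

# Install a binary and all of its libraries into the chroot.
# Usage: chroot_install_bin /home/jail /bin/sh
chroot_install_bin() {
    ci_root="$1"; ci_bin="$2"
    [ -x "$ci_bin" ] || { echo "not executable: $ci_bin" >&2; return 1; }
    chroot_copy "$ci_root" "$ci_bin"
    for ci_lib in $(chroot_list_libs "$ci_bin"); do
        chroot_copy "$ci_root" "$ci_lib"
    done
}

# Number of regular files under the chroot; useful to sanity-check a build.
chroot_count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

Run it once per utility you want to offer (sh, ls, cat, the mail client) and compare the result against the file list you expect; anything ldd does not report (dlopen'ed plugins, /etc files, devices) still has to be added by hand.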