Date: Wed, 7 Nov 2001 13:19:17 +0100
From: Walter Hop <walter@binity.com>
To: "Sven Huster" <sven.huster@mailsurf.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: restrict shell access
Message-ID: <11341310391.20011107131917@binity.com>
In-Reply-To: <00f701c166b5$c6546d20$fe00fa0a@venus>
References: <00f701c166b5$c6546d20$fe00fa0a@venus>

[in reply to sven.huster@mailsurf.com, 06-11-2001]

> need to restrict them to their home or some other dir + subdir, sounds
> like chroot ;-)

I am using chrsh for this and am very happy with it:
http://www.aarongifford.com/computers/chrsh.html

I have set up a chroot for shell users so they cannot fiddle around too
easily. (It must be noted that users can do pretty much whatever they want
using the mail- or webserver's permissions; if you run these servers and let
people use them, a chroot should only be seen as a small "threshold" that
will keep people from inadvertently viewing other people's files)

Some problems arise when users cannot get to common files; these can be
solved by using TCP/IP alternatives. For instance, users have to manage
their mail through imap/smtp instead of just opening their mail spools and
calling sendmail.

If you place people in a chroot, you need to copy certain libraries into the
chroot environment to make life easy for them. If you want to know, I can dig
up a list with bins, devs and libs that I found useful to give to chrooted
users so they can make proper use of the most needed utilities, without
actually giving them too much power. Some tools like screen(1) have a habit
of emitting strange error messages when devices or libraries are not present.

--
Walter Hop <walter@binity.com>
Updated contact information: http://www.binity.com/~walter/
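
One way to do the library copying the message describes, as an added example that is not part of the original e-mail and not the author's list: it asks ldd(1) which shared libraries each binary needs and copies binary and libraries into the chroot under the same paths. The function names, the script name and the chroot path in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not from the original message): copy binaries and the
# shared libraries they need into a chroot, keeping the directory layout.

# Read ldd(1) output on stdin and print each absolute library path once.
# Skips the "/bin/ls:" header line and entries that have no path on disk.
libs_from_ldd() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\// && $i !~ /:$/) { print $i; break }
    }' | LC_ALL=C sort -u
}

# Copy one absolute path into the chroot, preserving mode and timestamps.
copy_into_chroot() {
    root=$1 src=$2
    mkdir -p "$root$(dirname "$src")" && cp -p "$src" "$root$src"
}

# populate_chroot ROOT BIN...: install each binary plus its libraries.
# A statically linked binary yields no ldd paths and is copied on its own.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        copy_into_chroot "$root" "$bin" || return 1
        ldd "$bin" 2>/dev/null | libs_from_ldd | while read -r lib; do
            copy_into_chroot "$root" "$lib" || exit 1
        done || return 1
    done
}

# Runs only when given arguments, for example (hypothetical paths):
#   sh populate.sh /home/chroot /bin/sh /bin/ls
if [ "$#" -ge 2 ]; then
    populate_chroot "$@"
fi
```

If ldd on your system does not list the runtime linker, pass its path as an extra argument so it is copied like any other file. Device nodes are not handled here and have to be created separately.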