From owner-freebsd-questions Wed Dec 19 14:31:36 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id C755E37B416 for ; Wed, 19 Dec 2001 14:31:33 -0800 (PST)
Received: (from dan@localhost) by dan.emsphone.com (8.11.6/8.11.6) id fBJMVVe58187; Wed, 19 Dec 2001 16:31:31 -0600 (CST) (envelope-from dan)
Date: Wed, 19 Dec 2001 16:31:31 -0600
From: Dan Nelson
To: Lonnie Cumberland
Cc: "'freebsd-questions@freebsd.org'"
Subject: Re: FreeBSD and restricting users
Message-ID: <20011219223131.GC30574@dan.emsphone.com>
References: <01C188B0.4CDDA3E0@VAIO>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <01C188B0.4CDDA3E0@VAIO>
User-Agent: Mutt/1.3.23.2i
X-OS: FreeBSD 5.0-CURRENT
X-message-flag: Outlook Error
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In the last episode (Dec 19), Lonnie Cumberland said:
> The basic problem is this. It is very easy to keep a user from
> entering into a directory after they have logged in, but it is VERY
> hard to keep a user locked into their HOME directory.
>
> We have looked at chrooted solutions as well, but they fail when a
> user logs in through XDM and starts up an application like Netscape or
> StarOffice. Once that happens, they are free to navigate throughout
> the system.
>
> Can FreeBSD solve the problem of preventing a user from leaving their
> HOME directory while still allowing them to run OpenOffice?

If you really truly don't want them seeing anything outside their $HOME,
chroot is your only choice. Create a minimal /etc, /lib, /bin, etc. in
each homedir, and you should be set. Note that you'll have to replicate
most of /usr/X11R6 for any X app to work.

What exactly are you trying to keep users from doing?
A standard install should not expose any private info or leave
directories incorrectly writable. Just because they can browse into /etc
doesn't mean they can do anything.

--
	Dan Nelson
	dnelson@allantgroup.com
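The per-user chroot Dan describes (a minimal /etc, /lib and /bin inside the home directory), as an added example that is not code from the thread or from Dan Nelson. It assumes a POSIX sh and ldd(1), and that the final chroot(8) into the jail is performed as root (for instance from a login wrapper) before privileges are dropped to the user. The user name "lonnie", uid/gid 1001 and the jail path in the usage comment are hypothetical. It goes a little beyond the reply by adding an audit function that applies the second paragraph's criterion (nothing setuid, no wrongly writable directories) to the jail itself. It does not attempt the X part: as the reply says, an X client also needs most of /usr/X11R6, and it additionally needs to reach the X server's socket from inside the jail.

```shell
#!/bin/sh
# Build a minimal chroot under a user's home directory: the binaries the
# user may run, the shared libraries they link, and a stripped-down /etc.
# Added example, not code from the thread. Assumes POSIX sh and ldd(1);
# the final chroot(8) into the jail must be done as root (for instance
# from a login wrapper) before privileges are dropped to the user.

umask 022   # nothing we create in the jail should be group/world-writable

# Print the absolute path of every shared object a binary needs, one per
# line. Works with both FreeBSD ("/lib/libc.so.7 (0x...)") and GNU
# ("libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)") ldd output by
# keeping any whitespace-separated field that starts with "/". Prints
# nothing for static binaries, where ldd fails.
list_deps() {
    ldd "$1" 2>/dev/null | tr ' \t' '\n\n' | grep '^/' | sort -u
    return 0
}

# Copy one file into the jail at the same path it has on the host, so the
# dynamic loader inside the jail finds libraries where it expects them.
install_into_jail() {
    _jail=$1 _src=$2
    mkdir -p "$_jail$(dirname "$_src")" || return 1
    cp "$_src" "$_jail$_src" || return 1
}

# Populate $jail with the named binaries plus everything they link against.
build_jail() {
    _jail=$1; shift
    mkdir -p "$_jail/bin" "$_jail/dev" "$_jail/tmp" || return 1
    chmod 1777 "$_jail/tmp"
    for _bin in "$@"; do
        _path=$(command -v "$_bin") || { echo "no such binary: $_bin" >&2; return 1; }
        install_into_jail "$_jail" "$_path" || return 1
        for _lib in $(list_deps "$_path"); do
            install_into_jail "$_jail" "$_lib" || return 1
        done
    done
}

# Write a minimal /etc/passwd and /etc/group holding only root and the
# jailed user; the home directory becomes "/" because the jail root *is*
# the home directory. On FreeBSD, libc reads /etc/pwd.db rather than the
# text file, so also run pwd_mkdb(8) with -d "$jail/etc" on a matching
# master.passwd.
write_minimal_etc() {
    _jail=$1 _user=$2 _uid=$3 _gid=$4
    mkdir -p "$_jail/etc" || return 1
    printf 'root:*:0:0:root:/:/sbin/nologin\n%s:*:%s:%s:%s:/:/bin/sh\n' \
        "$_user" "$_uid" "$_gid" "$_user" > "$_jail/etc/passwd"
    printf 'wheel:*:0:root\n%s:*:%s:\n' "$_user" "$_gid" > "$_jail/etc/group"
    chmod 644 "$_jail/etc/passwd" "$_jail/etc/group"
}

# Apply the reply's own standard to the jail: no setuid/setgid files and
# no world-writable directory other than /tmp. Prints offenders and
# returns 1 if any are found, otherwise prints nothing and returns 0.
audit_jail() {
    _jail=$1
    _bad=$(find "$_jail" \( -type f \( -perm -4000 -o -perm -2000 \) \) -o \
        \( -type d -perm -0002 ! -path "$_jail/tmp" \))
    [ -z "$_bad" ] || { printf '%s\n' "$_bad"; return 1; }
}

# Usage, with a hypothetical user "lonnie" (uid/gid 1001) and jail path:
#   build_jail /home/lonnie/jail sh ls cat
#   write_minimal_etc /home/lonnie/jail lonnie 1001 1001
#   audit_jail /home/lonnie/jail && chroot /home/lonnie/jail "$(command -v sh)"
```

Because install_into_jail preserves the host's directory layout, the loader path baked into each binary (for example /libexec/ld-elf.so.1 on FreeBSD) resolves unchanged inside the jail; the only thing the user can see is what was copied in, which is the point of the exercise.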