From owner-freebsd-isp Thu Jul 27 0:55:45 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from workhorse.iMach.com (workhorse.iMach.com [206.127.77.89]) by hub.freebsd.org (Postfix) with ESMTP id 84B7A37C06F for ; Thu, 27 Jul 2000 00:55:41 -0700 (PDT) (envelope-from forrestc@imach.com)
Received: from localhost (forrestc@localhost) by workhorse.iMach.com (8.9.3/8.9.3) with ESMTP id AAA11509; Thu, 27 Jul 2000 00:58:24 -0600 (MDT)
Date: Thu, 27 Jul 2000 00:58:24 -0600 (MDT)
From: "Forrest W. Christian" <forrestc@imach.com>
To: "chem@i-p-d.nl"
Cc: Kenn Martin, freebsd-isp@FreeBSD.ORG
Subject: Re: limiting telnet-users
In-Reply-To: <200007270728.JAA09013@ns1.i-p-d.nl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I probably missed this info which I am mentioning here from an earlier post.

What exactly are you trying to prevent these users from doing?

About the only way to confine users to their own little private world is chroot. Period.

The problem with any other approach is that it is virtually impossible to confine a user to a specific directory. About the only way to do this is to modify the shell (or provide a teency shell) to prevent access. BUT, as soon as you give them access to an editor, you have opened up an entire can of worms.

Either you generally trust your users and you give them a shell account or you don't and you put them in a chroot dir. Any other restrictions you provide essentially serve to keep the clueless honest. Give me 5 mins on any non-chroot system and I'll be past the security. Chroots are SIGNIFICANTLY more difficult to break out of.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems.
(406)-442-6648
----------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
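Editor's added example (not part of Forrest's post or of the thread): the post says chroot is the only confinement that holds, but a chroot only holds if it is entered correctly. The C program below shows the sequence a login wrapper would use on a POSIX system such as FreeBSD: check that the jail directory is root-owned and not group/world writable, chdir into it before chroot so the working directory is inside the new root, then drop supplementary groups, gid and uid, and verify root cannot be regained. The jail path, uid and gid are assumed values passed on the command line; the program must start as root for chroot(2) to succeed.

```c
/* Added example: correct order of operations for confining a login to a
 * chroot directory. Jail path, uid and gid are assumed caller-supplied values. */
#define _DEFAULT_SOURCE   /* declares chroot(), setgroups(), mkdtemp() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pre-flight check on the jail directory. A jail that anyone but its owner
 * can write to undermines the confinement (the confined user could plant
 * files that jailed programs later trust). Returns 1 if safe, 0 otherwise. */
int jail_dir_is_safe(const char *path, uid_t expected_owner)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;                              /* must be an absolute path */
    if (stat(path, &st) != 0)
        return 0;                              /* missing or unreadable */
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != expected_owner)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                              /* group- or world-writable */
    return 1;
}

/* Confine the calling process. Order matters:
 *  1. chdir() into the jail; chroot() alone leaves the cwd outside it.
 *  2. chroot().
 *  3. Drop supplementary groups, then gid, then uid. A process that keeps
 *     root inside a chroot can still undo the confinement.
 *  4. Confirm root cannot be regained.
 * Returns 0 on success, -1 with errno set on failure. */
int confine_user(const char *jail, uid_t uid, gid_t gid)
{
    if (!jail_dir_is_safe(jail, 0)) {          /* jail must be owned by root */
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail) != 0)
        return -1;
    if (chroot(jail) != 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {                      /* must fail once privileges are gone */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone use: confine to JAIL as UID:GID, then exec the shell that was
 * installed inside the jail (assumed to be /bin/sh relative to the new root). */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s /path/to/jail uid gid\n", argv[0]);
        return 2;
    }
    const char *jail = argv[1];
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    if (confine_user(jail, uid, gid) != 0) {
        fprintf(stderr, "confine_user(%s): %s\n", jail, strerror(errno));
        return 1;
    }
    execl("/bin/sh", "sh", "-l", (char *)NULL);
    perror("execl");
    return 1;
}
```

The pre-flight check and the privilege drop are the parts that commonly go missing in home-grown wrappers; without the chdir a jailed process starts with its working directory still outside the jail, and without the uid drop the jail confines nothing.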