Message-ID: <4224D830.4080401@comcast.net>
Date: Tue, 01 Mar 2005 13:01:36 -0800
From: Matt
Cc: freebsd-hackers@freebsd.org
References: <4224CF06.7060103@comcast.net> <200503012131.15528.max@love2party.net>
In-Reply-To: <200503012131.15528.max@love2party.net>
Subject: Re: retricted environment

Max Laier wrote:

>On Tuesday 01 March 2005 21:22, Matt wrote:
>
>>When providing a shell environment for a larger number of users, what is
>>the best way to restrict access to commands/resources? I've already
>>set up quotas. I don't want users playing with system commands. I've
>>read something about a restricted shell, but can't find any details.
>
>I am not sure a restricted shell is the best solution for interactive setups,
>but one is available from src/contrib/sendmail/smrsh. See README for usage
>and build information. This, however, is more a thing for cvs-wrappers or
>stuff like that.
>
>For interactive environments you can use the normal group/user permissions and
>of course jail(8)s.

Thanks, I'll look at that. To allow restricted access using groups/users, is the normal procedure to remove o+rwx permissions from the selected commands/directories? Hmm. I thought the kernel secure level setting helped restrict users. I've much to learn.