From owner-freebsd-stable Mon Mar 27 8:19: 0 2000 Delivered-To: freebsd-stable@freebsd.org Received: from elwood.akitanet.co.uk (elwood.akitanet.co.uk [212.1.130.149]) by hub.freebsd.org (Postfix) with ESMTP id 57C4E37B918; Mon, 27 Mar 2000 08:18:03 -0800 (PST) (envelope-from wigstah@akitanet.co.uk) Received: from elwood.akitanet.co.uk (elwood.akitanet.co.uk [212.1.130.149]) by elwood.akitanet.co.uk (8.9.3/8.9.1) with ESMTP id RAA45458; Mon, 27 Mar 2000 17:16:48 +0100 (BST) Date: Mon, 27 Mar 2000 17:16:48 +0100 (BST) From: Paul Robinson To: dave@allunix.com Cc: freebsd-isp@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG Subject: Re: sandbox of virtual servers In-Reply-To: <200003271352.FAA01289@web1.allunix.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Mon, 27 Mar 2000 dave@allunix.com wrote: > Has anyone out there setup a sandbox limiting users to their own > home directories in a telnet or ftp session? You mean a chroot(2) environemnt? I.e. you stop users getting out of their own hom directory? Are you talking more about the jail() call in FreeBSD 4.0? If all you need is to chroot them, take a look at the OpenBSD ftpd, or in fact proftpd, wu-ftpd etc. If you need to stop them running all over the place in telnet, then you need to write a restricted shell, although I hear there is already one around whose name escapes me. As far as sandboxing is concerned in terms of CGI's and so on, the best webserver I know to handle this is Zeus (which costs around $1500 but is worth every penny). Not only will it sandbox the CGI for you, but it also is easily around 5-10 times faster than Apache in my experience. It also has better stats, can handle a theoretical infinte number of virtual servers, and is generally far easier ot configure, run and maintain than any other piece of software I've encountered in the ISP game. Don't work for them, but I do like their code... :) they're at www.zeustechnology.com > chroot enviroment. Complete with their own sendmail and apache > configuration files? Sounds like jail() which is not really marked for production use at the moment as I understand it. I've also heard a whisper that some of the nasty hax0rs out there have already managed to find a way to break it, although that could all be just smoke and mirrors... :) > As I do not subscribe to the stable list, please cross post it to the > isp or questions list. If you don't subscribe to a list, don't post to it. It's rude. I'm almost tempted to not cross-post it, just to annoy you as much as that statement has annoyed me. :) -- Paul Robinson - Developer/Systems Administrator @ Akitanet Internet To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message