From owner-freebsd-questions@FreeBSD.ORG Thu Sep 23 19:28:56 2004
Message-ID: <001101c4a1a3$bb731880$460011ac@SATPC>
From: "Andrew"
Date: Thu, 23 Sep 2004 23:30:06 +0400
Subject: Ultimately Safe User Account
List-Id: User questions

Hi,

I have a production FreeBSD box. My friend is starting to learn Unix essentials and is asking me for an account. He doesn't require any special rights, but he certainly wants to be able to use shell and read most manual pages. He'll access the server via Internet, SSH.

How can I create an account, so that it is completely safe to let him in? How can I jail/chroot him and do I need to do it this way? I want to limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu (~5-10%), _internet connectivity_ (bandwidth is expensive and he must not be able to download much). He is new to Unix but I have to suppose that somebody very experienced can steal his account info.

I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi. I don't want him to have any browser or fetch-like utility. I know that letting somebody log in is already a security hole, but I want to minimize the risks.

Thanks,
Andrew P.