Date: Thu, 23 Sep 2004 17:38:49 -0500
From: Dan Rue <drue@therub.org>
To: "Sheets, Jason (OZ CEEDR)" <jason.sheets@hp.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Ultimately Safe User Account
Message-ID: <20040923223849.GK40647@therub.org>
In-Reply-To: <2D8BB15C7B5C214F81C32D3A83B32736013D45B3@idbexc01.americas.cpqcorp.net>
References: <2D8BB15C7B5C214F81C32D3A83B32736013D45B3@idbexc01.americas.cpqcorp.net>

On Thu, Sep 23, 2004 at 04:18:21PM -0600, Sheets, Jason (OZ CEEDR) wrote:
> I'd suggest sending him a live CD of FreeBSD (LiveBSD at
> http://www.livebsd.com) or Linux (Knoppix at http://www.knoppix.org) are
> very good.
>
> This will keep him on his own hardware and let him become familiar with
> BSD in a fairly safe environment.
>
> When he feels comfortable he can attempt a full install on his hardware.
>
> Alternatively if he is just wanting to become proficient on the command
> line he can install Cygwin (http://www.cygwin.com) on Windows and
> Linux-like environment right on Windows and then progress to the real
> thing.
>
> I'd go with any of the above before giving him remote access but if you
> are dead set on allowing him access to your system look at
>
> man jail
> man security
> man login.conf
>
> Jason
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-
> > questions@freebsd.org] On Behalf Of Andrew
> > Sent: Thursday, September 23, 2004 1:30 PM
> > To: freebsd-questions@freebsd.org
> > Subject: Ultimately Safe User Account
> >
> > Hi,
> >
> > I have a production FreeBSD box. My friend is starting to learn Unix
> > essentials and is asking me for an account. He doesn't require any
> > special rights, but he certainly wants to be able to use shell and read
> > most manual pages. He'll access the server via Internet, SSH.
> >
> > How can I create an account, so that it is completely safe to let him
> > in? How can I jail/chroot him and do I need to do it this way? I want to
> > limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu
> > (~5-10%), _internet connectivity_ (bandwidth is expensive and he must
> > not be able to download much). He is new to Unix but I have to suppose
> > that somebody very experienced can steal his account info.
> >
> > I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi.
> > I don't want him to have any browser or fetch-like utility.
> >
> > I know that letting somebody log in is already a security hole, but I
> > want to minimize the risks.
> >
> >
> > Thanks,
> > Andrew P.

A live CD is a good suggestion.

I have to disagree with the idea behind this whole thing, though. I mean, if this guy's really your friend, I don't see what you're so worried about. It's really pretty tough to 'accidentally' break things as a user on a system, as long as the system is moderately well administered.

If you're concerned about him using a bad password, give him a sufficient warning and run John the Ripper against your password file for a couple of days. Also, don't allow any clear-text protocols such as samba, ftp, telnet, etc etc.

Dang, man, I had a friend that ran an /open/ shell server in high school. He had over 100,000 users, and didn't get hacked (well, he did at first, but that's when he was running Linux :) ).

How's he supposed to learn anything if all you give him is a jail with ls cp mv sh and vi? sheesh. That'll turn him off Unix pretty quick.

dan