From owner-freebsd-questions@FreeBSD.ORG Thu Sep 23 22:38:50 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5517A16A4CE for ; Thu, 23 Sep 2004 22:38:50 +0000 (GMT) Received: from corb.mc.mpls.visi.com (corb.mc.mpls.visi.com [208.42.156.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 26D7C43D41 for ; Thu, 23 Sep 2004 22:38:50 +0000 (GMT) (envelope-from drue@therub.org) Received: from egypt.therub.org (therub.org [209.98.146.43]) by corb.mc.mpls.visi.com (Postfix) with ESMTP id 83049844B; Thu, 23 Sep 2004 17:38:49 -0500 (CDT) Received: by egypt.therub.org (Postfix, from userid 1001) id 3AC0D455E09; Thu, 23 Sep 2004 17:38:49 -0500 (CDT) Date: Thu, 23 Sep 2004 17:38:49 -0500 From: Dan Rue To: "Sheets, Jason (OZ CEEDR)" Message-ID: <20040923223849.GK40647@therub.org> References: <2D8BB15C7B5C214F81C32D3A83B32736013D45B3@idbexc01.americas.cpqcorp.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2D8BB15C7B5C214F81C32D3A83B32736013D45B3@idbexc01.americas.cpqcorp.net> User-Agent: Mutt/1.4.2.1i cc: Andrew cc: freebsd-questions@freebsd.org Subject: Re: Ultimately Safe User Account X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Sep 2004 22:38:50 -0000 On Thu, Sep 23, 2004 at 04:18:21PM -0600, Sheets, Jason (OZ CEEDR) wrote: > I'd suggest sending him a live CD of FreeBSD (LiveBSD at > http://www.livebsd.com) or Linux (Knoppix at http://www.knoppix.org) are > very good. > > This will keep him on his own hardware and let him become familiar with > BSD in a fairly safe environment. > > When he feels comfortable he can attempt a full install on his hardware. > > Alternatively if he is just wanting to become proficient on the command > line he can install Cygwin (http://www.cygwin.com) on Windows and > Linux-like environment right on Windows and then progress to the real > thing. > > I'd go with any of the above before giving him remote access but If you > are deadest on allowing him access to your system look at > > man jail > man security > man login.conf > > Jason > > > > > > -----Original Message----- > > From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd- > > questions@freebsd.org] On Behalf Of Andrew > > Sent: Thursday, September 23, 2004 1:30 PM > > To: freebsd-questions@freebsd.org > > Subject: Ultimately Safe User Account > > > > Hi, > > > > I have a production FreeBSD box. My friend is starting to learn Unix > > essentials and is asking me for an account. He doesn't require any > > special rights, but he certainly wants to be able to use shell and > read > > most manual pages. He'll access the server via Internet, SSH. > > > > How can I create an account, so that it is completely safe to let him > > in? How can I jail/chroot him and do I need to do it this way? I want > to > > limit everything: disk space (~500Mb), RAM (~10%), processes (~30), > cpu > > (~5-10%), _internet connectivity_ (bandwidth is expensive and he must > > not be able to download much). He is new to Unix but I have to suppose > > that somebody very experienced can steal his account info. > > > > I'd be glad if he had only very basic ls, cp, mv, as well as sh and > vi. > > I don't want him to have any browser or fetch-like utility. > > > > I know that letting somebody log in is already a security hole, but I > > want to minimize the risks. > > > > > > Thanks, > > Andrew P. A live CD is a good suggestion. I have to disagree with the idea behind this whole thing, though. I mean, if this guy's really your friend, I don't see what you're so worried about. It's really pretty tough to 'accidently' break things as a user on a system, as long as the system is moderately well administered. If you're concerned about him using a bad password, give him a sufficient warning and run john the ripper against your password file for a couple of days. Also, don't allow any clear-text protocols such as samba, ftp, telnet, etc etc. Dang, man, I had a friend that ran an /open/ shell server in high school. He had over 100,000 users, and didn't get hacked (well, he did at first, but that's when he was running linux :) ). How's he supposed to learn anything if all you give him is a jail with ls cp mv sh and vi? sheesh. That'll turn him off unix pretty quick. dan