From: Alex de Kruijff
To: Andrew
Cc: freebsd-questions@freebsd.org
Date: Fri, 24 Sep 2004 03:35:04 +0200
Subject: Re: Ultimately Safe User Account

Hi Andrey,

On Thu, Sep 23, 2004 at 11:30:06PM +0400, Andrew wrote:
> Hi,
>
> I have a production FreeBSD box. My friend is starting to learn Unix
> essentials and is asking me for an account. He doesn't require any
> special rights, but he certainly wants to be able to use shell and read
> most manual pages. He'll access the server via Internet, SSH.

Don't add him to the group wheel. If you are paranoid then you can use
one-time passwords. (I only use this for persons within the group wheel,
and then only for non-ssh.)

> How can I create an account, so that it is completely safe to let him
> in? How can I jail/chroot him and do I need to do it this way? I want to
> limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu
> (~5-10%), _internet connectivity_ (bandwidth is expensive and he must
> not be able to download much). He is new to Unix but I have to suppose
> that somebody very experienced can steal his account info.

I don't think you need to use jail/chroot. You can limit the use of HD,
RAM and CPU with quotas:
1. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html
2. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

And limit bandwidth with ipfw & dummynet:
1. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
2. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
3. man ipfw

Set your firewall so that it allows everything out and nothing in except
ssh or http.

If you like to have this so that he can use 100% for a short time and
something like 20% then you can do this with a combination of ipfw &
dummynet & ipa (a port). I have three half-finished articles about this.
The above is handy to read before these.

> I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi.
> I don't want him to have any browser or fetch-like utility.

This can be done with jail/chroot.

> I know that letting somebody log in is already a security hole, but I
> want to minimize the risks.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
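
Added example, not part of the original mail or of Alex's articles: one way to write the policy described in the reply (everything out, nothing in except ssh or http, plus a dummynet bandwidth cap) as an ipfw ruleset generated by a small shell function. The account name `friend`, the rate, the rule and pipe numbers, the use of `uid` matching to shape only that account's own connections, and `net.inet.ip.fw.one_pass=0` are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints an ipfw/dummynet ruleset on stdout, applies nothing.
# Assumed (not from the mail): account name, rate, rule and pipe numbers,
# and an otherwise empty ruleset to load the output into.

# gen_rules USER RATE -> ruleset on stdout; returns 1 on bad input
gen_rules() {
    user=$1 rate=$2
    # The output is meant to be fed to sh as root, so accept only a plain
    # account name and a dummynet bandwidth value such as 256Kbit/s.
    case $user in
        ''|*[!a-z0-9_]*) echo "bad user: $user" >&2; return 1 ;;
    esac
    case $rate in
        *[KM]bit/s) ;;
        *) echo "bad rate: $rate" >&2; return 1 ;;
    esac
    num=${rate%[KM]bit/s}
    case $num in
        ''|*[!0-9]*) echo "bad rate: $rate" >&2; return 1 ;;
    esac
    cat <<EOF
# one_pass=0: packets leaving a pipe continue with the next rule, so the
# shaped traffic is still subject to the allow/deny policy below.
sysctl net.inet.ip.fw.one_pass=0
ipfw pipe 1 config bw $rate
ipfw pipe 2 config bw $rate
ipfw add 100 allow ip from any to any via lo0
# Shape only connections owned by the account (his sshd session socket is
# owned by root, so the login itself is not throttled).
ipfw add 200 pipe 1 ip from any to any uid $user out
ipfw add 210 pipe 2 ip from any to any uid $user in
ipfw add 300 check-state
# Nothing in except ssh or http ...
ipfw add 400 allow tcp from any to me 22,80 in setup keep-state
# ... and everything out, with replies admitted through dynamic state.
ipfw add 500 allow ip from me to any out keep-state
ipfw add 65000 deny ip from any to any
EOF
}

# Constructed sample values; review the output before piping it to sh.
gen_rules friend 256Kbit/s
```

Rule 65000 drops any inbound connection attempt that is not ssh or http, including one aimed at a listener the account opens itself, because the pipe rules no longer accept packets on their own once `one_pass` is 0.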