From: "Scott Gerhardt"
To: "FreeBSD"
Subject: Security Users and Groups
Date: Wed, 5 Dec 2001 19:48:54 -0600

Is there a preferred User/Group configuration for FTP only and POP3 only Webclients?

Here is what I have done so far:

To chroot FTP users, I have added "@webclient" to /etc/ftpchroot.

To restrict Logins I have added the following to /etc/login.access:

    -:ALL EXCEPT wheel:console
    -:ALL EXCEPT wheel staff:ALL

To deny FTP access to POP3 users I have added "@popclient" to /etc/ftpusers.

All FTP and POP users are given nologin as their shell. Yes, this is redundant since login.access takes care of this already, but you can't be too safe.

QUESTION: Which is the best scenario for setting users group parameters?:

1.) create each user as their own unique group (typical default) and make them a member of webclient or pop client as required.

2.) make their login group = webclient or pop client as required.

To me it seems that #1 would be a better model with finer granularity and that #2 will make the group file much smaller but with less control.

_________________________________
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies
_________________________________
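
An audit of the setup described in the message above, as an added example that is not part of the original post: it lists who belongs to webclient and popclient under either group option, flags accounts that are in both groups, and flags restricted accounts whose shell is not nologin. The passwd and group lines are constructed sample data and the function names are hypothetical; counting a login group as membership is an assumption of this script, so check how your ftpd matches "@group" entries.

```shell
#!/bin/sh
# Constructed sample data (not from the post): passwd(5)/group(5) style lines.
# alice, bob: option 1 (own login group, listed as members of the service group).
# carol: option 2 (login group is webclient, so she is absent from its member list).
# dave: member of both groups and left with a real shell.
SAMPLE_PASSWD='alice:*:1001:1001:Alice:/home/alice:/sbin/nologin
bob:*:1002:1002:Bob:/home/bob:/sbin/nologin
carol:*:1003:2000:Carol:/home/carol:/sbin/nologin
dave:*:1004:1004:Dave:/home/dave:/bin/sh'
SAMPLE_GROUP='alice:*:1001:
bob:*:1002:
dave:*:1004:
webclient:*:2000:alice,dave
popclient:*:2001:bob,dave'

# members_of GROUP PASSWD_TEXT GROUP_TEXT
# Prints every user whose login group is GROUP or who is in its member list.
members_of() {
    { printf '%s\n' "$3" | sed 's/^/G:/'; printf '%s\n' "$2" | sed 's/^/P:/'; } |
    awk -F: -v g="$1" '
        $1 == "G" && $2 == g {          # group line: G:name:pw:gid:members
            gid = $4; n = split($5, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        $1 == "P" && gid != "" && $5 == gid { print $2 }  # P:name:pw:uid:gid:...
    ' | sort -u
}

# in_both: users matched by "@webclient" in ftpchroot and "@popclient" in ftpusers.
in_both() {
    { members_of webclient "$1" "$2"; members_of popclient "$1" "$2"; } | sort | uniq -d
}

# bad_shells: restricted users whose shell is not nologin.
bad_shells() {
    restricted=$( { members_of webclient "$1" "$2"; members_of popclient "$1" "$2"; } | tr '\n' ' ')
    printf '%s\n' "$1" | awk -F: -v r="$restricted" '
        BEGIN { n = split(r, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && $7 !~ /\/nologin$/ { print $1 }'
}

echo "webclient: $(members_of webclient "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | tr '\n' ' ')"
echo "in both groups: $(in_both "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
echo "shell is not nologin: $(bad_shells "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
```

With option 2, a user such as carol never appears in the group file's member list, so an audit that reads only /etc/group misses her.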