Date: Fri, 13 Sep 2002 14:09:20 +0100
From: Daniel Bye <dan@slightlystrange.org>
To: Freebsd-Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: Securing Servers
Message-ID: <20020913130920.GA3367@catflap.home.slightlystrange.org>
In-Reply-To: <DLEGKDJAPHEBLGOLCGEMMEAICJAA.katinka@magestower.com>
References: <DLEGKDJAPHEBLGOLCGEMMEAICJAA.katinka@magestower.com>

On Fri, Sep 13, 2002 at 08:43:23PM +0800, Katinka Mills wrote:
> Hi all,
>
> I am not so much a newbie, but I am stumped, how do I restrict users to
> only their home directories ? I do not want users wandering around my
> servers, just log in their home directory and that is it. I force all my
> users to use SSH, no telnet, and they can ftp in too (for web page uploads
> etc)

Check out chroot(8,2). You will (IIRC) need to make a copy of the files
they are likely to need while logged in, in a directory under their new
root. To save space and inodes, you can use hard links for the files (but
not the directories, obviously), provided the home directories all live on
the same file system. The list of files will probably include all the
programs needed for a comfortable login session - ls, grep, etc etc.

The other way to do it would be to establish a jail(8,2), but this is a
lot more work...

> Also how can I give them ftp access to their public_html directory but not
> shell access ?

The file /etc/ftpchroot contains a list of users who are immediately
chroot'ed to their home directory (if you want to limit this _exclusively_
to /home/*/public_html, you can set their home directory to this dir. This
means, though, that if you decide to grant them shell access, then they
will get dropped in among all their html...)

To prevent shell access, make sure /sbin/nologin is in /etc/shells, then
give the restricted users a default shell of /sbin/nologin. If they do try
to connect by any means other than ftp, they will be politely denied ;-)

HTH

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020913130920.GA3367>
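
The FTP-only setup described in the reply above (user listed in /etc/ftpchroot, login shell /sbin/nologin, and /sbin/nologin present in /etc/shells) can be checked with a small audit script. This is an added example, not part of the original message: the function names, report format and sample accounts are constructed for illustration, and the three files are passed as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example: audit accounts that are meant to be FTP-only.
# Usage: audit_ftp_only PASSWD_FILE SHELLS_FILE FTPCHROOT_FILE
# Prints one line per user named in FTPCHROOT_FILE:
#   "<user> OK" or "<user> FAIL <reason>"
audit_ftp_only() {
    passwd_file=$1
    shells_file=$2
    ftpchroot_file=$3
    nologin=/sbin/nologin

    # The reply notes that nologin has to be listed in /etc/shells.
    listed=no
    if grep -qxF "$nologin" "$shells_file"; then listed=yes; fi

    while read -r user _rest; do
        # Skip blank lines, comments and @group entries (not handled here).
        case $user in ''|'#'*|@*) continue ;; esac

        # The login shell is the last colon-separated field of the entry.
        shell=$(awk -F: -v u="$user" '$1 == u { print $NF; exit }' "$passwd_file")

        if [ -z "$shell" ]; then
            echo "$user FAIL no-such-account"
        elif [ "$shell" != "$nologin" ]; then
            # A real shell means the account is not limited to ftp.
            echo "$user FAIL shell=$shell"
        elif [ "$listed" != yes ]; then
            echo "$user FAIL nologin-not-in-shells"
        else
            echo "$user OK"
        fi
    done < "$ftpchroot_file"
}

# Constructed sample data (not taken from any real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'alice:*:1001:1001:Alice:/home/alice:/sbin/nologin' \
        'bob:*:1002:1002:Bob:/home/bob:/bin/sh' > "$d/passwd"
    printf '%s\n' '/bin/sh' '/sbin/nologin' > "$d/shells"
    printf '%s\n' '# FTP-only users' 'alice' 'bob' 'carol' > "$d/ftpchroot"
    audit_ftp_only "$d/passwd" "$d/shells" "$d/ftpchroot"
    rm -rf "$d"
}
demo
```

On a live system the arguments would be /etc/passwd, /etc/shells and /etc/ftpchroot.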