Date: Fri, 13 Sep 2002 14:09:20 +0100
From: Daniel Bye
To: Freebsd-Questions
Subject: Re: Securing Servers
Message-ID: <20020913130920.GA3367@catflap.home.slightlystrange.org>
Reply-To: dan@slightlystrange.org
User-Agent: Mutt/1.4i

On Fri, Sep 13, 2002 at 08:43:23PM +0800, Katinka Mills wrote:
> Hi all,
>
> I am not so much a newbie, but I am stumped, how do I restrict users to
> only their home directories? I do not want users wandering around my
> servers, just log in their home directory and that is it. I force all my
> users to use SSH, no telnet, and they can ftp in too (for web page uploads
> etc)

Check out chroot(8,2). You will (IIRC) need to make a copy of the files
they are likely to need while logged in, in a directory under their new
root. To save space and inodes, you can use hard links for the files (but
not the directories, obviously), provided the home directories all live
on the same file system. The list of files will probably include all the
programs needed for a comfortable login session - ls, grep, etc etc.

The other way to do it would be to establish a jail(8,2), but this is a
lot more work...

> Also how can I give them ftp access to their public_html directory but not
> shell access?

The file /etc/ftpchroot contains a list of users who are immediately
chroot'ed to their home directory (if you want to limit this _exclusively_
to /home/*/public_html, you can set their home directory to this dir.
This means, though, that if you decide to grant them shell access, then
they will get dropped in among all their html...)

To prevent shell access, make sure /sbin/nologin is in /etc/shells, then
give the restricted users a default shell of /sbin/nologin. If they do try
to connect by any means other than ftp, they will be politely denied ;-)

HTH

Dan

-- 
Daniel Bye
PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
 _   ASCII ribbon campaign
( )  - against HTML, vCards and
 X   - proprietary attachments in e-mail
/ \
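An added set of POSIX sh helpers (not from Daniel's message) that audit and apply the ftp-only account setup he describes: the user listed in /etc/ftpchroot, a login shell of /sbin/nologin, and /sbin/nologin present in /etc/shells so that ftpd still accepts the login. File paths are parameters so the functions can be run against copies; the ftpchroot parser assumes the classic one-username-per-line format (first field only), and the example does not change the account's shell itself (that is chsh/pw work).

```shell
#!/bin/sh
# Audit/fix helpers for "ftp-only, chrooted to home" accounts.
# Assumption: /etc/ftpchroot lists one username per line (first field).
NOLOGIN=/sbin/nologin

# Print USER's login shell (field 7) from PASSWD_FILE; empty if absent.
user_shell() {  # user passwd_file
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Print USER's home directory (field 6) from PASSWD_FILE.
user_home() {  # user passwd_file
    awk -F: -v u="$1" '$1 == u { print $6 }' "$2"
}

# Succeed if USER appears as the first field of a line in FTPCHROOT_FILE.
in_ftpchroot() {  # user ftpchroot_file
    awk -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Succeed if SHELL_PATH is listed in SHELLS_FILE (comments/blanks ignored).
shell_listed() {  # shell_path shells_file
    awk -v s="$1" '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
                   $1 == s { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Audit one account: succeed only if all three conditions hold, otherwise
# print each missing piece (ftpd refuses users whose shell is not in shells).
ftp_only_ok() {  # user passwd_file ftpchroot_file shells_file
    ok=0
    in_ftpchroot "$1" "$3" || { echo "$1: not in $3, ftpd will not chroot"; ok=1; }
    [ "$(user_shell "$1" "$2")" = "$NOLOGIN" ] || { echo "$1: shell is not $NOLOGIN"; ok=1; }
    shell_listed "$NOLOGIN" "$4" || { echo "$1: $NOLOGIN missing from $4, ftpd will refuse login"; ok=1; }
    return $ok
}

# Idempotently apply the two file edits: nologin in shells, user in ftpchroot.
apply_ftp_only() {  # user ftpchroot_file shells_file
    shell_listed "$NOLOGIN" "$3" || echo "$NOLOGIN" >> "$3"
    in_ftpchroot "$1" "$2" || echo "$1" >> "$2"
}

# Usage against the live system (as root):
#   ftp_only_ok kat /etc/passwd /etc/ftpchroot /etc/shells
#   apply_ftp_only kat /etc/ftpchroot /etc/shells
```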