Date: Fri, 15 Oct 2004 19:59:22 -0600 From: Danny MacMillan <flowers@users.sourceforge.net> To: Grant Cooper <gcooper@mhc.ab.ca> Cc: freebsd-questions@freebsd.org Subject: Re: locking down a users privileges Message-ID: <20041016015922.GA738@procyon.nekulturny.org> In-Reply-To: <04Oct15.165046mdt.328355@gate.mhc.ab.ca> References: <04Oct15.165046mdt.328355@gate.mhc.ab.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Oct 15, 2004 at 04:52:32PM -0600, Grant Cooper wrote: > I am trying to prevent a user from leaving his directory. I set something up > last year where I just added a name to a file. But I forgot the name of the > file. > > For another box I wanted to use putty to connect to my freebsd server and > was wondering if there was a shell I could use where the user couldn't do > anything in his account. Only want the user to be able to login and use the > mysql program. > > Should I use jail or chroot or something else? Some shells have options that allow them to start as "restricted shells" that do exactly the sort of thing you describe. For example, my favourite shell, zsh, will be a restricted shell if the command used to start it (e.g. a symbolic link) starts with the letter 'r'; when restricted the shell will prohibit changing directories with cd and numerous other potentially hazardous actions. bash does the same thing when invoked with a -r option. You can change a user's login shell using vipw(8) or pw(8). Ensure that the shell you choose is listed in /etc/shells. Also note that this does not in and of itself provide absolute restrictions on what a user can do. It merely restricts the shell. You have to take care to include only safe commands in the restricted user's path. The shell will prevent the user from changing the path, but if they're able to run cc(1) (as an extreme example) restricting the shell is a pointless exercise. -- Danny
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041016015922.GA738>