Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 15 Oct 2004 19:59:22 -0600
From:      Danny MacMillan <flowers@users.sourceforge.net>
To:        Grant Cooper <gcooper@mhc.ab.ca>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: locking down a users privileges
Message-ID:  <20041016015922.GA738@procyon.nekulturny.org>
In-Reply-To: <04Oct15.165046mdt.328355@gate.mhc.ab.ca>
References:  <04Oct15.165046mdt.328355@gate.mhc.ab.ca>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Oct 15, 2004 at 04:52:32PM -0600, Grant Cooper wrote:
> I am trying to prevent a user from leaving his directory. I set something up
> last year where I just added a name to a file. But I forgot the name of the
> file.
> 
> For another box I wanted to use putty to connect to my freebsd server and
> was wondering if there was a shell I could use where the user couldn't do
> anything in his account. Only want the user to be able to login and use the
> mysql program.
> 
> Should I use jail or chroot or something else?

Some shells have options that allow them to start as "restricted shells"
that do exactly the sort of thing you describe.  For example, my favourite
shell, zsh, will be a restricted shell if the command used to start it
(e.g. a symbolic link) starts with the letter 'r'; when restricted
the shell will prohibit changing directories with cd and numerous other
potentially hazardous actions.  bash does the same thing when invoked
with a -r option.  You can change a user's login shell using vipw(8) or
pw(8).  Ensure that the shell you choose is listed in /etc/shells.

Also note that this does not in and of itself provide absolute restrictions
on what a user can do.  It merely restricts the shell.  You have to take
care to include only safe commands in the restricted user's path.  The shell
will prevent the user from changing the path, but if they're able to run
cc(1) (as an extreme example) restricting the shell is a pointless exercise.

-- 
Danny



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041016015922.GA738>