From owner-freebsd-questions@FreeBSD.ORG Sun Oct 26 08:53:37 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C32901065670 for ; Sun, 26 Oct 2008 08:53:37 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from smtp-vbr7.xs4all.nl (smtp-vbr7.xs4all.nl [194.109.24.27]) by mx1.freebsd.org (Postfix) with ESMTP id 407778FC13 for ; Sun, 26 Oct 2008 08:53:37 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from slackbox.xs4all.nl (slackbox.xs4all.nl [213.84.242.160]) by smtp-vbr7.xs4all.nl (8.13.8/8.13.8) with ESMTP id m9Q8rXSA034332; Sun, 26 Oct 2008 09:53:33 +0100 (CET) (envelope-from rsmith@xs4all.nl) Received: by slackbox.xs4all.nl (Postfix, from userid 1001) id 61AAFBA89; Sun, 26 Oct 2008 09:53:32 +0100 (CET) Date: Sun, 26 Oct 2008 09:53:32 +0100 From: Roland Smith To: FBSD1 Message-ID: <20081026085332.GA97254@slackbox.xs4all.nl> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="9jxsPFA5p3P2qPhR" Content-Disposition: inline In-Reply-To: X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt X-GPG-Notice: If this message is not signed, don't assume I sent it! User-Agent: Mutt/1.5.18 (2008-05-17) X-Virus-Scanned: by XS4ALL Virus Scanner Cc: "freebsd-questions@FreeBSD. ORG" Subject: Re: restrict FreeBSD users to their home directory X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 26 Oct 2008 08:53:37 -0000 --9jxsPFA5p3P2qPhR Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Oct 26, 2008 at 12:13:17PM +0800, FBSD1 wrote: > How do it configure FreeBSD to restrict users to their home directory? You can give the users rbash as their shell. This will restrict them to the= ir home directory. But this can be easily broken out of if the user starts another shell! So you should disable all other shells for normal users. Otherwise you could put the users in a jail of their own. But they will still need system files (which they can see) in the jail for it to be usable. > I don't want them to be able see any system directories or other users? User directories are by default both owned by the user and belong to the user's group. So you can set the umask for every user so that their files are not accessible to others. You cannot block read and execute access to a lot of system files (binaries, libraries, /usr/[local/]share/) without making the system useles= s. What is the problem you're trying to solve? Blocking read access to system files is almost certainly the wrong solution. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --9jxsPFA5p3P2qPhR Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkkEMAwACgkQEnfvsMMhpyV0ZgCaAx5t15OuS2MduKwhW9Lr+BVB SP4AoJSzkdKF/Jn2Rf+YlHQ6AN+7Ooow =TfvD -----END PGP SIGNATURE----- --9jxsPFA5p3P2qPhR--