From owner-freebsd-questions Fri Aug 30 12: 4:36 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F26A37B400 for ; Fri, 30 Aug 2002 12:04:34 -0700 (PDT) Received: from smtp3.acsu.buffalo.edu (smtp3.acsu.buffalo.edu [128.205.6.86]) by mx1.FreeBSD.org (Postfix) with SMTP id 9B7CB43E86 for ; Fri, 30 Aug 2002 12:04:33 -0700 (PDT) (envelope-from cd9@buffalo.edu) Received: (qmail 23964 invoked from network); 30 Aug 2002 19:04:32 -0000 Received: from ubppp234-207.dialin.buffalo.edu (HELO selvirjin.buffalo.edu) (128.205.234.207) by smtp3.acsu.buffalo.edu with SMTP; 30 Aug 2002 19:04:32 -0000 Received: from dragon by selvirjin.buffalo.edu with local (Exim 3.36 #1) id 17kr3m-0008Zf-00; Fri, 30 Aug 2002 15:03:58 -0400 Date: Fri, 30 Aug 2002 15:03:58 -0400 From: "C. A. Daelhousen" To: freebsd-questions@FreeBSD.ORG Cc: Gerard Samuel Subject: Re: Restricting user Message-ID: <20020830150358.A25578@selvirjin.buffalo.edu> Mail-Followup-To: freebsd-questions@FreeBSD.ORG, Gerard Samuel References: <3D6F9A15.5020308@trini0.org> <20020830183418.A69753@gicco.cablecom.ch> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020830183418.A69753@gicco.cablecom.ch>; from hanspeter_roth@hotmail.com on Fri, Aug 30, 2002 at 06:34:18PM +0200 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, Aug 30, 2002 at 06:34:18PM +0200, Hanspeter Roth wrote: > On Aug 30 at 12:15, Gerard Samuel spoke: > > > I would like to restrict a user to their home directory. > > jail seems to be just for processes. > > What else is there that I can look at. > > Maybe a restricted shell such as bash -r. > > -Hanspeter > If you do this, be careful about the dotfiles that the shell reads when it starts up. A college I used to attend didn't remove 'PATH=${PATH}:${HOME}/bin' from one of those dotfiles--allowing any user to write a shell script to give them an unrestricted shell. ~/bin/foo: #!/bin/sh exec /bin/csh (Another lesson to be learned: don't make your policies so draconian that people can't report what they find.) -- ..: Chad Daelhousen == cd9@buffalo.edu :.........: sig v3.1 :... : Programming for 10 +/- 2 years (50 +/- 10% of a lifetime) : :.............Perl will be the first to implement mind reading.: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message