From: Peter Vereshagin
To: freebsd-questions@freebsd.org
Date: Mon, 9 May 2011 21:50:48 +0400
Subject: Re: restricted ssh shell for ruby on rails hosting ? (rake, git, etc.)
Message-ID: <20110509175048.GA8326@external.screwed.box>
In-Reply-To: <1304953326.6473.37.camel@ompc.insign>

Nobody knows that you're in for that, freebsd-questions!
2011/05/09 17:02:06 +0200 Olivier Mueller => To FreeBSD Questions :

OM> but one of the things I would like to prevent is for example accessing
OM> some files like /etc/passwd (= listing all other customers' domains in
OM> this specific case).

I learned about the chroot option for some new flavor of sshd recently; probably
the chroot dir can be assigned per user. With proper nullfs plugging of software
features like binaries, libs and cron variables into every such directory for
every such user, this should do the trick.

OM> Other things would be:
OM> - prevent the launch of daemons (-> screen, irssi, bots, etc.) -> ?

This particular one should be achieved by means of time-related ulimit
capabilities in login.conf(5)? If it is about ports to listen on, the
restrictions should be made via mac(3) to restrict a certain system call, e.g.,
listen(), for particular system instances, e.g., users?

73!
Peter
pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
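
A sketch of the per-user chroot, nullfs mounts and login class suggested in the reply above, added here as an example and not part of the original message. The user "alice", the group and class name "railshosting", the /jails base path and the limit values are all assumptions; the mac(3) idea is not covered.

```conf
# --- /etc/ssh/sshd_config -------------------------------------------
# Hypothetical group "railshosting"; %u expands to the login name.
# sshd refuses the login unless /jails and /jails/<user> are owned by
# root and not writable by group or others.
Match Group railshosting
    ChrootDirectory /jails/%u

# --- /etc/fstab (repeat this set per user; "alice" is a sample) ------
# Read-only nullfs views of the base system and installed packages.
/bin         /jails/alice/bin         nullfs  ro  0  0
/lib         /jails/alice/lib         nullfs  ro  0  0
/libexec     /jails/alice/libexec     nullfs  ro  0  0
/usr/bin     /jails/alice/usr/bin     nullfs  ro  0  0
/usr/lib     /jails/alice/usr/lib     nullfs  ro  0  0
/usr/local   /jails/alice/usr/local   nullfs  ro  0  0
# Writable home; sshd changes to the passwd home directory after chroot.
/home/alice  /jails/alice/home/alice  nullfs  rw  0  0
# Device nodes (null, tty, ...) needed by an interactive shell.
devfs        /jails/alice/dev         devfs   rw  0  0
# /jails/alice/etc is a real directory, not a nullfs mount: its password
# database (master.passwd, built with pwd_mkdb -d /jails/alice/etc)
# lists only alice, so other customers stay hidden.

# --- /etc/login.conf (then run: cap_mkdb /etc/login.conf) ------------
# cputime is CPU time per process, not wall-clock time: it stops a busy
# runaway job but not an idle screen or irssi session. maxproc caps the
# number of processes the user can hold at once. Sample values.
railshosting:\
	:cputime=30m:\
	:maxproc=40:\
	:tc=default:
# Assign the class to the user: pw usermod alice -L railshosting
```

Check the sshd_config change with `sshd -t` before reloading the daemon, and create the mount points under /jails/alice before running `mount -a`.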