Date:      Mon, 9 May 2011 21:50:48 +0400
From:      Peter Vereshagin <peter@vereshagin.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: restricted ssh shell for ruby on rails hosting ? (rake, git, etc.)
Message-ID:  <20110509175048.GA8326@external.screwed.box>
In-Reply-To: <1304953326.6473.37.camel@ompc.insign>
References:  <1304953326.6473.37.camel@ompc.insign>

Nobody knows that you're in for that, freebsd-questions!
2011/05/09 17:02:06 +0200 Olivier Mueller <om-lists-bsd@omx.ch> => To FreeBSD Questions :

OM> but one of the thing I would like to prevent is for example accessing
OM> some files like /etc/passwd   (= listing all other customers domains in
OM> this specific case).  

I learned about the chroot option for some new flavor of sshd recently;
probably the chroot dir can be assigned per user. With proper nullfs
plugging of software features like binaries, libs and cron variables into every
such directory for every such user, this should do the trick.

OM> Other things would be: 
OM> - prevent the launch of daemons  (-> screen, irssi, bots, etc.) -> ?

This particular one should be achieved by means of time-related ulimit capabilities
in login.conf(5)? As for ports to listen on, the restrictions should be made via
mac(3) to restrict a certain system call, e.g., listen(), for particular
system instances, e.g., users?

73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB  12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
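As an added illustration of the per-user sshd chroot with nullfs mounts and the login.conf limits sketched above (example configuration, not from the thread and not Peter's or Olivier's setup), assuming a hosted user "alice" in a group "railsusers", chroots under /chroot/<user>, and a login class named "rails":

```conf
# /etc/ssh/sshd_config: chroot every member of the hosting group into
# /chroot/<username>; %u is expanded by sshd to the login name.
# Forwarding and tunnels are switched off so the chroot cannot be used
# as a relay to services that are otherwise not reachable.
Match Group railsusers
    ChrootDirectory /chroot/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# /etc/fstab: read-only nullfs views of the host's binaries and libraries
# inside the chroot of the (assumed) user "alice". Nothing from /etc of the
# host is mounted, so the real /etc/passwd stays invisible; the chroot gets
# its own minimal /etc (master.passwd, group, resolv.conf) created by hand.
/bin        /chroot/alice/bin        nullfs  ro  0  0
/usr/bin    /chroot/alice/usr/bin    nullfs  ro  0  0
/lib        /chroot/alice/lib        nullfs  ro  0  0
/usr/lib    /chroot/alice/usr/lib    nullfs  ro  0  0
/usr/local  /chroot/alice/usr/local  nullfs  ro  0  0

# /etc/login.conf: a class for hosted accounts, applied with
#   pw usermod alice -L rails && cap_mkdb /etc/login.conf
# cputime caps CPU seconds per process, maxproc caps the number of
# processes, so a forgotten screen/irssi session cannot grow unbounded.
rails:\
    :cputime=3600:\
    :maxproc=40:\
    :memoryuse=512M:\
    :openfiles=256:\
    :tc=default:
```

sshd refuses the login unless /chroot and /chroot/alice are owned by root and not group- or world-writable, so check those permissions first. A shell inside the chroot also needs its own /dev (at least null, zero, tty), e.g. a devfs mount with a restrictive ruleset.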
