From owner-freebsd-security@FreeBSD.ORG Mon May 17 06:27:01 2004
Date: Mon, 17 May 2004 14:24:29 +0100 (BST)
From: Jan Grant
To: Frankye - ML
cc: freebsd-security@freebsd.org
Subject: Re: Multi-User Security
In-Reply-To: <20040517151016.7b83fbe9@godzilla>
References: <4985.217.162.71.141.1084795720.squirrel@serv04.inetworx.ch> <20040517151016.7b83fbe9@godzilla>

On Mon, 17 May 2004, Frankye - ML wrote:

> On Mon, 17 May 2004 14:08:40 +0200 (CEST)
> "David E. Meier" wrote:
>
> | We would like to offer to some customers of ours some sort of network
> | backup/archive. They would put daily or weekly backups from their local
> | machine on our server using rsync and SSH. Therefore, they all have a
> | user account on our server. However, we must ensure that they would
> | absolutely not be able to access any data of each other at all.
>
> Just my 2 cents: I've found very useful some shells that permit just some
> subset of commands, for example shells/scponly, sysutils/bksh or
> sendmail's smrsh.
>
> Since you're using ssh you might also find useful the command= statement
> in .ssh/authorized_keys

However, if you are using rsync or some other complex endpoint on the
server, you are also reliant on that having no way to subvert its
protocol or operation from the client side. "command=" settings in the
ssh config are a good starting point, but for defense in depth you
probably want careful control of filesystem access, be it through a jail
or some other mechanism.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Not as randy or clumsom as a blaster.