Date: Sun, 26 Oct 2008 14:14:50 +0100 From: Roland Smith <rsmith@xs4all.nl> To: joeb <joeb@a1poweruser.com> Cc: "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org> Subject: Re: restrict FreeBSD users to their home directory Message-ID: <20081026131450.GA82837@slackbox.xs4all.nl> In-Reply-To: <NBECLJEKGLBKHHFFANMBGECCCMAA.joeb@a1poweruser.com> References: <20081026085332.GA97254@slackbox.xs4all.nl> <NBECLJEKGLBKHHFFANMBGECCCMAA.joeb@a1poweruser.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Sun, Oct 26, 2008 at 08:19:51PM +0800, joeb wrote: <snip> >> > I don't want them to be able see any system directories or other users? >> >> User directories are by default both owned by the user and belong to the >> user's group. So you can set the umask for every user so that their >> files are not accessible to others. >> >> You cannot block read and execute access to a lot of system files >> (binaries, libraries, /usr/[local/]share/) without making the system >> useless. >> >> What is the problem you're trying to solve? Blocking read access to >> system files is almost certainly the wrong solution. >> > Want to keep all the users from being able to see anything outside of > their home directory using gnome or kde desktop. I ask again, why? As outlined above, you can easily keep users from poking around in other's files. Realize that if users cannot read anything outside their home directory, they cannot start programs in the system directories! And since normal users do not have write access to system directories or files, they can do little harm. System files that users shouldn't have access to (e.g. /etc/master.passwd) are already chmod-ed so that only root has access. You could put every user in a jail(8), but that would be a significant effort depending on the amount of applications they need. Realize that if the users have physical access to the machine, these security measures are _useless_. A hostile user could take out the harddisk, put it in a machine where he has a root account and read all the disk's contents (unless it's encrypted). Roland -- R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkkEbUoACgkQEnfvsMMhpyV9/ACfacpZapelCNj0Od6Q4R47wcPM bfwAn28eHSoxhjaQQX6+z7egkpbgyQk7 =LxPF -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081026131450.GA82837>