From: Roland Smith
To: joeb
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: restrict FreeBSD users to their home directory
Date: Sun, 26 Oct 2008 14:14:50 +0100

On Sun, Oct 26, 2008 at 08:19:51PM +0800, joeb wrote:
>> > I don't want them to be able to see any system directories or other users?
>>
>> User directories are by default both owned by the user and belong to the
>> user's group. So you can set the umask for every user so that their
>> files are not accessible to others.
>>
>> You cannot block read and execute access to a lot of system files
>> (binaries, libraries, /usr/[local/]share/) without making the system
>> useless.
>>
>> What is the problem you're trying to solve? Blocking read access to
>> system files is almost certainly the wrong solution.
>>
> Want to keep all the users from being able to see anything outside of
> their home directory using gnome or kde desktop.

I ask again, why?

As outlined above, you can easily keep users from poking around in
others' files.

Realize that if users cannot read anything outside their home directory, they
cannot start programs in the system directories!

And since normal users do not have write access to system directories or
files, they can do little harm. System files that users shouldn't have
access to (e.g. /etc/master.passwd) are already chmod-ed so that only
root has access.

You could put every user in a jail(8), but that would be a significant
effort depending on the amount of applications they need.

Realize that if the users have physical access to the machine, these
security measures are _useless_. A hostile user could take out the
hard disk, put it in a machine where he has a root account and read all
the disk's contents (unless it's encrypted).

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
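
Added example, not part of the original message: the thread suggests setting each user's umask so that their files are not accessible to others. A umask only affects files created after it is set, so this sketch audits a home tree for entries that still grant group or other access and then tightens them. The function names and the scratch directory are constructed for illustration.

```sh
#!/bin/sh
# Added example: find files in a home tree that group/other can still reach.
# A umask only applies to files created after it is set, so existing files
# need an explicit check.

# Print every entry under $1 that grants any permission bit to group or other.
# Symlinks are skipped: their own mode bits do not control access.
exposed_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries under $1.
count_exposed() {
    exposed_paths "$1" | wc -l | tr -d ' '
}

# Strip all group/other bits under $1, matching what umask 077 gives new files.
lock_down() {
    chmod -R go-rwx "$1"
}

# Demo on a constructed scratch tree standing in for a user's home directory.
demo() {
    home=$(mktemp -d) || return 1
    ( umask 022 && mkdir "$home/docs" && echo old > "$home/docs/old.txt" )
    ( umask 077 && mkdir "$home/mail" && echo new > "$home/mail/new.txt" )
    echo "exposed before: $(count_exposed "$home")"
    exposed_paths "$home"
    lock_down "$home"
    echo "exposed after:  $(count_exposed "$home")"
    rm -rf "$home"
}

demo
```

Only the directory and file created under umask 022 are reported; the ones created under umask 077 are already private.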