From: Lowell Gilbert
Date: 21 Jul 2003 17:03:56 -0400
To: Mark
Cc: freebsd-questions@freebsd.org
Subject: Re: Security of adding users for "accounts" ??
Message-ID: <44n0f7iocj.fsf@be-well.ilk.org>
In-Reply-To: <1058637268.1308.0.camel@donburi>

Mark writes:

> i hope this isn't too silly a question, but one of the really easy
> ways we've found to manage "accounts" for customers is to just go and
> create actual unix accounts for them on our FreeBSD boxes, which helps
> us organise everything from directories to where programs look for
> their info, etc ...
>
> now, to keep things "safer", we always deny the accounts shell
> access by setting the shell field in /etc/passwd to /sbin/nologin
>
> but ....
>
> we're still wondering if there are any security implications to
> consider from doing this, and if there are any other, perhaps better
> ways to manage non-trivial numbers of customer accounts ... we're
> only in the dozens now, but it may get into the hundreds in the
> future.

There's an ISP list that would probably cover this better, but my
answer would be that it depends on what you want to *permit* these
users to do. If there are several functions they need to access, then
giving them real accounts is probably the best way. If all you want is
to give them FTP access (for example), though, then you might do better
by finding an FTP daemon that supports its own idea of a user database.
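
An added example, not part of the original message or of any FreeBSD tool: a /bin/sh audit that checks the policy described in the quoted question (every customer account has /sbin/nologin in the shell field) over passwd(5)-format input, including the case of an empty shell field, which passwd(5) treats as /bin/sh. The UID cutoff of 2000 for customer accounts, the function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd(5)-format data for customer accounts that
# can still obtain a shell. Not code from the thread.
# Assumption: customer accounts are the ones with UID >= MIN_UID.

# audit_nologin [MIN_UID] [EXPECTED_SHELL]
# Reads passwd(5) lines on stdin, prints "name:uid:shell" for each account
# at or above MIN_UID whose shell field is not EXPECTED_SHELL.
# Returns 1 if any such account was found, 0 otherwise.
audit_nologin() {
    awk -F: -v min="${1:-2000}" -v want="${2:-/sbin/nologin}" '
        /^#/ || NF < 7 { next }      # skip comments and malformed lines
        $3 + 0 < min   { next }      # skip system and staff accounts
        $7 != want {
            # an empty shell field means /bin/sh per passwd(5)
            shell = ($7 == "") ? "/bin/sh (empty field)" : $7
            print $1 ":" $3 ":" shell
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample in the FreeBSD passwd(5) layout (hypothetical accounts).
sample_passwd() {
    cat <<'EOF'
# constructed sample, not a real password file
root:*:0:0:Charlie &:/root:/bin/csh
staff1:*:1001:1001:Staff:/home/staff1:/bin/tcsh
cust1:*:2001:2001:Customer 1:/home/cust1:/sbin/nologin
cust2:*:2002:2002:Customer 2:/home/cust2:/bin/sh
cust3:*:2003:2003:Customer 3:/home/cust3:
EOF
}

# Demo run on the sample; on a real host, feed it /etc/passwd instead.
sample_passwd | audit_nologin 2000 || echo "accounts listed above can still get a shell"
```

The check covers only the shell field; which services a customer account can still reach depends on how each daemon authenticates, which is the point of the reply above.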