From owner-freebsd-questions  Tue Nov 25 10:57:16 1997
Return-Path: <owner-freebsd-questions>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id KAA08912
          for questions-outgoing; Tue, 25 Nov 1997 10:57:16 -0800 (PST)
          (envelope-from owner-freebsd-questions)
Received: from internet.panama.phoenix.net (internet.panama.c-com.net [204.95.131.253])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA08900
          for <freebsd-questions@FreeBSD.ORG>; Tue, 25 Nov 1997 10:57:10 -0800 (PST)
          (envelope-from ajohnson@panama.c-com.net)
Received: from lab2.phoenix.net ([207.43.32.8]) by internet.panama.phoenix.net (8.8.7/8.6.12) with SMTP id NAA07241 for <freebsd-questions@FreeBSD.ORG>; Tue, 25 Nov 1997 13:56:48 -0500 (EST)
Message-Id: <3.0.1.32.19971125135449.006d8b88@panama.c-com.net>
X-Sender: ajohnson@panama.c-com.net
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Tue, 25 Nov 1997 13:54:49 -0600
To: freebsd-questions@FreeBSD.ORG
From: Alberto Johnson <ajohnson@panama.c-com.net>
Subject: FTP inquiry
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

	I'm a rookie on this big world of UNIX, I work for an ISP on Panama (just
for the records, Panama is on Central America.), i'm part of the staff of
Technichal Operations (please don't ask how I got this far in life).

	I have notice that my users are starting to think (not good for keeping
security). My users are becoming very clever every day, and they are trying
to pull a few tricks try to break in or gader information of my mail server
using ftp. for example:

1. they tried to download the password file
2. they tried to enter orther users directories
3. they tried to get a directory list form"/usr/home", paste this list on a
spread sheet, add the @domain.com, final result

user01@domain.com
user02@domain.com
user..@domain.com

Bingo... this guy has an mail list of all the users on my server he can try
to send bulk mail to them without autorization. or sell the list to some
marketing wizard that will add all this e-mail address for sending mail
regarding his business.

Now this server is also use to post Home pages, so i cannot deny access to
every body. because they would like to be able upload and download there
files from there "/usr/home/userXX" directory.

is there a way to keep a user on his home directory, where his html file
are, and prevent him from going out his home directory and start woundering
around. if this is not posible, at least deny him view (read) access to the
home directory structure.

Alberto Johnson
ajohnson@panama.c-com.net

Johnson