Date: Tue, 25 Nov 1997 12:25:23 -0800 (PST)
From: Doug White
To: Alberto Johnson
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: FTP inquiry

On Tue, 25 Nov 1997, Alberto Johnson wrote:

> I have noticed that my users are starting to think (not good for keeping
> security). My users are becoming very clever every day, and they are trying
> to pull a few tricks to try to break in or gather information of my mail server
> using ftp. For example:
>
> 1. they tried to download the password file

I assume that failed.

> 2. they tried to enter other users' directories

There isn't much you can do about that, other than make the home dirs with
perms 700, but that could create problems. I'd have to try it.

> 3. they tried to get a directory list from "/usr/home", paste this list on a
> spreadsheet, add the @domain.com, final result

Easy fix:

    chmod -r /usr/home

Now they can't see into /usr/home but they can chdir into it and into the
home directories as normal.

> Now this server is also used to post home pages, so I cannot deny access to
> everybody, because they would like to be able to upload and download their
> files from their "/usr/home/userXX" directory.

Well, /usr/home/userxx/public_html/ if you set up the web server properly.

> Is there a way to keep a user in his home directory, where his html files
> are, and prevent him from going out of his home directory and start wandering
> around? If this is not possible, at least deny him view (read) access to the
> home directory structure.

The Web server won't allow arbitrary access to the filesystem. They either
go into your server_root or they go into ~user/public_html (in the apache
default setup).

If a user makes a link to /etc/passwd from a personal homepage, then there
isn't much you can do about that other than remove read access to those
files or directories.

Doug White                              | University of Oregon
Internet:  dwhite@resnet.uoregon.edu    | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major
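
The effect of removing the read bit from the parent of the home directories, as an added example that is not part of the original message: it classifies what an account outside the owner and group can do with a directory before and after the change. The tree under mktemp and the names user01/user02 are constructed stand-ins for /usr/home, and other_bits, dir_exposure and make_demo are hypothetical helper names.

```shell
#!/bin/sh
# Added example: directory read (list) vs. execute (traverse) bits.
# The tree under mktemp is constructed; the message's real target is /usr/home.

# "Other" permission triplet of a path, taken from `ls -ld` (e.g. "r-x").
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# What a user who is neither owner nor in the group can do with a directory.
dir_exposure() {
    case "$(other_bits "$1")" in
        r?[xt]) echo "list+traverse" ;;   # names visible, entries reachable
        r??)    echo "list-only" ;;       # names visible, entries unreachable
        -?[xt]) echo "traverse-only" ;;   # names hidden, known paths still work
        *)      echo "none" ;;
    esac
}

# Build a throwaway stand-in for /usr/home with two constructed users.
make_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/user01/public_html" "$root/home/user02/public_html"
    chmod 755 "$root/home" "$root/home/user01" "$root/home/user02"
    echo "$root"
}

demo() {
    root=$(make_demo) || return 1
    echo "before chmod:  $(dir_exposure "$root/home")"
    # a-r names every class explicitly, so the result does not depend on umask.
    chmod a-r "$root/home"
    echo "after chmod:   $(dir_exposure "$root/home")"
    echo "user01 home:   $(dir_exposure "$root/home/user01")"
    # Mode 700 on a home directory also blocks traversal by other accounts.
    chmod 700 "$root/home/user02"
    echo "user02 (700):  $(dir_exposure "$root/home/user02")"
    chmod 755 "$root/home" && rm -rf "$root"   # restore read so cleanup works
}

demo
```

The check reads mode bits rather than attempting access, so it gives the same answer when run as root, which bypasses these permissions.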