Date: Sun, 26 Oct 2008 14:14:50 +0100
From: Roland Smith <rsmith@xs4all.nl>
To: joeb <joeb@a1poweruser.com>
Cc: "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org>
Subject: Re: restrict FreeBSD users to their home directory
Message-ID: <20081026131450.GA82837@slackbox.xs4all.nl>
In-Reply-To: <NBECLJEKGLBKHHFFANMBGECCCMAA.joeb@a1poweruser.com>
References: <20081026085332.GA97254@slackbox.xs4all.nl> <NBECLJEKGLBKHHFFANMBGECCCMAA.joeb@a1poweruser.com>

On Sun, Oct 26, 2008 at 08:19:51PM +0800, joeb wrote:
<snip>
>> > I don't want them to be able to see any system directories or other users?
>>
>> User directories are by default both owned by the user and belong to the
>> user's group. So you can set the umask for every user so that their
>> files are not accessible to others.
>>
>> You cannot block read and execute access to a lot of system files
>> (binaries, libraries, /usr/[local/]share/) without making the system
>> useless.
>>
>> What is the problem you're trying to solve? Blocking read access to
>> system files is almost certainly the wrong solution.
>>
> Want to keep all the users from being able to see anything outside of
> their home directory using gnome or kde desktop.

I ask again, why?

As outlined above, you can easily keep users from poking around in
others' files.

Realize that if users cannot read anything outside their home directory,
they cannot start programs in the system directories!

And since normal users do not have write access to system directories or
files, they can do little harm. System files that users shouldn't have
access to (e.g. /etc/master.passwd) are already chmod-ed so that only
root has access.

You could put every user in a jail(8), but that would be a significant
effort depending on the amount of applications they need.

Realize that if the users have physical access to the machine, these
security measures are _useless_. A hostile user could take out the
harddisk, put it in a machine where he has a root account and read all
the disk's contents (unless it's encrypted).

Roland
--
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
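
Added example, not part of the original message: the umask approach described in the message, shown in POSIX shell together with an audit for entries that other users can still reach. The function names and the temporary directory standing in for a home directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (not from the original e-mail).
# On FreeBSD the login-time umask comes from the "umask" capability in
# /etc/login.conf; here it is set by hand to compare two values.

# Print every entry under $1 that has any group or other permission bit.
# Only POSIX find primaries are used, so this runs on FreeBSD and Linux.
# Symlinks are skipped because their own mode bits are not meaningful.
exposed_entries() {
    find "$1" ! -type l \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries under $1.
count_exposed() {
    exposed_entries "$1" | wc -l | tr -d ' '
}

# Create one directory and one file under $1 using umask $2.
# The subshell keeps the umask change from leaking into the caller.
create_with_umask() {
    (
        umask "$2"
        mkdir "$1/dir_$2"
        : > "$1/file_$2"
    )
}

# Constructed demo: a temporary directory plays the role of a home dir.
demo() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    create_with_umask "$d" 022   # common default: group/other can read
    create_with_umask "$d" 077   # owner-only
    echo "entries reachable by group or other:"
    exposed_entries "$d"         # lists only dir_022 and file_022
    rm -rf "$d"
}

demo
```

A umask only affects newly created files; the audit function is what finds files that already exist with looser modes.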