Date: Mon, 03 Jun 2002 13:55:00 +1000
From: Jacob Rhoden <jrhoden@unimelb.edu.au>
To: <leroy@3dmasters.net>, <freebsd-questions@freebsd.org>
Subject: Re: Restrict user access on freebsd
Message-ID: <B92125B4.F4C%jrhoden@unimelb.edu.au>
In-Reply-To: <000201c20aa3$710d9de0$0264a8c0@3dmdomain.local>

on 3/6/2002 12:07 PM, Admin/Manager at leroy@3dmasters.net wrote:

> I am starting a College Web server. I would like to know if I could
> change all file permissions on the system to root access only.
> All the users are going to have ssh access and would like to stop users from
> looking at folders /etc/ /etc/named/ will this work ok?

Short answer, no.

Long answer: You can do it to some but not all. Users need the ability to read files in /etc, for example /etc/group. The best thing to do is to remove the x flag on most directories, i.e. /etc /bin /sbin and so on, so that normal users can execute things like 'ls' and read files like 'group'. (The x flag on directories means that a user cannot list the directory but can still access files in it).

If you are unsure about the necessity of a command, then I suggest you simply get a test system and log in as a normal user, and remove flags of various binaries as required, then test as the normal user.

You may also want to investigate restricted shells, so instead of using 'bash' or 'tcsh' you can get shells which don't let the user 'cd' out of their directory.

Also you can chroot ftp, so that the users can't ftp out of their own directory (see /etc/ftpchroot).

Regards,
Jacob Rhoden

NB: you can remove global access to /etc/named but if you do it to /etc/mail or other such mail config files then sendmail or will complain.

----------------------------------------------------
Jacob Rhoden                  Phone: +61 3 9844 6102
ITS Division                  Email: jrhoden@unimelb.edu.au
Melbourne University          Mobile: +61 403 788 386

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
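
Added example, not part of the original e-mail: a POSIX shell helper that reports, from the mode bits shown by `ls -ld`, what users outside the owner and group can do with each directory, so the effect of a chmod can be checked on a test system first. The function names and the scratch tree are assumptions made for the illustration; ACLs and file flags are not examined.

```sh
#!/bin/sh
# Added example: report what users outside the owner and group ("other")
# can do with a directory, judged from its mode bits only. ACLs and file
# flags are not considered.

# other_dir_access DIR
# Prints list+enter, enter-only, names-only or none.
other_dir_access() {
    # Characters 8-10 of the `ls -ld` mode string are the "other" rwx bits;
    # t/T in the last position is the sticky bit with/without search.
    bits=$(ls -ld "$1" | cut -c8-10)
    case "$bits" in
        r?[xt]) echo "list+enter" ;;  # names listable, files reachable
        -?[xt]) echo "enter-only" ;;  # no listing, known names reachable
        r?[-T]) echo "names-only" ;;  # names listable, files not reachable
        *)      echo "none" ;;        # neither
    esac
}

# audit_dirs DIR...
# One "class<TAB>path" line per directory argument.
audit_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        printf '%s\t%s\n' "$(other_dir_access "$d")" "$d"
    done
}

# Constructed scratch tree (not real system directories) with four modes.
demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/diraudit.XXXXXX") || return 1
    mkdir "$scratch/open" "$scratch/search" "$scratch/read" "$scratch/closed"
    chmod 755 "$scratch/open"
    chmod 711 "$scratch/search"
    chmod 744 "$scratch/read"
    chmod 700 "$scratch/closed"
    audit_dirs "$scratch"/*
    rm -rf "$scratch"
}

demo
```

Pass it the real directories, for example `audit_dirs /etc /bin /sbin`, before and after a permission change on the test system.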