Date:      Thu, 27 Jul 2000 00:58:24 -0600 (MDT)
From:      "Forrest W. Christian" <forrestc@imach.com>
To:        "chem@i-p-d.nl" <chem@i-p-d.nl>
Cc:        Kenn Martin <kmartin@infoteam.com>, freebsd-isp@FreeBSD.ORG
Subject:   Re: limiting telnet-users
Message-ID:  <Pine.BSF.4.21.0007270048130.11446-100000@workhorse.iMach.com>
In-Reply-To: <200007270728.JAA09013@ns1.i-p-d.nl>

I probably missed this info which I am mentioning here from an earlier
post.

What exactly are you trying to prevent these users from doing?

About the only way to confine users to their own little private world is
chroot.   Period.

The problem with any other approach is that it is virtually impossible to
confine a user to a specific directory.  About the only way to do this is
to modify the shell (or provide a teensy shell) to prevent access.  BUT,
as soon as you give them access to an editor, you have opened up an entire
can of worms.

Either you generally trust your users and you give them a shell account or
you don't and you put them in a chroot dir.

Any other restrictions you provide essentially serve to keep the clueless
honest.

Give me 5 mins on any non-chroot system and I'll be past the security.

Chroots are SIGNIFICANTLY more difficult to break out of.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
