*BSD News Article 74878


Return to BSD News archive

Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!fu-berlin.de!irz401!orion.sax.de!uriah.heep!news
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Restricted shell or chrooted environment for users?
Date: 27 Jul 1996 22:54:39 GMT
Organization: Private BSD site, Dresden
Lines: 36
Message-ID: <4te6nf$2ts@uriah.heep.sax.de>
References: <31F8CFD1.2781E494@systemics.com>
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
NNTP-Posting-Host: localhost.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: knews 0.9.6
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E

Gary Howland <gary@systemics.com> wrote:

> What is the "standard" FreeBSD method of restricting users?

Setting up a chroot environment.  Quite a bit of work, but rather
secure.

> There seems to be no facility to allow a login to chroot to
> the users directory, nor does there appear to be a standard
> restricted shell.

``Restricted shell considered harmful.''

Many people who are demanding a restricted shell intend to use it as a
login shell.  This is in NO WAY how it was supposed to be used at all.
Using a restricted shell as an (interactive) login shell gives you a
false feeling of security!

(Gimme a system with a restricted shell plus one hour of online time,
and i'll show you how to break the restriction.)

> Given the large no of ISPs running FreeBSD, there must be many
> who need to offer shell accounts - how are they doing this?

By setting up a chroot environment?  By not allowing shell accounts at
all?  Or, simplest of all, by actually _using_ the multiuser security
mechanism that is built into Unix systems?  (Why do i need to restrict
a user to not go beyond .. if there's actually nothing in .. he can
access at all?)

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)