Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!fu-berlin.de!irz401!orion.sax.de!uriah.heep!news From: j@uriah.heep.sax.de (J Wunsch) Newsgroups: comp.unix.bsd.freebsd.misc Subject: Re: Restricted shell or chrooted environment for users? Date: 27 Jul 1996 22:54:39 GMT Organization: Private BSD site, Dresden Lines: 36 Message-ID: <4te6nf$2ts@uriah.heep.sax.de> References: <31F8CFD1.2781E494@systemics.com> Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) NNTP-Posting-Host: localhost.heep.sax.de Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Newsreader: knews 0.9.6 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Gary Howland <gary@systemics.com> wrote: > What is the "standard" FreeBSD method of restricting users? Setting up a chroot environment. Quite a bit of work, but rather secure. > There seems to be no facility to allow a login to chroot to > the users directory, nor does there appear to be a standard > restricted shell. ``Restricted shell considered harmful.'' Many people who are demanding a restricted shell intend to use it as a login shell. This is in NO WAY how it was supposed to be used at all. Using a restricted shell as an (interactive) login shell gives you a false feeling of security! (Gimme a system with a restricted shell plus one hour of online time, and i'll show you how to break the restriction.) > Given the large no of ISPs running FreeBSD, there must be many > who need to offer shell accounts - how are they doing this? By setting up a chroot environment? By not allowing shell accounts at all? Or, simplest of all, by actually _using_ the multiuser security mechanism that is built into Unix systems? (Why do i need to restrict a user to not go beyond .. if there's actually nothing in .. he can access at all?) -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-)