From owner-freebsd-questions  Fri Feb 16  6: 9:29 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from post.mail.nl.demon.net (post-11.mail.nl.demon.net [194.159.73.21])
	by hub.freebsd.org (Postfix) with ESMTP id 36C2C37B65D
	for <freebsd-questions@freebsd.org>; Fri, 16 Feb 2001 06:09:27 -0800 (PST)
Received: from [195.11.243.26] (helo=Debug)
	by post.mail.nl.demon.net with smtp (Exim 3.14 #4)
	id 14TlZd-0008MR-00; Fri, 16 Feb 2001 14:09:25 +0000
To: Vlad Skvortsov <vss@ulstu.ru>, freebsd-questions@FreeBSD.ORG
From: Cliff Sarginson <cliff@raggedclown.net>
Subject: Re: read-only /
Date: Fri, 16 Feb 2001 14:09:25 GMT
X-Mailer: www.webmail.nl.demon.net
X-Sender: postmaster@btvs.demon.nl
X-Originating-IP: 192.250.25.251
Message-Id: <E14TlZd-0008MR-00@post.mail.nl.demon.net>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Fri, Feb 16, 2001 at 01:20:32PM +0000, Cliff Sarginson wrote:

> 
> 	That is shell access server. The configuration has to be secure because
> we have not much time to watch this box. Everything what's possible is set
> to r/o; r/w partitions are quotas enabled, noexec and nodev flags are on.
> The only filesystem left "unsecure" is /.
> 
I would have sais that you should look into putting your users into
a "jail" or consider the use of a restricted shell; this should be 
enough to keep them locked up :)

Much less messy ...

Cliff

Since I have never tried it I must say I am slightly suprised
you can even logon at all if the /dev permissions cannot be
changed.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message