From: Matthew Seaman
To: Grant Peel
Cc: freebsd-questions@freebsd.org
Date: Fri, 20 Feb 2004 16:55:29 +0000
Subject: Re: No Email or FTP
Message-ID: <20040220165529.GC4997@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <007b01c3f7c5$116426a0$6501a8c0@grant>

On Fri, Feb 20, 2004 at 10:20:26AM -0500, Grant Peel wrote:

> In FreeBSD 4.4 and 4.7, is there a way to shut off email and/or ftp
> privileges? (Other than using quota that is). Using sendmail.

Yes -- those can both be done.

To stop a user FTP'ing into the machine, add their username to the
/etc/ftpusers file. Confusingly that's the list of people not
permitted to be ftp users... See ftpusers(5) for some more
fine-grained controls you can have via that file.

Note that this stops the users accessing their accounts on the FreeBSD
box via any local FTP server -- it doesn't stop them from running an
FTP client and downloading stuff from remote sites. If it's the
latter that you want, then that's much harder to achieve.

You can create a unix group for all of the people permitted to run ftp
clients (ftp, fetch, wget, any web browsers, etc.), set the group
ownership of those binaries to the ftp-allowed group and change the
permissions to mode 0750. Even so, if the user can compile or
otherwise obtain their own copy of one of those clients there's not a
lot you can do to stop them using it.

You can set up ipfw(8) or some other packet filter to prevent anyone
making outgoing ftp connections to arbitrary sites -- you could also
provide an FTP proxy service on your firewall (use ipfw rules to force
everyone to use the proxy, or implement some form of transparent
proxying) which requires authentication from the user. Squid can do
that sort of thing, as can the fw-tk stuff (although you'll have to
write some scripts to wrap around the components provided via fw-tk).
Both available in ports.

As for e-mail: to prevent a user sending or receiving e-mail, you need
to use the access DB feature. Look at /usr/share/sendmail/cf/README,
particularly the sections under 'blacklist_recipients' and the stuff
under the heading "Finer control by using tags for the LHS of the
access map".

It's also possible to force your users to authenticate before they can
submit a message to sendmail(8), but that's not generally done as it's
too intrusive. It also entails recompiling sendmail with SASL support
and quite a bit of setup work.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
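
Added example, not part of the original message: shell functions for the two FTP steps described above (denying inbound logins via /etc/ftpusers, and restricting client binaries to a group with mode 0750), plus a check that the restriction actually holds. The function names, the FTPUSERS override, the user name grant and the use of ftp-allowed as a literal group name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helper functions, not code from the original message.
# Assumed names: FTPUSERS override, group "ftp-allowed", user "grant".
FTPUSERS=${FTPUSERS:-/etc/ftpusers}

# Deny inbound FTP logins: list the user in ftpusers. Idempotent, so a
# re-run does not pile up duplicate entries.
deny_ftp_login() {
    user=$1
    grep -qxF -- "$user" "$FTPUSERS" 2>/dev/null && return 0
    printf '%s\n' "$user" >> "$FTPUSERS"
}

# Limit client binaries to one group: group-owned, mode 0750.
# The group must already exist (on FreeBSD: pw groupadd ftp-allowed).
restrict_clients() {
    group=$1; shift
    for bin in "$@"; do
        [ -f "$bin" ] || { echo "skip: $bin not found" >&2; continue; }
        chgrp "$group" "$bin" && chmod 0750 "$bin" || return 1
    done
}

# Audit: print each listed binary that "other" can still execute or that
# is not owned by the group; return 1 if any was found.
audit_clients() {
    group=$1; shift
    bad=0
    for bin in "$@"; do
        [ -f "$bin" ] || continue
        if [ -n "$(find "$bin" -prune \( -perm -0001 -o ! -group "$group" \) -print)" ]; then
            echo "$bin"; bad=1
        fi
    done
    return "$bad"
}

# Typical use, as root:
#   deny_ftp_login grant
#   restrict_clients ftp-allowed /usr/bin/ftp /usr/bin/fetch
#   audit_clients ftp-allowed /usr/bin/ftp /usr/bin/fetch
```

Running audit_clients after system or ports upgrades shows whether a reinstalled binary has reverted to its default ownership and mode; it only covers the binaries you list, not copies a user brings in themselves.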