Date: Wed, 14 Jan 2004 16:33:48 -0500 From: Charles Swiger <cswiger@mac.com> Cc: freebsd-questions@freebsd.org Subject: Re: binary execute restrictions Message-ID: <56C71CB2-46D9-11D8-AA98-003065ABFD92@mac.com> In-Reply-To: <444quzs2uj.fsf@be-well.ilk.org> References: <000d01c3d980$5521b6e0$5858269e@JANELLE> <0D7DAA44-4615-11D8-AA98-003065ABFD92@mac.com> <444quzs2uj.fsf@be-well.ilk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Jan 13, 2004, at 9:04 PM, Lowell Gilbert wrote: > I suspect that a restricted shell isn't going to be appropriate in > this case. Restricted shells are useful for avoiding shooting > yourself in the foot, but they're really not intended to be secure. You're probably right that my suggestion is only a partial solution, but using a restricted shell and chroot()ing these users to a home directory that isn't owned/writable by that UID should come pretty close to solving the Original Poster's problem. It might also be the case that the OP might be better off not generating "normal user accounts", but using application-specific user databases (such as found in software like Cyrus) to give controlled access to a particular service. -- -Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56C71CB2-46D9-11D8-AA98-003065ABFD92>