Date: Wed, 19 Dec 2001 17:45:43 -0500 (EST)
From: Joe Clarke <marcus@marcuscom.com>
To: lonnie@outstep.com
Cc: Dan Nelson <dnelson@allantgroup.com>, "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
Subject: Re: FreeBSD and restricting users
Message-ID: <20011219174239.K78518-100000@shumai.marcuscom.com>
In-Reply-To: <1008800406.3c2112967d195@mail.outstep.com>
You may want to have a look at FreeBSD's jail(8) feature. There's also a
good article on jail internals at
http://www.daemonnews.org/200109/jailint.html This should sufficiently
lock your users down.

Joe

On Wed, 19 Dec 2001 lonnie@outstep.com wrote:

> Thanks Dan,
>
> This is the same solution that I have already found from the Linux side as well
> and is currently not an option for our particular implementation.
>
> We really need to be able to limit the users from navigating out of their HOME
> directories for this particular SPECIAL project.
>
> I just saw something on the FreeBSD website about "sandboxes" that might be
> interesting in this respect, but I am not sure if it would be possible to put
> each user graphical login session into a "sandbox".
>
> Best Regards,
> Lonnie
>
> Quoting Dan Nelson <dnelson@allantgroup.com>:
>
> > In the last episode (Dec 19), Lonnie Cumberland said:
> > > The basic problem is this. It is very easy to keep a user from
> > > entering into a directory after they have logged in, but it is VERY
> > > hard to keep a user locked into their HOME directory.
> > >
> > > We have looked at chrooted solutions as well, but they fail when a
> > > user logs in through XDM and starts up an application like Netscape or
> > > StarOffice. Once that happens, they are free to navigate throughout
> > > the system.
> > >
> > > Can FreeBSD solve the problem of preventing a user from leaving their
> > > HOME directory while still allowing them to run OpenOffice?
> >
> > If you really truly don't want them seeing anything outside their
> > $HOME, chroot is your only choice. Create a minimal /etc, /lib, /bin
> > etc in each homedir and you should be set. Note you'll have to
> > replicate most of /usr/X11R6 for any X app to work.
> >
> > What exactly are you trying to keep users from doing? A standard
> > install should not expose any private info or leave directories
> > incorrectly writable. Just because they can browse into /etc doesn't
> > mean they can do anything.
> >
> > --
> > 	Dan Nelson
> > 	dnelson@allantgroup.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
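Dan's advice to build a minimal /etc, /lib, /bin in each homedir, worked through as an added example that is not code from this thread: a POSIX sh script that copies a binary plus every shared object ldd(1) reports for it into a chroot root, recreating the original directory layout. The path /home/lonnie is a constructed placeholder, and because ldd on FreeBSD does not list the runtime loader, /libexec/ld-elf.so.1 is copied explicitly.

```shell
#!/bin/sh
# Populate a per-user chroot with a binary and the shared libraries it needs.
# Assumes ldd(1) prints one dependency per line containing the library's absolute path.

set -u

# Print the absolute paths of the shared objects a dynamically linked binary
# needs, one per line. A static binary (or a missing ldd) yields nothing.
chroot_deps() {
    ldd "$1" 2>/dev/null | awk '
        /:$/ { next }                       # skip "file:" header lines (FreeBSD ldd)
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^\//) { print $i; break } }'
    return 0
}

# Copy one file into the chroot, recreating its parent directory under the root.
chroot_copy() {
    cc_root=$1; cc_src=$2
    [ -e "$cc_src" ] || return 1
    mkdir -p "$cc_root$(dirname "$cc_src")" || return 1
    cp -p "$cc_src" "$cc_root$cc_src"
}

# Install a binary and all of its dependencies below the chroot root.
chroot_install() {
    ci_root=$1; ci_bin=$2
    chroot_copy "$ci_root" "$ci_bin" || return 1
    for lib in $(chroot_deps "$ci_bin"); do
        chroot_copy "$ci_root" "$lib" || return 1
    done
    return 0
}

# Demo: build the skeleton of a homedir jail for one user (constructed path).
if [ "${1:-}" = "demo" ]; then
    jail_root=${2:-/home/lonnie}
    for d in bin lib libexec etc tmp; do mkdir -p "$jail_root/$d"; done
    chroot_install "$jail_root" /bin/sh
    chroot_install "$jail_root" /bin/ls
    # The FreeBSD dynamic linker is not part of ldd's listing, so copy it by hand.
    [ -e /libexec/ld-elf.so.1 ] && chroot_copy "$jail_root" /libexec/ld-elf.so.1
fi
```

Run it as root with `sh chroot-skel.sh demo /home/user`; an X application additionally needs the far larger /usr/X11R6 tree Dan mentions, which this skeleton does not attempt.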