From owner-freebsd-isp  Thu Jul 27  0:55:45 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from workhorse.iMach.com (workhorse.iMach.com [206.127.77.89])
	by hub.freebsd.org (Postfix) with ESMTP id 84B7A37C06F
	for <freebsd-isp@FreeBSD.ORG>; Thu, 27 Jul 2000 00:55:41 -0700 (PDT)
	(envelope-from forrestc@imach.com)
Received: from localhost (forrestc@localhost)
	by workhorse.iMach.com (8.9.3/8.9.3) with ESMTP id AAA11509;
	Thu, 27 Jul 2000 00:58:24 -0600 (MDT)
Date: Thu, 27 Jul 2000 00:58:24 -0600 (MDT)
From: "Forrest W. Christian" <forrestc@imach.com>
To: "chem@i-p-d.nl" <chem@i-p-d.nl>
Cc: Kenn Martin <kmartin@infoteam.com>, freebsd-isp@FreeBSD.ORG
Subject: Re: limiting telnet-users
In-Reply-To: <200007270728.JAA09013@ns1.i-p-d.nl>
Message-ID: <Pine.BSF.4.21.0007270048130.11446-100000@workhorse.iMach.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I probably missed this info which I am mentioning here from an earlier
post.

What exactly are you trying to prevent these users from doing?

About the only way to confine users to their own little private world is
chroot.   Period.

The problem with any other approach is that it is virtually impossible to
confine a user to a specific directory.  About the only way to do this is
to modify the shell (or provide a teency shell) to prevent access.  BUT,
as soon as you give them access to an editor, you have opened up an entire
can of worms.

Either you generally trust your users and you give them a shell account or
you don't and you put them in a chroot dir.

Any other restrictions you provide essentially serve to keep the clueless
honest.

Give me 5 mins on any non-chroot system and I'll be past the security.

Chroots are SIGIFICANTLY more difficult to break out of.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message