From: Bart Silverstrim
Date: Fri, 24 Sep 2004 07:53:20 -0400
Subject: Re: Ultimately Safe User Account
List: freebsd-questions@freebsd.org
Message-Id: <5480CBFA-0E20-11D9-B75A-000D9338770A@chrononomicon.com>
In-Reply-To: <2D8BB15C7B5C214F81C32D3A83B32736013D45B3@idbexc01.americas.cpqcorp.net>

> I have a production FreeBSD box. My friend is starting to learn Unix
> essentials and is asking me for an account. He doesn't require any
> special rights, but he certainly wants to be able to use shell and read
> most manual pages. He'll access the server via Internet, SSH.
>
> How can I create an account, so that it is completely safe to let him
> in? How can I jail/chroot him and do I need to do it this way? I want to
> limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu
> (~5-10%), _internet connectivity_ (bandwidth is expensive and he must
> not be able to download much). He is new to Unix but I have to suppose
> that somebody very experienced can steal his account info.
>
> I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi.
> I don't want him to have any browser or fetch-like utility.
>
> I know that letting somebody log in is already a security hole, but I
> want to minimize the risks.
>

As others had pointed out, a live boot CD is the best way to learn on his own hardware without you getting nasty surprises on your own. Alternatively, he (or you) could invest in VMware and let him have free rein inside a virtual machine. Personally those would be the two options I'd look at first...preferably VMware, since a screwup is as easy to recover from as copying a backup of the good image to a working drive image.

Otherwise you're looking at investing a lot of time and effort in getting quotas configured, bandwidth monitoring, jails, etc. etc...the virtual machine route is the best way to give a budding "root" a chance to learn with less fear of mistakes (or killing your server/workstation)...especially if he gets clever with ssh redirection of ports :-)

-Bart