From: "Forrest W. Christian"
To: Jorge Biquez
Cc: freebsd-isp@FreeBSD.ORG
Date: Sat, 26 May 2001 23:26:46 -0600 (MDT)
Subject: Re: Advice on ISP services Please.

On Sat, 26 May 2001, Jorge Biquez wrote:

> - How to restrict the access of FTP to only the specified directory of the
> user. And that they can not see other users directories.

List the user in /etc/ftpchroot (see man ftpd)

> - How to implement quotas with FTP so users only can have a limit on space.

Just use standard FreeBSD quotas. man quota, quotaon, edquota, etc. etc.,
plus configuration options in /etc/rc.conf (as described in
/etc/defaults/rc.conf)

> - How to avoid users have access to telnet services.

Set shell as something listed in /etc/shells but not a valid shell. I
believe /usr/bin/true is commonly used for this.... (You may have to edit
/etc/shells)

> - How to avoid that a script of a user can consume lot of resources and
> could crash the machine.

Avoid scripts altogether, OR, do something else.

Scripts are a pain. You essentially bypass almost all of your security if
you permit user-provided scripts. There isn't a really good way to handle
them. If this is a must, then look at the Apache stuff to set the uid
running the script to the user. A script can still look at about
everything on the machine.

You may want to force user directories to be owned by the same group as
the web server runs as, and set the permissions on directories to 770.
Have the users in a different group. That way, only the web server and
the user can read the directory.

Did I mention scripts are a pain?

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd.              P.O. Box 5749
http://www.imach.com/                    Helena, MT 59604
Home of PacketFlux Technologies and BackupDNS.com   (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
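
The advice in the reply above can be checked mechanically. The script below is an added example, not part of the original message: it audits customer accounts for the placeholder shell, the /etc/ftpchroot entry and the 770 directory mode (group ownership is not checked). The function names, the UID range 1000-59999 and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FTP-only customer accounts against the setup in the reply.
# Assumed defaults: /usr/bin/true as placeholder shell, customer UIDs 1000-59999.
audit_ftp_users() {
    passwd=$1 shells=$2 ftpchroot=$3 nologin=${4:-/usr/bin/true} rc=0
    # Per the reply, the placeholder shell has to be listed in /etc/shells.
    if ! grep -qxF "$nologin" "$shells"; then
        echo "FAIL: $nologin is not listed in $shells"; rc=1
    fi
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|'#'*) continue ;; esac
        { [ "$uid" -ge 1000 ] && [ "$uid" -lt 60000 ]; } 2>/dev/null || continue
        # An account that still has a real shell can log in interactively.
        if [ "$shell" != "$nologin" ]; then
            echo "FAIL: $user has shell $shell"; rc=1
        fi
        # The user must be named in ftpchroot (@group lines are not resolved here).
        if ! awk -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$ftpchroot"; then
            echo "FAIL: $user is missing from $ftpchroot"; rc=1
        fi
        # Directories should be 770 so other customers cannot read them.
        if [ -d "$home" ]; then
            mode=$(ls -ld "$home" | cut -c1-10)
            if [ "$mode" != "drwxrwx---" ]; then
                echo "FAIL: $home is $mode, expected drwxrwx---"; rc=1
            fi
        fi
    done < "$passwd"
    return "$rc"
}

# Constructed sample data (not from the original message): alice follows the
# advice; bob has a real shell, no ftpchroot entry and a world-readable home.
demo_audit() {
    d=$(mktemp -d) || return 2
    mkdir "$d/alice" "$d/bob"; chmod 770 "$d/alice"; chmod 755 "$d/bob"
    printf '%s\n' /bin/sh /bin/csh /usr/bin/true > "$d/shells"
    printf '%s\n' alice > "$d/ftpchroot"
    printf '%s\n' "root:*:0:0:Charlie &:/root:/bin/csh" \
        "alice:*:1001:1001:Alice:$d/alice:/usr/bin/true" \
        "bob:*:1002:1002:Bob:$d/bob:/bin/sh" > "$d/passwd"
    status=0; audit_ftp_users "$d/passwd" "$d/shells" "$d/ftpchroot" || status=$?
    rm -rf "$d"
    return "$status"
}
demo_audit || echo "audit reported problems"
```

On a live host the same function would be called as `audit_ftp_users /etc/passwd /etc/shells /etc/ftpchroot`.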