Date:      Mon, 03 Jun 2002 13:55:00 +1000
From:      Jacob Rhoden <jrhoden@unimelb.edu.au>
To:        <leroy@3dmasters.net>, <freebsd-questions@freebsd.org>
Subject:   Re: Restrict user access on freebsd
Message-ID:  <B92125B4.F4C%jrhoden@unimelb.edu.au>
In-Reply-To: <000201c20aa3$710d9de0$0264a8c0@3dmdomain.local>

on 3/6/2002 12:07 PM, Admin/Manager at leroy@3dmasters.net wrote:
> I am starting a College Web server.  I would like to know if I could
> change all file permissions on the system to root access only.
> All the users are going to have ssh access and would like to stop users from
> looking at folders /etc/  /etc/named/   will this work ok?

Short answer, no.

Long answer:
You can do it to some but not all. Users need the ability to read files in
/etc, for example /etc/group. The best thing to do is to remove the x flag
on most directories, i.e. /etc /bin /sbin and so on, so that normal users can
execute things like 'ls' and read files like 'group'.  (The x flag on
directories means that a user cannot list the directory but can still access
files in it). If you are unsure about the necessity of a command, then I
suggest you simply get a test system and log in as a normal user, and remove
flags of various binaries as required, then test as the normal user.

You may also want to investigate restricted shells, so instead of using
'bash' or 'tcsh' you can get shells which don't let the user 'cd' out of
their directory. Also you can chroot ftp, so that the users can't ftp out of
their own directory (see /etc/ftpchroot).

Regards,
Jacob Rhoden

NB: you can remove global access to /etc/named but if you do it to /etc/mail
or other such mail config files then sendmail or will complain.

----------------------------------------------------
Jacob Rhoden           Phone: +61 3 9844 6102
ITS Division           Email: jrhoden@unimelb.edu.au
Melbourne University  Mobile: +61 403 788 386
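
Added example, not part of the original message: the behaviour described in the reply (files can be opened by name, but the directory cannot be listed) corresponds to a directory whose search (x) bit is set and whose read (r) bit is cleared for other users, for example mode 711. The script below reports this for each directory under a constructed test tree; the function names `other_access` and `audit_dirs` are hypothetical.

```shell
#!/bin/sh
# Classify what users outside the owner and group ("other") can do with a
# directory, based on the mode string printed by ls -ld.
#   r on a directory = may list the names in it
#   x on a directory = may traverse it, i.e. open entries whose name is known

other_access() {
    [ -d "$1" ] || return 1
    # Mode string looks like drwx--x--x; characters 8-10 are the "other" triplet.
    mode=$(ls -ld "$1" | cut -c1-10)
    r=$(printf '%s' "$mode" | cut -c8)
    x=$(printf '%s' "$mode" | cut -c10)
    # Lowercase t = sticky bit with x set; uppercase T = sticky bit without x.
    case "$x" in x|t) x=yes ;; *) x=no ;; esac
    case "$r" in r) r=yes ;; *) r=no ;; esac
    case "$r$x" in
        yesyes) echo "list+traverse" ;;
        noyes)  echo "traverse-only" ;;
        yesno)  echo "list-only" ;;
        *)      echo "none" ;;
    esac
}

# Report every directory directly under the given root directory.
audit_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        printf '%-14s %s\n' "$(other_access "$d")" "${d%/}"
    done
}

# Constructed sample tree in a temporary directory (not real system paths).
demo=$(mktemp -d)
mkdir "$demo/open" "$demo/names-hidden" "$demo/private"
chmod 755 "$demo/open"          # others can list and open files
chmod 711 "$demo/names-hidden"  # others can open known names, cannot list
chmod 700 "$demo/private"       # others have no access at all
audit_dirs "$demo"
rm -rf "$demo"
```

On a test system, pointing `audit_dirs` at a copy of the tree you plan to lock down shows the effective setting per directory before you log in as a normal user to confirm it.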


