From: Jacob Rhoden
Date: Mon, 03 Jun 2002 13:55:00 +1000
Subject: Re: Restrict user access on freebsd
In-Reply-To: <000201c20aa3$710d9de0$0264a8c0@3dmdomain.local>

on 3/6/2002 12:07 PM, Admin/Manager at leroy@3dmasters.net wrote:

> I am starting a College Web server. I would like to know if I could
> change all file permissions on the system to root access only.
> All the users are going to have ssh access and I would like to stop users
> from looking at folders /etc/ /etc/named/. Will this work ok?

Short answer, no.

Long answer: You can do it to some but not all. Users need the ability to
read files in /etc, for example /etc/group. The best thing to do is to
remove the x flag on most directories, i.e. /etc /bin /sbin and so on, so
that normal users can execute things like 'ls' and read files like
'group'. (The x flag on directories means that a user cannot list the
directory but can still access files in it.) If you are unsure about the
necessity of a command, then I suggest you simply get a test system and
log in as a normal user, remove flags of various binaries as required,
then test as the normal user.

You may also want to investigate restricted shells, so instead of using
'bash' or 'tcsh' you can get shells which don't let the user 'cd' out of
their directory. Also you can chroot ftp, so that the users can't ftp out
of their own directory (see /etc/ftpchroot).

Regards,
Jacob Rhoden

NB: you can remove global access to /etc/named but if you do it to
/etc/mail or other such mail config files then sendmail or will complain.

----------------------------------------------------
Jacob Rhoden                 Phone:  +61 3 9844 6102
ITS Division                 Email:  jrhoden@unimelb.edu.au
Melbourne University         Mobile: +61 403 788 386
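The distinction the reply leans on (a directory whose listing is denied but whose files remain reachable by name) is easy to check on a scratch directory before touching anything under /etc. The script below is an added example, not part of the original post or of FreeBSD; it builds a throwaway directory under $TMPDIR with one constructed file, strips the read bit while keeping the search (x) bit, and reports what `ls` and `cat` can still do. Because the script runs as the directory's owner, it removes the owner's read bit too (mode 111) so the running user experiences the restriction; on a real system the reply's advice corresponds to keeping owner rwx and restricting group/others (mode 711). Root bypasses these bits entirely, so the listing check is only meaningful as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): what the r and x bits
# on a directory control, demonstrated on a scratch directory.

# Create a scratch directory holding one constructed file; print its path.
setup_demo() {
    DEMO_DIR=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 1
    echo "constructed sample content" > "$DEMO_DIR/secret.txt" || return 1
    echo "$DEMO_DIR"
}

# Print the 10-character mode string of a path, e.g. "d--x--x--x".
# ls -ld only needs search permission on the parent, not on the path itself.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Remove the read (listing) bit for everyone, keep search (x) for everyone.
# Mode 111 is used so the owner running this demo is restricted as well;
# the equivalent for "restrict other users only" would be 711.
deny_listing() {
    chmod 111 "$1"
}

# Exit 0 if the file can be read by full path (needs x on the directory).
can_read_by_path() {
    cat "$1" > /dev/null 2>&1
}

# Exit 0 if the directory can be listed (needs r on the directory).
can_list() {
    ls "$1" > /dev/null 2>&1
}

# rm -rf cannot remove a directory it cannot read, so restore rwx first.
restore_and_remove() {
    chmod 700 "$1" && rm -rf "$1"
}

run_demo() {
    dir=$(setup_demo) || return 1
    deny_listing "$dir"
    echo "mode of directory:   $(mode_of "$dir")"
    if can_list "$dir"; then
        echo "ls on directory:     allowed (root ignores permission bits)"
    else
        echo "ls on directory:     denied"
    fi
    if can_read_by_path "$dir/secret.txt"; then
        echo "cat file by path:    allowed"
    else
        echo "cat file by path:    denied"
    fi
    restore_and_remove "$dir"
}

run_demo
```

Run it as an ordinary user: the mode line shows `d--x--x--x`, the listing is denied, and the file is still readable by name. That is exactly the behaviour the reply describes for keeping system directories traversable while hiding their contents, and the same one-directory test can be repeated with any mode you intend to apply before rolling it out.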