On Fri, Feb 20, 2004 at 10:20:26AM -0500, Grant Peel wrote:

> In FreeBSD 4.4 and 4.7, is there a way to shut off email and or ftp
> privledges? (Other than using quota that is). Using sendmail.

Yes -- those can both be done.

To stop a user FTP'ing into the machine, add their username to the
/etc/ftpusers file.  Confusingly that's the list of people not
permitted to be ftp users...  See ftpusers(5) for some more fine
grained controls you can have via that file.  Note that this stops the
users accessing their accounts on the FreeBSD box via any local FTP
server -- it doesn't stop them from running an FTP client and
downloading stuff from remote sites.  If it's the latter that you
want, then that's much harder to achieve.  You can create a unix group
for all of the people permitted to run ftp clients (ftp, fetch, wget,
any web browsers, etc.), set the group ownership of those binaries to
the ftp-allowed group and change the permissions to mode 0750.  Even
so, if the user can compile or otherwise obtain their own copy of one
of those clients there's not a lot you can do to stop them using it.

You can set up ipfw(8) or some other packet filter to prevent anyone
making outgoing ftp connections to arbitrary sites -- you could also
provide an FTP proxy service on your firewall (use ipfw rules to force
everyone to use the proxy, or implement some form of transparent
proxying) which requires authentication from the user.  Squid can do
that sort of thing, as can the fw-tk stuff (although you'll have to
write some scripts to wrap around the components provided via fw-tk).
Both available in ports.

As for e-mail: to prevent a user sending or receiving e-mail, you need
to use the access DB feature.  Look at /usr/share/sendmail/cf/README,
particularly the sections under 'blacklist_recipients' and the stuff
under the heading "Finer control by using tags for the LHS of the
access map".  It's also possible to force your users to authenticate
before they can submit a message to sendmail(8), but that's not
generally done as it's too intrusive.  It also entails recompiling
sendmail with SASL support and quite a bit of setup work.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

Attachment: pgp00000.pgp
Description: PGP signature

Reply via email to