On Fri, Feb 20, 2004 at 10:20:26AM -0500, Grant Peel wrote:
> In FreeBSD 4.4 and 4.7, is there a way to shut off email and or ftp
> privileges? (Other than using quota that is). Using sendmail.

Yes -- those can both be done.

To stop a user FTP'ing into the machine, add their username to the /etc/ftpusers file. Confusingly that's the list of people not permitted to be ftp users... See ftpusers(5) for some more fine grained controls you can have via that file.

Note that this stops the users accessing their accounts on the FreeBSD box via any local FTP server -- it doesn't stop them from running an FTP client and downloading stuff from remote sites. If it's the latter that you want, then that's much harder to achieve. You can create a unix group for all of the people permitted to run ftp clients (ftp, fetch, wget, any web browsers, etc.), set the group ownership of those binaries to the ftp-allowed group and change the permissions to mode 0750. Even so, if the user can compile or otherwise obtain their own copy of one of those clients there's not a lot you can do to stop them using it.

You can set up ipfw(8) or some other packet filter to prevent anyone making outgoing ftp connections to arbitrary sites -- you could also provide an FTP proxy service on your firewall (use ipfw rules to force everyone to use the proxy, or implement some form of transparent proxying) which requires authentication from the user. Squid can do that sort of thing, as can the fw-tk stuff (although you'll have to write some scripts to wrap around the components provided via fw-tk). Both available in ports.

As for e-mail: to prevent a user sending or receiving e-mail, you need to use the access DB feature. Look at /usr/share/sendmail/cf/README, particularly the sections under 'blacklist_recipients' and the stuff under the heading "Finer control by using tags for the LHS of the access map".

It's also possible to force your users to authenticate before they can submit a message to sendmail(8), but that's not generally done as it's too intrusive. It also entails recompiling sendmail with SASL support and quite a bit of setup work.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK
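
The /etc/ftpusers step from the message above, as an added example that is not part of the original e-mail: a check for whether an account is on the deny list, and an idempotent way to add one. The function names `ftp_denied` and `deny_ftp` are hypothetical, the sample file is constructed, and the file format (one name per line, `@name` for a group, `#` lines as comments) is an assumption to confirm against ftpusers(5) on the target release.

```shell
#!/bin/sh
# Added example: audit and update an ftpusers(5)-style deny list.
# Assumed format: one name per line, "@name" = group, "#" lines = comments.

# ftp_denied FILE USER [GROUP...] -> status 0 if USER or a GROUP is listed
ftp_denied() {
    fd_file=$1; fd_user=$2; shift 2
    # "|| [ -n ... ]" also processes a final line that lacks a newline
    while read -r fd_entry fd_rest || [ -n "$fd_entry" ]; do
        case $fd_entry in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        if [ "$fd_entry" = "$fd_user" ]; then return 0; fi
        for fd_group in "$@"; do
            if [ "$fd_entry" = "@$fd_group" ]; then return 0; fi
        done
    done < "$fd_file"
    return 1
}

# deny_ftp FILE USER: append USER unless already listed by name (idempotent)
deny_ftp() {
    if ftp_denied "$1" "$2"; then return 0; fi
    # If the file does not end in a newline, add one first so the new
    # name is not glued onto the previous entry.
    if [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    printf '%s\n' "$2" >> "$1"
}

# Demo on a constructed file (not the real /etc/ftpusers).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample deny list
root
@guests
#alice
EOF
deny_ftp "$demo" bob
deny_ftp "$demo" bob          # second call adds nothing
for u in root alice bob; do
    if ftp_denied "$demo" "$u"; then echo "$u: denied"; else echo "$u: allowed"; fi
done
# carol is a member of group "guests" in this constructed scenario
if ftp_denied "$demo" carol guests; then echo "carol (via @guests): denied"; fi
rm -f "$demo"
```

On a live system the group arguments can come from `id -Gn USER`, so that `@group` entries are taken into account.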