On Fri, Oct 15, 2004 at 04:52:32PM -0600, Grant Cooper wrote:
> I am trying to prevent a user from leaving his directory. I set something up
> last year where I just added a name to a file. But I forgot the name of the
> file.
> For another box I wanted to use putty to connect to my freebsd server and
> was wondering if there was a shell I could use where the user couldn't do
> anything in his account. Only want the user to be able to login and use the
> mysql program.
> Should I use jail or chroot or something else?

Some shells have options that allow them to start as "restricted shells"
that do exactly the sort of thing you describe.  For example, my favourite
shell, zsh, will be a restricted shell if the command used to start it
(e.g. a symbolic link) starts with the letter 'r'; when restricted
the shell will prohibit changing directories with cd and numerous other
potentially hazardous actions.  bash does the same thing when invoked
with a -r option.  You can change a user's login shell using vipw(8) or
pw(8).  Ensure that the shell you choose is listed in /etc/shells.

Also note that this does not in and of itself provide absolute restrictions
on what a user can do.  It merely restricts the shell.  You have to take
care to include only safe commands in the restricted user's path.  The shell
will prevent the user from changing the path, but if they're able to run
cc(1) (as an extreme example) restricting the shell is a pointless exercise.

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to