Re: restrict FreeBSD users to their home directory

2008-10-26 Thread Roland Smith
On Sun, Oct 26, 2008 at 12:13:17PM +0800, FBSD1 wrote:
> How do I configure FreeBSD to restrict users to their home directory?

You can give the users rbash as their shell. This will restrict them to their
home directory. But this can be easily broken out of if the user starts
another shell! So you should disable all other shells for normal users.

Otherwise you could put the users in a jail of their own. But they will
still need system files (which they can see) in the jail for it to be
usable.

> I don't want them to be able to see any system directories or other users?

User directories are by default both owned by the user and belong to the
user's group. So you can set the umask for every user so that their
files are not accessible to others.

You cannot block read and execute access to a lot of system files
(binaries, libraries, /usr/[local/]share/) without making the system useless.

What is the problem you're trying to solve? Blocking read access to
system files is almost certainly the wrong solution.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




RE: restrict FreeBSD users to their home directory

2008-10-26 Thread joeb
On Sun, Oct 26, 2008 at 12:13:17PM +0800, FBSD1 wrote:
> How do I configure FreeBSD to restrict users to their home directory?

You can give the users rbash as their shell. This will restrict them to their
home directory. But this can be easily broken out of if the user starts
another shell! So you should disable all other shells for normal users.

Otherwise you could put the users in a jail of their own. But they will
still need system files (which they can see) in the jail for it to be
usable.

> I don't want them to be able to see any system directories or other users?

User directories are by default both owned by the user and belong to the
user's group. So you can set the umask for every user so that their
files are not accessible to others.

You cannot block read and execute access to a lot of system files
(binaries, libraries, /usr/[local/]share/) without making the system useless.

What is the problem you're trying to solve? Blocking read access to
system files is almost certainly the wrong solution.

Roland
--
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Roland Smith
Sent: Sunday, October 26, 2008 4:54 PM
To: FBSD1
Cc: [EMAIL PROTECTED] ORG
Subject: Re: restrict FreeBSD users to their home directory

Want to keep all the users from being able to see anything outside of their
home directory using gnome or kde desktop. For a test I vipw a test user
changing their /bin/csh to /usr/local/bin/rbash. I logged on ok to the test
user and started gnome ok. But from the menu system filesystem app I still
could access root and /etc directories. From the command line of the rbash
test user a cd command responded with restricted comment. It seems rbash
restrictions do not also restrict directory access from within gnome.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: restrict FreeBSD users to their home directory

2008-10-26 Thread Roland Smith
On Sun, Oct 26, 2008 at 08:19:51PM +0800, joeb wrote:
snip
> > I don't want them to be able to see any system directories or other users?
>
> User directories are by default both owned by the user and belong to the
> user's group. So you can set the umask for every user so that their
> files are not accessible to others.
>
> You cannot block read and execute access to a lot of system files
> (binaries, libraries, /usr/[local/]share/) without making the system
> useless.
>
> What is the problem you're trying to solve? Blocking read access to
> system files is almost certainly the wrong solution.
>
> Want to keep all the users from being able to see anything outside of
> their home directory using gnome or kde desktop.

I ask again, why? 

As outlined above, you can easily keep users from poking around in
other's files.

Realize that if users cannot read anything outside their home directory, they
cannot start programs in the system directories! 

And since normal users do not have write access to system directories or
files, they can do little harm. System files that users shouldn't have
access to (e.g. /etc/master.passwd) are already chmod-ed so that only
root has access.

You could put every user in a jail(8), but that would be a significant
effort depending on the amount of applications they need. 

Realize that if the users have physical access to the machine, these
security measures are _useless_. A hostile user could take out the
harddisk, put it in a machine where he has a root account and read all
the disk's contents (unless it's encrypted).

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: restrict FreeBSD users to their home directory

2008-10-26 Thread dick hoogendijk
On Sun, 26 Oct 2008 14:14:50 +0100
Roland Smith [EMAIL PROTECTED] wrote:

> On Sun, Oct 26, 2008 at 08:19:51PM +0800, joeb wrote:
> snip
> > > I don't want them to be able to see any system directories or other
> > > users?
> >
> > User directories are by default both owned by the user and belong
> > to the user's group. So you can set the umask for every user so
> > that their files are not accessible to others.
> >
> > You cannot block read and execute access to a lot of system files
> > (binaries, libraries, /usr/[local/]share/) without making the
> > system useless.
> >
> > What is the problem you're trying to solve? Blocking read access to
> > system files is almost certainly the wrong solution.
> >
> > Want to keep all the users from being able to see anything outside
> > of their home directory using gnome or kde desktop.
>
> I ask again, why?

The only thing I can imagine is that he is worried about the privacy of
other users' files. If that is the case a chmod 700 on the directories
and a chmod 600 on the (user) files would give a little privacy for
others. It's very difficult to see each other's files that way.

As you already stated: system files are a totally different story.
Users should not have to worry about them.

> Realize that if the users have physical access to the machine, these
> security measures are _useless_. A hostile user could take out the
> harddisk, put it in a machine where he has a root account and read all
> the disk's contents (unless it's encrypted).

You're right here but I get the feeling this is beside the point of the
OP question. ;-)

-- 
Dick Hoogendijk -- PGP/GnuPG key: 01D2433D
++ http://nagual.nl/ + SunOS sxce snv99 ++
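
Added example, not part of any poster's message: a shell sketch of the two measures discussed in the thread, the per-user umask and the chmod 700/600 tightening of home directories, with a check that lists what is still open to other users. The function names and the throwaway demo directory are constructed for illustration; it uses `go-rwx` instead of a blanket 600 so that the owner's execute bit on scripts is kept.

```shell
#!/bin/sh
# Added example (not from the thread). All paths are constructed for the demo.

# Print every entry under $1 that grants any permission bit to group or other.
# Symlinks are skipped: their own mode does not control access to the target.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries; 0 means nothing under $1 is open to other users.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Strip group/other access from everything under $1, leaving owner bits alone:
# 755 directories become 700, 644 files become 600, and 755 scripts become 700
# (a blanket "chmod 600" on files would also remove the owner's execute bit).
make_private() {
    find "$1" ! -type l -exec chmod go-rwx {} +
}

# Constructed demo: a throwaway "home" populated under a permissive umask.
demo() {
    home=$(mktemp -d) || return 1
    chmod 755 "$home"
    (
        umask 022
        mkdir "$home/docs"
        echo notes > "$home/docs/notes.txt"
        printf '#!/bin/sh\necho hi\n' > "$home/run.sh"
        chmod 755 "$home/run.sh"
    )
    before=$(count_exposed "$home")
    make_private "$home"
    after=$(count_exposed "$home")
    # Files created under umask 077 are private from the moment they exist.
    ( umask 077; echo secret > "$home/new.txt" )
    after_new=$(count_exposed "$home")
    if [ -x "$home/run.sh" ]; then exec_kept=yes; else exec_kept=no; fi
    rm -rf "$home"
    echo "$before $after $after_new $exec_kept"
}

demo
```

The demo prints the number of exposed entries before tightening, after tightening, and after creating a new file under umask 077, followed by whether the script kept its owner execute bit.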


restrict FreeBSD users to their home directory

2008-10-25 Thread FBSD1
How do I configure FreeBSD to restrict users to their home directory?
I don't want them to be able to see any system directories or other users?

