Re: user limits
Mihai Velicu [EMAIL PROTECTED] writes:

> Can someone tell me where I can find some resources for limiting a user account. As an example, to not execute some programs, to not see the content of some folders, and so on.

The traditional Unix approach is with file permissions: see the FreeBSD Handbook section on Permissions and the chmod(1) manual page (which you can access by typing man 1 chmod).

For more complicated permission schemes, you may want to use ACLs. See the Handbook section on File System Access Control Lists.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: user limits
On Thursday 03 August 2006 16:53, Lowell Gilbert wrote:

> Mihai Velicu [EMAIL PROTECTED] writes:
>
>> Can someone tell me where I can find some resources for limiting a user account. As an example, to not execute some programs, to not see the content of some folders, and so on.
>
> The traditional Unix approach is with file permissions: see the FreeBSD Handbook section on Permissions and the chmod(1) manual page (which you can access by typing man 1 chmod).
>
> For more complicated permission schemes, you may want to use ACLs. See the Handbook section on File System Access Control Lists.

And in addition: if you want to limit system resources for user processes, look at the login.conf(5) manpage for details.

--
Best regards,
Simon Phoenix (Phoenix Lab.)
---
KeyID: 0x2569D30B
Fingerprint: 78FC 5C40 07CC D331 148E CC79 84B8 D514 2569 D30B
---
Re: user limits
On Tue, Nov 01, 2005 at 05:24:19PM -0500, kalin mintchev wrote:

> hi all...
>
> i was reading the login.conf man to figure out a way to limit user from a class to only certain directories. apparently that isn't possible there. there is a path, but that's $PATH for the particular user... not really what s/he can see or not...
>
> if i can not restrict user cd-ing into certain directories using login.conf how can i do it?

chmod 750 directory/

Now only the owner and members of the group can access the directory.

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/)
Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
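
Added example (not part of the thread and not code from any poster): a small sh script showing what the `chmod 750 directory/` in the reply above changes for users who are neither the owner nor in the group, and that the restriction also covers everything beneath that directory. The paths and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: effect of `chmod 750 directory/` on "other" users.
# All paths and function names here are constructed for illustration.

# Print the permission string (e.g. drwxr-x---) of a directory.
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Return 0 if "other" has search (x) permission on the directory.
# The 10th character is x or t when search is allowed, - or T when not.
other_can_enter() {
    case "$(mode_of "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Walk from a path up towards / and print the nearest directory that
# "other" cannot enter; return 1 if every level is searchable.
nearest_blocker() {
    p=$1
    while :; do
        if ! other_can_enter "$p"; then
            printf '%s\n' "$p"
            return 0
        fi
        [ "$p" = "/" ] && return 1
        p=$(dirname "$p")
    done
}

# Constructed tree: docs/ is world-readable (755), but its parent is 750,
# so users outside the owner and group cannot reach docs/ either.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/project/docs"
    chmod 755 "$base/project/docs"
    chmod 750 "$base/project"
    mode_of "$base/project"
    nearest_blocker "$base/project/docs"
    rm -rf "$base"
}

demo
```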
Re: user limits
> chmod 750 directory/

thanks... i can't do that to /etc or /usr..
Re: user limits
On Tue, Nov 01, 2005 at 05:55:48PM -0500, kalin mintchev wrote:

>> chmod 750 directory/
>
> thanks... i can't do that to /etc or /usr..

No you can't. But those directories cannot be written to by normal users.

For finer-grained access control, you can try Mandatory Access Control, see e.g. mac(4) and ugidfw(8) or mac_mls(4) and setfmac(8).

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/)
Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
Re: user limits
> No you can't. But those directories cannot be written to by normal users.

aware of that...

> For finer-grained access control, you can try Mandatory Access Control, see e.g. mac(4) and ugidfw(8) or mac_mls(4) and setfmac(8).

thank you.. will try those...
Re: user limits
>> For finer-grained access control, you can try Mandatory Access Control, see e.g. mac(4) and ugidfw(8) or mac_mls(4) and setfmac(8).
>
> thank you.. will try those...

there is one problem:

HISTORY
     Support for Mandatory Access Control was introduced in FreeBSD 5.0 as part of the TrustedBSD Project.

this is 4.10
Re: user limits
On Nov 1, 2005, at 4:24 PM, kalin mintchev wrote:

> hi all...
>
> i was reading the login.conf man to figure out a way to limit user from a class to only certain directories. apparently that isn't possible there. there is a path, but that's $PATH for the particular user... not really what s/he can see or not...
>
> if i can not restrict user cd-ing into certain directories using login.conf how can i do it?
>
> thanks

You need either MAC (Mandatory Access Control) or jail. I would probably recommend jails for your purpose.

- Eric F Crist
Secure Computing Networks
http://www.secure-computing.net
Re: User Limits
Simon [EMAIL PROTECTED] writes:

> I can't seem to find a way to limit FD per UID nor a way to limit memory per UID. Both of these can only be applied on a per-process basis. Is there a reason why FreeBSD still doesn't support these limits per UID? It would be very useful to be able to limit per UID as well as per process.
>
> My current problem is that I have some user processes which need, let's say, 50mb of memory, but I also want to make sure that no single user is using more than 500mb of memory at any given time. Unfortunately, I also need to give users the ability to spawn more than 10 processes and without per UID limits, if I set a limit of 20 processes per UID, 20 x 50mb would yield usage over 2x that of 500mb.

I've been able to solve such problems by adding a limit on the number of processes per user, but that really only works because my environment is limited. I can imagine trying to write a daemon that would monitor usage and kill processes if they exceeded usage. It's a clunky solution, though.

> PS: I wasn't sure if I could address this on freebsd-arch, so it's going here.

If you're offering to write kernel modifications to do it, then you should take it there. Otherwise, this probably is the right place.
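
Added example (not part of the thread and not code from any poster): the accounting step of the monitoring daemon imagined above, summing resident memory per UID from ps-style input and reporting the UIDs over a cap. The sample process table, the 500 MB cap and the function names are constructed; what to do about an over-limit UID is left to the operator.

```sh
#!/bin/sh
# Added example: per-UID memory accounting, the check a monitoring daemon
# would run periodically. Input is "uid pid rss_kb" per line, as printed by
#   ps -ax -o uid= -o pid= -o rss=
# (rss is reported in 1024-byte units).

# Print "uid total_kb nprocs" for every UID whose summed RSS exceeds $1 KB.
uids_over_limit() {
    awk -v limit="$1" '
        NF == 3 && $3 ~ /^[0-9]+$/ { total[$1] += $3; procs[$1]++ }
        END {
            for (u in total)
                if (total[u] > limit)
                    printf "%s %d %d\n", u, total[u], procs[u]
        }' | sort -n
}

# Constructed sample: UID 1001 runs 12 processes of 50 MB each, so every
# process is within a 50 MB per-process limit while the user holds 600 MB.
sample_ps() {
    i=0
    while [ "$i" -lt 12 ]; do
        echo "1001 $((2000 + i)) 51200"
        i=$((i + 1))
    done
    echo "1002 3001 40000"
    echo "1002 3002 40000"
    echo "0 1 1200"
}

# 500 MB cap per UID, expressed in KB.
sample_ps | uids_over_limit 512000
```

On a live system the same function reads the real process table: `ps -ax -o uid= -o pid= -o rss= | uids_over_limit 512000`.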