> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kelly Corbin
> >
> >
> > you can chroot users w/ssh. check the included docs.
>
> Chroot is not enough. I don't even want them to have a shell; too many
> opportunities for exploits. FTP access to the system only (even then,
> many FTP servers are riddled with latent security issues). Regular
> system users can shell in OK, I don't care about them. I want to
> severely restrict all other users. Specifically, I want my web users to
> be able to update their sites, but not have any other access to the system.
>
This is probably a dumb question, but I need to know the answer!
Why can't you simply specify an invalid shell in /etc/passwd, and
add it to /etc/shells?
Something like
$ cat <<EOF > sleepshell
#!/bin/ksh
while [ true ]; do
    sleep 3600
done
EOF
echo sleepshell >> /etc/shells
Or even
$ cat <<EOF > nullshell
#!/bin/ksh
/bin/false
EOF
Is there a security risk to this?
Which services can you allow use of in this manner?
Regards
Kieran
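
Added example, not part of the original message: a small audit that reports, for each account, whether its passwd shell appears verbatim in the shells file, which is what services that consult /etc/shells compare against. It also flags shells entries that are not absolute paths. The sample files, the account names and the path /usr/local/bin/sleepshell are constructed assumptions.

```shell
#!/bin/sh
# Added example. Sample data below is constructed, not from a real host.

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints "user:shell:listed|unlisted" for each account, and
# "-:entry:relative" for SHELLS_FILE entries that are not absolute paths
# (such an entry can never equal an absolute shell path in passwd).
audit_shells() {
    awk -F: '
        FILENAME == ARGV[1] {                 # first file: the shells list
            sub(/[ \t]+$/, "")
            if ($0 == "" || $0 ~ /^#/) next
            if ($0 !~ /^\//) { print "-:" $0 ":relative"; next }
            listed[$0] = 1
            next
        }
        $0 == "" || /^#/ { next }
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            print $1 ":" shell ":" ((shell in listed) ? "listed" : "unlisted")
        }
    ' "$2" "$1"
}

# write_sample DIR: constructed passwd and shells files.
# /usr/local/bin/sleepshell is an assumed install path.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ksh
webuser1:x:1001:1001::/home/webuser1:/usr/local/bin/sleepshell
webuser2:x:1002:1002::/home/webuser2:/bin/false
EOF
    cat > "$1/shells" <<'EOF'
# constructed /etc/shells
/bin/ksh
sleepshell
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
audit_shells "$tmp/passwd" "$tmp/shells"
rm -rf "$tmp"
```

On a real host, call it as audit_shells /etc/passwd /etc/shells; an account reported as unlisted has a shell that a service checking /etc/shells will not treat as valid.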