On Wed, Nov 15, 2000 at 03:32:20PM +1300, Nick Clifford wrote: > Pedro Zorzenon Neto wrote: > > > Hi, all > > > > I put /bin/rbash as the default shell (in /etc/passwd) for some users > > that > > I just want them to use a restricted login. > > > > <snip> > > Ok, I'm assuming you only want users who have this shell to only be able > to access certian things, run only a limited set of commands? > > If thats the case, then you'd be best to setup a chroot jail. That way > they can't breakout (unless they are root). > > Personally, a chroot jail is the only thing I trust when I need to setup > an isolated or restricted environment. Its difficult to break out of a > chroot jail even when you are root, but it can be done. So ensure they > can't get root. :) chroot is also a very large pain in the backside to setup for interative sessions, i tinkered with the pam_chroot module and ssh and got it barly but messily working. Ben Collins (hope i spelled that right) mentioned he had patched OpenSSH to do a neat trick with chroot logins on debian machines, so developers can login to either a woody or potato chroot. he was going to post the details of what he did but either has not yet or i missed it. Ben? -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgp6R4QIG_sZi.pgp
Description: PGP signature