RE: [Freebsd-security] Re: Multi-User Security

From: Remko Lodder (remko_at_elvandar.org)
Date: 05/18/04

  • Next message: David E. Meier: "Re: Multi-User Security"
    To: "Dan Rue" <drue@therub.org>, "David E. Meier" <dev@eth0.ch>
    Date: Tue, 18 May 2004 18:08:52 +0200
    
    

    Ahem,

    On Mon, May 17, 2004 at 02:08:40PM +0200, David E. Meier wrote:
    > Hello list.
    >
    > I would like to get your opinion on what is a safe multi-user environment.
    > The scenario:
    >
    > We would like to offer to some customers of ours some sort of network
    > backup/archive. They would put daily or weekly backups from their local
    > machine on our server using rsync and SSH. Therefore, they all have a user
    > account on our server. However, we must ensure that they would absolutely
    > not be able to access any data of each other at all.
    >
    > What is the "best and safest" way to do so? Regular UNIX permission
    > settings? File system ACL's? User jails? Restricting commands in their
    > path environment? Or would it even make sense to encrypt the file system?
    > How would some of the solutions affect data backups/restore on our side?

    D> You generally would like to avoid giving people shell (ssh) access if
    D> you can avoid it. If you must give shell access, it is best to set up a
    D> jail.

    D> However, if you're just doing backup/file access - shell access isn't
    D> necessary. You can do ftps, (ports/ftp/bsdftpd-ssl), and easily use
    D> that to chroot users. You can do sftp (without ssh shell access), but
    D> that's trickier to set up.

    real tricky :-> scponly-3.8_1|/usr/ports/shells/scponly|/usr/local|A tiny
    shell that only permits scp and
    sftp|/usr/ports/shells/scponly/pkg-descr|rushani@FreeBSD.org|shells|||http:/
    /www.sublimation.org/scponly/
    But not that hard.... ;-)

    --
    Kind regards,
    Remko Lodder
    Elvandar.org/DSINet.org
    www.mostly-harmless.nl Dutch community for helping newcomers on the
    hackerscene
    mrtg.grunn.org Dutch mirror of MRTG
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    

  • Next message: David E. Meier: "Re: Multi-User Security"