RE: [Freebsd-security] Re: Multi-User Security

From: Remko Lodder (remko_at_elvandar.org)
Date: 05/18/04

  • Next message: David E. Meier: "Re: Multi-User Security" 
    To: "Dan Rue" <drue@therub.org>, "David E. Meier" <dev@eth0.ch>
Date: Tue, 18 May 2004 18:08:52 +0200

    Ahem,

    On Mon, May 17, 2004 at 02:08:40PM +0200, David E. Meier wrote:
    > Hello list.
    >
    > I would like to get your opinion on what is a safe multi-user environment.
    > The scenario:
    >
    > We would like to offer to some customers of ours some sort of network
    > backup/archive. They would put daily or weekly backups from their local
    > machine on our server using rsync and SSH. Therefore, they all have a user
    > account on our server. However, we must ensure that they would absolutely
    > not be able to access any data of each other at all.
    >
    > What is the "best and safest" way to do so? Regular UNIX permission
    > settings? File system ACL's? User jails? Restricting commands in their
    > path environment? Or would it even make sense to encrypt the file system?
    > How would some of the solutions affect data backups/restore on our side?

    D> You generally would like to avoid giving people shell (ssh) access if
    D> you can avoid it. If you must give shell access, it is best to set up a
    D> jail.

    D> However, if you're just doing backup/file access - shell access isn't
    D> necessary. You can do ftps, (ports/ftp/bsdftpd-ssl), and easily use
    D> that to chroot users. You can do sftp (without ssh shell access), but
    D> that's trickier to set up.

    real tricky :-> scponly-3.8_1|/usr/ports/shells/scponly|/usr/local|A tiny
    shell that only permits scp and
    sftp|/usr/ports/shells/scponly/pkg-descr|rushani@FreeBSD.org|shells|||http:/
    /www.sublimation.org/scponly/
    But not that hard.... ;-) 

    --
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene
mrtg.grunn.org Dutch mirror of MRTG
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: David E. Meier: "Re: Multi-User Security"

    Relevant Pages

    • Re: Multi-User Security
      ... > I would like to get your opinion on what is a safe multi-user environment. ... They would put daily or weekly backups from their local ... Or would it even make sense to encrypt the file system? ... if you're just doing backup/file access - shell access isn't ...
      (FreeBSD-Security)
    • Re: date problem on web hosting providers server
      ... I'll install a php shell access. ... ask your hosting provider for it. ... > that that PHP script will be running on a publicly available URL, ... > will be unencrypted, so it'll be way, way, way less secure than SSH. ...
      (alt.os.linux)
    • Re: Looking for linux-based web hosting
      ... > linux that offers shell access via ssh and provides procmail and ... > perl for mail filtering? ...
      (comp.os.linux.misc)
    • [Fwd: Re: ssh session to a computer with a non-routable ip]
      ... believe the concept has merit. ... unroutablebox$ ssh -L 22:localhost:33333 routableuser@routablebox ... > i am wondering if it is possible to get shell access to a computer with ... > a non-routable ip if that computer initiates the ssh ...
      (Debian-User)
    • Re: Newbie - is this connection secure
      ... with SSH, authenticate yourself, and start up SFTP. ... with WinSCP; this assumes that the messages generated from PuTTY-derived ... Perhaps they mean _shell_ access is only for root? ... SFTP access without having shell access over SSH. ...
      (comp.security.ssh)