From: Marcos R. <we...@al...> - 2006-03-04 09:36:53
I pointed out that was possible... not easy ;) The question is... why do you need to give your users ssh access? Then, from there we can look for the best way to go... For webhosting I don't see any need at all to give ssh access... moreover when we have webmin/usermin/virtualmin!!!!... that gives us a very nice ACL!

If you still need a jail or chroot.. then you need to decide which tools your users can have... and you can replicate the directory structure of your binaries and libraries under /home/myuser/ (kind of /home/myuser/bin, /home/myuser/local/bin, /home/myuser/local/lib, and so on, plus /home/myuser/etc), and then you hard link the binaries and libraries you need... (kind of ln /bin/binary.prog /home/myuser/bin/).

(Perhaps a better way is to compile from source the binaries you need... indicating a path of /skell as the main directory in the ./Configure of each compilation... and then you can directly do something like cp -al /skell /home/myuser/)

Yes.. I know.. we could still have problems with some libraries!!!!.. but it should work for some basic ones, and probably it should be possible to create something that would allow some basic functioning for irc bots, and manipulating some cgi-bin scripts from the shell.

In any case..... before you do anything, you do need to know why you want to give your users ssh access.... Even with chroot, it's easier to find holes and crack root from a shell!... in which case at least they will be able to change the libraries and binaries (and because they are hard linked.. then it changes in the whole server).. and eventually even free themselves from the jail...

On the other hand... if you are in a situation where your users need to have access to a shell... and your main concern is that they should not be able to be around the homes of other users... well... that's why we have permissions ;) (modes)

Cheers!
Marcos

On Sat, 4 Mar 2006, jca...@we... wrote:

> Jailing an SSH login is very tricky - even though any process can
> theoretically be run in a chroot environment, an interactive Unix shell
> will run into a lot of problems, as the programs it runs (like ls and
> cp) will not exist in the jail. And even if you do copy them in, you
> also need to copy shared libraries, config files in /etc and so on ..
>
> - Jamie
>
> -----Original Message-----
>
> From: Marcos Rubinstein <we...@al...>
> Subj: Re: [webmin-l] user permissions
> Date: Sat 4 Mar 2006 4:35 am
> Size: 1K
> To: web...@li...
>
> mmmm.... if you use jail or chroot for your user's ssh connection...
> couldn't you?
>
> Cheers!
> Marcos
>
> On Fri, 3 Mar 2006, Jamie Cameron wrote:
>
>> That depends on what method the users are accessing the server with. For
>> FTP and Usermin/Webmin's file manager, it is possible to lock users down
>> to their home directories. But for SSH logins, it isn't possible..
>>
>> - Jamie
>>
>> On Fri, 2006-03-03 at 17:19, RYAN vAN GINNEKEN wrote:
>>> Does virtualmin have the ability to lock users out of each other's
>>> directories? If so how does it achieve this?
>>
>> Forwarded by the Webmin mailing list at web...@li...
>> To remove yourself from this list, go to
>> http://lists.sourceforge.net/lists/listinfo/webadmin-list
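The hard-link concern raised in Marcos's message (a binary changed inside a jail built with ln or cp -al changes for the whole server), shown as an added example that is not part of the original thread: an audit that lists jail files sharing an inode with another name, run against a constructed tree. The function names and all paths under the temp directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All paths are constructed under a temp directory.

# List regular files under jail $1 that share an inode with another name
# (link count > 1): an in-place write to these is visible outside the jail.
jail_shared_files() {
    find "$1" -type f -links +1 -print
}

# Print the inode number of $1.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Build a constructed tree: a "system" binary, one jail that hard-links it
# (ln, as in the message) and one jail that holds an independent copy.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/home/myuser/bin" "$root/home/safeuser/bin"
    printf 'original\n' > "$root/bin/tool"
    ln "$root/bin/tool" "$root/home/myuser/bin/tool"
    cp -p "$root/bin/tool" "$root/home/safeuser/bin/tool"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_demo_tree) || return 1
    echo "inodes: system=$(inode_of "$root/bin/tool")" \
         "linked=$(inode_of "$root/home/myuser/bin/tool")" \
         "copied=$(inode_of "$root/home/safeuser/bin/tool")"
    echo "audit of hard-linked jail:"
    jail_shared_files "$root/home/myuser"
    echo "audit of copied jail (expect no lines):"
    jail_shared_files "$root/home/safeuser"
    # An in-place write through the jail's name lands in the shared inode.
    printf 'modified-in-jail\n' > "$root/home/myuser/bin/tool"
    echo "system file now reads:   $(cat "$root/bin/tool")"
    echo "copied jail still reads: $(cat "$root/home/safeuser/bin/tool")"
    rm -rf "$root"
}

demo
```

Copying instead of hard-linking costs disk space per jail, and the copies then need their own update process when the system binaries are patched.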