Ultimately Safe User Account

Andrew infofarmer at mail.ru
Thu Sep 23 12:28:56 PDT 2004


I have a production FreeBSD box. My friend is starting to learn Unix
essentials and is asking me for an account. He doesn't require any
special rights, but he certainly wants to be able to use a shell and read
most manual pages. He'll access the server via the Internet, over SSH.

How can I create an account, so that it is completely safe to let him
in? How can I jail/chroot him and do I need to do it this way? I want to
limit everything: disk space (~500Mb), RAM (~10%), processes (~30), CPU
(~5-10%), _internet connectivity_ (bandwidth is expensive and he must
not be able to download much). He is new to Unix but I have to suppose
that somebody very experienced can steal his account info.

I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi.
I don't want him to have any browser or fetch-like utility.

I know that letting somebody log in is already a security hole, but I
want to minimize the risks.

Andrew P.

