Ultimately Safe User Account

Dan Rue drue at therub.org
Thu Sep 23 15:38:50 PDT 2004

On Thu, Sep 23, 2004 at 04:18:21PM -0600, Sheets, Jason (OZ CEEDR) wrote:
> I'd suggest sending him a live CD of FreeBSD (LiveBSD at
> http://www.livebsd.com) or Linux (Knoppix at http://www.knoppix.org) are
> very good.
> This will keep him on his own hardware and let him become familiar with
> BSD in a fairly safe environment.
> When he feels comfortable he can attempt a full install on his hardware.
> Alternatively if he is just wanting to become proficient on the command
> line he can install Cygwin (http://www.cygwin.com) on Windows and
> Linux-like environment right on Windows and then progress to the real
> thing.
> I'd go with any of the above before giving him remote access but if you
> are dead set on allowing him access to your system look at
> man jail
> man security
> man login.conf
> Jason
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org [mailto:owner-freebsd-
> > questions at freebsd.org] On Behalf Of Andrew
> > Sent: Thursday, September 23, 2004 1:30 PM
> > To: freebsd-questions at freebsd.org
> > Subject: Ultimately Safe User Account
> > 
> > Hi,
> > 
> > I have a production FreeBSD box. My friend is starting to learn Unix
> > essentials and is asking me for an account. He doesn't require any
> > special rights, but he certainly wants to be able to use shell and read
> > most manual pages. He'll access the server via Internet, SSH.
> > 
> > How can I create an account, so that it is completely safe to let him
> > in? How can I jail/chroot him and do I need to do it this way? I want to
> > limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu
> > (~5-10%), _internet connectivity_ (bandwidth is expensive and he must
> > not be able to download much). He is new to Unix but I have to suppose
> > that somebody very experienced can steal his account info.
> > 
> > I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi.
> > I don't want him to have any browser or fetch-like utility.
> > 
> > I know that letting somebody log in is already a security hole, but I
> > want to minimize the risks.
> > 
> > 
> > Thanks,
> > Andrew P.

A live CD is a good suggestion. 

I have to disagree with the idea behind this whole thing, though.  I
mean, if this guy's really your friend, I don't see what you're so
worried about.  It's really pretty tough to 'accidentally' break things as
a user on a system, as long as the system is moderately well

If you're concerned about him using a bad password, give him a
sufficient warning and run john the ripper against your password file
for a couple of days.  

Also, don't allow any clear-text protocols such as samba, ftp, telnet,
etc etc.  

Dang, man, I had a friend that ran an /open/ shell server in high
school.  He had over 100,000 users, and didn't get hacked (well, he did
at first, but that's when he was running linux :) ). 

How's he supposed to learn anything if all you give him is a jail with
ls cp mv sh and vi?  sheesh.  That'll turn him off unix pretty quick.

