Subject: Re: Chrooting user + pop daemon
To: Grzegorz 'Silk' Sobański <silk@go2.pl>
From: David Brownlee <abs@netbsd.org>
List: netbsd-help
Date: 08/10/2000 14:32:08
On Thu, 10 Aug 2000, Grzegorz 'Silk' Sobański wrote:

> > This is a more interesting issue - what access are you trying to
> > grant via telnet?
>
> I want the user to have access to his own directory
> (and files in it) and only to that directory.
> So he could put there some cgi for his www page
> (which would be in the same directory).
> But I don't want him to have access to system/other
> user's files and directories.
> He could not go out of his home directory.
>
> However I want to allow him to use some programs
> (like "at"; maybe ordering server to download some
> file to his directory, etc.).
>
> Oh, and I want to disallow him starting a bot.
>=20
	Hmm. You would need to create a complete chroot()ed environment
	for each user (probably creating a single master then using
	hardlinks for all the files on each user would be best).

	Stopping them from starting a bot would be interesting - you would
	need some form of very restricted shell, and then audit all of
	the tools available to stop them from being used to gain any
	extra access. If you allow them cgi they could write a cgi script
	that forks and the child sets a new session group to avoid being
	killed by the webserver, then starts a 'bot. Theoretically.

	You could have a cron job that kills any user process that has
	been running for more than a certain time, but you have to not
	kill the tools you allow them to run, but do kill any 'bot they
	have renamed to look like one of those tools to ps...

	Essentially it's much fun - a challenging project :)

	A quicker option might be to allow them some password protected
	cgi scripts that manage their at jobs and similar, and do not
	allow shell access except to those for whom you have a degree of
	trust (no 'bot worries, etc).

                David/absolute
			       -- www.netbsd.org: A pmap for every occasion --
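The cron-driven reaper sketched in the reply above, written out as an added example (this is not code from the original message or from NetBSD). The point it makes concrete is the caveat David raises: the decision must not rest on the name ps shows, because a 'bot renamed to "at" looks like an allowed tool there. Instead the script judges each long-running user process by its real executable. On Linux that is what /proc/<pid>/exe links to; the example takes the resolver as a parameter so that another source (NetBSD procfs, or a ps field) can be substituted, and the sample ps lines, the user "silk", the allowed-tool paths and the /home/silk/.x/eggdrop path are all constructed for the example.

```python
#!/usr/bin/env python3
"""Reaper for long-running user processes, intended to run from cron.

Reads `ps -axo pid=,user=,etime=,comm=` style lines and a resolver for
each pid's real executable, and returns the processes to kill: owned by
a non-system user, running longer than the limit, and NOT one of the
allowed tools judged by executable path rather than by the name in ps.
"""
import os
import re
import signal

# Assumed policy for the example: which binaries may run past the limit,
# which accounts are never touched, and the limit itself.
ALLOWED_EXES = {"/usr/bin/ftp", "/usr/bin/vi", "/usr/bin/at"}
SYSTEM_USERS = {"root", "daemon", "www"}
MAX_SECONDS = 30 * 60

# ps(1) etime looks like [[dd-]hh:]mm:ss
ETIME_RE = re.compile(r"^(?:(\d+)-)?(?:(\d+):)?(\d+):(\d+)$")


def parse_etime(text):
    """Convert a ps etime field to seconds, e.g. '1-02:03:04' -> 93784."""
    m = ETIME_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised etime: %r" % text)
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs


def parse_ps_line(line):
    """Split one 'pid user etime comm' line; comm may contain spaces."""
    pid, user, etime, comm = line.split(None, 3)
    return {"pid": int(pid), "user": user, "etime": etime, "comm": comm}


def resolve_exe_linux(pid):
    """Real executable behind a pid on Linux. Renaming the binary or
    rewriting argv[0] changes comm/args in ps, not this link."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


def select_victims(ps_lines, exe_of, max_seconds=MAX_SECONDS):
    """Return (pid, user, comm, exe) for every process that should die."""
    victims = []
    for line in ps_lines:
        p = parse_ps_line(line)
        if p["user"] in SYSTEM_USERS:
            continue
        if parse_etime(p["etime"]) <= max_seconds:
            continue
        exe = exe_of(p["pid"])
        # A renamed 'bot shows an allowed comm but a different executable;
        # a process whose executable is unresolvable or was deleted after
        # exec (Linux appends ' (deleted)') is also treated as suspect.
        if exe in ALLOWED_EXES:
            continue
        victims.append((p["pid"], p["user"], p["comm"], exe))
    return victims


def reap(victims, dry_run=True):
    """Send SIGKILL to each victim; returns the pids acted on."""
    killed = []
    for pid, user, comm, exe in victims:
        if not dry_run:
            try:
                os.kill(pid, signal.SIGKILL)
            except ProcessLookupError:
                continue
        killed.append(pid)
    return killed


# Constructed sample ps output (pid, user, etime, comm): not from a real
# host. Pid 303 is a 'bot whose binary was renamed so ps shows "at".
SAMPLE_PS = [
    "  101 root     3-04:00:12 cron",
    "  202 silk       01:10:33 ftp",
    "  303 silk       02:15:02 at",
    "  404 silk          05:40 perl",
    "  505 www      1-00:00:00 httpd",
]
# Constructed stand-in for the executable resolver.
SAMPLE_EXE = {
    101: "/usr/sbin/cron",
    202: "/usr/bin/ftp",
    303: "/home/silk/.x/eggdrop",
    404: "/usr/pkg/bin/perl",
    505: "/usr/pkg/sbin/httpd",
}

if __name__ == "__main__":
    for v in select_victims(SAMPLE_PS, SAMPLE_EXE.get):
        print("would kill pid %d (%s) comm=%r exe=%r" % v)
```

Two limits of the approach are worth keeping in mind when deploying it. The elapsed-time check ignores the process group, so a CGI child that has called setsid() to escape the webserver is still caught, but a 'bot that re-execs itself or hands off to a fresh child before the limit never accumulates enough elapsed time; pairing the reaper with per-user process limits in login.conf or ulimit closes that. And judging by executable path only works if the users cannot write to the allowed tools themselves, which in the hardlinked chroot layout means every linked file must be root-owned and read-only, since a hardlink shares the inode with the master copy.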