Subject: Re: Advice on setting up a shell server
To: Stefan 'Kaishakunin' Schumacher <stefan@net-tex.de>
From: Isaac Wagner-Muns <fubar22@gmail.com>
List: netbsd-help
Date: 02/03/2007 15:09:07
Ftp and telnet aren't going to be disallowed in this system's policy,  
instead every user will have a disk quota so that ftp and other  
things don't use too much space. Thanks to everyone for the great  
advice!

On Feb 3, 2007, at 7:54 AM, Stefan 'Kaishakunin' Schumacher wrote:

> Also sprach Martijn van Buul (pino@dohd.org)
>> * Stefan 'Kaishakunin' Schumacher:
>>> Use Systrace to systrace the login shell and restrict any access to
>>> evil[tm] binaries, such as ftp/telnet.
>>
> >> Pray tell, what's evil[tm] about ftp/telnet? Are you going to restrict
> >> browsers or things like wget/fetch too?
>>
> >> I'm not talking about ftpd or telnetd, but I *REALLY* don't see what's the
> >> evilness of someone accessing a ftp site somewhere, or accessing one of the
> >> few remaining telnet services
>
> It depends on your local security policy what is declared evil and
> what not. Things you might find OK are forbidden on other sites. So
> what?
>
> >>> You can also use systrace to forbid the use of binaries in the home dirs of
> >>> students or to restrict e.g. SSH to your private network.
>>
> >> Why don't you also change the shell to /bin/nologin and pull the network plug?
> >> :)
>>
> >> Security is one thing. Turning the whole project pointless, all for the
> >> benefit of security is another. At least, I'm sure that the intention of
> >> this project is to give students a usable account, and not to give them
> >> something they cannot sensibly use or access.
>
> > First "usable account" has to be defined, then one can create a
> > security policy for it. Or discuss single arrangements.
> Like I said above, security is site-dependent and what I gave as
> _example_ is useful on my servers. YMMV.
>
> -- 
> Pedites pugnas decernent    http://www.jaegerseiten.de    Horrido!
>
>
> > http://www.net-tex.de                                 http://www.cryptomancer.de




You will never amount to much.
                 -- Munich Schoolmaster, to Albert Einstein, age 10