
Re: restricted accounts



On 16 Sep, Benjamin Ellis wrote:
> How can I make a user account on my machine (OpenBSD 2.7) in which a user 
> can ftp and have read/write access to his home directory, but not be able to 
> have shell access?  I tried setting the user's shell to '/usr/bin/false' 
> which allowed them to log in and download, but they didn't have access to 
> write.
> 
> Does anyone have a solution?
> 

Use 'sh', 'ksh', or 'bash' in restricted mode for their shells.  From
the 'ksh' man page:

     A shell is ``restricted'' if the -r option is used or if either the base-
     name of the name the shell was invoked with or the SHELL parameter match
     the pattern ``*r*sh'' (e.g., ``rsh'', ``rksh'', ``rpdksh'', etc.).  The
     following restrictions come into effect after the shell processes any
     profile and ENV files:

     o   The cd command is disabled.
     o   The SHELL, ENV, and PATH parameters cannot be changed.
     o   Command names can't be specified with absolute or relative paths.
     o   The -p option of the built-in command command can't be used.
     o   Redirections that create files can't be used (i.e., `>', `>|', `>>',
         `<>').

You'll have to do some work in setting up their '~/.profile' files and
a PATH that contains only the programs you want them to run.

David S.

> Thanks,
> Benjamin Ellis
> 
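
An added example, not part of the original message: a POSIX sh audit that applies the `*r*sh` basename rule from the quoted ksh man page to passwd-format entries, and checks a candidate PATH for entries that are empty, relative, or inside the user's home directory. The function names, account lines and paths are constructed for illustration; flagging PATH entries inside the home directory is an assumption drawn from the question's requirement that the user can write there over FTP.

```shell
#!/bin/sh
# Added example; all account lines and paths below are constructed.

# Succeeds when the basename of shell path $1 matches the man page's *r*sh.
is_restricted_name() {
    case "${1##*/}" in
        *r*sh) return 0 ;;
    esac
    return 1
}

# Reads 7-field passwd(5) lines on stdin; prints "user:verdict" per account.
classify_accounts() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case "$user" in ''|'#'*) continue ;; esac
        if is_restricted_name "$shell"; then
            verdict=restricted
        else
            case "${shell##*/}" in
                false|nologin) verdict=no-shell ;;
                *)             verdict=full-shell ;;
            esac
        fi
        printf '%s:%s\n' "$user" "$verdict"
    done
}

# Walks PATH string $1 for a user whose home is $2 (assumed FTP-writable).
# Prints each empty, relative or in-home entry; non-zero return if any found.
check_path() {
    rc=0
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case "$dir" in
            ''|[!/]*)    printf 'relative-or-empty:%s\n' "$dir"; rc=1 ;;
            "$2"|"$2"/*) printf 'user-writable:%s\n' "$dir"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on constructed input.
classify_accounts <<'EOF'
ftpuser:*:1001:1001:FTP only:/home/ftpuser:/bin/rksh
dave:*:1002:1002:Dave:/home/dave:/bin/ksh
EOF
check_path "/usr/local/rbin:/home/ftpuser/bin" /home/ftpuser || true
```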





