On 11/01/2017 03:05 PM, ST wrote as excerpted: >> However, it's important to know that if your users have shell access, >> they can bypass qgroups. Normal users can create subvolumes, and new >> subvolumes aren't added to an existing qgroup by default (and unless I'm >> mistaken, aren't constrained by the qgroup set on the parent subvolume), >> so simple shell access is enough to bypass quotas.
> I never did it before, but shouldn't it be possible to just whitelist > commands users are allowed to use in the SSH config (and so block > creation of subvolumes/cp --reflink)? I actually would have restricted > users to sftp if I knew how to let them change their passwords once they > wish to. As far as I know it is not possible with OpenSSH... Possible only via a rather custom setup, I guess. You could a) force users into a chroot via the sshd configuration (chroots need allowed binaries plus their libs and configs etc.), b) solve the problem with file permissions on all binaries (probably a terrible pain to setup (users, groups, …) and maintain) Cheers, Lukas -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html