On Thu, Nov 21, 2002 at 10:31:21PM -0600 or thereabouts, Ed Wilts wrote:
> 
> Here's the problem, and I'll let you suggest some solutions that are
> actually secure.  If you can solve this, you're a better techie than I am.
> Allow hundreds of authenticated users scattered throughout the
> Internet to transfer files.  Restrict uploads to pre-determined
> directories and downloads to other pre-determined directories.  Allow
> automated processes to easily do this.  Trivial to do with wu-ftpd and
> the ftpaccess file, but I've never found a way to allow an scp to honor
> any sort of directory restrictions.  If any user has scp/sftp access, 

> Did I mention that I don't trust these users, even though they're my
> customers?  I don't expect them to do anything nasty, but that doesn't
> mean I trust them either.  No user should *ever* be able to see the data
> of any other user unless authorized (typically via group membership).
> 
> > Failing that, the restricted shell approaches might help.  
> 
> If ssh is enabled, I believe that any user can simply do this from
> another box:
> ssh <remote-system> <command>
> and the login shell is bypassed.  I do not believe that you can prevent
> the command line from being executed, even if the users have a
> restricted shell.  login is not used for remote command execution.

Might try a different approach, that is using UML, User Mode Linux, which
is basically Linux within Linux.  This will allow you to set up a full
virtual Linux safely within your main Linux, and outside users will only
have access to their areas and their FTP, in their Linux, leaving your RH
untouched.  This allows them their own virtual resources, including a root
filesystem, swap, etc.  Could very easily set up FTP within the virtual
Linux for this.

http://usermodelinux.org/
 
> Suggestions greatly appreciated.

-- 
Best regards,
Gary

    sed '/^[when][coders]/!d
        /^...[discover].$/d
       /^..[real].[code]$/!d
    ' /usr/share/dict/words



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list