On Fri, Feb 06, 2009 at 05:49:13PM -0500, Richard Edward Horner wrote:
> I've deployed scponly to accomplish what you're attempting to do on a
> few servers without using RSSH. Just install scponly and then, as
> root, do:
>
> chsh username

Hmm... I'll admit it's been a while since I looked at scponly, but I think it works very much like rssh does. The main difference is that the author of that project tries a lot harder to make some of the chroot stuff nice, and also allows a number of additional programs beyond what rssh allows.

In other words, as with scponly, rssh does not require the use of chroot jails, but the user is able to move about the filesystem freely within the confines of the filesystem permissions. Anything they can read can be transferred to their system, and anywhere that is world-writable (like /tmp generally) can be written to. I get the impression that the idea is to avoid this... I think the effect is very similar between the two programs, but rssh is just more draconian (which was what I wanted).

It sounds to me like a better solution would be to set up either NFS or samba, making the area where the other person can write to a network share... But there again, you still need to invest some time and effort to understand the security model to make sure the other user(s) can't do things they aren't supposed to. I can't think of any "easy" solution for this problem that requires little time investment to set up properly.

> As for getting outside of their home dir, that you'll control with
> file permissions. Make sure the user is a member of their own group
> and no other groups.

You can't really do that... Well, there's a way to do it, but it will probably break a bunch of things that have special file permissions needs in ways that will be hard for you to identify and fix. For example, there's nothing preventing the user from doing "cd /" and getting a list of files in the root directory, unless you go nuts with the chmod command.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
_______________________________________________ rssh-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/rssh-discuss
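
Added example, not part of the original message and not code from rssh or scponly: a small audit of what an scp-only account without a chroot jail can reach, i.e. files it can read and directories it can write to outside its home directory. The helper names `access_bits` and `audit` are hypothetical, and the script assumes plain POSIX mode bits (no ACLs or MAC policy, non-root account).

```python
import os, pwd, sys

# Added example: access_bits() and audit() are hypothetical helper names.
# Assumption: plain POSIX mode bits only (no ACLs, no MAC policy, non-root account).

def access_bits(st, uid, gids):
    """rwx bits (0-7) that apply to this identity: first matching class only."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(root, uid, gids, home):
    """Return (readable_files, writable_dirs) reachable outside `home`."""
    readable, writable = [], []
    home = os.path.abspath(home)
    stack = [os.path.abspath(root)]
    while stack:
        directory = stack.pop()
        if directory == home:
            continue                      # access inside the home dir is expected
        try:
            bits = access_bits(os.lstat(directory), uid, gids)
            if not bits & 1:
                continue                  # no search bit: nothing below is reachable
            if bits & 2:
                writable.append(directory)    # w+x: uploads can land here
            for entry in os.scandir(directory):
                if entry.is_symlink():
                    continue              # do not follow links out of the tree
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    st = entry.stat(follow_symlinks=False)
                    if access_bits(st, uid, gids) & 4:
                        readable.append(entry.path)
        except OSError:
            continue                      # vanished, or the auditor cannot list it
    return sorted(readable), sorted(writable)

if __name__ == "__main__":               # usage: audit.py ACCOUNT [ROOT]
    pw = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    root = sys.argv[2] if len(sys.argv) > 2 else "/"
    files, dirs = audit(root, pw.pw_uid, gids, pw.pw_dir)
    print(f"{len(files)} readable files, {len(dirs)} writable dirs outside {pw.pw_dir}")
    for d in dirs:
        print("writable:", d)
```

Run it as root so the walk itself can list every directory; the result reflects the audited account's mode bits, not the auditor's.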
