Subject: Re: Advice on setting up a shell server
To: None <netbsd-help@netbsd.org>
From: Martijn van Buul <pino@dohd.org>
List: netbsd-help
Date: 02/03/2007 12:50:10
* Stefan 'Kaishakunin' Schumacher:
> Use Systrace to systrace the login shell and restrict any access to
> evil[tm] binaries, such as ftp/telnet.
pray tell, what's evil[tm] about ftp/telnet? Are you going to restrict
browsers or things like wget/fetch too?
I'm not talking about ftpd or telnetd, but I *REALLY* don't see what's the
evilness of someone acessing a ftp site somewhere, or accessing one of the
few remaining telnet services
> You can also use systrace to forbid the use of binaries in the home dirs of
> students or to restrict=20 eg. SSH to your private network.
Why don't you also change the shell to /bin/nologin and pull the network plug?
:)
Security is one thing. Turning the whole project pointless, all for the
benefit of security is another. At least, I'm sure that the intention of
this project is to give students a usuable account, and not to give them
something they cannot sensibly use or access.
--
Martijn van Buul - pino@dohd.org