[clue-admin] User setup for "member" accounts

Collins Richey crichey at gmail.com
Tue Jan 4 11:08:41 MST 2005


On Tue, 4 Jan 2005 08:46:34 -0700, Jed S. Baer <thag at frii.com> wrote:
> On Tue, 4 Jan 2005 07:23:19 -0700
> Collins Richey wrote:
> 
> > We prefer to allow sftp so that members can modify their own
> > environment with ease, but only their own environment. sftp is ideal
> > for this use, but unfortunately it will allow the user to cd to any
> > visible directory (not what we want).
> 
> Being able to use cd and ls is a pretty small thing. As long as we prevent
> modifications, that's the main thing. We can do a lot with umask and
> permissions. The other main thing, I think, are exploits to suid
> executables. But that's more a general hardening question, I think.

Here's the critical question. Do we care whether users can view system
directories and other users' directories? Using sftp, there's no way
that I have found to execute arbitrary commands. I've also been
experimenting with setting up a chroot environment, but that's a
long-term pain in the butt I would prefer to avoid.

> 
> > Apparently authorized_keys2 is antiquated. Our ssh setup only works
> > with authorized_keys.
> 
> I'm using authorized_keys2. Just FYI.
> 

Sorry,

It didn't work for me, but there must have been some "contributing factors".

-- 
 Collins
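
The concerns raised in this thread (members modifying things outside their own environment, visibility of other users' directories, and suid executables) can be checked with a permissions audit. This is an added example, not part of the original message; the function names and the idea of passing a root and a home-parent directory are assumptions.

```shell
#!/bin/sh
# Added example: report what an sftp member could modify, read, or abuse.
# Usage (assumed layout): sh audit.sh / /home

# Directories anyone can write to that lack the sticky bit:
# any member could replace or delete files placed there.
open_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Regular files that any user can overwrite.
open_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Setuid or setgid files, the general hardening concern from the thread.
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Top-level home directories with any "other" permission bit set,
# i.e. homes that other members can list, enter, or write to.
exposed_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) 2>/dev/null | sort
}

# Print all four reports for a root directory and a home parent.
audit() {
    echo "== world-writable dirs without sticky bit =="; open_dirs "$1"
    echo "== world-writable files ==";                   open_files "$1"
    echo "== setuid/setgid files ==";                    suid_files "$1"
    echo "== homes visible to other members ==";         exposed_homes "$2"
}

# Run only when arguments are supplied, so sourcing the file is harmless.
if [ "$#" -ge 2 ]; then
    audit "$1" "$2"
fi
```

A umask of 077 for member accounts keeps newly created files out of the first, second and fourth reports; existing files still need a one-time chmod.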
