> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Mike Hernandez
> Sent: Wednesday, September 07, 2005 2:47 PM
> To: Adam; misc@openbsd.org
> Subject: Re: Shell account cgi script
>
> On 9/7/05, Adam <[EMAIL PROTECTED]> wrote:
> > On Wed, 7 Sep 2005 13:37:45 -0400 Mike Hernandez <[EMAIL PROTECTED]>
> > wrote:
> > If someone is wanting to give people "shell accounts", then they
> > generally want people to be able to access more than just the shell
> > itself. The whole point is to let them use the system, if you chroot
> > them then they can't do anything.
> >
> On the contrary, they can do anything that the administrator makes it
> possible for them to do. Many of the web hosting accounts I've signed
> up for came with a jailed shell that I could use to work with the
> files on the server but nothing more.
>
> Mike

At least to start, a shell account should have limited access to memory, processor time, number of procs, files, disk space, etc. Also, any writable areas such as $HOME and /tmp should be on a partition with certain mount options such as no suid and maybe even noexec.
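
The mount-option advice in the reply above can be checked mechanically. The following is an added example, not part of the original thread: a POSIX sh audit that finds the filesystem holding a writable path and reports which of the required options are absent. The function names, the `/home/alice` path and the sample mount table (written in the format OpenBSD `mount(8)` prints) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format printed by OpenBSD mount(8); not a real host.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0d on /tmp type ffs (local, nodev, nosuid)
/dev/wd0e on /home type ffs (local, nodev, nosuid, noexec)
/dev/wd0f on /usr type ffs (local, nodev)'

# On a live system, set MOUNTS="$(mount)" before calling audit_mount.
MOUNTS=${MOUNTS:-$SAMPLE_MOUNTS}

# mount_line_for PATH: read mount(8)-style lines on stdin and print the line
# whose mount point is the longest prefix of PATH (the filesystem holding it).
mount_line_for() {
    target=$1
    best=
    best_line=
    while IFS= read -r line; do
        mp=${line#* on }        # drop "device on "
        mp=${mp%% type *}       # drop " type fs (options)"
        case "$target/" in
            "${mp%/}"/*)
                if [ ${#mp} -gt ${#best} ]; then
                    best=$mp
                    best_line=$line
                fi ;;
        esac
    done
    printf '%s\n' "$best_line"
}

# audit_mount PATH OPTION...: print "PATH ok" and return 0 when every OPTION
# is set on PATH's filesystem, else print "PATH missing: ..." and return 1.
audit_mount() {
    path=$1
    shift
    line=$(printf '%s\n' "$MOUNTS" | mount_line_for "$path")
    opts=${line##*\(}           # text inside the parentheses
    opts=${opts%\)}
    missing=
    for want in "$@"; do
        case ", $opts," in
            *", $want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -z "$missing" ]; then echo "$path ok"; return 0; fi
    echo "$path missing:$missing"
    return 1
}

# Writable areas named in the reply: /tmp and a (hypothetical) user's $HOME.
audit_mount /tmp nosuid noexec || true
audit_mount /home/alice nosuid noexec || true
```

The non-zero return status lets the check fail a provisioning script or cron job when a writable partition is mounted without the expected options.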