# How to limit my users?



## Moti (May 19, 2016)

I'm running a FreeBSD machine for some friends to ssh into, and would like to prevent the users from finding out more than they should about other accounts on the system.
For example: I can use `who` or `cat /etc/passwd`, or `cd` to the /home directory and use `ls`, to find out who has an account on the machine or is currently using it.
Thank you in advance


----------



## SirDice (May 19, 2016)

You should start with security(7). It contains a lot of information. But note that some things can't be prevented without seriously breaking the system. So some information will always be available to _any_ user. If you don't trust them with that information they shouldn't get a shell account to begin with.


----------



## kitaman (May 20, 2016)

Set the users up with rbash as their shell, and set their path to ~/bin.  Add links in ~/bin to any programs that they are allowed access to.
Set the permissions on their .profile to 0644 and owned by root.


----------
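An added example, not part of the thread: a POSIX sh audit of the restricted-shell layout kitaman describes above (a root-owned 0644 `.profile`, a PATH of `~/bin`, links in `~/bin`). The function names, the PATH-line heuristic, and the extra requirement that the home and `~/bin` directories themselves be root-owned are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a home directory set up for a restricted shell.
# Usage: audit_rhome HOME_DIR [OWNER_UID]  (OWNER_UID defaults to 0, root)
# Prints findings; returns 0 when clean, 1 otherwise.

# "<mode string> <uid>" via POSIX ls; stat(1) flags differ across systems.
mode_uid() { ls -ldn "$1" | awk '{ print substr($1, 1, 10), $3 }'; }

audit_rhome() {
    home=$1 want_uid=${2:-0} rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # .profile: regular file, mode 0644, owned by root (as in the post).
    p="$home/.profile"
    if [ -L "$p" ] || [ ! -f "$p" ]; then
        fail "$p is missing or not a regular file"
    else
        set -- $(mode_uid "$p")
        [ "$1" = "-rw-r--r--" ] || fail "$p mode is $1, expected -rw-r--r--"
        [ "$2" = "$want_uid" ] || fail "$p owner uid is $2, expected $want_uid"
        # Heuristic: expects a line such as  PATH=$HOME/bin  or  export PATH=~/bin
        grep -Eq '^(export )?PATH="?(\$HOME|~)/bin"?([[:space:]]*;.*)?$' "$p" ||
            fail "$p has no line setting PATH to only ~/bin"
    fi

    # Assumption beyond the post: home and ~/bin are also root-owned and not
    # group/other writable, so .profile cannot be replaced or links added.
    for d in "$home" "$home/bin"; do
        if [ ! -d "$d" ]; then fail "$d is not a directory"; continue; fi
        set -- $(mode_uid "$d")
        [ "$2" = "$want_uid" ] || fail "$d owner uid is $2, expected $want_uid"
        case $1 in ?????w*|????????w*) fail "$d is group/other writable ($1)" ;; esac
    done

    # Each entry in ~/bin must be a symlink resolving to an executable file.
    for e in "$home/bin"/* "$home/bin"/.[!.]*; do
        [ -e "$e" ] || [ -L "$e" ] || continue    # skip unmatched glob
        if [ ! -L "$e" ]; then
            fail "$e is not a symlink"
        elif [ ! -f "$e" ] || [ ! -x "$e" ]; then
            fail "$e does not resolve to an executable file"
        else
            echo "allowed: ${e##*/} -> $(readlink "$e")"
        fi
    done
    return $rc
}
```

Run it as root against each restricted account's home, for example `audit_rhome /home/alice` (a hypothetical account); the `allowed:` lines give the command set that account can actually reach.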



## Chris_H (May 21, 2016)

You might also find the following, from sysctl.conf(5), helpful:

```
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
```

HTH

--Chris


----------



## ANOKNUSA (May 21, 2016)

Moti, if you want advice on how to administer the system you ought to mention exactly what the purpose of giving your users SSH access is in the first place. Otherwise there's really no way for anyone to tell what scope of security might be necessary. You can easily prevent users from seeing or touching each other's directories and files; you can't easily prevent anyone from knowing what processes are running on the system, who's running them, and what ports they might be using. Preventing access to parts of the system is easier than preventing access to information about the system. And I suspect that if someone wants to log into a system via SSH, they probably expect a higher-than-usual degree of control over their accounts---something beyond simply storing and retrieving files.

It should certainly be possible to separate accounts to a pretty high degree, but I would think the simplest way to get comprehensive security on your system while keeping all your friends happy is to create a jail for each user, and give them SSH access to their jails rather than your system. Creating jails isn't exactly simple, but once a jail is created and connected to the network, managing them would be much simpler and easier than managing accounts directly, while offering greater peace of mind. Installing and configuring security/sudo in each jail would allow users to have some administrative access (perhaps for installing ports/packages), yet keep each user from ever gathering any information at all about the host system or other users on it. You could reserve full root access to the jails---and any access to the host---for yourself for safety's sake.


----------

