Hosting Discussion
 

  Post #1 (permalink)   02-17-2002, 03:17 AM
hypernatic.net
 
Okay,

Now... I am not very fond of offering people shell access to my servers (mainly RaQ4's)... Why? Well, there are always files that contain passwords and such...

Now I wonder... Is there a way (like with FTP) that you can RESTRICT them from going UP a directory (so if /home/USERNAME is their homedir, that they can't go into /home or up?)....

I am talking about TELNET/SSH access here, not about apache or stuff like that...

Thanks guys!!
 
 
 


  Post #2 (permalink)   02-17-2002, 03:34 AM
HD Newbie
 
Join Date: Feb 2002
Location: Northern, California.
Posts: 12
If you aren't worried about people completely bypassing this attempt to keep each other out of other people's directories, then I'm not sure how good a solution it is. However... it's better than nothing at all, I guess.

Create a user called something (whatever you want, but say "safegrp" for the sake of example). Then change your Apache web server GROUP user to "safegrp" to replace the user "nobody", or whatever it is.

Then, change all the groups of the /home users to safegrp:

chgrp safegrp /home/*

Then, change the permissions of all the /home users to 750 or 710 (depending). Restart Apache and you'll see that any user other than the account's own user and Apache's "safegrp" group has no access. Be sure to change ProFTPD's group to safegrp too, if you need to, that is.

This solution best works with SuEXEC enabled and it would also mean that not only will users' CGI scripts not have permissions to use CGI to snoop around, but it can also save the people from the hassle of dealing with CGI generated files owned by the "nobody" group. So, watch that. But, other than that, it's about that simple.

You might want to do a chmod 711 to all the dirs like /home, /, /etc, and so forth, to hide some paths. Also, you _might_ consider doing some things with the passwd and group files, as well as Apache's config file, ProFTPD's config file, as well as any other file that people can view to see who's on the system and their dir names, etc., to prevent that from happening -- not just by hiding dir contents, but with permissions and ownership that will allow other things to read them and function, yet still deny users in shell and CGI, PHP, etc. from viewing them.

One idea might be to put all the users in a "userblock" group, as well as "nobody", and deny that group from viewing the files in question -- and only allowing them access by using the correct permissions and ownership. Just some ideas. In fact, you can apply that same idea, putting all the account users into a group, and denying that group from access to the /home/* dirs too. That will have pretty much the same effect. Good luck.
__________________
Regards,
Tim Greer -- tim@chatbase.com
Programming, administration, security, and whathaveyou...
<Insert witty sig, impress many>
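
Added example (not part of the original thread and not either poster's code): a shell check that audits home directories against the scheme in the reply above, flagging any directory whose group is not the expected one or whose mode still grants access to "other". Assumptions: GNU stat (stat -c), the hypothetical function name audit_homes, and the extra rule that group-write is flagged because the reply names only 750 or 710.

```shell
#!/bin/sh
# Added example: audit per-user home directories after applying the
# "chgrp safegrp /home/*" + "chmod 750 or 710" scheme from the post.
# Assumption: GNU stat (stat -c). "safegrp" is the group name from the post.

# audit_homes BASE GROUP  (hypothetical helper name)
# Prints one line per directory directly under BASE that deviates:
#   group owner is not GROUP, any "other" permission bit is set,
#   or group write is set (the post suggests 750 or 710).
# Returns 0 if every directory conforms, 1 otherwise.
audit_homes() {
    ah_base=$1; ah_group=$2; ah_bad=0
    for ah_dir in "$ah_base"/*/; do
        ah_dir=${ah_dir%/}
        # Skip non-directories and symlinks (a link could point outside BASE).
        [ -d "$ah_dir" ] && [ ! -L "$ah_dir" ] || continue
        ah_mode=$(stat -c '%a' "$ah_dir")    # octal mode, e.g. 750
        ah_grp=$(stat -c '%G' "$ah_dir")     # group owner name
        ah_why=
        [ "$ah_grp" = "$ah_group" ] || ah_why=" group=$ah_grp"
        # Leading 0 makes the shell read the mode as an octal constant.
        [ $(( 0$ah_mode & 07 )) -eq 0 ] || ah_why="$ah_why other-access"
        [ $(( 0$ah_mode & 020 )) -eq 0 ] || ah_why="$ah_why group-write"
        if [ -n "$ah_why" ]; then
            echo "$ah_dir mode=$ah_mode$ah_why"
            ah_bad=1
        fi
    done
    return "$ah_bad"
}

# Constructed demo: three fake home directories in a temp dir.
demo=$(mktemp -d)
mkdir "$demo/alice" "$demo/bob" "$demo/carol"
chmod 750 "$demo/alice"; chmod 755 "$demo/bob"; chmod 710 "$demo/carol"
# The group the directories actually received stands in for "safegrp" here.
audit_homes "$demo" "$(stat -c '%G' "$demo/alice")" || echo "deviations found"
rm -rf "$demo"
```

On a real server the call would be audit_homes /home safegrp, run after the chgrp/chmod steps and again whenever accounts are added.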
 
 
 