Date: Mon, 28 Jun 2010 13:02:38 +0300 From: Vitaly Magerya <vmagerya@gmail.com> To: =?ISO-8859-1?Q?Olivier_Cochard-Labb=E9?= <olivier@freenas.org> Cc: freebsd-ports-mailinglist <freebsd-ports@freebsd.org> Subject: Re: Call for testers: www/shellinabox (Shell in a Box) Message-ID: <4C28733E.9050003@gmail.com> In-Reply-To: <AANLkTil__Lw0uiFXKMI4o1TMoFBXbtQ3CPS1-yMl4edQ@mail.gmail.com> References: <AANLkTil__Lw0uiFXKMI4o1TMoFBXbtQ3CPS1-yMl4edQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Olivier Cochard-Labbé wrote: > I've just finished my port of Shell in a Box: It's a secure web server > that provide ajax terminal emulator. > More information on the official website: http://code.google.com/p/shellinabox/ After looking at the port for a while, I have some suggestions. The port creates ${PREFIX}/etc/shellinabox directory, chowns it to nobody and chmods it to 777. The reason for this is that shellinabox creates certificates during the runtime and stores them into that directory, but it only does that after dropping to "nobody" user. As the author of shellinabox notes [1], this is a bad idea, because any user can read and modify your keys this way. I also have a vague feeling that storing variable files in ${PREFIX}/etc/shellinabox is a bad idea as well (to compare, Debian port uses /var/lib/shellinabox). So what I propose is this: 1. Create "shellinabox" user and group (via USERS and GROUPS). 2. Update rc script to start shellinaboxd with that user and group. 3. Make the certificate directory 700, owned by shellinabox:shellinabox. 4. Move the certificate directory to /var/shellinabox or similar (what's our conventional location for this kind of files?). I'm not sure on the 4 though. Any thoughts? [1] http://code.google.com/p/shellinabox/issues/detail?id=22#c2
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C28733E.9050003>