From owner-freebsd-questions@FreeBSD.ORG Wed Jan 10 17:11:00 2007 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 62BF616A412 for ; Wed, 10 Jan 2007 17:11:00 +0000 (UTC) (envelope-from njt@ayvali.org) Received: from starfish.geekisp.com (mail.geekisp.com [216.168.135.169]) by mx1.freebsd.org (Postfix) with ESMTP id E7ECE13C465 for ; Wed, 10 Jan 2007 17:10:59 +0000 (UTC) (envelope-from njt@ayvali.org) Received: (qmail 17532 invoked by uid 1003); 10 Jan 2007 16:44:18 -0000 Received: from clam.int.geekisp.com (HELO clam.geekisp.com) (192.168.4.38) by mail.geekisp.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 10 Jan 2007 16:44:18 -0000 Received: from clam.geekisp.com (njt@localhost.geekisp.com [127.0.0.1]) by clam.geekisp.com (8.13.8/8.12.11) with ESMTP id l0AGiHZJ005568; Wed, 10 Jan 2007 11:44:17 -0500 (EST) Received: (from njt@localhost) by clam.geekisp.com (8.13.8/8.13.3/Submit) id l0AGiHM0001270; Wed, 10 Jan 2007 11:44:17 -0500 (EST) X-Authentication-Warning: clam.geekisp.com: njt set sender to njt@ayvali.org using -f Date: Wed, 10 Jan 2007 11:44:17 -0500 From: "N.J. Thomas" To: VeeJay , FreeBSD-Questions Message-ID: <20070110164417.GB579@ayvali.org> References: <2cd0a0da0701100424y1f15717es81a7536c1e1e5a9a@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2cd0a0da0701100424y1f15717es81a7536c1e1e5a9a@mail.gmail.com> User-Agent: Mutt/1.5.9i Cc: Subject: Re: How dangerous a Standard User could be to a FreeBSD box? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jan 2007 17:11:00 -0000 * VeeJay [2007-01-10 13:24:22 +0100]: > How dangerous a Standard User could be to a FreeBSD box? Like another poster mentioned, it depends on a variety of factors. Three things I can suggest to help you minimize security risks from local users: - keep your machine and software packages updated - have policies and procedures in place detailing an Acceptable Use Policy (AUP) and the consequences of violating them; and use it when you have to (a lot of places have a ton of elaborate and well-written AUPs which are never enforced) - keep your user "shell" machines completely separate from your other servers (web, imap, et al.), separate boxes, separate subnet, separate passwords, etc.; this should be obvious, but a lot of people run a lot of critical services on the same machines that they allow users access to and then they are surprised when a fork bomb takes down their mail infrastructure hth, Thomas -- N.J. Thomas njt@ayvali.org Etiamsi occiderit me, in ipso sperabo