From: K Anderson
Date: Wed, 16 Apr 2003 21:24:45 -0700
To: freebsd-questions@freebsd.org
Subject: System security - Freebsd 4.8RC
Message-ID: <3E9E2C8D.3010406@attbi.com>

I read through the basic FreeBSD documentation on security, or more so the administration of users.

I will probably be opening my system to several users using ssh and ssh-ftp. This is for the purpose of doing PHP, MySQL and other web related stuff using Apache.

There are some things I am unsure about or would like guidance on:

I'm thinking that I want to keep the users within the bounds of their own directory structure so they may not poke around looking for things to pilfer, change, hack, slash or break. Is this something that some of you more experienced administrators do to users to make sure they don't break something? If so, got any suggestions as to where I may start?

Since I would like to allow the users to be able to do php stuff only and perhaps block access to some wisenheimer that might allow them to create mischief not only on my system but other systems as well, either through CGI, PERL, PHP, does anybody have ideas on how to restrict certain things like creating sockets, inet connections and other stuff?

I know I can create a hefty firewall rule set to block some stuff so I would have to do things like that; I just can't think of any gotchas or something like that I might be overlooking.

If there are any other gotchas I should be aware of, I look forward to getting feedback on user and security issues.

Thanks in advance..