Date: Wed, 16 Apr 2003 21:48:03 -0700 (PDT)
From: Jeff Jirsa <jeff@unixconsults.com>
To: K Anderson <freebsduser@attbi.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: System security - Freebsd 4.8RC
Message-ID: <20030416213635.N49914-100000@boris.st.hmc.edu>
In-Reply-To: <3E9E2C8D.3010406@attbi.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Apr 2003, K Anderson wrote:

> I read through the basic freebsd documentation on security, or more so the
> administration of users. I will probably be opening my system to several
> users using ssh and ssh-ftp.

There's a shell called 'scponly' floating around. It basically allows people to copy files into their own appropriate directory, but keeps them from browsing around or running commands... You may be interested in something like that. (ports/shells/scponly)

>
> There are some things I am unsure about or would like guidance on:
> I'm thinking that I want to keep the users within the bounds of their
> own directory structure so they may not poke around looking for things
> to pilfer, change, hack, slash or break. Is this something that some of
> you more experienced administrators do to users to make sure they don't
> break something? If so, got any suggestions as where I may start?
>

The sledgehammer approach would be to use 'jail' (man 8 jail). It's likely much, much more than you need, but it's typically how webhosting companies separate clients on the same physical FreeBSD server. (jail will create a small, isolated prison to which your users will have access: snooping around will show them nothing but what's in the jail, and even rooting the jail won't root the box underneath).

There may be easier, lighter approaches. I'll leave those to someone who has more experience.

> Since I would like to allow the users to be able to do php stuff only
> and perhaps block access to some wisenheimer that might allow them to
> create mischief not only on my system but other systems as well, either
> through CGI, PERL, PHP does anybody have ideas on how to restrict
> certain things like creating sockets, inet connections and other stuff?
> I know I can create a hefty firewall rule set to block some stuff so I
> would have to do things like that, I just can't think of any gotchas or
> something like that I might be overlooking.

It's widely believed that PHP has a poor security model, although there are a few extras built into later versions that make it 'nicer' in multi-user systems. You'll want to read up on 'safe mode', at the very least.

You'll want to set up apache such that scripts run as the user who owns them, not as the user running apache. SuEXEC is your friend.

Issues such as creating sockets and internet connections are harder to control, but reasonable limits in /etc/login.conf will (hopefully) keep one dumb user from killing the system.

Once again, there are probably many different ways to accomplish everything you want to do, and I'm sure someone else on the list will mention something.

- - Jeff Jirsa

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+njIK1ZEy6nYcOF4RAnnlAKDY3hdlgLS+6JAeuBLIXCC/XVfpFgCg/Idh
jOwfFYPaLNuHlCdwebxvXzs=
=W8/Z
-----END PGP SIGNATURE-----
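The /etc/login.conf limits mentioned in the message above, as an added example that is not part of the original e-mail: a small Python audit that resolves `tc=` inheritance between login classes and reports which resource limits each class still leaves unset or unlimited. The `hosted` class, its values, the list of checked limits and all function names are assumptions made for illustration.

```python
import re
import sys

# Constructed sample in login.conf(5) syntax; class names and values are assumptions.
SAMPLE = r"""
default:\
    :cputime=unlimited:maxproc=unlimited:\
    :openfiles=unlimited:sbsize=unlimited:
hosted|Shell and PHP users:\
    :cputime=10m:maxproc=32:openfiles=128:\
    :tc=default:
"""
CHECKED = ("cputime", "maxproc", "openfiles", "sbsize")
UNLIMITED = (None, "unlimited", "unlimit", "infinity", "inf")

def parse(text):
    """Return {class: {capability: value}}; a cancelled 'cap@' is stored as None."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    joined = re.sub(r"\\\n\s*", "", "\n".join(lines))  # join continuation lines
    classes = {}
    for record in filter(str.strip, joined.splitlines()):
        names, *fields = record.strip().split(":")
        caps = {}
        for field in filter(None, fields):
            key, _, value = field.partition("=")
            if key.endswith("@"):
                key, value = key[:-1], None
            caps.setdefault(key, value)  # first occurrence wins
        classes[names.split("|")[0]] = caps
    return classes

def effective(classes, name, seen=()):
    """Resolve tc= inheritance; a class's own settings override inherited ones."""
    caps = dict(classes[name])
    parent = caps.pop("tc", None)
    if parent in classes and parent not in seen:
        for key, value in effective(classes, parent, seen + (name,)).items():
            caps.setdefault(key, value)
    return caps

def unbounded(classes):
    """Map each class to the checked limits that are unset or unlimited."""
    report = {}
    for name in classes:
        caps = effective(classes, name)
        report[name] = [c for c in CHECKED if caps.get(c + "-max", caps.get(c)) in UNLIMITED]
    return {name: weak for name, weak in report.items() if weak}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(unbounded(parse(text)))
```

On the sample, `hosted` is still reported for `sbsize`, because the socket buffer limit is inherited unchanged from `default`. After editing /etc/login.conf, rebuild the database with `cap_mkdb /etc/login.conf` and assign the class with `pw usermod <user> -L <class>`.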