Date: Thu, 17 Apr 2003 09:00:19 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: K Anderson <freebsduser@attbi.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: System security - Freebsd 4.8RC
Message-ID: <3E9EA563.1000700@potentialtech.com>
In-Reply-To: <3E9E2C8D.3010406@attbi.com>
References: <3E9E2C8D.3010406@attbi.com>

K Anderson wrote:
> I read through the basic FreeBSD documentation on security, or more so the
> administration of users. I will probably be opening my system to several
> users using ssh and ssh-ftp.
>
> This is for the purpose of doing PHP, MySQL and other web related stuff
> using Apache.
>
> There are some things I am unsure about or would like guidance on:
> I'm thinking that I want to keep the users within the bounds of their
> own directory structure so they may not poke around looking for things
> to pilfer, change, hack, slash or break. Is this something that some of
> you more experienced administrators do to users to make sure they don't
> break something? If so, got any suggestions as where I may start?

http://chrootssh.sourceforge.net/

The standard ftp daemon has an ftpchroot file, I would hope that ssh-ftp
can do the same. (see 'man ftpchroot')

> Since I would like to allow the users to be able to do php stuff only
> and perhaps block access to some wisenheimer that might allow them to
> create mischief not only on my system but other systems as well, either
> through CGI, PERL, PHP does anybody have ideas on how to restrict
> certain things like creating sockets, inet connections and other stuff?
> I know I can create a hefty firewall rule set to block some stuff so I
> would have to do things like that, I just can't think of any gotchas or
> something like that I might be overlooking.

Check out the security docs for php. Safe mode is probably a good place
to start. Additionally, you can restrict certain commands and other
behaviour with directives in php.ini. See this page:
http://www.php.net/manual/en/configuration.directives.php

> If there's any other gotchas I should be aware of, I look forward to
> getting feedback on user and security issues.

As was pointed out already ... the ultimate will really be a jail environ.
You need to determine if your security needs warrant that or not.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
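
An added example, not part of the original message: a small Python check of a php.ini against the kind of restrictions the reply points to (safe mode plus php.ini directives that limit commands, sockets and outbound connections). The sample file and the policy, including the list of functions to disable, are assumptions made for illustration; `safe_mode` exists only in PHP releases before 5.4, where it was removed.

```python
# Added example: audit a php.ini for a shared-hosting restriction policy.
# SAMPLE_INI is constructed; the policy below is an assumption, not from the thread.

# PHP functions that open sockets or run external commands.
NETWORK_AND_EXEC = {
    "fsockopen", "pfsockopen", "socket_create",
    "exec", "system", "passthru", "shell_exec", "popen", "proc_open",
}

SAMPLE_INI = """\
[PHP]
; constructed sample for one user's web tree
safe_mode = On
open_basedir = /home/alice/public_html
disable_functions = exec,system,passthru,shell_exec,popen,proc_open
allow_url_fopen = On
"""

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue  # blank line, comment, section header, or not an assignment
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def is_on(value):
    return value.lower() in ("1", "on", "yes", "true")

def audit(text):
    """Return a list of findings; an empty list means the policy is met."""
    s = parse_ini(text)
    findings = []
    if not is_on(s.get("safe_mode", "off")):
        findings.append("safe_mode is off")
    if not s.get("open_basedir"):
        findings.append("open_basedir is unset")
    if is_on(s.get("allow_url_fopen", "on")):  # treated as on when absent
        findings.append("allow_url_fopen is on")
    disabled = {f.strip().lower()
                for f in s.get("disable_functions", "").split(",") if f.strip()}
    for fn in sorted(NETWORK_AND_EXEC - disabled):
        findings.append("%s is not in disable_functions" % fn)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("FINDING:", finding)
```

The sample passes the safe mode and `open_basedir` checks but still leaves URL-aware `fopen` and the socket functions available, which is the gap the original question asks about.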