From: Bill Moran
Date: Thu, 17 Apr 2003 09:00:19 -0400
To: K Anderson
Cc: freebsd-questions@freebsd.org
Subject: Re: System security - Freebsd 4.8RC

K Anderson wrote:
> I read through the basic FreeBSD documentation on security, or more so the
> administration of users. I will probably be opening my system to several
> users using ssh and ssh-ftp.
>
> This is for the purpose of doing PHP, MySQL and other web related stuff
> using Apache.
>
> There are some things I am unsure about or would like guidance on:
> I'm thinking that I want to keep the users within the bounds of their
> own directory structure so they may not poke around looking for things
> to pilfer, change, hack, slash or break. Is this something that some of
> you more experienced administrators do to users to make sure they don't
> break something? If so, got any suggestions as to where I may start?

http://chrootssh.sourceforge.net/

The standard ftp daemon has an ftpchroot file, I would hope that ssh-ftp
can do the same. (see 'man ftpchroot')

> Since I would like to allow the users to be able to do php stuff only
> and perhaps block access to some wisenheimer that might allow them to
> create mischief not only on my system but other systems as well, either
> through CGI, PERL, PHP does anybody have ideas on how to restrict
> certain things like creating sockets, inet connections and other stuff?
> I know I can create a hefty firewall rule set to block some stuff so I
> would have to do things like that, I just can't think of any gotchas or
> something like that I might be overlooking.

Check out the security docs for php. Safe mode is probably a good place
to start. Additionally, you can restrict certain commands and other
behaviour with directives in php.ini. See this page:
http://www.php.net/manual/en/configuration.directives.php

> If there's any other gotchas I should be aware of, I look forward to
> getting feedback on user and security issues.

As was pointed out already ... the ultimate will really be a jail environ.
You need to determine if your security needs warrant that or not.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
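
The php.ini restrictions mentioned in the reply, shown as an added example that is not part of the original message. The directive names are real PHP directives; the paths and the exact function list are assumptions chosen for a shared PHP/MySQL host of that era.

```ini
; Constructed php.ini fragment (added example, not from the original message).
; Paths below are placeholders; adjust to the actual home/docroot layout.

; --- Weak settings (PHP defaults) ---
; safe_mode = Off          ; scripts may read any file the web server user can
; open_basedir =           ; unset: no directory confinement
; disable_functions =      ; empty: exec(), fsockopen() etc. all available
; allow_url_fopen = On     ; fopen()/include can reach remote URLs
; enable_dl = On           ; scripts can load extensions at run time

; --- Restricted settings ---
; Safe mode: file access is allowed only when the file owner matches the
; script owner. Deprecated in PHP 5.3.0 and removed in 5.4.0; on later
; versions rely on open_basedir and disable_functions instead.
safe_mode = On
; Only binaries placed in this directory may be run by exec()-style calls
; while safe mode is on (placeholder path).
safe_mode_exec_dir = /usr/local/php-safe-bin

; Confine file operations to the listed trees. Keep the trailing slash:
; without it the value is a prefix match, so /home/user would also
; permit /home/user2. With mod_php this is normally set per virtual host
; in httpd.conf via "php_admin_value open_basedir ..." so each user gets
; their own tree.
open_basedir = /home/exampleuser/public_html/:/tmp/

; Remove command execution and outbound socket primitives. This directive
; is honoured only in php.ini, not in per-directory configuration.
disable_functions = exec,system,passthru,shell_exec,popen,proc_open,fsockopen,pfsockopen,socket_create,dl

; Stop fopen()/include from fetching http:// and ftp:// URLs.
allow_url_fopen = Off
; Block run-time loading of extensions.
enable_dl = Off
; Do not advertise the PHP version in response headers.
expose_php = Off
```

These directives constrain PHP scripts only; CGI and Perl programs run outside the PHP interpreter and are not affected by them, which is where the firewall rules, chroot or a jail discussed above come in.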