Date: Fri, 31 Dec 2004 11:15:13 -0700 From: rick <rick.shelton@gmail.com> To: freebsd-newbies@freebsd.org Subject: Re: Security issue - just getting started Message-ID: <41D59731.9070508@onr.com>
next in thread | raw e-mail | index | archive | help
i'm sure there are better explanations of these concepts than i can provide. > I don't understand the concept of userland? (Userland vs ???) userland and kernelspace has to do with which code is being executed. system calls and lower level functionality comes from the kernel. > Throw in "chroot" and "jail" and I'm just completely lost. jailing a process is the idea of creating a false virtual environment for a program. the program believes that its environment is something completely different from the real environment that is the entire system provided by the operating system and its utilities. for example, say i want to run a ftp server. running it straight from a non-jailed environment means that the entire system environment is visible to the service. but running the service from a chroot-ed environment would limit what was visible to the ftp service. the ftp service would believe that the root of the file system was something like /var/ftp/ instead of just /. then, no matter what tomfoolery occurs, nothing above the /var/ftp/ directory would ever be available to the ftp service. of course, breaking out of a jailed environment is one of the goals of malicious users. > > Where can I get started on understanding FreeBSD security? there are incredible amounts of information available on this subject online. search for things like "freebsd security" and "unix security." but the real first step is getting to know your system. log in as a regular user and see what you can and can't do. look at your shell environment and see how it differs from the root user's environment. things like that. understand file and directory permissions and how they can be used with owner/group id's. > > I want to lock down my Apache based webserver properly. > I don't want to JUST run a script like Bastille, except > to learn from it. I need the understanding to move forward. apache.org has some information about securing your installation. again, there are incredible amounts of information available on this subject. i have read that running apache in a chroot environment is a bad idea and that there are better ways of securing the server. you may also want to read the apache bible. it has lots of advice and examples. because it is geared toward someone who is starting out, i would also recommend finding more involved discussion once you're familiar with the basics. but it does seem like a fair enough starting point. once you're running your service, try it out. see how much you can make it do. then ask yourself if you really want it to do that. as always, have a healthy mistrust of any service you run on your system. be vigilent by watching out for security announcements and inspecting log files. and never enable or allow for more than is necessary. -- ~rick
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41D59731.9070508>