From owner-freebsd-isp Fri Jul 25 20:51:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA12075 for isp-outgoing; Fri, 25 Jul 1997 20:51:24 -0700 (PDT)
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA12070 for ; Fri, 25 Jul 1997 20:51:22 -0700 (PDT)
Received: from localhost (bradley@localhost) by ns2.harborcom.net (8.8.5/8.8.5) with SMTP id XAA23855 for ; Fri, 25 Jul 1997 23:51:20 -0400 (EDT)
Date: Fri, 25 Jul 1997 23:51:20 -0400 (EDT)
From: Bradley Dunn
X-Sender: bradley@ns2.harborcom.net
To: freebsd-isp@freebsd.org
Subject: Re: FTP Problem Solved!
In-Reply-To: <2.2.32.19970723004250.00908ac8@mail.morelr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 22 Jul 1997, Rick Morel wrote:

> Assuming I'm not a dufus, get into the ISP business for a year or so and I
> absolutely guarantee you'll know. You'll find things like your Majordomo
> config files, complete with passwords posted on some web page and/or someone
> else administering your lists. Anything that can be seen and read can be used
> by some folks. It's a shame, it's not the "old 'net", but it is a fact.

Well, a lot of ISPs also offer shell accounts. It is significantly more difficult to make chrooted sandboxes for users to play in than it is to set up chrooted FTP. There has been some research into virtual machines and such...I seem to remember a web page at the University of Utah or somewhere. Setting up a shell server requires some thought, but it can be done securely.

The short answer is: don't have your majordomo config. files on the same server that your users log into. Set up a box that does shell accounts and little to nothing else (certainly nothing mission critical). Set up your network in such a way that even if root were to be compromised on the shell machine no critical services would be affected.

P.S. - Let's not get into whether offering shell accounts is 'good' or not. There is a market for that service. Some people provide it, some don't. It's a business decision.

pbd
--
Going to church does not make a person religious, nor does going to school make a person educated, any more than going to a garage makes a person a car.