From: c0ldbyte
To: freebsd-hackers@freebsd.org
Date: Tue, 29 Mar 2005 19:43:52 -0500 (EST)
Subject: Re: A few thoughts..

On Tue, 29 Mar 2005, H. S. wrote:

>> If you don't want users to run random binaries put /home and /tmp on
>> their own partitions and mount them noexec. Also note that users can
>> still read that info by accessing /var/log/messages and
>> /var/run/dmesg.boot
>>
>
> I do want them to run random binaries, such as psybncs, eggdrops,
> shoutcast servers, etc. Mounting /home noexec isn't an option, /tmp is
> noexec tho.

On the other hand, you could provide safe and secure system-provided binaries that they would have to use instead of compiling their own, which would solve the case, and ultimately upgrading the package provided to them would upgrade all the users at once without you having to worry about insecurities being scattered throughout your system.

Now, I could see if this was a development server then you obviously would want to allow your users to do such a thing, but since you mentioned things like psybnc, shoutcast, etc., the thought to me doesn't resemble a development server.

So my suggestion would be to provide the software they need on an as-is basis and take requests, mount the user partition with the [noexec] option, tune sysctl, operate in a secure level + chmod/chflag the proper files, and make 1 jail for the whole user-based part of the system for all that to run out of.

Best of luck,

--c0ldbyte
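
An added example, not part of the original message: a POSIX sh check that the mount points named in the thread (/home, /tmp) are separate fstab entries mounted noexec. The function names and the sample fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit fstab text for the "own partition + noexec" advice.
#
# audit_noexec FSTAB_FILE MOUNTPOINT...
# Prints "<mountpoint> <status>" per mount point, where status is:
#   OK            its own fstab entry, mounted with noexec
#   NO_NOEXEC     its own fstab entry, but noexec is missing
#   NOT_SEPARATE  no fstab entry, so it lives on a parent file system
# Returns 0 only if every mount point is OK.
audit_noexec() {
    fstab=$1; shift
    rc=0
    for mp in "$@"; do
        # fstab field 2 is the mount point, field 4 the option list.
        st=$(awk -v mp="$mp" '
            $1 ~ /^#/ || NF < 4 { next }      # skip comments, short lines
            $2 == mp {
                found = 1
                n = split($4, opt, ",")
                # Match the whole option token, not a substring.
                for (i = 1; i <= n; i++) if (opt[i] == "noexec") ok = 1
            }
            END { print (!found ? "NOT_SEPARATE" : (ok ? "OK" : "NO_NOEXEC")) }
        ' "$fstab")
        echo "$mp $st"
        [ "$st" = "OK" ] || rc=1
    done
    return $rc
}

# Constructed sample fstab; device names are placeholders.
sample_fstab() {
    cat <<'EOF'
# Device        Mountpoint  FStype  Options             Dump Pass
/dev/ad0s1a     /           ufs     rw                  1    1
/dev/ad0s1e     /tmp        ufs     rw,noexec,nosuid    2    2
/dev/ad0s1f     /home       ufs     rw,nosuid           2    2
EOF
}
```

Run it against the real file with `audit_noexec /etc/fstab /home /tmp`; a nonzero exit status means at least one mount point does not follow the advice.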