Date:      Wed, 8 May 2002 22:57:59 -0400 (EDT)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        FreeBSD Security <security@freebsd.org>
Subject:   Re: 2 questions.  permission and kde.
Message-ID:  <20020508224922.S62456-100000@topperwein.dyndns.org>
In-Reply-To: <F42jkyqU7a0xtAEHLB80001aaed@hotmail.com>

On Wed, 8 May 2002, Chest Rockwell wrote:

> I have a remote webserver where I can't leave my home folder, i.e.
> /usr/home/marley; I'm not able to get out of the marley dir.  Is that just a
> permission setting, or a program or something else?  How can I set it up on
> my machine so that someone would be set to 1 dir and not able to move out of
> it?

    You're not able to browse out of the marley dir, or you're not
able to get a shell and cd out of ~marley?

    If the former, it's trivial to set that up:  add the following
snippet to httpd.conf, and then chmod o-rwx on /usr/home:

#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
UserDir public_html

<Directory /home/*/public_html>
    AllowOverride none
    Options IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

That may be a little more restrictive than you need, or not quite
restrictive enough.  Directory browsing is turned off in this example.

> The 2nd q is: I've set up my FreeBSD 4.5 machine and didn't install xwindows.
> Are there any security risks in doing so?  If I go through
> /stand/sysinstall, what would I have to set up to be able to run xwindows
> using KDE?  There is a whole list and I'm guessing that I only need a couple
> of them.

    Block ports 6000-6063 on your external interface and you should be
OK.  Install the Xwrapper port so that you don't have to run your X
server as root.

    Sure, there can be security risks if you have malicious users on
your LAN who know what they're doing, or if you share the machine with
same.  If this is your home machine, no worries unless you don't
trust your wife or kids (but still block those ports at the external
interface).

    In the office, I typically only had one NIC, and I blocked X
traffic on the NIC, but allowed it on the loopback device.  When I
needed to display remote applications back to my display, I tunnelled
X through ssh ('ssh -X hostname; xterm -display mybox:0') after
setting up xauth correctly.

    To set up KDE, first set up XFree86-4.  It's easiest just to build
the metaport:  cd /usr/ports/x11/XFree86-4; make install clean

    Then cd /usr/ports/x11/kde3; make install clean

    It'll take a while.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
                   Turning coffee into software since 1990.
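
A check for the advice above about ports 6000-6063, as an added example that is not part of the original message: it reads `netstat -an` output and reports X11 listeners bound to anything other than loopback. The function names and the sample lines are constructed for illustration, and the parser assumes the BSD `address.port` column layout.

```shell
#!/bin/sh
# Added example: flag TCP listeners in the X11 range (6000-6063) that are
# reachable on a non-loopback address. Input is BSD-style `netstat -an`
# output, where the local address column is written as address.port.

exposed_x11_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/^.*\./, "", port)       # text after the last dot
            addr = $4; sub(/\.[0-9]+$/, "", addr)   # text before the port
            if (port !~ /^[0-9]+$/) next
            if (port + 0 < 6000 || port + 0 > 6063) next
            # Loopback-only listeners (e.g. ssh -X forwarding) are expected.
            if (addr ~ /^127\./ || addr == "::1") next
            print addr, port
        }
    '
}

# Constructed sample input, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.6010         *.*                    LISTEN
tcp4       0      0  192.168.1.5.6001       *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.5.22         192.168.1.9.6000       ESTABLISHED
tcp6       0      0  ::1.6010               *.*                    LISTEN
tcp4       0      0  *.6064                 *.*                    LISTEN
EOF
}

# On a live FreeBSD host, replace sample_netstat with: netstat -an -p tcp
sample_netstat | exposed_x11_listeners
```

Any line it prints is an X server socket that the packet filter on the external interface has to cover; an empty result means only loopback listeners were found.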

