Date: Tue, 29 Mar 2005 19:43:52 -0500 (EST)
From: c0ldbyte <c0ldbyte@myrealbox.com>
To: freebsd-hackers@freebsd.org
Subject: Re: A few thoughts..
Message-ID: <20050329193558.L33759@eleanor.us1.wmi.uvac.net>
In-Reply-To: <62208.81.84.174.37.1112130745.squirrel@mail.revolutionsp.com>
References: <61910.81.84.174.37.1112123946.squirrel@mail.revolutionsp.com> <20050329213528.59dab2e2.flynn@energyhq.es.eu.org> <62208.81.84.174.37.1112130745.squirrel@mail.revolutionsp.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 29 Mar 2005, H. S. wrote:

>> If you don't want users to run random binaries put /home and /tmp on
>> their own partitions and mount them noexec. Also note that users can
>> still read that info by accessing /var/log/messages and
>> /var/run/dmesg.boot
>>
>
> I do want them to run random binaries, such as psybncs, eggdrops,
> shoutcast servers, etc. Mounting /home noexec isn't an option, /tmp is
> noexec tho.

On the other hand, you could provide safe and secure system-provided
binaries that they would have to use instead of compiling their own,
which would solve the case, and ultimately, upgrading the package
provided to them would upgrade all the users at once without you having
to worry about insecurities being scattered throughout your system.

Now, I could see if this was a development server; then you obviously
would want to allow your users to do such a thing, but since you
mentioned things like psybnc, shoutcast, etc., the thought to me doesn't
resemble a development server.

So my suggestion would be to provide the software they need on an as-is
basis and take requests, mount the user partition with the [noexec]
option, tune sysctl, operate in a secure level, chmod/chflag the proper
files, and make 1 jail for the whole user-based part of the system for
all that to run out of.

Best of luck,

--c0ldbyte

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCSfZKsmFQuvffl58RAsw0AJkB6cLDGL4dsY9FAGrKZatn8+MotQCfeEX3
5R8zcR7nyVJQL1dgub0/nj0=
=h8hs
-----END PGP SIGNATURE-----
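
A check for the noexec part of the advice in this thread, added here as an example and not part of the original message: it reads fstab(5) text and reports whether each user-writable mount point is its own filesystem with noexec set. The function names, the sample fstab, its device names and the extra /var/tmp mount point are all constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in FreeBSD fstab(5) layout; device names are made up.
sample_fstab() {
cat <<'EOF'
# Device        Mountpoint  FStype  Options             Dump  Pass#
/dev/ad0s1a     /           ufs     rw                  1     1
/dev/ad0s1e     /tmp        ufs     rw,noexec,nosuid    2     2
/dev/ad0s1f     /home       ufs     rw,nosuid           2     2
EOF
}

# audit_noexec MOUNTPOINT...   (hypothetical helper, fstab text on stdin)
# Prints one line per requested mount point:
#   ok <mp>      has its own fstab entry and noexec is set
#   exec <mp>    has its own fstab entry but noexec is missing
#   nopart <mp>  no fstab entry, so it inherits its parent's mount options
# Exit status is 0 only when every requested mount point is "ok".
audit_noexec() {
    awk -v want="$*" '
        BEGIN { n = split(want, mps, " ") }
        $1 ~ /^#/ || NF < 4 { next }      # skip comments and short lines
        {
            # Field 2 is the mount point, field 4 the comma-separated options.
            k = split($4, opt, ",")
            state[$2] = "exec"
            for (i = 1; i <= k; i++)
                if (opt[i] == "noexec") state[$2] = "ok"
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                s = (mps[i] in state) ? state[mps[i]] : "nopart"
                if (s != "ok") bad = 1
                print s, mps[i]
            }
            exit bad
        }'
}

# Demo on the constructed sample; on a real host feed /etc/fstab instead.
sample_fstab | audit_noexec /tmp /home /var/tmp || echo "noexec hardening incomplete"
```

The "nopart" result matters because noexec is a per-filesystem mount option: a directory without its own partition cannot be restricted independently of its parent.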