Date:      Sun, 24 Dec 2006 02:34:19 +0100
From:      Armin Arh <armin@pubbox.net>
To:        Agus <agus.262@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: remove suid files question....
Message-ID:  <20061224013419.GE756@pubbox.net>
In-Reply-To: <fda61bb50612231241w5c5ab2fr676481e7021f9428@mail.gmail.com>
References:  <fda61bb50612231241w5c5ab2fr676481e7021f9428@mail.gmail.com>

On Sat, Dec 23, 2006 at 05:41:29PM -0300, Agus wrote:
> Hi all.....I installed a FreeBSD 6 and I am going to use it as a server with
> apache, ssh, ftp and other services....it is going to be of free access....you
> register in my page your account (free) and I create an account for you in the
> system....so I am trying to make it secure.....which setuid files should I
> take the setuid bit off???

Sounds interesting. Can I get an account? :)
btw: do you care for a real email address? (see below)

Giving the users shell access without a chroot environment is a potential
danger, possible though.
A plain BSD installation has several suid bits set, like for the 'passwd'
program, 'su' and others. These can't be used to corrupt the system, so you
should be safe.
Nevertheless, special care has to be taken for all third party software,
e.g. via the ports system.

On my box I can't afford giving users shell access, because cpu cycles
are a rare resource (OSes can even freeze with naughty users).
And then I have no experience about enforcing resource limits...

Another important point is:
You may trust your users, but unauthorized access (someone else logs in)
can arise if they do something wrong. Restricting them to cryptographically
authenticated entrance is a good countermeasure.

Armin
-- 
PUBBOX Postmaster + spam-killer. Free email addresses at http://pubbox.net/
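
Added example, not part of the original message: a POSIX sh sketch for inventorying setuid/setgid files and spotting ones that appear after third-party software is installed, which is the case the reply singles out. The function names are hypothetical, and labelling paths under /usr/local as "ports" assumes the default FreeBSD ports prefix.

```sh
#!/bin/sh
# Added example (hypothetical helper names, not from the thread).

# audit_suid ROOT
# Prints one line per setuid/setgid regular file: "<origin> <kind> <path>".
# origin is "ports" for paths under ROOT/usr/local (assumed ports prefix),
# otherwise "base". -xdev keeps find on one filesystem, so run it once per
# local filesystem you want covered.
audit_suid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$root"}
        case "$rel" in
            /usr/local/*|usr/local/*) origin=ports ;;
            *)                        origin=base ;;
        esac
        # -u is true when the setuid bit is set; otherwise only setgid matched
        if [ -u "$f" ]; then kind=suid; else kind=sgid; fi
        printf '%s %s %s\n' "$origin" "$kind" "$f"
    done | sort
}

# new_since BASELINE ROOT
# Prints entries present under ROOT now that are absent from BASELINE, a file
# saved earlier from audit_suid (for example right after a clean install).
new_since() {
    audit_suid "$2" | grep -Fxv -f "$1" || :
}
```

Saving the output of audit_suid after the base install and running new_since after each port is added gives a short list of new setuid files to review.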


