From: Armin Arh
To: Agus
Cc: freebsd-questions
Date: Sun, 24 Dec 2006 02:34:19 +0100
Subject: Re: remove suid files question....
Message-ID: <20061224013419.GE756@pubbox.net>

On Sat, Dec 23, 2006 at 05:41:29PM -0300, Agus wrote:
> Hi all.....I installed a FreeBSD 6 and I am going to use it as a server with
> apache, ssh, ftp and other services....it is going to be of free access....you
> register in my page your account (free) and I create an account for you in the
> system....so I am trying to make it secure.....which setuid files should I
> take the setuid bit off???

Sounds interesting. Can I get an account? :)
btw: do you care for a real email address? (see below)

Giving the users shell access without a chroot environment is a potential danger, possible though.
A plain BSD installation has several suid bits set, like for the 'passwd' program, 'su' and others. These can't be used to corrupt the system, so you should be safe. Nevertheless, special care has to be taken for all third party software, e.g. via the ports system.

On my box I can't afford giving users shell access, because cpu cycles are a rare resource (OSes can even freeze with naughty users). And then I have no experience about enforcing resource limits...

Another important point is: You may trust your users, but unauthorized access (someone else logs in) can arise if they do something wrong. Restricting them to cryptographically authenticated entrance is a good countermeasure.

Armin

--
PUBBOX Postmaster + spam-killer.
Free email addresses at http://pubbox.net/
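The reply separates setuid programs shipped with the base system from those brought in by third-party software. As an added example that is not part of the original message, the shell functions below list setuid/setgid files under a root directory and label each one by origin. They assume ports install under /usr/local (the default FreeBSD prefix); the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: third-party (ports) software lives under /usr/local;
# everything else is treated as base system.
# Usage: audit_suid /        (run as root so every directory is readable)

# Print one line per setuid or setgid regular file below $1:
#   <origin> <mode> <path relative to $1>
audit_suid() {
    root=${1:-/}
    # -perm -4000 matches setuid, -perm -2000 matches setgid; this form is
    # accepted by both BSD and GNU find. Symlinks are skipped by -type f.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Path as it would appear on the audited system, with a leading slash.
        rel=${f#"$root"}
        rel=/${rel#/}
        case $rel in
            /usr/local/*) origin=third-party ;;
            *)            origin=base ;;
        esac
        # First ten characters of ls -l output are the type and mode bits.
        mode=$(ls -ld "$f" | cut -c1-10)
        printf '%s %s %s\n' "$origin" "$mode" "$rel"
    done | sort
}

# Only the entries that need individual review: setuid/setgid files that
# were installed outside the base system.
third_party_suid() {
    audit_suid "$1" | awk '$1 == "third-party"'
}
```

Each third-party entry can then be checked against what the service actually needs, and the bit removed with `chmod u-s` or `chmod g-s` where it is not required.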