Re: [gentoo-user] Users with access to shell!
On Thu, 2005-05-12 at 08:34 -0500, [EMAIL PROTECTED] wrote:
[stuff]

Apart from all the other great suggestions, another good trick is to mount the /home partition as "noexec", which stops users running apps they download and install locally.

HTH,
--
Iain Buchanan <[EMAIL PROTECTED]>

--
gentoo-user@gentoo.org mailing list
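
An added example, not part of the original thread or of any poster's message: a small audit of the "noexec" suggestion above that reads a mount table in /proc/mounts format and reports which hardening options are missing on user-writable mount points. The sample table, the function names and the choice of /tmp and /dev/shm as extra paths to check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check that user-writable mount points
# carry noexec, plus the nosuid/nodev options usually set alongside it.
# Input is text in /proc/mounts format: device mountpoint fstype options ...

# Constructed sample mount table, not taken from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,noatime 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda4 /tmp ext3 rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# mount_options TABLE MOUNTPOINT: print the option string of the last entry
# for MOUNTPOINT (a later mount shadows an earlier one); empty if none.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }'
}

# has_option OPTS NAME: succeed only on an exact match in the comma list,
# so "noexec" is never mistaken for "exec".
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_options TABLE MOUNTPOINT: print the wanted options that are absent,
# or "not-a-mountpoint" when the path has no filesystem of its own.
missing_options() {
    opts=$(mount_options "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not-a-mountpoint"
        return 0
    fi
    missing=""
    for want in noexec nosuid nodev; do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    echo "${missing# }"
}

# audit TABLE: one line per mount point; on a live host pass "$(cat /proc/mounts)".
audit() {
    for mp in /home /tmp /dev/shm; do
        printf '%s: missing [%s]\n' "$mp" "$(missing_options "$1" "$mp")"
    done
}

audit "$SAMPLE_MOUNTS"
```

The "not-a-mountpoint" result matters because noexec is a per-filesystem option: it can only be applied to /home when /home is its own partition, and it is normally set on every user-writable mount rather than on /home alone.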
Re: [gentoo-user] Users with access to shell!
[EMAIL PROTECTED] wrote:

>[EMAIL PROTECTED] wrote:
>
>>I have users accessing to the bash shell of my Gentoo Server, my
>>question is:
>>
>>How can secure my server with this users accessing to shell? ,
>>
>>How can I monitor this server to see what users have done? Is there
>>available tools for that?
>>
>>I'd like to allow every user to access ONLY its home directory, I mean
>>he only can work in his directory...
>
>This isn't a great situation, but the only thing I can think of that
>comes close is to use mandatory access controls, such as grsecurity's
>RBAC.

Hi,

An addition to the above suggestion: try out some of Gentoo's hardened projects: RSBAC or SELinux.

Some months ago there was a testing install (public-access) of an RSBAC system (adamantix == Gentoo-RSBAC) with user access to the machine, and the goal was to hack/attack it and bring down the machine. Lasted quite a week, nobody broke in. At the end there were logs, info etc.

Something more: during the last one/two days a Security Advisory was on its way to going public, and before releasing it the author tried it on the machine - no luck (he succeeded only after asking the people running the test to disable a feature). All this info was only announced after the advisory went public with patches. So this project has some protection against new bugs too.

PS: I think there is a public SELinux machine too, or at least there was.

HTH.
Rumen
Re: [gentoo-user] Users with access to shell!
[EMAIL PROTECTED] wrote:
> I have users accessing to the bash shell of my Gentoo Server, my
> question is:
>
> How can secure my server with this users accessing to shell? ,
>
> How can I monitor this server to see what users have done? Is there
> available tools for that?
>
> I'd like to allow every user to access ONLY its home directory, I mean
> he only can work in his directory...

This isn't a great situation, but the only thing I can think of that comes close is to use mandatory access controls, such as grsecurity's RBAC.

--
[EMAIL PROTECTED]
http://www.chemoelectric.org
Re: [gentoo-user] Users with access to shell!
On May 12, 2005, at 2:34 pm, <[EMAIL PROTECTED]> wrote:

> I'd like to allow every user to access ONLY its home directory, I mean
> he only can work in his directory...

My web-hosting provider provides me with ssh access - when I log in the prompt says "jailshell $"

*  app-misc/jail
      Latest version available: 1.9-r1
      Latest version installed: [ Not Installed ]
      Size of downloaded files: [no/bad digest]
      Homepage:    http://www.jmcresearch.com/projects/jail/
      Description: Jail Chroot Project is a tool that builds a chrooted environment and automagically configures and builds all the required files, directories and libraries

Might be worth a look.

Stroller.
Re: [gentoo-user] Users with access to shell!
<[EMAIL PROTECTED]> writes:

> How can secure my server with this users accessing to shell? ,

If you can't trust your users you always have a problem, as shell access and/or compiler access are the first steps to installing a root-kit if they are really up to this kind of thing. Putting them in a changeroot might help in some cases, but there are often ways out of the jail.

In my opinion: if you can't trust your users you should not give them shell access. At least that is what I am doing with my users on my servers.

Just my 2 cents,
Martin
RE: [gentoo-user] Users with access to shell!
> > I'd like to allow every user to access ONLY its home directory, I mean
> > he only can work in his directory...
>
> Well, this can be done, but in a pretty complex way. Allowing users to
> see other files isn't that harmful, provided permissions on critical
> files are correctly set.

Hmm, I suppose you could set up a chroot session for each user. Would limit their access to other people's values, properties, etc...
Re: [gentoo-user] Users with access to shell!
On 12/05/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> List,
>
> I have users accessing to the bash shell of my Gentoo Server, my
> question is:
>
> How can secure my server with this users accessing to shell? ,

You can't trust your users. That's the idea.
1. they may use a simple password
2. even if they were given a quality password, how do you know the password didn't end up on a piece of sticker on their monitors?

> How can I monitor this server to see what users have done? Is there
> available tools for that?

Tripwire can monitor file changes, can't think of other tools, but I'm sure people on the list will provide you with a handful.

> I'd like to allow every user to access ONLY its home directory, I mean
> he only can work in his directory...

Well, this can be done, but in a pretty complex way. Allowing users to see other files isn't that harmful, provided permissions on critical files are correctly set.

HTH
--
Joe

--
Money can't buy everything. Sometimes money can't even buy a gun...