WolfPack n00b

Joined: 03 Aug 2004 Posts: 33
|
Posted: Sat Sep 11, 2004 9:27 pm Post subject: Securing filesystem |
|
|
I haven't been able to get an adequate response to this but this issue is very high up on the list for me.
I've noticed that a default Gentoo installation leaves a lot of stuff open for remote users to look at. A lot of things are world readable, including log files and conf files, etc. Now this is not that important for local users who are placed in 10 diff. groups (wheel, audio, cdrom, games etc..) but I'm running a small personal testing server for various applications that is serving a small private party, however I still wish to remain secure. The accts created for these people will probably be just under the users group. ftp, apache, ssh etc... I want them to be able to log in and have access to the usual unix commands /usr/bin but not be able to traverse and linger in my system.
now, i get some obvious stuff like making sure /bin or /usr/bin is owner and group rwx (they don't need to be world rwx do they?)... but i want a more thorough rundown.
I guess what I'm asking is, what and how do I need to chmod to leave a fully usable shell accts. to my friends but still remain secure.
Thx.
~Dan
adaptr Watchman


Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
|
Posted: Sat Sep 11, 2004 10:22 pm Post subject: Re: Securing filesystem |
|
|
WolfPack wrote: | i get some obvious stuff like making sure /bin or /usr/bin is owner and group rwx (they don't need to be world rwx do they?) |
They need to be world r-x, at least.
If everybody is not able to run the binaries in /bin and /usr/bin then they might as well not have an account on the system since it'll be pretty useless.
WolfPack wrote: | I guess what I'm asking is, what and how do I need to chmod to leave a fully usable shell accts. to my friends but still remain secure. |
The answer to that probably includes "forget about file permissions and start using RSBAC or some other sort of ACL system.".
File permissions are only a small part of securing your system.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen |
WolfPack n00b

Joined: 03 Aug 2004 Posts: 33
|
Posted: Sun Sep 12, 2004 6:38 am Post subject: |
|
|
to the first part:
there's owner, group and world. if i chmod 770.. as long as the user is part of the users group, shouldn't he still have access to it to be able to use the system (and therefore, have an account as you said)?
i realize you can't guarantee as the days of playing w/ gentoo come along, that all the files created by any app will be under the same group, potentially causing errors.
rsbac? acl? could you expand some more on the topic? This is gettin interesting.
what else besides file permissions then?
adaptr Watchman


Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
|
Posted: Sun Sep 12, 2004 3:33 pm Post subject: |
|
|
WolfPack wrote: | to the first part:
theres owner, group and world. if i chmod 770.. as long as the user is part users groups, shouldn't he still have access to it to be able to use the system |
No. The system binaries are not owned by any user group.
They are all owned by the root user and group.
WolfPack wrote: | i realize you can't guarantee as the days of playing w/ gentoo come along, that all the files created by any app will be under the same group, potentially causing errors. |
I'm not sure what you mean here by "any files", since it's only executables we are concerned with here, but probably not.
WolfPack wrote: | rsbac? acl? could you expand some more on the topic? This is gettin interesting. |
Rule-Set Based Access Control is an advanced authentication mechanism - available via patched kernels - that attempts to address this issue by requiring each and every publicly accessible file to have a rule set associated with it that determines who can do what to it.
This is per-user, like NTFS has.
It builds on file permissions, but is not really related to it.
Take note of the requiring part - it is not trivial to set up.
And ACL stands for a (generic) Access Control List - something you would need to read a bit about in case you intend to pursue any of these things.
WolfPack wrote: | what else besides file permissions then? |
Well, these are not file permissions, for a start.
And there's the limits imposed by the various normal unix system mechanisms, like ulimit, allow/deny stuff etc.
It comes down to what do you really want to protect, and why.
There is very little sense in chrooting normal users into their home dir just because you don't want them to see the rest of the directory structure.
In a normally installed Gentoo system they can not do any damage.
That is precisely the reason Unix permissions are set up the way they are.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen |
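
The exchange above about `chmod 770` on root-owned binaries, and the original concern about world-readable logs and conf files, as an added example that is not part of the thread. The uids and gids (root=0, users=100, wheel=10), function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. uids/gids (root=0, users=100, wheel=10) and the sample
# tree are constructed for illustration.

# Print the rwx triplet that applies to a (non-root) user for one file.
# Exactly one class is used: owner if the uids match, else group if the
# file's gid is one of the user's groups, else other.
# usage: effective_perms MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
effective_perms() {
    mode=$(( 0$1 ))                      # read MODE as octal, e.g. 770
    if [ "$4" -eq "$2" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))
        for g in $5; do
            if [ "$g" -eq "$3" ]; then bits=$(( (mode >> 3) & 7 )); fi
        done
    fi
    r=-; w=-; x=-
    [ $(( bits & 4 )) -ne 0 ] && r=r
    [ $(( bits & 2 )) -ne 0 ] && w=w
    [ $(( bits & 1 )) -ne 0 ] && x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# List regular files under DIR whose mode grants read to "other".
world_readable() {
    find "$1" -type f -perm -004 | sort
}

# Build a throwaway tree with one private and two world-readable files.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/etc" "$d/log"
    : > "$d/etc/app.conf";   chmod 644 "$d/etc/app.conf"
    : > "$d/etc/keys.conf";  chmod 640 "$d/etc/keys.conf"
    : > "$d/log/messages";   chmod 644 "$d/log/messages"
    printf '%s\n' "$d"
}

# /usr/bin as root:root, seen by uid 1000 in groups users(100), wheel(10):
echo "mode 770: $(effective_perms 770 0 0 1000 '100 10')"
echo "mode 755: $(effective_perms 755 0 0 1000 '100 10')"
tree=$(make_sample_tree)
world_readable "$tree"
rm -rf "$tree"
```

Pointing `world_readable` at `/etc` or `/var/log` gives the list of files to review before deciding which ones really need tightening.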
WolfPack n00b

Joined: 03 Aug 2004 Posts: 33
|
Posted: Sun Sep 12, 2004 9:30 pm Post subject: |
|
|
will read up...
i'm headed out the door right now.. but i'll post again to this thread with some specific examples/inquiries.
thx for your help.