System security - Freebsd 4.8RC
Bill Moran
wmoran at potentialtech.com
Thu Apr 17 06:00:29 PDT 2003
K Anderson wrote:
> I read through the basic freebsd documentation on security, or more so the
> administration of users. I will probably be opening my system to several
> users using ssh and ssh-ftp.
>
> This is for the purpose of doing PHP, MySQL and other web related stuff
> using Apache.
>
> There are some things I am unsure about or would like guidance on:
> I'm thinking that I want to keep the users within the bounds of their
> own directory structure so they may not poke around looking for things
> to pilfer, change, hack, slash or break. Is this something that some of
> you more experienced administrators do to users to make sure they don't
> break something? If so, got any suggestions as where I may start?

http://chrootssh.sourceforge.net/

The standard ftp daemon has an ftpchroot file, I would hope that ssh-ftp
can do the same. (see 'man ftpchroot')

> Since I would like to allow the users to be able to do php stuff only
> and perhaps block access to some wisenheimer that might allow them to
> create mischief not only on my system but other systems as well, either
> through CGI, PERL, PHP does anybody have ideas on how to restrict
> certain things like creating sockets, inet connections and other stuff?
> I know I can create a hefty firewall rule set to block some stuff so I
> would have to do things like that, I just can't think of any gotchas or
> something like that I might be overlooking.

Check out the security docs for php. Safe mode is probably a good place
to start. Additionally, you can restrict certain commands and other
behaviour with directives in php.ini. See this page:
http://www.php.net/manual/en/configuration.directives.php

> If there's any other gotchas I should be aware of, I look forward to
> getting feedback on user and security issues.

As was pointed out already ... the ultimate will really be a jail environ.
You need to determine if your security needs warrant that or not.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
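
A starting point for the php.ini restrictions mentioned in the reply above, as an added example that is not part of the original message. It assumes PHP 4 running as an Apache module; the paths and the list of disabled functions are constructed for illustration.

```ini
; php.ini fragment for a shared PHP 4 host (constructed example).
; The PHP 4 default is noted above each setting for comparison.

[PHP]
; Default: Off. Safe mode adds owner checks on file access and limits
; program execution. It was deprecated in PHP 5.3 and removed in 5.4.
safe_mode = On

; Default: empty. With safe mode on, exec-type functions may only run
; programs from this directory (hypothetical path).
safe_mode_exec_dir = /usr/local/php-safe-bin

; Default: unset (no restriction). Limits file functions to these trees.
; Keep the trailing slash: without it the value is matched as a prefix,
; so /home/exampleuser would also allow /home/exampleuser2.
; This global value is a placeholder; to confine each user to their own
; tree, set it per virtual host in httpd.conf instead:
;   php_admin_value open_basedir /home/exampleuser/public_html/:/tmp/
open_basedir = /home/exampleuser/public_html/:/tmp/

; Default: empty. Can only be set in php.ini, not per virtual host.
; Covers the "creating sockets, inet connections" concern plus shell
; access. The list is illustrative, not exhaustive.
disable_functions = fsockopen,pfsockopen,socket_create,exec,shell_exec,system,passthru,popen,proc_open

; Default: On. Stops fopen(), include() and friends from fetching
; http:// and ftp:// URLs, which disable_functions does not cover.
allow_url_fopen = Off

; Default: On. Prevents scripts from loading extensions at run time
; with dl(), which would bypass the restrictions above.
enable_dl = Off
```

These settings only constrain PHP itself; CGI and Perl scripts are unaffected by them, which is where the chroot and jail suggestions in the reply come in.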
More information about the freebsd-questions mailing list