Call for testers: www/shellinabox (Shell in a Box)
Vitaly Magerya
vmagerya at gmail.com
Mon Jun 28 09:57:05 UTC 2010
Olivier Cochard-Labbé wrote:
> I've just finished my port of Shell in a Box: It's a secure web server
> that provide ajax terminal emulator.
> More information on the official website: http://code.google.com/p/shellinabox/
After looking at the port for a while, I have some suggestions.
The port creates ${PREFIX}/etc/shellinabox directory, chowns it to
nobody and chmods it to 777. The reason for this is that shellinabox
creates certificates during the runtime and stores them into that
directory, but it only does that after dropping to "nobody" user.
As the author of shellinabox notes [1], this is a bad idea, because any
user can read and modify your keys this way. I also have a vague feeling
that storing variable files in ${PREFIX}/etc/shellinabox is a bad idea
as well (to compare, Debian port uses /var/lib/shellinabox).
So what I propose is this:
1. Create "shellinabox" user and group (via USERS and GROUPS).
2. Update rc script to start shellinaboxd with that user and group.
3. Make the certificate directory 700, owned by shellinabox:shellinabox.
4. Move the certificate directory to /var/shellinabox or similar
(what's our conventional location for this kind of files?).
I'm not sure on the 4 though. Any thoughts?
[1] http://code.google.com/p/shellinabox/issues/detail?id=22#c2
More information about the freebsd-ports
mailing list