Re: A few thoughts..

From: c0ldbyte (c0ldbyte_at_myrealbox.com)
Date: 03/30/05

    Date: Tue, 29 Mar 2005 19:43:52 -0500 (EST)
    To: freebsd-hackers@freebsd.org
    
    

    On Tue, 29 Mar 2005, H. S. wrote:

    >> If you don't want users to run random binaries put /home and /tmp on
    >> their own partitions and mount them noexec. Also note that users can
    >> still read that info by accessing /var/log/messages and
    >> /var/run/dmesg.boot
    >>
    >
    > I do want them to run random binaries, such as psybncs, eggdrops,
    > shoutcast servers, etc. Mounting /home noexec isn't an option, /tmp is
    > noexec tho.

    On the other hand, you could provide safe and secure system-provided
    binaries that they would have to use instead of compiling their own,
    which would solve the case, and ultimately upgrading the package
    provided to them would upgrade all the users at once without you
    having to worry about insecurities being scattered throughout your
    system. Now I could see if this was a development server then you
    obviously would want to allow your users to do such a thing but since
    you mentioned things like psybnc, shoutcast, etc... the thought to me
    doesn't resemble a development server. So my suggestion would be
    provide the software they need on an as-is basis and take requests and
    mount the user partition with the [noexec] option and tune sysctl
    and operate in a secure level + chmod/chflag the proper files and
    make 1 jail for the whole user based part of the system for all that
    to run out of.

    Best of luck,
             --c0ldbyte

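Added example, not part of the original message: a read-only sh check for two of the settings suggested above, noexec on the user-writable filesystems and a raised secure level. The sample mount output is constructed to mirror the setup described in the thread (/tmp noexec, /home not), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format FreeBSD's mount(8) prints.
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, soft-updates)
/dev/ad0s1f on /home (ufs, local, nosuid, soft-updates)
/dev/ad0s1d on /var (ufs, local, soft-updates)'

# missing_noexec MOUNT_OUTPUT MOUNTPOINT...
# Prints one line for each listed mount point that is either not its own
# filesystem or is mounted without the noexec option.
missing_noexec() {
    mount_out=$1; shift
    for mp in "$@"; do
        printf '%s\n' "$mount_out" | awk -v mp="$mp" '
            $2 == "on" && $3 == mp {
                found = 1
                opts = $0
                # Keep only the comma-separated option list inside (...).
                sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
                n = split(opts, o, /, */)
                for (i = 1; i <= n; i++) if (o[i] == "noexec") ok = 1
            }
            END {
                if (!found)   print mp ": not a separate filesystem"
                else if (!ok) print mp ": mounted without noexec"
            }'
    done
}

# securelevel_ok VALUE MINIMUM
# Returns 0 when VALUE (as reported for kern.securelevel) is >= MINIMUM,
# 1 when it is lower, 2 when VALUE is not an integer.
securelevel_ok() {
    case $1 in ''|*[!0-9-]*) return 2 ;; esac
    [ "$1" -ge "$2" ]
}

# On a live FreeBSD host the inputs would come from the system itself:
#   missing_noexec "$(mount)" /home /tmp
#   securelevel_ok "$(sysctl -n kern.securelevel)" 1
missing_noexec "$SAMPLE_MOUNT" /tmp /home
```

Run against the constructed sample, the last line reports only /home, which matches the configuration the quoted poster describes.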