Re: Security issue - just getting started

From: rick (rick.shelton_at_gmail.com)
Date: 12/31/04

    Date: Fri, 31 Dec 2004 11:15:13 -0700
    To: freebsd-newbies@freebsd.org
    
    

    i'm sure there are better explanations of these concepts than i can provide.

    > I don't understand the concept of userland? (Userland vs ???)

    userland and kernelspace have to do with which code is being executed.
    system calls and lower level functionality come from the kernel.

    > Throw in "chroot" and "jail" and I'm just completely lost.

    jailing a process is the idea of creating a false virtual environment for a
    program. the program believes that its environment is something completely
    different from the real environment that is the entire system provided by the
    operating system and its utilities.
    for example, say i want to run an ftp server. running it straight from a
    non-jailed environment means that the entire system environment is visible to
    the service. but running the service from a chroot-ed environment would limit
    what was visible to the ftp service. the ftp service would believe that the root
    of the file system was something like /var/ftp/ instead of just /. then, no
    matter what tomfoolery occurs, nothing above the /var/ftp/ directory would ever
    be available to the ftp service. of course, breaking out of a jailed environment
    is one of the goals of malicious users.

    >
    > Where can I get started on understanding FreeBSD security?

    there are incredible amounts of information available on this subject online.
    search for things like "freebsd security" and "unix security." but the real
    first step is getting to know your system. log in as a regular user and see what
    you can and can't do. look at your shell environment and see how it differs from
    the root user's environment. things like that. understand file and directory
    permissions and how they can be used with owner/group id's.

    >
    > I want to lock down my Apache based webserver properly.
    > I don't want to JUST run a script like Bastille, except
    > to learn from it. I need the understanding to move forward.

    apache.org has some information about securing your installation. again, there
    are incredible amounts of information available on this subject. i have read
    that running apache in a chroot environment is a bad idea and that there are
    better ways of securing the server. you may also want to read the apache bible.
    it has lots of advice and examples. because it is geared toward someone who is
    starting out, i would also recommend finding more involved discussion once
    you're familiar with the basics. but it does seem like a fair enough starting
    point. once you're running your service, try it out. see how much you can make
    it do. then ask yourself if you really want it to do that.

    as always, have a healthy mistrust of any service you run on your system. be
    vigilant by watching out for security announcements and inspecting log files.
    and never enable or allow for more than is necessary.

    -- 
    ~rick
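
Added example, not part of rick's message: a minimal C sketch of the chroot confinement described above, showing the order of calls a service needs so that `/` really means `/var/ftp` and root privileges are gone afterwards. The helper name `confine` and the uid/gid 65534 are assumptions chosen for illustration; the program must be started as root for `chroot(2)` to succeed.

```c
#define _DEFAULT_SOURCE          /* expose chroot() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: confine the calling process to `dir`, then give up
 * root permanently. Returns 0 on success or a negative errno value. */
int confine(const char *dir, uid_t uid, gid_t gid)
{
    /* A process that is still root inside the new root is not confined. */
    if (uid == 0 || gid == 0)
        return -EINVAL;

    /* Enter the directory first so the working directory can never be
     * left pointing outside the new root. */
    if (chdir(dir) != 0)  return -errno;
    if (chroot(".") != 0) return -errno;   /* needs root */
    if (chdir("/") != 0)  return -errno;

    /* Drop privileges in this order: extra groups, gid, then uid. */
    if (setgroups(1, &gid) != 0) return -errno;
    if (setgid(gid) != 0)        return -errno;
    if (setuid(uid) != 0)        return -errno;

    /* Sanity check: getting root back must now be impossible. */
    if (setuid(0) == 0)
        return -EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir = (argc > 1) ? argv[1] : "/var/ftp"; /* path from the post */
    int rc = confine(dir, 65534, 65534);  /* constructed unprivileged ids */
    if (rc != 0) {
        fprintf(stderr, "confine(%s): %s\n", dir, strerror(-rc));
        return 1;
    }
    /* From here on, "/" names what used to be `dir`. */
    printf("confined: uid=%d, cwd is the new /\n", (int)getuid());
    return 0;
}
```

Anything the service needs at run time (libraries, configuration, device nodes) has to exist inside the directory before the call, because nothing outside it can be opened by path afterwards.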
    
