Re: Solaris home directories & Firewall test server??

From: Rich Henning (vulnerable@fast.net)
Date: 06/12/02


Date: Wed, 12 Jun 2002 09:53:30 -0400
From: Rich Henning <vulnerable@fast.net>
To: Joseph Taylor <joseph_taylor_mail@yahoo.com>

On Tue, Jun 11, 2002 at 07:42:59AM -0000, Joseph Taylor wrote:
> Is there any security concern about assigning home directories to each
> user in Unix like operating systems? What would we lose (or gain) by not
> creating these directories?

That all depends on whether or not the permissions are set
correctly. Unix practice says that default umask on file permissions is
such that new files created will be readable by everyone on the system.

$ man umask

and change it in /etc/profile if you don't like this idea.

As for what you lose or gain, that also depends on some things, like
whether or not these accounts exist just so administrators can su to
root, or whether they're actual nonprivileged users that need to get
into the shell or transfer data there. If you don't create home dirs,
and said user with no home directory shells in, they'll be greeted with
a nice little message warning that they have no home directory, and
their home directory will be forced to the root (/). Now you have a
user logged in with nowhere to store any data, other than /tmp, which is
usually world-writable.

I think we need more information on what exactly you are trying to
accomplish here.

> What kind of security risks would we face by using/allowing passive
> FTP?

FTP, in any standard form, is a plain-text protocol, meaning
authentication happens in a viewable form over the wire, i.e.:

USER somebody
PASS mypassword

Thus, if a machine on the same segment is compromised, you run the risk
of having FTP or telnet authentication sniffed out.

Better alternatives for shell services and file transfer include SSH and
SFTP, which do all their authentication in an encrypted form, making
sniffing auth strings much more difficult (provided you are using
version 2 of the SSH protocol).

If you are providing FTP services to end-users outside of your
enterprise, getting them to use SFTP may prove difficult, so you may be
forced to allow plain-text FTP, but for shell access, I would (and do)
insist on SSH2 only.

> 4-) Is it practically possible to have a test environment (test server)
> for firewall rulebase or configuration changes?

Certainly; it's both possible and recommended. Making drastic firewall
rulebase changes without testing them first can be catastrophic,
especially if the rules get out of order somehow and you end up with a
DROP policy somewhere in the middle of one of the chains. Best
practice is to have a small network in a lab where you can test your
firewall rules with a subset of different IPs. Remember to always save
firewall rule chains to disk before they are modified, and back them up
somewhere other than the firewall machine itself.

-- 
[ rich henning      ]                                             /"\
[ henninrp@fast.net ]                                             \ /
                                                                   X
support the ascii ribbon campaign against html e-mail             / \
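An added example, not part of the original message and not Rich's code, illustrating the umask point above: a POSIX sh script that creates files and directories under several umasks and reports which of them come out world-readable. It assumes mktemp, ls and cut are available.

```shell
#!/bin/sh
# Added example (not from the original message): show how a process's umask
# determines the permission bits of the files and directories it creates.
# Assumes a POSIX sh with mktemp, ls and cut available.

# Print the symbolic mode (e.g. -rw-r--r--) of an empty file created
# under the given umask. The umask is set in a subshell so the caller's
# own umask is left untouched.
mode_under_umask() {
    tmpdir=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmpdir/f"                 # requested mode 0666, masked by umask
        ls -ld "$tmpdir/f" | cut -c1-10
    )
    rm -rf "$tmpdir"
}

# Same for a directory (requested mode 0777, masked by umask).
dirmode_under_umask() {
    tmpdir=$(mktemp -d) || return 1
    (
        umask "$1"
        mkdir "$tmpdir/d"
        ls -ld "$tmpdir/d" | cut -c1-10
    )
    rm -rf "$tmpdir"
}

# Succeed (exit 0) if files created under this umask are world-readable,
# i.e. the "other" read bit (8th mode character) is set.
world_readable_under_umask() {
    case $(mode_under_umask "$1") in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Walk through the traditional default (022), a group-only setting (027)
# and a private one (077); a line such as "umask 027" in /etc/profile
# would give every login shell the corresponding result.
for m in 022 027 077; do
    printf 'umask %s: file %s dir %s ' "$m" \
        "$(mode_under_umask "$m")" "$(dirmode_under_umask "$m")"
    if world_readable_under_umask "$m"; then
        echo '(world-readable)'
    else
        echo '(not world-readable)'
    fi
done
```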
