Re: hiding system directories




nospam wrote:
jarqs wrote:
What do you mean by "access"?

I mean that a common user (group "users" exactly) shouldn't read the
configuration of my server.

What do you mean by "system directories"?

Well, I hope that /etc (and /var maybe) should be enough.

You will find that they are already prevented from modifying any system
files. You will also find that quite a few things will break if users
*don't* have read access to at least /etc, /bin & /usr/bin.

Sure, I realize that, but I hope there is a way to hide it from the user's
eye and not break the system, isn't there?

File permissions should be enough to make sure that your user cannot break
your system, or use ACLs.

Sigh. This is an old, old desire by a lot of SSH admins, to basically
do what modern FTP and HTTP servers do and restrict all access to the
user directory only.

The only way to do it vaguely properly with SSH is to build chroot
cages. There are several such projects at sourceforge.net, but it's
clear that OpenSSH is not going to have this feature, despite the
numerous attempts to incorporate it, including some by me. There may be
sound technical reasons for it, but the main reason seems to be
epitomized by the attitude that nospam voices.

In security terms, it's extremely useful to keep users out of system
log files that are otherwise readable, /boot and /lib/modules and /proc
where kernel information resides under Linux, the C: drive under
Windows using Cygwin, /etc/passwd to look up likely user names to run
probes against, etc., etc.

Another approach I'm getting fond of is using Xen to create guest
domains, but that's a bit more work than using something like WebDAV
over HTTPS to provide read/write access to a secured directory and not
providing any shell.
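
As an added example (not part of the original post): a small Python audit, following the file-permission discussion above, that lists the regular files under a tree which a user who is neither the owner nor in the file's group can actually read. The function name and the default /var/log path are assumptions; only classic mode bits are checked, not ACLs.

```python
import os
import stat


def exposed_to_other(root):
    """Return sorted paths of regular files under root readable by 'other'.

    A file counts only if it has the o+r bit AND every directory from root
    down to its parent has o+x (search). Without search permission on an
    ancestor, the read bit on the file cannot be used.
    Assumption: POSIX ACLs are not consulted, only st_mode.
    """
    exposed = []
    if not os.lstat(root).st_mode & stat.S_IXOTH:
        return exposed  # nothing below an unsearchable root is reachable
    stack = [root]  # directories already known to be searchable by 'other'
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except PermissionError:
            continue  # the auditing account itself cannot list this directory
        for entry in entries:
            mode = entry.stat(follow_symlinks=False).st_mode
            if stat.S_ISDIR(mode):
                # o+x without o+r still lets a user open files whose names
                # are known, so descend on the search bit alone.
                if mode & stat.S_IXOTH:
                    stack.append(entry.path)
            elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append(entry.path)
    return sorted(exposed)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    for path in exposed_to_other(target):
        print(path)
```

Tightening the mode on the individual files it reports (or on a log subdirectory) keeps /etc, /bin and /usr/bin themselves readable, which is what the rest of the system depends on.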
