Re: hiding system directories

"Nico" <nkadel@xxxxxxxxx> writes:


nospam wrote:
jarqs schreef:
What do you mean by "access"?

i mean that common user (group "users" exactly) shouldnt read configuration
of my server.

What do you mean by "system directories"?

well i hope that /etc (and /var maybe) should be enough.

You will find that they are already prevented from modifying any system
files. You will also find that quite a few thing will break if users
*don't* have read access to at least /etc /bin & /usr/bin

sure i realize that, but i hope there is a way to hide it for user's eye and

No. read permission which is needed for loads of programs to work, means
read in all ways, including displaying on the screen.

not to break the system, isn't it?

file permission should enough to make sure that your user cannot break
your system or use acl

Sigh. This is an old, old desire by a lot of SSH admins, to basically
do what modern FTP and HTTP servers and restrict all access to the user
directory only.

The only way to do it vaguely properly with SSH is to build chroot
cages. There are several such projects at sourceforge.net, but it's
clear that OpenSSH is not going to have this feature, despite the
numerous attempts to incorporate it including some by me There may be
sound technical reasons for it, but the main reason seems to be
epitomized by the attitude that nospam voices.

a chroot jail means that ALL programs, libraries, etc, MUST be contained
within that jail. Ie you need to have a separate copy of /usr/bin,
/usr/lib, /etc,.... withing that jail for each user. This is a HUGE
duplication of resources. It is possible, but silly.




In security terms, it's extremely useful to keep users out of system
log files that are otherwise readable, /boot and /lib/modules and /proc
where kernel information resides under Linux, the C: drive under
Windows using Cygwin, /etc/passwd to look up likely user names to run
probes against, etc., etc.

No. It is relatively useless against a determined attacker.


Another approach I'm getting fond of is using Xen to create guest
domains, but that's a bit more work than using something like WebDAV
over HTTPS to provide read/write access to a secured directory and not
providing any shell.


Fine , if that is all they need.

.

Relevant Pages

  • Re: hiding system directories
    ... of my server. ... sound technical reasons for it, but the main reason seems to be ... epitomized by the attitude that nospam voices. ... over HTTPS to provide read/write access to a secured directory and not ...
    (comp.os.linux.security)
  • RE: Future development of Jail (was Re: corporate backers of freebsd)
    ... apparently never run the Microsot authentication server. ... have your answer as to why jail is a dead-end. ... Actually, somebody was paying the jail developer, and then ... FreeBSD server in a commercial corporate network over 13 years ago. ...
    (freebsd-questions)
  • Re: Spam Problem
    ... I'm lost on this jail stuff. ... Configuring a jail is pleasantly simple. ... To relay any domains - that is to let them use your server - you ... And the latest sendmail is picky and rejects things by default ...
    (comp.unix.bsd.freebsd.misc)
  • apache in "strange" jail getting permissions errors
    ... I create a master jail that I do not "boot". ... What I want to do is use my Solaris 10 server with 1.7TB ZFS file system exported through NFS as the root for each jail, with the same nullfs mounts as used above in the mdversion. ... So what I did is set up a local directory on the FBSD system with the normal / directories as I do above in the mdway of doing things and left a local directory for the apache stuff. ... The exact same apache config file when using the mdbacked space with all the same files and permissions, ...
    (freebsd-questions)
  • Re: Make a jail visible in different networks
    ... I need to have my jail serving in both LAN and VPN networks. ... static routes between your 10.5.1/24 subnet and your 192.168.1/24 subnet, or setting up additional VPN endpoint on the 192.168.1/24 network, or using NAT to map the jail IP onto the 10.5.1/24 netblock. ... 192.168.1.1 xl0 is linked to other remote server through tun0 with openvpn. ... As I said before, I'm also running mpd4 listening on ng0, and a jail with samba services on 192.168.1.10 xl0 alias. ...
    (freebsd-questions)