[clue-admin] User setup for "member" accounts
Collins Richey
crichey at gmail.com
Tue Dec 28 22:05:13 MST 2004
On Tue, 28 Dec 2004 21:43:30 -0700, Jeff Cann <j.cann at isuma.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tuesday 28 December 2004 9:32 pm, Collins Richey wrote:
> >
> > As Jed mentioned, however, this isn't a perfectly secure environment.
> > Users can create scripts that run bash to do things outside their home
> > environment. They can't run ./xxx, but they can run bash xxx to do
> > some unrestricted things, i.e. stuff any normal user could do.
>
> I'm wondering what other options there are besides restricted shell?
>
> I asked Lynn about it and he seemed determined to make it work. In my
> experience with other ISPs, the offered ssh access to what appeared to be a
> 'normal' shell account - ie., I could run stuff, create directories, etc.
> However, due to UNIX permissions, I was unable to leave my directory.
>
> My point: was I using a normal bash account or some other type of restricted
> shell. Perhaps these ISPs figured that I wouldn't abuse the servers (since
> I'm paying for access).
I think you were using a normal shell account. Restricted accounts
can't even issue cd. Obviously, they had other directory level
restrictions and/or they provided a front end for some of the
commands.
>
> I don't care how you guys decide to set up the member accounts, just curious
> more than anything.
>
My impression at this point is that the restricted shell setup can
work, but according to the link Jed posted, there are some gotchas. I
would recommend that we think this over a little more carefully, or
the result may not be overly secure. Who in our group is the best
security guru? It would be nice to have a fairly rigid setup in place
before we fire this off to the users. The information from Debian
provides a couple of suggestions for locking things down, but I for
one would like to understand the security implications before
proceeding. One rootkit is enough fun for a while. Perhaps we could
get someone to try to crack the site after we've done the setup for a
handful of users?
--
Collins
More information about the clue-admin
mailing list