[clue-admin] User setup for "member" accounts
David Anselmi
anselmi at anselmi.us
Wed Dec 29 15:47:23 MST 2004
Collins Richey wrote:
[...]
> Good point. That would eliminate a lot of the security exposure. What
> about email as a requirement?
Email should just be an entry in the aliases file so the CLUE address
automatically forwards to another account. I don't think shell access
is required for it.
>>If you want to prevent weak passwords, require public key authentication
>>(not that hard compared to managing passwords, and perhaps good training
>>for members who have never used ssh before).
>
> Yes, I brought up this question also. This would go a long ways down
> the path to the exclusion of intruders. Of course, if the members' own
> systems aren't secure then the public keys they are using aren't that
> secure either.
I think using PK authentication is a good improvement. Beyond that
you're into user training and/or token based systems that are
impractical. Still, you'll need a HOWTO for users to generate their
keys and provide the public one for their accounts (even if all they can
do is maintain their web space).
>>If you allow a shell, are you worried about members exploiting it? I
>>know a security guy who says if you give him a shell you've given him
>>root (i.e., there's sure to be a local root exploit). So to prevent
>>members from getting root you have to limit the commands they use (seems
>>that to do that with rbash is equivalent to doing it with chroot though
>>it might be a little easier conceptually).
>
> From my limited experience, rbash has too many holes, unless someone
> knows a way to plug them. For example 'rbash intermediate'.
> intermediate contains the text 'bash somedangerousscript'. Bam,
> restrictions overridden.
The way to plug them is to provide members a limited set of commands.
That means their PATH does not include /bin et. al. it only contains
/member/bin or whatever. Then you don't include bash in /member/bin.
Without a serious requirement for user shells I think this is too hard.
> I'm not as familiar with chroot jails, but this environment seems to
> be a little more bullet proof.
No, same deal. You have to make an environment that limits what a user
can do so theoretically they are the same. In practice it might be
harder to get out of a jail than rbash but it might also be harder to
set up the jail correctly.
Dave
More information about the clue-admin
mailing list