| CCFreak2K|Colleg | My desktop continues to run Slackware. |
| bluszcz | CCFreak2K|Colleg: we have problems with new dell machines, dell optiplex 300 only kernel >=2.6.18 and only lilo |
| CCFreak2K|Colleg | bluszcz, it used to work fine, but I installed Windows Vista before (I signed up for the RC phase but never got around to actually using it), and the bootloader seemed to be installed in such a way as to prevent GRUB from working correctly. |
| tiny | bluszcz: heh |
| CCFreak2K|Colleg | LILO works fine, though. |
| tiny | as long as it works |
| bluszcz | everything is fine as long as it works |
| FernandoMM | Hello, I have some servers running CentOS with lots of users. I was wondering how I can jail a user inside his home. Not only ssh access but his php/python scripts. Is it possible? |
| bluszcz | FernandoMM: it depends |
| bluszcz | FernandoMM: how do you want to run those scripts? shell or with apache or other http daemon? |
| FernandoMM | I'm running PHP with apache module and Python as a CGI Script. |
| bluszcz | FernandoMM: i had similar config, but i gave my users chroot environment with full http server - it works |
| Evolution | FernandoMM: you need to use httpd-suexec and selinux for this. it can be done, but it's tricky. |
| FernandoMM | bluszcz: I was wondering if a user creates a PHP script with the following command system( 'rm -rf /');. I know that the apache server doesn't have access to all files, but it would destroy a lot of files, wouldn't it? |
| Evolution | you can only do it with php/python as cgi's.. not as apache modules. |
| CCFreak2K|Colleg | chroot is primitive man's virtual machine. ;) |
| Evolution | FernandoMM: selinux will prevent that. |
| Evolution | FernandoMM: and it wouldn't do much, because apache doesn't have system access. |
| FernandoMM | Evolution: what do you mean with system access? |
| Evolution | FernandoMM: the apache user doesn't have rights to most things in / so a script running as apache, can't delete most of / but you could nuke most of the webroot. selinux and mod_security + httpd-suexec can eliminate 99.999% of that danger. *Disclaimer: when used properly. |
| FernandoMM | Evolution: what I have seen is that some users "like" to use chmod 777 on everything. That's my main problem. |
| Evolution | FernandoMM: yeah. selinux will prevent one user from screwing with another user's stuff. httpd-suexec tells apache which user to run things as and mod_security helps verify web requests (GET/POST...etc) so that you don't get sql injections, or other idiocy in there. |
| FernandoMM | I'll take a look into httpd-suexec. I already have mod-security installed. Thanks for your answers. |
| CCFreak2K|Colleg | From what I've read, SELinux increases the granularity of security in Linux, which is simple at best. |
| Evolution | CCFreak2K|Colleg: not really. |
| Evolution | CCFreak2K|Colleg: linux (and *nix in general) uses discretionary access control (DAC security). I can set permissions on my files any way I want, and so can other users. |
| DAddYE | hello world |
| Evolution | selinux layers on an implementation of MAC (Mandatory access control) security on top of that, so restricted users and applications can *only* open certain things in certain locations with certain permissions. it's by no means full MAC control, but it's a good implementation for the needs it suits. |
| DAddYE | Evolution: do you know a good firewall to prevent attacks on ssh? |
| Evolution | DAddYE: yes. iptables. |
| DAddYE | ;) |