#centos - Tue 6 Mar 2007 between 09:08 and 09:46


<CCFreak2K|Colleg> My desktop continues to run Slackware.
<bluszcz> CCFreak2K|Colleg: we have problems with new dell machines, dell optiplex 300
<bluszcz> only kernel >=2.6.18 and only lilo
<CCFreak2K|Colleg> bluszcz, it used to work fine, but I installed Windows Vista before (I signed up for the RC phase but never got around to actually using it), and the bootloader seemed to be installed in such a way as to prevent GRUB from working correctly.
<tiny> bluszcz: heh
<CCFreak2K|Colleg> LILO works fine, though.
<tiny> as long as it works
<bluszcz> everything is fine as long as it works
<FernandoMM> Hello, I have some servers running CentOS with lots of users. I was wondering how can i jail a user inside his home. Not only ssh access but his php/python scripts. Is it possible?
<bluszcz> FernandoMM: it depends
<bluszcz> FernandoMM: how do you want to run those scripts? shell or with apache or other http daemon?
<FernandoMM> I'm running PHP with apache module and Python as a CGI Script.
<bluszcz> FernandoMM: i had similar config, but i gave my users chroot environment with full http server - it works
<Evolution> FernandoMM: you need to use httpd-suexec and selinux for this.
<Evolution> it can be done, but it's tricky.
<FernandoMM> bluszcz: I was wondering if a user creates a PHP script with the following command system( 'rm -rf /');. I know that the apache server doesn't have access to all files, but it would destroy a lot of files, wouldn't it?
<Evolution> you can only do it with php/python as cgi's.. not as apache modules.
<CCFreak2K|Colleg> chroot is primitive man's virtual machine. ;)
<Evolution> FernandoMM: selinux will prevent that.
<Evolution> FernandoMM: and it wouldn't do much, because apache doesn't have system access.
<FernandoMM> Evolution: what do you mean with system access?
<Evolution> FernandoMM: the apache user doesn't have rights to most things in /
<Evolution> so a script running as apache, can't delete most of /
<Evolution> but you could nuke most of the webroot.
<Evolution> selinux and mod_security + httpd-suexec can eliminate 99.999% of that danger.
<Evolution> *Disclaimer: when used properly.
<FernandoMM> Evolution: what i have seen is that some users "like" to use chmod 777 to everything. That's my main problem.
<Evolution> FernandoMM: yeah. selinux will prevent one user from screwing with another user's stuff.
<Evolution> httpd-suexec tells apache which user to run things as
<Evolution> and mod_security helps verify web requests (GET/POST...etc) so that you don't get sql injections, or other idiocy in there.
<FernandoMM> I'll take a look into httpd-suexec. I already have mod-security installed. Thanks for your answers.
<CCFreak2K|Colleg> From what I've read, SELinux increases the granularity of security in Linux, which is simple at best.
<Evolution> CCFreak2K|Colleg: not really.
<Evolution> CCFreak2K|Colleg: linux (and *nix in general) uses discretionary access control (DAC security). I can set permissions on my files any way I want, and so can other users.
<DAddYE> hello world
<Evolution> selinux layers on an implementation of MAC (Mandatory access control) security on top of that, so restricted users and applications can *only* open certain things in certain locations with certain permissions.
<Evolution> it's by no means full MAC control, but it's a good implementation for the needs it suits.
<DAddYE> Evolution: do u know a good firewall to prevent attacks on ssh?
<Evolution> DAddYE: yes. iptables.
<DAddYE> ;)
