|CCFreak2K|Colleg||My desktop continues to run Slackware.|
|bluszcz||CCFreak2K|Colleg: we have problems with new dell machines, dell optiplex 300|
only kernel >=2.6.18 and only lilo
|CCFreak2K|Colleg||bluszcz, it used to work fine, but I installed Windows Vista before (I signed up for the RC phase but never got around to actually using it), and the bootloader seemed to be installed in such a way as to prevent GRUB from working correctly.|
|CCFreak2K|Colleg||LILO works fine, though.|
|tiny||as long as it works|
|bluszcz||everything is fine as long as it works|
|FernandoMM||Hello, I have some servers running CentOS with lots of users. I was wondering how I can jail a user inside his home. Not only ssh access but his php/python scripts. Is it possible?|
|bluszcz||FernandoMM: it depends|
FernandoMM: how do you want to run those scripts? shell or with apache or other http daemon?
|FernandoMM||I'm running PHP with apache module and Python as a CGI Script.|
|bluszcz||FernandoMM: i had a similar config, but i gave my users a chroot environment with a full http server - it works|
|Evolution||FernandoMM: you need to use httpd-suexec and selinux for this.|
it can be done, but it's tricky.
|FernandoMM||bluszcz: I was wondering if a user creates a PHP script with the following command system( 'rm -rf /');. I know that the apache server doesn't have access to all files, but it would destroy a lot of files, wouldn't it?|
|Evolution||you can only do it with php/python as cgi's.. not as apache modules.|
|CCFreak2K|Colleg||chroot is primitive man's virtual machine. ;)|
|Evolution||FernandoMM: selinux will prevent that.|
FernandoMM: and it wouldn't do much, because apache doesn't have system access.
|FernandoMM||Evolution: what do you mean by system access?|
|Evolution||FernandoMM: the apache user doesn't have rights to most things in /|
so a script running as apache, can't delete most of /
but you could nuke most of the webroot.
selinux and mod_security + httpd-suexec can eliminate 99.999% of that danger.
*Disclaimer: when used properly.
|FernandoMM||Evolution: what I have seen is that some users "like" to use chmod 777 on everything. That's my main problem.|
|Evolution||FernandoMM: yeah. selinux will prevent one user from screwing with another user's stuff.|
httpd-suexec tells apache which user to run things as
and mod_security helps verify web requests (GET/POST...etc) so that you don't get sql injections, or other idiocy in there.
|FernandoMM||I'll take a look into httpd-suexec. I already have mod-security installed. Thanks for your answers.|
|CCFreak2K|Colleg||From what I've read, SELinux increases the granularity of security in Linux, which is simple at best.|
|Evolution||CCFreak2K|Colleg: not really.|
CCFreak2K|Colleg: linux (and *nix in general) uses discretionary access control (DAC security). I can set permissions on my files any way I want, and so can other users.
|Evolution||selinux layers on an implementation of MAC (Mandatory access control) security on top of that, so restricted users and applications can *only* open certain things in certain locations with certain permissions.|
it's by no means full MAC control, but it's a good implementation for the needs it suits.
|DAddYE||Evolution: do you know a good firewall to prevent attacks on ssh?|
|Evolution||DAddYE: yes. iptables.|