Subject: Re: Advice on setting up a shell server
To: Martijn van Buul <pino+gmane_os_netbsd_help@dohd.org>
From: Stefan 'Kaishakunin' Schumacher <stefan@net-tex.de>
List: netbsd-help
Date: 02/03/2007 14:54:23

Thus spoke Martijn van Buul (pino@dohd.org):
> * Stefan 'Kaishakunin' Schumacher:
> > Use Systrace to systrace the login shell and restrict any access to
> > evil[tm] binaries, such as ftp/telnet.
>
> Pray tell, what's evil[tm] about ftp/telnet? Are you going to restrict
> browsers or things like wget/fetch too?
>
> I'm not talking about ftpd or telnetd, but I *REALLY* don't see what's the
> evilness of someone accessing an ftp site somewhere, or accessing one of the
> few remaining telnet services.

It depends on your local security policy what is declared evil and
what not. Things you might find OK are forbidden on other sites. So
what?

> > You can also use systrace to forbid the use of binaries in the home dirs of
> > students or to restrict e.g. SSH to your private network.
>
> Why don't you also change the shell to /bin/nologin and pull the network plug?
> :)
>
> Security is one thing. Turning the whole project pointless, all for the
> benefit of security, is another. At least, I'm sure that the intention of
> this project is to give students a usable account, and not to give them
> something they cannot sensibly use or access.

First "usable account" has to be defined, then one can create a
security policy for it. Or discuss single arrangements.
Like I said above, security is site-dependent and what I gave as
_example_ is useful on my servers. YMMV.

--
Pedites pugnas decernent    http://www.jaegerseiten.de    Horrido!


http://www.net-tex.de                                 http://www.cryptomancer.de
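The systrace setup sketched in this exchange, as an added example (not code from either poster): a policy for a student login shell that denies execution of anything under /home, denies the ftp and telnet clients, and permits outbound SSH only towards a private network. Assumptions: the NetBSD emulation name is `netbsd` (OpenBSD's is `native`), the shell is /bin/ksh, the clients live in /usr/bin, 10.0.0.0/24 is a placeholder range, and the `inet-<addr>:<port>` sockaddr pattern follows the form used in the systrace(1) manual's sample policy. The script only writes the policy and prints the wrapper line; it does not run systrace.

```shell
#!/bin/sh
# Added example: build a systrace policy for a student login shell.
# Assumptions: NetBSD emulation name "netbsd", shell /bin/ksh, client
# binaries under /usr/bin, private network 10.0.0.0/24 (placeholder).

# write_shell_policy FILE: writes only the restrictive rules. systrace
# evaluates rules in order and the first match wins, so these denies must
# precede any broad permit. A complete policy also needs permit rules for
# the shell's ordinary syscalls (systrace -A can record them); with -a,
# anything not covered by the policy is denied, so do not deploy this
# fragment on its own.
write_shell_policy() {
    cat > "$1" <<'EOF'
Policy: /bin/ksh, Emulation: netbsd
	netbsd-execve: filename match "/home/*" then deny[eperm]
	netbsd-execve: filename eq "/usr/bin/ftp" then deny[eperm]
	netbsd-execve: filename eq "/usr/bin/telnet" then deny[eperm]
	netbsd-connect: sockaddr match "inet-10.0.0.*:22" then permit
	netbsd-connect: sockaddr match "inet-*:22" then deny[eacces]
EOF
}

# count_denies FILE: number of deny rules in the written policy, a quick
# sanity check that the restrictive part actually landed in the file.
count_denies() {
    grep -c 'then deny' "$1"
}

# launch_command FILE: the wrapper line to use as the students' login shell.
# -a enforces the policy without prompting, -i makes child processes
# (ftp, telnet, ssh, ...) inherit it, -f loads the policy from FILE.
launch_command() {
    printf 'exec systrace -a -i -f %s /bin/ksh\n' "$1"
}

# Constructed output path for the demonstration run.
policy="${TMPDIR:-/tmp}/shell-server.policy"
write_shell_policy "$policy"
echo "wrote $policy with $(count_denies "$policy") deny rules"
launch_command "$policy"
```

The two connect rules are ordered deliberately: the private-network permit comes first, then a catch-all deny for port 22, so a connection attempt to any other SSH host fails with EACCES instead of falling through to whatever later permit covers general socket use.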
