On 18.11.2014 12:23, Martin Quinson wrote:
> Woot, many thanks for these changes! I'll try to fill the TODO a bit
> further to seek your help on the other points ;)

Ok, but I'm not cheap. :P

> I just pushed my local changes to the git, sorry about that.

No problem.

> I have one main question about the server started automatically. Will
> it be given a specific user id? I would not certify the security of
> that server, and I'd like to sandbox it as much as possible. I have
> planned for a long time to check how to do that, but you have just
> solved all my questions but this one.

I'm still testing the server in a real environment for my gaming project, linuxiuvat.de, and the server appears to be working fine. The unprivileged system user is called Debian-minetest. This user is automatically created in postinst. The shell is set to /bin/false. The current setup is comparable to our openarena-server package. The home directory is /var/games/minetest-server and it is owned by that user and group games. I think this ensures reasonable security from our side and these measures are used by other multiplayer servers in the archive too.

> Could you please check your changes to see if they are the most secure
> ones, i.e. the ones that do not trust the server program but sandbox it
> the most, please?

I think I have already taken care of all necessary configuration steps. I can't really tell how secure the Minetest server currently is but I am sure that the server uses sane default values now. I also plan to provide a .service and .socket file for systemd in the future as soon as I have more time to test them.

> Many many thanks for your work,
> Mt.

You're welcome.

Cheers,

Markus
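The account setup described in the reply above (unprivileged user, shell /bin/false, home /var/games/minetest-server owned by that user and group games) can be audited with a short script. This is an added example, not part of the original mail or of the Debian package; the function names, the second sample account and the UID/GID numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a service account's passwd(5) entry against the
# setup described in the mail (non-login shell, dedicated home directory).

# audit_account USER PASSWD_FILE EXPECTED_HOME
# Prints one finding per line. Returns 0 if clean, 1 on findings,
# 2 if the account does not exist.
audit_account() {
    entry=$(awk -F: -v u="$1" '$1 == u' "$2")
    [ -n "$entry" ] || { echo "account $1 not found"; return 2; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    rc=0
    if [ "$uid" -eq 0 ]; then echo "uid 0: account is root-equivalent"; rc=1; fi
    case $shell in
        /bin/false|/usr/sbin/nologin) ;;   # no interactive login possible
        *) echo "interactive shell: $shell"; rc=1 ;;
    esac
    if [ "$home" != "$3" ]; then echo "home is $home, expected $3"; rc=1; fi
    return $rc
}

# check_owner DIR USER GROUP: on a live system, compare the ownership of DIR
# with the expected user and group (uses GNU stat from Debian's coreutils).
check_owner() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2:$3" ]
}

# Constructed sample entries (UID/GID numbers are made up for the example).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Debian-minetest:x:118:60::/var/games/minetest-server:/bin/false
gameadmin:x:0:0::/root:/bin/bash
EOF

audit_account Debian-minetest "$SAMPLE" /var/games/minetest-server \
    && echo "Debian-minetest: OK"
audit_account gameadmin "$SAMPLE" /var/games/minetest-server \
    || echo "gameadmin: findings above"
```

On an installed system, pass /etc/passwd as the file and run `check_owner /var/games/minetest-server Debian-minetest games` to confirm the directory ownership the mail describes.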

