Last time I looked at this I decided I had two options (specific for my needs at the moment).

1) Chrooted jails. Basically give everyone a numbed down VPS. Put them in home dirs and lock them out of everything else, and it's pretty simple. There's some complex configuration decisions to make, but it's a straightforward concept.

2) Locked down home directories. It makes some security testing involved, and certainly isn't ideal, but I didn't have that big of a security concern as the users all knew each other and it was fairly public info they were running there anyway. Keeping them from root stuff is easy. Keeping them from other people's stuff mostly lies in the needs of the user themselves, but AppArmor might help significantly with that.

I do avoid SELinux, because I have never seen much of a need for it. Always seems to cause problems with a load of things I want to do with my server and working through them, while not impossible by any means, takes more time than I want to spend on the minor security buffs it offers.

-Tod Hansmann

On 4/18/2010 12:24 PM, Christer Edwards wrote:
> I've been doing some research recently on securing and limiting shell
> access to a server. I thought I would pose the question here.
> Hopefully we'll all get something beneficial out of the discussion,
> and it'll give us a break from name calling on the Net Neutrality
> thread. :P
>
> Suppose you were given the task of building a system that would allow
> dozens of users shell access. This system would be used for clients or
> developers to run utilities, etc. Keeping security, privacy and
> resource limitations in mind, consider the following questions:
>
> What operating system / distribution would you use? Why?
> What would you use to ensure privacy between users (home folders,
> personal files, etc)
> What would you use to ensure users don't use too many resources (cpu,
> memory, disk space, etc)
> What would your partitioning scheme look like? Why?
> What other security/privacy/resource utilities would you implement on
> your system?
>
> (This is not a homework assignment and it is not a work project. I'm
> simply interested in gathering information on the topic.)
