Re: Ultimately Safe User Account
Andrew wrote: I have a production FreeBSD box. My friend is starting to learn Unix essentials and is asking me for an account. He doesn't require any special rights, but he certainly wants to be able to use shell and read most manual pages. He'll access the server via Internet, SSH. A slightly different take on this: Unless you're *REALLY* poor/underpaid, the time you would spend making a safe way for your friend to poke at a production box to learn would be a lot more expensive than a cheap-o eBay computer... Give him his own box with FreeBSD on it and let him be root -- He'll learn a heck of a lot more by screwing up things as root than any other way of learning. -- Like Music? http://l-i-e.com/artists.htm ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ultimately Safe User Account
I have a production FreeBSD box. My friend is starting to learn Unix essentials and is asking me for an account. He doesn't require any special rights, but he certainly wants to be able to use shell and read most manual pages. He'll access the server via Internet, SSH. How can I create an account, so that it is completely safe to let him in? How can I jail/chroot him and do I need to do it this way? I want to limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu (~5-10%), _internet connectivity_ (bandwidth is expensive and he must not be able to download much). He is new to Unix but I have to suppose that somebody very experienced can steal his account info. I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi. I don't want him to have any browser or fetch-like utility. I know that letting somebody log in is already a security hole, but I want to minimize the risks. As others had pointed out, a live boot CD is the best way to learn on his own hardware without you getting nasty surprises on your own. Alternatively, he (or you) could invest in VMWare and let him have free reign inside a virtual machine. Personally those would be the two options I'd look at first...preferably VMWare, since a screwup is as easy to recover from as copying a backup of the good image to a working drive image. Otherwise you're looking at investing a lot of time and effort in getting quotas configured, bandwidth monitoring, jails, etc. etc...the virtual machine route is the best way to give a budding root a chance to learn with less fear of mistakes (or killing your server/workstation)...especially if he gets clever with ssh redirection of ports :-) -Bart ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ultimately Safe User Account
On Sep 23, 2004, at 8:56 PM, Andrew wrote: Dan Rue wrote: How's he supposed to learn anything if all you give him is a jail with ls cp mv sh and vi? sheesh. That'll turn him off unix pretty quick. Thanks for your feedback. I guess I'll just let him in and try not to worry. Well, the trouble is that I am the one administering the box and that it was this summer when I started reading heaps of unix/bsd documentation - for the first time in my life. I'm still paranoid about my own actions, not to mention smb's else. I'll give him cygwin/livecd as well, though. If you're somewhat new (even if you're not...) I'd even more strongly suggest investing in VMWare or some other VM software using disk images to work from...it's the ultimate free reign learning environment and virtual jail. Even seasoned admins can get lazy or get hit by some new trick in the book that they didn't previously know about. No one I worked with was really familiar with SSH beyond the command line access...and they were impressed with X forwarding. Then I learned about port redirection using SSH, so any ssh-accessible machine on the Internet could potentially be used to see any other machines within the same subnet as the ssh server, allowing me access to some machines not visible with simple scans of a NATed network. Took a few times explaining how it worked, and it's come in handy for remote administration at times and the people I explained the technique to were impressed at the potential for this to be helpful as a tool (and as a potential security breach...) The point is that there are more things in system administration and user's minds than dreamt of in any single admin's philosophy, Horatio :-) -Bart ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Ultimately Safe User Account
I'd suggest sending him a live CD of FreeBSD (LiveBSD at http://www.livebsd.com) or Linux (Knoppix at http://www.knoppix.org) are very good. This will keep him on his own hardware and let him become familiar with BSD in a fairly safe environment. When he feels comfortable he can attempt a full install on his hardware. Alternatively if he is just wanting to become proficient on the command line he can install Cygwin (http://www.cygwin.com) on Windows and Linux-like environment right on Windows and then progress to the real thing. I'd go with any of the above before giving him remote access but If you are deadest on allowing him access to your system look at man jail man security man login.conf Jason -Original Message- From: [EMAIL PROTECTED] [mailto:owner-freebsd- [EMAIL PROTECTED] On Behalf Of Andrew Sent: Thursday, September 23, 2004 1:30 PM To: [EMAIL PROTECTED] Subject: Ultimately Safe User Account Hi, I have a production FreeBSD box. My friend is starting to learn Unix essentials and is asking me for an account. He doesn't require any special rights, but he certainly wants to be able to use shell and read most manual pages. He'll access the server via Internet, SSH. How can I create an account, so that it is completely safe to let him in? How can I jail/chroot him and do I need to do it this way? I want to limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu (~5-10%), _internet connectivity_ (bandwidth is expensive and he must not be able to download much). He is new to Unix but I have to suppose that somebody very experienced can steal his account info. I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi. I don't want him to have any browser or fetch-like utility. I know that letting somebody log in is already a security hole, but I want to minimize the risks. Thanks, Andrew P. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions- [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ultimately Safe User Account
On Thu, Sep 23, 2004 at 04:18:21PM -0600, Sheets, Jason (OZ CEEDR) wrote: I'd suggest sending him a live CD of FreeBSD (LiveBSD at http://www.livebsd.com) or Linux (Knoppix at http://www.knoppix.org) are very good. This will keep him on his own hardware and let him become familiar with BSD in a fairly safe environment. When he feels comfortable he can attempt a full install on his hardware. Alternatively if he is just wanting to become proficient on the command line he can install Cygwin (http://www.cygwin.com) on Windows and Linux-like environment right on Windows and then progress to the real thing. I'd go with any of the above before giving him remote access but If you are deadest on allowing him access to your system look at man jail man security man login.conf Jason -Original Message- From: [EMAIL PROTECTED] [mailto:owner-freebsd- [EMAIL PROTECTED] On Behalf Of Andrew Sent: Thursday, September 23, 2004 1:30 PM To: [EMAIL PROTECTED] Subject: Ultimately Safe User Account Hi, I have a production FreeBSD box. My friend is starting to learn Unix essentials and is asking me for an account. He doesn't require any special rights, but he certainly wants to be able to use shell and read most manual pages. He'll access the server via Internet, SSH. How can I create an account, so that it is completely safe to let him in? How can I jail/chroot him and do I need to do it this way? I want to limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu (~5-10%), _internet connectivity_ (bandwidth is expensive and he must not be able to download much). He is new to Unix but I have to suppose that somebody very experienced can steal his account info. I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi. I don't want him to have any browser or fetch-like utility. I know that letting somebody log in is already a security hole, but I want to minimize the risks. Thanks, Andrew P. A live CD is a good suggestion. I have to disagree with the idea behind this whole thing, though. I mean, if this guy's really your friend, I don't see what you're so worried about. It's really pretty tough to 'accidently' break things as a user on a system, as long as the system is moderately well administered. If you're concerned about him using a bad password, give him a sufficient warning and run john the ripper against your password file for a couple of days. Also, don't allow any clear-text protocols such as samba, ftp, telnet, etc etc. Dang, man, I had a friend that ran an /open/ shell server in high school. He had over 100,000 users, and didn't get hacked (well, he did at first, but that's when he was running linux :) ). How's he supposed to learn anything if all you give him is a jail with ls cp mv sh and vi? sheesh. That'll turn him off unix pretty quick. dan ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ultimately Safe User Account
Dan Rue wrote: A live CD is a good suggestion. I have to disagree with the idea behind this whole thing, though. I mean, if this guy's really your friend, I don't see what you're so worried about. It's really pretty tough to 'accidently' break things as a user on a system, as long as the system is moderately well administered. If you're concerned about him using a bad password, give him a sufficient warning and run john the ripper against your password file for a couple of days. Also, don't allow any clear-text protocols such as samba, ftp, telnet, etc etc. Dang, man, I had a friend that ran an /open/ shell server in high school. He had over 100,000 users, and didn't get hacked (well, he did at first, but that's when he was running linux :) ). How's he supposed to learn anything if all you give him is a jail with ls cp mv sh and vi? sheesh. That'll turn him off unix pretty quick. Thanks for your feedback. I guess I'll just let him in and try not to worry. Well, the trouble is that I am the one administering the box and that it was this summer when I started reading heaps of unix/bsd documentation - for the first time in my life. I'm still paranoid about my own actions, not to mention smb's else. I'll give him cygwin/livecd as well, though. Thanks again! Regards, Andrew P. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ultimately Safe User Account
Hi Andrey, On Thu, Sep 23, 2004 at 11:30:06PM +0400, Andrew wrote: Hi, I have a production FreeBSD box. My friend is starting to learn Unix essentials and is asking me for an account. He doesn't require any special rights, but he certainly wants to be able to use shell and read most manual pages. He'll access the server via Internet, SSH. Don't add him to the group wheel. If you paranoid then you can use one time passwords. (I only use this for persons with in the group wheel, and then only for non-ssh.) How can I create an account, so that it is completely safe to let him in? How can I jail/chroot him and do I need to do it this way? I want to limit everything: disk space (~500Mb), RAM (~10%), processes (~30), cpu (~5-10%), _internet connectivity_ (bandwidth is expensive and he must not be able to download much). He is new to Unix but I have to suppose that somebody very experienced can steal his account info. I don't think you need to use jail/chroot. You can limit the use of HD, RAM and CPU with quota's 1. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html 2. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html And limit bandwith with ipfw dummynet. 1. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html 2. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html 3. man ipfw Set your firewall so that it allows everthing out and nothing in exept ssh or http. If you like to have this so that he can use 100% for a short time and something like 20% then you can do this with a combination of ipfw dummynet ipa (a port). I have tree half finished article about this. The above is handy to read before these. I'd be glad if he had only very basic ls, cp, mv, as well as sh and vi. I don't want him to have any browser or fetch-like utility. This be done with jail/chroot. I know that letting somebody log in is already a security hole, but I want to minimize the risks. -- Alex Articles based on solutions that I use: http://www.kruijff.org/alex/FreeBSD/ ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]