[luau] restricting directory access
Warren Togami
warren at togami.com
Sat Apr 27 03:40:49 PDT 2002
----- Original Message -----
From: "Jimen Ching" <jching at flex.com>
To: <luau at videl.ics.hawaii.edu>
Sent: Saturday, April 27, 2002 12:12 AM
Subject: Re: [luau] restricting directory access
>
> Like you said, you do not give your users ssh access because they do not
> need it. The question is, does Rodney need to give his users ssh access?
> If so, why? Would jailing them defeat the purpose of providing shell
> access in the first place?
>
> Maybe you haven't been on the receiving side of this. But I learned a lot
> about Unix because I had a regular shell account. If I was jailed in my
> home directory, I would not have learned as much. It all depends on your
> goals.
What if the jail contained all the useful tools that they would need? The
only difference here is that iptables and kernel restrictions prevents them
from opening ANY outgoing network connection except to localhost and certain
hosts that you specify, and it is impossible for them to modify files even
if they do manage to crack root (if you use read-only filesystem), or
Tripwire can easily detect compromises within the jail if you do leave
system files writable.
Nearly zero shell power and flexibility lost, much gained security. But I
do admit this is a bit paranoid.
More information about the LUAU
mailing list