Re: [cobalt-users] Securing shell access
- Subject: Re: [cobalt-users] Securing shell access
- From: Kris Dahl <krislists@xxxxxxxxxxxxx>
- Date: Tue Aug 15 11:38:28 2000
on 8/15/00 10:13 AM, Andy Miller at andy.miller@xxxxxxxxxxxxxx wrote:
> I may need to enable shell access for some users on my raq3, and am
> wondering how I can stop them from being able to move freely around the
> server.
First off let me say this: nothing is really compromised by allowing users
to 'move around the server' (i.e. reading readable files). Standard
permissions apply: world readable is world readable. Anything you don't
want anybody to read should be world readable (This often comes from
individuals who don't want people to be able to view files in their web
folders and think that turning directory indexing off is a substitute for
security. That would be an incorrect assumption).
> It seems that standard setup enables users to wander around and read many
> logs and config files when using SSH/telnet.
This is the nature of the beast. Config files must be readable. But like I
said, no harm is done by allowing your (for example) apache config file to
be read.
Log files shouldn't really contain sensitive information, but I can
understand why you wouldn't really want them to be readable. By setting up
some scripts you could archive the logs and make them readable only to the
specific users.
If you are really concerned, there are a couple of options: one is to
suggest to your client that they get their own server if they need shell
access.
Also there are several 'virtual server' projects that let you have an entire
distro for each client.
-k
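
One way to script the log archiving suggested in the message above, as an added example that is not part of the original post. The function names, the dedicated archive directory and the use of a per-site group to grant read access are assumptions for illustration.

```shell
#!/bin/sh
# Added example: archive a log so that "other" has no access to the copy.
# All paths and the group name are hypothetical; adapt to the server's layout.

# archive_log SRC DEST_DIR [GROUP]
# Writes SRC into DEST_DIR (a directory used only for archives) as a dated
# gzip file. Mode is 0640 when GROUP is given, 0600 otherwise.
# Prints the path of the archive on success.
archive_log() {
    src=$1 dest_dir=$2 group=${3:-}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Create everything owner-only from the start, so the copy is never
    # world readable, not even briefly.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest_dir" || { umask "$old_umask"; return 1; }
    out="$dest_dir/$(basename "$src").$(date +%Y%m%d).gz"
    gzip -c "$src" > "$out" || { umask "$old_umask"; rm -f "$out"; return 1; }
    umask "$old_umask"

    # Directory: owner full access, group may list and enter, others nothing.
    chmod 750 "$dest_dir"
    if [ -n "$group" ]; then
        # Changing group needs root or membership of GROUP.
        chgrp "$group" "$dest_dir" "$out" || return 1
        chmod 640 "$out"
    else
        chmod 600 "$out"
    fi
    printf '%s\n' "$out"
}

# world_readable DIR
# Lists regular files under DIR that any local user can read.
world_readable() {
    find "$1" -type f -perm -004
}

# Example call (hypothetical paths and group):
#   archive_log /var/log/site1/access_log /home/archives/site1 site1
```

Running `world_readable` over the archive directory afterwards should print nothing; any path it does print is still readable by every shell user.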