
Re: Advice about server solution.



On Sun, Mar 09, 2008 at 07:33:00PM +0200, Markus Viitamäki wrote:
> Hello all Debian users, I am in a little need of help. Some weeks back I 
> got this "task" to plan a server for shell accounts. And now I have started 
> searching for solutions, and I have found some. For example 
> www.debian-hardened.org. But they've stopped their development so I got no 
> use of that. So now I ask you guys how you would run a server that will 
> have many shell accounts, where regular users should only be allowed to run 
> some of the binaries in the system and they all have disk quotas.
> I would like to run Debian as the base system and then use maybe some kind 
> of grsec or something, and on the "something" I need your help. I would 
> really appreciate your help. 

Hasn't Unix been used for years as a box for users to have shell
accounts?  The only wrinkle you give is that "users should only be
allowed to run some of the binaries in the system".  Why?  If something
in the system allows an unprivileged normal user to do something nasty,
then it's a bug in the system.  What binaries were you thinking of
forbidding?

I would understand mounting /home noexec and a bunch of other mount
options if you don't want users compiling or copying their own binaries
there; remember that just because you don't provide them with a binary
they can execute, doesn't mean that they can't download one from another
system (or if this is Debian, from downloading the appropriate deb) and
unpack it into a directory tree in their own home directory.

If you have lots of disk space, pam has a chroot module where every user
gets their own chroot.

You don't mention how these users will be accessing their shell
accounts: dial-up, ssh, serial terminals or term emulators?

Most Debian and Linux books focus on either the personal desktop or
server.  You may want to get a Unix book (such as the Unix System
Administration Handbook) to cover issues of dealing with shell account
users.  

Doug.
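As an added example (not part of the thread above), a small POSIX sh check for the mount-option advice Doug gives: it reads a file in /proc/mounts format and reports which of noexec, nosuid, nodev and usrquota are missing from a mount point. The sample mounts table is constructed; the option set and the mount points are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify that a mount point (e.g. /home on a shell server)
# carries the hardening and quota options discussed in the thread.
# A matching /etc/fstab line would look like (assumed device name):
#   /dev/sda2 /home ext3 defaults,noexec,nosuid,nodev,usrquota 0 2

# Print the option list of a mount point from a /proc/mounts-format file.
# $1 = mounts file, $2 = mount point. Prints nothing if not mounted.
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# Print the expected options that are missing on the mount point, space
# separated on one line. Exit 0 if none are missing, 1 otherwise.
missing_opts() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for want in noexec nosuid nodev usrquota; do
        # Wrap in commas so "nodev" does not match inside another option.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample mounts table: a hardened /home and a default /srv.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /home ext3 rw,noexec,nosuid,nodev,usrquota 0 0
/dev/sda3 /srv ext3 rw 0 0
EOF

# /home passes (prints an empty line); /srv lacks all four options.
missing_opts "$SAMPLE_MOUNTS" /home || :
missing_opts "$SAMPLE_MOUNTS" /srv || :
```

On a live system, pass /proc/mounts as the first argument instead of the constructed sample.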

