On Sun, Mar 09, 2008 at 07:33:00PM +0200, Markus Viitamäki wrote:
> Hello all debian users, I am in a little need of help. Some weeks back I
> got this "task" to plan a server for shell-accounts. And now I have started
> searching for solutions, and I have found some. For example
> www.debian-hardened.org. But they've stopped their development so I got no
> use of that. So now I ask you guys how you would run a server that will
> have many shell-accounts and regular users should only be allowed to run
> some of the binaries in the system and they all have disk quota.
> I would like to run Debian as the base system and then use maybe some kind
> of grsec or something, and on the something I need your help. I would
> really appreciate your help.
Hasn't Unix been used for years as a box for users to have shell accounts? The only wrinkle you give is that "users should only be allowed to run some of the binaries in the system". Why? If something in the system allows an unprivileged normal user to do something nasty, then it's a bug in the system. What binaries were you thinking of forbidding?

I would understand mounting /home noexec and a bunch of other mount options if you don't want users compiling or copying their own binaries there; remember that just because you don't provide them with a binary they can execute doesn't mean that they can't download one from another system (or, if this is Debian, download the appropriate deb) and unpack it into a directory tree in their own home directory.

If you have lots of disk space, PAM has a chroot module where every user gets their own chroot.

You don't mention how these users will be accessing their shell accounts: dial-up, ssh, serial terminals or term emulators?

Most Debian and Linux books focus on either the personal desktop or server. You may want to get a Unix book (such as the Unix System Administration Handbook) to cover issues of dealing with shell account users.

Doug.
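As an added example (not from Doug's reply or from any Debian tool), a small POSIX sh check for the /home mount options Doug mentions: it reads /proc/mounts-format lines and reports whether nodev, nosuid and noexec are all set on a given mount point. The sample mount table below is constructed; `check_mount` is a hypothetical wrapper name for running the same check against the live /proc/mounts.

```shell
#!/bin/sh
# Added example: verify that a mount point carries the hardening options
# (nodev, nosuid, noexec) before handing out shell accounts on it.
# Input lines are in /proc/mounts format:
#   "<device> <mountpoint> <fstype> <options> 0 0"

# mount_has_opts MOUNT_TABLE MOUNTPOINT WANTED
#   Returns 0 if every comma-separated option in WANTED appears in the
#   option field of MOUNTPOINT, 1 if one is missing, 2 if MOUNTPOINT is
#   not in the table at all.
mount_has_opts() {
    mounts="$1"; mp="$2"; want="$3"
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    [ -n "$opts" ] || return 2
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;          # option present, keep checking
            *) return 1 ;;        # a required option is missing
        esac
    done
    return 0
}

# Constructed sample mount table (not taken from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /home ext3 rw,nodev,nosuid,noexec,usrquota 0 0
/dev/sda3 /tmp ext3 rw,nodev 0 0'

# Hypothetical wrapper for a live host, e.g.: check_mount /home
check_mount() {
    mount_has_opts "$(cat /proc/mounts)" "$1" nodev,nosuid,noexec
}

# Demo on the constructed table: /home passes, /tmp does not.
mount_has_opts "$SAMPLE_MOUNTS" /home nodev,nosuid,noexec && echo "/home: nodev,nosuid,noexec set"
mount_has_opts "$SAMPLE_MOUNTS" /tmp nodev,nosuid,noexec || echo "/tmp: missing nosuid or noexec"
```

This only confirms the mount-option part of the advice; as Doug notes, noexec does not by itself prevent a user from fetching binaries into their home directory.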