Hello,
I'm managing a few hosting servers, mostly PHP-based: customers have SFTP access (via proftpd and mod_sftp), phpMyAdmin, etc. They are "jailed" in their home directory on both levels:
Code:
DefaultRoot ~
for FTP, and open_basedir for PHP, and it's working fine like this.
Now I have added a few personal Ruby on Rails hosting accounts on one of the servers (via mod_passenger), and I'd like to do so for other people. Problem: most of the RoR operations will require an SSH shell, for example for rake db:migrate, local gem installation, debugging, and local git repository management as well. I presume I am not the only one in this situation: if it is the case on your systems, may I ask how you handle this case, to maintain the best overall system security?
I just saw shells/ibsh in the ports list which could have helped, but it doesn't really seem to be maintained (last update was in 2005).
The rails user can't browse other users' directories (solved simply with Unix filesystem rights), and he can't see other processes (security.bsd.see_other_gids=0, security.bsd.see_other_uids=0, etc.), but one of the things I would like to prevent is for example accessing some files like /etc/passwd (= listing all other customers' domains in this specific case).
Other things would be:
- prevent the launch of daemons (-> screen, irssi, bots, etc.) -> ?
- prevent the use of crontab -e (for some people): /var/cron/allow|deny
The document under http://www.bsdguides.org/guides/freebsd/security/harden.php is a good help, but not for all points... And it's also from 2005.
Any suggestions welcome.
Thanks & regards,
Olivier
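
An added example (not part of the original post): a small sh audit of the two controls the post names, the security.bsd.see_other_* sysctl knobs and the cron allow/deny files, following the precedence described in crontab(1). It reads constructed sample files in a scratch directory rather than the live system; the users alice and bob and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: offline audit of the two controls named in the post.
# All paths and file contents below are constructed sample data.

# Print the last value assigned to knob $1 in sysctl.conf-style file $2.
knob_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$2" |
        awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Print each knob from the post that is not set to 0 in file $1.
unhardened_knobs() {
    for k in security.bsd.see_other_uids security.bsd.see_other_gids; do
        [ "$(knob_value "$k" "$1")" = "0" ] || echo "$k"
    done
}

# crontab(1) precedence: an allow file wins; otherwise the deny file decides;
# with neither file the result depends on how cron was built ("site-default").
cron_access() {  # $1 = user, $2 = directory holding allow/deny
    if [ -f "$2/allow" ]; then
        grep -Fqx "$1" "$2/allow" && echo allowed || echo denied
    elif [ -f "$2/deny" ]; then
        grep -Fqx "$1" "$2/deny" && echo denied || echo allowed
    else
        echo site-default
    fi
}

# Constructed sample data in a scratch directory (not the real /etc or /var/cron).
demo=$(mktemp -d)
mkdir "$demo/cron"
printf '%s\n' 'security.bsd.see_other_uids=0   # hide processes of other uids' \
    'security.bsd.see_other_gids=1' > "$demo/sysctl.conf"
printf '%s\n' alice > "$demo/cron/allow"   # alice and bob are made-up users
printf '%s\n' alice > "$demo/cron/deny"    # ignored because allow exists

echo "not hardened: $(unhardened_knobs "$demo/sysctl.conf")"
echo "alice: $(cron_access alice "$demo/cron")"
echo "bob:   $(cron_access bob "$demo/cron")"
```

The sysctl check only reflects what the configuration file would set at boot; the running values still have to be confirmed on the host itself.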