LinuxQuestions.org
Old 03-29-2005, 05:26 AM   #1
blueCow
Member
 
Registered: Feb 2004
Location: Florida
Distribution: FreeBSD, CentOS, Debian, Mint
Posts: 111

Rep: Reputation: 17
Shell Server Project Scripts


Hey All,

I am looking into running a free shell server that will be open to anyone who would like one on an extra dedicated server I have. The idea is simple. The box can have any OS I want (that will run on an x86). I just have a few questions.

1. Besides locking users to their own directories and taking away certain tools, what other security issues am I looking at?

2. All of the shell providers I have seen so far have an automated new user script. Anyone know where I can find one or a good site that explains this process?

3. Would anyone be interested in this? Am I just wasting my time?

I figure, there are a lot of people out there that may just want to test out the waters as far as Linux/Unix is concerned and this could be a good avenue for them.

Well, any info you can pass my way will help. Thanks in advance.
 
Old 03-29-2005, 04:28 PM   #2
auximini
Member
 
Registered: Dec 2003
Location: Calgary, AB
Distribution: Any!
Posts: 146

Rep: Reputation: 18
Other security issues involve stuff like possible exploits for breaking out of a chroot and kernel-level exploits.

An automated user script is pretty easy to create once you know the process of creating a single user. After you are comfortable with your system, go through the steps of creating a user. Simply transfer those steps to a script and that's about it.

I'm sure lots of people are interested in this .. and a lot of them might be the wrong type of crowd you're looking for. People looking for bounce-accounts, machines to do ddos's off of, etc... it could get messy.
 
Old 03-29-2005, 11:00 PM   #3
blueCow
Member
 
Registered: Feb 2004
Location: Florida
Distribution: FreeBSD, CentOS, Debian, Mint
Posts: 111

Original Poster
Rep: Reputation: 17
Thanks for the info.

I am comfortable with setting up users, however I was wondering how I would automate that. The script would have to run as root, so I am guessing the best way to accomplish this is to set the SetUID bit on the login script for the "new" user to allow it to run as root.

Thanks again.
 
Old 03-30-2005, 05:29 AM   #4
auximini
Member
 
Registered: Dec 2003
Location: Calgary, AB
Distribution: Any!
Posts: 146

Rep: Reputation: 18
Correct... setuid it would have to be
 
Old 03-30-2005, 05:44 AM   #5
ahh
Member
 
Registered: May 2004
Location: UK
Distribution: Gentoo
Posts: 293

Rep: Reputation: 31
Quote:
Originally posted by blueCow
...The script would have to run as root, so I am guessing the best way to accomplish this is to set the SetUID bit on the login script for the "new" user to allow it to run as root.
This is not a good idea from a security perspective, and may not even be possible.

http://www.dwheeler.com/secure-progr...WTO/shell.html
http://www.faqs.org/faqs/unix-faq/fa...section-7.html
http://www.softlab.ece.ntua.gr/~tave...y/secur11.html
 
Old 03-30-2005, 05:47 AM   #6
auximini
Member
 
Registered: Dec 2003
Location: Calgary, AB
Distribution: Any!
Posts: 146

Rep: Reputation: 18
While it's not a good idea, it is one of the few options to go by (and the easiest). He wants an automated script which means it'll be triggered after the person hits the 'signup' button. Apache doesn't run under root but will need some root privs. Sudo is another option, but then that's giving the apache user some admin rights.

The safest would be to just email a request and then manually add the user as root when the request comes in. But that takes the automated part out..
 
Old 03-30-2005, 06:04 AM   #7
ahh
Member
 
Registered: May 2004
Location: UK
Distribution: Gentoo
Posts: 293

Rep: Reputation: 31
Interesting point.

If it's run by clicking a button, and the only input is a user name and password, the input fields could be checked before being sent to the script. I guess just not allowing spaces, or character sequences that could be interpreted as spaces, would prevent any manipulation of the script.
 
Old 04-12-2005, 07:55 PM   #8
Ashen
LQ Newbie
 
Registered: Apr 2004
Distribution: OpenBSD or Debian for servers, SuSE/MDK for desktops.
Posts: 2

Rep: Reputation: 0
I'm rather glad that there is no one 'guide' text that you can read and which pretends to tell you everything about starting up a new free shell service. New admins that followed it would gain a false sense of security and crackers would have an instant guide to their security setup. On the plus side, we get a lot of different setups between providers, but on the bad side, I've seen some truly terrible shell providers during my time as a user (and later, as an admin).

As most admin skill comes from experience and independent learning, I feel the best thing I can offer you is a short list of tips that are ways into your own learning experience.

1) Reading : Read the Debian Security Guide, and for that matter, all the 'secure server setup' guides you can find. Security starts with your install.
Don't be afraid to install many times until you have the best setup, your final install stays with you a LONG time in many cases, so it pays a lot to get it right. To be brutally honest, 90% of the work involved for a shell server is in the setup, only 10% is in the maintenance.

2) OS Choice : Debian and the *BSD distributions are the only *nix variants that I've used that I would recommend for use as a public shell server. Make sure you avoid any 'desktop' distribution, even the better ones such as SuSE...... they're good, but the sad fact is they're just not secure enough to be a shell server. When you're giving a lot of completely unknown, untrusted people shell access to your powerful server, security is #1 priority. Your users may not tell you that it is, but I've had users leave other shell providers who value "freedom" (read : have lax security) and ask for accounts with my service because the other services were going up and down like yo-yos due to their lack of security.

3) Attitude : When setting up a public shell server, you're letting yourself in for a whole world of pain (aka : "users"). This world pretty much follows sod's law. Admins of public servers where users tend to fall into two groups in my experience, the paranoid, and the rooted. I've lost count of the number of providers that have started up with a fresh faced, newbie admin at the root prompt, trusted their users, and crashed and burned a few months later as someone roots them 'unexpectedly' and thrashes their system. Security is a process, not a product, a state of mind, not a method. When you start, go SLOWLY, and CAREFULLY. You can always do braver things later when you have more experience. Whatever you do, don't start off thinking "I don't really need to secure that......", and/or the classic "it won't happen to me", because sooner or later, it will!

4) People : Beware of unknown users who want to 'help'. Frequently, they just desire root access, or worse. You will probably need a lot of help in the first few months if you aim to setup a good shell service. Fortunately, there are a lot of existing shell service admins who are around and will help you if you ask. (by "help" I do not mean doing anything on your server, I mean offering suggestions as to how to solve some difficult problems which you have already read about extensively before asking for help).

One big tip is that the harder you make it to get an account on your system:
a) the more good users will respect your rules/accounts
b) the more difficult bad users will find it trying to get onto your system
c) the more effective deletions/bans are
d) the better the quality of users you tend to get
e) the more likely you are to get donations from your users
f) the more likely it will be that your users will be people you actually SEE, rather than people who only show up to ask support questions.

PLEASE, PLEASE do not have a fully automated signup process! I've seen a lot of providers do this, and I can't remember the last time where it did not lead to evil things happening later! Worst of all is signups via a suid root script you write yourself......... PLEASE don't do this! I've seen so many people do it and it led to disaster, that there is just no way I'd ever suggest anyone do this! Checking users out before adding them is a GOOD IDEA!

If you want to chat to me or many of the other admins of large free shell providers currently on the internet, try hanging around ShellsNet.org, and making it known you are a new admin, and we will add you to the 'admin' forum/channels, that we use to help each other.

Admining can be really fun - I know I enjoy it.
The most important thing to remember though, is that it comes with a lot of responsibility!
That, and you'd be welcome on ShellsNet. We do try to help out the newer admins a lot, both directly (by offering them help with various things) and indirectly (by filtering out abusers from the IRC network so that the crackers/spammers/evildoers are kept away).

Good luck with your project, and I hope I'll see you around sometime.

--Ashen
-Founder - moonlightglade.net, themlg.net - aka "MLG", the free shells provider
-Founder - shellsnet.org, aka "SN", the free shells network, as promoted by bylur.net
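
The trade-off discussed in posts #6 to #8, as an added example that is not part of any post in this thread: the web process only validates and queues a signup request, and a separate helper, run as root by the admin after checking the applicant, re-validates the name and creates the account, so nothing setuid sits behind the signup button. The spool path, the function names, the reserved-name list and the 3-16 character rule are assumptions; the check is an allowlist rather than a "no spaces" filter, since names such as `bob;id` or `-rf` contain no spaces.

```shell
#!/bin/sh
# Added example: the web process only queues requests; a root-run helper creates
# accounts after the admin approves. Paths and function names are assumptions.
LC_ALL=C; export LC_ALL                      # make [a-z] mean ASCII only
SPOOL=${SPOOL:-/var/spool/signup}            # hypothetical queue directory

# Allowlist: 3-16 chars, first a lowercase letter, rest [a-z0-9_-].
valid_username() {
    name=$1
    [ "${#name}" -ge 3 ] && [ "${#name}" -le 16 ] || return 1
    case $name in
        [!a-z]*)        return 1 ;;          # a leading '-' would be parsed as an option
        *[!a-z0-9_-]*)  return 1 ;;          # ; $ ` / space, newline, etc.
        root|daemon|bin|nobody|www-data) return 1 ;;   # constructed reserved list
    esac
}

# Runs as the unprivileged web user: validate, then write a request file.
# Prints the path of the queued request on success.
queue_request() {
    valid_username "$1" || return 1
    req=$(mktemp "$SPOOL/req.XXXXXX") || return 1
    printf '%s\n' "$1" > "$req" && printf '%s\n' "$req"
}

# Runs as root from the admin's terminal. The spool is writable by the web
# user, so its contents are untrusted and are validated again here.
# Prints the command instead of running it unless APPLY=1 is set.
approve_request() {
    IFS= read -r name < "$1" || return 1
    valid_username "$name" || { echo "rejected: bad name" >&2; return 1; }
    id "$name" >/dev/null 2>&1 && { echo "rejected: exists" >&2; return 1; }
    set -- useradd -m -s /bin/sh -- "$name"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}
```

The name is passed to `useradd` as a single quoted argument after `--`, never interpolated into a command string, so the validation is a second layer rather than the only one.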
 
Old 04-12-2005, 08:08 PM   #9
auximini
Member
 
Registered: Dec 2003
Location: Calgary, AB
Distribution: Any!
Posts: 146

Rep: Reputation: 18
Well put
 
  



All times are GMT -5.