Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
I'm trying to set up all my server's key programs (ssh, httpd, cups, etc) to run under their own restricted user. The only problem is that, for example, when (as root) I enter "sudo -u sshd /usr/sbin/sshd" to start ssh without it ever having root priveleges, it fails to initialize and auth.log says that it can't bind to port 22 - access denied. (I'm using Mandrake 10.0, set to "higher security", system is also configured to be generally paranoid).
So, how can I give certain users (httpd, sshd, proftpd) access to only the ports they need to run?
Some daemons can be started as root and then, after binding to a privileged port, drop the root privileges and run as some unprivileged user, like sshd. Try reading manuals or googling. Btw, ssh has some intelligent privilege separation system, so if you're using the most recent version and if it won't offend your paranoia, you can just run it as root.
maybe you could do some iptables magic and redirect all the traffic that comes to the well known <1024 ports to higher ports so that you programs don't need to have setuid bit. And don't forget to redirect the output of those ports to the ports the cliente program expects or you will break comunications.
didn't actually test it, it is just supposed to get you going. Theorically it should redirect incoming web traffic to your apache to your apache that is running in port 6666 without the cliente browser noticing anything.
I tried using the IPtables suggestion, and then realized that on Mandrake I can just edit /etc/shorewall/rules - Added redirects for inbound/outbound port 80/6666 to 6666/80 respectively, just tested it, and it seems to work.. The main problem was that user apache lacked write access to the logfiles and /var/run/httpd - solved those. Now I just need to make sure that it works elsewhere and I can start changing ssh and cups over.
And yes, it's true that when I start httpd as root it creates one root process and then spawns other processes under user 'apache', and that I've enabled privelege separation for sshd, but I'm still uncomfortable with having any more root processes than absolutely necessary. (Presumably that'd be bad if the process table were corrupted by a cracker).
Anyway, thanks again for the inspiration! btw, the server is ejksdesktop.homelinux.com - can someone confirm that it works (ie loads)?