Firstly, thanks for the in-depth answer. One of my favourite things about Linux is the communities.
Could I not restrict access to web browsers and ftp and only supply them the psybnc.tar.gz... that way they'd only be able to compile the psybnc and nothing more?
Yes, you're right: you could not :-]
I thought I read you're talking on the subject of shell accounts? How would you restrict them from downloading (read: links, lynx, wget, HTTP PUT, ftp, scp, sftp) another tarball, compiling and running it? And I'm not even talking about exploiting conditions, like having ftp put something somewhere on the filesystem if you're not using Vsftp with chrooted users.
The reason for the tight security is to try and deter the idiots who decide that attacking my box would be amusing. I understand that there's no way you can stop a determined hacker, but you can at least put the n00bies off using security measures.
Where do I sign up for an account? :-]
Seriously, how would you be able to define what a newbie's capabilities are, and that at a time when you're not even done securing the base system? First take care of that I'd say.
I know, it seems a "daunting task" to do, and there's lotsa things under the sun you'll not be looking at, but take for instance simple measures you can provide like GRsecurity's TPE (trusted path execution). If I put a binary in /tmp (and it's mounted ro,noexec,nodev,nosuid) ld-linux.so might let you execute it. With TPE it just won't...
Also thanks for giving me a nudge in the right direction concerning resource hogging etc as I will have to approach that as soon as I am finished with the shell access.
Please don't make the mistake of prioritizing things in reverse.
First harden, secure the system itself, then secure the system users and daemons, the wetware comes after that.
Next to the first sticky thread, which may seem a bit overkill at first glance, this thread touches on the basics, like many other threads here in Linux - Security; just browse a few pages back and read.
So I could setup a chroot account which is designed only to compile the psybnc code? How would I create the script that would only compile psybnc? When you say a 'holding area' what do you mean?
I'd envision it goes something like this.
Make a regular chroot. Put in the gcc development packages.
Let the user have a passphrase-less SSH account, and make it not execute login, but a script, run from a static shell. Busybox provides a good compact one, including most "std" tools.
Chattr +iu everything outside /home/user. In /home/user make a dir where the psy source will live and chattr +iu. Make a compilation dir and link in the source tree from the psy source dir except the files where people are allowed to make modifications for.
Now the fun part should go like this. User logs in, script gets executed asking for changes. If ok, save changes and logout user.
Validate input, sed, awk, copy changed files to compilation dir, do the compile limbo, tarball it up, including stuff they would want like the salt etc etc., and move to a place where they can download it, like your ftp server, IOW a holding area.
The *real* fun part should be making the input validation script, because there'll be a few who will try to see if they can sneak in commands or other stuff you don't want. If you find that is the case, stop parsing, suspend and remove their account. Simple.
Making the script shouldn't be hard, depending on what exactly needs changing. If you're willing to make a little project out of it and document it in a way other people at LQ can reuse later on, I'm willing to help you write the script parts. Well, I'd be willing to help anyway, but a well-documented solution (doesn't need to be more than 2 pages) should earn your work a spot on linuxanswers.org as well, if that counts as an incentive...
The other option of creating a ssl web interface is beyond my skills and I wouldn't know where to start.
Apache-SSL and a Perl script (by a Perl pro) most likely.
It's a stand-off between what people want and what you can risk giving...
It'll only be a standoff if you take care of the system first, and then the users. Else it'll be an onslaught, a carnage, killing fields where the only Wailing and Gnashing of Teeth will be yours, or at least it'll be like leaving home w/o your pants or djebellah on (provided you're part of a society that supports, and is committed to, the general idea of clothing and you are accustomed to wearing any).
Good indications to look at for the project heading that way are phrases like "I'll look into it", "I'll do that after <excuse>", "but I first need to get <excuse> done NOW", "that's too much hassle", "that won't happen" and "but I've got (a firewall|portsentry|distro X)".
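As an added illustration of the "validate input, then copy to the compilation dir, and stop parsing on the first thing you don't like" part of the reply above (this is example code written for this page, not a script from the poster or from LQ): a POSIX sh handler that a restricted, chrooted account would run instead of a login shell. It reads KEY=VALUE lines from a request file, accepts only an allowlist of keys with tightly shaped values, refuses the whole request on the first bad line, and only then stages the settings into the compile directory, so a half-validated file never lands there. The key names (LISTEN_PORT, LISTEN_HOST, NICK), the file name user.conf and the function names are assumptions made for the example, not psyBNC's own configuration format.

```shell
#!/bin/sh
# Restricted change-request handler (example code, not from the original post).
# Intended to be the forced command/login script of a chrooted, single-purpose
# account: it never hands the user a shell, and every value it passes on has
# been checked against a strict shape, so nothing can be "sneaked in".
set -u

# Hypothetical allowlist of settings the user may change (assumption for the example).
ALLOWED_KEYS="LISTEN_PORT LISTEN_HOST NICK"

# is_allowed_key KEY -> 0 if KEY is exactly one of ALLOWED_KEYS.
is_allowed_key() {
    for k in $ALLOWED_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# validate_value KEY VALUE -> 0 only if VALUE has the strict shape expected for KEY.
# Allowlisting characters (rather than blocklisting ';', '$(' etc.) is what
# keeps shell metacharacters, newlines and CRs out of anything written later.
validate_value() {
    key=$1; val=$2
    case $key in
        LISTEN_PORT)
            case $val in ''|*[!0-9]*) return 1 ;; esac
            [ ${#val} -le 5 ] && [ "$val" -ge 1024 ] && [ "$val" -le 65535 ] ;;
        LISTEN_HOST)
            case $val in ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;; esac
            [ ${#val} -le 253 ] ;;
        NICK)
            case $val in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
            [ ${#val} -le 16 ] ;;
        *) return 1 ;;
    esac
}

# validate_request FILE -> prints the accepted KEY=VALUE lines on stdout.
# On the first bad line it prints a REJECT message to stderr and returns 1:
# parsing stops there, which is the hook for suspending the account.
validate_request() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac     # blank lines and comments are fine
        case $line in
            *=*) ;;
            *) echo "REJECT line $n: not KEY=VALUE" >&2; return 1 ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        is_allowed_key "$key" || { echo "REJECT line $n: key '$key' not allowed" >&2; return 1; }
        validate_value "$key" "$val" || { echo "REJECT line $n: bad value for $key" >&2; return 1; }
        printf '%s=%s\n' "$key" "$val"
    done < "$1"
}

# stage_request REQUEST_FILE COMPILE_DIR -> writes COMPILE_DIR/user.conf atomically.
# The validated output goes to a temp file first; it is only renamed into place
# when the whole request passed, so a rejected request leaves nothing behind.
# This is the point where the compile, tarball and move-to-holding-area steps
# from the post would follow.
stage_request() {
    req=$1; cdir=$2
    mkdir -p "$cdir" || return 1
    tmpf="$cdir/.user.conf.tmp"
    if validate_request "$req" > "$tmpf"; then
        mv "$tmpf" "$cdir/user.conf"
    else
        rm -f "$tmpf"
        return 1
    fi
}
```

In use, the SSH account's forced command would call stage_request on the file the user just submitted, and a non-zero return is the signal to log the rejected line and disable the account rather than to retry. Because values are validated by an allowlist of characters and a length cap before they are ever written, the later sed/awk and compile steps never see user-controlled shell syntax.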