Page history (wiki blame view), snapshot taken Sun Oct 2 04:00:24 2022 UTC, message "Daily backup". The page text below is the revision dated 2021-12-17.
(:title Secure File Permissions:)

!! Who Privacy

On a shared shell server, any user can see who else is logged in and the addresses they connected from, because the login records /var/run/utmp and /var/log/wtmp are world-readable by default:

[@
$ who
username1 ttyp0 Jan 25 03:17 (192.168.0.1)
username2 ttyp6 Jan 25 03:35 (10.0.0.1)
@]

This exposes every user's home IP address to everyone else on the box, so we recommend removing world access from the login records:

[@
$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied
@]

Now users cannot see each other's IPs so easily. The downside is that other commands which read utmp, such as uptime and w, break for unprivileged users too:

[@
$ uptime
uptime: /var/run/utmp: Permission denied
@]

These modes do not persist on their own: /var/run/utmp is recreated at boot, and newsyslog recreates the rotated wtmp files with the mode listed in /etc/newsyslog.conf. Re-apply the chmod from /etc/rc.local and change the wtmp mode in newsyslog.conf, then confirm after the next reboot and log rotation that the files are still not world-readable.

There is unfortunately no way to prevent users from viewing other users' processes with ps or top: a kernel patch to hide processes was discussed on openbsd-tech but is not part of the base system. See the mailing list archive ([[https://marc.info/?l=openbsd-tech&m=148089896932537&w=2|marc.info]] and [[http://openbsd-archive.7691.n7.nabble.com/KERNEL-PATCH-add-process-hiding-fixed-td309339.html|nabble.com]]).

!! Hiding logs

Logs record usernames, IP addresses and mail traffic, so we want to hide them, and the mail configuration, from prying eyes:

[@
# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# chmod -R o-rx /etc/mail
@]

As with wtmp above, newsyslog creates each rotated log with the mode column from /etc/newsyslog.conf, so change those modes as well (for example 644 to 640) or the next rotation makes the logs world-readable again. After changing the ownership of /etc/mail, confirm the daemons can still read their configuration: doas smtpd -n checks smtpd.conf, and doas rcctl restart dovecot should succeed.

!! Hiding home folders

Make sure to check file permissions for folders in /home. In this example botnow and the identd daemon need to read znc's files, so they are added to the znc group and world access is removed:

[@
# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc
@]

usermod -G replaces the user's secondary group list rather than appending to it, so run id botnow and id _identd afterwards and confirm no group membership they still need was dropped.

!! Hiding /var

Hide data related to botnow by giving it to that user:

[@
# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/
@]

Changing the owner by itself does not remove world access. Anything httpd must serve has to stay readable by the www user, so only drop other-access (chmod -R o-rwx) on the parts of the tree that are not served.

!! Hiding /etc

Some files in /etc reveal configuration that is useful to an attacker (the doas rules, acme certificate setup, X11 and authpf settings) and do not need to be world-readable:

[@
# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf
@]

Do not do this for /etc as a whole: many files there (passwd, group, services, resolv.conf, ssh/ssh_config and others) must stay world-readable for ordinary programs to work. After each change, log in as an unprivileged user and check that nothing broke.

!! SUID Binaries

Check for any unexpected [[openbsd/setuid|SUID binaries]]. On a base OpenBSD install the list should contain only the following:

[@
# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
@]

'''WARNING''': If you see any other binaries, then watch out! Find out which package created them (pkg_info -E on the file), and either remove that package or remove the setuid bit from the file. An unexpected setuid root binary can be a serious security risk to your server.

'''WARNING''': If you installed LaTeX, the dbus package comes with it, and this is the new setuid root program:

[@
-rwsr-x--- 1 root _dbus - 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
@]

To remove the setuid bit:

[@
$ doas chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper
-rwxr-x--- 1 root _dbus 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
@]

Without setuid the system bus can no longer launch services as other users, which a shell server does not need. Package updates (pkg_add -u) reinstall the file with its packaged mode, so repeat the find after every update. Setgid binaries deserve the same review: find / -perm -2000.

!! Checking Group Permissions

# Check /etc/group to make sure that no unauthorized user is a member of wheel. Otherwise, they could use su to get root powers (on OpenBSD su to root requires wheel membership in addition to the root password).
# As soon as a team member leaves, make sure to remove them from wheel and from doas.conf.

Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:
[@
$ doas chmod o-r /etc/doas.conf
@]

In /etc/ssh/sshd_config, turn off X11 forwarding by setting X11Forwarding no, then reload the daemon with doas rcctl reload sshd.
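The following script is an added example for the "Hiding ..." sections and the SUID check above; it is not code from the original page. It turns the two manual checks into functions: one lists everything under a set of paths that still grants any permission to "other", the other lists setuid/setgid files and reports those missing from a known-good baseline (the page's own list is the natural baseline). The directory tree built under mktemp is constructed for the demo; on a real server you would run the functions as root against / and the real sensitive paths, and keep the baseline file under version control.

```shell
#!/bin/sh
# Added example, not from the original page: audit a tree for entries still
# reachable by "other" and for setuid/setgid files missing from a baseline.
# The layout built under mktemp is constructed for the demo.
export LC_ALL=C   # stable sort/comm collation across hosts

# Every file or directory under the given paths that grants any permission
# to "other". Octal -perm tests work on both OpenBSD find(1) and GNU find.
world_accessible() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" \( -perm -004 -o -perm -002 -o -perm -001 \)
    done | sort
}

# Number of such entries (0 means the tree is private to owner and group).
world_accessible_count() {
    world_accessible "$@" | awk 'END { print NR }'
}

# Regular files with the setuid or setgid bit under $1, printed relative to
# $1 so inventories from different hosts compare cleanly. -xdev stays on one
# filesystem; list extra mount points (/usr/local, /home) explicitly.
suid_inventory() {
    ( cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) ) \
        | sed 's|^\./|/|' | sort
}

# Inventory entries not present in the sorted baseline file $2.
suid_unexpected() {
    suid_inventory "$1" | comm -23 - "$2"
}

# ---- demo on a constructed tree standing in for /var/log, /etc/mail and / ----
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/var/log" "$demo/etc/mail" "$demo/usr/bin" "$demo/usr/local/libexec"
printf 'Jan 25 03:17:00 sshd[1]: Accepted publickey for username1 from 192.168.0.1\n' \
    > "$demo/var/log/authlog"
printf 'listen on lo0\n' > "$demo/etc/mail/smtpd.conf"
chmod 755 "$demo/var/log" "$demo/etc/mail"
chmod 644 "$demo/var/log/authlog" "$demo/etc/mail/smtpd.conf"

# Setuid files: two expected ones, one surprise, and one ordinary binary.
for f in usr/bin/doas usr/bin/passwd usr/bin/ls usr/local/libexec/dbus-daemon-launch-helper; do
    : > "$demo/$f"
done
chmod 4755 "$demo/usr/bin/doas" "$demo/usr/bin/passwd"
chmod 755  "$demo/usr/bin/ls"
chmod 4750 "$demo/usr/local/libexec/dbus-daemon-launch-helper"
printf '%s\n' /usr/bin/doas /usr/bin/passwd | sort > "$demo/suid.baseline"

before=$(world_accessible_count "$demo/var/log" "$demo/etc/mail")   # 4 entries
chmod -R o-rwx "$demo/var/log" "$demo/etc/mail"                    # the page's fix
after=$(world_accessible_count "$demo/var/log" "$demo/etc/mail")    # 0 entries
unexpected=$(suid_unexpected "$demo" "$demo/suid.baseline")
# unexpected is /usr/local/libexec/dbus-daemon-launch-helper
echo "world-accessible before: $before, after: $after"
echo "setuid/setgid not in baseline: $unexpected"
```

Run the world_accessible check again after a reboot and after the weekly newsyslog rotation; if it starts listing files under /var/log again, the modes in /etc/newsyslog.conf have not been changed. The setuid baseline is a plain sorted text file, so a package update that reintroduces a setuid helper shows up as a one-line diff.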
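For the "Checking Group Permissions" section, here is an added example (not code from the original page) that lists everyone who can reach root through wheel, and therefore su, or through a permit rule in doas.conf, and flags anyone not on an allowed list, so a departed teammate left in either place shows up. The group file and doas.conf contents are constructed for the demo; on a real host pass /etc/group and /etc/doas.conf. The doas.conf parser handles the option keywords documented in doas.conf(5) (nopass, persist, keepenv, nolog and setenv { ... }) and expands :group identities through the group file.

```shell
#!/bin/sh
# Added example, not from the original page: who can become root via wheel
# or doas.conf, minus an allowed list. Inputs below are constructed.
export LC_ALL=C

# Members of group $2 from an /etc/group-format file $1, one per line.
group_members() {
    awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1"
}

# Identities named in "permit" rules of doas.conf $1: a user name or :group.
# Rule options (nopass, persist, keepenv, nolog, setenv { ... }) precede the
# identity and are skipped; "deny" rules and comments are ignored.
doas_permitted() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "permit" {
            i = 2
            while (i <= NF) {
                if ($i ~ /^(nopass|persist|keepenv|nolog)$/) { i++; continue }
                if ($i == "setenv") { while (i <= NF && $i !~ /}$/) i++; i++; continue }
                break
            }
            if (i <= NF) print $i
        }
    ' "$1"
}

# Users who can become root via wheel or doas but are not in the allowed
# list given as the remaining arguments. :group identities are expanded.
root_capable_unexpected() {
    groupfile=$1; doasconf=$2; shift 2
    allowed=$(printf '%s\n' "$@")
    {
        group_members "$groupfile" wheel
        doas_permitted "$doasconf" | while read -r id; do
            case $id in
                :*) group_members "$groupfile" "${id#:}" ;;
                *)  printf '%s\n' "$id" ;;
            esac
        done
    } | sort -u | while read -r id; do
        printf '%s\n' "$allowed" | grep -qx -- "$id" || printf '%s\n' "$id"
    done
}

# ---- demo with constructed files ----
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/group" <<'EOF'
wheel:*:0:root,username1,olduser
daemon:*:1:
znc:*:1001:botnow,_identd
EOF
cat > "$demo/doas.conf" <<'EOF'
# who may run commands as root
permit persist username1 as root
permit nopass setenv { ENV=/etc/profile } :znc cmd /usr/local/bin/znc
permit nopass contractor as root cmd /usr/sbin/rcctl
deny olduser
EOF

# Authorised root-capable accounts are root and username1; everyone printed
# here needs to be removed from wheel or from doas.conf.
root_capable_unexpected "$demo/group" "$demo/doas.conf" root username1
```

In the demo, olduser is caught even though doas.conf denies them, because wheel membership alone is enough for su; botnow and _identd are caught because the :znc rule lets the whole group run a command as root. A rule with a cmd restriction still counts here, since a root-run command is only as safe as that command's own argument handling.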