(:title Secure File Permissions:)

!! Who Privacy

On a shell server, any user can see who else is logged in and the IP address each session came from:

[@
$ who
username1 ttyp0 Jan 25 03:17 (192.168.0.1)
username2 ttyp6 Jan 25 03:35 (10.0.0.1)
@]

This is a privacy problem for users, so we recommend removing world read access from the login records:

[@
$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied
@]

Now users cannot see each other's IPs so easily. The downside is that every unprivileged tool that reads these files breaks too, not just who: uptime and w read utmp, and last reads wtmp:

[@
$ uptime
uptime: /var/run/utmp: Permission denied
@]

Two things silently undo this change. /etc/rc recreates /var/run/utmp with mode 664 at every boot, so re-apply the chmod from /etc/rc.local, and newsyslog(8) creates each rotated wtmp with the mode given in /etc/newsyslog.conf, so change the mode column of the wtmp entry there. Also check /etc/mtree/special: the daily security(8) run reports any file listed there whose mode differs from the list, so if utmp or wtmp appear there, update their entries to match.

There is unfortunately no way to prevent users from viewing each other's processes: OpenBSD does not implement process hiding, and a kernel patch to add it was discussed on the mailing lists but never went in, so ps still shows every user's command lines to everyone. See the mailing list archive ([[https://marc.info/?l=openbsd-tech&m=148089896932537&w=2|marc.info]] and [[http://openbsd-archive.7691.n7.nabble.com/KERNEL-PATCH-add-process-hiding-fixed-td309339.html|nabble.com]]).

!! Hiding logs

We want to hide our logs from prying eyes:

[@
# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# chmod -R o-rx /etc/mail
# chown root:wheel /etc/mail/smtpd.conf
# chmod 0640 /etc/mail/smtpd.conf
@]

Some caveats. Removing world read from /var/log breaks unprivileged tools that read files there (last reads wtmp, for example), and an unprivileged daemon that writes its own log under /var/log still needs search (x) permission on the directory, so give such a daemon group access rather than restoring world access. The chown of /etc/mail gives the _smtpd account ownership of, and therefore write access to, everything in that directory, although the unprivileged smtpd lookup process only needs to read tables such as aliases.db. Re-owning smtpd.conf to root (the last two lines) stops a compromised smtpd child from rewriting the configuration that the root-owned parent parses on its next start; smtpd never needs to read that file as _smtpd.

!! Hiding home folders

Make sure to check file permissions for folders in /home. A world-searchable home directory lets every local user read any world-readable file inside it, dotfiles included:

[@
# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc
@]

usermod -G adds botnow and _identd to the znc group, which gives both accounts read access to anything in .znc that is group-readable, znc.conf included, so keep that group to the accounts that actually need it. adduser(8) creates new home directories with the mode given by homeperm in /etc/adduser.conf, so set that once instead of fixing each new account by hand.

!! Hiding /var

Hide data related to botnow:

[@
# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/
@]

chown only changes the owner; the files stay world-readable until you also drop the other bits (chmod -R o-rwx on the same paths). /var/www is httpd's chroot, and whatever is served from /var/www/htdocs/botnow must stay readable by the www user, so leave the public files out of that chmod.

!! Hiding /etc

[@
# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf
@]

These files are read by root or by root-started daemons, so nothing unprivileged should need them; /etc/acme holds the ACME account private keys and is the most sensitive item on the list. doas(1) itself refuses a doas.conf that is not owned by root or is writable by group or other, so removing the other read bit is the only change it needs. If users run X clients on this host they need to read /etc/X11; on a headless shell server that does not matter.
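To verify the chmod and chown steps above, here is an added check (example code, not from the original page) that lists what is still exposed to "other" below a set of directories: world-readable regular files and world-searchable directories. The paths it scans are whatever you pass as arguments; the temporary tree it builds for its own demonstration is constructed here and is not data from any real host.

```shell
#!/bin/sh
# Added example, not from the original page: report what other users can still
# reach under the given paths. Uses only find(1) primaries that exist on both
# OpenBSD and GNU find.

# world_exposed DIR...: print world-readable regular files (o+r) and
# world-searchable directories (o+x) below each DIR, sorted, one per line.
world_exposed() {
    find "$@" \( \( -type f -perm -004 \) -o \( -type d -perm -001 \) \) -print 2>/dev/null | sort
}

# demo_tree: build a constructed sample tree (assumption: a temp dir is fine)
# with one properly hidden directory and one public one, and print its path.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/private" "$d/public"
    : > "$d/private/znc.conf"
    : > "$d/public/index.html"
    chmod 750 "$d/private"; chmod 640 "$d/private/znc.conf"   # hidden from other
    chmod 755 "$d/public";  chmod 644 "$d/public/index.html"  # still world-visible
    printf '%s\n' "$d"
}

# Usage on a real host: sh exposed.sh /var/log /var/www/logs /etc/mail /home
if [ $# -gt 0 ]; then
    world_exposed "$@"
fi
```

Run it after each hardening step; an empty result for /var/log, /var/www/logs and /etc/mail means the intent of this page has been achieved, and anything it prints under /home is a directory or file another user can read.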
!! SUID Binaries

Check for any unexpected [[openbsd/setuid|SUID binaries]] with:

[@
# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
@]

'''WARNING''': If you see any other binaries, find out where they came from before trusting them. pkg_info -E /path/to/file prints the package that installed a file; a setuid file that belongs to no package is a serious problem. Either remove the package that created the file or strip the setuid bit from the file itself. Note that -perm -4000 matches only setuid programs; add -perm -2000 to catch setgid ones as well, and -type f to skip directories.

'''WARNING''': If you installed LaTeX, the dbus package it pulled in adds a new setuid-root program:

[@
-rwsr-x--- 1 root _dbus - 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
@]

This helper exists so the D-Bus system bus can start services as other users, which a LaTeX install does not need. To remove the setuid bit:

[@
$ doas chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper
-rwxr-x--- 1 root _dbus 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
@]

pkg_add reinstalls files with their packaged modes, so the next update of dbus restores the setuid bit; repeat the check after every package update.
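Rather than eyeballing the find output after each package update, compare it against a known-good list. The following is an added example (not code from the original page): the baseline is the base-system list above, the scan also picks up setgid programs, and the sample scan result it ships with is constructed, not taken from a real host. The SUID_SCAN environment variable is this script's own convention for switching from the built-in sample to a live scan.

```shell
#!/bin/sh
# Added example, not from the original page: report setuid/setgid programs
# that are not in a known-good baseline.

# Known-good setuid programs: the base-system list shown on this page. Add the
# setgid programs from your own first scan (e.g. the setgid-tty ones) as well.
BASELINE='/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown'

# scan_privileged: every regular file with the setuid or setgid bit set, on
# every mounted filesystem. Run as root so nothing is skipped.
scan_privileged() {
    find / -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort -u
}

# new_privileged BASELINE CURRENT: paths present in CURRENT but not in BASELINE.
# Both are newline-separated lists, so the comparison can be tested offline.
# A baseline entry missing from CURRENT is deliberately not reported.
new_privileged() {
    b=$(mktemp) && c=$(mktemp) || return 1
    printf '%s\n' "$1" | sort -u > "$b"
    printf '%s\n' "$2" | sort -u > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Constructed sample scan: the baseline plus the dbus helper from the warning above.
SAMPLE_SCAN="$BASELINE
/usr/local/libexec/dbus-daemon-launch-helper"

# Live run: SUID_SCAN=1 doas sh suidcheck.sh    (prints nothing when all is well)
if [ "${SUID_SCAN:-0}" = 1 ]; then
    new_privileged "$BASELINE" "$(scan_privileged)"
else
    new_privileged "$BASELINE" "$SAMPLE_SCAN"
fi
```

Run it from daily(8)'s /etc/daily.local or a cron job and mail yourself the output; one unexpected line is worth investigating with pkg_info -E.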
!! Checking Group Permissions

# Check /etc/group to make sure that no unauthorized user is a member of wheel. On OpenBSD su only lets members of wheel become root, so wheel membership plus the root password is full root access.
# As soon as a team member leaves, remove them from wheel and from doas.conf; a permit :wheel rule in doas.conf makes the group membership alone sufficient.

Check /etc/doas.conf to make sure only authorized users are added, and don't allow others to read doas.conf:

[@
$ doas chmod o-r /etc/doas.conf
@]

In /etc/ssh/sshd_config, turn off X11 forwarding by setting X11Forwarding no, and check that nothing later in the file sets it back to yes.
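The two checks above are easy to forget when someone leaves, so here is an added audit script (example code, not from the original page) that lists wheel members and the identities named in doas.conf permit rules, and reports any that are not on an allow-list. The sample /etc/group and doas.conf contents below are constructed for the demonstration, the allow-list is an assumption you replace with your own team, and the AUDIT_LIVE environment variable is this script's own convention for reading the real files.

```shell
#!/bin/sh
# Added example, not from the original page: audit wheel membership and
# doas.conf principals against an allow-list. Inputs are passed as strings so
# the parsing can be tested offline.

# wheel_members GROUPFILE_TEXT: print one wheel member per line.
wheel_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# doas_principals DOASCONF_TEXT: print the identity (user or :group) of every
# permit rule, skipping the option keywords that may precede it. deny rules
# and comments are ignored.
doas_principals() {
    printf '%s\n' "$1" | awk '$1 == "permit" {
        i = 2
        while (i <= NF) {
            if ($i ~ /^(nopass|nolog|persist|keepenv)$/) { i++; continue }
            if ($i == "setenv") { while (i <= NF && $i != "}") i++; i++; continue }
            print $i; break
        }
    }'
}

# not_allowed LIST ALLOWED: entries of LIST (newline-separated) that are not
# in ALLOWED (space-separated).
not_allowed() {
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case " $2 " in *" $entry "*) ;; *) printf '%s\n' "$entry" ;; esac
    done
}

# audit GROUP_TEXT DOAS_TEXT ALLOWED: one line per finding, prefixed by source.
audit() {
    not_allowed "$(wheel_members "$1")" "$3" | sed 's/^/wheel: /'
    not_allowed "$(doas_principals "$2")" "$3" | sed 's/^/doas: /'
}

# Constructed sample inputs (not from any real host): mallory is the leaver
# who was never removed.
SAMPLE_GROUP='wheel:*:0:root,alice,mallory
daemon:*:1:
znc:*:1001:botnow,_identd'

SAMPLE_DOAS='# comment line
permit persist :wheel
permit nopass alice as root cmd /usr/sbin/rcctl
permit setenv { PATH=/usr/local/bin } mallory
deny bob'

# Assumed allow-list: the current team plus the group rule you intend to keep.
ALLOWED='root alice :wheel'

# Live run: AUDIT_LIVE=1 doas sh groupaudit.sh    (doas.conf is not world-readable)
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    audit "$(cat /etc/group)" "$(cat /etc/doas.conf)" "$ALLOWED"
else
    audit "$SAMPLE_GROUP" "$SAMPLE_DOAS" "$ALLOWED"
fi
```

Any output is an account to remove. The doas parser only recognises the option keywords documented in doas.conf(5); if a rule uses a form it does not handle, it prints the first unrecognised token, which still shows up as not allowed rather than being silently skipped.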