Unfortunately no one can be told what fun_plug is - you have to see it for yourself.
I'm currently using a DNS-323 as a web server using lighttpd, php, and mysql and it's working very well. However, lighttpd and mldonkey were running as root, which is a security risk if I consider actually forwarding the port from the internet. I'm on fun_plug 0.5 and have moved mldonkey.sh and lighttpd.sh to a separate start folder (startnobody), modified the rc script to also check that folder and run as nobody using sudo/su. I've also had to make some permission changes to /tmp to ensure "nobody" can access it.
Right now everything seems to be running fine with the web server and mldonkey running as nobody, but there were a bit of script changes, so I wanted to know if anyone else has done this or if you can think of a simpler solution.
Another thing you can do for more security is run them in a chroot environment. This way access is limited to the root that you specify.
EDIT -- To clarify, I mean run it in a chroot as nobody, not just in a chroot.
Last edited by bq041 (2008-05-22 15:17:22)
bq041 wrote:
Another thing you can do for more security is run them in a chroot environment. This way access is limited to the root that you specify.
Adrian Bunk disagrees: http://kerneltrap.org/Linux/Abusing_chroot
I do not disagree with him, but the assumption is that the services are running as root in a chroot. If you start the service as nobody inside a chroot, then the service should be jailed effectively. This is why I said 'another thing you can do...' not 'do this instead'. It adds an extra couple of steps a hacker has to walk through. It is not perfect and any security can be hacked given a competent hacker and enough time. My philosophy is to try to make it too hard for a novice, and too time consuming with small subtle things that a competent hacker doesn't want to deal with.
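Added example, not code from any post in this thread: a shell check for the two properties discussed above, that a daemon has fully dropped root and that it runs inside a chroot. The function names, the sample pids, uid 99 and the /mnt/jail path are constructed for illustration; the check reads the standard Linux `/proc/<pid>/status` and `/proc/<pid>/root` entries.

```shell
#!/bin/sh
# Added example. Sample pids, uid 99 and /mnt/jail are constructed values.

# Build a constructed /proc-like tree with three sample daemons.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/101" "$d/102" "$d/103"
    printf 'Name:\tlighttpd\nUid:\t0\t0\t0\t0\n'     > "$d/101/status"
    printf 'Name:\tmldonkey\nUid:\t0\t99\t0\t99\n'   > "$d/102/status"
    printf 'Name:\tlighttpd\nUid:\t99\t99\t99\t99\n' > "$d/103/status"
    ln -s / "$d/101/root"
    ln -s /mnt/jail "$d/102/root"
    ln -s /mnt/jail "$d/103/root"
    echo "$d"
}

# audit_daemon PROC PID: print the verdict, return 0 only if both hold.
audit_daemon() {
    proc=$1; pid=$2
    status="$proc/$pid/status"
    [ -r "$status" ] || { echo "unknown"; return 2; }
    # Uid: holds real, effective, saved and filesystem uid. A 0 in any
    # slot means the process still has root rights or can regain them.
    uids=$(awk '$1 == "Uid:" { print $2, $3, $4, $5 }' "$status")
    priv=dropped
    [ -n "$uids" ] || priv=unknown
    for u in $uids; do
        case $u in 0) priv=root ;; esac
    done
    # /proc/<pid>/root is a symlink to the process's root directory.
    # Reading it for another user's process needs root on a live system.
    rootdir=$(readlink "$proc/$pid/root" 2>/dev/null) || rootdir=
    case $rootdir in
        "") jail=unknown ;;
        /)  jail=none ;;
        *)  jail=chroot ;;
    esac
    echo "uid=$priv jail=$jail"
    [ "$priv" = dropped ] && [ "$jail" = chroot ]
}

# Demo on the constructed tree; pass /proc and a real pid on a live box.
sample=$(make_sample_proc)
for p in 101 102 103; do
    printf '%s: ' "$p"
    audit_daemon "$sample" "$p" || true
done
rm -rf "$sample"
```

Sample pid 102 is the case worth noticing: its effective uid is 99 but the real and saved uids are still 0, so it is reported as root even though it sits in a chroot.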