Openbsd.FilePermissions 23 KB

version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:85.0) Gecko/20100101 Firefox/85.0
author=Nate S
charset=UTF-8
csum=
ctime=1608358180
host=199.66.14.109
name=Openbsd.FilePermissions
rev=37
targets=Openbsd.Setuid
text=(:title Secure File Permissions:)

!! Who Privacy

On shell accounts, it is possible to snoop around to see which users are logged in and what their home IPs are:

[@
$ who
username1 ttyp0 Jan 25 03:17 (192.168.0.1)
username2 ttyp6 Jan 25 03:35 (10.0.0.1)
@]

This is quite dangerous for user privacy, so we recommend disabling world read access:

[@
$ doas chmod o-rwx /var/run/utmp /var/log/wtmp*
$ who
who: /var/run/utmp: Permission denied
@]

Now users cannot see other IPs so easily. The downside is that commands like uptime, which read the same file, also break:

[@
$ uptime
uptime: /var/run/utmp: Permission denied
@]

There is unfortunately no way to prevent users from viewing other users' processes. See the mailing list archive ([[https://marc.info/?l=openbsd-tech&m=148089896932537&w=2|marc.info]] and [[http://openbsd-archive.7691.n7.nabble.com/KERNEL-PATCH-add-process-hiding-fixed-td309339.html|nabble.com]]).

!! Hiding logs

We want to hide our logs from prying eyes:

[@
# chmod -R o-rwx /var/log/ /var/www/logs/
# chown -R _smtpd:_dovecot /etc/mail
# chmod -R o-rx /etc/mail
@]

!! Hiding home folders

Make sure to check file permissions for folders in /home:

[@
# chmod o-rx /home/botnow
# usermod -G znc botnow
# usermod -G znc _identd
# chown -R znc:znc /home/znc
# chmod -R o-rx /home/znc/home/znc/.znc
@]

!! Hiding /var

Hide data related to botnow:

[@
# chown -R botnow:daemon /var/www/botnow/ /var/www/htdocs/botnow/
@]

!! Hiding /etc

[@
# cd /etc
# chmod -R o-rx X11 acme acme-client.conf adduser.conf amd authpf doas.conf
@]

!! SUID Binaries

Check for any unexpected [[openbsd/setuid|SUID binaries]] with:

[@
# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
@]

'''WARNING''': If you see any other binaries, then watch out! You may want to delete the packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.

'''WARNING''': If you installed LaTeX, you will find this new setuid root program:

[@
-rwsr-x--- 1 root _dbus - 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
@]

To prevent this, clear the setuid bit:

[@
$ doas chmod 0750 /usr/local/libexec/dbus-daemon-launch-helper
$ ls -lh /usr/local/libexec/dbus-daemon-launch-helper
-rwxr-x--- 1 root _dbus 73.9K Apr 19 12:36 /usr/local/libexec/dbus-daemon-launch-helper
@]

!! Checking Group Permissions

# Check /etc/group to make sure that no unauthorized user is a member of wheel. Otherwise, they could use su to become root.
# As soon as a team member leaves, remove them from wheel and from doas.conf.

Check /etc/doas.conf to make sure only authorized users are listed, and don't allow others to read doas.conf:

[@
$ doas chmod o-r /etc/doas.conf
@]

In /etc/ssh/sshd_config, turn off X11 forwarding.
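As an added example (not part of the wiki page or of OpenBSD itself), a small POSIX sh audit helper that automates two of the checks above: comparing `find / -perm -4000` output against the stock setuid list given on the page, and reporting any of the hidden paths (utmp, /var/log, /var/www/logs, doas.conf, /etc/mail) that still grant access to "other". Function names are my own, and the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added audit helper for the checks on this page (example code, not from
# the page or from OpenBSD). POSIX sh; all function names are my own.

# Baseline: the setuid binaries a stock OpenBSD install ships, as listed
# on this page. Anything else in "find / -perm -4000" output is suspect.
EXPECTED_SUID='/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown'

# unexpected_suid: read one path per line on stdin (the output of
# "find / -perm -4000") and print every path that is not in the baseline.
# Returns 0 when the list is clean, 1 when something unexpected was found.
unexpected_suid() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$EXPECTED_SUID" | grep -qFx -- "$path"; then
            printf '%s\n' "$path"
            rc=1
        fi
    done
    return "$rc"
}

# world_access: print the "other" permission triplet of a path, e.g. "r-x",
# taken from ls(1) so it behaves the same on OpenBSD and Linux.
world_access() {
    ls -ld -- "$1" | cut -c8-10
}

# audit_world_access: for each path given, print "<bits> <path>" when any
# other-user bit is still set (i.e. the chmod o-rwx from the page has not
# been applied). Missing paths are skipped. Returns 1 if anything was found.
audit_world_access() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        bits=$(world_access "$f")
        if [ "$bits" != "---" ]; then
            printf '%s %s\n' "$bits" "$f"
            rc=1
        fi
    done
    return "$rc"
}

# Typical use on the server itself (as root), constructed here as comments:
#   find / -perm -4000 | unexpected_suid
#   audit_world_access /var/run/utmp /var/log /var/www/logs /etc/doas.conf /etc/mail
# A freshly installed dbus-daemon-launch-helper would show up in the first
# command's output; a world-readable doas.conf shows up as "r-- /etc/doas.conf".
```

Both functions only report; apply the chmod commands from the page yourself once you have reviewed what they print.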
time=1629426028
title=Secure File Permissions
author:1629426028=Nate S