Hello everyone! As I was reading the Linux From Scratch book, version 6.3, for the first time this weekend, I noticed that the section "4.3. Adding the LFS User" (http://www.linuxfromscratch.org/lfs/view/stable/chapter04/addinguser.html) is lacking notes on the security issues around the creation of the "lfs" user and "lfs" group.

I know the book just can't cover every security problem and error that might occur if you do the things the book tells you to do. The sysadm should know what he is typing. However, IMHO it would be good to just have a box reminding the sysadm that as he creates the "lfs" user and group he may be exposing some security gaps that may be exploited, so he should check whether the user "lfs" could put his host services in danger.

For example (and that's my case): if one has an sshd running on his host system that is exposed to any kind of network, creating the user "lfs" with a weak password could be dangerous. Notice that the user "lfs" has access to some areas of the system that are not only under his home directory, and can run a compiler! In that case, putting the user "lfs" in the "DenyUsers" list of sshd_config is the solution.

I don't want you to start caring about every possible problem that might occur if you do the things in the book. This could lead to a loss of focus. I just believe that a box with a warning in this section, reminding the sysadm to evaluate his system and services in order to be free of danger, would be good. My suggestion is:

"Notice that the user and group just created in this section could compromise the security of the host system. If any service running on your host system could be exploited by means of a user account, you should be careful and configure the service to deny access to the "lfs" user and group. For example, if you run OpenSSH, configure it to deny access to the "lfs" user and group (please refer to the OpenSSH documentation)."

I hope you get the idea and don't flame me for being a little paranoid. ;) Maybe this discussion could be in HLFS or BLFS, but as it concerns all LFS projects I think it would be better to post it here and not to cross-post it to the other mailing lists.

Thank you very much.

Egon Braun

-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
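The mitigation the post describes, DenyUsers for the "lfs" account in sshd_config, is easy to forget on a host that keeps running sshd during the build. The script below is an added example, not part of the post or of the LFS book: it parses an sshd_config and reports whether a given user is listed in a DenyUsers directive, and it writes two constructed sample configs (one "before", one "after" the suggested fix) to show the difference. The function names and the sample configs are this example's own assumptions; the only real OpenSSH directives used are DenyUsers and DenyGroups.

```sh
#!/bin/sh
# Added example (not from the original post or the LFS book): check whether an
# sshd_config denies SSH logins for the "lfs" build user, the mitigation the
# post describes for a host that exposes sshd to a network.
# Assumptions: the sample configs below are constructed for this demonstration;
# the function names are this example's own.

# ssh_user_denied CONFIG USER
# Returns 0 when USER appears in a DenyUsers directive of CONFIG, 1 otherwise.
# The keyword match is case-insensitive (sshd accepts either form) and text
# after '#' is ignored as a comment.
ssh_user_denied() {
    _config="$1"
    _user="$2"
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line="${_line%%#*}"                # strip a trailing comment
        set -f; set -- $_line; set +f       # split into words, no globbing
        [ "$#" -ge 2 ] || continue
        _key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        [ "$_key" = "denyusers" ] || continue
        shift
        for _u in "$@"; do
            [ "$_u" = "$_user" ] && return 0
        done
    done < "$_config"
    return 1
}

# write_sample_config FILE before|after
# Writes a constructed sshd_config: "before" leaves lfs able to log in,
# "after" adds the DenyUsers/DenyGroups lines the post suggests.
write_sample_config() {
    _file="$1"
    printf '%s\n' 'Port 22' 'PermitRootLogin no' \
                  'PasswordAuthentication yes' > "$_file"
    if [ "$2" = "after" ]; then
        printf '%s\n' 'DenyUsers lfs     # LFS build user: no remote logins' \
                      'DenyGroups lfs' >> "$_file"
    fi
}

# report CONFIG USER
# Prints a one-line verdict; exit status mirrors ssh_user_denied.
report() {
    if ssh_user_denied "$1" "$2"; then
        echo "$1: '$2' is listed in DenyUsers (ok)"
    else
        echo "$1: '$2' is NOT denied; add 'DenyUsers $2' and reload sshd"
        return 1
    fi
}

# Demonstration on the two constructed configs.
_dir=$(mktemp -d)
write_sample_config "$_dir/sshd_config.before" before
write_sample_config "$_dir/sshd_config.after" after
report "$_dir/sshd_config.before" lfs || true
report "$_dir/sshd_config.after" lfs
rm -rf "$_dir"
```

Run it against the real file with `ssh_user_denied /etc/ssh/sshd_config lfs` after sourcing the script; a non-zero exit means the build user can still authenticate over SSH. The check only covers DenyUsers, so a host that relies on AllowUsers or on Match blocks needs a look at those directives as well.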