> Turning this into a learning experience: Does anyone have any hints or > advice about hardening OpenBSD for shell accounts. Do people tweak > things other than the login.conf settings? I have to deal with student > shell accounts where students are learning to program and often create > problems by accident.
(Firsly, not mentioning restricted shells at all, because we all hate them, right? rksh? ) Back in the old days before umls or half a dozen other equally appropriate technologies which I would use in preference if I were doing it again today, I used to build a chroot environment with a minimal subset of commands and relevant data files for just this sort of thing. If y'all promise not to laugh, I found this code in my archives that I wrote in 1993. http://www.gtoal.com/historical/tcsh.c Obviously the layout of the filesystem will have changed over the years, but maybe there's something in there that's still salvagable. No, it's not hackproof, and I certainly would not write something like this nowadays, but the main reason I used this a dozen years ago was not to stop advanced hackers but to stop careless naive users (our customers, actually) doing something dangerous by accident, and to stop casual guest account visitors from browsing around the filesystem gratuitously. If you go the chroot route: this is from the linux world but probably adaptable: http://fakechroot.alioth.debian.org/ Also equally amusing in a historical sense is lsh.c in the same directory. Again, better ways exist to do that now (watch/ttysnoop). As well as full virtualization, you might look at copy-on-write filing systems to allow users to unwind mistakes. Nowadays I would use user mode linux or colinux to create a lightweight virtual machine and let them manage it completely, using c-o-ws as a quick way to revert if they screw it up. I don't what what the BSD equivalent of uml might be. A quick google search for 'virtual server bsd' shows that they do exist (http://www.esosoft.com/virtualserver/), at least for FreeBSD. If there's no specific OpenBSD lightweight virtualization then maybe you could use a more heavyweight emulation such as qemu (http://www.erikveen.dds.nl/qemupuppy/index.html) or plex86 (http://sourceforge.net/projects/plex86) or xen (http://www.xensource.com/, http://www.cl.cam.ac.uk/Research/SRG/netos/xen/) or vserver (http://www.solucorp.qc.ca/miscprj/s_context.hc) or many commercial products: virtualpc/vmware/openvz/serenity(svista)/ virtuozzo/parallels (microsoft, serenity and parallels have all had beta programs that allowed you to use their latest development products for an extended period, as opposed to the few weeks you usually get from a mere eval download. Of those I think parallels.com is the only one currently available) There's a pile of links on various subjects related to virtualization in my online bookmarks: http://www.gtoal.com/bookmarks/Computer_stuff/Virtual_PC/index.php (+ some misfiled under http://www.gtoal.com/bookmarks/Virtual_PC/index.php) and a lesser amount of relevant links in http://www.gtoal.com/bookmarks/Computer_stuff/Unix/index.php and http://www.gtoal.com/bookmarks/Computer_stuff/Security_backup_and_admin/index.php Another option is a live cd: http://www.freesbie.org/ or http://www.livebsd.com/ ... Maybe you'll find something of interest in there. If not, reading other people's bookmarks is almost as much fun as looking at their bookshelves :-) regards Graham
