Displaying 1 result from an estimated 1 matches for "jail_web_devfs_ruleset".
2007 Feb 18
1
Secure shared web hosting using MAC Framework
...ld have a limited view of the systems
Solution:
use the follwing sysctl variable
security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0
Since the web users are in a jail, set restricted devfs ruleset (this is easily done via rc.conf)
jail_web_devfs_enable="YES"
jail_web_devfs_ruleset="devfsrules_jail"
- Web users and executed web scripts shouldn't be able to read important system files
Solution:
use ufs_acl to prevent the users from accessing the following:
/boot /root
/sbin /usr/sbin /usr/local/sbin
/var
/etc/(apart from resolv.conf, group, hosts, p...