Sorry for the late followup, but this is backwards. If you want people
to be able to access files only if they already know them, then you want to *enable* execute and *disable* read and right, e.g.

chmod 751 /some/dir

will allow users to access files in /some/dir but not list the contents of /some/dir..

Also, to k3rnel, let me reiterate what the others have said: it's almost impossible (with the standard Linux kernel, anyway) to provide useful functionality to arbitrary users *and* prevent a hostile users from executing arbitrary code.

_________________
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.
-- seen on the net

I applaud anyone who's idea is to further Linux/Unix usage, and that's what offering shells is....furthering Linux, whether it be paid or free shells.

I know of at least one Linode member who is offering free shells and is doing a VERY good job of screening and admin'ing. Being proactive in monitoring usage and logs helps a LOT. Screening (as best you can) helps alot also. Not offering shells to people you don't physically know helps also. There are tons of ways to serve shells and yet be intelligent about who has access to those shells. If I had 30 sincere friends that wanted shell access to my box and I felt they were trustworthy, why shouldn't I offer them access when I know it wouldn't pose a security risk?

Associating free shells with insecurity is a niave thought, IMO.
Not offering free shells does NOT guarantee that you won't be cracked. Regardless of how you secure your box, there will always be ways a cracker could gain unauthorized access. No box is every 100% secure.

I'm a network security analyst by trade, working for Northrop Grumman. I've seen some interesting things. I'd worry about bad users on free shells least of all. Software with vulnerabilities that worms and such take advantage of is the story of the last year and a half. There will be risks to any given box in the world that's connected to the internet (and even boxes with no access to the net can still be cracked, if you're at the box's physical location and know a bit of social engineering).

ANY errant service on a linode will affect its neighboring linodes...a node with a service that's hogging resources isn't all that much different from cracker who's conducting activity that will hog resources. The only difference is perception...you won't even know its a cracker until it's found that it WAS a cracker that was responsible for the activity.

From what I saw of the TOS and AUP, it's not even mentioned, so I'm assuming its OK to offer shells on your linode. Just wondering why everyone is so concerned when his ideas aren't really violating any rules of usage.

This is true. Locked down boxes can be cracked and many public shell providers have never been hacked. However, allowing people local access on your system greatly increases your chances of having your Linode compromised. Many exploits require local access to the system. Furthermore it sounds like the original poster lacked a thorough knowledge that it takes to tightly secure one's Linode. I think the combination of these two features would add up to spell "rooted" very quickly.

I dunno. I just tend to treat people as adults since he's obviously paid for his account and he's (big assumption here) read the TOS/AUP. I feel that as long as he hasn't violated any of the rules and since he has yet to have his linode compromised, then its a 100% total assumption, just an assumption, that his linode will be compromised, regardless of if he's coming across as lacking knowledged.

If and when something happens and I'm sharing a machine with him and lose data or bandwidth or resources, then I'll be upset, not before. If I myself became so concerned about what everyone else is running on their linode, worrying about how it would affect my own linode, I'd always be upset or paranoid....and I know if I knew what you guys WERE running, I'd probably be upset. I'd be paranoid that some 'neighbor' of mine would be running some vulnerable software package that would affect my share of the machine.

Basically, if I don't see caker worrying about people running IRC servers or shell accounts, I'm not going to worry about it either. I'm just wondering why so many people feel so strongly against this guy running a shell service instead of helping him be more knowledgeable about it, especially since offering shells isn't outlawed. I think I saw like 3 people that offered him good feedback.

<shrug>

Go back and read the thread again. Plenty of people gave him very good advice (I count 5 out of the original 8 or 9 posts that were very informative), but everyone came to the same undeniable conclusion: it's just much more risky than it is worth. It seemed like everyone was trying to save the original poster headaches as well as save us all the headache of dealing with a shared resource that has been compromised. I'm sure that if you asked the original poster if he felt that he got good advice in this thread, that he would say yes.

Obviously no one cares much what others run on their Linodes - there isn't even any real discussion on this topic on these boards. But most people recognize that as a shared resource it's to everyone's benefit to make sure that no one Linode hogs too many resources and causes problems. You can call it selfish if you want (which is what it sounds like you are trying to do) but it's not just in my personal interest that your Linode doesn't thrash the system and make Linode users unhappy - it's in your own as well, as you are likely to have a better and happier experience with your Linode if you're not subject to derision from other users for making their lives more difficult. Note that I'm not talking about *you* specifically, I'm talking about "you all" in general here.

I went back and reread the thread...I still count only three people that offered original help. Another mentioned something that someone had mentioned already. That's a far cry from 5 out of 8.

I'm sorry if you thought I was calling it selfish. I wasn't. I do think it's a bit nosey though. While everyone should have SOME concern about what everyone else is running on their linode, that's about all it should be...a concern. Everything to do with hosting or services will involve shared resources, so I don't understand why the argument that we all have to be grossly concerned about some guy who wants to offer shells is valid. If I've a rogue process on my linode that involves an HTTP service, I'll be just as guilty as someone who's offered a shell on their linode to someone and that person is DOS'ing someone in China. Its just a matter of circumstances...in the end, both examples still amount to resource abuse.

And, as I've said, I already know of one linode person running a shell service. It could be a linode neighbor of anyone in here. You'll never know, unless their linode is hogging resources or some other bad indicator occurs.

I've yet to see the original poster offer further correspondence after his initial post. It seems as if he were run from the forums because what he wanted to do went against a perceived consensus. That's what I'm feeling, not what I'm accusing anyone of.

I'm 100% agreeing with the mentioned security concerns (its not something I'd do myself,on a linode), but I just feel that the responses to the original poster were....I dunno....heavy-handed?

Oh well, that's enough of this matter for me. I'm on to better things with my linode.

There are a number of successful, mature, non-policy violating shell providers using Linodes, but I should say that in this particular case the user voluntarily left Linode.com's services, because he wanted to do "root-wars" with his buddies, thereby violating the AUP (basically the entire [System and Network Security] section).

So far, I haven't had problems with any of the other shell providers.

-Chris

Part of this is that the original poster didn't say he just wanted to offer shells. He wanted to offer shells and restrict his users to a subset of programs.

From the original post:



This sounds like he wanted users to only be able to use programs from a whitelist. Most privileged programs are written with security in mind, but many unprivileged ones are not. Any security hole in any whitelisted program will let the users execute arbitrary code. Sure, it's executed with normal user privileges, but that still violates the security policy that the original poster had in mind.

Honestly, I'm not concerned with what other people do with their Linodes as long as it doesn't impact mine. My concern is with the feasibility of implementing this security policy on a Linode, or on any other machine for that matter. If there's a good way to do it without resorting to kernel modifications, I don't see it. (I hope it exists, but I don't see it.)

Personally, I could care less what others do with their Linodes. The insulation that the host provides is getting better and better (see caker's post about the 2.6 kernel on the hosts). Even though I felt the odds of his Linode getting compromised were much higher than the rest of ours, I wasn't worried that someone would break out and then compromise the host. I was more concerned that the environment he was creating was ideal as an intermediate host for those who would launch attacks against others. Clearly, as confirmed by caker's last post, the the user was not prepared for offering shells as a robust, safe, and mature solution and thus was exposing himself to liability he was not prepared for.

OK, I'll count them for you. Here is a summary of the posts before your first post:

1. Original question
2. Helpful info from Bill Clinton
3. Helpful info from inkblot
4. Helpful info from smerritt
5. Discouragement from ne0shell
6. Helpful info from smerritt
7. Discouragement from ne0shell
8. Response from original poster
9. Discouragement from blahrus
10. Discouragement from jmeyers
11. Discussion from Bill Clinton
12. Discussion from proane
13. Discussion from blahrus
14. Discussion from jmeyers
15. Discussion from rjp
16. Helpful info from SteveG

The "Discussion" posts were discussion about the bad things which have happened to other people which have tried to do shell hosting, and I'm not going to call this discouragement because it really is helpful info, but I just won't count it at all.

So we have 10 posts which were directly addressing the question, and 5 of them were helpful. Make it 5 out of 10 then.



The tone of your emails is kind of obvious to anyone who can read between the lines. You think that other people posting on these boards are being nosy or in some way out of line by trying to convince the original poster that it's not worth it. I didn't see anyone post anything in this thread other than concerns, which is exactly what you state people should have. Your posts themselves are "concerns" that other people are too "concerned". Except that when it's other people's concerns, you call them "grossly concerned". I'm not trying to berate you personally, I don't even know you and I am sure you are a nice and well-meaning person. But you're being hypocritical here, and I kind of resented your original implication that the other well-meaning posters to this thread were being too nosy or otherwise misbehaving by trying to give the guy equal amounts of information and discouragement from doing something that would likely have caused more trouble than it was worth, for him or for the rest of us. Nobody here is paid to help this guy out (except caker), and I think that people on these groups have gone way above and beyond the call of duty in trying to provide help wherever possible.

Even nice guys can sometimes get it wrong, and I'm just saying, you got it wrong.



I guess I didn't see that at all. He said "thanks for the great replies", and then said that he would talk to people on IRC directly before giving them free shells, presumably as his mechanism of weeding out the bad apples, and the discussion continued on after that. He never posted back, but I can hardly see where what people said drove him out.



But they weren't. They were good advice, both about the mechanics of how you would try to prevent users from abusing free shells, and restrict them to only certain executables (which is what the original poster wanted to know about), and about how unlikely this was to work well, and about how likely it was that his experience in trying to do so would be bad. All good stuff, from people who are not paid to help anyone but did so very well anway. I say good job everyone.

5 posts ago, I said I was finished with this, but it seems that someone won't let things go...

It's pretty obvious that your definition of help is quite different from mine, because after going back and checking your work, I'm still at a loss as to how some of what you considered help was actually help. After your analysis of the thread, I still only see 3 posts that offered help. Seems that all debating is highly subjective and in no way objective, which is actually wasting my time. That being said, the TONE of SOME of the posts seemed in no way supportive, IMO (IMO is heavily stressed). You're probably going to go back through every post and analyse every one of them and post how you think which one is help and which isn't...be my guest, but after this post, I'm done, so it'll probably be a wasted effort on your part.



I feel my concern is justified. Is it justified to be so concerned about someone else's linode that you basically suggest that he not run shell hosting? I feel, no. Is my concern of this thread justified? Uhmmm...IMO, yes. Why am I concerned of the tone of these posts? I'm new here. I've just purchased a linode for my personal use. I saw this thread and read the original poster's request. Let's put aside caker's comment, as that was information that all of us were not privy to until he posted. The original poster asked legit questions and his goals for his linode weren't even close to borderline TOS-breakers. It was ASSUMED, based on his post, that he wasn't knowledgeable enough to host shells on his linode and it almost seemed (to me) to turn into a witchhunt, by the tone of the responses to his posts. The responses weren't aggressive at all but I still perceived an overall feeling that this guy was leaned on a bit hard. We didn't know what he actually wanted to do until caker added his input as to what the original poster actually had in mind, so judging him was a bit immature. Even caker's post suggested that hosting shells wasn't out of the norm. Judging a guy's overall knowledge of Linux and Linux security based on one post is quite unfair, IMO, and it really rubbed me the wrong way. My thought was this: if the linode community were so concerned with this guy and his request, then what's to stop them from showing that same concern when I wanted to deploy some law-abiding service that went against the linode community's unspoken security concerns. If I'm a paying member and I'm breaking no terms, yet get heavily lectured about what or what I shouldn't be using on my PAID hosting....doesn't sound fair at all. If I were the original poster, I'd have considered requesting a refund and just found another provider (and keep in mind, still, that I'm keeping out caker's input about the original poster wanting something that wasn't acceptable by AUP...that knowledge wasn't available until just a few posts back, AFTER people expressed their views...the thread was winding down by then).



That's your opinion. Me, I wasn't even trying to be right or wrong. I've yet to blatantly accuse anyone of anything here. I'm just offering my perceptions and feelings. Actually, whether every poster here offered help or not, a majority of them DID offer concerns regarding security or performance hits on shared resources. That's what concerned me as a new user of a linode. As soon as I saw the post, I was concerned about having to watch my back for accusations about what I was doing with my linode. In fact, that's about all I've been concerned with. I'm frozen in my choices of using my linode because I don't want someone complaining because they think I've not deployed some server properly. That's my biggest concern as a new linode user since reading this post, but its just an opinion, and a highly subjective one at that...not based on any pure fact or such, just my feelings.



Well, I can. I've already explained it above. Whether or not he actually felt that way, we'll never know. But if I were someone like caker who was offering a paid service and this happened, I'd be concerned of potential customers reading this, getting turned off, and looking elsewhere. Besides, I never said he was actually run off. I said: "It seems as if he were run from the forums because what he wanted to do went against a perceived consensus," which is at http://www.linode.com/forums/viewtopic.php?p=3301#3301



Yes, I saw the advice, but there was also alot of security concerns voiced, concerns that hinted that maybe he shouldn't host shells at all. Let me explain who I am and what I do. I'm no newbie to Linux or technology. I've been using Linux since 1997, starting with Slackware 3.3. I'm still no guru...no human is, yet I try to help anyway I can. I'm involved with sharing ideas and helping people via forums and IRC. I'm an established member of several IRC channels on irc.freenode.net. I've dedicated much of my time and server bandwidth hosting web pages that contain HowTos and FAQs on my own dime. I take time that could probably be better spent elsewhere to help those who ask for help with their Linux problems. I use Linux and Unix professionally. I can analyse raw dumped network traffic. I'm a IT security consultant. I work for Northrop Grumman. I've worked for other big tech companies and I've worked for a startup. To sum it up, again, I'm no newb to technology. I too saw help, but not all was help. Helping someone is to answer their asked question. Maybe a few helped TOO much by giving very opinionated and skewed info on their perceptions of hosting shells. As caker stated, "There are a number of successful, mature, non-policy violating shell providers using Linodes."

You said, "They were good advice, both about the mechanics of how you would try to prevent users from abusing free shells, and restrict them to only certain executables (which is what the original poster wanted to know about), and about how unlikely this was to work well, and about how likely it was that his experience in trying to do so would be bad." Well, letting him know how bad running a shell hosting service was bad, IMO, as there are successful shell providers using linodes. You may not have said his whole idea was bad, but others did. Again, that's just my opinion.

I thought I'd be able to drop all this a few posts up, but I was drawn back in by your comments. I've said in all my posts that all I post is my perceptions. I've singled no one out and actually haven't accused anyone of doing anything grossly offensive. Someone being worried about what I run on my piece of linode.com...that's a bit offensive. Is anyone worried about me running something I shouldn't or me hogging resources? Did anyone accuse me of that? NO. Do I have a general feeling that it could happen to me, maybe falsely, especially after reading and participating in this thread? YES. I felt I should voice that. I've a concern of your concerns. LOL...that sums it up, I guess.

Yeah, this is my last post on the issue. I felt I was baited to respond this time, as I felt I HAD to answer some statements and misunderstandings but this is truly it. My feeling stands that if caker doesn't bitch about it and I'm within the written limits of the AUP, I'm good. I'll not worry about what people may be concerned with, regarding my linode.

Regards,
unixfool

Well in the spirit of letting things go then, let me just say that we disagree but both have good points. So we'll just have to agree to disagree.

Best wishes,
Bryan

I'm coming a little late to the party here, but this is one case where a grsec-patched kernel (http://www.grsecurity.org/) might be rather cool.

I'm in the process of playing with it on my non-Linode boxen, and it's a big security win. In its default state it helps with a lot of the common exploit methods - randomising address space and making stacks non-executable to help stop buffer overflows causing pain, that sort of thing. With some work analyzing what you're system is supposed to be doing, you can set it up so that only designated programs can run as network servers, access files in certain directories, only certain groups can make network connections at all, even to the point where no users can run executables from anywhere other than the approved system directories (/bin, /usr/bin et al.)

I've not no idea how nicely it plays with the UML patches, though. If there's interest, and if Chris is amenable, I could probably find some time to help build / test.

Regards,
Tim.