Tag Archives: security

logrotate complains about insecure parent directory permissions

I’ve received this message recently:

error: skipping "/var/log/exim/mainlog" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

…and a few others of a similar nature. Turns out /var/log/exim/ was indeed group-writable. Easy to fix.

Stock FTP with chroot (FreeBSD 7.0)

I was having really weird problems trying to set up a user that would be properly chrooted. Here are some traps/pitfalls.

1) The stock ftpd is not native! It’s merged in from NetBSD (I think). If you look for /usr/share/examples/ftpd/ftpd.conf, you won’t find it.

2) Make sure /home has the execute bit set for everyone. I had everything (“rwx”) disabled for “others”, so that users can’t see who else exists on the system. Well, I had to put the “x” permission back on (in my case, “r” suffices).

3) There might be confusion about what the /etc/ftpXXX files actually do. man ftpchroot says:

The ftpusers file provides user access control for ftpd(8) by defining which users may login.

But if you read further, the file actually defines which users may not log in.

Funny thing is, it also says that ftpchroot has the same format; but putting

retard yes

in it meant that user retard was not chrooted after entering the password. Putting a simple

retard

did the trick.

Simple SSH account blocking, FreeBSD

Read the man page! There you’ll find that it is done in /etc/ssh/sshd_config by a troupe of four directives:

DenyUsers
AllowUsers
DenyGroups
AllowGroups

In that order.

Say you’ve got group users with users jack, off, and jill, and group assholes with jack and jill.

If you want only jill to be able to login, you could specify:

AllowUsers jill

or

AllowUsers jill
AllowGroups assholes

and both of these wouldn’t allow (sic!) jack in!

If you wanted all the users of group assholes to be authorized, you’d put:

AllowUsers *
AllowGroups assholes

in the file. With only the second line, you’d lock everybody out (like I just did with my remote machine… oops!).

After you’re done, restart the server with

sudo /etc/rc.d/sshd restart
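To see how the four directives combine, here is an added model of sshd’s evaluation order (written for this post; it is neither the post’s own code nor OpenSSH’s), run against the constructed users/groups from above. It assumes each directive applies only when it is set, that patterns match like shell globs, and it does not model the USER@HOST form.

```python
from fnmatch import fnmatchcase

# Constructed example data: the users and groups from the post above.
GROUPS = {
    "users": {"jack", "off", "jill"},
    "assholes": {"jack", "jill"},
}

def _matches(name, patterns):
    # sshd accepts '*' and '?' wildcards in these directives; fnmatchcase is
    # a close approximation (the USER@HOST form is not modelled here).
    return any(fnmatchcase(name, p) for p in patterns)

def groups_of(user, groups=GROUPS):
    # Primary and supplementary groups both count for sshd.
    return {g for g, members in groups.items() if user in members}

def sshd_allows(user, config, groups=GROUPS):
    """Model sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups evaluation.

    config maps a directive name to a list of patterns. A directive that is
    absent or empty is skipped, so an empty config allows everyone. The
    directives are checked in the order the man page lists them, and the
    first one that rejects the user is final.
    """
    user_groups = groups_of(user, groups)
    if _matches(user, config.get("DenyUsers", [])):
        return False
    allow_users = config.get("AllowUsers", [])
    if allow_users and not _matches(user, allow_users):
        return False
    deny_groups = config.get("DenyGroups", [])
    if any(_matches(g, deny_groups) for g in user_groups):
        return False
    allow_groups = config.get("AllowGroups", [])
    if allow_groups and not any(_matches(g, allow_groups) for g in user_groups):
        return False
    return True

def who_can_login(config, groups=GROUPS):
    """Return the sorted list of users the given directives would let in."""
    everyone = set().union(*groups.values())
    return sorted(u for u in everyone if sshd_allows(u, config, groups))

if __name__ == "__main__":
    print(who_can_login({"AllowUsers": ["jill"]}))                               # ['jill']
    print(who_can_login({"AllowUsers": ["jill"], "AllowGroups": ["assholes"]}))  # ['jill']
    print(who_can_login({"AllowUsers": ["*"], "AllowGroups": ["assholes"]}))     # ['jack', 'jill']
```

Because a directive that rejects the user is final, a DenyUsers line always beats a later AllowGroups line that would otherwise admit the same user.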

/usr/local/src for user’s sources

I use it so that users can store sources outside their home directories. Don’t know how secure it is, considering users’ tendency to leave everything world-writable – it isn’t. Anyway:

cd /usr/local
sudo mkdir src
sudo chown -R root:users src
sudo chmod -R o-rwx src
sudo chmod -R g+w src