<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux web browser station (formerly "The Linux Public Web Browser mini-HOWTO"): NEW GUIDE: Step-by-step guide</TITLE>
<LINK HREF="Public-Web-Browser-4.html" REL=next>
<LINK HREF="Public-Web-Browser-2.html" REL=previous>
<LINK HREF="Public-Web-Browser.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="Public-Web-Browser-4.html">Next</A>
<A HREF="Public-Web-Browser-2.html">Previous</A>
<A HREF="Public-Web-Browser.html#toc3">Contents</A>
<HR>
<H2><A NAME="s3">3. NEW GUIDE: Step-by-step guide</A></H2>

<P>
<H2><A NAME="ss3.1">3.1 Install RH</A>
</H2>

<P>Install Red Hat (hereafter just RH) Linux on the box. Make sure shadow and MD5
passwords are enabled, and choose a nice long root password! Refer to the
corresponding installation guides.
<H2><A NAME="ss3.2">3.2 Clean-up packages</A>
</H2>

<P>
<P>RH Linux was and is *really* buggy out of the box (both local and remote exploits are
discovered every day, see the
<A HREF="http://www.securityfocus.com">BugTRAQ database</A>), and many software packages installed by default can
be used to obtain a root shell from a non-privileged account or, in the worst cases,
across the network (or just to mess up the box). Thus special attention should be given to package
selection on the browser workstation.
<P>
<UL>
<LI>Use workstation or custom installation mode. The latter is recommended: when
selecting groups of packages, choose only <I>base-system</I>, <I>networked workstation</I>,
<I>mail/www services</I> (make sure you later replace Communicator with
Navigator) and <I>X packages</I>, and then
erase the unneeded RPMs. If using workstation mode you will have to (possibly
manually) remove about 300 packages.</LI>
<LI>When partitioning the disk follow the scheme below. The sizes are appropriate
for a 3 GB disk; scale them accordingly for a bigger drive, but this is really
not needed for this setup as the whole Linux system is squeezed into under 200MB.
Make sure those partitions (<B>/, /home, /var and /tmp</B>) are present! A separate /usr
is not necessary. Remember to create a generous swap partition (at least the
size of RAM).

<P>Partition mount points and sizes used for a test system:
<BLOCKQUOTE><CODE>
<PRE>
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hda1              1571528    184184   1307512  12% /
/dev/hda7               300603       309    284773   0% /home
/dev/hda6               300603        20    285062   0% /tmp
/dev/hda5               809556      4640    763792   1% /var
</PRE>
</CODE></BLOCKQUOTE>
</LI>
<LI>Remove all RPMs but the following (the list might be shortened later, and an automatic RPM-removal
shell script might be written as well):

<BLOCKQUOTE><CODE>
<PRE>
MAKEDEV-2.5.2-1
SysVinit-2.78-5
X11R6-contrib-3.3.2-11
XFree86-100dpi-fonts-3.3.6-20
XFree86-3.3.6-20
XFree86-75dpi-fonts-3.3.6-20
XFree86-S3-3.3.6-20
XFree86-SVGA-3.3.6-20
XFree86-VGA16-3.3.6-20
XFree86-libs-3.3.6-20
XFree86-xfs-3.3.6-20
Xconfigurator-4.3.5-1
apmd-3.0final-2
ash-0.2-20
at-3.1.7-14
audiofile-0.1.9-3
authconfig-3.0.3-1
basesystem-6.0-4
bash-1.14.7-22
bc-1.05a-5
bdflush-1.5-11
binutils-2.9.5.0.22-6
bzip2-0.9.5d-2
chkconfig-1.1.2-1
chkfontpath-1.7-2
console-tools-19990829-10
cracklib-2.7-5
cracklib-dicts-2.7-5
crontabs-1.7-7
dev-2.7.18-3
diffutils-2.7-17
e2fsprogs-1.18-5
ed-0.2-13
eject-2.0.2-4
etcskel-2.3-1
file-3.28-2
filesystem-1.3.5-1
fileutils-4.0-21
findutils-4.1-34
freetype-1.3.1-5
gawk-3.0.4-2
gd-1.3-6
gdbm-1.8.0-3
getty_ps-2.0.7j-9
glib-1.2.6-3
glib10-1.0.6-6
glibc-2.1.3-15
gmp-2.0.2-13
gpm-1.18.1-7
grep-2.4-3
groff-1.15-8
gtk+-1.2.6-7
gzip-1.2.4a-2
hdparm-3.6-4
imlib-1.9.7-3
indexhtml-6.2-1
info-4.0-5
initscripts-5.00-1
iputils-20000121-2
isapnptools-1.21b-1
kbdconfig-1.9.2.4-1
kernel-2.2.14-5.0
kernel-utils-2.2.14-5.0
krb5-configs-1.1.1-9
krb5-libs-1.1.1-9
kudzu-0.36-2
ld.so-1.9.5-13
ldconfig-1.9.5-16
less-346-2
libc-5.3.12-31
libgr-2.0.13-23
libgr-progs-2.0.13-23
libjpeg-6b-10
libpng-1.0.5-3
libstdc++-2.9.0-30
libtermcap-2.0.8-20
libtiff-3.5.4-5
libungif-4.1.0-4
libxml-1.8.6-2
lilo-0.21-15
logrotate-3.3.2-1
losetup-2.10f-1
mailcap-2.0.6-1
man-1.5h1-1
mingetty-0.9.4-11
mkbootdisk-1.2.5-3
mkinitrd-2.4.1-2
mktemp-1.5-2
modutils-2.3.9-6
mount-2.10f-1
mouseconfig-4.4-1
ncompress-4.2.4-15
ncurses-5.0-11
net-tools-1.54-4
netscape-common-4.72-6
netscape-navigator-4.72-6
newt-0.50.8-2
ntsysv-1.1.2-1
pam-0.72-6
passwd-0.64.1-1
pciutils-2.1.5-2
popt-1.5-0.48
procps-2.0.6-5
psmisc-19-2
pwdb-0.61-0
raidtools-0.90-6
rdate-1.0-1
readline-2.2.1-6
redhat-logos-1.1.0-2
redhat-release-6.2-1
rootfiles-5.2-5
rpm-3.0.4-0.48
rpmfind-1.4-3
rxvt-2.6.1-8
sash-3.4-2
sed-3.02-6
setup-2.1.8-1
setuptool-1.2-5
sh-utils-2.0-5
shadow-utils-19990827-10
slang-1.2.2-5
slocate-2.1-2
stat-1.5-12
sysklogd-1.3.31-16
tar-1.13.17-3
tcl-8.0.5-35
tcp_wrappers-7.6-10
termcap-10.2.7-9
textutils-2.0a-2
time-1.7-9
timeconfig-3.0.3-2
tmpwatch-2.2-1
utempter-0.5.2-2
util-linux-2.10f-7
vixie-cron-3.0.1-40
which-2.9-2
words-2-12
xinitrc-2.9-1
xpm-3.4k-2
zlib-1.1.3-6
</PRE>
</CODE></BLOCKQUOTE>

Unfortunately, some of the packages above might also be redundant and
potentially unsafe (even glibc, the main Linux runtime library, was recently
found to have locally exploitable bugs, and so was the PAM module library).
More candidates for elimination
include gpm (console mouse services, which had some exploit history last year) and
many others.
Xlib has a buffer overflow but can't be eliminated; make sure the latest
version is used.</LI>
</UL>
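<P>The automatic RPM-removal script mentioned above, as an added example that is not part of the original HOWTO: it compares the output of <CODE>rpm -qa</CODE> with a keep-list file holding the packages listed in this section and reports (or, when asked, removes) everything else. The two sample package lists it embeds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the HOWTO: the "automatic RPM-removal shell script"
# mentioned in section 3.2. Reports (or, with "rm", removes) every installed
# package that is not on the keep-list. The keep-list holds one
# name-version-release per line, exactly as "rpm -qa" prints it.

# extra_packages KEEPLIST INSTALLED
# Prints the lines of INSTALLED that do not appear verbatim in KEEPLIST.
# Whole-line fixed-string match (-x -F), so a package with a version other
# than the one listed is reported too and must be reviewed by hand.
extra_packages() {
    grep -v -x -F -f "$1" "$2" || :    # grep exits 1 when nothing is extra
}

# prune_rpms KEEPLIST INSTALLED [rm]
# Dry run by default; pass "rm" to really remove. Packages are removed one at
# a time so that a dependency refusal by rpm is visible per package.
prune_rpms() {
    mode=${3:-dry}
    extra_packages "$1" "$2" | while read -r pkg; do
        if [ "$mode" = "rm" ]; then
            rpm -e "$pkg" || echo "refused: $pkg (check dependencies)" >&2
        else
            echo "would remove: $pkg"
        fi
    done
}

# Constructed sample data so the script runs offline. On the real box use
#   rpm -qa > /tmp/installed.txt
# and the package list from section 3.2 as the keep-list.
KEEP=$(mktemp)
INSTALLED=$(mktemp)
cat > "$KEEP" <<'EOF'
bash-1.14.7-22
glibc-2.1.3-15
netscape-navigator-4.72-6
tcp_wrappers-7.6-10
EOF
cat > "$INSTALLED" <<'EOF'
bash-1.14.7-22
example-unneeded-daemon-1.0-1
glibc-2.1.3-15
netscape-navigator-4.72-6
tcp_wrappers-7.6-10
example-unneeded-service-0.9-2
EOF

prune_rpms "$KEEP" "$INSTALLED"
```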
<P>
<H2><A NAME="ss3.3">3.3 Install ssh</A>
</H2>

<P>Install the ssh-server RPM for remote administration. Do NOT use inetd daemon
mode: make sshd run standalone and use <B>/etc/hosts.allow</B> for access
control (the ssh daemon will read the file upon startup).
<P>
<H2><A NAME="ss3.4">3.4 Make a boot floppy</A>
</H2>

<P>Make sure you create a boot floppy using the <B>mkbootdisk</B> command, as errors
in the LILO configuration might render the system unbootable.
<P>
<H2><A NAME="ss3.5">3.5 Modify configs</A>
</H2>

<P>Make the following modifications to the configuration files:
<UL>
<LI><B>/etc/inittab</B>
<BLOCKQUOTE><CODE>
<PRE>
#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg, &lt;miquels@drinkel.nl.mugnet.org&gt;
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#--fixed by anton for browser station

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
# --anton--
#   4 - browser X
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
#id:3:initdefault:
#--anton: default runlevel now 4! other levels protected by LILO password
id:4:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Things to run in every runlevel.
ud::once:/sbin/update

# Trap CTRL-ALT-DELETE
#anton -- not here, disable
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#--anton -- only one is needed! comment out the rest
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
# xdm is now a separate service
x:5:respawn:/etc/X11/prefdm -nodaemon
</PRE>
</CODE></BLOCKQUOTE>

The file above disables the Ctrl-Alt-Del combination and makes the new runlevel 4 the default
runlevel. It also eliminates all virtual consoles but the first.
</LI>
<LI><B>/etc/fstab</B>
<BLOCKQUOTE><CODE>
<PRE>
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/dev/hda1    /            ext2     defaults,ro                   1 1
/dev/hda7    /home        ext2     defaults,nodev,noexec,nosuid  1 2
/dev/hda6    /tmp         ext2     defaults,nodev,noexec,nosuid  1 2
/dev/hda5    /var         ext2     defaults,nodev,noexec,nosuid  1 2

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#/dev/cdrom  /mnt/cdrom   iso9660  noauto,owner,ro               0 0
#/dev/fd0    /mnt/floppy  auto     noauto,owner                  0 0
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
none         /proc        proc     defaults                      0 0
none         /dev/pts     devpts   gid=5,mode=620                0 0
/dev/hda8    swap         swap     defaults                      0 0

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</PRE>
</CODE></BLOCKQUOTE>

Brief explanation of the options (see <I>man mount</I> for more):
<UL>
<LI>For / : mounted read-only (<B>ro</B>), just to make it a little bit harder to do Bad Things</LI>
<LI>For <B>/home, /tmp</B> and <B>/var</B> : <B>nodev,noexec,nosuid</B> will prevent (a)
starting executables from them (the download-and-run-through-netscape attack),
(b) running suid executables (well, redundant in the presence of the above but nice
to have too), (c) creating devices with makedev (no faked /dev/mem for a kernel
module attack).
<P>Making <B>/home</B> read-only might be a good idea too, as netscape is not supposed
to write anything while running.
<P>
</LI>
<LI>Remember to REMOVE the floppy and CDROM drives physically and disable their partitions
(commented out)!</LI>
</UL>

<P>
<P>
</LI>
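<P>An added check for the mount-option policy just described (example code, not from the HOWTO): it parses an fstab and reports a missing <B>ro</B> on /, a missing <B>nodev</B>, <B>noexec</B> or <B>nosuid</B> on /home, /tmp and /var, and any of the four not present as a separate filesystem, which goes slightly beyond this list by also enforcing the "make sure those partitions are present" rule from 3.2. The weak and hardened sample fstabs are constructed.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit an fstab against the policy of
# section 3.5 (ro on /, nodev+noexec+nosuid on /home, /tmp and /var, and all
# four present as separate filesystems).

# has_opt OPTS NAME: succeeds if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_check FILE: print one line per violation; return 1 if any were found.
# Comment and blank lines are skipped; a mount point outside the policy is
# ignored, and the swap entry never reaches the policy because its mount
# point field is "swap".
fstab_check() {
    rc=0
    seen=""
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        seen="$seen $mnt"
        case "$mnt" in
            /)               want="ro" ;;
            /home|/tmp|/var) want="nodev noexec nosuid" ;;
            *)               continue ;;
        esac
        for o in $want; do
            has_opt "$opts" "$o" || { echo "$mnt: missing $o"; rc=1; }
        done
    done < "$1"
    for m in / /home /tmp /var; do
        case " $seen " in
            *" $m "*) ;;
            *) echo "$m: no separate filesystem"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: a default-style install versus the layout of section 3.5.
WEAK=$(mktemp)
HARDENED=$(mktemp)
cat > "$WEAK" <<'EOF'
/dev/hda1 / ext2 defaults 1 1
none /proc proc defaults 0 0
/dev/hda8 swap swap defaults 0 0
EOF
cat > "$HARDENED" <<'EOF'
/dev/hda1 / ext2 defaults,ro 1 1
/dev/hda7 /home ext2 defaults,nodev,noexec,nosuid 1 2
/dev/hda6 /tmp ext2 defaults,nodev,noexec,nosuid 1 2
/dev/hda5 /var ext2 defaults,nodev,noexec,nosuid 1 2
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/hda8 swap swap defaults 0 0
EOF

echo "weak fstab:";     fstab_check "$WEAK"
echo "hardened fstab:"; fstab_check "$HARDENED" && echo "ok"
```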
<LI><B>/etc/rc.d/</B> directory
<P>Create the file <B>xbrowser</B> in <B>/etc/rc.d/init.d</B> and symlink it
(<CODE>cd /etc/rc.d/rc4.d ; ln -s /etc/rc.d/init.d/xbrowser S99xbrowser</CODE>) as
<B>S99xbrowser</B> in <B>/etc/rc.d/rc4.d</B>,
so that the directory <B>/etc/rc.d/rc4.d</B> looks like this:
<BLOCKQUOTE><CODE>
<PRE>
drwxrwxrwx    2 root     root         4096 Sep 10 15:30 .
drwxrwxrwx   10 root     root         4096 Sep 10 15:30 ..
lrwxrwxrwx    1 root     root         1179 Sep 10 15:30 S05kudzu -> ../init.d/kudzu
lrwxrwxrwx    1 root     root         5094 Sep 10 15:30 S10network -> ../init.d/network
lrwxrwxrwx    1 root     root         1367 Sep 10 15:30 S16apmd -> ../init.d/apmd
lrwxrwxrwx    1 root     root         1542 Sep 10 15:30 S20random -> ../init.d/random
lrwxrwxrwx    1 root     root         3217 Sep 10 15:30 S25netfs -> ../init.d/netfs
lrwxrwxrwx    1 root     root         1024 Sep 10 15:30 S30syslog -> ../init.d/syslog
lrwxrwxrwx    1 root     root          989 Sep 10 15:30 S40atd -> ../init.d/atd
lrwxrwxrwx    1 root     root         1031 Sep 10 15:30 S40crond -> ../init.d/crond
lrwxrwxrwx    1 root     root         1203 Sep 10 15:30 S75keytable -> ../init.d/keytable
lrwxrwxrwx    1 root     root         1261 Sep 10 15:30 S85gpm -> ../init.d/gpm
lrwxrwxrwx    1 root     root         1956 Sep 10 15:30 S90xfs -> ../init.d/xfs
lrwxrwxrwx    1 root     root          650 Sep 10 15:30 S99xbrowser -> ../init.d/xbrowser
</PRE>
</CODE></BLOCKQUOTE>

These init files are run upon entering runlevel 4 (either at reboot or when
typing <B>init 4</B> at the root prompt). Files are run in order of increasing
numbers, so that our <B>xbrowser</B> runs last.
<P>The <B>xbrowser</B> file looks like this:
<BLOCKQUOTE><CODE>
<PRE>
#!/bin/bash
# --anton: Init the box into X with browser, no login script
echo "Starting standalone browser....."

#put a mark into log
echo %%%%%%Reboot%%%%% >> /var/log/xlog

#this file marks X startup using our xinitrc
touch /tmp/startOK

#--main loop, indefinite in the presence of the /tmp/startOK file ------------------
while [ -f /tmp/startOK ] ; do

    #put a mark into log
    echo %%%%%%Restart%%%%% >> /var/log/xlog

    #kill stuck netscape if any (this doesn't help if it turns into a zombie)
    killall -9 netscape >& /dev/null

    #clear netscape lock
    if [ -f ~netscape/.netscape/lock ]; then
        /bin/rm ~netscape/.netscape/lock
    fi

    #start X windows, no winman, using the config that starts only netscape
    #config is in root home dir!!
    #X server runs as root, sort of BAD
    /usr/X11R6/bin/xinit /root/.xinitrc -- /usr/X11R6/bin/X bc

done
#main loop end-------------------------------
</PRE>
</CODE></BLOCKQUOTE>

This file will start the X server upon boot with no prompting (after the LILO
prompt). The X server will follow the directions in <I>/root/.xinitrc</I>,
shown below. The X server config is shown below too.
</LI>
<LI>Make sure <B>/etc/sysctl.conf</B> looks like this:
<BLOCKQUOTE><CODE>
<PRE>
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Disables automatic defragmentation (needed for masquerading, LVS)
net.ipv4.ip_always_defrag = 0
# Disables the magic-sysrq key
#--anton: this IS important
kernel.sysrq = 0
</PRE>
</CODE></BLOCKQUOTE>

This disables the kernel interaction keys (aka Magic SysRq keys) on startup.</LI>
<LI><B>/etc/X11/XF86Config</B>
<P>Make changes to <B>/etc/X11/XF86Config</B>, which was automatically created
during install, so that it contains the following:
<P>
<BLOCKQUOTE><CODE>
<PRE>
# File generated by XConfigurator.

...whatever...

# **********************************************************************
# Server flags section.
# **********************************************************************

Section "ServerFlags"

# Uncomment this to cause a core dump at the spot where a signal is
# received. This may leave the console in an unusable state, but may
# provide a better stack trace in the core dump to aid in debugging
#NoTrapSignals

# Uncomment this to disable the &lt;Ctrl&gt;&lt;Alt&gt;&lt;BS&gt; server abort sequence
# This allows clients to receive this key event.
#--anton -- no X server kill
#--another option is to have a kill as a means to fight broken/stuck netscape,
#--restart will bring it back after cleanup
DontZap

# Uncomment this to disable the &lt;Ctrl&gt;&lt;Alt&gt;&lt;KP_+&gt;/&lt;KP_-&gt; mode switching
# sequences. This allows clients to receive these key events.
#--anton -- kinda bad too
DontZoom

EndSection

...whatever...
</PRE>
</CODE></BLOCKQUOTE>

Now, <B>DontZap</B> is a questionable choice. The Ctrl-Alt-Backspace
sequence might be the only way to kill a stuck netscape, or one with some
window overlapping the netscape controls (like View Source or View Page Info), as
no automatic netscape fixing is implemented. Disabling Java and JavaScript
will decrease the likelihood of it crashing, but will not eliminate this
miserable occurrence altogether. In the current setup, pressing
Ctrl-Alt-Backspace with <B>DontZap</B> commented out will cause the X server to
restart, killing netscape and doing a lock file cleanup.
<P>
</LI>
<LI><B>/root/.xinitrc</B>
<P>Make sure that <B>/root/.xinitrc</B>
looks like this:
<BLOCKQUOTE><CODE>
<PRE>
#!/bin/sh
/bin/rm -f ~netscape/.netscape/lock >/dev/null 2>&1

#--anton: otherwise non-root netscape can't run
#--anton: only allow local connections, but from all users
#--anton: the name of the test box was "afc", thus the line below
xhost +afc

#--anton: starts netscape as user "netscape" and full screen!!
#make sure 1024x768 matches your monitor
su netscape -c "netscape -no-about-splash -geometry 1024x768+0+0"

#---------------TESTING---------------------------
#these commands were used in testing to set netscape preferences
#same as having the "netscape" user home dir writable for this user
#export HOME=/home/netscape
#netscape -no-about-splash -geometry 1024x768+0+0 >& /tmp/LOG
#---------------TESTING---------------------------

#also needed: X as user "guest" eventually
</PRE>
</CODE></BLOCKQUOTE>

See the comments in the file for explanation.
</LI>
</UL>
<P>
<H2><A NAME="ss3.6">3.6 Create user</A>
</H2>

<P>Create the user <I>netscape</I>; his home directory will be <B>/home/netscape</B>.
<H2><A NAME="ss3.7">3.7 Change Netscape settings</A>
</H2>

<P>Start netscape and apply restricted settings as follows:
<UL>
<LI>no Java (known big risks,
recently really big holes were discovered in the Netscape Java implementation),</LI>
<LI>no
JavaScript (some risks of password stealing and web mail hijacking),</LI>
<LI>no
cache (some Java bugs will access cache objects and then bypass JVM
restrictions),</LI>
<LI>no cookies (might not be possible though, low risk),</LI>
<LI>remove all launches of nonstandard applications (ideally all applications) for
file types (by going to Netscape->Edit->Preferences->Navigator->Applications),</LI>
<LI>history length set to 0 (the next user can't see what the previous one was doing;
the risk is in seeing URL-encoded passwords sometimes)</LI>
</UL>
<H2><A NAME="ss3.8">3.8 Chown the home directory</A>
</H2>

<P>Do a chown to root on <B>/home/netscape</B> (by <CODE>chown -R root.root /home/netscape</CODE>).
Make sure that his home directory belongs to root, that there are no world-writable
files and subdirectories there, and that permissions are at least:
<BLOCKQUOTE><CODE>
<PRE>
/home/netscape/:
total 9
drwxr-xr-x   4 root     root         1024 Sep  7 18:29 .
drwxr-xr-x   4 root     root         1024 Sep  7 18:30 ..
-rw-r--r--   1 root     root           16 Sep  7 18:29 .bash_history
-rw-r--r--   1 root     root           24 Sep  5 08:21 .bash_logout
-rw-r--r--   1 root     root          230 Sep  5 08:21 .bash_profile
-rw-r--r--   1 root     root          124 Sep  5 08:21 .bashrc
-rw-r--r--   1 root     root           93 Sep  7 18:25 .mailcap
-rw-r--r--   1 root     root            0 Sep  7 18:25 .mime.types
drwxr-xr-x   4 root     root         1024 Sep 10 08:38 .netscape
drwxr--r--   2 root     root         1024 Sep  6 00:04 .xauth

/home/netscape/.netscape:
total 264
drwxr-xr-x   4 root     root         1024 Sep 10 08:38 .
drwxr-xr-x   4 root     root         1024 Sep  7 18:29 ..
drwxr--r--   2 root     root         1024 Sep  6 00:04 archive
-rw-------   1 root     root        14757 Sep  7 18:38 bookmarks.html
drwxr--r--   3 root     root         1024 Sep  7 18:24 cache
-rw-r--r--   1 root     root       188416 Sep  6 00:05 cert7.db
-rw-r--r--   1 root     root        16384 Sep  7 18:30 history.dat
-rw-r--r--   1 root     root          111 Sep  7 16:20 history.list
-rw-r--r--   1 root     root        16384 Sep  6 00:05 key3.db
-rw-r--r--   1 root     root            0 Sep  6 00:04 nswrapper.copy_defs
-rw-r--r--   1 root     root          279 Sep 10 08:38 plugin-list
-rw-r--r--   1 root     root         3398 Sep  7 18:29 preferences.js
-rw-r--r--   1 root     root          741 Sep  7 18:29 registry
-rw-r--r--   1 root     root        16384 Sep  7 18:29 secmodule.db
</PRE>
</CODE></BLOCKQUOTE>
<P>Carefully test netscape functionality after doing the chown to root!
At present, I have not found a way to avoid periodic Netscape complaints about
"Can't write preferences".
<P>Another note is appropriate. Netscape is VERY buggy (the latest example is the
<A HREF="http://www.redhat.com/support/errata/RHSA-2000-046-02.html">Red Hat Linux Security Advisory</A>
that presents a way to crash and exploit netscape using a specially crafted JPEG
image)
and is likely to crash periodically,
possibly producing a buffer overflow with shell access for the intruder. This
shell will have the netscape user as owner. Thus the absence of xterm and rxvt
on the system is absolutely crucial, as it provides another line of defense.
Permissions on the system should also be set very conservatively (no
world-writable files). Ideally, NO files should be owned by user "netscape" on
the system AT ALL (do a <B>find / -user netscape</B> command to confirm
this; also check for world-writable files with <B>find / -perm -2 ! -type l -ls</B>).
<P>
<H2><A NAME="ss3.9">3.9 Config lilo</A>
</H2>

<P>Modify <B>/etc/lilo.conf</B>:
<P>
<BLOCKQUOTE><CODE>
<PRE>
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux

image=/boot/vmlinuz-2.2.14-5.0
        label=linux
        read-only
        root=/dev/hda1
        restricted
</PRE>
</CODE></BLOCKQUOTE>

The word <I>restricted</I> will cause password prompting in order to
enter a non-standard runlevel (e.g. <B>linux init 0</B> at the LILO: prompt).
Note that <I>restricted</I> only modifies the <I>password</I> option (the password is
then asked for only when arguments are typed at the prompt), so a <I>password=</I>
line must also be present in that image section, and /etc/lilo.conf must then be
readable by root only.
<P>That implies using the stock RH 6.2 kernel. A kernel upgrade to 2.2.16 might be a
good idea, as some bugs were found in early 2.2.14 kernels (low risk).
<P>
<H2><A NAME="ss3.10">3.10 REMOVE binaries</A>
</H2>

<P><B>REMOVE the /usr/X11R6/bin/xterm executable COMPLETELY!</B> This is REALLY IMPORTANT,
as a shell will be much harder to obtain in this case. Make sure its clone,
rxvt, is not installed! Ideally, all programs that can spawn a shell should be
removed.
<P>
<H2><A NAME="ss3.11">3.11 Physical security</A>
</H2>

<P>Some physical security measures:
<UL>
<LI>Secure the reset button</LI>
<LI>Remove the CDROM and floppy disk drives</LI>
<LI>Prevent physical access to the box to avoid hard drive replacement</LI>
</UL>
<P>
<H2><A NAME="ss3.12">3.12 Some final touches</A>
</H2>

<P>Some final touches (nice but not essential for system functionality):
<UL>
<LI>Implement a free disk space monitor to avoid partition overflows</LI>
<LI>Enable remote logging (preferably to some dedicated box with a host-based IDS
that analyzes the logs)</LI>
</UL>
<HR>
<A HREF="Public-Web-Browser-4.html">Next</A>
<A HREF="Public-Web-Browser-2.html">Previous</A>
<A HREF="Public-Web-Browser.html#toc3">Contents</A>
</BODY>
</HTML>