Re: LYNX-DEV System Compromised via Lynx
From: Nelson Henry Eric
Subject: Re: LYNX-DEV System Compromised via Lynx
Date: Tue, 22 Apr 1997 18:49:23 +0900 (JST)

> I would love to see a document which details the steps one must go thru
> to build a secure lynx account. If you find useful documents, would you

I assume you're asking about a captive, anonymous account.
For unix the basic steps are (if you want details, ask):

1) Write a script or, better yet, compile a small wrapper program
which _executes_ Lynx.
2) In /etc/passwd, set the last field to be that script or binary.
(My stupid question yesterday: don't forget to chmod a+x.) This
means the login will not be given a shell. If your login does
not require any environment settings nor any other information,
step 1) can be omitted, and your lynx command line can go right
into /etc/passwd.
3) Optionally, but I'd recommend it, set the environment variables
WWW_HOME and LYNX_CFG immediately prior to starting Lynx. As
another overkill precaution, there is no need to give write
permission to the login directory (depending on settings in step 4).
4) Before compiling Lynx, be sure to define ANONYMOUS_USER in userdefs.h
to the login name. ANONYMOUS_USER *MUST* be defined!!! Edit the
other anonymous settings (mail, telnet, goto, etc. etc. - there are
many), and also things like jump file, SET_COOKIES, NEWS_POSTING,
multi-bookmarks to give you the level of `security' you want.
Nothing is 100%. If you feel you must absolutely not allow a cracker
to get into your system, it's best to not even try to set up an anonymous
account. It's a risk (but so is crossing the street :).
5) On the Lynx command line use the -validate or -anonymous switch, set
-cfg=, -homepage=, -restrictions=, and your startup URL.
6) You will probably want to have syslog record some of the activity
because you will eventually get some real crackpots using your
account.

If I've left anything out, please fill me in. I'd hate to lose my job.

Also, I'd like to ask,
Is there any way to have telnet refuse connections from specific IPs or
domains? If I need a particular telnet daemon, it would have to be
freeware since we have no money. Off the list would probably be better.

TIA
__Henry
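
The wrapper from steps 1, 3, 5 and 6 of the message above, as an added example that is not part of the original post. The file paths, the install name `lynx-captive`, the start URL and the syslog tag are assumed values; `-restrictions=default` is used as the restriction set.

```shell
#!/bin/sh
# Captive login wrapper: the last field of the account's /etc/passwd entry
# points at this file (chmod a+x, owned by root, not writable by the account).
# All paths, the start URL and the name "lynx-captive" are assumed values.
LYNX_BIN=/usr/local/bin/lynx
CAPTIVE_CFG=/usr/local/lib/lynx-captive.cfg
CAPTIVE_HOME=http://www.example.org/

# Run "$@" followed by the fixed Lynx arguments. Nothing supplied by the
# person logging in reaches the command line.
with_lynx_args() {
    "$@" -anonymous "-cfg=$CAPTIVE_CFG" "-homepage=$CAPTIVE_HOME" \
        -restrictions=default "$CAPTIVE_HOME"
}

# The config must be readable but not writable by the captive account.
config_ok() {
    [ -r "$1" ] && [ ! -w "$1" ]
}

main() {
    # Start from a known environment instead of the inherited one.
    PATH=/usr/bin:/bin
    WWW_HOME=$CAPTIVE_HOME
    LYNX_CFG=$CAPTIVE_CFG
    export PATH WWW_HOME LYNX_CFG
    unset IFS ENV BASH_ENV CDPATH

    if ! config_ok "$CAPTIVE_CFG"; then
        logger -p auth.warning -t lynx-captive "refused: bad config $CAPTIVE_CFG"
        exit 1
    fi
    logger -p auth.info -t lynx-captive "session start on $(tty)"

    # exec replaces this script, so there is no shell to return to on exit.
    with_lynx_args exec "$LYNX_BIN"
    exit 1   # reached only if exec failed
}

# Start Lynx only when run under the installed name; sourcing the file
# (for example to inspect with_lynx_args) starts nothing.
case $0 in
    */lynx-captive) main ;;
esac
```

The compile-time settings from step 4 (ANONYMOUS_USER and the other userdefs.h options) are not covered by the wrapper and still have to be set before building Lynx.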