[hobbit] localhost, clamd, rights

John GALLET john.gallet at wanadoo.fr
Thu Aug 17 13:57:05 CEST 2006


Thanks to both of you for the answers.

I'll run clamd as a port socket daemon and try to check/tweak clamassassin 
to fall back on the standalone binary if need be.

> As Charles writes, you can use "sudo" to permit the hobbit user to run
> the privileged commands with root privs. The risk in doing that
> obviously is that if a user manages to break into your box and get 
> shell access as the "hobbit" user, then he can run those same commands
> with root privileges.

When it comes to security, a lot of things don't seem "obvious" to me!
The risk assessment of "how bad it can get" is in general not too hard to
determine, but the risk level is not (IMHO).

Especially the part about breaking into my box with the hobbit user. It's
not named "hobbit", neither is its group. I use iptables and only allow
INPUT on 1984 from my boxes, I htpassword protect all the hobbit cgi
directories and run them as "nobody/nobody" and the shell account passwd
is strong. But I can very easily have forgotten some *basic* security
measure that applies to Hobbit (and which I am not familiar with because I
don't run such daemons in general).

Sincerely,
JG




