Re: [other] Re: [openbsd] public shell server

[Chris Zakelj <c_(_dot_)_zakelj_(_at_)_ieee_(_dot_)_org>]

Alex de Joode wrote:

> > Ok, now that that's out of the way, about all I can say is that choosing
> > OpenBSD will probably eliminate many of the possible remote exploits around,
> > so you've done well there.  Unless there's a specific reason not to, chroot
> > everybody to their home directory.  
>
> How do I do that ? via restricted shells, or has OpenBSD 'jails' ?

I've never had to worry about this (My usage of BSD is primarily 
firewalling stuff, with an occasional webserver (where chrooting is a 
real pain, but I'm relearning to work through it)), but I'd be willing 
to bet there's probably a FAQ or HOWTO written on it.  If all else 
fails, you can always check the chroot man page :)

> > Take anti-spam measures as appropriate, 
> I'll provide postfix+spamassasin+amavis+mcafee

Umm, actually, I meant this in the "make sure you don't become a spam 
source" sense.

> > and (as always) don't turn on any service you don't need.
>
> Well I was planning on providing php+mysql, donno if mysql and
> openbsd are 'friends' yet (there were problems previously).

Well, when I was working on my first webserver about a year ago, mysql 
and obsd got along fairly well when you built from the ports tree.  Just 
have to pay attention that you used the right makefile and command line 
options, or you were likely to forget a module you really wanted (like 
php4 support).  In the year since I did this, the structure of the port 
has changed, but I doubt compatibility went down because of it.