Granting shell access in a shared environment
Granting shell user access in a shared environment is extremely dangerous.
Think of it like having an open-door policy for your house. Sure, you may have rooms locked and important
belongings in safe areas; however, the strangers coming into your home can learn what you have and what you
do not have, and use that knowledge against you.
Furthermore, especially on the Internet, you have no knowledge of or control over who is sharing what information
with whom. Your most trusted customer may have shell access, but you don't know what they write down, who
can see what they write down, and what information they share with whom.
If you absolutely must provide shell access, here are some common-sense guidelines to increase the level of
protection:
- Moderate all shell requests.
- Require the requestor to provide a copy of their passport (best case) or driver's license.
- Get their complete contact information (name, company, address, phone number, etc.).
- Verify that all of the information they provided is correct and that the
information matches the person requesting shell access. Your verification should go beyond making
sure the address and phone number are correct, as documents can be forged. You should contact the
appropriate authorities to verify the accuracy of the document(s) provided. (Is the passport real?
Does the state / province that issued the driver's license acknowledge that it issued that particular
driver's license? Etc.)
IMPORTANT NOTE: This document is based on FreeBSD. The concepts
should be similar across operating systems, but the commands will very likely be different. Also, never
assume the directory structures exist in your system as written in the document. Never blindly follow
security instructions -- read, review, compare, and apply as it fits your system.
