Re: LYNX-DEV System Compromised via Lynx


From: Nelson Henry Eric
Subject: Re: LYNX-DEV System Compromised via Lynx
Date: Tue, 22 Apr 1997 18:49:23 +0900 (JST)

> I would love to see a document which details the steps one must go thru
> to build a secure lynx account.  If you find useful documents, would you

I assume you're asking about a captive, anonymous account.

For unix the basic steps are (if you want details, ask):
1)  Write a script or, better yet, compile a small wrapper program
    which _executes_ Lynx.
2)  In /etc/passwd, set the last field to be that script or binary.
    (My stupid question yesterday: don't forget to chmod a+x.)  This
    means the login will not be given a shell.  If your login does
    not require any environment settings nor any other information,
    step 1) can be omitted, and your lynx command line can go right
    into /etc/passwd.
3)  Optionally, but I'd recommend it, set the environment variables
    WWW_HOME and LYNX_CFG immediately prior to starting Lynx.  As
    another overkill precaution, there is no need to give write
    permission to the login directory (depending on settings in step 4).
4)  Before compiling Lynx, be sure to define ANONYMOUS_USER in userdefs.h
    to the login name.  ANONYMOUS_USER *MUST* be defined!!!  Edit the
    other anonymous settings (mail, telnet, goto, etc. etc. - there are
    many), and also things like jump file, SET_COOKIES, NEWS_POSTING,
    multi-bookmarks to give you the level of `security' you want.
    Nothing is 100%.  If you feel you must absolutely not allow a cracker
    to get into your system, it's best to not even try to set up an anonymous
    account.  It's a risk (but so is crossing the street :).
5)  On the Lynx command line use the -validate or -anonymous switch, set
    -cfg=, -homepage=, -restrictions=, and your startup URL.
6)  You will probably want to have syslog record some of the activity
    because you will eventually get some real crackpots using your
    account.

If I've left anything out, please fill me in.  I'd hate to lose my job.
Also, I'd like to ask,

Is there any way to have telnet refuse connections from specific IPs or
domains?  If I need a particular telnet daemon, it would have to be
freeware since we have no money.  Off the list would probably be better.

TIA

__Henry
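
The wrapper from steps 1, 3, 5 and 6 above, sketched as an added example that is not part of the original message or of the Lynx distribution. The install path, login directory, config file location and start URL are assumptions; `-restrictions=default` is Lynx's built-in anonymous restriction set and should be tightened to suit the account.

```shell
#!/bin/sh
# Captive login wrapper for an anonymous Lynx account (added example).
# Assumed install path: /usr/local/bin/lynx-captive, named in the last field
# of the account's /etc/passwd entry and made executable (chmod a+x).
# Every path and the start URL below are assumptions, not values from the post.

CAPTIVE_HOME=/home/lynx                       # login directory, no write permission needed
CAPTIVE_CFG=/usr/local/lib/lynx-captive.cfg   # lynx.cfg used only by this account
CAPTIVE_URL=file://localhost/home/lynx/index.html
LYNX_BIN=/usr/local/bin/lynx                  # built with ANONYMOUS_USER defined (step 4)

# Print the Lynx arguments one per line so they can be reviewed and tested.
lynx_args() {
    printf '%s\n' \
        "-anonymous" \
        "-cfg=$CAPTIVE_CFG" \
        "-homepage=$CAPTIVE_URL" \
        "-restrictions=default" \
        "$CAPTIVE_URL"
}

main() {
    # Fixed, minimal environment set immediately before starting Lynx, so
    # nothing inherited from the login picks the config or the start page.
    PATH=/bin:/usr/bin
    HOME=$CAPTIVE_HOME
    WWW_HOME=$CAPTIVE_URL
    LYNX_CFG=$CAPTIVE_CFG
    export PATH HOME WWW_HOME LYNX_CFG
    umask 077
    cd "$CAPTIVE_HOME" || exit 1
    # Step 6: leave a syslog record of each session start.
    logger -p auth.info -t lynx-captive "session start tty=$(tty 2>/dev/null)"
    # Load the argument list into "$@", then exec so Lynx replaces this
    # process and no shell is left behind when Lynx exits.
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(lynx_args)
EOF
    exec "$LYNX_BIN" "$@"
}

# Run only when invoked under the installed name (as the login shell).
case "$0" in
    */lynx-captive) main ;;
esac
```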