On Sat, Jul 14, 2007 at 04:11:28PM -0500, Scott Berry wrote:
> Hello guys and gals,
>
> I just downloaded the teamspeak server and it recommends that it not
> be run under root. So I chowned and chgrped all the files and put
> it under my group and user's home directory called teamspeak. Is
> this enough to ensure it runs under the right user and group or is
> there more involved? If so, can someone help to ensure it runs under
> the teamspeak user please?

That's marginally better, but you can do much, much better.

You have conflated two concepts, file ownership and the user under
which a process executes. I suspect your teamspeak process is still
running as root. If so, your precaution is likely useless.

Instead create a new user, say "teamspeak:teamspeak" (System ->
Administration -> Users and Groups). Don't give it a password or a
home directory, and change its shell to /sbin/nologin. Do give it its
own private group.

Having done that, change the ownership of the files for it back to
root:root, and make the files the teamspeak process has to read
readable but not writable by others. Any files it has to write (log
files, e.g.) should be owned and writable by teamspeak:teamspeak.

The idea is to minimize the damage a malicious attacker can do by
denying the process every possible privilege.

"man chown" and "man chmod" are your friends.

If teamspeak is designed to be run as a daemon, there should be a
script to place into /etc/rc.d/init.d. Do so, then run:

    chkconfig --add teamspeak

then:

    service teamspeak start

Of course, this discussion ignores selinux issues entirely.

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
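A read-only audit of the two things the reply above separates, the UID a process actually runs under and the ownership and modes of its files, added here as an example and not part of the original message. The install directory, the name of the writable subdirectory and the PID are caller-supplied assumptions, and `proc_euid` assumes a Linux `/proc`.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumptions: Linux /proc; install directory, writable subdirectory name
# and PID are supplied by the caller.

# proc_euid PID: print the effective UID the process runs under.
# File ownership does not change this: a daemon started by root stays UID 0.
proc_euid() {
    awk '/^Uid:/ { print $3 }' "/proc/$1/status"
}

# audit_tree DIR FILE_OWNER SVC_USER WRITABLE_SUBDIR
# FILE_OWNER and SVC_USER may be user names or numeric UIDs.
# Prints one line per violation and returns 1 if any were found.
audit_tree() {
    dir=$1 owner=$2 svc=$3 wdir=$1/$4

    # Outside the writable subdirectory: owned by FILE_OWNER and not
    # writable by others (group write is flagged too, a stricter reading).
    # Symlink modes carry no meaning, so symlinks are skipped.
    ro=$(find "$dir" -path "$wdir" -prune -o ! -type l \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)

    # Inside it: owned by the service user and never world-writable.
    rw=$(find "$wdir" ! -type l \
            \( ! -user "$svc" -o -perm -002 \) -print)

    [ -n "$ro" ] && printf '%s\n' "$ro" | sed 's/^/read-only area violation: /'
    [ -n "$rw" ] && printf '%s\n' "$rw" | sed 's/^/writable area violation: /'
    [ -z "$ro$rw" ]
}
```

For the layout in the reply the call would look like `audit_tree /path/to/teamspeak root teamspeak logs`, with the path and `logs` replaced by the real install directory and log directory, and `proc_euid` should print a non-zero UID for the running server.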