Permissions, permissions, permissions

Please understand that the bbsadmin account was removed in order to simplify the permissions issues that plague Linux BBS software. My recommendation is to take a few extra steps when working on your setup to harden your security and keep things running smoothly. I'll outline those here.

First, create an ownership script. This is something that should run periodically to conduct a quick sanity-check-and-fix procedure on your BBS directory. For the sake of documentation, the user accounts in question will be 'bbs' and 'zipcheck', and the install location will be '/home/bbs', just like in the rest of the documentation. My ownership script example will be called '/home/bbs/' and it looks like this:

#!/bin/sh
# Everything under the BBS tree belongs to the bbs user and group
chown -R bbs:bbs /home/bbs
chmod 775 /home/bbs
# The runas helper is the one exception: owned by zipcheck and setuid
chown zipcheck /home/bbs/utils/runas
chmod u+s /home/bbs/utils/runas

After you save that file, make it executable:

chmod +x /home/bbs/

Then add it as an hourly cron job for the root account (it has to run as root, since only root can chown files to other users). Switch to root:

sudo su

Open root's crontab:

crontab -e

and add the hourly job that runs the script:

0 * * * * /home/bbs/

Now you're set with permissions. I also add this script as part of my login sequence, and after I change anything in the BBS file system (art, menus, compiling daydream.cfg, etc.) I always run this script.
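
The script above silently forces the tree back into shape. The version below is an added example (not from the DayDream documentation) of the same sanity-check-and-fix procedure written to audit first and report drift, so the hourly cron run tells you when and where something changed ownership or modes. The users and paths follow the page; the function names, the GNU stat usage and the "--fix" switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the DayDream documentation: an audit-then-fix
# version of the ownership script. It reports what drifted before touching
# anything, so the hourly cron log shows when and where the tree changed.
# Users and paths follow the page; everything else is an assumption.
# Uses GNU stat (-c); on BSD/macOS replace mode_of/owner_of with stat -f.
BBS_ROOT="${BBS_ROOT:-/home/bbs}"
BBS_USER="${BBS_USER:-bbs}"
RUNAS_USER="${RUNAS_USER:-zipcheck}"

mode_of()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 775 or 4755
owner_of() { stat -c '%U' "$1"; }   # owning user name

# check_mode PATH EXPECTED -> 0 if the mode matches, 1 (plus a report line) if not
check_mode() {
  actual=$(mode_of "$1") || return 1
  [ "$actual" = "$2" ] && return 0
  printf 'drift: %s mode %s, expected %s\n' "$1" "$actual" "$2"
  return 1
}

# check_owner PATH USER -> 0 if PATH is owned by USER, 1 otherwise
check_owner() {
  actual=$(owner_of "$1") || return 1
  [ "$actual" = "$2" ] && return 0
  printf 'drift: %s owned by %s, expected %s\n' "$1" "$actual" "$2"
  return 1
}

# check_setuid PATH -> 0 if the setuid bit is set (the runas helper needs it)
check_setuid() {
  [ -u "$1" ] && return 0
  printf 'drift: %s is not setuid\n' "$1"
  return 1
}

# foreign_files ROOT USER -> every path under ROOT not owned by USER,
# ignoring utils/runas, which is meant to belong to RUNAS_USER
foreign_files() {
  find "$1" ! -user "$2" ! -path "$1/utils/runas" -print
}

# audit -> 0 when the tree matches the page's layout, 1 when anything drifted
audit() {
  rc=0
  check_owner "$BBS_ROOT" "$BBS_USER" || rc=1
  check_mode "$BBS_ROOT" 775 || rc=1
  check_owner "$BBS_ROOT/utils/runas" "$RUNAS_USER" || rc=1
  check_setuid "$BBS_ROOT/utils/runas" || rc=1
  foreign=$(foreign_files "$BBS_ROOT" "$BBS_USER")
  if [ -n "$foreign" ]; then
    printf 'drift: not owned by %s:\n%s\n' "$BBS_USER" "$foreign"
    rc=1
  fi
  return $rc
}

# fix_tree: the page's four original commands, applied only after an audit
fix_tree() {
  chown -R "$BBS_USER:$BBS_USER" "$BBS_ROOT"
  chmod 775 "$BBS_ROOT"
  chown "$RUNAS_USER" "$BBS_ROOT/utils/runas"
  chmod u+s "$BBS_ROOT/utils/runas"
}

# main [--fix]: audit; with --fix also repair and re-audit. Drift lines go to
# stdout (so cron mails them to root); exit status is 0 only when the tree
# is correct after the run.
main() {
  if audit; then echo "ok: $BBS_ROOT matches expected ownership"; return 0; fi
  [ "${1:-}" = "--fix" ] || return 1
  fix_tree && audit
}

# Only run the entry point when the BBS tree exists on this host.
if [ -d "$BBS_ROOT" ]; then main "$@"; fi
```

In the cron line, call it with "--fix" to keep the original behaviour; without the flag it only reports, which is the safer mode to run from your login sequence so you see what moved before anything gets chowned back.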

Security Hardening

Forgive me for insulting anyone's intelligence here, but I just wanted a quick place to touch on some security hardening. If you open your BBS up to encrypted SSH access, you'll have to publicize the password or otherwise share RSA keys with people. This seems more secure, and it is, but there are other considerations. First, you'll need to turn off SFTP. Open your /opt/ssh/etc/sshd_config file and comment out this line:

# Subsystem sftp /opt/ssh/libexec/sftp-server

Since we've changed the user's shell to a specific DayDream executable, the user shouldn't be able to use scp. However, if you're concerned, remove scp completely by deleting the file, renaming it, or using an ACL to deny the BBS user access to it. You'll have to figure that one out on your own :)

Furthermore, you'll want to lock down the daydream user's access to any other ports on localhost, you'll probably want to make the user unable to reach any external IPs in your iptables rules, and if you're super paranoid, you can restrict the user's file system access so that it has to stay in your /home/bbs directory.
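
The sshd and iptables restrictions above can be kept in one reviewable script instead of hand edits. The following is an added example, not code from the DayDream project or from OpenSSH: it generates an sshd "Match User" block that leaves the BBS user nothing but the forced login command, and iptables egress rules keyed on that user's uid. The Match keywords and the iptables "owner" match are real features; the path in BBS_LOGIN is a placeholder standing in for whatever DayDream login binary you set as the user's shell, since the page does not give that path.

```shell
#!/bin/sh
# Added example, not from the DayDream documentation or OpenSSH: generate
# the sshd and iptables settings that confine the BBS login user, so the
# restrictions from the text above are one reviewable script rather than
# hand edits. Assumes OpenSSH "Match" blocks and the iptables "owner" match.
# BBS_LOGIN is a placeholder for whatever DayDream login binary the user's
# shell was set to; the page does not give that path.
BBS_USER="${BBS_USER:-bbs}"
SSHD_CONFIG="${SSHD_CONFIG:-/opt/ssh/etc/sshd_config}"
BBS_LOGIN="${BBS_LOGIN:-/home/bbs/daydream-login}"

# sshd_match_stanza USER: a Match block that leaves the user only the forced
# command. ForceCommand runs for every session type, so scp/sftp requests
# from this user land in the BBS login instead of a file transfer.
# (Subsystem is not valid inside Match; sftp stays disabled by commenting
# out the global Subsystem line as described above.)
sshd_match_stanza() {
  cat <<EOF
Match User $1
    ForceCommand $BBS_LOGIN
    PermitTTY yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# iptables_rules USER: egress rules keyed on the uid that owns the socket
# (the owner match works only in the OUTPUT and POSTROUTING chains). Packets
# to loopback traverse OUTPUT too, so this covers "other ports on localhost"
# as well as external IPs. New connections are logged first so attempts
# show up in the kernel log, then everything from that uid is rejected.
iptables_rules() {
  cat <<EOF
iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $1 -j LOG --log-prefix "bbs-egress: "
iptables -A OUTPUT -m owner --uid-owner $1 -j REJECT
EOF
}

# apply: append the stanza once, verify the config still parses, then load
# the rules. Run as root; sshd only reads the file on reload/restart.
apply() {
  if ! grep -q "^Match User $BBS_USER\$" "$SSHD_CONFIG"; then
    sshd_match_stanza "$BBS_USER" >> "$SSHD_CONFIG"
  fi
  sshd -t -f "$SSHD_CONFIG" || { echo "sshd_config failed to parse; fix it before reloading" >&2; return 1; }
  iptables_rules "$BBS_USER" | sh -e
}

# With no arguments just print what would be applied (safe to run anywhere).
if [ "${1:-}" = "--apply" ]; then apply; else sshd_match_stanza "$BBS_USER"; iptables_rules "$BBS_USER"; fi
```

Before persisting the iptables rules, log in as the BBS user and confirm the session still works: the SSH connection's own socket was opened by sshd, not by the user's processes, so it is unaffected, but anything DayDream itself opens (a connection to a local service, for example) will now be rejected and logged with the "bbs-egress:" prefix and needs an explicit ACCEPT line inserted above these two.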

This is a working document, I plan to add significant information here in the future.