
3. NEW GUIDE: Step-by-step guide

3.1 Install RH

Install Red Hat (hereafter just RH) Linux on the box. Make sure shadow and MD5 passwords are enabled. And have a nice long root password! Refer to the corresponding installation guides.

3.2 Clean-up packages

RH Linux was and is *really* buggy out of the box (both local and remote exploits are discovered every day, see the BugTRAQ database), and many software packages installed by default can be used to obtain a root shell from a non-privileged account or, in the worst cases, across the network (or just to mess up the box). Thus special attention should be given to package selection on the browser workstation.

3.3 Install ssh

Install the ssh-server RPM for remote administration. Do NOT use inetd daemon mode; make sshd run standalone and use /etc/hosts.allow for access control (the ssh daemon will read the file upon startup).

3.4 Make a boot floppy

Make sure you create a boot floppy using the mkbootdisk command, as errors in the LILO configuration might render the system unbootable.

3.5 Modify configs

Make the following modifications to configuration files

3.6 Create user

Create user netscape; its home directory will be /home/netscape.

3.7 Change Netscape settings

Start netscape and apply restricted settings as:

3.8 Chown the home directory

Chown /home/netscape to root (with chown -R root.root /home/netscape). Make sure that the home directory belongs to root, that there are no world-writable files or subdirectories in it, and that permissions are at least:

/home/netscape/:
total 9
drwxr-xr-x    4 root     root         1024 Sep  7 18:29 .
drwxr-xr-x    4 root     root         1024 Sep  7 18:30 ..
-rw-r--r--    1 root     root           16 Sep  7 18:29 .bash_history
-rw-r--r--    1 root     root           24 Sep  5 08:21 .bash_logout
-rw-r--r--    1 root     root          230 Sep  5 08:21 .bash_profile
-rw-r--r--    1 root     root          124 Sep  5 08:21 .bashrc
-rw-r--r--    1 root     root           93 Sep  7 18:25 .mailcap
-rw-r--r--    1 root     root            0 Sep  7 18:25 .mime.types
drwxr-xr-x    4 root     root         1024 Sep 10 08:38 .netscape
drwxr--r--    2 root     root         1024 Sep  6 00:04 .xauth

/home/netscape/.netscape:
total 264
drwxr-xr-x    4 root     root         1024 Sep 10 08:38 .
drwxr-xr-x    4 root     root         1024 Sep  7 18:29 ..
drwxr--r--    2 root     root         1024 Sep  6 00:04 archive
-rw-------    1 root     root        14757 Sep  7 18:38 bookmarks.html
drwxr--r--    3 root     root         1024 Sep  7 18:24 cache
-rw-r--r--    1 root     root       188416 Sep  6 00:05 cert7.db
-rw-r--r--    1 root     root        16384 Sep  7 18:30 history.dat
-rw-r--r--    1 root     root          111 Sep  7 16:20 history.list
-rw-r--r--    1 root     root        16384 Sep  6 00:05 key3.db
-rw-r--r--    1 root     root            0 Sep  6 00:04 nswrapper.copy_defs
-rw-r--r--    1 root     root          279 Sep 10 08:38 plugin-list
-rw-r--r--    1 root     root         3398 Sep  7 18:29 preferences.js
-rw-r--r--    1 root     root          741 Sep  7 18:29 registry
-rw-r--r--    1 root     root        16384 Sep  7 18:29 secmodule.db

Carefully test netscape functionality upon doing the chown to root! At present, I have not found a way to avoid periodic Netscape complaints about "Can't write preferences".

Another note is appropriate. Netscape is VERY buggy (the latest example is a Red Hat Linux Security Advisory that presents a way to crash and exploit netscape using a specially crafted JPEG image) and is likely to crash periodically, possibly producing a buffer overflow with shell access for the intruder. This shell will have the netscape user as owner. Thus the absence of xterm and rxvt on the system is absolutely crucial, as it provides another line of defense. Permissions on the system should also be set very conservatively (no world-writable files). Ideally, NO files should be owned by user "netscape" on the system AT ALL (run find / -user netscape to confirm this, and also check for world-writable files with find / -perm -2 ! -type l -ls).

3.9 Config lilo

Modify /etc/lilo.conf as follows:


boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux

image=/boot/vmlinuz-2.2.14-5.0
        label=linux
        read-only
        root=/dev/hda1
        restricted

The word restricted makes LILO prompt for a password before it will enter a non-standard runlevel (e.g. linux init 0 typed at the LILO: prompt).

This assumes the stock RH 6.2 kernel. A kernel upgrade to 2.2.16 might be a good idea, as some bugs were found in early 2.2.14 kernels (low risk).

3.10 REMOVE binaries

REMOVE the xterm executable, /usr/X11R6/bin/xterm, COMPLETELY! This is REALLY IMPORTANT, as a shell will be much harder to obtain in this case. Make sure its clone, rxvt, is not installed! Ideally, all programs that can spawn a shell should be removed.
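
The checks from sections 3.8 and 3.10 collected into one audit script, as an added example that is not part of the original guide. The function names, the run argument and the list of bin directories are assumptions made here.

```shell
#!/bin/sh
# Added example: post-lockdown audit for the kiosk box (sections 3.8, 3.10).

# audit_home DIR OWNER: list entries under DIR that are not owned by OWNER
# or are world-writable (symlinks are skipped for the mode test, as in the
# page's find). Returns 0 when the tree is clean, 1 otherwise.
audit_home() {
    bad=$(find "$1" \( ! -user "$2" -o \( -perm -2 ! -type l \) \) -print)
    if [ -n "$bad" ]; then
        printf 'wrong owner or world-writable:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# owned_by USER ROOT: the page's "find / -user netscape" with a chosen
# starting point. Returns 0 only when USER owns nothing under ROOT.
owned_by() {
    hits=$(find "$2" -user "$1" -print 2>/dev/null)
    if [ -n "$hits" ]; then
        printf 'owned by %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# shell_spawners DIR...: report xterm or rxvt if either is still
# executable in one of the given directories. Returns 1 if any is found.
shell_spawners() {
    found=0
    for d in "$@"; do
        for b in xterm rxvt; do
            if [ -x "$d/$b" ]; then
                echo "remove: $d/$b"
                found=1
            fi
        done
    done
    return "$found"
}

# Run all checks with the page's values: sh kiosk-audit.sh run
# (the bin directory list is an assumption; extend it for your PATH).
if [ "${1:-}" = run ]; then
    rc=0
    audit_home /home/netscape root || rc=1
    owned_by netscape / || rc=1
    shell_spawners /usr/X11R6/bin /usr/bin /usr/local/bin || rc=1
    exit "$rc"
fi
```

Running it after every package update catches a reinstalled xterm or a file that netscape has come to own.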

3.11 Physical security

Some physical security

3.12 Some final touches

Some final touches (nice but not essential for system functionality)

