Monthly Archives: March 2014

Security and Pen

Prompted by this:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370

Summary: if you use Pen's non-default features but none of its security features, you can end up with something not very secure. At first I thought “why do that?”, but then I realized that Debian ships Pen without a lot of configuration hints. So here are a few:

  • Don’t run Pen as root
  • Use a jail
  • Use access lists to limit access

 

Here’s what needs to be done to create a chroot jail for Pen and run it there as a non-root user. A start/stop script is included.

useradd pen
mkdir -p /var/lib/pen/etc /var/lib/pen/tmp
chown pen /var/lib/pen/tmp
grep ^pen: /etc/passwd > /var/lib/pen/etc/passwd
cat << EOF > /var/lib/pen/etc/pen.cfg
acl 0 deny 0.0.0.0 0.0.0.0
control_acl 0
acl 1 deny 0.0.0.0 0.0.0.0
client_acl 1
server 0 address 127.0.0.1 port 88
EOF
cat << EOF > /etc/init.d/pen
#!/bin/sh

case "\$1" in
start )
        # -u pen: run as the unprivileged pen user; -F and -p paths are relative to the jail
        pen -u pen -j /var/lib/pen -C 10080 -F /etc/pen.cfg -p /tmp/pen.pid 8080
        ;;
stop )
        kill \`cat /var/lib/pen/tmp/pen.pid\`
        ;;
* )
        echo "Usage: \$0 start|stop"
        ;;
esac
EOF
chmod +x /etc/init.d/pen
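
A quick way to check a deployment against the three hints above. This is an added example, not part of the original post or of Pen itself; the function name `lint_pen` and the sample launch line are made up for illustration, and it assumes flags are written separately (`-u pen`, not bundled).

```shell
#!/bin/sh
# Added example (not from the original post): lint a pen command line and
# pen.cfg against the three hints. Assumes flags are written separately
# ("-u pen", not bundled).
# Prints one line per finding; return status = number of findings.

lint_pen() {
    cmdline=$1   # the "pen ..." line from the init script
    cfg=$2       # path to pen.cfg as seen from outside the jail
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Hints 1 and 2: -u switches user, -j chroots.
    case " $cmdline " in *" -u "*) ;; *) note "no -u: pen keeps the caller's uid" ;; esac
    case " $cmdline " in *" -j "*) ;; *) note "no -j: pen is not chrooted" ;; esac

    # Hint 3: control_acl and client_acl should name an ACL defined in the file.
    for kind in control_acl client_acl; do
        n=$(awk -v k="$kind" '$1 == k { n = $2 } END { print n }' "$cfg")
        if [ -z "$n" ]; then
            case "$kind:$cmdline " in
                client_acl:*)         note "client_acl not set" ;;
                control_acl:*" -C "*) note "-C enables the control port but control_acl is not set" ;;
            esac
        elif ! awk -v n="$n" '$1 == "acl" && $2 == n { f = 1 } END { exit !f }' "$cfg"; then
            note "$kind $n names an ACL with no entries in $cfg"
        fi
    done
    return "$findings"
}

# Constructed sample input: the ACL lines from the post, one launch line without -u/-j.
sample=$(mktemp)
printf '%s\n' 'acl 0 deny 0.0.0.0 0.0.0.0' 'control_acl 0' \
              'acl 1 deny 0.0.0.0 0.0.0.0' 'client_acl 1' > "$sample"
lint_pen "pen -C 10080 -F /etc/pen.cfg 8080" "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

Point the second argument at the config as seen from outside the jail, e.g. /var/lib/pen/etc/pen.cfg for the setup above.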