|Line 64:||Line 64:|
| * By default, your UNIX user can't even create Internet sockets. This works out well for most members, and it removes possibilities for exploits that go through your account and need to create sockets. If you do need to create sockets, that's fine; just e-mail email@example.com with a brief explanation of why you need this.
* We can go even more paranoid than this and set up your UNIX user to be unable to execute programs that aren't located in root-owned directories. This would be a good setting for someone who only runs static web sites, for example. If you would like this extra protection, e-mail firstname.lastname@example.org about it.
* Even once you are allowed to create sockets, our firewall is going to restrict you to using just a few standard ports. If you want to use any other ports, let us know at, you guessed it, email@example.com. See FirewallRules for more information.
| * By default, your UNIX user can't even create Internet sockets. This works out well for most members, and it removes possibilities for exploits that go through your account and need to create sockets. If you do need to create sockets, that's fine; just [https://members.hcoop.net/portal/sec request a change in your security settings].
* We can go even more paranoid than this and set up your UNIX user to be unable to execute programs that aren't located in root-owned directories. This would be a good setting for someone who only runs static web sites, for example. You can request this [https://members.hcoop.net/portal/sec request a change at the same place] as in the last case.
* Even once you are allowed to create sockets, our firewall is going to restrict you to using just a few standard ports. You can [https://members.hcoop.net/portal/sec request more]. See FirewallRules for more information.
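Review bot: The second added bullet doubles the verb around the link: "You can request this [https://members.hcoop.net/portal/sec request a change at the same place] as in the last case" reads as "You can request this request a change at the same place". Drop "request this" so the sentence becomes "You can [https://members.hcoop.net/portal/sec request a change at the same place] as in the last case." In the third added bullet, the link text "request more" would be clearer as "request more ports".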
|Line 69:||Line 69:|
|* You aren't allowed to use `cron` by default. By now, you can probably guess what to do if you need to use it.||* You aren't allowed to use `cron` by default, but you can [https://members.hcoop.net/portal/sec request access].|
|Line 91:||Line 91:|
=== Security settings ===
We pointed you to [https://members.hcoop.net/portal/sec this page] above for requesting permissions related to network sockets and `cron` access.
OK, so it looks like you'll be joining us! In the descriptions below, we'll assume you've already been approved to join. Here's what you need to know about the process from here on.
To complete the joining process...
Each hcoop member has a balance, keeping track of unspent money that member has sent to the co-op. Most members prepay about a year's worth of estimated charges at a time and send new payments when they see their balances going low. Our policy is that every member must make a refundable "deposit" of $10 on joining. This is equivalent to requiring that your balance stay above that amount.
Before we give you an account on our servers, we need an initial payment from you. This should include the deposit amount and some additional amount, as determined by you. Like we said, prepaying an estimated year's costs is popular. If your balance goes below the deposit amount for too long a period, we'll be forced to cancel your membership, unless there are very extenuating circumstances. This means that paying the minimum amount will require that you remember to make frequent payments.
You can pay electronically using PayPal to the address firstname.lastname@example.org. Please send PayPal payments to the address just given instead of anyone's personal e-mail address; it's important for tax purposes to keep this separate. You can use any other reasonable payment method you want, as long as it involves United States dollars reaching our treasurer. However, please e-mail email@example.com about any non-PayPal method of payment before using it.
Keep in mind the service fees associated with each method. For example, PayPal's fees are such that you save money by sending as much money at once as possible.
MemberDues contains more information on payment policies.
Once you've paid, we can get started setting up your account. The big issue here is getting your initial password set. We don't want any unauthorized people to get ahold of your password and gain access to your account. Any unencrypted password sent over the Internet, including through e-mail, is vulnerable to interception by many people. Our two main approaches to this are:
If you create an ssh public key and e-mail it to us at firstname.lastname@example.org, we can create your account with your key pre-installed. You'll then be able to connect without needing to know a new password. We'll send you instructions on how to set your password from that point, since you do need to use a password for some services.
SshConfiguration contains a tutorial on how you can set up ssh public-key encryption. We're open to other crypto-based bootstrapping methods if you prefer them.
If cryptography scares you, then we can try to minimize the time between when we send you your random password in cleartext and when you log in to our server and change it over an encrypted connection.
This works best with a short meeting with an admin over IRC or an instant messaging service. Unencrypted e-mail is absolutely not acceptable, since there may be too long of a period when a password that has been sent in cleartext is still valid. A good way to initiate this set-up process is to drop into our IRC channel, #hcoop on [http://freenode.net/ Freenode], and ask if any admins are there.
Make sure you have an ssh client on hand, as you will be asked to ssh to hcoop.net within a minute or so to set your new password.
But, really, why not just use crypto? This is the 21st century, after all!
You should have chosen your e-mail preferences when you applied. What we're referring to is whether you want e-mail to your account to be stored on our servers (and accessed via IMAP or POP3) or forwarded to an existing e-mail address. If you don't choose to forward it away, please be sure to check your hcoop e-mail box as often as any other personal mailbox! We may need to contact all members with some time-critical announcements.
While there was a one-time way to set this preference when you applied, you can change it after joining by editing/deleting your `~/.forward` file in the usual UNIX fashion.
We'll send important announcements through the hcoop-announce mailing list. Every member is subscribed to this on joining. This is for on-topic announcements about the co-op and the services we provide. It's moderated, and we don't allow discussion or anything else high volume enough to encourage members to start ignoring the list.
Since we currently run based entirely on volunteer labor, we're unable to guarantee any uptime for your services if you don't read every message sent to the announcements list in a prompt manner! Sometimes we will need your help to keep your stuff going.
For less time-sensitive traffic, we have the hcoop-discuss list. It's meant for on-topic discussion. There's also hcoop-misc, for anything at all that you think might be of interest to hcoop members. Subscription to either of these lists is voluntary. You can also set preferences for them after subscribing, including switching them to digest mode. This means that you receive at most one message a day, containing everything sent to the list that day. This increases the average delay to receive a message but decreases volume, in terms of number of messages sent to you.
See the section on preferences below for information on setting your subscriptions.
We're pretty gung-ho about security. To the best of our knowledge, hcoop is unique in providing the level of hosted service flexibility that we do to the general public. Naturally, we have to make sure that we don't provide members enough "flexibility" to rain on other members' parades! We have a number of custom tools designed in an attempt to find the right balance between flexibility/ease of use and security.
There are a few things about our set-up that may surprise you in comparison to other Internet hosting and "shell server" providers. Let's start with the good surprises!
- After getting admin approval for setting up your domain names on our servers, you will be able to use them with standard, shared daemons in pretty much any way that you'd like, without needing to wait for a superuser to approve any more requests.
- You can even run novel services or daemons that you've written yourself!
Now the "bad news," which isn't really that bad, because it helps ensure the stability of our services.
- By default, your UNIX user can't even create Internet sockets. This works out well for most members, and it removes possibilities for exploits that go through your account and need to create sockets. If you do need to create sockets, that's fine; just [https://members.hcoop.net/portal/sec request a change in your security settings].
- We can go even more paranoid than this and set up your UNIX user to be unable to execute programs that aren't located in root-owned directories. This would be a good setting for someone who only runs static web sites, for example. You can [https://members.hcoop.net/portal/sec request a change at the same place] as in the last case.
- Even once you are allowed to create sockets, our firewall is going to restrict you to using just a few standard ports. You can [https://members.hcoop.net/portal/sec request more]. See FirewallRules for more information.
- We've had problems in the past with runaway user processes exhausting available memory and crashing just about everything running on the server. To help avoid this, we impose "ulimits" on how many processes you can run at once and how much RAM you can use. If you do anything resource-intensive, you'll likely run into this, in the form of mysterious program crashes. UsingResourceLimits has more information.
- We also impose disk quotas, to prevent runaway disk-writing processes from filling up our disks. You can run `quota -g` to see your quota information. We're very unlikely to grant any requests for quota increases on our present server, since it's just too much work to get new disks added at the remote facility where our dedicated server lives.
- You aren't allowed to use `cron` by default, but you can [https://members.hcoop.net/portal/sec request access].
- There are probably other things that we've forgotten to list that we are glad to allow you to do, but that you aren't allowed to do by default. Don't assume that any limitations you encounter are "hard limits." They're more likely to be default security choices, in the spirit of least privilege.
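To see which of these defaults apply to an account from the inside, a small self-check helps when a program fails "mysteriously". The script below is an added example, not one of hcoop's tools; it assumes a denied socket call surfaces as an `OSError` and that the RAM limit is enforced as `RLIMIT_AS`, and its function names are hypothetical.

```python
import errno
import resource
import socket

# Limits the page says are imposed via "ulimits": process count and RAM.
# Mapping "RAM" to RLIMIT_AS (address space) is an assumption of this example.
LIMITS = {
    "max processes": (resource.RLIMIT_NPROC, 1),
    "address space (MiB)": (resource.RLIMIT_AS, 1024 * 1024),
}


def can_create_inet_socket():
    """Return (allowed, detail) for creating an Internet socket.

    Only socket() is called; nothing is bound or connected, so no traffic
    is generated. A denial is assumed to surface as an OSError.
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, "unknown")
        return False, f"denied ({name})"
    s.close()
    return True, "allowed"


def format_limit(value, divisor=1):
    """Render a soft limit, treating RLIM_INFINITY as 'unlimited'."""
    if value == resource.RLIM_INFINITY:
        return "unlimited"
    return str(value // divisor)


def account_report():
    """Collect the restrictions visible from inside the account."""
    _, detail = can_create_inet_socket()
    report = {"internet sockets": detail}
    for label, (res, divisor) in LIMITS.items():
        soft, _hard = resource.getrlimit(res)
        report[label] = format_limit(soft, divisor)
    return report


if __name__ == "__main__":
    for item, value in account_report().items():
        print(f"{item:22} {value}")
```

A "denied" socket line or a low process or address-space figure points to a default security setting rather than a bug in your program.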
The web portal
[https://members.hcoop.net/portal/portal Our web portal] is your starting point for the information and services we can provide. We recommend following the link to it now and walking through the different parts as we discuss them here.
You won't be able to access the portal until you have an account, at which time you'll be able to run the `webpasswd` command-line program to set the password you use to access it.
[https://members.hcoop.net/portal/pref Here] you can set a number of important options.
First, you have the option to include yourself in the [http://hcoop.net/dyn/members.html public directory of hcoop members]. We recommend checking this if you feel comfortable doing so.
You can also set whether or not you are subscribed to our two optional mailing lists.
[https://members.hcoop.net/portal/money Here] you can keep track of your monetary balance and the history of transactions you've been involved in.
We pointed you to [https://members.hcoop.net/portal/sec this page] above for requesting permissions related to network sockets and `cron` access.
You can add information on [https://members.hcoop.net/portal/contact how to contact you] through a variety of media. For each entry, you can choose an access level to control who is allowed to see that entry. We recommend that you add at least a "Non-hcoop e-mail" that at least admins can see, so that it's easier to contact you if we're ever having trouble handling e-mail to your account.
Your geographic locations
[https://members.hcoop.net/portal/location This] is a "just for fun" kind of thing to help members and the general public get an idea of how hcoop members are distributed around the world. Information on where members live is [http://hcoop.net/dyn/locs.html published on the main site] without any association between locations and particular members. If willing, please mark where you spend most of your time, adding any locations that aren't already present.
Public URL directory
Here you can request that various administrative actions be performed on your behalf.
A brief comment on support: While many admins will be readily reachable on IRC or other such services, please resist the urge to expect them to help you in real-time. You place much less demand on these volunteers' time by using the portal's support system to submit requests. This allows the people who can help you to keep track of pending requests and schedule appropriately to handle them.
Request control of a domain with domtool
We have [http://hcoop.sf.net/ a system developed in-house] to help members manage their services, described in DomainTool. To be able to use it, you need to be granted access to one or more domains. This portal feature lets you [https://members.hcoop.net/portal/domain request that].
Request Debian apt packages
We run [http://www.debian.org/ Debian] [http://www.debian.org/devel/testing testing] on our servers. That means it's much easier for us to install and maintain software if it is in the main [http://packages.debian.org/ Debian testing package database]. [https://members.hcoop.net/portal/apt This portal feature] lets you request that we install some of these packages. It also validates your requests by making sure that all the packages you want exist and are not already installed, showing you their descriptions to make sure you are asking for the correct thing.
Request a Mailman mailing list
We have a shared installation of the [http://www.list.org/ Mailman] mailing list software. [https://members.hcoop.net/portal/list Here] you can request that we create a new list for you in that system.
Other support request
If your request doesn't fall into the above categories, [https://members.hcoop.net/portal/support this] is the place to go. You choose a category and submit an issue to be considered by the people in charge of that category.
In addition to what you'd expect from a support system with a commercial service, we also have a twist on the old ideas: Any member can subscribe to any support category. If you've subscribed to a category, you'll be notified of requests for help in that category, and you can participate just like an "admin." For requests when you desire privacy, we have an option to only make the issue accessible to admins.
Please subscribe to all the support categories you feel competent and willing to help with!
Review pending membership applications
For every new membership application, we have a two-day waiting period when current members can review the application. If you're interested, you can take a [https://members.hcoop.net/portal/apps look at these].
Contact information directory
Here you can list [https://members.hcoop.net/portal/dir member contact information] by type of contact.
This [https://members.hcoop.net/portal/poll public-ballot voting system] can be used both for formal and informal polls.
On the informal side, you can initiate a poll on any issue for which you'd like members' input.
On the formal side, this is the mechanism for handling votes described in our ["Bylaws"]. For "serious" votes like this, you should be sure to set the poll to start well enough after you create it, and you should announce it on hcoop-announce.
This wiki is our primary source for recording sundry information of interest to members. Take a look around before asking any question you have. You should be able to find instructions for most things a small number of clicks away from the FrontPage.