Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: lists.debian.org > debian-user-digest > 07 > 070209.html (Request Expert lists.debian.org Support)

debian-user-digest Digest V2007 #2029

From: <debian-user-digest-request(at)lists.debian.org>
Date: Thu Jul 26 2007 - 15:56:55 EDT


Content-Type: text/plain

debian-user-digest Digest Volume 2007 : Issue 2029

Today's Topics: 

  Re: How to generate script with Apac  [ Andrew Sackville-West  ]
  Re: why do iceweasel et al have more  [ Hugo Vanwoerkom  ]
  Re: with etch, /etc/fstab root not n [ bob@proulx.com (Bob Proulx) ]

Date: Thu, 26 Jul 2007 10:54:03 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com> To: debian-user@lists.debian.org
Subject: Re: How to generate script with Apache and run it by root avoiding

        to "kill" security
Message-ID: <20070726175403.GL4520@localhost.localdomain> Content-Type: multipart/signed; micalg=pgp-sha1;

        protocol="application/pgp-signature"; boundary="p7S+EREVcBHk3zUG" Content-Disposition: inline

--p7S+EREVcBHk3zUG 

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Do you need help?X

On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> Hi List,

>=20

> I am creating a PHP small program that will interact with MySQL and
> will have the policies for the people in my office, i.e.:
> Who can or can not access MSN messenger
> Who can or can not access WWW
>=20

> etc. once this is stored, a shell script with the iptables rules
> should be created, and then run.
>=20

> I do not want to run it with Apache, so I was thinking on creating a
> CRON job that will run it as root once every n minutes, but the issue
> i see here, is that if somebody "break" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.

>=20
> any better ideas about how can I achieve my goal?

I don't see how you could possibly create a publicly available interface to change something as fundamental as your firewall and have it _not_ be a security risk.=20

maybe you could create a user that only has permissions to run one script and that one script is only allowed to change your firewall rules in specific ways, but even so I think you're asking for trouble.

and take that all with appropriate salt as I am no security expert, it just seems kind of obvious to me...

A

--p7S+EREVcBHk3zUG 

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqN+7aIeIEqwil4YRAkCYAKC0DkvaWrdqKzI980c+QiHAETc78wCeMlO+ oj5VJbq54a9fk/Ts99gqHp4=
=BYZZ
-----END PGP SIGNATURE----- --p7S+EREVcBHk3zUG--

Do you need more help?X

Date: Thu, 26 Jul 2007 10:49:29 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com> To: debian-user@lists.debian.org
Subject: Re: How Debian BTS and its tools can be improved (user poll). Message-ID: <20070726174928.GK4520@localhost.localdomain> Content-Type: multipart/signed; micalg=pgp-sha1;

        protocol="application/pgp-signature"; boundary="d6d1KVhp94hk3Jrm" Content-Disposition: inline

--d6d1KVhp94hk3Jrm 

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jul 26, 2007 at 03:34:58PM +0000, Oleg Verych wrote:
> What, on your opinion, can be done better in Debian BTS, reportbug?

1)I agree with kamaraju (sp?) that submitter should be automatically subscribed to the bug, or even better, given the option to subscribe =66rom within reportbug at submittal time.=20

2)also, I'd love to see a final option to change the From: address in reportbug as various times I've been an idiot and completed a whole report not realising that I had a bogus From:... but I can get pretty stupid sometimes...

>=20
> Why do you think it's better than current approach (if exists)?

Can we help you?X

1)it places the burden of subcribing on the submitter, but makes it dead-stupid easy to subscribe (you could bypass any confirmation email etc...) and takes work load of keeping track of CC's off the maintainer.=20

2) theres already a stupid_mode in the code, so why not more of the

   same? ;)

>=20
> What can you do to help with that?

I don't know, maybe hack reportbug to include this option, but I haven't looked at it closely.=20 

>=20
>=20

> Some related contex:
> ~~~~~~~~~~~~~~~~~~
> <http://mid.gmane.org/slrnfa13fp.anq.for.gmane@flower.upol.cz>

heh. I like that one...

A

--d6d1KVhp94hk3Jrm 

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
Can't find what you're looking for?X

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqN6oaIeIEqwil4YRAhGlAKC7mlyI4I/xRhenGzBgWgEVAGrapgCeKAxL LXogzv+owUbb1mnvjDO8A/0=
=+Iki
-----END PGP SIGNATURE----- --d6d1KVhp94hk3Jrm--

Date: Thu, 26 Jul 2007 10:57:58 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com> To: debian-user@lists.debian.org
Subject: Re: how to restore bios password (PHEONIX on acer 5102) Message-ID: <20070726175758.GM4520@localhost.localdomain> Content-Type: multipart/signed; micalg=pgp-sha1;

        protocol="application/pgp-signature"; boundary="4oQnj4jcM03NhqPN" Content-Disposition: inline

--4oQnj4jcM03NhqPN 

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jul 26, 2007 at 02:15:31PM +0200, Jabka Atu wrote:
> Thnx ,.
> but the issue is that afaik if i open the laptop i will lose my warrenty.
> what about flashing it ?
> (btw how do they know).

take it back to them and demand they fix it while you stand there and watch. How do you know they haven't installed from cracked bios? or some other crap that doesn't belong? I would demand nothing less than satisfaction because they have effectively stolen your laptop from you by locking you out of its BIOS, something which is fundamentally yours and not theirs.=20

Don't know where to look next?X

as to the warranty thing, well, if they aren't answering the phone or otherwise providing you the service you require (which is removing the password they installed without your permission) then what makes you think you'll get future warranty service?=20

A 

>
>
>

> On 7/26/07, Raj Kiran Grandhi <grajkiran@gmail.com> wrote:
>>
>> Jabka Atu wrote:
>> > Dear Debian list members,
>> >
>> >
>> > im sorry to ask such strange question here but still.
>> >
>> > i ve sent my laptop to local custumer servrice and they add a bios

Confused? Frustrated?X

>> > password on it.
>> >
>> Does you laptop contain a switch to clear the CMOS? Some laptops have
>> such a switch under the keyboard or bottom of the laptop using which you
>> might be able to clear the CMOS memory entirely and restore it to
>> factory default. Otherwise, if it is possible to access the CMOS
>> battery, try removing the CMOS battery and the laptop battery leave it
>> for some time, say 30minutes, and put them back in.
>>

--4oQnj4jcM03NhqPN 

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqOCmaIeIEqwil4YRAtGUAKDeeQvs6XuzK9beUv/pfHEcpQ1hwQCg14Sw o6/BcAlKe+FSAIdgbwUudbI=
=P91L
-----END PGP SIGNATURE----- --4oQnj4jcM03NhqPN--

Date: Thu, 26 Jul 2007 11:07:06 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com> To: debian-user@lists.debian.org
Subject: Re: RAID1 Boot Partition
Message-ID: <20070726180706.GN4520@localhost.localdomain> Content-Type: multipart/signed; micalg=pgp-sha1;

        protocol="application/pgp-signature"; boundary="QGBKWVSgmlsIyJ+t" Content-Disposition: inline

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365X

--QGBKWVSgmlsIyJ+t 

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jul 26, 2007 at 03:03:28PM +0300, Chaim Keren Tzion wrote:
> Hi,

>=20
> I have been trying to set up a software RAID1 system with two 320GB SATA=
=20
> disks.

>=20
> I have followed the instructions at both these links below (using lenny=
=20
> instead of etch because of what seems to be unsupported hardware in the o=
lder=20
> kernel):
> http://ads.wars-nicht.de/blog/archives/54-Install-Debian-Etch-on-a-Softwa=
re-Raid-1-with-S-ATA-disks.html
> and
> http://www.networkjack.info/blog/2007/01/03/debian-linux-etch-software-ra=
id-1/ 

>=20

> I had issues with both procedures.
> 1. Both of them failed when I chose to install the "Standard system" item=
 in=20
> the tasksel stage of the install.
>=20

> 2. When I chose to not install the "Standard system" I
> A) got a minimalistic system which uses lilo(yuck) as a boot loader

so install grub. (probably after the stuff below...)

> B) The RAID1 MD device that I created for the /boot partition exists but =
was=20
> not added to the /etc/fstab, no files were written to that device/partiti=
on=20
> and the system actually boots from the root MD device instead.

create a mount point: /newboot, mount the md0 device there, copy over the /boot stuff to /newboot. umount /newboot and remount it at /boot. manually install grub to each of the disks so that you can boot =66rom either one. Fix up your /boot/grub/menu.lst so that it points to the right devices...

root (hd0,0)
kernel vmlinuz... root=3D/dev/md1

adjust your devices accordingly

you may have to update-initramfs to ensure that the right stuff is setup in the initramfs...=20

Do you need help?X

>=20
> 3) The second URL above uses LVM which I wouldn't have used otherwise but=
 I=20
> was desperate to finally get the RAID to work and followed the instructio=
ns=20
> exactly. Is LVM any type of requirement for a software RAID system?

nope. 

>=20

> The system works but everything is on the root MD device.
> Any ideas/pointers on how to do it right?
> 1. I preffer Grub
> 2. Would like to boot off the first MD device/partition
> 3. I preffer not using LVM
> 4. I would like to have the "Standard system" packages install.

4. you can rerun tasksel and pick the standard system from there.

hth

A

--QGBKWVSgmlsIyJ+t 

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqOLKaIeIEqwil4YRAgGXAKCHgd/X//PFZxdM67ojXAnPc3IrkQCfS+jf 52e+7vwuR/B3Algwby8YvYI=
=9mP3
-----END PGP SIGNATURE----- --QGBKWVSgmlsIyJ+t--

Do you need more help?X

Date: Thu, 26 Jul 2007 11:08:34 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com> To: debian-user@lists.debian.org
Subject: Re: Cron and mail
Message-ID: <20070726180833.GO4520@localhost.localdomain> Content-Type: multipart/signed; micalg=pgp-sha1;

        protocol="application/pgp-signature"; boundary="Y5wfsVCgeKAcINk2" Content-Disposition: inline

--Y5wfsVCgeKAcINk2 

Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jul 26, 2007 at 08:33:30AM -0300, Sergio Belkin wrote:
> --- El Jue 26 Jul 2007, Marc encontr=F3 un teclado y tipe=F3 lo siguiente=
:=20
> > Ma: Hmmm.. one thing might be that the variable is called "MAILTO" and =
not
> > Ma: "MAIL"?
> > Ma: You can try with that, but in general, as the man page says:
> > Ma: "When executing commands, any output is mailed to the owner of
> > Ma: the crontab ..."
> > Ma:
> > Ma: Sergio Belkin wrote:
> > Ma: > Hi
> > Ma: > Non-root users are not getting information mail about scheduled
> > tasks. Ma: > I've included the line MAIL=3Djoendoe in jondoe user. Task=
 are
> > performed Ma: > but users are not notified.
> > Ma: >
> > Ma: > I am using Etch and exim4. What's wrong with this?
> > Ma:
> > Ma:

>=20
> Thanks, "MAIL" was a typo, but even if I issue MAILTO=3Djondoe in jondoe =
user=20
> crontab file, it doesn't work either...

does mail work on the system? can you mail from the command line? does the cron job produce any output to mail?=20

A

--Y5wfsVCgeKAcINk2 

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
Can we help you?X

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqOMhaIeIEqwil4YRAj6XAKC5OIGYgVnU2yvamOIuuEutT9FAPACgjnRH bNQlFsocHzDsy9lhwZt5YZE=
=8sj+
-----END PGP SIGNATURE----- --Y5wfsVCgeKAcINk2--

Date: Thu, 26 Jul 2007 11:22:09 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com> To: debian-user@lists.debian.org
Subject: Re: [OT] Interview with Con Kolivas on Linux failures Message-ID: <20070726182209.GQ4520@localhost.localdomain> Content-Type: multipart/signed; micalg=pgp-sha1;

        protocol="application/pgp-signature"; boundary="yPSgZSQ6mfPWgZ9n" Content-Disposition: inline

--yPSgZSQ6mfPWgZ9n 

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jul 26, 2007 at 05:36:43AM +0000, s. keeling wrote:
> Bob Proulx <bob@proulx.com>:
> > David Brodbeck wrote:
> > > To me it always smacked a little of "me-too-ism", too ... the GNU =20
> > > folks felt Linux wasn't GNU-ish enough, so they had to go write their=
 =20
> > > own kernel.
> >=20
> > The GNU Hurd has existed long before Linux existed. Hurd has been in
> > development for many years. (Hurd is technology of the future.
>=20
> aka. "Vapourware"?

well, no, because it does exist. It is unfortunately developing very slowly and has run into real problems with parts of its structure (namely the mach microkernel) being ultimately unsuitable for implementing some of the stuff the want to do. IIUC.

Can't find what you're looking for?X

A

--yPSgZSQ6mfPWgZ9n 

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqOZRaIeIEqwil4YRAlIaAJ9AiJxEI8f+nUq9xsQTpQRQ11f00ACeOn97 ojtd/YTgICr2FHb+zR/K5Sw=
=yD2O
-----END PGP SIGNATURE----- --yPSgZSQ6mfPWgZ9n--

Date: Thu, 26 Jul 2007 11:17:35 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com> To: debian-user@lists.debian.org
Subject: Re: to lvm or not to lvm?
Message-ID: <20070726181735.GP4520@localhost.localdomain> Content-Type: multipart/signed; micalg=pgp-sha1;

        protocol="application/pgp-signature"; boundary="XFI+TFG+M3u0jUjZ" Content-Disposition: inline

--XFI+TFG+M3u0jUjZ 

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Don't know where to look next?X

On Thu, Jul 26, 2007 at 01:51:45PM +0300, Yuriy Padlyak wrote:
> Hi guys,

>

> No one can help me? :)
>

> Yuriy Padlyak wrote:
>> Hi again!
>>
>> Have found some time to do it all. Didn't want to reinstall everything,=
=20
>> done everything as you suggested except /boot is still on "160GB drive" >> without raid :-(, now I'm trying to find out how to put it on RAID :).

assuming you have two available identical partitions to use for the RAID setup, the way *I* would _attempt_ this is to...=20

  1. make sure I have a grub disk available in case I blow it and can't boot...
  2. create the RAID1 array using the two partitions.
  3. migrate my /boot to that new array
  4. fix up my /etc/fstab to point to it
  5. fix-up my /boot/grub/menu.lst entries to point to the right devices
  6. update-initramfs=20
  7. reboot and pray.=20

this procedure was tested by me several months ago, but I don't remember it exactly, so you are suitable warned...=20

if you are already booting to a / on some combination of LVM and RAID, then that's really the hard part. Its pretty straightforward to get /boot onto its own RAID1. You can manually install grub onto each disk that holds the partitions in your /boot array so that if a disk fails, you can still boot...=20

please study up on this before attempting as you don't want to blow it.

A

oh, an alternate procedure might be to go ahead and just make a fs on one of the partitions, migrate /boot and get that working, then make that partition into a degraded array (missing disks) and make sure it boots fromthere and then finally add the second (or more disks) to the degraded array and then it will mirror and be operational. 

>>
>> Does anyone have any idea how to make it safely?
>>
>> Also all file systems are in one VG now, wondering how to split them.
>>
>> Yuriy
>>
>> Douglas Allan Tutty wrote:
>>> On Fri, May 11, 2007 at 09:54:41AM +0300, Yuriy Padlyak wrote:

Confused? Frustrated?X

>>> =20
>>>> Douglas Allan Tutty wrote:
>>>>   =20
>>>>> On Sun, May 06, 2007 at 12:33:44PM +0300, Yuriy Padlyak wrote:
>>>>>     =20
>>>>>> Thank you for your reply. Looks like you're suggesting installation,=
=20
>>>>>> but I have Etch 4.0 installed already. Wondering if it's possible to= =20
>>>>>> put existent /boot on ext3 partition and LVM volume group on RAID1. = Or=20 
>>>>>> possibly it will be easier to reinstall and restore configuration.
>>>>>>        =20
>>>>> It all depends on how much extra space you have.  Its a little like a
>>>>> shell game with clear shells. If you give us your current drive(s)=20
>>>>> layout including free space, and
>>>>> your goal layout, perhaps we can help you with an implementation map.
>>>>> I've totally forgotton how your drives are currently set up so I won't
>>>>> make any if,then,else suggestions.
>>>>>       Have additional hard drive, which can store any data temporary,=
=20
>>>>> while      =20

>>>> I'm preparing main disks. I have 160GB and 60GB drives. I have plan to= =20
>>>> make 60GB raid1 and 100GB for not very valuable data on rest of the=20 >>>> 160GB drive. Now my VG(consisting all data) is on temporary 320GB driv= e=20 
>>>> and my /boot on ext3 partition is om 160GB.
>>>>
>>>> What I want is to put that /boot on raid1 along with very valuable dat=
a=20
>>>> from temporary drive (VG) and not very valuable data on that 100GB not= =20 
>>>> raid part. Everything except /boot should be on LVM.
>>>>
>>>> Hope my goal is clear now :)
>>>>    =20
>>>
>>> I don't have any experience setting up raid/LVM from anything other than
>>> the installer: I set it up there and haven't had to touch it.  So if it
>>> were me and I had the netinst.iso or CD-1, I would do a minimal
>>> reinstall on your two target disks and have ignore your 320 GB drive,
>>> BUT I also don't have any experience of verifying how to get a new
>>> install to find an existing LVM.  So read lots of man pages, and
>>> consider backing up your data to a tarball on either a raw device or a
>>> file on a filesystem, either way to that 320GB drive.  Either way, read
>>> the raid HOWTOs and the LVM HOWTO.
>>>
>>> Your disk layout seems good:
>>>
>>> 60 GB drive partitions:

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365X

>>>     1    32 MB        for raid1 md0
>>>     2    59968 MB     for raid1 md1
>>>
>>> 160 GB drive partitions:
>>>     1    32 MB        for raid1 md0
>>>     2    59968 MB    for raid1 md1
>>>     3    remainder    for LVM, VG-stripe
>>>         this allows you later to add a device to this VG either
>>>         to extend the size or migrate data if this drive starts
>>>         to fail.
>>>
>>> Raid setup:
>>>     md0    filesystem    /boot
>>>     md1    for LVM        VG-mirror
>>>
>>> LVM setup:
>>>     VG-mirror:
>>>         LV-root        384 MB        /
>>>         LV-usr        4 GB        /usr
>>>         LV-var        6 GB        /var
>>>         LV-home        ??        /home
>>>     VG-stripe:
>>>         LV-??        ??        ??
>>>
>>> Doug.
>>>
>>>
>>>  =20
>>
>>
>
>

> --=20
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a=20
> subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>

--XFI+TFG+M3u0jUjZ 

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
Do you need help?X

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqOU/aIeIEqwil4YRAvzCAJ9xXiWPGDMKdjCRyiALDCjpLPPNJQCg49ZZ w3KAKi7V7PBXaHdHnnkhess=
=rV/O
-----END PGP SIGNATURE----- --XFI+TFG+M3u0jUjZ--

Date: Thu, 26 Jul 2007 11:28:52 -0700
From: Andrew Sackville-West <andrew@farwestbilliards.com> To: debian-user@lists.debian.org
Subject: Re: why do iceweasel et al have more frequent security issues? Message-ID: <20070726182852.GS4520@localhost.localdomain> Content-Type: multipart/signed; micalg=pgp-sha1;

        protocol="application/pgp-signature"; boundary="4PJudQiuYY5+cwwi" Content-Disposition: inline

--4PJudQiuYY5+cwwi 

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jul 26, 2007 at 02:06:11PM -0400, Douglas Allan Tutty wrote:
> On Thu, Jul 26, 2007 at 07:13:48PM +0200, Mathias Brodala wrote:
> > Douglas Allan Tutty, 26.07.2007 18:23:
> > > It seems that the mozilla-derived browsers have security issues
> > > requiring updates far more frequently than other browsers like Konque=
ror
> > > or links2.
> >=20
> > Aside from the fact that one software really can be more secure than an=
other one
> > is this the result of an increased usage. The more people use Gecko bro=
wsers,
> > the more bugs can be found willingly or unwillingly. And the more peopl=
e use
> > Gecko browsers, the more lucrative is it to find security holes and dam=
age
> > systems this way.

>=20

> So this suggests that its a tradeoff: more users of Gecko means more
> people reporting bugs and therefore more bug fixes but also a more
> lucrative target for security threats; Konq may have more undiscovered
> security holes but they are undiscovered both by bug fixers and security
> threats? =20

>=20
> Is this the gist of the situation?

yes, but it amounts to security by obscurity... IOW, don't count on a smaller user base to provide security simply because its a less lucrative target... nothing prevents someone from looking for the security holes that are surely there even if its less lucrative.

Do you need more help?X

A

--4PJudQiuYY5+cwwi 

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqOfkaIeIEqwil4YRAjKEAJ414nCDmG4QoSlIijOZ3Pet0/JicwCgpGb0 fepZ75pvhh7dyY17bNfoF5Q=
=C6QY
-----END PGP SIGNATURE----- --4PJudQiuYY5+cwwi--

Date: Thu, 26 Jul 2007 14:50:49 -0400
From: Michael Pobega <pobega@gmail.com>
To: debian-user@lists.debian.org
Subject: Re: How to generate script with Apache and run it by root avoiding

        to "kill" security 

Message-ID: <20070726185049.GA28648@digital-haze.net>
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can we help you?X

On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> Hi List,
>
> I am creating a PHP small program that will interact with MySQL and
> will have the policies for the people in my office, i.e.:
> Who can or can not access MSN messenger
> Who can or can not access WWW
>
> etc. once this is stored, a shell script with the iptables rules
> should be created, and then run.
>
> I do not want to run it with Apache, so I was thinking on creating a
> CRON job that will run it as root once every n minutes, but the issue
> i see here, is that if somebody "break" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.
>
> any better ideas about how can I achieve my goal?
>
> thanks in advance.
>
> best regards.
>

Make a user specifically for this job that can access /sbin/iptables through sudo, and make the script do just that, access iptables using sudo and this new account.

Then make sure the bash script is owned by the new accounts, and root's group, and chmod the script to r-xrwxr-- by doing:

chmod u+rx g+rwx o+r u-w o-wx /path/to/script

This *should* achieve what you are trying to do...It's a bit messy but in the end it will pay off, the only way I can see this being abusable is if someone gets access to your root account.

  • -- http://digital-haze.net/~pobega/ - My Website If programmers deserve to be rewarded for creating innovative programs, by the same token they deserve to be punished if they restrict the use of these programs.
    • Richard Stallman -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqO0Jg6qL2BGnx4QRAmdmAJ4yfxhGZV6T59UtqmA2rusIu0Zh8QCgpqu/ F9khOM1a4jbHkIZXTCNxCvM=
=ZK00
-----END PGP SIGNATURE-----

Date: Thu, 26 Jul 2007 13:50:58 -0500
From: Hugo Vanwoerkom <hvw59601@care2.com> To: debian-user@lists.debian.org
Subject: Re: why do iceweasel et al have more frequent security issues? 

Message-ID: 
Content-Type:  text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding:  7bit

John Hasler wrote:
> Doug writes:

>> It seems that the mozilla-derived browsers have security issues requiring
>> updates far more frequently than other browsers like Konqueror or links2.

> 
>> I'm curious as to why this is.  Does anyone have any ideas?

>
> How many people are looking for holes in Konq or Links2?
Can't find what you're looking for?X

2?

Date: Thu, 26 Jul 2007 15:01:45 -0400
From: "Andrew J. Barr" <andrew.james.barr@gmail.com> To: "Mathias Brodala" <info@noctus.net>
Cc: debian-user@lists.debian.org
Subject: Re: why do iceweasel et al have more frequent security issues? 

Message-ID: <903e17bb0707261201m5165798bkcd80513cde34e5a8@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Don't know where to look next?X

Content-Transfer-Encoding: 7bit
Content-Disposition: inline

On 7/26/07, Mathias Brodala <info@noctus.net> wrote:
> Hi Douglas.

>

> Douglas Allan Tutty, 26.07.2007 18:23:
> > It seems that the mozilla-derived browsers have security issues
> > requiring updates far more frequently than other browsers like Konqueror
> > or links2.
>

> Aside from the fact that one software really can be more secure than another one
> is this the result of an increased usage. The more people use Gecko browsers,
> the more bugs can be found willingly or unwillingly. And the more people use
> Gecko browsers, the more lucrative is it to find security holes and damage
> systems this way.

Isn't this the same argument Windows weenies use against Linux when their platform of choice is rightfully chastised for being a complete and total security nightmare? And most of the time, it's laughed off...if I'm not mistaken, because of fundamental design differences between Linux and Windows--e.g. in Windows the vast majority of software will not run correctly without administrator privileges (yes, even in Vista) so you have a situation equivalent to running your desktop environment session as root, which, if more people did, perhaps we'd have a similar security situation on the Linux desktop?

> Regards, Mathias

>
>

> --
> debian/rules
>
>
>

-- 
Andrew Barr

We matter more than pounds and pence,
your economic theory makes no sense...

Date: Thu, 26 Jul 2007 20:07:05 +0100 (BST) From: Harvey Kelly <hrvyklly@yahoo.co.uk> To: Debian User <debian-user@lists.debian.org> Subject: resolv.conf getting overwritten Message-ID: <911438.23191.qm@web26913.mail.ukl.yahoo.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, I've seen this problem whilst looking through the archives, but can't find a solution... No matter what, /etc/resolv.conf will get overwritten with=20 nameserver 127.0.0.1 I added the lineprepend domain-name-servers 80.189.94.2; in /etc/dhcp3/dhclient.conf but it's still getting overwritten. Any clues? Thanks. Harvey ___________________________________________________________ Yahoo! Answers - Got a question? Someone out there knows the answer. Try = it now. http://uk.answers.yahoo.com/=20

Date: Thu, 26 Jul 2007 13:25:25 -0600 From: bob@proulx.com (Bob Proulx) To: debian-user@lists.debian.org Subject: Re: with etch, /etc/fstab root not needed? Message-ID: <20070726192525.GA12790@dementia.proulx.com> Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable J=F6rg-Volker Peetz wrote:
> Bob Proulx wrote:
> > Hmm... The stock Etch installer still creates the entry.
I think it is okay if the entry remains. It may not be strictly required, as you say, but not going to cause a problem.
> > I don't see an initscript that does this. Can you point it out? Or
> > is this something new in Sid but not Etch?
>
> I'm using testing now, but as I remember it was this way also in etch.
> The script is /etc/init.d/mountkernfs.sh
Yes. Thanks for that pointer. I had missed it. That is in 'initscripts' and is therefore a standard part of all systems. I see by the comments: # Mount proc filesystem on /proc domount proc "" /proc proc -onodev,noexec,nosuid ... # Called before mtab is writable to mount kernel and device file system= s. It then proceeds to make use of /proc in the script. So I can imagine that this needed an explicit action to get through the startup bootstrapping process. Bob End of debian-user-digest Digest V2007 Issue #2029 ************************************************** Received on Thu Jul 26 15:54:39 2007

Confused? Frustrated?X

This archive was generated by hypermail 2.1.8 : Thu Aug 09 2007 - 19:05:31 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library