Date: Fri, 02 Apr 2004 18:02:54 +0900 From: Ganbold <ganbold@micom.mng.net> To: David Taylor <davidt@yadt.co.uk> Cc: freebsd-current@freebsd.org Subject: Re: Re[2]: Question regarding shell user creation at login time Message-ID: <6.0.3.0.2.20040402175037.02acfde8@202.179.0.80> In-Reply-To: <20040402001531.GA2388@gattaca.yadt.co.uk> References: <6.0.3.0.2.20040329102508.029f5670@202.179.0.80> <142839937.20040330074923@mail.ru> <20040402001531.GA2388@gattaca.yadt.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, I already found the problem. I mounted /home partition with nosuid option before. That is why it couldn't succeed setuid call. This machine has ipfw2 and all traffics are filtered except ports 21,22,80. This machine doesn't have any important data except some Linux/BSD ISO images. I also implemented user quota and login class. One of the main reason of putting shell server is to help others to learn Unix:) Others mainly means Mongolians:) thanks, Ganbold At 09:15 AM 02.04.2004, you wrote: >But in theory he should be root, since ~new/new is suid root. Since >setuid(0) is failing, you are presumably correct that he is not, though. > >In any case, ~new/new.pl is owned by group wheel, so g+x won't help, >without also changing the group to 'new'. Also, I think for scripts at >least, read permission is required in addition to execute permission. >(Since you're executing the interpreter, which then reads the script) > >I'd suggest checking get[e]uid() in ~new/new, and figuring out what it's >running as (presumably 'new' group 'new'), and why it's not running as >'root', which it should be. If you give 'new' a "real" shell and log in, >then execute ~new/new, what uid does it run as? If that works, I guess >it's something ssh is doing (or a bug/feature in the kernel tickled by ssh) > >As for whether it's a good idea to be trying to set up an automated free >shell server without being able to make the above work with your eyes >closed... well... > >Assuming it's just a spare box with some spare network bandwidth to it, >and no important data or access to important hosts on the same network, >you probably don't care what happens to it. Just remember that _you_ will >be held responsible if people start sending worms/spam/abuse from your >host, or start installing irc bots (which are can be the target of large >denial of service attacks). > >Personally, trying to keep a shell service running for paying (some of >them at least, the rest were using stolen credit cards) customers was >enough of a nightmare to encourage me never to give anyone I wouldn't >explicitly trust with root on my box any access at all. > >-- >David Taylor >davidt@yadt.co.uk >"The future just ain't what it used to be"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.3.0.2.20040402175037.02acfde8>