From owner-freebsd-isp Sun Aug 19 16:05:07 2001
From: Andrew Reid
To: Paul Robinson
Cc: freebsd-isp@freebsd.org
Subject: Re: RADIUS Accounting with SQUID
Date: 20 Aug 2001 08:34:18 +0930

On 16 Aug 2001 14:13:26 +0100, Paul Robinson wrote:

> I am assuming that a bandwidth cap would be out of the question, or perhaps
> even the use of something like dummynet or whatever to do bandwidth
> 'shaping'? (I love the 'phrase' shaping when used to mean 'restriction'. :)
> ).

The reason that it is not done this way is two-fold:

1. You've got to tie things down to the username. Seeing as the
   machines are somewhere else, that'd at least require the use of
   ident. Ident can be easily forged. That'd be bad.

2. We can't/don't/won't charge students for usage of internal sites.
   People get stroppy about being charged for using the Intranet et al.

> > So, we've got something working and I'm happy. I've decided that I want
> > to be able to get some more information. Things like per-user MRTG-ish
> > graphs and the like would be great.
>
> Personally, if there was more than just a few students, I'd find this
> horrendous to look at, but each to their own. :-)

I wanted to be able to give users graphs, rather than me :-) From that
same data, I suppose I could generate year-level graphs etc. That's
where I'm going.

> > I've not had much to do with RADIUS, but I know that it provides some
> > accounting functionality. I thought that the two (SQUID and RADIUS)
> > could be mushed together somehow to provide a slightly more workable
> > solution to Internet Quota.
>
> Well. Hmph. OK, this might be quite awkward. The only way I can think of
> getting an Accounting-Start is with munging some sort of proxy
> authentication. However, you will get a start saying 'this kid has just
> started' but will get no further information until they
> de-authenticate, or log-off, thereby causing an accounting-stop which
> contains all the information like how long they were logged in for, amount
> of data moved, etc. This is because RADIUS is meant for dial-up work - the
> fact that people have just managed to make it work elsewhere, particularly
> for authentication, doesn't mean to say it's the best way to handle this sort
> of thing.

Hrm... OK. Thanks for the explanations. My knowledge of RADIUS only
extends as far as "It's used to do authentication and accounting" :-)

> There is a need for this sort of stuff, but in an ISP context, you're going
> to be able to get it off the RADIUS accounting from the dial-up port. In
> this context there is a clear start and end to a session. In the situation
> you're talking about, we're talking more 'hot-desking', and users may share
> machines, or the end of a session might not be as easily visible to the
> proxy.

Yeah, a pain, eh? The more I read this, the more I think RADIUS isn't
the most appropriate solution for this particular problem.
> The only way I can think of reliably doing this is to take a list of network
> login/logoff times and your bandwidth figures taken off the switch, or
> whatever, and consider correlating the two - a Perl script to do this
> shouldn't be more than an afternoon's work. :-)

Again, it's a matter of differentiating between general traffic and
Internet traffic, usernames, machines, etc.

> In fact, I'm relatively new to Squid, but having just looked around the
> logging it does, you could actually correlate the Squid logs with the user
> login/logoff logs quite successfully. As to how you then stop a user
> leeching bandwidth automatically, is another question... You might however
> want to take a look at:
> [ ... ]

We're currently using our own patched version of SquidGuard to stop
people after they've used their quota.

As to SQUID's logons/logoffs, I didn't think they existed in the sense
you've mentioned here. Each HTTP request is marked with the username of
the authenticated client. There isn't any marked "start" and/or "stop".

> [ ... ]
> If I think of any other way of doing this, I'll post back, but I'm sure
> there are others around here that will have ideas.

Thanks, your help is greatly appreciated :-)

I've been digging through the SQUID source code this evening, and I had
a thought. src/logfile.c contains the functions that src/access_log.c
uses to write the log information to $PREFIX/logs/access.log. If one was
to engineer src/logfile.c to write to somewhere like, say, a database,
you'd be half-way there.

Doing this creates several other things to think about. src/logfile.c is
used by more than just src/access_log.c (i.e., it's used to generate
more than just $PREFIX/logs/access.log).

I suppose it could be made to work in such a way that only
src/access_log.c sent logs to the database, either in src/logfile.c or
by changing the functions that src/access_log.c calls.
I think the former would be a cleaner way of doing things, having only
one file that needs patching.

Then there's the issue of performance. I suppose on a SMP machine it's
less of a worry, but logging directly to a database may prove to be
fundamentally slow. Some thought would have to be put into the coding to
ensure as few TCP connections to the SQL server are made as possible.

*Sigh*. Some thinking is going to be required on my part methinks.[1]

- andrew

[1] Thinking? What's that? [ :-) ]

--
void signature () {
    cout << "Andrew Reid -- andrew.reid@plug.cx" << endl;
    cout << "Cell: +61 401 946 813" << endl;
    cout << "Quidquid latine dictum sit, altum viditur" << endl;
}

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message

From owner-freebsd-isp Sun Aug 19 21:16:17 2001
From: "Dave"
To: freebsd-isp@freebsd.org
Subject: security check - virtual host and mod php
Date: Mon, 20 Aug 2001 00:13:30 -0400

posted here in relation to ISP type implementation.
please hack apart this solution and point out the error/insecure nature
of the setup.

goal: provide php (and other scripts) access to name based virtual hosts
on FreeBSD boxes

problem: security of PHP access to base system and other user scripts,
using PHP to browse other directories on server, retrieve database names
and passwords stored within scripts and such from items that must be
readable by the httpd server

solution: apache compiled with suexec

    # set user and group to unique
    chown USERID:USERID /path/to/user/html/directory

    # no public access to any files under here that
    # you don't want public reading, like scripts
    # with database login information in them
    chmod -R 0750 /path/to/user/html/directory

    # set group sticky execution... we will run
    # apache as this unique group so may not be needed
    chmod -R g+s /path/to/user/html/directory

in apache's httpd.conf:

    # set each virtual host to run any accesses
    # as the group USERID giving them only access
    # to this directory... defeats PHP directory
    # and shell scripts as long as no public read bits
    # are set
    <VirtualHost ...>
        ServerName whatever.com
        Group USERID
    </VirtualHost>

Sufficient? you end up with http://test1.com and http://test2.com being
unable to create PHP scripts or do listings of any other virtual user
directory since they are not of the same group, but accesses to the site
are made by invoking apache as that group for that session.

directory tree

    drwxr-s---  2 user1  user1  512 Aug 19 18:23 vtest1
    drwxr-s---  2 user2  user2  512 Aug 19 18:26 vtest2

with directory groups set in the httpd.conf for user1 in vtest1 and user2
in vtest2, neither user should be able to use PHP filesystem functions to
browse the other directories as long as no public bits are set, and
apache server requests still serve the documents from the directories
since each user's directory has a Group user1 (or user2) set for his
directory in the directory or virtual container, thus executing the
apache requests as the appropriate user and not the generic www user.
Please feel free to point out any errors in my logic... it appears
pretty solid from here.

Dave

From owner-freebsd-isp Mon Aug 20 07:32:48 2001
From: "Hugh Blandford"
To: "Andrew Reid"
Cc: freebsd-isp@freebsd.org
Subject: Re: RADIUS Accounting with SQUID
Date: Tue, 21 Aug 2001 00:28:37 +1000

Hi Andrew, maybe you can find something at:

http://www.caida.org/tools/measurement/

They have various useful tools, though working out what student is on
what particular IP address and tying them to the flows could be
interesting, though it is not impossible.
This way you can measure all their traffic :))

Regards,
Hugh

From owner-freebsd-isp Mon Aug 20 13:47:34 2001
From: Jon Rust
To: freebsd-isp@FreeBSD.ORG
Subject: login class defs for web users
Date: Mon, 20 Aug 2001 13:47:07 -0700

I hadn't really paid much attention to login classes before. Recently
however, I see the need for it cuz I've had a few runaway customer
CGIs. So I'm looking at implementing some limits and was wondering what
other hosting folks are using for their web users. I don't want to
start throwing limits in there and adversely affect current users.
Basically I want limits that prevent things like the runaway perl CGI
process the other day that had my workload pegged at 8, and memory
usage at 99%. Tips and 'gotchas' appreciated.
Thanks,
jon

From owner-freebsd-isp Mon Aug 20 16:15:53 2001
From: "John A. Hengstler"
To: freebsd-isp@freebsd.org
Subject: Virtual Apache and DNS
Date: Sun, 19 Aug 2001 11:53:08 -0700

Greetings,

What is the generally accepted way of handling the following in named
and apache: Where www.somehost.com and somehost.com get to the same
pages. Should there be 2 VirtualHost entries in httpd.conf and dns as
follows, or 1 in httpd.conf (www.somehost.com) and dns set differently?

It works as is, but seems to me that there should only be 1 entry in
httpd.conf

Suggestions appreciated.

John Hengstler

httpd.conf:

    # www.somehost.com
    # somehost.com

    NameVirtualHost *

    <VirtualHost *>
        ServerName www.somehost.com
    </VirtualHost>

    <VirtualHost *>
        ServerName somehost.com
    </VirtualHost>

named file:

    $ORIGIN com.
    somehost.com    3600 IN SOA  somehost.com. root.somehost.net. (
                                 2001081901 1800 900 604800 3600 )
                    3600 IN A    xxx.xxx.xxx.xxx
    $ORIGIN somehost.com.
    www             3600 IN A    xxx.xxx.xxx.xxx
    ftp             3600 IN A    xxx.xxx.xxx.xxx
    smtp            3600 IN A    xxx.xxx.xxx.xxx
    pop3            3600 IN A    xxx.xxx.xxx.xxx
    mail            3600 IN A    xxx.xxx.xxx.xxx

From owner-freebsd-isp Mon Aug 20 16:28:29 2001
From: Paul Khavkine
To: freebsd-isp@freebsd.org
Subject: Re: Virtual Apache and DNS
Date: Mon, 20 Aug 2001 23:36:19 -0400

Well for DNS i usually do the same:

    somehost.com    3600 IN SOA  somehost.com. root.somehost.net. (
                                 2001081901 1800 900 604800 3600 )
                    3600 IN A    xxx.xxx.xxx.xxx
    www             3600 IN A    xxx.xxx.xxx.xxx

for httpd.conf:

    NameVirtualHost 1.2.3.4

    <VirtualHost 1.2.3.4>
        ServerName somehost.com
        ServerAlias *.somehost.com
        blahh...
    </VirtualHost>

Cheers
Paul
--
*************************************************
Paul Khavkine
Network Administrator
Distributel Communications
740 Notre Dame West, Suite 1135
Montreal, Quebec, Canada, H3C 3X6
1-514-877-0064

From owner-freebsd-isp Mon Aug 20 17:08:00 2001
From: Edwin Culp
To: "John A. Hengstler"
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Virtual Apache and DNS
Date: Mon, 20 Aug 2001 17:07:35 -0700

Quoting "John A. Hengstler":

| httpd.conf:
|
| # www.somehost.com
| # somehost.com
|
| NameVirtualHost *
|
| <VirtualHost *>
|     ServerName www.somehost.com
|     ServerAlias somehost.com
| </VirtualHost>
|
| or
|
| <VirtualHost *>
|     ServerName somehost.com
|     ServerAlias www.somehost.com
| </VirtualHost>
|
| But you only need one
|
| ed

-----------------------------------------------------------------------
The illiterate of the 21st century will not be those who cannot read and
write, but those who cannot learn, unlearn and relearn.
--Alvin Toffler

From owner-freebsd-isp Mon Aug 20 18:45:08 2001
From: "Alex N. Zhuravlev"
To: "John A. Hengstler"
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Virtual Apache and DNS
Date: Tue, 21 Aug 2001 09:40:44 +0700

Look for ServerAlias under VirtualHost.

Alex N. Zhuravlev
From owner-freebsd-isp Mon Aug 20 19:35:49 2001
-0700 (PDT) (envelope-from bvi@shell.devco.net)
Received: from bvi by shell.devco.net with local (Exim 3.20 #2) id 15Z1Oe-0008ld-00; Tue, 21 Aug 2001 04:36:04 +0200
Date: Tue, 21 Aug 2001 04:36:04 +0200
From: Barry Irwin
To: Paul Robinson
Cc: Andrew Reid, freebsd-isp@freebsd.org
Subject: Re: RADIUS Accounting with SQUID
Message-ID: <20010821043603.A33644@itouchlabs.com>
References: <997919908.1446.1202.camel@localhost> <20010815094331.B12922@jake.akitanet.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010815094331.B12922@jake.akitanet.co.uk>; from paul@akita.co.uk on Wed, Aug 15, 2001 at 09:43:31AM +0100
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have a little app I wrote a while back that implements a quota system for squid. Provides progressive slowdowns as various quota levels are reached, with the option of denying access once a pre-determined cap is reached.

Small and simple, uses perl and mysql.
If anyone thinks this fits the bill, let me know and I'll dust the source off

Barry

From owner-freebsd-isp Mon Aug 20 21:14:57 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.plug.cx (kypo.alfred.cx [150.101.93.134]) by hub.freebsd.org (Postfix) with ESMTP id D009C37B408 for ; Mon, 20 Aug 2001 21:14:48 -0700 (PDT) (envelope-from andrew.reid@plug.cx)
Received: from percible.alfred.cx (percible.alfred.cx [150.101.93.190]) by mail.plug.cx (Postfix) with ESMTP id 1F02E2B8CB; Tue, 21 Aug 2001 23:42:38 +0930 (CST)
Subject: Re: RADIUS Accounting with SQUID
From: Andrew Reid
To: Barry Irwin
Cc: Paul Robinson, freebsd-isp@freebsd.org
In-Reply-To: <20010821043603.A33644@itouchlabs.com>
References: <997919908.1446.1202.camel@localhost> <20010815094331.B12922@jake.akitanet.co.uk> <20010821043603.A33644@itouchlabs.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Evolution/0.12.99 (Preview Release)
Date: 21 Aug 2001 13:43:46 +0930
Message-Id: <998367226.996.72.camel@localhost>
Mime-Version: 1.0
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 21 Aug 2001 04:36:04 +0200, Barry Irwin wrote:
> I have a little app I wrote a while back that implements a quota system for
> squid. Provides progressive slowdowns as various quota levels are reached,
> with the option of denying access once a pre-determined cap is reached.
>
> Small and simple, uses perl and mysql. If anyone thinks this fits the bill,
> let me know and I'll dust the source off

Ooohh.. Please do..
- andrew

--
void signature () {
  cout << "Andrew Reid -- andrew.reid@plug.cx" << endl;
  cout << "Cell: +61 401 946 813" << endl;
  cout << "Quidquid latine dictum sit, altum viditur" << endl;
}

From owner-freebsd-isp Tue Aug 21 5:13:57 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from kermit.netivity.nl (wc-68.r-195-85-144.essentkabel.com [195.85.144.68]) by hub.freebsd.org (Postfix) with ESMTP id ECBE737B40A for ; Tue, 21 Aug 2001 05:13:53 -0700 (PDT) (envelope-from enriko.groen@netivity.nl)
Received: by KERMIT with Internet Mail Service (5.5.2653.19) id ; Tue, 21 Aug 2001 14:13:52 +0200
Message-ID: <510EAC2065C0D311929200A02472526237A1E3@NETIVITY-FS>
From: Enriko Groen
To: "'freebsd-isp@freebsd.org'"
Subject: Users in database
Date: Tue, 21 Aug 2001 14:13:51 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm wondering if anyone here has experiences with user management through a database. I would like to manage a certain part of my users (mail users) in a database (mysql?).

Is this possible? Or should I stick to NIS/YP?
--
Enriko Groen, Hosting manager
--------------------------------------------------------
netivity bv www.netivity.nl enriko.groen@netivity.nl
038 - 850 1000 van nagellstraat 4 8011 eb zwolle
--------------------------------------------------------

From owner-freebsd-isp Tue Aug 21 5:56:30 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from hawk-systems.com (hawk-systems.com [161.58.152.235]) by hub.freebsd.org (Postfix) with ESMTP id E2D9537B406 for ; Tue, 21 Aug 2001 05:56:27 -0700 (PDT) (envelope-from dave@hawk-systems.com)
Received: from WS1 (ws1.nexusinternetsolutions.net [204.50.158.15]) by hawk-systems.com (8.11.2) id f7LCuOI37579; Tue, 21 Aug 2001 06:56:25 -0600 (MDT)
From: dave@hawk-systems.com (Dave)
To: "Enriko Groen", "'freebsd-isp@freebsd.org'"
Subject: RE: Users in database
Date: Tue, 21 Aug 2001 08:53:58 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <510EAC2065C0D311929200A02472526237A1E3@NETIVITY-FS>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Depends on the solution you are using, though I am sure you could hack it apart for others... one option is qmail/vpopmail, which can be set to use MySQL as database... took some major mods to get it to use PostgreSQL vice MySQL though.
>-----Original Message-----
>From: owner-freebsd-isp@FreeBSD.ORG
>[mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Enriko Groen
>Sent: Tuesday, August 21, 2001 8:14 AM
>To: 'freebsd-isp@freebsd.org'
>Subject: Users in database
>
>
>I'm wondering if anyone here has experiences with user management through a
>database.
>I would like to manage a certain part of my users (mail users) in a database
>(mysql?).
>
>Is this possible? Or should I stick to NIS/YP?
>
>
>--
>Enriko Groen, Hosting manager
>--------------------------------------------------------
>netivity bv www.netivity.nl enriko.groen@netivity.nl
>038 - 850 1000 van nagellstraat 4 8011 eb zwolle
>--------------------------------------------------------

From owner-freebsd-isp Tue Aug 21 14:58: 0 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from web13806.mail.yahoo.com (web13806.mail.yahoo.com [216.136.175.16]) by hub.freebsd.org (Postfix) with SMTP id D88BC37B407 for ; Tue, 21 Aug 2001 14:57:57 -0700 (PDT) (envelope-from ekgermann@yahoo.com)
Message-ID: <20010821215757.62108.qmail@web13806.mail.yahoo.com>
Received: from [209.45.128.102] by web13806.mail.yahoo.com; Tue, 21 Aug 2001 14:57:57 PDT
Date: Tue, 21 Aug 2001 14:57:57 -0700 (PDT)
From: Eric Germann
To: freebsd-isp@freebsd.org
Cc: ekgermann@cctec.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Looking to build a multiport router for some dedicated hosting customers. Thoughts are to build a FreeBSD box with a link facing the backbone and a link running 802.1q encap facing a switch fabric.
We would define multiple VLAN interfaces on the 802.1q interface and then associate ports on the switch with the appropriate VLANs. In theory, this should allow me to define different FW rules for different "segments", monitor bandwidth consumption on a per customer basis with their own servers, and potentially run IDS as a value add. Essentially, a multiport Ethernet card without having to figure out how to cram a bunch in a box.

Questions:

1. How many VLANs can be defined on a 4.3-RELEASE box on a 802.1q interface?
2. Suggestions on Ethernet NIC for the VLAN side, either 100M or Gig? I'm partial to 3Com, but open to whatever works.
3. Can snort running on the same box watch those VLAN interfaces as traffic comes through?

Thanks
Eric

From owner-freebsd-isp Tue Aug 21 22:21:49 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from backup.dagupan.com (www.psysc.org.ph [206.101.69.5]) by hub.freebsd.org (Postfix) with ESMTP id E332337B415 for ; Tue, 21 Aug 2001 19:33:36 -0700 (PDT) (envelope-from francisv@dagupan.com)
Received: by chat.dagupan.com with Internet Mail Service (5.5.2653.19) id ; Wed, 22 Aug 2001 10:33:44 +0800
Message-ID: <10F29E27A956D511B0940050DA8D86A908F7AB@chat.dagupan.com>
From: francisv@dagupan.com
To: isp@freebsd.org
Subject: Top and high interrupt percentage
Date: Wed, 22 Aug 2001 10:33:44 +0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

What does an interrupt percentage of 15-22% tell you?
This is happening to a FreeBSD 4.3-STABLE box running squid 2.4STABLE1 with 1.5GB RAM / P3 933 MHz CPU.

---
francis vidal [bitstop network services]
streaming media + web services
v(02)330-2872,(02)330-2873

From owner-freebsd-isp Wed Aug 22 0:45:30 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.netsi.net (ns.netsi.net [212.72.100.100]) by hub.freebsd.org (Postfix) with ESMTP id EA60237B409 for ; Wed, 22 Aug 2001 00:45:25 -0700 (PDT) (envelope-from damir@voljatel.si)
Received: from pxna (unknown [212.13.239.2]) by mail.netsi.net (Postfix) with SMTP id 3FB5D4B229 for ; Wed, 22 Aug 2001 09:45:24 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
From: Damir Horvat
Reply-To: damir@voljatel.si
To: freebsd-isp@freebsd.org
Subject: secure DNS zone transfer
Date: Wed, 22 Aug 2001 09:45:24 +0200
X-Mailer: KMail [version 1.2]
MIME-Version: 1.0
Message-Id: <0108220945240L.00300@pxna>
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

I have name servers on public network without any ip filtering (yet).
I would like to ensure secure zone transfers from master to slave.

One way is to setup IPSec between 2 hosts I've been told. I've never
done this, so for now it's my only solution.

I'm using named 8.2.3-REL.

Does someone know some other solution?
Thanks,
damir

From owner-freebsd-isp Wed Aug 22 7:39:14 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from anaconda.acceleratedweb.net (anaconda.acceleratedweb.net [209.51.164.130]) by hub.freebsd.org (Postfix) with SMTP id 2C0A037B40E for ; Wed, 22 Aug 2001 07:38:59 -0700 (PDT) (envelope-from simon@optinet.com)
Received: (qmail 84285 invoked by uid 106); 22 Aug 2001 14:39:29 -0000
Received: from 66-65-36-21.nyc.rr.com (HELO sharky) (66.65.36.21) by anaconda.acceleratedweb.net with SMTP; 22 Aug 2001 14:39:29 -0000
From: "Simon"
To: "damir@voljatel.si", "freebsd-isp@freebsd.org"
Date: Wed, 22 Aug 2001 10:38:53 -0400
Reply-To: "Simon"
X-Mailer: PMMail 2000 Professional (2.10.2010) For Windows 2000 (5.0.2195)
In-Reply-To: <0108220945240L.00300@pxna>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: secure DNS zone transfer
Message-Id: <20010822143859.2C0A037B40E@hub.freebsd.org>
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You can use TSIG, here are a few docs I found by searching on google.com:

http://www.oreilly.com/catalog/dns4/chapter/ch11.html
http://www.asp.ogi.edu/people/paja/linux/dns/named.conf.slave

Basically, you will have a key and then

  allow-transfer { key key_name; };

in your master config and

  server master_ip { keys { key_name; }; };

in your slave config along with the key.

PS: sync the time on your master & slave hosts or this won't work

-Simon

On Wed, 22 Aug 2001 09:45:24 +0200, Damir Horvat wrote:

>Hello!
>
>I have name servers on public network without any ip filtering (yet).
>I would like to ensure secure zone transfers from master to slave.
>
>One way is to setup IPSec between 2 hosts I've been told.
>I've never done this, so for now it's my only solution.
>
>I'm using named 8.2.3-REL.
>
>Does someone know some other solution?
>
>Thanks,
>damir

From owner-freebsd-isp Wed Aug 22 21:41:31 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from wantadilla.lemis.com (wantadilla.lemis.com [192.109.197.80]) by hub.freebsd.org (Postfix) with ESMTP id 9A3AE37B42B for ; Wed, 22 Aug 2001 17:45:59 -0700 (PDT) (envelope-from grog@lemis.com)
Received: by wantadilla.lemis.com (Postfix, from userid 1004) id 7E2196ACE7; Thu, 23 Aug 2001 10:16:10 +0930 (CST)
Date: Thu, 23 Aug 2001 10:16:10 +0930
From: Greg Lehey
To: francisv@dagupan.com
Cc: isp@freebsd.org
Subject: Re: Top and high interrupt percentage
Message-ID: <20010823101610.A69492@wantadilla.lemis.com>
References: <10F29E27A956D511B0940050DA8D86A908F7AB@chat.dagupan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <10F29E27A956D511B0940050DA8D86A908F7AB@chat.dagupan.com>; from francisv@dagupan.com on Wed, Aug 22, 2001 at 10:33:44AM +0800
Organization: The FreeBSD Project
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-418-838-708
WWW-Home-Page: http://www.FreeBSD.org/
X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wednesday, 22 August 2001 at 10:33:44 +0800, francisv@dagupan.com wrote:
> Hi all,
>
> What does an interrupt percentage of 15-22% tell you? This is happening to a
> FreeBSD 4.3-STABLE box running squid 2.4STABLE1 with 1.5GB RAM / P3 933 MHz
> CPU.

Without knowing what's going on, not much.
Could be Ethernet, could be IDE running in PIO mode, could be something else.

Greg
--
See complete headers for address and phone numbers

From owner-freebsd-isp Thu Aug 23 8:57:14 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.cableaz.com (mail.cableaz.com [63.241.154.20]) by hub.freebsd.org (Postfix) with ESMTP id 12E7E37B40E for ; Thu, 23 Aug 2001 08:57:11 -0700 (PDT) (envelope-from jeremy@cableaz.com)
Received: from caz ([63.241.154.8]) by mail.cableaz.com (Build 101 8.9.3/NT-8.9.3) with SMTP id IAA32092 for ; Thu, 23 Aug 2001 08:54:07 -0700
Message-ID: <001301c12bec$340e1960$0c0aa8c0@caz>
From: "Jeremy Buckner"
To:
Subject: need help with mail server
Date: Thu, 23 Aug 2001 08:56:41 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, I had my mail server run out of room in /var today. No mail could be sent or received. (Don't laugh too hard)

Anyway, to remedy the problem I moved everything from /var to /usr/var and did the whole ln -s thing too. Now everyone can send just fine but not receive. This is the error I get:

-ERR [SYS/TEMP] maillock error 'Other lock error' (5) on '/var/mail/usermailbox': No such file or directory (2)

What is that and how do I fix it? I assume when the problem occurred, a lock file of some sort was created to stop mail. Maybe?

Also I am running FreeBSD 4.3 with sendmail and qpopper.
Thanks
Jeremy Buckner

From owner-freebsd-isp Thu Aug 23 9:11:32 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from bilver.wjv.com (dhcp-1-96.n01.orldfl01.us.ra.verio.net [157.238.210.96]) by hub.freebsd.org (Postfix) with ESMTP id 09EE337B409 for ; Thu, 23 Aug 2001 09:11:25 -0700 (PDT) (envelope-from bill@bilver.wjv.com)
Received: (from bill@localhost) by bilver.wjv.com (8.11.5/8.11.1) id f7NGB0s07074; Thu, 23 Aug 2001 12:11:00 -0400 (EDT) (envelope-from bill)
Date: Thu, 23 Aug 2001 12:10:59 -0400
From: Bill Vermillion
To: Jeremy Buckner
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: need help with mail server
Message-ID: <20010823121058.A5663@wjv.com>
Reply-To: bv@wjv.com
References: <001301c12bec$340e1960$0c0aa8c0@caz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <001301c12bec$340e1960$0c0aa8c0@caz>; from jeremy@cableaz.com on Thu, Aug 23, 2001 at 08:56:41AM -0700
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Aug 23, 2001 at 08:56:41AM -0700, Jeremy Buckner thus sprach:

> Hello, I had my mail server run out of room in /var today.
> No mail could be sent or received. (Don't laugh too hard)

> Anyway to remedy the problem I moved everything from /var to
> /usr/var and did the whole ln -s thing too. Now everyone can
> send just fine but not receive. This is the error I get:

> -ERR [SYS/TEMP] maillock error 'Other lock error' (5) on
> '/var/mail/usermailbox': No such file or directory (2)

Since we can't see your drive it's hard to tell. But I've done the same. I made /usr/mail. I moved /var/mail to /var/mail.old, then made a new symbolic link so that /var/mail points to /usr/mail.
If that is how you've done it, then check the permissions of all the files and directories. If that's not how you did it, then you probably have something still pointing to /var.

The endpoint directory should be 775 with root/mail owner/group in a typical install.

> What is that and how do I fix it? I assume when the problem
> occurred, a lock file of some sort was created to stop mail.
> Maybe?

> Also I am running FreeBSD 4.3 with sendmail and qpopper.

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-isp Thu Aug 23 9:50:28 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from hawk-systems.com (hawk-systems.com [161.58.152.235]) by hub.freebsd.org (Postfix) with ESMTP id 1E13837B442 for ; Thu, 23 Aug 2001 09:50:23 -0700 (PDT) (envelope-from dave@hawk-systems.com)
Received: from WS1 (ws1.nexusinternetsolutions.net [204.50.158.15]) by hawk-systems.com (8.11.2) id f7NGoJf00157; Thu, 23 Aug 2001 10:50:19 -0600 (MDT)
From: dave@hawk-systems.com (Dave)
To: "Jeremy Buckner" ,
Subject: RE: need help with mail server
Date: Thu, 23 Aug 2001 12:48:14 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <001301c12bec$340e1960$0c0aa8c0@caz>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Personal opinion here... did you drop to single user mode first? Not sure if it is required, but I recommend always dropping to single user mode when relocating /var/* files.
I find that all the log files and system processes that are writing in there regularly (especially on busy systems) can create havoc during the relocation... and in your case could have resulted in orphaned lock files.

So in single user mode (and you indicated you have done these steps):

cd /var
mkdir /usr/var
mv /var/mail /usr/var/
ln -s /usr/var/mail .

then restart.

Never had a problem with things, and must have done this 3 or 4 dozen times.

>Hello, I had my mail server run out of room in /var today.
>No mail could be sent or received. (Don't laugh too hard)
>Anyway to remedy the problem I moved everything from /var to
>/usr/var and did the whole ln -s thing too. Now everyone can
>send just fine but not receive. This is the error I get:
>
>-ERR [SYS/TEMP] maillock error 'Other lock error' (5) on
>'/var/mail/usermailbox': No such file or directory (2)
>
>What is that and how do I fix it? I assume when the problem
>occurred, a lock file of some sort was created to stop mail.
>Maybe?
>
>Also I am running FreeBSD 4.3 with sendmail and qpopper.
>
>Thanks
>Jeremy Buckner

From owner-freebsd-isp Thu Aug 23 11:51:43 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from user.nunanet.com (user.nunanet.com [199.247.47.5]) by hub.freebsd.org (Postfix) with ESMTP id DBB9F37B408 for ; Thu, 23 Aug 2001 11:51:28 -0700 (PDT) (envelope-from mmason@nunanet.com)
Received: from nunanet.com (nia.nunanet.com [199.247.47.10]) by user.nunanet.com (8.9.2/8.9.2) with ESMTP id OAA11418; Thu, 23 Aug 2001 14:51:08 -0400 (EDT)
Message-ID: <3B855F54.4468F7B8@nunanet.com>
Date: Thu, 23 Aug 2001 14:53:56 -0500
From: Marcel Mason
Reply-To: mmason@nunanet.com
Organization: Nunanet Communications Ltd.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.2-2 i586)
X-Accept-Language: en
MIME-Version: 1.0
To: Jeremy Buckner
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: need help with mail server
References: <001301c12bec$340e1960$0c0aa8c0@caz>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just was there & did that, ran into probs and got the following from another kind soul to help me out :-)

unplug server from network (can be done while connected but adds extra steps)
kill -9 `cat /where/ever/sendmailpid/is/sendmail.pid`
mv /location/of/popper /location/of/popper.hold
ps ax to look for any left over pop or sendmail processes - kill them
mv /current/mail/dir/* /new/mail/dir
set up symlink so it all works
restart sendmail, rename popper.hold back to popper

Bob's yer uncle, or at least it worked for me

M

Jeremy Buckner wrote:
>
> Hello, I had my mail server run out of room in /var today.
> No mail could be sent or received. (Don't laugh too hard)
> Anyway to remedy the problem I moved everything from /var to
> /usr/var and did the whole ln -s thing too. Now everyone can
> send just fine but not receive. This is the error I get:
>
> -ERR [SYS/TEMP] maillock error 'Other lock error' (5) on
> '/var/mail/usermailbox': No such file or directory (2)
>
> What is that and how do I fix it? I assume when the problem
> occurred, a lock file of some sort was created to stop mail.
> Maybe?
>
> Also I am running FreeBSD 4.3 with sendmail and qpopper.
>
> Thanks
> Jeremy Buckner

From owner-freebsd-isp Thu Aug 23 22: 6: 0 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from wari.semo.net (216-41-128-73.semo.net [216.41.128.73]) by hub.freebsd.org (Postfix) with SMTP id 886E737B403 for ; Thu, 23 Aug 2001 22:05:53 -0700 (PDT) (envelope-from butch@sheltonbbs.com)
Received: (qmail 15214 invoked from network); 24 Aug 2001 05:03:50 -0000
Received: from mail.sheltonbbs.com (206.196.109.2) by 216-41-128-73.semo.net with SMTP; 24 Aug 2001 05:03:50 -0000
Received: (qmail 13042 invoked from network); 24 Aug 2001 05:06:36 -0000
Received: from unknown (HELO 216-41-137-20.semo.net) (216.41.137.20) by mail.sheltonbbs.com with SMTP; 24 Aug 2001 05:06:36 -0000
Date: Fri, 24 Aug 2001 00:06:02 -0500 (CDT)
From: Butch Evans
X-Sender: root@216-41-137-20.semo.net
To: Freebsd-ISP
Subject: CyberCafe
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am in the process of planning an Internet Cafe. What I plan is setting up some Windows workstations for the customers, and then set up a freebsd box as the router. Are there some folks out there that have run this type of business that would be willing to share some info with me? What type of software would be recommended to handle the billing/timers (at the BSD box)? I am in the very early stages of planning, but would like to solve the technical aspects first (at least understand what I have to do to solve them). Any help or pointers would be appreciated.
--
Butch Evans
http://www.ChristInVerse.com/
http://www.HeIsComingSoon.com/ (in the works)

From owner-freebsd-isp Thu Aug 23 23:48: 7 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from zehn.mine.nu (ad202.166.108.41.magix.com.sg [202.166.108.41]) by hub.freebsd.org (Postfix) with ESMTP id 886F437B40D for ; Thu, 23 Aug 2001 23:48:04 -0700 (PDT) (envelope-from bennyc@magix.com.sg)
Received: (from bennyc@localhost) by zehn.mine.nu (8.9.3/8.9.3) id OAA32211 for freebsd-isp@FreeBSD.ORG; Fri, 24 Aug 2001 14:48:05 +0800
Date: Fri, 24 Aug 2001 14:48:05 +0800
From: Benny Chee
To: freebsd-isp@FreeBSD.ORG
Subject: timezone in apache
Message-ID: <20010824144805.A32194@magix.com.sg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i-nntp
Organization: Singapore Telecommunications Ltd
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I have set my timezone on my bsd box to SGT (GMT+8), and almost all applications worked well with it, except apache. My apache is still returning me GMT+0; this is seen at my accesslog as well as my cgi scripts.

Anyone know how I can work this out?
--
benny

From owner-freebsd-isp Fri Aug 24 0:12:26 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from kermit.netivity.nl (wc-68.r-195-85-144.essentkabel.com [195.85.144.68]) by hub.freebsd.org (Postfix) with ESMTP id 52F4437B407 for ; Fri, 24 Aug 2001 00:12:21 -0700 (PDT) (envelope-from enriko.groen@netivity.nl)
Received: by KERMIT with Internet Mail Service (5.5.2653.19) id ; Fri, 24 Aug 2001 09:12:16 +0200
Message-ID: <510EAC2065C0D311929200A02472526237A200@NETIVITY-FS>
From: Enriko Groen
To: 'Benny Chee', freebsd-isp@FreeBSD.ORG
Subject: RE: timezone in apache
Date: Fri, 24 Aug 2001 09:12:06 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> -----Original Message-----
> From: Benny Chee [mailto:bennyc@magix.com.sg]
>
> i have set my timezone on my bsd box to SGT (GMT+8),
> and almost all applications worked well with it, except
> apache. my apache is still returning me GMT+0, this is seen
> at my accesslog as well as my cgi scripts.
>
> anyone knows how can i work this out?

I'm not 100% sure but this might have something to do with W3C's requirement for logfiles to be logged at UTC/GMT. I think they require this to avoid confusion about time in logfiles.
--
Enriko Groen, Hosting manager
--------------------------------------------------------
netivity bv www.netivity.nl enriko.groen@netivity.nl
038 - 850 1000 van nagellstraat 4 8011 eb zwolle
--------------------------------------------------------

From owner-freebsd-isp Fri Aug 24 11:19:56 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.cableaz.com (mail.cableaz.com [63.241.154.20]) by hub.freebsd.org (Postfix) with ESMTP id 9630937B408 for ; Fri, 24 Aug 2001 11:19:46 -0700 (PDT) (envelope-from jeremy@cableaz.com)
Received: from caz ([63.241.154.8]) by mail.cableaz.com (Build 101 8.9.3/NT-8.9.3) with SMTP id LAA32320 for ; Fri, 24 Aug 2001 11:16:40 -0700
Message-ID: <002201c12cc9$491a6600$0c0aa8c0@caz>
From: "Jeremy Buckner"
To:
Subject: Mail Quotas
Date: Fri, 24 Aug 2001 11:19:16 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In light of my adventures yesterday (feel free to read the thread), which I got fixed thanks to all of you, I believe it is now time to implement quotas on my mail server. I am running 4.3 with sendmail and qpopper (which I understand doesn't support quotas). I have built a custom kernel with quotaon, and everything there works great for limiting directory size. The goal here is to limit mail box sizes and make this switch with little or no downtime. Is it doable? Your input is appreciated.

Jeremy Buckner
IT Administrator
CableAmerica Corp.
From owner-freebsd-isp Fri Aug 24 13:18:19 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from sasami.jurai.net (sasami.jurai.net [64.0.106.45]) by hub.freebsd.org (Postfix) with ESMTP id 0336B37B401 for ; Fri, 24 Aug 2001 13:18:15 -0700 (PDT) (envelope-from winter@jurai.net)
Received: from localhost (winter@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id QAA80350; Fri, 24 Aug 2001 16:18:11 -0400 (EDT)
Date: Fri, 24 Aug 2001 16:18:11 -0400 (EDT)
From: "Matthew N. Dodd"
To: Holtor
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: virtusertable
In-Reply-To: <20010817194448.15858.qmail@web11607.mail.yahoo.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 17 Aug 2001, Holtor wrote:
> Does anyone know of a good way to give web hosting customers access to
> modify their own e-mail aliases for their domain using virtusertable?

http://www.jurai.net/~winter/virtual/
http://www.jurai.net/~winter/virtual/email.html

I wrote this years ago. Ignore the bits on configuring sendmail as the builtin rules are better than the ones I provide on the page.

--
| Matthew N. Dodd  | '78 Datsun 280Z | '75 Volvo 164E  | FreeBSD/NetBSD  |
| winter@jurai.net | 2 x '84 Volvo 245DL              | ix86,sparc,pmax |
| http://www.jurai.net/~winter | For Great Justice!
| ISO8802.5 4ever | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message From owner-freebsd-isp Sat Aug 25 0: 3:16 2001 Delivered-To: freebsd-isp@freebsd.org Received: from gatekeeper.viper.net.au (gatekeeper.viper.net.au [203.31.238.1]) by hub.freebsd.org (Postfix) with ESMTP id 0142637B401 for ; Sat, 25 Aug 2001 00:03:12 -0700 (PDT) (envelope-from mark@viper.net.au) Received: from localhost (mark@localhost) by gatekeeper.viper.net.au (8.9.3/8.9.3) with ESMTP id RAA69881; Sat, 25 Aug 2001 17:03:02 +1000 (EST) (envelope-from mark@viper.net.au) Date: Sat, 25 Aug 2001 17:03:02 +1000 (EST) From: Mark Russell To: Holtor Cc: Subject: Re: virtusertable In-Reply-To: <20010817194448.15858.qmail@web11607.mail.yahoo.com> Message-ID: <20010825170136.M11152-100000@gatekeeper.viper.net.au> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 17 Aug 2001, Holtor wrote: > Hello all, > > Does anyone know of a good way to give web hosting > customers access to modify their own e-mail aliases > for their domain using virtusertable? > > I was thinking something like > > /etc/mail/virtusertable: > @domain.com /usr/home/$user/.aliases > > Then in .aliases > user1 user@hotmail.com > user4 user@yahoo.com > > Of course this does not work .. any ideas? 
Have a look at http://www.empnet.com/mdmod/ it does something like you want I think

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Mark Russell mark@viper.net.au ph 61 + 2 + 9699 3837
viper.net.au http://www.viper.net.au fax 61 + 2 + 9699 3841
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The best things in life are free, that's why Windoze costs so much
######################################################################
If I have received your email in error then it's your fault. I have now paid for it so I can do what the hell I like with it, this includes publishing on the web, giving it to journos or any media person. If you don't like this, tough.
######################################################################

From owner-freebsd-isp Sat Aug 25 2:38:18 2001
Delivered-To: freebsd-isp@freebsd.org Received: from mailout01.sul.t-online.de (mailout01.sul.t-online.com [194.25.134.80]) by hub.freebsd.org (Postfix) with ESMTP id 60FB237B406 for ; Sat, 25 Aug 2001 02:38:11 -0700 (PDT) (envelope-from haribeau@gmx.de) Received: from fwd07.sul.t-online.de by mailout01.sul.t-online.de with smtp id 15aZtJ-0005bt-06; Sat, 25 Aug 2001 11:38:09 +0200 Received: from asterix.local (320080844193-0001@[217.80.84.60]) by fmrl07.sul.t-online.com with smtp id 15aZt6-1ckUymC; Sat, 25 Aug 2001 11:37:56 +0200 Received: (qmail 461 invoked from network); 25 Aug 2001 09:37:54 -0000 Received: from homer.local (HELO homer.local.nlocal) (192.168.1.50) by 0 with SMTP; 25 Aug 2001 09:37:54 -0000 Received: (nullmailer pid 1276 invoked by uid 1100); Sat, 25 Aug 2001 09:37:54 -0000 Date: Sat, 25 Aug 2001 11:37:54 +0200 From: Clemens Hermann To: BSD-ISP Subject: apache jail Message-ID: <20010825113754.A1025@homer.local> Mail-Followup-To: Clemens Hermann , BSD-ISP Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Mailer: Mutt 1.2.5i (FreeBSD 4.3-RELEASE i386) Organization: Linuxlupe InternetSolutions X-Sender: 320080844193-0001@t-dialin.net Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

how can I send each apache virtual-host into something like a jail? I have several vhosts sharing one IP so the apache could not be run inside the jails, right?
Furthermore I would like to keep things as much as possible as they are; the only goal is to avoid that php-scripts and the like can access the system (e.g. access the /etc/passwd to read it etc.).

is there any information available how to do this?

tia

/ch
--
"Contrary to popular belief, Unix is user friendly. It just happens to be selective about who it makes friends with."

From owner-freebsd-isp Sat Aug 25 2:57:55 2001
Delivered-To: freebsd-isp@freebsd.org Received: from mail5.speakeasy.net (mail5.speakeasy.net [216.254.0.205]) by hub.freebsd.org (Postfix) with ESMTP id 6180337B405 for ; Sat, 25 Aug 2001 02:57:50 -0700 (PDT) (envelope-from drakFB@drak.com) Received: (qmail 51689 invoked from network); 25 Aug 2001 09:57:50 -0000 Received: from unknown (HELO ?192.168.1.5?)
([64.81.163.89]) (envelope-sender ) by mail5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 25 Aug 2001 09:57:50 -0000 Mime-Version: 1.0 X-Sender: (Unverified) Message-Id: In-Reply-To: <20010825113754.A1025@homer.local> References: <20010825113754.A1025@homer.local> Date: Sat, 25 Aug 2001 02:57:48 -0700 To: Clemens Hermann From: Andrew Matheson Subject: Re: apache jail Cc: freebsd-isp@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

>how can I send each apache virtual-host into something like a jail? I have
>several vhosts sharing one IP so the apache could not be run inside the
>jails, right?
>Furthermore I would like to keep things as much as possible as they are,
>the only goal is to avoid that php-scripts and the like can access the
>system (e.g. access the /etc/passwd to read it etc.).
>
>is there any information available how to do this?

I've never tried this before and have no idea if it will work, but you may be able to do the following:

1) Set up each apache virtual host in its own jail using internal network ip addresses. You'd need to have one apache per jail, which I think is what you're trying to accomplish.

2) Set up apache running on your main ip address. Configure VirtualHost directives for each of your domains so that apache acts as a proxy server, forwarding the requests to the appropriate jail ip addresses.

Good Luck,
Andrew

From owner-freebsd-isp Sat Aug 25 3:15:59 2001
Delivered-To: freebsd-isp@freebsd.org Received: from bilver.wjv.com (dhcp-1-229.n01.orldfl01.us.ra.verio.net [157.238.210.229]) by hub.freebsd.org (Postfix) with ESMTP id 3940037B40C for ; Sat, 25 Aug 2001 03:15:54 -0700 (PDT) (envelope-from bill@bilver.wjv.com) Received: (from bill@localhost) by bilver.wjv.com (8.11.5/8.11.1) id f7PAFSX05917 for freebsd-isp@freebsd.org; Sat, 25 Aug 2001 06:15:28 -0400 (EDT) (envelope-from bill) Date: Sat, 25 Aug 2001 06:15:27 -0400 From: Bill Vermillion To: freebsd-isp@freebsd.org Subject: Re: virtusertable Message-ID: <20010825061527.B5839@wjv.com> Reply-To: bv@wjv.com References: <20010817194448.15858.qmail@web11607.mail.yahoo.com> <20010825170136.M11152-100000@gatekeeper.viper.net.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010825170136.M11152-100000@gatekeeper.viper.net.au>; from mark@viper.net.au on Sat, Aug 25, 2001 at 05:03:02PM +1000 Organization: W.J.Vermillion / Orlando - Winter Park Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sat, Aug 25, 2001 at 05:03:02PM +1000, Mark Russell thus sprach:
> On Fri, 17 Aug 2001, Holtor wrote:
>
> > Hello all,
> > Does anyone know of a good way to give web hosting
> > customers access to modify their own e-mail aliases
> > for their domain using virtusertable?
> > I was thinking something like
> > /etc/mail/virtusertable:
> > @domain.com /usr/home/$user/.aliases
> > Then in .aliases
> > user1 user@hotmail.com
> > user4 user@yahoo.com
> > Of course this does not work .. any ideas?

Using the example in virtusertable, would not the correct syntax be like this:

@domain.com /usr/home/%1/.aliases
From the example given for sending an entire domain's mail to users as another, it looks like this should be the format. I don't have the original message - just this reply - so I'm replying to it.

> Have a look at http://www.empnet.com/mdmod/ it does something like you
> want I think

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-isp Sat Aug 25 5:50:40 2001
Delivered-To: freebsd-isp@freebsd.org Received: from hawk-systems.com (hawk-systems.com [161.58.152.235]) by hub.freebsd.org (Postfix) with ESMTP id 1240C37B40C for ; Sat, 25 Aug 2001 05:50:36 -0700 (PDT) (envelope-from dave@hawk-systems.com) Received: from WS1 ([216.94.242.73]) by hawk-systems.com (8.11.2) id f7PCoWZ30944; Sat, 25 Aug 2001 06:50:32 -0600 (MDT) From: dave@hawk-systems.com (Dave) To: "Clemens Hermann" , "BSD-ISP" Subject: RE: apache jail Date: Sat, 25 Aug 2001 08:47:47 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010825113754.A1025@homer.local> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

>how can I send each apache virtual-host into something like a jail? I have
>several vhosts sharing one IP so the apache could not be run inside the
>jails, right?
>Furthermore I would like to keep things as much as possible as they are,
>the only goal is to avoid that php-scripts and the like can access the
>system (e.g. access the /etc/passwd to read it etc.).
>
>is there any information available how to do this?

This doesn't truly jail them, but restricts access by Apache for the virtual host site from reading anything that isn't owned by that user... then you just need to police your "other" bits for the rest of your server.

WARNING: Recently tried this on a test system, haven't ported it yet to production or given it a serious break test.
Recent versions of Apache and suexec
apache compiled with suexec

# set user and group to unique
chown USERID:USERID /path/to/user/html/directory
# no public access to any files under here that
# you don't want public reading, like scripts
# with database login information in them
chmod -R 0750 /path/to/user/html/directory

>in apache's httpd.conf
# set each virtual host to run any accesses
# as the group USERID giving them only access
# to this directory... defeats PHP directory
# and shell scripts as long as no public read bits
# are set
ServerName whatever.com
Group USERID

you end up with http://test1.com and http://test2.com being unable to create PHP scripts or do listings of any other virtual user directory since they are not of the same group, but accesses to the site are made by invoking apache as that group for that session.

directory tree
drwxr-s--- 2 user1 user1 512 Aug 19 18:23 vtest1
drwxr-s--- 2 user2 user2 512 Aug 19 18:26 vtest2

with directory groups set in the httpd.conf for user1 in vtest1 and user2 in vtest2, neither user should be able to use PHP filesystem functions to browse the other directories as long as no public bits are set, and apache server requests still serve the documents from the directories since each user's directory has a Group user1 (or user2) set for his directory in the directory or virtual container, thus executing the apache requests as the appropriate user and not the generic www user.

Please feel free to point out any errors in my logic... it appears pretty solid from here and in the preliminary tests I have run... again I have not had the opportunity to really give this a hard look to determine if it only *appears* to limit each site's apache and associated script access to itself.
Dave

From owner-freebsd-isp Sat Aug 25 6:33:19 2001
Delivered-To: freebsd-isp@freebsd.org Received: from mail4.txucom.net (mail4.txucom.net [207.70.175.17]) by hub.freebsd.org (Postfix) with SMTP id 857FB37B406 for ; Sat, 25 Aug 2001 06:33:15 -0700 (PDT) (envelope-from bob@buckhorn.net) Received: (qmail 6091 invoked from network); 25 Aug 2001 13:33:14 -0000 Received: from lfkn-adsl-dhcp-net1-159.txucom.net (HELO buckhorn.net) ([207.70.145.159]) (envelope-sender ) by mail4.txucom.net (qmail-ldap-1.03) with SMTP for ; 25 Aug 2001 13:33:14 -0000 Message-ID: <3B87A920.91B65648@buckhorn.net> Date: Sat, 25 Aug 2001 08:33:20 -0500 From: Bob Martin X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Clemens Hermann Cc: BSD-ISP Subject: Re: apache jail References: <20010825113754.A1025@homer.local> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Clemens Hermann wrote:
>
> Hi,
>
> how can I send each apache virtual-host into something like a jail? I have
> several vhosts sharing one IP so the apache could not be run inside the
> jails, right?
> Furthermore I would like to keep things as much as possible as they are,
> the only goal is to avoid that php-scripts and the like can access the
> system (e.g. access the /etc/passwd to read it etc.).
>
> is there any information available how to do this?
>
> tia
>
> /ch
>

The solution that Andrew Matheson posted works well if you really want to use a jail. There is a lot of initial work in creating jails, and jails use a lot of hard drive space.

The easiest approach is to use good security. There is an abundant amount of security documentation for apache and php on the net. Moreover, if you read all the docs that come with both apache and php, you'll find lots of useful information.

Spend some time making sure that the base system is secure. Best practices like frequently changing privileged passwords, and reading logs will serve you well in the long run. Unfortunately, there are no shortcuts to security.

Bob Martin
--
But in our enthusiasm, we could not resist a radical overhaul of the system, in which all of its major weaknesses have been exposed, analyzed, and replaced with new weaknesses.
-- Bruce Leverett, "Register Allocation in Optimizing Compilers"

From owner-freebsd-isp Sat Aug 25 6:55:53 2001
Delivered-To: freebsd-isp@freebsd.org Received: from terra.ombra.org (terra.ombra.org [65.102.210.226]) by hub.freebsd.org (Postfix) with ESMTP id AA8B237B40A for ; Sat, 25 Aug 2001 06:55:50 -0700 (PDT) (envelope-from jgiacomoni@terra.ombra.org) Received: by terra.ombra.org (Postfix, from userid 1000) id EE7DA5D3C; Sun, 26 Aug 2001 07:54:39 -0600 (MDT) Date: Sun, 26 Aug 2001 07:54:39 -0600 From: John Giacomoni To: freebsd-isp@freebsd.org Subject: Re: apache jail Message-ID: <20010826075439.B76330@terra.ombra.org> References: <20010825113754.A1025@homer.local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from "Andrew Matheson" on Sat, Aug 25, 2001 at 02:57:48AM Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I was going to suggest this as well, and have succeeded in making this work between different hosts. However, there is no real need to have different hosts. You can simply use different ports. Also, by using unprivileged ports, you get the ability to fire up the jailed vhosts without root.
John G

> I've never tried this before and have no idea if it will work, but you may be able to do the following:
>
> 1) Set up each apache virtual host in its own jail using internal network ip addresses. You'd need to have one apache per jail, which I think is what you're trying to accomplish.
>
> 2) Set up apache running on your main ip address. Configure VirtualHost directives for each of your domains so that apache acts as a proxy server, forwarding the requests to the appropriate jail ip addresses.
>
> Good Luck,
> Andrew

--
Code is obstinate like a two year old... with logic

From owner-freebsd-isp Sat Aug 25 7:22:40 2001
Delivered-To: freebsd-isp@freebsd.org Received: from mailout05.sul.t-online.de (mailout05.sul.t-online.com [194.25.134.82]) by hub.freebsd.org (Postfix) with ESMTP id 777C037B40C for ; Sat, 25 Aug 2001 07:22:37 -0700 (PDT) (envelope-from haribeau@gmx.de) Received: from fwd07.sul.t-online.de by mailout05.sul.t-online.de with smtp id 15aeKZ-0002yl-03; Sat, 25 Aug 2001 16:22:35 +0200 Received: from asterix.local (320080844193-0001@[217.80.84.60]) by fmrl07.sul.t-online.com with smtp id 15aeKQ-0afpPkC; Sat, 25 Aug 2001 16:22:26 +0200 Received: (qmail 819 invoked from network); 25 Aug 2001 14:22:25 -0000 Received: from homer.local (HELO homer.local.nlocal) (192.168.1.50) by 0 with SMTP; 25 Aug 2001 14:22:25 -0000 Received: (nullmailer pid 1173 invoked by uid 1100); Sat, 25 Aug 2001 14:22:25 -0000 Date: Sat, 25 Aug 2001 16:22:25 +0200 From: Clemens Hermann To: Bob Martin Cc: BSD-ISP Subject: Re: apache jail Message-ID: <20010825162224.A1051@homer.local> Mail-Followup-To: Clemens Hermann , Bob Martin , BSD-ISP References: <20010825113754.A1025@homer.local> <3B87A920.91B65648@buckhorn.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B87A920.91B65648@buckhorn.net> from Bob Martin on 25.Aug.2001 at 08:33:20 (-0500) X-Mailer: Mutt 1.2.5i (FreeBSD 4.3-RELEASE i386) X-Sender: 320080844193-0001@t-dialin.net Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On 25.08.2001 at 08:33:20 Bob Martin wrote:

Hi,

> The solution that Andrew Matheson posted works well if you really want to
> use a jail. There is a lot of initial work in creating jails, and jails
> use a lot of hard drive space.

furthermore there might be a huge overhead (cpu and memory) by running a complete httpd environment for each vhost. Adding a vhost will certainly be far more complicated.

> The easiest approach is to use good security.

that's what the whole approach is all about, right? :)
Imho the system is quite secure so I do not expect great danger with the current situation, I just would like to keep people where they belong. Keeping everybody but root out of the system in general might increase the overall security a lot.

> There is an abundant
> amount of security documentation for apache and php on the net.

I had a closer look, bothered google for the subject but did not find a solution. One of my bigger concerns is that apache/php allows scripts to dig around in my system as any shell user might do as well. There is no need (at least if you can offer the perl interpreter etc. anyway), so I would appreciate it a lot if no php/perl/etc. script could leave what apache defines as document-root.
Many ftp-servers offer this feature (chroot after login), which makes much sense in my opinion, but if you can bypass this with php and friends it makes far less sense.

> Spend some time making sure that the base system is secure.

Garfinkel etc. right :)

/ch
--
"Contrary to popular belief, Unix is user friendly.
It just happens to be selective about who it makes friends with."

From owner-freebsd-isp Sat Aug 25 7:55:33 2001
Delivered-To: freebsd-isp@freebsd.org Received: from mail4.txucom.net (mail4.txucom.net [207.70.175.17]) by hub.freebsd.org (Postfix) with SMTP id A3E0337B407 for ; Sat, 25 Aug 2001 07:55:29 -0700 (PDT) (envelope-from bob@buckhorn.net) Received: (qmail 21963 invoked from network); 25 Aug 2001 14:55:28 -0000 Received: from lfkn-adsl-dhcp-net1-159.txucom.net (HELO buckhorn.net) ([207.70.145.159]) (envelope-sender ) by mail4.txucom.net (qmail-ldap-1.03) with SMTP for ; 25 Aug 2001 14:55:28 -0000 Message-ID: <3B87BC66.680DABDF@buckhorn.net> Date: Sat, 25 Aug 2001 09:55:34 -0500 From: Bob Martin X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Clemens Hermann Cc: BSD-ISP Subject: Re: apache jail References: <20010825113754.A1025@homer.local> <3B87A920.91B65648@buckhorn.net> <20010825162224.A1051@homer.local> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Clemens Hermann wrote:
--snip
> I had a closer look, bothered google for the subject but did not find a
> solution. One of my bigger concerns is that apache/php allows scripts to
> dig around in my system as any shell user might do as well. There is no
> need (at least if you can offer the perl interpreter etc. anyway) so I
> would appreciate it a lot if no php/perl/etc. script could leave what
> apache defines as document-root.
> Many ftp-servers offer this feature (chroot after login) which makes
> much sense in my opinion but if you can bypass this with php and friends
> it makes far less sense.

This has been kicked around a lot over the years. If you chroot apache, then you either break SSI, or end up copying loads of stuff to the sandbox. If you modify permissions, you end up with unmanageable group lists, and possibly break other things as well. There just isn't a one size fits all solution.

We've tried lots of solutions, and finally settled on this. The user's directory is chown user:group, files are mode 644 (Traditional FBSD user==group). The only directory that has execute permissions is cgi-bin, and the user doesn't have write permissions to it (owner webmaster:user, mode 755). That means that we have to put the [php] script in the cgi-bin for them. Right after we read it. If they want a binary in the cgi-bin, they have to furnish the code. All of this is enforced with chflags on the various directory structures. Also note that we don't grant shell access, and you can't change permissions with ftp.

Once in a while, it's a real pain. And if you don't have a programmer lying around, it doesn't work. On the flip side, we have caught several malicious scripts, and more than a few that would have consumed large amounts of cpu and ram.

http://www.apache.org/docs-2.0/misc/security_tips.html
http://www.bignosebird.com/apache/a11.shtml
http://www.devthreads.com/core/Languages/PHP/Scripts/Security_Systems/

Bob Martin
--
But in our enthusiasm, we could not resist a radical overhaul of the system, in which all of its major weaknesses have been exposed, analyzed, and replaced with new weaknesses.
-- Bruce Leverett, "Register Allocation in Optimizing Compilers"

From owner-freebsd-isp Sat Aug 25 16:22:20 2001
Delivered-To: freebsd-isp@freebsd.org Received: from mail.centeroil.com (mail.centeroil.com [216.87.35.22]) by hub.freebsd.org (Postfix) with ESMTP id 11B6F37B401 for ; Sat, 25 Aug 2001 16:22:17 -0700 (PDT) (envelope-from q410ph6osip@msn.com) Received: from iemfp.msn.com (root@inetpro.gpsinteractive.com [206.111.147.2]) by mail.centeroil.com (8.8.8/SCO5) with SMTP id SAA27942; Sat, 25 Aug 2001 18:16:48 -0500 (CDT) Date: Sat, 25 Aug 2001 18:16:48 -0500 (CDT) From: q410ph6osip@msn.com Message-Id: <200108252316.SAA27942@mail.centeroil.com> To: pr1xquuss9@msn.com Reply-To: gaylewohlenhaus4102@excite.com Subject: Get Out Of Debt! [zzc4p] Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Got debt? We can help using Debt Consolidation! If you owe $4,000 US or more, consolidate your debt into just 1 payment and let us handle the rest! Wouldn't it be nice to have to worry about just 1 monthly fee instead of half a dozen? We think so too.

- No credit checks required
- You do not have to own a home
- You do not need another loan
- Approval within 10 business days
- Available to all US residents

For a FREE, no obligation, consultation, please fill out the form below and return it to us. Paying bills should not be a chore, and your life should be as easy and simple as possible. So take advantage of this great offer!

-=-=-=-=-=-=-=-=-=-=-
(All fields are required)
Full Name :
Address :
City :
State :
Zip Code :
Home Phone :
Work Phone :
Best Time to Call :
E-Mail Address :
Estimated Debt Size :
-=-=-=-=-=-=-=-=-=-=-

If you are having difficulties filling out the form please do the following: highlight it (left mouse button and hold), press CTRL+C while its highlighted, hit the Reply button in your e-mail program, click once onto the Body/Message box, and press CTRL+V. You will then be able to fill out the form.

Thank You
----------
To receive no further offers from our company regarding this matter or any other matter, please reply to this e-mail with the word 'Remove' in the subject line.
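Dave's per-vhost `Group USERID` plus `chmod -R 0750` layout and Bob's 644-files scheme in the apache jail thread above both stand or fall on the ordinary Unix owner/group/other check, so whether one vhost's script can read another vhost's files, or the /etc/passwd Clemens asked about, is decided by that check alone. The Python below is an added example and not code from anyone in the thread: it implements the kernel's read check (root always passes; otherwise exactly one of the owner, group or other triplets applies, and every directory on the path must be searchable) and runs it over a constructed tree that mirrors both layouts. It assumes what Dave's directive is meant to achieve, namely that a script for a vhost runs with that vhost's group; note that in Apache 1.3 a `Group` inside a `<VirtualHost>` only changes the group of CGIs executed through suexec, while mod_php runs in-process as the server's own user, so for PHP the assumption holds only when PHP is run as a suexec CGI. The uids, paths and file names are invented for the example. What it shows is that the 0750 layout keeps vhost1 out of vhost2's tree, but that a neighbour using 644 files, and the world-readable /etc/passwd, stay readable, which is why the `world_readable()` audit at the end (what `find /home -perm -004` would list on the real box) is the check worth running after setting this up.

```python
# Added example: a model of the Unix owner/group/other read check, run over a
# constructed directory tree that mirrors the per-vhost layouts in the thread.
# Uids, gids, paths and file names below are invented for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

R, W, X = 4, 2, 1  # bits within one rwx triplet (X means "search" on a dir)


@dataclass(frozen=True)
class Node:
    uid: int
    gid: int
    mode: int  # as for chmod(1); 0o2750 is what ls shows as drwxr-s---


@dataclass(frozen=True)
class Proc:
    uid: int
    gids: FrozenSet[int]  # effective gid plus any supplementary groups


def allows(node: Node, proc: Proc, bit: int) -> bool:
    """Discretionary access control as the kernel applies it: root passes,
    otherwise exactly one triplet (owner, else group, else other) is used."""
    if proc.uid == 0:
        return True
    if proc.uid == node.uid:
        shift = 6
    elif node.gid in proc.gids:
        shift = 3
    else:
        shift = 0
    return bool(((node.mode & 0o777) >> shift) & bit)


def can_read(tree: Dict[str, Node], path: str, proc: Proc) -> bool:
    """open(path, O_RDONLY) succeeds only if every ancestor directory is
    searchable by proc and the file itself is readable by proc."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts)):
        ancestor = "/" + "/".join(parts[:depth])  # "/", "/home", ...
        if not allows(tree[ancestor], proc, X):
            return False
    return allows(tree[path], proc, R)


def world_readable(tree: Dict[str, Node], prefix: str) -> List[str]:
    """Audit: paths under prefix carrying an 'other' read bit, i.e. what
    `find <prefix> -perm -004` would list on the real host."""
    return sorted(p for p, n in tree.items()
                  if p.startswith(prefix + "/") and n.mode & 0o004)


# Constructed tree. Dave's layout: chown USERID:USERID, chmod -R 0750, with
# setgid directories as in his drwxr-s--- listing. Bob's layout: directory
# user:user, files 0644. /etc/passwd is mode 0644 as on any FreeBSD box.
ROOT, WHEEL, WWW = 0, 0, 80
USER1, USER2, USER3 = 1001, 1002, 1003  # uid == gid, the FreeBSD default

TREE: Dict[str, Node] = {
    "/":                       Node(ROOT, WHEEL, 0o755),
    "/etc":                    Node(ROOT, WHEEL, 0o755),
    "/etc/passwd":             Node(ROOT, WHEEL, 0o644),
    "/home":                   Node(ROOT, WHEEL, 0o755),
    "/home/vtest1":            Node(USER1, USER1, 0o2750),
    "/home/vtest1/config.php": Node(USER1, USER1, 0o750),
    "/home/vtest2":            Node(USER2, USER2, 0o2750),
    "/home/vtest2/index.php":  Node(USER2, USER2, 0o750),
    "/home/vtest3":            Node(USER3, USER3, 0o755),
    "/home/vtest3/db.php":     Node(USER3, USER3, 0o644),
}


def vhost_script(gid: int) -> Proc:
    """A script serving one vhost: the server's own uid (www) with the
    vhost's group, which is what the per-vhost Group directive is meant to
    give it (assumption of the model, see the lead-in)."""
    return Proc(uid=WWW, gids=frozenset({gid}))


if __name__ == "__main__":
    s1 = vhost_script(USER1)
    for p in ("/home/vtest1/config.php", "/home/vtest2/index.php",
              "/home/vtest3/db.php", "/etc/passwd"):
        print(f"vhost1 script can read {p}: {can_read(TREE, p, s1)}")
    print("world-readable under /home:", world_readable(TREE, "/home"))
```

Run as-is it reports that vhost1's script reads its own config.php, is refused vhost2's index.php at the directory search step, and still reads vtest3/db.php and /etc/passwd. The isolation therefore holds only between vhosts that all clear their world bits, and it never keeps a script inside its document root the way a chroot would, which is the gap Clemens was pointing at.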