From owner-freebsd-isp@FreeBSD.ORG Sun Jul 24 23:05:09 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B79B16A41F for ; Sun, 24 Jul 2005 23:05:09 +0000 (GMT) (envelope-from danger@rulez.sk) Received: from mail.rulez.sk (DaEmoN.RuLeZ.sK [84.16.32.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id C628D43D55 for ; Sun, 24 Jul 2005 23:05:07 +0000 (GMT) (envelope-from danger@rulez.sk) Received: from localhost (localhost [127.0.0.1]) by mail.rulez.sk (Postfix) with ESMTP id 37DBF1CC62; Mon, 25 Jul 2005 01:05:01 +0200 (CEST) Received: from danger.mcrn.sk (danger.mcrn.sk [84.16.37.254]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.rulez.sk (Postfix) with ESMTP id B2E351CC33; Mon, 25 Jul 2005 01:04:54 +0200 (CEST) Date: Mon, 25 Jul 2005 01:04:51 +0200 From: Daniel Gerzo X-Mailer: The Bat! (v3.5) UNREG / CD5BF9353B3B7091 X-Priority: 3 (Normal) Message-ID: <77588585.20050725010451@rulez.sk> To: Chris Buechler In-Reply-To: References: <42DEAE1F.8000702@novusordo.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at mail.rulez.sk X-Spam-Status: No, hits=-4.861 tagged_above=-999 required=5 tests=[ALL_TRUSTED=-3.3, AWL=1.038, BAYES_00=-2.599] X-Spam-Level: Cc: freebsd-isp@freebsd.org, Chris Jones , Todor Dragnev Subject: Re[2]: ssh brute force X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Daniel Gerzo List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Jul 2005 23:05:09 -0000 Hello Chris, Thursday, July 21, 2005, 2:43:08 AM, si tukal: > On 7/20/05, Chris Jones wrote: >> >> I'm looking at having a script look at SSH's log output for repeated >> failed connection attempts 
from the same address, and then blocking that >> address through pf (I'm not yet sure whether I want to do it temporarily >> or permanently). > Matt Dillon wrote an app in C to do just that, with ipfw. > http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html > Scott Ullrich modified it to work with pf. > http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c I have made security/bruteforceblocker It's a perl script that works with opensshd's logs and pf > -Chris -- sincerely... DanGer, ICQ: 261701668 | e-mail protecting at: http://www.2pu.net/ http://danger.rulez.sk | proxy list at: http://www.proxy-web.com/ | FreeBSD - The Power to Serve! From owner-freebsd-isp@FreeBSD.ORG Mon Jul 25 16:27:46 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1253E16A41F for ; Mon, 25 Jul 2005 16:27:46 +0000 (GMT) (envelope-from andpet@telia.com) Received: from pne-smtpout2-sn1.fre.skanova.net (pne-smtpout2-sn1.fre.skanova.net [81.228.11.159]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FC9D43D45 for ; Mon, 25 Jul 2005 16:27:45 +0000 (GMT) (envelope-from andpet@telia.com) Received: from [192.168.2.2] (81.233.247.164) by pne-smtpout2-sn1.fre.skanova.net (7.2.060.1) id 42B937170053F839 for freebsd-isp@freebsd.org; Mon, 25 Jul 2005 18:27:44 +0200 Message-ID: <42E51310.60102@telia.com> Date: Mon, 25 Jul 2005 18:28:00 +0200 From: Andreas Pettersson User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-isp@freebsd.org References: <42DEAE1F.8000702@novusordo.net> <77588585.20050725010451@rulez.sk> In-Reply-To: <77588585.20050725010451@rulez.sk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: ssh brute force X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: 
Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2005 16:27:46 -0000 Daniel Gerzo wrote: >Hello Chris, > >Thursday, July 21, 2005, 2:43:08 AM, si tukal: > > > >>On 7/20/05, Chris Jones wrote: >> >> >>>I'm looking at having a script look at SSH's log output for repeated >>>failed connection attempts from the same address, and then blocking that >>>address through pf (I'm not yet sure whether I want to do it temporarily >>>or permanently). >>> >>> >>Matt Dillon wrote an app in C to do just that, with ipfw. >>http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html >> >> >>Scott Ullrich modified it to work with pf. >>http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c >> >> > >I have made security/bruteforceblocker >It's a perl script that works with opensshd's logs and pf > > And here is another one, similar to Daniel's, but this one uses ipfw instead, AND another neat thing is that a block isn't permanent. There's a janitor cleaning up ipfw rules after a specified time. http://anp.ath.cx/sshit/ I made it the other day, so I haven't had time to hardcore test it. 
Let me know if it's not working, or if it is ;-) /Andreas From owner-freebsd-isp@FreeBSD.ORG Mon Jul 25 20:06:31 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2CBD916A41F for ; Mon, 25 Jul 2005 20:06:31 +0000 (GMT) (envelope-from freebsd-isp@chef-ingenieur.de) Received: from mta.webmatic.de (mta.webmatic.de [212.78.99.126]) by mx1.FreeBSD.org (Postfix) with ESMTP id 514D343D46 for ; Mon, 25 Jul 2005 20:06:29 +0000 (GMT) (envelope-from freebsd-isp@chef-ingenieur.de) Received: (qmail 45841 invoked by uid 1003); 25 Jul 2005 20:06:24 -0000 Received: from freebsd-isp@chef-ingenieur.de by mta.webmatic.de by uid 89 with qmail-scanner-1.22 (spamassassin: 2.63. Clear:RC:1(217.186.8.102):. Processed in 0.057281 secs); 25 Jul 2005 20:06:24 -0000 Received: from unknown (HELO ?172.21.1.12?) (freebsd-stable@chef-ingenieur.de@217.186.8.102) by mta.webmatic.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 25 Jul 2005 20:06:24 -0000 Message-ID: <42E54654.1090705@chef-ingenieur.de> Date: Mon, 25 Jul 2005 22:06:44 +0200 From: Thomas Krause User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: de-DE, de, en-us, en MIME-Version: 1.0 To: freebsd-isp@freebsd.org Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Subject: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2005 20:06:31 -0000 Hello, is it possible to bar a user (www) from starting a process? I've a irc daemon running under the uid www. I think this was done by php. What would be the best way to prevent this (php should be remain usable)? 
I've installed ipfw rules, but this doesn't prevent the starting of the process. Kind regards, Thomas. From owner-freebsd-isp@FreeBSD.ORG Mon Jul 25 20:22:13 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6507816A41F for ; Mon, 25 Jul 2005 20:22:13 +0000 (GMT) (envelope-from anderson@centtech.com) Received: from mh1.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id CBC2743D49 for ; Mon, 25 Jul 2005 20:22:12 +0000 (GMT) (envelope-from anderson@centtech.com) Received: from [10.177.171.220] (neutrino.centtech.com [10.177.171.220]) by mh1.centtech.com (8.13.1/8.13.1) with ESMTP id j6PKM0Yd099981; Mon, 25 Jul 2005 15:22:02 -0500 (CDT) (envelope-from anderson@centtech.com) Message-ID: <42E549E7.4070606@centtech.com> Date: Mon, 25 Jul 2005 15:21:59 -0500 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050603 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Thomas Krause References: <42E54654.1090705@chef-ingenieur.de> In-Reply-To: <42E54654.1090705@chef-ingenieur.de> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.82/991/Mon Jul 25 03:55:11 2005 on mh1.centtech.com X-Virus-Status: Clean Cc: freebsd-isp@freebsd.org Subject: Re: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2005 20:22:13 -0000 Thomas Krause wrote: > Hello, > is it possible to bar a user (www) from starting a process? > I've a irc daemon running under the uid www. I think > this was done by php. What would be the best way to prevent > this (php should be remain usable)? 
I've installed ipfw rules, > but this doesn't prevent the starting of the process. Change the permissions on the file to not allow world execution? chmod 750 /path/to/irc-daemon and make sure it isn't owner by www user, and the www user is not in the group that owns the daemon. Eric -- ------------------------------------------------------------------------ Eric Anderson Sr. Systems Administrator Centaur Technology A lost ounce of gold may be found, a lost moment of time never. ------------------------------------------------------------------------ From owner-freebsd-isp@FreeBSD.ORG Mon Jul 25 20:31:18 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1088D16A4D8 for ; Mon, 25 Jul 2005 20:31:17 +0000 (GMT) (envelope-from gbaratto@superb.net) Received: from master4.yvr1.superb.net (master4.yvr1.superb.net [209.82.78.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id 81FB143D45 for ; Mon, 25 Jul 2005 20:31:16 +0000 (GMT) (envelope-from gbaratto@superb.net) Received: from guinness (fw.yvr1.superb.net [209.82.78.2]) by master4.yvr1.superb.net (8.12.9/8.12.9) with SMTP id j6PKV60d016723; Mon, 25 Jul 2005 13:31:06 -0700 (PDT) Message-ID: <01b001c59157$806bae10$7201a8c0@guinness> From: "Gustavo A. 
Baratto" To: "Thomas Krause" , References: <42E54654.1090705@chef-ingenieur.de> Date: Mon, 25 Jul 2005 13:29:00 -0700 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-15"; reply-type=response Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Cc: Subject: Re: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2005 20:31:19 -0000 Use php safe_mode. This will prevent the execution of external commands from php. Depending on you what you mean by "usable", this may be a problem. Or make sure php doesnt allow uploads to /tmp or /var/tmp (disable FTP in PHP). This will prevent the ircs or any other scripts to be uploaded in the first place. ----- Original Message ----- From: "Thomas Krause" To: Sent: Monday, July 25, 2005 1:06 PM Subject: preventing a user to start a process > Hello, > is it possible to bar a user (www) from starting a process? > I've a irc daemon running under the uid www. I think > this was done by php. What would be the best way to prevent > this (php should be remain usable)? I've installed ipfw rules, > but this doesn't prevent the starting of the process. > > Kind regards, > Thomas. 
> _______________________________________________ > freebsd-isp@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" > From owner-freebsd-isp@FreeBSD.ORG Mon Jul 25 23:10:49 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBCDC16A41F for ; Mon, 25 Jul 2005 23:10:49 +0000 (GMT) (envelope-from freebsd-isp@chef-ingenieur.de) Received: from mta.webmatic.de (mta.webmatic.de [212.78.99.126]) by mx1.FreeBSD.org (Postfix) with ESMTP id 026D843D45 for ; Mon, 25 Jul 2005 23:10:48 +0000 (GMT) (envelope-from freebsd-isp@chef-ingenieur.de) Received: (qmail 58203 invoked by uid 1003); 25 Jul 2005 23:10:43 -0000 Received: from freebsd-isp@chef-ingenieur.de by mta.webmatic.de by uid 89 with qmail-scanner-1.22 (spamassassin: 2.63. Clear:RC:1(217.186.8.102):. Processed in 0.059439 secs); 25 Jul 2005 23:10:43 -0000 Received: from unknown (HELO ?172.21.1.12?) 
(freebsd-stable@chef-ingenieur.de@217.186.8.102) by mta.webmatic.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 25 Jul 2005 23:10:43 -0000 Message-ID: <42E57187.50503@chef-ingenieur.de> Date: Tue, 26 Jul 2005 01:11:03 +0200 From: Thomas Krause User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: de-DE, de, en-us, en MIME-Version: 1.0 To: Eric Anderson References: <42E54654.1090705@chef-ingenieur.de> <42E549E7.4070606@centtech.com> In-Reply-To: <42E549E7.4070606@centtech.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-isp@freebsd.org Subject: Re: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2005 23:10:50 -0000 Eric Anderson schrieb: > Thomas Krause wrote: > >> Hello, >> is it possible to bar a user (www) from starting a process? >> I've a irc daemon running under the uid www. I think >> this was done by php. What would be the best way to prevent >> this (php should be remain usable)? I've installed ipfw rules, >> but this doesn't prevent the starting of the process. > > > Change the permissions on the file to not allow world execution? > > chmod 750 /path/to/irc-daemon the daemon was - downloaded - extracted - started by user www in dir /var/tmp, which has permission 1777 Regards, Thomas. > > and make sure it isn't owner by www user, and the www user is not in the > group that owns the daemon. 
> > Eric > > > From owner-freebsd-isp@FreeBSD.ORG Mon Jul 25 23:13:48 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7AE4E16A41F for ; Mon, 25 Jul 2005 23:13:48 +0000 (GMT) (envelope-from volfman@keystreams.com) Received: from mailbox.keystreams.com (mailbox.keystreams.com [207.158.28.37]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0A97E43D46 for ; Mon, 25 Jul 2005 23:13:47 +0000 (GMT) (envelope-from volfman@keystreams.com) Received: (qmail 91296 invoked by uid 1012); 25 Jul 2005 16:10:29 -0700 Received: from 10.8.0.6 by mail.keystreams.com (envelope-from , uid 1009) with qmail-scanner-1.25-st-qms (ClamAV 0.86.1. spamassassin: 3.0.4. perlscan: 1.25-st-qms. Clear:RC:1(10.8.0.6):. Processed in 0.050223 secs); 25 Jul 2005 23:10:29 -0000 X-Antivirus-Keystreams-Mail-From: volfman@keystreams.com via mail.keystreams.com X-Antivirus-Keystreams: 1.25-st-qms (Clear:RC:1(10.8.0.6):. Processed in 0.050223 secs Process 91290) Received: from unknown (HELO ?10.8.0.6?) 
(volfman@keystreams.com@10.8.0.6) by mailbox.keystreams.com with AES256-SHA encrypted SMTP; 25 Jul 2005 16:10:29 -0700 Message-ID: <42E57228.6010506@keystreams.com> Date: Mon, 25 Jul 2005 16:13:44 -0700 From: Roman Volf User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Thomas Krause , freebsd-isp@freebsd.org References: <42E54654.1090705@chef-ingenieur.de> <42E549E7.4070606@centtech.com> <42E57187.50503@chef-ingenieur.de> In-Reply-To: <42E57187.50503@chef-ingenieur.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2005 23:13:48 -0000 Thomas Krause wrote: > > the daemon was > - downloaded > - extracted > - started > > by user www in dir /var/tmp, which has permission 1777 > > Regards, > Thomas. > remount /tmp with nosuid,noexec flags. rm -rf /var/tmp ln -s /tmp /var/tmp This will prevent a program from being executed from /tmp. However, if they upload a perl script they can still execute perl /tmp/script. 
-- Roman Volf Keystreams Internet Solutions volfman@keystreams.com From owner-freebsd-isp@FreeBSD.ORG Mon Jul 25 23:26:14 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 128ED16A41F for ; Mon, 25 Jul 2005 23:26:14 +0000 (GMT) (envelope-from freebsd-isp@chef-ingenieur.de) Received: from mta.webmatic.de (mta.webmatic.de [212.78.99.126]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F47E43D48 for ; Mon, 25 Jul 2005 23:26:12 +0000 (GMT) (envelope-from freebsd-isp@chef-ingenieur.de) Received: (qmail 15003 invoked by uid 1003); 25 Jul 2005 23:26:07 -0000 Received: from freebsd-isp@chef-ingenieur.de by mta.webmatic.de by uid 89 with qmail-scanner-1.22 (spamassassin: 2.63. Clear:RC:1(217.186.8.102):. Processed in 0.050688 secs); 25 Jul 2005 23:26:07 -0000 Received: from unknown (HELO ?172.21.1.12?) (freebsd-stable@chef-ingenieur.de@217.186.8.102) by mta.webmatic.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 25 Jul 2005 23:26:07 -0000 Message-ID: <42E57524.3030200@chef-ingenieur.de> Date: Tue, 26 Jul 2005 01:26:28 +0200 From: Thomas Krause User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: de-DE, de, en-us, en MIME-Version: 1.0 To: "Gustavo A. Baratto" References: <42E54654.1090705@chef-ingenieur.de> <01b001c59157$806bae10$7201a8c0@guinness> In-Reply-To: <01b001c59157$806bae10$7201a8c0@guinness> Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-isp@freebsd.org Subject: Re: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jul 2005 23:26:14 -0000 Hi, Gustavo A. Baratto schrieb: > Use php safe_mode. 
This will prevent the execution of external commands > from php. Depending on you what you mean by "usable", this may be a > problem. I think, that is not usable on a running system - too much sites will not work. > > Or make sure php doesnt allow uploads to /tmp or /var/tmp (disable FTP > in PHP). This will prevent the ircs or any other scripts to be uploaded > in the first place. that's not the solution. The probleme is the possibility to execute commands via shell. With that, every user with access to the php files is able to do a - find / -type d -perm 1777 - mkdir /tmp/foo - fetch ... - tar xzf - run daemon (I found this on my webserver) I've searched all php-files for the system()-funktion - it's not possible for me do disable this function. Any ideas? Regards, Thomas. > > > ----- Original Message ----- From: "Thomas Krause" > > To: > Sent: Monday, July 25, 2005 1:06 PM > Subject: preventing a user to start a process > > >> Hello, >> is it possible to bar a user (www) from starting a process? >> I've a irc daemon running under the uid www. I think >> this was done by php. What would be the best way to prevent >> this (php should be remain usable)? I've installed ipfw rules, >> but this doesn't prevent the starting of the process. >> >> Kind regards, >> Thomas. 
>> _______________________________________________ >> freebsd-isp@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-isp >> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" >> > From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 03:53:53 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDF7616A41F for ; Tue, 26 Jul 2005 03:53:53 +0000 (GMT) (envelope-from david@fundamentalit.com) Received: from mail.fundamentalit.com (mail.fundamentalit.com [202.160.128.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id 643F943D48 for ; Tue, 26 Jul 2005 03:53:53 +0000 (GMT) (envelope-from david@fundamentalit.com) Received: from [202.161.18.146] (helo=dev) by mail.fundamentalit.com with esmtpa (Exim 4.50) id 1DxGVp-0001sw-Er; Tue, 26 Jul 2005 13:53:49 +1000 From: "David Hogan" To: "'Thomas Krause'" , "'Gustavo A. Baratto'" Date: Tue, 26 Jul 2005 13:54:00 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527 thread-index: AcWRcEpe1iMCJQMtQwqc3tVwryPBgQAJLPlQ In-Reply-To: <42E57524.3030200@chef-ingenieur.de> Message-Id: <20050726035353.643F943D48@mx1.FreeBSD.org> Cc: freebsd-isp@freebsd.org Subject: RE: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jul 2005 03:53:53 -0000 > -----Original Message----- > From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org] > On Behalf Of Thomas Krause > I've searched all php-files for the system()-funktion - it's not > possible for me do disable this function. 
Can't you just use the 'disable_functions =' option in php.ini to disable the php functions that can be used to spawn processes ? You could use it to disable at least the following functions: system() exec() passthru() popen() pcntl_exec() shell_exec() Hope this helps, Dave ---- David Hogan Hosting & Development Manager Fundamental IT - 1300 882 395 http://www.fundamentalit.com From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 05:11:44 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9454016A41F for ; Tue, 26 Jul 2005 05:11:44 +0000 (GMT) (envelope-from nospam@mgedv.net) Received: from mgedv.at (www.mgedv.at [195.3.87.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3A82C43D45 for ; Tue, 26 Jul 2005 05:11:43 +0000 (GMT) (envelope-from nospam@mgedv.net) Received: from metis (localhost [127.0.0.1]) by mgedv.at (SMTPServer) with ESMTP id 724D5186800 for ; Tue, 26 Jul 2005 07:11:41 +0200 (MEST) From: "mdff" To: Date: Tue, 26 Jul 2005 07:11:45 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 In-Reply-To: <42E54654.1090705@chef-ingenieur.de> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527 thread-index: AcWRVF37+V3rMGCwSJmYqAJmStEb2QATB0rQ Message-Id: <20050726051141.724D5186800@mgedv.at> Subject: RE: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: nospam@mgedv.net List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jul 2005 05:11:44 -0000 > > Hello, > is it possible to bar a user (www) from starting a process? > I've a irc daemon running under the uid www. I think > this was done by php. 
What would be the best way to prevent > this (php should be remain usable)? I've installed ipfw rules, > but this doesn't prevent the starting of the process. > jail the whole stuff and put only commands in there, that are required. also, remove write permissions almost everywhere, except where they are absolutely needed. mount a mfs for example with noexec to allow the webserver saving temp-files w/o executing stuff from there. and use php-safe-mode as mentioned before ;-) br From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 05:52:16 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D1E116A41F for ; Tue, 26 Jul 2005 05:52:16 +0000 (GMT) (envelope-from andrew@scoop.co.nz) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [202.50.109.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id D812343D45 for ; Tue, 26 Jul 2005 05:52:15 +0000 (GMT) (envelope-from andrew@scoop.co.nz) Received: from a2.scoop.co.nz (localhost [127.0.0.1]) by a2.scoop.co.nz (8.13.3/8.13.1) with ESMTP id j6Q5qEqO036350; Tue, 26 Jul 2005 17:52:14 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Received: from localhost (andrew@localhost) by a2.scoop.co.nz (8.13.3/8.13.1/Submit) with ESMTP id j6Q5qEa5036347; Tue, 26 Jul 2005 17:52:14 +1200 (NZST) (envelope-from andrew@scoop.co.nz) X-Authentication-Warning: a2.scoop.co.nz: andrew owned process doing -bs Date: Tue, 26 Jul 2005 17:52:14 +1200 (NZST) From: Andrew McNaughton To: Andreas Pettersson In-Reply-To: <42E51310.60102@telia.com> Message-ID: <20050726174743.S5699@a2.scoop.co.nz> References: <42DEAE1F.8000702@novusordo.net> <77588585.20050725010451@rulez.sk> <42E51310.60102@telia.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 (a2.scoop.co.nz [127.0.0.1]); Tue, 26 Jul 2005 17:52:14 +1200 (NZST) 
X-Virus-Scanned: ClamAV 0.86.1/992/Tue Jul 26 09:48:49 2005 on a2.scoop.co.nz X-Virus-Status: Clean Cc: freebsd-isp@freebsd.org Subject: Re: ssh brute force X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jul 2005 05:52:16 -0000 On Mon, 25 Jul 2005, Andreas Pettersson wrote: > Daniel Gerzo wrote: > > And here is another one, similar to Daniel's, but this one uses ipfw instead, > AND another neat thing is that a block isn't permanent. There's a janitor > cleaning up ipfw rules after a specified time. > > http://anp.ath.cx/sshit/ > > I made it the other day, so I haven't had time to hardcore test it. > Let me know if it's not working, or if it is ;-) > Rather than having a whole bunch of processes running doing this sort of thing, at least some of which are important enough to need monitoring themselves (eg in my case pop based smtp authentication), it would be nice to have a single process monitoring log activity, with some sort of plugin system for adding various functionality for monitoring different things and taking various actions. Anyone know of such a beast? Perl preferred. 
Andrew McNaughton From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 08:32:38 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 79D9F16A41F for ; Tue, 26 Jul 2005 08:32:38 +0000 (GMT) (envelope-from simond@irrelevant.org) Received: from home.irrelevant.org (dsl82-163-99-113.as15444.net [82.163.99.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id F35AF43D46 for ; Tue, 26 Jul 2005 08:32:37 +0000 (GMT) (envelope-from simond@irrelevant.org) Received: from [83.244.151.172] (helo=localhost.localdomain) by home.irrelevant.org with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.51 (FreeBSD)) id 1DxKrO-000IMg-ON; Tue, 26 Jul 2005 09:32:32 +0100 From: Simon Dick To: Andrew McNaughton In-Reply-To: <20050726174743.S5699@a2.scoop.co.nz> References: <42DEAE1F.8000702@novusordo.net> <77588585.20050725010451@rulez.sk> <42E51310.60102@telia.com> <20050726174743.S5699@a2.scoop.co.nz> Content-Type: text/plain Date: Tue, 26 Jul 2005 09:33:27 +0100 Message-Id: <1122366807.93136.12.camel@laptop.lcn.com> Mime-Version: 1.0 X-Mailer: Evolution 2.2.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit X-Spam-Score: -2.8 (--) X-Spam-Report: Content analysis details: (-2.8 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -2.8 ALL_TRUSTED Did not pass through any untrusted hosts Cc: freebsd-isp@freebsd.org, Andreas Pettersson Subject: Re: ssh brute force X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jul 2005 08:32:38 -0000 On Tue, 2005-07-26 at 17:52 +1200, Andrew McNaughton wrote: > On Mon, 25 Jul 2005, Andreas Pettersson wrote: > > > Daniel Gerzo wrote: > > > > And here is another one, similar to 
Daniel's, but this one uses ipfw instead, > > AND another neat thing is that a block isn't permanent. There's a janitor > > cleaning up ipfw rules after a specified time. > > > > http://anp.ath.cx/sshit/ > > > > I made it the other day, so I haven't had time to hardcore test it. > > Let me know if it's not working, or if it is ;-) > > > > Rather than having a whole bunch of processes running doing this sort of > thing, at least some of which are important enough to need monitoring > themselves (eg in my case pop based smtp authentication), it would be nice > to have a single process monitoring log activity, with some sort of plugin > system for adding various functionality for monitoring different things > and taking various actions. > > Anyone know of such a beast? Perl preferred. security/swatch perhaps? -- Simon Dick From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 14:12:16 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E6FC16A41F for ; Tue, 26 Jul 2005 14:12:16 +0000 (GMT) (envelope-from bv@bilver.wjv.com) Received: from wjv.com (fl-65-40-24-38.sta.sprint-hsd.net [65.40.24.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 92A1443D49 for ; Tue, 26 Jul 2005 14:12:15 +0000 (GMT) (envelope-from bv@bilver.wjv.com) Received: from bilver.wjv.com (localhost.wjv.com [127.0.0.1]) by wjv.com (8.12.11/8.13.1) with ESMTP id j6QEBpq9014645; Tue, 26 Jul 2005 10:11:52 -0400 (EDT) (envelope-from bv@bilver.wjv.com) Received: (from bv@localhost) by bilver.wjv.com (8.12.11/8.13.1/Submit) id j6QEBn6x014644; Tue, 26 Jul 2005 10:11:49 -0400 (EDT) (envelope-from bv) Date: Tue, 26 Jul 2005 10:11:49 -0400 From: Bill Vermillion To: Eric Anderson Message-ID: <20050726141149.GC14374@wjv.com> References: <42E54654.1090705@chef-ingenieur.de> <42E549E7.4070606@centtech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii 
In-Reply-To: <42E549E7.4070606@centtech.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: preventing a user to start a process

-segmentation fault-
press any key to reboot
Damn damn damn Eric Anderson said, after restarting his PC and mailer on Mon, Jul 25, 2005 at 15:21 .

> Thomas Krause wrote:
> > Hello,
> > is it possible to bar a user (www) from starting a process?
> > I've an irc daemon running under the uid www. I think
> > this was done by php. What would be the best way to prevent
> > this (php should remain usable)? I've installed ipfw rules,
> > but this doesn't prevent the starting of the process.

> Change the permissions on the file to not allow world execution?

> chmod 750 /path/to/irc-daemon

> and make sure it isn't owned by the www user, and the www user is not in the
> group that owns the daemon.

Well that would mean that anyone else who might need to execute
that file can only do so if they 1) own it or 2) are in the group.

To get around this, change the modes of the program in a way that is
non-intuitive.

Change the group of that daemon to www and then change the mode
to 705. Since this evaluates left to right it will fail at www
while all others will be able to use the file. This seems to be
overlooked by many who think that 'world' means everyone, while
it means everyone who doesn't match in owner or group.

Bill

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 14:17:31 2005
From: Eric Anderson
To: bv@wjv.com
Cc: freebsd-isp@freebsd.org
Date: Tue, 26 Jul 2005 09:17:17 -0500
Message-ID: <42E645ED.8050408@centtech.com>
In-Reply-To: <20050726141149.GC14374@wjv.com>
Subject: Re: preventing a user to start a process

Bill Vermillion wrote:
> -segmentation fault-
> press any key to reboot
> Damn damn damn Eric Anderson said, after restarting his
> PC and mailer on Mon, Jul 25, 2005 at 15:21 .
>
> > Thomas Krause wrote:
> >
> > > Hello,
> > > is it possible to bar a user (www) from starting a process?
> > > I've an irc daemon running under the uid www. I think
> > > this was done by php.
> > > What would be the best way to prevent
> > > this (php should remain usable)? I've installed ipfw rules,
> > > but this doesn't prevent the starting of the process.
>
> > Change the permissions on the file to not allow world execution?
>
> > chmod 750 /path/to/irc-daemon
>
> > and make sure it isn't owned by the www user, and the www user is not in the
> > group that owns the daemon.
>
> Well that would mean that anyone else who might need to execute
> that file can only do so if they 1) own it or 2) are in the group.
>
> To get around this, change the modes of the program in a way that is
> non-intuitive.
>
> Change the group of that daemon to www and then change the mode
> to 705. Since this evaluates left to right it will fail at www
> while all others will be able to use the file. This seems to be
> overlooked by many who think that 'world' means everyone, while
> it means everyone who doesn't match in owner or group.

Ahh, great idea.. Unfortunately, his problem was worse than our solutions :(

Eric

--
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
A lost ounce of gold may be found, a lost moment of time never.
------------------------------------------------------------------------
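Added illustration of the rule Bill describes (this is not code from any message in the thread): a Python emulation of how the kernel picks exactly one permission class for execute access, owner bits if the caller owns the file, otherwise group bits if the caller is in the file's group, otherwise other bits, with no fall-through. The accounts in USERS are constructed; FreeBSD's www user and group (uid/gid 80) are assumed.

```python
"""Emulate POSIX permission-class selection for the execute bit.

The point of the 705 trick: a file owned by root, group www, mode 705 is
executable by everybody EXCEPT members of group www, because a caller in
the file's group is judged by the group bits only and never gets to look
at the 'other' bits.
"""
import stat

# Constructed accounts: name -> (uid, primary gid, all gids the user holds).
USERS = {
    "root":  (0, 0, {0}),                 # root bypasses the class check
    "www":   (80, 80, {80}),              # FreeBSD's web server user, assumed uid/gid 80
    "alice": (1001, 1001, {1001}),        # an ordinary user
    "bob":   (1002, 1002, {1002, 80}),    # ordinary user who is ALSO in group www
}


def permission_class(file_uid, file_gid, uid, gids):
    """Return which of 'owner', 'group', 'other' the kernel consults."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:          # primary or supplementary group match
        return "group"
    return "other"


def may_execute(mode, file_uid, file_gid, uid, gids):
    """Execute decision for a regular file with permission bits `mode`.

    Root passes as long as any x bit is set at all (what execve() does);
    everyone else is judged by exactly one class, chosen left to right.
    """
    if uid == 0:
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    cls = permission_class(file_uid, file_gid, uid, gids)
    bit = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}[cls]
    return bool(mode & bit)


def who_can_execute(mode, file_uid, file_gid, users=USERS):
    """Sorted names of the users in `users` allowed to execute the file."""
    return sorted(name for name, (uid, _gid, gids) in users.items()
                  if may_execute(mode, file_uid, file_gid, uid, gids))


if __name__ == "__main__":
    # Eric's scheme: root:wheel, mode 750 -> only root (and wheel members) run it.
    print("750 root:wheel ->", who_can_execute(0o750, 0, 0))
    # Bill's scheme: root:www, mode 705 -> everyone except group www; note that
    # bob, merely a member of group www, is locked out as well.
    print("705 root:www   ->", who_can_execute(0o705, 0, 80))
```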
From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 16:48:55 2005
From: Thomas Krause
To: David Hogan
Cc: freebsd-isp@freebsd.org, "'Gustavo A. Baratto'"
Date: Tue, 26 Jul 2005 18:49:10 +0200
Message-ID: <42E66986.4080004@chef-ingenieur.de>
Subject: Re: preventing a user to start a process

David Hogan wrote:
> > -----Original Message-----
> > From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org]
> > On Behalf Of Thomas Krause
>
> > I've searched all php files for the system() function - it's not
> > possible for me to disable this function.
>
> Can't you just use the 'disable_functions =' option in php.ini to disable
> the php functions that can be used to spawn processes ?
>
> You could use it to disable at least the following functions:
>
> system()
> exec()
> passthru()
> popen()
> pcntl_exec()
> shell_exec()

Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so I need system().

Regards,
Thomas.

From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 17:01:05 2005
In-Reply-To: <42E66986.4080004@chef-ingenieur.de>
Message-Id: <6B57C9BC-0815-4854-996A-F6AD3765DFEB@oxeo.com>
From: Adam Jacob Muller
To: Thomas Krause
Cc: freebsd-isp@freebsd.org, David Hogan, "'Gustavo A. Baratto'"
Date: Tue, 26 Jul 2005 12:59:20 -0400
Subject: Re: preventing a user to start a process

Pretty much the only "secure" option is to either
A. run in a chroot jail
B. run with any writable directories mounted noexec
or if you're really paranoid, do both

Adam

On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
>
> David Hogan wrote:
>
> > > -----Original Message-----
> > > From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org]
> > > On Behalf Of Thomas Krause
> >
> > > I've searched all php files for the system() function - it's not
> > > possible for me to disable this function.
> >
> > Can't you just use the 'disable_functions =' option in php.ini to
> > disable
> > the php functions that can be used to spawn processes ?
> > You could use it to disable at least the following functions:
> > system()
> > exec()
> > passthru()
> > popen()
> > pcntl_exec()
> > shell_exec()
>
> Unfortunately, that is not possible. E.g. typo3 calls Imagemagick,
> so I need system().
>
> Regards,
> Thomas.
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 17:34:58 2005
From: "Gustavo A. Baratto"
Date: Tue, 26 Jul 2005 10:32:50 -0700
Message-ID: <008901c59208$0f05d000$7201a8c0@guinness>
References: <42E66986.4080004@chef-ingenieur.de> <6B57C9BC-0815-4854-996A-F6AD3765DFEB@oxeo.com>
Subject: Re: preventing a user to start a process

Although jailing is a good thing, I don't think it will prevent unwanted
processes from being spawned, if php allows it.
And having writable directories mounted noexec doesn't help much either,
because one can just run:
/usr/bin/sh /path/to/writable/dir/script.sh

Since most of the time script kiddies use /tmp or /var/tmp (which are
usually noexec) to upload their scripts, the sh or perl binaries are
located in file systems that allow execution.

So, you can either tell php not to spawn processes (safe_mode or
disable_functions), or have all file systems in contact with php
mounted noexec (not just the writable directories). This will probably
make your life hell. Or even disallow any kind of uploads in php (which
is not very effective against code execution, as a bug in your code
could allow execution like the phpBB exploit a while ago).

If you cannot do any of these because you require the functionality, you
can write a cron'ed script that checks for processes owned by www that
are running for a certain period of time and are not apache. You can
either kill these processes or e-mail yourself, and then you take an
action.

Cheers

----- Original Message -----
From: "Adam Jacob Muller"
To: "Thomas Krause"
Cc: "David Hogan" ; ; "'Gustavo A. Baratto'"
Sent: Tuesday, July 26, 2005 9:59 AM
Subject: Re: preventing a user to start a process

> Pretty much the only "secure" option is to either
> A. run in a chroot jail
> B. run with any writable directories mounted noexec
> or if you're really paranoid, do both
>
> Adam
>
> On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
>
> > David Hogan wrote:
> >
> > > > -----Original Message-----
> > > > From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org]
> > > > On Behalf Of Thomas Krause
> > >
> > > > I've searched all php files for the system() function - it's not
> > > > possible for me to disable this function.
> > >
> > > Can't you just use the 'disable_functions =' option in php.ini to
> > > disable
> > > the php functions that can be used to spawn processes ?
> > > You could use it to disable at least the following functions:
> > > system()
> > > exec()
> > > passthru()
> > > popen()
> > > pcntl_exec()
> > > shell_exec()
> >
> > Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so I
> > need system().
> >
> > Regards,
> > Thomas.

From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 20:44:40 2005
From: Thomas Krause
To: freebsd-isp@freebsd.org
Date: Tue, 26 Jul 2005 22:44:34 +0200
Message-ID: <42E6A0B2.1030308@chef-ingenieur.de>
In-Reply-To: <008901c59208$0f05d000$7201a8c0@guinness>
Subject: Re: preventing a user to start a process

Gustavo A. Baratto wrote:
> Although jailing is a good thing, I don't think it will prevent unwanted
> processes from being spawned, if php allows it. And having writable
> directories mounted noexec doesn't help much either, because one can
> just run:
> /usr/bin/sh /path/to/writable/dir/script.sh
>
> Since most of the time script kiddies use /tmp or /var/tmp (which are
> usually noexec) to upload their scripts, the sh or perl binaries are
> located in file systems that allow execution.
>
> So, you can either tell php not to spawn processes (safe_mode or
> disable_functions), or have all file systems in contact with php
> mounted noexec (not just the writable directories). This will probably
> make your life hell. Or even disallow any kind of uploads in php (which
> is not very effective against code execution, as a bug in your code
> could allow execution like the phpBB exploit a while ago).
>
> If you cannot do any of these because you require the functionality, you
> can write a cron'ed script that checks for processes owned by www that
> are running for a certain period of time and are not apache. You can
> either kill these processes or e-mail yourself, and then you take an
> action.

I think I should do so. But how to identify the process? The ircd
was renamed to "sh", to make it harder to find in the process list.
It should be possible with the PGID (from /var/run/httpd.pid) and
the UID. Does anyone know a usable (or recyclable) script for that
job?

Regards,
Thomas.

>
> Cheers
>
> ----- Original Message -----
> From: "Adam Jacob Muller"
> To: "Thomas Krause"
> Cc: "David Hogan" ; ; "'Gustavo A. Baratto'"
> Sent: Tuesday, July 26, 2005 9:59 AM
> Subject: Re: preventing a user to start a process
>
> > Pretty much the only "secure" option is to either
> > A. run in a chroot jail
> > B. run with any writable directories mounted noexec
> > or if you're really paranoid, do both
> >
> > Adam
> >
> > On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
> >
> > > David Hogan wrote:
> > >
> > > > > -----Original Message-----
> > > > > From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org]
> > > > > On Behalf Of Thomas Krause
> > > >
> > > > > I've searched all php files for the system() function - it's not
> > > > > possible for me to disable this function.
> > > >
> > > > Can't you just use the 'disable_functions =' option in php.ini to
> > > > disable
> > > > the php functions that can be used to spawn processes ?
> > > > You could use it to disable at least the following functions:
> > > > system()
> > > > exec()
> > > > passthru()
> > > > popen()
> > > > pcntl_exec()
> > > > shell_exec()
> > >
> > > Unfortunately, that is not possible. E.g. typo3 calls Imagemagick,
> > > so I need system().
> > >
> > > Regards,
> > > Thomas.
From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 22:04:22 2005
From: "Gustavo A. Baratto"
To: "Thomas Krause"
Date: Tue, 26 Jul 2005 15:02:07 -0700
Message-ID: <018901c5922d$ad881f10$7201a8c0@guinness>
In-Reply-To: <42E6A0B2.1030308@chef-ingenieur.de>
Subject: Re: preventing a user to start a process

ps aux | grep www | grep -v /usr/local/bin/httpd

The above returns all processes that user www is running, that are not
apache itself.

You can use some perl to split the lines to find out how long the
processes have been running based on the STARTED column of the command
above. If I had such code ready, I'd just send it to you, but unfortunately
I don't.

Cheers.

----- Original Message -----
From: "Thomas Krause"
Sent: Tuesday, July 26, 2005 1:44 PM
Subject: Re: preventing a user to start a process

>
> Gustavo A. Baratto wrote:
> > Although jailing is a good thing, I don't think it will prevent unwanted
> > processes from being spawned, if php allows it. And having writable
> > directories mounted noexec doesn't help much either, because one can just
> > run:
> > /usr/bin/sh /path/to/writable/dir/script.sh
> >
> > Since most of the time script kiddies use /tmp or /var/tmp (which are
> > usually noexec) to upload their scripts, the sh or perl binaries are
> > located in file systems that allow execution.
> >
> > So, you can either tell php not to spawn processes (safe_mode or
> > disable_functions), or have all file systems in contact with php
> > mounted noexec (not just the writable directories). This will probably
> > make your life hell. Or even disallow any kind of uploads in php (which
> > is not very effective against code execution, as a bug in your code could
> > allow execution like the phpBB exploit a while ago).
> >
> > If you cannot do any of these because you require the functionality, you
> > can write a cron'ed script that checks for processes owned by www that
> > are running for a certain period of time and are not apache. You can
> > either kill these processes or e-mail yourself, and then you take an
> > action.
>
> I think I should do so. But how to identify the process? The ircd
> was renamed to "sh", to make it harder to find in the process list.
> It should be possible with the PGID (from /var/run/httpd.pid) and
> the UID. Does anyone know a usable (or recyclable) script for that
> job?
>
> Regards,
> Thomas.
>
> > Cheers
> >
> > ----- Original Message -----
> > From: "Adam Jacob Muller"
> > To: "Thomas Krause"
> > Cc: "David Hogan" ; ; "'Gustavo A. Baratto'"
> > Sent: Tuesday, July 26, 2005 9:59 AM
> > Subject: Re: preventing a user to start a process
> >
> > > Pretty much the only "secure" option is to either
> > > A. run in a chroot jail
> > > B. run with any writable directories mounted noexec
> > > or if you're really paranoid, do both
> > >
> > > Adam
> > >
> > > On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
> > >
> > > > David Hogan wrote:
> > > >
> > > > > > -----Original Message-----
> > > > > > From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org]
> > > > > > On Behalf Of Thomas Krause
> > > > >
> > > > > > I've searched all php files for the system() function - it's not
> > > > > > possible for me to disable this function.
> > > > >
> > > > > Can't you just use the 'disable_functions =' option in php.ini to
> > > > > disable
> > > > > the php functions that can be used to spawn processes ?
> > > > > You could use it to disable at least the following functions:
> > > > > system()
> > > > > exec()
> > > > > passthru()
> > > > > popen()
> > > > > pcntl_exec()
> > > > > shell_exec()
> > > >
> > > > Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so
> > > > I need system().
> > > >
> > > > Regards,
> > > > Thomas.
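Added example, not code from Gustavo, Thomas or anyone else in this thread: a Python sketch of the cron'ed check they describe, combining Gustavo's rule (www-owned processes that are not httpd and have been running a while) with Thomas's (compare each process group against Apache's, taken from /var/run/httpd.pid). It assumes ps output in the shape of `ps -axo user,pid,pgid,etime,comm`; the sample below is constructed for the demonstration.

```python
"""Report long-running www-owned processes that are not Apache.

A daemon renamed to "sh" is not hidden by the rename: it still runs as
www, it has usually called setsid() and so left Apache's process group,
and it has been alive far longer than any ImageMagick helper PHP spawns.
"""
import os

# Constructed sample in the shape of `ps -axo user,pid,pgid,etime,comm`.
# Apache's parent (pid 812) leads process group 812.  The sh/convert pair
# (pids 1450/1451) is a legitimate short-lived system() call from PHP; the
# "sh" with pid 2217 is the renamed daemon, alive for over a day in its own
# process group.
SAMPLE_PS = """\
USER    PID  PGID    ELAPSED COMMAND
root    812   812 3-02:11:40 httpd
www     901   812 3-02:11:39 httpd
www     902   812 3-02:11:39 httpd
www    1450   812      00:03 sh
www    1451   812      00:03 convert
www    2217  2217 1-04:55:12 sh
www    2300  2300      45:10 perl
nobody 3100  3100   12:00:00 sh
"""


def parse_etime(text):
    """Convert a ps etime value ([[dd-]hh:]mm:ss) into seconds."""
    days = 0
    if "-" in text:
        day_part, text = text.split("-", 1)
        days = int(day_part)
    parts = [int(p) for p in text.split(":")]
    if not 2 <= len(parts) <= 3:
        raise ValueError("unexpected etime value: %r" % text)
    hours, minutes, seconds = [0] * (3 - len(parts)) + parts
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_ps(text):
    """Yield one dict per data row of the ps output (header row skipped)."""
    for line in text.strip().splitlines()[1:]:
        user, pid, pgid, etime, comm = line.split(None, 4)
        yield {"user": user, "pid": int(pid), "pgid": int(pgid),
               "elapsed": parse_etime(etime), "comm": comm}


def httpd_pgid(pidfile="/var/run/httpd.pid"):
    """Process group of the Apache parent, looked up from its pid file."""
    with open(pidfile) as fh:
        return os.getpgid(int(fh.read().strip()))


def find_strays(ps_text, httpd_pg, user="www", httpd_comm="httpd", min_seconds=600):
    """Return the processes of `user` that are not Apache and have run too long.

    A process counts as "not Apache" if its command name is not httpd OR it
    is outside Apache's process group.  It is reported only once it has been
    alive for at least `min_seconds`, so short helpers spawned by PHP
    (convert, sh -c ...) are ignored.  Whether to kill or just mail the
    result is left to the caller, as the thread suggests.
    """
    strays = []
    for proc in parse_ps(ps_text):
        if proc["user"] != user:
            continue
        not_apache = proc["comm"] != httpd_comm or proc["pgid"] != httpd_pg
        if not_apache and proc["elapsed"] >= min_seconds:
            strays.append(proc)
    return strays


if __name__ == "__main__":
    # From cron, feed the live `ps -axo user,pid,pgid,etime,comm` output and
    # httpd_pgid() instead of the constructed sample and the literal 812.
    for proc in find_strays(SAMPLE_PS, httpd_pg=812):
        print("pid %(pid)d pgid %(pgid)d %(comm)s alive %(elapsed)ds" % proc)
```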
From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 23:44:42 2005
From: Adam Jacob Muller
To: Gustavo A. Baratto
Cc: freebsd-isp@freebsd.org
Date: Tue, 26 Jul 2005 19:44:36 -0400
In-Reply-To: <018901c5922d$ad881f10$7201a8c0@guinness>
Subject: Re: preventing a user to start a process

Yes, I know this can be fixed. Just want to make sure you include this
in the final solution :-)

ps aux | grep nobody | awk '$11!="/usr/local/apache/bin/httpd"'

will probably work

Adam

On Jul 26, 2005, at 6:02 PM, Gustavo A. Baratto wrote:
> ps aux | grep www | grep -v /usr/local/bin/httpd
>
> The above returns all processes that user www is running, that are
> not apache itself.
>
> You can use some perl to split the lines to find out how long the
> processes have been running based on the STARTED column of the
> command above. If I had such code ready, I'd just send it to you, but
> unfortunately I don't.
>
> Cheers.
>
> ----- Original Message -----
> From: "Thomas Krause"
> Sent: Tuesday, July 26, 2005 1:44 PM
> Subject: Re: preventing a user to start a process
>
> >
> > Gustavo A. Baratto wrote:
> >
> > > Although jailing is a good thing, I don't think it will prevent
> > > unwanted processes from being spawned, if php allows it.
> > > And having
> > > writable directories mounted noexec doesn't help much either,
> > > because one can just run:
> > > /usr/bin/sh /path/to/writable/dir/script.sh
> > >
> > > Since most of the time script kiddies use /tmp or /var/tmp
> > > (which are usually noexec) to upload their scripts, the sh or
> > > perl binaries are located in file systems that allow execution.
> > >
> > > So, you can either tell php not to spawn processes (safe_mode or
> > > disable_functions), or have all file systems in contact with
> > > php mounted noexec (not just the writable directories). This will
> > > probably make your life hell. Or even disallow any kind of
> > > uploads in php (which is not very effective against code
> > > execution, as a bug in your code could allow execution like the phpBB
> > > exploit a while ago).
> > >
> > > If you cannot do any of these because you require the
> > > functionality, you can write a cron'ed script that checks for
> > > processes owned by www that are running for a certain period of
> > > time and are not apache. You can either kill these processes
> > > or e-mail yourself, and then you take an action.
> >
> > I think I should do so. But how to identify the process? The ircd
> > was renamed to "sh", to make it harder to find in the process list.
> > It should be possible with the PGID (from /var/run/httpd.pid) and
> > the UID. Does anyone know a usable (or recyclable) script for that
> > job?
> >
> > Regards,
> > Thomas.
> >
> > > Cheers
> > >
> > > ----- Original Message -----
> > > From: "Adam Jacob Muller"
> > > To: "Thomas Krause"
> > > Cc: "David Hogan" ; ; "'Gustavo A. Baratto'"
> > > Sent: Tuesday, July 26, 2005 9:59 AM
> > > Subject: Re: preventing a user to start a process
> > >
> > > > Pretty much the only "secure" option is to either
> > > > A. run in a chroot jail
> > > > B. run with any writable directories mounted noexec
> > > > or if you're really paranoid, do both
> > > >
> > > > Adam
> > > >
> > > > On Jul 26, 2005, at 12:49 PM, Thomas Krause wrote:
> > > >
> > > > > David Hogan wrote:
> > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org]
> > > > > > > On Behalf Of Thomas Krause
> > > > > >
> > > > > > > I've searched all php files for the system() function - it's not
> > > > > > > possible for me to disable this function.
> > > > > >
> > > > > > Can't you just use the 'disable_functions =' option in php.ini
> > > > > > to disable
> > > > > > the php functions that can be used to spawn processes ?
> > > > > > You could use it to disable at least the following functions:
> > > > > > system()
> > > > > > exec()
> > > > > > passthru()
> > > > > > popen()
> > > > > > pcntl_exec()
> > > > > > shell_exec()
> > > > >
> > > > > Unfortunately, that is not possible. E.g. typo3 calls
> > > > > Imagemagick, so I need system().
> > > > >
> > > > > Regards,
> > > > > Thomas.
From owner-freebsd-isp@FreeBSD.ORG Wed Jul 27 06:58:44 2005
From: "David Hogan"
To: "'Thomas Krause'"
Date: Wed, 27 Jul 2005 16:58:50 +1000
In-Reply-To: <42E66986.4080004@chef-ingenieur.de>
Message-Id: <20050727065843.8F30543D46@mx1.FreeBSD.org>
Cc: freebsd-isp@freebsd.org, "'Gustavo A. Baratto'"
Subject: RE: preventing a user to start a process

> Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so I
> need system().

Hmmm ... ok

are you aware you can override many php.ini settings on a per directory
basis or even per vhost basis (I think) ? If you didn't have too many
exceptions, you could deny system() globally, then allow it just for
trusted users or scripts.

Hope this is practical,
Dave

From owner-freebsd-isp@FreeBSD.ORG Wed Jul 27 14:01:56 2005
From: Todor Dragnev
To: "'Thomas Krause'"
Date: Wed, 27 Jul 2005 17:01:46 +0300
+0300 User-Agent: KMail/1.6.2 References: <20050727065843.8F30543D46@mx1.FreeBSD.org> In-Reply-To: <20050727065843.8F30543D46@mx1.FreeBSD.org> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200507271701.46118.todor.dragnev@gmail.com> X-Virus-Scanned: by the vKeeper at sistechnology.com Cc: freebsd-isp@freebsd.org Subject: Re: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: todor.dragnev@gmail.com List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Jul 2005 14:01:56 -0000 Before years I do a lot of testings with LIDS and grsecurity on linux. With these tools is possible to set rules what system commands or which files(by inodes) can be accessed from user or process (pid or name). I have no experience with freebsd, but maybe it is possible to solve problem in same way. On Wednesday 27 July 2005 09:58, David Hogan wrote: > > Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so I > > need system(). > > Hmmm ... ok > > are you aware you can override many php.ini settings on a per directory > basis or even per vhost basis (I think) ? If you didn't have too many > exceptions, you could deny system() globally, then allow it just for > trusted users or scripts. 
> > Hope this is practical, > Dave > > _______________________________________________ > freebsd-isp@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" From owner-freebsd-isp@FreeBSD.ORG Thu Jul 28 10:22:48 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C20616A41F for ; Thu, 28 Jul 2005 10:22:48 +0000 (GMT) (envelope-from nospam@mgedv.net) Received: from mgedv.at (www.mgedv.at [195.3.87.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id BDCDC43D4C for ; Thu, 28 Jul 2005 10:22:47 +0000 (GMT) (envelope-from nospam@mgedv.net) Received: from metis (localhost [127.0.0.1]) by mgedv.at (SMTPServer) with ESMTP id 80B27186800 for ; Thu, 28 Jul 2005 12:22:46 +0200 (MEST) From: "mdff" To: Date: Thu, 28 Jul 2005 12:22:46 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527 Thread-Index: AcWSIuDrNUlNP3QNQF+deNiPsvpjggBOB5vQ In-Reply-To: <42E6A0B2.1030308@chef-ingenieur.de> Message-Id: <20050728102246.80B27186800@mgedv.at> Subject: RE: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: nospam@mgedv.net List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2005 10:22:48 -0000 > > Although jailing is a good thing, I don't think it will > prevent unwanted > > processes to be spawned, if php allows it. 
And having writable > > directories mounted noexec doesn't help much either, > because one can > > just run: > > /usr/bin/sh /path/to/writable/dir/script.sh > > mount-man-page: noexec Do not allow execution of any binaries on the mounted file system. This option is useful for a server that has file systems containing binaries for architectures other than its own. tried this as root: # h_dir=/test; h_sh=/tmp/foo-test.sh # mkdir $h_dir # mdmfs -M -S -o noexec,async -s 16m md1 $h_dir && mount|grep $h_dir /dev/md1 on /test (ufs, asynchronous, local, noexec) # cp -p /bin/date $h_dir # echo "#!/bin/sh" >$h_sh # echo "\$SHELL -c $h_dir/date" >>$h_sh # $h_sh /test/date: Permission denied. so i believe this is not really dangerous (chrooted of course) but theres another issue, what if someone stores a malicious php-script that opens sockets? you don't really need to write C-deamons, if you can use php... there should be at least a firewall blocking outgoing packets from ports where no daemons are normally running. and restrictions on php's options and possibilities, too... 
From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 00:33:05 2005
From: root@datas.zapto.org (root)
To: freebsd-isp@freebsd.org
Date: Thu, 28 Jul 2005 21:00:17 -0300 (ART)
Subject: Atencion!!
Message-Id: <20050729000017.50E1111DB7A@datas.zapto.org>

DATAS COMPUTACIÓN - Cel.: 15-5748-9820 MASTERLINUX@CIUDAD.COM.AR
Everything for your company - DATAS offers you the best in Linux.

* Installation of GNU/Linux file & print servers
Installation of Linux servers as file and print servers: with GNU
solutions you can share your files and printers easily, saving fortunes
in proprietary software licenses, both on the server side and in client
access licenses. We install GNU/Linux servers from the most popular
distributions on the market:

* Web server
Apache is the most widely used web server in the world. About 65% of ISPs
use it to deliver solutions to their customers. In fact, Google has about
10,000 Linux servers running Apache, both version 1.3.xx and the modern
version 2.0. Put Apache to work on your intranet or on your corporate web
server, making the most of your resources.

* GNU/Linux firewall
TRIALWAREZ provides consulting on information security. Without doubt,
the firewall is one of the most important tools when it comes to
protecting ourselves against ever-increasing external attacks. Once we
connect our company to the Internet, we enter a hostile zone. Linux's
versatility means the firewalling solution it ships with can be deployed
in home networks, small LANs, or companies with hundreds of machines
alike. TRIALWAREZ implements and configures firewall solutions using both
GNU products such as iptables from kernel 2.4 onwards, and non-GNU
solutions included in Linux distributions such as SuSE, Mandrake, Red Hat,
etc.

* Proxy cache server
Installation of a Squid proxy cache server: do you want to share a single
Internet connection with your whole company? Do you want to optimize your
ADSL connection using an unused PC, with no additional license costs? Do
you need to store the most viewed pages to optimize bandwidth and speed up
browsing? Do you want control over the sites your employees visit, with a
username and password scheme that, besides filtering inappropriate
content, lets you pull all kinds of statistics per user, sites visited,
kbytes, etc.? Then don't hesitate any longer: you need to install a Squid
proxy cache server. We install a server with a cache of the size your
organization requires and, without paying licenses to anyone, you can
enjoy all those advantages now!

* Mail servers
Give your organization a corporate mail server with virus and spam
control, without having to spend fortunes on software or dedicate
monstrous machines to handle your messaging. GNU/Linux has numerous
solutions for handling corporate mail: Sendmail, qmail, Postfix, etc.

* Virtual private networks (VPNs)
The purpose of a VPN (Virtual Private Network) is to offer connectivity
services securely, using media that are not secure, such as the public
Internet. This is useful when the company has branch offices that need
data communications, using DSL technology for example. GNU/Linux can help
us in this field too, with open source tools.

* Network monitoring stations
Network monitoring is a service we implement, consisting of deploying a
set of tools and technologies that let you monitor both your LAN/WAN and
your Internet links, seeing the state of every device and triggering
graphical or audible alarms, or sending e-mail or pager messages when
problems occur, as well as scheduling automatic tasks to fix them. With
these resources you will have control of your network "within reach of
your mouse".

* Migrations to GNU/Linux
To make your move into the world of open source freedom as painless as
possible, we offer our experience in migrations from Windows(TM) to
GNU/Linux, from database servers to workstations with MS Office(TM)
environments. We draw up a migration plan and make the changes gradually
so that your company loses no productivity, users do not experience
resistance to change, and above all you save fortunes in exorbitant
software licensing costs. If you have licensing problems and want to
regularize the situation without losing productivity or astronomical
sums: call us. We will know how to advise you.

* FTP servers
The most efficient way to transfer large files across your LAN or to the
Internet is without doubt FTP. GNU/Linux offers us several alternatives
for this task. We configure a robust server for you so you can forget
about transfers that never arrive, or users who saturate the mail system
with gigantic files. Put the most popular file transfer method on the
Internet to work in your company.

* Special GNU/Linux implementations
Special installation jobs for particular applications. Migrations of
complete networks from the Windows(TM) environment to GNU/Linux, resulting
in more robust networks and saving your company fortunes in software
licenses. Workstation migrations, and installation of file servers, web
servers, print servers, databases, messaging, firewalls, DNS servers, FTP
servers, proxy servers, cache servers, log analyzers, etc.

Close the Windows, open the doors to GNU/Linux and be free!!!!
From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 03:18:32 2005
From: Keith Woodworth
To: freebsd-isp@freebsd.org
Date: Thu, 28 Jul 2005 20:19:19 -0700 (PDT)
Subject: Mounting BSD/OS 4.1 disk under FreeBSD 4.10
Message-ID: <20050728201237.Y98333@pop.citytel.net>

Had a BSD/OS 4.1 disk go flaky the other day. So, using this as my chance
to upgrade another one of our machines to FreeBSD, I installed FBSD on a
new drive, and there is some data I'd like to pull off the old BSD/OS
drive (it's BSD/OS 4.1).

BSD/OS drive is seen by FBSD as ad2, new drive is ad0.

I added some entries into /etc/fstab for ad2 in various combos and tried
to mount ad2 but I get:

ad2s2 slice starts beyond end of disk.
incorrect superblock.

I've tried ad2s1a, ad2s1, ad2a and pretty much get the same thing.

Wonder if it's possible? I could do this other ways but it involves
network restores, scp etc and I'm lazy and thought it would be quicker and
cleaner to just mount the old disk if possible.

Anyone know? Or wonder if BSD/OS can mount a FBSD disk?

Thanks,
Keith

From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 03:27:32 2005
From: Eric Anderson
To: Keith Woodworth
Cc: freebsd-isp@freebsd.org
Date: Thu, 28 Jul 2005 22:27:21 -0500
Subject: Re: Mounting BSD/OS 4.1 disk under FreeBSD 4.10
Message-ID: <42E9A219.7000504@centtech.com>
In-Reply-To: <20050728201237.Y98333@pop.citytel.net>

Keith Woodworth wrote:
> Had a BSD/OS 4.1 disk go flaky the other day. So using this as my chance
> to upgrade another one of our machines to FreeBSD I installed FBSD on a
> new drive and there is some data I'd like to pull off the old BSD/OS drive
> (its BSD/OS 4.1).
>
> BSD/OS drive is seen by FBSD as ad2, new drive is ad0.
>
> I added some entries into /etc/fstab for ad2 in various combos and tried
> to mount ad2 but I get:
>
> ad2s2 slice starts beyond end of disk.
> incorrect superblock.
>
> Ive tried ad2s1a, ad2s1, ad2a and pretty much get the same thing.
>
> Wonder if its possible? I could do this other ways but it involved network
> restores, scp etc and I'm lazy and though it would be quicker and cleaner
> to just mount the old disk of possible.
>
> Anyone know? Or wonder if BSD/OS can mount a FBSD disk?

What does disklabel report on ad2? I think BSD/OS ran regular UFS (1), so
it seems very possible to be able to mount it. I would highly suggest only
doing ro mounts on it anyhow.

You might also try ad2(a,c,e) and see if there are labels on any of them.

Eric

-- 
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
Anything that works is better than anything that doesn't.
------------------------------------------------------------------------

From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 03:41:41 2005
From: Keith Woodworth
To: Eric Anderson
Cc: freebsd-isp@freebsd.org
Date: Thu, 28 Jul 2005 20:42:29 -0700 (PDT)
Subject: Re: Mounting BSD/OS 4.1 disk under FreeBSD 4.10
Message-ID: <20050728203625.E46303@pop.citytel.net>
In-Reply-To: <42E9A219.7000504@centtech.com>
References: <20050728201237.Y98333@pop.citytel.net> <42E9A219.7000504@centtech.com>

On Thu, 28 Jul 2005, Eric Anderson wrote:

|->Keith Woodworth wrote:
|->> Had a BSD/OS 4.1 disk go flaky the other day. So using this as my chance
|->> to upgrade another one of our machines to FreeBSD I installed FBSD on a
|->> new drive and there is some data I'd like to pull off the old BSD/OS drive
|->> (its BSD/OS 4.1).
|->>
|->> Anyone know? Or wonder if BSD/OS can mount a FBSD disk?
|->
|->What does disklabel report on ad2? I think BSD/OS ran regular UFS (1),
|->so it seems very possible to be able to mount it. I would highly
|->suggest only doing ro mounts on it anyhow.
|->
|->You might also try ad2(a,c,e) and see if there are labels on any of them.

Yes, BSD/OS is regular UFS and I thought it would be possible as well. And
yes, ro is what I was trying. I've tried various incantations of ad2 and
disklabel says:

unknown error 0

in a few cases, and in one case:

bad disk label on ad2c.

This disk is good, as BSD/OS on it does boot fine. I'll keep hunting
around and see what I can come up with. I may end up after all getting the
data I need the old fashioned way and restore... hate doing that over the
network.
Thanks,
Keith

From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 10:29:54 2005
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-isp@freebsd.org
Date: Fri, 29 Jul 2005 12:29:50 +0200
Subject: Re: preventing a user to start a process
Message-ID: <42EA051E.1020808@quip.cz>
In-Reply-To: <20050727065843.8F30543D46@mx1.FreeBSD.org>

David Hogan wrote:
>> Unfortunately, that is not possible. E.g. typo3 calls Imagemagick, so I
>> need system().
>
> Hmmm ... ok
>
> are you aware you can override many php.ini settings on a per directory
> basis or even per vhost basis (I think) ? If you didn't have too many
> exceptions, you could deny system() globally, then allow it just for trusted
> users or scripts.

The disable_functions directive works only globally (IMHO).

-- 
Miroslav Lachman

From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 17:02:04 2005
From: Sean Ellis
To: freebsd-isp@freebsd.org
Date: Fri, 29 Jul 2005 10:01:46 -0700
Subject: multiple mysql servers
Message-ID: <20050729170146.GA41622@telus.net>
Reply-To: sellis@telus.net

Hello,

4.11-STABLE FreeBSD 4.11-STABLE #2: Fri May 13 17:43:58 PDT 2005

Can anyone recommend a good online resource for implementing a second
mysql daemon on FreeBSD?

Or, perish the thought, any gotchas with this?

thanks,

Sean

From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 17:08:13 2005
From: John Von Essen
To: Sean Ellis
Cc: freebsd-isp@freebsd.org
Date: Fri, 29 Jul 2005 13:08:07 -0400 (EDT)
Subject: Re: multiple mysql server
Message-ID: <20050729130750.P18002@beck.quonix.net>
In-Reply-To: <20050729170146.GA41622@telus.net>

Check out:

http://dev.mysql.com/doc/mysql/en/multiple-servers.html

-john

On Fri, 29 Jul 2005, Sean Ellis wrote:

> Hello,
>
> 4.11-STABLE FreeBSD 4.11-STABLE #2: Fri May 13 17:43:58 PDT 2005
>
> can anyone recommend a good online resource for implementing a second
> mysql daemon on freebsd?
>
> Or, perish the thought, any gotchas with this,
>
> thanks,
>
> Sean

From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 20:15:14 2005
From: "nanard"
Date: Fri, 29 Jul 2005 22:14:53 +0200
Subject: Re: multiple mysql servers
Message-ID: <023401c5947a$2f15b580$1401a8c0@portable>
References: <20050729170146.GA41622@telus.net>

Hi,

You just have to specify a different port, different socket, and
different data directory to run a second mysql server on the same box.

I didn't try this, but you can:

- Copy /var/db/mysql to /var/db/mysql2 (and give it the same owner/perms
  as the other)
- Create a my.cnf in /var/db/mysql2 and configure it.
- Copy /usr/local/etc/rc.d/mysql-server.sh to
  /usr/local/etc/rc.d/mysql-server2.sh
- In /usr/local/etc/rc.d/mysql-server2.sh, change the "mysql_dbdir"
  variable to the new path and set mysql_enable to YES directly in it.

Another solution that I did is to configure JAILS.

Regards

----- Original Message ----- 
From: "Sean Ellis"
Sent: Friday, July 29, 2005 7:01 PM
Subject: multiple mysql servers

> Hello,
>
> 4.11-STABLE FreeBSD 4.11-STABLE #2: Fri May 13 17:43:58 PDT 2005
>
> can anyone recommend a good online resource for implementing a second
> mysql daemon on freebsd?
>
> Or, perish the thought, any gotchas with this,
>
> thanks,
>
> Sean

From owner-freebsd-isp@FreeBSD.ORG Fri Jul 29 22:26:10 2005
From: Sean Ellis
To: John Von Essen
Cc: freebsd-isp@freebsd.org
Date: Fri, 29 Jul 2005 15:25:40 -0700
Subject: Re: multiple mysql server
Message-ID: <20050729222540.GD41622@telus.net>
In-Reply-To: <20050729130750.P18002@beck.quonix.net>
Reply-To: sellis@telus.net

On Fri, Jul 29, 2005 at 01:08:07PM -0400, John Von Essen wrote:

John,

> > can anyone recommend a good online resource for implementing a second
>
> http://dev.mysql.com/doc/mysql/en/multiple-servers.html

Thanks for the response. Quite a lot of detail there.

To refresh my memory: I know how to supply make with options such as
'WITH_CHARSET=utf8' when building the port, but how do I give a configure
option like '--prefix=/usr/local/mysql-4.0.17'?
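As an added example (not code from anyone in the thread), a POSIX sh check for the second-instance setup nanard describes above: before the second mysqld is started, compare the two my.cnf files and flag the [mysqld] settings that would collide (socket, datadir, pid-file, and port unless bind-address separates the instances). The config files it reads are constructed samples written to a temp directory; the /var/db/mysql paths mirror the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: before starting a second mysqld
# on the same box, compare the two my.cnf files and report every [mysqld]
# setting the two instances would collide on. Socket, datadir and pid-file
# must differ; port must differ unless bind-address separates the two.

# mysqld_setting FILE KEY: print the value of KEY from the [mysqld] section
# of FILE (last occurrence wins), or nothing if it is unset. Comments and
# other sections such as [client] are ignored; "pid_file" and "pid-file"
# are treated as the same key, as mysqld itself does.
mysqld_setting() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        in_mysqld {
            line = $0
            sub(/[ \t]*#.*$/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/_/, "-", k)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# wildcard_bind ADDR: true if ADDR (possibly empty) makes mysqld listen on
# every interface, so it clashes with any other instance on the same port.
wildcard_bind() {
    case "$1" in
        ""|"*"|0.0.0.0|::) return 0 ;;
        *) return 1 ;;
    esac
}

# check_instances CNF_A CNF_B: print one line per collision or missing
# setting; return 0 only if the two instances can safely coexist.
check_instances() {
    problems=0
    for key in socket datadir pid-file; do
        a=$(mysqld_setting "$1" "$key"); b=$(mysqld_setting "$2" "$key")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "MISSING  $key must be set explicitly in both files"
            problems=$((problems + 1))
        elif [ "$a" = "$b" ]; then
            echo "CONFLICT $key: both instances use $a"
            problems=$((problems + 1))
        fi
    done
    pa=$(mysqld_setting "$1" port); pb=$(mysqld_setting "$2" port)
    if [ "${pa:-3306}" = "${pb:-3306}" ]; then
        ba=$(mysqld_setting "$1" bind-address); bb=$(mysqld_setting "$2" bind-address)
        if wildcard_bind "$ba" || wildcard_bind "$bb" || [ "$ba" = "$bb" ]; then
            echo "CONFLICT port ${pa:-3306} is shared and bind-address does not separate the instances"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample configs, written to a temp dir so the script runs
# anywhere: A is the stock first instance; B is a copy where the admin
# changed datadir, socket and pid-file but forgot the port; C is a
# correctly separated second instance.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_A=$SAMPLE_DIR/my.cnf; SAMPLE_B=$SAMPLE_DIR/my2-bad.cnf; SAMPLE_C=$SAMPLE_DIR/my2-ok.cnf
cat >"$SAMPLE_A" <<'EOF'
[client]
port = 3306
socket = /tmp/mysql.sock

[mysqld]
port = 3306
bind-address = 127.0.0.1
socket = /tmp/mysql.sock
datadir = /var/db/mysql
pid_file = /var/run/mysql.pid   # underscore spelling is accepted
EOF
sed -e 's#/var/db/mysql#/var/db/mysql1#' -e 's#mysql.sock#mysql1.sock#' \
    -e 's#mysql.pid#mysql1.pid#' "$SAMPLE_A" >"$SAMPLE_B"
sed -e 's/^port = 3306/port = 3307/' "$SAMPLE_B" >"$SAMPLE_C"

echo "== first instance vs. second instance with the port left unchanged"
check_instances "$SAMPLE_A" "$SAMPLE_B" || echo "-> do not start the second mysqld yet"
echo "== first instance vs. correctly separated second instance"
check_instances "$SAMPLE_A" "$SAMPLE_C" && echo "-> safe to start both"
```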
-- 
Sean

From owner-freebsd-isp@FreeBSD.ORG Sat Jul 30 07:29:13 2005
From: "Sunil Sunder Raj"
To: sellis@telus.net, john@essenz.com
Cc: freebsd-isp@freebsd.org
Date: Sat, 30 Jul 2005 07:29:12 +0000
Subject: Re: multiple mysql server
In-Reply-To: <20050729222540.GD41622@telus.net>

Hi,

1) Install mysql.
2) Copy the mysql data directory to, say, mysql1.
   So you have /var/db/mysql and /var/db/mysql1.
3) Open the first mysql's /var/db/mysql/my.cnf and change
   port =
   bind-address =
4) Start the first mysql server.
5) Open the second mysql's /var/db/mysql1/my.cnf and change
   port =
   bind-address =
6) Write the startup command for the second mysql server:
   /usr/local/bin/mysqld_safe --bind-address= --user=mysql --socket=/tmp/mysql1.sock --datadir=/var/db/mysql1 --pid-file=/var/run/mysql1.pid &

This works great for n number of mysql servers. Tested and working on one
of my live servers.

-Sunil Sunder Raj

>From: Sean Ellis
>Reply-To: sellis@telus.net
>To: John Von Essen
>CC: freebsd-isp@freebsd.org
>Subject: Re: multiple mysql server
>Date: Fri, 29 Jul 2005 15:25:40 -0700
>
>On Fri, Jul 29, 2005 at 01:08:07PM -0400, John Von Essen wrote:
>
>John,
>
> > > can anyone recommend a good online resource for implementing a second
> >
> > http://dev.mysql.com/doc/mysql/en/multiple-servers.html
>
>Thanks for the response. Quite a lot of detail there.
>
>To refresh my memory; I know how to supply make with options such as
>'WITH_CHARSET=utf8' when building the port, but how do I give a configure
>option like '--prefix=/usr/local/mysql-4.0.17'?
>
>--
>
>Sean

From owner-freebsd-isp@FreeBSD.ORG Sat Jul 30 10:06:43 2005
From: "David Hogan"
To: "'Miroslav Lachman'" <000.fbsd@quip.cz>, freebsd-isp@freebsd.org
Date: Sat, 30 Jul 2005 20:06:40 +1000
V6.00.2900.2527 In-Reply-To: <42EA051E.1020808@quip.cz> Thread-Index: AcWUKIAtK4FobUVWQwyY2exQAOF4FAAxc7mA Message-Id: <20050730100642.1D50843D45@mx1.FreeBSD.org> Cc: Subject: RE: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Jul 2005 10:06:43 -0000 > -----Original Message----- > From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org] > On Behalf Of Miroslav Lachman > disable_functions directive works only globally (IMHO) So it does. Bugger Dave From owner-freebsd-isp@FreeBSD.ORG Sat Jul 30 14:31:08 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A43E316A41F for ; Sat, 30 Jul 2005 14:31:08 +0000 (GMT) (envelope-from sellis@d154-20-93-49.bchsia.telus.net) Received: from priv-edtnes57.telusplanet.net (outbound01.telus.net [199.185.220.220]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27CC843D45 for ; Sat, 30 Jul 2005 14:31:07 +0000 (GMT) (envelope-from sellis@d154-20-93-49.bchsia.telus.net) Received: from d154-20-93-49.bchsia.telus.net ([154.20.93.49]) by priv-edtnes57.telusplanet.net (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with ESMTP id <20050730143102.BTOM14932.priv-edtnes57.telusplanet.net@d154-20-93-49.bchsia.telus.net>; Sat, 30 Jul 2005 08:31:02 -0600 Received: from d154-20-93-49.bchsia.telus.net (localhost [127.0.0.1]) by d154-20-93-49.bchsia.telus.net (8.13.3/8.13.3) with ESMTP id j6UEUpOg062404; Sat, 30 Jul 2005 07:30:56 -0700 (PDT) (envelope-from sellis@d154-20-93-49.bchsia.telus.net) Received: (from sellis@localhost) by d154-20-93-49.bchsia.telus.net (8.13.3/8.13.3/Submit) id j6UEUksf062403; Sat, 30 Jul 2005 07:30:46 -0700 (PDT) (envelope-from sellis) Date: Sat, 30 
Jul 2005 07:30:46 -0700 From: Sean Ellis To: Sunil Sunder Raj Message-ID: <20050730143046.GG41622@telus.net> References: <20050729222540.GD41622@telus.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.9i Cc: freebsd-isp@freebsd.org Subject: Re: multiple mysql server X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: sellis@telus.net List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Jul 2005 14:31:08 -0000 On Sat, Jul 30, 2005 at 07:29:12AM +0000, Sunil Sunder Raj wrote: Hi Sunil, thanks for your reply. My need for a second mysql server is to allow me to implement a database that will use the utf-8 character set, whilst maintaining some existing databases that are using the default Latin1 character set. I've ammended what you suggest below based on what I've read in the documentation. Does this look sound? Anybody? I realize that this is more of a mysql question. > 1) install mysql Build with --with-extra-charsets to include utf-8 > 2) copy the mysql data directory to say mysql1 > So you have /var/db/mysql and /var/db/mysql1 > > 3) Open the first mysql /var/db/mysql/my.cnf > Change > port = > bind-address = > > 4) start the first mysql server > > 5) Open the second mysql /var/db/mysql1/my.cnf > Change > port = > bind-address = > > 6) Write the startup command for the second mysql server > /usr/local/bin/mysqld_safe --bind-address= the second mysql server to> --user=mysql --socket=/tmp/mysql1.sock > --datadir=/var/db/mysql1 --pid-file=/var/run/mysql1.pid --default-character-set=utf8 --default-collation=utf8_general_ci & Easy enough for me to try out on a test machine. If anyone has any comments though I would be interested, cheers, Sean
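The procedure Sunil describes and Sean amends above, as an added example written for this page (it is not code from the thread or from MySQL): a small POSIX sh script that writes a per-instance my.cnf for each server, prints the mysqld_safe command line in the explicit-flag form the thread uses, and adds the check a practitioner wants before starting the second server, namely that the two instances share no listening endpoint (bind-address plus port), socket, datadir or pid-file. The directory, socket and pid-file paths are the thread's; the port numbers 3306/3307, the 127.0.0.1 bind address and the first instance's latin1 setting are assumptions. "default-character-set" is the MySQL 4.x/5.0 server option name the thread uses; MySQL 5.5 and later spell it "character-set-server".

```shell
#!/bin/sh
# Added example, not from the thread: build per-instance my.cnf files for
# two mysqld servers on one host and check that they cannot collide.
# Paths are the thread's (/var/db/mysql, /var/db/mysql1, /tmp/mysql1.sock,
# /var/run/mysql1.pid); the port numbers and 127.0.0.1 are assumptions.

# instance_cnf DATADIR PORT BIND SOCKET PIDFILE CHARSET
# Prints a minimal [mysqld] section for one instance. "default-character-set"
# is the MySQL 4.x/5.0 option name used in the thread; MySQL 5.5 and later
# spell it "character-set-server".
instance_cnf() {
    cat <<EOF
[mysqld]
datadir=$1
port=$2
bind-address=$3
socket=$4
pid-file=$5
default-character-set=$6
EOF
}

# cnf_get FILE KEY: print the value of KEY from FILE (first match)
cnf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_no_collision CNF1 CNF2
# Succeeds when the two instances share no socket, datadir, pid-file or
# listening endpoint (bind-address plus port). Two servers on one socket or
# pid-file silently break each other; two on one endpoint fail to start.
check_no_collision() {
    for key in socket datadir pid-file; do
        if [ "$(cnf_get "$1" "$key")" = "$(cnf_get "$2" "$key")" ]; then
            echo "collision on $key: $(cnf_get "$1" "$key")" >&2
            return 1
        fi
    done
    ep1="$(cnf_get "$1" bind-address):$(cnf_get "$1" port)"
    ep2="$(cnf_get "$2" bind-address):$(cnf_get "$2" port)"
    if [ "$ep1" = "$ep2" ]; then
        echo "collision on listening endpoint: $ep1" >&2
        return 1
    fi
    return 0
}

# start_cmd CNF: print the mysqld_safe command line for an instance, in the
# explicit-flag form the thread uses (--defaults-file=CNF would do as well).
start_cmd() {
    printf '/usr/local/bin/mysqld_safe --bind-address=%s --port=%s --user=mysql --socket=%s --datadir=%s --pid-file=%s --default-character-set=%s &\n' \
        "$(cnf_get "$1" bind-address)" "$(cnf_get "$1" port)" \
        "$(cnf_get "$1" socket)" "$(cnf_get "$1" datadir)" \
        "$(cnf_get "$1" pid-file)" "$(cnf_get "$1" default-character-set)"
}

# demo: write both configs to a scratch directory, verify them, and print
# the start command for the second (utf8) instance.
demo() {
    dir=$(mktemp -d)
    instance_cnf /var/db/mysql  3306 127.0.0.1 /tmp/mysql.sock  /var/run/mysql.pid  latin1 > "$dir/my.cnf"
    instance_cnf /var/db/mysql1 3307 127.0.0.1 /tmp/mysql1.sock /var/run/mysql1.pid utf8   > "$dir/my1.cnf"
    check_no_collision "$dir/my.cnf" "$dir/my1.cnf" && start_cmd "$dir/my1.cnf"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh multi-mysql.sh demo` to see the generated command line. The endpoint check compares the bind-address and port together, so two instances may reuse a port on different addresses; the socket, datadir and pid-file must always differ. Keeping bind-address at 127.0.0.1 unless remote clients genuinely need the second server limits its exposure to the same host.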