From owner-freebsd-current@FreeBSD.ORG Fri Apr 2 00:57:49 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ACC3716A4CE for ; Fri, 2 Apr 2004 00:57:49 -0800 (PST) Received: from publicd.ub.mng.net (publicd.ub.mng.net [202.179.0.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C7CC43D58 for ; Fri, 2 Apr 2004 00:57:48 -0800 (PST) (envelope-from ganbold@micom.mng.net) Received: from [202.179.0.164] (helo=ganbold.micom.mng.net) by publicd.ub.mng.net with asmtp (Exim 4.30; FreeBSD) id 1B9LLt-000B3Z-6W; Fri, 02 Apr 2004 17:52:41 +0800 Message-Id: <6.0.3.0.2.20040402175037.02acfde8@202.179.0.80> X-Sender: ganbold@micom.mng.net@202.179.0.80 X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Fri, 02 Apr 2004 18:02:54 +0900 To: David Taylor From: Ganbold In-Reply-To: <20040402001531.GA2388@gattaca.yadt.co.uk> References: <6.0.3.0.2.20040329102508.029f5670@202.179.0.80> <142839937.20040330074923@mail.ru> <20040402001531.GA2388@gattaca.yadt.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed cc: freebsd-current@freebsd.org Subject: Re: Re[2]: Question regarding shell user creation at login time X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Apr 2004 08:57:49 -0000 Hi, I already found the problem. I mounted /home partition with nosuid option before. That is why it couldn't succeed setuid call. This machine has ipfw2 and all traffics are filtered except ports 21,22,80. This machine doesn't have any important data except some Linux/BSD ISO images. I also implemented user quota and login class. One of the main reason of putting shell server is to help others to learn Unix:) Others mainly means Mongolians:) thanks, Ganbold At 09:15 AM 02.04.2004, you wrote: >But in theory he should be root, since ~new/new is suid root. Since >setuid(0) is failing, you are presumably correct that he is not, though. > >In any case, ~new/new.pl is owned by group wheel, so g+x won't help, >without also changing the group to 'new'. Also, I think for scripts at >least, read permission is required in addition to execute permission. >(Since you're executing the interpreter, which then reads the script) > >I'd suggest checking get[e]uid() in ~new/new, and figuring out what it's >running as (presumably 'new' group 'new'), and why it's not running as >'root', which it should be. If you give 'new' a "real" shell and log in, >then execute ~new/new, what uid does it run as? If that works, I guess >it's something ssh is doing (or a bug/feature in the kernel tickled by ssh) > >As for whether it's a good idea to be trying to set up an automated free >shell server without being able to make the above work with your eyes >closed... well... > >Assuming it's just a spare box with some spare network bandwidth to it, >and no important data or access to important hosts on the same network, >you probably don't care what happens to it. Just remember that _you_ will >be held responsible if people start sending worms/spam/abuse from your >host, or start installing irc bots (which are can be the target of large >denial of service attacks). > >Personally, trying to keep a shell service running for paying (some of >them at least, the rest were using stolen credit cards) customers was >enough of a nightmare to encourage me never to give anyone I wouldn't >explicitly trust with root on my box any access at all. > >-- >David Taylor >davidt@yadt.co.uk >"The future just ain't what it used to be"