From owner-freebsd-security Wed Oct 24 23:47:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sbtx.tmn.ru (sbtx.tmn.ru [212.76.160.49]) by hub.freebsd.org (Postfix) with ESMTP id A53D637B401 for ; Wed, 24 Oct 2001 23:47:05 -0700 (PDT)
Received: from sv.tech.sibitex.tmn.ru (sv.tech.sibitex.tmn.ru [212.76.160.59]) by sbtx.tmn.ru (8.11.3/8.11.3) with ESMTP id f9P6l2k72039; Thu, 25 Oct 2001 12:47:03 +0600 (YEKST) (envelope-from serg@sbtx.tmn.ru)
Received: (from serg@localhost) by sv.tech.sibitex.tmn.ru (8.11.6/8.11.6) id f9P6l2p41975; Thu, 25 Oct 2001 12:47:02 +0600 (YEKST) (envelope-from serg)
Date: Thu, 25 Oct 2001 12:47:02 +0600
From: "Sergey N. Voronkov"
To: Dave
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: lowering uids, startup
Message-ID: <20011025124702.A41897@sv.tech.sibitex.tmn.ru>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from mudman@R181172.resnet.ucsb.edu on Wed, Oct 24, 2001 at 11:36:16PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Oct 24, 2001 at 11:36:16PM -0700, Dave wrote:
>
> I am interested in learning how to start up a program (a 3rd party server
> program, a daemon, whatever) automatically from boot up without using
> inetd and without using a root uid.

% man inetd.conf

[skip]

     the beginning of a line.  There must be an entry for each field.  The
     fields of the configuration file are as follows:

          service name
          socket type
          protocol
          {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
          user[:group][/login-class]
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^  Exactly what you need.
          server program
          server program arguments

> I do know that /usr/local/etc/rc.d/ (mostly from my ports downloads) will
> automatically run packages such as ssh and apache, and really anything you
> put in there.  Unfortunately, these things initially run as root, so I'm
> skeptical about using it.

% man su

[skip]

     su [-] [-Kflm] [-c class] [login [args]]

DESCRIPTION
     Su requests the Kerberos password for login (or for `login.root', if no
     login is provided), and switches to that user and group ID after obtain-
     ing a Kerberos ticket granting ticket.  A shell is then executed.  Su
     will resort to the local password file to find the password for login if
     there is a Kerberos error.  If su is executed by root, no password is
     requested and a shell with the appropriate user ID is executed; no addi-
     tional Kerberos tickets are obtained.

[skip]

     -l      Simulate a full login.  The environment is discarded except for
             HOME, SHELL, PATH, TERM, and USER.  HOME and SHELL are modified
             as above.  USER is set to the target login.  PATH is set to
             `/bin:/usr/bin'.  TERM is imported from your current environ-
             ment.  Environment variables may be set or overridden from the
             login class capabilities database according to the class of the
             target login.  The invoked shell is the target login's, and su
             will change directory to the target login's home directory.
             Resource limits and session priority are modified to that for
             the target account's login class.

     -       (no letter) The same as -l.

Example for your usage:

    su - www telnetd -debug 2021

Good Luck!

Serg N. Voronkov,
Tyumen, Russia.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
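The rc.d approach from the reply above, written out as an added example (this script is not from the original mail, from Dave's setup, or from FreeBSD itself): a minimal /usr/local/etc/rc.d-style start/stop script that hands the daemon command to su(1) so that it never runs with uid 0. The account `www`, the daemon path `/usr/local/sbin/mydaemon` and the pidfile `/var/run/mydaemon.pid` are assumptions for illustration, as is the `build_su_cmd` helper; the `-m` flag is used instead of `-` because it keeps root's shell, which still works when the daemon account's login shell is /sbin/nologin.

```shell
#!/bin/sh
#
# Added example, not part of the original mail or of FreeBSD: a minimal
# /usr/local/etc/rc.d-style start/stop script that launches a daemon under
# an unprivileged account by handing the command line to su(1).
# The account "www", /usr/local/sbin/mydaemon and the pidfile path are
# assumptions made for illustration only.

daemon_user="www"                           # assumption: unprivileged account
daemon_cmd="/usr/local/sbin/mydaemon -f"    # assumption: hypothetical daemon
pidfile="/var/run/mydaemon.pid"             # assumption: written by the daemon

# build_su_cmd USER CMD
# Print the su(1) invocation that runs CMD as USER. FreeBSD su passes
# everything after the login name to the shell it starts, so "-c CMD"
# ends up as:  sh -c 'CMD'.  "-m" keeps the caller's environment and the
# caller's (root's) shell, which still works when USER's login shell is
# /sbin/nologin; "su - USER" would start USER's own login shell instead.
build_su_cmd() {
    user=$1
    cmd=$2
    case "$user" in
    ''|root)
        # The whole point is to leave root behind; refuse otherwise.
        echo "build_su_cmd: refusing to run daemon as root" >&2
        return 1
        ;;
    esac
    printf "su -m %s -c '%s'\n" "$user" "$cmd"
}

start() {
    # The assignment's exit status is that of the command substitution,
    # so a refused (root) user stops the start here.
    cmd=$(build_su_cmd "$daemon_user" "$daemon_cmd") || return 1
    echo "Starting ${daemon_cmd%% *} as $daemon_user"
    eval "$cmd"
}

stop() {
    if [ -r "$pidfile" ]; then
        kill "$(cat "$pidfile")" && rm -f "$pidfile"
    else
        echo "stop: no pidfile $pidfile" >&2
        return 1
    fi
}

# rc.d scripts are called with "start" at boot and "stop" at shutdown.
# With no argument the script only defines the functions above, so it
# can also be sourced for testing.
case "${1:-}" in
start) start ;;
stop)  stop ;;
'')    ;;
*)     echo "usage: $0 {start|stop}" >&2 ;;
esac
```

Because `-m` keeps root's environment, anything the daemon depends on (PATH, umask, working directory) should be set explicitly in the script rather than inherited by accident. For services launched by inetd rather than from rc.d, the `user[:group]` field of the inetd.conf line quoted earlier in the reply does the same job of dropping to an unprivileged account before the server program is executed.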