In article <983130226.25873@phzzzt.atww.org> you wrote:
: 1) With regards to the recent buffer-overflow exploit and the
: recommendation of running icecast as a non-root user, how exactly does
: one do that?

I do it via "su". I use a pseudo user named "ice" and have this in a
shell program that starts icecast:

    exec su --login -c "/usr/local/icecast/bin/icecast" ice &

NOTE: root needs to run this, so it won't be prompted for a password.
Once run, the icecast process itself will be owned by user "ice".

: I've compiled icecast with both encryption and tcp_wrappers enabled.
: I've added to my /etc/hosts.deny file the line
[...]
: I believe that those files however are readable only by root

They shouldn't be. Generally /etc/hosts.allow and /etc/hosts.deny have
permissions of 644 and owned by user root and group root. This will be
fine if icecast is run as an unprivileged user as it only needs to be
able to read those files--not write or modify them.

--
------------------------------------------------------------------------------
Michael | mfaurot | You have the power to influence all with whom you come
Faurot | atww.net | in contact.

--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.
Great - thank you for the info! =) Will try out your suggestions.

Andrew

On Sun, 25 Feb 2001, Michael Faurot wrote:

> In article <983130226.25873@phzzzt.atww.org> you wrote:
> [...]
You're going to need root access. Presumably you have it if you have control over icecast. You could do a simple adduser. Then use your favorite editor and open up the /etc/passwd file (again as root). You'll need to read up on what each of the fields are, but in short you'll want to * the password field for that new user. You'll also want to change the shell to /bin/false. Basically at that point you should have a non-priv'd acct.

Anyone else have any suggestions?

On Sun, 25 Feb 2001, Andrew M. Wu wrote:

> One question though - how do I create a pseudo user?
>
> Thanks,
>
> Andrew
>
> On Sun, 25 Feb 2001, Michael Faurot wrote:
>
> > [...]

--
Sean...

A flute with no holes is not a flute. A donut with no hole is a danish.
--Chevy Chase, Caddyshack
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
www.rimboy.com <-- Your source for the crap you know you need.
www.rimboy.com/rimdistro/rimiradio <-- Icecast server on a floppy! (i486+)
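The thread's three pieces of advice (Michael's launch through su and his point that hosts.allow/hosts.deny must stay root-owned but world-readable, and Sean's locked pseudo-user account with a non-login shell) fit together as one start-up check. The script below is an added example, not code from the list thread or from the icecast project. It assumes the account name "ice" and the binary path /usr/local/icecast/bin/icecast from Michael's message, a Linux host with GNU stat(1), and the usual colon-separated /etc/passwd and /etc/shadow formats; the check functions run without root against constructed input, while the start step itself needs root, as Michael notes. One caveat it handles: su runs the -c command through the target account's login shell, so with Sean's /bin/false as the shell the plain `su --login -c ...` line would exit without starting anything; the script passes su's -s option to use /bin/sh for the command instead.

```shell
#!/bin/sh
# Added example (not from the list thread or the icecast project): tie the
# thread's advice together into checks run before icecast is launched as an
# unprivileged pseudo user.
#
# Assumptions: account name "ice" and binary path from Michael's message;
# a Linux host with GNU stat(1); /etc/passwd and /etc/shadow in the usual
# colon-separated formats.

ICE_USER="${ICE_USER:-ice}"
ICECAST_BIN="${ICECAST_BIN:-/usr/local/icecast/bin/icecast}"

# mode_ok MODE: MODE is an octal mode string as stat -c %a prints it (644).
# Succeeds when the file is world-readable (the "ice" process must be able
# to consult hosts.allow/hosts.deny) but not writable by group or others.
mode_ok() {
    m=$(( 0$1 ))                 # leading 0 makes the shell parse octal
    [ $(( m & 4 )) -ne 0 ] && [ $(( m & 022 )) -eq 0 ]
}

# file_mode_ok PATH: apply mode_ok to a real file.
file_mode_ok() {
    [ -f "$1" ] && mode_ok "$(stat -c %a "$1")"
}

# owner_is_root PATH: the tcp_wrappers files should be owned by root so the
# service account cannot alter its own access rules.
owner_is_root() {
    [ "$(stat -c %U "$1")" = root ]
}

# password_field_locked LINE: field 2 of a passwd(5) or shadow(5) line is
# the password. Sean's advice is to put "*" there; "!" or "!!" (what
# passwd -l writes) lock it too. On shadow systems /etc/passwd holds "x"
# and the real field lives in /etc/shadow, so pass the shadow line there.
password_field_locked() {
    case "$(printf '%s' "$1" | cut -d: -f2)" in
        \*|!*) return 0 ;;
        *)     return 1 ;;
    esac
}

# shell_refuses_login LINE: field 7 of a passwd(5) line is the login shell;
# /bin/false (Sean's choice) or nologin means nobody can log in as "ice".
shell_refuses_login() {
    case "$(printf '%s' "$1" | cut -d: -f7)" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# service_account_ok USER: look the account up on this host. Reading
# /etc/shadow needs root, which start_icecast has anyway.
service_account_ok() {
    pw=$(grep "^$1:" /etc/passwd) || { echo "no such user: $1" >&2; return 1; }
    shell_refuses_login "$pw" || { echo "$1: shell allows logins" >&2; return 1; }
    if [ "$(printf '%s' "$pw" | cut -d: -f2)" = x ] && [ -r /etc/shadow ]; then
        pw=$(grep "^$1:" /etc/shadow)
    fi
    password_field_locked "$pw" || { echo "$1: password not locked" >&2; return 1; }
}

# start_icecast: Michael's su-based launch, guarded by the checks above.
# Root runs this, so su does not prompt. Because the account's shell is
# /bin/false, su is told via -s to use /bin/sh for the -c command;
# without that, su would run "/bin/false -c icecast" and exit quietly.
start_icecast() {
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
    service_account_ok "$ICE_USER" || return 1
    for f in /etc/hosts.allow /etc/hosts.deny; do
        file_mode_ok "$f" && owner_is_root "$f" ||
            { echo "$f: expected mode 644, owner root" >&2; return 1; }
    done
    exec su --login -s /bin/sh -c "$ICECAST_BIN" "$ICE_USER"
}

# Run "sh this_script.sh start &" from root's startup script, as Michael
# does; with no argument the script only defines the functions.
case "${1:-}" in
    start) start_icecast ;;
esac
```

The mode check deliberately accepts anything world-readable and not group/other-writable (644 or tighter on the write bits) rather than insisting on exactly 644, because that is the property Michael's explanation actually depends on: the unprivileged process reads the rule files, and nobody but root writes them.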
One question though - how do I create a pseudo user?

Thanks,

Andrew

On Sun, 25 Feb 2001, Michael Faurot wrote:

> In article <983130226.25873@phzzzt.atww.org> you wrote:
> [...]
> I do it via "su". I use a pseudo user named "ice" and have this in a
> shell program that starts icecast:
>
>     exec su --login -c "/usr/local/icecast/bin/icecast" ice &
>
> NOTE: root needs to run this, so it won't be prompted for a password.
> Once run, the icecast process itself will be owned by user "ice".
> [...]