You're going to need root access. Presumably you have it if you have
control over icecast.

You could do a simple adduser. Then use your favorite editor and open up
the /etc/passwd file (again as root). You'll need to read up on what each
of the fields are, but in short you'll want to * the password field for
that new user. You'll also want to change the shell to /bin/false.

Basically at that point you should have a non-priv'd acct.

Anyone else have any suggestions?

On Sun, 25 Feb 2001, Andrew M. Wu wrote:

> One question though - how do I create a pseudo user?
>
> Thanks,
>
> Andrew
>
> On Sun, 25 Feb 2001, Michael Faurot wrote:
>
> > In article <983130226.25873@phzzzt.atww.org> you wrote:
> >
> > : 1) With regards to the recent buffer-overflow exploit and the
> > : recommendation of running icecast as a non-root user, how exactly does
> > : one do that?
> >
> > I do it via "su". I use a pseudo user named "ice" and have this in a
> > shell program that starts icecast:
> >
> > exec su --login -c "/usr/local/icecast/bin/icecast" ice &
> >
> > NOTE: root needs to run this, so it won't be prompted for a password.
> > Once run, the icecast process itself will be owned by user "ice".
> >
> > : I've compiled icecast with both encryption and tcp_wrappers enabled.
> > : I've added to my /etc/hosts.deny file the line
> > [...]
> > : I believe that those files however are readable only by root
> >
> > They shouldn't be. Generally /etc/hosts.allow and /etc/hosts.deny have
> > permissions of 644 and owned by user root and group root. This will be
> > fine if icecast is run as an unprivileged user as it only needs to be
> > able to read those files--not write or modify them.
> >
> > --
> > Michael | mfaurot | You have the power to influence all with whom you come
> > Faurot  | atww.net | in contact.

--
Sean...
A flute with no holes is not a flute. A donut with no hole is a danish.
--Chevy Chase, Caddyshack
www.rimboy.com <-- Your source for the crap you know you need.
www.rimboy.com/rimdistro/rimiradio <-- Icecast server on a floppy! (i486+)

--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.
'nobody' is already an unprivileged user on most systems. You could run
icecast as nobody, and the only problem would be if you also ran a
webserver (since a security violation in either could potentially damage
the other's files). In practice with icecast and a non-critical webserver,
this is probably fine.

As for the editing of /etc/passwd, remember that most systems * the
password there by default, and the real password is elsewhere. /etc/shadow
is the place usually in linux.

jack.

> You're going to need root access. Presumably you have it if you have
> control over icecast.
>
> You could do a simple adduser. Then use your favorite editor and open up
> the /etc/passwd file (again as root). You'll need to read up on what each
> of the fields are, but in short you'll want to * the password
> field for that new user. You'll also want to change the shell to
> /bin/false.
>
> Basically at that point you should have a non-priv'd acct.
>
> Anyone else have any suggestions?
>
> On Sun, 25 Feb 2001, Andrew M. Wu wrote:
>
> > One question though - how do I create a pseudo user?
On Mon, 26 Feb 2001, Geoff Shang wrote:

> On Sun, 25 Feb 2001, Sean /The RIMBoy/ wrote:
>
> > You could do a simple adduser. Then use your favorite editor and open up
> > the /etc/passwd file (again as root). You'll need to read up on what each
> > of the fields are, but in short you'll want to * the password
> > field for that new user. You'll also want to change the shell to
> > /bin/false.
>
> This would only work if passwords are stored in plain ASCII in the
> /etc/passwd file.

You mean crypted in plain ASCII in the /etc/passwd file. I've not heard of
any *nix storing the passwd in unencrypted plain text for years. I'd be
surprised if there is still one around.

> Frankly, anyone who allows that is asking for trouble (IMHO).

Got NIS? Across two different hardware platforms?

> I'd highly recommend using the passwd and chsh commands to do the
> same thing.

Not a bad option. A quick glance at the passwd manpage yields two options,
-l which sticks a ! into the passwd field w/ the passwd, and -d.

> Much less risky, since you don't really want to muck up
> /etc/passwd, do you.

Well, I assumed a certain amount of familiarity with *nix. My bad.

--
Sean...
My understanding is that the '*' in the password field in the passwd file
(or shadow file) tells the OS that it's a non-loginable acct. In other
words you can't directly login as that user. So editing the passwd file
manually is actually the easiest and most secure option. Please correct me
if I'm wrong.

matt

On Mon, 26 Feb 2001, Geoff Shang wrote:

> On Sun, 25 Feb 2001, Sean /The RIMBoy/ wrote:
>
> > You could do a simple adduser. Then use your favorite editor and open up
> > the /etc/passwd file (again as root). You'll need to read up on what each
> > of the fields are, but in short you'll want to * the password
> > field for that new user. You'll also want to change the shell to
> > /bin/false.
>
> This would only work if passwords are stored in plain ASCII in the
> /etc/passwd file. Frankly, anyone who allows that is asking for trouble
> (IMHO). I'd highly recommend using the passwd and chsh commands to do the
> same thing. Much less risky, since you don't really want to muck up
> /etc/passwd, do you.
>
> Geoff.
On Sun, 25 Feb 2001, Sean /The RIMBoy/ wrote:

> You could do a simple adduser. Then use your favorite editor and open up
> the /etc/passwd file (again as root). You'll need to read up on what each
> of the fields are, but in short you'll want to * the password
> field for that new user. You'll also want to change the shell to
> /bin/false.

This would only work if passwords are stored in plain ASCII in the
/etc/passwd file. Frankly, anyone who allows that is asking for trouble
(IMHO). I'd highly recommend using the passwd and chsh commands to do the
same thing. Much less risky, since you don't really want to muck up
/etc/passwd, do you.

Geoff.
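The thread's three pieces (a pseudo user, a locked password field, and dropping from root with su) put together as an added script; this is example code written for this archive page, not anything posted by Sean, Geoff, Michael or the icecast project. It assumes Linux shadow-suite useradd/passwd/getent, a su that accepts -s (GNU su does), and constructed passwd/shadow sample lines for the check; one detail the code accounts for is that "su -c" runs the command through the account's login shell, so with /bin/false as the shell the command never runs unless su is given another shell for that one invocation.

```shell
#!/bin/sh
# Added example, not from the thread. Creates the locked, no-login "ice"
# pseudo user and verifies its entries before dropping privileges to it.
# Assumes Linux shadow-suite useradd/passwd/getent and a su that accepts -s.
# create_ice_user and start_icecast must run as root.

ICE_USER=ice
ICECAST=/usr/local/icecast/bin/icecast

# Constructed sample entries (not from a real system), used for checking.
SAMPLE_PASSWD='ice:x:1001:1001::/usr/local/icecast:/bin/false'
SAMPLE_SHADOW_LOCKED='ice:!:11378:0:99999:7:::'   # '!' prefix, as passwd -l marks it
SAMPLE_SHADOW_STAR='ice:*:11378:0:99999:7:::'     # hand-edited '*' field
SAMPLE_SHADOW_OPEN='ice:$1$salt$hashhashhash:11378:0:99999:7:::'  # real hash

# is_locked_entry PASSWD_LINE SHADOW_LINE
# Succeeds only when nobody can log in interactively as the account: the
# shadow hash field starts with '*' or '!' AND the login shell is
# /bin/false or a nologin binary. Either check alone is not enough.
is_locked_entry() {
    login_shell=$(printf '%s\n' "$1" | cut -d: -f7)
    pw_hash=$(printf '%s\n' "$2" | cut -d: -f2)
    case "$pw_hash" in
        '*'*|'!'*) ;;                      # no usable password
        *) return 1 ;;
    esac
    case "$login_shell" in
        /bin/false|*/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# create_ice_user: system account with a no-login shell, then lock the
# password with passwd -l instead of hand-editing /etc/passwd or /etc/shadow.
create_ice_user() {
    useradd -r -s /bin/false -d /usr/local/icecast "$ICE_USER" &&
    passwd -l "$ICE_USER"
}

# start_icecast: refuse to start unless the account is locked, then drop
# from root to it. /bin/false would run nothing, so -s /bin/sh supplies a
# shell for this one command only; the account's shell stays /bin/false.
start_icecast() {
    pw_line=$(getent passwd "$ICE_USER") || return 1
    sh_line=$(getent shadow "$ICE_USER") || return 1
    is_locked_entry "$pw_line" "$sh_line" ||
        { echo "$ICE_USER is not locked down, not starting" >&2; return 1; }
    exec su --login -s /bin/sh -c "$ICECAST" "$ICE_USER"
}
```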