similar to: Re: root in a chroot jail (was: Buffer Overflows: A Summary)

Phexro <ieure@linknet.kitsap.lib.wa.us> writes: > chroot()''d processes. So, important system calls could be modified thus: Since there are tons of syscalls and new ones appearing all the time, "Fixing" some of them doesn''t seem like a good idea. It seems more reasonbale to deny access to all of them, except for a few specific ones (that can moreover be

-----BEGIN PGP SIGNED MESSAGE----- > Date: Fri, 2 May 1997 12:33:00 -0500 > From: "Thomas H. Ptacek" <tqbf@ENTERACT.COM> > On almost all Unix operating systems, having superuser access in a > chroot() jail is still dangerous. In some recent revisions of 4.4BSD > operating systems, root can trivially escape chroot(), as well. I was thinking about possible attacks

Greetings, I have a pack of SunRay network computers in kiosk mode and I need to print to the Pharos printing system. Not surprisingly, Pharos runs on Windows. It is currently set up on Windows 2003 server. To print to this system you have to authenticate to the Activate Directory the Pharos server is a member of. I thought my best bet to pull this off was to use Samba. The

Hi a fellow debian developer pointed it out to me, that ssh itself does not check the username that is provided for login into a remote host, but that scp checks it. I could verify that the current openssh code from cvs still has a check for the username in scp.c but not in ssh.c. So I created the attached small patch to remove the username check from scp. I hope ?t's correct and that you

I'm curious how to go about submitting a suggestion that affects both the original BSD version and the portable release. A few days ago I sent off a BSD-relative patch to openssh at openssh.com. Is this the right thing to do? I didn't hear anything back, but it's only been 3 days, so I'm probably just being too antsy. In the meantime, maybe someone else out there would like to

If you've applied my previous scp patch with the tempfile options and the erase option, here's a diff that tweaks it a bit more. Previously I had decided to use getcwd() in a certain local-to-local special case (that needs to use scp rather than regular cp). This was because spawing scp via ssh resets the current directory. This patch choose to forego that in favor of a simpler

I have a client (Fedora 19) and a server (Fedora 14/Samba 3.5.11) which works fine. I'm now setting up a new server (Fedora 20/Samba 4.1.3) with more or less the same smb.conf 1. Issuing: sudo smbclient -L //srv001 -U suser list all shares correct. 2. Issuing: sudo mount -t cifs //srv/Share3 /mnt/share3/ -o username=suser Password for suser@//srv/Share3: **** Retrying with upper case share

Hey all, If you''re like me and use git submodules heavily (I vendor everything, and every plugin is a submodule), you might like to hear about code published this morning to make it easier to manage multiple git submodules in a shared-server environment. It''s imaginatively titled ''git-rake'', and it does Good Things like: * aggregates submodule commit logs into

Hi there, I have a need to have scp pass the -P option to ssh to "bypass" the packetfilters that doesn't allow connections to return to arbitary "priviledged" ports, ie. ports <1024. See attached context sensitive diffs against 2.2.0p1 to please integrate. Thanx Hendrik Visage -------------- next part -------------- *** 1.1 2000/10/11 13:31:45 --- scp.c 2000/10/11

> > Don't forget prover. :-) > > Say on that note here's something that I want to see: a formal > semantics > for LLVM in for example higher order logic. This would probably > not be > that difficult. > > The problem that this solves is that current verified compiler efforts > appear to be highly specific to both the language and the target. > >

Hi there, I've written some enhancements to scp.c and pathnames.h to enable the scp to arbitrarily set the remote scp path. (eg $ scp -e /usr/bin/scp foo user at bar:foo) I did read the "scp: command not found" FAQ entry but I'm not quite sure why we can't do this, unless it's because enhancements to scp are no longer a priority. Any other reason why it "is the

I've experienced some troubles using scp with remote files with spaces, amphersands or parantheses in their filenames on Linux hosts. This happens: stain at false:~$ scp "bender.linpro.no:blapp blapp" . scp: blapp: No such file or directory scp: blapp: No such file or directory stain at false:~$ scp "bender.linpro.no:blapp&blapp" . bash: blapp: command

Hey guys, I've got another C7 problem I was hoping to solve. I installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. It's failing to communicate with it's controller on another host. And this is the interesting part. Whether or not I have SELinux enabled, I have apache reporting SELinux problems. [root at web1:~] #getenforce Permissive May 10 20:47:56 web1 python[25735]:

As I can seen, there is the bind-chroot glue package, but is there a postfix-chroot.rpm glue ? I have looked for it, but I think there is not. If there is not, what is your opinion about creating one ? Thanks -- Vilela -------------- next part -------------- An HTML attachment was scrubbed... URL:

I have a need to have users SSH into a server where they are limited to a chroot jail (sandbox). Once they are there, they need to be able to execute 'ssh' and 'scp' to other systems. I've no problem setting up the basic chroot jail and providing basic functionality (ls, cat, less, etc). The part that is stopping me is setting it up so that that user can then 'ssh'

Good afternoon, I have been using OpenSSH 3.8p1 and added code to sftp-server.c so I could put users in chroot jail. When I setup a new system and downloaded OpenSSH 4.4p1 and tried the same patch it fails with the following in the /var/log/messages file: sftp-server[11001]: fatal: Couldn't chroot to user directory /home/newyork/ftpbcc: Operation not permitted I was wondering why one would

the configure option --program-prefix does not work although it is listed in teh configure --help output. The attached patch fixes these issues: 1) program prefix is not substituted in configure 2) program prefix is not present in Makefile 3) scp requires use of a known "scp" program -- bryan diff -cr openssh-2.9.9p2.orig/Makefile.in openssh-2.9.9p2/Makefile.in ***

Hi, I've been working at getting a tftp server up an running in a chroot jail, and I have finally succeed getting almost everything working. The server itself works fine, however, it is implemented as a tcpwrapper application (ie: in.tftpd) and I am having trouble getting it to resolve DNS names. I copied my /etc/hosts.allow and /etc/hosts.deny in my chroot/etc folder, however, they

Hi all, I'm enjoying using dovecot deliver with qmail+vpopmail+dspam. It works mostly fine, I like the indexing and sieve features with dovecot deliver. I would like to get more details on trouble, the log entry is just : " 2009-11-18_20:38:55.64778 delivery 50833: deferral: " As you see, there no reason for the deferral. How can I make deliver more verbose ? I also have a

On Thu, 2002-12-19 at 01:30, msmith@labyrinth.net.au wrote: > Alan Silvester <mascdman@shaw.ca> said: > > > Hi, > > > > (Sorry for the long email) > > > > As a bit of a learning exercise, I'm trying to place the icecast daemon > > in a chroot jail. I've been mostly sucessful: I can get icecast to > > serve the default stream from