...making Linux just a little more fun!
Sindi Keesan [keesan at grex.cyberspace.org]
http://www.ibiblio.org/pub/linux/distributions/baslinux
Current version 3.40 based on Slackware 4.0 and uClibc

http://www.ibiblio.org/pub/linux/distributions/baslinux/bl2/index.htm
Previous version 2.1 based on Slackware 7.1
Basiclinux 2.1 comes with a 'user', 3.40 does not.
The author (Steven Darnold) and some highly experienced support mailing list members have not solved this problem in four years.
cat filename > /dev/lp0 works for root; so does gs used from the CLI without lpr, or pbmtolj from netpbm.
lpr used from Opera, lpr filename or even cat filename | lpr work for 'user', but for root they do not send anything to the print queue (lpq shows no entries). No error messages. I just get another prompt.
Permissions for lpr are unchanged from Slackware 7.1:
-r-s--s--x 1 root lp
(Must be s to print as user).

lp0 is crw-r--r-- 1 root root

chmod a+w lp0 did not help (crw-rw-rw-) nor did chmod 777 (crwxrwxrwx). lp0 works for root except with lpr.
In order to work as user I have had to change permissions on /dev/null (w), ttyp* and ptyp* (rw), set suid XVESA and anything svgalib (links2, zgv, gs), make /var/lock writeable, make any scripts suid or executable as user, etc. An education. I can now suid user (or login as user), dial, load Xvesa, icewm, and rxvt and Opera and print as user.
ssh still says 'host key verification failed' though telnet works.
I would like to quit struggling with permissions every time I try to work as user, and be able to print as root. I do know I should not work as root online but I am not running any servers while online with my modem. If you scold me please explain why.
Also BL3.40 comes with only root not user, so it would be helpful to print as root. Both distributions were designed to be used as root, and the author is therefore not interested in solving the problem.
No other distribution seems to have this problem. I read your knowledge base and various HOWTOs.
Does lpr depend on some other program, library, or device that I need to change permissions for? Can YOU print with lpr as root?
Back around 2002 you explained how to use a 2-floppy disk Basiclinux 1 with mdacon when I had no modprobe or telinit. I am typing this on my dual-head system on the amber TTL monitor. You also helped me with OSS and I can now record midi files from the 1986 Yamaha electronic piano to libc5 Rosegarden.
Sindi Keesan
Kapil Hari Paranjape [kapil at imsc.res.in]
Hello,
On Thu, 25 Jan 2007, Sindi Keesan wrote:
> (I am sending a copy to one of our list members who has tried to figure
> out this lpr problem, as well as to The Answer Gang.
Oops. Did I forget to include the list in my reply? Sorry about that.
> What I want help with is printing as root so I won't need to jump
> through hoops to get every program working as 'user'. I must not
> have made this clear.
I understand that you want to avoid doing things as "root" and prefer to do things as "user". That is a very good thing!
> There is no .perm file listed in the lpr.tgz package which I added.
> I don't think we have LPRng.
I'm still not clear on which print package you have. Perhaps it is the "classical" BSD lpr package. I don't recall that package disabling printing as root. However, this may have been added as a security measure --- explanation follows:
1. Some printing filters like "gs" are interpreters for the programming language that describes the page that they are about to print.
2. Files to be printed should then be treated as programs for these interpreters.
3. Since printing by "root" would lead (possibly inadvertently) to the execution of these "programs" it is often disabled.
> >> ssh still says 'host key verification failed' though telnet works.
>
> The key works for root, not user.
I didn't understand this. Which key works? Just a quick explanation of ssh host keys:
1. Each SSH server has a key called the "host" key.
2. When a client connects to the server it tries to verify this host key in order to ensure that it is connecting to the correct server by comparing the key presented to it with the key in its "known_hosts" file.
3. Users often ignore this verification by using

rm ~/.ssh/known_hosts

or

ssh -o UserKnownHostsFile=/dev/null server-name

Of course this defeats half of the security of SSH.
4. A better solution is to add the correct host key to the known hosts file.
I have simplified this somewhat but perhaps not too significantly!
Hope this helps,
Kapil.

--
Sindi Keesan [keesan at grex.cyberspace.org]
On Thu, 25 Jan 2007, Kapil Hari Paranjape wrote:
>> What I want help with is printing as root so I won't need to jump
>> through hoops to get every program working as 'user'. I must not have
>> made this clear.
>
> I understand that you want to avoid doing things as "root" and prefer
> to do things as "user". That is a very good thing!
No, I want to do everything as root (which is how our distributions were designed to work) and nothing as user, which is much more complicated to set up. Right now I need to suid user to print with lpr.
>> I don't think we have LPRng.
> I'm still not clear on which print package you have. Perhaps it is > the "classical" BSD lpr package. I don't recall that package
The lpr man page refers to BSD4.
> disabling printing as root. However, this may have been added as a
> security measure --- explanation follows:
> 1. Some printing filters like "gs" are interpreters for the
> programming language that describes the page that they are
> about to print.
> 2. Files to be printed should then be treated as programs
> for these interpreters.
> 3. Since printing by "root" would lead (possibly
> inadvertently) to the execution of these "programs" it is
> often disabled.
How is it disabled?
gs works as root if I print from the command line. lpr does not.
As root, I can print to a .ps file instead of the printer, and then print the .ps file with gs. But I am setting up small linuxes for friends who just want to print formatted files directly with a wordprocessor or browser, and it is complicated to make our linux work as user for every program when it is designed to be used as root only.
>>>> ssh still says 'host key verification failed' though telnet works.
>>
>> The key works for root, not user.
After it did not work for 'user' without known_hosts, I copied known_hosts from /root/.ssh to /home/user/.ssh without changing the permissions.
> I didn't understand this. Which key works? Just a quick explanation
> of ssh host keys:
> 1. Each SSH server has a key called the "host" key.
> 2. When a client connects to the server it tries to verify
> this host key in order to ensure that it is connecting to the
> correct server by comparing the key presented to it with the
> key in its "known_hosts" file.
> 3. Users often ignore this verification by using
> rm ~/.ssh/known_hosts
I tried deleting this file again. It won't work with or without it. Thanks for the explanation.
> or
> ssh -o UserKnownHostsFile=/dev/null server-name
> Of course this defeats half of the security of SSH
> 4. A better solution is to add the correct host key to the
> known hosts file.
This happened automatically when I went to any new URL as root. I was asked first whether to add that key. User was not asked whether to add a key and may not have the right to. Do I need to change permissions on the known_hosts file from /root/.ssh to use it as user?
> I have simplified this somewhat but perhaps not too significantly!
>
> Hope this helps,
Yes, I am starting to understand ssh, but not lpr ;=(
Running Linux lists a lot of permissions for printing-related files and user seems to always have more permissions than root. I have been changing permissions on one or two files at a time in /var/spool. Maybe I need to change several at once?
Would you like a complete list of permissions for /var/spool/* ?
Sindi Keesan
Kapil Hari Paranjape [kapil at imsc.res.in]
Hello,
On Thu, 25 Jan 2007, Sindi Keesan wrote:
> > 3. Since printing by "root" would lead (possibly
> > inadvertently) to the execution of these "programs" it is
> > often disabled.
>
> How is it disabled?
In one of (at least) three ways that I know of:
a. When lpr is run it checks whether it is being run as root and in that case it just drops the job.
b. When lpr is run it checks whether it is being run as root and in that case it refuses to use any filters.
c. The filters themselves check to see whether they are being run as root and in that case they refuse to run.

I believe that (b) is quite common.
> But I am setting up small linuxes for friends who
> just want to print formatted files directly with a wordprocessor or
> browser, and it is complicated to make our linux work as user for every
> program when it is designed to be used as root only.
As Ben has already pointed out: Running everything as root especially when the users are non-technical is probably not very safe.
> This happened automatically when I went to any new URL as root. I was
> asked first whether to add that key. User was not asked whether to add a
> key and may not have the right to. Do I need to change permissions on
> the known_hosts file from /root/.ssh to use it as user?

Certainly, if the user wants to write to that file. The SSH client probably wants to do this on behalf of the user if the user home directory is set as /root.
I still feel that you are conflating a lot of different issues:
a. Permissions (Running as root vs. running as user.)
b. Problems with lpr.
c. Problems with ssh.

If you separated out these issues it might be easier to diagnose and solve the problems. (a) and (b) may be related but I tend to think that this is a configuration/program issue rather than a permissions issue. There may be a relation between (a) and (c) but again this may be because the $HOME directory of the user is configured in a non-standard way. (b) and (c) are most probably[*] un-related.
However, here is a general remark. Given the security-related history of "lpr" and the security-related use of "ssh", both are probably quite finicky about file permissions and access and will often refuse to run or give dire warnings (in their default configuration) if they find something "screwy" like unusual permissions on a directory or file.
Regards,
Kapil.
[*] I originally wrote "certainly" but the mathematician in me prevailed to make it "most probably"
--
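Kapil's remark that ssh is finicky about file permissions can be made concrete. The script below is an added example and is not part of this thread or of BasicLinux: it reports the conditions under which the ssh client or sshd stops trusting a ~/.ssh directory (entries not owned by the user, group- or world-writable entries, private keys readable by anyone else), which is the first thing to look at when ssh works for root but not for a user whose known_hosts was copied from /root/.ssh. It assumes GNU coreutils stat and bash; the function and variable names are its own.

```shell
#!/bin/bash
# Added example: sanity-check a user's ~/.ssh before blaming host keys.
# Assumes GNU coreutils stat (-c) and bash arithmetic; both are assumptions
# about the target system, not facts taken from the thread.
#
# Usage: check_ssh_dir HOME_DIR UID
# Prints one line per problem and returns the number of problems found.

check_ssh_dir() {
    local uid=$2 sshdir=$1/.ssh
    local problems=0 path owner mode

    if [ ! -d "$sshdir" ]; then
        echo "missing directory: $sshdir"
        return 1
    fi

    for path in "$sshdir" "$sshdir"/*; do
        [ -e "$path" ] || continue
        owner=$(stat -c %u "$path")
        mode=$(stat -c %a "$path")

        # A file the user does not own is useless to the ssh client: it
        # cannot append new host keys to a root-owned known_hosts, for one.
        if [ "$owner" != "$uid" ]; then
            echo "wrong owner (uid $owner, want $uid): $path"
            problems=$((problems + 1))
        fi

        # ssh refuses ~/.ssh/config, and sshd with StrictModes refuses
        # authorized_keys, when the directory or file is writable by others.
        if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then
            echo "group/world writable (mode $mode): $path"
            problems=$((problems + 1))
        fi

        # Private keys: ssh ignores them if any group/other bit is set.
        case ${path##*/} in
            id_*.pub) ;;   # the public half is meant to be readable
            id_*)
                if [ $(( 8#$mode & 8#077 )) -ne 0 ]; then
                    echo "private key readable by others (mode $mode): $path"
                    problems=$((problems + 1))
                fi
                ;;
        esac
    done

    return "$problems"
}

# Run stand-alone as: ./check_ssh_dir.sh /home/user [uid]
if [ $# -gt 0 ]; then
    check_ssh_dir "$1" "${2:-$(id -u)}"
fi
```

Running it as `./check_ssh_dir.sh /home/user 1000` on the setup described above would report the root-owned known_hosts straight away; a clean run exits 0.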
Sindi Keesan [keesan at grex.cyberspace.org]
On Thu, 25 Jan 2007, Kapil Hari Paranjape wrote:
> Hello,
>
> On Thu, 25 Jan 2007, Sindi Keesan wrote:
>>> 3. Since printing by "root" would lead (possibly
>>> inadvertently) to the execution of these "programs" it is
>>> often disabled.
>>
>> How is it disabled?
>
> In one of (at least) three ways that I know of:
> a. When lpr is run it checks whether it is being run
> as root and in that case it just drops the job.
> b. When lpr is run it checks whether it is being run
> as root and in that case it refuses to use any filters.
> c. The filters themselves check to see whether they are
> being run as root and in that case they refuse to run.
> I believe that (b) is quite common.
I hope it is just a permissions problem.
>> But I am setting up small linuxes for friends who
>> just want to print formatted files directly with a wordprocessor or
>> browser, and it is complicated to make our linux work as user for every
>> program when it is designed to be used as root only.
>
> As Ben has already pointed out: Running everything as root especially
> when the users are non-technical is probably not very safe.
I will try to set them up as user. But I can always reinstall the 40MB of software if they break it (and keep a backup .tgz of it on their drive in a DOS partition).
>> This happened automatically when I went to any new URL as root. I was
>> asked first whether to add that key. User was not asked whether to add a
>> key and may not have the right to. Do I need to change permissions on
>> the known_hosts file from /root/.ssh to use it as user?
>
> Certainly, if the user wants to write to that file. The SSH client
> probably wants to do this on behalf of the user if the user home
> directory is set as /root.
known_hosts is -rw------- 1 root root

I copied it to /home/user/.ssh. I did a chown known_hosts user and now my error message is

Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive)

I do not need to run ssh as user, I was just using it as an example of how much more complicated it is to make things work as user in our distribution.
> I still feel that you are conflating a lot of different issues:
>
> a. Permissions (Running as root vs. running as user.)

Not necessary if I can get lpr to run as root.

> b. Problems with lpr.

This is what I wanted help with.

> c. Problems with ssh.
>
> If you separated out these issues it might be easier to diagnose and
> solve the problems. (a) and (b) may be related but I tend to think
> that this is a configuration/program issue rather than a permissions
> issue. There may be a relation between (a) and (c) but again this
> may be because the $HOME directory of the user is configured in a
> non-standard way. (b) and (c) are most probably[*] un-related.

> However, here is a general remark. Given the security-related history
> of "lpr" and the security-related use of "ssh", both are probably
> quite finicky about file permissions and access and will often refuse
> to run or give dire warnings (in their default configuration) if they
> find something "screwy" like unusual permissions on a directory or
> file.
Lots of things in our distribution are screwy. But it boots in 15 seconds and works well (once you get it working) on old hardware. I am trying to make the old hardware work for friends who want to print webpages.
Sindi Keesan
Kapil Hari Paranjape [kapil at imsc.res.in]
On Thu, 25 Jan 2007, Sindi Keesan wrote:
> On Thu, 25 Jan 2007, Kapil Hari Paranjape wrote:
> > I understand that you want to avoid doing things as "root" and prefer
> > to do things as "user". That is a very good thing!
>
> No, I want to do everything as root (which is how our distributions were
> designed to work) and nothing as user, which is much more complicated to
> set up. Right now I need to suid user to print with lpr.
But you don't need a password to do that. So you can just do something like

alias lpr 'su user lpr'

and your problem is solved!
As root you can do "su user" whenever you want to do less powerful things.
As user you can do "sudo" whenever you want to do more powerful things.
The difference is like that between a democracy, where the chief executive can occasionally assume emergency powers, and a monarchy, where the ruler sometimes travels "incognito" to gauge the mood of the people.
Regards,
Kapil.

--
Sindi Keesan [keesan at grex.cyberspace.org]
The author of Basiclinux suggested making a script ps-print and filling it in as 'printer program' in Opera instead of using 'lp' or another filter used by printcap, and printing with gs but without lpr (or su, or user, or adduser, or changes in permissions). It works.
gs -q -dSAFER -sDEVICE=deskjet -r300x300 -sPAPERSIZE=letter -sOutputFile=- - > /dev/lp0

It worked (even with a missing space after letter).
I use the same script but with < $1 before the > to print ps or pdf from the command line. Or I convert a pdf or an image to a pbm and print with pbmtolj.
We have a script for printing plain text (involving dos2unix and cat). On an inkjet printer you may need to hit the paper feed button.
I am still curious why lpr won't work as root.
I will attempt to fix the permissions for ssh to work as user, and maybe use opera su user. Lynx and links already work for user without permission changes.
Thanks,
Sindi Keesan
Benjamin A. Okopnik [ben at linuxgazette.net]
On Thu, Jan 25, 2007 at 11:38:55PM -0500, Sindi Keesan wrote:
> The author of Basiclinux suggested making a script ps-print and filling it
> in as 'printer program' in Opera instead of using 'lp' or another filter
> used by printcap, and printing with gs but without lpr (or su, or user, or
> adduser, or changes in permissions). It works.
>
> gs -q -dSAFER -sDEVICE=deskjet -r300x300 -sPAPERSIZE=letter -sOutputFile=-
> - > /dev/lp0
>
> It worked (even with a missing space after letter).
This may handle printing from Opera, but I doubt that it will handle the general problem of printing as root. E.g., printing an image or a PDF isn't going to work with the above method.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
Sindi Keesan [keesan at grex.cyberspace.org]
On Fri, 26 Jan 2007, Benjamin A. Okopnik wrote:
> On Thu, Jan 25, 2007 at 11:38:55PM -0500, Sindi Keesan wrote:
>> The author of Basiclinux suggested making a script ps-print and filling it
>> in as 'printer program' in Opera instead of using 'lp' or another filter
>> used by printcap, and printing with gs but without lpr (or su, or user, or
>> adduser, or changes in permissions). It works.
>>
>> gs -q -dSAFER -sDEVICE=deskjet -r300x300 -sPAPERSIZE=letter -sOutputFile=-
>> - > /dev/lp0
>
> This may handle printing from Opera, but I doubt that it will handle the
> general problem of printing as root. E.g., printing an image or a PDF
> isn't going to work with the above method.
It printed a PDF file with xpdf when I entered ps-print as the printer command (rather than lp). Should work with Abiword similarly because Abiword converts to ps to print.
I print images with netpbm's pbmtolj after converting to pbm format. (I print color photos at the store on rare occasions.) But xv probably also converts to ps so would work with this script.
I just compiled convertors for Excel and Powerpoint formats to HTML and Opera can print HTML (via ps). Abiword can display/print RTF. To print WORD files I used pdfonline (via lynx at the shell account where I get mail) to convert to pdf first, and then downloaded the pdf files from my shell account, after Antiword could not handle complex formatting that I was required to preserve.
Antiword does a perfect job with other character sets in WORD, which WORD cannot export properly to text.
Who needs OpenOffice?
Someone will send me some format I cannot handle, I am sure.
Sindi Keesan
Benjamin A. Okopnik [ben at linuxgazette.net]
On Wed, Jan 24, 2007 at 11:43:43AM -0500, Sindi Keesan wrote:
> cat filename > /dev/lp0 works for root, so does gs used CLI without lpr,
> or pbmtolj from netpbm.
>
> lpr used from Opera, lpr filename or even cat filename | lpr work for
> 'user', but for root they do not send anything to the print queue (lpq
> shows no entries). No error messages. I just get another prompt.
>
> Permissions for lpr are unchanged from Slackware 7.1:
> -r-s--s--x 1 root lp
> (Must be s to print as user).
>
> lp0 is crw-r--r-- 1 root root
Just for comparison, mine are
ben at Fenrir:~$ ls -l `which lpr` /dev/lp0
crw-rw---- 1 root lp 6, 0 2004-04-28 23:43 /dev/lp0
-rwxr-xr-x 1 root root 9888 2006-11-17 20:46 /usr/bin/lpr

At least a little different - although that's not necessarily the cause.
> chmod a+w lp0 did not help (crw-rw-rw-) nor did chmod 777 (crwxrwxrwx).
> lp0 works for root except with lpr.
>
> In order to work as user I have had to change permissions on /dev/null
> (w), ttyp* and ptyp* (rw), set suid XVESA and anything svgalib (links2,
> zgv, gs), make /var/lock writeable, make any scripts suid or executable as
> user, etc. An education. I can now suid user (or login as user), dial,
> load Xvesa, icewm, and rxvt and Opera and print as user.
It sounds like BasicLinux still needs a bit of refining.
> ssh still says 'host key verification failed' though telnet works.
The two are, of course, unrelated.
> I would like to quit struggling with permissions every time I try to work
> as user, and be able to print as root. I do know I should not work as
> root online but I am not running any servers while online with my modem.
> If you scold me please explain why.
No scolding, but just a note: as root, one tiny mistype is all it takes to wipe out your system. As well, any programs you execute that create an externally-accessible network socket (are you sure you know what all of those are?) are running with root privileges - meaning that if someone manages to crack one, they 0wn your system.
So, I'm not going to say "don't do that". I'm just going to note that the cost of doing so can be rather high.
> Does lpr depend on some other program, library, or device that I need to
> change permissions for?
Maybe - or maybe not, depending on how yours is configured and what version of "lpr" you're using (in theory, you can minimize external processing by trying to print a plain text file, e.g., '/etc/passwd'.) In any case, it's a question that you yourself can answer by executing "lpr" with "strace", something like this:
ben at Fenrir:~$ su -
Password:
root at Fenrir:~# strace -o lpr.out /usr/bin/lpr file

After that, read the resulting file ('lpr.out', in the above case) and see where things failed. If you need a baseline for comparison, you can always run the above "strace" line as a non-root user.
> Can YOU print with lpr as root?
Yep. I don't recall that ever being a problem, although I've seen the opposite happen.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
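To make the strace comparison Ben suggests less painful, here is an added example, not Ben's code and not from the thread: a small shell script that pulls the failing system calls out of an `strace -o` log and tallies them, so that a root run and a user run can be diffed on the few lines that matter rather than on a couple of pages of output. It assumes the default strace output format (optionally with the PID column that `-f` adds) and the usual grep, sed and awk; the function names are its own.

```shell
#!/bin/bash
# Added example: pick the failing system calls out of an strace log so that
# two runs (root vs. user) can be compared without reading every line.
# Expects the plain "strace -o FILE cmd" format, optionally with the PID
# prefix that "strace -f" adds. Function names are this example's own.

# strace_failures LOG
# Prints: syscall errno first-string-argument (usually the path or socket)
strace_failures() {
    grep -E '^([0-9]+ +)?[a-z0-9_]+\(.*\) += -1 E[A-Z]+' "$1" |
    sed -E 's/^[0-9]+ +//' |
    awk '{
        call = $0; sub(/\(.*/, "", call)          # text before the first "("
        n = split($0, parts, / = -1 /)            # everything after the result
        split(parts[n], e, " "); err = e[1]       # errno name, e.g. EACCES
        arg = "-"
        if (match($0, /"[^"]*"/))                 # first quoted argument
            arg = substr($0, RSTART + 1, RLENGTH - 2)
        printf "%-10s %-14s %s\n", call, err, arg
    }'
}

# strace_failure_counts LOG
# The same data aggregated per (syscall, errno), most frequent first. This
# separates one EACCES on a spool file from the dozens of harmless ENOENTs
# the dynamic loader produces while it searches for libraries.
strace_failure_counts() {
    strace_failures "$1" | awk '{ print $1, $2 }' | sort | uniq -c | sort -rn
}

# strace_failures_errno LOG ERRNO   -- only the calls that failed with ERRNO
strace_failures_errno() {
    strace_failures "$1" | awk -v e="$2" '$2 == e'
}

# Run stand-alone as: ./strace_failures.sh lpr.out [ERRNO]
if [ $# -gt 0 ]; then
    if [ $# -gt 1 ]; then
        strace_failures_errno "$1" "$2"
    else
        strace_failure_counts "$1"
        echo
        strace_failures "$1"
    fi
fi
```

With the two logs from the thread one would run `./strace_failures.sh lpr.out EACCES` and `./strace_failures.sh lpr2.out EACCES` and compare the lists; a spool file or device that root is denied and the user is not would show up directly.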
Rick Moen [rick at linuxmafia.com]
Quoting Benjamin A. Okopnik (ben at linuxgazette.net):
> > I would like to quit struggling with permissions every time I try to work
> > as user, and be able to print as root. I do know I should not work as
> > root online but I am not running any servers while online with my modem.
> > If you scold me please explain why.
>
> No scolding, but just a note: as root, one tiny mistype is all it takes
> to wipe out your system. As well, any programs you execute that create
> an externally-accessible network socket (are you sure you know what all
> of those are?) are running with root privileges - meaning that if
> someone manages to crack one, they 0wn your system.
>
> So, I'm not going to say "don't do that". I'm just going to note that
> the cost of doing so can be rather high.
Also, I'd like to point out that the Unix world was ecstatic about the rise of CUPS specifically because it allowed us to finally get rid of lpd / lprNG, which was hopeless spaghetti code, derived from ancient BSD efforts among nameless student coders at University of California at Berkeley. One of the worst of the many bad aspects of lpd / lprNG is that its security profile and history were and are utterly dreadful.
Using either BSD lpd or its lprNG offshoot is, by itself, cause for alarm. Using it on a machine where you purposefully do everything as root seems to be not only courting catastrophe but also sending out formal catastrophe invitations and publishing announcements in the local catastrophe newsletter.
-- "Is it not the beauty of an asynchronous form of discussion that one can go and make cups of tea, floss the cat, fluff the geraniums, open the kitchen window and scream out it with operatic force, volume, and decorum, and then return to the vexed glowing letters calmer of mind and soul?" -- The Cube, forum3000.org
Benjamin A. Okopnik [ben at linuxgazette.net]
On Thu, Jan 25, 2007 at 09:38:24PM -0500, Sindi Keesan wrote:
> On Thu, 25 Jan 2007, Benjamin A. Okopnik wrote:
>
> >No scolding, but just a note: as root, one tiny mistype is all it takes
> >to wipe out your system. As well, any programs you execute that create
> >an externally-accessible network socket (are you sure you know what all
> >of those are?) are running with root privileges - meaning that if
> >someone manages to crack one, they 0wn your system.
> >
> >So, I'm not going to say "don't do that". I'm just going to note that
> >the cost of doing so can be rather high.
>
> I have the same system on several computers so can easily restore it.
> My super-duper full-size linux is about 1GB including a lot of music and
> photos and kernel source code. The little one about 100MB.
That's not exactly the point. Skript kiddies aren't interested in destroying your system - they want your resources. E.g., once they crack in, they'll set up a mail relay on your machine and use it to broadcast spam - this is, in fact, how most spam is propagated these days.
> >>Does lpr depend on some other program, library, or device that I need to
> >>change permissions for?
> >
> >Maybe - or maybe not, depending on how yours is configured and what
> >version of "lpr" you're using (in theory, you can minimize external
> >processing by trying to print a plain text file, e.g., '/etc/passwd'.)
> >In any case, it's a question that you yourself can answer by executing
> >"lpr" with "strace", something like this:
> >
> >``
> >ben at Fenrir:~$ su -
> >Password:
> >root at Fenrir:~# strace -o lpr.out /usr/bin/lpr file
> >''
>
> I had to download the strace.tgz package first. Running it from a
> temporary directory without installing the package.
>
> ptrace: umoven: Input/output error (four lines of this).
>
> But it made lpr.out, a couple pages or more.
>
> >After that, read the resulting file ('lpr.out', in the above case) and
> >see where things failed. If you need a baseline for comparison, you can
> >always run the above "strace" line as a non-root user.
>
> I can't make much sense of the results.
> See attached lpr.out (root) and lpr2.out (user).
I'm afraid you forgot to attach them - but attaching large files to list email is a bad idea anyway. Put them up somewhere (if you don't have web space of your own, you can use, e.g., http://www.filewind.com/) and send us the URLs.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
Sindi Keesan [keesan at grex.cyberspace.org]
>> I have the same system on several computers so can easily restore it.
>> My super-duper full-size linux is about 1GB including a lot of music and
>> photos and kernel source code. The little one about 100MB.
>
> That's not exactly the point. Skript kiddies aren't interested in
> destroying your system - they want your resources. E.g., once they crack
> in, they'll set up a mail relay on your machine and use it to broadcast
> spam - this is, in fact, how most spam is propagated these days.
Please explain how they can get into my linux system when I am dialed in via modem, and set up a mail relay that will work when I don't have standard mailing programs. We use a 76K 'pmail' which is nonstandard. I am not running any telnet or ssh servers. Once in a while pure-ftpd or mini-httpd.
95% of the time I use the internet via ssh to a shell account (or direct dial to it).
Nobody has hijacked my system in four years. Unless there are some hidden files I have not run across.
If it were in fact safer to use ssh or browsers as 'user', I would figure out the permissions for that but probably dial as 'root' first. Is that okay?
>> I can't make much sense of the results.
>> See attached lpr.out (root) and lpr2.out (user).
>
> I'm afraid you forgot to attach them - but attaching large files to list
> email is a bad idea anyway. Put them up somewhere (if you don't have web
> space of your own, you can use, e.g., http://www.filewind.com/) and send
> us the URLs.
http://www.grex.org/~keesan/lpr.out (root)
http://www.grex.org/~keesan/lpr2.out (user)
About 8K each.
The problem has become purely academic, since I will not be using lpr now that I can print with a script directly with gs.
Sindi Keesan
Kapil Hari Paranjape [kapil at imsc.res.in]
Hello,
On Fri, 26 Jan 2007, Sindi Keesan wrote:
> Nobody has hijacked my system in four years. Unless there are some hidden > files I have not run across.
Whatever works for you is of course what you should choose.
The following is a suggestion not to you specifically but to all those who ask questions on lists like this one.
Generally speaking the more "finely localised and tuned" the system, the harder it is to find someone to diagnose its problems over e-mail/IRC/Usenet.
For example, someone could make some tweaks to the Linux kernel so that it ignores access control (both for filesystems and processes) entirely. A system built with this "feature" might even be significantly smaller than the existing system as a number of utilities and library calls would be eliminated. But I think that a question about such a system could not really be called a "GNU/Linux system question" as most people answering would be mislead by this title.
I believe (and it is only a belief since I have not actually tried to build such a system recently[*]) that it is possible to take "standard" components of a "standard" distribution like Debian and build a "small" distribution which is standard-enough so that questions about it would be answerable by a large number of people and which is small enough to boot on old hardware.
Regards,
Kapil.
[*] The last time I built such a system was in 1996 when we had a single floppy boot of an "Xterm on a 386" --- it was built using Debian 0.9x.

--
Kapil Hari Paranjape [kapil at imsc.res.in]
Hello,
On Wed, 24 Jan 2007, Sindi Keesan wrote:
> http://www.ibiblio.org/pub/linux/distributions/baslinux
> Current version 3.40 based on Slackware 4.0 and uClibc
>
> http://www.ibiblio.org/pub/linux/distributions/baslinux/bl2/index.htm
> Previous version 2.1 based on Slackware 7.1
>
> Basiclinux 2.1 comes with a 'user', 3.40 does not.
I'm sure this has been suggested and tried but it would be nice to know the outcome.
"Can't we just add the user after booting the system?"
> lpr used from Opera, lpr filename or even cat filename | lpr work for
> 'user', but for root they do not send anything to the print queue (lpq
> shows no entries). No error messages. I just get another prompt.
The problem may be that "root" and other system accounts are prevented from printing. I know that this is possible in some print systems like LPRng for example. There is ".perm" file that lists those you are allowed/disallowed.
> ssh still says 'host key verification failed' though telnet works.
This may mean that you have the wrong key in your $HOME/.ssh/known_hosts or /etc/ssh/known_hosts. You might be able to remove the offending entry from this file with
ssh-keygen -R "the name of the host you are trying to connect to"

Though all the problems that you list are in one sense or another "permission problems" they seem to originate from different causes.
Regards,
Kapil.

--
Rick Moen [rick at linuxmafia.com]
----- Forwarded message from Sindi Keesan <keesan at grex.cyberspace.org> -----
Date: Thu, 25 Jan 2007 22:15:47 -0500 (EST)
From: Sindi Keesan <keesan@grex.cyberspace.org>
To: TAG <tag@lists.linuxgazette.net>
To: Rick Moen <rick at linuxmafia.com>
Subject: Re: [TAG] lpr works for user not root in Basiclinux 2.1

On Thu, 25 Jan 2007, Rick Moen wrote:

> Courtesy copy, just in case you're not on the mailing list (though you
> probably are).
This is the only copy I got of this mail from rick. I am not on a TAG mailing list.
>
> ----- Forwarded message from rick -----
>
> Date: Thu, 25 Jan 2007 13:34:39 -0800
> To: tag at lists.linuxgazette.net
> Subject: Re: [TAG] lpr works for user not root in Basiclinux 2.1
>
> Quoting Benjamin A. Okopnik (ben at linuxgazette.net):
>
>>> I would like to quit struggling with permissions every time I try to work
>>> as user, and be able to print as root. I do know I should not work as
>>> root online but I am not running any servers while online with my modem.
>>> If you scold me please explain why.
>>
>> No scolding, but just a note: as root, one tiny mistype is all it takes
>> to wipe out your system. As well, any programs you execute that create
>> an externally-accessible network socket (are you sure you know what all
>> of those are?) are running with root privileges - meaning that if
>> someone manages to crack one, they 0wn your system.
>>
>> So, I'm not going to say "don't do that". I'm just going to note that
>> the cost of doing so can be rather high.
I don't even know what a network socket is. Nobody in their right mind would want my system. The software is 8 years out of date (the hardware is older than that) and the connection is dialup. Should I be worried anyway?
>Also, I'd like to point out that the Unix world was ecstatic about the
>rise of CUPS specifically because it allowed us to finally get rid of
>lpd / lprNG, which was hopeless spaghetti code, derived from ancient BSD
>efforts among nameless student coders at University of California at
>Berkeley. One of the worst of the many bad aspects of lpd / lprNG is
>that its security profile and history were and are utterly dreadful.
Do I need security to print on my own single-user system?
>Using either BSD lpd or its lprNG offshoot is, by itself, cause for
>alarm. Using it on a machine where you purposefully do everything as
>root seems to be not only courting catastrophe but also sending out
>formal catastrophe invitations and publishing announcements in the
>local catastrophe newsletter.
No catastrophes have occurred among any of our distribution's users yet that I know of, in 4 years or so, apart from hardware failures. I have the same files on several computers in case I need to restore everything.
CUPS is said to be useful in a local network that has both linux and Windows computers. My win98 hard drive died a while ago and I never printed with Windows.
If I want to switch printers I use a printer switch box, and the deskjet driver works for both the deskjet and the laserjet. I use the dot-matrix printer only with plain text files (cat textfile > /dev/lp0 as root). I print images with pbmtolj (netpbm), as root.
The people we are giving 200MHz computers to don't have networks. But they do need to print formatted papers for school, and webpages.
I don't think I need CUPS.
>----- End forwarded message -----
Sindi Keesan
----- End forwarded message -----
Benjamin A. Okopnik [ben at linuxgazette.net]
On Fri, Jan 26, 2007 at 02:09:35AM -0800, Sindi Keesan wrote:
> > I don't even know what a network socket is.
That's pretty much my point. The majority of those who run their machines as root literally have no idea of how exposed and vulnerable they are.
Sockets and ports are methods by which local and remote clients can connect to your machine. Try running 'netstat'; this will show you a list of your currently-open sockets and ports.
> Nobody in their right mind
> would want my system. The software is 8 years out of date (the hardware
> is older than that) and the connection is dialup. Should I be worried
> anyway?
See my earlier point about resources. There are Russian and Polish companies (and probably lots of others, but those seem to be at the forefront) who will sell you their spam-distribution services and boast of "thousands of 'captured' machines" that they use for the purpose. It's a popular dodge for spammers these days, since it essentially counters IP blocking.
> >Also, I'd like to point out that the Unix world was ecstatic about the
> >rise of CUPS specifically because it allowed us to finally get rid of
> >lpd / lprNG, which was hopeless spaghetti code, derived from ancient BSD
> >efforts among nameless student coders at University of California at
> >Berkeley. One of the worst of the many bad aspects of lpd / lprNG is
> >that its security profile and history were and are utterly dreadful.
>
> Do I need security to print on my own single-user system?
I don't know how to emphasize this enough, but given that a very large percentage of system break-ins in the past occurred via 'lpr/lprng', the answer is a very definite "YES".
> The people we are giving 200MHz computers to don't have networks. But
> they do need to print formatted papers for school, and webpages.
>
> I don't think I need CUPS.
Given the above, why are you using a print server/scheduler at all? I ran my system with nothing more than 'magicfilter' and a script to send it to the appropriate filter for a couple of years when I was in a similar situation, and it worked fine.
--
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
Sindi Keesan [keesan at grex.cyberspace.org]
On Fri, 26 Jan 2007, Benjamin A. Okopnik wrote:
> On Fri, Jan 26, 2007 at 02:09:35AM -0800, Sindi Keesan wrote:
>>
>> I don't even know what a network socket is.
>
> That's pretty much my point. The majority of those who run their
> machines as root literally have no idea of how exposed and vulnerable
> they are.
>
> Sockets and ports are methods by which local and remote clients can
> connect to your machine. Try running 'netstat'; this will show you a
> list of your currently-open sockets and ports.
bash: netstat: command not found

You are making too many assumptions about my linux ;=)
>> Nobody in their right mind
>> would want my system. The software is 8 years out of date (the hardware
>> is older than that) and the connection is dialup. Should I be worried
>> anyway?
> See my earlier point about resources. There are Russian and Polish
> companies (and probably lots of others, but those seem to be at the
> forefront) who will sell you their spam-distribution services and boast
> of "thousands of 'captured' machines" that they use for the purpose.
> It's a popular dodge for spammers these days, since it essentially
> counters IP blocking.
I thought they went after broadband. And Windows. How exactly would they attack a linux machine using dialup internet, without me noticing?
I do most of my browsing and emailing via a shell account to which I ssh as root. Am I still vulnerable to attack?
>>> Also, I'd like to point out that the Unix world was ecstatic about the
>>> rise of CUPS specifically because it allowed us to finally get rid of
>>> lpd / lprNG, which was hopeless spaghetti code, derived from ancient BSD
>>> efforts among nameless student coders at University of California at
>>> Berkeley. One of the worst of the many bad aspects of lpd / lprNG is
>>> that its security profile and history were and are utterly dreadful.
>>
>> Do I need security to print on my own single-user system?
>
> I don't know how to emphasize this enough, but given that a very large
> percentage of system break-ins in the past occurred via 'lpr/lprng', the
> answer is a very definite "YES".
I had not been using lpr until now and now have a script to print with using gs directly, tested in Opera and xpdf.
>
>> The people we are giving 200MHz computers to don't have networks. But
>> they do need to print formatted papers for school, and webpages.
>>
>> I don't think I need CUPS.
>
> Given the above, why are you using a print server/scheduler at all? I
> ran my system with nothing more than 'magicfilter' and a script to send
> it to the appropriate filter for a couple of years when I was in a
> similar situation, and it worked fine.
I don't know what magicfilter is, but I have a script that will let me print from within X programs now, and don't even need a filter. A few years ago people using our distribution worked out how to use lpr and printcap, but there is no need for them now. I guess I should stop being curious why lpr won't work for root.
Now I need to figure out why your email ended up in my spam folder....
Sindi Keesan
Benjamin A. Okopnik [ben at linuxgazette.net]
On Fri, Jan 26, 2007 at 01:18:56PM -0500, Sindi Keesan wrote:
> On Fri, 26 Jan 2007, Benjamin A. Okopnik wrote:
>
> >On Fri, Jan 26, 2007 at 02:09:35AM -0800, Sindi Keesan wrote:
> >>
> >>I don't even know what a network socket is.
> >
> >That's pretty much my point. The majority of those who run their
> >machines as root literally have no idea of how exposed and vulnerable
> >they are.
> >
> >Sockets and ports are methods by which local and remote clients can
> >connect to your machine. Try running 'netstat'; this will show you a
> >list of your currently-open sockets and ports.
>
> bash: netstat: command not found
>
> You are making too many assumptions about my linux ;=)
Perhaps you're making too few assumptions about the necessary tools that
belong on a Linux box.
> >> Nobody in their right mind
> >>would want my system. The software is 8 years out of date (the hardware
> >>is older than that) and the connection is dialup. Should I be worried
> >>anyway?
>
> >See my earlier point about resources. There are Russian and Polish
> >companies (and probably lots of others, but those seem to be at the
> >forefront) who will sell you their spam-distribution services and boast
> >of "thousands of 'captured' machines" that they use for the purpose.
> >It's a popular dodge for spammers these days, since it essentially
> >counters IP blocking.
>
> I thought they went after broadband. And Windows. How exactly would they
> attack a linux machine using dialup internet, without me noticing?
None of these attacks would be problems if the user on the system
noticed when they happened. They happen without you noticing *by
definition*. As to how, the answer is "via ports and sockets". For a
longer answer, I teach a five-day security course for Sun Microsystems
on that, $3495 per student.
Or you could study up via the resources
available in many places on the Net.
> I do most of my browsing and emailing via a shell account to which I ssh
> as root. Am I still vulnerable to attack?
Are we still talking about your system, or did you just introduce another one into the equation? Every open port and socket that you have is a way for other systems to connect to yours. Each of them has its own pros and cons. I couldn't begin to estimate what your exposure is, except that everything I've heard from you so far tells me that you're pretty vulnerable.
> >>The people we are giving 200MHz computers to don't have networks. But
> >>they do need to print formatted papers for school, and webpages.
> >>
> >>I don't think I need CUPS.
> >
> >Given the above, why are you using a print server/scheduler at all? I
> >ran my system with nothing more than 'magicfilter' and a script to send
> >it to the appropriate filter for a couple of years when I was in a
> >similar situation, and it worked fine.
>
> I don't know what magicfilter is, but I have a script that will let me
> print from within X programs now, and don't even need a filter. A few
> years ago people using our distribution worked out how to use lpr and
> printcap, but there is no need for them now. I guess I should stop being
> curious why lpr won't work for root.
You can find out about "magicfilter" by searching for it, and you have a script that will print some things but not others. I've been answering the question that you asked initially; since you now appear to have changed the question in the middle of the discussion, and since I'm not interested in providing ongoing support for every possible problem in your system, I'm going to call my end of it finished. Good luck.
--
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
Sindi Keesan [keesan at grex.cyberspace.org]
>>> Sockets and ports are methods by which local and remote clients can
>>> connect to your machine. Try running 'netstat'; this will show you a
>>> list of your currently-open sockets and ports.
>>
>> bash: netstat: command not found
>>
>> You are making too many assumptions about my linux ;=)
>
> Perhaps you're making too few assumptions about the necessary tools that
> belong on a Linux box.
I did not create this distribution. Why is netstat necessary? Can I look in some directory under /proc instead? (I do this instead of lspci).
>
>>>> Nobody in their right mind
>>>> would want my system. The software is 8 years out of date (the hardware
>>>> is older than that) and the connection is dialup. Should I be worried
>>>> anyway?
>>
>>> See my earlier point about resources. There are Russian and Polish
>>> companies (and probably lots of others, but those seem to be at the
>>> forefront) who will sell you their spam-distribution services and boast
>>> of "thousands of 'captured' machines" that they use for the purpose.
>>> It's a popular dodge for spammers these days, since it essentially
>>> counters IP blocking.
>>
>> I thought they went after broadband. And Windows. How exactly would they
>> attack a linux machine using dialup internet, without me noticing?
>
> None of these attacks would be problems if the user on the system
> noticed when they happened. They happen without you noticing *by
> definition*. As to how, the answer is "via ports and sockets". For a
> longer answer, I teach a five-day security course for Sun Microsystems
> on that, $3495 per student.
>
> Or you could study up via the resources
> available in many places on the Net.
Can you suggest an online primer on ports and sockets?
>> I do most of my browsing and emailing via a shell account to which I ssh
>> as root. Am I still vulnerable to attack?
> Are we still talking about your system, or did you just introduce
> another one into the equation? Every open port and socket that you have
> is a way for other systems to connect to yours. Each of them has its own
> pros and cons. I couldn't begin to estimate what your exposure is,
> except that everything I've heard from you so far tells me that you're
> pretty vulnerable.
I boot into DOS, thence with loadlin into linux, then dial an ISP, and then ssh to a shell account. Or dial directly to that shell account and ssh to another shell account. I can kermit files from the second shell account to my own computer. What part of this setup is vulnerable and why has nothing bad happened in four years? I am not running any servers (even lpd) on my own computer that I know of. Is Xvesa a server? I think it uses a socket.
>> I don't know what magicfilter is, but I have a script that will let me
>> print from within X programs now, and don't even need a filter. A few
>> years ago people using our distribution worked out how to use lpr and
>> printcap, but there is no need for them now. I guess I should stop being
>> curious why lpr won't work for root.
>
> You can find out about "magicfilter" by searching for it, and you have a
> script that will print some things but not others. I've been answering
> the question that you asked initially; since you now appear to have
> changed the question in the middle of the discussion, and since I'm not
> interested in providing ongoing support for every possible problem in
> your system, I'm going to call my end of it finished. Good luck.
I can print any format that I need to now, with gs or netpbm.
Since I no longer need to print as root with lpr it is indeed time to drop the original discussion. Thanks for all your help, and for pointing out that lpr is a security risk. I will read online about linux and security and maybe ssh as user once I figure out how.
Sindi Keesan
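Sindi's question above (whether something under /proc can replace netstat) has a practical answer: the kernel exposes the socket table as /proc/net/tcp, and netstat itself merely formats it. The script below is an added example for this thread, not a tool from BasicLinux, Slackware, or any poster; it decodes the hex local_address column and reports only sockets in state 0A (LISTEN), which is what matters when asking "what can connect to me?". The embedded table is constructed to look like a box running an X11 server on port 6000 (the case Rick and the BasicLinux author describe later in the thread); it is not captured from any real host.

```python
#!/usr/bin/env python3
"""List listening TCP sockets straight from /proc/net/tcp, without netstat.

Each data row of /proc/net/tcp carries local_address as HEXIP:HEXPORT.
The IPv4 address is written as a host-order 32-bit word (little-endian on
x86), and the 'st' column value 0A means LISTEN.  IPv6 (/proc/net/tcp6)
uses 32-hex-digit addresses and is not decoded here.
"""
from __future__ import annotations

import socket
import struct
from pathlib import Path

LISTEN = "0A"

# Constructed sample in the /proc/net/tcp layout (not from a real system):
# row 0 is an X server listening on *:6000 as root (uid 0),
# row 1 is an established session on 127.0.0.1:22 owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:D3A4 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 00000000 20 4 30 10 -1
"""


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn '0100007F:0016' into ('127.0.0.1', 22)."""
    ip_hex, port_hex = hex_addr.split(":")
    # Pack the 32-bit word little-endian so inet_ntoa sees network byte order.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table_text: str) -> list[dict]:
    """Return the LISTEN rows of a /proc/net/tcp table as dicts."""
    found = []
    for line in table_text.splitlines():
        fields = line.split()
        # Header row has 'st' in column 3, so it is skipped by the state test.
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append({"ip": ip, "port": port, "uid": int(fields[7])})
    return found


def live_listening_sockets(path: str = "/proc/net/tcp") -> list[dict]:
    """Same report for the running kernel; empty list if /proc is absent."""
    table = Path(path)
    return listening_sockets(table.read_text()) if table.exists() else []


if __name__ == "__main__":
    print("constructed sample:")
    for s in listening_sockets(SAMPLE_PROC_NET_TCP):
        owner = "root" if s["uid"] == 0 else f"uid {s['uid']}"
        print(f"  {s['ip']}:{s['port']}  LISTEN  owned by {owner}")
    print("this host:")
    for s in live_listening_sockets():
        print(f"  {s['ip']}:{s['port']}  LISTEN  uid {s['uid']}")
```

A listener on 0.0.0.0 is reachable from any interface, including the dial-up link, whereas one bound to 127.0.0.1 can only be reached from the machine itself; the uid column tells you which account would be compromised if that service were cracked, which is the point Ben makes about running things as root. The same parsing works on /proc/net/udp, where the state of an unconnected socket is 07 rather than 0A.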
Neil Youngman [ny at youngman.org.uk]
> On Fri, Jan 26, 2007 at 01:18:56PM -0500, Sindi Keesan wrote:
> > I thought they went after broadband. And Windows. How exactly would
> > they attack a linux machine using dialup internet, without me noticing?
They would attack a dialup machine in exactly the same way they would attack a broadband machine. How would they know your machine was on dialup? It's just another IP address to them.
Being on Linux is no guarantee either. There are enough Linux servers out there with a lot of bandwidth to be valuable targets and the programs that go scanning for vulnerable machines neither know, nor care, that yours is a puny little 200 MHz machine on dialup.
How would they attack without you noticing? Well, how would you notice? Are you even looking?
Do you monitor the logs? Do you run chkrootkit regularly? Do you monitor portscans?
Neil Youngman
Sindi Keesan [keesan at grex.cyberspace.org]
On Sat, 27 Jan 2007, Neil Youngman wrote:
>> On Fri, Jan 26, 2007 at 01:18:56PM -0500, Sindi Keesan wrote:
>>> I thought they went after broadband. And Windows. How exactly would
>>> they attack a linux machine using dialup internet, without me noticing?
>
> They would attack a dialup machine in exactly the same way they would attack a
> broadband machine. How would they know your machine was on dialup? It's just
> another IP address to them.
Okay. A friend said they could sniff my packets for my login and password. But how would they put any files onto my machine? I am not running lpd, telnetd, ftpd or even httpd. Can they transfer files when I simply run pppd and ssh or lynx?
> Being on Linux is no guarantee either. There are enough Linux servers out
> there with a lot of bandwidth to be valuable targets and the programs that go
> scanning for vulnerable machines neither know, nor care, that yours is a puny
> little 200 MHz machine on dialup.
>
> How would they attack without you noticing? Well, how would you notice? Are
> you even looking?
>
> Do you monitor the logs? Do you run chkrootkit regularly? Do you monitor
> portscans?
/var/log/ shows which packages were installed, not portscan info. We do not have chkrootkit.
I found a Wiki-type entry about portscan, a series of probes sent to one or more ports of a target system looking for information. Most linux distributions don't include the tools to monitor them. (Not just ours).
We have an nmap add-on for scanning hosts on the network and determining which services they are running. Downloaded it. No documentation. 101 pages of man page online. I don't understand much of it.
nmap -A -T4 127.0.0.1 (localhost)
All 1663 scanned ports are closed.

I found lists of open ports at my two shell account providers.
I will ask on our list for instructions.
Sindi Keesan
Neil Youngman [ny at youngman.org.uk]
On or around Saturday 27 January 2007 15:16, Sindi Keesan reorganised a bunch of electrons to form the message:
> Okay. A friend said they could sniff my packets for my login and
> password. But how would they put any files onto my machine? I am not
> running lpd, telnetd, ftpd or even httpd. Can they transfer files when I
> simply run pppd and ssh or lynx?
If your ssh package provides scp or sftp, then yes, if they've cracked your machine they would be able to copy stuff onto it.
> > How would they attack without you noticing? Well, how would you notice?
> > Are you even looking?
> >
> > Do you monitor the logs? Do you run chkrootkit regularly? Do you monitor
> > portscans?
>
> /var/log/ shows which packages were installed not portscan info.
> We do not have chkrootkit.
It sounds like you wouldn't notice.
> I found a Wiki-type entry about portscan, a series of probes sent to one
> or more ports of a target system looking for information. Most linux
> distributions don't include the tools to monitor them. (Not just ours).
>
> We have an nmap add-on for scanning hosts on the network and determining
> which services they are running. Downloaded it. No documentation.
> 101 pages of man page online. I don't understand much of it.
>
> nmap -A -T4 127.0.0.1 (localhost)
> All 1663 scanned ports are closed.
I'm no expert either, but I would say that's encouraging.
Neil
Sindi Keesan [keesan at grex.cyberspace.org]
On Sat, 27 Jan 2007, Neil Youngman wrote:
> On or around Saturday 27 January 2007 15:16, Sindi Keesan reorganised a bunch
> of electrons to form the message:
>> Okay. A friend said they could sniff my packets for my login and
>> password. But how would they put any files onto my machine? I am not
>> running lpd, telnetd, ftpd or even httpd. Can they transfer files when I
>> simply run pppd and ssh or lynx?
> If your ssh package provides scp or sftp, then yes, if they've cracked your
> machine they would be able to copy stuff onto it.
My 'package' consists of ssh.gz and ssh.1 (man page).
>> We have an nmap add-on for scanning hosts on the network and determining
>> which services they are running. Downloaded it. No documentation.
>> 101 pages of man page online. I don't understand much of it.
>>
>> nmap -A -T4 127.0.0.1 (localhost)
>> All 1663 scanned ports are closed.
>
> I'm no expert either, but I would say that's encouraging.
The author of our distribution said to try this while running X (which is a server) and port 6000 was then open. I don't normally run X while I am online. Should I unload X before using ssh or lynx from a console? He advises using our X browser Opera as user. I could also load Xvesa as user.
Sindi Keesan
Rick Moen [rick at linuxmafia.com]
Quoting Sindi Keesan (keesan at grex.cyberspace.org):
> The author of our distribution said to try this while running X (which is
> a server) and port 6000 was then open.
Please see my separate reply to Neil. Starting up the X11 server makes port 6000 and adjoining ports be reachable from localhost.
> I don't normally run X while I am online.
That's really rather pointless as a security measure, except in the sense of minimising the amount of code you're running with root authority -- but you'd be smarter just not to run X11 as root at all.
Rick Moen [rick at linuxmafia.com]
Quoting Neil Youngman (ny at youngman.org.uk):
> > > Do you monitor the logs? Do you run chkrootkit regularly? Do you
> > > monitor portscans?
> >
> > /var/log/ shows which packages were installed not portscan info. We
> > do not have chkrootkit.
>
> It sounds like you wouldn't notice.
Neil, chkrootkit (and/or rkhunter) is probably a good thing to suggest as a retroactive measure for someone like Sindi who might have reason to worry about system security. Although I have problems (to be detailed below) with its general approach, your suggestion is commendable in this (limited) context.
Sindi, one might describe chkrootkit / rkhunter (both of which you can easily find and download) as attempts at "paranoia in a can" -- tools that search your filesystems for patterns of files that typically exist as artifacts/after-effects of intruder breakin activity, e.g., replacements of system facilities with trojaned equivalents, malware installed that keeps UDP-based backdoor methods of re-entry open, etc.
Taking the longer view for a moment, both tools exemplify a losing strategy that Marcus J. Ranum dubs "enumerating badness" in his essay "The Six Dumbest Ideas in Computer Security" -- with that concept qualifying as one of the six: http://www.ranum.com/security/computer_security/editorials/dumb/
The problem with enumerating badness is that it comes in vastly too many varieties, and so you end up knowing only that known, i.e., sloppy and incompetent badness has been found. Which is better than nothing -- but should make one wonder if we can't do better.
I would suggest there definitely is -- but that the superior tools in that area are prospective-looking tools you need to install / configure when the system is new or at least healthy, i.e. file-based intrusion detection systems (IDSes), such as AIDE, Prelude-IDS, Samhain, etc.
It would be good if future distros installed with AIDE configured and issuing daily reports by default -- and less reliance on chkrootkit / rkhunter, which are in the final analysis just glorified virus-checkers, and we can sure do better than that. There are an increasing number of write-ups about how to configure AIDE manually, e.g., http://www.debuntu.org/intrusion-detection-with-aide .
My point about chkrootkit/rkhunter as opposed to IDSes in Sindi's particular situation is that IDSes require a normal-operation baseline for configuration. If you're already worried about intrusion, it's too late to set one up.
> > We have an nmap add-on for scanning hosts on the network and determining
> > which services they are running. Downloaded it. No documentation.
> > 101 pages of man page online. I don't understand much of it.
> >
> > nmap -A -T4 127.0.0.1 (localhost)
> > All 1663 scanned ports are closed.
>
> I'm no expert either, but I would say that's encouraging.
Yes. That's a TCP-port scan of localhost (only one of several major scan modes nmap can do). Ordinarily, I would caution that nmap must always be run from a nearby-on-network node (which, yes, could be talking to one's temporary dial-up IP from elsewhere), and never used by a host to scan itself, because the report would include local-only network services, which obviously cannot be attacked from remote locations. (Thus, you tend to think you have remote vulnerabilities that really don't exist. This is a very common error.)
However, in this case, Sindi's results suggest there are zero TCP-based network services at all, so whether they're strictly local or not is entirely moot.
For the record, this is how I tend to do TCP-service, UDP-service, and TCP ACK Ping scans, respectively, using nmap:
# nmap -vv -sT -sR -O -o N /tmp/nmap-tcp.log -n 157.22.20.227
# nmap -vv -sU -sR -O -n -oN /tmp/nmap-udp.log -n 157.22.20.227
# nmap -vv -sA -sR -O -n -oN /tmp/nmap-ack.log -n 157.22.20.227
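Rick's distinction above between "enumerating badness" (chkrootkit, rkhunter) and a file-based IDS (AIDE, Samhain) that needs a known-good baseline is easiest to see in code. The script below is an added example written for this thread; it is not AIDE's code nor anything from BasicLinux. It records a hash, size, mode and owner for every regular file under a root, stores that as JSON (standing in for AIDE's database, which should live off the machine or on read-only media), and later reports what was added, removed or altered. The demo tree and the tampering it performs are constructed for illustration only.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline in the spirit of AIDE / Samhain.

Snapshot a tree while the system is known good, keep the snapshot
somewhere an intruder cannot rewrite, and diff the live tree against it
later.  Unlike a rootkit checker, this knows nothing about specific
malware; it simply reports every deviation from the baseline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need little memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file (relative to root) to its recorded attributes."""
    base = Path(root)
    db = {}
    for p in sorted(base.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        db[p.relative_to(base).as_posix()] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),  # permission bits incl. setuid
            "uid": st.st_uid,
        }
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Report added and removed paths, and which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diffs = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a fake /bin, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"pretend ls binary")
        (bin_dir / "ps").write_bytes(b"pretend ps binary")
        (bin_dir / "netstat").write_bytes(b"original netstat")

        # Take the baseline and round-trip it through JSON, as a real
        # database stored off-box would be.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Simulated tampering: same-size content swap (defeats size-only
        # checks), a dropped file, a deleted tool, and a setuid bit on ls.
        (bin_dir / "netstat").write_bytes(b"trojaned netstat")
        (bin_dir / ".hidden").write_bytes(b"dropped by an intruder")
        (bin_dir / "ps").unlink()
        os.chmod(bin_dir / "ls", 0o4755)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report for the demo names bin/.hidden as added, bin/ps as removed, and flags bin/netstat (hash only, since the size did not change) and bin/ls (mode only). That is the whole strategy: no signature list, just a trustworthy baseline, which is why Rick says it must be taken when the system is new or at least healthy, and why a baseline written after you already suspect a compromise is worthless.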
Sindi Keesan [keesan at grex.cyberspace.org]
On Sat, 27 Jan 2007, Rick Moen wrote:
> Quoting Neil Youngman (ny at youngman.org.uk):
>
>>>> Do you monitor the logs? Do you run chkrootkit regularly? Do you
>>>> monitor portscans?
>>>
>>> /var/log/ shows which packages were installed not portscan info. We
>>> do not have chkrootkit.
>>
>> It sounds like you wouldn't notice.
>
> Neil, chkrootkit (and/or rkhunter) is probably a good thing to suggest
> as a retroactive measure for someone like Sindi who might have reason to
> worry about system security. Although I have problems (to be detailed
> below) with its general approach, your suggestion is commendable in this
> (limited) context.
>
> Sindi, one might describe chkrootkit / rkhunter (both of which you can
> easily find and download) as attempts at "paranoia in a can" -- tools
> that search your filesystems for patterns of files that typically exist
> as artifacts/after-effects of intruder breakin activity, e.g.,
> replacements of system facilities with trojaned equivalents, malware
> installed that keeps UDP-based backdoor methods of re-entry open, etc.
>
> Taking the longer view for a moment, both tools exemplify a losing
> strategy that Marcus J. Ranum dubs "enumerating badness" in his essay
> "The Six Dumbest Ideas in Computer Security" -- with that concept
> qualifying as one of the six:
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> The problem with enumerating badness is that it comes in vastly too many
> varieties, and so you end up knowing only that known, i.e., sloppy and
> incompetent badness has been found. Which is better than nothing -- but
> should make one wonder if we can't do better.
>
But if I run chkrootkit and it finds nothing, and I am not running any network services when I go online, can I continue as root without worrying? I have switched Opera to run as user (in the menu) because it uses an X server, after inserting modules and dialing as root.
> I would suggest there definitely is -- but that the superior tools in
> that area are prospective-looking tools you need to install / configure
> when the system is new or at least healthy, i.e. file-based intrusion
> detection systems (IDSes), such as AIDE, Prelude-IDS, Samhain, etc.
>
> It would be good if future distros installed with AIDE configured and
> issuing daily reports by default -- and less reliance on chkrootkit /
> rkhunter, which are in the final analysis just glorified virus-checkers,
> and we can sure do better than that. There are an increasing number
> of write-ups about how to configure AIDE manually, e.g.,
> http://www.debuntu.org/intrusion-detection-with-aide .
>
> My point about chkrootkit/rkhunter as opposed to IDSes in Sindi's
> particular situation is that IDSes require a normal-operation baseline
> for configuration. If you're already worried about intrusion, it's too
> late to set one up.
>
I was told if I have no open ports I don't need to worry. I ran telnetd once for 30 seconds on another computer.
>>> We have an nmap add-on for scanning hosts on the network and determining
>>> which services they are running. Downloaded it. No documentation.
>>> 101 pages of man page online. I don't understand much of it.
>>>
>>> nmap -A -T4 127.0.0.1 (localhost)
>>> All 1663 scanned ports are closed.
>>
>> I'm no expert either, but I would say that's encouraging.
>
> Yes. That's a TCP-port scan of localhost (only one of several major
> scan modes nmap can do). Ordinarily, I would caution that nmap must
> always be run from a nearby-on-network node (which, yes, could be
> talking to one's temporary dial-up IP from elsewhere), and never used
> by a host to scan itself, because the report would include local-only
> network services, which obviously cannot be attacked from remote
> locations. (Thus, you tend to think you have remote vulnerabilities
> that really don't exist. This is a very common error.)
>
> However, in this case, Sindi's results suggest there are zero
> TCP-based network services at all, so whether they're strictly local or
> not is entirely moot.
I told you I had no servers running except sometimes X, and I usually go online with ssh or lynx.
> For the record, this is how I tend to do TCP-service, UDP-service, and
> TCP ACK Ping scans, respectively, using nmap:
>
> # nmap -vv -sT -sR -O -o N /tmp/nmap-tcp.log -n 157.22.20.227
> # nmap -vv -sU -sR -O -n -oN /tmp/nmap-udp.log -n 157.22.20.227
> # nmap -vv -sA -sR -O -n -oN /tmp/nmap-ack.log -n 157.22.20.227
You are way beyond me already. It was a major accomplishment running nmap on localhost. Should I do the same as above but substitute the IP address assigned when I dial the ISP?
I will look for chkrootkit. Thanks for all the info.
Is this discussion being archived so I can point other list members at it?
Sindi Keesan
Rick Moen [rick at linuxmafia.com]
Quoting Sindi Keesan (keesan at grex.cyberspace.org):
> But if I run chkrootkit and it finds nothing, and I am not running any
> network services when I go online, can I continue as root without
> worrying?
No. Your question is a complete and total non-sequitur to what I just got through saying, and carrying out online activity as the root user, or indeed any activity at all that doesn't require root access, remains reckless and ill-advised for reasons that frankly should be obvious -- completely without regard to whether you're even running network daemons at all.
The non-sequitur nature of that question suggests to me that you probably are not really heeding what people are saying, in this thread, or it seems likely that you would not make such comments.
> ># nmap -vv -sT -sR -O -o N /tmp/nmap-tcp.log -n 157.22.20.227
> ># nmap -vv -sU -sR -O -n -oN /tmp/nmap-udp.log -n 157.22.20.227
> ># nmap -vv -sA -sR -O -n -oN /tmp/nmap-ack.log -n 157.22.20.227
>
> You are way beyond me already.
No, I'm certainly not. For heaven's sake, if you're curious about what those options mean, they're detailed right in the manpage.
> Should I do the same as above but substitute the IP address > assigned when I dial the ISP?
You should re-read the explanation of why scanning a host from itself would normally be pointless.
> I will look for chkrootkit.
chkrootkit is a last-gasp but highly fallible attempt to detect security disasters after all your real defences and precautions have failed. Your biggest problem is that you're going around defeating precautions (e.g., insisting on using the root account routinely) and eschewing defences. That is what should be getting your attention.
Sindi Keesan [keesan at grex.cyberspace.org]
>
>>>> Do you monitor the logs? Do you run chkrootkit regularly? Do you
>>>> monitor portscans?
I downloaded (about 40K) chkrootkit.tar.gz, unpacked it and typed 'make sense', and it produced chkrootkit and some other files.
./chkrootkit wanted netstat. It was a 7 min download in a package and I extracted it with 'tar -zxvf tcpicp1.tgz bin/netstat' and put it into /bin.
chkrootkit then told me I had six infected files:
basename dirname echo env ifconfig and traceroute.
These are all part of busybox 1.1.0 compiled statically against uClibc. Are they really infected (with what?) or is uClibc confusing chkrootkit? They are not in the typical locations but are on the path.
telnetd and su in busybox are not infected.
    Checking 'date' ... bash /bin/csh INFECTED
(I have a /bin/bash but no csh. Command not found.)
How do I interpret the above?
Some things it could not find, some it said were not infected, such as cron. I don't have a cron. Same for ldsopreload and sshd and write.
'' Checking 'lkm'...You have 13 process hidden for ps command chkproc: Warning: Possible LKM Trojan installed. no rootkits or worms found.. ''
Rick Moen [rick at linuxmafia.com]
Quoting Sindi Keesan (keesan at grex.cyberspace.org):
> How do I interpret the above?
My guess: Probably chkrootkit being stupid.
chkrootkit is built on an ultimately stupid approach -- stupid by design: It does pattern-matching in an attempt to, as Marcus J. Ranum puts it, "enumerate badness", which is an inherently fallible, losing strategy.
So, you read chkrootkit FAQs and other documentation about known false positives, if necessary you read the chkrootkit script to determine what it's checking, and you decide for yourself whether it's talking nonsense or not.
However, if you've put yourself in a position where you're actually relying on chkrootkit for anything but a quick cross-check against your primary security measures, I'd say you have a lot bigger problems.
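Rick's distinction between "enumerating badness" and checking against what you know to be good is easy to see in code. The following is an added example, not chkrootkit's own logic or anything from the Basiclinux project: a toy signature scanner beside a known-good hash manifest, run over a constructed file set in which a static busybox-style binary legitimately contains a byte pattern that a signature list also carries. Every pattern, path and file body below is constructed for the demonstration.

```python
"""Added example (not chkrootkit's code): contrasts the "enumerate badness"
strategy (scan file contents for known-bad byte patterns) with verifying files
against a known-good baseline recorded while the system was trusted.
All signatures, file names and file contents are constructed."""
import hashlib

# Constructed stand-ins for a scanner's signature list.  A static
# multi-applet binary that legitimately opens pty devices (as a telnetd
# applet does) contains the first pattern without being malicious.
BAD_PATTERNS = [b"/dev/ptyp", b"hide_me_from_ps"]


def scan_for_badness(files, patterns=BAD_PATTERNS):
    """Enumerate badness: report every file containing any known-bad pattern.

    files: {name: bytes}.  Returns {name: [matched patterns as str]}.
    A match proves only that the bytes are present, not that the file is
    malicious, which is why busybox-style binaries produce false positives,
    and anything not on the list is never reported at all.
    """
    hits = {}
    for name, data in files.items():
        matched = [p.decode() for p in patterns if p in data]
        if matched:
            hits[name] = matched
    return hits


def take_baseline(files):
    """Record SHA-256 of every file while the system is known to be clean.
    In practice the manifest lives off-box (read-only media, another host),
    otherwise an intruder with root can rewrite it along with the files."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_baseline(files, baseline):
    """Enumerate goodness: return what differs from the trusted manifest."""
    changed = sorted(n for n in files
                     if n in baseline
                     and hashlib.sha256(files[n]).hexdigest() != baseline[n])
    missing = sorted(n for n in baseline if n not in files)
    added = sorted(n for n in files if n not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


# Constructed "installed files": one static busybox-like binary plus a script.
CLEAN_SYSTEM = {
    "/bin/busybox": b"\x7fELF...applets: ifconfig traceroute telnetd ..."
                    b" open(\"/dev/ptyp0\") ...",
    "/etc/rc.d/rc.local": b"#!/bin/sh\n/sbin/ifconfig lo 127.0.0.1\n",
}


def demo():
    baseline = take_baseline(CLEAN_SYSTEM)
    # 1. Signature scan of the clean system: busybox is flagged (false positive).
    false_positive = scan_for_badness(CLEAN_SYSTEM)
    # 2. Baseline verification of the same files: nothing differs.
    clean_result = verify_baseline(CLEAN_SYSTEM, baseline)
    # 3. Simulate a modified boot script that no signature knows about.
    tampered = dict(CLEAN_SYSTEM)
    tampered["/etc/rc.d/rc.local"] += b"/tmp/.hidden/daemon &\n"
    missed_by_scan = scan_for_badness(tampered)        # still only the busybox hit
    caught_by_baseline = verify_baseline(tampered, baseline)
    return false_positive, clean_result, missed_by_scan, caught_by_baseline


if __name__ == "__main__":
    fp, clean, missed, caught = demo()
    print("signature scan, clean system :", fp)
    print("baseline check, clean system :", clean)
    print("signature scan, tampered     :", missed)
    print("baseline check, tampered     :", caught)
```

The signature scanner reports the same single hit before and after the tampering, so its output carries no information about the change; the baseline check reports nothing on the clean set and exactly the changed path afterwards. That is the cross-check Rick describes: the scanner is at best a hint, and the baseline only means something if it was taken on a system you had reason to trust.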
Neil Youngman [ny at youngman.org.uk]
On or around Sunday 28 January 2007 08:58, Rick Moen reorganised a bunch of electrons to form the message:
> Quoting Sindi Keesan (keesan at grex.cyberspace.org):
> > How do I interpret the above?
>
> My guess: Probably chkrootkit being stupid.
This thread on Puppy Linux states that chkrootkit doesn't like busybox, so that's probably right.
http://murga-linux.com/puppy/viewtopic.php?t=10056
Neil
sindi keesan [keesan at sdf.lonestar.org]
On Sun, 28 Jan 2007, Rick Moen wrote:
> Quoting Sindi Keesan (keesan at grex.cyberspace.org):
>> How do I interpret the above?
>
> My guess: Probably chkrootkit being stupid.
The LKM Trojan thing is said to be a bug.
I ran chkrootkit on a small ramdisk version of our distribution with an older busybox, after mounting the ext2 partition so I could symlink to the three missing binaries (netstat, awk and echo), and it found the same infected files except ifconfig was okay. I really doubt any hacker could have infected my DOS file that contains the files, which load to ramdisk.
Therefore my system, which I have been running as root for four years, seems not to have been hacked. I can still run Opera as su user just in case. (And in case I want to print with some other printer on my list of filters, such as draft or 600 dpi, without changing the custom script).
> chkrootkit is built on an ultimately stupid approach -- stupid by design: It does pattern-matching in an attempt to, as Marcus J. Ranum puts it, "enumerate badness", which is an inherently fallible, losing strategy.
So it found the patterns of some known worms in uClibc-static busybox?
> So, you read chkrootkit FAQs and other documentation about known false positives, if necessary you read the chkrootkit script to determine what it's checking, and you decide for yourself whether it's talking nonsense or not.
>
> However, if you've put yourself in a position where you're actually relying on chkrootkit for anything but a quick cross-check against your primary security measures, I'd say you have a lot bigger problems.
I don't appear to have any security problems. I was warned again not to run the telnetd that I compiled. I would only do so offline. We have instructions on using ipchains and default gateways to hook up two computers now so both can go online over the same modem. (Or I can use a wireless laptop to pick up our free county wireless signal and a cable to convey it to a desktop).
I once used in.telnetd and a nullmodem cable and telnet with root access online for 30 sec to share a connection, but nobody seems to have successfully hacked my computers. Our little linux is recommended for making very old computers into terminals, with X.
I can thus make old linux computers for people to use the internet with, and not worry about them becoming spammers by accident.
Our author says busybox and uClibc and the lack of expected binaries would make it difficult for hackers to find their way around even if we did have open ports, but he goes online with Opera as 'user' in case of any vulnerabilities in the X server or Opera.
keesan at sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
sindi keesan [keesan at sdf.lonestar.org]
> Our author says busybox and uClibc and the lack of expected binaries would make it difficult for hackers to find their way around even if we did have open ports, but he goes online with Opera as 'user' in case of any vulnerabilities in the X server or Opera.
List members suggested online port scanners, but I think the one I used at http://www.hq42.net/net_tools scanned my ISP though it listed my IPLOCAL number because it listed about 900 ports including netstat (which I am not running) and mentioned the name of the nearest large city.
http://bcheck.scanit.be found 0 vulnerabilities in Opera 8.52. I cannot check non-javascript browsers (lynx and probably links).
Another list member pointed out that startx allows only local access to the X server so is also not vulnerable. startxt is vulnerable (it allows us to use one old computer as a terminal, in X, to another faster one). I don't run that because I have plenty of 'new' computers now (200MHz and up).
Sindi Keesan
=?iso-8859-15?Q?Ren=E9?= Pfeiffer [lynx at luchs.at]
On Jan 28, 2007 at 1712 +0000, sindi keesan appeared and said:
> > Our author says busybox and uClibc and the lack of expected binaries would make it difficult for hackers to find their way around even if we did have open ports, but he goes online with Opera as 'user' in case of any vulnerabilities in the X server or Opera.
>
> List members suggested online port scanners, but I think the one I used at http://www.hq42.net/net_tools scanned my ISP though it listed my IPLOCAL number because it listed about 900 ports including netstat (which I am not running) and mentioned the name of the nearest large city.
Open ports are not the only security problem. You already got many hints from the TAG subscribers. Security is not a state that is either switched on or off by configuration. It is a process and considering the code people usually run on workstations (graphically or not) it is next to impossible to predict what code will do in all possible circumstances.
> http://bcheck.scanit.be found 0 vulnerabilities in Opera 8.52. [...]
If you try http://www.securityfocus.com/vulnerabilities instead and enter "Opera Software" and then "Opera Web Browser" in the search form you get a long list of (known) bugs along with their security implications and possible fixes or upgrades. A Google search for '"opera 8.52" security bugs' has http://security.nnov.ru/soft/8550.html as first search result. This page says:
"Integer overflow on long stylsheet sttribute. Can potentially be used for hidden malware installation."
A lot of online scanners are woefully incomplete and only check for the top 10 (100 or 1000) bugs, and a good part of them is designed to work with MS Windows clients. These scanners are only a part of a security strategy and their output should be treated as such.
> Another list member pointed out that startx allows only local access to > the X server so is also not vulnerable.
Some GNU/Linux distributions (such as Debian) also deactivate X's port 6000 by default. Of course this doesn't protect you against running an X session with lots of software (which is not designed to run as root) with root privileges.
Apologies for repeating things others have said in this thread. The part about online scanners and Opera 8.52 made a little noise on my email radar.
Best wishes, René
sindi keesan [keesan at sdf.lonestar.org]
On Sun, 28 Jan 2007, René Pfeiffer wrote:
......
> Open ports are not the only security problem. You already got many hints from the TAG subscribers. Security is not a state that is either switched on or off by configuration. It is a process and considering the code people usually run on workstations (graphically or not) it is next to impossible to predict what code will do in all possible circumstances.
Sometimes even linux crashes.
>> http://bcheck.scanit.be found 0 vulnerabilities in Opera 8.52. [...]
>
> If you try http://www.securityfocus.com/vulnerabilities instead and enter "Opera Software" and then "Opera Web Browser" in the search form you get a long list of (known) bugs along with their security implications and possible fixes or upgrades. A Google search for '"opera 8.52" security bugs' has http://security.nnov.ru/soft/8550.html as first search result. This page says:
>
> "Integer overflow on long stylsheet sttribute. Can potentially be used for hidden malware installation."
Thanks.
> A lot of online scanners are woefully incomplete and only check for the top 10 (100 or 1000) bugs and a good part of them is designed to work with MS Windows clients. These scanners are only a part of a security strategy and their output should be treated as such.
Okay.
>> Another list member pointed out that startx allows only local access to the X server so is also not vulnerable.
>
> Some GNU/Linux distributions (such as Debian) also deactivate X's port 6000 by default. Of course this doesn't protect you against running an X session with lots of software (which is not designed to run as root) with root privileges.
How would this affect online security?
> Apologies for repeating things others have said in this thread. The part about online scanners and Opera 8.52 made a little noise on my email radar.
Thanks. I have already changed opera to su user. I could do the same for lynx. Make scripts. And move files that I download from /home/user to where I want them as root.
I shared your information with my linux list. We are having an interesting discussion now about security, portscanners, and nmap (which the author recently compiled for our use). This business of whether to run as root is important to our distribution. Several people here know much more than I do about security. (I know next to nothing).
Sindi
keesan at sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
Rick Moen [rick at linuxmafia.com]
Quoting sindi keesan (keesan at sdf.lonestar.org):
> List members suggested online port scanners,
To reiterate: If you have to rely on vulnerability scanners as a primary security measure, you're already following a losing strategy.
Relying on remote Web-based scanners is particularly foolish, since you have no idea what port-blocking, proxying, etc. between you and them may tend to make results meaningless.
> Another list member pointed out that startx allows only local access to the X server so is also not vulnerable.
For values of "vulnerable" entailing remote direct attack, yes.
Rick Moen [rick at linuxmafia.com]
Quoting sindi keesan (keesan at sdf.lonestar.org):
[chkrootkit:]
> The LKM Trojan thing is said to be a bug.
Picture me being extremely not surprised.
> Therefore my system, which I have been running as root for four years, seems not to have been hacked.
Non sequitur. Of course, being both lucky and reckless is certainly not unheard-of.
> So it found the patterns of some known worms in uClibc-static busybox?
Sorry, you need to review the context in which you're asking me that question: I regard chkrootkit / rkhunter as a generally foolish approach, justified only as a last-gasp check when someone has suddenly woken up to a pattern of negligence and wants a quick'n'dirty check -- with the proviso that the onus is on the user to decide what scan results make sense, and why.
The "user" in this case would be you, not me.
I am also particularly disinclined to go to any special lengths to help such a user feel good about inherently bad system usage decisions such as running routinely as the root user. So, sorry, no, I will not help you patch up your bad model.
> I don't appear to have any security problems.
Good luck with that. You'll need it.
sindi keesan [keesan at sdf.lonestar.org]
On Sun, 28 Jan 2007, Rick Moen wrote:
> Quoting sindi keesan (keesan at sdf.lonestar.org):
>
> [chkrootkit:]
>
>> Therefore my system, which I have been running as root for four years, seems not to have been hacked.
>
> Non sequitur. Of course, being both lucky and reckless is certainly not unheard-of.
The system was designed to be safe to run as root, I think. Nobody else has reported being hacked either. Someone reported attempts at hacking when they were running some server and some program that logs things and probably something protective.
>> So it found the patterns of some known worms in uClibc-static busybox?
>
> Sorry, you need to review the context in which you're asking me that question: I regard chkrootkit / rkhunter as a generally foolish approach, justified only as a last-gasp check when someone has suddenly woken up to a pattern of negligence and wants a quick'n'dirty check -- with the proviso that the onus is on the user to decide what scan results make sense, and why.
Someone in TAG asked if I had run it so I went and got and compiled and ran it. I am following instructions, I think.
I am also following instructions from our group to use Opera as user and run other programs offline as root.
I tried to su user lynx and it would not but I could login as user then run lynx and then I could not save configuration file settings. I am sure there is some workaround.
> The "user" in this case would be you, not me.
>
> I am also particularly disinclined to go to any special lengths to help such a user feel good about inherently bad system usage decisions such as running routinely as the root user. So, sorry, no, I will not help you patch up your bad model.
>
>> I don't appear to have any security problems.
>
> Good luck with that. You'll need it.
I don't think I was asking for patches, just grateful for any helpful info. It is interesting learning about these things.
Thank you.
Sindi
keesan at sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
Rick Moen [rick at linuxmafia.com]
Quoting sindi keesan (keesan at sdf.lonestar.org):
> The system was designed to be safe to run as root, I think.
This remains nonsense, as it's been every other time you've said it, too. I can only suggest you learn some security, to figure out why the idea is foolish, as evidently we're not getting through to you -- and frankly I have more rewarding things to do.
Benjamin A. Okopnik [ben at linuxgazette.net]
----- Forwarded message from Sindi Keesan <keesan at grex.cyberspace.org> -----
Date: Thu, 25 Jan 2007 21:38:24 -0500 (EST)
From: Sindi Keesan <keesan@grex.cyberspace.org>
To: TAG <tag@lists.linuxgazette.net>
To: "Benjamin A. Okopnik" <ben at linuxgazette.net>
Subject: Re: [TAG] lpr works for user not root in Basiclinux 2.1
Sender: Sindi Keesan <keesan at cyberspace.org>
On Thu, 25 Jan 2007, Benjamin A. Okopnik wrote:
> On Wed, Jan 24, 2007 at 11:43:43AM -0500, Sindi Keesan wrote:
>>
>> cat filename > /dev/lp0 works for root, so does gs used CLI without lpr, or pbmtolj from netpbm.
>>
>> lpr used from Opera, lpr filename or even cat filename | lpr work for 'user', but for root they do not send anything to the print queue (lpq shows no entries). No error messages. I just get another prompt.
>>
>> Permissions for lpr are unchanged from Slackware 7.1:
>> -r-s--s--x 1 root lp
>> (Must be s to print as user).
>>
>> lp0 is crw-r--r-- 1 root root
>
> Just for comparison, mine are
>
> ``
> ben at Fenrir:~$ ls -l `which lpr` /dev/lp0
> crw-rw---- 1 root lp 6, 0 2004-04-28 23:43 /dev/lp0
> -rwxr-xr-x 1 root root 9888 2006-11-17 20:46 /usr/bin/lpr
> ''
I think I tried making both these files rwx for everyone. Will try again to match yours.
> At least a little different - although that's not necessarily the cause.
>
>> chmod a+w lp0 did not help (crw-rw-rw-) nor did chmod 777 (crwxrwxrwx). lp0 works for root except with lpr.
>>
>> In order to work as user I have had to change permissions on /dev/null (w), ttyp* and ptyp* (rw), set suid XVESA and anything svgalib (links2, zgv, gs), make /var/lock writeable, make any scripts suid or executable as user, etc. An education. I can now suid user (or login as user), dial, load Xvesa, icewm, and rxvt and Opera and print as user.
>
> It sounds like BasicLinux still needs a bit of refining.
Basiclinux is designed to work only as root, and to be small and fast.
>> ssh still says 'host key verification failed' though telnet works.
>
> The two are, of course, unrelated.
I know.
>> I would like to quit struggling with permissions every time I try to work as user, and be able to print as root. I do know I should not work as root online but I am not running any servers while online with my modem. If you scold me please explain why.
>
> No scolding, but just a note: as root, one tiny mistype is all it takes to wipe out your system. As well, any programs you execute that create an externally-accessible network socket (are you sure you know what all of those are?) are running with root privileges - meaning that if someone manages to crack one, they 0wn your system.
>
> So, I'm not going to say "don't do that". I'm just going to note that the cost of doing so can be rather high.
I have the same system on several computers so can easily restore it. My super-duper full-size linux is about 1GB including a lot of music and photos and kernel source code. The little one about 100MB.
>> Does lpr depend on some other program, library, or device that I need to change permissions for?
>
> Maybe - or maybe not, depending on how yours is configured and what version of "lpr" you're using (in theory, you can minimize external processing by trying to print a plain text file, e.g., '/etc/passwd'.) In any case, it's a question that you yourself can answer by executing "lpr" with "strace", something like this:
>
> ``
> ben at Fenrir:~$ su -
> Password:
> root at Fenrir:~# strace -o lpr.out /usr/bin/lpr file
> ''
I had to download the strace.tgz package first. Running it from a temporary directory without installing the package.
ptrace: umoven: Input/output error (four lines of this).
But it made lpr.out, a couple pages or more.
> After that, read the resulting file ('lpr.out', in the above case) and see where things failed. If you need a baseline for comparison, you can always run the above "strace" line as a non-root user.
I can't make much sense of the results. See attached lpr.out (root) and lpr2.out (user).
It is supposed to be writing a file to /var/spool/lpd/postscript, and the permissions on that directory are drwxr-xr-x. Should I change to drwxrwxrwx?
I probably created the directories after installing linux.
>> Can YOU print with lpr as root?
>
> Yep. I don't recall that ever being a problem, although I've seen the opposite happen.
I ran across several complaints of the opposite.
Sindi Keesan
----- End forwarded message -----
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
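Ben's strace suggestion produces a couple of pages of output, and the lines that explain a command which returns silently are the ones where a system call failed. The script below is an added example (not Ben's, and not part of any lpr package) that pulls those lines out of a trace file; the strace excerpt it works on is constructed for the demonstration and is not Sindi's actual lpr.out.

```sh
#!/bin/sh
# Added example (not from Ben or the lpr package): extract the failing system
# calls from an strace log such as the lpr.out Ben describes.  strace writes a
# failed call as "... = -1 ERRNO (text)", so those lines are what to read first
# when a command returns to the prompt without printing anything.

# Constructed sample of what a trace of a misbehaving lpr could look like.
SAMPLE="${TMPDIR:-/tmp}/lpr-strace-sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
execve("/usr/bin/lpr", ["lpr", "file"], [/* 12 vars */]) = 0
open("/etc/printcap", O_RDONLY)         = 3
ioctl(3, TCGETS, 0xbffff5a0)            = -1 ENOTTY (Inappropriate ioctl for device)
stat("/var/spool/lpd/postscript", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
open("/var/spool/lpd/lock", O_RDWR|O_CREAT, 0644) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/dev/printer"}, 110) = -1 ECONNREFUSED (Connection refused)
exit_group(0)                           = ?
EOF

# strace_failures FILE: every call that returned an error, verbatim.
strace_failures() {
    grep -E '= -1 E[A-Z]+' "$1"
}

# strace_failed_paths FILE: failures that name a path, printed as
# "ERRNO syscall path", one per line.  The first quoted argument is taken
# as the path; calls without one (the usual ENOTTY ioctl noise) are dropped.
strace_failed_paths() {
    grep -E '= -1 E[A-Z]+' "$1" \
    | sed -n -E 's/^([a-z_0-9]+)\([^"]*"([^"]*)".*= -1 (E[A-Z]+).*/\3 \1 \2/p'
}

echo "== failing calls =="
strace_failures "$SAMPLE"
echo "== paths worth checking =="
strace_failed_paths "$SAMPLE"
```

Run the second function over root's trace and over the user's trace and compare the two lists: a path that fails only in one of them points at the directory, device or socket whose permissions or existence differs between the two cases, which is far quicker than reading both files end to end.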
Rick Moen [rick at linuxmafia.com]
----- Forwarded message from Sindi Keesan <keesan at grex.cyberspace.org> -----
Date: Sun, 28 Jan 2007 13:02:38 -0500 (EST)
From: Sindi Keesan <keesan@grex.cyberspace.org>
To: TAG <tag@lists.linuxgazette.net>
To: Rick Moen <rick at linuxmafia.com>
Subject: Re: [TAG] Re: lpr works for user not root in Basiclinux 2.1
On Sun, 28 Jan 2007, Rick Moen wrote:
> Quoting Sindi Keesan (keesan at grex.cyberspace.org):
>
>> But if I run chkrootkit and it finds nothing, and I am not running any network services when I go online, can I continue as root without worrying?
>
> No. Your question is a complete and total non-sequitur to what I just got through saying, and carrying out online activity as the root user, or indeed any activity at all that doesn't require root access, remains reckless and ill-advised for reasons that frankly should be obvious -- completely without regard to whether you're even running network daemons at all.
I mentioned a while ago that I had clones of the same linux on several computers so I am not concerned about accidentally wiping out files. And from what various people have told me one cannot hack my system if I have no network daemons running and X only has local access and Opera has no vulnerabilities. And chkrootkit found nothing after four years. So it is not obvious. I am not trying to be intentionally stupid.
> The non-sequitur nature of that question suggests to me that you probably are not really heeding what people are saying, in this thread, or it seems likely that you would not make such comments.
I don't claim to understand it all.
>>> # nmap -vv -sT -sR -O -o N /tmp/nmap-tcp.log -n 157.22.20.227
>>> # nmap -vv -sU -sR -O -n -oN /tmp/nmap-udp.log -n 157.22.20.227
>>> # nmap -vv -sA -sR -O -n -oN /tmp/nmap-ack.log -n 157.22.20.227
>>
>> You are way beyond me already.
>
> No, I'm certainly not. For heaven's sake, if you're curious about what those options mean, they're detailed right in the manpage.
I don't have enough background to understand 99% of what is in manpages starting with the vocabulary, and this one was about 100 pages long. I was rather surprised that I managed to use nmap at all. I am not a computer professional, just don't like MS or GUIs in general and am willing to work hard to bypass them. I found a chapter in Running Linux ver 3 about TCP UDP and ACK which I will read.
>> Should I do the same as above but substitute the IP address assigned when I dial the ISP?
>
> You should re-read the explanation of why scanning a host from itself would normally be pointless.
I tried to scan from a website and it listed a lot of things that are probably at my ISP since I don't have them running here, even though it was using my IPLOCAL number. My linux list members will explain this.
>> I will look for chrootkit.
>
> chkrootkit is a last-gasp but highly fallible attempt to detect security disasters after all your real defences and precautions have failed. Your biggest problem is that you're going around defeating precautions (e.g., insisting on using the root account routinely) and eschewing defences. That is what should be getting your attention.
I understand this is like using f-prot rather than being careful not to download viruses in the first place.
Our linux was designed to be used as root. The author and other users who understand security say this is safe in our case. There is no evidence yet in 4 years that this makes it insecure. It did not come with network servers (I added the telnetd in busybox). And it is a great deal of trouble and is more likely to cause problems if I keep changing permissions on all sorts of things each time I want to use another program as user.
Which is why I asked for help with lpr.
Is this discussion online so other users of our linux can read it and comment?
I am grateful for the education and I apologize for my ignorance.
Sindi Keesan
----- End forwarded message -----
Thomas Adam [thomas.adam22 at gmail.com]
[ Hopefully I haven't completely messed up attribution. ]
On Sun, Jan 28, 2007 at 04:21:21PM -0800, Rick Moen wrote:
> ----- Forwarded message from Sindi Keesan <keesan at grex.cyberspace.org> -----
>
> I mentioned a while ago that I had clones of the same linux on several computers so I am not concerned about accidentally wiping out files.
That depends on the files you back up, and how you clone them. There are various filesystems out there which operate in this way to do just that.
> And from what various people have told me one cannot hack my system if I have no network daemons running and X only has local access and Opera has no vulnerabilities. And chkrootkit found nothing after four years. So it is not obvious. I am not trying to be intentionally stupid.
Well, the X11 issue comes down to access control (see 'man xhost'). And it's still a bogus comment since it's not so much access control that's the issue, as it is having the program run as user root in the first place.
Take for example, a copy of gvim. Guess what happens if that's started as root.
-- Thomas Adam
-- "Wanting to feel; to know what is real. Living is a lie." -- Porpoise Song, by The Monkees.
Sindi Keesan [keesan at grex.cyberspace.org]
On Mon, 29 Jan 2007, Thomas Adam wrote:
> [ Hopefully I haven't completely messed up attribution. ]
>
> On Sun, Jan 28, 2007 at 04:21:21PM -0800, Rick Moen wrote:
>> ----- Forwarded message from Sindi Keesan <keesan at grex.cyberspace.org> -----
>>
>> I mentioned a while ago that I had clones of the same linux on several computers so I am not concerned about accidentally wiping out files.
>
> That depends on the files you back up, and how you clone them. There are various filesystems out there which operate in this way to do just that.
cp -a /hda1/* /hdc1 (ext2)
Is there something more suitable for copying 500-1000MB of files? I tried dd between identical drives, with bs=64k or larger.
I spend time in three places, have 2-3 computers with the same software at each place, and keep anything I need to access online at a shell account where I do not have root privileges.
The computers are all free because our friends need newer ones for Windows. We are setting up linux/Opera for other friends on 500MB drives, when their 20GB XP drive dies. I will set them up as user for added security.
>> And from what various people have told me one cannot hack my system if I have no network daemons running and X only has local access and Opera has no vulnerabilities. And chkrootkit found nothing after four years. So it is not obvious. I am not trying to be intentionally stupid.
>
> Well, the X11 issue comes down to access control (see 'man xhost'). And it's still a bogus comment since it's not so much access control that's the issue, as it is having the program run as user root in the first place.
>
> Take for example, a copy of gvim. Guess what happens if that's started as root.
I have never heard of gvim before. I compiled busybox vi but have not learned to use it. I use pico in console mode and am trying to learn to write simple rtf, maybe by changing the keycodes for the function keys so F1 is bold-on and F2 is bold-off, etc., to avoid needing X at all. I could not find a console wordprocessor for linux, and wordperfect and VDE don't work correctly in dosemu or qemu.
If I do have to use Opera, does it matter whether I load X and dial as root or user before using Opera as user?
Thanks to all of you for the helpful ideas.
Sindi Keesan
Rick Moen [rick at linuxmafia.com]
Quoting Sindi Keesan (keesan at grex.cyberspace.org):
> Is there something more suitable for copying 500-1000MB of files?
"Copying Directory Trees" on http://linuxmafia.com/kb/Admin/
Sindi Keesan [keesan at grex.cyberspace.org]
On Sun, 28 Jan 2007, Rick Moen wrote:
> Quoting Sindi Keesan (keesan at grex.cyberspace.org):
>
>> Is there something more suitable for copying 500-1000MB of files?
>
> "Copying Directory Trees" on http://linuxmafia.com/kb/Admin/
Sindi Keesan
Thanks. I will read this more carefully when it is not 2 am.
I have used dd to clone between two identical drives. I experimented with cloning partitions in order to copy Win98 and it created problems. (Windows would tell us the drive was full when it was not).
I have used tar -zcvf to copy files via a FAT-formatted USB flash drive without losing long file names. Or to make one big copy of a file system that was small enough to fit into a DOS partition on an old laptop. The gzipping takes a long time but might be worth it if you are copying via PLIP rather than ethernet.
I normally use cp without gzipping, on individual files or a .tar file, because the gzip takes longer than the file transfer on our older computers.
We do not have rsync, dump, or restore. I met TAG in the first place because we also do not have modprobe or telinit.
Sindi
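The cp, dd and tar methods compared above all differ in what they preserve, and the thread's permission problems are exactly the kind of thing a copy can silently lose (a setuid bit, a symlink turned into a file). The script below is an added example, not taken from Rick's knowledge-base page or from Basiclinux: it copies a tree with a tar pipe, which keeps modes, setuid bits and symlinks (and ownership when run as root), and then verifies the copy against the original before it is trusted. It relies only on POSIX sh, tar, find, cksum and readlink, and the demonstration tree is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example (not from Rick's "Copying Directory Trees" page or from
# Basiclinux): copy a directory tree with a tar pipe and prove the copy
# matches.  tar -p restores the recorded modes, setuid bits included,
# instead of filtering them through the umask as a plain extraction would.

# copy_tree SRC DST: replicate everything under SRC into DST.
copy_tree() {
    mkdir -p "$2" || return 1
    (cd "$1" && tar -cf - .) | (cd "$2" && tar -xpf -)
}

# tree_manifest DIR: one sorted line per regular file ("cksum size ./path")
# and per symlink ("link ./path -> target"), so two trees compare as text.
# cksum is POSIX; substitute sha256sum where it exists for a stronger check.
tree_manifest() {
    (
        cd "$1" || exit 1
        find . -type f | sort | while IFS= read -r f; do cksum "$f"; done
        find . -type l | sort | while IFS= read -r l; do
            printf 'link %s -> %s\n' "$l" "$(readlink "$l")"
        done
    )
}

# verify_tree SRC DST: succeed only when every file and link matches.
verify_tree() {
    [ "$(tree_manifest "$1")" = "$(tree_manifest "$2")" ]
}

# list_setuid DIR: regular files whose setuid bit is set, to confirm the
# copy kept (or, on a new machine, to review) the suid programs.
list_setuid() {
    (cd "$1" && find . -type f -perm -4000 | sort)
}

# --- constructed demonstration tree ---
WORK="${TMPDIR:-/tmp}/copytree-demo.$$"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/src/bin" "$WORK/src/etc"
printf '#!/bin/sh\necho hello\n' > "$WORK/src/bin/hello"
chmod 4755 "$WORK/src/bin/hello"       # a setuid file, like the suid scripts in the thread
printf 'lp|hp:lp=/dev/lp0:sd=/var/spool/lpd/lp\n' > "$WORK/src/etc/printcap"
ln -s ../etc/printcap "$WORK/src/bin/printcap-link"

copy_tree "$WORK/src" "$WORK/dst"
echo "== manifest of the copy =="
tree_manifest "$WORK/dst"
echo "== setuid files in the copy =="
list_setuid "$WORK/dst"
if verify_tree "$WORK/src" "$WORK/dst"; then
    echo "copy verified"
else
    echo "copy differs from source"
fi
```

Verification is the part worth keeping even if you prefer cp -a or dd for the copy itself: a manifest taken from the source and compared against the clone is the same idea as the known-good baseline discussed earlier in the thread, and kept off the machine it doubles as one.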
Rick Moen [rick at linuxmafia.com]
Quoting Sindi Keesan (keesan at grex.cyberspace.org):
[running routinely as root:]
> So it is not obvious.
Please understand I have nothing particularly to gain from convincing you, so basically you're going to have to figure this out on your own.
You might wish to read "Firewalls" on http://linuxmafia.com/kb/Security/, which links to the complete 1994 book text of Cheswick & Bellovin's classic "Firewalls and Internet Security: Repelling the Wily Hacker", first edition, which explains basic principles of security such as why you want to always run processes with the minimum possible authority.
[nmap:]
> I don't have enough background to understand 99% of what is in manpages > starting with the vocabulary, and this one was about 100 pages long.
Obviously you don't read the whole thing. Looking up and understanding the options I cited would take you all of 15 minutes.
> > You should re-read the explanation of why scanning a host from itself would normally be pointless.
>
> I tried to scan from a website
That would be pointless for two different reasons: (1) Results would often be inherently meaningless because of port-blocking, proxying, etc., between you and the Web site. (2) You have no control or knowledge of how they're implementing their scans, and cannot know whether what they're doing is meaningless junk -- as is generally the case, with, e.g., Gibson Research's "Shields Up" site, for example.
> Our linux was designed to be used as root.
Which is a bad design, ab initio. Again, I have nothing to gain from convincing you of this. However, I can avoid wasting my time helping you tweak a setup I regard as misbegotten in the first place.
> Is this discussion online so other users of our linux can read it and > comment?
Ben would have to explain to you why our mailing list archive isn't accessible to the general public, since for the life of me I cannot.
Sindi Keesan [keesan at grex.cyberspace.org]
On Sun, 28 Jan 2007, Rick Moen wrote:
> Quoting Sindi Keesan (keesan at grex.cyberspace.org):
>
> [running routinely as root:]
>
>> So it is not obvious.
>
> Please understand I have nothing particularly to gain from convincing you, so basically you're going to have to figure this out on your own.
>
> You might wish to read "Firewalls" on http://linuxmafia.com/kb/Security/, which links to the complete 1994 book text of Cheswick & Bellovin's classic "Firewalls and Internet Security: Repelling the Wily Hacker", first edition, which explains basic principles of security such as why you want to always run processes with the minimum possible authority.
Thanks.
> [nmap:]
>
>> I don't have enough background to understand 99% of what is in manpages starting with the vocabulary, and this one was about 100 pages long.
>
> Obviously you don't read the whole thing. Looking up and understanding the options I cited would take you all of 15 minutes.
But I don't understand the words they are using to explain the concepts. The only computer course I ever took was Fortran IV. I will try to start with some basic reading. I am not trying to be a system administrator, just to put together something I can use myself.
>>> You should re-read the explanation of why scanning a host from itself would normally be pointless.
>>
>> I tried to scan from a website
>
> That would be pointless for two different reasons: (1) Results would often be inherently meaningless because of port-blocking, proxying, etc., between you and the Web site. (2) You have no control or knowledge of how they're implementing their scans, and cannot know whether what they're doing is meaningless junk -- as is generally the case, with, e.g., Gibson Research's "Shields Up" site, for example.
If I cannot scan from my own computer or while online, how do I scan?
>> Our linux was designed to be used as root.
>
> Which is a bad design, ab initio. Again, I have nothing to gain from convincing you of this. However, I can avoid wasting my time helping you tweak a setup I regard as misbegotten in the first place.
>
>> Is this discussion online so other users of our linux can read it and comment?
>
> Ben would have to explain to you why our mailing list archive isn't accessible to the general public, since for the life of me I cannot.
Okay. If you want to read our discussions of nmap and security bugs search on basiclinux archives for Jan 2007.
Sindi Keesan
Rick Moen [rick at linuxmafia.com]
Quoting Sindi Keesan (keesan at grex.cyberspace.org):
[nmap:]
> >_Obviously_ you don't read the whole thing. Looking up and
> >understanding the options I cited would take you all of 15 minutes.
>
> But I don't understand the words they are using to explain the concepts.
[Rick reviews the manpage.]
No, that objection really isn't reasonable. Quoting the options' explanations:
    -v: Increase verbosity level (use twice for more effect)

Show more detail.

    -sT (TCP connect() scan)
        TCP Connect() scan is the default TCP scan type when SYN scan
        is not an option.... This is the same high-level system
        call that web browsers, P2P clients, and most other
        network-enabled applications use to establish a connection.

Test using the same TCP connection type most apps use.

    -sR (RPC scan)
        ...takes all the TCP/UDP ports found open and floods them
        with SunRPC program NULL commands in an attempt to
        determine whether they are RPC ports....

So, adds a check for some particular -type- of connection (called
"SunRPC" -- which happens to be, FYI, used primarily for NFS/NIS).

    -O: Enable OS detection

Self-explanatory.

    -oN ...: Output scan in normal... format....

Self-explanatory.

    /tmp/nmap-tcp.log

Where to log to, instead of just echoing to screen.

    -n ...: Never do DNS resolution....

Self-explanatory.

    157.22.20.227

What IP I, in my particular case, was telling nmap to scan, at that
time.

    -sU (UDP scans)
        Nmap can help inventory UDP ports. UDP scan is activated
        with the -sU option.

Finds UDP-oriented services.

    -sA (TCP ACK scan)
        ...is used to map out firewall rulesets, determining whether they
        are stateful or not and which ports are filtered.

Self-explanatory.
Now, if you'd asked our help in interpreting results of such scans, that I could have respected. But saying "I can't deal with that" is difficult to respect.
> If I cannot scan from my own computer or while online, how do I scan?
A second, network-wise "nearby" machine would be best. It could be something as simple as a borrowed PC running a Knoppix live CD, connected to yours via a crossover cable between the two machines' ethernet ports. Or it could be a second dial-in machine connected to the same ISP point of presence, so that you have minimal circuitry between the machines.
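Rick mentions interpreting the results of such scans; as an added example, not part of the thread and not nmap's own code, here is a small Python script that reads the port table from a normal-format (-oN) report such as /tmp/nmap-tcp.log and summarises what the scanned host actually exposes. The report text and the 192.0.2.10 address in it are constructed for illustration.

```python
"""Summarise the port table of an nmap normal-format (-oN) report.
Added example, not code from the thread or from nmap. The report below is
constructed; its layout follows the PORT/STATE/SERVICE table nmap writes."""
import re
from collections import Counter

# Constructed sample report: open and filtered TCP ports from a -sT scan,
# plus the open|filtered state a -sU scan reports when a UDP probe gets
# no reply, so nmap cannot tell an open port from a dropped packet.
SAMPLE_REPORT = """\
# Nmap scan initiated as: nmap -v -sT -sU -O -oN /tmp/nmap-tcp.log -n 192.0.2.10
Interesting ports on 192.0.2.10:
Not shown: 1675 closed ports
PORT      STATE         SERVICE
22/tcp    open          ssh
111/tcp   open          rpcbind
515/tcp   open          printer
631/tcp   filtered      ipp
111/udp   open          rpcbind
123/udp   open|filtered ntp
"""

# One table row: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(report):
    """Return (port, proto, state, service) tuples for every table row."""
    rows = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            rows.append((int(port), proto, state, service))
    return rows

def summarize(rows):
    """Count ports per proto/state. open|filtered stays its own bucket:
    nmap could not tell an open UDP port from a probe a firewall dropped."""
    return Counter(f"{proto}/{state}" for _, proto, state, _ in rows)

def listening_services(rows):
    """Ports reported definitely open, i.e. what the host really exposes."""
    return sorted((port, proto, service)
                  for port, proto, state, service in rows if state == "open")

if __name__ == "__main__":
    rows = parse_ports(SAMPLE_REPORT)
    print(dict(summarize(rows)))
    print(listening_services(rows))
```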
Sindi Keesan [keesan at grex.cyberspace.org]
On Sun, 28 Jan 2007, Rick Moen wrote:
> Quoting Sindi Keesan (keesan at grex.cyberspace.org):
>
> [nmap:]
>
>>> Obviously you don't read the whole thing. Looking up and
>>> understanding the options I cited would take you all of 15 minutes.
>>
>> But I don't understand the words they are using to explain the concepts.
>
> [Rick reviews the manpage.]
>
> No, that objection really isn't reasonable. Quoting the options'
> explanations:
>
> -v: Increase verbosity level (use twice for more effect)
I understand this part.
> Show more detail.
>
> -sT (TCP connect() scan)
>     TCP Connect() scan is the default TCP scan type when SYN scan
>     is not an option.... This is the same high-level system
>     call that web browsers, P2P clients, and most other
>     network-enabled applications use to establish a connection.
I never heard of SYN or P2P. I have heard of TCP but don't understand it.
Is P2P the same as pointopoint used by PLIP?
> Test using the same TCP connection type most apps use.
>
> -sR (RPC scan)
>     ...takes all the TCP/UDP ports found open and floods them
>     with SunRPC program NULL commands in an attempt to
>     determine whether they are RPC ports....
>
> So, adds a check for some particular -type- of connection (called
> "SunRPC" -- which happens to be, FYI, used primarily for NFS/NIS).
I never heard of any of this except NFS (something that lets you share files between computers) and Sun (a type of hardware). I am rather fuzzy about what a port is other than a number at the end of an IP address. (I am not asking you for an explanation here, just pointing out why I cannot make sense of the man pages).
> -O: Enable OS detection
>
> Self-explanatory.
>
> -oN ...: Output scan in normal... format....
>
> Self-explanatory.
>
> /tmp/nmap-tcp.log
>
> Where to log to, instead of just echoing to screen.
>
> -n ...: Never do DNS resolution....
>
> Self-explanatory.
>
> 157.22.20.227
>
> What IP I, in my particular case, was telling nmap to scan, at that
> time.
I still don't understand if I am supposed to be scanning my own system from my own system or from somewhere else or not scanning my own system at all - lots of apparently conflicting information from various people.
I spent about 15 minutes looking for my temporary IP number in my own computer. It was not in dmesg. The online site provided it. I was rather proud of myself for figuring out the local host IP number so I could scan that.
I do not have any formal computer training except a semester of Fortran IV. I never had any reason to study TCP stuff before on my own. I am teaching myself enough linux to do what I want it to do. I feel like I am usually in way over my head. Our little distribution is friendly to beginners. I contacted TAG when nobody in four years figured out why lpr was not working for root, partly because I got an email a year or two ago asking for new topics from people who had asked for help before, and I could not find any answers on the web. You are overestimating my abilities and experience.
> -sU (UDP scans)
>     Nmap can help inventory UDP ports. UDP scan is activated
>     with the -sU option.
>
> Finds UDP-oriented services.
I don't know what UDP is other than a word that shows up in dmesg near TCP.
> -sA (TCP ACK scan)
>     ...is used to map out firewall rulesets, determining whether they
>     are stateful or not and which ports are filtered.
>
> Self-explanatory.
Not if you don't know what an ACK or ruleset is or what stateful means or what it means for a port to be filtered or what a port even is.
I have a vague idea what a firewall is because I was given instructions to type two lines to create one when I was trying to go online with two computers at the same time without a telnetd.
> Now, if you'd asked our help in interpreting results of such scans, that
> I could have respected. But saying "I can't deal with that" is
> difficult to respect.
I could give you a few sentences to translate from Turkish or Albanian using an online dictionary if you want to know what it is like to be faced with pages on pages of