ibsh-devel Mailing List for Iron Bars restricted Shell for Linux
Brought to you by: nagyat
From: na <na...@en...> - 2005-04-01 06:53:03

Hey guys! I found this little code that does stdin/stdout/stderr redirection! It seems simple enough, but I don't know yet how we could implement it. With this, we may not need chroot; of course we still can put it in for added security. It looks like the prog can read the started software's stdout/err, and even stdin. What I don't know is how we could make it work to intercept bad stdin for the program that ibsh starts. I have work to do, so no time for this, but you could check it out.

Attila
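The pipe-based stdin/stdout interception described above, as an added example (not code from the ibsh project or from the attachment in this thread): the parent owns both ends of the child's stdin and stdout, checks each input line against a policy before forwarding it, and collects the child's output. The `stdin_line_allowed` policy (printable ASCII only, no control bytes) and the `run_filtered` name are constructed for this demo, and `cat` stands in for the spawned program.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed policy for this demo (not ibsh's own rules): accept a line only
 * if every byte is printable ASCII, so escape sequences and control bytes
 * never reach the child. */
int stdin_line_allowed(const char *line) {
    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        if (*p == '\n') continue;
        if (*p < 0x20 || *p > 0x7e) return 0;
    }
    return 1;
}

/* Spawn argv with stdin and stdout attached to pipes held by the parent.
 * Each line of `input` is forwarded only if the policy accepts it; the
 * child's stdout is gathered into `out`. Returns the number of dropped
 * lines, or -1 on pipe/fork failure. Input is fully written before output
 * is read, which is fine for small exchanges; a long-running child would
 * need poll() so the output pipe cannot fill up. */
int run_filtered(char *const argv[], const char *input, char *out, size_t outsz) {
    int in[2], outp[2];
    if (pipe(in) < 0 || pipe(outp) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: wire pipes to fds 0 and 1 */
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(in[0]); close(outp[1]);          /* parent keeps in[1] and outp[0] */
    int dropped = 0;
    for (const char *p = input; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) + 1 : strlen(p);
        char line[256];
        if (len >= sizeof line) { dropped++; p += len; continue; }
        memcpy(line, p, len); line[len] = '\0';
        if (!stdin_line_allowed(line)) dropped++;
        else if (write(in[1], line, len) != (ssize_t)len) dropped++;
        p += len;
    }
    close(in[1]);                          /* EOF tells the child we are done */
    size_t got = 0; ssize_t n;
    while (got + 1 < outsz && (n = read(outp[0], out + got, outsz - 1 - got)) > 0) got += (size_t)n;
    out[got] = '\0';
    close(outp[0]);
    int status; waitpid(pid, &status, 0);
    return dropped;
}
```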
From: <st...@al...> - 2005-03-31 14:03:25

Actually I think Shy is right. Have a look at those URLs, interesting:
http://www.redhat.com/archives/pam-list/2003-June/msg00021.html
http://www.redhat.com/archives/pam-list/2003-June/msg00029.html

> I think this is not the job of ibsh to provide an authentication
> system.... This job is for PAM !!!!! There are lots of PAM modules for
> database authentication....
>
> -- Shy
From: <sh...@cp...> - 2005-03-31 05:04:14

I think this is not the job of ibsh to provide an authentication system.... This job is for PAM !!!!! There are lots of PAM modules for database authentication....

-- Shy
From: na <na...@en...> - 2005-03-30 21:13:15

Exactly, this is our case. Nothing to add or to remove. This can not only be used for zigo's stuff, but otherwise as well, for any sysadmin who wants to separate the restricted users from the system users. However, only ibsh can be used as a shell for the users stored in MySQL, because of nobody. I think we can put nobody in the login.conf, so the admin may choose. Actually it may be wiser to use another user, since with nobody a user could stop certain services, or read files, if the admin is stupid enough to give them the necessary tools. Let's make a user with a uid of 65000 or so for this purpose, if possible.

Attila
From: na <na...@en...> - 2005-03-30 20:54:38

check it out
From: stazzz <st...@al...> - 2005-03-30 20:50:41

Hello there, let's use the list for discussing the idea that came tonight. This is a sum-up of the thoughts we had on the freenode channel.

Extending the authentication with databases:

- a hacked login program that receives connection requests (user+pass) and looks into the classical /etc/passwd; if it's not OK, it falls back on checking in a database. If the user+pass matches, it will spawn a new process, set*uid it to nobody (configurable?) and spawn an ibsh into it, giving this ibsh the user's records (user name, homedir, ...(?))
- this login program would be configured by a login.conf, giving the information of the account to be used to look in the database, and the database IP. The name of the table to be looked up would be set in this .conf too, and the attribute names would be fixed, the same as the /etc/passwd entries.
- this login program may accept to connect to different kinds of databases (mysql, postgresql, oracle, ...), by means of flags given at compile time triggering some #ifdef MYSQL in the code.
- if compiled with a USERRECORDCOMESFROMLOGIN flag, ibsh would accept arguments telling it the user information, and so it won't use the getpw functions to retrieve them. Whether the user authed with /etc/passwd or the database, the login program will have to give ibsh all the info of the user!

Still to be discussed and corrected...