unsubscribe

2002-04-01 Thread Rija ANDRIANALY

 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Security-Update of LISTAR broken...

2002-04-01 Thread Andrew Tait
I have had the package installed since it went into proposed-updates, it's
been working fine for me.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

- Original Message -
From: "Volker Tanger" <[EMAIL PROTECTED]>
To: 
Sent: Monday, April 01, 2002 1:47 AM
Subject: Security-Update of LISTAR broken...


> Greetings!
>
> A few days ago I updated the LISTAR maillist software (apt-get update;
> apt-get dist-upgrade) with the latest security fix (a buffer overflow
> IIRC). Since then, the program won't work anymore - does not produce
> any output, returns with exit code 75
>
> Seems the security fix is broken?
>
> Bye
> Volker
>
> --
>
> Volker Tanger [EMAIL PROTECTED]
> -===-
> Research & Development Division, WYAE
>
>



Re: scp and sftp

2002-04-01 Thread Stelios Bounanos
 > On Mon, 01 Apr 2002 10:35:35 -0500, Jon McCain
 > <[EMAIL PROTECTED]> was rumoured to have said:

 > All of this has gotten me to thinking about another flaw in the way I
 > have things set up.  I'm preventing users from getting to a $ by running
 > a menu from their profile.

 > exec /usr/bin/menu

 > This works fine since the exec causes menu to become their shell
 > process.

 > But some smart user could get around this by using pscp to upload their
 > own .bash_profile.  Even if I fix it so I have them chroot'd on their
 > home would not prevent this since this file is in their home.

Their shell will already be chrooted by the time .bash_profile is run, so I
don't see the problem here... Unless you don't want to give them a shell
at all, for some reason?

 > But changing permissions on the .bash_profile so they don't own it (and
 > not in their group) should take care of that problem.  They can read it
 > all they want, just not change it.

But they can remove and replace it with something else, since they own
the parent dir. You'd have to turn on the sticky bit of their home
dir and take away the ownership, e.g. ownership root.
and permissions 1770. This way they get a nice EPERM if they try to
mess with anything they don't own in their home directory.


Rgds,
/-sb.





Re: scp and sftp

2002-04-01 Thread Rob VanFleet
On Mon, Apr 01, 2002 at 10:35:35AM -0500, Jon McCain wrote:
> But changing permissions on the .bash_profile so they don't own it (and
> not in their group) should take care of that problem.  They can read it
> all they want, just not change it.

A cleaner solution would be to make it immutable.

(as root): chattr +i .bash_profile

HTH

-Rob






Re: scp and sftp

2002-04-01 Thread Mark Janssen
On Mon, 2002-04-01 at 18:41, Jon McCain wrote:
> Chris Reeves wrote:
> > 
> > Why not change the users' shell to /usr/bin/menu?
> > 
> 
> Because they need to be able to transfer files to their home
> directories.  If you do this, then ftp,pscp,etc won't work.  My original
> goal was to allow them to transfer files to/from home directory with
> something besides ftp (since they are going over the internet) but not
> allow them to change to directories above the home.  Proftp allowed me
> to chroot them to the home but scp/sftp does not.

Like I said in a previous post. SSH/SFTP/SCP will allow the same kind of
chroot-ing proftp does, using the chroot-patch for openssh. You'll have
to compile sshd yourself, and place some bins/libs in the user's
homedirs (maybe hardlinks to some generic skeleton dir)

Here is my ssh/chroot setup:

. == chrooted users homedir:

./bin:
total 660
drwxr-xr-x    2 root     root         4096 Mar 18 13:36 .
drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..
-r-xr-xr-x    1 root     root       531160 Feb  6 22:36 bash
-r-xr-xr-x    1 root     root        43916 Nov 29 13:19 ls
-r-xr-xr-x    1 root     root        16684 Nov 29 13:19 mkdir
-rwxr-xr-x    1 root     root        23960 Mar 18 13:36 more
-r-xr-xr-x    1 root     root         9916 Jul 26  2001 pwd
-r-xr-xr-x    1 root     root        24780 Nov 29 13:19 rm
lrwxrwxrwx    1 root     root            4 Mar 30 16:29 sh -> bash

./etc:
total 24
drwxr-xr-x    2 root     root         4096 Mar 15 16:13 .
drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..
-rw-r--r--    1 root     root           54 Mar 15 13:23 group
-rw-r--r--    1 root     root          428 Mar 15 15:56 hosts
-rw-r--r--    1 root     root           44 Mar 15 15:53 passwd
-rw-r--r--    1 root     root           52 Mar 15 13:23 shells

./lib:
total 1848
drwxr-xr-x    2 root     root         4096 Mar 18 13:37 .
drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..
-rwxr-xr-x    1 root     root        92511 Mar 15 12:49 ld-linux.so.2
-rwxr-xr-x    1 root     root      1170812 Mar 15 12:49 libc.so.6
-rw-r--r--    1 root     root        20900 Mar 15 13:01 libcrypt.so.1
-rw-r--r--    1 root     root         9436 Mar 15 12:49 libdl.so.2
-rw-r--r--    1 root     root       248132 Mar 15 12:48 libncurses.so.5
-rw-r--r--    1 root     root        71332 Mar 15 13:00 libnsl.so.1
-rw-r--r--    1 root     root        34144 Mar 15 16:10 libnss_files.so.2
-rw-r--r--    1 root     root        29420 Mar 15 12:57 libpam.so.0
-rw-r--r--    1 root     root       105498 Mar 15 12:51 libpthread.so.0
-rw-r--r--    1 root     root        25596 Mar 15 12:51 librt.so.1
-rw-r--r--    1 root     root         7760 Mar 15 12:59 libutil.so.1
-rw-r--r--    1 root     root        24328 Mar 15 12:57 libwrap.so.0

./usr:
total 16
drwxr-xr-x    4 root     root         4096 Mar 15 13:00 .
drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..
drwxr-xr-x    2 root     root         4096 Mar 15 15:55 bin
drwxr-xr-x    2 root     root         4096 Mar 15 15:37 lib

./usr/bin:
total 340
drwxr-xr-x    2 root     root         4096 Mar 15 15:55 .
drwxr-xr-x    4 root     root         4096 Mar 15 13:00 ..
-rwxr-xr-x    1 root     root        10332 Mar 15 15:55 env
-rwxr-xr-x    1 root     root        13052 Mar 15 13:13 id
-r-xr-xr-x    1 root     root        25432 Mar 15 12:40 scp
-rwxr-xr-x    1 root     root        43768 Mar 15 15:15 sftp
-r-sr-xr-x    1 root     root       218456 Mar 15 12:40 ssh
-rwxr-xr-x    1 root     root         9692 Mar 15 13:17 tty

./usr/lib:
total 852
drwxr-xr-x    2 root     root         4096 Mar 15 15:37 .
drwxr-xr-x    4 root     root         4096 Mar 15 13:00 ..
-rw-r--r--    1 root     root       771088 Mar 15 13:01 libcrypto.so.0.9.6
-rw-r--r--    1 root     root        54548 Mar 15 13:00 libz.so.1
-rwxr-xr-x    1 root     root        23096 Mar 15 15:37 sftp-server

Some of these can probably be removed in your case (I also allow some
local commands, not only sftp/scp).

Just make sure all these files are owned by root (or some other user)
and not writable by the chrooted user.

> I can use vpn to let them safely use ftp over the internet.  That's the only
> way they can use ftp since the firewall blocks ftp from the internet.
> But that still leaves the scp "hole".

Fixed :)

The chroot-patch is at: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes
or:
http://www.cag.lcs.mit.edu/~raoul/


-- 
Mark Janssen Unix / Linux, Open-Source and Internet Consultant @
SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl GnuPG Key Id:
357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl]
SyConOS.[com|nl]
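
The permission rules raised in this thread (a user who owns or can write a directory can replace files in it that they do not own, the sticky bit stops that, and jail contents should not be writable by the chrooted user), written out as a small audit script. This is an added example, not code from any poster; the function names, the numeric IDs in the demo and the reliance on GNU find and stat are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU find and stat.
# Function names are made up for this illustration; UIDs/GIDs are numeric.

# in_group GID "GID1 GID2 ...": true if GID is in the list.
in_group() {
    for g in $2; do
        [ "$g" -eq "$1" ] && return 0
    done
    return 1
}

# class_bits UID "GIDS" OWNER_UID OWNER_GID MODE
# Print the rwx digit (0-7) that applies to UID: the owner class if UID
# owns the object, else the group class, else "other".
class_bits() {
    m=$((0$5))
    if [ "$1" -eq "$3" ]; then
        echo $(( (m >> 6) & 7 ))
    elif in_group "$4" "$2"; then
        echo $(( (m >> 3) & 7 ))
    else
        echo $(( m & 7 ))
    fi
}

# can_replace UID "GIDS" DIR_UID DIR_GID DIR_MODE ENTRY_UID
# True if UID can unlink or rename an entry in that directory and so put
# its own file in its place, whatever the entry's own permissions are.
can_replace() {
    # The directory's owner can always chmod it back to writable.
    [ "$1" -eq "$3" ] && return 0
    bits=$(class_bits "$1" "$2" "$3" "$4" "$5")
    # Unlink/rename needs write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ] || return 1
    # Sticky bit (01000): only the entry's owner (or the directory's owner,
    # handled above) may remove the entry; anyone else gets EPERM.
    if [ $(( 0$5 & 01000 )) -ne 0 ] && [ "$1" -ne "$6" ]; then
        return 1
    fi
    return 0
}

# can_write UID "GIDS" ENTRY_UID ENTRY_GID ENTRY_MODE
# True if UID owns the entry (and can chmod it) or has its write bit.
can_write() {
    [ "$1" -eq "$3" ] && return 0
    bits=$(class_bits "$1" "$2" "$3" "$4" "$5")
    [ $(( bits & 2 )) -ne 0 ]
}

# audit_jail ROOT UID "GIDS"
# Print every path below ROOT that UID could modify in place (WRITE) or
# swap out through its parent directory (REPLACE). File names containing
# newlines are not handled.
audit_jail() {
    root=$1 uid=$2 gids=$3
    find "$root" -mindepth 1 -printf '%U %G %m %p\n' |
    while read -r fu fg fm p; do
        parent=$(dirname "$p")
        du=$(stat -c %u "$parent")
        dg=$(stat -c %g "$parent")
        dm=$(stat -c %a "$parent")
        if [ ! -L "$p" ] && can_write "$uid" "$gids" "$fu" "$fg" "$fm"; then
            echo "WRITE   $p"
        fi
        if can_replace "$uid" "$gids" "$du" "$dg" "$dm" "$fu"; then
            echo "REPLACE $p"
        fi
    done
}

# Constructed demo: uid/gid 1000 is the restricted user, 0 is root, and the
# file in question is a root-owned .bash_profile. The three layouts are:
# home owned by the user, root-owned 770, and root-owned 1770.
demo() {
    for layout in "1000 1000 755" "0 1000 770" "0 1000 1770"; do
        set -- $layout
        if can_replace 1000 "1000" "$1" "$2" "$3" 0; then
            verdict=replaceable
        else
            verdict=protected
        fi
        echo "home uid=$1 gid=$2 mode=$3: root-owned .bash_profile is $verdict"
    done
}
demo
```

Call `audit_jail` with the jail path and the jailed user's numeric IDs (`id -u`, `id -G`). A jail root owned by the jailed user, as the `..` entries in the listing show, is reported as REPLACE for each top-level directory.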




Re: scp and sftp

2002-04-01 Thread Jon McCain
Chris Reeves wrote:
> 
> Why not change the users' shell to /usr/bin/menu?
> 

Because they need to be able to transfer files to their home
directories.  If you do this, then ftp,pscp,etc won't work.  My original
goal was to allow them to transfer files to/from home directory with
something besides ftp (since they are going over the internet) but not
allow them to change to directories above the home.  Proftp allowed me
to chroot them to the home but scp/sftp does not.

I can use vpn to let them safely use ftp over the internet.  That's the only
way they can use ftp since the firewall blocks ftp from the internet.
But that still leaves the scp "hole".






Re: Debian mail server.

2002-04-01 Thread Tim van Erven
On Mon, Apr 01, 2002 at 02:45:30PM +0200, Lupe Christoph <[EMAIL PROTECTED]> 
wrote:
> (ext3 had good marks in a recent test in c't. Most (all?) others
> put bad data in files after a crash.)

That's because most of the others only do meta-data journaling and not
file-data journaling like ext3 does (by default; see
http://lwn.net/2001/0802/a/ext3-modes.php3 for details).

-- 
Tim van Erven <[EMAIL PROTECTED]>





Re: scp and sftp

2002-04-01 Thread Chris Reeves
On Mon, Apr 01, 2002 at 10:35:35AM -0500, Jon McCain wrote:
> All of this has gotten me to thinking about another flaw in the way I
> have things set up.  I'm preventing users from getting to a $ by running
> a menu from their profile.
> 
> exec /usr/bin/menu
> 
> This works fine since the exec causes menu to become their shell
> process.
> 
> But some smart user could get around this by using pscp to upload their
> own .bash_profile.  Even if I fix it so I have them chroot'd on their
> home would not prevent this since this file is in their home.
> 
> But changing permissions on the .bash_profile so they don't own it (and
> not in their group) should take care of that problem.  They can read it
> all they want, just not change it.

Why not change the users' shell to /usr/bin/menu? 

Bye,
Chris
-- 
http://www.tuxedo.org/~esr/faqs/smart-questions.html
  __   _
  -o)/ /  (_)__  __   __  Chris Reeves
  /\\ /__/ / _ \/ // /\ \/ /  ICQ# 22219005
 _\_v __/_/_//_/\_,_/ /_/\_\





re: scp and sftp

2002-04-01 Thread Jon McCain
All of this has gotten me to thinking about another flaw in the way I
have things set up.  I'm preventing users from getting to a $ by running
a menu from their profile.

exec /usr/bin/menu

This works fine since the exec causes menu to become their shell
process.

But some smart user could get around this by using pscp to upload their
own .bash_profile.  Even if I fix it so I have them chroot'd on their
home would not prevent this since this file is in their home.

But changing permissions on the .bash_profile so they don't own it (and
not in their group) should take care of that problem.  They can read it
all they want, just not change it.





Re: scp and sftp

2002-04-01 Thread Marcin Owsiany
On Mon, Apr 01, 2002 at 10:04:50AM -0300, Pedro Zorzenon Neto wrote:
> With the following commands, you can copy files without "scp":
> 
>   $ cat localfile | ssh somehost "cat > /somedir/remotefile"
>   $ ssh somehost "cat /somedir/remotefile" > localfile
> 
> So, it seems unuseful to disable "scp" and enable "ssh"...

You might want to enable ssh with /usr/bin/passwd as user's shell.
Disabling scp then seems to make sense.

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216





Re: scp and ftp

2002-04-01 Thread Noah L. Meyerhans
On Mon, Apr 01, 2002 at 09:35:46AM -0500, Jon McCain wrote:
> concern.  Users can ssh into my machine but their profiles are fixed to
> run a menu of things I allow them to do.  Thus they can't get to the $
> prompt and thus can't cd to other directories to see what's there.  And
> even if they did, permissions are set so they could not overwrite important
> files.  I simply don't want them to be able to read stuff not in their
> own home.  Files like /etc/passwd,/etc/shadow,etc. Anything with

I wouldn't worry about them overwriting things like /etc/shadow, or even
reading it.  Just make sure permissions are set properly on the files
that you care about.  Debian does not leave critical information
world-readable by default, so provided you don't make a mess out of the
default permissions, you should be fine.

There are plenty of shell servers out there that support hundreds of
concurrent users, and I've never come across one that tries to restrict
access to files that would commonly be world-readable.

Also, you should probably check to see if something like
 ssh  /bin/cat /etc/passwd
works.  If it does, then that's the same as scp, and it's not likely
that you'll be easily able to prevent this behavior.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




re: scp and sftp

2002-04-01 Thread Jon McCain
I think some of you misunderstood me.  I was not clear about my
concern.  Users can ssh into my machine but their profiles are fixed to
run a menu of things I allow them to do.  Thus they can't get to the $
prompt and thus can't cd to other directories to see what's there.  And
even if they did, permissions are set so they could not overwrite important
files.  I simply don't want them to be able to read stuff not in their
own home.  Files like /etc/passwd,/etc/shadow,etc. Anything with
information someone could use to locally exploit the machine.  But you
can use pscp from a windows machine and poke around and download files
from places other than your home directory.

If there is another email list that this is more appropriate for, let me
know.





Re: scp and sftp

2002-04-01 Thread Jon McCain
> 
> > The user can change to directories above their home.
> > Is there a way to chroot them
> 
> Use restricted bash shell for the user (/bin/rbash) in the
> /etc/passwd.
> 

This does not seem to affect sshd.  I changed a user to use rbash but I
could still go to a windows machine and use the putty program pscp to
get a file from /etc.   

pscp [EMAIL PROTECTED]:/etc/passwd passwd.txt


Maybe it's simply just not a feature of openssh. I think I'll
investigate that chroot patch to sshd someone mentioned.  I think they
said it was for woody, but I'll see if it works with potato.





re: scp and ftp

2002-04-01 Thread Jon McCain
I'm not sure if this message made it through.  Our ISP was having
problems this morning.
Sorry if you get this message twice.


I think some of you misunderstood me.  I was not clear about my
concern.  Users can ssh into my machine but their profiles are fixed to
run a menu of things I allow them to do.  Thus they can't get to the $
prompt and thus can't cd to other directories to see what's there.  And
even if they did, permissions are set so they could not overwrite important
files.  I simply don't want them to be able to read stuff not in their
own home.  Files like /etc/passwd,/etc/shadow,etc. Anything with
information someone could use to locally exploit the machine.  But you
can use pscp from a windows machine and poke around and download files
from places other than your home directory.

If there is another email list that this is more appropriate for, let me
know.





Re: Debian mail server.

2002-04-01 Thread Lupe Christoph
On Monday, 2002-04-01 at 13:47:21 +0200, Lars Roland Kristiansen wrote:
> I am going to configure a debian mail server for my company (only 20
> employees). I have 2 40 gig disks which are going to run raid 1. I am going
> to configure it with wu-imap/pop3 and postfix. Is there any special
> security thing I should consider (the server is placed in DMZ because 2-3
> people are going to get mail from it outside our internal network). What
> about the size of the partitions I was thinking.

I prefer cyrus IMAP, but that's a personal preference, i.e.
no hard facts, just because WU FTPD is so bug-ridden.

I'd recommend installing AMaViS along with some virus scanner. I'm using
Kaspersky because it had a good recognition rate in a test and because
those Russians care more about Linux than most other AV vendors.
Also, AMaViS and the Kaspersky scanner can both run as daemons, saving
repeated startups of heavy-weight programs. (Use amavisd, not
amavis-perl, or even amavis-the-old-version ;-)

Maybe also a filter that keeps obnoxious attachments away like
scanmail.

> 100 megs for /boot
> 5000 megs for /
> rest for /var

I'd separate out the postfix hierarchy and the IMAP hierarchy
on separate volumes and watch them (and the others) with mon for
space usage. And then because it's hard to guess how much space
those will need, I'd use lvm. And a log-based filesystem, like
ext3 to get faster boots with large filesystems.

(ext3 had good marks in a recent test in c't. Most (all?) others
put bad data in files after a crash.)

> I will also put up iptables, webmin and sshd but no X.   

I don't have to tell you that webmin is real dangerous in a DMZ.
For remote access, I'd restrict to POP3 and IMAP over SSL. You
could also tunnel POP3 and IMAP over SSL and relay them to an
internal machine. Not much better, though. Maybe worse...

Putting the IMAP server in a chroot jail would also give you
an increase in security.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|






Re: scp and sftp

2002-04-01 Thread Pedro Zorzenon Neto
On Sat, Mar 30, 2002 at 10:24:28PM -0500, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole.  Winscp does the same thing. 
> The user can change to directories above their home.  Is there a way to
> chroot them like you can in an ftp config file?  I don't see anything in
> the sshd config files.  If you can't, how can I disable the scp
> functionality?  I'm not talking about scp from the linux box.  The users
> don't have shell access so that's not a problem.  I'm referring to
> remote people using a scp client to access my linux machine.  You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.
> 
> I did not see anything about this issue on the openssh web site. 
> Anybody got any suggestions?

With the following commands, you can copy files without "scp":

  $ cat localfile | ssh somehost "cat > /somedir/remotefile"
  $ ssh somehost "cat /somedir/remotefile" > localfile

So, it seems unuseful to disable "scp" and enable "ssh"...





re: scp and sftp

2002-04-01 Thread Jon McCain

All of this has gotten me to thinking about another flaw in the way I
have things set up.  I'm preventing users from getting to a $ by running
a menu from their profile.

exec /usr/bin/menu

This works fine since the exec causes menu to become their shell
process.

But some smart user could get around this by using pscp to upload their
own .bash_profile.  Even if I fix it so I have them chroot'd on their
home would not prevent this since this file is in their home.

But changing permissions on the .bash_profile so they don't own it (and
not in their group) should take care of that problem.  They can read it
all they want, just not change it.






Re: scp and sftp

2002-04-01 Thread Marcin Owsiany

On Mon, Apr 01, 2002 at 10:04:50AM -0300, Pedro Zorzenon Neto wrote:
> With the following commands, you can copy files without "scp":
> 
>   $ cat localfile | ssh somehost "cat > /somedir/remotefile"
>   $ ssh somehost "cat /somedir/remotefile" > localfile
> 
> So, it seems unuseful to disable "scp" and enable "ssh"...

You might want to enable ssh with /usr/bin/passwd as user's shell.
Disabling scp then seems to make sense.

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
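
An added sketch (not code from any poster or from OpenSSH) of what the two suggestions above rely on, a menu or /usr/bin/passwd as the login shell: sshd starts the account's shell with no arguments for an interactive login, but as `<shell> -c "<command>"` for scp, sftp and remote commands, so a shell that refuses `-c` stops both pscp and the `ssh somehost cat` copy. The function names and the `/usr/bin/mail` menu entry are assumptions.

```shell
#!/bin/sh
# Added example: a login shell in the role of /usr/bin/menu.
# sshd starts the account's shell in two ways:
#   interactive login           -> <shell>              (no arguments)
#   scp, sftp, "ssh host cmd"   -> <shell> -c "<command>"
# A menu started from ~/.bash_profile only covers the first case.

# decide_mode ARGS...: prints "menu" for an interactive login, else "deny".
decide_mode() {
    if [ "$#" -eq 0 ]; then echo menu; else echo deny; fi
}

# describe_request ARGS...: name a refused "-c" request so it can be logged.
describe_request() {
    if [ "$1" != "-c" ]; then echo unknown; return 0; fi
    case "$2" in
        "scp "*)       echo scp ;;            # pscp/scp: "scp -f" or "scp -t"
        *sftp-server*) echo sftp ;;           # sftp subsystem binary
        *)             echo remote-command ;; # e.g. cat /somedir/remotefile
    esac
}

# menu_target KEY: map a menu key to a fixed program. Input is only ever
# compared against literals, never handed to a shell.
menu_target() {
    case "$1" in
        1) echo /usr/bin/passwd ;;
        2) echo /usr/bin/mail ;;   # hypothetical menu entry
        q) echo quit ;;
        *) echo invalid ;;
    esac
}

# restricted_shell ARGS...: entry point when installed as the login shell.
restricted_shell() {
    if [ "$(decide_mode "$@")" = deny ]; then
        echo "refused: $(describe_request "$@")" >&2
        return 1
    fi
    while printf '1) password  2) mail  q) quit\n> ' && read -r key; do
        target=$(menu_target "$key")
        case "$target" in
            quit)    return 0 ;;
            invalid) echo "unknown choice" ;;
            *)       "$target" ;;
        esac
    done
}

# Constructed invocations: the commands sshd would pass for a pscp download
# and for the "ssh somehost cat ..." copy quoted in the thread.
for cmd in "scp -f /etc/passwd" "cat /somedir/remotefile"; do
    echo "-c '$cmd' -> $(decide_mode -c "$cmd") ($(describe_request -c "$cmd"))"
done
```

Installed as the account's shell in /etc/passwd, the script would end with `restricted_shell "$@"` in place of the demonstration loop.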






Re: Debian mail server.

2002-04-01 Thread Alvin Oga

hi ya lars

- make sure the 2 disks are on 2 different ide cables..
- make sure its "fd" partition type

- use secure pop3s or secure imap... 
http://www.Linux-Sec.net/Mail/secure_pop3.txt

- since it's pop ... supposedly internal corp users... 
i'd put the secure pop3s server inside the firewall

- for those few that read mail from home...
- let them in via ssh... maybe vpn them inside before 
secure pop3s connections to their mails ...


- put sendmail on one machine  and pop3s on a different machine
- no common login name between pop3s accounts and user shell accts


for size of partitions ( everybody seems to have diff preferences
and why its that way vs another.. )
/     - small as possible 64MB - 128Mb
/tmp  - 128MB
/var  - 1GB  for mail stuff
/usr  - 2048 or 4096MB for /usr stuff
/opt  - rest of the disk for user stuff ( /home, /usr/local )

more/collection of partition stuff ... 
http://www.Linux-1U.net/Installation/partition.gwif.html


c ya
alvin
http://www.Linux-Sec.net 


On Mon, 1 Apr 2002, Lars Roland Kristiansen wrote:

> I am going to configure a Debian mail server for my company (only 20
> employees). I have 2 40 gig disks which are going to run raid 1. I am going
> to configure it with wu-imap/pop3 and postfix. Is there any special
> security thing I should consider (the server is placed in DMZ because 2-3
> people are going to get mail from it outside our internal network)? What
> about the size of the partitions? I was thinking:
> 
> 100 megs for /boot
> 5000 megs for /
> rest for /var
> 
> (just to make raid easier)
> 
> I will also put up iptables, webmin and sshd but no X.   
> 





Re: Debian mail server.

2002-04-01 Thread Bernhard R. Link
* Lars Roland Kristiansen <[EMAIL PROTECTED]> [020401 13:52]:
> I am going to configure a Debian mail server for my company (only 20
> employees). I have 2 40 gig disks which are going to run raid 1. I am going
> to configure it with wu-imap/pop3 and postfix. Is there any special
> security thing I should consider (the server is placed in DMZ because 2-3
> people are going to get mail from it outside our internal network)? What
> about the size of the partitions? I was thinking:
> 100 megs for /boot
> 5000 megs for /
> rest for /var
> 
> (just to make raid easier)

Not because of security, but because of stability, you might
think of putting /var/mail and/or spool directories as extra
partitions to avoid overruns rendering the system unusable.

If allowing imap/pop without ssl, you might either separate postfix
and imap/pop in some extra account management, or make the accounts
unusable otherwise (i.e. no shell, no procmail etc)

Hochachtungsvoll,
  Bernhard R. Link

-- 
"(C)2002 Google - Searching 2,073,418,204 web pages and skipping
4,475,243,576 pages under the DMCA"





Re: scp and ftp

2002-04-01 Thread Noah L. Meyerhans

On Mon, Apr 01, 2002 at 09:35:46AM -0500, Jon McCain wrote:
> concern.  Users can ssh into my machine but their profiles are fixed to
> run a menu of things I allow them to do.  Thus they can't get to the $
> prompt and thus can't cd to other directories to see what's there.  And
> even if they did, permissions are set so they could not overwrite important
> files.  I simply don't want them to be able to read stuff not in their
> own home.  Files like /etc/passwd, /etc/shadow, etc. Anything with

I wouldn't worry about them overwriting things like /etc/shadow, or even
reading it.  Just make sure permissions are set properly on the files
that you care about.  Debian does not leave critical information
world-readable by default, so provided you don't make a mess out of the
default permissions, you should be fine.

There are plenty of shell servers out there that support hundreds of
concurrent users, and I've never come across one that tries to restrict
access to files that would commonly be world-readable.

Also, you should probably check to see if something like
 ssh  /bin/cat /etc/passwd
works.  If it does, then that's the same as scp, and it's not likely
that you'll be easily able to prevent this behavior.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





re: scp and sftp

2002-04-01 Thread Jon McCain

I think some of you misunderstood me.  I was not clear about my
concern.  Users can ssh into my machine but their profiles are fixed to
run a menu of things I allow them to do.  Thus they can't get to the $
prompt and thus can't cd to other directories to see what's there.  And
even if they did, permissions are set so they could not overwrite important
files.  I simply don't want them to be able to read stuff not in their
own home.  Files like /etc/passwd, /etc/shadow, etc. Anything with
information someone could use to locally exploit the machine.  But you
can use pscp from a windows machine and poke around and download files
from places other than your home directory.

If there is another email list that this is more appropriate for, let me
know.






Re: scp and sftp

2002-04-01 Thread Jon McCain

> 
> > The user can change to directories above their home.
> > Is there a way to chroot them
> 
> Use restricted bash shell for the user (/bin/rbash) in the
> /etc/passwd.
> 

This does not seem to affect sshd.  I changed a user to use rbash but I
could still go to a windows machine and use the putty program pscp to
get a file from /etc.   

pscp [EMAIL PROTECTED]:/etc/passwd passwd.txt


Maybe it's simply just not a feature of openssh. I think I'll
investigate that chroot patch to sshd someone mentioned.  I think they
said it was for woody, but I'll see if it works with potato.






re: scp and ftp

2002-04-01 Thread Jon McCain

I'm not sure if this message made it through.  Our ISP was having
problems this morning.
Sorry if you get this message twice.


I think some of you misunderstood me.  I was not clear about my
concern.  Users can ssh into my machine but their profiles are fixed to
run a menu of things I allow them to do.  Thus they can't get to the $
prompt and thus can't cd to other directories to see what's there.  And
even if they did, permissions are set so they could not overwrite important
files.  I simply don't want them to be able to read stuff not in their
own home.  Files like /etc/passwd, /etc/shadow, etc. Anything with
information someone could use to locally exploit the machine.  But you
can use pscp from a windows machine and poke around and download files
from places other than your home directory.

If there is another email list that this is more appropriate for, let me
know.






Re: Debian mail server.

2002-04-01 Thread Lupe Christoph

On Monday, 2002-04-01 at 13:47:21 +0200, Lars Roland Kristiansen wrote:
> I am going to configure a Debian mail server for my company (only 20
> employees). I have 2 40 gig disks which are going to run raid 1. I am going
> to configure it with wu-imap/pop3 and postfix. Is there any special
> security thing I should consider (the server is placed in DMZ because 2-3
> people are going to get mail from it outside our internal network)? What
> about the size of the partitions? I was thinking:

I prefer cyrus IMAP, but that's a personal preference, i.e.
no hard facts, just because WU FTPD is so bug-ridden.

I'd recommend installing AMaViS along with some virus scanner. I'm using
Kaspersky because it had a good recognition rate in a test and because
those Russians care more about Linux than most other AV vendors.
Also, AMaViS and the Kaspersky scanner can both run as daemons, saving
repeated startups of heavy-weight programs. (Use amavisd, not
amavis-perl, or even amavis-the-old-version ;-)

Maybe also a filter that keeps obnoxious attachments away like
scanmail.

> 100 megs for /boot
> 5000 megs for /
> rest for /var

I'd separate out the postfix hierarchy and the IMAP hierarchy
on separate volumes and watch them (and the others) with mon for
space usage. And then because it's hard to guess how much space
those will need, I'd use lvm. And a log-based filesystem, like
ext3 to get faster boots with large filesystems.

(ext3 had good marks in a recent test in c't. Most (all?) others
put bad data in files after a crash.)

> I will also put up iptables, webmin and sshd but no X.   

I don't have to tell you that webmin is real dangerous in a DMZ.
For remote access, I'd restrict to POP3 and IMAP over SSL. You
could also tunnel POP3 and IMAP over SSL and relay them to an
internal machine. Not much better, though. Maybe worse...

Putting the IMAP server in a chroot jail would also give you
an increase in security.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|






Debian mail server.

2002-04-01 Thread Lars Roland Kristiansen
I am going to configure a Debian mail server for my company (only 20
employees). I have 2 40 gig disks which are going to run raid 1. I am going
to configure it with wu-imap/pop3 and postfix. Is there any special
security thing I should consider (the server is placed in DMZ because 2-3
people are going to get mail from it outside our internal network)? What
about the size of the partitions? I was thinking:

100 megs for /boot
5000 megs for /
rest for /var

(just to make raid easier)

I will also put up iptables, webmin and sshd but no X.   

___
Mvh./Yours sincerely

Lars 


Lars Roland Kristiansen | Email:[EMAIL PROTECTED] 
Stu. Sci. Math/Computer science | TLF(home):39670663 
Copenhagen University - | Home address: Emdrupvej 175 
Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV 
Url: www.math.ku.dk |


   "Politics is for the moment, equations are forever"
- Albert Einstein

















