Re: [Leaf-devel] Weblet Enhancements
Hi, I may be missing something in this, so do CMIIW, but;

On Tue, Jul 02, 2002 at 09:18:31AM -0500, Charles Steinkuehler wrote:

there is a *=* case which resets the parameter list in sh-httpd, it disables constructs like foo=bar&baz=foo I guess parameters without a value would pass fine

Thanks for the detail...I'll see if I can remember why this was specifically added when reviewing the code (hopefully sometime in the near future).

OK, I dug out my CGI references, and what I have indicates the command line arguments should only be parsed and provided to scripts if the GET or HEAD request does *NOT* contain an unencoded equals sign, which is why the arguments are cleared if there's an equal sign present.

Knowing nothing at all about any of these issues, I went ahead and built the form for setting times etc. on my blinder-thingie using how-to's and a couple of similar pages as template. This is on the weblet that comes with bering 1.0rc2. It's GET, plain and simple, it works nicely, and the sort of string that is passed to my script by weblet in $QUERY_STRING is:

SelDAY=1&SUNUP=0630&SUNRISE=30&SUNDOWN=2230&SUNSET=1&ONOFF=1

Just to be sure, I went and checked the script that parses this, and it does indeed look for the '='s (and the '?'s) in order to break it up. I looked at sh-httpd, and I see the place in do-cgi() where it checks for '*=*', but either: There's something I don't understand, or It doesn't work as intended... (?)

I just thought I should mention this, in case someone is about to go over sh-httpd, and passing multiple arguments in this fashion is a no-no...

My understanding is cgi scripts receiving data like the above example via a GET or HEAD request are supposed to refer to the QUERY_STRING variable, which should be properly exported by sh-httpd.

- or maybe this explains it?

In any case, FWIW I agree that authentication, however nice it would be, can't compete with tunneling through ssh...
0.02 currency Regards, Jon --- This sf.net email is sponsored by:ThinkGeek No, I will not fix your computer. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] sh-httpd weblet web-config
Lynn

At 04:11 03.07.2002, you wrote:

On Tuesday 02 July 2002 08:33, Charles Steinkuehler wrote:

First, a point of order. In my view of the world, there are two major issues currently being discussed:

snip

I think it would probably help prevent confusion if mods to the web server itself refer to sh-httpd, while issues related to making html/cgi code to monitor or configure the system use the weblet moniker.

Agreed, I attempted to clarify this earlier. I considered anything with configuration a separate entity, but if Weblet is modularized the argument is moot.

...

I don't have a huge amount of time myself, but I can work on the core integration with the present Release(s) configuration to a script-based one. In honesty, I really haven't gone through much of the present CGI/Weblet scripts yet. If I can catch up with Richard's changes, I'll be happy to help in any manner there as well. It appears that I was working in a reverse order to everyone else... ;-)

I believe most of the stuff Richard has done is accessing the existing information and reorganizing the config files. This will make it easier to do the actual config stuff. I am concentrating (with what little time I have left) right now on the weblet stuff, e.g. being able to present the parameters to the cgi script in a standardised way.

I am still looking for a working patch to my sh-httpd (0.4.1, from DCD 1.02). I have not been able to apply the one Peter mailed, it probably got mangled by the mail client on the way, so if anyone has a patched sh-httpd 0.4.1 or later would you please mind sharing it with me :-)

My suggestion is to present the parameters from the HTTP form in environment variables of the same name prefixed with something you can set in weblet.conf, e.g. in GET format

./whatever.cgi?foo=bar&baz=baf

${prefix}${foo} will have a value of bar
${prefix}${baz} will have a value of baf

Ideas, critics...

thanks
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [Leaf-devel] OpenSSH security
Nathan Angelacos wrote:

I'm curious about /etc/group modification? I've upgraded two (2) potato's and two (2) woody's. Yes, there is a new user in passwd/shadow; but, I do not have any new group for sshd. Yes, I have seen the instructions for installing manually; but, I cannot find a reason for the special group. What do you think?

Good question. I wondered the same thing, figured 'cause Theo said so.. and dismissed it. But after you asked, I checked the source... :-)

sshd.c in privsep_preauth_child does a setgid() from the sshd's primary group (in passwd) when setting up the chroot jail. The manual instructions make sure that the uid:gid is sshd:sshd. So I guess 'cause Theo said so works. :-)

I'm curious though, on your debian systems, what is the gid for the sshd user? The sshd.c source seems to indicate that sshd will fail if the group doesn't exist.

OK, here is the debian position:

[a] # grep ssh /etc/passwd
/etc/passwd:sshd:x:103:65534::/home/sshd:/bin/false

[b] # grep 65534 /etc/group
nogroup:x:65534:

[c] According to the openssh sshd.8 manpage:

/var/empty
chroot(2) directory used by sshd during privilege separation in the pre-authentication phase. The directory should not contain any files and must be owned by root and not group or world-writable.

[d] debian changed this at compile time to: /var/run/sshd

[e] So, there is *NO* requirement for group sshd.

[f] There is a requirement for an existing directory to which to chroot -- the default is /var/empty .

Therefore, in my ssh v3.4p1 distribution for LEAF, I am adding the sshd user and using the debian nogroup group. Regardless which way to go, an *empty* /var/empty directory *MUST* exist!

hth

--
Best Regards,
mds
mds resource 888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
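The prerequisites worked out in the message above (the sshd user's gid must resolve to a group, and the chroot directory must exist, be empty, be owned by root and not be group- or world-writable), written as a check script. This is an added example, not part of the original message or of OpenSSH; `check_privsep`, `demo` and their parameters are hypothetical names, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for sshd privilege separation.
# check_privsep PASSWD GROUP DIR [OWNER_UID] prints one finding per line and
# returns 1 if there were any. All paths are parameters (an assumption of
# this example) so it can be pointed at a package tree or a live system.
check_privsep() {
    _passwd=$1; _group=$2; _dir=$3; _owner=${4:-0}; _bad=0

    # The thread reports that the privsep child does setgid() to the sshd
    # user's primary group, so that gid must resolve to a group entry.
    # The group does not have to be called "sshd" (Debian uses nogroup).
    _gid=$(awk -F: '$1 == "sshd" { print $4; exit }' "$_passwd")
    if [ -z "$_gid" ]; then
        echo "no sshd user in $_passwd"; _bad=1
    elif ! awk -F: -v g="$_gid" '$3 == g { f = 1 } END { exit !f }' "$_group"
    then
        echo "gid $_gid of user sshd is missing from $_group"; _bad=1
    fi

    # The chroot directory must exist, be empty, belong to root (OWNER_UID,
    # default 0) and not be group- or world-writable.
    if [ -L "$_dir" ] || [ ! -d "$_dir" ]; then
        echo "$_dir is not a directory"; return 1
    fi
    [ -z "$(ls -A "$_dir")" ] || { echo "$_dir is not empty"; _bad=1; }
    # ls -ldn prints e.g. "drwxr-xr-x 2 0 0 ..."; field 3 is the numeric owner.
    _mode=$(ls -ldn "$_dir" | awk '{ print $1; exit }')
    _uid=$(ls -ldn "$_dir" | awk '{ print $3; exit }')
    [ "$_uid" = "$_owner" ] || { echo "$_dir is owned by uid $_uid"; _bad=1; }
    case $_mode in
        ?????w*|????????w*) echo "$_dir is group- or world-writable"; _bad=1 ;;
    esac
    return "$_bad"
}

# Constructed sample mirroring the Debian layout quoted in the message.
# The current uid stands in for root so the demo also runs unprivileged.
demo() {
    _t=$(mktemp -d) || return 1
    printf 'sshd:x:103:65534::/home/sshd:/bin/false\n' > "$_t/passwd"
    printf 'nogroup:x:65534:\n' > "$_t/group"
    mkdir "$_t/empty" && chmod 755 "$_t/empty"
    check_privsep "$_t/passwd" "$_t/group" "$_t/empty" "$(id -u)"
    _rc=$?
    rm -rf "$_t"
    return "$_rc"
}
demo && echo "privsep prerequisites look sane"
```

On a live system the call would be `check_privsep /etc/passwd /etc/group /var/empty`, or `/var/run/sshd` for the Debian build described above.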
Re: [Leaf-devel] Weblet Enhancements
My understanding is cgi scripts receiving data like the above example via a GET or HEAD request are supposed to refer to the QUERY_STRING variable, which should be properly exported by sh-httpd.

- or maybe this explains it?

It does indeed, one can use QUERY_STRING instead of $1

I believe the easiest way (for the user) is to implement all the variables in sh-httpd so it will provide your parameters as ${SelDAY} ${SUNUP} ... this is quite easy to do in sh-httpd, I will start with it as soon as I get the patched version for POST.

If this is how apache, and other web servers work, I have no problem with making sh-httpd follow suit. I think, however, that the behavior you describe is not part of the normal CGI interface, so any scripts depending on the above functionality will only work on sh-httpd, and would not work on something like thttpd, apache, boa, &c...

NOTE: Parsing of the QUERY_STRING for form data can be easily done by a few shell routines in a cgi.include file (or similar)...it doesn't have to be done by the web-server for convenience.

Should we maybe troll the leaf-user list for someone with extensive web/cgi design experience? I don't have anything that indicates form data should be pre-processed by the web-server and provided as command line arguments, but I'm a cgi neophyte.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-devel] Weblet Enhancements
Hi Charles

At 16:36 03.07.2002, you wrote:

My understanding is cgi scripts receiving data like the above example via a GET or HEAD request are supposed to refer to the QUERY_STRING variable, which should be properly exported by sh-httpd.

- or maybe this explains it?

It does indeed, one can use QUERY_STRING instead of $1

I believe the easiest way (for the user) is to implement all the variables in sh-httpd so it will provide your parameters as ${SelDAY} ${SUNUP} ... this is quite easy to do in sh-httpd, I will start with it as soon as I get the patched version for POST.

If this is how apache, and other web servers work, I have no problem with making sh-httpd follow suit. I think, however, that the behavior you describe is not part of the normal CGI interface, so any scripts depending on the above functionality will only work on sh-httpd, and would not work on something like thttpd, apache, boa, &c...

The CGI source http://hoohoo.ncsa.uiuc.edu/cgi/ you mentioned yesterday is the actual reference. There is no other format defined but as you find in the examples section there are libraries ready to provide access to the parameters. Actually it's been quite a while since I coded CGI's in shell. Perl for example has a multitude of CGI interfaces available which take the burden out of decoding the CGI stream.

NOTE: Parsing of the QUERY_STRING for form data can be easily done by a few shell routines in a cgi.include file (or similar)...it doesn't have to be done by the web-server for convenience.

Correct, but it would be a very central location and easy to maintain.

Should we maybe troll the leaf-user list for someone with extensive web/cgi design experience? I don't have anything that indicates form data should be pre-processed by the web-server and provided as command line arguments, but I'm a cgi neophyte.

Sounds sensible

take care
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
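One way to combine the two proposals in this thread, prefixed per-field variables and parsing in a cgi.include-style file, without letting a request choose arbitrary variable names. This is an added example, not sh-httpd or weblet code; `urldecode`, `parse_query` and the `FORM_` prefix are hypothetical, and fields are assumed to be separated by `&`.

```shell
#!/bin/sh
# Added example: cgi.include-style form parsing for a shell CGI script.
# Function names and the FORM_ prefix are hypothetical, not from sh-httpd.

# urldecode STRING: print STRING with '+' as space and %XX decoded.
# Fails on %00, which a shell variable cannot hold.
urldecode() {
    _rest=$(printf '%s' "$1" | tr '+' ' ')
    _out=
    while [ -n "$_rest" ]; do
        case $_rest in
            %00*) return 1 ;;
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                _hex=${_rest#'%'}
                _hex=${_hex%"${_hex#??}"}          # first two characters
                _ch=$(printf '%bx' "\\0$(printf '%o' "0x$_hex")")
                _out=$_out${_ch%x}                 # 'x' protects a decoded newline
                _rest=${_rest#'%'??}
                ;;
            *)
                _out=$_out${_rest%"${_rest#?}"}    # copy one literal character
                _rest=${_rest#?}
                ;;
        esac
    done
    printf '%s' "$_out"
}

# parse_query PREFIX QUERY: set ${PREFIX}${name} for each name=value field.
# Returns 1 on an empty or non-identifier prefix or field name, so a request
# can never assign PATH, IFS or any other variable outside the prefix.
parse_query() {
    _prefix=$1
    _query=$2
    case $_prefix in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;; esac
    while [ -n "$_query" ]; do
        _field=${_query%%'&'*}
        case $_query in *'&'*) _query=${_query#*'&'} ;; *) _query= ;; esac
        [ -n "$_field" ] || continue
        _name=${_field%%=*}
        case $_field in *=*) _value=${_field#*=} ;; *) _value= ;; esac
        case $_name in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
        _value=$(urldecode "$_value" && echo x) || return 1
        # Only validated identifier characters reach eval; the value is
        # referenced by name, never expanded into the evaluated text.
        eval "${_prefix}${_name}=\${_value%x}"
    done
}

# Constructed sample modelled on the query string discussed in the thread.
parse_query FORM_ 'SelDAY=1&SUNUP=0630&SUNRISE=30&SUNDOWN=2230&SUNSET=1&ONOFF=1'
echo "SUNUP=$FORM_SUNUP SUNDOWN=$FORM_SUNDOWN"
```

A CGI script would source the file and call `parse_query FORM_ "$QUERY_STRING"`; decoded values are data only and still need quoting wherever the script uses them.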
[Leaf-devel] Introducing myself
Hi all,

my name is Luigi Capriotti, and I've been using LEAF-based routers (all varieties) for more than one year. Recently I've become more and more interested in LEAF development and begun to create packages myself. I've a working virtual environment, with which I've recently upgraded openssh packages (to 3.4p1) and squid (to 2.4S6).

I've been following the list silently for a while, but since I'm experiencing more and more with LEAF development I'm taking the opportunity to introduce myself to the members of this list, and link my pico-site with my Bering-based cd-rom with the two aforementioned packages:

http://web.tiscali.it/l_capriotti/

or the Italian mirror:

http://khazad-dum.orson.it/~usergroup/lc_firewall/ (possibly faster)

Looking forward to contributing to the list.

Cheers,
Luigi
[Leaf-devel] lrp partition size...
Just subscribed to this list... but I have been browsing the archives. I'm working on an lrp image, and I clearly don't have the partitioning down right.

# df -h
Filesystem      Size      Used Available Use% Mounted on
/dev/root       6.0M      3.4M      2.6M  57% /
tmpfs          30.7M         0     30.7M   0% /tmp
tmpfs           2.0M      2.0M         0 100% /var/log

How does one go about changing them? This is a Bering distro.

Also I noticed the new ssh looks like it can be compiled without zlib, saving ~24k. Anyone more experienced putting that together?

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george
Re: [Leaf-devel] lrp partition size...
On Wednesday 03 July 2002 19:26, George Georgalis wrote:

Just subscribed to this list... but I have been browsing the archives. I'm working on an lrp image, and I clearly don't have the partitioning down right.

# df -h
Filesystem      Size      Used Available Use% Mounted on
/dev/root       6.0M      3.4M      2.6M  57% /
tmpfs          30.7M         0     30.7M   0% /tmp
tmpfs           2.0M      2.0M         0 100% /var/log

What's wrong?

mountpoints / and /var/log can be changed in /linuxrc. To add partitions modify /etc/fstab. Don't worry about /tmp this is just what's available for /tmp but could be shared with your RAM needs.

kp
Re: [Leaf-devel] lrp partition size...
On Wed, Jul 03, 2002 at 07:40:45PM +0200, K.-P. Kirchdörfer wrote:

On Wednesday 03 July 2002 19:26, George Georgalis wrote:

Just subscribed to this list... but I have been browsing the archives. I'm working on an lrp image, and I clearly don't have the partitioning down right.

# df -h
Filesystem      Size      Used Available Use% Mounted on
/dev/root       6.0M      3.4M      2.6M  57% /
tmpfs          30.7M         0     30.7M   0% /tmp
tmpfs           2.0M      2.0M         0 100% /var/log

What's wrong?

mountpoints / and /var/log can be changed in /linuxrc. To add partitions modify /etc/fstab. Don't worry about /tmp this is just what's available for /tmp but could be shared with your RAM needs.

Thanks, I'm sure /linuxrc will solve my problem. I ran a loop that filled the partition with wtmp entries, actually is wtmp necessary at all?

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george
Re: [Leaf-devel] lrp partition size...
On Wed, Jul 03, 2002 at 07:40:45PM +0200, K.-P. Kirchdörfer wrote:

On Wednesday 03 July 2002 19:26, George Georgalis wrote:

Just subscribed to this list... but I have been browsing the archives. I'm working on an lrp image, and I clearly don't have the partitioning down right.

# df -h
Filesystem      Size      Used Available Use% Mounted on
/dev/root       6.0M      3.4M      2.6M  57% /
tmpfs          30.7M         0     30.7M   0% /tmp
tmpfs           2.0M      2.0M         0 100% /var/log

What's wrong?

mountpoints / and /var/log can be changed in /linuxrc. To add partitions modify /etc/fstab. Don't worry about /tmp this is just what's available for /tmp but could be shared with your RAM needs.

Where is /linuxrc stored? I normally edit the *.lrp files, but I can't find it in root.lrp or etc.lrp?

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george
Re: [Leaf-devel] lrp partition size...
On Wed, 3 Jul 2002, George Georgalis wrote:

On Wed, Jul 03, 2002 at 07:40:45PM +0200, K.-P. Kirchdörfer wrote:

On Wednesday 03 July 2002 19:26, George Georgalis wrote:

Just subscribed to this list... but I have been browsing the archives. I'm working on an lrp image, and I clearly don't have the partitioning down right.

# df -h
Filesystem      Size      Used Available Use% Mounted on
/dev/root       6.0M      3.4M      2.6M  57% /
tmpfs          30.7M         0     30.7M   0% /tmp
tmpfs           2.0M      2.0M         0 100% /var/log

What's wrong?

mountpoints / and /var/log can be changed in /linuxrc. To add partitions modify /etc/fstab. Don't worry about /tmp this is just what's available for /tmp but could be shared with your RAM needs.

Where is /linuxrc stored? I normally edit the *.lrp files, but I can't find it in root.lrp or etc.lrp?

Bering is a little bit different than the other LEAF variants, in that it splits the initrd capability from the root filesystem capability in a more linux-standard fashion. Edit /linuxrc and backup initrd.lrp, which is not a compressed tar like all the other lrp files.

---
Jeff Newmiller                        The     .       .      Go Live...
DCN:[EMAIL PROTECTED]                 Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---
[Leaf-devel] DHCP Client TTL Too Small (ATT Broadband)
I recompiled dhclient (dhcp-2.0pl5) with ip.ip_tos=0 and ip.ip_ttl=128 on a Debian Slink with a 2.2.19 kernel upgrade and a few sym links problems in /usr/include fixed before it will compile and function without the send_packet errors on a LRP 2.2.19 kernel built. Please try it, download the hacked version of dhcpc.lrp from my web site http://pigtail.net/LRP/hd/lrpfile.html I'll also upload the dhcpc.lrp to the leaf site in the Tracker-Patches section. Nicholas Fong [EMAIL PROTECTED]
[Leaf-devel] [ leaf-Patches-577274 ] dhcpc.lrp with TTL=128
Patches item #577274, was opened at 2002-07-03 21:25
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=313751&aid=577274&group_id=13751

Category: packages
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nicholas Fong (nfong)
Assigned to: Nobody/Anonymous (nobody)
Summary: dhcpc.lrp with TTL=128

Initial Comment:
recompiled dhclient (dhcp-2.0pl5 from www.isc.org) with ip.ip_tos=0 and ip.ip_ttl=128 on a Debian Slink with a 2.2.19 kernel upgraded and a few sym links problems in /usr/include fixed before it will compile and function without the send_packet errors on a LRP 2.2.19 kernel built.

http://pigtail.net/LRP/hd/lrpfile.html

Recent changes in ATT Broadband causes some users to lose connections because of the 16 hops limit of the original dhclient, their DHCP server is 16 hops. If you are in that category and your kernel is 2.2.19, this hacked dhclient should work now.

Nicholas Fong
Re: [Leaf-devel] OpenSSH security
Interesting observations in the logs. When the SSH zlib problem came up, I had lots of port 22 entries in the logs for awhile. Until Monday I had not been nmapped port scanned in a long long time. It appears like the hackers like to use class C range scans on one port. I have two dachstein firewalls on @cox network. I see the same ip addresses hitting on port, say, 21 about one hour and a half apart from each other. Both firewalls use the same time server to keep the clocks maintained.

When the privilege escalation OpenSSH problem was announced there were no new 22 port scans noted. In fact I had 11 port scans for port 21 over two days on July 1 and 2. That was out of 16 logged. July 3 is a pre-holiday day and the Deny messages are light. I finally have 4 port 22 denies, and 2 port 21 deny out of 8 denies logged.

Greg Morgan