Re: [Leaf-devel] Weblet Enhancements

2002-07-03 Thread Jon Clausen

Hi,

I may be missing something in this, so do CMIIW, but;

On Tue, Jul 02, 2002 at 09:18:31AM -0500, Charles Steinkuehler wrote:
> > > there is a *=* case which resets the parameter list in sh-httpd, it
> > > disables constructs like
> > >
> > > foo=bar&baz=foo
> > >
> > > I guess parameters without a value would pass fine
> >
> > Thanks for the detail...I'll see if I can remember why this was
> > specifically added when reviewing the code (hopefully sometime in the
> > near future).
>
> OK, I dug out my CGI references, and what I have indicates the command
> line arguments should only be parsed and provided to scripts if the GET
> or HEAD request does *NOT* contain an unencoded equals sign, which is
> why the arguments are cleared if there's an equal sign present.

Knowing nothing at all about any of these issues, I went ahead and built
the form for setting times etc. on my blinder-thingie using how-to's and
a couple of similar pages as a template.
This is on the weblet that comes with bering 1.0rc2. It's GET, plain and
simple, it works nicely, and the sort of string that is passed to my
script by weblet in $QUERY_STRING is:

SelDAY=1&SUNUP=0630&SUNRISE=30&SUNDOWN=2230&SUNSET=1&ONOFF=1

Just to be sure, I went and checked the script that parses this, and it
does indeed look for the '='s (and the '?'s) in order to break it up.

I looked at sh-httpd, and I see the place in do-cgi() where it checks
for '*=*', but either:

There's something I don't understand, or
It doesn't work as intended... (?)

I just thought I should mention this, in case someone is about to go
over sh-httpd, and passing multiple arguments in this fashion is a
no-no...

> My understanding is cgi scripts receiving data like the above example
> via a GET or HEAD request are supposed to refer to the QUERY_STRING
> variable, which should be properly exported by sh-httpd.

- or maybe this explains it? 

In any case, FWIW I agree that authentication, however nice it would
be, can't compete with tunneling through ssh... 0.02 currency

Regards,
Jon


---
This sf.net email is sponsored by:ThinkGeek
No, I will not fix your computer.
http://thinkgeek.com/sf

___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel



Re: [Leaf-devel] sh-httpd weblet web-config

2002-07-03 Thread Erich Titl

Lynn

At 04:11 03.07.2002, you wrote:
> On Tuesday 02 July 2002 08:33, Charles Steinkuehler wrote:
>
> > First, a point of order.  In my view of the world, there are two
> > major issues currently being discussed:
> <snip>
> > I think it would probably help prevent confusion if mods to the web
> > server itself refer to sh-httpd, while issues related to making
> > html/cgi code to monitor or configure the system use the weblet
> > moniker.
>
> Agreed, I attempted to clarify this earlier. I considered anything with
> configuration a separate entity, but if Weblet is modularized the
> argument is moot.
>
>
> ...
> I don't have a huge amount of time myself, but I can work on the
> core integration with the present Release(s) configuration to a
> script-based one. In honesty, I really haven't gone through much
> of the present CGI/Weblet scripts yet. If I can catch up with Richard's
> changes, I'll be happy to help in any manner there as well.
> It appears that I was working in a reverse order to everyone else... ;-)

I believe most of the stuff Richard has done is accessing the existing
information and reorganizing the config files. This will make it easier to
do the actual config stuff. I am concentrating (with what little time I
have left) right now on the weblet stuff, e.g. being able to present the
parameters to the cgi script in a standardised way. I am still looking for
a working patch to my sh-httpd (0.4.1, from DCD 1.02). I have not been able
to apply the one Peter mailed, it probably got mangled by the mail client
on the way, so if anyone has a patched sh-httpd 0.4.1 or later, would you
mind sharing it with me :-)

My suggestion is to present the parameters from the HTTP form in
environment variables of the same name prefixed with something you can set
in weblet.conf, e.g.

in GET format
./whatever.cgi?foo=bar&baz=baf

${prefix}${foo} will have a value of bar
${prefix}${baz} will have a value of baf

Ideas, critics...

thanks

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16






Re: [Leaf-devel] OpenSSH security

2002-07-03 Thread Michael D. Schleif


Nathan Angelacos wrote:
>
> > I'm curious about /etc/group modification?
> >
> > I've upgraded two (2) potato's and two (2) woody's.  Yes, there is a
> > new user in passwd/shadow; but, I do not have any new group for
> > sshd.
> >
> > Yes, I have seen the instructions for installing manually; but, I
> > cannot find a reason for the special group.
> >
> > What do you think?
>
> Good question.  I wondered the same thing, figured 'cause Theo said
> so.. and dismissed it.  But after you asked, I checked the source...
> :-)
>
> sshd.c in privsep_preauth_child does a setgid() from the sshd's
> primary group (in passwd) when setting up the chroot jail.  The
> manual instructions make sure that the uid:gid is sshd:sshd.
> So I guess 'cause Theo said so works. :-)
>
> I'm curious though, on your debian systems, what is the gid for the
> sshd user?  The sshd.c source seems to indicate that sshd will fail
> if the group doesn't exist.

OK, here is the debian position:

[a] # grep ssh /etc/passwd
/etc/passwd:sshd:x:103:65534::/home/sshd:/bin/false

[b] # grep 65534 /etc/group
nogroup:x:65534:

[c] According to the openssh sshd.8 manpage:

   /var/empty
chroot(2) directory used by sshd during privilege separation in
the pre-authentication phase.  The directory should not contain
any files and must be owned by root and not group or world-
writable.

[d] debian changed this at compile time to: /var/run/sshd

[e] So, there is *NO* requirement for group sshd.

[f] There is a requirement for an existing directory to which to chroot
-- the default is /var/empty.

Therefore, in my ssh v3.4p1 distribution for LEAF, I am adding the sshd
user and using the debian nogroup group.  Regardless of which way you go, an
*empty* /var/empty directory *MUST* exist!

hth

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
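
A preflight check for the conditions Michael and Nathan pin down above (a root-owned, empty, not group- or world-writable chroot directory, and an sshd account whose primary gid resolves to a real group, since sshd calls setgid() to it), as an added example that is not OpenSSH or LEAF package code; the names check_privsep_dir and check_privsep_user are mine, and the script assumes GNU stat and getent as found on Debian.

```shell
#!/bin/sh
# Preflight for OpenSSH privilege separation (added example, not OpenSSH's
# or the LEAF package's code). Verifies the sshd.8 requirements on the
# chroot directory and that the sshd account's primary group exists.

# check_privsep_dir DIR [OWNER_UID]: 0 only if DIR exists, is owned by
# OWNER_UID (default 0 = root), is not group/world-writable and is empty.
check_privsep_dir() {
    dir=$1 want=${2:-0}
    [ -d "$dir" ] || { echo "$dir: missing (sshd's chroot target)" >&2; return 1; }
    uid=$(stat -c %u "$dir") perm=$(stat -c %a "$dir")   # GNU stat, as on Debian
    [ "$uid" = "$want" ] || { echo "$dir: owned by uid $uid, expected $want" >&2; return 1; }
    grp=${perm%?}; grp=${grp#"${grp%?}"}   # second-to-last octal digit: group bits
    oth=${perm#"${perm%?}"}                 # last octal digit: other bits
    case $grp$oth in
        *[2367]*) echo "$dir: mode $perm is group- or world-writable" >&2; return 1 ;;
    esac
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: must be empty" >&2; return 1; }
    return 0
}

# check_privsep_user NAME: the account must exist and its primary gid must
# name an existing group (Debian's nogroup/65534 is fine; a dangling gid is
# what makes sshd fail, per the sshd.c reading above).
check_privsep_user() {
    ent=$(getent passwd "$1") || { echo "$1: no such user" >&2; return 1; }
    gid=$(printf '%s' "$ent" | cut -d: -f4)
    getent group "$gid" >/dev/null || { echo "$1: primary gid $gid has no group" >&2; return 1; }
    return 0
}

# Run against the live configuration when given the chroot path, e.g.
#   ./privsep-check /var/run/sshd   (Debian)   or   ./privsep-check /var/empty
if [ $# -gt 0 ]; then
    check_privsep_dir "$1" && check_privsep_user sshd && echo "privsep preconditions OK"
fi
```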





Re: [Leaf-devel] Weblet Enhancements

2002-07-03 Thread Charles Steinkuehler

> My understanding is cgi scripts receiving data like the above example
> via a GET or HEAD request are supposed to refer to the QUERY_STRING
> variable, which should be properly exported by sh-httpd.
>
> - or maybe this explains it?
>
> It does indeed, one can use QUERY_STRING instead of $1
>
> I believe the easiest way (for the user) is to implement all the variables
> in sh-httpd so it will provide
> your parameters as
>
> ${SelDAY}
> ${SUNUP}
> ...
>
> this is quite easy to do in sh-httpd, I will start with it as soon as I get
> the patched version for POST.

If this is how apache, and other web servers work, I have no problem
with making sh-httpd follow suit.  I think, however, that the behavior
you describe is not part of the normal CGI interface, so any scripts
depending on the above functionality will only work on sh-httpd, and
would not work on something like thttpd, apache, boa, &c...

NOTE:  Parsing of the QUERY_STRING for form data can be easily done by a
few shell routines in a cgi.include file (or similar)...it doesn't have
to be done by the web-server for convenience.

Should we maybe troll the leaf-user list for someone with extensive
web/cgi design experience?  I don't have anything that indicates form
data should be pre-processed by the web-server and provided as command
line arguments, but I'm a cgi neophyte.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-devel] Weblet Enhancements

2002-07-03 Thread Erich Titl

Hi Charles

At 16:36 03.07.2002, you wrote:
> > My understanding is cgi scripts receiving data like the above example
> > via a GET or HEAD request are supposed to refer to the QUERY_STRING
> > variable, which should be properly exported by sh-httpd.
> >
> > - or maybe this explains it?
> >
> > It does indeed, one can use QUERY_STRING instead of $1
> >
> > I believe the easiest way (for the user) is to implement all the variables
> > in sh-httpd so it will provide
> > your parameters as
> >
> > ${SelDAY}
> > ${SUNUP}
> > ...
> >
> > this is quite easy to do in sh-httpd, I will start with it as soon as I get
> > the patched version for POST.
>
> If this is how apache, and other web servers work, I have no problem
> with making sh-httpd follow suit.  I think, however, that the behavior
> you describe is not part of the normal CGI interface, so any scripts
> depending on the above functionality will only work on sh-httpd, and
> would not work on something like thttpd, apache, boa, &c...

The CGI source http://hoohoo.ncsa.uiuc.edu/cgi/ you mentioned yesterday is
the actual reference. There is no other format defined but as you find in
the examples section there are libraries ready to provide access to the
parameters. Actually it's been quite a while since I coded CGI's in shell.
Perl for example has a multitude of CGI interfaces available which take the
burden out of decoding the CGI stream.

> NOTE:  Parsing of the QUERY_STRING for form data can be easily done by a
> few shell routines in a cgi.include file (or similar)...it doesn't have
> to be done by the web-server for convenience.

Correct, but it would be a very central location and easy to maintain.

> Should we maybe troll the leaf-user list for someone with extensive
> web/cgi design experience?  I don't have anything that indicates form
> data should be pre-processed by the web-server and provided as command
> line arguments, but I'm a cgi neophyte.

Sounds sensible

take care

Erich


THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16
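
Erich's prefixed-variable scheme (${prefix}name, with the prefix set in weblet.conf, from his earlier message) and Charles's suggestion of a few shell routines in a cgi.include file come to the same thing: a helper the CGI script sources. The block below is an added example of such a helper in POSIX sh, not sh-httpd or weblet code; CGI_PREFIX, cgi_parse_query and url_decode are names I made up. It reads QUERY_STRING rather than $1, which also sidesteps the *=* argument-clearing rule Charles found in his CGI references, and it refuses an empty prefix and non-identifier field names so that a request can never overwrite a variable such as PATH or IFS that the script itself relies on.

```shell
#!/bin/sh
# cgi.include-style helpers (added example, not sh-httpd/weblet code).
# Sets ${prefix}${field} for every field in a QUERY_STRING; CGI_PREFIX is
# an assumed weblet.conf knob. Helper variables are globals (POSIX sh).

# url_decode STRING: '+' -> space, %XX -> byte; a malformed %-escape is kept
# literally. (%00 cannot be stored in a shell variable.)
url_decode() {
    s=$1 out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}              # pop the first character
        case $c in
            +) out="$out " ;;
            %) hex=${s%"${s#??}"}
               case $hex in
                   [0-9A-Fa-f][0-9A-Fa-f])
                       s=${s#??}
                       oct=$(printf '%03o' "$((0x$hex))")
                       ch=$(printf '%b' "\\0${oct}x"); ch=${ch%x}   # x keeps a trailing newline
                       out="$out$ch" ;;
                   *) out="$out%" ;;
               esac ;;
            *) out="$out$c" ;;
        esac
    done
    printf '%s' "$out"
}

# cgi_parse_query QUERY PREFIX: sets ${PREFIX}${name} for each well-formed
# pair and CGI_COUNT to the number accepted. The prefix must be non-empty so
# a field called PATH, IFS or HOME lands in PREFIX_PATH etc. and never
# clobbers the script's own variables; names are limited to identifier
# characters (that is what keeps the eval safe) and values are single-quoted
# so eval never interprets them. Trailing newlines in values are dropped.
cgi_parse_query() {
    q=$1 prefix=$2 CGI_COUNT=0
    case $prefix in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "cgi_parse_query: bad prefix '$prefix'" >&2; return 1 ;;
    esac
    while [ -n "$q" ]; do
        pair=${q%%"&"*}
        case $q in *"&"*) q=${q#*"&"} ;; *) q='' ;; esac
        [ -n "$pair" ] || continue
        name=$(url_decode "${pair%%=*}")
        case $pair in *=*) value=$(url_decode "${pair#*=}") ;; *) value='' ;; esac
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "cgi_parse_query: rejecting field name '$name'" >&2; continue ;;
        esac
        esc=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
        eval "$prefix$name='$esc'"
        CGI_COUNT=$((CGI_COUNT + 1))
    done
    return 0
}

# Usage from a CGI script that sourced this file: QUERY_STRING comes from
# the web server, CGI_PREFIX from weblet.conf (default FORM_ assumed here).
if [ -n "${QUERY_STRING:-}" ]; then
    cgi_parse_query "$QUERY_STRING" "${CGI_PREFIX:-FORM_}" &&
        set | grep "^${CGI_PREFIX:-FORM_}"     # list what was set
fi
```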






[Leaf-devel] Introducing myself

2002-07-03 Thread Luigi Capriotti

Hi all,

my name is Luigi Capriotti, and I've been using LEAF-based routers (all
varieties) for more than one year.
Recently I've become more and more interested in LEAF development and
begun to create packages myself.
I've a working virtual environment, in which I've recently upgraded the
openssh packages (to 3.4p1) and squid (to 2.4S6).
I've been silently following the list for a while, but since I'm
experimenting more and more with LEAF development I'm taking the
opportunity to introduce myself to the members of this list, and link my
pico-site with my Bering-based cd-rom with the two aforementioned packages:

http://web.tiscali.it/l_capriotti/
or the Italian mirror:
http://khazad-dum.orson.it/~usergroup/lc_firewall/ (possibly faster)

Looking forward to contributing to the list.

Cheers,

Luigi







[Leaf-devel] lrp partition size...

2002-07-03 Thread George Georgalis

Just subscribed to this list... but I have been browsing the archives.

I'm working on an lrp image, and I clearly don't have the partitioning
down right.

# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 6.0M      3.4M      2.6M  57% /
tmpfs                    30.7M         0     30.7M   0% /tmp
tmpfs                     2.0M      2.0M         0 100% /var/log

How does one go about changing them? This is a Bering distro.

Also I noticed the new ssh looks like it can be compiled without zlib,
saving ~24k.  Anyone more experienced putting that together?

// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george






Re: [Leaf-devel] lrp partition size...

2002-07-03 Thread K.-P. Kirchdörfer

Am Mittwoch 03 Juli 2002 19:26 schrieb George Georgalis:
> Just subscribed to this list... but I have been browsing the archives.
>
> I'm working on an lrp image, and I clearly don't have the partitioning
> down right.
>
> # df -h
> Filesystem                Size      Used Available Use% Mounted on
> /dev/root                 6.0M      3.4M      2.6M  57% /
> tmpfs                    30.7M         0     30.7M   0% /tmp
> tmpfs                     2.0M      2.0M         0 100% /var/log

What's wrong?

mountpoints / and /var/log can be changed in /linuxrc.

To add partitions modify /etc/fstab.

Don't worry about /tmp; this is just what's available for /tmp, but it could be
shared with your RAM needs.

kp  





Re: [Leaf-devel] lrp partition size...

2002-07-03 Thread George Georgalis

On Wed, Jul 03, 2002 at 07:40:45PM +0200, K.-P. Kirchdörfer wrote:
> Am Mittwoch 03 Juli 2002 19:26 schrieb George Georgalis:
> > Just subscribed to this list... but I have been browsing the archives.
> >
> > I'm working on an lrp image, and I clearly don't have the partitioning
> > down right.
> >
> > # df -h
> > Filesystem                Size      Used Available Use% Mounted on
> > /dev/root                 6.0M      3.4M      2.6M  57% /
> > tmpfs                    30.7M         0     30.7M   0% /tmp
> > tmpfs                     2.0M      2.0M         0 100% /var/log
>
> What's wrong?
>
> mountpoints / and /var/log can be changed in /linuxrc.
>
> To add partitions modify /etc/fstab.
>
> Don't worry about /tmp; this is just what's available for /tmp, but it could be
> shared with your RAM needs.

Thanks, I'm sure /linuxrc will solve my problem.

I ran a loop that filled the partition with wtmp entries; actually, is
wtmp necessary at all?

// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george






Re: [Leaf-devel] lrp partition size...

2002-07-03 Thread George Georgalis

On Wed, Jul 03, 2002 at 07:40:45PM +0200, K.-P. Kirchdörfer wrote:
> Am Mittwoch 03 Juli 2002 19:26 schrieb George Georgalis:
> > Just subscribed to this list... but I have been browsing the archives.
> >
> > I'm working on an lrp image, and I clearly don't have the partitioning
> > down right.
> >
> > # df -h
> > Filesystem                Size      Used Available Use% Mounted on
> > /dev/root                 6.0M      3.4M      2.6M  57% /
> > tmpfs                    30.7M         0     30.7M   0% /tmp
> > tmpfs                     2.0M      2.0M         0 100% /var/log
>
> What's wrong?
>
> mountpoints / and /var/log can be changed in /linuxrc.
>
> To add partitions modify /etc/fstab.
>
> Don't worry about /tmp; this is just what's available for /tmp, but it could be
> shared with your RAM needs.


Where is /linuxrc stored? I normally edit the *.lrp files, but I can't
find it in root.lrp or etc.lrp?

// George


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george






Re: [Leaf-devel] lrp partition size...

2002-07-03 Thread Jeff Newmiller

On Wed, 3 Jul 2002, George Georgalis wrote:

> On Wed, Jul 03, 2002 at 07:40:45PM +0200, K.-P. Kirchdörfer wrote:
> > Am Mittwoch 03 Juli 2002 19:26 schrieb George Georgalis:
> > > Just subscribed to this list... but I have been browsing the archives.
> > >
> > > I'm working on an lrp image, and I clearly don't have the partitioning
> > > down right.
> > >
> > > # df -h
> > > Filesystem                Size      Used Available Use% Mounted on
> > > /dev/root                 6.0M      3.4M      2.6M  57% /
> > > tmpfs                    30.7M         0     30.7M   0% /tmp
> > > tmpfs                     2.0M      2.0M         0 100% /var/log
> >
> > What's wrong?
> >
> > mountpoints / and /var/log can be changed in /linuxrc.
> >
> > To add partitions modify /etc/fstab.
> >
> > Don't worry about /tmp; this is just what's available for /tmp, but it could be
> > shared with your RAM needs.
>
>
> Where is /linuxrc stored? I normally edit the *.lrp files, but I can't
> find it in root.lrp or etc.lrp?

Bering is a little bit different than the other LEAF variants, in that it
splits the initrd capability from the root filesystem capability in a more
linux-standard fashion.  Edit /linuxrc and backup initrd.lrp, which is not
a compressed tar like all the other lrp files.

---
Jeff NewmillerThe .   .  Go Live...
DCN:[EMAIL PROTECTED]Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---






[Leaf-devel] DHCP Client TTL Too Small (ATT Broadband)

2002-07-03 Thread Nicholas Fong

I recompiled dhclient (dhcp-2.0pl5) with ip.ip_tos=0 and ip.ip_ttl=128
on a Debian Slink with a 2.2.19 kernel upgrade, with a few symlink
problems in /usr/include fixed before it would compile and function
without the send_packet errors on an LRP 2.2.19 kernel build.

Please try it, download the hacked version of dhcpc.lrp from my web site
http://pigtail.net/LRP/hd/lrpfile.html

I'll also upload the dhcpc.lrp to the leaf site in the Tracker-Patches
section.

Nicholas Fong
[EMAIL PROTECTED]







[Leaf-devel] [ leaf-Patches-577274 ] dhcpc.lrp with TTL=128

2002-07-03 Thread noreply

Patches item #577274, was opened at 2002-07-03 21:25
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=313751&aid=577274&group_id=13751

Category: packages
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nicholas Fong (nfong)
Assigned to: Nobody/Anonymous (nobody)
Summary: dhcpc.lrp with TTL=128

Initial Comment:
recompiled dhclient (dhcp-2.0pl5 from www.isc.org) with
ip.ip_tos=0 and ip.ip_ttl=128 on a Debian Slink with a
2.2.19 kernel upgrade, with a few symlink problems in
/usr/include fixed before it would compile and function
without the send_packet errors on an LRP 2.2.19 kernel
build.

http://pigtail.net/LRP/hd/lrpfile.html

Recent changes in ATT Broadband cause some users to
lose connections because of the 16 hops limit of the
original dhclient; their DHCP server is > 16 hops.
If you are in that category and your kernel is 2.2.19,
this hacked dhclient should work now.

Nicholas Fong



--

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=313751&aid=577274&group_id=13751





Re: [Leaf-devel] OpenSSH security

2002-07-03 Thread Greg Morgan

Interesting observations in the logs.

When the SSH zlib problem came up, I had lots of port 22 entries in the
logs for a while.

Until Monday I had not been nmap port-scanned in a long, long time.  It
appears that the hackers like to use class C range scans on one port.  I
have two dachstein firewalls on the @cox network.  I see the same IP
addresses hitting on port, say, 21 about an hour and a half apart from
each other. Both firewalls use the same time server to keep the clocks
maintained.

When the privilege escalation OpenSSH problem was announced there were
no new port 22 scans noted.  In fact I had 11 port scans for port 21
over two days on July 1 and 2.  That was out of 16 logged.  July 3 is a
pre-holiday day and the Deny messages are light. I finally have 4 port
22 denies, and 2 port 21 denies out of 8 denies logged.

Greg Morgan

