public inbox for gentoo-server@lists.gentoo.org
* [gentoo-server] Virtual ssh users
@ 2005-09-06  0:09 Yogesh Sharma
  2005-09-06  0:15 ` Jeremy Brake
  2005-09-06  0:26 ` Ben Munat
  0 siblings, 2 replies; 18+ messages in thread
From: Yogesh Sharma @ 2005-09-06  0:09 UTC (permalink / raw
  To: gentoo-server

Hi,

Can someone point me to documentation for creating chrooted virtual ssh
only users.

Thanks
YS

-- 
gentoo-server@gentoo.org mailing list




* Re: [gentoo-server] Virtual ssh users
  2005-09-06  0:09 [gentoo-server] Virtual ssh users Yogesh Sharma
@ 2005-09-06  0:15 ` Jeremy Brake
  2005-09-06  0:26 ` Ben Munat
  1 sibling, 0 replies; 18+ messages in thread
From: Jeremy Brake @ 2005-09-06  0:15 UTC (permalink / raw
  To: gentoo-server

Me too please. :)

Yogesh Sharma wrote:

>Hi,
>
>Can someone point me to documentation for creating chrooted virtual ssh
>only users.
>
>Thanks
>YS
>
>  
>


* Re: [gentoo-server] Virtual ssh users
  2005-09-06  0:09 [gentoo-server] Virtual ssh users Yogesh Sharma
  2005-09-06  0:15 ` Jeremy Brake
@ 2005-09-06  0:26 ` Ben Munat
  2005-09-06  6:08   ` ysharma
  1 sibling, 1 reply; 18+ messages in thread
From: Ben Munat @ 2005-09-06  0:26 UTC (permalink / raw
  To: gentoo-server

This is in portage and I've used it a bit... pretty straightforward.

http://www.jmcresearch.com/projects/jail/

Just remember that *everything* needed by the user has to be in the jail... if you use any 
executable (apache, php, mysql, etc.) outside the jail, it is no longer secure.

b


Yogesh Sharma wrote:
> Hi,
> 
> Can someone point me to documentation for creating chrooted virtual ssh
> only users.
> 
> Thanks
> YS
> 

* Re: [gentoo-server] Virtual ssh users
  2005-09-06  0:26 ` Ben Munat
@ 2005-09-06  6:08   ` ysharma
  2005-09-06 16:41     ` Ben Munat
  0 siblings, 1 reply; 18+ messages in thread
From: ysharma @ 2005-09-06  6:08 UTC (permalink / raw
  To: gentoo-server

Hi,

I am trying to addjailuser with following syntax

addjailuser /home/chroot/jail /home/testys /bin/bash testys

and I am getting error:

addjailuser
A component of Jail (version 1.9 for linux)
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas <assman@gsyc.inf.uc3m.es>

Adding user testys in chrooted environment /home/chroot/jail
        Error: Can't add the user.
Done.

I already created jail env and added sw also

Any idea ?

Thanks
YS

> This is in portage and I've used it a bit... pretty straightforward.
>
> http://www.jmcresearch.com/projects/jail/
>
> Just remember that *everything* needed by the user has to be in the
> jail... if you use any
> executable (apache, php, mysql, etc.) outside the jail, it is no longer
> secure.
>
> b
>
>
> Yogesh Sharma wrote:
>> Hi,
>>
>> Can someone point me to documentation for creating chrooted virtual ssh
>> only users.
>>
>> Thanks
>> YS
>>
> --
> gentoo-server@gentoo.org mailing list
>
>



* Re: [gentoo-server] Virtual ssh users
  2005-09-06  6:08   ` ysharma
@ 2005-09-06 16:41     ` Ben Munat
  2005-09-06 21:53       ` [gentoo-server] prioritising security updates Jeremy Brake
  2005-09-08 14:43       ` [gentoo-server] Virtual ssh users A. Khattri
  0 siblings, 2 replies; 18+ messages in thread
From: Ben Munat @ 2005-09-06 16:41 UTC (permalink / raw
  To: gentoo-server

Hmm, I haven't messed with jail in a while... Well, did you add the jailed user to the 
regular system with useradd? In other words, there are two steps to adding a jailed user: 
add the user to the regular system with useradd and a shell of /usr/bin/jail and then add 
the user to jail with addjailuser and a shell of /bin/bash. Oh, and the /usr/bin/jail 
shell needs to be in /etc/shells.

If that doesn't help, look around on the jail website and try the mailing list.

good luck,

Ben



ysharma@catprosystems.com wrote:
> Hi,
> 
> I am trying to addjailuser with following syntax
> 
> addjailuser /home/chroot/jail /home/testys /bin/bash testys
> 
> and I am getting error:
> 
> addjailuser
> A component of Jail (version 1.9 for linux)
> http://www.gsyc.inf.uc3m.es/~assman/jail/
> Juan M. Casillas <assman@gsyc.inf.uc3m.es>
> 
> Adding user testys in chrooted environment /home/chroot/jail
>         Error: Can't add the user.
> Done.
> 
> I already created jail env and added sw also
> 
> Any idea ?
> 
> Thanks
> YS
> 
> 
>>This is in portage and I've used it a bit... pretty straightforward.
>>
>>http://www.jmcresearch.com/projects/jail/
>>
>>Just remember that *everything* needed by the user has to be in the
>>jail... if you use any
>>executable (apache, php, mysql, etc.) outside the jail, it is no longer
>>secure.
>>
>>b
>>
>>
>>Yogesh Sharma wrote:
>>
>>>Hi,
>>>
>>>Can someone point me to documentation for creating chrooted virtual ssh
>>>only users.
>>>
>>>Thanks
>>>YS
>>>
>>
>>--
>>gentoo-server@gentoo.org mailing list
>>
>>
> 
> 
> 
-- 
gentoo-server@gentoo.org mailing list
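
A pre-flight check for the two host-side prerequisites named in the message above, as an added example that is not part of the Jail project or of any post: the account must exist with /usr/bin/jail as its login shell, and /usr/bin/jail must be listed in /etc/shells. The function name, its file-path arguments and the sample entries are assumptions, constructed so the check can run on test input.

```shell
#!/bin/sh
# Added example (not from the thread or the Jail project).
# jail_prereqs USER [PASSWD_FILE] [SHELLS_FILE] [JAIL_SHELL]
# Prints one line per unmet prerequisite; returns 0 only if both are met.
jail_prereqs() {
    jp_user=$1
    jp_passwd=${2:-/etc/passwd}
    jp_shells=${3:-/etc/shells}
    jp_jail=${4:-/usr/bin/jail}
    jp_rc=0

    # Prerequisite 1: a regular system account whose login shell (field 7)
    # is the jail wrapper. The "shell=" prefix tells "no account" apart
    # from "account with an empty shell field".
    jp_entry=$(awk -F: -v u="$jp_user" '$1 == u { print "shell=" $7; exit }' "$jp_passwd")
    case $jp_entry in
        "")
            echo "$jp_user: no system account (create it with useradd first)"
            jp_rc=1 ;;
        "shell=$jp_jail")
            ;;
        *)
            echo "$jp_user: login shell is '${jp_entry#shell=}', expected $jp_jail"
            jp_rc=1 ;;
    esac

    # Prerequisite 2: the wrapper is listed in the shells file as an exact,
    # uncommented entry.
    if ! awk -v s="$jp_jail" '$1 == s { ok = 1 } END { exit !ok }' "$jp_shells"; then
        echo "$jp_jail is not listed in $jp_shells"
        jp_rc=1
    fi
    return "$jp_rc"
}

# Demo on constructed passwd and shells files.
jail_demo() {
    jd_dir=$(mktemp -d) || return 1
    printf '%s\n' 'testys:x:1001:1001::/home/chroot/jail:/usr/bin/jail' \
                  'plain:x:1002:1002::/home/plain:/bin/bash' > "$jd_dir/passwd"
    printf '%s\n' '# constructed shells file' '/bin/bash' '/usr/bin/jail' > "$jd_dir/shells"
    printf '%s\n' '/bin/bash' '#/usr/bin/jail' > "$jd_dir/shells_commented"
    jail_prereqs testys "$jd_dir/passwd" "$jd_dir/shells" && echo "testys: ready for addjailuser"
    jail_prereqs plain  "$jd_dir/passwd" "$jd_dir/shells_commented" || echo "plain: not ready"
    jail_prereqs ghost  "$jd_dir/passwd" "$jd_dir/shells" || echo "ghost: not ready"
    rm -rf "$jd_dir"
}
jail_demo
```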




* [gentoo-server] prioritising security updates
  2005-09-06 16:41     ` Ben Munat
@ 2005-09-06 21:53       ` Jeremy Brake
  2005-09-06 22:14         ` Paul Kölle
                           ` (3 more replies)
  2005-09-08 14:43       ` [gentoo-server] Virtual ssh users A. Khattri
  1 sibling, 4 replies; 18+ messages in thread
From: Jeremy Brake @ 2005-09-06 21:53 UTC (permalink / raw
  To: gentoo-server

Hey,

Is there anything in Portage which will allow me to view security
updates, separate from general version updates?
At the moment I have a 5am cron job which runs "emerge --sync && emerge
-upvD world", and I just glance at it as soon as I sit down at my PC
for the day.
The problem here is that I can't tell if updates (e.g., at the moment it
wants to update openssh and apache2) are security patches, or just
general version upgrades.

I know I can use "system" instead of "world" and omit the -D option, but
that's not targeting my issue exactly. Is there a way to see which
updates are security patches, without having to manually trawl through
webpages and changelogs?

Jeremy

* Re: [gentoo-server] prioritising security updates
  2005-09-06 21:53       ` [gentoo-server] prioritising security updates Jeremy Brake
@ 2005-09-06 22:14         ` Paul Kölle
  2005-09-07  6:12         ` Michael Irey
                           ` (2 subsequent siblings)
  3 siblings, 0 replies; 18+ messages in thread
From: Paul Kölle @ 2005-09-06 22:14 UTC (permalink / raw
  To: gentoo-server

Jeremy Brake wrote:
> Hey,
> 
> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?

emerge gentoolkit && glsa-check -l all

hth
 Paul

* Re: [gentoo-server] prioritising security updates
  2005-09-06 21:53       ` [gentoo-server] prioritising security updates Jeremy Brake
  2005-09-06 22:14         ` Paul Kölle
@ 2005-09-07  6:12         ` Michael Irey
  2005-09-07  6:48           ` W.Kenworthy
  2005-09-07 12:21         ` xyon
  2005-09-08 14:39         ` A. Khattri
  3 siblings, 1 reply; 18+ messages in thread
From: Michael Irey @ 2005-09-07  6:12 UTC (permalink / raw
  To: gentoo-server

To make it easy I have added these 2 lines to my crontab:

10 2 * * * /usr/bin/emerge --sync 2> /dev/null > /root/tmp/daily-emerge-sync.txt
50 2 * * * /usr/bin/glsa-check -ln 2> /dev/null | grep ' \[N\]'

Then every morning I get an email if there are packages with vulnerabilities.

I can decide manually the priority.  Because I don't want apache updating
itself in the middle of the night... I do it manually, from my emailed list.


On Tuesday 06 September 2005 02:53 pm, Jeremy Brake wrote:
> Hey,
>
> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?
> At the moment I have a 5am cron job which runs "emerge --sync && emerge
> -upvD world", and I just glance at it as soon as I sit down at my PC
> for the day.
> The problem here is that I can't tell if updates (e.g., at the moment it
> wants to update openssh and apache2) are security patches, or just
> general version upgrades.
>
> I know I can use "system" instead of "world" and omit the -D option, but
> that's not targeting my issue exactly. Is there a way to see which
> updates are security patches, without having to manually trawl through
> webpages and changelogs?
>
> Jeremy

* Re: [gentoo-server] prioritising security updates
  2005-09-07  6:12         ` Michael Irey
@ 2005-09-07  6:48           ` W.Kenworthy
  2005-09-07 15:28             ` Matthias Bethke
  0 siblings, 1 reply; 18+ messages in thread
From: W.Kenworthy @ 2005-09-07  6:48 UTC (permalink / raw
  To: gentoo-server

or to reduce bandwidth try this as the crontab command:

rsync --recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 rsync://rsync.gentoo.org/gentoo-portage/metadata/glsa/* /usr/portage/metadata/glsa/ ;glsa-check -n -l|grep "\[N"

This syncs only the glsa metadata, and the cron email also shows updates
that it has synced, but do not apply to your system.  However, when you
do a glsa -f package to apply the fix, you must first "emerge sync" to
update the full tree.  As glsa's that affect my systems are few and far
between, there's quite a bandwidth saving.

e.g.,

___________________
...
 
MOTD brought to you by motd-o-matic, version 0.3

receiving file list ... done
glsa-200509-03.xml
timestamp.chk

Number of files: 539
Number of files transferred: 2
Total file size: 1406439 bytes
Total transferred file size: 2153 bytes
Literal data: 2153 bytes
Matched data: 0 bytes
File list size: 8682
Total bytes written: 199
Total bytes read: 11353

wrote 199 bytes  read 11353 bytes  2100.36 bytes/sec
total size is 1406439  speedup is 121.75
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.

[N] indicates that the system might be affected.


___________________
In the above case, a new glsa (glsa-200509-03) has been issued, but it
doesn't apply.  On my todo list is to filter and summarize so all I get
is what's new, and what applies to me!

BillK


On Tue, 2005-09-06 at 23:12 -0700, Michael Irey wrote:
> To make it easy I have added these 2 lines to my crontab:
>
> 10 2 * * * /usr/bin/emerge --sync 2> /dev/null > /root/tmp/daily-emerge-sync.txt
> 50 2 * * * /usr/bin/glsa-check -ln 2> /dev/null | grep ' \[N\]'
>
> Then every morning I get an email if there are packages with vulnerabilities.
>
> I can decide manually the priority.  Because I don't want apache updating
> itself in the middle of the night... I do it manually, from my emailed list.
> 
> 
> On Tuesday 06 September 2005 02:53 pm, Jeremy Brake wrote:
> > Hey,
> >
> > Is there anything in Portage which will allow me to view security
> > updates, separate from general version updates?
> > At the moment I have a 5am cron job which runs "emerge --sync && emerge
> > -upvD world", and I just glance at it as soon as I sit down at my PC
> > for the day.
> > The problem here is that I can't tell if updates (e.g., at the moment it
> > wants to update openssh and apache2) are security patches, or just
> > general version upgrades.
> >
> > I know I can use "system" instead of "world" and omit the -D option, but
> > that's not targeting my issue exactly. Is there a way to see which
> > updates are security patches, without having to manually trawl through
> > webpages and changelogs?
> >
> > Jeremy

* Re: [gentoo-server] prioritising security updates
  2005-09-06 21:53       ` [gentoo-server] prioritising security updates Jeremy Brake
  2005-09-06 22:14         ` Paul Kölle
  2005-09-07  6:12         ` Michael Irey
@ 2005-09-07 12:21         ` xyon
  2005-09-08 14:39         ` A. Khattri
  3 siblings, 0 replies; 18+ messages in thread
From: xyon @ 2005-09-07 12:21 UTC (permalink / raw
  To: gentoo-server

I have a 'quick n dirty' script cron'd up that at the top lets me know
the security updates, below lets me know the version updates, and below
that displays the changelog of packages available for update:

-----------------------------------------------------------------------------

#!/bin/sh

emerge --sync

# Build the report in a private temporary file created by mktemp rather
# than a fixed name under /tmp, since this runs as root from cron.
report=$(mktemp) || exit 1

echo '***************************' > "$report"
echo '        System Updates     ' >> "$report"
echo '***************************' >> "$report"
echo ' ' >> "$report"
echo ' ' >> "$report"
echo 'Critical Updates:' >> "$report"
# GLSAs marked [N]; drop the legend line and everything up to the status field.
glsa-check -l 2>/dev/null | grep '\[N\]' | grep -v 'indicates that' | cut -d ']' -f2 >> "$report"
echo ' ' >> "$report"
echo ' ' >> "$report"
echo ' ' >> "$report"
echo 'Non-Critical Updates:' >> "$report"
emerge -up world >> "$report"
echo ' ' >> "$report"
echo ' ' >> "$report"
echo ' ' >> "$report"
echo 'Changelogs:' >> "$report"
emerge -upl world >> "$report"
echo ' ' >> "$report"
echo ' ' >> "$report"
echo ' ' >> "$report"

mutt -s 'Server Updates' -i "$report" -x myuser@mydomain.com

rm -f "$report"

-----------------------------------------------------------------------


It actually comes out to a nicely formatted email. :)

HTH!

On Wed, 2005-09-07 at 09:53 +1200, Jeremy Brake wrote:
> Hey,
> 
> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?
> At the moment I have a 5am cron job which runs "emerge --sync && emerge
> -upvD world", and I just glance at it as soon as I sit down at my PC
> for the day.
> The problem here is that I can't tell if updates (e.g., at the moment it
> wants to update openssh and apache2) are security patches, or just
> general version upgrades.
>
> I know I can use "system" instead of "world" and omit the -D option, but
> that's not targeting my issue exactly. Is there a way to see which
> updates are security patches, without having to manually trawl through
> webpages and changelogs?
> 
> Jeremy

-- 
gentoo-server@gentoo.org mailing list
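
A filter for the cron reports discussed in this part of the thread, as an added example that is not code from any poster: it keeps only advisories marked [N], remembers the ids it has already reported, and prints nothing when there is nothing new, so cron sends no mail. The advisory line layout `<id> [N] <title> ( <package> )`, the state-file path and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed advisory line layout:
#   <id> [N] <title> ( <category/package> )

# Constructed sample standing in for `glsa-check -l 2>/dev/null`.
sample_glsa_list() {
    cat <<'EOF'
[N] indicates that the system might be affected.

299901-01 [U] Constructed advisory one ( app-misc/example-a )
299901-02 [N] Constructed advisory two ( net-misc/example-b )
299901-03 [N] Constructed advisory three ( www-servers/example-c )
EOF
}

# stdin: glsa-check listing. stdout: advisories whose status is [N].
# Requiring an id in field 1 drops the "[N] indicates ..." legend line.
glsa_affecting() {
    awk '$1 ~ /^[0-9]+-[0-9]+$/ && $2 == "[N]"'
}

# stdin: advisory lines. $1: state file of ids already reported.
# stdout: lines whose id is not in the state file; those ids are then recorded.
glsa_new() {
    gn_state=$1
    [ -f "$gn_state" ] || : > "$gn_state"
    gn_fresh=$(awk -v state="$gn_state" '
        BEGIN { while ((getline id < state) > 0) seen[id] = 1 }
        !($1 in seen)')
    [ -n "$gn_fresh" ] || return 0
    printf '%s\n' "$gn_fresh" | awk '{ print $1 }' >> "$gn_state"
    printf '%s\n' "$gn_fresh"
}

# Full report on stdout; empty output when nothing is new, so cron stays quiet.
glsa_report() {
    gr_new=$(glsa_affecting | glsa_new "$1") || return 1
    [ -n "$gr_new" ] || return 0
    echo "New GLSAs that may affect this host:"
    printf '%s\n' "$gr_new"
}

# Demo on the constructed sample. From cron (hypothetical state path):
#   glsa-check -l 2>/dev/null | glsa_report /var/lib/glsa-report/seen
glsa_demo() {
    gd_dir=$(mktemp -d) || return 1
    sample_glsa_list | glsa_report "$gd_dir/seen"   # first run: two advisories
    sample_glsa_list | glsa_report "$gd_dir/seen"   # second run: nothing new
    rm -rf "$gd_dir"
}
glsa_demo
```

The state file should live in a directory only root can write, since the job runs as root.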




* Re: [gentoo-server] prioritising security updates
  2005-09-07  6:48           ` W.Kenworthy
@ 2005-09-07 15:28             ` Matthias Bethke
  2005-09-07 22:56               ` William Kenworthy
  0 siblings, 1 reply; 18+ messages in thread
From: Matthias Bethke @ 2005-09-07 15:28 UTC (permalink / raw
  To: gentoo-server

Hi W.Kenworthy,
on Wednesday, 2005-09-07 at 14:48:08, you wrote:
> or to reduce bandwidth try this as the crontab command:
> 
> rsync --recursive --links --safe-links --perms --times --compress
                                                         ^^^^^^^^^^
IIRC you're not supposed to do this as it generates too much load on the
gentoo mirrors. Might depend on the individual server's policy but I
think that's the general rule.

regards
	Matthias
-- 
I prefer encrypted and signed messages.       KeyID: 90CF8389
Fingerprint: 8E 1F 10 81 A4 66 29 46  B9 8A B9 E2 09 9F 3B 91


* Re: [gentoo-server] prioritising security updates
  2005-09-07 15:28             ` Matthias Bethke
@ 2005-09-07 22:56               ` William Kenworthy
  2005-09-08 12:19                 ` Matthias Bethke
  0 siblings, 1 reply; 18+ messages in thread
From: William Kenworthy @ 2005-09-07 22:56 UTC (permalink / raw
  To: gentoo-server

rattus src # grep -n compress `which emerge`
2425:                   "--compress",     # Compress the data transmitted
rattus src #

It's in the arguments passed to rsync in the emerge script which is where
I got it from.  If emerge uses it ...

BillK


On Wed, 2005-09-07 at 17:28 +0200, Matthias Bethke wrote:
> Hi W.Kenworthy,
> on Wednesday, 2005-09-07 at 14:48:08, you wrote:
> > or to reduce bandwidth try this as the crontab command:
> > 
> > rsync --recursive --links --safe-links --perms --times --compress
>                                                          ^^^^^^^^^^
> IIRC you're not supposed to do this as it generates too much load on the
> gentoo mirrors. Might depend on the individual server's policy but I
> think that's the general rule.
> 
> regards
> 	Matthias
-- 
William Kenworthy <billk@iinet.net.au>
Home!

* Re: [gentoo-server] prioritising security updates
  2005-09-07 22:56               ` William Kenworthy
@ 2005-09-08 12:19                 ` Matthias Bethke
  0 siblings, 0 replies; 18+ messages in thread
From: Matthias Bethke @ 2005-09-08 12:19 UTC (permalink / raw
  To: gentoo-server

Hi William,
on Thursday, 2005-09-08 at 06:56:59, you wrote:
> It's in the arguments passed to rsync in the emerge script which is where
> I got it from.  If emerge uses it ...

Uh...yeah :) You got me to check the rsync-mirror HOWTO again, and
you're right, it only applies to the rsync1.us.gentoo.org server.

regards
	Matthias
-- 
I prefer encrypted and signed messages.       KeyID: 90CF8389
Fingerprint: 8E 1F 10 81 A4 66 29 46  B9 8A B9 E2 09 9F 3B 91


* Re: [gentoo-server] prioritising security updates
  2005-09-06 21:53       ` [gentoo-server] prioritising security updates Jeremy Brake
                           ` (2 preceding siblings ...)
  2005-09-07 12:21         ` xyon
@ 2005-09-08 14:39         ` A. Khattri
  3 siblings, 0 replies; 18+ messages in thread
From: A. Khattri @ 2005-09-08 14:39 UTC (permalink / raw
  To: gentoo-server

On Wed, 7 Sep 2005, Jeremy Brake wrote:

> Is there anything in Portage which will allow me to view security
> updates, separate from general version updates?
> At the moment I have a 5am cron job which runs "emerge --sync && emerge
> -upvD world", and I just glance at it as soon as I sit down at my PC
> for the day.
> The problem here is that I can't tell if updates (e.g., at the moment it
> wants to update openssh and apache2) are security patches, or just
> general version upgrades.

Do a Google for "Gentoo glcu" - it's a script that does all the updates and
security checks for you. I have it run from cron on all my servers.



* Re: [gentoo-server] Virtual ssh users
  2005-09-06 16:41     ` Ben Munat
  2005-09-06 21:53       ` [gentoo-server] prioritising security updates Jeremy Brake
@ 2005-09-08 14:43       ` A. Khattri
  1 sibling, 0 replies; 18+ messages in thread
From: A. Khattri @ 2005-09-08 14:43 UTC (permalink / raw
  To: gentoo-server

On Tue, 6 Sep 2005, Ben Munat wrote:

> Hmm, I haven't messed with jail in a while... Well, did you add the jailed user to the
> regular system with useradd? In other words, there are two steps to adding a jailed user:
> add the user to the regular system with useradd and a shell of /usr/bin/jail and then add
> the user to jail with addjailuser and a shell of /bin/bash. Oh, and the /usr/bin/jail
> shell needs to be in /etc/shells.

Incidentally, you can use libnss-mysql to avoid having to create an actual
system account if you need "true" virtual users.



* Re: [gentoo-server] Virtual ssh users
@ 2005-09-09  4:53 Yogesh Sharma
  2005-09-09  9:12 ` Paul Kölle
  0 siblings, 1 reply; 18+ messages in thread
From: Yogesh Sharma @ 2005-09-09  4:53 UTC (permalink / raw
  To: gentoo-server

On 07:43 A. Khattri wrote:
> Incidentally, you can use libnss-mysql to avoid having to create an
> actual
> system account if you need "true" virtual users.


Any link to documentation or example for implementing libnss-mysql based
virtual users ?
Database schema, user name, config file etc.



* Re: [gentoo-server] Virtual ssh users
  2005-09-09  4:53 Yogesh Sharma
@ 2005-09-09  9:12 ` Paul Kölle
  2005-09-21 16:28   ` A. Khattri
  0 siblings, 1 reply; 18+ messages in thread
From: Paul Kölle @ 2005-09-09  9:12 UTC (permalink / raw
  To: gentoo-server

Yogesh Sharma wrote:
> On 07:43 A. Khattri wrote:
> 
>>Incidentally, you can use libnss-mysql to avoid having to create an
>>actual
>>system account if you need "true" virtual users.
> 
> 
> 
> Any link to documentation or example for implementing libnss-mysql based
> virtual users ?
> Database schema, user name, config file etc.
> 
It's pretty straightforward. libnss-mysql configuration file takes a SQL
query for each get*() call, so there are no constraints for the db
schema. Examples are in /usr/share/doc after installing the package.
What I haven't figured out yet: Calls to NSS are made in the context of
the user running e.g. "id", so if you use a socket connection to mysql
you need to allow *every* user to read from the socket. I haven't
investigated the implications in terms of security yet.

cheers
 Paul

* Re: [gentoo-server] Virtual ssh users
  2005-09-09  9:12 ` Paul Kölle
@ 2005-09-21 16:28   ` A. Khattri
  0 siblings, 0 replies; 18+ messages in thread
From: A. Khattri @ 2005-09-21 16:28 UTC (permalink / raw
  To: gentoo-server

On Fri, 9 Sep 2005, Paul Kölle wrote:

> It's pretty straightforward. libnss-mysql configuration file takes a SQL
> query for each get*() call, so there are no constraints for the db
> schema. Examples are in /usr/share/doc after installing the package.
> What I haven't figured out yet: Calls to NSS are made in the context of
> the user running e.g. "id", so if you use a socket connection to mysql
> you need to allow *every* user to read from the socket. I haven't
> investigated the implications in terms of security yet.

If you look at the MySQL privileges for the libnss-mysql user (as set in
/etc/libnss-mysql.cfg) you will see that only SELECT priv is granted for
that user. (Granted, that might be a problem too ;-)

