Linux-Development-Sys Digest #454, Volume #8 Tue, 30 Jan 01 17:13:13 EST
Contents:
Re: can Linux be secure? (Kasper Dupont)
Linux device driver (kernel module) written in C++ (az0te)
Re: Linux device driver (kernel module) written in C++ (Kaz Kylheku)
Re: Linux device driver (kernel module) written in C++ (Johan Kullstam)
Re: can Linux be secure? ([EMAIL PROTECTED])
tcp overhead measurement! ([EMAIL PROTECTED])
Help req in linux app dev ( network mon ) ([EMAIL PROTECTED])
What's wrong with my lilo.conf? (jtnews)
coredumped patch for 2.4 kernel needed (Alexander)
Re: can Linux be secure? ([EMAIL PROTECTED])
Re: Help req in linux app dev ( network mon ) (George Houpis)
Re: Help req in linux app dev ( network mon ) (Kasper Dupont)
Re: can Linux be secure? ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: Kasper Dupont <[EMAIL PROTECTED]>
Subject: Re: can Linux be secure?
Date: Tue, 30 Jan 2001 17:20:02 +0100
Toby Haynes wrote:
>
> Administration of the system once LIDS is in place is done with the lidsadm
> tool, which you should keep on a removable medium separate from the server
> during normal operation. (i.e. stick it on a floppy and only mount it when you
> need to rotate the logs, for example).
>
If a cracker did get root access he would
probably be able to get thoose tools from
the net. What does it help to keep them
on a floppy?
--
Kasper Dupont
------------------------------
From: az0te <[EMAIL PROTECTED]>
Subject: Linux device driver (kernel module) written in C++
Date: Mon, 29 Jan 2001 15:05:12 +0200
Reply-To: [EMAIL PROTECTED]
Hi,
Is this possible to write device driver or kennel module using C++? I
digged all the Sourceforge and many other resources but didn't find
any driver/kernel module written in C++. I'll very appreciate if
someone will provide me with answer or link to exsisting project.
Thanks,
az0te
------------------------------
From: [EMAIL PROTECTED] (Kaz Kylheku)
Subject: Re: Linux device driver (kernel module) written in C++
Reply-To: [EMAIL PROTECTED]
Date: Tue, 30 Jan 2001 18:22:27 GMT
On Mon, 29 Jan 2001 15:05:12 +0200, az0te <[EMAIL PROTECTED]> wrote:
>Hi,
>
>Is this possible to write device driver or kennel module using C++? I
Yes. However there are a few obstacles:
- Kernel header files using C++ keywords for types, struct members and
so on. This problem can be overcome by making a header file that
uses macros to rename the C++ keywords ``out of the way'', and
another header file that #undef's these macros. Include the first
header, then the kernel headers you need, and then the second header.
- There is missing C++ run time support in the kernel. Basically this
means that you cannot use exception handling, and will have to write
your own global operator new (whether or not you use it; g++ emits
some references operator new in code generated for class constructors).
- There is no support for global construction. So you should avoid
defining static class objects, or any declarations with non-trivial
initializers.
- The code for initialzing a block scope static class object is not
thread safe in g++. That is, if you write:
{
static myclass x;
}
the code that g++ emits is something like
{
static myclass x;
static bool __hidden_flag;
if (__hidden_flag == false) {
/* call x's constructor */
__hidden_flag = true;
}
}
If you do anything like this from multiple processors, or from an
interrupt, that could cause trouble.
------------------------------
Subject: Re: Linux device driver (kernel module) written in C++
From: Johan Kullstam <[EMAIL PROTECTED]>
Date: 30 Jan 2001 13:38:41 -0500
az0te <[EMAIL PROTECTED]> writes:
> Hi,
>
> Is this possible to write device driver or kennel module using C++?
in theory, yes, but in practice, no. C++ requires a fairly extensive
run-time environment which the kernel is not prepared to provide.
many names in the kernel conflict with C++ reserved words. linus does
not seem amenable to changing the kernel to allow/support C++.
people always suggest C++ but no one ever puts in enough
infrastructure into the kernel and restricts themselves from using
fancy features to make it work. don't ask someone else to do it for
you. if *you* really want C++ so badly, then *you* must do the work.
no one else wants it enough to bother.
> I digged all the Sourceforge and many other resources but didn't
> find any driver/kernel module written in C++. I'll very appreciate
> if someone will provide me with answer or link to exsisting project.
ok. the answer is no.
--
J o h a n K u l l s t a m
[[EMAIL PROTECTED]]
sysengr
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: can Linux be secure?
Date: 30 Jan 2001 18:35:51 GMT
Erik de Castro Lopo <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
>>
>> Note that the question is "can", not "is". Also note that I did
>> say "Linux" and not a distribution such as "Redhat", "SuSE", or
>> "Debian".
> Of course it can. The problem is that all of the major deistribution
> install everything by default.
This is no longer true. For example RH 7 in a "workstation"
configuration does not install various servers by default and even
if it does (an "Update" will update exisiting servers) then chances
are that they have 'disabled = yes' in a configuration file in
/etc/xinetd.d/ .
I already seen complaints in a style "This was a breeze in the past
and now they require that I am aware of what I am doing. That is
too difficult and not user-friendly." It is really hard to win that
game. :-)
Michal
------------------------------
From: [EMAIL PROTECTED]
Subject: tcp overhead measurement!
Date: Tue, 30 Jan 2001 19:33:05 GMT
Hi all!
I am interested in measuring the tcp overhead in linux operating system.
i dont know whether there is a benchmark for that or not... most of the
benchmarks i came across was for the network performance. or can anybody
help me out with links to go thru regarding this.
thank u all.
regards,
dxdxk
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED]
Subject: Help req in linux app dev ( network mon )
Date: Tue, 30 Jan 2001 19:31:28 GMT
hello ,
my name is hemen kapadia.
i am making a remote system monitoring and control application in linux.
Using this application a network admin. will be able to control any
linux box connected to the
network.
I am planing to create it in the following way in C language :
There will be a client part of the application ( only one with the
network admin. )
There will be various servers ( present on each and every box that is to
be administered )
The client is given the ip address of the linux box to be monitored and
the server part of the
application is running on the linux box.
once the connection is established it want to get the list of processes
on that box and if required
to shut down any one process on the remote system.
It should also have the option of shutting down the server completly.
* IF THERE IS ANY PROBLEM WITH THE DESIGN OF THE APPLICATION THEN PLEAS
E
SUGGEST THEM . ALSO I WANT TO KNOW WHETHER THIS IS POSSIBLE OR NOT. *
Also i want to include some security features in the application ;
i will ask for the root password form the user starting the client which
will be compared with the
root password of the system .
* I WANT TO KNOW HOW TO DO THIS .
IF YOU CAN GIVE SOME ROUTINE IN C IT WOULD BE HELPFUL. *
I also want to know if there is any way to execute commands like
"reboot" etc.
from a c program .
Also how to get a list of running processes of a system form a c
program.
It would be better if you could reply personally at :-->
[EMAIL PROTECTED]
Thanks.
Sent via Deja.com
http://www.deja.com/
------------------------------
Date: Tue, 30 Jan 2001 14:52:19 -0500
From: jtnews <[EMAIL PROTECTED]>
Subject: What's wrong with my lilo.conf?
I don't know what the "Fatal" error
message means. What's wrong with
my lilo.conf?
# cat /mnt/floppy/etc/lilo.conf
boot=/dev/fd0
root=/dev/hda1
timeout=100
message=/boot/message
prompt
image=/vmlinuz-2.2.16-22
label=linux
# lilo -r /mnt/floppy
Fatal: Not a number: "/dev/hda1"
------------------------------
From: Alexander <[EMAIL PROTECTED]>
Subject: coredumped patch for 2.4 kernel needed
Date: Tue, 30 Jan 2001 23:27:10 +0300
Hi, everybody!
Does anyone have a patch for the kerne 2.4 wich makes the kernel divide the
core file for each thread.
If you do, please e-mail me the URL or the patch itself.
Thanks in advance.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: can Linux be secure?
Date: Tue, 30 Jan 2001 21:03:59 -0000
On Tue, 30 Jan 2001 11:40:48 GMT Erik de Castro Lopo <[EMAIL PROTECTED]> wrote:
| The kernel has had a very small number of local exploits over the
| last few years. (I don't know of any remote exploits.) These have
| been found and fixed in a matter of hours. Its simply a matter of
| you, the administrator, applying the fixes if and when they are
| found.
How would you rank the kernel in terms of remote exploits with others
like FreeBSD, OpenBSD, and Solaris?
| You need to make a value judgement about what it is you are protecting.
| If its the server for a small business web page your approach is
| overkill. If you are trying to protect tens of thousands of credit
| card numbers then there is a better way. Machines with stroed credit
| card numbers should no be connected to the public internet.
Let's say that it is the firewall that protects the LAN which can
reach the LAN where the credit card numbers are stored ... and a
disgruntled ex-employee knows the topology.
| One way to protect against the script kiddies to to run Linux on
| a non-x86 computer. The scripts always come out with stack smashing
| code for x86 before its written for other architectures. By runnng
| Linux on PPC, Sparc or Alpha you give yourself just a little more
| time to secure your system.
This is true. I've experienced this myself when I was testing out an
old used Sun Sparc 5/70 I picked up by running Redhat 5.2 fairly wide
open. But this does increase costs, too, so if I can fnd a way with
Intelish architecture, I'd prefer that.
| All that aside, if you do the standard Debian and OpenBSD installs on
| two identical machine you will get one machine thats ready to run as a
| workstation or server on a secure LAN (but not the internet) and one
| machine that has almost nothing on it and is safe to connect to the
| public internet.
...
| You therefore start at different points. On Debian you have to disable
| things and turn off options until you get a safe and useful machine.
| With OpenBSD you start with a safe machine and add things until
| you get a useful one.
| This is due to the aims of the two projects being so different. The
| aim of the Debian project is to create a well debugged system,
| with a complete set of software to do just about anything. The aim
| of the OpenBSD project is to create the most secure out-of-the-box
| system on the planet.
I'm not interested in comparing distributions as my intent is to make
my own "distribution" which will be quite stripped down to the bare
essentials. What I am looking for is kernel specific. Apparently
the OpenBSD kernel is as well audited as the userland programs added
to it in the default install. But what about an auditing of the
Linux kernel (assuming I'm not running some "riskier" things like
khttpd)? Libraries will probably also be the next issue.
--
=================================================================
| Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ |
| [EMAIL PROTECTED] | Texas, USA | http://phil.ipal.org/ |
=================================================================
------------------------------
From: George Houpis <[EMAIL PROTECTED]>
Subject: Re: Help req in linux app dev ( network mon )
Date: Tue, 30 Jan 2001 15:10:48 -0600
[EMAIL PROTECTED] wrote:
> hello ,
> my name is hemen kapadia.
>
> i am making a remote system monitoring and control application in linux.
>
> Using this application a network admin. will be able to control any
> linux box connected to the
> network.
>
> I am planing to create it in the following way in C language :
>
> There will be a client part of the application ( only one with the
> network admin. )
> There will be various servers ( present on each and every box that is to
>
> be administered )
>
> The client is given the ip address of the linux box to be monitored and
> the server part of the
> application is running on the linux box.
>
> once the connection is established it want to get the list of processes
> on that box and if required
> to shut down any one process on the remote system.
> It should also have the option of shutting down the server completly.
This is possible (ps, top and shutdown are the console commands) by
redirecting output to
the given socket connection. Having the server program run with high
priviliage may dangerous.
If you have a password protection, the password may be sniffed on the
network, and hence a
security risk. You may want the encryption at the client end. RPC is
notorious for security issues.
>
> * IF THERE IS ANY PROBLEM WITH THE DESIGN OF THE APPLICATION THEN PLEAS
> E
> SUGGEST THEM . ALSO I WANT TO KNOW WHETHER THIS IS POSSIBLE OR NOT. *
>
> Also i want to include some security features in the application ;
>
> i will ask for the root password form the user starting the client which
You might be able to simplify this by allowing only root execution
priviliages. This
still would not eliminate the security risk on the server ends though.
>
>
> will be compared with the
> root password of the system .
>
> * I WANT TO KNOW HOW TO DO THIS .
> IF YOU CAN GIVE SOME ROUTINE IN C IT WOULD BE HELPFUL. *
>
> I also want to know if there is any way to execute commands like
> "reboot" etc.
> from a c program .
> Also how to get a list of running processes of a system form a c
> program.
For killing a process the Linux kill program is a fancy wrapper to kill
syscall.
kill( pid, SIGTERM); /* This is the graceful shutdown request. */
kill -9 on the command line is:
kill( pid, SIGKILL); /* Kill with exetreme prejudice. */
For reboot:
Learn the C system calls for program execution: exec?? group of functions.
(vfork before the exec call otherwise your server program is replaced with
the executed
program which is probably not what you want.)
The program you want to exec is shutdown (you choice on options.)
So you will have to have something like:
if( (pid = vfork()) == -1)
/* Error forking. */;
else if( pid)
waitpid( pid); /* Parent. */
else
execl( "/sbin/shutdown", "-g", "0", "-i", "6", "-y", NULL);
/* Child. */
Or if you dont care if there is a failure (which I think is less robust)
then just
do the execl directly.
>
>
> It would be better if you could reply personally at :-->
> [EMAIL PROTECTED]
>
> Thanks.
>
> Sent via Deja.com
> http://www.deja.com/
I am confident that there are programs out there than can do similiar or
completely the
same operations. If not, let me know how your progress goes... I am
curious how it can
work with other platforms as well.
George Houpis
[EMAIL PROTECTED]
------------------------------
From: Kasper Dupont <[EMAIL PROTECTED]>
Subject: Re: Help req in linux app dev ( network mon )
Date: Tue, 30 Jan 2001 22:58:15 +0100
This is a multi-part message in MIME format.
==============446B794B15FB
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
[EMAIL PROTECTED] wrote:
>
> hello ,
> my name is hemen kapadia.
>
> i am making a remote system monitoring and control application in linux.
>
> Using this application a network admin. will be able to control any
> linux box connected to the
> network.
>
> I am planing to create it in the following way in C language :
>
> There will be a client part of the application ( only one with the
> network admin. )
> There will be various servers ( present on each and every box that is to
>
> be administered )
>
> The client is given the ip address of the linux box to be monitored and
> the server part of the
> application is running on the linux box.
>
> once the connection is established it want to get the list of processes
> on that box and if required
> to shut down any one process on the remote system.
> It should also have the option of shutting down the server completly.
>
> * IF THERE IS ANY PROBLEM WITH THE DESIGN OF THE APPLICATION THEN PLEAS
> E
> SUGGEST THEM . ALSO I WANT TO KNOW WHETHER THIS IS POSSIBLE OR NOT. *
There is no major problems with the design.
I suggest you allow both IP addresses and
names, it is easy to do. I have attached a
small program using gethostbyname.
>
> Also i want to include some security features in the application ;
For security you need to use encryption and
authentication on the communication channel.
If you don't want to write that from scratch
I suggest you build it on top of either ssh
or ssl.
Ssl is a library that just allow a server
and a client to establish a secure
connection.
Ssh is a secure alternative to rlogin, rsh
and rcmd. If you choose to use ssh, your
program connects to an ssh server and send
commands to the shell. You can choose to
write a special helper program so you only
have to send one shell command.
>
> i will ask for the root password form the user starting the client which
>
> will be compared with the
> root password of the system .
>
> * I WANT TO KNOW HOW TO DO THIS .
> IF YOU CAN GIVE SOME ROUTINE IN C IT WOULD BE HELPFUL. *
If you build on top of ssh, you don't need
to do that. Ssh will prompt your program for
a password if needed. You just have to
forward that prompt to the user.
Otherwise you have to do it in the server
program. I think the right way to do it is
to use pam, but I don't know much about pam.
You could also just start su and see if it
would accept the password.
>
> I also want to know if there is any way to execute commands like
> "reboot" etc.
> from a c program .
> Also how to get a list of running processes of a system form a c
> program.
You can use the system() function, eg
system("shutdown -h now"); System is a
wrapper around execve.
But in your case I suggest you learn how
to use execve or one of the other wrappers:
execl, execv, execle, execlp, execvp.
It would also be a help to know how to use
pipe() and fork(). I will find an example
that uses pipe(), fork() and execv(), it
is not currently available online.
>
> It would be better if you could reply personally at :-->
> [EMAIL PROTECTED]
>
> Thanks.
>
> Sent via Deja.com
> http://www.deja.com/
--
Kasper Dupont
==============446B794B15FB
Content-Type: text/plain; charset=us-ascii; name="miniget.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="miniget.c"
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#define WIDTH 80
int main(int argc, char ** argv)
{
struct hostent * host;
char buf[4096];
host = gethostbyname("127.0.0.1");
while (*++argv)
if (**argv == '/') {
struct sockaddr_in hostaddr;
int sockfd,filefd,count,size=0,slen;
hostaddr.sin_family = AF_INET;
hostaddr.sin_port = htons(80);
hostaddr.sin_addr.s_addr = *(unsigned long int *)(host->h_addr);
sockfd=socket(PF_INET,SOCK_STREAM,0);
connect(sockfd,&hostaddr,sizeof(hostaddr));
sprintf(buf,"GET %s\n",*argv);
write(sockfd,buf,strlen(buf));
sprintf(buf,"http://%s%s ",host->h_name,*argv);
write(1,buf,slen=strlen(buf));
filefd=open(strrchr(*argv,'/')+1,O_WRONLY|O_CREAT|O_TRUNC,0777);
while ((count=read(sockfd,buf,4096))>0) size+=write(filefd,buf,count);
close(filefd);
close(sockfd);
memset(buf,'.',WIDTH);
sprintf(buf+WIDTH," %d\n",size);
size=(((slen+strlen(buf)-(2+WIDTH))%WIDTH)+2);
write(1,buf+size,strlen(buf)-size);
} else {
host = gethostbyname(*argv);
}
return 0;
}
==============446B794B15FB==
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: can Linux be secure?
Date: Tue, 30 Jan 2001 22:04:29 -0000
On 30 Jan 2001 10:03:14 -0500 Toby Haynes <[EMAIL PROTECTED]> wrote:
| If you are worried about exploits which attain root status and/or fiddle the
| kernel by trick-loading kernel modules, then I suggest you take a look at
| LIDS. http://www.lids.org/ details most of what you need to know. As a brief
| (and incomplete) summary:
There will be no users on the machine. Local exploits are not an
issue. I guess I neglected to mention this. Sorry.
| - Harden your system utilities by making them immutable and then removing the
| ability to remove the immutable flag (stops trojanned utilities).
| - Lock your log files so they can only be appended to, not editted (stops
| rootkits covering their tracks)
| - Harden the kernel so that after the boot sequence completes, no more kernel
| modules can be inserted to compromise the system.
|
| Administration of the system once LIDS is in place is done with the lidsadm
| tool, which you should keep on a removable medium separate from the server
| during normal operation. (i.e. stick it on a floppy and only mount it when you
| need to rotate the logs, for example).
Well, I guess this is ruled out since the machines will be in remote
locations requiring most administration be done via remote SSH access.
| There are also libraries to harden the stack against buffer overflow attacks,
| which will make life a lot harder for the average cracker.
In the kernel?
--
=================================================================
| Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ |
| [EMAIL PROTECTED] | Texas, USA | http://phil.ipal.org/ |
=================================================================
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to the
comp.os.linux.development.system newsgroup.
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Development-System Digest
******************************
