Re: [SLUG] My system can't find Java tools
G'day Andrew, Yeah, I think I can probably see it. In your /etc/bashrc you have a line near the bottom: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/share/pvm3/. If I'm right, thats your prob. Change to PATH=$PATH:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/share/pvm3/ In my previous response I was going to mention that if PATH was being clobbered, the culprit might be identifiable from your existing PATH ie the pvm3. It seems to bear this out. And don't forget to clobber the person that put that line in :D Cheers, Daniel. On 29/09/06, Andrew Dunkin [EMAIL PROTECTED] wrote: Daniel, Thanks. Still no success, but here is the latest. # HERE IS MY ORIGINAL .bash_profile # # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi # User specific environment and startup programs PATH=$PATH:$HOME/bin export PATH unset USERNAME # # # I THEN EDITED .bash_profile AS FOLLOWS, LOGGED OUT IN; # # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi # User specific environment and startup programs PATH=$PATH:$HOME/bin export PATH unset USERNAME export PATH=$PATH:/usr/java/j2sdk1.4.2_07/bin/ ## THIS DID NOT WORK. JAVA COMMANDS NOT FOUND. ## ## ## SO I EDITED IT AS FOLLOWS, LOGGED OUT IN; # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi # User specific environment and startup programs PATH=$PATH:$HOME/bin export PATH=$PATH:/usr/java/j2sdk1.4.2_07/bin/ unset USERNAME ## THIS DID NOT WORK. JAVA COMMANDS NOT FOUND. # ## I THEN EDITED IT AS FOLLOWS, LOGGED OUT IN; # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi # User specific environment and startup programs PATH=$PATH:$HOME/bin:/usr/java/j2sdk1.4.2_07/bin/ export PATH unset USERNAME ## THIS DID NOT WORK EITHER. JAVA COMMANDS NOT FOUND. # # Below are my original files; /home/user/.bash_profile /home/user/.bashrc /etc/bashrc /etc/profile Can you see anywhere where the PATH is being reset in any of these? I am not quite sure how to interpret the contents of these files. Can you think of any other edits that may work? # # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi # User specific environment and startup programs PATH=$PATH:$HOME/bin export PATH unset USERNAME # # .bashrc # User specific aliases and functions # Source global definitions if [ -f /etc/bashrc ]; then . /etc/bashrc fi ### # # /etc/bashrc # System wide functions and aliases # Environment stuff goes in /etc/profile # by default, we want this to get set. # Even for non-interactive, non-login shells. if [ `id -gn` = `id -un` -a `id -u` -gt 99 ]; then umask 002 else umask 022 fi # are we an interactive shell? if [ $PS1 ]; then case $TERM in xterm*) PROMPT_COMMAND='echo -ne \033]0;[EMAIL PROTECTED]: ${PWD}\007' ;; *) ;; esac [ $PS1 = \\s-\\v\\\$ ] PS1=[EMAIL PROTECTED] \W]\\$ if [ -z $loginsh ]; then # We're not a login shell for i in /etc/profile.d/*.sh; do if [ -x $i ]; then . $i fi done fi fi unset loginsh # PVM environement export PVM_RSH=/usr/bin/rsh export PVM_ROOT=/usr/share/pvm3 export PVMD_NOHOLD=ON export PVM_TMP=/var/run/pvm3 export XPVM_ROOT=/usr/X11R6/lib/xpvm/ export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/share/pvm3/ ## # # /etc/profile -*- Mode: shell-script -*- # (c) MandrakeSoft, Chmouel Boudjnah [EMAIL PROTECTED] loginsh=1 # Users generally won't see annoyng core files [ $UID = 0 ] ulimit -S -c 100 /dev/null 21 if ! echo ${PATH} |grep -q /usr/X11R6/bin ; then PATH=$PATH:/usr/X11R6/bin fi if [ $UID -ge 500 ] ! echo ${PATH} |grep -q /usr/games ; then export PATH=$PATH:/usr/games fi umask 022 USER=`id -un` LOGNAME=$USER MAIL=/var/spool/mail/$USER HISTCONTROL=ignoredups HOSTNAME=`/bin/hostname` HISTSIZE=1000 if [ -z $INPUTRC -a ! -f $HOME/.inputrc ]; then INPUTRC=/etc/inputrc fi # some old programs still use it (eg: man), and it is also # required for level1 compliance for LI18NUX2000
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 8:40 am, Erik de Castro Lopo wrote: On Thu, 28 Sep 2006 08:33:47 +1000 (EST) Voytek Eymont [EMAIL PROTECTED] wrote: No. it won't. You need to run this in a chroot jail or a User Mode Linux or something like that. You would be better off making sure your machine is running a current version of your chosen distro (what are you running btw?) and then exploring chroot/UML/Xen/whatever solutions. thanks, Erik RH7.3 I suspect some of the solutions discussed might not be avaliable for it... -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 8:42 am, Zhasper wrote: On 9/28/06, Voytek Eymont [EMAIL PROTECTED] wrote: I'd suggest that a more effective strategy might be to talk to your users; tell them what you've found, why it's unacceptable, and what action you'll be taking if you discover anything similar in future. Also make it clear to them how they can check things with you before they install, and be proactive in helping them find solutions that don't compromise your security - for instance, sticking phpmyadmin behind a .htaccess file. thanks, Zhasper yes, I will, clearly, I need to spell it out, it's obvious I overestimated users' grasp of security, etc., or, in fact, his ability to understand what's good and proper: a php shell script the user installed had clear warning 'do not place this on your server without admin's permission' -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 10:32 am, Matthew Hannigan wrote: On Thu, Sep 28, 2006 at 08:40:38AM +1000, Erik de Castro Lopo wrote: I wonder if the best bang for buck is perhaps just have a iptables rule to prevent outgoing connections for the user running apache. Matt, thanks this seems like a worthwhile option... is it ? -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 11:45 am, Jamie Wilkinson wrote: This one time, at band camp, Erik de Castro Lopo wrote: You can add yourself the overhead of Xen for a shared hosting environment, but it's not necessary when you take the time to use a simple privilege separation technique, e.g. mod_suexec. -- is there anything like it for Apache 1.3x ? -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] dumb user check tool ?
On Wed, September 27, 2006 9:07 am, Penedo wrote: On 27/09/06, Voytek Eymont [EMAIL PROTECTED] wrote: Jail them - use one of multiple available segregation methods: 1. chroot 2. User Mode Linux (UML) 3. VMware 4. Xen 5. Virtuozoo 6. Maybe use SE-Linux to limit user's access at fine grain level I hope you don't give root access to your users - do you? no, they only have ftp access, anyway thanks for all the suggestions, though, given my current hardware and software constrainst, not sure if they'll fit -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] dumb user check tool ?
On Wed, September 27, 2006 11:12 am, Howard Lowndes wrote: ...but if these are on virtual guests then wouldn't they only affect that guest and not any of the others? Sure, it would be a problem for the user of that guest but not for the users of other guests. they're just virtual name hosts on Apache 1.3/RH73 -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] dumb user check tool ?
On 29/09/06, Voytek Eymont [EMAIL PROTECTED] wrote: no, they only have ftp access, anywayBut they can practically put any executable, or at least, any PHP code, on the server and invoke it, right?So what would prevent them from putting some SSH server and executing it, for instance? thanks for all the suggestions, though, given my current hardware andsoftware constrainst, not sure if they'll fit UML always sounded to heavy to my taste but Virtuozoo (which as far as I'm aware is similar in spirit to vserver (linux-vserver.org)) sounds like a pretty efficient way to separate users without requiring hardware virtualization support. Actually - maybe even Linux under Xen will do the trick on old hardware with acceptable performance penalty.Might worth a check considering that you don't want to invest in hardware.Cheers, --P -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] preventing stuff executed in /tmp
On Wed, September 27, 2006 8:45 am, Jeff Waugh wrote: Mount it as a separate partition with 'noexec'. On Wed, September 27, 2006 8:43 am, Alan Harper wrote: how can I protect/prevent attempt at executing stuff in /tmp ? Put it on a seperate partition (or even use tmpfs), and mount it with the noexec option (may as well use nodev and nosuid as well to be on the safe side) Alan, Jeff, thanks a 'noexec /tmp', is it a [d] ? a: a good idea b: a must have c: what are you waiting for ? d: all of above would a noexec /tmp prevent most of the web application vulnerabilities exploits ? I think I have enough RAM ?, how much should I give to temp ? or, should I add another IDE HD, and put /tmp there ? -- # free total used free sharedbuffers cached Mem: 1023120 955448 67672 0 152828 580616 -/+ buffers/cache: 222004 801116 Swap: 522104 95212 426892 -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Fri, September 29, 2006 11:02 pm, Erik de Castro Lopo wrote: You mean like up-to-date security patches? :-) I thought they're doing it till end of this year for 7.3...? -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] d/l illicit files: wget, curl, what else ?
Voytek Eymont wrote: On Thu, September 28, 2006 8:40 am, Erik de Castro Lopo wrote: You would be better off making sure your machine is running a current version of your chosen distro (what are you running btw?) thanks, Erik RH7.3 I suspect some of the solutions discussed might not be avaliable for it... You mean like up-to-date security patches? :-) Erik -- +---+ Erik de Castro Lopo +---+ Microsoft, and other companies with shoddy security, . -- Bruce Schneier, cryto-guru, to a US Senate committee. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On 9/29/06, Voytek Eymont [EMAIL PROTECTED] wrote: On Fri, September 29, 2006 11:02 pm, Erik de Castro Lopo wrote: You mean like up-to-date security patches? :-)I thought they're doing it till end of this year for 7.3...? Eeep! You're close, only off by three years:http://www.auscert.org.au/render.html?it=3689 Red Hat Linux 7.1, 7.2, 7.3, and 8.0 distributions will reach theirend-of-life for errata maintenance on the 31st December 2003. This meansthat from 1st January 2004 we will not be producing new security, bugfix, or enhancement updates for these products. Red Hat Linux 9 reaches end of life on April 30, 2004.-- There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html