Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
On Thu, Jul 06, 2006 at 06:44:12PM +0200, Robert Michel wrote:
> Hello Herbert!
>
> Herbert Poetzl wrote on Thursday, 6 July 2006 at 13:10:
>>> but on the next day /usr/sbin/safe_asterisk does not find /dev/tty9.
>>> /dev/pts/31 exists only for my bash; after exiting this bash,
>>> /dev/pts/31 is gone too, and so this hack does not work... ;(
>> precisely, either you _want_ that output to go somewhere, then you
>> have to 'provide' a real vc terminal or to make asterisk 'create' it
>> on startup (by requesting a new one, like e.g. screen does)
> Exactly.
>> you could, for example, use screen to provide that pseudo terminal
>> without modifying asterisk
> I have to play more with screen/dtach - could screen create performance
> or other problems? IMHO screen does much more than just create a pseudo
> terminal and slows asterisk significantly.
>> better use /dev/vc/9 (c:4:9 or the udev equiv) but basically you
>> 'could' create the device for the guest on the host side, and the
>> guest will be able to use it, just be careful _what_ you give to
>> your guests :)
>>> So [EMAIL PROTECTED] can indirectly create dummy devices and there
>>> is still no tool like mknod for vserver - because it is not so
>>> necessary and does not have such a high priority - right?
>> no, because it is a big can of worms and a security issue, just
>> imagine somebody creating a block device which 'accidentally' is
>> identical to your host's root partition, and then starts modifying
>> stuff at a very low level :)
> You mean [EMAIL PROTECTED] could do things with the power of
> [EMAIL PROTECTED]
> I can understand that it is good that [EMAIL PROTECTED] can't dump the
> RAM, read the BIOS etc... and everybody who sets up his own vserver is
> happy about a security gain - but it is a bit different for people who
> rent a vserver and are only [EMAIL PROTECTED]
>
> BTW I'm in favor that by default every vserver installation creates a
> Vserver-README inside the root directory for every guest instance and
> a [EMAIL PROTECTED]

I agree, and this could be something the community provides to the
actual 'providers', but, as they build their own environments, with a
multitude of different tools, there is no real way to 'force' that into
a guest (which IMHO would be wrong anyways)

> ISPs are promoting vserver with full root access
> As far as I know yet root-guest can't use:
> iptables,

this one is not yet possible without help from the provider, but some
providers allow you to do that via some web interface (in a secure way)

> ping,

should work quite fine with all recent versions of Linux-VServer if the
proper context capability is set (raw_icmp, see
http://linux-vserver.org/Caps+and+Flags)

> traceroute,

traceroute is a very misguided tool, and can be replaced by (the much
newer) tracepath which should work out of the box (and give more
information)

> ntp,

ntp uses the linux kernel to keep track of the time which doesn't really
make sense on a per guest basis, it is much better to have only a single
ntpd instance on the host (or in a special time guest) which keeps the
entire system in sync

> mknod

is disabled (via a capability) for security reasons as you do not want
folks to mess with devices they do not own ...

> so some misunderstandings or noise on the mailing list will come
> automatically.

yes, from a 'customer' point of view it is completely understandable

> When I know more about vservers, I will try to contribute in that
> way... But back to the topic: could [EMAIL PROTECTED] use mknod?
> Theoretically it would be possible to add this feature with a vmknod
> and a tool for [EMAIL PROTECTED] so that guests could create block
> devices of their own without harming other guests or the host itself,
> but it seems not to be a planned feature for vserver.

well, what kind of 'devices' would you like to create inside a guest?

> It's unthankful that people ask every time about errors or things
> that are not supported

no problem with that, all the issues and/or feature requests reported
back will be considered, and if there is a good way to do it, we will
probably add it in the next version (as we already did with many
inspired features, like the per guest time base :)

> But I'm thankful about the vserver project and that you have the focus
> on security

you're very welcome!

best,
Herbert

> Greetings,
> rob

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
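The host-side route Herbert describes above ("create the device for the guest on the host side ... just be careful _what_ you give to your guests"), written out as an added example. This is my script, not a Linux-VServer tool or anything from the thread. It goes a little beyond the thread: it only ever creates character devices from a short allow-list (the c:4:9 console from the thread and two neighbouring ones), refuses block devices outright because of the host-root-partition scenario Herbert sketches, and refuses to follow a guest /dev that the guest's root has turned into a symlink, since mknod on the host would otherwise land wherever that link points. The guest root path /vservers/<name>, the allow-list contents and the flat-name rule (tty9 rather than vc/9) are assumptions.

```shell
#!/bin/sh
# grant_dev.sh - create a device node inside a guest's /dev from the HOST side,
# restricted to a short allow-list of character devices. Added example for this
# thread, not a Linux-VServer tool; guest root path and allow-list are assumed.
#
# usage: grant_dev.sh GUESTROOT NAME TYPE MAJOR MINOR
#   e.g. grant_dev.sh /vservers/asterisk tty9 c 4 9     (c:4:9 from the thread)

# Allow-list, one "type major minor" per line. Character devices only: a
# guest holding a node for the host's root disk can rewrite the host at the
# block level, which is the can of worms Herbert describes.
ALLOWED="c 4 9
c 4 10
c 4 11"

# dev_allowed TYPE MAJOR MINOR: succeed only for an allow-listed triple
dev_allowed() {
    printf '%s\n' "$ALLOWED" | grep -qxF "$1 $2 $3"
}

# safe_name NAME: a single flat component under /dev. Nested names such as
# vc/9 are refused on purpose: every intermediate directory would be another
# place the guest could plant a symlink.
safe_name() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
    esac
    return 0
}

# grant_dev GUESTROOT NAME TYPE MAJOR MINOR: validate, then mknod in the guest
grant_dev() {
    guest=$1 name=$2 type=$3 maj=$4 min=$5

    [ "$type" = c ] || { echo "refusing non-character device $type:$maj:$min" >&2; return 1; }
    dev_allowed "$type" "$maj" "$min" || { echo "refusing $type:$maj:$min: not on allow-list" >&2; return 1; }
    safe_name "$name" || { echo "refusing name '$name'" >&2; return 1; }

    # The guest's root owns $guest/dev and can replace it with a symlink to
    # any host path; never create the node through such a link.
    [ -d "$guest/dev" ] && [ ! -L "$guest/dev" ] || { echo "$guest/dev is not a real directory" >&2; return 1; }
    [ ! -e "$guest/dev/$name" ] || { echo "$guest/dev/$name already exists" >&2; return 1; }

    mknod -m 0600 "$guest/dev/$name" "$type" "$maj" "$min"
}

# Only act when run as a script with all five arguments.
if [ "$#" -eq 5 ]; then
    grant_dev "$@"
fi
```

The final mknod needs CAP_MKNOD on the host, which is the whole point: the guest never gets that capability, the host administrator decides per device, and the checks before mknod are what keep "be careful what you give to your guests" from depending on memory alone.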
Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
On Wed, Jul 05, 2006 at 11:44:54PM +0200, Robert Michel wrote:
> Hello Herbert, ML!
>
> Herbert Poetzl wrote on Sunday, 2 July 2006 at 17:59:
> What should I read to learn what fd, pts stand for and to know what
> /dev/pts/[14|20|21|31-34] are?
>> *phew* good question, probably a lot of source code :)
>> thing is, fd and pts (/14, /20 ...) are 'just' names used for
>> character and block device nodes, identified by the unique major and
>> minor identifiers ... so, basically c:136:14 means the 14th pseudo
>> terminal (regardless of the name, could as well be named hansi)
> Could it be that I'm allowed to remove devices, but not allowed to
> create one?
>> Exactly. Giving guests the ability to create devices is a huge
>> security risk, basically equivalent to just giving access to the host
>> directly.
> What about the pseudo terminals? sshd, screen ... and some others can
> create new ones as [EMAIL PROTECTED] :)
>
> asterisk seems to have its own terminal:
> # from [Asterisk-Users] ML Tzafrir Cohen wrote on
> # Tue Jul 4 09:05:46 MST 2006
> # safe_asterisk has a flawed logic: it assumes that the tty device will
> # always exist. Thus it is not suited for use with screen.
>
> I used ln -s /dev/pts/31 /dev/tty9 successfully,

/dev/pts is very dynamic, i.e. it is assigned when you ask /dev/ptmx for
a new terminal, and it will lose its connection and meaning when you
close it

> but on the next day /usr/sbin/safe_asterisk does not find /dev/tty9.
> /dev/pts/31 exists only for my bash; after exiting this bash,
> /dev/pts/31 is gone too, and so this hack does not work... ;(

precisely, either you _want_ that output to go somewhere, then you have
to 'provide' a real vc terminal or to make asterisk 'create' it on
startup (by requesting a new one, like e.g. screen does)

> How can I create a new pseudo terminal with /etc/init.d/asterisk, e.g.
> /dev/pts/ast, and ln -s /dev/pts/ast /dev/tty9?

you could, for example, use screen to provide that pseudo terminal
without modifying asterisk

> A dirty trick would be to start an ssh or telnet connection to
> 127.0.0.1 from /etc/init.d/asterisk; is there a smart way to create a
> pseudo terminal, especially one that is durable and does not fade away
> when something crashes?
>> device nodes are always local, so they cannot be 'forwarded' to
>> another host, OTOH, you are free to create fifos (pipes) and symlinks
>> to 'redirect' stuff remotely and locally
>
> [EMAIL PROTECTED] mknod . /dev/pts/asterisk
> [EMAIL PROTECTED] ln -s /dev/pts/asterisk /dev/tty9
> ???
>
> #mknod /dev/tty9 c 7 7
> mknod: '/dev/tty9': Operation not permitted

better use /dev/vc/9 (c:4:9 or the udev equiv) but basically you 'could'
create the device for the guest on the host side, and the guest will be
able to use it, just be careful _what_ you give to your guests :)

> And mknod /dev/tty9 -p as FIFO does not help to run asterisk with a
> console.
>
> I found this:
> # From: Herbert Poetzl herbert_at_13thfloor.at
> # Date: Wed 17 May 2006 - 18:13:50 BST
> # Message-ID: [EMAIL PROTECTED]
> # On Sun, May 14, 2006 at 09:48:20PM -0700, EKC wrote:
> # I'm running a perl script inside of a linux vserver, and the script
> # requires access to tty and pty devices. However /dev/MAKEDEV and
> # mknod cannot create pty devices from within a vserver. [...]
> # Is there a way to add devices from within a vserver itself?
> # pts/ptmx is auto created inside a guest, with proper
> # permissions and security (tty and pty are not required
> # inside a guest, unless you want to assign certain 'real'
> # consoles to the guest, like vt0/1/2 etc)
>
> ok and how can I use this magic auto creation inside a guest with/for
> /etc/init.d/asterisk? ;)
>
> man ptmx
> getpt(3), grantpt(3), ptsname(3), unlockpt(3)
> still a little bit too complex for me ;(
>
> man expect
> man screen
>
> Well I could write
>
> #!/bin/sh
> # ttydumy.sh
> rm /dev/tty9
> ln -s "$(tty)" /dev/tty9
>
> and call screen .../ttydumy.sh inside safe_asterisk, but it seems that
> screen inside slows asterisk. (and this is ugly for ssh login and
> screen -r with multiple screens...)
>
> So [EMAIL PROTECTED] can indirectly create dummy devices and there is
> still no tool like mknod for vserver - because it is not so necessary
> and does not have such a high priority - right?

no, because it is a big can of worms and a security issue, just imagine
somebody creating a block device which 'accidentally' is identical to
your host's root partition, and then starts modifying stuff at a very
low level :)

> Don't get me wrong, I don't want to be impolite and I don't want to be
> misunderstood as expecting support and inclusion of that feature. It's
> just that I want to understand the power of vserver and to do the best
> with them and also try to document/promote them, that it is possible
> to run an unpatched asterisk with a colored CLI (Patching asterisk
> would be a
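The ptmx route the thread keeps circling back to (getpt(3), grantpt(3), ptsname(3), unlockpt(3)), worked through as an added example. This is my code, not anything from the thread, from Linux-VServer or from asterisk's safe_asterisk. It does what sshd and screen do inside a guest: ask /dev/ptmx for a pseudo terminal, which the kernel auto-creates as /dev/pts/N with no mknod involved; it then keeps the master side open so that node stays alive for as long as the holder runs, publishes it under a stable name, and drains it into a log. It also contains the existence check that the quoted Asterisk-Users post says safe_asterisk lacks. The link path /dev/tty9 and the log path are assumed defaults, and posix_openpt(3) stands in for the glibc-specific getpt(3).

```c
/* pty_hold.c - allocate a pseudo terminal the way sshd and screen do, give it
 * a stable name, and keep it alive by holding the master side open.
 * Added example for this thread, not code from Linux-VServer or asterisk.
 * Assumptions: the guest has the auto-created /dev/ptmx and /dev/pts; the
 * link path (/dev/tty9) and the log path are illustrative defaults. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Ask /dev/ptmx for a new pty. The kernel creates /dev/pts/N for it; that node
 * exists exactly as long as the returned master fd stays open. Copies the
 * slave path into `slave` (size n) and returns the master fd, or -1. */
int pty_open(char *slave, size_t n)
{
    const char *name;
    int mfd = posix_openpt(O_RDWR | O_NOCTTY);
    if (mfd < 0)
        return -1;
    if (grantpt(mfd) < 0 || unlockpt(mfd) < 0 ||
        (name = ptsname(mfd)) == NULL || strlen(name) >= n) {
        close(mfd);
        return -1;
    }
    strcpy(slave, name);
    return mfd;
}

/* Point `link` at `slave`, replacing a stale link from an earlier run
 * atomically: symlink under a temporary name, then rename() over the old one. */
int pty_link(const char *slave, const char *link)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.%ld", link, (long)getpid()) >= (int)sizeof tmp)
        return -1;
    if (symlink(slave, tmp) < 0)
        return -1;
    if (rename(tmp, link) < 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* The check safe_asterisk is missing: does TTY resolve to a character device
 * right now, rather than to yesterday's /dev/pts/31 that no longer exists? */
int is_char_device(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISCHR(st.st_mode);
}

/* Keep the master open and drain whatever the slave side writes into a log.
 * Draining matters: a pty master nobody reads fills up and then blocks the
 * program writing to the slave. Returns -1 only when the log cannot be used. */
int pty_hold(int mfd, const char *logpath)
{
    char buf[4096];
    FILE *log = fopen(logpath, "a");
    if (log == NULL)
        return -1;
    for (;;) {
        ssize_t r = read(mfd, buf, sizeof buf);
        if (r < 0 && errno == EINTR)
            continue;
        if (r < 0 && errno == EIO) { /* slave closed (asterisk died); wait for the next open */
            sleep(1);
            continue;
        }
        if (r <= 0)
            break;
        if (fwrite(buf, 1, (size_t)r, log) != (size_t)r)
            break;
        fflush(log);
    }
    fclose(log);
    return -1;
}

int main(int argc, char **argv)
{
    const char *link = argc > 1 ? argv[1] : "/dev/tty9";
    const char *logpath = argc > 2 ? argv[2] : "/var/log/asterisk/console.log";
    char slave[64];
    int mfd = pty_open(slave, sizeof slave);
    if (mfd < 0) {
        perror("pty_open");
        return 1;
    }
    if (pty_link(slave, link) < 0) {
        perror("pty_link");
        return 1;
    }
    printf("%s -> %s, held open by pid %ld\n", link, slave, (long)getpid());
    pty_hold(mfd, logpath);
    return 1;
}
```

Started from the init script before asterisk, and kept running under whatever supervises the guest's daemons, this gives safe_asterisk a /dev/tty9 that survives logouts. The moment the holder exits, the kernel removes /dev/pts/N and the symlink dangles, which is exactly what happened to the /dev/pts/31 borrowed from an interactive bash; is_char_device() is the test to run before trusting the link.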
Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
On 7/6/06, Herbert Poetzl [EMAIL PROTECTED] wrote:
> PS: I assume you know that there is a project which uses Linux-VServer
> to isolate several asterisk instances on a single host

I didn't, do you have more information about this?

D.

blaze your trail
-- redhat
[asterik] Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
Hello Daniel!

On Thu, 06 Jul 2006, Daniel W. Crompton wrote:
> On 7/6/06, Herbert Poetzl [EMAIL PROTECTED] wrote:
>> PS: I assume you know that there is a project which uses Linux-VServer
>> to isolate several asterisk instances on a single host
> I didn't, do you have more information about this?

With Herbert's tip I found some information very quickly:
http://www.telephreak.org/papers/vpa/

Web search engine and "asterisk vserver virtual private":
virtual private asterisk
http://linux.slashdot.org/article.pl?sid=05/07/25/2038216
super.. this is a report about http://www.telephreak.org/papers/vpa/ ;)
telephreak vserver asterisk

Greetings,
rob
Re: [asterik] Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
On 7/6/06, Robert Michel [EMAIL PROTECTED] wrote:
> On Thu, 06 Jul 2006, Daniel W. Crompton wrote:
> Web search engine and "asterisk vserver virtual private"

You are absolutely right, I should have just searched for it. Apologies.

D.

blaze your trail
-- redhat
Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
Hello Herbert!

Herbert Poetzl wrote on Thursday, 6 July 2006 at 13:10:
>> but on the next day /usr/sbin/safe_asterisk does not find /dev/tty9.
>> /dev/pts/31 exists only for my bash; after exiting this bash,
>> /dev/pts/31 is gone too, and so this hack does not work... ;(
> precisely, either you _want_ that output to go somewhere, then you
> have to 'provide' a real vc terminal or to make asterisk 'create' it
> on startup (by requesting a new one, like e.g. screen does)

Exactly.

> you could, for example, use screen to provide that pseudo terminal
> without modifying asterisk

I have to play more with screen/dtach - could screen create performance
or other problems? IMHO screen does much more than just create a pseudo
terminal and slows asterisk significantly.

> better use /dev/vc/9 (c:4:9 or the udev equiv) but basically you
> 'could' create the device for the guest on the host side, and the
> guest will be able to use it, just be careful _what_ you give to your
> guests :)
>> So [EMAIL PROTECTED] can indirectly create dummy devices and there is
>> still no tool like mknod for vserver - because it is not so necessary
>> and does not have such a high priority - right?
> no, because it is a big can of worms and a security issue, just
> imagine somebody creating a block device which 'accidentally' is
> identical to your host's root partition, and then starts modifying
> stuff at a very low level :)

You mean [EMAIL PROTECTED] could do things with the power of
[EMAIL PROTECTED]

I can understand that it is good that [EMAIL PROTECTED] can't dump the
RAM, read the BIOS etc... and everybody who sets up his own vserver is
happy about a security gain - but it is a bit different for people who
rent a vserver and are only [EMAIL PROTECTED]

BTW I'm in favor that by default every vserver installation creates a
Vserver-README inside the root directory for every guest instance and a
[EMAIL PROTECTED]

ISPs are promoting vserver with full root access
As far as I know yet root-guest can't use:
iptables, ping, traceroute, ntp, mknod
so some misunderstandings or noise on the mailing list will come
automatically.

When I know more about vservers, I will try to contribute in that way...

But back to the topic: could [EMAIL PROTECTED] use mknod?
Theoretically it would be possible to add this feature with a vmknod and
a tool for [EMAIL PROTECTED] so that guests could create block devices of
their own without harming other guests or the host itself, but it seems
not to be a planned feature for vserver.

It's unthankful that people ask every time about errors or things that
are not supported, but I'm thankful about the vserver project and that
you have the focus on security.

Greetings,
rob
Re: [asterik] Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
Hello Daniel!

On Thu, 06 Jul 2006, Daniel W. Crompton wrote:
> You are absolutely right, I should have just searched for it.
> Apologies.

That was not my point - I was in a hurry and found some pages, and had
only time to read them very fast.

Virtual private asterisk (vpa) stresses (again) the advantage of using
vserver on a server and giving server daemons their own environment:
Divide et impera! :)

I was happy that also other people here on the list are interested in
asterisk - could be useful for exchanging know-how/ideas... ;)

Greetings,
rob
Re: [asterik] Re: [Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
On 7/6/06, Robert Michel [EMAIL PROTECTED] wrote:
> Virtual private asterisk (vpa) stresses (again) the advantage of using
> vserver on a server and giving server daemons their own environment:
> Divide et impera! :)

I agree. ;)

> I was happy that also other people here on the list are interested in
> asterisk - could be useful for exchanging know-how/ideas... ;)

I'd be happy to exchange any know-how/ideas I have.

D.

blaze your trail
-- redhat
[Vserver] sshd creates /dev/pts/*, how can I create a /dev/pts/rob with an init.d script?
Hello Herbert, ML!

Herbert Poetzl wrote on Sunday, 2 July 2006 at 17:59:
What should I read to learn what fd, pts stand for and to know what
/dev/pts/[14|20|21|31-34] are?
> *phew* good question, probably a lot of source code :)
> thing is, fd and pts (/14, /20 ...) are 'just' names used for character
> and block device nodes, identified by the unique major and minor
> identifiers ... so, basically c:136:14 means the 14th pseudo terminal
> (regardless of the name, could as well be named hansi)

Could it be that I'm allowed to remove devices, but not allowed to create
one?
> Exactly. Giving guests the ability to create devices is a huge security
> risk, basically equivalent to just giving access to the host directly.

What about the pseudo terminals? sshd, screen ... and some others can
create new ones as [EMAIL PROTECTED] :)

asterisk seems to have its own terminal:
# from [Asterisk-Users] ML Tzafrir Cohen wrote on
# Tue Jul 4 09:05:46 MST 2006
# safe_asterisk has a flawed logic: it assumes that the tty device will
# always exist. Thus it is not suited for use with screen.

I used ln -s /dev/pts/31 /dev/tty9 successfully, but on the next day
/usr/sbin/safe_asterisk does not find /dev/tty9. /dev/pts/31 exists only
for my bash; after exiting this bash, /dev/pts/31 is gone too, and so this
hack does not work... ;(

How can I create a new pseudo terminal with /etc/init.d/asterisk, e.g.
/dev/pts/ast, and ln -s /dev/pts/ast /dev/tty9?

A dirty trick would be to start an ssh or telnet connection to 127.0.0.1
from /etc/init.d/asterisk; is there a smart way to create a pseudo
terminal, especially one that is durable and does not fade away when
something crashes?
> device nodes are always local, so they cannot be 'forwarded' to another
> host, OTOH, you are free to create fifos (pipes) and symlinks to
> 'redirect' stuff remotely and locally

[EMAIL PROTECTED] mknod . /dev/pts/asterisk
[EMAIL PROTECTED] ln -s /dev/pts/asterisk /dev/tty9
???

#mknod /dev/tty9 c 7 7
mknod: '/dev/tty9': Operation not permitted

And mknod /dev/tty9 -p as FIFO does not help to run asterisk with a
console.

I found this:
# From: Herbert Poetzl herbert_at_13thfloor.at
# Date: Wed 17 May 2006 - 18:13:50 BST
# Message-ID: [EMAIL PROTECTED]
# On Sun, May 14, 2006 at 09:48:20PM -0700, EKC wrote:
# I'm running a perl script inside of a linux vserver, and the script
# requires access to tty and pty devices. However /dev/MAKEDEV and
# mknod cannot create pty devices from within a vserver. [...]
# Is there a way to add devices from within a vserver itself?
# pts/ptmx is auto created inside a guest, with proper
# permissions and security (tty and pty are not required
# inside a guest, unless you want to assign certain 'real'
# consoles to the guest, like vt0/1/2 etc)

ok and how can I use this magic auto creation inside a guest with/for
/etc/init.d/asterisk? ;)

man ptmx
getpt(3), grantpt(3), ptsname(3), unlockpt(3)
still a little bit too complex for me ;(

man expect
man screen

Well I could write

#!/bin/sh
# ttydumy.sh
rm /dev/tty9
ln -s "$(tty)" /dev/tty9

and call screen .../ttydumy.sh inside safe_asterisk, but it seems that
screen inside slows asterisk. (and this is ugly for ssh login and
screen -r with multiple screens...)

So [EMAIL PROTECTED] can indirectly create dummy devices and there is
still no tool like mknod for vserver - because it is not so necessary and
does not have such a high priority - right?

Don't get me wrong, I don't want to be impolite and I don't want to be
misunderstood as expecting support and inclusion of that feature. It's
just that I want to understand the power of vserver and to do the best
with them and also try to document/promote them, that it is possible to
run an unpatched asterisk with a colored CLI (Patching asterisk would be
a second solution, would work for me but I think many vserver users would
not do this...)

Greetings,
rob

This is OT for the Vserver ML, more for vserver+asterisk users:
PS: My personal workaround at the moment: start screen, and one of those
terminals is used to get asterisk colored inside this terminal:

tty > /etc/asterisk/tty
ln -s /dev/pts/$tty /dev/tty9

inside safe_asterisk a test if that device still exists... if yes
TTY=tt9, so when asterisk crashes and there is no TTY9 it will run
without a hangup ;)