Re: ipop3d delays
On Thu, Mar 07, 2002 at 02:18:48PM +0800, Anthony Wishart wrote:
> Hi All,
>
> I'm experiencing delays of around 1 - 1.5 minutes during/right after the authentication stage of ipop3d on a debian stable system. Everything works fine if I check mail locally (through the eth0 interface, or localhost). However if any external machines go to check their mail, they connect fine, put in user, put in pass, then there is a delay before you can list messages.
>
> Has anyone seen this before? I thought it could be a host lookup issue, however this has been working fine for months and the problem has only cropped up in a day or so. I don't think it's a disk access issue on the mail file either.

Perhaps a firewall between the machine and the remote hosts you were testing from has been reconfigured to drop (not reject) outbound requests for the ident service? It is common for pop daemons to check ident for anyone who connects to them (but I don't know about ipop3d specifically). The 1 - 1.5 minute is about the right amount of time for the tcp connection to time out if it's dropped somewhere along the way.

If that is the problem, your solution is either to fix the firewall to not drop ident lookups (reject will usually work), or to configure ipop3d to not do the lookups in the first place. I would say that the first is probably better as many other services (SMTP comes to mind) also do ident lookups on anyone who connects to them.

Hope that helps.

--
Steven Barker [EMAIL PROTECTED]
Do not think by infection, catching an opinion like a cold.
Get my GnuPG public key at: http://www.blckknght.org/publickey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
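The drop-versus-reject distinction in the reply above can be checked from the mail server by timing one connection attempt to a client's ident port (TCP 113). This is an added example, not part of the original thread; the function names and the default timeout are assumptions.

```python
import errno
import socket
import time

IDENT_PORT = 113  # identification protocol (RFC 1413)

# What each outcome means for a daemon that does an ident lookup per login.
EXPLANATION = {
    "open": "an ident daemon answered; the lookup completes at once",
    "rejected": "the attempt was refused immediately; the daemon moves on",
    "dropped": "no reply at all; the daemon waits out the full TCP timeout",
}


def probe_tcp(host, port=IDENT_PORT, timeout=5.0):
    """Attempt one TCP connect and classify how it ends.

    Returns (verdict, seconds). A firewall that REJECTs produces an
    immediate error; one that DROPs produces silence until `timeout`.
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except socket.timeout:
        verdict = "dropped"
    except ConnectionRefusedError:
        verdict = "rejected"          # TCP RST came back
    except OSError as exc:
        # ICMP unreachable replies also end the attempt quickly.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "rejected"
        else:
            raise
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def diagnose(host, timeout=5.0):
    """One-line report for a client address taken from the POP3 logs."""
    verdict, elapsed = probe_tcp(host, IDENT_PORT, timeout)
    return "%s:%d %s after %.1fs (%s)" % (
        host, IDENT_PORT, verdict, elapsed, EXPLANATION[verdict])


if __name__ == "__main__":
    import sys
    for client in sys.argv[1:]:
        print(diagnose(client))
```

A "dropped" verdict for external clients and "rejected" or "open" for local ones matches the symptom described in the question.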
Re: Two questions about /etc/apt/sources.list
On Tue, Oct 23, 2001 at 02:43:48PM +0800, Zhenguang Mo (163) wrote:
> Hi,
> Q1: is http://security.debian.org/dists/ and http://security.debian.org/debian-security/dists/ the same thing?

I'm pretty sure they are. I can't seem to check as ftp won't let me ls currently (I think that machine is still being upgraded, but maybe it just doesn't like me tonight).

> Q2: do I also need to have a line saying
> deb http://security.debian.org/debian-non-US potato/non-US main contrib non-free
> for non-us update?

You discovered the wonders of virtual hosting. Both non-us.debian.org and security.debian.org are on the same machine (also known as pandora.debian.org). Depending on what hostname you use to access it, you get a slightly different directory hierarchy.

I'm not quite sure what your question is however. You won't get non-us security updates by putting

deb http://security.debian.org/debian-non-US potato/non-US main

in sources.list because that is the same as the line

deb http://non-us.debian.org/debian-non-US potato/non-US main

which I presume you already have. I think (and I hope somebody will correct me if I'm wrong) that as the security updates are already being provided on a non-us machine, they include non-us packages along with the regular ones.

--
Steven Barker [EMAIL PROTECTED]
You will stop at nothing to reach your objective, but only because your brakes are defective.
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: Two questions about /etc/apt/sources.list
On Tue, Oct 23, 2001 at 04:51:13PM +0800, Zhenguang Mo (163) wrote:
> thanks for your help. basically, the following three lines are good enough to keep my potato debian up to date?
>
> deb http://http.us.debian.org/debian stable main contrib non-free (#for standard us debian)
> deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free (#for non-us debian)
> deb http://security.debian.org stable/updates main contrib non-free (# for security update)

Yes, these three lines are good.

> the last line is for BOTH standard us debian update AND non-us debian update, right?

Yes, stable/updates does include non-us packages (like ssh) so you should be kept up on all security updates.

--
Steven Barker [EMAIL PROTECTED]
The bigger they are, the harder they hit.
Get my GnuPG public key at: http://www.blckknght.org/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: TREAT URGENT
On Wed, Oct 17, 2001 at 09:55:39AM +0400, Nugzar Nebieridze wrote:
> Dansuki == Dansuki Ahmed [EMAIL PROTECTED] writes:
>
> Dansuki> I am prepared to invest 20m pounds sterling in your company if
>
> Sorry for off-topic, but I'm curious, WHY do people write such messages? WHAT do they need? My account information? Can anybody answer me?

This is a version of the Nigerian Scam also known as the 419 Fraud which is used to launder and/or steal money through a well meaning business person found by an unsolicited email or fax. There are lots of details online about it (http://home.rica.net/alphae/419coal/ would be a good place to start).

--
Steven Barker [EMAIL PROTECTED]
The universe is like a safe to which there is a combination -- but the combination is locked up in the safe. -- Peter DeVries
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: listen on tcp port and log input ??
On Wed, Sep 05, 2001 at 08:56:59AM +0800, Marcel Welschbillig wrote:
> Does anybody know of any programs I could use to open a port on a debian box and log the data that comes in to a file ??

Well, for totally raw data you could use netcat. Try

    nc -lp PORT > FILE

This will only listen for one connection then quit, however. I'm not sure if that's what you want. It's a place to start, anyway.

--
Steven Barker [EMAIL PROTECTED]
Goldenstern's Rules: (1) Always hire a rich attorney (2) Never buy from a rich salesman.
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
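The netcat command in the reply above exits after one connection. As an added example (not from the original thread), this listener keeps accepting clients and appends each one's raw bytes to a log file with a timestamped header; the function names, the per-connection byte cap and the idle timeout are assumptions.

```python
import socket
import time


def open_listener(port, bind_addr="127.0.0.1"):
    """Create a listening TCP socket; port 0 lets the kernel pick one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    sock.listen(5)
    return sock


def log_connections(listener, log_path, max_connections=None,
                    max_bytes=65536, idle_timeout=10.0):
    """Accept clients one at a time and append what each sends to log_path.

    max_bytes caps what a single client can write to disk and
    idle_timeout stops a silent client from blocking the loop.
    Returns the number of connections handled.
    """
    handled = 0
    with open(log_path, "ab") as log:
        while max_connections is None or handled < max_connections:
            conn, peer = listener.accept()
            with conn:
                conn.settimeout(idle_timeout)
                stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z")
                header = "--- %s connection from %s:%d\n" % (
                    stamp, peer[0], peer[1])
                log.write(header.encode())
                received = 0
                try:
                    while received < max_bytes:
                        chunk = conn.recv(min(4096, max_bytes - received))
                        if not chunk:          # client closed the connection
                            break
                        log.write(chunk)       # raw bytes, exactly as sent
                        received += len(chunk)
                except socket.timeout:
                    log.write(b"\n--- idle timeout\n")
                log.write(("\n--- end, %d bytes\n" % received).encode())
                log.flush()
            handled += 1
    return handled


if __name__ == "__main__":
    import sys
    # usage: script.py PORT FILE   (listens on all interfaces)
    log_connections(open_listener(int(sys.argv[1]), "0.0.0.0"), sys.argv[2])
```

The log holds unfiltered client bytes, so view it with a tool that escapes control characters rather than printing it straight to a terminal.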
Re: A thought on Layne
On Sat, Sep 01, 2001 at 05:05:18PM +1000, Steve wrote:
Y'know, if[1] I were a script-kiddie it would really appeal to my sense of irony to start subscribing people on boxes I rooted to misc. security mailing lists. That would certainly explain how he ended up on this one. Damn, that would be funny. Of course, he's using MS Outlook Express (judging from his headers) so it would probably have to be his ISP that got rooted.

--
Steven Barker [EMAIL PROTECTED]
God is a comedian playing to an audience too afraid to laugh. - Voltaire
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: Layne (was: Re: Is ident secure?)
On Fri, Aug 31, 2001 at 11:33:06PM -0400, Ed Street wrote:
> Hello,
> Already sent mail to the list admin on the bottom of each email.
>
> On 2001-08-31, Layne wrote:
> SEND ME NO MORE E-MAIL YOU SPERM BURPING GUTTER SLUT. FUCK YOU.
>
> Couldn't list-admins blackhole this moron? Please? :)

I forwarded one of the messages to [EMAIL PROTECTED] Perhaps they'll respond faster if they get more than one complaint?

--
Steven Barker [EMAIL PROTECTED]
ultima netgod: My calculator has more registers than the x86, and -thats- sad
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: Is ident secure?
On Sat, Sep 01, 2001 at 12:30:54AM -0400, Layne wrote:
> I'M JUST JOKING .RIGHT. I GOT 80 SPAM MESSAGES YESTERDAY AND 80 MORE TODAY I DIDN'T SUBSCRIBE TO. WHAT GIVES. THIS IS NUTS.

Well, this is an improvement. Maybe your next post will have lowercase letters too?

Seriously, if there's some mistake about being subscribed, email [EMAIL PROTECTED] and explain. Easier yet, unsubscribe yourself (instructions are in the footer of every message). You might want to email your ISP and explain to them too, as at least one other reader and I have submitted your posts to them as net abuse.

--
Steven Barker [EMAIL PROTECTED]
In Tennessee, it is illegal to shoot any game other than whales from a moving automobile.
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: HARASS ME MORE.........
On Sat, Sep 01, 2001 at 01:58:53AM -0400, Layne wrote:
> I sent my server several complaints about all this harassment. I have 227 messages on my in box right now from solicitors like you who I never even subscribed to. If I click on receive messages right now I bet I get 80 more. Do you think that's fair? Do you blame me for being mad?

Well, you're now replying to yourself. I'm not sure what you mean when you say that we are solicitors. This is the debian-security mailing list. We do not know how you got subscribed. If you don't want to be subscribed, there are simple instructions to unsubscribe on the bottom of every message.

I don't blame you for being mad. I do blame you for ranting obscenely in reply to every message. You may get 50 messages from this list, but 35 of them are from you. Please stop flaming everyone and unsubscribe yourself.

> - Original Message -
> From: Layne [EMAIL PROTECTED]
> To: debian-security@lists.debian.org; Steven Barker [EMAIL PROTECTED]
> Sent: Saturday, September 01, 2001 12:44 AM
> Subject: HARASS ME MORE.
>
> I ASKED YOU MORONS NOT TO SEND ME ANYMORE E-MAIL BUT HERE YOU GO AGAIN. IS THERE ANY INTELLIGENT PEOPLE THERE OR IS THE PLACE RUN BY BABOONS. I'M SENDING AN E-MAIL TO THE ABUSE PLACE TOO. YOU FUCKERS SENT ME 80 E-MAIL MESSAGES YESTERDAY AND 80 MORE TODAY AND I DIDN'T SUBSCRIBE TO ANY OF THEM. THAT IS HARASSMENT.

--
Steven Barker [EMAIL PROTECTED]
You may have heard that a dean is to faculty as a hydrant is to a dog. -- Alfred Kahn
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: gnupg fingerprint
On Wed, Aug 29, 2001 at 09:46:29PM -0300, Eduardo Gargiulo wrote:
> Hi all.
>
> I'm using gnupg and I want to know if it is possible to add a key to my trusted ring from a key fingerprint.

I'm not sure what you mean by your trusted ring. If you just want to get their public key into your keyring, try doing gpg --recv-key followed by their key ID. The key ID is the last 8 characters of the fingerprint (so my key ID, as seen in the fingerprint in my sig, is EBD5936B).

I hope that helps.

--
Steven Barker [EMAIL PROTECTED]
Non-Determinism is not meant to be reasonable. -- M.J. O'Donnell
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
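Because the 8-character key ID is only the tail of the fingerprint, a key fetched by ID should be compared against the full fingerprint before it is used. This added example (not from the original thread) derives the ID and parses `gpg --with-colons --fingerprint` output to make that comparison; the listing embedded below is constructed, and only the first fingerprint in it comes from the signature on this page.

```python
HEX_DIGITS = set("0123456789ABCDEF")


def normalize_fingerprint(text):
    """Remove the spacing used in signatures; require 40 hex digits (v4 key)."""
    fpr = "".join(text.split()).upper()
    if len(fpr) != 40 or not set(fpr) <= HEX_DIGITS:
        raise ValueError("not a 160-bit OpenPGP fingerprint: %r" % (text,))
    return fpr


def short_key_id(fingerprint):
    """The 8-digit key ID is the last 8 hex digits of the fingerprint."""
    return normalize_fingerprint(fingerprint)[-8:]


def primary_fingerprints(colon_listing):
    """Yield the fingerprint of each primary key in --with-colons output.

    A 'pub' record is followed by the primary key's 'fpr' record (field 10
    holds the fingerprint); 'fpr' records after 'sub' belong to subkeys.
    """
    after_pub = False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "sub":
            after_pub = False
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            after_pub = False
            yield fields[9].upper()


def check_fetched_keys(colon_listing, trusted_fingerprint):
    """Return (matches, lookalikes) for the keys in a listing.

    matches: primary keys whose full fingerprint equals the trusted one.
    lookalikes: keys that share only the short key ID and must not be used.
    """
    trusted = normalize_fingerprint(trusted_fingerprint)
    matches, lookalikes = [], []
    for fpr in primary_fingerprints(colon_listing):
        if fpr == trusted:
            matches.append(fpr)
        elif fpr.endswith(trusted[-8:]):
            lookalikes.append(fpr)
    return matches, lookalikes


# Fingerprint as printed in the signature above.
SIG_FINGERPRINT = "272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B"

# Constructed listing: every field except the first fingerprint is made up,
# and the second key is an invented one that shares the short ID EBD5936B.
SAMPLE_LISTING = """\
pub:-:1024:17:5292F743EBD5936B:996600000:::-:::scESC:
fpr:::::::::272A3EC852CEF22BF745775E5292F743EBD5936B:
uid:-::::996600000::::Example User One:
sub:-:1024:16:1111111111111111:996600000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
pub:-:1024:17:89ABCDEFEBD5936B:996600000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFEBD5936B:
uid:-::::996600000::::Example User Two:
"""

if __name__ == "__main__":
    print(short_key_id(SIG_FINGERPRINT))
    print(check_fetched_keys(SAMPLE_LISTING, SIG_FINGERPRINT))
```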
Re: Running root commands by http
On Thu, Aug 23, 2001 at 03:21:23PM +0100, Karl E. Jorgensen wrote:
> Sounds like you're getting into doing normal remote admin of a box. But why over HTTP ? If you have network connectivity to it, ssh should do the job (ssh in as yourself and su/sudo to root?).
>
> If you can get to via HTTP (e.g. you're behind some company firewall?), then httptunnel might help. YMMV. But if you can get SSH over HTTP running, you should be able to use all the existing tools. Better than writing new tools from scratch...

Another possibility would be to install the Mindterm java applet. It will let you ssh into a host from any web browser. Once they're logged in, you can let them do admin stuff with setuid programs, or sudo, or something of that nature.

--
Steven Barker [EMAIL PROTECTED]
When you're dining out and you suspect something's wrong, you're probably right.
PGP Key Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Get it at http://www.students.uiuc.edu~/scbarker/pubkey.asc
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 02:13:47PM +0900, Curt Howland wrote:
> Is there a file transfer method for utilizing ssh? I'm sure ftp could be tunneled, but for security reasons ftp is turned off. Until now, with zmodem, I didn't need it.

Try scp or sftp. They transfer files over ssh using the interfaces of rcp and ftp respectively. Neither requires anything other than sshd to be running on the server.

--
Steven Barker [EMAIL PROTECTED]
If you can count your money, you don't have a billion dollars. -- J. Paul Getty
PGP Key Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Get it at http://www.students.uiuc.edu~/scbarker/pubkey.asc
Re: strangelog
On Sun, Aug 12, 2001 at 05:33:34PM +0200, Rudy Gevaert wrote:
> This weekend I got a strange log:
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Aug 11 06:25:03 alhandra su[3584]: + ??? root-nobody
> Aug 11 06:25:03 alhandra PAM_unix[3584]: (su) session opened for user nobody by +(uid=0)

This is root (uid=0) becoming nobody. It's surely a cron job that is setup to change user to nobody before running. The locate package runs updatedb as nobody every day, for example.

--
Steven Barker [EMAIL PROTECTED]
Woolsey-Swanson Rule: People would rather live with a problem they cannot solve rather than accept a solution they cannot understand.
PGP Key Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Get it at http://www.students.uiuc.edu~/scbarker/pubkey.asc
Re: red worm amusement
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
> snip
> No, I'm simply saying not to start services immediately.
> snip

Well, I'm going to wade into this growing flamewar to point out what I think is a sound idea. The trouble with the current system is that installed daemons automatically start running with a default configuration. This is not always bad, but does not allow a paranoid sysadmin to protect themselves (short of ugly workarounds like taking down the network interface until the server is shut off).

I think that there should be a way to install a debian server package without having the installation scripts start the server. This need not be default, but it should be possible.

I'm sure there are many ways this could work. Perhaps:

    root@foobar:/etc# apt-get install --no-run apache

would download, install and configure apache, but not run it. When the sysadmin was satisfied with the configuration files, etc, then update-rc.d and such could be run by hand (or by another call to apt-get/dpkg with another flag).

This would have to be both a policy change and a technical change in apt and/or dpkg. I think it would be a good compromise between security and the simplicity of apt-get install foo.

--
Steven Barker [EMAIL PROTECTED]
Perhaps, after all, America never has been discovered. I myself would say that it had merely been detected. -- Oscar Wilde
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4 60BF E928 9E28 958F 2058
Re: red worm amusement
On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote: On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote: I think that there should be a way to install a debian server package without having the installation scripts start the server. This need not be default, but it should be possible. But that doesn't change the default. If you do something like this, you should add an option apt-get --run install foo Yes, that would make sense. Both --run and --no-run could be available as options with the default behavior determined by apt/dpkg configuration. As for what the default for apt/dpkg's config, that's for us to flame each other over... ;-) Personally, I think there should either be a /etc/do-not-start/package dir that packages' init scripts check for non-existence before starting, or a commented entry in the config file that the init script checks for non-existence before starting... Well, now we're getting into heavy policy stuff. I think it would be hard enough to get all the daemon postinst scripts to work in run and no-run mode.

--
Steven Barker [EMAIL PROTECTED]
There's so much to say but your eyes keep interrupting me.
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4 60BF E928 9E28 958F 2058
Re: --no-run option (was: Re: red worm amusement)
On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
> On Sun, 22 Jul 2001, Steven Barker wrote:
> > I think that there should be a way to install a debian server package without having the installation scripts start the server. This need not be default, but it should be possible.
>
> Why should anyone want to install a server without letting it run?

Security, customizability, flexibility

> The standard-config is normally sane, and when you do not think so, place another config-file there before installing it.

You are right, and I don't think that running with a default configuration would be a problem often. But an option to prevent servers (or perhaps all daemons, networked or not) from running on install would let anyone who does not want the default configuration the chance to change settings before starting it up.

Another problem with the current system is that disabled (as in, not running and removed from /etc/rc?.d) daemons restart themselves when they are upgraded. Often they are in packages that are so fundamental that they cannot realistically be removed (ie: inetd). The same mechanism in apt/dpkg that allows non-run installations could also permit non-run upgrades (perhaps even automatically detected).

I'm not planning on hacking this into dpkg, but perhaps it will be a future project. I'm always interested in other opinions as well.

--
Steven Barker [EMAIL PROTECTED]
I will make no bargains with terrorist hardware. -- Peter da Silva
I have a new PGP key! Its ID is EBD5936B. Get it at http://www.students.uiuc.edu~/scbarker/pubkey.asc
PGP Key Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
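Debian's `invoke-rc.d`, which package maintainer scripts use to start and stop daemons, consults `/usr/sbin/policy-rc.d` when that file exists. The sketch below is an added example (not from these messages) of such a policy script, implementing the per-package marker idea raised in this thread; the `/etc/do-not-start` directory is that hypothetical layout, and the exit statuses 0, 101 and 103 follow the policy-rc.d interface.

```python
#!/usr/bin/env python3
"""policy-rc.d sketch: refuse to start services that have a marker file.

Called by invoke-rc.d as:  policy-rc.d [options] <initscript ID> <actions>
where <actions> is a space-separated list such as "start" or "restart".
"""
import os
import sys

ALLOWED = 0         # action may proceed
FORBIDDEN = 101     # action forbidden by local policy
SYNTAX_ERROR = 103  # malformed call

# Hypothetical marker directory, named after the suggestion in the thread:
# `touch /etc/do-not-start/apache` keeps apache from being started.
MARKER_DIR = "/etc/do-not-start"

# Actions that would leave a daemon running after install or upgrade.
STARTING_ACTIONS = {"start", "restart"}


def decide(initscript, actions, marker_dir=MARKER_DIR):
    """Return the policy-rc.d exit status for one request."""
    wants_start = STARTING_ACTIONS & set(actions.split())
    # basename() keeps an odd initscript ID from escaping marker_dir.
    marker = os.path.join(marker_dir, os.path.basename(initscript))
    if wants_start and os.path.exists(marker):
        return FORBIDDEN
    # Stopping is always permitted, so upgrades can still shut a daemon down.
    return ALLOWED


def main(argv, marker_dir=MARKER_DIR):
    """Parse the arguments invoke-rc.d passes and apply decide()."""
    positional = [arg for arg in argv if not arg.startswith("--")]
    if len(positional) < 2:
        return SYNTAX_ERROR
    return decide(positional[0], positional[1], marker_dir)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

With a marker in place, both a fresh install and the upgrade of a previously disabled daemon leave the service stopped until the administrator removes the marker and starts it by hand.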
Re: shared root account
On Sat, Jul 07, 2001 at 12:11:44AM -0600, Will Aoki wrote:
> On Sat, Jul 07, 2001 at 02:10:09AM +0100, Eric E Moore wrote:
> [cut]
> > I would be very shocked if you could compromise a system with a sudoers entry of:
> > me hostname = (root) /bin/cat
>
> Depends on what's on the system. I've thought of four similar ways.

Hmm, you forgot the obvious:

    sudo cat /etc/shadow > foo

--
Steven Barker [EMAIL PROTECTED]
It'll be just like Beggars' Canyon back home. -- Luke Skywalker
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4 60BF E928 9E28 958F 2058