Nicolas Calimet <pov### [at] free fr> wrote:
> Warp, I hope you realize IO restrictions have nothing to do with
> what Rafal is asking.
Well, he said:
"I would like to allow a user to log into my box via SSH and run povray there.
It's important to deny the user from doing anything "evil" including accessing
the internet, running other applications, etc."
Adding 1 and 1 made me believe he was saying "how to avoid povray from
running other applications?".
--
plane{-x+y,-1pigment{bozo color_map{[0rgb x][1rgb x+y]}turbulence 1}}
sphere{0,2pigment{rgbt 1}interior{media{emission 1density{spherical
density_map{[0rgb 0][.5rgb<1,.5>][1rgb 1]}turbulence.9}}}scale
<1,1,3>hollow}text{ttf"timrom""Warp".1,0translate<-1,-.1,2>}// - Warp -
war### [at] tag povray org news:41a34194@news.povray.org
> Adding 1 and 1 made me believe he was saying "how to avoid povray from
> running other applications?".
But the main problem is that while logged in via SSH, he could upload a
virus/trojan and run it there ;)
--
http://www.raf256.com/3d/
Rafal Maj 'Raf256', home page - http://www.raf256.com/me/
Computer Graphics
Rafal 'Raf256' Maj <spa### [at] raf256 com> wrote:
> But the main problem is that while logged in via SSH, he could upload a
> virus/trojan and run it there ;)
But he can only run programs on this account alone. You can't "infect"
a system if you don't have superuser privileges. You can only infect
your own files.
--
#macro N(D)#if(D>99)cylinder{M()#local D=div(D,104);M().5,2pigment{rgb M()}}
N(D)#end#end#macro M()<mod(D,13)-6mod(div(D,13)8)-3,10>#end blob{
N(11117333955)N(4254934330)N(3900569407)N(7382340)N(3358)N(970)}// - Warp -
war### [at] tag povray org news:41a493f2@news.povray.org
> But he can only run programs on this account alone. You can't "infect"
> a system if you don't have superuser privileges. You can only infect
> your own files.
He might, for example, send 100,000 spam emails from my IP.
Or run some user-to-root exploit; there are really many of them. The only way
to be sure is to use the grsecurity patch *and* the Gentoo distribution *and*
recompile every program in the system with safelib / ProPolice gcc patches
(AFAIK).
--
http://www.raf256.com/3d/
Rafal Maj 'Raf256', home page - http://www.raf256.com/me/
Computer Graphics
Rafal 'Raf256' Maj <spa### [at] raf256 com> wrote:
> only way to be sure
is to disconnect the computer from the internet altogether.
--
#macro M(A,N,D,L)plane{-z,-9pigment{mandel L*9translate N color_map{[0rgb x]
[1rgb 9]}scale<D,D*3D>*1e3}rotate y*A*8}#end M(-3<1.206434.28623>70,7)M(
-1<.7438.1795>1,20)M(1<.77595.13699>30,20)M(3<.75923.07145>80,99)// - Warp -
On 23 Nov 2004 06:30:56 -0500, "Rafal 'Raf256' Maj" <spa### [at] raf256 com>
wrote:
>Hi,
>I would like to allow a user to log into my box via SSH and run povray there.
>
>It's important to deny the user from doing anything "evil" including accessing
>the internet, running other applications, etc.
>
>He can only login, up/download his own files, run povray (and moray), and use
>kill/top/ps.
>
>How can I make something like this? For example, on Debian.
Perhaps this page can be useful:
http://www.jmcresearch.com/projects/jail/
I have configured it on Red Hat 8 without many problems. But you must
edit /etc/passwd and move some files manually.
Rafal 'Raf256' Maj wrote:
> Hi,
> I would like to allow a user to log into my box via SSH and run povray there.
>
> It's important to deny the user from doing anything "evil" including accessing
> the internet, running other applications, etc.
>
> He can only login, up/download his own files, run povray (and moray), and use
> kill/top/ps.
>
> How can I make something like this? For example, on Debian.
>
The problem with chroot on modern Unixes is that they tend to have a lot
of shared libraries, and simply copying executables into ~/bin and chrooting
to ~/ doesn't work because the shared libs are outside of the jail.
At a minimum you need a statically linked shell inside the jail; many
systems have a /bin/bash_static or similar for emergencies. Then you need
to build pov statically linked also, and any other utils you want to
provide.
This little test worked for me:
billh@Tarragon ~ $ sudo chroot ~/ /bin/bash_static
chroot: cannot run command `/bin/bash_static': No such file or directory
billh@Tarragon ~ $ cp /bin/bash_static ~/bin
billh@Tarragon ~ $ sudo chroot ~/ /bin/bash_static
I have no name!@Tarragon / # ls
bash_static: ls: command not found
--
Bill Hails
http://thyme.homelinux.net/
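The alternative to static linking that Bill's post hints at is to copy each program together with the libraries ldd reports into the jail, preserving their paths; the script below does that and checks nothing is missing. It is an added example, not Bill's or the thread's own code, and assumes a Linux box with ldd, readlink -f and a standard cp (the binary and jail paths in the comments are placeholders).

```shell
#!/bin/sh
# Populate a chroot jail with a program and the shared libraries it links
# against, so a dynamically linked binary works under chroot.
# Added example (not from the thread); assumes ldd and readlink -f exist.
set -eu

# Print the absolute paths of shared objects a binary depends on.
# Output is empty for statically linked binaries (ldd then fails quietly).
jail_deps() {
    # ldd lines look like:  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
    #                  or:  /lib64/ld-linux-x86-64.so.2 (0x...)
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' || true
}

# Copy one file into the jail, keeping its directory layout.
jail_copy() {
    jail=$1; src=$2
    # Resolve symlinks so the jail holds a real file, not a dangling link.
    real=$(readlink -f "$src")
    mkdir -p "$jail$(dirname "$real")" "$jail$(dirname "$src")"
    cp "$real" "$jail$real"   # plain cp keeps the mode bits, so +x survives
    # Keep the original path working too (e.g. /bin/sh -> /usr/bin/dash,
    # or /lib64/ld-linux-x86-64.so.2 which the ELF interpreter path names).
    [ "$real" = "$src" ] || cp "$real" "$jail$src"
}

# Install a program and everything it links against under the jail root,
# e.g. populate_jail /home/povuser /usr/bin/povray (placeholder paths).
populate_jail() {
    jail=$1; prog=$2
    jail_copy "$jail" "$prog"
    for lib in $(jail_deps "$prog"); do
        jail_copy "$jail" "$lib"
    done
}

# Verify that the program and every library it needs exist inside the jail.
jail_check() {
    jail=$1; prog=$2
    for lib in $(jail_deps "$prog"); do
        [ -e "$jail$lib" ] || { echo "missing in jail: $lib" >&2; return 1; }
    done
    [ -x "$jail$prog" ]
}
```

Only the eventual chroot needs root; populating can run as the jail's owner, and libraries a program loads at runtime via dlopen (plugins, NSS modules) are not listed by ldd and still have to be copied by hand.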
war### [at] tag povray org news:41a49b05@news.povray.org
> is to disconnect the computer from the internet altogether.
Then I won't be able to SSH to it in the first place ;)
--
http://www.raf256.com/3d/
Rafal Maj 'Raf256', home page - http://www.raf256.com/me/
Computer Graphics
OpenBSD would be better......
Rafal 'Raf256' Maj wrote:
> Hi,
> I would like to allow a user to log into my box via SSH and run povray there.
>
> It's important to deny the user from doing anything "evil" including accessing
> the internet, running other applications, etc.
>
> He can only login, up/download his own files, run povray (and moray), and use
> kill/top/ps.
2 solutions come to mind:
1/ create a user whose login shell is a program displaying a menu
where the actions are the allowed actions (launching pov, killing its process, ...).
2/ easiest: why don't you use a web interface? It's quite easy to
manage processes, for example in PHP. It can handle downloading by itself.
(I'm working - sssslllooowwwwwllly - on this kind of stuff)
Lolo
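Lolo's first suggestion, as an added example that is not Lolo's code: a whitelisting login shell in POSIX sh that runs only the commands Rafal listed and refuses any line containing shell metacharacters, so the user cannot chain into another program. The ALLOWED list, the pov> prompt and the install name restricted_shell are assumptions.

```shell
#!/bin/sh
# Minimal whitelisting login shell (added example, not Lolo's code).
# Assumed to be installed as /usr/local/bin/restricted_shell and named in
# /etc/passwd as the account's shell; the allowed binaries must be on PATH.

ALLOWED="povray kill top ps ls"   # assumption: what Rafal wanted, plus ls

# Return 0 if the first word is whitelisted and the line holds none of the
# characters sh(1) would use to chain commands: ; & | < > ` $ ( ) and \.
check_command() {
    line=$1
    if printf '%s\n' "$line" | grep -q '[;&|<>`$()\\]'; then
        return 1
    fi
    set -- $line                 # word-split into $1 $2 ...; quotes stay literal
    [ $# -gt 0 ] || return 1     # empty or blank line
    for cmd in $ALLOWED; do
        [ "$1" = "$cmd" ] && return 0
    done
    return 1
}

# Read-run loop: each line is executed directly (never via eval), so the only
# program that can start is the whitelisted first word.
restricted_loop() {
    while printf 'pov> ' && IFS= read -r line; do
        if [ "$line" = exit ] || [ "$line" = logout ]; then
            return 0
        elif check_command "$line"; then
            $line
        else
            echo "command not allowed" >&2
        fi
    done
}

# Start the loop only when invoked as the shell ($0 is restricted_shell or
# -restricted_shell for a login shell), not when sourced for testing.
case $0 in *restricted_shell*) restricted_loop ;; esac
```

Any whitelisted program that can itself spawn a subprocess (an editor with a shell escape, for instance) would bypass the list, which is the same caveat a chroot has about what is copied inside it.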