/ Markus Amersdorfer:home / university / about:me /
\ Say NO to Software-Patents! \


Miscellaneous Security Related Stuff

Crypto/Security Links

Basic GnuPG

The most important commands on handling keys and de-/encryptions using the "GNU Privacy Guard" (or GnuPG or GPG) can be found here: Basic GnuPG.

Being able to read files despite not being able to change into directory

The following scenario works at least on Debian Sarge, probabely on most *nix-sytems:

A:
  mkdir directory        [0755]
  touch directory/file   [0644]

B:
  ln directory/file ~/my_cracker_file

A:
  chmod 0700 directory
  echo "secret content" > directory/file

B:
  cat ~/my_cracker_file

Samba: Access to shares from clients not in the current domain

To be found here.

DO NOT trust the output of "w" and similar!

If your machine allows SSH-logins, it is possible for users to work on the machine without appearing in "w", "last" and similar:

  ssh username@ssh-server /bin/sh -i
  sh-2.05b$ w|grep username
  sh-2.05b$

The reason is that the user doesn't have a normal interactive shell (according to the SSHD, which just runs one command and then exits again). But: This command is "/bin/sh -i" which does give the user a shell it can work with.
Only /var/log/auth.log mentions, who logged in when.

SSH and X11-forwarding

Why it might be a bad idea to enable X11-forwarding by default is explained in this article: SSH Users beware: The hazards of X11 forwarding.

scp/sftp only

If you want users to be able to use scp/sftp but have no shell access on your server, you have several options:

  1. scponly.
    Debian users: From Sarge on there is the. .deb-package "scponly".
  2. chroot-patch for SSH.
    Debian users: Emmanuel Lacour maintains an unofficial chroot-patched SSH-package. Just add "deb http://debian.home-dn.net/woody ssh/" (and/or "deb-src ..." respectively) to your /etc/apt/sources.list. (04-03-15: There are packages for Sarge now as well, just replace "woody" with "sarge" in the mentioned sources.list entry.)
  3. HOWTO: configuring openssh for chrooted sessions on linux, and run applications from the chroot cage (scp, rsync).
  4. pam_chroot.
    Debian users: From Sarge on there is the .deb-package "libpam-chroot".
  5. nosh.
    The german Linux Magazin (2003/09) mentions the shell "nosh" (short for "Non-Operators Shell"). A Debian package can be found at http://www.gws-online.de/download/woody/. It's no real "chroot" environment, but you can specify which commands can be executed.
    Update -- 04-01-15: The package noshell has entered Debian Sarge. I don't know ('cause I didn't try it yet), but it might be the Debian default for "nosh"!?
  6. Jail Chroot Project.
  7. rssh - Restricted shell allowing only scp and/or sftp.

Anonymous Web-Browsing

Anonym.OS LiveCD, linked to from a German article from derstandard.at.


Valid HTML 4.01! Valid CSS! Created with Vim [Blue Ribbon Campaign icon]
© Markus Amersdorfer (markus<dott>amersdorfer<att>subnet<dott>at)
last modified: 2010-02-23 15:56:50
5089 hits