Fedora Security :: Xinetd And Bash Scripts - No Need For SSL
Jul 14, 2009
I've recently set up a simple service application using xinetd, which runs a bash script to allow users to check for specific events in a log file. The contents of this logfile are not sensitive, so no need for SSL or password protection. Though, my concern about it is the possibility of a malicious request to cause execution of arbitrary code. I've seen similar bash issues discussed briefly a couple times, but never actually seen any solid point of how much of this is a fact, or myth. I've tested some obvious things, like sending tricky characters into the request, but so far it looks ok. So my question here is, considering the following code below, would it be possible for an attacker to exploit it? How safe is it to have this sort of application running as a service?
I installed Subversion and xinetd and added Subversion as a service to xinetd.conf as instructed at http://www.codeandcoffee.com/2007/06...rver-on-linux/
I restarted the xinetd service using /sbin/service. However, Subversion does not end up being listed in /etc/xinetd.d nor does it seem to be running and occupying the port altogether.
I need to launch a bash file in Linux from an unprivileged user session, file that will run bash commands as root. But I do not want to create a user with root privileges to do that.
I've been reading the RUTE Linux book and they recommend the use of xinetd to run services. However, this book is already a bit outdated, and I was wondering whether this still applies to today's circumstances?
I am working with Fedora 9. I need to turn on services such as telnet, ftp, dns, nfs, dhcp etc., but the problem is I don't even find xinetd based services when I am giving this command
Code: #chkconfig --list|more
and some commands are not working for me as well, like
I would like some quick pointers to understanding service-daemon controlling and etc/initd.conf or /etc/xinetd.conf, if you prefer. read, a while back, I should be using...
[bash]# service "srv-dmon" start/stop/status/restart/reload/etc
and to stop using...
[bash]# /etc/init.d/"srv-dmon" start/stop/status/restart/panic/save/etc
I am facing the below problem:
sudo /etc/init.d/xinetd reload
sudo: /etc/init.d/xinetd: command not found.
/etc/init.d/xinetd restart
/etc/init.d/xinetd stop.
I am trying to configure SNMP server using xinetd on red hat. I am using non-standard port for it. My connection to server fails. I see the following log messages in /var/log:
Jan 26 17:23:31 [userid] xinetd[15023]: START: my-snmp pid=15047 from=192.128.11.21
Jan 26 17:23:31 [userid] xinetd[15023]: EXIT: my-snmp status=1 pid=15047 duration=0(sec)
Jan 26 17:23:32 [userid] xinetd[15023]: START: my-snmp pid=15050 from=192.128.11.21
Jan 26 17:23:32 [userid] xinetd[15023]: EXIT: my-snmp status=1 pid=15050 duration=0(sec)
Can anybody help to point out what is wrong in my config?
I recently installed Fedora 13 on VMware 7 environment without X window. sshd did work fine, but when I tried to put it into xinetd, it doesn't work any more. Here is what I have done so far :
I stopped sshd. #service sshd stop
and I configured xinetd.conf like below.
Quote:
#
# This is the master xinetd configuration file. Settings in the
# default section will be inherited by all service configurations
# unless explicitly overridden in the service configuration. See
# xinetd.conf in the man pages for a more detailed explanation of
# these attributes.
[Code]....
I don't know what I did wrong with them. I configured xinetd.conf, and I made service configuration file 'ssh' in /etc/xinetd.d, and I restarted xinetd.
What am I supposed to do to make a life on my sshd within xinetd ?
I have set up a vnc server using the "every imagineable server" thread which sets up VPN using xinetd. I have also installed Beesu and its associated scripts so I can easily open root privileged nautilus windows.
beesu works a treat on the actual display. However whilst vnc'd into the box I get prompted for my root password (which it accepts) but a nautilus window never opens. No errors, it just doesn't open.
Where I redirect the file into the loop, for some reason, I can't do an su when I redirect a file like that. I get the error, "su: must be run from a terminal." Why is this? How can I fix it?
I have two cryptsetup volumes with the same password that I want to open in a bash script, and I want to avoid writing the passphrase twice. I was thinking of using read -s. Are there any security problems with this? The other alternative would be to have a password file on a small partition encrypted with a passphrase. Then only give the passphrase and let the script open up all encrypted volumes using the password file. However this seems overly complicated. But is it more secure?
How to write secure code for bash scripts in general? Strangely I didn't find anything in google and in the forum so far. If someone here is willing to review a bash script for me (about 600 lines).
If I run /usr/bin/foo through xinetd and have /etc/xinetd.d/foo conf file something like:
service foo
{
    port = 3691
    socket_type = stream
    protocol = tcp
    wait = no
    user = www-data
    server = /usr/bin/foo
    server_args = -x
}
Is /usr/bin/foo supposed to be listed in the list of all processes on that machine (ps aux)? I added the conf file, bounced xinetd daemon via /sbin/service, yet foo does not seem to be running. The xinetd doc online seems pretty incomplete.
I am really not very experienced with linux and have only just started working off the command line in windows as well.
I know the basics but I am trying to install R-1 and I was having a lot of difficulties and figured out that it was that xinetd was not running.
So I tried to run it service xinetd start and it said unrecognized service so then I installed xinetd and there was already a xinetd.d directory with all of the processes I needed with the .conf file but so when I run xinetd -d
Code:
My xinetd.conf file looks like this:
Code:
# All service files are stored in the /etc/xinetd.d directory # includedir /etc/xinetd.d # End /etc/xinetd EOF
This is what one of the files in xinetd.d looks like
Code:
I need to get xinetd running so that I can finish installing R-1.
http://www.pastebin.org/47041. pixelserv is a http-daemon which returns a pixel for every http-request. It was originally written in perl [url], but this is a tad too heavy for a small linux device like a DD-WRT router [url].
I was able to compile it and it runs fine standalone, but I want to run it under xinetd using this configuration-file.
Code:
When I do a "wget [url]" from the console of that router it will fail with this in /var/log/messages
Code:
It seems it's incompatible with xinetd, but I lack the knowledge and experience to modify this. A whole community will be grateful if someone is able to make this runnable under xinetd.
I have an Ubuntu 10.04 machine at home and apache set up on it (files are located in a Truecrypt volume). The reason for the web server being that I wanted to access my files wherever I'm at (i.e. hotel, work, hotspots, etc...). So far, it's worked out great for me seeing as I can http download my files (or stream media files). However, I am often on a public hotspot and I know it's a matter of time before someone finds the webserver on my computer. I have the machine firewalled and password protected (via .htaccess), but either way I don't want people looking in on my computer.
The problem: I have used Truecrypt for a long time and completely trust using the program to encrypt/unencrypt a volume container to store my files. Usually, I would remote desktop into my computer and mount/unmount the volume when I needed it. However, after time it gets really annoying to do this. So I eventually figured out how to set up a bash script to automatically do this for me (which I put on the usb part of my phone). What I wanted to do was to be able to send the bash script to my Ubuntu machine (via ftp from my phone) and have Ubuntu automatically run the script. Is this possible? What programs do I need on Ubuntu?
I was thinking about using something like cron, but that is for scheduled times. I don't really have a set time in which I need my files, it's pretty sporadic depending on how much I travel. Thus the need for being able to remotely mount the volume when I need it.
Summary: I need a way for Ubuntu to read a folder every minute or so to check for bash scripts to run. I want to be able to send the bash script via ftp from my phone, have Ubuntu run the script, then delete itself (so as to not store the password). I already know the script in which to mount the Truecrypt volume and how to send the file via ftp from my phone. It's really a matter of what program to use in Ubuntu to find and run the script.
I have a small stats program that I am using to get some sys stats. I am trying to launch this program on a particular port, using the xinetd system daemon. Here is what I am doing ...
I've already installed centos 5.5 and checked the xinetd services using the command : service xinetd status and the reply is xinetd: unrecognized service.
I want to jail Skype into its own process and not the one I login with. That way, if a hacker breaks in, it's limited to this process and only the limited functionality that that user account has. The thing is this -- thousands of Linux guys run Skype, but Skype is hardly ever updated or have security patches, and we run it all the time. It seems like an easy avenue for an exploit. As well, my iptables firewall blocks input connections that I have not established, but Skype is an established connection. How do I create a Bash script that launches Skype under a separate user account?
I am trying to run svnserve on startup on an Ubuntu Server 10.04 machine using xinetd.
My repositories are at /home/svn, so the directory should be the same as in the example. Following the example, the owner should be www-data, I assume. (Is that right?) I've also tried the admin user account as the svnowner (the one used to set the svnserver up).
I've never done any shell scripting, so I tried xinetd instead of using the startup script. But if I don't get any feedback for using xinetd that will be my next course of option.
to the /etc/inetd.conf file, replacing svnowner and /home/svn to the appropriate values (although I'm not 100% sure what those should be). I assume since I did a chown on the repo to www-data that www-data is the owner I need to put in that line, but it doesn't work.
I want to look into disabling things like chargen, chargen-udp, daytime, daytime-udp, echo etc... I have found a manual at:which points me towards the xinetd.conf file. I can't seem to find it, I'm using ubuntu 8.10 LTS. Should I be looking elsewhere?
But then, as I have read is a better option, I use xinetd with the following configuration:
Code:
service vnc-1024x768x16
{
protocol = tcp
socket_type = stream
wait = no
[Code].....
In fact, I was considering that the problem was with xinetd, but I have other services set up with it (telnet & ftp for example) and I can use them correctly.
So now I'm lost with this, what else am I not considering with VNC service through xinetd? Where can I find logs or useful information to get a clue about these problems?