Search results

  1.

    [Solved] Change root user shell, but only for interactive

    Re: Change root user shell, but only in interactive mode You could try adding the following line to the top of /root/.profile:
    { [ "$0" = '-su' ] || [ "$0" = '-sh' ]; } && [ -x "`which bash`" ] && exec bash -l
    Kevin Barry
  2.

    Securing data with jails

    I've been trying to figure out how to do this for over a year, even without using ZFS. I've decided that it's way too painful to attempt to fully prevent a rogue root process from reading certain data; that would essentially involve locking your system down to a point that you can't effectively...
  3.

    Login prompt changed in 9.3

    pam_unix.so is used in both cases, because /etc/pam.d/system is included by /etc/pam.d/login. Just add authtok_prompt in /etc/pam.d/system. I always comment out pam_self.so, however. As far as the change in default prompt, here is where it happened. Kevin Barry
  4.

    Alternative to su for scripts that need to change users?

    I think the actual cause of the problem is the fork and wait, rather than just doing an execv. The fork code really just sets the process group and terminal control, then waits, and there's really no need to do that unless you want the original @root process to stick around. The GNU version of...
  5.

    Alternative to su for scripts that need to change users?

    If I eliminate tcsetpgrp altogether, I can't kill the process with [Ctrl]+C when su isn't part of a pipe. I therefore modified su so that it calls tcsetpgrp on STDOUT_FILENO rather than STDERR_FILENO, which gives me the expected behavior. But, I like to be able to do things without modifying the...
  6.

    Alternative to su for scripts that need to change users?

    That was just to demonstrate the effect; the output of the su command is used for other things within the script, and the script has separate output. I can't include less, etc. in the su calls. It's more like this:
    #!/usr/bin/env bash
    find /home | su -m ta0kira -c 'script-that-does-something.sh'...
  7.

    Alternative to su for scripts that need to change users?

    I tried to search the forums for this topic, but unfortunately "su" isn't a valid search term. I have a set of scripts that need to run as root, and at times they su to a normal user to execute other commands, e.g., su -m ta0kira -c 'find .' or the like. This is fine in most cases, but I...
  8.

    ssh connections with no authentication attempts

    I've also been getting ssh connections that don't trigger any logging, other than ipfw logging the connection. That's strange, because for that to happen, the client must at least pretend to be ssh; otherwise, I'd get "Did not receive identification string" in /var/log/auth.log. I've managed to...
  9.

    ssh connections with no authentication attempts

    I assumed that for quite a while; however, it doesn't look like they're using passwords. When I give a bad password, or any password when attempting to use an invalid user, I get "error: PAM: authentication error for" in /var/log/auth.log, but when I disconnect before I attempt to authenticate...
  10.

    ssh connections with no authentication attempts

    I have a server running 9.1-RELEASE-p10. Periodically I get what appear to be brute-force attacks, based on /var/log/auth.log entries. There seems to be no attempt to authenticate, however, because I don't have any PAM authentication errors in my system logs. In fact, I don't think I've ever...
  11.

    gcc ports update

    I solved a few problems with this sort of approach, although I had to manually edit the database with pkg shell, because at least one package I have installed lists both lang/gcc and lang/gcc47 as dependencies, which results in a uniqueness violation. There are a few suggestions for how to fix...
  12.

    Moving jails to another system

    You should use -a rather than -R so that timestamps are preserved, otherwise you could have serious problems later on. You should also mtree the jail before and after, then make sure they match. And, of course, copy the appropriate parts of /etc/jail.conf and /etc/rc.conf, taking into account...
  13.

    How to let rpath run as Linux.

    liba directly depends on libb independently of main's dependencies; therefore, the -rpath of liba should let the dynamic linker find libb. In other words, it isn't good form for a program to resolve the locations of its dependencies' dependencies. Kevin Barry
  14.

    Shared memory Linux<>FreeBSD?

    This is probably related to reading or writing less data than was expected. The read and write system calls won't always read/write the exact amount you tell them to. When using either system call directly, you need to assume that it's going to do less than you asked it to and retry until the...
  15.

    Quick Post-Install Guide

    It really depends on what you're trying to get out of it. The things you do after installation will be a lot different if you're running a server, workstation, laptop, or home desktop. You should start by deciding the purpose of the machine and how important the different aspects of security are...
  16.

    Shared memory Linux<>FreeBSD?

    Pipes and sockets are just shared memory that use the file API. If you only need one-way communication, it might be easiest to pipe(2), fork, dup2(2) the output end of the pipe over STDOUT_FILENO, and execvp the program that reads from the camera. The program that reads from the camera would...
  17.

    Replacement for wait_on in 9.1?

    I looked over the MiniDLNA code briefly, and I think you'd need to rewrite the functions in inotify.c with kevent calls. The good news is that the code is already set up to take filesystem changes into account. Kevin Barry
  18.

    sed interpreting slash commands

    I have this problem frequently. If you're using sh or bash, you can have the shell insert the special character with e.g. $'\n' or $'\t'. Unfortunately this is a little awkward if your expression is '-quoted, so you'd need something like sed -E -e 's/:/&'$'\t''/g'. Alternatively, you can use...
  19.

    Replacement for wait_on in 9.1?

    If you know even a little C, kevent is pretty easy to work with. Kevin Barry
  20.

    Hosed system with ldconfig, how to recover?

    But you'd have to copy all of them to your root partition to chroot to it. Just copying sh wouldn't be sufficient. Kevin Barry