gnubies-il · technical support for linux beginners

#635 From: Nigel Ridley <ridley_n@...>
Date: Fri Mar 1, 2002 8:46 pm
Subject: KDE, Galeon & Hebrew
ridley_n@...
 
Why can I type Hebrew into forms/boxes in Galeon but not using any text
editor or word processor in KDE? - I just get lots of ???????????? instead
of Hebrew letters (I have a Hebrew keyboard and have configured KDE
[2.2.2] to use it - switching between the US and Israeli flags on the
right of the KDE panel). Will KDE 3 support Hebrew better?
I really would like to be able to encourage others on my kibbutz to try
Linux but without real support for Hebrew it's difficult.

Nigel.
Kibbutz Ramat Hakovesh

#636 From: Tzafrir Cohen <tzafrir@...>
Date: Fri Mar 1, 2002 9:02 pm
Subject: Re: KDE, Galeon & Hebrew
ctzafrir
 
On Fri, 1 Mar 2002, Nigel Ridley wrote:

> Why can I type Hebrew into forms/boxes in Galeon but not using any text
> editor or word processor in KDE? - I just get lots of ???????????? instead
> of Hebrew letters (I have a Hebrew keyboard and have configured KDE
> [2.2.2] to use it - switching between the US and Israeli flags on the
> right of the KDE panel). Will KDE 3 support Hebrew better?

Do you have the same problem with mozilla?

What versions of Galeon and of Mozilla do you have?

Older versions of mozilla (<= 0.9.1 IIRC) had a similar problem. I'm not
sure if it should have affected galeon. I believe that forms and such are
not handled by gecko (the part of mozilla that galeon uses: the HTML
renderer)

This also may be an issue of keyboard mapping that is layers that are
lower than KDE. See:

   http://www.iglu.org.il/faq/cache/85.html

(the test with xev)

--
Tzafrir Cohen
mailto:tzafrir@...
http://www.technion.ac.il/~tzafrir

#637 From: Nigel Ridley <ridley_n@...>
Date: Sat Mar 2, 2002 5:09 am
Subject: Re: KDE, Galeon & Hebrew
ridley_n@...
 
On Fri, 1 Mar 2002 23:02:14 +0200 (IST)
Tzafrir Cohen <tzafrir@...> wrote:

> On Fri, 1 Mar 2002, Nigel Ridley wrote:
>
> > Why can I type Hebrew into forms/boxes in Galeon but not using any text
> > editor or word processor in KDE? - I just get lots of ???????????? instead
> > of Hebrew letters (I have a Hebrew keyboard and have configured KDE
> > [2.2.2] to use it - switching between the US and Israeli flags on the
> > right of the KDE panel). Will KDE 3 support Hebrew better?
>
> Do you have the same problem with mozilla?
>
> What versions of Galeon and of Mozilla do you have?
>
> Older versions of mozilla (<= 0.9.1 IIRC) had a similar problem. I'm not
> sure if it should have affected galeon. I believe that forms and such are
> not handled by gecko (the part of mozilla that galeon uses: the HTML
> renderer)
>
> This also may be an issue of keyboard mapping that is layers that are
> lower than KDE. See:
>
>   http://www.iglu.org.il/faq/cache/85.html
>
> (the test with xev)
>
> --
> Tzafrir Cohen
> mailto:tzafrir@...
> http://www.technion.ac.il/~tzafrir
>


Sorry, perhaps I should have been clearer:
Now that I can type Hebrew into Galeon (I'm not sure about Mozilla - and
it doesn't really matter for me), I want to be able to type Hebrew into a
text editor such as Kate or KWord but I just get the ?????????????
every time. The question is "how come it works in Galeon but not in Kate or
KWord?"

> This also may be an issue of keyboard mapping that is layers that are
> lower than KDE. See:
>
>   http://www.iglu.org.il/faq/cache/85.html
>
> (the test with xev)

I read the above before I wrote to the list but if I can type Hebrew OK
into Galeon then the keyboard mapping is OK - no?

I am running Mandrake 8.1 with Galeon 1.0.2 - Mozilla/5.0 (X11; U; Linux
i686; en-US; rv:0.9.7) Gecko/20011221

Nigel

#638 From: Gil Elad <gilelad@...>
Date: Sat Mar 2, 2002 10:00 am
Subject: Re: KDE, Galeon & Hebrew
gilelad@...
 
look at  http://iglu.org.il/faq/cache/143.html

Gil Elad

Nigel Ridley wrote:
> Why can I type Hebrew into forms/boxes in Galeon but not using any text
> editor or word processor in KDE? - I just get lots of ???????????? instead
> of Hebrew letters (I have a Hebrew keyboard and have configured KDE
> [2.2.2] to use it - switching between the US and Israeli flags on the
> right of the KDE panel). Will KDE 3 support Hebrew better?
> I really would like to be able to encourage others on my kibbutz to try
> Linux but without real support for Hebrew it's difficult.
>
> Nigel.
> Kibbutz Ramat Hakovesh

#639 From: Nigel Ridley <ridley_n@...>
Date: Sat Mar 2, 2002 12:03 pm
Subject: Re: KDE, Galeon & Hebrew
ridley_n@...
 
On Sat, 02 Mar 2002 12:00:29 +0200
Gil Elad <gilelad@...> wrote:

> look at  http://iglu.org.il/faq/cache/143.html
>
> Gil Elad
>
> Nigel Ridley wrote:
> > Why can I type Hebrew into forms/boxes in Galeon but not using any text
> > editor or word processor in KDE? - I just get lots of ???????????? instead
> > of Hebrew letters (I have a Hebrew keyboard and have configured KDE
> > [2.2.2] to use it - switching between the US and Israeli flags on the
> > right of the KDE panel). Will KDE 3 support Hebrew better?
> > I really would like to be able to encourage others on my kibbutz to try
> > Linux but without real support for Hebrew it's difficult.
> >
> > Nigel.
> > Kibbutz Ramat Hakovesh

Thanks, I now understand that it is best to upgrade to QT version 2.3

Nigel.

#640 From: Nigel Ridley <ridley_n@...>
Date: Sat Mar 2, 2002 4:33 pm
Subject: Re: KDE, Galeon & Hebrew
ridley_n@...
 
On Sat, 02 Mar 2002 12:00:29 +0200
Gil Elad <gilelad@...> wrote:

> look at  http://iglu.org.il/faq/cache/143.html
>
> Gil Elad
>
> Nigel Ridley wrote:
> > Why can I type Hebrew into forms/boxes in Galeon but not using any text
> > editor or word processor in KDE? - I just get lots of ???????????? instead
> > of Hebrew letters (I have a Hebrew keyboard and have configured KDE
> > [2.2.2] to use it - switching between the US and Israeli flags on the
> > right of the KDE panel). Will KDE 3 support Hebrew better?
> > I really would like to be able to encourage others on my kibbutz to try
> > Linux but without real support for Hebrew it's difficult.
> >
> > Nigel.
> > Kibbutz Ramat Hakovesh

OK. I already have QT 2.3.1 and still have ????? when I try to type
Hebrew. I changed to ISO-8859-8, through KDE's *Control
Center*>Personalization>Country & Language, but it messed up the fonts and
when I logged out and then back in again I kept getting the KDE crash
window with the following:

(no debugging symbols found)...[New Thread 1024 (LWP 2241)]
0x40e3a4f9 in wait4 () from /lib/libc.so.6
#0  0x40e3a4f9 in wait4 () from /lib/libc.so.6
#1  0x40eb8098 in __check_rhosts_file () from /lib/libc.so.6
#2  0x405f3c6e in KCrash::defaultCrashHandler () from /usr/lib/libkdecore.so.3
#3  0x40d4b847 in _IO_2_1_stderr_ () from /usr/lib/libstdc++-libc6.2-2.so.3

I also couldn't get back into *Control Center*>Personalization>Country &
Language as it crashed every time that I clicked on the *Country &
Language* section. I eventually edited my
/home/nigel/.kde/share/config/kdeglobals file and managed to get it back
to (nearly) the way it was - the fonts on the KDE Panel are, I think, AD
Mono, and horrible! I have yet to figure out how to change them :-(

Anyway, if someone could post a copy of (the relevant part of)
.kde/share/config/kdeglobals file it would help me to get Hebrew working
properly. Here is mine:

[Locale]
Charset=iso8859-1
Country=il
Language=C

[PanelIcons]
Size=16

[Paths]
Trash=/home/nigel/Desktop/Trash/

[WM]
activeFont=helvetica,12,5,0,75,0
activeFontCharset=default

I did try Language=he but it didn't seem to change anything.

Nigel.

#641 From: Tzafrir Cohen <tzafrir@...>
Date: Sat Mar 2, 2002 5:01 pm
Subject: Re: KDE, Galeon & Hebrew
ctzafrir
 
On Sat, 2 Mar 2002, Nigel Ridley wrote:

> On Sat, 02 Mar 2002 12:00:29 +0200
> Gil Elad <gilelad@...> wrote:
>
> > look at http://iglu.org.il/faq/cache/143.html
> >
> > Gil Elad
> >
> > Nigel Ridley wrote:
> > > Why can I type Hebrew into forms/boxes in Galeon but not using any text
> > > editor or word processor in KDE? - I just get lots of ???????????? instead
> > > of Hebrew letters (I have a Hebrew keyboard and have configured KDE
> > > [2.2.2] to use it - switching between the US and Israeli flags on the
> > > right of the KDE panel). Will KDE 3 support Hebrew better?
> > > I really would like to be able to encourage others on my kibbutz to try
> > > Linux but without real support for Hebrew it's difficult.
> > >
> > > Nigel.
> > > Kibbutz Ramat Hakovesh
>
> OK. I already have QT 2.3.1 and still have ????? when I try to type
> Hebrew. I changed to ISO-8859-8, through KDE's *Control

Change this to ISO-10646-1

If you can't locate the control interface, try editing
.kde/share/config/.kdeglobals

What I currently have, but I don't use KDE on this machine:

   [Locale]
   Charset=iso10646-1
   Country=il
   Language=C

(I believe I set Language="C" either to have translation set from the
environment LC settings or not to use translation at all. Those would give
a different effect in my case)

> Center*>Personalization>Country & Language, but it messed up the fonts and
> when I logged out and then back in again I kept getting the KDE crash
> window with the following:

Expected. Is this not in the FAQ, BTW?

>
> [WM]
> activeFont=helvetica,12,5,0,75,0
> activeFontCharset=default

Actually, there are "Font" options spread all over that directory, but the
global fonts setting are saved in $HOME/.kderc

The following is from the .kderc of the same computer. It is set to give
fonts that are available generally anywhere (assuming you have a fairly
recent XFree):

[General]
StandardFont=fixed,12,5,22,0,0
activeFont=fixed,14,5,22,50,0
fixed=fixed,12,5,22,2,0
font=fixed,13,5,22,0,0
menuFont=fixed,13,5,22,0,0
toolBarFont=fixed,13,5,22,0,0

I figure you should use Arial for everything except the fixed font, and
Courier New for the fixed font. I believe that '22' in the line above
means 'iso-10646-1' in some internal QT or KDE enumeration. But I never
checked this.

>
> I did try Language=he but it didn't seem to change anything.

--
Tzafrir Cohen
mailto:tzafrir@...
http://www.technion.ac.il/~tzafrir

#642 From: Nigel Ridley <ridley_n@...>
Date: Sat Mar 2, 2002 6:19 pm
Subject: Re: KDE, Galeon & Hebrew
ridley_n@...
 
On Sat, 2 Mar 2002 19:01:49 +0200 (IST)
Tzafrir Cohen <tzafrir@...> wrote:

> On Sat, 2 Mar 2002, Nigel Ridley wrote:
>
> > On Sat, 02 Mar 2002 12:00:29 +0200
> > Gil Elad <gilelad@...> wrote:
> >
> > > look at http://iglu.org.il/faq/cache/143.html
> > >
> > > Gil Elad
> > >
> > > Nigel Ridley wrote:
> > > > Why can I type Hebrew into forms/boxes in Galeon but not using any text
> > > > editor or word processor in KDE? - I just get lots of ???????????? instead
> > > > of Hebrew letters (I have a Hebrew keyboard and have configured KDE
> > > > [2.2.2] to use it - switching between the US and Israeli flags on the
> > > > right of the KDE panel). Will KDE 3 support Hebrew better?
> > > > I really would like to be able to encourage others on my kibbutz to try
> > > > Linux but without real support for Hebrew it's difficult.
> > > >
> > > > Nigel.
> > > > Kibbutz Ramat Hakovesh
> >
> > OK. I already have QT 2.3.1 and still have ????? when I try to type
> > Hebrew. I changed to ISO-8859-8, through KDE's *Control
>
> Change this to ISO-10646-1
>
> If you can't locate the control interface, try editing
> .kde/share/config/.kdeglobals
>
> What I currently have, but I don't use KDE on this machine:
>
>   [Locale]
>   Charset=iso10646-1
>   Country=il
>   Language=C
>
> (I believe I set Language="C" either to have translation set from the
> environment LC settings or not to use translation at all. Those would give
> a different effect in my case)
>
> > Center*>Personalization>Country & Language, but it messed up the fonts and
> > when I logged out and then back in again I kept getting the KDE crash
> > window with the following:
>
> Expected. Is this not in the FAQ, BTW?
>
> >
> > [WM]
> > activeFont=helvetica,12,5,0,75,0
> > activeFontCharset=default
>
> Actually, there are "Font" options spread all over that directory, but the
> global fonts setting are saved in $HOME/.kderc
>
> The following is from the .kderc of the same computer. It is set to give
> fonts that are available generally anywhere (assuming you have a fairly
> recent XFree):
>
> [General]
> StandardFont=fixed,12,5,22,0,0
> activeFont=fixed,14,5,22,50,0
> fixed=fixed,12,5,22,2,0
> font=fixed,13,5,22,0,0
> menuFont=fixed,13,5,22,0,0
> toolBarFont=fixed,13,5,22,0,0
>
> I figure you should use Arial for everything except the fixed font, and
> Courier New for the fixed font. I believe that '22' in the line above
> means 'iso-10646-1' in some internal QT or KDE enumeration. But I never
> checked this.
>
> >
> > I did try Language=he but it didn't seem to change anything.
>
> --
> Tzafrir Cohen
> mailto:tzafrir@...
> http://www.technion.ac.il/~tzafrir

I tried what you suggested with the iso-10646-1 but I don't have Arial
fonts and the ISO-8859-8, along with all the Hebrew fonts, has disappeared
from the font list under KDE's Control Center!? Now I don't have Hebrew
typing ability in Galeon anymore - nothing - not even gibberish. I'll keep
trying though ..........

Nigel.

#643 From: Tzafrir Cohen <tzafrir@...>
Date: Sat Mar 2, 2002 6:41 pm
Subject: Re: KDE, Galeon & Hebrew
ctzafrir
 
On Sat, 2 Mar 2002, Nigel Ridley wrote:

> I tried what you suggested with the iso-10646-1 but I don't have Arial
> fonts and the ISO-8859-8, along with all the Hebrew fonts, has disappeared
> from the font list under KDE's Control Center!? Now I don't have Hebrew
> typing ability in Galeon anymore - nothing - not even gibberish. I'll keep
> trying though ..........

You should have misc-fixed of charsets iso-8859-8 and iso-10646-1 . It is
generally readable enough (At least if you don't try to resize it, and
stick to the point sizes of 12 or 13)

Under KDE you should generally use iso-10646-1 .

You should separate keyboard mapping from fonts. Those are two separate
issues.

Note that galeon shares almost no configuration with KDE.

I would also recommend not to use kxkb, as it is badly designed (and thus
its keyboard switching may be slow) and use standard Xkb switching (as
recommended in the IGLU FAQ).

--
Tzafrir Cohen
mailto:tzafrir@...
http://www.technion.ac.il/~tzafrir

#644 From: "Amir Abiri" <amir@...>
Date: Sat Mar 2, 2002 8:26 pm
Subject: Installing RPM recursivly through dependencies
amir@...
 
I kinda told it all in the subject line...
 
I'm tired of doing "rpm -i <some package>", copypasting the dependencies failure lines and issuing a new rpm -i command... I especially hate it when you do that from the RPMS directory on the CD, for something that you simply didn't install in the beginning, yet all the files for it are right here in the working directory...

I'm assuming that such a tool exists, after all how does anaconda do it when it installs linux on your machine ? So where is it ? i spent the better part of this saturday trying to find it and came out with nothing.

( Yes, i can write a simple perl script that will address the problem 70% of the time. And that would be a lot of fun too. But i need such a tool to save time... )
 
--
"God is a programmer".

#645 From: Tzafrir Cohen <tzafrir@...>
Date: Sat Mar 2, 2002 8:55 pm
Subject: Re: Installing RPM recursivly through dependencies
ctzafrir
 
On Sat, 2 Mar 2002, Amir Abiri wrote:

> I kinda told it all in the subject line...
>
> I'm tired of doing "rpm -i <some package>", copypasting the
> dependencies failure lines and issuing a new rpm -i command... I
> especially hate it when you do that from the RPMS directory on the CD,
> for something that you simply didn't install in the beginning, yet all
> the files for it are right here in the working directory...

A number of similar tools:

* rpmfind
(available from rpmfind.net). Useful mainly for installing.
Probably not very useful for updating and removing.

* urpmi
Mandrake uses a tool called urpmi as a framework on top of RPM. urpmi has
most of what you expect, but is still not mature enough (last time I
tried. There are reports of great improvements on the 8.2 beta. I'm not
sure what they mean. I don't know if they finally have an equivalent to
apt-get upgrade)

* apt
Originally a framework by debian on top of their deb package format. It
was ported to RPM by the linux distribution conectiva. I think that you
can find some useful information on freshrpms.net

Note that this is not only a matter of a good tool and/or format. It is
actually more about keeping a consistent repository: all packages have to
agree on certain things and work together. Otherwise things like automatic
updates will run into troubles no matter how smart you build your tool to
be.

--
Tzafrir Cohen
mailto:tzafrir@...
http://www.technion.ac.il/~tzafrir

#646 From: Idan Dolev <IDolev@...>
Date: Sun Mar 3, 2002 12:04 pm
Subject: partitioning in linux
idandolev
 
Hi,

I am trying to divide my hard disk so I will have 3 main partitions for
win2k, redhat 7.2 and redhat 6.2.
So I am trying to divide my partitioning for my 7.2 so I divide about 5
logical, and then I want to start defining my 6.2 using logical and I get the
error no free sectors available.
what to do if I want to prepare the partitioning for those 3 os ?


Best regards,

Idan Dolev

#647 From: Idan Dolev <IDolev@...>
Date: Sun Mar 3, 2002 1:36 pm
Subject: redhat 6.2
idandolev
 
Do you know where can I find in the net 6.2 i386 iso file ?

Best regards,

Idan Dolev

#648 From: amir@...
Date: Sun Mar 3, 2002 2:53 pm
Subject: iptables as non-root user
amir@...
 
Does anyone know how i can let my apache run iptables ? i have tried to suid a
little shell script for that purpose, but that doesn't work. Seems like iptables
makes its own double-check that you really are root.

Does anyone have any idea ?

#649 From: mulix <mulix@...>
Date: Sun Mar 3, 2002 1:54 pm
Subject: Re: iptables as non-root user
muxtux
 
On Sun, Mar 03, 2002 at 02:53:24PM -0000, amir@... wrote:
> Does anyone know how i can let my apache run iptables ? i have tried
> to suid a little shell script for that purpose, but that doesn't
> work. Seems like iptables makes it's own double-check that you really
> are root.
>
> Does anyone have any idea ?

suid bit or sudo. if it didn't work, you didn't do it correctly (an
suid script is equivalent to being run by root).
OR
ask yourself why do you need this and come up with a better design.

#650 From: "Sagi Bashari" <sagi@...>
Date: Sun Mar 3, 2002 2:01 pm
Subject: Re: redhat 6.2
sagi@...
 
ftp://mirror.hiwaay.net/redhat/redhat/linux/6.2/en/iso/i386/zoot-i386.iso

You can find the full mirrors list at
http://www.redhat.com/download/mirror.html

Sagi

----- Original Message -----
From: "Idan Dolev" <IDolev@...>


> Do you know where can I find in the net 6.2 i386 iso file ?
>
> Best regards,
>
> Idan Dolev

#651 From: amir@...
Date: Sun Mar 3, 2002 3:32 pm
Subject: Re: iptables as non-root user
amir@...
 
i have a shell script:
-rwsr-xr--    1 root     apache         96 Mar  3 13:54 access

This shell script can be run by the user i want (apache) and it has its suid
bit set.
From what i read this means that it should be run as root. unless there is more
to it ? if so what ?

I get this error message from iptables:
iptables v1.2.2: can't initialize iptables table `filter': Permission denied
(you must be root)

I also tried suiding the iptables.

If i run something that has the suid bit on, does that mean that a process is
created owned by that user ? or that a process is created with the user that
ran it but with some environment variables changed ?

#652 From: "Sagi Bashari" <sagi@...>
Date: Sun Mar 3, 2002 2:47 pm
Subject: Re: iptables as non-root user
sagi@...
 
Hi

I don't think that having SUID bit on the script is enough.

You need to use the setuid() function to switch UID.

I'm not sure that you can do that in normal shell script, but it shouldn't
be hard to write a small C program that will run setuid() and then run the
script.

Sagi

----- Original Message -----
From: <amir@...>


> i have a shell script:
> -rwsr-xr--    1 root     apache         96 Mar  3 13:54 access
>
> This shell script can be run by the user i want (apache) and it has its
> suid bit set.
> From what i read this means that it should be run as root. unless there is
> more to it ? if so what ?
>
> I get this error message from iptables:
> iptables v1.2.2: can't initialize iptables table `filter': Permission
> denied (you must be root)
>
> I also tried suiding the iptables.
>
> If i run something that has the suid bit on, does that mean that a process
> is created owned by that user ? or that a process is created with the user
> that ran it but with some environment variables changed ?
>

#653 From: Tzafrir Cohen <tzafrir@...>
Date: Sun Mar 3, 2002 3:06 pm
Subject: Re: iptables as non-root user
ctzafrir
 
On 3 Mar 2002 amir@... wrote:

> i have a shell script:
> -rwsr-xr--  1 root     apache         96 Mar  3 13:54 access
>
> This shell script can be run by the user i want (apache) and it has
> its suid bit set.
> From what i read this means that it should be run as root. unless there
> is more to it ? if so what ?
>
> I get this error message from iptables:
> iptables v1.2.2: can't initialize iptables table `filter': Permission denied
> (you must be root)
>
> I also tried suiding the iptables.

Warning: I'm sure you are aware of the danger of this.

If you make a SUID program (e.g: shell script), you should take the time
to make it as much "fail-proof" as possible: when it fails - it should fail
the "right" way and not harm security.

For instance: what may happen if some users stop such a script in the
middle, or run several such scripts together? Does the program accept any
user input? If so: how much validation is done to that input?

>
> If i run something that has the suid bit on, does that mean that a
> process is created owned by that user ? or that a process is created with
> the user that ran it but with some environment variables changed ?

Almost: each process has actually two user IDs: the real UID and the
effective UID.

su changes the effective UID (and effective group ID).
See su(1) and setuid(8)

--
Tzafrir Cohen                        /"\
mailto:tzafrir@...        \ /  ASCII Ribbon Campaign
Taub 229, 972-4-829-3942,             X   Against  HTML  Mail
http://www.technion.ac.il/~tzafrir   / \

#654 From: Idan Dolev <IDolev@...>
Date: Mon Mar 4, 2002 8:50 am
Subject: redhat cd with kernel 2.2.18
idandolev
 
Do you know if there is an option of getting a cd of redhat with 2.2.18
kernel

Best regards,

Idan Dolev

#655 From: Shlomi Fish <shlomif@...>
Date: Mon Mar 4, 2002 11:39 am
Subject: Re: iptables as non-root user
shlomif@...
 
On 3 Mar 2002 amir@... wrote:

> Does anyone know how i can let my apache run iptables ? i have tried to
> suid a little shell script for that purpose, but that doesn't work.
> Seems like iptables makes it's own double-check that you really are
> root.
>

Maybe a better design would be to write a server that is to be run as root
that will run iptables for you, and communicate with this server thru a
CGI script using a set of named pipe or a unix-domain socket with
permissions that are restrictive enough. We pulled a similar stunt in the
IP-Noise project, and it worked beautifully.

Regards,

	 Shlomi Fish

> Does anyone have any idea ?



----------------------------------------------------------------------
Shlomi Fish        shlomif@...
Home Page:         http://t2.technion.ac.il/~shlomif/
Home E-mail:       shlomif@...

"Let's suppose you have a table with 2^n cups..."
"Wait a second - is n a natural number?"

#656 From: "Amir Abiri" <amir@...>
Date: Tue Mar 5, 2002 11:59 am
Subject: Re: iptables as non-root user
amir@...
 
> > Does anyone know how i can let my apache run iptables ? i have tried to
> > suid a little shell script for that purpose, but that doesn't work.
> > Seems like iptables makes it's own double-check that you really are
> > root.
> >
> > Does anyone have any idea ?
>
> Maybe a better design would be to write a server that is to be run as root
> that will run iptables for you, and communicate with this server thru a
> CGI script using a set of named pipe or a unix-domain socket with
> permissions that are restrictive enough. We pulled a similar stunt in the
> IP-Noise project, and it worked beutifully.

Thanks, but that's way too much work for a very simple problem. :)
Anyway i solved it: "/usr/bin/suidperl".
Good old perl, where would we be without it ?

--
"God is a programmer".

#657 From: mulix <mulix@...>
Date: Tue Mar 5, 2002 7:30 pm
Subject: Re: iptables as non-root user
muxtux
 
On Tue, Mar 05, 2002 at 01:59:27PM +0200, Amir Abiri wrote:
> > > Does anyone know how i can let my apache run iptables ? i have tried to
> > > suid a little shell script for that purpose, but that doesn't work.
> > > Seems like iptables makes it's own double-check that you really are
> > > root.
> > >
> > > Does anyone have any idea ?
> >
> > Maybe a better design would be to write a server that is to be run as root
> > that will run iptables for you, and communicate with this server thru a
> > CGI script using a set of named pipe or a unix-domain socket with
> > permissions that are restrictive enough. We pulled a similar stunt in the
> > IP-Noise project, and it worked beutifully.
>
> Thanks, but thats way too much work for a very simple problem. :)
> Anyway i solved it: "/usr/bin/suidperl".
> Good old perl, where would we be without it ?

probably in the same place you are with it, with a metric ton of
security holes just waiting to be exploited...

[ask yourself this: is user input passed *at all* to the suidperl
binary? if it is, my condolences. if not, what's the point?]
--
The ill-formed Orange
Fails to satisfy the eye:       http://vipe.technion.ac.il/~mulix/
Segmentation fault.  http://syscalltrack.sf.net/

#658 From: Diego Iastrubni <iastrubn@...>
Date: Tue Mar 5, 2002 8:37 pm
Subject: Re: iptables as non-root user
iastrubn@...
 
On Sunday 03 March 2002 17:06, Tzafrir Cohen wrote:

> If you make a SUID program (e.g: shell script), you should take the time
> to make it as much "fail-proof" as possible: when it fails - it should fail
> the "right" way and not harm security.
so you are trying to SUID (root) a script?
From what I recall, that is not possible, since the kernel ignores that bit on
scripts, for security reasons. I tried to find where it is written without
success.
  - diego


--
It is not every question that deserves an answer.
		 -- Publilius Syrus

#659 From: "Amir Abiri" <amir@...>
Date: Tue Mar 5, 2002 9:14 pm
Subject: insmod question
amir@...
 
# insmod ipchains
Using /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ipchains.o
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ipchains.o: init_module:
Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including
invalid IO or IRQ parameters

How do i debug this ?
--
"God is a programmer".

#660 From: Shlomi Fish <shlomif@...>
Date: Wed Mar 6, 2002 8:52 am
Subject: Re: iptables as non-root user
shlomif@...
 
On Tue, 5 Mar 2002, mulix wrote:

> On Tue, Mar 05, 2002 at 01:59:27PM +0200, Amir Abiri wrote:
> > > > Does anyone know how i can let my apache run iptables ? i have tried to
> > > > suid a little shell script for that purpose, but that doesn't work.
> > > > Seems like iptables makes it's own double-check that you really are
> > > > root.
> > > >
> > > > Does anyone have any idea ?
> > >
> > > Maybe a better design would be to write a server that is to be run as root
> > > that will run iptables for you, and communicate with this server thru a
> > > CGI script using a set of named pipe or a unix-domain socket with
> > > permissions that are restrictive enough. We pulled a similar stunt in the
> > > IP-Noise project, and it worked beutifully.
> >
> > Thanks, but thats way too much work for a very simple problem. :)
> > Anyway i solved it: "/usr/bin/suidperl".
> > Good old perl, where would we be without it ?
>
> probably in the same place you are with it, with a metric ton of
> security holes just waiting to be exploited...
>
> [ask yourself this: is user input passed *at all* to the suidperl
> binary? if it is, my condolences. if not, what's the point?]

A little less rude remark: make sure this script is well-protected
(preferably using https), and that it does only what it is allowed to do,
and that you check and double check any input for possible exploits.

Avoiding SUID programs and scripts altogether is not a very wise idea. There
are many such utilities on a common Linux installation, but they all
follow the guidelines I described. (albeit not successfully all the time,
since they may contain bugs)

Regards,

	 Shlomi Fish

> --
> The ill-formed Orange
> Fails to satisfy the eye:       http://vipe.technion.ac.il/~mulix/
> Segmentation fault.  http://syscalltrack.sf.net/



----------------------------------------------------------------------
Shlomi Fish        shlomif@...
Home Page:         http://t2.technion.ac.il/~shlomif/
Home E-mail:       shlomif@...

"Let's suppose you have a table with 2^n cups..."
"Wait a second - is n a natural number?"

#661 From: mulix <mulix@...>
Date: Wed Mar 6, 2002 9:11 am
Subject: Re: iptables as non-root user
muxtux
 
On Wed, Mar 06, 2002 at 10:52:05AM +0200, Shlomi Fish wrote:
> On Tue, 5 Mar 2002, mulix wrote:
>
> > On Tue, Mar 05, 2002 at 01:59:27PM +0200, Amir Abiri wrote:
> > > > > Does anyone know how i can let my apache run iptables ? i have tried to
> > > > > suid a little shell script for that purpose, but that doesn't work.
> > > > > Seems like iptables makes its own double-check that you really are
> > > > > root.
> > > > >
> > > > > Does anyone have any idea ?
> > > >
> > > > Maybe a better design would be to write a server that is to be run as root
> > > > that will run iptables for you, and communicate with this server thru a
> > > > CGI script using a set of named pipe or a unix-domain socket with
> > > > permissions that are restrictive enough. We pulled a similar stunt in the
> > > > IP-Noise project, and it worked beautifully.
> > >
> > > Thanks, but thats way too much work for a very simple problem. :)
> > > Anyway i solved it: "/usr/bin/suidperl".
> > > Good old perl, where would we be without it ?
> >
> > probably in the same place you are with it, with a metric ton of
> > security holes just waiting to be exploited...
> >
> > [ask yourself this: is user input passed *at all* to the suidperl
> > binary? if it is, my condolences. if not, what's the point?]
>
> A little less rude remark: make sure this script is well-protected

sometimes, rudeness serves a purpose, such as driving a point home.

> (preferably using https), and that it does only what it is allowed to do,
> and that you check and double check any input for possible exploits.

amir: do a short search on bugtraq for cgi exploits. compile a list of
likely offenders (user input not quoted properly, user input not
sanitized properly) and check how many of those your script is
vulnerable to. if you want help, send me the url and the script in
private.

> Avoiding SUID programs and scripts altogether is not a very wise idea. There
> are many such utilities on a common Linux installation, but they all
> follow the guidelines I described. (albeit not successfully all the time,
> since they may contain bugs)

suid is bad, unless absolutely necessary. sudo is better. perhaps
amir would like to describe why apache (running on behalf of some
user, obviously) needs to execute iptables at all?
--
The ill-formed Orange
Fails to satisfy the eye:       http://vipe.technion.ac.il/~mulix/
Segmentation fault.  http://syscalltrack.sf.net/

#662 From: Shlomi Fish <shlomif@...>
Date: Wed Mar 6, 2002 1:00 pm
Subject: Re: iptables as non-root user
shlomif@...
 
On Wed, 6 Mar 2002, mulix wrote:

> On Wed, Mar 06, 2002 at 10:52:05AM +0200, Shlomi Fish wrote:
> > On Tue, 5 Mar 2002, mulix wrote:
> >
> > > On Tue, Mar 05, 2002 at 01:59:27PM +0200, Amir Abiri wrote:
> > > > > > Does anyone know how i can let my apache run iptables ? i have
> > > > > > tried to suid a little shell script for that purpose, but that
> > > > > > doesn't work. Seems like iptables makes its own double-check that
> > > > > > you really are root.
> > > > > >
> > > > > > Does anyone have any idea ?
> > > > >
> > > > > Maybe a better design would be to write a server that is to be run
> > > > > as root that will run iptables for you, and communicate with this
> > > > > server thru a CGI script using a set of named pipes or a unix-domain
> > > > > socket with permissions that are restrictive enough. We pulled a
> > > > > similar stunt in the IP-Noise project, and it worked beautifully.
> > > >
> > > > Thanks, but that's way too much work for a very simple problem. :)
> > > > Anyway i solved it: "/usr/bin/suidperl".
> > > > Good old perl, where would we be without it ?
> > >
> > > probably in the same place you are with it, with a metric ton of
> > > security holes just waiting to be exploited...
> > >
> > > [ask yourself this: is user input passed *at all* to the suidperl
> > > binary? if it is, my condolences. if not, what's the point?]
> >
> > A little less rude remark: make sure this script is well-protected
>
> sometimes, rudeness serves a purpose, such as driving a point home.
>

Well, I'm trying to be as little rude as possible, while being as
informative as I can. I find that explaining yourself clearly is in the
long-term better than trolling people.

> > (preferably using https), and that it does only what it is allowed to do,
> > and that you check and double check any input for possible exploits.
>
> amir: do a short search on bugtraq for cgi exploits. compile a list of
> likely offenders (user input not quoted properly, user input not
> sanitized properly) and check how many of those your script is
> vulnerable to. if you want help, send me the url and the script in
> private.
>

Learning about possible CGI exploits is a good idea. That way one can be a
better programmer.

> > Avoiding SUID programs and scripts altogether is not a very wise idea. There
> > are many such utilities on a common Linux installation, but they all
> > follow the guidelines I described. (albeit not successfully all the time,
> > since they may contain bugs)
>
> suid is bad, unless absolutely necessary. sudo is better. perhaps
> amir would like to describe why apache (running on behalf of some
> user, obviously) needs to execute iptables at all?

Regards,

	 Shlomi Fish

> --
> The ill-formed Orange
> Fails to satisfy the eye:       http://vipe.technion.ac.il/~mulix/
> Segmentation fault.  http://syscalltrack.sf.net/



----------------------------------------------------------------------
Shlomi Fish        shlomif@...
Home Page:         http://t2.technion.ac.il/~shlomif/
Home E-mail:       shlomif@...

"Let's suppose you have a table with 2^n cups..."
"Wait a second - is n a natural number?"

#663 From: "Amir Abiri" <amir@...>
Date: Wed Mar 6, 2002 6:36 pm
Subject: Re: iptables as non-root user
amir@...
 
> > > > On Tue, Mar 05, 2002 at 01:59:27PM +0200, Amir Abiri wrote:
> > > > > > > Does anyone know how i can let my apache run iptables ? i have
> > > > > > > tried to suid a little shell script for that purpose, but that
> > > > > > > doesn't work. Seems like iptables makes its own double-check
> > > > > > > that you really are root.
> > > > > > >
> > > > > > > Does anyone have any idea ?
> > > > > >
> > > > > > Maybe a better design would be to write a server that is to be
> > > > > > run as root that will run iptables for you, and communicate with
> > > > > > this server thru a CGI script using a set of named pipes or a
> > > > > > unix-domain socket with permissions that are restrictive enough.
> > > > > > We pulled a similar stunt in the IP-Noise project, and it worked
> > > > > > beautifully.
> > > > >
> > > > > Thanks, but that's way too much work for a very simple problem. :)
> > > > > Anyway i solved it: "/usr/bin/suidperl".
> > > > > Good old perl, where would we be without it ?
> > > >
> > > > probably in the same place you are with it, with a metric ton of
> > > > security holes just waiting to be exploited...
> > > >
> > > > [ask yourself this: is user input passed *at all* to the suidperl
> > > > binary? if it is, my condolences. if not, what's the point?]

mulix: There is no "user input", but look at the end of this message.

> > > A little less rude remark: make sure this script is well-protected

Shlomi: Who was rude to whom again ?

> > sometimes, rudeness serves a purpose, such as driving a point home.

Or driving ppl away from you. Which is my preferable way of using it...

> Well, I'm trying to be as little rude as possible, while being as
> informative as I can. I find that explaining yourself clearly is in the
> long-term better than trolling people.
>
> > > (preferably using https), and that it does only what it is allowed to
> > > do, and that you check and double check any input for possible exploits.

Shlomi: I totally agree on the https part, i'll look into it.

> > amir: do a short search on bugtraq for cgi exploits. compile a list of
> > likely offenders (user input not quoted properly, user input not
> > sanitized properly) and check how many of those your script is
> > vulnerable to. if you want help, send me the url and the script in
> > private.
> >
>
> Learning about possible CGI exploits is a good idea. That way one can be a
> better programmer.

And a better hacker... :)

> > > Avoiding SUID programs and scripts altogether is not a very wise idea.
> > > There are many such utilities on a common Linux installation, but they
> > > all follow the guidelines I described. (albeit not successfully all the
> > > time, since they may contain bugs)
> >
> > suid is bad, unless absolutely necessary. sudo is better. perhaps
> > amir would like to describe why apache (running on behalf of some
> > user, obviously) needs to execute iptables at all?

It's very simple: I have a firewall blocking all ports but http, smtp, and a
couple more like those. ssh is blocked too. The idea is that if i want to
log in to my machine from another machine when i'm not home, I can browse to
that URL, enter a user name and a password, and if those are correct then
another line is entered into the INPUT chain, enabling input only from that
specific IP address i'm in. The script also throws the counter iptables
command into /bin/at with a time offset of a couple of hours, so after a
while the "hole" will be "closed". The ip address is taken from the apache
environment variable, so it's not "user input", the time is given by the
user, but is strictly checked by the PHP script, it can only be a pure
number and in a given range.

The reason for that suid script is that even if i enable apache to run
iptables, it's still not enough. I need ROOT to run those two lines of
iptables, and we all agree that letting apache run as root is way worse
right ?

This script is 5 lines long, and doesn't address the shell at any point, it
goes directly to the iptables and at binaries, can only be run by root or
apache, and again like i said before: Has no real "user input" in it.

--
"God is a programmer".

#664 From: Tzafrir Cohen <tzafrir@...>
Date: Wed Mar 6, 2002 6:58 pm
Subject: Re: iptables as non-root user
ctzafrir
 
On Wed, 6 Mar 2002, Amir Abiri wrote:

> > > > > On Tue, Mar 05, 2002 at 01:59:27PM +0200, Amir Abiri wrote:
> > > > > > > > Does anyone know how i can let my apache run iptables ? i have
> > > > > > > > tried to suid a little shell script for that purpose, but that
> > > > > > > > doesn't work. Seems like iptables makes its own double-check
> > > > > > > > that you really are root.
> > > > > > > >
> > > > > > > > Does anyone have any idea ?
> > > > > > >
> > > > > > > Maybe a better design would be to write a server that is to be
> > > > > > > run as root that will run iptables for you, and communicate with
> > > > > > > this server thru a CGI script using a set of named pipes or a
> > > > > > > unix-domain socket with permissions that are restrictive enough.
> > > > > > > We pulled a similar stunt in the IP-Noise project, and it worked
> > > > > > > beautifully.
> > > > > >
> > > > > > Thanks, but that's way too much work for a very simple problem. :)
> > > > > > Anyway i solved it: "/usr/bin/suidperl".
> > > > > > Good old perl, where would we be without it ?
> > > > >
> > > > > probably in the same place you are with it, with a metric ton of
> > > > > security holes just waiting to be exploited...
> > > > >
> > > > > [ask yourself this: is user input passed *at all* to the suidperl
> > > > > binary? if it is, my condolences. if not, what's the point?]
>
> mulix: There is no "user input", but look at the end of this message.
>
> > > > A little less rude remark: make sure this script is well-protected
>
> Shlomi: Who was rude to whom again ?
>
> > > sometimes, rudeness serves a purpose, such as driving a point home.
>
> Or driving ppl away from you. Which is my preferable way of using it...
>
> > Well, I'm trying to be as little rude as possible, while being as
> > informative as I can. I find that explaining yourself clearly is in the
> > long-term better than trolling people.
> >
> > > > (preferably using https), and that it does only what it is allowed to
> > > > do, and that you check and double check any input for possible
> > > > exploits.
>
> Shlomi: I totally agree on the https part, i'll look into it.
>
> > > amir: do a short search on bugtraq for cgi exploits. compile a list of
> > > likely offenders (user input not quoted properly, user input not
> > > sanitized properly) and check how many of those your script is
> > > vulnerable to. if you want help, send me the url and the script in
> > > private.
> > >
> >
> > Learning about possible CGI exploits is a good idea. That way one can be a
> > better programmer.
>
> And a better hacker... :)
>
> > > > Avoiding SUID programs and scripts altogether is not a very wise idea.
> > > > There are many such utilities on a common Linux installation, but they
> > > > all follow the guidelines I described. (albeit not successfully all the
> > > > time, since they may contain bugs)
> > >
> > > suid is bad, unless absolutely necessary. sudo is better. perhaps
> > > amir would like to describe why apache (running on behalf of some
> > > user, obviously) needs to execute iptables at all?
>
> It's very simple: I have a firewall blocking all ports but http, smtp, and a
> couple more like those. ssh is blocked too. The idea is that if i want to
> log in to my machine from another machine when i'm not home, I can browse to
> that URL, enter a user name and a password, and if those are correct then
> another line is entered into the INPUT chain, enabling input only from that
> specific IP address i'm in. The script also throws the counter iptables
> command into /bin/at with a time offset of a couple of hours, so after a
> while the "hole" will be "closed". The ip address is taken from the apache
> environment variable, so it's not "user input", the time is given by the
> user, but is strictly checked by the PHP script, it can only be a pure
> number and in a given range.
>
> The reason for that suid script is that even if i enable apache to run
> iptables, it's still not enough. I need ROOT to run those two lines of
> iptables, and we all agree that letting apache run as root is way worse
> right ?
>
> This script is 5 lines long, and doesn't address the shell at any point, it
> goes directly to the iptables and at binaries, can only be run by root or
> apache, and again like i said before: Has no real "user input" in it.

Apache's authentication is problematic. I would try to use something that
is based on ssh for login and authentication.

The thing is that you have a number of HTTP sessions for this connection
because http is a stateless protocol, whereas with ssh you only have one
session.

If you want to use a web interface, get a web interface with a proven
track record, like linuxconf or webmin (you can write a perl script or
even a bash script that will be a module for linuxconf. You can also make
a custom menu for linuxconf. I figure this means that SUID may not have
to be used?)

Also: what is the IP address exactly? If you use a proxy: won't it be the
IP of the proxy server?

Also note that this allows anybody to query the password of your root
account of your machine from an anonymous web browser. Make sure you
don't use pam_tally or something, otherwise an attacker can lock out your
root account ;-)

--
Tzafrir Cohen                        /"\
mailto:tzafrir@...        \ /  ASCII Ribbon Campaign
Taub 229, 972-4-829-3942,             X   Against  HTML  Mail
http://www.technion.ac.il/~tzafrir   / \
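
An added illustration for the helper script described in #663 (not code from the thread): a Python sketch of the input checks and command construction such a script needs before it touches iptables. The iptables path, port 22 and the 1-12 hour range are assumptions; note that at(1) hands its job text to /bin/sh, so the scheduled revert command is shell-quoted even though the direct iptables call involves no shell.

```python
import ipaddress
import shlex
import subprocess

IPTABLES = "/sbin/iptables"      # assumed install path
AT = "/bin/at"                   # path as given in the post
SSH_PORT = "22"                  # assumed: the service being opened
MIN_HOURS, MAX_HOURS = 1, 12     # assumed allowed range

def parse_client_ip(remote_addr):
    """Return REMOTE_ADDR as one canonical IPv4 host address, or raise ValueError."""
    if not isinstance(remote_addr, str):
        raise ValueError("address must be a string")
    # IPv4Address rejects CIDR suffixes, whitespace and trailing text, so
    # "0.0.0.0/0" or "1.2.3.4; id" never reach the iptables command line.
    ip = ipaddress.IPv4Address(remote_addr)
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        raise ValueError("not a usable client address")
    return str(ip)

def parse_hours(field):
    """Accept only ASCII decimal digits within the allowed range."""
    if not (isinstance(field, str) and field.isascii() and field.isdigit()):
        raise ValueError("duration must be a plain number")
    hours = int(field)
    if not MIN_HOURS <= hours <= MAX_HOURS:
        raise ValueError("duration out of range")
    return hours

def rule_argv(action, ip):
    """Build the iptables argument vector; action is "-I" (open) or "-D" (close)."""
    return [IPTABLES, action, "INPUT", "-s", ip, "-p", "tcp",
            "--dport", SSH_PORT, "-j", "ACCEPT"]

def plan(remote_addr, hours_field):
    """Validate both inputs, then return (open_argv, at_argv, at_job_text)."""
    ip = parse_client_ip(remote_addr)
    hours = parse_hours(hours_field)
    # at(1) runs the job with /bin/sh, so the revert command is shell-quoted.
    at_job = shlex.join(rule_argv("-D", ip)) + "\n"
    return rule_argv("-I", ip), [AT, "now", "+", str(hours), "hours"], at_job

def open_hole(remote_addr, hours_field):
    """Run the plan without a shell; needs root (for example via a sudo rule)."""
    open_argv, at_argv, at_job = plan(remote_addr, hours_field)
    subprocess.run(open_argv, check=True)
    subprocess.run(at_argv, input=at_job, text=True, check=True)
```

These checks cannot tell whether REMOTE_ADDR belongs to a shared proxy, the case raised in #664; every client behind that address gets the same opening.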
