echo: elebbs_support
to: All
from: Drew Baker
date: 2006-09-05 08:52:56
subject: Re: EleBBS: elebbs and debian telnet setup

* EleBBS Support List

That's exactly correct. These can be bypassed by getting the source for
telnetd and tweaking a bit. Two flaws to doing this:

1. By using elebbs as the "logon" manager instead of telnetd or a similar
shell, you have a severe limitation in the ability to integrate complicated
(bash) scripts for your users to use.
2. You open up a big security hole in your system, because when you run a
non-validated logon manager you're forced to run it with sudo root privileges.
Now if someone gets out of the elebbs shell for some reason, they have root
on your box. Whereas running it as a user with an auto execute will only
give them access to the user the BBS runs under.


As time permits I will release code I update for my own bbs for those that
are interested. On my to-do list is a modified telnetd that will simply
launch as normal but assume a user and password when a connection is made.
This will solve the problem of inetd requiring an authorized manager, and
will address several security concerns as well. I personally don't mind my
users logging in to telnet for the BBS, but unfortunately this also allows
them to log into their more secure accounts too, with NO encryption, which
is bad. I would prefer everybody log into the bbs using ssh as well, but not
everyone understands it (though my bbs will allow for ssh login).



On 9/5/06, Mike Ehlert wrote:
>
> * EleBBS Support List
>
> Hi Scott,
>
> >> Ok with that type of setup we have one problem if you try to run a script
> >> on my system from telnetd it fails if you try to run an executable file
> >> it works.
> >
> > Why do you need telnetd?
>
> From what I've heard, inetd/xinetd has some security changes made earlier
> this year in several of the distros, which prevent them from being able to
> run an "unvalidated" password/login program.
>
> Regards,   Mike
>
> _______________________________________________________________
>
> To unsubscribe write to "listbot{at}thebbs.org" and put the words
> "unsubscribe elebbs{at}thebbs.org" in the SUBJECT of the message.
> _______________________________________________________________
>



-- 
Beware the jaws that bite, for they belong to my evil attack penguin.

Open Source Software, Not only a way of life, but a tasty dessert as well.
http://www.fosug.org

Bring back the days of the BBS:  Telnet/SSH2:/doteltech.com

--- Internet Rex 2.29
* Origin: The gateway at The Snake (2:280/4312.101)
SEEN-BY: 633/267 270
@PATH: 280/4312 774/605 123/500 106/2000 633/267
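
The contrast in point 2 of the message above (a login manager started as root versus under the BBS's own account) can be checked directly in an inetd configuration. The following is an added example, not part of the original post or of EleBBS; the sample entries, port 2323, the `bbs` account and the path `/usr/local/bin/bbs-login` are constructed assumptions.

```python
# Added example: flag inetd.conf entries whose program is started as root.
# All sample entries, port 2323 and /usr/local/bin/bbs-login are constructed.

SAMPLE_INETD_CONF = """\
# service  type    proto  wait    user           server            args
telnet     stream  tcp    nowait  root           /usr/sbin/tcpd    /usr/local/bin/bbs-login
2323       stream  tcp    nowait  bbs            /usr/sbin/tcpd    /usr/local/bin/bbs-login
#finger    stream  tcp    nowait  root           /usr/sbin/tcpd    /usr/sbin/in.fingerd
ident      stream  tcp    wait    identd.daemon  /usr/sbin/identd  identd
daytime    stream  tcp    nowait  root           internal
"""


def parse_entry(line):
    """Parse one inetd.conf line; return None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    service, owner, server, args = fields[0], fields[4], fields[5], fields[6:]
    # The user field may carry a group: "user.group" or "user:group".
    user = owner.replace(":", ".").split(".")[0]
    # Behind the tcpd wrapper, the real program is the first argument.
    program = args[0] if server.endswith("/tcpd") and args else server
    return {"service": service, "user": user, "program": program}


def find_root_services(conf_text):
    """Return (service, program) for every external program run as root."""
    findings = []
    for line in conf_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["program"] == "internal":
            continue  # inetd built-ins start no separate program
        if entry["user"] == "root":
            findings.append((entry["service"], entry["program"]))
    return findings


if __name__ == "__main__":
    for service, program in find_root_services(SAMPLE_INETD_CONF):
        print(f"{service}: {program} runs as root; an escape from it is a root shell")
```

Only the first sample entry is reported; the same program started under the `bbs` account is not flagged.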

SOURCE: echomail via fidonet.ozzmosis.com
