Summary: Help with tcpservers

From: Seel, John <John.Seel_at_US.Faulding.com>
Date: Mon, 08 Jan 2001 09:01:28 -0500

Thanks to:
S. Administrator
Simon Greaves

Apparently I was doing it correctly but I suspect that the telnetd or login
function was dropping the environment variables. I still do not understand
why I was not getting the rules implemented properly. I have decided not to
use tcpserver ( See my other summary for "Determining the IP alias that a
user connects to").

Here are the (edited) responses.

It's got to be CTRL-D if you are entering the rules manually. Normally one
would write them into a text file (say, /etc/rules.txt), then run
        tcprules /etc/rules.cdb /etc/rules.tmp < /etc/rules.txt

Indeed I think you need to repeat the full set of rules each time; that's
why you'd normally store them in a text file (or have another program
generate them; that's why tcprules reads from standard input).

> # /usr/local/bin/tcprules /etc/rules.cdb /etc/rules.tmp
> :allow,SERVICE="test"
> # /usr/local/bin/tcprulescheck /etc/rules.cdb
> rule :
> set environment variable SERVICE=test
> allow connection
> #

Yes, that's OK.

> When I log in, the variable SERVICE is never passed through telnetd to my
> shell as I would like.

That may be because your telnetd sanitizes the environment. (Most likely,
this is done by your login program called from telnetd. Tru64's /usr/bin/login
supports a -p option, which /usr/sbin/telnetd may not be supplying. If so,
remember that you can replace telnetd with an open-source version. (I'd start
by looking at OpenBSD's... yes, it seems suitable, as long as you don't
#define NO_LOGIN_P when compiling.))

> Is this related to passing the variable to telnetd? Will it drop the
> variables assigned before telnetd is invoked?

Probably, yes. A quick and dirty test would be for you to write a wrapper
around /usr/bin/login that (a) prints out the options it's been invoked
with, (b) adds -p if missing, (c) execs /usr/bin/login. If you choose a
path name for this program of exactly the same length as "/usr/bin/login",
you can do string substitution on Compaq's /usr/sbin/telnetd executable.

> Or am I going about this all wrong?

Well, you could chroot to another virtual environment before you start up
telnet. Then you might not _need_ to pass any environment variables, since
the process would see a different filesystem.

I think the question is exactly what characteristics of the user environment
you want to modify. If you want `uname -n` to return something else, that
might be tricky (though you could supply a different libc.so in the chroot
environment, and hope that the user doesn't bypass that by running a
statically linked program). If you want a different selection of programs
in /usr/bin, or even in /usr/local/bin, I'd say a chrooted environment is
the way to go. If you only want to modify a few environment variables, then
/usr/bin/login -p should do fine.

********************************************************
> Does anyone know the exact method of using tcprules?

Best way is to stick all the rules into a text file, then send that file
to stdin of tcprules.

Eg:
        # cd /etc
        # vi rules
        # tcprules rules.cdb rules.tmp < rules

I don't know how telnetd handles env. vars, my guess would be it would
ignore them for security reasons, but that is just a guess (I'm not
really sure what you are trying to achieve with this).

Simon
*********************************************************
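As an added example (not code from the thread or from ucspi-tcp), a small Python evaluator for a tcprules text file of the kind both replies describe: it follows tcpserver's documented key lookup order for the common key forms and reports which rule a given client would hit and which variables (SERVICE here) that rule would set. The ruleset is constructed; the $TCPREMOTEINFO@ and host-suffix key forms are left out.

```python
"""Offline tcprules evaluator (constructed example, not ucspi-tcp code):
report the rule tcpserver would match for a client IP / reverse-DNS name and
the environment variables it sets.  Lookup order: IP, =host, IP prefixes,
empty default key ($TCPREMOTEINFO@ and host-suffix forms omitted)."""
import re
# Constructed ruleset in tcprules syntax: address:allow|deny[,VAR="value",...]
RULES_TXT = """\
# comments and blank lines are ignored, as tcprules does
192.168.1.50:deny
192.168.1.:allow,SERVICE="test"
=trusted.example.net:allow,SERVICE="trusted"
:deny
"""
_VAR = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

def parse_rules(text):
    """Return {key: (action, env)}; the whole ruleset is compiled at once."""
    rules = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, instr = line.partition(":")
        action, _, rest = instr.partition(",")
        if action not in ("allow", "deny"):
            raise ValueError("bad instruction: %r" % line)
        env = {}
        while rest:
            m = _VAR.match(rest)
            if not m:
                raise ValueError("bad variable assignment: %r" % line)
            # "\c" in a value stands for the character c (octal escapes omitted)
            env[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
            rest = rest[m.end():].lstrip(",")
        rules.setdefault(key, (action, env))  # cdb returns the first copy of a key
    return rules

def lookup_keys(ip, host=None):
    """Keys tcpserver tries, most specific first."""
    keys = [ip] + (["=" + host] if host else [])
    for i in range(len(ip) - 1, 0, -1):   # "192.168.1.", "192.168.", "192."
        if ip[i - 1] == ".":
            keys.append(ip[:i])
    return keys + [""]                     # the ":" line is the default rule

def decide(rules, ip, host=None):
    """(matched key, action, env) for one client; no matching rule means allow."""
    for key in lookup_keys(ip, host):
        if key in rules:
            action, env = rules[key]
            return key, action, dict(env)
    return None, "allow", {}
```

Compile the same text with `tcprules rules.cdb rules.tmp < rules` and compare the result against tcprulescheck for the same client address.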



#################################################
Original Post:
Hello Managers,

This is actually a followup to my posting with subject "Determining the IP
alias that a user connects to"

A fellow administrator was kind enough to point me in the direction of
ucspi-tcp "tcpserver" by D. J. Bernstein (http://cr.yp.to/), however, the
documentation is limited and I am still having trouble getting it to work as
I would like.

I was hoping someone out there may have some experience or be able to point
to me more detailed documentation.

tcpserver looks like a slick program. I had no problem compiling it and
installing it.
I have configured it to replace telnetd by commenting out telnetd in
/etc/inetd.conf. For testing purposes I start tcpserver manually, but will
probably start and/or stop it through /sbin/init.d, inet.local, or the
cluster service start/stop scripts as I need for each alias.

However, for testing I start it with this line (or slight variations):
/usr/local/bin/tcpserver -v -x /etc/rules.cdb -B "Hello World!" 192.168.1.1 23 /usr/sbin/telnetd


Depending upon the rules I've set up, this works. I can telnet to that
address, get the banner, and login.

I start an alias with:
ifconfig tu0 alias 192.168.1.100

Then start another tcpserver on that alias:
/usr/local/bin/tcpserver -v -x /etc/rules.cdb -B "Hello New World!" 192.168.1.100 23 /usr/sbin/telnetd

I can then telnet to that address, get the new banner, and login. I can also
still connect to the original address with no problem.

However, my problem seems to lie with the rules. tcprules is used to create
the cdb file for the tcpserver rules. The documentation is not clear on how
to exit tcprules after entering each rule as a line. Control D seems to
terminate the program but when I check the rules with tcprulescheck, it
never seems to have accepted the proper rules or only keeps the last rule
entered.

Does anyone know the exact method of using tcprules?

Even when it seems that I have properly entered a single rule to allow all
and set a variable as follows:

# /usr/local/bin/tcprules /etc/rules.cdb /etc/rules.tmp
:allow,SERVICE="test"
# /usr/local/bin/tcprulescheck /etc/rules.cdb
rule :
set environment variable SERVICE=test
allow connection
#


When I log in, the variable SERVICE is never passed through telnetd to my
shell as I would like.
Is this related to passing the variable to telnetd? Will it drop the
variables assigned before telnetd is invoked?

Or am I going about this all wrong?

Any help or suggestions would of course be greatly appreciated.

Thanks.

John




----------------------------------------------------
John Seel
UNIX Systems Administrator
Faulding, Inc.
john.seel_at_us.faulding.com
(908) 659-2398
-----------------------------------------------------
Received on Mon Jan 08 2001 - 14:02:42 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:41 NZDT