Jeff Quast wrote:
On 9/15/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
It would probably be best to let a daemon or cronjob outside the chroot
read it; a socket or even a simple pipe in the chroot is sufficient to
signal a daemon, or even send the whole IP address.

Of course, this does result in a two-part script, but the separation is
likely to be a good thing from a security standpoint.

               Joachim

This design is mentioned a lot. I understand it, and it would probably
be the best solution.

Does anybody have a simple two-bin C app that communicates over a pipe
that functions for this purpose? I suppose I could pull out my Richard
Stevens AUP...

I see this recommended a lot. So somebody had to actually sit down and
do this at some point. Care to share?

I have two perl scripts that I used to implement wireless Internet access.
There are a few holes but it is a work in progress. My next step is to change it to allow users that do not have ssh to access our network. Some airports only allow port 80, so I need to deal with that.

The way the scripts work:
PF redirects all users that are not in the goodip table to a default web page. They are asked for a user name and password. When they hit enter, the first script handles the input. The perl script checks the user name and password and, if it is correct, sends the IP address over a socket to the access server script, which then adds the IP to the goodip table. If the user then enters a new web page, they are directed there because PF will now have them in the goodip table.

Things that need to be fixed or considered.
Consider using authpf.
I did not add perl to the Apache chroot. When this is done, will the socket still work?
I have user name and password in the perl script. This is not secure.
I have to write a script to clean the goodip table every so often.
Web page does not always show proper information. I redirect the first hit, but when they hit home, their cache shows the login page.
I am new to perl.

If you are interested, let me know and I will e-mail or post the code (very small scripts).

Victor Camacho
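
The two-part design the thread converges on, as an added example written for this page (it is not Joachim's, Jeff's or Victor's code): the privileged half that runs outside the chroot. It listens on a Unix-domain socket, reads one "ADD <address>" line per connection, validates the address with inet_pton(3) and re-prints it with inet_ntop(3) so that only a canonical dotted quad ever reaches pfctl(8), which it runs by execl with a fixed argv rather than through a shell. The socket path /var/www/var/run/goodip.sock, the table name goodip, the pfctl location /sbin/pfctl and the 0660 socket mode are assumptions.

```c
/* Added example (not code from the thread): privileged half of the two-part
 * design. Outside the chroot it accepts "ADD <ipv4>\n" on a Unix socket,
 * validates the address and runs pfctl(8). Paths and table name are assumed. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse "ADD <ipv4>[\r\n]" into a canonical dotted quad; 1 on success, 0 on reject. */
int parse_request(const char *line, char *ip, size_t iplen)
{
    char buf[INET_ADDRSTRLEN];
    struct in_addr addr;
    size_t n;
    if (strncmp(line, "ADD ", 4) != 0)
        return 0;
    line += 4;
    n = strcspn(line, "\r\n");                    /* address ends at end of line */
    if (n == 0 || n >= sizeof buf || line[n + strspn(line + n, "\r\n")] != '\0')
        return 0;       /* empty, too long for IPv4, or bytes after the terminator */
    memcpy(buf, line, n);
    buf[n] = '\0';
    if (inet_pton(AF_INET, buf, &addr) != 1)      /* strict: "1.2.3", "999.1.1.1" fail */
        return 0;
    /* Re-print so pfctl only ever sees normalised text, never the client's bytes */
    return inet_ntop(AF_INET, &addr, ip, iplen) != NULL;
}

/* NULL if the request is rejected, else the canonical address (static buffer). */
const char *validated_ip(const char *line)
{
    static char ip[INET_ADDRSTRLEN];
    return parse_request(line, ip, sizeof ip) ? ip : NULL;
}

/* "pfctl -t <table> -T add <ip>" with a fixed argv: no shell, so no injection. */
int add_to_table(const char *table, const char *ip)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/sbin/pfctl", "pfctl", "-t", table, "-T", "add", ip, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Accept loop: one request per connection, "OK" or "ERR" back to the client. */
int serve(const char *path, const char *table)
{
    struct sockaddr_un sun;
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strncpy(sun.sun_path, path, sizeof sun.sun_path - 1);
    unlink(path);
    if (bind(lfd, (struct sockaddr *)&sun, sizeof sun) < 0 || listen(lfd, 5) < 0)
        return -1;
    chmod(path, 0660);   /* assumption: group shared with the www user and nobody else */
    for (;;) {
        char line[64];
        const char *ip;
        FILE *f;
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0)
            continue;
        if ((f = fdopen(cfd, "r+")) == NULL) {
            close(cfd);
            continue;
        }
        ip = fgets(line, sizeof line, f) ? validated_ip(line) : NULL;
        fputs(ip != NULL && add_to_table(table, ip) == 0 ? "OK\n" : "ERR\n", f);
        fclose(f);                                /* also closes cfd */
    }
}

int main(int argc, char **argv)
{
    /* Path as seen from outside; the chrooted CGI opens /var/run/goodip.sock */
    const char *path = argc > 1 ? argv[1] : "/var/www/var/run/goodip.sock";
    const char *table = argc > 2 ? argv[2] : "goodip";
    if (serve(path, table) < 0) {
        perror("serve");
        return 1;
    }
    return 0;
}
```

A Unix-domain socket is addressed by its filesystem path, so a socket bound at /var/www/var/run/goodip.sock by this daemon is the same object the chrooted web side sees as /var/run/goodip.sock, whether that side is a Perl CGI or a C program; it connects, writes "ADD " followed by REMOTE_ADDR and a newline, and reads back OK or ERR. The daemon cannot know whether the address in the request really belongs to the client that just authenticated, so the web side must send the connection's REMOTE_ADDR, never anything the user typed into the form; the strict parsing above limits what a compromised web side can do to adding well-formed addresses to one table, which is what authpf's separation of privilege gives you as well.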
