1306025548 Q * imcsk8 Ping timeout: 480 seconds
1306025558 Q * hparker Quit: Quit
1306026917 M * Bertl off to bed now ... have a good one everyone!
1306026921 N * Bertl Bertl_zZ
1306027556 J * hparker ~hparker@2001:470:1f0f:32c:beae:c5ff:fe01:b647
1306030047 J * aj__ ~aj@p4FFD351F.dip.t-dialin.net
1306030354 Q * derjohn_foo Ping timeout: 480 seconds
1306031898 Q * hparker Quit: Quit
1306036728 J * emcepe ~mcp@wolk-project.de
1306036733 Q * mcp Ping timeout: 480 seconds
1306036738 N * emcepe mcp
1306043477 J * allquixotic ~allquixot@178.63.122.3
1306043539 Q * allquixotic
1306053045 J * bonbons ~bonbons@2001:960:7ab:0:78d4:28d9:d8c0:6ce8
1306060173 N * Bertl_zZ Bertl
1306060179 M * Bertl morning folks!
1306060221 M * Mr_Smoke Mo'in
1306060313 J * VirMan c113a53b@ircip2.mibbit.com
1306060321 M * VirMan hi :)
1306060348 M * VirMan i just got into question about vserver xxxx exec function - is it safe ?
1306060363 M * VirMan i mean if there is possibility to abuse this command ?
1306060398 M * VirMan if i want to allow my guests to use this function from administrative panel and give them unlimited access to add text to that function
1306060408 M * VirMan they can harm my hosts?
1306060545 M * cehteh its shell, so its really easy to exploit
1306061921 M * Bertl VirMan: it is designed for an administrator who knows what he is doing, not for a (potentially hostile) 'customer'
1306061946 M * Bertl if you want to allow a customer access to the guest, use a guest service for that, e.g. a bash on a socket or so
1306061974 J * harobed ~sklein@arl57-1-82-231-110-14.fbx.proxad.net
1306062931 M * VirMan smhm
1306062964 M * VirMan i wanted to give them an option to enter command from adm panel directly :)
1306062969 M * VirMan but well
1306062980 M * VirMan i will just stick to change password
1306062992 M * VirMan thanks :)
1306063279 M * cehteh you know how shell exploiting works?
1306063336 M * VirMan well - probably some combination of ; and ` that ends vserver exec function and then allows to execute on host directly
1306063370 M * cehteh yes and other things .. so you should be very careful with any user entered string (including usernames) passed along
1306063372 M * VirMan i'm not a bash master :P
1306063406 M * VirMan yup. - i'm filtering those in passwd fields
1306063418 M * cehteh by what? ...
1306063423 M * VirMan php
1306063427 M * cehteh eww :P
1306063433 M * cehteh i mean by what rule
1306063435 M * VirMan i have web adm panel for vservers
1306063453 M * cehteh $ ` and so on for example could be valid characters in a password
1306063454 M * VirMan strip of every ; and `
1306063467 M * VirMan i restrict not to use ones :)
1306063472 M * cehteh and just stripping characters when you dont know bash is not a good idea
1306063489 M * cehteh better do the opposite, only allow characters which you know that they are safe
1306063514 M * VirMan this is only failsafe if user locks his guest by some freaky things
1306063521 M * cehteh and moreover you have to pass it in a safe way to the underlying bash functions, then even ` $ and ; will be handled correctly
1306063559 M * VirMan i have php daemon working on hosts
1306063570 M * VirMan it is executing all commands locally
1306063571 M * cehteh prolly its not users who exploit these but when your admin panel is reachable from the web, then bad boys may play with it
1306063600 M * cehteh i'd put this daemon into a vserver too
1306063608 M * cehteh never ever run anything public on the host
1306063630 M * cehteh (i've only running administrative ssh there)
1306063673 M * VirMan no it's only connecting via http to my web API on main web page
1306063689 M * VirMan it's launched by cron every one minute
1306063697 M * cehteh yeah, i wont do that :)
1306063730 M * cehteh setup an administrative vserver which does this tasks and communicates via ssh with the other vservers
1306063738 M * VirMan well what's the issue ? :) - if it passively connects to my main host ? - and my API has filters for only those ips ?
1306063761 M * cehteh but you pass some commands along and say you dont know bash well
1306063784 M * cehteh if there is the slightest overseen case, then you are potentially doomed
1306063792 M * VirMan well - only changing passwords for now (sending it and local php executes it. )
1306063813 M * VirMan i considered allowing bash execution but you cured me from that idea :D
1306063836 M * cehteh well at some level some bash will be executed right?
1306063844 M * VirMan no :)
1306063854 M * cehteh what passwords anyways? system logins?
1306063874 M * VirMan well there would be executed vserver xxxxx exec passwd root blablabla
1306063885 M * VirMan guest logins
1306063897 M * cehteh exactly and so you pass some strings you execute there
1306063910 M * cehteh that could be exploitable if not done right
1306063921 M * cehteh btw i dont use passwords at all on my vserver, only ssh keys
1306063936 M * VirMan yes , but those strings are internally prepared by system - not user entered - only password is entered and it's filtered with many things
1306063954 M * cehteh users usually pick weak passwords and there are a lot drones out there which try dictionary attacks on hosts
1306063969 M * VirMan it's rescue only :P
1306063975 M * cehteh so i have a 'no passwords at all' policy
1306063988 M * VirMan user then enters via ssh and changes passwords :)
1306063993 M * cehteh not even for rescue ... no passwords point
1306064009 M * cehteh let the user send up his ssh pubkey
1306064017 M * VirMan well - i would agree with you , but users (customers) requires that..
1306064027 M * cehteh install his pubkey on the rescue system
1306064049 M * cehteh they all have ssh right?
1306064060 M * VirMan how do i know his pubkey ? - he then should upload it into my system.
1306064076 M * VirMan not every ssh client has those
1306064080 M * VirMan easily accessible
1306064082 M * cehteh huh?
1306064090 M * cehteh all i know do, even putty for linux
1306064097 M * cehteh err putty for windows
1306064099 M * VirMan ok.
1306064114 M * cehteh public key crypto is a very core functionality for ssh
1306064140 M * cehteh putty for windows formats it in a strange way you prolly have to mangle it a bit
1306064145 M * VirMan hmm - so maybe i'll consider uploading ssh pubkey into serv as option:)
1306064167 M * cehteh i think thats a good idea
1306064205 M * cehteh the user currently logs in via https .. starts a rescue system and gets a temporary password back right?
1306064263 M * VirMan yes
1306064271 M * cehteh you could instead offer to upload a pubkey with the same UI as well as having some database of users pubkeys for known users already, then the user can pick "use my pubkey" there
1306064286 M * VirMan or generate password for him
1306064296 M * cehteh well or that
1306064307 M * cehteh since its random password, its prolly secure enough
1306064319 M * VirMan true.
1306064344 M * cehteh but educating users to use public keys and no passwords is a good thing, you just have to communicate the security benefits of this
1306064361 M * cehteh (and how to use ssh-agent and other tools to get passwordless auth)
1306064371 M * cehteh its even easier then :)
1306064454 M * cehteh on my linux i use pam-ssh to login, that starts up an ssh-agent automatically and i never have to enter passwords
1306064459 M * cehteh (after the login)
1306064493 M * cehteh dunno, but prolly some sso feature would be doable in windows too, isnt there some ssh-agent there too?
1306064506 M * VirMan well
1306064522 M * VirMan i don't know , but users use lots and tons of different software and else
1306064532 M * VirMan os , clients and etc
1306064541 M * VirMan so i do not want to interfere with that
1306064614 M * cehteh blame the user :P
1306064695 M * VirMan hehe
1306066405 J * BenG ~bengreen@cpc12-aztw24-2-0-cust146.aztw.cable.virginmedia.com
1306066408 J * wurtel_ ~paul@gw-office.telegraaf.net
1306066408 Q * wurtel Read error: Connection reset by peer
1306066429 Q * BenG
1306066957 Q * harobed Ping timeout: 480 seconds
1306067029 J * harobed ~sklein@82.231.110.14
1306068770 Q * VirMan Quit: http://www.mibbit.com ajax IRC Client
1306069791 J * VirMan c113a53b@ircip4.mibbit.com
1306069817 M * VirMan :) how to check version of util-vserver?
1306069889 M * VirMan i got this version on one server : 2.6.35-vs2.3.0.36.32 and i have problems calling util-vserver through scripts
1306069956 M * VirMan everything works perfectly with 2.6.33-vs2.3.0.36.30.4
1306070252 Q * Piet Ping timeout: 480 seconds
1306070784 J * Piet ~Piet__@28IAABR0O.tor-irc.dnsbl.oftc.net
1306071528 M * Bertl VirMan: vserver-info - SYSINFO
1306071551 M * VirMan thanks :)
1306073151 M * arekm Bertl: hi, is .39 patch somewhere near publishing?
1306073172 M * Bertl haven't had the time to look into it yet
1306074052 J * petzsch ~markus@dslb-088-075-170-006.pools.arcor-ip.net
1306076352 Q * harobed Quit: Ex-Chat
1306077063 Q * petzsch Quit: Leaving.
1306080819 Q * aj__ Ping timeout: 480 seconds
1306083355 J * petzsch ~markus@dslb-088-075-170-006.pools.arcor-ip.net
1306087398 J * imcsk8 ~ichavero@148.229.1.11
1306087967 J * ksn ~ksn@197.168.60.102
1306088045 P * ksn
1306088465 J * harobed ~harobed@arl57-1-82-231-110-14.fbx.proxad.net
1306089331 J * derjohn_mob aj@tmo-027-70.customers.d1-online.com
1306090505 N * ensc Guest1839
1306090515 J * ensc ~irc-ensc@p5DF2FC5D.dip.t-dialin.net
1306090983 Q * Guest1839 Ping timeout: 480 seconds
1306091554 Q * Piet Quit: Piet
1306091620 J * hijacker_ ~hijacker@87-126-142-51.btc-net.bg
1306091746 J * Piet ~Piet__@28IAABR54.tor-irc.dnsbl.oftc.net
1306092115 Q * derjohn_mob Ping timeout: 480 seconds
1306093515 J * derjohn_mob aj@tmo-045-107.customers.d1-online.com
1306094073 Q * derjohn_mob Ping timeout: 480 seconds
1306094646 J * derjohn_mob aj@tmo-058-43.customers.d1-online.com
1306096157 Q * petzsch Quit: Leaving.
1306097933 M * VirMan hi.
1306097953 M * VirMan i deleted some contents of running vserver.. how to kill it now ?
1306097986 M * daniel_hozac vkill
1306098028 M * VirMan vkill 6102 vkill: vc_ctx_kill(): No such process
1306098074 M * daniel_hozac you might want to read vkill --help
1306098084 M * VirMan that's ok :)
1306098086 M * VirMan thanks :)
1306098694 Q * derjohn_mob Ping timeout: 480 seconds
1306099422 Q * hijacker_ Quit: Leaving
1306101327 Q * bonbons Quit: Leaving
1306104490 J * derjohn_mob ~aj@d003133.adsl.hansenet.de
1306104907 Q * harobed Ping timeout: 480 seconds
1306106397 Q * manana Remote host closed the connection
1306107920 Q * trippeh Remote host closed the connection
1306107922 J * trippeh atomt@uff.ugh.no