Subject: Re: Setting up a sup server
To: Xavier HUMBERT <xavier@xavhome.fr.eu.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: current-users
Date: 01/21/2002 22:14:24

On Mon, Jan 21, 2002 at 07:29:49PM +0100, Xavier HUMBERT wrote:
> In message <20020119143857.GC1171@antioche.eu.org>,
> Manuel Bouyer wrote:
> 
> >Then start the sup scanner:
> >/usr/sbin/supscan current <base_directory>
> >
> >You can now sup from clients.
> 
> Thanks Manuel, supscan is working, but sup from client does not.
> 
> After setting the whole stuff in debug mode, I saw
> 
> Jan 21 19:16:08 arnor supfile[13472]: SUP File Server Version 8.13 (4.3 BSD) starting at Jan 21 19:16:08
> Jan 21 19:16:10 arnor supfile[13472]: Improper login
> Jan 21 19:16:10 arnor supfile[13472]: connection from gondor.xavhome.fr.eu.org
> [...snip...]
> Jan 21 19:16:10 arnor supfile[13472]: SCM Writing string Reason:  Unknown user anon
> Jan 21 19:16:10 arnor supfile[13472]: SCM Reading message 115
> Jan 21 19:16:10 arnor supfile[13472]: SCM Reading integer 977
> Jan 21 19:16:10 arnor supfile[13472]: SCM Reading string Improper login
> Jan 21 19:16:10 arnor supfile[13472]: Improper login

Hum, yes I have an "anon" user on my server.

> 
> It is an open PR since 1998:
> 
> >Number:         5545
> >Category:       misc
> >Synopsis:       Alot of data is missing from sup and supfilesrv man pages
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    misc-bug-people
> >State:          open
> >Class:          doc-bug
> >Submitter-Id:   net
> >Arrival-Date:   Fri Jun  5 10:20:00 1998
> >Closed-Date:    
> >Last-Modified:  Wed Mar 07 14:08:02 PST 2001
> >Originator:     Tim Rightnour
> >Release:        1.3
> 
> More precisely, I second what Tim says about the "anon" account which is
> mentioned absolutely nowhere, neither the manpages, nor various docs
> across a Google search.
> 
> In fact a query "NetBSD+anon+user" directed me right to this PR.
> 
> And for the manpages:
> 
> [root@arnor man]# grep -w -r anon man*
> man1/sup.1:.B anon
> man1/sup.1:.B anon
> ... dozens of matches concerning UVM ...
> and that's all.
> 
> Creating the account is not enough: it must be activated...
> Which rights are granted to him? How to close the security hole it
> opens?

Hum, mine is created as:
antioche:/home/bouyer#egrep ^anon: /etc/master.passwd
anon:*:65534:600::0:0:Inconnu:/:/bin/noshell

and it's enough to have sup running.
I don't have /bin/noshell in /etc/shells.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
--
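
An added example, not part of the original message or of NetBSD's own tooling: a small audit of a master.passwd entry such as the `anon` line quoted above, checking that it carries no usable password, is not uid 0, and has a shell that is absent from /etc/shells. The function names and the sample /etc/shells content are assumptions made for illustration.

```python
# Added example: audit a master.passwd(5) entry for a service-only account
# such as the "anon" user quoted in the message above.

FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home", "shell")


def parse_shells(text):
    """Return the set of shells listed in /etc/shells-style text."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells


def audit_entry(line, valid_shells):
    """Return a list of findings for one master.passwd line (empty = locked down)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        return ["malformed entry: expected %d fields, got %d" % (len(FIELDS), len(parts))]
    e = dict(zip(FIELDS, parts))
    findings = []
    if e["password"] == "":
        findings.append("empty password field: login without a password")
    elif not e["password"].startswith("*"):
        findings.append("password field holds a hash: password login possible")
    if not e["uid"].isdigit():
        findings.append("non-numeric uid")
    elif int(e["uid"]) == 0:
        findings.append("uid 0: account has root privileges")
    if e["shell"] == "" or e["shell"] in valid_shells:
        findings.append("shell is empty or listed in /etc/shells")
    return findings


# Constructed sample input: the entry from the message, plus a constructed
# /etc/shells and one constructed weak variant for comparison.
SHELLS = parse_shells("# constructed sample\n/bin/sh\n/bin/csh\n/bin/ksh\n")
GOOD = "anon:*:65534:600::0:0:Inconnu:/:/bin/noshell"
WEAK = "anon::65534:600::0:0:Inconnu:/:/bin/sh"

if __name__ == "__main__":
    for entry in (GOOD, WEAK):
        print(entry, "->", audit_entry(entry, SHELLS) or "ok")
```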