Old 9th April 2006, 23:05   #1
h_jinx
Junior Member
 
Join Date: Apr 2006
Posts: 3
Shell security

Hi,

I currently own a dedicated server and wish to install a shoutcast server on it.

However, I am not that familiar with Linux and so have a question concerning security.

Obviously I do not want the shoutcast server running as root. How do I set up things so it runs as a user with only the permissions necessary?

Many thanks,

J
Old 9th April 2006, 23:21   #2
fc*uk
Moderator
 
Join Date: Dec 2005
Location: Atlantic Beach
Posts: 8,140
you should just be able to run the server as any user (if the binaries will not run, then just "chmod 777 sc_serv" and do the same for sc_trans).

By default, Linux is a secure enough OS not to allow serious changes to be made to anything unless you are running as root. Like I said, you should not have to run as root to get any of the shoutcast stuff to work. Just open any shell and start the services you need by "./sc_trans (or serv) config_file.config" and you should be good to go...
Old 9th April 2006, 23:22   #3
h_jinx
Junior Member
 
Join Date: Apr 2006
Posts: 3
Thanks for the quick answer.

Is there no point in setting up another user then and then "chown" the entire shoutcast directory to that?

Thanks again
Old 9th April 2006, 23:42   #4
fc*uk
Moderator
 
Join Date: Dec 2005
Location: Atlantic Beach
Posts: 8,140
well .... there is no point to setting up another user as long as you are not running everything as 'root' ....
Old 9th April 2006, 23:57   #5
hackerdork
Forum King
 
Join Date: Feb 2006
Location: Earth Circa sometime.
Posts: 3,297
chmod 755 sc_serv sc_trans*

chmod 644 sc_serv.conf sc_trans.conf

I myself made a user called shoutcast, with no home directory or login shell, then did this

I placed the exes in /usr/local/bin , which is in the path (no duh) and have the configs in /etc

su shoutcast -c "sc_serv /etc/sc_serv.conf" >/dev/null 2>&1
su shoutcast -c "sc_trans_freebsd /etc/sc_trans.conf" >/dev/null 2>&1

cool part is shoutcast server (sc_serv) and transcoder sc_trans_freebsd run on the system as shoutcast user, not root so if there was a hack, well heck there is no login shell to begin with in /etc/passwd for that user

/etc/passwd (example only!!!!)

shoutcast:*:4000:4000:::0:Shoutcast sandbox:/bin/noshell:/bin/sh

You be the judge what works best for you

This same setup was tested on RH 5.2, 6.0 back in the 'old days', Mandrake 10, FreeBSD 3.2 through FreeBSD 6.0-Release and so on.

Take care.

~ DK

~ According to the ship's log we're down to our last 3000 vomit bags. It'll never be enough.
search the forums! don't PM me on how-to, or ask me to set up your system. you do it so you learn.
Old 10th April 2006, 00:43   #6
fc*uk
Moderator
 
Join Date: Dec 2005
Location: Atlantic Beach
Posts: 8,140
hmmmm.... DK in all seriousness here (as it seems to me that I have not been using linux nearly as long as you, nor am I as familiar with it as you) what is the benefit of doing what you suggested???
Old 10th April 2006, 01:57   #7
hackerdork
Forum King
 
Join Date: Feb 2006
Location: Earth Circa sometime.
Posts: 3,297
people feel safer running a process as a non root user. My post shows one method of how to do that.

~ DK

Old 10th April 2006, 23:31   #8
h_jinx
Junior Member
 
Join Date: Apr 2006
Posts: 3
Hi DK,

Thanks for your help.

However, I am lost here:

shoutcast:*:4000:4000:::0:Shoutcast sandbox:/bin/noshell:/bin/s

What would you advise I change it to?

btw, I sent you a PM, not sure if you received it?

Thanks again.
Old 11th April 2006, 00:20   #9
hackerdork
Forum King
 
Join Date: Feb 2006
Location: Earth Circa sometime.
Posts: 3,297
everyone

that is username shoutcast, no password, UID and GID of 4000, real name, home directory and login shell.

it could be this

shoutcast:#$@#$@#$:4000:5000:::0:whatever:/home/shoutcast:/bin/sh

it would use shoutcast to login to /home/shoutcast using the /bin/sh (Bourne) shell. however I don't like giving it login priv.

ps I got your PM, talk to you on messenger prog.

~ D


Last edited by hackerdork; 11th April 2006 at 01:06.
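
Added example, not part of any post above: a small shell check over passwd-style lines like the ones quoted in posts #5 and #9, assuming the 10-field lines follow the BSD master.passwd layout (name:password:uid:gid:class:change:expire:gecos:home:shell). The function name audit_account and the third, hardened entry are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag risky settings in one passwd-style
# line. Accepts the 7-field passwd layout and the 10-field BSD master.passwd
# layout (name:pw:uid:gid:class:change:expire:gecos:home:shell).

audit_account() {
    printf '%s\n' "$1" | awk -F: '
    {
        if (NF == 7)       { shell = $7 }
        else if (NF == 10) { shell = $10 }
        else { print "unrecognised-format"; exit }
        out = ""
        if ($3 == 0) out = out " uid-0"
        # "*" or a leading "!" can never match a password; "x" defers to shadow.
        if ($2 == "") out = out " empty-password"
        else if ($2 != "*" && $2 != "x" && $2 !~ /^!/) out = out " password-set"
        # Only nologin/false style shells refuse an interactive session.
        if (shell !~ /\/(nologin|false)$/) out = out " login-shell=" shell
        if (out == "") out = " ok"
        print substr(out, 2)
    }'
}

# The two lines quoted in the thread, then a constructed hardened entry.
for entry in \
    'shoutcast:*:4000:4000:::0:Shoutcast sandbox:/bin/noshell:/bin/sh' \
    'shoutcast:#$@#$@#$:4000:5000:::0:whatever:/home/shoutcast:/bin/sh' \
    'shoutcast:x:4000:4000:Shoutcast service:/nonexistent:/usr/sbin/nologin'
do
    printf '%-40s <- %s\n' "$(audit_account "$entry")" "$entry"
done
```

On Linux, an account whose shell is nologin needs root to run `su -s /bin/sh shoutcast -c "..."` to start a command as that user.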