New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Oh no! Go to sleep
I'm sorry
Btw I vibe coded a C webserver daemon and asked the LLM to make something fun to see.
It generate a dashboard that showed me the server resources and I saw the list of all the zfs users and their quotas and all the Ips of the machine.
Don't know if this made your anti abuse system angry
So the PoC of @forest thinking in this thread as your "vibe-coded" daemon turn into the exact thing he was warning about ?
You did it right, but our dummy system did react, little to late but always. And yes I plan to "fix" this hole tomorrow. Do you willing to help? We talk about your account also tomorrow as i like your vibe in this after party scenario 
Thanks 
i like your spirit @elusiVeRPG and i'm subscribing to your blog so i can read about all the clever nonsense people try :>
I'm curious what the threat model is. What information do you want to prevent users from accessing, and what actions do you want to prevent them from performing?
@forest
and was prepared to show all the data (list of zfs dataset - so the usernames :P )on port 8081.
He built in C something that tried to get data from getifaddrs() getmntinfo() kvm_getprocs(). The last one was already blocked (security.bsd.see_other_uids=0) so he did not see other users processes. But he can get my wg0 interface ip and the mountpoints of every ZFS dataset under /home/* Including other users so he can see usernames of the people on this box and our primary v6 + all users ipv6 addrs we have in interface. He also ran a public website with port 8080 using shellter.me name
For me? In perfect shellter world, I want to keep users as safe as possible, so I do not want the users to see even the usernames of each other. I know that many services like this, have server usernames that are just not secret at all.
I have two paths to choose from: accept that the users can see other users' usernames and IP addresses and make sure that the people who use shellter are aware of that or try some work on the topic.
Plan I am parking until tomorrow (as i need some sleep): move each shelluser into a non-VNET jail with enforce_statfs=2 (default on 15) + put wg0 and the ns-middleware client in a tiny VNET jail of their own. Hope it closes both holes without going full per-user VNET.
Any help in the topic most welcome
Or get this again under consideration and make sure that the users are aware that their ip or usernames can be seen by others.
I haven't used FreeBSD in ages, but isn't
∕etc∕passwdworld readable anyway?Please kill me now. I get so obsessed that nobody see this over getmntinfo() and as dummy me forgot about obvious basics. 🙈 Yes sure he can see that there! I just almost try to "fck" myself with extra bunch of useless work. Thanks @forest for saving me from misery
Some notes:
getent passwdandgetent groupcommands.@elusiVeRPG
Sometime, when you get a chance, maybe you could install ii for me, please? Thanks!
On shellter:
On another FreeBSD machine:
When I'm thinking about it, and I love any FreeBSD community project...
Isn't it kind of "90s approach" to give shell accounts? Especially when IRC is
pretty much dead. And if you think it's not, I bet you can spend 0.5$/mo on Tierhive.
And then you get a fully virtualized OS of your choice.
Now before you roast me, I get it, it's a hobby, I totally get it, it's a community fun.
But FreeBSD allows so much more with bhyve, and basically zero overhead for
containers. Why not simply allow containers?
I think it's just simply to feel a little like in 90`s
. Maybe also learn something new and meet new people with similar hobby. 
We also have many other projects that we do and many other projects that we want to do in the future. Maybe something with containers, but for now we play with shellter
.
Okay, four hours of sleep should be good enough.
@samoht999 You had access to the data that everybody can do access now. Only jail can really prevent it. The problem that gives me the red flag is that you want to go public with the data which are not sitting in passwd; they are in user quota, those where user delegated ipv6 addresses. And that is so sad 
that you make my heart bleeding and split into two, as your way of doing it was really, really fun and has this old school "kiddie" in it. But sorry, that still was a little too far in my opinion. We can NOT tolerate any kind of abuse if we want to have shellter running long time and for all who will to use it in "normal" way.
We have also many things to learn as we really want to give something good and fun to community. Saying that we have a dream to make some sets of service bundle is little to big but we want build a some for you. As shellter, our tunnelbroker, shrink (https://shr.al link shortner - still under development but will be available soon) freedns service (a mini version of freedns.afraid.org) and some few others idee.
And please don't get me wrong, those are all the hobby projects. Abuse is a little pain in the ass, but also is a way to get some knowledge for us. Every day we learn something new and every day we try to expand our horizons.
For users who are willing to have an HTTP server or host a website on Shellter please ask us probably we will help, but please behave or you will be eaten by our FreeBSD deamon :P
Done, and happy to learn as I use irc from 97 and first time I see "ii"
. I will test it also today.
The daemon with the user quotas on port 8081 was off when your super Free SD daemon banned me
I didn't keep it running
That's why you are not purged yet, just suspended :P. I keep you in purgatory for a while, but I think if you will commit to behave and to not feed the beast in any other way our angel of salvation can give you a rope to climb up from there.
I appreciate what @elusiVeRPG wants to do. My journey with linux started from a similar project in which I had to send a postcard and receive a shell access back in 2005. That shell helped me a lot with learning Linux and with scripting.
I also love IRC a and what @elusiVeRPG wants to do in promoting it. Sadly, IRC did not evolve much (I still appreciate InspIRCd / Anope projects trying to add more features — I try to contribute to those when I can), but sadly social media became extremely popular for communication, while IRC remained mostly beautiful for its simplicity and privacy.
Anyway, keep it going @elusiVeRPG and I hope many will learn FreeBSD using your platform.
I really like this project.
It reminds me of those tilde services.
Maybe an idea for this too?
As it would also remove the overhead of running your own webserver as user.
Oh dear (l)user who was purged few minutes ago.
.
You even didn't read the site. If you read it, you know that it's not a single-user system.
We are in multi-mode my dear dummy
What this little adventurer actually did:
He registered on our tunnel broker tb.tahio.eu
love you for that he got three /64 prefixes per tunnel, so he got himself a nice triple :P.
Problem: a tunnel needs a client endpoint to terminate on. He didn't have one or he want to give us extra ipv6 space such a noble couse. So he registered on shellter (also ours), from inside his shell account tried to build a SIT tunnel between OUR tb server and OUR shellter — both endpoints owned by us, no box of his anywhere. He wanted our shellter to receive the tunnel from our TB and assign his three tb-allocated /64s
to his shell account as IPv6 addresses.
He typed all the iproute2 commands (
)
ip tunnel add,ip -6 route add,ip link set) without noticing that shellter runs FreeBSD andipdoesn't exist here. Zero output, zero pause, just paste paste paste from our tb config generator! (happy to helpWhen the tunnel cosplay didn't work, he switched to plan B - the hacker wannabe! FreeBSD single user mode root password recovery sequence straight from the handbook (I did learn something new, now I can recover my long lost root password
):
fsck -y /
mount -u /
mount -a
passwd root
exit # boots to multi-user
Yes, the "# boots to multi-user" comment is still attached in his bash history. Attempted from a regular shelluser session on a fully multi-user host.
Reading the rules takes ~3 minutes. Suspension takes 30 seconds.
Math your way out of that my love.
We actually plan to do it in this way also, that user gets:
https://shellter.me/~username/ and https://username.shellter.me/ but was busy with other stuff maybe it will be rolled out today evening. Thanks for the tip.
Cool! Would we also be able to run CGI scripts or is it just for static sites?
I need to think about it for now. I will just say that I will get that under consideration.
What are you trying to achieve here? Was there any actual harm done? I assume none of what they tried actually worked - and at some point they should probably notice and stop. Of course, if they keep hammering the system with nonsense, then fine, but if it's a one off because they misunderstood what they got, then I am not sure why to bother. You really should have more confidence in FreeBSD to block anything harmful from non-root accounts.
Actual harmful outbound network activity might be another thing (but would you be able to attribute that to a specific user?)
Also, there is this super evil hacker tool called
df(which I am wondering if using that should get a user banned? /s)I like the motd, nice sexy devil
EDIT : It would be great if you put commands in motd, example getegg for eggrop or znc for installing znc, you have preinstalled software but its missing info in motd ? info is for ipv6 rdns ports and irssi
Are you joking? Did you read the whole story or just taking something from the context?
What are you trying to achieve here? Whole account activity was not "nice" noting more nothing less and the story was to get a little fun in it, pull the stick from your 3 letters :P
I will make something about it when I have a little free time later on evening.
Yes we are able to flag traffic to specific user and we do that.
@emperor some years ago I have also this one: https://asciinema.org/a/406811
But don't tell to anybody as it was on Debian :P
I doubt FreeBSD will mange to block users from running vibe coded daemons using code they likely don't even somewhat understand on the open internet
Wow thats even nicer
Great one
that was not my words :P Those words are from @cmeerw
I coded my first c daemon at age 13 some 20+ years ago