Somewhat in response to a message from taubz, given its own topic to encourage reading:

There's been an idea floating around here for a while of having one or more people set up special shell accounts on their machines for people to learn programming in a prestocked (probably UNIX?) development environment. I think it would be neat to have a whole mini-C course, possibly based on an existing web tutorial of high quality, with all dev tools, example sources, etc., set up. I'm sure others are interested in all sorts of things, including having popular dynamic web dev technologies set up to create simple web sites while learning.

So it comes down to this: does anyone have a permanently connected machine and the interest and ability to host something like this? I know taubz is just looking for hosting to be able to use a machine of his for this purpose. Please let us know if you'd be interested in this, or if you have any additional suggestions for this idea.

possibly, but not sure at present... I'll have to investigate.

So how would this work? The people connect via SSI, or Telnet and read something on what they are to do, then attempt to do it? Would chatting or instant messaging be allowed inside this shell? What APIs would be allowed? What Languages would be available?

Humm.... I have an idea for the programming thread...

One would think you'd never used UNIX before. :-)

It would be a regular UNIX machine, stocked with some things to help people learn various things. Read this as very open ended, awaiting ideas from members.

So, I have never really connected to a remote unix machine too much. Could you use the commandline version of emacs in the shell account? You might want to include both vi and emacs though (if you CAN even do it)... some people can be finicky.

Would it use gcc or cc?

Would we be able to connect to the X server (I have no idea what this would involve, I just know its ports have a tendancy to be firewall'd out in firewall packages)?
Would we include easy to use programs to message other users? You could just do a whois to see whose currently logged in, then type something like "mesg DakeDesuDx Hi," (/me thinks) I believe there ARE programs to do this, just you cannot operate the commandline while doing it which might take away from the fun of the shell account and turn it into a glorified chat... so if you want I will research on how to send messages terminal to terminal, but sadly I do not have a network so I could not test it on my home computz other than for runtime errors.

Also would we be able to sign up shell accounts on the web? I know it is possible for SSH and FTP seeing as how many webhosts work like that.

Would we be able to use sendmail?
If we are allowed to use X, what would be available? Motif? KDE? Gnome? BlackBox?

(/me thinks that this would require a LOT of harddrive space for the options...)(/me also wishes he had the skill and the computer to do this...)

I chat on IRC too much... that should not be a "whois" it should either be a "who" or "whoami"

Dake, that would be very much up to the server administrator, but my guess is that it would not allow X... Basically what you would have would be gcc (Why would you use cc?) and your standard unix text editors, pico, vi, emacs.
You would be given a disk quota of maybe a meg or 2, meaning that if every TPU user signed up, then you would have no more than about 3 gigs used for home dirs...
SSH would be the only allowed protocol, and I imagine that signups would be integrated into the devlocus system somehow... possibly to allow the administrator to do per-case access desicions, (such as denying codered access). sendmail and all other messaging commands would be disabled, and permissions would be set quite low for each user (so some malicious program couldn't kill the system).

I'm hoping that after I get my adsl set up (hopefully not too long!), then I can think about doing that, and such...

What would the point of disabling message commands be? If they really want to message each other there are all sorts of products out there to do it, we would just be making it a little more convienant. I think sendmail would be useful if we limited it within the system, no ingoing or outgoing emails to the users. Sendmail could be used to send users warnings, and also maybe messages to the whole system. I admit we could just have the messages to the whole system be displayed first thing they log in, but something about sending an email to the whole system seems to put a smile to my face.

As for low permissions, I agree. Though we should still allow the user to open ports, so that they can play with code for something httpd, sshd, ftpd, or even telentd, just these ports would be above the root ports, and the daemons would be assigned to the username that daemon (Thus making those said daemons useless if they log off, or timeout &evilgrin;).

Dake, you don't seem to understand what I meant. Messaging software like ICQ and IRC are quite readily available, so there is no need to increase load on the server through frivilous conversations. No way that _I_ for one would allow people to open http, ftp or telnet ports... that's like saying "Please, turn my server into a DDOS zombie!

The point of these lShells would be to have a uniform development enviroment that would make it very easy to give help or advice... if people want to start getting into anything too complex, then they can do it on their own computers, because they have obviously reached a level of proficiency that will allow them to set up and use a compiler of their choice.

So, ideally, it would only need to have gcc and it's abilities to compile other non-c languages, right? That's the cool thing with gcc, it can compile all the fun languages.

Other than that, it could have a /usr/samples directory or something that has a couple very basic programs and their source, to show people what's going on. Those could even be copied straight out of a book (not sure of the legality of that, though). There should also be instructions somewhere telling people how to use man pages. A special tutorial on how to include files would probably be good, to avoid thousands of email messages telling the admin that "the compiler is broken because it can't find something.h". A tutorial on understanding the very cryptic gcc error messages would also be a plus!

A bunch of you are acting like making a development machine that can be accessed remotely is a new challenge. In fact, nearly all Linux distributions qualify for this out of the box. I have to express surprise at Dake's ignorance here, since telnet/SSH/actual physical terminal are just different I/O methods for interacting with your shell, and programs don't even need to know which you're using, so there is NO extra effort needed to use ALL console programs. If you ask "will such and such be available?", ask yourself whether you have it on your UNIX machine and if it's safe to give shell users access to it. The effort that must be put in is in security and basic infrastructure stuff.

Well, the main root of my ignorance is I have never really used a shell account through telnet, SSH, etc., too often. I have one computer in my house which is running Red Hat Linux (thus causing more ignorance on my part)

I guess I can agree about the message software.

As for the ports, they will NOT be root ports like 80, 22, etc., they will be above 1024 (I believe it is) and if I recall correctly you cannot have any programs running under your name when you logout, so put a timeout on each username so they have to log in again after X number of hour(s) (I would suggest two). Most people would have to spend a great deal more effort advertising a http site at port 5032, cause most people would just type in www.tpu.org, or whatever the domain name would be for these shell accounts.

If we get DoSes, well we will find out which program is allowing it (there is software out there for that, I have never run a server on anything other than localhost, so I do not know if you can do it with `top` or not...) and then talk to that user, requesting them to disable that program opening the server up to DoS, they should be reasonable, if they refuse to disable that program, we freeze their account. They will have a difficult time signing up again, cause of the approval process.

We could also request that users do not have software like that on the server for more than two months, we will get other users to report problems, and I am sure somebody will report them (Cause if you've ever heard about the fight about whether GDTalker or Tiberia is better you'd know how this would work).
The main point of this would be so that the user can learn about programming stuff with sockets. I must state clearly that it is NOT about giving them a free server to do their wimps upon.

If your also worried about Telnet, we can have something on the server monitor what is being send and recieved to see if anything is using the telnet protocal, and then just end that task. We should also monitor which programs are doing what anyways, so we do not have people taking up the server resources with a quake clone they've compiled.

Heck if you want we can monitor users so that we know what type of underwear, if any, they are wearing while using the shell account.

I will state that is some idiot wants to DoS TPU, that they deserve a smack, because I find that extremely stupid... It is like somebody saying breaking other peoples stuff is fun, it shows a lack of respect for other peoples belonging and I do not think those people should have shell accounts to begin with.

I think you're still making this more complicated than it is. What I have in mind is simply restricting ports < 1024 (incoming and outgoing). Telnet and SSH are both fine to use to log in. Programs using more than 20% of the CPU for over 15 minutes can be killed. 5MB disk quota. Machine reboots every few days to kill off servers and stray processes.

I think that restricts people from doing anything that they couldn't already do on their own PC.

- taubz

Okay good... I have a tendancy of making things too complicated, that is prolly my tragic flaw.

As for disk quota hum... I guess it is okay, if people want to store stuff they've used to learned there are various other services on the net they can use. I would have before put it at 10Megs, but I guess that is a little much, considering it will prolly never be used.

I actaully never thought of reseting the server. That is a lot simpler than what I put.

I would also request having a version of the JDK installed on the server and maybe javac. I am requesting this cause it is not a standard distro thing, seeing as how I never got it with my current distro >_<.

Will the users be allowed a sort of webpage going? The purpose of this would be so that they can share what they are learning with others, and we would have a ToS agreement of some sorts (tell me if I am making this too complicated). I am not sure about this, cause there are many, many other services that offer it. So it is not really necessary. The only plus for this would be no ads, and only "Teen Programmers" could sign up so we do not need to worry about people using it to host their company, cause the purpose to it would be for sharing with the world what people have learned on the shell account (Sort of like an electronic refridgerator for aged toddlers).

Two things that I would suggest not allowing users permissions to the printer and Lynx. I am pretty sure that there are people out there that would find it amusing to print stuff out on somebody else accross the net's computer. Lynx, well, we do not want people to be using server resources that are completely unnecessary.

Why get rid of Lynx? How else are people going to be able to view HTML?

LOL... no comments on the denying access to the printer? :)

That's a given.
I don't see why RedHat would make you ignorant.... I have RedHat on my machine, but then again, I'm a console junkie :-)

I just note for other communities that promoting Red Hat in anyway is a rather nice way to start a flame war between which distro is the best. I simple step out, by saying,

<longstory>
"My mother is a \"Windows Expert,\" she did not understand why I was on Linux to begin with, often blaming Windows 95 final crash on my RHL 5.0 distro. Then I was stuck with RHL 5.0, when the current architecture was RHL7.x, so I need to upgrade Linux... I kept asking Mother to buy a new version of Linux, and her excuse for not getting it was \"Which Linux SHOULD I get, and will it support your hardware,\" >_< which is the natural answer of a \"Windows Expert,\" So due to a strike of Luck I managed to get a copy of Red Hat Linux 7.0 on a burned CD, and have been thankful for it. I still get comments like, \"When are you going to upgrade to Windows,\" or \"I've never heard of Linux,\" or \"Isn't Linux hard to learn.\" So naturally I have come accross the conclusion that I am not that smart, just everyone I know is a complete idiot, which I privately keep to myself."
</longstory>
Normally just mentioning "Windows Expert" will get whatever community I am in to start bashing windows (whether it deserves bashing or not), or something similar.

ILL!

(I love linux)!

I don't see how the printer is a security problem if there's no printer attached to the computer.

If I'm the one setting it up, then the only TOS/use restriction that I would have is that the server is not used for commercial purposes. Enforcement would be unnecessary, though. To me it doesn't matter if there are non-teens using it, non-TPU members, etc. The more the merrier, as long as the server isn't overloaded (which would be controlled by the software restrictions, not TOS restrictions).

Yes, they would get http://host/~username webpages as well as Sun's JDK, MySQL, lots of Perl packages...

So, yes, Dake, you're still making it waaay too complicated.

- taubz

>> I don't see how the printer is a security problem if there's no printer attached to the computer.

LOL! For some reason, that strikes me as funny.

DakuDesuDx,

You can get CDs of any linux from http://www.cheapbytes.com/ It's really cheap (like $10 including shipping).

Anyway I think that you'll be a good user of the TPU Shells because you are not yet a unix guru and you seem to be enthusiastic about it. =)

-Mike_L

Everybody,

I'm working to get two shell boxes set up. Actually one is already set up, but I don't know how long that will last. Anyway my intention is to set up at least two boxes permanently on the Internet.

Psion and taubz have the same ideas as I do:

ssh logins
2-5 MB disk quota
reboot every week
user webpages, http://foo.tpu.org/~username/
disallow incoming and outgoing data on ports < 1024
disable sendmail, lpd, and other unneeded system commands
absolutely no X-Windows stuff

I will run my servers on OpenBSD 2.9. This OS is very stable and secure. It would have your typical console development tools installed as well as support for various languages and libraries.

I like the idea of a unix sockets tutorial. I wrote some example unix sockets programs a while back and they have been sitting on my website. Occasionally I get emails about them.

Anyway this is a good idea. We'll just have to see how my two servers work out, and if anyone else can set up a server or two. I have some hardware I can donate to someone if they have a decent connection to host it.

I would like to experiment with file replication. This would mean that users could get their files from any of the servers. It would also mean that one server could go offline and the others would keep on chugging. Psion suggested using AFS for this.

-Mike_L

Heres a question... would you allow users permissions to edit their .bash_rc and .bash_profile (or whatever they are named on server) files?

It can be amusing to see a program screw up and say your login name is "Da cow who can eat toilet paper," instead of your actual login name, but I can forsee it cause problems with some stuff that the users will be attempting to do. It might be useful if one of the other users setup a directory with decent and fun program, and I wanted to add their directory to my path, because they have given proper permissions to me, and a couple other users.

I am just curious. It is of no consequence what happens in this case.

That's completely irrelevant. These files just store commands to be executed at logon. You can enter them all yourself and get the same effect.

Yeah I guess... I was asking more about writting permissions... but I guess, (now that I actually use that thingy inbetween my ears), they could just do EXPORT $whatever="dohicky"

Dake, you're getting on my nerves here. Most of your comments are irrelevant because you don't know enough about what you're talking about to comment, and you ramble a lot more than me, which is a lot.

Next time you're about to post, why don't you ask yourself 1) can I answer my own question, and 2) if I really can't, can I at least say it in fewer words.

- taubz

Dake, exporting a variable does nothing! That is the concept of permissions... you (and all programs execuated by you) only have whatever rights you are granted... the perfect dictatorship :-)

So, if the server admin decided to perhaps, not let Dake run any files, that would (AFAIK) be possible...

wtf? I do not understand what you are getting at gian...

I was asking if users would be allowed to edit the variables that are initialised when they log in... that is where the "export" comes into.

As for permissions, if I make a program in emacs (provided I have permission to do that) then I own that program, and I decide permissions. Sure the sys admin can too, but I doubt they will be babysitting that much. I am the one who can take a directory I have made (provided again, I have permissions to mkdir) and allow others to use it. If I were to chmod 0755 ~/public/ , then people could add /home/DakeDesuDx/public to their path and run executables I have made.

I will say again, that I have no idea what you are getting at, so if my post sounds stupid it is cause YOU never explained yourself properly.

Dake! if someone added /home/DakeDesuDx/public to their path, and executed a program you had written, that program inherits THEIR permissions, not yours, so for example, that program, if executed by me, could not write to your home directory, or /, not could it change the root password, because whatever you run on Unix inherits the permissions of the person which has invoked it!

I'm beginning to agree with Psion about where you learnt about Unix from...

You see that NO program, whatever the permissions a user may have set on it will have any more permissions than that user does... so unless the user has the right to execute rm -rf /, then neither does *any* program that they run.

And dake, exporting variables does nothing too!
doing "gian=1" from the console does exactly the same thing as putting "export $gian=1" in your .bash_profile.... honestly, like Psion said... "Most unix systems qualify for this straight from the box"... Unix has been in use for about 30 years.... they've though pretty long and hard about things like permissions...

You know what, you have missed the point of the argument.

I am not disputing a user other than the user who created file gaining access to write in a directory. The write permissions where for the user to write to THEIR OWN login files!

The thing about adding /home/DakeDesu/public/whatever to the path was suggested as a useful use for editing the LOGIN file, not as the security problem in question.
I was not in anyway suggestion that some user will go into another user(s) directory and editing files. I do not remember seeing that in any of my posts. I was asking if I would have permission to MY OWN version of those login files.

I then thought that export was a solution to any permissions to that file. IE: .login is owned by root, and I have no permission to touch that file other than reading or maybe executing it. My solution is not to touch that file, and just use export to play with the variables in that file.
The only two users that matter in my question about written permissions are admin and the user that the login file is used by. The third user, which apparently only I can see the grassy knoll, came into the picture when I was describing a possible use for it.

Do you understand the words that are printed on the screen? (I am getting very fustrated with people misintrepeting what I am saying)

Here lets explain it like this:

Suppose Metamorphic creates a fun text based adventure. It is just him playing around.
He allows other people to VIEW it.I then, being the lazy bastard I am, decide to instead of typing
$ cd /home/metamorphic/tba/; ./potatoe
I instead decide to edit my file that contains whatever the path variable is to contain: PATH = $PATH:/home/metamorphic/tba (sorry if there is any large syntax errors there, it is off the top of my head)
After I log in again, by doing this, I will beable to type
$ potatoe
and be able to play the game.
If I do not have permissions to the .login file I can simply type (if there are other files in the directory I want to use):
$ export PATH = $PATH:./:/home/metamorphic/tba

I have no idea where this delusional soap opera of permissions you thought I was asking came from.

If I have to explain further, I will have no other choice, but to abandon english as a first langauge cause A) Nobody seems to understand what I am talking about B) I cannot express what my thoughts as well enough in this medium.

You understand that because more than one person is "misinterpreting" you, that perhaps you should re-phrase your "argument"...

Dake, you are still arguing over something that has *no* importance, and you seem to be digging yourself into a deeper and deeper hole... stop while we can still see the top of your head....

I get what you're saying. There is, AFAIK, no way to restrict environment variables. Indeed, the use of environment variables poses no security risk, so there's no reason to try to ban them.

gain! The biggest misunderstanding here is that you think I am still arguing for or against or whatever my stupid thought.

I am now arguing about what you thought I was saying.

Pareu voi Francaise?

Incase I seem to have some strange thought on what the denotation of my words are, I was dispute the inferance that you thought I was still trying to present an "argument."

See, dake, just because you add /sbin to your path, doesn't mean you will be able to execute all the binaries in there...

Because the owner of those files (root) has set the permissions on that to Full access for the owner (root), read and execute access for the group (root), and NO access for Everyone else...


And because you are neither root, nor in the root group, you will be denied access, even though it is in your path...

(/me now knows that no matter what he says in this post, gian will think it as some ignorant nonsence, due to his inability to read)

Okay. This idea that I would be able to use, say some fun program that say Psion made, was based on the idea that <b><u><i>!!!!@@@@|_-Psion-_|@@@@!!!!</i></u></b> had chmod'd /home/Psion/funstuff/ to something like 0755 or some similar permission, so that the fun program he made could be used by others.

(/me wonders if gian will notice me saying it was Psion who gave permissions to it, and not me trying to hack it, which would be dumb)
(/me wonders if he made the name Psion noticable enough, despite HTML not being supported here)
I had first asked about .login being changed, because it could lead to some pranks being done on various programs, and etc., on the system, but no real serious security hole. I was thinking of it as a prank, which would show how stupid people are, which I am beginning to think that even meeting people on the internet will not show me signs of intellegent life.

(/me wonders if that last paragraph was too abusive)

Dake, you simply just re-iterated what I have said for my last ~3 posts... if Psion wants to share his fun little program, he can, because it will never have root permission when executed by you, so the damage it can do is minimal, and who cares if you use it!

I think you need to be a little more introspective before you start being abusive about other people's ability to interpret the constant stream of letters that you seem to think is speech.

gian... did I ever say I would have root permissions running that program?

gian... did I ever say the program would cause damage when run by me?

Dake: The fact that you asked about whether or not environment variables could be fiddled with suggests that you though that these modifications might have cause to be forbidden, the sole reasons for which are policy violation or security risk. There's no reason for policy to forbid the modification of environment variables, which leaves security risk.

The only way something like that could be a security risk would be if it could either get elevated privileges, or circumvent security. The more obvious of those two would be elevated privileges. This is, I think, the interpretation shared by most here.

You should probably consider thinking a little bit more before you post.

> I am just curious. It is of no consequence what happens in this case

I think the "no consequence" is a major clue I am not talking about a security error. Of course, I might be speaking a different version of english. Is it not emphasised when it is at the end of a post?

>It can be amusing to see a program screw up and say your login name is "Da cow who can eat toilet paper," instead of your actual login name,

This shows that it can be used for pranks. If a user has experienmented with a program that reads the other user's name, perhaps storing them, this will make this site devolve into something worse than GameDev. I am not saying it will read the other users .login file... maybe an environment var, and only if the user who is "Da cow who can eat toilet paper," runs the program.

I think the name also implies that this would be for pranks.

> but I can forsee it cause problems with some stuff that the users will be attempting to do.

Notice the word users there... not "superusers," and again I was trying to hint that it might be a hinderance to programs that other users have made that use enviromental variables.

These are all from my first post on this subject.

You seem rather misguided about the way that one would "spoof" their username.... Do you have a linux machine?

Do it, and then come back and tell me, because from your "description" (in the lightest sense of the word) what you are saying sounds implausable...

Can you guys just drop it, please? (AKA, any more replies are likely to be deleted by me.)