Get your own restricted shell!
$ grep restricted /etc/passwd
restricted:x:1001:1001:bert hubert,,,:/home/restricted:/home/ahu/git/secfilter/shwrap
$ cat shwrap
#!/bin/sh
/home/ahu/git/secfilter/secfilt --no-outbound-network=1 /bin/bash
We often get requests for a PowerDNS package repository to ease updating. This is our idea on how we'll implement this.
There will be a repository that always gives you
1) auth and recursor from the tip of master or other branches ("scary-master", "scary-oneshot")
2) auth and recursor from 3.3.x, where we promise that updates within 3.3.x will never break ("auth-3.3", "recursor-3.5")
3) auth and recursor "highest released version" ("auth-release", "recursor-release")
So to upgrade to a newer version, either:
1) just update and get whatever pain we want to inflict on you
2) update and get something that Should Just Work
1: blogspot.com
2: test.blogspot.com
3: blogspot.co.uk
Now we get a lookup for zzz.blogspot.com: is it on the list? We do a binary search and end up between 2 and 3. So how do we decide if zzz.blogspot.com is on the list?
Walk backwards until an entry matches? When do we stop?
This setup only works if we do 4 lookups, one each for zzz.blogspot.com., blogspot.com., com. and the root (.), which is exactly what we don't want.
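To make the problem concrete, here is an added example (not code from the original page or from PowerDNS) that puts the sorted-list approach described above next to a suffix tree keyed on labels from the root downwards. The names SuffixMatchTree, naive_sorted_check and build_tree are my own; the tree models the kind of suffix lookup that a blocklist check such as the adservers:check() call in the Lua snippet below needs, where one walk over the labels replaces one binary search per possible suffix.

```python
import bisect

# Constructed blocklist: the three entries from the text above. Order does not
# matter to the suffix tree; the naive approach sorts the list itself.
BLOCKLIST = ["blogspot.com", "test.blogspot.com", "blogspot.co.uk"]


def labels(name):
    """Split a DNS name into labels, dropping the trailing dot and case."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def naive_sorted_check(blocklist, name):
    """The approach the text rejects: binary-search a sorted list once for
    every possible suffix of the name, the root included.
    Returns (hit, probes) so the cost is visible."""
    ordered = sorted(blocklist)
    parts = labels(name)
    probes = 0
    for i in range(len(parts) + 1):
        candidate = ".".join(parts[i:])   # "" stands for the root "."
        probes += 1
        idx = bisect.bisect_left(ordered, candidate)
        if idx < len(ordered) and ordered[idx] == candidate:
            return True, probes
    return False, probes


class SuffixMatchTree:
    """Labels are stored root-first (com -> blogspot -> test), so a single
    walk down the tree answers "is any suffix of this name on the list?"."""

    def __init__(self):
        self.children = {}
        self.on_list = False

    def add(self, name):
        node = self
        for label in reversed(labels(name)):
            node = node.children.setdefault(label, SuffixMatchTree())
        node.on_list = True

    def check(self, name):
        """Returns (hit, labels_visited); stops at the first listed suffix."""
        node = self
        visited = 0
        if node.on_list:            # an entry for "." would match everything
            return True, visited
        for label in reversed(labels(name)):
            node = node.children.get(label)
            visited += 1
            if node is None:        # no listed name shares this suffix
                return False, visited
            if node.on_list:        # a listed suffix covers the query name
                return True, visited
        return False, visited


def build_tree(blocklist=BLOCKLIST):
    tree = SuffixMatchTree()
    for entry in blocklist:
        tree.add(entry)
    return tree


if __name__ == "__main__":
    tree = build_tree()
    for q in ["zzz.blogspot.com", "www.example.com", "blogspot.co.uk", "notblogspot.com"]:
        print(q, "naive:", naive_sorted_check(BLOCKLIST, q), "tree:", tree.check(q))
```

Note that the tree never matches on a partial label: notblogspot.com does not hit blogspot.com, because the walk compares whole labels rather than string suffixes, which is the property a blocklist must have.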
adservers=newDS()
adservers:add(dofile("blocklist.lua"))   -- blocklist.lua returns a table of domain names
function preresolve(dq)
  -- only intercept A/AAAA queries for names under an entry on the list
  if(not adservers:check(dq.qname) or (dq.qtype ~= pdns.A and dq.qtype ~= pdns.AAAA)) then
    return false
  end
  dq:addRecord(pdns.SOA,
    "fake."..dq.qname:toString().." fake."..dq.qname:toString().." 1 7200 900 1209600 86400",
# writes a Lua file that returns a table of 650,250 customer addresses, 10.1.1.1 up to 10.10.255.255
(echo return{;
 for z in {1..10}
 do for a in {1..255}
  do for b in {1..255}
   do echo \"10.$z.$a.$b\",
  done ; done; done
 echo } ) > filtercustomers.lua
addLocal("0.0.0.0")
newServer("192.168.5.123:5300")
addAction(AllRule(), MacAddrAction(65001))
-- using LuaAction, the MAC address could be hashed or truncated, for increased privacy
filter={}
filter["192.168.5.24"]={["b8:27:eb:0c:88:27"]=1, ["00:0d:b9:36:6f:79"]= 1}
filter["10.0.0.1"]={["06:31:25:7a:84:6b"]=1}
-- note that the filtering could be more than binary, but specify lots of categories
-- see https://i.imgur.com/wGwNHl7.png for inspiration
baddomains=newDS()
baddomains:add("xxx")
pi@raspberrypi ~ $ /sbin/ifconfig eth0 | head -1
eth0 Link encap:Ethernet HWaddr b8:27:eb:0c:88:27
pi@raspberrypi ~ $ dig www.ds9a.xxx @192.168.5.24 +short
blockingserver.powerdns.com.
ahu@ahucer:~$ /sbin/ifconfig eth0 | head -1
eth0 Link encap:Ethernet HWaddr 90:fb:e9:3b:61:dc
ahu@ahucer:~$ dig www.ds9a.xxx @192.168.5.24
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10412
# sqlite3 /etc/powerdns/powerdns.sqlite3 < /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
local-address=0.0.0.0
launch=gsqlite3
gsqlite3-database=/etc/powerdns/powerdns.sqlite3
master
daemon
guardian