Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.
[homepage] [index] [] [@jschauma] [RSS]

Of Headless User Accounts and Restricted Shells

The December issue of ;login: The USENIX Magazine is now available, featuring an article I wrote entitled ``Of Headless User Accounts and Restricted Shells''. The summary/introductory paragraph reads like this:

UNIX system accounts not bound to a particular user, so called ``headless user accounts,'' are frequently used to allow for automation of certain tasks. For security reasons, such headless accounts usually have a very restricted shell, allowing only a few select commands . At the same time, system administrators and service engineers frequently have a need to let such accounts execute additional commands, even though allowing an interactive shell is not an option. To address this problem, we developed a command interpreter called sigsh that requires a cryptographic proof of authenticity and integrity (i.e., a ``signature'') by an authorized party before it executes a set of commands. sigsh(1) is currently used by Yahoo! Inc. on over a quarter-million hosts to help discover potential software vulnerabilities.

If you're a USENIX/SAGE member, then you can read the article online (otherwise, you have to wait a year :-/).

Going topless. T.O.P.L.E.S.S.

As should be obvious, this is an article about sigsh, which we use at Yahoo! in combination with scanmaster for headless host scanning. In April, I gave a presentation about this at Twitter -- you can find the slides here.

December 1, 2011

[Parental Math] [index] [sudo: unable to execute <command>: success]