RE: NetReg: File protection / Subnet issues


From: Michael King (mking@bridgew.edu)
Date: Mon Jul 29 2002 - 22:13:23 CDT


First of all, you sound like you have a better handle on this than I do, so
if any of this doesn't make sense, it's most likely because I didn't
understand the question.

File Protection. I see what you mean. I have not tried this, but wouldn't
it be possible to assign the two user names to the same group, and give
access to the group using the "chown user.group file" command?

This website (for an unrelated product) has very good directions:
http://nagios.sourceforge.net/docs/1_0/commandfile.html

A secondary solution is that there is something called the "Paranoia" Patch
for the ISC DHCP server, which will do chrooting:
http://www.episec.com/people/edelkind/patches/

As for your second question, I have not had a chance to teach myself PERL
(no matter how much I want to), but if you are asking how many people are
using one subnet for unregistered, and one for registered, I am. I'm not
sure how many are, but I'm aware of at least two others, for a total of 3.

I like the idea of CIDR notation, since it would be more scalable, rather
than adding more subnet masks to the code. (Might even work with the /28's I
use for the unregistered range. The way I do it now is I add the unregistered
subnet, and let it count for each registered range. That broke when I
switched to /28's.)

Hopefully Allie will chime in.

Mike

-----Original Message-----
From: owner-netreg@southwestern.edu
[mailto:owner-netreg@southwestern.edu]On Behalf Of Robert Lowe
Sent: Monday, July 29, 2002 4:16 PM
To: netreg@southwestern.edu
Subject: NetReg: File protection / Subnet issues

Hi!

I just downloaded, installed, configured, et al, everything for the first
time. Some of the problems I encountered were discussed here, and I found
answers in the archives. However, some things are still not clear, and the
documentation is a bit thin.

The biggest problem I had was that the scripts failed because my web server
runs as nobody, which didn't have access to the necessary files. On the
other hand, dhcpd runs as root; this is the first time I've run the ISC
DHCP server, and since it doesn't have a user switch, I'm assuming that is
normal, unless you go to the trouble of chroot'ing it. What are most of
you doing to deal with this? What about the dhcpd.leases.tmp file that the
lease manager portion of admin.cgi wants to write? BTW, I added 'or' clauses
to all of the file opens, and used the error subroutine (or a modified
version of it in admin.cgi) to report problems. Perl will happily let you
use a filehandle when you can't open a file, making simple checks necessary.

The subnet problem is something I couldn't get a handle on from the archives.
I noticed some code in subnet_overview to deal with masks ending with 255,
254, 252, and 248, but nothing generalized. I extended that to deal with my
/20, but I'm still having trouble with the view_subnet routine, since there
doesn't appear to be anything there to deal with the concept of a non-octet
subnet boundary. I'm tempted to roll my own solution, but perhaps someone has
done this already!?? My initial thoughts were to change the subnet portion of
subnet.dat (and $ALLOW_DOMAIN for that matter) to CIDR notation, and use the
last field as a count of the usable dynamic addresses for that subnet. This
doesn't account for the potential use of shared_network spaces, where pools
for unknown and known clients could be on different subnets. This appears to
be important since view_subnet wants to determine subnet membership based on
the IP address used to register, and if it isn't on the same subnet (even
though they might be on the same wire), then some kind of mapping has to take
place. Is anyone doing that? Assigning a block of addresses for all unknown
clients makes it easier to filter at a router, rather than relying on bogus
nameservers, or even messing with the client's IP TTL. I was hoping to carve
out the last /24 of the /20. Any advice on how to best do that? Thanks!

-Robert

P.S. Some simple code that could be used to compare a host IP and a subnet in
CIDR notation might be something like:

#!/usr/bin/perl
use strict;
use warnings;

print "IP address: ";
my $ipaddr = <STDIN>;
chomp($ipaddr);

print "Subnet in CIDR notation: ";
my $cidr = <STDIN>;
chomp($cidr);

my ($subnet,$mask) = split( /\//, $cidr );
die "Prefix length must be 0-32\n"
    unless defined $mask && $mask =~ /^\d+$/ && $mask <= 32;

# IP address/subnet packed into 32 bits
my $pip = ip32( $ipaddr );
my $psn = ip32( $subnet );

# Netmask for each prefix length /N: the top N bits set, i.e.
# 2**32 - 2**(32-N).  Starting from 2**31 instead would leave bit 31
# clear in every mask, so e.g. 138.20.1.1 would test as being inside
# 10.20.0.0/20.  The loop runs to 32 so that /0 gets a mask of 0.
my $max = 2**32;

my %masks;
for (my $i=0; $i<=32; $i++) {
    $masks{32-$i} = $max - 2**$i;
}

if ( ($pip & $masks{$mask}) == ($psn & $masks{$mask}) ) {
    print "IP address and subnet match!\n";
} else {
    print "IP address is not in that subnet!\n";
}

# Dotted quad -> unsigned 32-bit integer; rejects anything that is not
# exactly four octets in the range 0-255.
sub ip32 {
    my @o = split(/\./, $_[0]);
    die "Bad IPv4 address: $_[0]\n"
        unless @o == 4 && !grep { !/^\d+$/ || $_ > 255 } @o;
    return ($o[0] << 24) + ($o[1] << 16) + ($o[2] << 8) + $o[3];
}
**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu containing a single line with the words:
unsubscribe netreg
Send requests for assistance to: owner-netreg@southwestern.edu
**********************************************************************

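
An added example, written for this archive page and not code from either
message or from NetReg: a Perl sketch of the CIDR handling the thread asks
about. It does the membership test on any prefix boundary (not only the
octet-aligned masks), checks that a /24 carved out of a /20 really lies inside
it, reports the usable host count a CIDR-style subnet.dat entry could carry,
and maps an unknown-client pool on a different subnet back to the registered
subnet it fronts for, which is the shared_network case. The addresses, the
registered subnet list and the pool map are made up, and the pool-map
structure is an assumption about layout, not NetReg's format. One pitfall it
guards against: a netmask table built from 2**31 instead of 2**32 leaves bit
31 clear, so 138.20.1.1 (10.20.1.1 with the top bit set) would wrongly test as
inside 10.20.0.0/20; the demo includes that address.

```perl
#!/usr/bin/perl
# Added example, not NetReg's own code: CIDR arithmetic for subnet.dat-style
# entries.  All addresses and the pool map in demo() are made up.
use strict;
use warnings;

# Dotted quad -> unsigned 32-bit integer; dies on malformed input.
sub ip2int {
    my ($ip) = @_;
    my @o = split /\./, $ip, -1;
    die "bad IPv4 address: $ip\n"
        unless @o == 4 && !grep { !/^\d{1,3}$/ || $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# Unsigned 32-bit integer -> dotted quad.
sub int2ip {
    my ($n) = @_;
    return join '.', ($n >> 24) & 255, ($n >> 16) & 255, ($n >> 8) & 255, $n & 255;
}

# Netmask for a /N prefix: the top N bits set.  Shifting 0xFFFFFFFF and
# masking back to 32 bits keeps bit 31, which a 2**31-based table loses.
sub netmask {
    my ($len) = @_;
    die "bad prefix length: $len\n" unless $len =~ /^\d+$/ && $len <= 32;
    return $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
}

# "10.20.5.7/20" -> (network, mask, prefix length); the network is
# normalized to 10.20.0.0 so host bits in the entry do not matter.
sub parse_cidr {
    my ($cidr) = @_;
    my ($addr, $len) = split m{/}, $cidr, 2;
    die "missing prefix length in $cidr\n" unless defined $len;
    my $mask = netmask($len);
    return (ip2int($addr) & $mask, $mask, $len);
}

# True if $ip lies inside $cidr, on any prefix boundary, not just octets.
sub in_subnet {
    my ($ip, $cidr) = @_;
    my ($net, $mask) = parse_cidr($cidr);
    return ((ip2int($ip) & $mask) == $net) ? 1 : 0;
}

# True if every address of $inner lies inside $outer; use it to confirm a
# /24 carved out of a /20 really belongs to it before splitting pools.
sub subnet_contains {
    my ($outer, $inner) = @_;
    my ($onet, $omask, $olen) = parse_cidr($outer);
    my ($inet, undef, $ilen) = parse_cidr($inner);
    return ($ilen >= $olen && ($inet & $omask) == $onet) ? 1 : 0;
}

# Network, broadcast, first/last host and usable host count for a block.
# /31 and /32 have no network/broadcast pair, so usable is reported as 0.
sub subnet_info {
    my ($cidr) = @_;
    my ($net, $mask, $len) = parse_cidr($cidr);
    my $bcast = $net | (~$mask & 0xFFFFFFFF);
    my $tiny  = $len >= 31;
    return {
        network   => int2ip($net),
        broadcast => int2ip($bcast),
        first     => int2ip($tiny ? $net : $net + 1),
        last      => int2ip($tiny ? $bcast : $bcast - 1),
        usable    => $tiny ? 0 : $bcast - $net - 1,
    };
}

# Shared-network mapping (an assumption about layout, not NetReg's format):
# unknown clients lease from a pool that may sit on a different subnet than
# the registered one on the same wire, so the address a client registers
# from is looked up in the pool map first and translated to the subnet it
# fronts for; only then are the registered subnets searched directly.
sub registered_subnet_for {
    my ($ip, $subnets, $pools) = @_;
    for my $pool (sort keys %$pools) {
        return $pools->{$pool} if in_subnet($ip, $pool);
    }
    for my $s (@$subnets) {
        return $s if in_subnet($ip, $s);
    }
    return;
}

sub demo {
    my @registered = ('10.20.0.0/20', '10.30.0.0/22');            # made up
    my %pools = ('172.16.255.0/24' => '10.20.0.0/20');             # unknown-client pool
    # 138.20.1.1 is 10.20.1.1 with bit 31 set: a 2**31 mask table matches it.
    printf "%-16s in 10.20.0.0/20: %d\n", $_, in_subnet($_, '10.20.0.0/20')
        for qw(10.20.15.200 10.20.16.1 138.20.1.1);
    printf "last /24 of the /20 is inside it: %d\n",
        subnet_contains('10.20.0.0/20', '10.20.15.0/24');
    my $i = subnet_info('10.20.0.0/20');
    printf "%s-%s (%d usable hosts)\n", $i->{first}, $i->{last}, $i->{usable};
    printf "172.16.255.9 registers against %s\n",
        registered_subnet_for('172.16.255.9', \@registered, \%pools);
}

demo() unless caller;
```

Run it with no arguments to print the demo; the `demo() unless caller;`
guard means the subroutines can also be pulled into another script with
require without the demo firing.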



This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:37 CDT