Econet in all its guises • HOWTO: Quick guide to setting up a shared fileserver with (Advanced)Level4 or PiEconetBridge

This is one of those quick "I had to look all this up and I'm going to forget if I don't write it down" threads :)
If anyone has any suggestions for additions or improvements, please drop a reply below and I'll try to incorporate them into this post.

So you want to set up a secure(ish) fileserver for a LAN party?

Security
SYST is the default admin account for Acorn Level 4 (and most other Econet fileserver) systems. It defaults to having no password, and a superuser account with a known username is a bit of a target (this is why many UNIX systems prevent 'root' logins from remote systems). Needless to say, the first thing you should do is set a password on SYST, and ideally rename it too.

Level 4 and Advanced Level 4 make this easy. Start !Manager, click the iconbar icon and select "Local Server". Pick the "SYST" user in the user manager (it should have a crown icon, for System User) and open the user editor. Fill in the Password field with something suitably memorable. Hit the Update button.
For extra security you can rename the SYST account. To do this, middle-click the SYST user (the crown) and select "User 'SYST'", then "Rename". Enter the new name, and hit Enter.

For Pi Econet Bridge servers, it's a command-line job.
Open up a task window or ShellCLI, hit F12, or grab a convenient BBC Micro.
Log on to the fileserver with "*I AM station user :", e.g. "I AM 0.254 SYST :". Enter your password when prompted.
Now to set the SYST password, type: *PASS oldpassword newpassword

Renaming the SYST user isn't hard, but involves creating a new privileged user and deleting the old one, because *RENUSER can't rename the current user:

Code:

* I AM 254 SYST :  (enter password when prompted)
*NEWUSER KING
*SETPASS KING CHARLES
*PRIV KING S
*I AM 0.254 KING :  (enter password when prompted)
*REMUSER SYST

Setting up a locked-down user account to display a welcome message

By convention, the user BOOT should be set to autoboot, and display a bit of information about the server.
You may also set up a Cloud user, whose home directory should contain a single text file which contains information about the server and its owner.
This method can also be varied, e.g. to create users which autoboot into network games like Cave or Arena.

In Level 4 or Advanced Level 4 you'll want to create a new user and set the following options on their account:
  • Boot option: Exec
  • Privilege: Fixed (this locks the user into their home directory)
  • Root directory (URD): Boot, Hello, or whatever you desire. Can also be a subdirectory, e.g. Users.Boot or PubUsers.Boot
  • Create user directory: Check this box.
To achieve something similar (but better) on a Pi Econet Bridge server:

Code:

*I AM 0.254 SYST :  (enter your system password when prompted)
*NEWUSER BOOT
*PRIV BOOT N
*PRIV BOOT C

(Alas I don't know how to set the boot option and the README isn't clear - OPT 4 3 might work but would be system-wide)
This gives you a normal user who cannot change their password, "chroots" them so they can only see their own files, and stops them from seeing other disks. You'll want to make sure the files and home directory are owned by the system user - which will be the case if you are logged in as SYST while you create and edit them.

Now navigate to the new user's home directory. You'll want to create some files:
  • !ArmBoot - run by Archimedes class machines. Needs to be *SetType'd to Obey.
  • !Boot - run by BBC and Master class machines.
  • !Hello - SetType Text. Should contain your message of the day. Limit this to 40 columns wide, and 23 lines, so it fits on a MODE 7 screen.
ArmBoot can be a bit tricky: if you find the obvious "*Type <Obey$Dir>.MOTD" is giving you errors, try this template ArmBoot:

Code:

NetType !Hello

Make sure there is a blank line at the end of the file!

For the BBC !Boot, you should only need the following:

Code:

*Type !Hello

Finally, set the access of all the files in the BOOT user's directory to LR/r (locked, owner read-only, public read-only).
Go up a directory and set the Access on the user's directory to R/r (owner read only, public read only).

There is a catch if you do this with Level 4: Acorn ownership semantics mean that any file in the user's home is considered to be owned by them. This seems to mean that you can't stop someone from logging in as BOOT, then deleting the entire contents of the BOOT directory. Setting access R/r makes it harder, but still possible if the user knows their way around the filesystem commands.

On the Pi Econet Bridge, file ownership is independent of the path: to stop someone from deleting a file, it just needs to have its owner set to SYST (or another convenient user) with *CHOWN. Do the same with the user home directory too, and it will also be impossible to create new files as the 'fenced in' user.

Statistics: Posted by philpem — Sun May 26, 2024 1:36 am
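
A pre-flight check for the !Hello limits given in the post (40 columns wide, 23 lines), as an added example that is not part of the original post. The check for bytes outside printable ASCII, the accepted line endings and the sample messages are assumptions made here.

```python
import re
import sys
from pathlib import Path

MAX_COLS = 40   # MODE 7 screen width, as given in the post
MAX_LINES = 23  # line limit given in the post


def check_hello(data: bytes) -> list[str]:
    """Return a list of problems found in a !Hello message (empty list = OK)."""
    problems = []
    # Accept LF, CR or CRLF line endings (assumption: the file may have been
    # edited on another system before being copied to the fileserver).
    lines = re.split(rb"\r\n|\r|\n", data)
    if lines and lines[-1] == b"":
        lines.pop()  # a trailing terminator does not start another line
    if len(lines) > MAX_LINES:
        problems.append(f"{len(lines)} lines, limit is {MAX_LINES}")
    for number, line in enumerate(lines, start=1):
        if len(line) > MAX_COLS:
            problems.append(
                f"line {number}: {len(line)} columns, limit is {MAX_COLS}")
        # Assumption: anything outside printable ASCII (tabs, accented
        # characters, stray control codes) is flagged for manual review.
        odd = sorted({b for b in line if b < 0x20 or b > 0x7E})
        if odd:
            codes = ", ".join(f"0x{b:02X}" for b in odd)
            problems.append(f"line {number}: non-printable bytes {codes}")
    return problems


# Constructed sample messages (not from the post).
GOOD = b"Welcome to the LAN party fileserver\nHave fun!\n"
BAD = b"x" * 41 + b"\n" + b"caf\xe9 menu\tinside\n" + b"line\n" * 22

if __name__ == "__main__":
    # Check the file named on the command line, or the constructed BAD sample.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else BAD
    for problem in check_hello(data) or ["OK"]:
        print(problem)
```

Run it against a local copy of the message before copying it into the BOOT user's directory.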