Freeside demo information

Ivan Kohler ivan at sisd.com
Fri Jun 4 05:04:30 PDT 1999


Cc:'ed to the list as the stuff under 2) below may be of interest.

On Thu, Jun 03, 1999 at 10:09:17AM -0300, Lance Cavener wrote:
> At 07:56 PM 6/2/99 +0000, you wrote:
> >Hello Downtown <admin at senarius.net>,
> >
> >Your sample Freeside database has been set up.
> 
>   Ivan,
> 
>          Took a look at the program, and it's not bad. But your features 
> list on your web page is a little small, and I'm unsure about a couple of 
> things. I'll ask you here..
> 
> 1) Does it have any user services? Like check outstanding amounts owing? 
> Check hourly usage etc?

The only user service available right now is changing passwords, shells,
and full names ( a passwd / chsh / chfn replacement ). 

Using that as a framework plus the API documentation, other kinds of user
services aren't big projects, though.

> 2) How secure is it?

I think the code is secure.  Of course, you could set up a
Freeside box insecurely, just like any other program.

It's interesting that you also asked about user services.  I'll explain a
little about security and how user services are implemented securely.

Typically you shouldn't have anything listening on your Freeside box
except ssh (or similar) and apache-ssl (or apache+mod_ssl) with client
certificates.  Securing the clients (i.e. the windows boxes of the sales
and tech guys) is outside the scope of Freeside security.  Also, typically
the machine is placed behind a packet-filtering firewall.  The only
outgoing connections from the Freeside box are SMTP and ssh.

The passwd/chfn/chsh replacement is implemented using three parts: a
daemon that runs on the Freeside machine, a daemon that runs on the user
shell machine, and a client on the user shell machine.

The daemon on the Freeside machine opens a connection via ssh to the user
shell machine and runs the daemon on that machine.

The passwd replacement, like the original passwd, is setuid, but to an
arbitrary user instead of root.  Much of the code is taken from the
`passwd' script in the original (perl 4) camel book, now archived at
<http://www.perl.com/CPAN/scripts/nutshell/ch6/passwd>.  It talks to the
daemon on the local machine, which relays information back to the Freeside
machine via. 

To help mitigate DoS-type attacks, the client passwd program throws out
long data, and the daemon on the user machine (and thus the daemon on the
Freeside box) serializes requests.

All three programs together are just over 250 lines of code and fairly
clean so it wouldn't be a big task to audit. 

I've read the perlsec manpage a couple of times.  :)

> 3) Is it more reliable than URIBS? :) (we use URIBS now and I find it horrible)

I don't know; I haven't used URIBS, so I can't compare.

I'd hope it's more reliable than "horrible".  :)

>          Well that's it. I'll be trying to install Freeside today (you 
> should package apache and mysql with freeside so it's all there and already 
> configured. That would rock.), so wish me luck :)

I see from your .sig you're a FreeBSD user.  Aren't Apache and MySQL part
of FreeBSD ports? 

-- 
Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> Relhok Navi
Open-source billing and administration for ISPs - http://www.sisd.com/freeside
20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
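
The client-side checks described in the message (throw out long data, follow perlsec), sketched as an added example; it is not part of the original message and is not Freeside's code. The field names, size limits, patterns and tab-separated request line are all assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Freeside code. Field names, limits, patterns and
# the request format are assumptions. Run with `perl -T` to see the regex
# captures double as untainting (see perlsec).
use strict;
use warnings;

# Assumed per-field size limits; anything longer is thrown out unread.
my %MAX = (username => 32, password => 64, gecos => 128, shell => 64);

# Assumed whitelists, anchored with \A and \z so a trailing newline cannot
# slip through. The capture group is what untaints the value under -T.
my %OK = (
    username => qr/\A([a-z_][a-z0-9_-]*)\z/,
    password => qr/\A([\x20-\x7e]+)\z/,          # printable ASCII only
    gecos    => qr/\A([^:\x00-\x1f\x7f]*)\z/,    # no colon, no control chars
    shell    => qr/\A(\/[A-Za-z0-9_\/.-]+)\z/,
);

# Returns the cleaned value, or undef if the field must be rejected.
sub clean_field {
    my ($name, $value) = @_;
    return undef unless defined $value && exists $MAX{$name};
    return undef if length($value) > $MAX{$name};   # length check comes first
    return $value =~ $OK{$name} ? $1 : undef;
}

# Builds one newline-terminated request line for the local daemon, or
# undef if any field fails. Tab is a safe separator because every
# pattern above excludes control characters.
sub build_request {
    my (%f) = @_;
    my @out;
    for my $name (qw(username password gecos shell)) {
        my $v = clean_field($name, $f{$name});
        return undef unless defined $v;
        push @out, $v;
    }
    return join("\t", @out) . "\n";
}

# Constructed sample inputs: one valid, one oversized, one carrying
# passwd-file metacharacters.
my %good = (username => 'alice', password => 'n3w-Pass phrase',
            gecos => 'Alice Example', shell => '/bin/sh');
my %long = (%good, gecos => 'A' x 5000);
my %inj  = (%good, gecos => "Alice:0:0:root\n");
for my $case (\%good, \%long, \%inj) {
    my $req = build_request(%$case);
    print defined $req ? "accepted: $req" : "rejected\n";
}
```

Because each request is a single bounded line, a daemon that reads and handles one line at a time before reading the next gets the serialization the message mentions without further locking.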


