Free gid software for linux

MUNGE Uid N Gid Emporium is an authentication service for creating and validating credentials. It is designed to be highly scalable for use in an HPC cluster environment.
It allows a process to authenticate the UID and GID of another local or remote process within a group of hosts having common users and groups. These hosts form a security realm that is defined by a shared cryptographic key.
Clients within this security realm can create and validate credentials without the use of root privileges, reserved ports, or platform-specific methods.
Rationale
The need for MUNGE arose out of the HPC cluster environment. Consider the scenario in which a local daemon running on a login node receives a client request and forwards it on to remote daemons running on compute nodes within the cluster. Since the user has already logged on to the login node, the local daemon just needs a reliable means of ascertaining the UID and GID of the client process. Furthermore, the remote daemons need a mechanism to ensure the forwarded authentication data has not been subsequently altered.
A common solution to this problem is to use Unix domain sockets to determine the identity of the local client, and then forward this information on to remote hosts via trusted rsh connections. But this presents several new problems. First, there is no portable API for determining the identity of a client over a Unix domain socket. Second, rsh connections must originate from a reserved port; the limited number of reserved ports available on a given host directly limits scalability. Third, root privileges are required in order to bind to a reserved port. Finally, the remote daemons have no means of determining whether the client identity is authentic.
Overview
A process creates a credential by requesting one from the local MUNGE service. The encoded credential contains the UID and GID of the originating process. This process sends the credential to another process within the security realm as a means of proving its identity. The receiving process validates the credential with the use of its local MUNGE service. The decoded credential provides the receiving process with a reliable means of ascertaining the UID and GID of the originating process. This information can be used for accounting or access control decisions.
The contents of the credential (including any optional payload data) are encrypted with a key shared by all munged daemons within the security realm. The integrity of the credential is ensured by a message authentication code (MAC). The credential is valid for a limited time defined by its time-to-live (TTL). The daemon ensures unexpired credentials are not replayed on a particular host. Decoding of a credential can be restricted to a particular user and/or group ID. The payload data can be used for purposes such as embedding the destinations address to ensure the credential is only valid on a specific host. The internal format of the credential is encoded in a platform-independent manner. And the credential itself is base64 encoded to allow it to be transmitted over virtually any transport.
Enhancements:
- A bug was fixed that caused stack corruption on AMD-64 when using Libgcrypt.

mod_ruid is an Apache module based on mod_suid2 only for linux.

-it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities
-it has better performance than mod_suid2 because it doesn`t need to kill httpd children after one request. it makes use of kernel capabilites and after receiving a new request suids again.
-there are some security issues, for instance if attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec), or something..

-there are two main operation modes: stat and config
1. stat is default, httpd setuid and setgid to uid and gid of requested filename(script)/directory this is good if you use mod_vhost_alias for virtual hosting

2. config
like mod_suid2, you must define uid and gid

Installation:

1. download and install latest libcap from here
2. run /apachedir/bin/apxs -a -i -l cap -c mod_ruid.c
3. configure httpd.conf
4. restart apache

CONFIGURE OPTIONS:

RMode config|stat (default is stat)
RUidGid user|#uid group|#gid - when RMode is config, set to this uid and gid

RMinUidGid user|#uid group|#gid - when uid/gid is < than min uid/gid set to default uid/gid RDefaultUidGid user|#uid group|#gid

RGroups group1 group2 - aditional groups set via setgroups

RCoreDump - on or off, if on, you can have coredumps of httpd after crash (default off) RCoreDumpSize - limit size of coredump in bytes, 0 is unlimited (default 0)

lighttpd is a secure, fast, compliant, and very flexible Web server which has been optimized for high-performance environments.
lighttpd has a very low memory footprint compared to other Web servers, and it takes care of CPU load. lighttpd has an advanced feature set that includes FastCGI (load balanced), CGI, Auth, Output-Compression, URL-Rewriting, SSL, and much more.
Main features:
Advanced Features:
- virtual hosts
- virtual directory listings
- URL-Rewriting, HTTP-Redirects
- automatic expiration of files
- Large File Support (64bit fileoffsets)
- Ranges (start-end, start-, -end, multiple ranges)
- on-the-fly output-compression with transparent caching
- deflate, gzip, bzip2
- authentication
- basic, digest
- backends: plain files, htpasswd, htdigest, ldap
- fast and secure application controlled downloads
- Server Side Includes
- User Tracking
- FastCGI, CGI, SSI
PHP-Support:
- same speed as or faster than apache + mod_php4
- includes a utility to spawn FastCGI processes (neccesary for PHP 4.3.x)
- via FastCGI and CGI interface
- support Code Caches like Turckmm, APC or eaccelarator
- load-balanced FastCGI
- (one webserver distibutes request to multiple PHP-servers via FastCGI)
Security features:
- chroot(), set UID, set GID
- protecting docroot
- strict HTTP-header parsing
Platforms
Releases of lighttpd are built regulary for at least the following platforms
- Linux (binary packages for FC3, SuSE, Debian, Gentoo, PLD-Linux, OpenWRT)
- *BSD (FreeBSD, NetBSD, OpenBSD, MacOS X)
- SGI IRIX
- Windows (Cygwin)
while it is known to compile cleanly on
- Solaris
- AIX
and various other POSIX compatible OSes.

File::chmod is a Perl module that implements symbolic and ls chmod modes.

SYNOPSIS

use File::chmod;

# chmod takes all three types
# these all do the same thing
chmod(0666,@files);
chmod("=rw",@files);
chmod("-rw-rw-rw-",@files);

# or

use File::chmod qw( symchmod lschmod );

chmod(0666,@files); # this is the normal chmod
symchmod("=rw",@files); # takes symbolic modes only
lschmod("-rw-rw-rw-",@files); # takes "ls" modes only

# more functions, read on to understand

File::chmod is a utility that allows you to bypass system calls or bit processing of a files permissions. It overloads the chmod() function with its own that gets an octal mode, a symbolic mode (see below), or an "ls" mode (see below). If you wish not to overload chmod(), you can export symchmod() and lschmod(), which take, respectively, a symbolic mode and an "ls" mode.
Symbolic modes are thoroughly described in your chmod(1) man page, but here are a few examples.

# NEW: if $UMASK is true, symchmod() applies a bit-mask found in $MASK

chmod("+x","file1","file2"); # overloaded chmod(), that is...
# turns on the execute bit for all users on those two files

chmod("o=,g-w","file1","file2");
# removes other permissions, and the write bit for group

chmod("=u","file1","file2");
# sets all bits to those in user

"ls" modes are the type produced on the left-hand side of an ls -l on a directory. Examples are:

chmod("-rwxr-xr-x","file1","file2");
# the 0755 setting; user has read-write-execute, group and others
# have read-execute priveleges

chmod("-rwsrws---","file1","file2");
# sets read-write-execute for user and group, none for others
# also sets set-uid and set-gid bits

The regular chmod() and lschmod() are absolute; that is, they are not appending to or subtracting from the current file mode. They set it, regardless of what it had been before. symchmod() is useful for allowing the modifying of a files permissions without having to run a system call or determining the files permissions, and then combining that with whatever bits are appropriate. It also operates separately on each file.

An added feature to version 0.30 is the $UMASK variable, explained below; if symchmod() is called and this variable is true, then the function uses the (also new) $MASK variable (which defaults to umask()) as a mask against the new mode. This is documented below more clearly.

Xyria:CDPNNTPd is a minimalistic, easy to configure NNTP server for Unix.
The Xyria-project has been founded by Steffen Wendzel in 2004. The main goal of the project is to develop Unix services based on the following characteristics:
Provide a maximum of security while writing a minimum of code; only implement the most useful features and use as less external librarys as possible while supporting Solaris, OpenBSD and Linux x86.
Main features:
- extemely fast implementation (main target)
- very secure
- ip-address based listen()ing
- supporting IPv6 addresses and resource records
- load ballancing via round robbin
- running under an low-privileged UID & GID
- running under little endian systems: (at least) Linux, Solaris, OpenBSD
- nice configuration syntax/easy to configure
- DNSd able to forward querys
- DNSd can run as caching only-server
Enhancements:
- This release includes a memory allocation bugfix in the xover command, a speed improvement (also in xover), and a source code cleanup.

shrewd is a lightweight and simple Internet Gopher server.
The project supports IPv4/IPv6 and runs on Unix-like systems (Developed on OpenBSD/i386, tested on NetBSD, FreeBSD and Linux on i386).
The options are as follows:
-c Specify a custom configuration file location (default is
/etc/shrewd.conf).
-f Dont detach from the controlling terminal. Syslog messages are
copied to stderr.
CONFIGURATION
The shrewd configuration file has the syntax of "keyword value". You may specify one keyword/value-pair per line. Lines beginning with a # are comments. Possible keywords are:
accesslog_file
File name to use for the access log. If not specified,
no accesslog will be written.
chroot Chroot to the specified directory. Should be an abso-
lute path. If not specified, dont chroot. You proba-
bly need to have /etc/resolv.conf and /etc/hosts in
the chroot for clients to work properly.
document_root
The document root directory. Must be specified.
port An alternate port. Can be a numeric port or a service
name (listed in /etc/services). If not specified, the
default gopher port will be used.
user The name of the user to setuid() to. GID will be set
to this users gid. If not specified, run as the user
who invoked the daemon.
Enhancements:
- Small feature enhancements, bugfixes, and cleanup.

Impact project is an open source, free finite element program which can be used to predict most dynamic events such as car crashes or metal sheet punch operations. They usually involve large deformations and high velocities.
Simulations are made on a virtual three dimensional model which can be created with a pre-processor or with the built-in Fembic language. Results are viewed in a post-processor.
Impact is designed to interface with the included pre- and postprocessor by default, but there are also interfaces available for more advanced pre-and postprocessors such as GiD or Gmsh. Impact also has rudamentary support for Nastran file format.
Development is made by a team of volunteers from all over the world with the aim of creating a clean and compact program which is simple to understand and use.
Impact is licensed under the Gnu Public License which makes it free to use and modify as long as you release and publish your improvements under the same license.
Impact is written in Java which means it can be run on most hardware and operating systems.
Enhancements:
- The entire preprocessor model can now be saved in the .in file.
- It is possible to script drive the geometry and FE model by manually editing the .in file and then reading it into the preprocessor.
- A bug was fixed in the post-processor where Gradient Result is now visible in the OpenGL accelerated version.

Shadow password file utilities package includes the programs necessary to convert traditional V7 UNIX password files to the SVR4 shadow password format, and additional tools to maintain password and group files (that work with both shadow and non-shadow passwords).
Enhancements:
- A problem where su set the enviroment too early when using PAM was fixed.
- A UID/GID overflow in groupadd, groupmod, useradd, and anusermod was fixed along with overflows in inactive, mindays, warndays, and maxdays in passwd, useradd, and usermod. groupmems was rewritten to use PAM and getopt_long().
- usermod was reverted back to previous -a option semantics.
- chsh and groupmod were rewritten to use getopt_long().
- Translations and man pages were updated.