From owner-freebsd-security@FreeBSD.ORG Sun Oct 17 14:41:15 2004
Date: Sun, 17 Oct 2004 10:41:14 -0400 (EDT)
From: Yan Wang
To: freebsd-fs@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: TCFS on FreeBSD

Dear all,

I tried to port the Transparent Cryptographic File System
(http://www.tcfs.it) OpenBSD version to FreeBSD 4.8, but failed. Has
anyone tried this before? How much modification is needed? Any info is
appreciated.

Thanks,

Yan

From owner-freebsd-security@FreeBSD.ORG Mon Oct 18 15:04:18 2004
Message-ID: <4173DAF3.4090605@pacbell.net>
Date: Mon, 18 Oct 2004 08:02:11 -0700
From: richard childers / kg6hac
Organization: Daemonized Networking Services - http://www.daemonized.com
To: freebsd-security@freebsd.org
In-Reply-To: <20041018120111.9286316A4D9@hub.freebsd.org>
Subject: re: transparent cfs (tcfs)

>Date: Sun, 17 Oct 2004 10:41:14 -0400 (EDT)
>From: Yan Wang
>Subject: TCFS on FreeBSD
>
>I tried to port Transparent Cryptographic File System
>(http://www.tcfs.it) OpenBSD version to FreeBSD 4.8, but failed. Has
>anyone tried this before? How much modification is needed? Any info is
>appreciated.
>
>Thanks,
>
>Yan

Yan,

I've successfully installed and employed AT&T's CFS under FreeBSD 4.x;
I'm not sure if that's the same thing as TCFS, or perhaps a derivative.

CFS is similar to NFS, except it works through the loopback device and
cannot be shared over the network.

Regards,

-- richard

--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com

'A well-schooled electorate, being necessary to the security of
a free State, the right of the people to keep and read Books,
shall not be infringed.' -- (Attributed to J. Neil Shulman)
From owner-freebsd-security@FreeBSD.ORG Mon Oct 18 15:59:59 2004
Date: Mon, 18 Oct 2004 11:59:55 -0400 (EDT)
From: Yan Wang
To: richard childers / kg6hac
Cc: freebsd-security@freebsd.org
In-Reply-To: <4173DAF3.4090605@pacbell.net>
Subject: re: transparent cfs (tcfs)

Richard,

Thank you for your information. I got the response of the TCFS authors,
a group at the University of Salerno, Italy, saying they have stopped
the project. My impression is that it is pretty tough to port from
OpenBSD to FreeBSD. The kernel part is very different. No wonder tcfs is
not available at FreeBSD.org.

Interestingly, I also got a response from the OpenBSD community. They
also stopped the project to include tcfs into OpenBSD, because of the
software license problem. tcfs was not intended to be free.

As far as I know, AT&T's CFS is based on the work of Matt Blaze. What I
heard is that it is implemented in user space, only supporting directory
encryption, not file-level. Richard, is this true? I might reconsider
using CFS.

Thanks,

Yan

On Mon, 18 Oct 2004, richard childers / kg6hac wrote:
> Yan,
>
> I've successfully installed and employed AT&T's CFS under FreeBSD 4.x;
> I'm not sure if that's the same thing as TCFS, or perhaps a derivative.
>
> CFS is similar to NFS, except it works through the loopback device and
> cannot be shared over the network.
>
> Regards,
>
> -- richard
From owner-freebsd-security@FreeBSD.ORG Mon Oct 18 17:27:38 2004
Date: Mon, 18 Oct 2004 11:27:31 -0600 
From: Greg Lewis
To: Yan Wang
Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org
Message-ID: <20041018172730.GA22441@misty.eyesbeyond.com>
Subject: Re: TCFS on FreeBSD

On Sun, Oct 17, 2004 at 10:41:14AM -0400, Yan Wang wrote:
> I tried to port Transparent Cryptographic File System
> (http://www.tcfs.it) OpenBSD version to FreeBSD 4.8, but failed. Has
> anyone tried this before? How much modification is needed? Any info is
> appreciated.

I tried this a while ago. I got it to the point where the kernel
compiled, but unfortunately it would panic on boot. I didn't have the
time to track down the problem, unfortunately :(. I can probably dig up
the patches if there is any interest, but they may need some forward
porting (I think I was originally using 4.5).
--
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Tue Oct 19 11:36:34 2004
Date: Tue, 19 Oct 2004 13:36:32 +0200 (CEST)
From: Tomas Pluskal
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Message-ID: <20041019133439.X604@localhost>
Subject: new intrusion detection system

Hello to all,

I have implemented a new type of intrusion detection system for my
Master's thesis. I would like to announce this information, in case
anyone would be interested in this research.

The IDS system is designed as a kernel module for FreeBSD 5.2. It is
inspired by the SpamAssassin program, which detects spam by applying a
set of tests to every email message and summing the point scores
generated by each test. My IDS system applies a set of tests to every
running process in the OS and sums the score generated by the tests.
Therefore, the purpose of the IDS is not to monitor the network traffic,
but rather to monitor the process activity.

The current system status is a "working prototype" - it is not ready for
production usage, but it may serve as a good base for interesting
research.
If you are interested in this topic, please read the details here:
http://plusik.pohoda.cz/thesis/

Thanks,

Tomas

From owner-freebsd-security@FreeBSD.ORG Mon Oct 18 13:36:16 2004
Date: Mon, 18 Oct 2004 15:18:31 +0200 (CEST)
From: Tomas Pluskal
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Message-ID: <20041018150025.E578@localhost>
X-Mailman-Approved-At: Tue, 19 Oct 2004 12:36:46 +0000
Subject: intrusion detection system

Hello to all,

I have implemented a new type of intrusion detection system for my
Master's thesis. I would like to announce this information, in case
anyone would be interested in this research.

The IDS system is designed as a kernel module for FreeBSD 5.2. It is
inspired by the SpamAssassin program, which detects spam by applying a
set of tests to every email message and summing the point scores
generated by each test. My IDS system applies a set of tests to every
running process in the OS and sums the score generated by the tests.
Therefore, the purpose of the IDS is not to monitor the network traffic,
but rather to monitor the process activity.

The current system status is a "working prototype" - it is more research
than a real IDS.
If you are interested in this, please read the details here:
http://plusik.pohoda.cz/thesis/

Thanks,

Tomas

From owner-freebsd-security@FreeBSD.ORG Tue Oct 19 12:47:10 2004
Message-ID: <7373DB1CFB205549B6A952E10BE0E69075A373@izm-exch-01.incirlik.usafe.ds.af.mil>
From: Ozdemircili Ozgur NMI Civ TR 425 ABS/SGST
To: "'Tomas Pluskal'"
Cc: "'freebsd-security@freebsd.org'"
Date: Tue, 19 Oct 2004 15:46:52 +0300
Subject: RE: intrusion detection system

Great job Tomas,

I am reading it and at the same time making news out of it for the
Turkish FreeBSD scene ;). By the way, I have discovered where you got
all your "inspiration" for your project ;P Legos, of course.

Keep up the good work.

Ozgur Ozdemircili
425 SG M.A.S
DSN: 675-3236

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Tomas Pluskal
Sent: Monday, October 18, 2004 4:19 PM
To: freebsd-security@freebsd.org; freebsd-hackers@freebsd.org
Subject: intrusion detection system

The IDS system is designed as a kernel module for FreeBSD 5.2. It is
inspired by the SpamAssassin program, which detects spam by applying a
set of tests to every email message and counting a sum of point score
generated by each test. My IDS system applies a set of tests to every
running process in the OS and counts its score generated by the tests.
Therefore, the purpose of the IDS is not to monitor the network traffic,
but rather to monitor the process activity.

From owner-freebsd-security@FreeBSD.ORG Tue Oct 19 13:47:08 2004
Message-ID: <41751ADA.40107@sitetronics.com>
Date: Tue, 19 Oct 2004 15:47:06 +0200
From: "Devon H. O'Dell"
To: Tomas Pluskal
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <20041019133439.X604@localhost>
Subject: Re: new intrusion detection system

Tomas Pluskal wrote:
> The IDS system is designed as a kernel module for FreeBSD 5.2. It is
> inspired by the SpamAssassin program, which detects spam by applying a
> set of tests to every email message and counting a sum of point score
> generated by each test. My IDS system applies a set of tests to every
> running process in the OS and counts its score generated by the tests.
> Therefore, the purpose of the IDS is not to monitor the network traffic,
> but rather to monitor the process activity.

Hello Tomas,

At first glance of this email, I thought ``An IDS based upon SpamAssassin
ideology?
Intrusions differ too much from spam for this to be accurate!'' After
reading your thesis, my ideas were changed.

This work is certainly very interesting, and I encourage you to continue
its development. Certainly one thing that would be desirable that I did
not see listed in the improvements section (and many other IDS systems,
such as Bro) would be the ability to carry out some action (instead of
pure reporting) based upon behavior; this would allow for IDS as well as
IPS behavior.

I'm quite interested and impressed by the work you've done here. Do you
have any plans of setting this up as a collaborative project? Can I help
you by providing a place for you to do this? At the moment, I'm not able
to provide much help for implementing any of the features listed in your
thesis (although I am interested in working on and with this software at
some point in the not-too-far future :)), but please let me know if I
can help by providing resources, as this is something that I can do with
little effort and in little time.

Congratulations, and good luck with your study!

Kind Regards,

Devon H. O'Dell

From owner-freebsd-security@FreeBSD.ORG Tue Oct 19 15:27:47 2004
Message-ID: <8a525524041019082721ffe822@mail.gmail.com>
Date: Tue, 19 Oct 2004 08:27:46 -0700
From: Justin Bastedo
To: Tomas Pluskal
Cc: freebsd-security@freebsd.org
In-Reply-To: <20041018150025.E578@localhost>
Subject: Re: intrusion detection system

Yeah, it looks really interesting, good work. It seems like a great idea.
I think I remember reading an article about some company that got
acquired by Cisco that was developing behavioral-based antivirus
software. Keep up the good work, I look forward to hearing more news on
this!

On Mon, 18 Oct 2004 15:18:31 +0200 (CEST), Tomas Pluskal wrote:
> The IDS system is designed as a kernel module for FreeBSD 5.2. It is
> inspired by the SpamAssassin program, which detects spam by applying a set
> of tests to every email message and counting a sum of point score
> generated by each test. My IDS system applies a set of tests to every
> running process in the OS and counts its score generated by the tests.
> Therefore, the purpose of the IDS is not to monitor the network traffic,
> but rather to monitor the process activity.
--
Justin Bastedo At Gmail Dot Com
--------------------------------------------------
http://www.thebastedo.com

Attached is a PGP Public Key. Import this key into your copy of PGP to
exchange encrypted and signed email. If you do not have PGP, please visit
http://www.pgp.com for your own copy.

From owner-freebsd-security@FreeBSD.ORG Tue Oct 19 16:18:27 2004
Date: Tue, 19 Oct 2004 18:03:11 +0200 (CEST)
From: Tomas Pluskal
To: "Devon H. O'Dell"
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <41751ADA.40107@sitetronics.com>
Message-ID: <20041019174231.S958@localhost>
Subject: Re: new intrusion detection system

> At a first glance of this email, I thought ``An IDS based upon SpamAssassin
> ideology? Intrusions differ too much from spam for this to be accurate!''
> After reading your thesis, my ideas were changed.

I agree with you that this approach to IDS cannot be as accurate as
SpamAssassin is with spam detection, because the intrusion detection
problem is more complex and has many complications (I have also
mentioned this in the thesis). But still, this approach has its
benefits.

> This work is certainly very interesting, and I encourage you to continue its
> development. Certainly one thing that would be desirable that I did not see
> listed in the improvements section (and many other IDS systems, such as Bro)
> would be the ability to carry out some action (instead of pure reporting)
> based upon behavior; this would allow for IDS as well as IPS behavior.

It is not listed in the improvements section because it is already a
part of the IDS - it has 6 configurable actions to invoke when the
process score reaches a defined level. It is also possible to add new
actions as "submodules".

> I'm quite interested and impressed by the work you've done here. Do you have
> any plans of setting this up as a collaborative project? Can I help you by
> providing a place for you to do this?
I have made this public right now, and looking at the responses, I am thinking about starting a project. Perhaps SourceForge would be a good place to start. Looking for volunteers, of course :)

Tomas

From owner-freebsd-security@FreeBSD.ORG Tue Oct 19 21:43:45 2004
In-Reply-To: <20041019133439.X604@localhost>
From: Brian Barto
Date: Tue, 19 Oct 2004 17:43:43 -0400
To: Tomas Pluskal
cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: new intrusion detection system

Very interesting stuff. Certainly worth more investigation.

Something occurred to me while I read your thesis. Though maybe it was worth a mention. The TTL (time to live) could potentially cause the IDS module to be easily beaten. An attack could begin and immediately go into a sleep state with the intent to expire the TTL, later resuming with its actions going unnoticed.

I hope to see more on this. I think it is a very creative and useful idea.

Thanks,
Brian

On Oct 19, 2004, at 7:36 AM, Tomas Pluskal wrote:

> Hello to all,
>
> I have implemented a new type of intrusion detection system for my
> Master thesis. I would like to announce this information, in case
> anyone would be interested in this research.
>
> The IDS system is designed as a kernel module for FreeBSD 5.2. It is
> inspired by the SpamAssassin program, which detects spam by applying a
> set of tests to every email message and counting a sum of point score
> generated by each test. My IDS system applies a set of tests to every
> running process in the OS and counts its score generated by the tests.
> Therefore, the purpose of the IDS is not to monitor the network
> traffic, but rather to monitor the process activity.
>
> The current system status is a "working prototype" - it is not ready
> for production usage, but it may serve as a good base for an
> interesting research.
> If you are interested in this topic, please read the details here:
> http://plusik.pohoda.cz/thesis/
>
> Thanks,
>
> Tomas

From owner-freebsd-security@FreeBSD.ORG Tue Oct 19 21:55:03 2004
Message-ID: <41758D35.2070708@sitetronics.com>
Date: Tue, 19 Oct 2004 23:55:01 +0200
From: "Devon H. O'Dell"
To: Brian Barto
cc: freebsd-hackers@freebsd.org, Tomas Pluskal, freebsd-security@freebsd.org
Subject: Re: new intrusion detection system

Brian Barto wrote:
> Very interesting stuff. Certainly worth more investigation.
>
> Something occurred to me while I read your thesis. Though maybe it was
> worth a mention. The TTL (time to live) could potentially cause the IDS
> module to be easily beaten. An attack could begin and immediately go
> into a sleep state with the intent to expire the TTL. Later resuming
> with its actions going unnoticed.
>
> I hope to see more on this. I think it is a very creative and useful idea.
>
> Thanks,
> Brian

This is certainly something that will need to be researched and tuned in practical environments. In many cases, it's not practical to wait for over a certain period of time to perform the combination of commands needed to exploit software due to network or file issues. But it is a very valid point.
--Devon

From owner-freebsd-security@FreeBSD.ORG Thu Oct 21 10:35:41 2004
Date: Thu, 21 Oct 2004 06:35:18 -0400
From: Allan Fields
To: Greg Lewis
cc: freebsd-fs@freebsd.org, Yan Wang, freebsd-security@freebsd.org
Message-ID: <20041021103518.GD74820@afields.ca>
In-Reply-To: <20041018172730.GA22441@misty.eyesbeyond.com>
Subject: Re: TCFS on FreeBSD

On Mon, Oct 18, 2004 at 11:27:31AM -0600, Greg Lewis wrote:
> On Sun, Oct 17, 2004 at 10:41:14AM -0400, Yan Wang wrote:
> > I tried to port Transparent Cryptographic File System
> > (http://www.tcfs.it) OpenBSD version to FreeBSD 4.8, but failed. Has
> > any one tried this before? How much modification is needed? Any info is
> > appreciated.
>
> I tried this a while ago. I got it to the point where the kernel compiled
> but unfortunately it would panic on boot. I didn't have the time to track
> down the problem unfortunately :(.
>
> I can probably dig up the patches if there is any interest, but they may
> need some forward porting (I think I was originally using 4.5).

I'd be interested in this and would also like to take a look at the patches. Mind you my biggest constraint is also time.

There is a lack of ports on FreeBSD of this type of crypt file system. While gbde offers a convenient device level approach, TCFS might be employed in other applications/to meet differing security requirements.
Some have reported TCFS has/had problems on other platforms and porting would potentially require addressing these issues as well.

Also see this effort for NetBSD: http://vaxn8.tripod.com/tcfs/
The author also was using various test tools.

My approach would be to port to 5.x or HEAD, but if anyone is more interested in support on 4.x hosts given the relative lack of options, it makes sense to bring 4.x patches up to date as well.

Remember of course 4.x users can still use good old cfs for the time being. It is in fact quite reliable from my tests but has several significant deficiencies including:

- relatively dated security model/design
- significantly bottlenecked I/O performance
- lack of support for long filenames (you'll notice this almost immediately)
- lack of support for extended characters: if I remember correctly, my tests had certain problems where files would be copied into the volume, but then become inaccessible, producing errors on each access and you'd have to work with the backing files to remove them (-- the very fact this can be done highlights another issue;)

TCFS tries to address these problems in cfs, but I've wondered if it wouldn't be an idea to simply tweak aspects of cfs itself, but it'd still be inherently limited by the interface choice (NFS). Until something comprehensive comes along to deal with userside filesystem implementations, I'd assume that it will remain more efficient to implement as much as possible in the kernel, which raises the idea of employing a vnode stacking approach such as cryptfs.
> --
> Greg Lewis                          Email   : glewis@eyesbeyond.com
> Eyes Beyond                         Web     : http://www.eyesbeyond.com
> Information Technology              FreeBSD : glewis@FreeBSD.org

--
Allan Fields, AFRSL - http://afields.ca
2D4F 6806 D307 0889 6125 C31D F745 0D72 39B4 5541

From owner-freebsd-security@FreeBSD.ORG Thu Oct 21 15:07:49 2004
Date: Thu, 21 Oct 2004 09:07:32 -0600
From: Greg Lewis
To: Allan Fields
cc: freebsd-fs@FreeBSD.org, Yan Wang, freebsd-security@FreeBSD.org
Message-ID: <20041021150732.GA84912@misty.eyesbeyond.com>
In-Reply-To: <20041021103518.GD74820@afields.ca>
Subject: Re: TCFS on FreeBSD

On Thu, Oct 21, 2004 at 06:35:18AM -0400, Allan Fields wrote:
> On Mon, Oct 18, 2004 at 11:27:31AM -0600, Greg Lewis wrote:
> > On Sun, Oct 17, 2004 at 10:41:14AM -0400, Yan Wang wrote:
> > > I tried to port Transparent Cryptographic File System
> > > (http://www.tcfs.it) OpenBSD version to FreeBSD 4.8, but failed. Has
> > > any one tried this before? How much modification is needed? Any info is
> > > appreciated.
> >
> > I tried this a while ago. I got it to the point where the kernel compiled
> > but unfortunately it would panic on boot. I didn't have the time to track
> > down the problem unfortunately :(.
> >
> > I can probably dig up the patches if there is any interest, but they may
> > need some forward porting (I think I was originally using 4.5).
>
> I'd be interested in this and would also like to take a look at the
> patches. Mind you my biggest constraint is also time.

Several people have asked about this. I will dig them out in the next couple of days (they are currently on a machine which is powered off).
--
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Thu Oct 21 22:14:30 2004
Message-ID: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net>
Date: Thu, 21 Oct 2004 21:46:48 +0200 (CEST)
From: "Jesper Wallin"
To: freebsd-security@freebsd.org
Subject: Default permissions of /home/user..

Hello..

I've asked this question before without getting any further help really.. When a new user is added using "adduser" on 5.x (haven't really checked if it's the same under 4.x or not), the default homedir permission is 755 (drwxr-xr-x) which to me, looks a bit insecure? It's of course pretty easy to solve it by a simple chmod, but yet, isn't there any way to change the default chmod value? Last time I asked about this, people told me to check out the skel directory, but the only thing you can do in there is to change the default chmod value of the files/directories _in_ the homedir, not the chmod values of the actual homedir.. I would be glad if someone could give me further assistance how to solve this without manually modifying the "adduser" script.. and if this option doesn't exist, shouldn't it be added or is it just me who wants my homedir secure from other users?
;)

Best regards,
Jesper Wallin

From owner-freebsd-security@FreeBSD.ORG Fri Oct 22 12:33:10 2004
Message-ID: <4178FE02.9040103@thebunker.net>
Date: Fri, 22 Oct 2004 13:33:06 +0100
From: Adam Laurie
To: Yan Wang
cc: freebsd-security@freebsd.org, richard childers / kg6hac
Subject: Re: transparent cfs (tcfs)

Yan Wang wrote:
> Richard,
>
> Thank you for your information.
>
> I got the response of TCFS authors, a group at University of Salerno, Italy,
> saying they have stopped the project. My impression is that it is pretty
> tough to port from OpenBSD to FreeBSD. The kernel part is very different.
> No wonder tcfs is not available at FreeBSD.org.
>
> Interestingly, I also got a response from OpenBSD community. They also
> stopped the project to include tcfs into OpenBSD, because the software
> license problem. tcfs was not intended to be free.
>
> As far as I know, AT&T's CFS is based on the work of Matt Blaze. What I
> heard is that it is implemented at the user space, only supporting
> directory encryption not file-level. Richard, is this true? I might
> reconsider using CFS.

CFS maps an encrypted directory tree, so everything in it including files and sub-directories gets encrypted. I've been using it, without problems, for several years, and would have no hesitation in recommending it.

cheers,
Adam

--
Adam Laurie                         Tel: +44 (20) 7605 7000
The Bunker Secure Hosting Ltd.
                                    Fax: +44 (20) 7605 7099
Shepherds Building                  http://www.thebunker.net
Rockley Road
London W14 0DA                      mailto:adam@thebunker.net
UNITED KINGDOM                      PGP key on keyservers

From owner-freebsd-security@FreeBSD.ORG Fri Oct 22 13:34:09 2004
Date: Sat, 23 Oct 2004 02:34:07 +1300 (NZDT)
From: Andrew McNaughton
To: Jesper Wallin
cc: freebsd-security@freebsd.org
Message-ID: <20041023022916.L21245@a2.scoop.co.nz>
In-Reply-To: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net>
Subject: Re: Default permissions of /home/user..

On Thu, 21 Oct 2004, Jesper Wallin wrote:

> Hello..
>
> I've asked this question before without getting any further help really..
> When a new user is added using "adduser" on 5.x (haven't really checked
> if it's the same under 4.x or not), the default homedir permission is 755
> (drwxr-xr-x) which to me, looks a bit insecure? It's of course pretty easy
> to solve it by a simple chmod, but yet, isn't there any way to change the
> default chmod value? Last time I asked about this, people told me to check
> out the skel directory, but the only thing you can do in there is to change the
> default chmod value of the files/directories _in_ the homedir, not the chmod
> values of the actual homedir.. I would be glad if someone could give me
> further assistance how to solve this without manually modifying the "adduser"
> script.. and if this option doesn't exist, shouldn't it be added or is it just
> me who wants my homedir secure from other users?
> ;)

By default, anyone can read a user's home directory, but because normally no one is in the user's default group except the user themselves, no one else can write to it.

If a user wants to restrict access to their entire home directory, they can chmod their own home directory, but this is not really recommended. It's better that they should make a restricted sub-directory for any restricted content. That way they can create directories inside their home directory with permissions such that they allow collaboration with whichever group is appropriate.

Andrew McNaughton

--
No added Sugar. Not tested on animals. May contain traces of Nuts. If irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton                   Living in a shack in Tasmania
andrew@scoop.co.nz                  Between the bush and the sea
Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc
http://www.scoop.co.nz/

From owner-freebsd-security@FreeBSD.ORG Fri Oct 22 13:55:16 2004
Date: Fri, 22 Oct 2004 09:55:12 -0400
From: Bill Moran
To: "Jesper Wallin"
cc: freebsd-security@freebsd.org
Message-Id: <20041022095512.31d991ae.wmoran@potentialtech.com>
In-Reply-To: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net>
Subject: Re: Default permissions of /home/user..

"Jesper Wallin" wrote:
> Hello..
>
> I've asked this question before without getting any further help really..
> When a new user is added using "adduser" on 5.x (haven't really checked
> if it's the same under 4.x or not), the default homedir permission is 755
> (drwxr-xr-x) which to me, looks a bit insecure? It's of course pretty easy
> to solve it by a simple chmod, but yet, isn't there any way to change the
> default chmod value? Last time I asked about this, people told me to check
> out the skel directory, but the only thing you can do in there is to change the
> default chmod value of the files/directories _in_ the homedir, not the chmod
> values of the actual homedir.. I would be glad if someone could give me
> further assistance how to solve this without manually modifying the "adduser"
> script.. and if this option doesn't exist, shouldn't it be added or is it just
> me who wants my homedir secure from other users? ;)

The adduser script does not determine the permissions on the home directory. The pw command does that; adduser just calls pw.
I don't know, but perhaps if you change the permissions on /usr/share/skel itself, the new directories created from it will have those permissions (I haven't tried this, so I could be wrong).

pw doesn't seem to have an option to change the permissions on the home directory at creation time. Possibly an option could be added to adduser that reads the desired permissions from adduser.conf and changes them after creation?

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

From owner-freebsd-security@FreeBSD.ORG Fri Oct 22 18:58:03 2004
Message-ID: <008401c4b868$ffd64ac0$3501a8c0@pro.sk>
From: "Peter Rosa"
To: "FreeBSD Security"
Date: Fri, 22 Oct 2004 20:57:37 +0200
Subject: Re: Default permissions of /home/user..

Hi,

try to read /usr/sbin/adduser. It's a perl script, not ELF, so you can change something there. In line 953 (FreeBSD 4.10) is this:

mkdir($homedir, 755).

Simply change it to 700 and you should be where you wanted.

NOT TESTED !!!!

Peter Rosa

From owner-freebsd-security@FreeBSD.ORG Fri Oct 22 19:52:42 2004
Message-ID: <00ab01c4b870$a3024760$3501a8c0@pro.sk>
From: "Peter Rosa"
To: "FreeBSD Security"
Date: Fri, 22 Oct 2004 21:52:18 +0200
Subject: Re: Default permissions of /home/user..

Sorry for my mistake - you use FreeBSD 5. The adduser command was changed to an sh script in it. I do not use 5, so sorry again.

If your /usr/sbin/adduser has at the start of lines 278 to 280 the word "_pwcmd", add something like this after line 280:

_pwcmd="$_pwcmd && chmod 700 $_home"

The command stored in $_pwcmd is executed on line 282. The user should be added and the homedir should be created. The addition above should chmod its homedir to 700 (drwx------) automatically.

!!! AGAIN, NOT TESTED !!!

Peter Rosa

P.S. This addition will be removed when you update your system.
Try to find a better way :-)))

From owner-freebsd-security@FreeBSD.ORG Fri Oct 22 21:49:25 2004
Date: Fri, 22 Oct 2004 17:06:06 +0300
From: Peter Pentchev
To: Bill Moran
Message-ID: <20041022140606.GA1043@straylight.m.ringlet.net>
Mail-Followup-To: Bill Moran , Jesper Wallin , freebsd-security@freebsd.org
References: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net> <20041022095512.31d991ae.wmoran@potentialtech.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="PEIAKu/WMn1b1Hv9"
Content-Disposition: inline
In-Reply-To: <20041022095512.31d991ae.wmoran@potentialtech.com>
User-Agent: Mutt/1.5.6i
cc: freebsd-security@freebsd.org
cc: Jesper Wallin
Subject: Re: Default permissions of /home/user..
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 22 Oct 2004 21:49:26 -0000

On Fri, Oct 22, 2004 at 09:55:12AM -0400, Bill Moran wrote:
> "Jesper Wallin" wrote:
> 
> > Hello..
> > 
> > I've asked this question before without getting any further help really..
> > When a new user is added using "adduser" on 5.x (haven't really checked
> > if it's the same under 4.x or not), the default homedir permission is 755
> > (drwxr-xr-x) which to me, looks a bit insecure? It's of course pretty easy
> > to solve it by a simple chmod, but yet, isn't there any way to change the
> > default chmod value? Last time I asked about this, people told me to check
> > out the skel directory, but the only thing you can do in there is to change the
> > default chmod value of the files/directories _in_ the homedir, not the chmod
> > values of the actual homedir.. I would be glad if someone could give me
> > further assistance on how to solve this without manually modifying the "adduser"
> > script..
> > and if this option doesn't exist, shouldn't it be added or is it just
> > me who wants my homedir secure from other users? ;)
> 
> The adduser script does not determine the permissions on the home directory.
> The pw command does that, adduser just calls pw.
> 
> I don't know, but perhaps if you change the permissions on /usr/share/skel
> itself, the new directories created from it will have those permissions
> (I haven't tried this, so I could be wrong).
> 
> pw doesn't seem to have an option to change the permissions on the home
> directory at creation time. Possibly an option could be added to adduser,
> that reads the desired permissions from adduser.conf and changes them
> after creation?

Here's something I did back in 2002 for just this purpose. It is for the
4.x adduser Perl script only - I've never ported it to the 5.x adduser
shell script, since I've never actually *used* it ever since its conception :)

Still, if it could be of some help to anyone, here it is.

G'luck,
Peter

Index: src/usr.sbin/adduser/adduser.perl
===================================================================
RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v
retrieving revision 1.44.2.4
diff -u -r1.44.2.4 adduser.perl
--- src/usr.sbin/adduser/adduser.perl	15 Feb 2002 17:31:15 -0000	1.44.2.4
+++ src/usr.sbin/adduser/adduser.perl	18 Feb 2002 14:12:46 -0000
@@ -41,6 +41,7 @@
 	$config_read = 1;		# read config file
 	$logfile = "/var/log/adduser";	# logfile
 	$home = "/home";		# default HOME
+	$home_perm = "u+wrX,go-w";	# default permissions on HOME
 	$etc_shells = "/etc/shells";
 	$etc_passwd = "/etc/master.passwd";
 	$group = "/etc/group";
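Review bot: the default chosen in this hunk, `$home_perm = "u+wrX,go-w"`, keeps the home directory group- and world-readable, which is the very behaviour the thread is asking to change; the directory is created with `mkdir("$homedir", 0755)` further down the file, and "u+wrX,go-w" leaves that at 0755. If the option is meant to harden homes out of the box, ship a restrictive default such as "u+rwx,go-rwx" and say in the comment that the old value was "u+wrX,go-w"; if it is meant only to preserve existing behaviour, say that in the comment instead, so the next reader does not assume the patch changes the default.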
@@ -221,6 +222,33 @@
 	return 0;
 }
 
+# return the default permissions' string for HOME
+sub home_permissions {
+	local($perm) = @_;
+	local($p) = $perm;
+
+	return $p if !$verbose && $p eq &home_permissions_valid($p);
+
+	while(1) {
+		$p = &confirm_list("Enter your default HOME permissions:", 1, $perm, "");
+		last if $p eq &home_permissions_valid($p);
+	}
+
+	$changes++ if $p ne $perm;
+	return $p;
+}
+
+# check for valid permissions
+sub home_permissions_valid {
+	local($perm) = @_;
+
+	if ($perm =~ /^((([ugo]+[+-][rwxX]+),?)+)/) {
+		return $1;
+	} else {
+		return "";
+	}
+}
+
 # check for valid passwddb
 sub passwd_check {
 	system(@pwd_mkdb, '-C', $etc_passwd);
@@ -953,7 +981,8 @@
 	if (!mkdir("$homedir", 0755)) {
 		warn "$dir: $!\n"; return 0;
 	}
-	system 'chown', "$name:$group", $homedir;
+	system('chmod', $home_perm, $homedir);
+	system('chown', "$name:$group", $homedir);
 	return !$?;
 }
 
@@ -961,7 +990,7 @@
 	# rename 'dot.foo' files to '.foo'
 	print "Copy files from $dotdir to $homedir\n" if $verbose;
 	system('cp', '-R', $dotdir, $homedir);
-	system('chmod', '-R', 'u+wrX,go-w', $homedir);
+	system('chmod', '-R', $home_perm, $homedir);
 	system('chown', '-Rh', "$name:$group", $homedir);
 
 	# security
@@ -1365,6 +1394,9 @@
 # default HOME directory ("/home")
 home = "$home"
 
+# default permissions on HOME ("u+wrX,go-w")
+home_perm = "$home_perm";
+
 # List of directories where shells located
 # path = ('/bin', '/usr/bin', '/usr/local/bin')
 path = ($shpath)
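Review bot: in the `home_permissions_valid` hunk (@@ -221,6 +222,33 @@) the pattern `/^((([ugo]+[+-][rwxX]+),?)+)/` puts the optional comma inside the repeated group, so a trailing comma such as "u+rwx," is returned unchanged, passes the `$p eq &home_permissions_valid($p)` check and reaches chmod. The same pattern rejects the octal form the original poster actually wants (0700), the `a` who-class and `=`, so 700 has to be spelled "u+rwx,go-rwx" and nothing tells the user that. Anchor the pattern with `$`, move the comma between clauses, e.g. `/^[ugo]+[-+=][rwxX]+(,[ugo]+[-+=][rwxX]+)*$/`, accept `/^[0-7]{3,4}$/` as well, and mention the accepted syntax in the confirm_list prompt.

Review bot: in the `mkdir`/`chmod`/`chown` hunk (@@ -953,7 +981,8 @@) `return !$?` only reflects the last `system()`, the chown, so a chmod that fails (a string that passed the validator but chmod rejects) is ignored and the home stays at the 0755 that `mkdir("$homedir", 0755)` gave it. Check `$?` after each call. Since the directory also exists as 0755 between the mkdir and the chmod, create it with a restrictive mode first, `mkdir("$homedir", 0700)`, and let the chmod relax it to `$home_perm`, so there is no window in which a new home is world-readable.

Review bot: in the recursive chmod hunk (@@ -961,7 +990,7 @@) substituting `$home_perm` for the literal `'u+wrX,go-w'` applies the HOME mode string to every file copied from `$dotdir`, and a lower-case `x` (unlike the `X` in the old string, which only touches directories and already-executable files) sets the execute bit on plain dotfiles such as the copied rc files; a user who enters "u+rwx,go-rwx" to get a 0700 home gets executable .profile and friends as a side effect. Keep the original `-R 'u+wrX,go-w'` pass for the contents and apply `$home_perm` to `$homedir` alone, which the previous hunk already does.

Review bot: in the adduser.conf writer hunk (@@ -1365,6 +1394,9 @@) the emitted line `home_perm = "$home_perm";` carries a trailing semicolon that the neighbouring `home = "$home"` and `path = ($shpath)` lines do not; drop it unless the config reader requires it, and confirm on a second run that the value read back from adduser.conf satisfies `home_permissions_valid`, because a value that does not will fall into the `confirm_list` loop instead of being used silently as the other keys are.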
@@ -1425,6 +1457,7 @@
 &shells_add;				# maybe add some new shells
 $defaultshell = &shell_default;		# enter default shell
 $home = &home_partition($home);		# find HOME partition
+$home_perm = &home_permissions($home_perm);	# set HOME permissions
 $dotdir = &dotdir_default;		# check $dotdir
 $send_message = &message_default;	# send message to new user
 $defaultpasswd = &password_default;	# maybe use password

-- 
Peter Pentchev	roam@ringlet.net	roam@cnsys.bg	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contradicts itself - or rather - well, no, actually it doesn't!

From owner-freebsd-security@FreeBSD.ORG Sat Oct 23 15:03:36 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C1FE516A4CE for ; Sat, 23 Oct 2004 15:03:36 +0000 (GMT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7192243D41 for ; Sat, 23 Oct 2004 15:03:36 +0000 (GMT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.13.1/8.13.1) with ESMTP id i9NF3FSL071746; Sat, 23 Oct 2004 11:03:15 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost)i9NF3FMG071743; Sat, 23 Oct 2004 16:03:15 +0100 (BST) (envelope-from robert@fledge.watson.org)
Date: Sat, 23 Oct 2004 16:03:15 +0100 (BST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Jesper Wallin
In-Reply-To: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: Default permissions of /home/user..
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 23 Oct 2004 15:03:36 -0000

On Thu, 21 Oct 2004, Jesper Wallin wrote:

> I've asked this question before without getting any further help
> really.. When a new user is added using "adduser" on 5.x (haven't really
> checked if it's the same under 4.x or not), the default homedir
> permission is 755 (drwxr-xr-x) which to me, looks a bit insecure? It's
> of course pretty easy to solve it by a simple chmod, but yet, isn't
> there any way to change the default chmod value? Last time I asked about
> this, people told me to check out the skel directory, but the only thing
> you can do in there is to change the default chmod value of the
> files/directories _in_ the homedir, not the chmod values of the actual
> homedir.. I would be glad if someone could give me further assistance
> on how to solve this without manually modifying the "adduser" script.. and
> if this option doesn't exist, shouldn't it be added or is it just me
> who wants my homedir secure from other users? ;)

I'm a fan of creating "public", "public_html", and "private" directories
in the user's home directory when their account is created, with
appropriate permissions. That way I can just tell users "put the file in
your private directory if you want it to be private". I use custom
scripts for accounts here, but you may just be able to create those
prototype directories in skel and have adduser do the right thing.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research

From owner-freebsd-security@FreeBSD.ORG Sat Oct 23 19:34:45 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C506616A4DF for ; Sat, 23 Oct 2004 19:34:45 +0000 (GMT)
Received: from beastie.hyow.eu.org (213-152-46-100.dsl.eclipse.net.uk [213.152.46.100]) by mx1.FreeBSD.org (Postfix) with SMTP id 72E1143D31 for ; Sat, 23 Oct 2004 19:34:44 +0000 (GMT) (envelope-from mark@hyow.eu.org)
Received: (qmail 90307 invoked by uid 751); 23 Oct 2004 19:37:48 -0000
Received: from mark@hyow.eu.org by beastie.hyow.eu.org by uid 731 with qmail-scanner-1.22-st-qms (clamdscan: 0.75. spamassassin: 2.64. Clear:RC:1(127.0.0.1):. Processed in 0.909387 secs); 23 Oct 2004 19:37:47 -0000
X-Antivirus-HYOW.EU.ORG-Mail-From: mark@hyow.eu.org via beastie.hyow.eu.org
X-Antivirus-HYOW.EU.ORG: 1.22-st-qms (Clear:RC:1(127.0.0.1):. Processed in 0.909387 secs Process 90302)
Received: from localhost.hyow.eu.org (HELO beastie.hyow.eu.org) (mark@hyow.eu.org@127.0.0.1) by beastie.hyow.eu.org with SMTP; 23 Oct 2004 19:37:46 -0000
Received: from 10.0.0.10 (SquirrelMail authenticated user mark@hyow.eu.org); by beastie.hyow.eu.org with HTTP; Sat, 23 Oct 2004 20:37:46 +0100 (BST)
Message-ID: <52757.10.0.0.10.1098560266.squirrel@10.0.0.10>
In-Reply-To: <00ab01c4b870$a3024760$3501a8c0@pro.sk>
References: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net> <008401c4b868$ffd64ac0$3501a8c0@pro.sk> <00ab01c4b870$a3024760$3501a8c0@pro.sk>
Date: Sat, 23 Oct 2004 20:37:46 +0100 (BST)
From: "Mark Magiera"
To: freebsd-security@freebsd.org
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 1 (Highest)
Importance: High
Subject: Re: Default permissions of /home/user..
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 23 Oct 2004 19:34:45 -0000

> Sorry for my mistake - you use FreeBSD 5. The adduser command was changed
> to an sh script in it. I do not use 5, so sorry again.
>
> If lines 278 to 280 of your /usr/sbin/adduser start with the word
> "_pwcmd", add something like this after line 280:
> _pwcmd="$_pwcmd && chmod 700 $_home"
>
> The command stored in $_pwcmd is executed on line 282. The user should be
> added and the homedir should be created. The addition above should chmod
> its homedir to 700 (drwx------) automatically.
>
> !!! AGAIN, NOT TESTED !!!
>
> Peter Rosa

Just a quick correction, you'll want to chmod $uhome not $_home. Having done
that, you can consider your suggestion tested and working.
Mark Magiera

From owner-freebsd-security@FreeBSD.ORG Sat Oct 23 21:13:42 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3065316A4CE for ; Sat, 23 Oct 2004 21:13:42 +0000 (GMT)
Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id C25A243D1D for ; Sat, 23 Oct 2004 21:13:41 +0000 (GMT) (envelope-from vladgalu@gmail.com)
Received: by rproxy.gmail.com with SMTP id 74so267654rnk for ; Sat, 23 Oct 2004 14:13:38 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=VkzGdjeHX264hvn+dPShqcdnibhNisgt2TQ/4KyXNgGd44W6b3fVvWKSCc3Z/y9TKK776/S+TFFN6PIKjR7qWH1t8hJddSqXLQe8+1wZDJMakfjOgnGcmq49iAwW1pnG4Ii6ZMYj3kyHVBavl2Ys8Y4AgOMusbuuT+TzF7QXQrc=
Received: by 10.38.68.14 with SMTP id q14mr253636rna; Sat, 23 Oct 2004 14:13:38 -0700 (PDT)
Received: by 10.38.149.19 with HTTP; Sat, 23 Oct 2004 14:13:38 -0700 (PDT)
Message-ID: <79722fad04102314136d2dc0e2@mail.gmail.com>
Date: Sun, 24 Oct 2004 00:13:38 +0300
From: Vlad GALU
To: freebsd-security@freebsd.org
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <1323.213.112.198.199.1098388008.squirrel@mail.hackunite.net>
Subject: Re: Default permissions of /home/user..
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Vlad GALU
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 23 Oct 2004 21:13:42 -0000

On Sat, 23 Oct 2004 16:03:15 +0100 (BST), Robert Watson wrote:
> 
> On Thu, 21 Oct 2004, Jesper Wallin wrote:
> 
> > I've asked this question before without getting any further help
> > really.. When a new user is added using "adduser" on 5.x (haven't really
> > checked if it's the same under 4.x or not), the default homedir
> > permission is 755 (drwxr-xr-x) which to me, looks a bit insecure? It's
> > of course pretty easy to solve it by a simple chmod, but yet, isn't
> > there any way to change the default chmod value? Last time I asked about
> > this, people told me to check out the skel directory, but the only thing
> > you can do in there is to change the default chmod value of the
> > files/directories _in_ the homedir, not the chmod values of the actual
> > homedir.. I would be glad if someone could give me further assistance
> > on how to solve this without manually modifying the "adduser" script.. and
> > if this option doesn't exist, shouldn't it be added or is it just me
> > who wants my homedir secure from other users? ;)
> 
> I'm a fan of creating "public", "public_html", and "private" directories
> in the user's home directory when their account is created, with
> appropriate permissions. That way I can just tell users "put the file in
> your private directory if you want it to be private".
> I use custom
> scripts for accounts here, but you may just be able to create those
> prototype directories in skel and have adduser do the right thing.

One thing though. The mtree file that controls the permissions for /
specifies 0755 as the mask for /root. It's all right with me, I have
"chmod /root 0600" in my .profile, but still ...

> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org      Principal Research Scientist, McAfee Research
> 
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> 

-- 
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
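Pulling the thread's suggestions together (Peter Rosa's and Mark Magiera's chmod of the new home right after pw creates it, Bill Moran's idea of taking the wanted mode from adduser.conf, and Robert Watson's public/public_html/private layout), here is an added example script. It is not part of this thread and not FreeBSD's adduser or pw code. It works on a scratch directory that stands in for /home, skips the pw call and the chown so it runs unprivileged, and uses a hypothetical HOMEPERM variable in place of a real adduser.conf key; the audit function lists homes that other users can still read or search, which is the check to run on an existing box before and after changing the default.

```sh
#!/bin/sh
# Added example for this thread; not FreeBSD's adduser(8) or pw(8) code.
# Assumptions (not from the thread): HOMEPERM stands in for a hypothetical
# adduser.conf key, BASE stands in for /home so this can run unprivileged
# on a scratch directory, and pw/chown are skipped for the same reason.
set -eu

HOMEPERM="${HOMEPERM:-0700}"    # hypothetical setting; the thread wants 700

# mode_of DIR: print the ten-character ls(1) mode string, e.g. drwx------.
# ls -ld is used rather than stat(1), whose options differ between BSD and GNU.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_home BASE USER: create BASE/USER with the mode from HOMEPERM, plus
# the public/public_html/private layout Robert Watson describes.
# The directory is created 0700 first and only then relaxed to HOMEPERM,
# so it is never world-readable the way a plain mkdir 0755 would leave it.
make_home() {
    base=$1
    user=$2
    home="$base/$user"
    mkdir -m 0700 "$home"
    chmod "$HOMEPERM" "$home"
    mkdir -m 0755 "$home/public" "$home/public_html"
    mkdir -m 0700 "$home/private"
    # adduser would chown "$user" here; skipped because this runs unprivileged.
    printf '%s\n' "$home"
}

# audit_homes BASE: print "MODE PATH" for every direct subdirectory of BASE
# that grants any permission to group or other, i.e. the 0755 default the
# thread complains about. Returns 1 if anything was printed, 0 if all clean.
audit_homes() {
    found=0
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        m=$(mode_of "$d")
        case "$(printf '%s' "$m" | cut -c5-10)" in
            ------) ;;                              # nothing for group/other
            *) printf '%s %s\n' "$m" "$d"; found=1 ;;
        esac
    done
    return "$found"
}

# Stand-alone run: build a scratch /home, add two users, audit.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    make_home "$scratch" alice >/dev/null
    mkdir -m 0755 "$scratch/bob"          # what a stock adduser would leave
    audit_homes "$scratch" || echo "homes readable by other users found"
    rm -rf "$scratch"
fi
```

Run it with `--demo` to see the audit flag the 0755 directory and stay quiet about the 0700 one. On a real system the audit loop can be pointed at /home as is; the creation half is the part that has to live inside whatever wraps pw, since pw itself has no option for the home directory mode.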