From owner-freebsd-security@FreeBSD.ORG Sun Oct 23 14:55:27 2005
From: Xin LI
Date: Sun, 23 Oct 2005 18:52:30 +0800
To: freebsd-security@FreeBSD.org
Message-ID: <20051023105230.GA55181@frontfree.net>
Cc: developers@FreeBSD.org
Subject: Is it feasible to cross-build compat5x binary?

Hi folks,

I think we need to update the compat5x binary to fix FreeBSD-SA-05:21.openssl,
but will the binaries built by ``make universe'' be identical with an actual
build on Alpha, Sparc64, etc? (Yes, I'm volunteering to do the work iff they
are identical ;-)

Cheers,
-- 
Xin LI  http://www.delphij.net/
See complete headers for GPG key and other information.
From owner-freebsd-security@FreeBSD.ORG Sun Oct 23 23:29:43 2005
From: "David O'Brien"
Date: Sun, 23 Oct 2005 16:29:35 -0700
To: delphij@delphij.net
Cc: freebsd-security@FreeBSD.org, developers@FreeBSD.org
Message-ID: <20051023232935.GC602@dragon.NUXI.org>
In-Reply-To: <20051023105230.GA55181@frontfree.net>
Subject: Re: Is it feasible to cross-build compat5x binary?
On Sun, Oct 23, 2005 at 06:52:30PM +0800, Xin LI wrote:
> I think we need to update compat5x binary to fix FreeBSD-SA-05:21.openssl,
> but will the binaries built by ``make universe'' be identical with actual
> build on Alpha, Sparc64, etc? (Yes, I'm volunteering to do the work iff
> they are identical ;-)

We should not trust cross-built libraries for this purpose at this time.
We really don't know how identical the results will be to being natively
built.

-- 
-- David  (obrien@FreeBSD.org)

From owner-freebsd-security@FreeBSD.ORG Mon Oct 24 08:08:43 2005
From: Peter Jeremy
Date: Mon, 24 Oct 2005 18:08:11 +1000
To: obrien@freebsd.org, delphij@delphij.net, freebsd-security@freebsd.org, developers@freebsd.org
Message-ID: <20051024080811.GF39882@cirb503493.alcatel.com.au>
In-Reply-To: <20051023232935.GC602@dragon.NUXI.org>
Subject: Re: Is it feasible to cross-build compat5x binary?

On Sun, 2005-Oct-23 16:29:35 -0700, David O'Brien wrote:
>We should not trust cross-built libraries for this purpose at this time.
>We really don't know how identical the results will be to being natively
>built.

At some stage, we need to validate our cross-build chain with cmp(1).
We can probably leverage off the work that NetBSD has done in this
area. This would significantly simplify the work involved in supporting
the various architectures.
-- 
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Mon Oct 24 12:09:29 2005
From: Bruce Evans
Date: Mon, 24 Oct 2005 22:09:11 +1000 (EST)
To: Martin Cracauer
Cc: Peter Jeremy, delphij@delphij.net, developers@freebsd.org, freebsd-security@freebsd.org
Message-ID: <20051024215918.V15095@delplex.bde.org>
In-Reply-To: <20051024064605.A44523@cons.org>
Subject: Re: Is it feasible to cross-build compat5x binary?
On Mon, 24 Oct 2005, Martin Cracauer wrote:

> Peter Jeremy wrote on Mon, Oct 24, 2005 at 06:08:11PM +1000:
>> On Sun, 2005-Oct-23 16:29:35 -0700, David O'Brien wrote:
>>> We should not trust cross-built libraries for this purpose at this time.
>>> We really don't know how identical the results will be to being natively
>>> built.
>>
>> At some stage, we need to validate our cross-build chain with cmp(1).
>
> ELF object files are timestamped. But there's some elf-cmp out there.

Only libraries (ELF or not: .so or .a) are. I use diff -r to check that
builds of object trees give reproducible results, and just ignore libraries
since they are built up from object files by a simple process (perhaps not
so simple for .so's). The main problem at least used to be braindamaged
applications that create irreproducible results using the following methods:

- version.c files with a unique version number or timestamp
- __DATE__ in C files. Results are reproducible until the next day
- __TIME__ in C files
- __FILE__ in C files. For {source,generated} files, this makes the results
  depend on the location of the {source,object} tree.

Bruce
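As an added example (not code from the thread, nor anything from the FreeBSD or NetBSD build systems), here is a small Python model of the check Bruce describes: compare two object trees file by file the way diff -r / cmp(1) would, skip libraries because they are assembled from the very objects being compared, and for each object that still differs say which of the listed culprits (version.c, __DATE__, __TIME__, __FILE__) it shows. The two "builds", their /usr/obj paths and their file contents are constructed stand-ins rather than real ELF output; load_tree() exists so the same report can be run over two real object directories.

```python
"""Reproducibility check for two object trees, modelled on the approach in
the thread: diff -r / cmp(1) over the trees, ignore libraries, and explain
each differing object by the usual culprits (version.c, __DATE__, __TIME__,
__FILE__).  Added example; the sample trees below are constructed."""
import os
import re
from typing import Dict, List, Tuple

Tree = Dict[str, bytes]

# What the preprocessor really emits: __DATE__ -> b"Oct 24 2005",
# __TIME__ -> b"22:09:11".  __FILE__ leaves the absolute source path behind.
DATE_RE = re.compile(rb"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d \d{4}\b")
TIME_RE = re.compile(rb"\b[0-2]\d:[0-5]\d:[0-5]\d\b")
LIBRARY_SUFFIXES = (".a", ".so")  # skipped, as in the thread: built from the .o files


def load_tree(root: str) -> Tree:
    """Walk a real object directory into {relative path: file bytes}."""
    tree: Tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root)] = fh.read()
    return tree


def compare_trees(a: Tree, b: Tree) -> Tuple[List[str], List[str], List[str]]:
    """The diff -r step: (only in a, only in b, present in both but differing)."""
    paths_a = {p for p in a if not p.endswith(LIBRARY_SUFFIXES)}
    paths_b = {p for p in b if not p.endswith(LIBRARY_SUFFIXES)}
    only_a = sorted(paths_a - paths_b)
    only_b = sorted(paths_b - paths_a)
    differing = sorted(p for p in paths_a & paths_b if a[p] != b[p])
    return only_a, only_b, differing


def _first(rx: "re.Pattern[bytes]", blob: bytes) -> bytes:
    m = rx.search(blob)
    return m.group(0) if m else b""


def classify(path: str, blob_a: bytes, blob_b: bytes,
             root_a: str, root_b: str) -> List[str]:
    """Name which of the known irreproducibility sources a differing object shows."""
    reasons: List[str] = []
    if os.path.basename(path) == "version.o":
        reasons.append("version.c")          # unique build number or timestamp
    da, db = _first(DATE_RE, blob_a), _first(DATE_RE, blob_b)
    if da and db and da != db:
        reasons.append("__DATE__")           # changes once a day boundary is crossed
    ta, tb = _first(TIME_RE, blob_a), _first(TIME_RE, blob_b)
    if ta and tb and ta != tb:
        reasons.append("__TIME__")
    if root_a != root_b and (root_a.encode() in blob_a or root_b.encode() in blob_b):
        reasons.append("__FILE__")           # object depends on where the tree lives
    return reasons or ["unexplained"]


def report(a: Tree, b: Tree, root_a: str, root_b: str) -> Dict[str, List[str]]:
    """Every path that is not byte-identical between the trees, with the reason."""
    only_a, only_b, differing = compare_trees(a, b)
    out: Dict[str, List[str]] = {p: ["only in first tree"] for p in only_a}
    out.update({p: ["only in second tree"] for p in only_b})
    for p in differing:
        out[p] = classify(p, a[p], b[p], root_a, root_b)
    return out


# Constructed stand-ins for two builds of the same sources (not real ELF):
# one day apart and in different object directories.
ROOT_A, ROOT_B = "/usr/obj/build1", "/usr/obj/build2"
BUILD_A: Tree = {
    "lib/libc/strlen.o":     b"\x7fELF..strlen..",
    "usr.bin/foo/version.o": b"\x7fELF..foo build 1042 Oct 24 2005 22:09:11",
    "usr.bin/foo/foo.o":     b"\x7fELF..compiled Oct 24 2005",
    "usr.bin/foo/parse.o":   b"\x7fELF..assertion at /usr/obj/build1/usr.bin/foo/parse.c",
    "lib/libc.a":            b"!<arch>\n.. 1130160551 ..",
}
BUILD_B: Tree = {
    "lib/libc/strlen.o":     b"\x7fELF..strlen..",
    "usr.bin/foo/version.o": b"\x7fELF..foo build 1043 Oct 25 2005 09:31:47",
    "usr.bin/foo/foo.o":     b"\x7fELF..compiled Oct 25 2005",
    "usr.bin/foo/parse.o":   b"\x7fELF..assertion at /usr/obj/build2/usr.bin/foo/parse.c",
    "lib/libc.a":            b"!<arch>\n.. 1130201507 ..",
    "usr.bin/foo/extra.o":   b"\x7fELF..only present in the second build",
}

if __name__ == "__main__":
    for path, why in sorted(report(BUILD_A, BUILD_B, ROOT_A, ROOT_B).items()):
        print(f"{path}: {', '.join(why)}")
```

Against real trees, replace the two dictionaries with load_tree() over two object directories built from the same sources; the library skip matters because ar(1) archives carry member timestamps and would always differ. The __DATE__ and __TIME__ cases can also be caught at compile time with the -Wdate-time warning that GCC and Clang provide.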
From owner-freebsd-security@FreeBSD.ORG Mon Oct 24 10:46:17 2005
From: Martin Cracauer
Date: Mon, 24 Oct 2005 06:46:05 -0400
To: Peter Jeremy
Cc: freebsd-security@FreeBSD.ORG, delphij@delphij.net, developers@FreeBSD.ORG, obrien@FreeBSD.ORG
Message-ID: <20051024064605.A44523@cons.org>
In-Reply-To: <20051024080811.GF39882@cirb503493.alcatel.com.au>
Subject: Re: Is it feasible to cross-build compat5x binary?
Peter Jeremy wrote on Mon, Oct 24, 2005 at 06:08:11PM +1000:
> On Sun, 2005-Oct-23 16:29:35 -0700, David O'Brien wrote:
> >We should not trust cross-built libraries for this purpose at this time.
> >We really don't know how identical the results will be to being natively
> >built.
>
> At some stage, we need to validate our cross-build chain with cmp(1).

ELF object files are timestamped. But there's some elf-cmp out there.

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer  http://www.cons.org/cracauer/
FreeBSD - where you want to go, today.  http://www.freebsd.org/

From owner-freebsd-security@FreeBSD.ORG Tue Oct 25 00:48:20 2005
From: Jeremie Le Hen
Date: Tue, 25 Oct 2005 02:47:57 +0200
To: Peter Jeremy
Message-ID: <20051025004757.GH14063@obiwan.tataz.chchile.org>
In-Reply-To: <20051024080811.GF39882@cirb503493.alcatel.com.au>
Cc: freebsd-security@freebsd.org, delphij@delphij.net, developers@freebsd.org
Subject: Re: Is it feasible to cross-build compat5x binary?

Hi Peter and others,

> At some stage, we need to validate our cross-build chain with cmp(1).
> We can probably leverage off the work that NetBSD has done in this
> area. This would significantly simplify the work involved in supporting
> the various architectures.

In case you know enough about NetBSD's build.sh, can you say if FreeBSD's
build architecture is powerful enough to merely use it with a few s/// or
does it still lack one or more things?
Thanks,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Tue Oct 25 17:09:43 2005
From: Kris Kennaway
Date: Tue, 25 Oct 2005 13:09:35 -0400
To: Jeremie Le Hen
Cc: Peter Jeremy, delphij@delphij.net, developers@freebsd.org, freebsd-security@freebsd.org
Message-ID: <20051025170934.GA29561@xor.obsecurity.org>
In-Reply-To: <20051025004757.GH14063@obiwan.tataz.chchile.org>
Subject: Re: Is it feasible to cross-build compat5x binary?
On Tue, Oct 25, 2005 at 02:47:57AM +0200, Jeremie Le Hen wrote:
> Hi Peter and others,
>
> > At some stage, we need to validate our cross-build chain with cmp(1).
> > We can probably leverage off the work that NetBSD has done in this
> > area. This would significantly simplify the work involved in supporting
> > the various architectures.
>
> In case you know enough about NetBSD's build.sh, can you say if FreeBSD's
> build architecture is powerful enough to merely use it with a few s///
> or does it still lack one or more things?

I expect it's pretty different. ru@ did a lot of work on cross-building
FreeBSD though, and he had a fairly detailed list of known differences
between cross-built and native builds. I'm not sure if he reduced it to 0
length.
Kris

From owner-freebsd-security@FreeBSD.ORG Tue Oct 25 17:32:39 2005
From: John Fitzgerald
Date: Tue, 25 Oct 2005 13:32:37 -0400
To: freebsd-security@FreeBSD.org
Message-ID: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com>
Subject: ipf stopped working on 5.3

I've had ipf working on a few 5.3 servers for quite a while. Not too long ago
some developers had to do some coding work and were coming from dynamic IPs.
I (reluctantly) opened up SSH to the world. Immediately I started seeing the
attacks where bots of some sort would try to break in with a variety of
different users.

So, I (thought) I closed it up again and told the developers to use a
dedicated proxy. They did, but I realized that I hadn't actually closed
things off. I was still getting attacked. I had tried, but ipf suddenly
wasn't working. Whenever I would change the firewall rules and ipf -D and
then ipf -E -f /etc/my.rules it would simply return:

1:ioctl(add/insert rule): No such process

I didn't have the time to look into it at the time, but am now trying to
figure it out. Ipf is obviously not working and I don't know why. I have
tried recompiling the kernel a myriad of different ways. With/without ipfw,
with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?

I have googled this quite a bit and the only thing that I found was possibly
a buildworld scenario where something got updated and it doesn't work now. I
didn't install src so I'm a bit out of luck on that one.
FreeBSD 5.3-RELEASE
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004

Cheers,
JJ

From owner-freebsd-security@FreeBSD.ORG Tue Oct 25 17:34:57 2005
From: John Fitzgerald
Date: Tue, 25 Oct 2005 13:34:56 -0400
To: freebsd-security@freebsd.org
Message-ID: <5e49673f0510251034w40b4e073xf80bbcadcccd8f07@mail.gmail.com>
Subject: Sorry

I thought this was a discussion group

From owner-freebsd-security@FreeBSD.ORG Tue Oct 25 20:27:35 2005
From: Arne Wörner
Date: Tue, 25 Oct 2005 13:27:34 -0700 (PDT)
To: John Fitzgerald, freebsd-security@FreeBSD.org
Message-ID: <20051025202734.73746.qmail@web30309.mail.mud.yahoo.com>
In-Reply-To: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com>
Subject: Re: ipf stopped working on 5.3

I think you should try to implement a pf-based and/or an ipfw-based
firewall (both work quite well for me) immediately, so that your system
is not so much endangered... This is just a workaround...
-Arne

--- John Fitzgerald wrote:

> I've had ipf working on a few 5.3 servers for quite a while. Not too
> long ago some developers had to do some coding work and were coming
> from dynamic IPs. I (reluctantly) opened up SSH to the world.
> Immediately I started seeing the attacks where bots of some sort would
> try to break in with a variety of different users.
>
> So, I (thought) I closed it up again and told the developers to use a
> dedicated proxy. They did, but I realized that I hadn't actually closed
> things off. I was still getting attacked. I had tried, but ipf suddenly
> wasn't working. Whenever I would change the firewall rules and ipf -D
> and then ipf -E -f /etc/my.rules it would simply return:
>
> 1:ioctl(add/insert rule): No such process
>
> I didn't have the time to look into it at the time, but am now trying
> to figure it out. Ipf is obviously not working and I don't know why. I
> have tried recompiling the kernel a myriad of different ways.
> With/without ipfw, with/without ipsec, etc. All to no avail. Is this a
> bug, did I get hacked?
>
> I have googled this quite a bit and the only thing that I found was
> possibly a buildworld scenario where something got updated and it
> doesn't work now. I didn't install src so I'm a bit out of luck on that
> one.
>
> FreeBSD 5.3-RELEASE
> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
>
> Cheers,
> JJ
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Tue Oct 25 21:23:05 2005
From: Fernando Gleiser
Date: Tue, 25 Oct 2005 18:25:16 -0300 (ART)
To: John Fitzgerald
Cc: freebsd-security@freebsd.org
Message-ID: <20051025182314.V30664@cactus.fi.uba.ar>
In-Reply-To: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com>
Subject: Re: ipf stopped working on 5.3

On Tue, 25 Oct 2005, John Fitzgerald wrote:

> So, I (thought) I closed it up again and told the developers to use a
> dedicated proxy. They did, but I realized that I hadn't actually closed
> things off. I was still getting attacked. I had tried, but ipf suddenly
> wasn't working.
> Whenever I would change the firewall rules and ipf -D and
> the ipf -E -f /etc/my.rules it would simply return:
>
> 1:ioctl(add/insert rule): No such process

Looks like a version mismatch. What does 'ipf -V' say? Are you using ipf
compiled-in or as a KLD?

Fer

From owner-freebsd-security@FreeBSD.ORG Tue Oct 25 21:28:32 2005
Return-Path:
X-Original-To: freebsd-security@FreeBSD.org
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1133716A41F for ; Tue, 25 Oct 2005 21:28:32 +0000 (GMT) (envelope-from list@rsnnv.com)
Received: from mail.rsnnv.com (mail.rsnnv.com [207.168.182.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id B315143D76 for ; Tue, 25 Oct 2005 21:28:26 +0000 (GMT) (envelope-from list@rsnnv.com)
Received: (qmail 5772 invoked by uid 89); 25 Oct 2005 21:27:16 -0000
Received: by simscan 1.1.0 ppid: 5754, pid: 5755, t: 1.5770s scanners: attach: 1.1.0 clamav: 0.87/m:34/d:1146 spam: 3.0.3
Received: from unknown (HELO rsnnv01) (207.168.182.130) by mail.rsnnv.com with (RC4-MD5 encrypted) SMTP; 25 Oct 2005 21:27:14 -0000
From: "Chris Odell"
To: "'John Fitzgerald'" ,
Date: Tue, 25 Oct 2005 14:28:09 -0700
Organization: Red Star Networks, Inc
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Thread-Index: AcXZniDnHuX7D2jTS9+RTXRAbV/awwADLbPA
In-Reply-To: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on rock.rsnnv.com
X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=AWL autolearn=ham version=3.0.3
Message-Id: <20051025212826.B315143D76@mx1.FreeBSD.org>
Cc:
Subject: RE: ipf stopped working on 5.3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: list@rsnnv.com
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 Oct 2005 21:28:32 -0000

I had this same problem and found out there is a parameter that needs to be
added to the kernel config that was not needed previously. When I get back to
my office, I will look it up and send it to you.

Chris Odell

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of John Fitzgerald
Sent: Tuesday, October 25, 2005 10:33 AM
To: freebsd-security@FreeBSD.org
Subject: ipf stopped working on 5.3

I've had ipf working on a few 5.3 servers for quite awhile. Not too long ago
some developers had to do some coding work and were coming from dynamic
IP's. I (reluctantly) opened up SSH to the world. Immediately I started
seeing the attacks where bots of some sort would try to break in with a
variety of different users.

So, I (thought) I closed it up again and told the developers to use a
dedicated proxy. They did, but I realized that I hadn't actually closed
things off. I was still getting attacked. I had tried, but ipf suddenly
wasn't working. Whenever I would change the firewall rules and ipf -D and
the ipf -E -f /etc/my.rules it would simply return:

1:ioctl(add/insert rule): No such process

I didn't have the time to look into it at the time, but am now trying to
figure it out. Ipf is obviously not working and I don't know why. I have
tried recompiling the kernel a myriad of different ways. With/without ipfw,
with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?

I have googled this quite a bit and the only thing that I found was possibly
a buildworld scenario where something got updated and it doesn't work now. I
didn't install src so I'm a bit out of luck on that one.
FreeBSD 5.3-RELEASE
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004

Cheers,
JJ
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 01:24:39 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E800C16A41F for ; Wed, 26 Oct 2005 01:24:39 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5D48543D45 for ; Wed, 26 Oct 2005 01:24:39 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: by wproxy.gmail.com with SMTP id 71so18155wra for ; Tue, 25 Oct 2005 18:24:38 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=QDijgmnbjNCdTabhYuTwDLFjc7qPX/8JTfdklJ76b0V+wYIMxIf9+Fxw7Qvb99OK0fKxyuQkackdWh9V+eoIN1AgT0Du0570xGPw2oJVxtfhnZAtP52yylCKhK6JK8DFSWJrjJXFjTsP8rQ+cP3UitnD3uWWilfncsbwOi2Mgv8=
Received: by 10.54.110.9 with SMTP id i9mr129633wrc; Tue, 25 Oct 2005 18:24:38 -0700 (PDT)
Received: by 10.54.101.14 with HTTP; Tue, 25 Oct 2005 18:24:38 -0700 (PDT)
Message-ID: <5e49673f0510251824r1330bbbcrcdc95da36d90f1b8@mail.gmail.com>
Date: Tue, 25 Oct 2005 21:24:38 -0400
From: John Fitzgerald
To: list@rsnnv.com
In-Reply-To: <20051025212826.B315143D76@mx1.FreeBSD.org>
MIME-Version: 1.0
References: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com> <20051025212826.B315143D76@mx1.FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org
Subject: Re: ipf stopped working on 5.3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Oct 2005 01:24:40 -0000

ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

Though it does show it as active, it won't process any rules.

-JJ

On 10/25/05, Chris Odell wrote:
>
>
> I had this same problem and found out there is a parameter that needs to
> be added to the kernel config that was not needed previously. When I get
> back to my office, I will look it up and send it to you.
>
> Chris Odell
>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of John Fitzgerald
> Sent: Tuesday, October 25, 2005 10:33 AM
> To: freebsd-security@FreeBSD.org
> Subject: ipf stopped working on 5.3
>
> I've had ipf working on a few 5.3 servers for quite awhile. Not too long
> ago
> some developers had to do some coding work and were coming from dynamic
> IP's. I (reluctantly) opened up SSH to the world. Immediately I started
> seeing the attacks where bots of some sort would try to break in with a
> variety of different users.
>
> So, I (thought) I closed it up again and told the developers to use a
> dedicated proxy. They did, but I realized that I hadn't actually closed
> things off. I was still getting attacked. I had tried, but ipf suddenly
> wasn't working. Whenever I would change the firewall rules and ipf -D and
> the ipf -E -f /etc/my.rules it would simply return:
>
> 1:ioctl(add/insert rule): No such process
>
> I didn't have the time to look into it at the time, but am now trying to
> figure it out. Ipf is obviously not working and I don't know why.
> I have
> tried recompiling the kernel a myriad of different ways. With/without
> ipfw,
> with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?
>
> I have googled this quite a bit and the only thing that I found was
> possibly
> a buildworld scenario where something got updated and it doesn't work now.
> I
> didn't install src so I'm a bit out of luck on that one.
>
> FreeBSD 5.3-RELEASE
> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
>
> Cheers,
> JJ
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 12:25:13 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D1F8B16A423 for ; Wed, 26 Oct 2005 12:25:13 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D0C343D5A for ; Wed, 26 Oct 2005 12:25:05 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: by wproxy.gmail.com with SMTP id 71so53384wra for ; Wed, 26 Oct 2005 05:25:04 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=LIjkJpVUYsdggxGmZmSwRoyAXqHb7hYE7vwR2N6wuJd2RHD9x0zT7nx10o63s//g55U7SLILmmbxcbtjm+LOFW/mHxqNxmSRxYeBdISxlRroJJV0ik1l1PBCpuPfkLFQa2k2hmPQUztJOjAmvVcQvyBea9jOIPhLqeAtL42TtT8=
Received: by 10.54.120.6 with SMTP id s6mr385482wrc; Wed, 26 Oct 2005 05:25:03 -0700 (PDT)
Received: by 10.54.101.14 with HTTP; Wed, 26 Oct 2005 05:25:03 -0700 (PDT)
Message-ID: <5e49673f0510260525m796f8b06g2a9176e4858c1708@mail.gmail.com>
Date: Wed, 26 Oct 2005 08:25:03 -0400
From: John Fitzgerald
To: Krzysztof Stryjek
In-Reply-To: <20051026071948.GI52933@fw.wtp3.org>
MIME-Version: 1.0
References: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com> <20051026071948.GI52933@fw.wtp3.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org
Subject: Re: ipf stopped working on 5.3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Oct 2005 12:25:14 -0000

Yeah, options INET6 is already in there (by default). It's curious that it
would stop working on one of my servers, yet remain functional on the other.

-JJ

On 10/26/05, Krzysztof Stryjek wrote:
>
> Hello,
>
> Check if you have INET6 in your kernel. I've found this via Google, that
> ipf needs inet6 to be compiled.
>
> Greetings
> --
> /~\ The ASCII                Krzysztof Stryjek
> \ / Ribbon Campaign          wtp (at) wtp3.org
>  X  Against HTML             http://fw.wtp3.org/~wtp/
> / \ Email!                   GG: 3608113 JID:wtp@chrome.pl
>
> Intolerance is the last defense of the insecure.
>
>
>

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 12:57:03 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C63816A41F for ; Wed, 26 Oct 2005 12:57:03 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id 85E4143D5A for ; Wed, 26 Oct 2005 12:56:52 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: by wproxy.gmail.com with SMTP id 71so56013wra for ; Wed, 26 Oct 2005 05:56:52 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=uinc85+PGPlbfHnGCfRA9Kk+7oXQBEVKr077Mu9VB0Zf74lImkprC7kv9v5urska7YXWz3jbPO+i0sNEnJ+TzF7YMkwRwmahNE0iuax7QtBCff6pvgItgYqaCIdEugwo26XMJDfHyCJAoRl8bgIw9Bh34be6+/XpvBi3H3LoxNQ=
Received: by 10.54.120.6 with SMTP id s6mr400166wrc; Wed, 26 Oct 2005 05:56:52 -0700 (PDT)
Received: by 10.54.101.14 with HTTP; Wed, 26 Oct 2005 05:56:52 -0700 (PDT)
Message-ID: <5e49673f0510260556m1471c5bbme68d9b86681cf1ae@mail.gmail.com>
Date: Wed, 26 Oct 2005 08:56:52 -0400
From: John Fitzgerald
To: claco@chrislaco.com
In-Reply-To: <435F7A98.9010800@chrislaco.com>
MIME-Version: 1.0
References: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com> <20051026071948.GI52933@fw.wtp3.org> <5e49673f0510260525m796f8b06g2a9176e4858c1708@mail.gmail.com> <435F7A98.9010800@chrislaco.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org, Krzysztof Stryjek
Subject: Re: ipf stopped working on 5.3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Oct 2005 12:57:03 -0000

It doesn't work on boot or after ipf -D; ipf -E -f /etc/ipf.rules. My
rc.conf specifies the rules file so it's the same thing and I don't have any
other scripts that could be interfering with it (that I know of).

The only thing they installed that might have affected it (?) is "cronolog".
I've never used it before and it just appears to be a log parser. Other than
that, it's just a web box so I have openssl, mod_ssl, mod_perl, mason, php,
mysql, and apache installed with nothing else to speak of. I don't like a lot
of miscellany on my servers so it's hard to say that it might be a conflict
with something that was put on there.

-JJ

On 10/26/05, Christopher H. Laco wrote:
>
> John Fitzgerald wrote:
> > Yeah, options INET6 is already in there (by default). It's curious that
> it
> > would stop working on one of my servers, yet remain functional on the
> other.
> >
> > -JJ
> >
>
> I missed most of this thread, so I'm sure this has been covered.
>
> Does it just not work after boot, but works after issuing ipf -Fav -f
> /etc/ipf.rules?
>
> I spent a couple of days trying to figure out why my ipf rules were
> loading on boot...and then it turned out to be the fact that I put bash
> in my roots .cshrc file...it was short circuiting the startup scripts
> for ipf...
>
> -=Chris
>
>

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 16:43:40 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9399D16A41F for ; Wed, 26 Oct 2005 16:43:40 +0000 (GMT) (envelope-from avalon@caligula.anu.edu.au)
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id EAC3343D45 for ; Wed, 26 Oct 2005 16:43:39 +0000 (GMT) (envelope-from avalon@caligula.anu.edu.au)
Received: from caligula.anu.edu.au (localhost [127.0.0.1]) by caligula.anu.edu.au (8.12.9/8.12.9) with ESMTP id j9QGhcOw008523; Thu, 27 Oct 2005 02:43:38 +1000 (EST)
Received: (from avalon@localhost) by caligula.anu.edu.au (8.12.9/8.12.8/Submit) id j9QGhbng008521; Thu, 27 Oct 2005 02:43:37 +1000 (EST)
From: Darren Reed
Message-Id: <200510261643.j9QGhbng008521@caligula.anu.edu.au>
To: jjfitzgerald@gmail.com (John Fitzgerald)
Date: Thu, 27 Oct 2005 02:43:37 +1000 (Australia/ACT)
In-Reply-To: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com> from "John Fitzgerald" at Oct 25, 2005 01:32:37 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org
Subject: Re: ipf stopped working on 5.3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Oct 2005 16:43:40 -0000

In some mail from John Fitzgerald, sie said:
>
> Whenever I would change the firewall rules and ipf -D and
> the ipf -E -f /etc/my.rules it would simply return:
>
> 1:ioctl(add/insert rule): No such process

More than likely you have a rule referring to a group before you've used
"head" in a rule.
Darren

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 16:48:22 2005
Return-Path:
X-Original-To: freebsd-security@FreeBSD.org
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCC1D16A41F for ; Wed, 26 Oct 2005 16:48:22 +0000 (GMT) (envelope-from ray@redshift.com)
Received: from mail.quickmeet.com (quickmeet.com [216.228.17.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id A430743D48 for ; Wed, 26 Oct 2005 16:48:22 +0000 (GMT) (envelope-from ray@redshift.com)
Received: from workstation (workstation [192.168.20.250]) by mail.quickmeet.com (Postfix) with SMTP id 0744C17032; Wed, 26 Oct 2005 09:21:16 -0700 (PDT)
Message-Id: <3.0.1.32.20051026094825.00d41100@pop.redshift.com>
X-Mailer: na
X-Sender: redshift.com
Date: Wed, 26 Oct 2005 09:48:25 -0700
To: John Fitzgerald , freebsd-security@FreeBSD.org
From: ray@redshift.com
In-Reply-To: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc:
Subject: Re: ipf stopped working on 5.3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Oct 2005 16:48:23 -0000

At 01:32 PM 10/25/2005 -0400, John Fitzgerald wrote:
| I've had ipf working on a few 5.3 servers for quite awhile. Not too long ago
| some developers had to do some coding work and were coming from dynamic
| IP's. I (reluctantly) opened up SSH to the world. Immediately I started
| seeing the attacks where bots of some sort would try to break in with a
| variety of different users.
|
| So, I (thought) I closed it up again and told the developers to use a
| dedicated proxy. They did, but I realized that I hadn't actually closed
| things off. I was still getting attacked.
| I had tried, but ipf suddenly
| wasn't working. Whenever I would change the firewall rules and ipf -D and
| the ipf -E -f /etc/my.rules it would simply return:
|
| 1:ioctl(add/insert rule): No such process
|
| I didn't have the time to look into it at the time, but am now trying to
| figure it out. Ipf is obviously not working and I don't know why. I have
| tried recompiling the kernel a myriad of different ways. With/without ipfw,
| with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?
|
| I have googled this quite a bit and the only thing that I found was possibly
| a buildworld scenario where something got updated and it doesn't work now. I
| didn't install src so I'm a bit out of luck on that one.
|
| FreeBSD 5.3-RELEASE
| OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
|

usually that means you are trying to run it without being root, or you have a
rule that doesn't belong to a group/head.

I ran into something else once that caused that, but now I can't remember it.
Feel free to send your ipf.rules if it's not too sensitive.
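Darren's and Ray's replies above point at the same failure: a rule that names "group N" when no earlier rule has declared "head N". That condition can be checked mechanically before a rule file is handed to ipf -f, which is safer than finding out from a remote session that stops answering. The checker below is an added example written for this thread; it is not code from any participant nor from the IP Filter sources. It walks a rule file in load order, records every "head N" together with the rule's direction, and reports a "group N" reference that has no matching head. It treats groups as direction-specific (an "in" head does not satisfy an "out" rule), which is an assumption about how IP Filter keys its group tables and should be confirmed against ipf.conf(5) for the version in use. The embedded rule set is constructed, modelled on the one JJ posted later in the thread with its host placeholders kept, and is input for the checker rather than a recommended configuration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample rule set, modelled on the one posted in this thread
# (host placeholders kept). It is input for the checker, not a recommended config.
SAMPLE_RULES = """\
# block nasty packets
block in log quick all with short
# loopback packets left alone
pass in log quick on lo0 all
pass out log quick on lo0 all
# group heads for bge0: 100 incoming, 150 outgoing
block in log on bge0 all head 10
block in log on bge0 all head 100
block out log on bge0 all head 150
pass in log quick proto tcp from any to any port = 80 flags S/SA keep state
pass out log quick proto udp from any to MY_LOGGER port = 514 group 150
block out log quick from any to any group 100
block in log quick on bge0 all
"""

_ACTION_RE = re.compile(r"^(pass|block|log|count|call|skip|auth|preauth)\b")
_DIR_RE = re.compile(r"\b(in|out)\b")
_HEAD_RE = re.compile(r"\bhead\s+(\d+)\b")
_GROUP_RE = re.compile(r"\bgroup\s+(\d+)\b")


def parse_rule(line: str) -> Optional[Tuple[Optional[str], Optional[int], Optional[int]]]:
    """Return (direction, head, group) for one rule line; None for blank or comment lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    if not _ACTION_RE.match(text):
        return (None, None, None)  # unrecognised rule form; direction undetermined
    direction_m = _DIR_RE.search(text)
    head_m = _HEAD_RE.search(text)
    group_m = _GROUP_RE.search(text)
    return (
        direction_m.group(1) if direction_m else None,
        int(head_m.group(1)) if head_m else None,
        int(group_m.group(1)) if group_m else None,
    )


def check_groups(rules_text: str) -> List[Tuple[int, str]]:
    """Walk the rules in load order and report 'group N' references that have no
    earlier 'head N' of the same direction. Returns (line number, message) pairs.
    Assumption: IP Filter keeps separate group tables for 'in' and 'out' rules."""
    declared = set()  # (direction, group number) of every head seen so far
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        direction, head, group = parsed
        if direction is None:
            findings.append((lineno, "cannot determine rule direction (in/out)"))
            continue
        if group is not None and (direction, group) not in declared:
            other = "out" if direction == "in" else "in"
            if (other, group) in declared:
                findings.append((lineno, f"group {group} used in an '{direction}' rule, "
                                         f"but its head is an '{other}' rule"))
            else:
                findings.append((lineno, f"group {group} referenced before any "
                                         f"'{direction}' rule declares 'head {group}'"))
        if head is not None:
            declared.add((direction, head))  # heads become visible to later rules only
    return findings


if __name__ == "__main__":
    import sys
    # Pass a rules file as the first argument; without one the constructed sample is checked.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, message in check_groups(source):
        print(f"line {lineno}: {message}")
```

Run against the sample it reports line 12, the "block out ... group 100" rule whose head was declared with "block in". A rule file that passes this check and still fails with the same ioctl error points back at the other suggestions in the thread: an ipf -V userland/kernel version mismatch, loading rules without root, or the kernel options the build needs.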
Ray

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 17:01:21 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D16B816A41F for ; Wed, 26 Oct 2005 17:01:21 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id 47B2043D46 for ; Wed, 26 Oct 2005 17:01:21 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: by wproxy.gmail.com with SMTP id 71so77743wra for ; Wed, 26 Oct 2005 10:01:20 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=XgHNOS/LhplRYd6qfHndyCR5Jjh38YslknDoRiRfp/FlsijvRJzelCMV6b70VXOYeR3Y9N0H66xmZZPfBHwAoX86sNftgpSzY7Xtq0bWDOe69ZPcu4vwSqlnqC7gq/44OdTF316PirvbWZP2XzI8BmJPMCv1lZXgpBMsVM9okSI=
Received: by 10.54.40.60 with SMTP id n60mr516095wrn; Wed, 26 Oct 2005 10:01:20 -0700 (PDT)
Received: by 10.54.101.14 with HTTP; Wed, 26 Oct 2005 10:01:20 -0700 (PDT)
Message-ID: <5e49673f0510261001o10ccb473m6c363d651fa78a6c@mail.gmail.com>
Date: Wed, 26 Oct 2005 13:01:20 -0400
From: John Fitzgerald
To: "ray@redshift.com"
In-Reply-To: <3.0.1.32.20051026094825.00d41100@pop.redshift.com>
MIME-Version: 1.0
References: <3.0.1.32.20051026094825.00d41100@pop.redshift.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org
Subject: Re: ipf stopped working on 5.3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Oct 2005 17:01:21 -0000

Hi Ray,
Here's a cleaned up version of ipf.rules:

#--------------------------------------------------------------------------
# block nasty packets
#--------------------------------------------------------------------------
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr

#--------------------------------------------------------------------------
# loopback packets left alone
#--------------------------------------------------------------------------
pass in log quick on lo0 all
pass out log quick on lo0 all

#--------------------------------------------------------------------------
# 100 incoming bge0
# 150 outgoing bge0
#--------------------------------------------------------------------------
block in log on bge0 all head 10
block in log on bge0 all head 100
block out log on bge0 all head 150

#--------------------------------------------------------------------------
# allow all traffic to 80 and 443
#--------------------------------------------------------------------------
pass in log quick proto tcp from any to any port = 80 flags S/SA keep state
pass in log quick proto tcp from any to any port = 443 flags S/SA keep state

#--------------------------------------------------------------------------
# allow only traffic from known hosts to localhost:ssh
#--------------------------------------------------------------------------
pass in log quick proto tcp from MY_FIRST_HOST to any port = 22 flags S/SA keep state
pass in log quick proto tcp from MY_SECOND_HOST to any port = 22 flags S/SA keep state

#--------------------------------------------------------------------------
# allow outgoing keystrokes and syslog to logger
#--------------------------------------------------------------------------
pass out log quick proto udp from any to MY_LOGGER port = 514 group 150

#--------------------------------------------------------------------------
# block all other outgoing traffic
#--------------------------------------------------------------------------
block out log quick from any to any group 100

#--------------------------------------------------------------------------
# block all
#--------------------------------------------------------------------------
block in log quick on bge0 all

The group 10 is for my script to block ip's on the fly. I think someone from
the FreeBSD Diary wrote a script that I use when attacks come in. I suppose I
could use 100 for that, but I just used 10 to separate and I think that's
what the example used. Probably not the best ipf.rules but it (seemed) to
work.

JJ

On 10/26/05, ray@redshift.com wrote:
>
> At 01:32 PM 10/25/2005 -0400, John Fitzgerald wrote:
> | I've had ipf working on a few 5.3 servers for quite awhile. Not too long
> ago
> | some developers had to do some coding work and were coming from dynamic
> | IP's. I (reluctantly) opened up SSH to the world. Immediately I started
> | seeing the attacks where bots of some sort would try to break in with a
> | variety of different users.
> |
> | So, I (thought) I closed it up again and told the developers to use a
> | dedicated proxy. They did, but I realized that I hadn't actually closed
> | things off. I was still getting attacked. I had tried, but ipf suddenly
> | wasn't working. Whenever I would change the firewall rules and ipf -D
> and
> | the ipf -E -f /etc/my.rules it would simply return:
> |
> | 1:ioctl(add/insert rule): No such process
> |
> | I didn't have the time to look into it at the time, but am now trying to
> | figure it out. Ipf is obviously not working and I don't know why. I have
> | tried recompiling the kernel a myriad of different ways. With/without
> ipfw,
> | with/without ipsec, etc. All to no avail. Is this a bug, did I get
> hacked?
> |
> | I have googled this quite a bit and the only thing that I found was
> possibly
> | a buildworld scenario where something got updated and it doesn't work
> now.
> I
> | didn't install src so I'm a bit out of luck on that one.
> |
> | FreeBSD 5.3-RELEASE
> | OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
> |
>
> usually that means you are trying to run it without being root, or you
> have a
> rule that doesn't belong to a group/head.
>
> I ran into something else once that caused that, but now I can't remember
> it.
> Feel free to send your ipf.rules if it's not too sensitive.
>
> Ray
>
>

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 17:13:00 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D879E16A41F for ; Wed, 26 Oct 2005 17:13:00 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4068D43D45 for ; Wed, 26 Oct 2005 17:13:00 +0000 (GMT) (envelope-from jjfitzgerald@gmail.com)
Received: by wproxy.gmail.com with SMTP id 71so78719wra for ; Wed, 26 Oct 2005 10:12:59 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=l0mTJMLUbQi6ipF+uhvqes7iRQJZaXrFBubyz0MMmGs+ZIKF1vXgP5RtV7yU4jOwDZJmq7dMvmARIiRbM/3Ub5omzQqt7K+PrPiXIOAjFj5wEbWg7KZ6Jyo1hPlxLeROewsIOeU0wofhjDLLbaCQJHsTMg9WfvLyUQ/amlpX0q8=
Received: by 10.54.110.1 with SMTP id i1mr526533wrc; Wed, 26 Oct 2005 10:12:59 -0700 (PDT)
Received: by 10.54.101.14 with HTTP; Wed, 26 Oct 2005 10:12:59 -0700 (PDT)
Message-ID: <5e49673f0510261012u3ebd85b7if50abd2bbed150f6@mail.gmail.com>
Date: Wed, 26 Oct 2005 13:12:59 -0400
From: John Fitzgerald
To: "ray@redshift.com"
In-Reply-To: <5e49673f0510261001o10ccb473m6c363d651fa78a6c@mail.gmail.com>
MIME-Version: 1.0
References: <3.0.1.32.20051026094825.00d41100@pop.redshift.com> <5e49673f0510261001o10ccb473m6c363d651fa78a6c@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org
Subject: Re: ipf stopped working on 5.3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Oct 2005 17:13:01 -0000

Another strange symptom is that if I ipf -D and then ipf -E -f
/etc/ipf.rules, my terminal (I'm remote) will freeze and I'll be forced to
power cycle the server, after which time it will come back up (with no rules
running). I'm assuming that after the ipf -E -f /etc/ipf.rules somehow the
firewall stops all traffic since apache won't respond to web requests either.

As a side note, I did put the sshd server listening on an obscure port so it
should take awhile for the bots to find it. The ipf.rules I left at 22 as a
testament to it not working. However this obviously isn't a permanent
solution as I should be able to get ipf working.
JJ

On 10/26/05, John Fitzgerald wrote:
>
> Hi Ray,
>
> Here's a cleaned up version of ipf.rules:
>
>
> #--------------------------------------------------------------------------
> # block nasty packets
> #--------------------------------------------------------------------------
>
> block in log quick all with short
> block in log quick all with opt lsrr
> block in log quick all with opt ssrr
>
>
> #--------------------------------------------------------------------------
> # loopback packets left alone
>
> #--------------------------------------------------------------------------
> pass in log quick on lo0 all
> pass out log quick on lo0 all
>
> #--------------------------------------------------------------------------
>
> # 100 incoming bge0
> # 150 outgoing bge0
>
> #--------------------------------------------------------------------------
> block in log on bge0 all head 10
> block in log on bge0 all head 100
> block out log on bge0 all head 150
>
>
> #--------------------------------------------------------------------------
> # allow all traffic to 80 and 443
>
> #--------------------------------------------------------------------------
> pass in log quick proto tcp from any to any port = 80 flags S/SA keep
> state
> pass in log quick proto tcp from any to any port = 443 flags S/SA keep
> state
>
>
> #--------------------------------------------------------------------------
> # allow only traffic from known hosts to localhost:ssh
>
> #--------------------------------------------------------------------------
> pass in log quick proto tcp from MY_FIRST_HOST to any port = 22 flags S/SA
> keep state
> pass in log quick proto tcp from MY_SECOND_HOST to any port = 22 flags
> S/SA keep state
>
>
> #--------------------------------------------------------------------------
> # allow outgoing keystrokes and syslog to logger
>
> #--------------------------------------------------------------------------
> pass out log quick proto udp from any to MY_LOGGER port = 514 group 150
>
>
> #--------------------------------------------------------------------------
> # block all other outgoing traffic
>
> #--------------------------------------------------------------------------
> block out log quick from any to any group 100
>
>
> #--------------------------------------------------------------------------
> # block all
>
> #--------------------------------------------------------------------------
> block in log quick on bge0 all
>
> The group 10 is for my script to block ip's on the fly. I think someone
> from the FreeBSD Diary wrote a script that I use when attacks come in. I
> suppose I could use 100 for that, but I just used 10 to separate and I think
> that's what the example used. Probably not the best ipf.rules but it
> (seemed) to work.
>
> JJ
>
>
> On 10/26/05, ray@redshift.com < ray@redshift.com> wrote:
> >
> > At 01:32 PM 10/25/2005 -0400, John Fitzgerald wrote:
> > | I've had ipf working on a few 5.3 servers for quite awhile. Not too
> > long ago
> > | some developers had to do some coding work and were coming from
> > dynamic
> > | IP's. I (reluctantly) opened up SSH to the world. Immediately I
> > started
> > | seeing the attacks where bots of some sort would try to break in with
> > a
> > | variety of different users.
> > |
> > | So, I (thought) I closed it up again and told the developers to use a
> > | dedicated proxy. They did, but I realized that I hadn't actually
> > closed
> > | things off. I was still getting attacked. I had tried, but ipf
> > suddenly
> > | wasn't working. Whenever I would change the firewall rules and ipf -D
> > and
> > | the ipf -E -f /etc/my.rules it would simply return:
> > |
> > | 1:ioctl(add/insert rule): No such process
> > |
> > | I didn't have the time to look into it at the time, but am now trying
> > to
> > | figure it out. Ipf is obviously not working and I don't know why.
I > > have > > | tried recompiling the kernel a myriad of different ways. With/without > > ipfw, > > | with/without ipsec, etc. All to no avail. Is this a bug, did I get > > hacked? > > | > > | I have googled this quite a bit and the only thing that I found was > > possibly > > | a buildworld scenario where something got updated and it doesn't work > > now. I > > | didn't install src so I'm a bit out of luck on that one. > > | > > | FreeBSD 5.3-RELEASE > > | OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004 > > | > > > > usually that means you are trying to run it without being root, or you > > have a > > rule that doesn't belong to a group/head. > > > > I ran into something else once that caused that, but now I can't > > remember it. > > Feel free to send your ipf.rules if it's not to sensitive. > > > > Ray > > > > > From owner-freebsd-security@FreeBSD.ORG Tue Oct 25 22:35:26 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C0AB16A41F for ; Tue, 25 Oct 2005 22:35:26 +0000 (GMT) (envelope-from nathan.goulding@gmail.com) Received: from xproxy.gmail.com (xproxy.gmail.com [66.249.82.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id 06EED43D55 for ; Tue, 25 Oct 2005 22:35:25 +0000 (GMT) (envelope-from nathan.goulding@gmail.com) Received: by xproxy.gmail.com with SMTP id t4so45990wxc for ; Tue, 25 Oct 2005 15:35:25 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=ldaSeECjPzXRco2HodvIgGraLjdZUK8EXX7ZuhJGb2skdviVb0F3GTJwywEZkBfV5noya1eCpkpXwxbfeayah86K6C05LHUkcBXjCb/Tc66skV131khWnTrpo1/9fHVGZE+lcjlXYSA1WceRADs/QMCnIeDd5Az5+xb8+peY2W4= Received: by 10.65.244.16 with SMTP id w16mr141922qbr; Tue, 25 Oct 2005 15:35:25 -0700 (PDT) Received: by 10.65.119.12 with HTTP; Tue, 25 
Oct 2005 15:35:25 -0700 (PDT) Message-ID: Date: Tue, 25 Oct 2005 18:35:25 -0400 From: Nathan Goulding To: list@rsnnv.com In-Reply-To: <20051025212826.B315143D76@mx1.FreeBSD.org> MIME-Version: 1.0 References: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com> <20051025212826.B315143D76@mx1.FreeBSD.org> X-Mailman-Approved-At: Wed, 26 Oct 2005 17:14:45 +0000 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: ipf stopped working on 5.3 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Oct 2005 22:35:26 -0000

ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

Though it does show it as active, it won't process any rules.

-JJ

On 10/25/05, Chris Odell wrote:
>
> I had this same problem and found out there is a parameter that needs to
> be added to the kernel config that was not needed previously. When I get
> back to my office, I will look it up and send it to you.
>
> Chris Odell
>
> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of John Fitzgerald
> Sent: Tuesday, October 25, 2005 10:33 AM
> To: freebsd-security@FreeBSD.org
> Subject: ipf stopped working on 5.3
>
> I've had ipf working on a few 5.3 servers for quite awhile. Not too long ago
> some developers had to do some coding work and were coming from dynamic IP's.
> I (reluctantly) opened up SSH to the world. Immediately I started seeing the
> attacks where bots of some sort would try to break in with a variety of
> different users.
> So, I (thought) I closed it up again and told the developers to use a
> dedicated proxy. They did, but I realized that I hadn't actually closed
> things off. I was still getting attacked. I had tried, but ipf suddenly
> wasn't working. Whenever I would change the firewall rules and ipf -D and
> the ipf -E -f /etc/my.rules it would simply return:
>
> 1:ioctl(add/insert rule): No such process
>
> I didn't have the time to look into it at the time, but am now trying to
> figure it out. Ipf is obviously not working and I don't know why. I have
> tried recompiling the kernel a myriad of different ways. With/without ipfw,
> with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?
>
> I have googled this quite a bit and the only thing that I found was possibly
> a buildworld scenario where something got updated and it doesn't work now. I
> didn't install src so I'm a bit out of luck on that one.
>
> FreeBSD 5.3-RELEASE
> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
>
> Cheers,
> JJ
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 05:18:48 2005 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A0E816A41F; Wed, 26 Oct 2005 05:18:48 +0000 (GMT) (envelope-from imp@bsdimp.com) Received: from harmony.bsdimp.com (vc4-2-0-87.dsl.netrack.net [199.45.160.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id
CBDB343D45; Wed, 26 Oct 2005 05:18:47 +0000 (GMT) (envelope-from imp@bsdimp.com) Received: from localhost (localhost.village.org [127.0.0.1] (may be forged)) by harmony.bsdimp.com (8.13.3/8.13.3) with ESMTP id j9Q5HWa5017086; Tue, 25 Oct 2005 23:17:33 -0600 (MDT) (envelope-from imp@bsdimp.com) Date: Tue, 25 Oct 2005 23:17:29 -0600 (MDT) Message-Id: <20051025.231729.26928360.imp@bsdimp.com> To: cracauer@cons.org From: "M. Warner Losh" In-Reply-To: <20051024064605.A44523@cons.org> References: <20051023232935.GC602@dragon.NUXI.org> <20051024080811.GF39882@cirb503493.alcatel.com.au> <20051024064605.A44523@cons.org> X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 (harmony.bsdimp.com [127.0.0.1]); Tue, 25 Oct 2005 23:17:33 -0600 (MDT) X-Mailman-Approved-At: Wed, 26 Oct 2005 17:14:45 +0000 Cc: PeterJeremy@optushome.com.au, delphij@delphij.net, developers@FreeBSD.org, obrien@FreeBSD.org, freebsd-security@FreeBSD.org Subject: Re: Is it feasible to cross-build compat5x binary? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2005 05:18:48 -0000

In message: <20051024064605.A44523@cons.org>
            Martin Cracauer writes:
: Peter Jeremy wrote on Mon, Oct 24, 2005 at 06:08:11PM +1000:
: > On Sun, 2005-Oct-23 16:29:35 -0700, David O'Brien wrote:
: > >We should not trust cross built libraries for this purpose at this time.
: > >We really don't know how identical the results will be to being natively
: > >built.
: >
: > At some stage, we need to validate our cross-build chain with cmp(1).
:
: ELF object files are timestamped. But there's some elf-cmp out there.
Elf .o's are timestamped, but Elf executables are 100% reproducible,
except when people go out of their way to not make them so. Like
adding the date or person builder.

Warner

From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 05:24:23 2005 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 847DB16A420; Wed, 26 Oct 2005 05:24:23 +0000 (GMT) (envelope-from imp@bsdimp.com) Received: from harmony.bsdimp.com (vc4-2-0-87.dsl.netrack.net [199.45.160.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B9F443D46; Wed, 26 Oct 2005 05:24:23 +0000 (GMT) (envelope-from imp@bsdimp.com) Received: from localhost (localhost.village.org [127.0.0.1] (may be forged)) by harmony.bsdimp.com (8.13.3/8.13.3) with ESMTP id j9Q5NQUl017129; Tue, 25 Oct 2005 23:23:27 -0600 (MDT) (envelope-from imp@bsdimp.com) Date: Tue, 25 Oct 2005 23:23:23 -0600 (MDT) Message-Id: <20051025.232323.93475319.imp@bsdimp.com> To: kris@obsecurity.org From: "M. Warner Losh" In-Reply-To: <20051025170934.GA29561@xor.obsecurity.org> References: <20051024080811.GF39882@cirb503493.alcatel.com.au> <20051025004757.GH14063@obiwan.tataz.chchile.org> <20051025170934.GA29561@xor.obsecurity.org> X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 (harmony.bsdimp.com [127.0.0.1]); Tue, 25 Oct 2005 23:23:28 -0600 (MDT) X-Mailman-Approved-At: Wed, 26 Oct 2005 17:14:45 +0000 Cc: jeremie@le-hen.org, developers@FreeBSD.org, PeterJeremy@optushome.com.au, obrien@FreeBSD.org, freebsd-security@FreeBSD.org, delphij@delphij.net Subject: Re: Is it feasible to cross-build compat5x binary?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2005 05:24:23 -0000

In message: <20051025170934.GA29561@xor.obsecurity.org>
            Kris Kennaway writes:
: On Tue, Oct 25, 2005 at 02:47:57AM +0200, Jeremie Le Hen wrote:
: > Hi Peter and others,
: >
: > > At some stage, we need to validate our cross-build chain with cmp(1).
: > > We can probably leverage off the work that NetBSD has done in this
: > > area. This would significantly simplify the work involved in supporting
: > > the various architectures.
: >
: > in case you know enough about NetBSD's build.sh, can you say if FreeBSD's
: > build architecture is powerful enough to merely use it with a few s///
: > or does it still lack one or more things ?
:
: I expect it's pretty different. ru@ did a lot of work on
: cross-building FreeBSD though, and he had a fairly detailed list
: of known differences between cross-built and native builds. I'm not
: sure if he reduced it to 0 length.

NetBSD build.sh runs great on FreeBSD, when building NetBSD sources that
is :-). I know that cross builds for i386 from amd64 work well enough.
However, we[*] were unable to get a full cross build for i386 world setup
on my amd64 machine when last I tried.

Warner

[*] tried to setup a dual amd64 box as our build server for our embedded
FreeBSD/i386 product. It was quite a bit more complicated than just a
normal cross build, but there were many issues that our (both FreeBSD and
our company's) build systems paper over for a few edge cases that seem to
not matter...
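[Editor's note, added to this archive; not part of any message in the thread.] The question running through the cross-build thread, whether a cross-built compat5x library is byte-identical to a natively built one, is settled the way Peter Jeremy's quoted remark suggests: compare the two installed trees with cmp(1). The script below is an added example for this page, not FreeBSD build-system code and not a script any poster attached. It assumes POSIX sh, find(1) and cmp(1), and two identically laid-out DESTDIR-style trees; the files that demo() writes are constructed stand-ins, not real libraries. It lists files that differ or exist in only one tree, and for a differing file prints the first differing byte offsets, which is where an embedded build date or builder name (the one exception Warner names above) shows up in an otherwise identical object.

```sh
#!/bin/sh
# compare_trees.sh: byte-for-byte comparison of two installed trees, e.g.
# a native "make installworld DESTDIR=..." and its cross-built equivalent.
# Added example for this archive; not a FreeBSD build-system script.
# Assumes POSIX sh, find(1), cmp(1); tree paths may be relative.

# compare_trees NATIVE CROSS
# Prints one line per divergence ("differs: path", "only in native: path",
# "only in cross: path") and nothing at all when the trees are identical.
compare_trees() {
    native=$(cd "$1" && pwd) || return 2
    cross=$(cd "$2" && pwd) || return 2
    (
        cd "$native" || exit 2
        find . -type f | sort | while IFS= read -r f; do
            if [ ! -f "$cross/$f" ]; then
                printf 'only in native: %s\n' "${f#./}"
            elif ! cmp -s "$f" "$cross/$f"; then
                printf 'differs: %s\n' "${f#./}"
            fi
        done
        cd "$cross" || exit 2
        find . -type f | sort | while IFS= read -r f; do
            [ -f "$native/$f" ] || printf 'only in cross: %s\n' "${f#./}"
        done
    )
}

# trees_identical NATIVE CROSS: exit 0 when no divergence is reported.
trees_identical() {
    [ -z "$(compare_trees "$1" "$2")" ]
}

# first_difference FILE_A FILE_B [N]: the first N (default 5) differing
# bytes as "offset octal_a octal_b" (cmp -l's format). A build date or
# builder name stamped into the binary shows up as a short run here.
first_difference() {
    cmp -l "$1" "$2" | head -n "${3:-5}"
}

# demo: two constructed DESTDIR-style trees (contents are made up, not
# real FreeBSD libraries); libssl differs only in an embedded stamp.
demo() {
    t=$(mktemp -d "${TMPDIR:-/tmp}/cmptrees.XXXXXX") || exit 2
    mkdir -p "$t/native/usr/lib" "$t/cross/usr/lib" "$t/cross/usr/bin"
    printf 'identical object code'         > "$t/native/usr/lib/libc.so.5"
    printf 'identical object code'         > "$t/cross/usr/lib/libc.so.5"
    printf 'code; built 2005-10-27 by bde' > "$t/native/usr/lib/libssl.so.3"
    printf 'code; built 2005-10-28 by ru ' > "$t/cross/usr/lib/libssl.so.3"
    printf 'stray file'                    > "$t/cross/usr/bin/extra"

    compare_trees "$t/native" "$t/cross"
    echo '--- first differing bytes in libssl.so.3:'
    first_difference "$t/native/usr/lib/libssl.so.3" "$t/cross/usr/lib/libssl.so.3"
    trees_identical "$t/native" "$t/cross" && echo identical || echo 'NOT identical'
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as "sh compare_trees.sh demo" to see the constructed case, or source it and call compare_trees on a native and a cross-built DESTDIR. A non-empty report is the signal to look at the offending file with first_difference (or strings(1)) before deciding whether the difference is a stamp or real code.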
From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 12:46:19 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E8C216A41F for ; Wed, 26 Oct 2005 12:46:19 +0000 (GMT) (envelope-from claco@chrislaco.com) Received: from mail.icantfocus.com (mail.icantfocus.com [65.42.59.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0E2A343D48 for ; Wed, 26 Oct 2005 12:46:18 +0000 (GMT) (envelope-from claco@chrislaco.com) Received: from [191.2.3.14] (mail2.summitracing.com [208.44.49.7]) by mail.icantfocus.com (Postfix) with ESMTP id 9EB36237F5; Wed, 26 Oct 2005 08:16:53 -0400 (EDT) Message-ID: <435F7A98.9010800@chrislaco.com> Date: Wed, 26 Oct 2005 08:46:16 -0400 From: "Christopher H. Laco" User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: John Fitzgerald References: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com> <20051026071948.GI52933@fw.wtp3.org> <5e49673f0510260525m796f8b06g2a9176e4858c1708@mail.gmail.com> In-Reply-To: <5e49673f0510260525m796f8b06g2a9176e4858c1708@mail.gmail.com> X-Enigmail-Version: 0.92.0.0 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms060300090806020809070200" X-Mailman-Approved-At: Wed, 26 Oct 2005 17:14:45 +0000 Cc: freebsd-security@freebsd.org, Krzysztof Stryjek Subject: Re: ipf stopped working on 5.3 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: claco@chrislaco.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Oct 2005 12:46:19 -0000 This is a cryptographically signed message in MIME format. 
John Fitzgerald wrote:
> Yeah, options INET6 is already in there (by default). It's curious that it
> would stop working on one of my servers, yet remain functional on the other.
>
> -JJ
>

I missed most of this thread, so I'm sure this has been covered. Does it
just not work after boot, but works after issuing ipf -Fav -f /etc/ipf.rules?

I spent a couple of days trying to figure out why my ipf rules were loading
on boot...and then it turned out to be the fact that I put bash in my root's
.cshrc file...it was short circuiting the startup scripts for ipf...

-=Chris

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 05:21:38 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F4E016A41F; Thu, 27 Oct 2005 05:21:38 +0000 (GMT) (envelope-from bde@zeta.org.au) Received: from mailout1.pacific.net.au (mailout1.pacific.net.au [61.8.0.84]) by mx1.FreeBSD.org (Postfix) with ESMTP id 62C5E43D45; Thu, 27 Oct 2005 05:21:37 +0000 (GMT) (envelope-from bde@zeta.org.au) Received: from mailproxy2.pacific.net.au (mailproxy2.pacific.net.au [61.8.0.87]) by
mailout1.pacific.net.au (8.13.4/8.13.4/Debian-3) with ESMTP id j9R5L5Bf011779; Thu, 27 Oct 2005 15:21:05 +1000 Received: from katana.zip.com.au (katana.zip.com.au [61.8.7.246]) by mailproxy2.pacific.net.au (8.13.4/8.13.4/Debian-3) with ESMTP id j9R5L2kE017839; Thu, 27 Oct 2005 15:21:03 +1000 Date: Thu, 27 Oct 2005 15:21:02 +1000 (EST) From: Bruce Evans X-X-Sender: bde@delplex.bde.org To: "M. Warner Losh" In-Reply-To: <20051025.231729.26928360.imp@bsdimp.com> Message-ID: <20051027151929.K24217@delplex.bde.org> References: <20051023232935.GC602@dragon.NUXI.org> <20051024080811.GF39882@cirb503493.alcatel.com.au> <20051024064605.A44523@cons.org> <20051025.231729.26928360.imp@bsdimp.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: developers@freebsd.org, PeterJeremy@optushome.com.au, freebsd-security@freebsd.org, cracauer@cons.org, delphij@delphij.net Subject: Re: Is it feasible to cross-build compat5x binary? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Oct 2005 05:21:38 -0000

On Tue, 25 Oct 2005, M. Warner Losh wrote:

> In message: <20051024064605.A44523@cons.org>
>             Martin Cracauer writes:
> : ELF object files are timestamped. But there's some elf-cmp out there.
>
> Elf .o's are timestamped,

Script started on Thu Oct 27 15:17:31 2005
ttyv2:bde@epsplex:/tmp/z> echo "int i = 1;" >z.c
ttyv2:bde@epsplex:/tmp/z> cc -c z.c
ttyv2:bde@epsplex:/tmp/z> mv z.o z.o~
ttyv2:bde@epsplex:/tmp/z> cc -c z.c
ttyv2:bde@epsplex:/tmp/z> md5 z.o~ z.o
MD5 (z.o~) = c92e2bbb5a0e8b4f05eced238762dde1
MD5 (z.o) = c92e2bbb5a0e8b4f05eced238762dde1
ttyv2:bde@epsplex:/tmp/z> cmp z.o~ z.o
ttyv2:bde@epsplex:/tmp/z> exit
Script done on Thu Oct 27 15:18:14 2005

> but Elf executables are 100% reproducible,
> except when people go out of their way to not make them so.
> Like
> adding the date or person builder.

True.

Bruce

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 06:08:52 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 41A1C16A41F for ; Thu, 27 Oct 2005 06:08:52 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from cicero2.cybercity.dk (cicero2.cybercity.dk [212.242.40.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBA5B43D45 for ; Thu, 27 Oct 2005 06:08:51 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from user4.cybercity.dk (user4.cybercity.dk [212.242.41.50]) by cicero2.cybercity.dk (Postfix) with ESMTP id 5CFD7190D71 for ; Thu, 27 Oct 2005 08:08:50 +0200 (CEST) Received: from [10.0.0.3] (port132.ds1-arsy.adsl.cybercity.dk [212.242.239.73]) by user4.cybercity.dk (Postfix) with ESMTP id 12BF550424 for ; Thu, 27 Oct 2005 08:08:50 +0200 (CEST) From: db To: freebsd-security@freebsd.org Date: Thu, 27 Oct 2005 06:08:51 +0000 User-Agent: KMail/1.8.2 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200510270608.51571.db@traceroute.dk> Subject: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Oct 2005 06:08:52 -0000

Hi all

Does FreeBSD support a non-executable stack on any of the tier 1 and 2
platforms that have this feature?
If not, are there any plans of implementing this and is there a patch I can
use for 6.0 (when it is released)?
Best regards db From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 06:17:16 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5905316A41F for ; Thu, 27 Oct 2005 06:17:16 +0000 (GMT) (envelope-from ray@redshift.com) Received: from mail.quickmeet.com (quickmeet.com [216.228.17.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2112643D46 for ; Thu, 27 Oct 2005 06:17:16 +0000 (GMT) (envelope-from ray@redshift.com) Received: from workstation (workstation [192.168.20.250]) by mail.quickmeet.com (Postfix) with SMTP id A5E9F17032; Wed, 26 Oct 2005 22:50:03 -0700 (PDT) Message-Id: <3.0.1.32.20051026231719.00a842c0@pop.redshift.com> X-Mailer: na X-Sender: redshift.com Date: Wed, 26 Oct 2005 23:17:19 -0700 To: John Fitzgerald From: ray@redshift.com In-Reply-To: <5e49673f0510261012u3ebd85b7if50abd2bbed150f6@mail.gmail.co m> References: <5e49673f0510261001o10ccb473m6c363d651fa78a6c@mail.gmail.com> <3.0.1.32.20051026094825.00d41100@pop.redshift.com> <5e49673f0510261001o10ccb473m6c363d651fa78a6c@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Cc: freebsd-security@freebsd.org Subject: Re: ipf stopped working on 5.3 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Oct 2005 06:17:16 -0000 At 01:12 PM 10/26/2005 -0400, John Fitzgerald wrote: | Another strange symptom is that if I ipf -D and then ipf -E -f | /etc/ipf.rules, my terminal (I'm remote) will freeze and I'll be forced to | power cycle the server, after which time it will come back up (with no rules | running). 
I'm assuming that after the ipf -E -f /etc/ipf.rules somehow the
| firewall stops all traffic since apache won't respond to web requests
| either.
|
| As a side note, I did put the sshd server listening on an obscure port so it
| should take awhile for the bots to find it. The ipf.rules I left at 22 as a
| testament to it not working. However this obviously isn't a permanent
| solution as I should be able to get ipf working.

After you make changes to ipf.rules, you should restart ipf like this:

ipf -F a && ipf -f /etc/ipf.rules

-F will flush your old rules, whereas ipf -D will disable ipf. Try the line
above and see if your SSH session remains active after you make changes, etc.

Ray

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 06:31:34 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6FF0816A41F for ; Thu, 27 Oct 2005 06:31:34 +0000 (GMT) (envelope-from jimmy@inet-solutions.be) Received: from mail.ihosting.be (vero.ihosting.be [83.217.81.43]) by mx1.FreeBSD.org (Postfix) with SMTP id 9F6D043D48 for ; Thu, 27 Oct 2005 06:31:32 +0000 (GMT) (envelope-from jimmy@inet-solutions.be) Received: (qmail 98884 invoked by uid 1033); 27 Oct 2005 06:35:31 -0000 Received: from jimmy@inet-solutions.be by excalibur.hyprotech.be by uid 1016 with qmail-scanner-1.20st (clamscan: 0.75. spamassassin: 2.63. Clear:RC:1(127.0.0.1):.
Processed in 0.009979 secs); 27 Oct 2005 06:35:31 -0000 Received: from localhost (HELO vero.ihosting.be) (127.0.0.1) by mail.ihosting.be with SMTP; 27 Oct 2005 06:35:31 -0000 Received: (from jimmy@inet-solutions.be) by vero.ihosting.be (mini_sendmail/1.3.5 16nov2003); Thu, 27 Oct 2005 08:35:31 CEST (sender jimmy@inet-solutions.be by using webserver vero.ihosting.be path /www/ihosting/horde.ihosting.be/imp - report abuse to abuse@boxke.be) Received: from 194.78.143.3 ([194.78.143.3]) by webmail.boxke.be (IMP) with HTTP for ; Thu, 27 Oct 2005 08:35:31 +0200 Message-ID: <1130394931.43607533be6d7@webmail.boxke.be> Date: Thu, 27 Oct 2005 08:35:31 +0200 From: jimmy@inet-solutions.be To: db References: <200510270608.51571.db@traceroute.dk> In-Reply-To: <200510270608.51571.db@traceroute.dk> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: Internet Messaging Program (IMP) 3.2.3 X-Originating-IP: 194.78.143.3 Cc: freebsd-security@freebsd.org Subject: Re: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Oct 2005 06:31:34 -0000

Quoting db :

> Hi all
>
> Does FreeBSD support a non-executable stack on any of the tier 1 and 2
> platforms that have this feature?
> If not, are there any plans of implementing this and is there a patch I can
> use for 6.0 (when it is released)?
>
> Best regards
> db

Hi,

I don't think it will ever be in FreeBSD, but I used ProPolice in the past:
http://www.research.ibm.com/trl/projects/security/ssp/buildfreebsd.html

The patch should be for 5.x in general. I don't use it anymore since some
ports will break; if you play with it you can disable it by default and
enable it explicitly when you are willing to compile a binary with it.
Once applied and compiled the whole base with it enabled, you cannot just turn back! Kind regards, Jimmy Scott ---------------------------------------------------------------- This message has been sent through ihosting.be To report spamming or other unaccepted behavior by a iHosting customer, please send a message to abuse@ihosting.be ---------------------------------------------------------------- From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 14:30:59 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B365116A41F for ; Thu, 27 Oct 2005 14:30:59 +0000 (GMT) (envelope-from avalon@caligula.anu.edu.au) Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2795343D45 for ; Thu, 27 Oct 2005 14:30:58 +0000 (GMT) (envelope-from avalon@caligula.anu.edu.au) Received: from caligula.anu.edu.au (localhost [127.0.0.1]) by caligula.anu.edu.au (8.12.9/8.12.9) with ESMTP id j9REUvOw011635; Fri, 28 Oct 2005 00:30:57 +1000 (EST) Received: (from avalon@localhost) by caligula.anu.edu.au (8.12.9/8.12.8/Submit) id j9REUuYG011625; Fri, 28 Oct 2005 00:30:56 +1000 (EST) From: Darren Reed Message-Id: <200510271430.j9REUuYG011625@caligula.anu.edu.au> To: ray@redshift.com Date: Fri, 28 Oct 2005 00:30:56 +1000 (Australia/ACT) In-Reply-To: <3.0.1.32.20051026231719.00a842c0@pop.redshift.com> from "ray@redshift.com" at Oct 26, 2005 11:17:19 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, John Fitzgerald Subject: Re: ipf stopped working on 5.3 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Thu, 27 Oct 2005 14:30:59 -0000

In some mail from ray@redshift.com, sie said:
>
> At 01:12 PM 10/26/2005 -0400, John Fitzgerald wrote:
> | Another strange symptom is that if I ipf -D and then ipf -E -f
> | /etc/ipf.rules, my terminal (I'm remote) will freeze and I'll be forced to
> | power cycle the server, after which time it will come back up (with no rules
> | running). I'm assuming that after the ipf -E -f /etc/ipf.rules somehow the
> | firewall stops all traffic since apache won't respond to web requests
> | either.
> |
> | As a side note, I did put the sshd server listening on an obscure port so it
> | should take awhile for the bots to find it. The ipf.rules I left at 22 as a
> | testament to it not working. However this obviously isn't a permanent
> | solution as I should be able to get ipf working.
>
> after you make changes to ipf.rules, you should restart ipf like this:
>
> ipf -F a && ipf -f /etc/ipf.rules

many do it like this:

# test new rules for 30 seconds
ipf -If /etc/ipf.rules -s && sleep 30 && ipf -s

The '-I' tells ipf to load /etc/ipf.rules into the "inactive set" of rules
and "-s" says switch active set.
You can flush inactive rules too:

ipf -iFa

and dump them out:

ipfstat -Iio

(IPFilter pioneered this idea)

Darren

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 15:11:37 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FC7D16A41F for ; Thu, 27 Oct 2005 15:11:37 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from cicero0.cybercity.dk (cicero0.cybercity.dk [212.242.40.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E8E143D48 for ; Thu, 27 Oct 2005 15:11:37 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from user4.cybercity.dk (user4.cybercity.dk [212.242.41.50]) by cicero0.cybercity.dk (Postfix) with ESMTP id C21EC2A886; Thu, 27 Oct 2005 17:11:34 +0200 (CEST) Received: from trinita (port132.ds1-arsy.adsl.cybercity.dk [212.242.239.73]) by user4.cybercity.dk (Postfix) with ESMTP id 7750550328; Thu, 27 Oct 2005 17:11:34 +0200 (CEST) From: db To: jimmy@inet-solutions.be, freebsd-security@freebsd.org Date: Thu, 27 Oct 2005 15:11:35 +0000 User-Agent: KMail/1.8.2 References: <200510270608.51571.db@traceroute.dk> <1130394931.43607533be6d7@webmail.boxke.be> In-Reply-To: <1130394931.43607533be6d7@webmail.boxke.be> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200510271511.36004.db@traceroute.dk> Cc: Subject: Re: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Oct 2005 15:11:37 -0000

On Thursday 27 October 2005 06:35, you wrote:
> I don't think it will ever be in FreeBSD, but I used ProPolice in the past:

I really hope it will. AFAIK OpenBSD implemented this in late 2002 when 3.2
was released.
I can see why FreeBSD doesn't want software protection of the stack on systems like ia32, but on ia64 we have hardware support, so why not be able to build a kernel with stack (and heap?) protection?

> http://www.research.ibm.com/trl/projects/security/ssp/buildfreebsd.html
>
> The patch should be for 5.x in general, I don't use it anymore since some
> ports will break, if you play with it you can disable it by default and
> enable it explicitly when you are willing to compile a binary with it.

OK, thanks, but I was looking for a kernel level patch. Btw, which ports will break?

br
db

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 19:36:40 2005
From: Ruslan Ermilov
To: obrien@freebsd.org, delphij@delphij.net, freebsd-security@freebsd.org, developers@freebsd.org
Date: Thu, 27 Oct 2005 22:35:17 +0300
Subject: Re: Is it feasible to cross-build compat5x binary?
Message-ID: <20051027193517.GS68470@ip.net.ua>
In-Reply-To: <20051023232935.GC602@dragon.NUXI.org>

On Sun, Oct 23, 2005 at 04:29:35PM -0700, David O'Brien wrote:
> On Sun, Oct 23, 2005 at 06:52:30PM +0800, Xin LI wrote:
> > I think we need to update compat5x binary to fix FreeBSD-SA-05:21.openssl,
> > but will the binaries built by ``make universe'' be identical with actual
> > build on Alpha, Sparc64, etc? (Yes, I'm volunteering to do the work iff
> > they are identical ;-)
>
> We should not trust cross built libraries for this purpose at this time.
> We really don't know how identical the results will be to being natively
> built.
>

On -CURRENT they will be identical. I regularly do test cross-builds and do binary compares from installworld/installkernel.
The infrastructure is there, and is activated by the CROSS_BUILD_TESTING knob: it tries to eliminate as much difference as it can, with the help of tools/build/cross-build, and by ensuring the object directory is the same on native and foreign architectures.

Attached is the script I use to test cross-builds. I pass it buildworld, buildkernel, installworld, installkernel, and distribution targets, and then do binary compares.

The only known discrepancy at this time is with file(1) data files on sparc64/non-sparc64.

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 19:41:47 2005
From: Ruslan Ermilov
To: Peter Jeremy
Cc: freebsd-security@freebsd.org, delphij@delphij.net, developers@freebsd.org
Date: Thu, 27 Oct 2005 22:38:05 +0300
Subject: Re: Is it feasible to cross-build compat5x binary?
Message-ID: <20051027193805.GT68470@ip.net.ua>
In-Reply-To: <20051024080811.GF39882@cirb503493.alcatel.com.au>

On Mon, Oct 24, 2005 at 06:08:11PM +1000, Peter Jeremy wrote:
> On Sun, 2005-Oct-23 16:29:35 -0700, David O'Brien wrote:
> >We should not trust cross built libraries for this purpose at this time.
> >We really don't know how identical the results will be to being natively
> >built.
>
> At some stage, we need to validate our cross-build chain with cmp(1).
> We can probably leverage off the work that NetBSD has done in this
> area. This would significantly simplify the work involved in supporting
> the various architectures.
>

This has already been done, and is still being done.
Cheers,
Ruslan Ermilov

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 19:52:08 2005
From: Ruslan Ermilov
To: Kris Kennaway
Cc: Peter Jeremy, Jeremie Le Hen, developers@FreeBSD.org, delphij@delphij.net, freebsd-security@FreeBSD.org
Date: Thu, 27 Oct 2005 22:49:07 +0300
Subject: Re: Is it feasible to cross-build compat5x binary?
Message-ID: <20051027194907.GU68470@ip.net.ua>
In-Reply-To: <20051025170934.GA29561@xor.obsecurity.org>

On Tue, Oct 25, 2005 at 01:09:35PM -0400, Kris Kennaway wrote:
> On Tue, Oct 25, 2005 at 02:47:57AM +0200, Jeremie Le Hen wrote:
> > Hi Peter and others,
> >
> > > At some stage, we need to validate our cross-build chain with cmp(1).
> > > We can probably leverage off the work that NetBSD has done in this
> > > area. This would significantly simplify the work involved in supporting
> > > the various architectures.
> >
> > in case you know enough about NetBSD's build.sh, can you say if FreeBSD's
> > build architecture is powerful enough to merely use it with a few s///
> > or does it still lack one or more things ?
>

It depends on what your FreeBSD and NetBSD versions are. If both are HEADs of CVS, I only had to add freebsd-7 and

    -x86_64-*-freebsd*)
    +amd64-*-freebsd* | x86_64-*-freebsd*)

support into two files in the NetBSD distribution of gcc to make it compile, but other than that it works (I use my 7-current amd64 box daily to cross-build NetBSD-current for a MIPS-based SoC).

> I expect it's pretty different. ru@ did a lot of work on
> cross-building FreeBSD though, and he had a fairly detailed list
> of known differences between cross-built and native builds. I'm not
> sure if he reduced it to 0 length.
>

I'm sure I reported it to the current@ list a while back. I've been able to reduce it to the length of 1, and for some time now, I use my fastest box (amd64) to cross-build and cross-install worlds and kernels for other architecture machines in my home network (i386, alpha, and until recently sparc64).

Cheers,
Ruslan Ermilov
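Ruslan's binary compares of installworld/installkernel output and Peter Jeremy's suggestion to validate the cross-build chain with cmp(1) both come down to comparing two install trees byte for byte. The script Ruslan attached is not in the archive; the following is an added example, not his script and not part of the FreeBSD build system, that compares a native DESTDIR against a cross-built one (file contents via cmp(1), symlink targets via readlink(1)) with an optional exclude pattern for a known discrepancy such as the file(1) data files. The fixture trees and the usr/share/misc/magic path in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Ruslan's attached script, which the list archive
# stripped, and not part of the FreeBSD build system): compare a native
# installworld tree against a cross-built one, byte for byte, as the
# thread proposes doing with cmp(1).

# tree_discrepancies NATIVE CROSS [EXCLUDE_REGEX]
# Prints one line per difference between the two trees:
#   missing   file/symlink present in NATIVE but absent from CROSS
#   extra     file/symlink present in CROSS but absent from NATIVE
#   differs   regular file whose bytes differ (cmp(1))
#   linkdiff  symlink whose target differs (readlink(1))
# Paths matching EXCLUDE_REGEX are skipped (default matches nothing);
# that is where a known discrepancy such as the file(1) data files
# would be listed. Ownership and modes are not compared here.
tree_discrepancies() {
    native=$1
    cross=$2
    exclude=${3:-'^$'}

    # Regular files: must exist on both sides with identical contents.
    (cd "$native" && find . -type f) | sort | grep -Ev "$exclude" |
    while IFS= read -r rel; do
        if [ ! -f "$cross/$rel" ]; then
            printf 'missing   %s\n' "$rel"
        elif ! cmp -s "$native/$rel" "$cross/$rel"; then
            printf 'differs   %s\n' "$rel"
        fi
    done

    # Symlinks: must exist on both sides and point at the same target.
    (cd "$native" && find . -type l) | sort | grep -Ev "$exclude" |
    while IFS= read -r rel; do
        if [ ! -L "$cross/$rel" ]; then
            printf 'missing   %s\n' "$rel"
        elif [ "$(readlink "$native/$rel")" != "$(readlink "$cross/$rel")" ]; then
            printf 'linkdiff  %s\n' "$rel"
        fi
    done

    # Anything the cross tree installed that the native tree did not.
    (cd "$cross" && find . -type f -o -type l) | sort | grep -Ev "$exclude" |
    while IFS= read -r rel; do
        [ -e "$native/$rel" ] || [ -L "$native/$rel" ] || printf 'extra     %s\n' "$rel"
    done
}

# count_discrepancies NATIVE CROSS [EXCLUDE_REGEX]
# Echoes the number of discrepancies (0 means the trees are identical).
count_discrepancies() {
    tree_discrepancies "$@" | wc -l | tr -d ' '
}

# compare_trees NATIVE CROSS [EXCLUDE_REGEX]
# Prints the discrepancy list; returns 0 if identical, 1 otherwise.
compare_trees() {
    out=$(tree_discrepancies "$@")
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# make_fixture: constructed sample trees standing in for a native and a
# cross-built DESTDIR (not real FreeBSD install output). Echoes the root.
make_fixture() {
    root=$(mktemp -d)
    for side in native cross; do
        mkdir -p "$root/$side/usr/bin" "$root/$side/usr/share/misc"
    done
    printf 'identical binary\n' > "$root/native/usr/bin/ls"
    printf 'identical binary\n' > "$root/cross/usr/bin/ls"
    printf 'magic built on host\n'   > "$root/native/usr/share/misc/magic"
    printf 'magic built elsewhere\n' > "$root/cross/usr/share/misc/magic"
    printf 'only native\n' > "$root/native/usr/bin/onlynative"
    printf 'only cross\n'  > "$root/cross/usr/bin/onlycross"
    ln -s ls  "$root/native/usr/bin/dir"   # same name, different target
    ln -s cat "$root/cross/usr/bin/dir"
    printf '%s\n' "$root"
}

# demo: run the comparison on the fixture, once plainly and once with the
# "known discrepancy" excluded, the way the file(1) data would be in practice.
demo() {
    root=$(make_fixture)
    echo "== all differences =="
    compare_trees "$root/native" "$root/cross" || true
    echo "== excluding usr/share/misc/magic =="
    compare_trees "$root/native" "$root/cross" 'usr/share/misc/magic' || true
    rm -rf "$root"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run with `--demo` to see the four differences in the fixture, then three once the magic file is excluded; on real trees, point it at the two DESTDIRs after installworld and installkernel.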
From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 19:58:45 2005
From: Jimmy Scott
To: db
Cc: freebsd-security@freebsd.org
Date: Thu, 27 Oct 2005 21:58:42 +0200
Subject: Re: Non-executable stack
Message-ID: <20051027195842.GA19013@ada.devbox.be>
In-Reply-To: <200510271511.36004.db@traceroute.dk>

On Thu, Oct 27, 2005 at 03:11:35PM +0000, db wrote:
> On Thursday 27 October 2005 06:35, you wrote:
>
> > http://www.research.ibm.com/trl/projects/security/ssp/buildfreebsd.html
> >
> > The patch should be for 5.x in general, I don't use it anymore since some
> > ports will break, if you play with it you can disable it by default and
> > enable it explicitly when you are willing to compile a binary with it.
>
> OK, thanks, but I was looking for a kernel level patch. Btw, which ports will
> break?
>

I did not keep a list, but as far as I remember, the 'pure-pw' binary from pure-ftpd was the last thing that failed. Because it was not visible in the first place (the port built fine), I decided the risk of breaking things without noticing it was not worth it.

I don't mean that it's a bad thing, but it will cost you some time to find the bugs, report the bugs and get them fixed. And if you are willing to use it in a production environment, you have to fully test the software each time you are upgrading to be sure things will not break. It's also not officially supported as far as I know.

Kind regards,
Jimmy Scott
--
People usually get what's coming to them ... unless it's been mailed.
From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 20:02:17 2005
From: Ruslan Ermilov
To: "M. Warner Losh"
Cc: freebsd-security@FreeBSD.org, developers@FreeBSD.org
Date: Thu, 27 Oct 2005 22:57:14 +0300
Subject: Re: Is it feasible to cross-build compat5x binary?
Message-ID: <20051027195714.GV68470@ip.net.ua>
In-Reply-To: <20051025.232323.93475319.imp@bsdimp.com>

On Tue, Oct 25, 2005 at 11:23:23PM -0600, M. Warner Losh wrote:
> I know that cross builds for i386 from amd64 work well enough.
> However, we[*] was unable to get a full cross build for i386 world
> setup on my amd64 machine when last I tried.
>

I use it on a regular basis:

    $ uname -srnm
    FreeBSD hammer.runet 7.0-CURRENT amd64
    $ uname -srnmv
    FreeBSD lurker.runet 7.0-CURRENT FreeBSD 7.0-CURRENT #11: Fri Oct 14 10:05:37 EEST 2005     ru@hammer.runet:/usr/obj/i386/usr/src/sys/LURKER i386

I NFS-mount /, /usr, and /var file systems from i386 to amd64, and do everything from amd64, including installworld, installkernel, and distribution, with TARGET_ARCH=i386 and DESTDIR=/mnt.

    make __MAKE_CONF=/dev/null \
        TARGET_ARCH=i386 \
        -DNO_PROFILE KERNCONF=LURKER \
        -DNO_CLEAN \
        buildworld buildkernel

NFS-mount /, /usr, and /var on /mnt.

    make __MAKE_CONF=/dev/null \
        TARGET_ARCH=i386 \
        -DNO_PROFILE KERNCONF=LURKER \
        -DNO_CLEAN \
        DESTDIR=/mnt \
        installworld installkernel

    mkdir /mnt/var/tmp/`date +%Y%m%d`
    make __MAKE_CONF=/dev/null \
        TARGET_ARCH=i386 \
        -DNO_PROFILE KERNCONF=LURKER \
        -DNO_CLEAN \
        DESTDIR=/mnt/var/tmp/`date +%Y%m%d` \
        distrib-dirs distribution

(Sorry, I don't use mergemaster(8) at all.)

Cheers,
Ruslan Ermilov

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 20:17:03 2005
From: db
To: Jimmy Scott, freebsd-security@freebsd.org
Date: Thu, 27 Oct 2005 20:17:02 +0000
Subject: Re: Non-executable stack
Message-ID: <200510272017.02565.db@traceroute.dk>
In-Reply-To: <20051027195842.GA19013@ada.devbox.be>

On Thursday 27 October 2005 19:58, you wrote:
> > OK, thanks, but I was looking for a kernel level patch. Btw, which ports
> > will break?
>
> I did not keep a list, but as far as I remember, the 'pure-pw' binary
> from pure-ftpd was the last thing that failed. Because it was not
> visible in the first place (the port built fine), I decided the risk of
> breaking things without noticing it was not worth it.

OK, I was planning on using pure-ftpd.

> I don't mean that it's a bad thing, but it will cost you some time to
> find the bugs, report the bugs and get them fixed. And if you are
> willing to use it in a production environment, you have to fully test
> the software each time you are upgrading to be sure things will not
> break. It's also not officially supported as far as I know.

I'm not a kernel hacker and only have access to ia32, so I can't help develop or test it, but I hope someone with the right skills and means also thinks it's about time we give the admins and users the option of a non-executable stack (and heap). If I can help in any way I will. Maybe my next computer will be an AMD64; I think it must be the cheapest of the platforms with hardware support for execute and read permission distinction on memory?
Best regards
db

From owner-freebsd-security@FreeBSD.ORG Fri Oct 28 07:03:16 2005
From: Colin Percival
To: Nielsen
Cc: freebsd-security@freebsd.org
Date: Fri, 28 Oct 2005 00:03:13 -0700
Subject: Re: Is the server portion of freebsd-update open source?
Message-ID: <4361CD31.1080707@freebsd.org>
In-Reply-To: <20051027233106.377D070DCE3@mail.npubs.com>

Nielsen wrote:
> I need a system for distributing binary updates to a collection of
> customized FreeBSD machines, jails, and embedded systems. freebsd-update
> seems to be what I'm looking for, but I'm wondering if the server side
> is a proprietary piece of technology held by someone somewhere, or if it
> is in fact open source.

The FreeBSD Update build code is... umm... somewhere in between. I think the best way to explain it is to say that I don't care about copyright on the build code, but the code is a stinking pile of hacks upon hacks with multiple known bugs -- so I don't particularly want to expose it to public scrutiny and I doubt that it will be very useful either.

Rewriting the build code is approaching the top of my todo list, but isn't there quite yet; in the meantime, if you can send me more details about what you want to do I'll see if I can accommodate you.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Fri Oct 28 07:25:22 2005
From: markzero
To: Colin Percival
Cc: freebsd-security@freebsd.org
Date: Fri, 28 Oct 2005 08:25:18 +0100
Subject: Re: Is the server portion of freebsd-update open source?
Message-ID: <20051028072518.GA82014@logik.internal.network>
In-Reply-To: <4361CD31.1080707@freebsd.org>

On Fri, Oct 28, 2005 at 12:03:13AM -0700, Colin Percival wrote:
>
> The FreeBSD Update build code is... umm... somewhere in between. I think
> the best way to explain it is to say that I don't care about copyright on
> the build code, but the code is a stinking pile of hacks upon hacks with
> multiple known bugs -- so I don't particularly want to expose it to public
> scrutiny and I doubt that it will be very useful either.
>
> Rewriting the build code is approaching the top of my todo list, but isn't
> there quite yet; in the meantime, if you can send me more details about what
> you want to do I'll see if I can accommodate you.

Refreshing honesty there Colin, you made my morning!

Just chiming in here, hope you don't mind. In my case, all I'm after is a way to distribute a custom build of FreeBSD. When I say custom, I really just mean a standard build with a custom make.conf:

    CPUTYPE?=p3
    CFLAGS= -O -pipe
    NO_RESCUE=true
    NO_BLUETOOTH=true
    NO_I4B=true
    NO_IPFILTER=true
    NO_KERBEROS=true
    NO_LPR=true
    NOGAMES=true
    NO_BIND=true
    NO_SENDMAIL=true
    NO_VINUM=true
    NOATM=true
    NOINET6=true
    NOINFO=true
    NOSHARE=true
    PPP_NOSUID=true
    LOADER_TFTP_SUPPORT=no

I'd rather not use NFS, for security reasons, so I've had to resort to ad-hoc shell scripts to do updates. It'd be nice to have something officially supported to replace them.

My 2.30414 yen.
M
--
pgp: http://www.darklogik.org/pub/pgp/pgp.txt
0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43

From owner-freebsd-security@FreeBSD.ORG Fri Oct 28 11:53:20 2005
From: Luiz Eduardo Roncato Cordeiro
Organization: Computer Emergency Response Team Brazil
To: freebsd-security@freebsd.org
Date: Fri, 28 Oct 2005 09:51:47 -0200
Subject: chkrootkit 0.46 reboots FreeBSD 5.4-RELEASE-p8
Message-ID: <200510280951.48910.cordeiro@cert.br>

Hello,

Please, don't use chkrootkit 0.46 on production machines. The "chkproc" process sends a SIGXFSZ (25) signal to init, which interprets this signal as a "disaster" and reboots after a 30s sleep.

I'm contacting the chkrootkit maintainer to fix this problem.
Sorry,
Cordeiro

From owner-freebsd-security@FreeBSD.ORG Thu Oct 27 23:20:13 2005
From: Nielsen
To: cperciva@freebsd.org
Cc: freebsd-security@freebsd.org
Date: Thu, 27 Oct 2005 23:31:06 +0000 (GMT)
Subject: Is the server portion of freebsd-update open source?
Message-ID: <20051027233106.377D070DCE3@mail.npubs.com>

I'm wondering if/where I can get the server side component for freebsd-update. Presumably such a component would build and sign the binary patches and prepare them to be served via HTTP to the freebsd-update client.

I need a system for distributing binary updates to a collection of customized FreeBSD machines, jails, and embedded systems. freebsd-update seems to be what I'm looking for, but I'm wondering if the server side is a proprietary piece of technology held by someone somewhere, or if it is in fact open source.

Any pointers on where the project would be hosted if it is open source? The few leads that turned up when searching Google ended up being dead ends.

Thanks,
Nate

From owner-freebsd-security@FreeBSD.ORG Fri Oct 28 07:09:47 2005
From: Patrick Bihan-Faou
Organization: netZuno Technologies
To: freebsd-security@freebsd.org
Date: Fri, 28 Oct 2005 09:09:41 +0200
Subject: Re: Non-executable stack
Message-ID: <4361CEB5.8050305@netzuno.com>
In-Reply-To: <200510272017.02565.db@traceroute.dk>

db wrote:
> On Thursday 27 October 2005 19:58, you wrote:
>
>>> OK, thanks, but I was looking for a kernel level patch. Btw, which ports
>>> will break?
>>>
>> I did not keep a list, but as far as I remember, the 'pure-pw' binary
>> from pure-ftpd was the last thing that failed. Because it was not
>> visible in the first place (the port built fine), I decided the risk of
>> breaking things without noticing it was not worth it.
>>
>
> OK, I was planning on using pure-ftpd.
>
>
>> I don't mean that it's a bad thing, but it will cost you some time to
>> find the bugs, report the bugs and get them fixed. And if you are
>> willing to use it in a production environment, you have to fully test
>> the software each time you are upgrading to be sure things will not
>> break. It's also not officially supported as far as I know.
>>
>
> I'm not a kernel hacker and only have access to ia32, so I can't help develop
> or test it, but I hope someone with the right skills and means also thinks
> it's about time we give the admins and users the option of a non-executable
> stack (and heap). If I can help in any way I will.
Maybe my next computer > will be an AMD64, I think it must be the cheapest of the platforms with > hardware support for execute and read permission distinction on memory? > We are using the stack protection patches for GCC in production servers running FreeBSD 4.11 and everything runs well. We are using a fairly large number of ports (from samba to php to postgresql, etc.) and none have shown issues with this feature. Note that since it is a compiler and library patch, the kernel also benefits from it. I would say that if a port misbehaves with this, then it is more likely a problem with the port. I can't comment on how it work in FreeBSD 5 or 6, but in FreeBSD 4.11 it rocks. Patrick. From owner-freebsd-security@FreeBSD.ORG Fri Oct 28 15:12:41 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8367116A41F for ; Fri, 28 Oct 2005 15:12:41 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from cicero2.cybercity.dk (cicero2.cybercity.dk [212.242.40.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2142943D46 for ; Fri, 28 Oct 2005 15:12:41 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from user4.cybercity.dk (user4.cybercity.dk [212.242.41.50]) by cicero2.cybercity.dk (Postfix) with ESMTP id 3F18619151C; Fri, 28 Oct 2005 17:12:39 +0200 (CEST) Received: from trinita (port132.ds1-arsy.adsl.cybercity.dk [212.242.239.73]) by user4.cybercity.dk (Postfix) with ESMTP id 72419502F6; Fri, 28 Oct 2005 17:12:38 +0200 (CEST) From: db To: freebsd-security@freebsd.org, patrick.bihan-faou@netzuno.com Date: Fri, 28 Oct 2005 15:12:40 +0000 User-Agent: KMail/1.8.2 References: <200510270608.51571.db@traceroute.dk> <200510272017.02565.db@traceroute.dk> <4361CEB5.8050305@netzuno.com> In-Reply-To: <4361CEB5.8050305@netzuno.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 
7bit Content-Disposition: inline Message-Id: <200510281512.40622.db@traceroute.dk> Cc: Subject: Re: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Oct 2005 15:12:41 -0000 On Friday 28 October 2005 07:09, Patrick Bihan-Faou wrote: > We are using the stack protection patches for GCC in production servers > running FreeBSD 4.11 and everything runs well. We are using a fairly > large number of ports (from samba to php to postgresql, etc.) and none > have shown issues with this feature. > Note that since it is a compiler and library patch, the kernel also > benefits from it. I would say that if a port misbehaves with this, then > it is more likely a problem with the port. I don't know how it is implemented with gcc, but I'm guessing that kernel support is best performancewise (on platforms with hardware support for this). 
But thanks for your input, I also use php and postgresql, so it is nice to know that they will work :-) br db From owner-freebsd-security@FreeBSD.ORG Sat Oct 29 02:25:58 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5B59F16A41F for ; Sat, 29 Oct 2005 02:25:58 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd5mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id EFB3F43D45 for ; Sat, 29 Oct 2005 02:25:57 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd2mr7so.prod.shaw.ca (pd2mr7so-qfe3.prod.shaw.ca [10.0.141.10]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0IP300CW1O39HFB0@l-daemon> for freebsd-security@freebsd.org; Fri, 28 Oct 2005 20:25:57 -0600 (MDT) Received: from pn2ml1so.prod.shaw.ca ([10.0.121.145]) by pd2mr7so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0IP300D29O39JBD0@pd2mr7so.prod.shaw.ca> for freebsd-security@freebsd.org; Fri, 28 Oct 2005 20:25:57 -0600 (MDT) Received: from [192.168.0.60] (S0106006067227a4a.vc.shawcable.net [24.87.209.6]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0IP30010SO38NP@l-daemon> for freebsd-security@freebsd.org; Fri, 28 Oct 2005 20:25:57 -0600 (MDT) Date: Fri, 28 Oct 2005 19:25:56 -0700 From: Colin Percival In-reply-to: <20051028072518.GA82014@logik.internal.network> To: markzero Message-id: <4362DDB4.6030906@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Accept-Language: en-us, en X-Enigmail-Version: 0.92.1.0 References: <20051027233106.377D070DCE3@mail.npubs.com> <4361CD31.1080707@freebsd.org> <20051028072518.GA82014@logik.internal.network> User-Agent: Mozilla Thunderbird 
1.0.7 (X11/20051001) Cc: freebsd-security@freebsd.org Subject: Re: Is the server portion of freebsd-update open source? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Oct 2005 02:25:58 -0000 markzero wrote: > In my case, all I'm after is a way to distribute a custom build of > FreeBSD. When I say custom, I really just mean a standard build with > a custom make.conf: > > [snip] > > I'd rather not use NFS, for security reasons, so I've had to resort > to ad-hoc shell scripts to do updates. It'd be nice to have something > officially supported to replace them. It looks like nearly all of your customizations simply involve removing certain files from the system. FreeBSD Update is designed to handle this situation: If there is a security update in sendmail and you have deleted the sendmail binaries, FreeBSD Update will ignore that particular update. Is there any reason why this is insufficient? 
Colin Percival From owner-freebsd-security@FreeBSD.ORG Sat Oct 29 02:38:41 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC02616A41F for ; Sat, 29 Oct 2005 02:38:41 +0000 (GMT) (envelope-from kris@obsecurity.org) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECACA43D4C for ; Sat, 29 Oct 2005 02:38:39 +0000 (GMT) (envelope-from kris@obsecurity.org) Received: from obsecurity.dyndns.org (elvis.mu.org [192.203.228.196]) by elvis.mu.org (Postfix) with ESMTP id D267C1A3C1A; Fri, 28 Oct 2005 19:38:39 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0E870512CF; Fri, 28 Oct 2005 22:38:36 -0400 (EDT) Date: Fri, 28 Oct 2005 22:38:35 -0400 From: Kris Kennaway To: Patrick Bihan-Faou Message-ID: <20051029023835.GA31831@xor.obsecurity.org> References: <200510270608.51571.db@traceroute.dk> <200510271511.36004.db@traceroute.dk> <20051027195842.GA19013@ada.devbox.be> <200510272017.02565.db@traceroute.dk> <4361CEB5.8050305@netzuno.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="jRHKVT23PllUwdXP" Content-Disposition: inline In-Reply-To: <4361CEB5.8050305@netzuno.com> User-Agent: Mutt/1.4.2.1i Cc: freebsd-security@freebsd.org Subject: Re: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Oct 2005 02:38:42 -0000 --jRHKVT23PllUwdXP Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Oct 28, 2005 at 09:09:41AM +0200, Patrick Bihan-Faou wrote: > We are using the stack protection patches for 
GCC in production servers= =20 > running FreeBSD 4.11 and everything runs well. We are using a fairly=20 > large number of ports (from samba to php to postgresql, etc.) and none=20 > have shown issues with this feature. Several years ago when I last used this, X did not work when compiled with propolice, and there were problems with a couple of other ports that I forget now. Kris --jRHKVT23PllUwdXP Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDYuCrWry0BWjoQKURAkuvAKCUx3XmVjwV/3YkOkoXOhCmHuVM6QCZAeBz jLP1xutuc3nbgdcFcx0jD/I= =esVm -----END PGP SIGNATURE----- --jRHKVT23PllUwdXP-- From owner-freebsd-security@FreeBSD.ORG Sat Oct 29 05:56:09 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9ECDF16A41F; Sat, 29 Oct 2005 05:56:09 +0000 (GMT) (envelope-from markzero@logik.ath.cx) Received: from addr9.addr.com (addr9.addr.com [38.113.244.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3A29D43D45; Sat, 29 Oct 2005 05:56:09 +0000 (GMT) (envelope-from markzero@logik.ath.cx) Received: from logik.ath.cx (localhost [127.0.0.1]) by addr9.addr.com (8.12.11/8.12.8/Submit) with ESMTP id j9T5u6ss041792; Fri, 28 Oct 2005 22:56:07 -0700 (PDT) Received: by logik.ath.cx (Postfix, from userid 1001) id D3560644F; Sat, 29 Oct 2005 06:56:05 +0100 (BST) Date: Sat, 29 Oct 2005 06:56:05 +0100 From: markzero To: Colin Percival Message-ID: <20051029055605.GA58671@logik.internal.network> References: <20051027233106.377D070DCE3@mail.npubs.com> <4361CD31.1080707@freebsd.org> <20051028072518.GA82014@logik.internal.network> <4362DDB4.6030906@freebsd.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="T4sUOijqQbZv57TR" Content-Disposition: inline In-Reply-To: 
<4362DDB4.6030906@freebsd.org> X-GPG-Key: http://darklogik.org/pub/pgp/pgp.txt X-Fingerprint: 0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43 X-ADDRSpamFilter: Passed, probability (0%) X-ADDRSignature: FD86507 Cc: freebsd-security@freebsd.org Subject: Re: Is the server portion of freebsd-update open source? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Oct 2005 05:56:09 -0000 --T4sUOijqQbZv57TR Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, > It looks like nearly all of your customizations simply involve removing > certain files from the system. FreeBSD Update is designed to handle > this situation: If there is a security update in sendmail and you have > deleted the sendmail binaries, FreeBSD Update will ignore that particular > update. >=20 > Is there any reason why this is insufficient? No this isn't insufficient, what is insufficient is that I currently can't run a local freebsd-update server. I'm quite limited by bandwidth here, you see. What would make more sense in my situation would be to have a local mirror of the 'official' freebsd-update server so that all of my machines can sync to that rather than all of them downloading over the WAN. Cheers! 
M --=20 pgp: http://www.darklogik.org/pub/pgp/pgp.txt 0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43 --T4sUOijqQbZv57TR Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iQIVAwUBQ2MO9Bf7S3ICB+1DAQooXA//dxz6Ft6Z5G18JHpFoQqL6QHbVihImirR nM45LZHuErnfQsoH5Rl4pfRNMzEZ4q+9OQ7cscoinHBFOK1eMexc1F55IXeOZxKd W1TletVV56XIC/HKdYovD5pRekonFvBTvNj//jNchsUGi3LwMFEalj8IDpVNz6zP smGyguBBOCST+MUfCC4fZwCBuUU2DYJzLG/9DM9GVg/g0N8PPnoyr/747sgxA1pD Z1QmnP3xpSuiY9C84BAJHLiuVedlOVPc8pSLQisBet1RbIknygb7IKsgqrbTuJBA uvO9tMhKtiQKC6nA753YIGuaBcawf1oPrixn7mlGiGNf9xcXYXEQrk3OJY3ygEhN Oql92gSTzPdkRg0B2vRMMKeKu2Fpv5l4p73/jr4dXYESM2o3wyvh+QzB8lZHttx/ 0yZz8qBgJrZh22o8hhA1fuBRpEKjUivsaMvV/GUDVBCBHPBW93WvebNKIgIcOAA3 6SmhVQiLNcqISDEss5nLLie5mJG+I3dvim0dMBtzLQRe9NvsuUMYTY7CUiCJCf/J W0nYMOhTu6Mqlpo9YSxCum+O9kZIQWxv8+uC3IDsP82ymXkfm7+lXZbNGORlnEey moUFoeS/vOB+x23TXOUkWDUgw+Nu9NtMhggk7nCHnJzEkMs6ITGHgVKeoX59qkCK gA0/X2iHXKY= =6X1T -----END PGP SIGNATURE----- --T4sUOijqQbZv57TR-- From owner-freebsd-security@FreeBSD.ORG Sat Oct 29 12:37:00 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8AF7E16A420 for ; Sat, 29 Oct 2005 12:37:00 +0000 (GMT) (envelope-from silby@silby.com) Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by mx1.FreeBSD.org (Postfix) with SMTP id 04E1D43D46 for ; Sat, 29 Oct 2005 12:36:59 +0000 (GMT) (envelope-from silby@silby.com) Received: (qmail 90740 invoked from network); 29 Oct 2005 12:36:58 -0000 Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 29 Oct 2005 12:36:58 -0000 X-pair-Authenticated: 209.68.2.70 Date: Sat, 29 Oct 2005 07:36:55 -0500 (CDT) From: Mike Silbersack To: db In-Reply-To: <200510271511.36004.db@traceroute.dk> Message-ID: <20051029073411.F11965@odysseus.silby.com> References: 
<200510270608.51571.db@traceroute.dk> <1130394931.43607533be6d7@webmail.boxke.be> <200510271511.36004.db@traceroute.dk> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, jimmy@inet-solutions.be Subject: Re: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Oct 2005 12:37:00 -0000 On Thu, 27 Oct 2005, db wrote: > On Thursday 27 October 2005 06:35, you wrote: >> I don't think it will ever be in FreeBSD, but I used ProPolice in the past: > > I really hope it will. AFAIK OpenBSD implemented this in late 2002 when 3.2 > was released. I can see why FreeBSD doesn't want software protection of the > stack on systems like ia32, but on ia64 we have hardware support, so why not > be able to build a kernel with stack (and heap?) protection? The issue is not one of want, but one of practicality. FreeBSD updates to new versions of gcc relatively frequently, and having to update the propolice patch with each update (or waiting for an update) would be additional work. It appears that propolice has finally made its way into gcc 4.1, so hopefully that will be ready for FreeBSD 7. 
Mike "Silby" Silbersack From owner-freebsd-security@FreeBSD.ORG Sat Oct 29 12:42:17 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C01F916A41F for ; Sat, 29 Oct 2005 12:42:17 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from cicero2.cybercity.dk (cicero2.cybercity.dk [212.242.40.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5E32C43D46 for ; Sat, 29 Oct 2005 12:42:17 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from user5.cybercity.dk (user5.cybercity.dk [212.242.41.51]) by cicero2.cybercity.dk (Postfix) with ESMTP id 525E0190362; Sat, 29 Oct 2005 14:42:15 +0200 (CEST) Received: from trinita (port132.ds1-arsy.adsl.cybercity.dk [212.242.239.73]) by user5.cybercity.dk (Postfix) with ESMTP id E411A3A1DD0; Sat, 29 Oct 2005 14:42:14 +0200 (CEST) From: db To: Mike Silbersack , freebsd-security@freebsd.org Date: Sat, 29 Oct 2005 12:42:16 +0000 User-Agent: KMail/1.8.2 References: <200510270608.51571.db@traceroute.dk> <200510271511.36004.db@traceroute.dk> <20051029073411.F11965@odysseus.silby.com> In-Reply-To: <20051029073411.F11965@odysseus.silby.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200510291242.16461.db@traceroute.dk> Cc: Subject: Re: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Oct 2005 12:42:17 -0000 On Saturday 29 October 2005 12:36, you wrote: > The issue is not one of want, but one of practicality. 
FreeBSD updates > to new versions of gcc relatively frequently, and having to update the > propolice patch with each update (or waiting for an update) would be > additional work. > > It appears that propolice has finally made its way into gcc 4.1, so > hopefully that will be ready for FreeBSD 7. I don't want a gcc fix via propolice, I want kernel support for this. So that if a program tries to execute code in the stack or heap it will crash. br db From owner-freebsd-security@FreeBSD.ORG Sat Oct 29 13:15:23 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2EC9416A41F for ; Sat, 29 Oct 2005 13:15:23 +0000 (GMT) (envelope-from jimmy@inet-solutions.be) Received: from hoboe1bl1.telenet-ops.be (hoboe1bl1.telenet-ops.be [195.130.137.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A09943D49 for ; Sat, 29 Oct 2005 13:15:22 +0000 (GMT) (envelope-from jimmy@inet-solutions.be) Received: from localhost (localhost.localdomain [127.0.0.1]) by hoboe1bl1.telenet-ops.be (Postfix) with SMTP id 10F1B38160; Sat, 29 Oct 2005 15:15:21 +0200 (CEST) Received: from intranet.devbox.be (d54C304FE.access.telenet.be [84.195.4.254]) by hoboe1bl1.telenet-ops.be (Postfix) with ESMTP id 9A5F0380FB; Sat, 29 Oct 2005 15:15:20 +0200 (CEST) Received: from intranet.devbox.be (localhost [127.0.0.1]) by intranet.devbox.be (8.13.3/8.13.3) with ESMTP id j9TDFKpV013751; Sat, 29 Oct 2005 15:15:20 +0200 (CEST) Received: (from jimmy@localhost) by intranet.devbox.be (8.13.3/8.13.3/Submit) id j9TDFJ6W004764; Sat, 29 Oct 2005 15:15:19 +0200 (CEST) Date: Sat, 29 Oct 2005 15:15:19 +0200 From: Jimmy Scott To: db Message-ID: <20051029131519.GA22254@ada.devbox.be> References: <200510270608.51571.db@traceroute.dk> <200510271511.36004.db@traceroute.dk> <20051029073411.F11965@odysseus.silby.com> <200510291242.16461.db@traceroute.dk> Mime-Version: 1.0 
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="u3/rZRmxL6MmkK24" Content-Disposition: inline In-Reply-To: <200510291242.16461.db@traceroute.dk> User-Agent: Mutt/1.4.2i X-PGP-KeyID: 48033D3D X-PGP-Fingerprint: 88A9 54A0 D143 A4F7 8ACA 154F 8032 D30C 4803 3D3D X-PGP-Key: http://pub.devbox.be/misc/pgp.jimmy.asc Cc: freebsd-security@freebsd.org Subject: Re: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Oct 2005 13:15:23 -0000 --u3/rZRmxL6MmkK24 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Oct 29, 2005 at 12:42:16PM +0000, db wrote: > On Saturday 29 October 2005 12:36, you wrote: > > The issue is not one of want, but one of practicality. FreeBSD updates > > to new versions of gcc relatively frequently, and having to update the > > propolice patch with each update (or waiting for an update) would be > > additional work. > > > > It appears that propolice has finally made its way into gcc 4.1, so > > hopefully that will be ready for FreeBSD 7. >=20 > I don't want a gcc fix via propolice, I want kernel support for this. So = that=20 > if a program tries to execute code in the stack or heap it will crash. >=20 > br > db > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g" >=20 The thing you are refering to is W^X using the NXE register of the amd64 if I'm not mistaken, marking memory pages as writable or executable, but not both. (The thing also works on i386 using an ugly hack). --=20 People usually get what's coming to them ... unless it's been mailed. 
--u3/rZRmxL6MmkK24 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (OpenBSD) iD8DBQFDY3XngDLTDEgDPT0RAo8fAJ99XJ/DF1OxxWR/slYIPrpI/DuL+gCdELqI JRiLhJPpfgVJ+PUWf8LDAgM= =hoU6 -----END PGP SIGNATURE----- --u3/rZRmxL6MmkK24-- From owner-freebsd-security@FreeBSD.ORG Sat Oct 29 14:12:57 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 282A816A41F for ; Sat, 29 Oct 2005 14:12:57 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from cicero2.cybercity.dk (cicero2.cybercity.dk [212.242.40.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id B871843D45 for ; Sat, 29 Oct 2005 14:12:56 +0000 (GMT) (envelope-from db@traceroute.dk) Received: from user5.cybercity.dk (user5.cybercity.dk [212.242.41.51]) by cicero2.cybercity.dk (Postfix) with ESMTP id 4588119040C; Sat, 29 Oct 2005 16:12:55 +0200 (CEST) Received: from trinita (port132.ds1-arsy.adsl.cybercity.dk [212.242.239.73]) by user5.cybercity.dk (Postfix) with ESMTP id E49AB3A1D85; Sat, 29 Oct 2005 16:12:54 +0200 (CEST) From: db To: Jimmy Scott , freebsd-security@freebsd.org Date: Sat, 29 Oct 2005 14:12:57 +0000 User-Agent: KMail/1.8.2 References: <200510270608.51571.db@traceroute.dk> <200510291242.16461.db@traceroute.dk> <20051029131519.GA22254@ada.devbox.be> In-Reply-To: <20051029131519.GA22254@ada.devbox.be> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200510291412.57656.db@traceroute.dk> Cc: Subject: Re: Non-executable stack X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Oct 2005 14:12:57 -0000 On Saturday 29 
October 2005 13:15, you wrote: > The thing you are refering to is W^X using the NXE register of the amd64 > if I'm not mistaken, marking memory pages as writable or executable, > but not both. (The thing also works on i386 using an ugly hack). Yeah. Memory on ia32 can be writable and readable. When it is readable it is also executable. On other arch's like AMD64 and IA64, I believe memory can be readable, writable and executable. Therefore I would like to remove the executable bit on the stack and heap for the systems supporting it. br db From owner-freebsd-security@FreeBSD.ORG Sat Oct 29 14:34:30 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D48BC16A420 for ; Sat, 29 Oct 2005 14:34:30 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd3mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7639243D45 for ; Sat, 29 Oct 2005 14:34:30 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd4mr1so.prod.shaw.ca (pd4mr1so-qfe3.prod.shaw.ca [10.0.141.212]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0IP4007SALTH8XC0@l-daemon> for freebsd-security@freebsd.org; Sat, 29 Oct 2005 08:34:29 -0600 (MDT) Received: from pn2ml10so.prod.shaw.ca ([10.0.121.80]) by pd4mr1so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0IP4001MFLTHV0G0@pd4mr1so.prod.shaw.ca> for freebsd-security@freebsd.org; Sat, 29 Oct 2005 08:34:29 -0600 (MDT) Received: from [192.168.0.60] (S0106006067227a4a.vc.shawcable.net [24.87.209.6]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0IP400B07LTH24@l-daemon> for freebsd-security@freebsd.org; Sat, 29 Oct 2005 08:34:29 -0600 (MDT) Date: Sat, 29 Oct 2005 07:34:28 -0700 From: Colin Percival 
In-reply-to: <20051029055605.GA58671@logik.internal.network> To: markzero Message-id: <43638874.2020004@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Accept-Language: en-us, en X-Enigmail-Version: 0.92.1.0 References: <20051027233106.377D070DCE3@mail.npubs.com> <4361CD31.1080707@freebsd.org> <20051028072518.GA82014@logik.internal.network> <4362DDB4.6030906@freebsd.org> <20051029055605.GA58671@logik.internal.network> User-Agent: Mozilla Thunderbird 1.0.7 (X11/20051001) Cc: freebsd-security@freebsd.org Subject: Re: Is the server portion of freebsd-update open source? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Oct 2005 14:34:30 -0000 markzero wrote: > No this isn't insufficient, what is insufficient is that I currently > can't run a local freebsd-update server. I'm quite limited by bandwidth > here, you see. What would make more sense in my situation would be to > have a local mirror of the 'official' freebsd-update server so that > all of my machines can sync to that rather than all of them downloading > over the WAN. Go ahead. :-) FreeBSD Update relies entirely upon static files served over HTTP, so if you point your favourite HTTP mirroring tool at update.daemonology.net you can create a local mirror. Another approach which is likely to be more useful is to set up an HTTP proxy: Since many files on the FreeBSD Update web server won't be fetched by most systems (FreeBSD Update attempts to use binary patches, and only falls back to fetching complete files if the patching fails), using a caching HTTP proxy will use far less bandwidth than mirroring everything. Colin Percival
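Colin's two points above, worked through as an added example that is not FreeBSD Update's own code or file layout: a toy client tries the binary patch first, verifies the result, fetches the complete file only when patching fails (as on a machine whose copy was modified locally), and skips updates for components that were deleted, while a byte counter at the origin shows why a caching proxy costs far less WAN traffic than a full mirror. The repository paths, toy patch format, file contents, and the hash check are all constructed assumptions.

```python
"""Toy model of an update client fetching through a mirror or a caching proxy.
Added example, not FreeBSD Update's code; all paths, contents, the patch
format and the hash check are constructed assumptions."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def apply_patch(old: bytes, patch: bytes) -> bytes:
    """Toy stand-in for a binary diff: lines of "<offset> <len> <hex bytes>"."""
    out = bytearray(old)
    edits = [line.split() for line in patch.decode("ascii").splitlines()]
    for off, length, hexdata in sorted(edits, key=lambda e: -int(e[0])):
        out[int(off):int(off) + int(length)] = bytes.fromhex(hexdata)
    return bytes(out)

# Constructed installed contents and the update that replaces them.
OLD_SENDMAIL, NEW_SENDMAIL = b"sendmail v8.13.3 build 1\n", b"sendmail v8.13.4 build 1\n"
OLD_OPENSSL, NEW_OPENSSL = b"openssl 0.9.7e libcrypto\n", b"openssl 0.9.7g libcrypto\n"

# Everything the origin serves (101 bytes); no client below needs the 0-2 patches.
ORIGIN_FILES = {
    "patch/sendmail/1-2": b"15 1 34\n",
    "patch/openssl/1-2": b"13 1 67\n",
    "patch/sendmail/0-2": b"10 6 382e31332e34\n",
    "patch/openssl/0-2": b"8 6 302e392e3767\n",
    "full/sendmail/2": NEW_SENDMAIL,
    "full/openssl/2": NEW_OPENSSL,
}
# component -> (installed version, new version, hash the result must have)
MANIFEST = {
    "sendmail": ("1", "2", sha256(NEW_SENDMAIL)),
    "openssl": ("1", "2", sha256(NEW_OPENSSL)),
}

class Origin:
    """The update server; counts every byte it sends over the WAN."""
    def __init__(self, files: dict):
        self.files, self.bytes_served = files, 0

    def get(self, path: str) -> bytes:
        data = self.files[path]  # KeyError plays the role of a 404
        self.bytes_served += len(data)
        return data

class CachingProxy:
    """Asks the origin only the first time a file is requested."""
    def __init__(self, origin: Origin):
        self.origin, self.cache = origin, {}

    def get(self, path: str) -> bytes:
        if path not in self.cache:
            self.cache[path] = self.origin.get(path)
        return self.cache[path]

def mirror_bytes() -> int:
    """A full mirror copies every file the origin has, wanted or not."""
    return sum(len(data) for data in ORIGIN_FILES.values())

def update(installed: dict, transport) -> dict:
    """Bring one machine up to date and say how each component was handled.
    The hash check decides when to fall back to the complete file, and is
    what makes an untrusted mirror or cache safe to fetch through."""
    outcome = {}
    for name, (old, ver, want) in MANIFEST.items():
        current = installed.get(name)
        if current is None:  # component deleted locally: ignore the update
            outcome[name] = "skipped"
            continue
        try:
            new = apply_patch(current, transport.get(f"patch/{name}/{old}-{ver}"))
        except (KeyError, ValueError):  # patch missing or unparsable
            new = b""
        if sha256(new) != want:  # patch failed or the local file was modified
            new = transport.get(f"full/{name}/{ver}")
            if sha256(new) != want:
                raise RuntimeError(f"{name}: complete file failed to verify")
            outcome[name] = "full"
        else:
            outcome[name] = "patched"
        installed[name] = new
    return outcome

def make_clients() -> list:
    """Two stock machines, one with a locally modified sendmail, one without it."""
    return [
        {"sendmail": OLD_SENDMAIL, "openssl": OLD_OPENSSL},
        {"sendmail": OLD_SENDMAIL, "openssl": OLD_OPENSSL},
        {"sendmail": OLD_SENDMAIL[:-1] + b" (local)\n", "openssl": OLD_OPENSSL},
        {"openssl": OLD_OPENSSL},
    ]

def wan_bytes(use_proxy: bool) -> int:
    """Bytes the origin sends when every client updates, with or without a proxy."""
    origin = Origin(ORIGIN_FILES)
    transport = CachingProxy(origin) if use_proxy else origin
    for installed in make_clients():
        update(installed, transport)
    return origin.bytes_served
```

For the constructed data, `wan_bytes(False)`, `mirror_bytes()` and `wan_bytes(True)` return 81, 101 and 41 bytes: the proxy fetches each patch once and only the single full file a client actually needed, whereas the mirror also copies the patches nobody asked for.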