From owner-freebsd-security@FreeBSD.ORG Sun Jul 13 04:00:58 2008
From: Doug Barton <dougb@FreeBSD.org>
Date: Sat, 12 Jul 2008 21:00:55 -0700
To: freebsd-security@freebsd.org
Message-ID: <48797DF7.9050402@FreeBSD.org>
Subject: Re: BIND update?

This is an interesting thread, so I'm going to try to respond to what I think are the reasonable points all in one post so as not to single anyone out. Again, thanks to those who chose to give thanks, encouragement, or criticism with a positive approach.

This issue is complicated because it both is, and is not a "serious" security issue. As others stated rather eloquently, the fact that DNS is an "insecure" service is (or certainly should be) well known.
What is also (or certainly should be) well known is that almost all of the other services on the Internet are also insecure, even those with "secure" in the name. :)

The problem with this particular vulnerability is that it grabbed the media's attention, and since they think they understand it they are banging the drum pretty loudly. This creates FUD in normally rational people, and hilarity ensues.

There are a large number of steps that network operators can and should already have been taking to mitigate damage from this attack. Ingress/egress filtering (a la BCP 38), secure ACLs on your name servers and/or firewalls, splitting authoritative and resolving name services to separate instances, restricting availability of recursive services to only those users who should have them, etc. The danger (and this is a BIG danger in the DNS world) is that most networks are not taking the basic steps that they should be taking to secure their name service (it works, why touch it?), and this upcoming exploit is going to hit them right between the eyes.

Changing topics, the BIND installation in the base is not intended to be an out of the box solution to those for whom DNS is part of their critical infrastructure. The BIND bits, along with the sample named.conf file, are set up to run by default as a fairly secure local resolver (and by local I mean really local: only listening on the loopback address). The fact that for many purposes (for instance a "medium" sized ISP, etc.) it works well out of the box is not totally accidental, but like any other service if it's important to your business you need to invest the time and effort to make sure it's working the way you need it to, not rely on others to do that work for you.

Jeremy asked why the ports are updated before the BIND in the base. Someone else gave part of the answer, that a lot more QA is involved in dealing with stuff in the base. There are patches to create, security advisories (including instructions, etc.)
to write, FreeBSD update stuff to prep, etc. By contrast updating the ports is easy, and gives users for whom a given security issue is critical a simple path to upgrade, and just as importantly, to back out from when/if they deem what's in the base suitable for their needs.

However, there is a more fundamental reason that goes to the heart of my philosophy as BIND maintainer. When I was the DNS admin at Yahoo! I _never_ used the BIND that came with the base system. There were a variety of reasons for this, the two most important being that I had a lot of custom tweaks/patches for our version of BIND, and the fact that I needed to update stuff more often than the boxes were updated. This led to the "replace the base" option in the ports way back when.

There is another meta-issue that seems to be coming up a lot lately, which is users who seem to be paralyzed, unable to take any action to help themselves, totally dependent on the FreeBSD developers to make things happen for them. I'm not going to get dragged into that topic again, but I will say that Mark was right, the BIND ports are pretty easy to update if you ever have to do it yourself. And, you don't even have to go out of your way to check the PGP signature, there is a 'make verify' target that will do that for you. :)

Seriously though, one user wrote to me (and others) privately and said in so many words, "The things I run on FreeBSD are critically important to me, therefore making them run smoothly must be critically important to you." If you have that mindset, you really, really need to take a reality check. (Go ahead, we'll wait for you.) The vast majority of people who work on FreeBSD do it for FUN, as VOLUNTEERS. If you need a commercial level of support, you're going to have to pay for it, it's that simple.

And NO, please do not go off into the woods on this topic. I believe that there is a market for commercial FreeBSD support, but unfortunately it hasn't reached critical mass yet.
(Chicken, meet egg. Why don't you two go off and talk for a while?)

So, the short version is, "Don't Panic." Well, OK, panic a little, but don't let it distract you from actually getting something useful done, like upgrading your servers, firewall rules, etc.

And, if anyone has a business that relies heavily on DNS and needs a good DNS consultant, I know where to find one. :)

hope this helps,

Doug

--
~ This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Sun Jul 13 19:10:05 2008
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Date: Sun, 13 Jul 2008 19:10:05 GMT
To: FreeBSD Security Advisories
Message-Id: <200807131910.m6DJA5hl093319@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-08:06.bind
=============================================================================
FreeBSD-SA-08:06.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          DNS cache poisoning

Category:       contrib
Module:         bind
Announced:      2008-07-13
Credits:        Dan Kaminsky
Affects:        All supported FreeBSD versions.
Corrected:      2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
                2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
CVE Name:       CVE-2008-1447

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS requests contain a query id which is used to match a DNS request
with the response and to make it harder for anybody but the DNS server
which received the request to send a valid response.

II.  Problem Description

The BIND DNS implementation does not randomize the UDP source port when
doing remote queries, and the query id alone does not provide adequate
randomization.

III. Impact

The lack of source port randomization reduces the amount of data the
attacker needs to guess in order to successfully execute a DNS cache
poisoning attack.  This allows the attacker to influence or control the
results of DNS queries being returned to users from target systems.

IV.  Workaround

Limiting the group of machines that can do recursive queries on the DNS
server will make it more difficult, but not impossible, for this
vulnerability to be exploited.
To limit the machines able to perform recursive queries, add an ACL in
named.conf and limit recursion like the following:

acl example-acl { 192.0.2.0/24; };

options {
        recursion yes;
        allow-recursion { example-acl; };
};

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_7_0 or RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch
# fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch.asc

[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

NOTE WELL: This update causes BIND to choose a new, random UDP port for
each new query; this may cause problems for some network configurations,
particularly if firewall(s) block incoming UDP packets on particular
ports.  The avoid-v4-udp-ports and avoid-v6-udp-ports options should be
used to avoid selecting random port numbers within a blocked range.

NOTE WELL: If a port number is specified via the query-source or
query-source-v6 options to BIND, randomized port selection will not be
used.  Consequently it is strongly recommended that these options not
be used to specify fixed port numbers.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/contrib/bind9/bin/named/client.c                         1.1.1.2.2.5
  src/contrib/bind9/bin/named/server.c                         1.1.1.2.2.4
  src/contrib/bind9/lib/dns/api                                1.1.1.2.2.5
  src/contrib/bind9/lib/dns/dispatch.c                         1.1.1.1.4.4
  src/contrib/bind9/lib/dns/include/dns/dispatch.h             1.1.1.1.4.3
  src/contrib/bind9/lib/dns/resolver.c                         1.1.1.2.2.8
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.8
  src/sys/conf/newvers.sh                                    1.69.2.15.2.7
  src/contrib/bind9/bin/named/client.c                     1.1.1.2.2.3.2.1
  src/contrib/bind9/bin/named/server.c                     1.1.1.2.2.2.2.1
  src/contrib/bind9/lib/dns/api                            1.1.1.2.2.3.2.1
  src/contrib/bind9/lib/dns/dispatch.c                     1.1.1.1.4.2.2.1
  src/contrib/bind9/lib/dns/include/dns/dispatch.h         1.1.1.1.4.1.2.1
  src/contrib/bind9/lib/dns/resolver.c                     1.1.1.2.2.6.2.1
RELENG_7
  src/contrib/bind9/bin/named/client.c                         1.1.1.6.2.2
  src/contrib/bind9/bin/named/server.c                         1.1.1.6.2.2
  src/contrib/bind9/lib/dns/api                                1.1.1.6.2.2
  src/contrib/bind9/lib/dns/dispatch.c                         1.1.1.4.2.2
  src/contrib/bind9/lib/dns/include/dns/dispatch.h             1.1.1.3.2.2
  src/contrib/bind9/lib/dns/resolver.c                         1.1.1.9.2.2
RELENG_7_0
  src/UPDATING                                               1.507.2.3.2.7
  src/sys/conf/newvers.sh                                     1.72.2.5.2.7
  src/contrib/bind9/bin/named/client.c                     1.1.1.6.2.1.2.1
  src/contrib/bind9/bin/named/server.c                     1.1.1.6.2.1.2.1
  src/contrib/bind9/lib/dns/api                            1.1.1.6.2.1.2.1
  src/contrib/bind9/lib/dns/dispatch.c                     1.1.1.4.2.1.2.1
  src/contrib/bind9/lib/dns/include/dns/dispatch.h         1.1.1.3.2.1.2.1
  src/contrib/bind9/lib/dns/resolver.c                     1.1.1.9.2.1.2.1
-------------------------------------------------------------------------

VII.
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:06.bind.asc

From owner-freebsd-security@FreeBSD.ORG Sun Jul 13 22:39:35 2008
From: "Simon L. Nielsen" <simon@zaphod.nitro.dk>
Date: Mon, 14 Jul 2008 00:23:45 +0200
To: Chuck Swiger
Cc: freebsd-security@freebsd.org, Doug Barton
Message-ID: <20080713222344.GB15766@zaphod.nitro.dk>
Subject: Re: OpenSSL warning from dns/bind95 build...?
On 2008.07.11 13:14:09 -0700, Chuck Swiger wrote:

[quote edited to contain important part]

>> WARNING Your OpenSSL crypto library may be vulnerable to
>> WARNING one or more of the the following known security
>> WARNING flaws:
>> WARNING
>> WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>> WARNING CVE-2006-2940.
>> WARNING
[...]
> Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1)
> OK, or is it at risk as reported?

Just so there is no doubt - the base system OpenSSL isn't actually
vulnerable to those issues.  They were fixed in SA-02:33.openssl,
FreeBSD-SA-06:19.openssl, and FreeBSD-SA-06:23.openssl.

The BIND build system just has no way to see this since they were
patched instead of upgraded.

--
Simon L. Nielsen
Hats: Base system OpenSSL janitor and FreeBSD Security Team

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 00:29:38 2008
From: Mark Andrews <marka@isc.org>
Date: Mon, 14 Jul 2008 10:29:36 +1000
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories
Message-Id: <200807140029.m6E0TaRg059266@drugs.dv.isc.org>
In-reply-to: Your message of "Sun, 13 Jul 2008 19:10:05 GMT."
<200807131910.m6DJA5hl093319@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:06.bind

There was no mention of checking named.conf to ensure that a port was
not specified in the query-source clauses.  Just upgrading will not fix
the problem if named.conf has

	"query-source port 53".

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 00:42:33 2008
From: Doug Barton <dougb@FreeBSD.org>
Date: Sun, 13 Jul 2008 17:42:30 -0700
Message-ID: <487AA0F6.1010801@FreeBSD.org>
To: "Simon L.
Nielsen"
Cc: freebsd-security@freebsd.org
In-Reply-To: <20080713222344.GB15766@zaphod.nitro.dk>
Subject: Re: OpenSSL warning from dns/bind95 build...?

Simon L. Nielsen wrote:
> On 2008.07.11 13:14:09 -0700, Chuck Swiger wrote:
>
> [quote edited to contain important part]
>
>>> WARNING Your OpenSSL crypto library may be vulnerable to
>>> WARNING one or more of the the following known security
>>> WARNING flaws:
>>> WARNING
>>> WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and
>>> WARNING CVE-2006-2940.
>>> WARNING
> [...]
>> Is the version of OpenSSL now included with RELENG_6 (OpenSSL 0.9.7e-p1)
>> OK, or is it at risk as reported?
>
> Just so there is no doubt - the base system OpenSSL isn't actually
> vulnerable to those issues. They were fixed in SA-02:33.openssl,
> FreeBSD-SA-06:19.openssl, and FreeBSD-SA-06:23.openssl.
>
> The BIND build system just has no way to see this since they were
> patched instead of upgraded.

... hence the false economy of not doing a "standard" upgrade of the version in the base. :)

It's nice to know that for the particular set of problems listed in this version of BIND's warning message our users should not be at risk though.

I used the ports openssl on my 6-stable boxes without problems, but I did not have that many ports installed, and I nuked the base openssl first. YMMV.
Doug

--
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 01:34:45 2008
From: Mark Andrews <marka@isc.org>
Date: Mon, 14 Jul 2008 11:34:42 +1000
To: Michael Scheidell
Cc: FreeBSD Security Advisories, freebsd-security@freebsd.org
Message-Id: <200807140134.m6E1YgJT060145@drugs.dv.isc.org>
In-reply-to: Your message of "Sun, 13 Jul 2008 21:13:47 -0400."
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:06.bind

> NOTE WELL: If a port number is specified via the query-source or
> query-source-v6 options to BIND, randomized port selection will not be
> used. Consequently it is strongly recommended that these options not
> be used to specify fixed port numbers
> --
> Michael Scheidell, CTO
> >|SECNAP Network Security
> Winner 2008 Network Products Guide Hot Companies
> FreeBSD SpamAssassin Ports maintainer

Yep, I missed it despite looking for it.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 01:35:38 2008
From: Michael Scheidell <scheidell@secnap.net>
Date: Sun, 13 Jul 2008 21:13:47 -0400
To: Mark Andrews
Cc: FreeBSD Security Advisories
In-Reply-To: <200807140029.m6E0TaRg059266@drugs.dv.isc.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:06.bind
NOTE WELL: If a port number is specified via the query-source or
query-source-v6 options to BIND, randomized port selection will not be
used. Consequently it is strongly recommended that these options not
be used to specify fixed port numbers

--
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

> From: Mark Andrews
> Date: Mon, 14 Jul 2008 10:29:36 +1000
> To:
> Cc: FreeBSD Security Advisories
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:06.bind
>
> There was no mention of checking named.conf to ensure that
> a port was not specified in the query-source clauses. Just
> upgrading will not fix the problem if named.conf has
>
> "query-source port 53".
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
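The named.conf check that the advisory's NOTE WELL and Mark Andrews' follow-up call for, written here as an added example (not code from the advisory or from any poster): it assumes a named.conf with one statement per line and `//` or `#` comments, and flags a numeric `query-source`/`query-source-v6` port (which keeps BIND on a fixed source port even after the patch) and `recursion yes` without an `allow-recursion` ACL, the case the section IV workaround addresses.

```shell
#!/bin/sh
# Added example, not part of FreeBSD-SA-08:06.bind or the thread.
# Assumptions: one statement per line; "//" and "#" comments only
# (C-style /* */ block comments are not handled).

# check_named_conf FILE -> prints findings; returns 0 if clean, 1 otherwise.
check_named_conf() {
    conf="$1"
    rc=0
    # Drop trailing comments so commented-out examples do not trigger findings.
    stripped=$(sed -e 's|//.*$||' -e 's|#.*$||' "$conf")

    # A numeric port on query-source or query-source-v6 pins the source port;
    # "port *" (the default) is what the advisory's NOTE WELL asks for.
    fixed=$(printf '%s\n' "$stripped" |
            grep -E 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+')
    if [ -n "$fixed" ]; then
        echo "FINDING: fixed query-source port disables port randomization:"
        printf '    %s\n' "$fixed"
        rc=1
    fi

    # "recursion yes" with no allow-recursion clause is an open resolver,
    # which the advisory's workaround (section IV) tells you to restrict.
    if printf '%s\n' "$stripped" | grep -Eq 'recursion[[:space:]]+yes' &&
       ! printf '%s\n' "$stripped" | grep -q 'allow-recursion'; then
        echo "FINDING: recursion enabled without an allow-recursion ACL"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not taken from the advisory).  WEAK_CONF pins
# the query port and leaves recursion open; FIXED_CONF uses the advisory's
# ACL workaround and leaves port selection to BIND's randomized choice.
WEAK_CONF='options {
    recursion yes;
    query-source address * port 53;   // pinned port: randomization is off
};'

FIXED_CONF='acl example-acl { 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { example-acl; };
    query-source address * port *;    // wildcard: random port per query
};'

# check_sample CONFIG_TEXT -> writes the text to a temp file, runs the
# check on it, and returns the check's status.
check_sample() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/namedchk.XXXXXX") || return 2
    printf '%s\n' "$1" > "$tmp"
    if check_named_conf "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo: the weak config is flagged, the fixed one passes.
echo "--- weak config ---";  check_sample "$WEAK_CONF"  || echo "(needs fixing)"
echo "--- fixed config ---"; check_sample "$FIXED_CONF" && echo "clean"
```

Run it against a real /usr/local/etc/namedb/named.conf as `check_named_conf /path/to/named.conf` before and after applying the patch; a non-zero exit means the randomized ports the update introduces are not actually in effect or recursion is still open.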
From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 23:39:41 2008
From: Mark Boolootian <booloo@ucsc.edu>
Date: Mon, 14 Jul 2008 16:39:39 -0700
To: freebsd-security@freebsd.org
Message-ID: <20080714233939.GA59891@root.ucsc.edu>
Subject: freebsd-update not pulling in BIND update

Hi folks,

I ran freebsd-update today hoping it would have picked up the BIND upgrade.
freebsd-update reported:

The following files will be updated as part of updating to 7.0-RELEASE-p3:
/boot/kernel/kernel
/boot/kernel/kernel.symbols
/usr/bin/dig
/usr/bin/host
/usr/bin/nslookup
/usr/bin/nsupdate
/usr/include/netinet/tcp.h
/usr/lib/libssh.a
/usr/lib/libssh.so.4
/usr/lib/libssh_p.a
/usr/sbin/dnssec-signzone
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/sshd
/usr/src/sys/conf/newvers.sh
/usr/src/sys/netinet/tcp.h
/usr/src/sys/netinet/tcp_output.c

While there is a new file for /usr/sbin/named, it isn't reporting the updated version:

$ /usr/sbin/named -v
BIND 9.4.2

Any thoughts?

thanks in advance,
mark

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 04:28:04 2008
From: "Remko Lodder" <remko@elvandar.org>
Date: Tue, 15 Jul 2008 06:28:02 +0200 (CEST)
To: booloo@ucsc.edu
Cc: freebsd-security@freebsd.org
In-Reply-To: <20080714233939.GA59891@root.ucsc.edu>
Subject: Re: freebsd-update
not pulling in BIND update

On Tue, July 15, 2008 1:39 am, Mark Boolootian wrote:
>
> Hi folks,
>
> I ran freebsd-update today hoping it would have picked
> up the BIND upgrade. freebsd-update reported:
>
> The following files will be updated as part of updating to
> 7.0-RELEASE-p3:
> /boot/kernel/kernel
> /boot/kernel/kernel.symbols
> /usr/bin/dig
> /usr/bin/host
> /usr/bin/nslookup
> /usr/bin/nsupdate
> /usr/include/netinet/tcp.h
> /usr/lib/libssh.a
> /usr/lib/libssh.so.4
> /usr/lib/libssh_p.a
> /usr/sbin/dnssec-signzone
> /usr/sbin/lwresd
> /usr/sbin/named
> /usr/sbin/named-checkconf
> /usr/sbin/named-checkzone
> /usr/sbin/named-compilezone
> /usr/sbin/sshd
> /usr/src/sys/conf/newvers.sh
> /usr/src/sys/netinet/tcp.h
> /usr/src/sys/netinet/tcp_output.c
>
> While there is a new file for /usr/sbin/named, it isn't reporting
> the updated version:
>
> $ /usr/sbin/named -v
> BIND 9.4.2
>
> Any thoughts?
>
> thanks in advance,
> mark

From my understanding we don't bump the version of the named binary, so that seems correct..
--
     /"\   Best regards,                        | remko@FreeBSD.org
     \ /   Remko Lodder                         | remko@EFnet
      X    http://www.evilcoder.org/            |
     / \   ASCII Ribbon Campaign                | Against HTML Mail and News

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 04:36:55 2008
From: Mark Boolootian <booloo@ucsc.edu>
Date: Mon, 14 Jul 2008 21:36:47 -0700
To: Remko Lodder
Cc: freebsd-security@freebsd.org
Message-ID: <20080715043647.GA62823@root.ucsc.edu>
Subject: Re: freebsd-update not pulling in BIND update

> From my understanding we don't bump the version of the named binary, so that
> seems correct.. Thank you Remko. I really should have tested ahead of posting (which i aim to do shortly). From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 00:34:34 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A9784106566C for ; Thu, 17 Jul 2008 00:34:34 +0000 (UTC) (envelope-from mattjreimer@gmail.com) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.230]) by mx1.freebsd.org (Postfix) with ESMTP id 5EA918FC0C for ; Thu, 17 Jul 2008 00:34:34 +0000 (UTC) (envelope-from mattjreimer@gmail.com) Received: by wx-out-0506.google.com with SMTP id h27so2355891wxd.7 for ; Wed, 16 Jul 2008 17:34:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type:content-transfer-encoding :content-disposition; bh=NYp2Jglnjx8VMO3WcchrUWpp10YC71gC6N+QdhKcaDg=; b=gjmr5Y+cx6L8EqnBy1zT3dJyIZVSasutYurc38HH3rVls1/VzQ64q9uZQmgoUVKdKH uEq4PsEl+DuaqtXARfOaaAUY5zvQXrzBCvOvR9jIDLyvwuoe/XTHJQDygFU/Ji/saPUF ejzR91xfBT4TIuMdevNSmfpWBSj/LFjPPPzKI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=Gk/QnEbU9tXJLWF1aHc7w3TogFCROWg7sVQp2WcjC0K8b6qIO/EOHQ/UWakrPvAGpE 5OynhqHkNdNrSJzV7MsnrqH6hz/K9UYGvbBf3xcYfzMR2IB/Xt+YTCFLe/hKbQqB4bx6 ecurgNLe+Qxnf8p48v81iPhCwVOUc+B9j4olA= Received: by 10.101.1.12 with SMTP id d12mr3190731ani.31.1216253432172; Wed, 16 Jul 2008 17:10:32 -0700 (PDT) Received: by 10.100.110.10 with HTTP; Wed, 16 Jul 2008 17:10:32 -0700 (PDT) Message-ID: Date: Wed, 16 Jul 2008 17:10:32 -0700 From: "Matt Reimer" To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: A new kind 
of security needed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2008 00:34:34 -0000 Is anyone else nervous trusting all his programs to have access to all his files? Is there already a reasonable solution to this problem? It makes me nervous for, say, Firefox and its plugins to be able to read and write every file I own, whether it's gnucash, ~/.ssh, or other sensitive files. Programs could be set up to run under their own uids, but this is cumbersome, especially in a desktop environment. One possibility would be to "filewall" off a program--say, Firefox--so that of all my uid's files Firefox is only able to read or write ~/.mozilla. If we had app signatures like it seems OS X does, then maybe a "filewall" MAC module could use extended attributes to grant access to files based on the app's signature. Permission could be granted to the application to access other files through a special file picker, so the user is always in control. Thoughts? 
Matt From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 02:36:05 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1A49F1065675 for ; Thu, 17 Jul 2008 02:36:05 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from strawberry.noncombatant.org (strawberry.noncombatant.org [64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id BC0638FC14 for ; Thu, 17 Jul 2008 02:36:04 +0000 (UTC) (envelope-from chris@noncombatant.org) Received: from blueberry-2.local (unknown [64.142.6.126]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by strawberry.noncombatant.org (Postfix) with ESMTPSA id 2B903866810; Wed, 16 Jul 2008 19:36:04 -0700 (PDT) Message-ID: <487EB013.9090706@noncombatant.org> Date: Wed, 16 Jul 2008 19:36:03 -0700 From: Chris Palmer User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421) MIME-Version: 1.0 To: Matt Reimer , freebsd-security@freebsd.org References: In-Reply-To: X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: A new kind of security needed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2008 02:36:05 -0000 Matt Reimer wrote: > Is anyone else nervous trusting all his programs to have access to all > his files? Is there already a reasonable solution to this problem? http://www.cis.upenn.edu/~KeyKOS/Confinement.html http://cr.yp.to/qmail/qmailsec-20071101.pdf Also: CapDesk, Bitfrost, systrace, EROS/Coyotos In general, solutions have proven to be vaporware, very burdensome to use (systrace), or reduced in scope (Bernstein's single-source transforms). 
The success rate is not zero, though, and I too crave a solution...

From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 06:24:30 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 168ED106566B for ; Thu, 17 Jul 2008 06:24:30 +0000 (UTC) (envelope-from freebsd-security@dfmm.org)
Received: from dfmm.org (treehorn.dfmm.org [66.180.195.213]) by mx1.freebsd.org (Postfix) with ESMTP id D0D9D8FC08 for ; Thu, 17 Jul 2008 06:24:29 +0000 (UTC) (envelope-from freebsd-security@dfmm.org)
Received: (qmail 61863 invoked by uid 1000); 17 Jul 2008 06:24:29 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Jul 2008 06:24:29 -0000
Date: Wed, 16 Jul 2008 23:24:28 -0700 (PDT)
From: Jason Stone
X-X-Sender: jason@treehorn.dfmm.org
To: Matt Reimer
In-Reply-To:
Message-ID:
References:
User-Agent: Alpine 1.00 (BSF 882 2007-12-20)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-security@freebsd.org
Subject: Re: A new kind of security needed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Is anyone else nervous trusting all his programs to have access to all
> his files? Is there already a reasonable solution to this problem?
>
> It makes me nervous for, say, Firefox and its plugins to be able to read
> and write every file I own, whether it's gnucash, ~/.ssh, or other
> sensitive files.

Absolutely. Right now, I use different logins for different things (casual web surfing, financial stuff, and work), but it's inconvenient and far from foolproof.

Capabilities or MAC systems could be used here -- someone just has to put in the work to make it happen.

 -Jason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFIfuWdswXMWWtptckRAui7AJoDPimy9czlyCRbPcDMTK0XzZ9GIgCg2u0z
CQweJjrVQz2fV3xNH5ML50M=
=G2pt
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 07:18:20 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6E579106567E for ; Thu, 17 Jul 2008 07:18:20 +0000 (UTC) (envelope-from patpro@patpro.net)
Received: from smtp.univ-lyon2.fr (smtp.univ-lyon2.fr [159.84.143.102]) by mx1.freebsd.org (Postfix) with ESMTP id 284F68FC29 for ; Thu, 17 Jul 2008 07:18:20 +0000 (UTC) (envelope-from patpro@patpro.net)
Received: from localhost (localhost [127.0.0.1]) by smtp.univ-lyon2.fr (Postfix) with ESMTP id DA11780D7840 for ; Thu, 17 Jul 2008 08:59:01 +0200 (CEST)
X-Virus-Scanned: amavisd-new at univ-lyon2.fr
Received: from smtp.univ-lyon2.fr ([127.0.0.1]) by localhost (smtp.univ-lyon2.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CL4A7VG9wZXg for ; Thu, 17 Jul 2008 08:59:00 +0200 (CEST)
Received: from patpro.univ-lyon2.fr (unknown [159.84.148.59]) by smtp.univ-lyon2.fr (Postfix) with ESMTP id 84E4580D783D for ; Thu, 17 Jul 2008 08:59:00 +0200 (CEST)
Message-Id: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net>
From: Patrick Proniewski
To: Liste FreeBSD-security
In-Reply-To:
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v926)
Date: Thu, 17 Jul 2008 08:59:00 +0200
References:
X-Mailer: Apple Mail (2.926)
Subject: Re: A new kind of security needed

On 17 juil. 08, at 08:24, Jason Stone wrote:

>> Is anyone else nervous trusting all his programs to have access to
>> all his files? Is there already a reasonable solution to this
>> problem?
>>
>> It makes me nervous for, say, Firefox and its plugins to be able to
>> read and write every file I own, whether it's gnucash, ~/.ssh, or
>> other sensitive files.
>
> Absolutely. Right now, I use different logins for different things
> (casual web surfing, financial stuff, and work), but it's
> inconvenient and far from foolproof.
>
> Capabilities or MAC systems could be used here -- someone just has
> to put in the work to make it happen.

What about sandbox/chroot? Apple has designed such a system for Mac OS X 10.5, and even if it's not fully functional now, it's probably interesting.

patpro

From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 08:10:56 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5B097106564A for ; Thu, 17 Jul 2008 08:10:56 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 27A2D8FC08 for ; Thu, 17 Jul 2008 08:10:56 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 25DCD46B99; Thu, 17 Jul 2008 03:54:32 -0400 (EDT)
Date: Thu, 17 Jul 2008 08:54:31 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Patrick Proniewski
In-Reply-To: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net>
Message-ID: <20080717085136.B87887@fledge.watson.org>
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Liste FreeBSD-security
Subject: Re: A new kind of security needed

On Thu, 17 Jul 2008, Patrick Proniewski wrote:

>> Absolutely. Right now, I use different logins for different things (casual
>> web surfing, financial stuff, and work), but it's inconvenient and far from
>> foolproof.
>>
>> Capabilities or MAC systems could be used here -- someone just has to put
>> in the work to make it happen.
>
> What about sandbox/chroot? Apple has designed such a system for Mac OS X
> 10.5, and even if it's not fully functional now, it's probably interesting.

And, interestingly, the Mac OS X Sandbox parts are based on the TrustedBSD MAC Framework that was first developed on FreeBSD and later ported to Mac OS X. However, Sandbox is not open source, and does rely on the reliability of pathnames, which on UFS (and even HFS+) is a bit of a tricky issue.

FWIW, I have some work in progress on the capability front, but it's a highly complex issue that will take years to work through properly. Unfortunately, the real issue isn't so much the OS primitives as building up a non-trivial application base that uses them. Providing primitives to subdivide applications isn't easy, but once you've done that you still have to rewrite lots of applications to take advantage of it, and in a way that shows a lot more application programmer discipline. It's not clear to me that the pressure is there to make feature-driven application development for major desktop applications adopt techniques of this sort.
Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 13:34:54 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9FF88106568D; Thu, 17 Jul 2008 13:34:54 +0000 (UTC) (envelope-from tim@clewlow.org)
Received: from clewlow.org (clewlow.org [210.215.149.194]) by mx1.freebsd.org (Postfix) with ESMTP id 18B468FC1C; Thu, 17 Jul 2008 13:34:53 +0000 (UTC) (envelope-from tim@clewlow.org)
Received: from 192.168.1.100 (localhost [127.0.0.1]) by clewlow.org (Postfix) with ESMTP id D03021C0844; Thu, 17 Jul 2008 23:34:50 +1000 (EST)
Received: from 192.168.1.10 (SquirrelMail authenticated user tim) by 192.168.1.100 with HTTP; Thu, 17 Jul 2008 23:34:50 +1000 (EST)
Message-ID: <50456.192.168.1.10.1216301690.squirrel@192.168.1.100>
In-Reply-To: <20080717085136.B87887@fledge.watson.org>
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org>
Date: Thu, 17 Jul 2008 23:34:50 +1000 (EST)
From: "Tim Clewlow"
To: "Robert Watson"
User-Agent: SquirrelMail/1.4.13
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: Liste FreeBSD-security
Subject: Re: A new kind of security needed

> On Thu, 17 Jul 2008, Patrick Proniewski wrote:
>
>>> Absolutely. Right now, I use different logins for different
>>> things (casual web surfing, financial stuff, and work), but it's
>>> inconvenient and far from foolproof.
>>>
>>> Capabilities or MAC systems could be used here -- someone just
>>> has to put in the work to make it happen.
>>
>> What about sandbox/chroot? Apple has designed such a system for
>> Mac OS X 10.5, and even if it's not fully functional now, it's
>> probably interesting.
>
> And, interestingly, the Mac OS X Sandbox parts are based on the
> TrustedBSD MAC Framework that was first developed on FreeBSD and
> later ported to Mac OS X. However, Sandbox is not open source, and
> does rely on the reliability of pathnames, which on UFS (and even
> HFS+) is a bit of a tricky issue.
>
> FWIW, I have some work in progress on the capability front, but it's
> a highly complex issue that will take years to work through
> properly. Unfortunately, the real issue isn't so much the OS
> primitives as building up a non-trivial application base that uses
> them. Providing primitives to subdivide applications isn't easy, but
> once you've done that you still have to rewrite lots of applications
> to take advantage of it, and in a way that shows a lot more
> application programmer discipline. It's not clear to me that the
> pressure is there to make feature-driven application development for
> major desktop applications adopt techniques of this sort.

The "One Laptop Per Child" organisation seems to be taking the sandbox/jail concept to its extreme in an attempt to neuter viruses. In FreeBSD terms, they appear to be insisting that each user application on the laptop be run in its own jail.

http://news.softpedia.com/news/The-100-Laptop-Virus-Free-37464.shtml

This may be feasible on a system designed to be very restrictive in regards to hacking/tinkering, but much more difficult, if not impossible, to implement on a system like FreeBSD (how do you build a piped process group when all the individual processes are separately jailed?)
Perhaps a security layer could be implemented that includes the ability to designate some applications as being only allowed to run if they are in a jail, and then have all other executables not available to be run on their own. But this would be a very different system from FreeBSD. Maybe it could be done with a sysctl switch, or maybe it would be such a major change it should really be considered a separate operating system in its own right, i.e. perhaps better implemented as part of PCBSD, or something of that ilk.

Of course, if it can be done, without upsetting everyone, then that would be ideal, but I agree there would be a great deal of work involved.

Regards, Tim.

We are BSD ... resistance is futile.
http://www.freebsd.org/ - http://www.openbsd.org/ - http://www.netbsd.org/

From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 15:07:37 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CB7531065675 for ; Thu, 17 Jul 2008 15:07:37 +0000 (UTC) (envelope-from die.gestalt@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.174]) by mx1.freebsd.org (Postfix) with ESMTP id 5E8328FC1F for ; Thu, 17 Jul 2008 15:07:37 +0000 (UTC) (envelope-from die.gestalt@gmail.com)
Received: by ug-out-1314.google.com with SMTP id q2so804154uge.37 for ; Thu, 17 Jul 2008 08:07:36 -0700 (PDT)
Received: by 10.125.156.10 with SMTP id i10mr118700mko.42.1216305526361; Thu, 17 Jul 2008 07:38:46 -0700 (PDT)
Received: by 10.125.116.5 with HTTP; Thu, 17 Jul 2008 07:38:46 -0700 (PDT)
Message-ID: <5bf3e10d0807170738t561fccb4rcfd79f994120aa1c@mail.gmail.com>
Date: Thu, 17 Jul 2008 16:38:46 +0200
From: "Die Gestalt"
To: "Liste FreeBSD-security"
In-Reply-To: <50456.192.168.1.10.1216301690.squirrel@192.168.1.100>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org> <50456.192.168.1.10.1216301690.squirrel@192.168.1.100>
Subject: Re: A new kind of security needed

It's the concept behind Microsoft's experimental OS: Symphony...

Otherwise you can use jail.
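Robert Watson's remark earlier in the thread that the Mac OS X Sandbox "does rely on the reliability of pathnames" is easiest to see in code. The C program below is an added example written for this page; it is not code from the thread, from FreeBSD, or from Apple's Sandbox. It builds a toy name-based "filewall" of the kind Matt proposes (a string check on the pathname, then an open of that pathname) next to an object-based check that keeps the allowed directory open and resolves one component with openat(2) and O_NOFOLLOW. The directory layout, the file contents and the symlink swap are constructed for the demonstration, the temp directory under /tmp and the helper names are the example's own assumptions, and the calls used are POSIX ones that exist on both FreeBSD and Linux.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Name-based "filewall": the policy decision is a string comparison on the
 * pathname, and the open is a second, independent lookup of that same name. */
static int open_by_pathname(const char *allowed_dir, const char *path)
{
    size_t n = strlen(allowed_dir);
    if (strncmp(path, allowed_dir, n) != 0 || path[n] != '/')
        return -1;                   /* the name lies outside the allowed tree */
    return open(path, O_RDONLY);     /* ...but what the name binds to may have changed */
}

/* Object-based: keep the allowed directory open, resolve exactly one component
 * relative to it, refuse to follow a symlink, and confirm the object's type. */
static int open_in_dir(int dirfd, const char *name)
{
    struct stat st;
    if (name[0] == '\0' || strchr(name, '/') != NULL || strcmp(name, "..") == 0)
        return -1;                   /* single component only, no traversal */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                   /* a symlink here fails with ELOOP */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    return w == (ssize_t)strlen(text) ? 0 : -1;
}

static int read_and_close(int fd, char *buf, size_t len)
{
    ssize_t r = read(fd, buf, len - 1);
    close(fd);
    if (r < 0)
        return -1;
    buf[r] = '\0';
    return 0;
}

/* Constructed scenario: allowed/notes.txt ("public") and secret.txt ("secret")
 * under a fresh temp directory. After the policy has approved allowed/notes.txt,
 * that name is replaced by a symlink to the secret, as a racing process or a
 * rename performed inside the sandbox could do. Fills naive_out with what the
 * name-based open read; safe_rc receives the object-based result. Returns 0. */
int demo_pathname_swap(char *naive_out, size_t len, int *safe_rc)
{
    char base[] = "/tmp/filewallXXXXXX";   /* assumption: /tmp is writable */
    char allowed[64], note[80], secret[80];
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(allowed, sizeof allowed, "%s/allowed", base);
    snprintf(note, sizeof note, "%s/notes.txt", allowed);
    snprintf(secret, sizeof secret, "%s/secret.txt", base);
    if (mkdir(allowed, 0700) != 0 || write_file(note, "public") != 0 ||
        write_file(secret, "secret") != 0)
        return -1;

    int dirfd = open(allowed, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;

    /* The name-to-object binding changes underneath the policy. */
    if (unlink(note) != 0 || symlink("../secret.txt", note) != 0)
        return -1;

    int fd = open_by_pathname(allowed, note);          /* string check still passes */
    if (fd < 0 || read_and_close(fd, naive_out, len) != 0)
        return -1;                                      /* ...and it reads the secret */

    *safe_rc = open_in_dir(dirfd, "notes.txt");        /* O_NOFOLLOW rejects the symlink */
    if (*safe_rc >= 0)
        close(*safe_rc);
    close(dirfd);

    unlink(note); unlink(secret); rmdir(allowed); rmdir(base);
    return 0;
}

int main(void)
{
    char buf[64];
    int safe_rc = 0;
    if (demo_pathname_swap(buf, sizeof buf, &safe_rc) != 0) {
        perror("demo");
        return 1;
    }
    printf("name-based open read: \"%s\"\n", buf);        /* "secret" */
    printf("object-based open returned: %d\n", safe_rc);   /* -1 */
    return 0;
}
```

The string comparison decides about a name; the object that name resolves to at open(2) time is whatever the filesystem holds at that instant, and anything that can create a symlink or rename a file inside the allowed tree (the sandboxed program itself, or a racing process) can move the name onto an object the policy never meant to allow. Holding a descriptor to the directory, resolving a single component relative to it, refusing symlinks and checking the result's type with fstat(2) decides about the object instead. A hard link planted inside the allowed directory is the remaining gap on the same filesystem, which is one reason a policy keyed on file identity or labels travels better than one keyed on paths.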
From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 15:11:07 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7B021106564A for ; Thu, 17 Jul 2008 15:11:07 +0000 (UTC) (envelope-from die.gestalt@gmail.com)
Received: from gv-out-0910.google.com (gv-out-0910.google.com [216.239.58.184]) by mx1.freebsd.org (Postfix) with ESMTP id 0EC608FC13 for ; Thu, 17 Jul 2008 15:11:06 +0000 (UTC) (envelope-from die.gestalt@gmail.com)
Received: by gv-out-0910.google.com with SMTP id n8so1008249gve.39 for ; Thu, 17 Jul 2008 08:11:05 -0700 (PDT)
Received: by 10.125.134.17 with SMTP id l17mr122394mkn.0.1216307465247; Thu, 17 Jul 2008 08:11:05 -0700 (PDT)
Received: by 10.125.116.5 with HTTP; Thu, 17 Jul 2008 08:11:05 -0700 (PDT)
Message-ID: <5bf3e10d0807170811j10025e0amf13ecb89ad16195f@mail.gmail.com>
Date: Thu, 17 Jul 2008 17:11:05 +0200
From: "Die Gestalt"
To: "Liste FreeBSD-security"
In-Reply-To: <5bf3e10d0807170738t561fccb4rcfd79f994120aa1c@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org> <50456.192.168.1.10.1216301690.squirrel@192.168.1.100> <5bf3e10d0807170738t561fccb4rcfd79f994120aa1c@mail.gmail.com>
Subject: Re: A new kind of security needed

On Thu, Jul 17, 2008 at 4:38 PM, Die Gestalt wrote:

> It's the concept behind Microsoft's experimental OS: Symphony...
>
> Otherwise you can use jail.

My bad, Singularity... Symphony is another story. :)

From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 20:10:47 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CD10A106566B for ; Thu, 17 Jul 2008 20:10:47 +0000 (UTC) (envelope-from freebsd-security@dfmm.org)
Received: from dfmm.org (treehorn.dfmm.org [66.180.195.213]) by mx1.freebsd.org (Postfix) with ESMTP id 8E0088FC19 for ; Thu, 17 Jul 2008 20:10:47 +0000 (UTC) (envelope-from freebsd-security@dfmm.org)
Received: (qmail 19785 invoked by uid 1000); 17 Jul 2008 20:10:47 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Jul 2008 20:10:47 -0000
Date: Thu, 17 Jul 2008 13:10:46 -0700 (PDT)
From: Jason Stone
X-X-Sender: jason@treehorn.dfmm.org
To: Tim Clewlow
In-Reply-To: <50456.192.168.1.10.1216301690.squirrel@192.168.1.100>
Message-ID:
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org> <50456.192.168.1.10.1216301690.squirrel@192.168.1.100>
User-Agent: Alpine 1.00 (BSF 882 2007-12-20)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Liste FreeBSD-security , Robert Watson
Subject: Re: A new kind of security needed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> how do you build a piped process group when all the individual
> processes are separately jailed?

"pipe ; fork ; chroot ; setuid". See qmail for an example.

 -Jason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFIf6dHswXMWWtptckRAoumAJoCwvvrDwZzZRQPqC7G4u8rxFv1hwCdEeiY
9KP1d4aEhCpkVy3FYkHHP0w=
=4P0+
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 20:41:59 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4ABD1106567E; Fri, 18 Jul 2008 20:41:59 +0000 (UTC) (envelope-from lyndon@orthanc.ca)
Received: from orthanc.ca (orthanc.ca [216.40.124.68]) by mx1.freebsd.org (Postfix) with ESMTP id 0D68D8FC3C; Fri, 18 Jul 2008 20:41:59 +0000 (UTC) (envelope-from lyndon@orthanc.ca)
Received: from peregrin.orthanc.ca (peregrin.orthanc.ca [216.40.124.67]) (authenticated bits=0) by orthanc.ca (8.14.2/8.14.2) with ESMTP id m6IK5lBn074819; Fri, 18 Jul 2008 13:05:47 -0700 (PDT) (envelope-from lyndon@orthanc.ca)
Message-Id: <05661513-E0DA-4B33-BD4E-FCF73943F332@orthanc.ca>
From: Lyndon Nerenberg
To: Robert Watson
In-Reply-To: <20080717085136.B87887@fledge.watson.org>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v926)
Date: Fri, 18 Jul 2008 13:05:42 -0700
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org>
X-Mailer: Apple Mail (2.926)
Cc: Liste FreeBSD-security
Subject: Re: A new kind of security needed

On 2008-Jul-17, at 00:54 , Robert Watson wrote:

> FWIW, I have some work in progress on the capability front, but it's
> a highly complex issue that will take years to work through
> properly. Unfortunately, the real issue isn't so much the OS
> primitives as building up a non-trivial application base that uses
> them. Providing primitives to subdivide applications isn't easy, but
> once you've done that you still have to rewrite lots of applications
> to take advantage of it, and in a way that shows a lot more
> application programmer discipline. It's not clear to me that the
> pressure is there to make feature-driven application development for
> major desktop applications adopt techniques of this sort.

Realistically, this will never happen. It would require *every*one agreeing on a single consistent API, and that just won't happen with any sort of policy-based mechanism.

It's sad people don't pay more attention to Plan 9. Namespaces go a long way towards solving this problem in a manner that's completely transparent to the application, and trivial for the end-user to configure and use. See:

http://plan9.bell-labs.com/sys/doc/names.html
http://plan9.bell-labs.com/magic/man2html/1/0intro
http://plan9.bell-labs.com/magic/man2html/4/namespace

In a nutshell, your view of the 'filesystem' is fully mutable. A simple 'rfork n' in the shell will instantiate a brand new instance of the namespace, which you can then fiddle to your heart's content. E.g.

    rfork n
    bind /usr/ftp /

creates a namespace where /usr/ftp (by convention the anonymous FTP directory) is now the "root" directory of the process' filesystem. Analogous system calls exist for programmatic use. And since there is no concept of (or need for) a 'superuser' these facilities are available to everyone. This makes sandboxing trivial for any number of remotely accessible network services as well as to the interactive system user.

Both files and directories can be bind targets, and the source of the bind can as easily be a program as a file or directory; the ability to create secure synthetic filesystems just naturally falls out of this paradigm. And the applications are blissfully unaware that any of this even exists.

--lyndon
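Jason Stone's one-line answer to Tim's question, "pipe ; fork ; chroot ; setuid", is the qmail pattern, and it is short enough to show in full. The C program below is an added example written for this page, not code from the thread or from qmail. The parent creates the pipe and forks; the child confines itself before it touches any data, and the only thing the parent learns back is how many bytes the confined child read. The jail directory /var/empty and the uid/gid 65534 used in main() are assumptions (on a real system you would create a dedicated account per stage, as qmail does), and the ordering in drop_privileges() is the part to study: chroot(2) needs root, so it comes first; chdir("/") afterwards so no directory handle outside the jail is kept; setgroups(2) and setgid(2) before setuid(2), because once the uid is gone the group calls fail; then a check that root really cannot be regained, since a root process inside a chroot can still escape it.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_ERR_ARG = -1, DROP_ERR_ROOT_UID = -2,
       DROP_ERR_CHROOT = -3, DROP_ERR_GROUPS = -4, DROP_ERR_UID = -5,
       DROP_ERR_VERIFY = -6 };

/* Confine the calling process: chroot(2) into `root`, chdir("/") inside it so
 * no open directory handle outside the jail is retained, then drop group
 * privileges before user privileges (the reverse order cannot succeed), and
 * finally verify that the privileges really are gone. Requires root to start. */
int drop_privileges(const char *root, uid_t uid, gid_t gid)
{
    if (root == NULL || root[0] == '\0')
        return DROP_ERR_ARG;
    if (uid == 0 || gid == 0)
        return DROP_ERR_ROOT_UID;        /* "dropping" to root is a configuration bug */
    if (chroot(root) != 0 || chdir("/") != 0)
        return DROP_ERR_CHROOT;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0)
        return DROP_ERR_GROUPS;          /* supplementary groups would otherwise survive */
    if (setuid(uid) != 0)
        return DROP_ERR_UID;
    /* A correct drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return DROP_ERR_VERIFY;
    return DROP_OK;
}

/* The qmail-style pipeline. The parent keeps its privileges only long enough to
 * create the pipe and fork; the child confines itself and only then reads what
 * arrives on the pipe. Returns the child's exit status: the number of bytes the
 * confined child read (capped at 255), or 100 + |error| if the child refused
 * to run because drop_privileges() failed. Returns -1 on a parent-side failure. */
int run_confined_reader(const char *root, uid_t uid, gid_t gid, const char *data)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[1]);                           /* child reads only */
        int rc = drop_privileges(root, uid, gid);
        if (rc != DROP_OK)
            _exit(100 + (-rc));                  /* fail closed: never process data unconfined */
        char buf[256];
        ssize_t n, total = 0;
        while ((n = read(fds[0], buf, sizeof buf)) > 0)
            total += n;                          /* untrusted input is handled here, jailed */
        _exit(total > 255 ? 255 : (int)total);
    }
    close(fds[0]);                               /* parent writes only */
    if (write(fds[1], data, strlen(data)) < 0)
        perror("write");
    close(fds[1]);                               /* EOF tells the child it is done */
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Assumed values: an empty jail directory and the classic unprivileged ids. */
    int rc = run_confined_reader("/var/empty", 65534, 65534, "GET / HTTP/1.0\r\n");
    if (rc < 0)
        perror("run_confined_reader");
    else if (rc >= 100)
        fprintf(stderr, "child refused to run: drop_privileges error %d\n", 100 - rc);
    else
        printf("confined child read %d bytes\n", rc);
    return rc < 0 || rc >= 100;
}
```

Run as root the child reports the bytes it read; run without root, chroot(2) fails and the child exits with 103 (error -3) without ever reading the pipe, which is the behaviour you want from every stage of such a pipeline. In qmail each stage is additionally dup2(2)'d onto its standard input and exec'd as a separate binary, so a compromise of the parser stage yields a process that owns nothing but its end of the pipe and an empty root directory.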