From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 11:55:31 2008
From: Mike Tancsa
Date: Sun, 07 Sep 2008 07:55:26 -0400
To: freebsd-security@freebsd.org
Subject: Heimdal or MIT for kerberos?
Message-Id: <200809071155.m87BtS2H082832@lava.sentex.ca>

We are looking at deploying Kerberos for better user management (SSO) and 2-factor authentication via PKCS#11 eTokens. The servers are all FreeBSD, and the machines principals will log in from are a mix of FreeBSD, Windows and Mac OS X, using ssh and OpenVPN. As part of our compliance project, access must be 2-factor.

The Heimdal in RELENG_7 is a rather old version and doesn't seem to have all the bits needed for x509 pre-auth, so I would probably need to install from the ports anyway. Does anyone have any suggestions as to which implementation to use? We are in Canada, so it doesn't matter regulation-wise. Is one better maintained than the other? There are no legacy v4 apps.

Thanks,
---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 14:13:10 2008
From: "tethys ocean"
Date: Mon, 8 Sep 2008 17:13:06 +0300
To: "FreeBSD Questions", freebsd-security@freebsd.org
Subject: joomla15-1.5.3 has known vulnerabilities:
Message-ID: <235b80000809080713v70b4a5cfs4927beb1c0772d9a@mail.gmail.com>

Hi all,

One of the co-location customers wants to use joomla (latest version, 15). I want to install it from the port, but I've taken this error:

[root@wmn /usr/ports/www/joomla15]# make install clean
===>  joomla15-1.5.3 has known vulnerabilities:
=> joomla -- flaw in the reset token validation.
   Reference: <http://www.FreeBSD.org/ports/portaudit/8514b6e7-6f0f-11dd-b3db-001c2514716c.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/www/joomla15.
[root@wmn /usr/ports/www/joomla15]#

The port is updated.

Firstly it would install; I patch it, but it does not install.

--
Share now a pigeon's flight
Bluebound along the ancient skies,
Its women forever hair and mammal,
A Mediterranean town may arise
If you rip apart a pigeon's heart.
From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 14:58:34 2008
From: Lowell Gilbert
Date: Mon, 08 Sep 2008 10:42:23 -0400
To: "tethys ocean"
Cc: freebsd-security@freebsd.org, FreeBSD Questions
Subject: Re: joomla15-1.5.3 has known vulnerabilities:
Message-ID: <44hc8qr968.fsf@be-well.ilk.org>
In-Reply-To: <235b80000809080713v70b4a5cfs4927beb1c0772d9a@mail.gmail.com>

"tethys ocean" writes:

> Hi all,
>
> One of the co-location customers wants to use joomla (latest version, 15). I want
> to install it from the port, but I've taken this error:
>
> [root@wmn /usr/ports/www/joomla15]# make install clean
> ===>  joomla15-1.5.3 has known vulnerabilities:
> => joomla -- flaw in the reset token validation.
>    Reference: <http://www.FreeBSD.org/ports/portaudit/8514b6e7-6f0f-11dd-b3db-001c2514716c.html>
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/www/joomla15.
> [root@wmn /usr/ports/www/joomla15]#
>
> The port is updated.
>
> Firstly it would install; I patch it, but it does not install.

If you have patched to fix the vulnerability, then you can just disable portaudit.

From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 15:57:58 2008
From: Andrew Storms
Date: Mon, 08 Sep 2008 08:33:49 -0700
To: freebsd-security@freebsd.org
Subject: Question on recent PHP VuXML info

Not sure if this is the correct place for VuXML questions, but the FreeBSD VuXML list (http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty dead given the last update was in 2007 according to the archives.

We were previously tracking this entry, which pretty much sat for a while without an applicable upgradeable resolution available.

Affected package: php5-posix-5.2.6
Type of problem: php -- input validation error in posix_access function.
Reference:
-----------

Then late last week, the same VuXML ID started reporting this information instead:

Affected package: php5-5.2.6
Type of problem: php -- input validation error in safe_mode.
Reference:
------------

The generic question I'm asking is: What happened and why? Seems to me that if you have a VuXML ID (which, I thought, wasn't supposed to be re-used), then its name and description shouldn't just apparently change one day.

So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with the same ID the same bug, a new description, does the newer supersede, etc., etc.? Where can I get the background on what went on here?

Thanks.
-_S

From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 16:34:17 2008
From: Jille Timmermans
Date: Mon, 08 Sep 2008 18:07:27 +0200
To: Andrew Storms
Cc: freebsd-security@freebsd.org
Subject: Re: Question on recent PHP VuXML info
Message-ID: <48C54DBF.3070000@quis.cx>

Andrew Storms wrote:
> Not sure if this is the correct place for VuXML questions, but the FreeBSD
> VuXML list (http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty
> dead given the last update was in 2007 according to the archives.
>
> We were previously tracking this entry, which pretty much sat for a while
> without an applicable upgradeable resolution available.
>
> Affected package: php5-posix-5.2.6
> Type of problem: php -- input validation error in posix_access function.
> Reference:
>
> -----------
>
> Then late last week, the same VuXML ID started reporting this information
> instead:
>
> Affected package: php5-5.2.6
> Type of problem: php -- input validation error in safe_mode.
> Reference:
>
> ------------
>
> The generic question I'm asking is: What happened and why? Seems to me that
> if you have a VuXML ID (which, I thought, wasn't supposed to be re-used), then
> its name and description shouldn't just apparently change one day.

There was an input validation bug in a function that was used in all posix_ functions that used files (http://../ ended up in /), which bypassed safe_mode.

> So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with the same ID
> the same bug, a new description, does the newer supersede, etc., etc.? Where
> can I get the background on what went on here?

It was only in the posix module, not in entire PHP. ale@ took the fixing patch from PHP CVS and attached it as a patch to the port a few days ago (or at least committed it). AFAIK the VuXML was also updated then; and I think ale@ took a look at the patch and changed the VuXML to say the port revision with that patch wasn't vulnerable anymore, and also clarified the description.

-- Jille

> Thanks.
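Both questions in this archive, why portaudit blocks joomla15-1.5.3 even after a local patch and how to notice a VuXML id whose meaning changed, come down to how entries in vuln.xml are read. The block below is an added example written for this page; it is not code from FreeBSD's portaudit or VuXML tooling and not from anyone in the thread. It parses two constructed revisions of a VuXML document (the joomla vid and topic are from the thread; its range, the php vid and the php ranges are placeholders I made up), matches an installed package name and version against the entry ranges the way a version-based audit does, and reports any vid whose topic or affected packages differ between the two revisions. The version ordering is a simplified model of pkg_version(1), not its full rules.

```python
"""Minimal VuXML reader: version-range matching and a diff of one vid across two revisions.
Added example for this archive page, not FreeBSD's portaudit or VuXML tooling."""
import re
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"
# Placeholder: the real vid of the php5 entry is not in the thread (its URL was lost).
PHP_VID = "00000000-0000-0000-0000-000000000000"

# Constructed revision "A", modelled on the VuXML format: the entries as first seen.
# The joomla vid and topic are from the thread; every <range> below is constructed.
REV_A = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="8514b6e7-6f0f-11dd-b3db-001c2514716c">
    <topic>joomla -- flaw in the reset token validation</topic>
    <affects><package><name>joomla15</name><range><lt>1.5.4</lt></range></package></affects>
  </vuln>
  <vuln vid="%s">
    <topic>php -- input validation error in posix_access function</topic>
    <affects><package><name>php5-posix</name><range><lt>5.2.6_1</lt></range></package></affects>
  </vuln>
</vuxml>""" % PHP_VID

# Constructed revision "B": the same php vid now carries a different topic and package.
REV_B = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="8514b6e7-6f0f-11dd-b3db-001c2514716c">
    <topic>joomla -- flaw in the reset token validation</topic>
    <affects><package><name>joomla15</name><range><lt>1.5.4</lt></range></package></affects>
  </vuln>
  <vuln vid="%s">
    <topic>php -- input validation error in safe_mode</topic>
    <affects><package><name>php5</name><range><lt>5.2.6_2</lt></range></package></affects>
  </vuln>
</vuxml>""" % PHP_VID


def parse_version(version):
    """Sort key for a ports version such as '5.2.6_2,1' (simplified pkg_version(1) rules):
    EPOCH after ',', PORTREVISION after '_', then dotted components where digit runs
    compare numerically and sort above letter runs."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.rsplit("_", 1)
        revision = int(rev_str)
    components = tuple((1, int(tok)) if tok.isdigit() else (0, tok)
                       for tok in re.findall(r"\d+|[A-Za-z]+", version))
    return (epoch, components, revision)


_BOUND = {"lt": lambda v, b: v < b, "le": lambda v, b: v <= b,
          "gt": lambda v, b: v > b, "ge": lambda v, b: v >= b,
          "eq": lambda v, b: v == b}


def load_entries(xml_text):
    """Map vid -> {'topic', 'affects'}; 'affects' is ((package, ((op, version), ...)), ...)."""
    entries = {}
    for vuln in ET.fromstring(xml_text).iter(NS + "vuln"):
        packages = []
        for pkg in vuln.iter(NS + "package"):
            name = pkg.find(NS + "name").text
            ranges = tuple(tuple((bound.tag[len(NS):], bound.text) for bound in rng)
                           for rng in pkg.findall(NS + "range"))
            packages.append((name, ranges))
        entries[vuln.get("vid")] = {"topic": vuln.find(NS + "topic").text,
                                    "affects": tuple(packages)}
    return entries


def split_package(pkgstring):
    """'php5-posix-5.2.6' -> ('php5-posix', '5.2.6'): the version follows the last '-'."""
    name, version = pkgstring.rsplit("-", 1)
    return name, version


def affected(entries, pkgstring):
    """List (vid, topic) for every entry whose ranges match this installed package.
    Bounds inside one <range> are ANDed; several <range>s are ORed. Only the version
    string is consulted, so a locally patched 1.5.3 still matches '<lt>1.5.4</lt>'."""
    name, version = split_package(pkgstring)
    key = parse_version(version)
    hits = []
    for vid, entry in entries.items():
        for pkg_name, ranges in entry["affects"]:
            if pkg_name == name and any(
                    all(_BOUND[op](key, parse_version(limit)) for op, limit in bounds)
                    for bounds in ranges):
                hits.append((vid, entry["topic"]))
                break
    return hits


def entry_changes(old_entries, new_entries):
    """vid -> list of fields ('topic', 'affects') that differ between two revisions;
    a vid that silently changes meaning, as in this thread, shows up here."""
    changes = {}
    for vid in sorted(old_entries.keys() & new_entries.keys()):
        diffs = [f for f in ("topic", "affects") if old_entries[vid][f] != new_entries[vid][f]]
        if diffs:
            changes[vid] = diffs
    return changes


if __name__ == "__main__":
    rev_a, rev_b = load_entries(REV_A), load_entries(REV_B)
    for pkg in ("joomla15-1.5.3", "php5-posix-5.2.6", "php5-5.2.6"):
        print(pkg, "A:", affected(rev_a, pkg), "B:", affected(rev_b, pkg))
    print(entry_changes(rev_a, rev_b))
```

Run against a real vuln.xml the diff function is the audit Andrew wanted: keep yesterday's copy, load both, and any vid listed by entry_changes has been re-described rather than given a new id. The range matcher also shows why a patched port still trips the check: it sees only "1.5.3", so a local patch has to be paired with a PORTREVISION bump (or with disabling the check, as Lowell suggests) to get past it.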
> > -_S > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 16:34:22 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1AC6D1065671 for ; Mon, 8 Sep 2008 16:34:22 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from QMTA04.westchester.pa.mail.comcast.net (qmta04.westchester.pa.mail.comcast.net [76.96.62.40]) by mx1.freebsd.org (Postfix) with ESMTP id BC90E8FC22 for ; Mon, 8 Sep 2008 16:34:21 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from OMTA11.westchester.pa.mail.comcast.net ([76.96.62.36]) by QMTA04.westchester.pa.mail.comcast.net with comcast id CCBM1a0090mv7h054GJKxc; Mon, 08 Sep 2008 16:18:19 +0000 Received: from koitsu.dyndns.org ([67.180.253.227]) by OMTA11.westchester.pa.mail.comcast.net with comcast id CGJJ1a00L4v8bD73XGJJnu; Mon, 08 Sep 2008 16:18:19 +0000 X-Authority-Analysis: v=1.0 c=1 a=B4vypQ2SMr0A:10 a=6I5d2MoRAAAA:8 a=ue5APn2yAAAA:8 a=QycZ5dHgAAAA:8 a=19ixDgaoKT3zGBaQa_sA:9 a=bNvIoA5fbWoHeNuoB1oA:7 a=JijkwyIQ4i2ipZbQekV1H1IQ_9oA:4 a=EoioJ0NPDVgA:10 a=LY0hPdMaydYA:10 Received: by icarus.home.lan (Postfix, from userid 1000) id 39DC217B84E; Mon, 8 Sep 2008 09:18:18 -0700 (PDT) Date: Mon, 8 Sep 2008 09:18:18 -0700 From: Jeremy Chadwick To: Andrew Storms Message-ID: <20080908161818.GA72963@icarus.home.lan> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-security@freebsd.org Subject: Re: Question on recent PHP VuXML info X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2008 16:34:22 -0000 On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote: > Not sure if this is the correct place for VuXML questions, but the FreeBSD > VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty > dead given the last update was in 2007 according to the archives. > > We were previously tracking this entry, which pretty much sat for a while > without an applicable upgradeable resolution available. > > Affected package: php5-posix-5.2.6 > Type of problem: php -- input validation error in posix_access function. > Reference: > .html> > ----------- > > Then late last week, the same VuXML ID started reporting this information > instead: > > Affected package: php5-5.2.6 > Type of problem: php -- input validation error in safe_mode. > Reference: > .html> > ------------ > > The generic question I'm asking is: What happened and why? Seems to me that > if you have a VuXML ID (which, I thought wasn't suppose to be re-used), then > it's name and description shouldn't just apparently change one day. > > So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with same ID, > the same bug, a new description, does the newer supercede, etc, etc? Where > can I get the background on what went on here? 
My initial impression after reading the full disclosures on SecurityFocus is that these two flaws are separate, and should have been given separate VuXML IDs: CVE-2008-2665: http://www.securityfocus.com/bid/29797 CVE-2008-2666: http://www.securityfocus.com/bid/29796 As for the CVS commits under scrutiny, here they are in chronological order: Revision 1.1645 Revision 1.1646 Revision 1.1647 Revision 1.1676 http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 05:12:52 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6C3861065676 for ; Tue, 9 Sep 2008 05:12:52 +0000 (UTC) (envelope-from ipfreak@yahoo.com) Received: from web52105.mail.re2.yahoo.com (web52105.mail.re2.yahoo.com [206.190.48.108]) by mx1.freebsd.org (Postfix) with SMTP id 2C1278FC12 for ; Tue, 9 Sep 2008 05:12:51 +0000 (UTC) (envelope-from ipfreak@yahoo.com) Received: (qmail 10544 invoked by uid 60001); 9 Sep 2008 04:46:10 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Message-ID; b=G2iZBBgYJjlLOz8AAWGA4AKh09rAEc+2In2STVC1JTkJ6Z4vHFpqfjNylVP6Qwrx9/OaKy6gWWqN4hw1NlaH75RApqGNVbhrT4YYZGIxOpjOvZDIPrLTKW4HYK3NVzLiCZrEVxz9TFXiIOnvYUnrfmk2XfnGl//NpDq1QGjK9Co=; X-YMail-OSG: CjVoowQVM1mirDi4YFA4VFLcwnSnO2twL8k_I0K.H3oidsIddHEnyZpuZOaYDX22iq_zgFT33lJw6uxMU9oeRjIdaFLI5L_2URdQ9mQSQHSNvC8xbtOMf6i1JTF_jApEhA-- Received: from [98.169.13.4] by web52105.mail.re2.yahoo.com via HTTP; Mon, 08 Sep 2008 21:46:10 PDT X-Mailer: YahooMailWebService/0.7.218.2 Date: Mon, 8 Sep 2008 21:46:10 -0700 (PDT) From: gahn To: freebsd 
security MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Message-ID: <839688.9358.qm@web52105.mail.re2.yahoo.com> Subject: jails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: ipfreak@yahoo.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2008 05:12:52 -0000 hi all: i tried to build jails and just could not get it work. it kept giving me errors. for 6.3, i got following errors: ////////////////////// cd /usr/src; make -f Makefile.inc1 hierarchy cd /usr/src/etc; make distrib-dirs mtree -eU -f /usr/src/etc/mtree/BSD.root.dist -p /home/j/mroot/ mtree -eU -f /usr/src/etc/mtree/BSD.var.dist -p /home/j/mroot/var mtree -eU -f /usr/src/etc/mtree/BSD.usr.dist -p /home/j/mroot/usr mtree -eU -f /usr/src/etc/mtree/BSD.include.dist -p /home/j/mroot/usr/include mtree -deU -f /usr/src/etc/mtree/BIND.chroot.dist -p /home/j/mroot/var/named mtree -deU -f /usr/src/etc/mtree/BSD.sendmail.dist -p /home/j/mroot/ cd /home/j/mroot/; rm -f /home/j/mroot/sys; ln -s usr/src/sys sys cd /home/j/mroot/usr/share/man/en.ISO8859-1; ln -sf ../man* . cd /home/j/mroot/usr/share/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done cd /home/j/mroot/usr/share/openssl/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done cd /home/j/mroot/usr/share/openssl/man/en.ISO8859-1; ln -sf ../man* . 
cd /home/j/mroot/usr/share/nls; set - `grep "^[a-zA-Z]" /usr/src/etc/nls.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift; shift; done -------------------------------------------------------------- >>> Installing everything -------------------------------------------------------------- cd /usr/src; make -f Makefile.inc1 install ===> share/info (install) ===> include (install) creating osreldate.h from newvers.sh touch: not found *** Error code 127 Stop in /usr/src/include. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. //////////////////////////////// for 7.0 i got errors: //////////////////////// >>> Installing everything -------------------------------------------------------------- cd /usr/src; make -f Makefile.inc1 install ===> share/info (install) ===> lib (install) ===> lib/csu/i386-elf (install) gcc -O2 -fno-strict-aliasing -pipe -I/usr/src/lib/csu/i386-elf/../common -I/usr/src/lib/csu/i386-elf/../../libc/include -Wsystem-headers -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wno-pointer-sign -c crt1.c gcc:No such file or directory *** Error code 1 Stop in /usr/src/lib/csu/i386-elf. *** Error code 1 Stop in /usr/src/lib. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. *** Error code 1 /////////////////////////////// i followed the instructions of the "handbook".... 
thanks From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 15:45:34 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2631B1065672 for ; Tue, 9 Sep 2008 15:45:34 +0000 (UTC) (envelope-from ipfreak@yahoo.com) Received: from web52108.mail.re2.yahoo.com (web52108.mail.re2.yahoo.com [206.190.48.111]) by mx1.freebsd.org (Postfix) with SMTP id D615D8FC26 for ; Tue, 9 Sep 2008 15:45:33 +0000 (UTC) (envelope-from ipfreak@yahoo.com) Received: (qmail 43769 invoked by uid 60001); 9 Sep 2008 15:45:33 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Message-ID; b=FOQ5D0t6uwuN4WUUBF7yWsbCQUEl6Rf4jGElPWxhuPjlfHKWHzBrvAjyHJECJ6KoyIeA1jg/w+BwKUujKqZgMaylA+S85/ir5r+kdmD5dWoCCi5ArxD8cqHyGxyFC0d/js9qSjIkew08RdPG/rzfKHQpgIS3s7HLEc63fKu79IM=; X-YMail-OSG: WEFa2S0VM1mkBYOwV13LYRWXLMp.WsnNwKEK1.W85YXxeh.mIuk8_DCW5yCjG87BFAoMi4Nd.KS5Q2Zf8d0dsSykmEtu1dQY0epkkEbLCfr57Eq2NbTPqxexpGbqDVUIl_NdfGNLC5GLDw4zoI3vUw4- Received: from [209.22.88.90] by web52108.mail.re2.yahoo.com via HTTP; Tue, 09 Sep 2008 08:45:33 PDT X-Mailer: YahooMailWebService/0.7.218.2 Date: Tue, 9 Sep 2008 08:45:33 -0700 (PDT) From: gahn To: Oliver Peter In-Reply-To: <20080909153559.GD10842@nemesis.frida.mouhaha.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Message-ID: <104708.43710.qm@web52108.mail.re2.yahoo.com> Cc: freebsd security Subject: Re: jails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: ipfreak@yahoo.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2008 15:45:34 -0000 Hello: I don't know what you were referring to. but the date and time of the machine was set correctly. 
#date Tue Sep 9 11:40:04 EDT 2008 best --- On Tue, 9/9/08, Oliver Peter wrote: > From: Oliver Peter > Subject: Re: jails > To: "gahn" > Cc: "freebsd security" > Date: Tuesday, September 9, 2008, 8:36 AM > On Mon, Sep 08, 2008 at 09:46:10PM -0700, gahn wrote: > > hi all: > > > > i tried to build jails and just could not get it work. > it kept giving me errors. > > > > for 6.3, i got following errors: > > > > ////////////////////// > > > > cd /usr/src; make -f Makefile.inc1 hierarchy > > cd /usr/src/etc; make distrib-dirs > > mtree -eU -f /usr/src/etc/mtree/BSD.root.dist -p > /home/j/mroot/ > > mtree -eU -f /usr/src/etc/mtree/BSD.var.dist -p > /home/j/mroot/var > > mtree -eU -f /usr/src/etc/mtree/BSD.usr.dist -p > /home/j/mroot/usr > > mtree -eU -f /usr/src/etc/mtree/BSD.include.dist -p > /home/j/mroot/usr/include > > mtree -deU -f /usr/src/etc/mtree/BIND.chroot.dist -p > /home/j/mroot/var/named > > mtree -deU -f /usr/src/etc/mtree/BSD.sendmail.dist -p > /home/j/mroot/ > > cd /home/j/mroot/; rm -f /home/j/mroot/sys; ln -s > usr/src/sys sys > > cd /home/j/mroot/usr/share/man/en.ISO8859-1; ln -sf > ../man* . > > cd /home/j/mroot/usr/share/man; set - `grep > "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# > -gt 0 ] ; do rm -rf "$1"; ln -s "$2" > "$1"; shift; shift; done > > cd /home/j/mroot/usr/share/openssl/man; set - `grep > "^[a-zA-Z]" /usr/src/etc/man.alias`; while [ $# > -gt 0 ] ; do rm -rf "$1"; ln -s "$2" > "$1"; shift; shift; done > > cd /home/j/mroot/usr/share/openssl/man/en.ISO8859-1; > ln -sf ../man* . 
> > cd /home/j/mroot/usr/share/nls; set - `grep > "^[a-zA-Z]" /usr/src/etc/nls.alias`; while [ $# > -gt 0 ] ; do rm -rf "$1"; ln -s "$2" > "$1"; shift; shift; done > > > > > -------------------------------------------------------------- > > >>> Installing everything > > > -------------------------------------------------------------- > > cd /usr/src; make -f Makefile.inc1 install > > ===> share/info (install) > > ===> include (install) > > creating osreldate.h from newvers.sh > > touch: not found > > *** Error code 127 > > > > Stop in /usr/src/include. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > Stop in /usr/src. > > > > //////////////////////////////// > > > > for 7.0 i got errors: > > > > //////////////////////// > > > > >>> Installing everything > > > -------------------------------------------------------------- > > cd /usr/src; make -f Makefile.inc1 install > > ===> share/info (install) > > ===> lib (install) > > ===> lib/csu/i386-elf (install) > > gcc -O2 -fno-strict-aliasing -pipe > -I/usr/src/lib/csu/i386-elf/../common > -I/usr/src/lib/csu/i386-elf/../../libc/include > -Wsystem-headers -Wall -Wno-format-y2k -W > -Wno-unused-parameter -Wstrict-prototypes > -Wmissing-prototypes -Wpointer-arith -Wreturn-type > -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align > -Wunused-parameter -Wchar-subscripts -Winline > -Wnested-externs -Wredundant-decls -Wno-pointer-sign -c > crt1.c > > gcc:No such file or directory > > *** Error code 1 > > > > Stop in /usr/src/lib/csu/i386-elf. > > *** Error code 1 > > > > Stop in /usr/src/lib. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > Stop in /usr/src. > > *** Error code 1 > > > > /////////////////////////////// > > > > i followed the instructions of the > "handbook".... 
> > > > thanks > > > http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-05/0059.html > > -- > Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174 > "If it feels good, you're doing something > wrong." > -- Coach McTavish From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 15:54:08 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B4D40106567C for ; Tue, 9 Sep 2008 15:54:08 +0000 (UTC) (envelope-from oliver@nemesis.charlie.mouhaha.de) Received: from nemesis.charlie.mouhaha.de (nemesis.charlie.mouhaha.de [78.47.10.193]) by mx1.freebsd.org (Postfix) with ESMTP id 419A38FC1A for ; Tue, 9 Sep 2008 15:54:07 +0000 (UTC) (envelope-from oliver@nemesis.charlie.mouhaha.de) Received: from localhost (nemesis.charlie.mouhaha.de [78.47.10.193]) by nemesis.charlie.mouhaha.de (Postfix) with ESMTP id 73855421CF; Tue, 9 Sep 2008 16:36:04 +0100 (BST) X-Virus-Scanned: amavisd-new at mouhaha.de Received: from nemesis.charlie.mouhaha.de ([78.47.10.193]) by localhost (nemesis.charlie.mouhaha.de [78.47.10.193]) (amavisd-new, port 10024) with ESMTP id Pyz1z1Sdbxmv; Tue, 9 Sep 2008 16:36:00 +0100 (BST) Received: by nemesis.charlie.mouhaha.de (Postfix, from userid 1001) id A2627421B8; Tue, 9 Sep 2008 16:36:00 +0100 (BST) Date: Tue, 9 Sep 2008 16:36:00 +0100 From: Oliver Peter To: gahn Message-ID: <20080909153559.GD10842@nemesis.frida.mouhaha.de> References: <839688.9358.qm@web52105.mail.re2.yahoo.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="OXfL5xGRrasGEqWY" Content-Disposition: inline In-Reply-To: <839688.9358.qm@web52105.mail.re2.yahoo.com> X-Operating-System: FreeBSD 7.0-RELEASE-p3 amd64 User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd security Subject: Re: jails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues 
\[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2008 15:54:08 -0000 --OXfL5xGRrasGEqWY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Sep 08, 2008 at 09:46:10PM -0700, gahn wrote: > hi all: >=20 > i tried to build jails and just could not get it work. it kept giving me = errors.=20 >=20 > for 6.3, i got following errors: >=20 > ////////////////////// >=20 > cd /usr/src; make -f Makefile.inc1 hierarchy > cd /usr/src/etc; make distrib-dirs > mtree -eU -f /usr/src/etc/mtree/BSD.root.dist -p /home/j/mroot/ > mtree -eU -f /usr/src/etc/mtree/BSD.var.dist -p /home/j/mroot/var > mtree -eU -f /usr/src/etc/mtree/BSD.usr.dist -p /home/j/mroot/usr > mtree -eU -f /usr/src/etc/mtree/BSD.include.dist -p /home/j/mroot/usr/i= nclude > mtree -deU -f /usr/src/etc/mtree/BIND.chroot.dist -p /home/j/mroot/var/= named > mtree -deU -f /usr/src/etc/mtree/BSD.sendmail.dist -p /home/j/mroot/ > cd /home/j/mroot/; rm -f /home/j/mroot/sys; ln -s usr/src/sys sys > cd /home/j/mroot/usr/share/man/en.ISO8859-1; ln -sf ../man* . > cd /home/j/mroot/usr/share/man; set - `grep "^[a-zA-Z]" /usr/src/etc/man= =2Ealias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift= ; shift; done > cd /home/j/mroot/usr/share/openssl/man; set - `grep "^[a-zA-Z]" /usr/src= /etc/man.alias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; = shift; shift; done > cd /home/j/mroot/usr/share/openssl/man/en.ISO8859-1; ln -sf ../man* . 
> cd /home/j/mroot/usr/share/nls; set - `grep "^[a-zA-Z]" /usr/src/etc/nls= =2Ealias`; while [ $# -gt 0 ] ; do rm -rf "$1"; ln -s "$2" "$1"; shift= ; shift; done >=20 > -------------------------------------------------------------- > >>> Installing everything > -------------------------------------------------------------- > cd /usr/src; make -f Makefile.inc1 install > =3D=3D=3D> share/info (install) > =3D=3D=3D> include (install) > creating osreldate.h from newvers.sh > touch: not found > *** Error code 127 >=20 > Stop in /usr/src/include. > *** Error code 1 >=20 > Stop in /usr/src. > *** Error code 1 >=20 > Stop in /usr/src. > *** Error code 1 >=20 > Stop in /usr/src. > *** Error code 1 >=20 > Stop in /usr/src. >=20 > //////////////////////////////// >=20 > for 7.0 i got errors: >=20 > //////////////////////// >=20 > >>> Installing everything > -------------------------------------------------------------- > cd /usr/src; make -f Makefile.inc1 install > =3D=3D=3D> share/info (install) > =3D=3D=3D> lib (install) > =3D=3D=3D> lib/csu/i386-elf (install) > gcc -O2 -fno-strict-aliasing -pipe -I/usr/src/lib/csu/i386-elf/../common= -I/usr/src/lib/csu/i386-elf/../../libc/include -Wsystem-headers -Wall -Wn= o-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototy= pes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wsh= adow -Wcast-align -Wunused-parameter -Wchar-subscripts -Winline -Wnested-ex= terns -Wredundant-decls -Wno-pointer-sign -c crt1.c > gcc:No such file or directory > *** Error code 1 >=20 > Stop in /usr/src/lib/csu/i386-elf. > *** Error code 1 >=20 > Stop in /usr/src/lib. > *** Error code 1 >=20 > Stop in /usr/src. > *** Error code 1 >=20 > Stop in /usr/src. > *** Error code 1 >=20 > Stop in /usr/src. > *** Error code 1 >=20 > /////////////////////////////// >=20 > i followed the instructions of the "handbook".... 
>
> thanks

http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-05/0059.html

-- 
Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
"If it feels good, you're doing something wrong." -- Coach McTavish

From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 16:14:07 2008
From: Oliver Peter
To: ipfreak@yahoo.com
Date: Tue, 9 Sep 2008 16:54:40 +0100
Message-ID: <20080909165440.1ec3ef7f@dilbert.office.centralnic.com>
In-Reply-To: <104708.43710.qm@web52108.mail.re2.yahoo.com>
Cc: freebsd security
Subject: Re: jails

On Tue, 9 Sep 2008 08:45:33 -0700 (PDT) gahn wrote:
> I don't know what you were referring to. but the date and time of the
> machine was set correctly.
>
> #date Tue Sep 9 11:40:04 EDT 2008

Can you reproduce the problem - with correct date/time?

Are you trying to build a 7-RELEASE jail within a 6.3 environment?
(very bad idea)

Also, if you have updated your source tree it's recommended to erase the
whole content of your obj directory before you build your world, i.e.:

# rm -rf /usr/obj/*

(but that only applies if you want to make an upgrade from 6 -> 7)

Provide us your make.conf as well.

Cheers.

PS: move this topic to freebsd-questions@ ! It isn't security related.

-- 
Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
"I like to con people. And I like to insult people. If you combine con & insult, you get consult!"
-- Dogbert

From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 16:46:11 2008
From: Jeremy Chadwick
To: gahn
Date: Tue, 9 Sep 2008 09:46:08 -0700
Message-ID: <20080909164608.GA2448@icarus.home.lan>
In-Reply-To: <104708.43710.qm@web52108.mail.re2.yahoo.com>
Cc: freebsd security, Oliver Peter
Subject: Re: jails
On Tue, Sep 09, 2008 at 08:45:33AM -0700, gahn wrote:
> Hello:
>
> I don't know what you were referring to. but the date and time of the machine was set correctly.
>
> #date Tue Sep 9 11:40:04 EDT 2008
>
> best

Is your system clock skewing a lot? Are you running ntpd? (I hope you're not using ntpdate from a cronjob, that would pretty much guarantee what you're seeing.)

You can't easily tell clock skew with userland utilities, but the result often manifests itself in the way you're seeing. I can provide some advice on how to use ntpd/ntpq/ntpdc if need be.

If you're not using ntpd, you should be! Here's a decent/proper ntp.conf (you should visit the use.html document and pick servers that are appropriate for your region). Do not add "iburst" to all of the servers; just the first one.

# north-america.pool.ntp.org
# http://www.pool.ntp.org/use.html
#
# maxpoll 9 is used to work around PLL/FLL flipping, which
# happens at exactly 1024 seconds (the default maxpoll value).
# Another FreeBSD member recommended using 9 instead.
# http://lists.freebsd.org/pipermail/freebsd-stable/2006-December/031512.html
#
server 0.north-america.pool.ntp.org maxpoll 9 iburst
server 1.north-america.pool.ntp.org maxpoll 9
server 2.north-america.pool.ntp.org maxpoll 9

# Default: ignore all ntp queries from all other hosts.  Packets
# to/from "server" lines are still respected.
restrict default noquery nomodify nopeer

# Allow queries to/from localhost, used for ntpdc and other utils
# Allow queries to/from the local private network (read-only)
restrict 127.0.0.0 mask 255.0.0.0
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap

After, run "ntpdate <server>", where server is the first server in your list. ntpdate should update the clock for you, and provide you an idea of just how skewed it was compared to the remote NTP server's clock.

Then you can run ntpd safely. Just place the below into /etc/rc.conf and run /etc/rc.d/ntpd start.
(ntpd_sync_on_start is primarily for when you reboot the box; don't let the name mislead you)

ntpd_enable="yes"
ntpd_sync_on_start="yes"

Hope this helps, or at least educates.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
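Jeremy's message above argues from clock skew and mentions ntpq as the tool to look at it with. The function below is an added example, not code from the thread or from any of its posters: it parses the peer table in the layout that "ntpq -p" prints (tally character in column 1, then remote, refid, stratum, type, when, poll, reach, delay, offset and jitter, offsets in milliseconds), reports every peer whose offset exceeds a threshold, and also reports the case where ntpd has not selected a system peer at all (no "*" tally), which is the state a freshly started daemon or an unreachable server set leaves you in. The table it runs on is constructed here; the host names follow the pool entries in the ntp.conf above and the refids are RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): parse the peer table printed by
# "ntpq -p" and flag peers whose clock offset exceeds a threshold.
#
# The table below is CONSTRUCTED sample output in the ntpq -p layout:
# tally character in column 1 ('*' = selected system peer, '+' = candidate,
# ' ' = discarded), then remote, refid, st, t, when, poll, reach, delay,
# offset and jitter. Offsets are in milliseconds; refids are RFC 5737 addresses.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*0.north-america 192.0.2.10       2 u   37   64  377   21.305   -0.842   0.311
+1.north-america 192.0.2.11       2 u   12   64  377   34.190  128.570   2.044
 2.north-america 192.0.2.12       3 u   51   64    7   40.002  -75.113   9.800'

# report_skew THRESHOLD_MS
# Reads an ntpq -p table on stdin. Prints one "SKEW" line per peer whose
# absolute offset exceeds THRESHOLD_MS, a "NOSYNC" line if no peer carries
# the '*' tally, and exits 0 only when neither condition is present.
report_skew() {
    awk -v thr="$1" '
        NR <= 2 || NF == 0 { next }               # column header, separator, blanks
        {
            tally = substr($0, 1, 1)              # peer selection status
            $0 = substr($0, 2)                    # re-split the fields without it
            if (tally == "*") synced = 1
            off = $9 + 0
            abs = (off < 0) ? -off : off
            if (abs > thr) {
                printf "SKEW %s offset=%.3fms reach=%s tally=%s\n", $1, off, $7, tally
                bad++
            }
        }
        END {
            if (!synced) { print "NOSYNC no peer selected (no * tally)"; bad++ }
            exit bad ? 1 : 0
        }'
}

# Demo on the constructed table with a 100 ms threshold: the second peer is
# reported, the third (75 ms off) is not, and the exit status is 1.
if printf '%s\n' "$SAMPLE_NTPQ" | report_skew 100; then
    echo "all peers within threshold"
else
    echo "clock skew or no sync source detected"
fi
```

On a live host the same function is fed with "ntpq -p | report_skew 100". A non-zero exit is the cue to look further before trusting anything time-dependent on the box; a reach value below 377 on the reported peer means the daemon has been missing polls, which is a reachability problem rather than a local-clock one.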
From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 18:02:08 2008
From: ipfreak@yahoo.com (gahn)
Date: Tue, 09 Sep 2008 18:02:08 -0000
Subject: Re: jails

thanks for your all. it has worked out very well after i did first "make world DESTDIR/home/j/mroot", then did "make installworld DESTDIR=/home/j/mroot".

best

--- On Tue, 9/9/08, Oliver Peter wrote:
> From: Oliver Peter
> Subject: Re: jails
> To: ipfreak@yahoo.com
> Cc: "freebsd security"
> Date: Tuesday, September 9, 2008, 8:54 AM
> On Tue, 9 Sep 2008 08:45:33 -0700 (PDT) gahn wrote:
> > I don't know what you were referring to. but the date and time of the
> > machine was set correctly.
> >
> > #date Tue Sep 9 11:40:04 EDT 2008
>
> Can you reproduce the problem - with correct date/time?
>
> Are you trying to build a 7-RELEASE jail within a 6.3 environment?
> (very bad idea)
>
> Also, if you have updated your source tree it's recommended to erase the
> whole content of your obj directory before you build your world, i.e.:
>
> # rm -rf /usr/obj/*
>
> (but that only applies if you want to make an upgrade from 6 -> 7)
>
> Provide us your make.conf as well.
>
> Cheers.
>
> PS: move this topic to freebsd-questions@ ! It isn't security related.
>
> --
> Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
> "I like to con people. And I like to insult people. If you combine con & insult, you get consult!"
> -- Dogbert

From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 21:06:08 2008
From: "Simon L. Nielsen"
To: Jeremy Chadwick
Date: Tue, 9 Sep 2008 22:49:59 +0200
Message-ID: <20080909204958.GA1203@arthur.nitro.dk>
In-Reply-To: <20080908161818.GA72963@icarus.home.lan>
Cc: freebsd-security@freebsd.org, Andrew Storms
Subject: Re: Question on recent PHP VuXML info

On 2008.09.08 09:18:18 -0700, Jeremy Chadwick wrote:
> On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote:
> > Not sure if this is the correct place for VuXML questions, but the FreeBSD
> > VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty
> > dead given the last update was in 2007 according to the archives.
> >
> > We were previously tracking this entry, which pretty much sat for a while
> > without an applicable upgradeable resolution available.
While I haven't looked into the details of this particular entry, Jille and Jeremy did that well, I just want to take this opportunity to point out that "safe_mode" is broken... From the particular entry:

    It should be noted that this vulnerability is not considered to be
    serious by the FreeBSD Security Team, since safe_mode and open_basedir
    are insecure by design and should not be relied upon.

We (secteam) have seriously debated if it was worth documenting "safe_mode" issues at all, but the compromise was just to add something similar to the above text.

-- 
Simon L. Nielsen
FreeBSD Security Team

From owner-freebsd-security@FreeBSD.ORG Wed Sep 10 06:46:03 2008
From: Gunnar Flygt
To: Mike Tancsa
Date: Wed, 10 Sep 2008 08:34:08 +0200
Message-ID: <20080910063408.GA99970@sr.se>
In-Reply-To: <200809071155.m87BtS2H082832@lava.sentex.ca>
Cc: freebsd-security@freebsd.org
Subject: Re: Heimdal or MIT for kerberos?

I'm very pleased with heimdal 1.1. I compile it from sources. No big problem. Compile on one machine and copy the file structure to the other at the same OS level. Then using openssh-gssapi-overwrite-base-5.0.p1,1 with the KRB5_HOME flag set to the directory of heimdal. Same thing there, compile and make a package on one machine. The KDCs run FreeBSD 7 and the same release of heimdal as the others.

On Sun, Sep 07, 2008 at 07:55:26AM -0400, Mike Tancsa wrote:
> We are looking at deploying Kerberos for better user management (SSO)
> and 2 factor authentication via pkcs#11 etokens. The servers are all
> FreeBSD and the machines principals will login from a mix of FreeBSD,
> Windows and MAC OSX using ssh and openvpn. As part of our compliance
> project, access must be 2 factor. The Heimdal in RELENG_7 is a
> rather old version and doesn't seem to have all the bits needed for
> x509 pre-auth so I would probably need to install from the ports
> anyways. Does anyone have any suggestions as to which
> implementation to use ? We are in Canada so it doesn't matter
> regulation wise. Is one better maintained than the other ?
> There are no legacy v4 apps
> Thanks,
>
> ---Mike
>
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sat Sep 13 06:04:38 2008
Message-ID: <48CB52AE.6070501@arca.am>
Date: Sat, 13 Sep 2008 10:42:06 +0500
From: Khachatur Shahinyan
To: freebsd-security@freebsd.org
Subject: Freebsd auto locking users

Dear FreeBsd gurus,

I have a problem concerning users' password and authentication policies. The goal is
1) make freebsd lock users after 3 unsuccessful login attempts,
2) force users to change their passwords every 90 days

I've done such changes in Linux distros, with various PAM modules. But in Freebsd it seems that I need to use the login.conf file. Here I made the necessary changes in that file:

>>>>>>
default:\
        .............
        .............
        .............
        :login-retries=1:\
        :passwordtime=90d:\
        :warnpassword=7d:\
        :warnexpire=7d:\
>>>>>>>

Then I made the cap_mkdb /etc/login.conf, and everything went normal, no error messages, but after adding a test user I see no changes in the master.passwd file. The fields which are reserved for password aging parameters are 0:0

test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh

And the locking point does not work either, e.g. no matter how many times I input a wrong password, I'm still able to login. :(

I cannot understand what I'm doing wrong, and what should be done to solve these issues? I'm not an expert in Freebsd administration, so any comments and suggestions are welcome.
Thank You
Khachatur Shahinyan

From owner-freebsd-security@FreeBSD.ORG Sat Sep 13 06:52:24 2008
From: Toby Burress
To: Khachatur Shahinyan
Date: Sat, 13 Sep 2008 02:35:23 -0400
Message-ID: <20080913063522.GA3784@lithium.delete.org>
In-Reply-To: <48CB52AE.6070501@arca.am>
Cc: freebsd-security@freebsd.org
Subject: Re: Freebsd auto locking users

On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
> :passwordtime=90d:\
> :warnpassword=7d:\
> :warnexpire=7d:\
> >>>>>>>
> Then I made the cap_mkdb /etc/login.conf , and everything went normal, no error messages, but after adding a test user I see no changes in the master.passwd
> file.
> The fields which are reserved for password aging parameters are 0:0
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I input wrong password, I'm still able to login.
> :(
> I cannot understand what I'm doing wrong, and what should be done solve this issues? I'm not an expert Freebsd administration, so any comments and suggestions are
> welcome.

You'll notice in the login.conf man page that these are in the "reserved capabilities" section:

RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.

For blocking repeated password attempts, check out security/pam_abl. Note that if sshd doesn't use PAM, it won't have any effect for ssh logins.

A quick search doesn't show me any port for enforcing password age. For what it's worth, I once emailed Bruce Schneier about the effectiveness of that and he said he never changed his passwords (based on age, anyway). But there's probably something.

From owner-freebsd-security@FreeBSD.ORG Sat Sep 13 14:18:32 2008
From: "Jon Passki"
To: "Khachatur Shahinyan"
Date: Sat, 13 Sep 2008 08:48:25 -0500
In-Reply-To: <48CB52AE.6070501@arca.am>
Cc: freebsd-security@freebsd.org
Subject: Re: Freebsd auto locking users

On Sat, Sep 13, 2008 at 12:42 AM, Khachatur Shahinyan wrote:
>
> Dear FreeBsd gurus, I have a problem concerning users password and authentication policies. The goal is
> 1)make freebsd to lock users after 3 unsuccessful login attempts,
> 2)force users to change their passwords every 90 days
>
> I've done such changes in Linux distros, with various PAM modules.But in Freebsd it seems that i need to use login.conf file. Here I made necessary changes in that file:
> >>>>>>
> default:\
> .............
> .............
> ............. :login-retries=1:\
> :passwordtime=90d:\
> :warnpassword=7d:\
> :warnexpire=7d:\
> >>>>>>>
> Then I made the cap_mkdb /etc/login.conf , and everything went normal, no error messages, but after adding a test user I see no changes in the master.passwd file.
> The fields which are reserved for password aging parameters are 0:0
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I input wrong password, I'm still able to login. :(
> I cannot understand what I'm doing wrong, and what should be done solve this issues? I'm not an expert Freebsd administration, so any comments and suggestions are welcome.

login.conf manual page: [1]

RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.
[...]
     passwordtime    time      Used by passwd(1) to set next password
                               expiry date.
[...]

The other capabilities (warnpassword, warnexpire, login-retries) do not relate to lock-out attempts.
To my knowledge, there are no other capabilities that are supported by the base in login.conf that will lock out an account. This has been discussed prior [2,3]. It is not available in the base; the administrator has to manually do this.

[1] http://www.freebsd.org/cgi/man.cgi?query=login.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html
[2] http://lists.freebsd.org/pipermail/freebsd-questions/2003-August/015073.html
[3] http://lists.freebsd.org/pipermail/freebsd-questions/2008-February/167981.html

Cheers,
Jon

From owner-freebsd-security@FreeBSD.ORG Sat Sep 13 21:05:33 2008
Message-ID: <48CC26A7.6020407@netoyen.net>
Date: Sat, 13 Sep 2008 22:46:31 +0200
From: mouss
To: Toby Burress
In-Reply-To: <20080913063522.GA3784@lithium.delete.org>
Cc: freebsd-security@freebsd.org, Khachatur Shahinyan
Subject: Re: Freebsd auto locking users

Toby Burress wrote:
> On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
>> :passwordtime=90d:\
>> :warnpassword=7d:\
>> :warnexpire=7d:\
>> >>>>>>>
>> Then I made the cap_mkdb /etc/login.conf , and everything went normal, no error messages, but after adding a test user I see no changes in the master.passwd
>> file.
>> The fields which are reserved for password aging parameters are 0:0
>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>
>> And the locking point does not work either, e.g. no matter how many times I input wrong password, I'm still able to login. :(
>> I cannot understand what I'm doing wrong, and what should be done solve this issues? I'm not an expert Freebsd administration, so any comments and suggestions are
>> welcome.
>
> You'll notice in the login.conf man page that these are in the
> "reserved capabilities" section:
>
> RESERVED CAPABILITIES
>      The following capabilities are reserved for the purposes indicated and
>      may be supported by third-party software.  They are not implemented in
>      the base system.
>
> For blocking repeated password attempts, check out security/pam_abl.
> Note that if sshd doesn't use PAM, it won't have any effect for ssh
> logins.
>
> A quick search doesn't show me any port for enforcing password age.
> For what it's worth, I once emailed Bruce Schneier about the
> effectiveness of that and he said he never changed his passwords
> (based on age, anyway). But there's probably something.

Given that it's not easy to select a good password (both strong and easy to remember), password expiration sometimes results in weak passwords or in forgotten ones, or, if no measure is taken against it, people change to old ones.

http://www.cryptosmith.com/sanity/expharmful.html
http://www.rsa.com/blog/blog_entry.aspx?id=1286
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/P50/

and the other side has its proponents of course:

http://lopsa.org/node/29
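Toby's and Jon's replies in this thread establish that passwordtime and login-retries are reserved capabilities the base system ignores, which is why the change and expire fields of Khachatur's test account stayed at 0:0 after cap_mkdb, and Jon's conclusion is that the administrator has to do this by hand. The audit below is an added example, not code from the thread or from any of its posters: it reads lines in the master.passwd(5) layout (name:password:uid:gid:class:change:expire:gecos:home:shell, where "change" is the epoch time by which the password must be changed and 0 means never) and reports every password-enabled account whose aging is unset or already past. The sample file is constructed, with placeholder strings in the hash field, and the reference time is passed in as an argument so the result is reproducible.

```shell
#!/bin/sh
# Added example (not from the thread): audit the password-aging fields of
# master.passwd, since the base system does not act on passwordtime.
#
# CONSTRUCTED sample in master.passwd(5) layout:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# "change" is the epoch time by which the password must be changed (0 = never),
# "expire" the account expiry. The hashes are placeholders, not real digests.
SAMPLE_MASTER_PASSWD='# constructed sample, not a real system file
root:$1$FAKESALT$AAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
test:$1$FAKESALT$BBBBBBBBBBBBBBBBBBBBBB:1001:1001::0:0:User &:/home/test:/bin/sh
alice:$1$FAKESALT$CCCCCCCCCCCCCCCCCCCCCC:1002:1002::1229040000:0:Alice &:/home/alice:/bin/sh
bob:$1$FAKESALT$DDDDDDDDDDDDDDDDDDDDDD:1003:1003::1218000000:0:Bob &:/home/bob:/bin/sh'

# audit_password_aging NOW_EPOCH
# Reads master.passwd lines on stdin. For every account that can log in with
# a password (hash not starting with '*' or '!') it prints one of:
#   NOPASS  <user>                  empty password field
#   NOAGING <user>                  change field is 0, so no expiry is enforced
#   EXPIRED <user> by N days        change time already passed
#   OK      <user> change due in N days
# and exits 1 if any NOPASS, NOAGING or EXPIRED line was printed.
audit_password_aging() {
    awk -F: -v now="$1" '
        /^#/ || NF < 10 { next }                   # comments and malformed lines
        {
            user = $1; hash = $2; change = $6 + 0
            if (hash == "") { print "NOPASS " user; bad++; next }
            if (hash ~ /^[*!]/) next               # locked or no-password account
            if (change == 0) { print "NOAGING " user; bad++; next }
            days = int((change - now) / 86400)
            if (change <= now) { print "EXPIRED " user " by " (-days) " days"; bad++ }
            else print "OK " user " change due in " days " days"
        }
        END { exit bad ? 1 : 0 }'
}

# Demo with NOW fixed at 2008-09-13 00:00:00 UTC (epoch 1221264000) so the
# result is reproducible: root and test have no aging, bob is 37 days past
# his change time, alice has 90 days left, daemon is skipped as locked.
if printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_password_aging 1221264000; then
    echo "every password-enabled account has aging set and is current"
else
    echo "accounts without enforced password aging found"
fi
```

Against a real system this runs as root with "audit_password_aging $(date +%s) < /etc/master.passwd". Setting the change field in the first place is the manual step Jon refers to; pw(8) does it with "pw usermod <user> -p <date>" (see that manual page for the accepted date formats). Lockout after repeated failures is a separate mechanism and, as Toby notes, needs security/pam_abl through PAM rather than anything in login.conf.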