From owner-freebsd-security@FreeBSD.ORG Sun Apr 1 08:49:38 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DA2451065670 for ; Sun, 1 Apr 2012 08:49:38 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 9B5108FC0C for ; Sun, 1 Apr 2012 08:49:38 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 8E34765CC; Sun, 1 Apr 2012 08:49:31 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 70273829A; Sun, 1 Apr 2012 10:49:31 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: schultz@ime.usp.br References: <20120331140820.101653608997tekk@webmail.ime.usp.br> Date: Sun, 01 Apr 2012 10:49:31 +0200 In-Reply-To: <20120331140820.101653608997tekk@webmail.ime.usp.br> (schultz@ime.usp.br's message of "Sat, 31 Mar 2012 14:08:20 -0300") Message-ID: <86fwcnygys.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security in Multiuser Environments X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Apr 2012 08:49:38 -0000 schultz@ime.usp.br writes: > * Encrypted the whole (except /boot) system with geli(8) > (HMAC/SHA256 and AES-XTS). It is not as nice and much slower > than proper filesystem-level checksumming but it is what > FreeBSD provides (ZFS is too unstable). ZFS is stable enough, but I'm a little confused: encryption is not "checksumming", and ZFS provides checksums but not encryption. > * Disabled useless and potentially dangerous services: cron, devd > and sendmail. These services are neither useless nor dangerous. > * Removed every setuid bit. The system works even then. except users are no longer able to change their password or shell. > * Added a group sudoers and made sudo setuid only to users in > sudoers: would have avoided trouble with recent sudo exploit if > only trusted users have slaves. I'm not sure what "made sudo setuid only to users in sudoers" means. Perhaps you mean "executable only by users in sudoers"? Also... all this and you didn't raise the securelevel? Didn't set system binaries schg? Didn't remove unwanted binaries like rcp(1), rlogin(1), at(1) etc? > As for using sudo to grant privilege, for each master-slave > relationship between users u and v, I have added a line like > "u ALL =3D (v) NOPASSWD: ALL" to /etc/sudoers. Then the user u is > supposed to become v by issuing "sudo -i -u v" and to execute a > command as v by issuing "sudo -i -u v ...". I'm surprised there isn't a sudoers option to force -i; I'm sure Todd Miller would be happy for a patch :) DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Sun Apr 1 21:06:00 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BD8C11065676 for ; Sun, 1 Apr 2012 21:06:00 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (60.wheelsystems.com [83.12.187.60]) by mx1.freebsd.org (Postfix) with ESMTP id 6E0C08FC12 for ; Sun, 1 Apr 2012 21:06:00 +0000 (UTC) Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149]) by mail.dawidek.net (Postfix) with ESMTPSA id 132E4B9A; Sun, 1 Apr 2012 23:05:51 +0200 (CEST) Date: Sun, 1 Apr 2012 23:04:18 +0200 From: Pawel Jakub Dawidek To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= Message-ID: <20120401210418.GC1346@garage.freebsd.pl> References: <20120331140820.101653608997tekk@webmail.ime.usp.br> <86fwcnygys.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="TakKZr9L6Hm6aLOc" Content-Disposition: inline In-Reply-To: <86fwcnygys.fsf@ds4.des.no> X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-security@freebsd.org, schultz@ime.usp.br Subject: Re: FreeBSD Security in Multiuser Environments X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Apr 2012 21:06:00 -0000 --TakKZr9L6Hm6aLOc Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 01, 2012 at 10:49:31AM +0200, Dag-Erling Sm=F8rgrav wrote: > schultz@ime.usp.br writes: > > * Encrypted the whole (except /boot) system with geli(8) > > (HMAC/SHA256 and AES-XTS). It is not as nice and much slower > > than proper filesystem-level checksumming but it is what > > FreeBSD provides (ZFS is too unstable). >=20 > ZFS is stable enough, but I'm a little confused: encryption is not > "checksumming", and ZFS provides checksums but not encryption. Also, on-disk encryption provides no additional protection against system users. It protects the data when no keys are available (for example when your turned off laptop is stolen) and in running system keys are in memory and disks are decrypted, so users that are logged in have access to decrypted content. To protect file system content from system users one should use standard UNIX permissions and ACLs. --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://tupytaj.pl --TakKZr9L6Hm6aLOc Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (FreeBSD) iEYEARECAAYFAk94wtEACgkQForvXbEpPzTTzACg0qoIJZ8rXO0lPZqZGO6oVz/h oggAoPLnGeuCylkRopF7VAXSVSAe9Xsj =4goP -----END PGP SIGNATURE----- --TakKZr9L6Hm6aLOc-- From owner-freebsd-security@FreeBSD.ORG Tue Apr 3 06:54:31 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7A5AF106566B; Tue, 3 Apr 2012 06:54:31 +0000 (UTC) (envelope-from james.technew@gmail.com) Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com [74.125.82.50]) by mx1.freebsd.org (Postfix) with ESMTP id A3C848FC0C; Tue, 3 Apr 2012 06:54:30 +0000 (UTC) Received: by wgbds12 with SMTP id ds12so3263641wgb.31 for ; Mon, 02 Apr 2012 23:54:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DhibmYsDs4ahlgs4Jcqn3gn4WKV/8nTlahWHyzf0+zM=; b=Kwk86Si5PSkAK+ZD8MakeXGN9zq1liESfuO5KStRuhwLumXugv6Jq97Fwq3rhab6+K vI2qzjMal9Cjh4yvboze48SZvKRqy2KpL3Gtiv2Oi2fYG5P+lYOCmsHaZXx0vblr9vSc pbVs+koU7PF12x2ln+A2q/cBtJd+6b0czxubHvXBpB/TD0DmuM0q0JUls8/Eo1t++137 yR2mMHqCzbi5rP6dDqgPyqYZVWt2dxmo3VgzmmL053e82usZpal25bKosTRg/73pVdeN 3e7Y5JKK2Qv8kUcnqToBLUJ7DDK4qifYPfudB2EXtmGhrX8nxYZE2UmldzV64Mm9U1Mt Of4Q== MIME-Version: 1.0 Received: by 10.180.97.4 with SMTP id dw4mr3176832wib.18.1333436064187; Mon, 02 Apr 2012 23:54:24 -0700 (PDT) Received: by 10.180.79.194 with HTTP; Mon, 2 Apr 2012 23:54:24 -0700 (PDT) In-Reply-To: <4F79EA30.6070205@acsalaska.net> References: <4F79EA30.6070205@acsalaska.net> Date: Tue, 3 Apr 2012 14:54:24 +0800 Message-ID: From: James Chang To: Mel Flynn Content-Type: text/plain; charset=ISO-8859-1 Cc: freebsd-security@freebsd.org, freebsd-ports , Alex Dupre Subject: Re: About PHP 5.X in FreeBSD port tree X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2012 06:54:31 -0000 Dear Sir, Thanks for your notice, but there seems no information about whether the vulnerabilities about CVE-2011-2483, CVE-2011-4153 and CVE-2011-3389 were fixed in FreeBSD port tree (PHP 5.3.10_1) or not? Best Regards! James Chang 2012/4/3 Mel Flynn : > Please search the list before posting. > > -- > Mel From owner-freebsd-security@FreeBSD.ORG Tue Apr 3 07:31:52 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D10811065670 for ; Tue, 3 Apr 2012 07:31:52 +0000 (UTC) (envelope-from ale@FreeBSD.org) Received: from andxor.it (relay.andxor.it [195.223.2.3]) by mx1.freebsd.org (Postfix) with SMTP id BB97D8FC14 for ; Tue, 3 Apr 2012 07:31:50 +0000 (UTC) Received: (qmail 61153 invoked from network); 3 Apr 2012 07:25:08 -0000 Received: from unknown (HELO alex.andxor.it) (192.168.2.30) by andxor.it with SMTP; 3 Apr 2012 07:25:08 -0000 Message-ID: <4F7AA5D4.5030704@FreeBSD.org> Date: Tue, 03 Apr 2012 09:25:08 +0200 From: Alex Dupre User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:11.0) Gecko/20120315 Firefox/11.0 SeaMonkey/2.8 MIME-Version: 1.0 To: James Chang References: <4F79EA30.6070205@acsalaska.net> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 03 Apr 2012 11:41:27 +0000 Cc: freebsd-security@freebsd.org, Mel Flynn , freebsd-ports Subject: Re: About PHP 5.X in FreeBSD port tree X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2012 07:31:52 -0000 James Chang ha scritto: > Thanks for your notice, but there seems no information about > whether the vulnerabilities about CVE-2011-2483, CVE-2011-4153 and > CVE-2011-3389 were fixed in FreeBSD port tree (PHP 5.3.10_1) or not? PHP 5.3.11 will be released soon and the port will be updated to this release before switching to (probably) 5.4.1. -- Alex Dupre From owner-freebsd-security@FreeBSD.ORG Tue Apr 3 14:01:21 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A84B01065670 for ; Tue, 3 Apr 2012 14:01:21 +0000 (UTC) (envelope-from rsimmons0@gmail.com) Received: from mail-vb0-f54.google.com (mail-vb0-f54.google.com [209.85.212.54]) by mx1.freebsd.org (Postfix) with ESMTP id 591348FC0C for ; Tue, 3 Apr 2012 14:01:21 +0000 (UTC) Received: by vbmv11 with SMTP id v11so3461617vbm.13 for ; Tue, 03 Apr 2012 07:01:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=ZojNrnAR1HYYbLzRx4cwgmXSP5xCPffj5IkfMPspvQM=; b=nNnqC1KnfDYBIaKlVnfJVRPSZDRg3GjvKgyN6Pm3ss3Eck6IXzUDt0/dF9Uu1kcunf B7oE02C9LRNB3fQhYBM57ZOc+BDUMF3xqlCUuYKZHQoJNTmHhsaQtF0foUtss6lzTTOq ILd2y9EifWCShtIzdD0ZMZHm5FbsOAUyGh0AJpVDjDiT+H/SFlMP0Qllfz1yN5TGfnVz JbGUqiVRVeSYJ4ty5JlSnbbe2gKlH88hmnrlWeXmErmSrk6WIBUQuK2uZvZ0Em0D4PJD xFeNpr3os69SAvvAShgCcOHZSP3rksywkqwCVxMjqtbS71wsWUzAIuzR9shzoB9JhJS/ 13Sg== MIME-Version: 1.0 Received: by 10.220.224.197 with SMTP id ip5mr5739922vcb.41.1333461675094; Tue, 03 Apr 2012 07:01:15 -0700 (PDT) Received: by 10.52.117.76 with HTTP; Tue, 3 Apr 2012 07:01:15 -0700 (PDT) In-Reply-To: References: <4F79EA30.6070205@acsalaska.net> Date: Tue, 3 Apr 2012 10:01:15 -0400 Message-ID: From: Robert Simmons To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: About PHP 5.X in FreeBSD port tree X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2012 14:01:21 -0000 On Tue, Apr 3, 2012 at 2:54 AM, James Chang wrote= : > Dear Sir, > > =A0 =A0 =A0 =A0Thanks for your notice, but there seems no information abo= ut > whether the vulnerabilities about CVE-2011-2483, CVE-2011-4153 and > CVE-2011-3389 were fixed in FreeBSD port tree (PHP 5.3.10_1) or not? Looks like CVE-2011-2483 applies to PHP before 5.3.7: http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2011-2483 and CVE-2011-4153 applies to 5.3.8: http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2011-4153 and CVE-2011-3389 does not apply to PHP AFAIK: http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2011-3389 Since the version in ports is 5.3.10, I think you're safe. I'm sure someone will correct me if I'm off the mark. Personally, I use portaudit to keep it all straight: http://www.freebsd.org/cgi/url.cgi?ports/ports-mgmt/portaudit/pkg-descr Additionally, I'm signed up for the digest version of the US-CERT alerts from here: http://www.us-cert.gov/cas/signup.html Pretty good because it shows right in the second column of the report what versions are affected. Cheers! Rob From owner-freebsd-security@FreeBSD.ORG Wed Apr 4 07:03:10 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 414501065670 for ; Wed, 4 Apr 2012 07:03:10 +0000 (UTC) (envelope-from andreas@romab.com) Received: from rot13.romab.com (rot13.romab.com [213.115.13.4]) by mx1.freebsd.org (Postfix) with ESMTP id E6BF48FC0C for ; Wed, 4 Apr 2012 07:03:09 +0000 (UTC) Received: by rot13.romab.com (Postfix, from userid 1004) id 79610B29; Wed, 4 Apr 2012 08:53:34 +0200 (CEST) Received: from minuteman.u88.romab.com (localhost [127.0.0.1]) by rot13.romab.com (Postfix) with ESMTP id 5B56BB27 for ; Wed, 4 Apr 2012 08:53:34 +0200 (CEST) Message-ID: <4F7BEFEF.3030702@romab.com> Date: Wed, 04 Apr 2012 08:53:35 +0200 From: Andreas Jonsson User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20120327 Thunderbird/11.0.1 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <20120331140820.101653608997tekk@webmail.ime.usp.br> <86fwcnygys.fsf@ds4.des.no> In-Reply-To: <86fwcnygys.fsf@ds4.des.no> X-Enigmail-Version: 1.4 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: FreeBSD Security in Multiuser Environments X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Apr 2012 07:03:10 -0000 > Also... all this and you didn't raise the securelevel? Didn't set > system binaries schg? Didn't remove unwanted binaries like rcp(1), > rlogin(1), at(1) etc? > > To add to the list of all this... no mounting of /var /tmp, and /home as noexec, nosuid (oh wait, no suid binaries at all, then all partitions can be mounted as nosuid, except for sudo. perhaps i missed something?) No mac_biba, No mac_partition, no mac_bsdextended, and no mac_portacl... /a