From owner-freebsd-security Sun Apr 9 12:07:27 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id MAA29453 for security-outgoing; Sun, 9 Apr 1995 12:07:27 -0700
Received: from aries.ibms.sinica.edu.tw ([140.109.40.248]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id MAA29447 for ; Sun, 9 Apr 1995 12:07:23 -0700
Received: (from taob@localhost) by aries.ibms.sinica.edu.tw (8.6.11/8.6.9) id DAA27405; Mon, 10 Apr 1995 03:05:28 +0800
Date: Mon, 10 Apr 1995 03:05:28 +0800 (CST)
From: Brian Tao
cc: freebsd-security@FreeBSD.org
Subject: Re: satan "heavy" mode attacks
In-Reply-To: <199504081658.MAA29650@ns1.win.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@FreeBSD.org
Precedence: bulk

On Sat, 8 Apr 1995, Mark Hittinger wrote:
>
> We probably need to double check our inetd and make sure it can deal with
> the resource overload issue.

No problems on 950322-SNAP machines. Ran SATAN in heavy scan mode from my two FreeBSD boxes against each other, simultaneously. Machines didn't even blink once. :)
--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........
play --> taob@io.org

From owner-freebsd-security Sun Apr 9 21:19:35 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id VAA00157 for security-outgoing; Sun, 9 Apr 1995 21:19:35 -0700
Received: from mail.barrnet.net (mail.BARRNET.NET [131.119.246.7]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id VAA00151 for ; Sun, 9 Apr 1995 21:19:33 -0700
Received: from clinet.fi (clinet.fi [193.64.6.1]) by mail.barrnet.net (8.6.10/MAIL-RELAY-LEN) with ESMTP id VAA16126 for ; Sun, 9 Apr 1995 21:16:58 -0700
Received: from zetor.clinet.fi (root@zetor.clinet.fi [193.64.6.8]) by clinet.fi (8.6.10/8.6.4) with ESMTP id HAA00352; Mon, 10 Apr 1995 07:18:09 +0300
From: Heikki Suonsivu
Received: (hsu@localhost) by zetor.clinet.fi (8.6.10/8.6.4) id JAA00260; Mon, 10 Apr 1995 09:19:28 +0300
Date: Mon, 10 Apr 1995 09:19:28 +0300
Message-Id: <199504100619.JAA00260@zetor.clinet.fi>
To: John Capo
Cc: freebsd-security@FreeBSD.org
Subject: Re: satan "heavy" mode attacks
In-Reply-To: <199504082241.SAA00738@irbs.com>
References: <199504081658.MAA29650@ns1.win.net> <199504082241.SAA00738@irbs.com>
Organization: Helsinki University of Technology, Otaniemi, Finland
Sender: security-owner@FreeBSD.org
Precedence: bulk

John Capo writes:
> I have run the "heavy" Satan against four -current systems and
> three 1.1.5.1 systems and they survived just fine. YMMV :-)

We got complaints about NFS mounts leaking to unprivileged programs when running satan against 1.1.5.1. 2.* systems seem to be safe.
--
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@cs.hut.fi
home +358-0-8031121 work -4513377 fax -4555276 riippu SN

From owner-freebsd-security Sun Apr 9 21:32:39 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id VAA00292 for security-outgoing; Sun, 9 Apr 1995 21:32:39 -0700
Received: from mail.barrnet.net (mail.BARRNET.NET [131.119.246.7]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id VAA00284 for ; Sun, 9 Apr 1995 21:32:38 -0700
Received: from goof.com (goof.com [198.82.204.15]) by mail.barrnet.net (8.6.10/MAIL-RELAY-LEN) with ESMTP id VAA16122 for ; Sun, 9 Apr 1995 21:16:42 -0700
Received: (from mmead@localhost) by goof.com (8.6.11/8.6.9) id AAA02586; Mon, 10 Apr 1995 00:19:14 -0400
Date: Mon, 10 Apr 1995 00:19:14 -0400
From: "matthew c. mead"
Message-Id: <199504100419.AAA02586@goof.com>
To: Mark Hittinger
Cc: freebsd-security@FreeBSD.org
Subject: Re: satan "heavy" mode attacks
In-Reply-To: Your message of Sat, April 8, 1995 12:58:56 -0400
References: <199504081658.MAA29650@ns1.win.net>
Sender: security-owner@FreeBSD.org
Precedence: bulk

On Sat, April 8, 1995 at 12:58:56 (-0400), Mark Hittinger wrote:
> I've just read that some sites are reporting that using satan in its "heavy"
> mode will overload an inetd and make it toss its cookies.
> There are reports that the activity also causes some firewall products to
> consume available memory and discontinue logging some things.
> We probably need to double check our inetd and make sure it can deal with
> the resource overload issue.

I've run *several* heavy level satan checks against goof.com over a T1 connection and haven't had a problem at all...

-matt
--
Matthew C.
Mead -> Virginia Tech Center for Transportation Research
     -> Multiple Platform System and Network Administration
Work Related -> mmead@ctr.vt.edu | mmead@goof.com <- All Other
WWW -> http://www.goof.com/~mmead

From owner-freebsd-security Mon Apr 10 10:04:41 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id KAA11847 for security-outgoing; Mon, 10 Apr 1995 10:04:41 -0700
Received: from vector.eikon.e-technik.tu-muenchen.de (vector.eikon.e-technik.tu-muenchen.de [129.187.142.36]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id KAA11132 for ; Mon, 10 Apr 1995 10:01:12 -0700
Received: from localhost (localhost [127.0.0.1]) by vector.eikon.e-technik.tu-muenchen.de (8.6.11/8.6.9) with SMTP id OAA01712; Mon, 10 Apr 1995 14:39:31 +0200
Message-Id: <199504101239.OAA01712@vector.eikon.e-technik.tu-muenchen.de>
X-Authentication-Warning: vector.eikon.e-technik.tu-muenchen.de: Host localhost didn't use HELO protocol
To: John Capo
cc: freebsd-security@FreeBSD.org
Subject: Re: satan "heavy" mode attacks
In-reply-to: Your message of "Sun, 09 Apr 1995 00:41:39 +0200." <199504082241.SAA00738@irbs.com>
Date: Mon, 10 Apr 1995 14:39:30 +0200
From: Julian Howard Stacey
Sender: security-owner@FreeBSD.org
Precedence: bulk

> and they survived just fine. YMMV :-)

John, what's YMMV short for ?

Julian S.
From owner-freebsd-security Mon Apr 10 10:17:00 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id KAA12601 for security-outgoing; Mon, 10 Apr 1995 10:17:00 -0700
Received: from trout.sri.MT.net (trout.sri.MT.net [204.182.243.12]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id KAA12595 for ; Mon, 10 Apr 1995 10:16:56 -0700
Received: (from nate@localhost) by trout.sri.MT.net (8.6.11/8.6.10) id LAA02377; Mon, 10 Apr 1995 11:20:49 -0600
Date: Mon, 10 Apr 1995 11:20:49 -0600
From: Nate Williams
Message-Id: <199504101720.LAA02377@trout.sri.MT.net>
In-Reply-To: Julian Howard Stacey "Re: satan "heavy" mode attacks" (Apr 10, 2:39pm)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: Julian Howard Stacey
Subject: Re: satan "heavy" mode attacks
Cc: freebsd-security@FreeBSD.org
Sender: security-owner@FreeBSD.org
Precedence: bulk

> > and they survived just fine. YMMV :-)
> John, what's YMMV short for ?

Your Mileage May Vary. (You may get different results than his)

Nate

From owner-freebsd-security Mon Apr 10 11:17:07 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA14718 for security-outgoing; Mon, 10 Apr 1995 11:17:07 -0700
Received: from campino.informatik.rwth-aachen.de (campino.Informatik.RWTH-Aachen.DE [137.226.225.2]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id LAA14684 for ; Mon, 10 Apr 1995 11:16:55 -0700
Received: from gilberto.physik.rwth-aachen.de by campino.informatik.rwth-aachen.de (4.1/campino-6) id AA25938; Mon, 10 Apr 95 20:06:27 +0200
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.6.8/8.6.9) id UAA15582; Mon, 10 Apr 1995 20:11:44 +0200
Message-Id: <199504101811.UAA15582@gilberto.physik.rwth-aachen.de>
Subject: Re: satan "heavy" mode attacks
To: jhs@regent.e-technik.tu-muenchen.de (Julian Howard Stacey)
Date: Mon, 10 Apr 1995 20:11:43 +0200 (MET DST)
Cc: freebsd-security@FreeBSD.org
In-Reply-To:
    <199504101239.OAA01712@vector.eikon.e-technik.tu-muenchen.de> from "Julian Howard Stacey" at Apr 10, 95 02:39:30 pm
From: Christoph Kukulies
Reply-To: Christoph Kukulies
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 335
Sender: security-owner@FreeBSD.org
Precedence: bulk

> > > > and they survived just fine. YMMV :-)
> John, what's YMMV short for ?
> Julian S.
>

Your Mileage May Vary :-)

--Chris
Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
FreeBSD blues 2.1.0-Development FreeBSD 2.1.0-Development #0: Mon Apr 3 17:10:12 MET DST 1995 root@blues:/usr/src/sys/compile/BLUESGUS i386

From owner-freebsd-security Tue Apr 11 00:36:26 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id AAA15526 for security-outgoing; Tue, 11 Apr 1995 00:36:26 -0700
Received: from mail.barrnet.net (mail.BARRNET.NET [131.119.246.7]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id AAA15520 for ; Tue, 11 Apr 1995 00:36:20 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by mail.barrnet.net (8.6.10/MAIL-RELAY-LEN) with ESMTP id AAA25066 for ; Tue, 11 Apr 1995 00:33:30 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.11/8.6.9) with SMTP id AAA10955; Tue, 11 Apr 1995 00:32:30 -0700
Message-Id: <199504110732.AAA10955@precipice.shockwave.com>
To: adam
cc: freebsd-security@FreeBSD.org, pst@precipice.shockwave.com
Subject: Re: atrun hole
In-reply-to: Your message of "Tue, 04 Apr 1995 16:20:44 +0300." <199504041320.QAA09588@lune.math.tau.ac.il>
Date: Tue, 11 Apr 1995 00:32:30 -0700
From: Paul Traina
Sender: security-owner@FreeBSD.org
Precedence: bulk

By the way, this really should be CERTed for both Linux and FreeBSD and any other system using Tom's at program.
From owner-freebsd-security Tue Apr 11 00:38:08 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id AAA15547 for security-outgoing; Tue, 11 Apr 1995 00:38:08 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id AAA15540 for ; Tue, 11 Apr 1995 00:38:02 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.11/8.6.9) with SMTP id AAA10743; Tue, 11 Apr 1995 00:30:46 -0700
Message-Id: <199504110730.AAA10743@precipice.shockwave.com>
To: adam
cc: freebsd-security@FreeBSD.org, pst@precipice.shockwave.com
Subject: Re: atrun hole
In-reply-to: Your message of "Tue, 04 Apr 1995 16:20:44 +0300." <199504041320.QAA09588@lune.math.tau.ac.il>
Date: Tue, 11 Apr 1995 00:30:45 -0700
From: Paul Traina
Sender: security-owner@FreeBSD.org
Precedence: bulk

Yes, this is an extremely nasty hole. What's the status on a version 2.8?

From owner-freebsd-security Tue Apr 11 03:50:36 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id DAA18171 for security-outgoing; Tue, 11 Apr 1995 03:50:36 -0700
Received: from gmurrh.ozonline.com.au (gmurrh.ozonline.com.au [203.4.248.200]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id DAA18165 for ; Tue, 11 Apr 1995 03:50:31 -0700
Received: (from ap@localhost) by gmurrh.ozonline.com.au (8.6.12/8.6.6) id FAA00940; Wed, 12 Apr 2006 05:55:17 GMT
Date: Wed, 12 Apr 2006 05:55:17 GMT
From: Andrew Prendergast
Message-Id: <200604120555.FAA00940@gmurrh.ozonline.com.au>
To: adam@math.tau.ac.il, pst@Shockwave.COM
Subject: Re: atrun hole
Cc: freebsd-security@FreeBSD.org, pst@precipice.shockwave.com
Sender: security-owner@FreeBSD.org
Precedence: bulk

I missed the details.. Pleeze send me info (things like this make me somewhat nervous).
Andrew Prendergast
NetCafe Admin

From owner-freebsd-security Tue Apr 11 04:04:52 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id EAA18304 for security-outgoing; Tue, 11 Apr 1995 04:04:52 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id EAA18298 for ; Tue, 11 Apr 1995 04:04:51 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.11/8.6.9) with SMTP id EAA00370; Tue, 11 Apr 1995 04:02:40 -0700
Message-Id: <199504111102.EAA00370@precipice.shockwave.com>
To: Andrew Prendergast
cc: adam@math.tau.ac.il, freebsd-security@FreeBSD.org
Subject: Re: atrun hole
In-reply-to: Your message of "Wed, 12 Apr 2006 05:55:17 GMT." <200604120555.FAA00940@gmurrh.ozonline.com.au>
Date: Tue, 11 Apr 1995 04:02:26 -0700
From: Paul Traina
Sender: security-owner@FreeBSD.org
Precedence: bulk

Suffice it to say that at/atrun may be used to obtain root access for a normal user. You may block this merely by disabling atrun in your cron file.

>> From: Andrew Prendergast
>> Subject: Re: atrun hole
>>
>> I missed the details.. Pleeze send me info (things like this make me somewhat
>> nervous).
>>
>> Andrew Prendergast
>> NetCafe Admin

From owner-freebsd-security Wed Apr 12 08:33:28 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id IAA15993 for security-outgoing; Wed, 12 Apr 1995 08:33:28 -0700
Received: from sol.sees.bangor.ac.uk (sol.sees.bangor.ac.uk [147.143.102.1]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id IAA15987 for ; Wed, 12 Apr 1995 08:33:25 -0700
From: Mr D Whitehead (Ext 2703)
Message-Id: <9326.9504121533@sol.sees.bangor.ac.uk>
Subject: FreeBSD Security Problem?
To: freebsd-security@FreeBSD.org
Date: Wed, 12 Apr 1995 16:33:28 +0100 (BST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1297
Sender: security-owner@FreeBSD.org
Precedence: bulk

Hi,

First the compliments - great job so far.

Now the problem. I have been using FreeBSD (2.0R) at home (without any problems) and also evaluating it for use at work. One ancient and major problem seems to exist (unless I have missed something or it has already been altered) and that is the reboot to single user. No password, nothing, just a root shell to do with as you wish. OK I know it's not a problem at home - but just imagine the fun all our undergraduates would have with this if we put a machine in a public area (the current suggestion is for 50).

We would really like to replace our ageing Sun SLC's but are seriously worried about the above problem - any comments?

Many thanks,
--
Dave Whitehead (Computer Support Staff)
-------------------------------------------------------------------------------
EMAIL:-                            | TELEPHONE:-
(work) davew@sees.bangor.ac.uk     | +44 1248 382703 (Direct line)
(home) 100023.1076@compuserve.com  | +44 1248 351151 ext 2703
-------------------------------------------------------------------------------
SNAIL MAIL:- Dave Whitehead
School of Electronic Engineering & Computer Systems,
University College of North Wales, Dean Street, Bangor LL57 1UT
------------------------------------------------------------------------------

From owner-freebsd-security Wed Apr 12 09:42:03 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id JAA17280 for security-outgoing; Wed, 12 Apr 1995 09:42:03 -0700
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id JAA17274 for ; Wed, 12 Apr 1995 09:41:57 -0700
Received: by halloran-eldar.lcs.mit.edu; id AA07111;
    Wed, 12 Apr 1995 12:41:14 -0400
Date: Wed, 12 Apr 1995 12:41:14 -0400
From: Garrett Wollman
Message-Id: <9504121641.AA07111@halloran-eldar.lcs.mit.edu>
To: Mr D Whitehead (Ext 2703)
Cc: freebsd-security@FreeBSD.org
Subject: FreeBSD Security Problem?
In-Reply-To: <9326.9504121533@sol.sees.bangor.ac.uk>
References: <9326.9504121533@sol.sees.bangor.ac.uk>
Sender: security-owner@FreeBSD.org
Precedence: bulk

Mr D Whitehead said:
> One ancient and major problem seems to exist (unless I have missed
> something or it has already been altered) and that is the reboot to
> single user. No password, nothing, just a root shell to do with as
> you wish.

From /etc/ttys:
------------------------------------
# This entry needed for asking password when init goes to single-user mode
# If you want to be asked for password, change "secure" to "insecure" here
console none unknown off secure
------------------------------------

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish.
                     | - Claude McKenzie + Florent Vollant

From owner-freebsd-security Wed Apr 12 10:13:44 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id KAA17772 for security-outgoing; Wed, 12 Apr 1995 10:13:44 -0700
Received: from phoenix.csc.calpoly.edu (phoenix.csc.calpoly.edu [129.65.17.14]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id KAA17764 for ; Wed, 12 Apr 1995 10:13:43 -0700
Received: from statler.CalPoly.Edu (statler.csc.calpoly.edu [129.65.17.8]) by phoenix.csc.calpoly.edu (8.6.11) with SMTP id KAA03338; Wed, 12 Apr 1995 10:13:41 -0700
Received: by statler.CalPoly.Edu (5.x/SMI-SVR4) id AA05444; Wed, 12 Apr 1995 10:13:34 -0700
From: nlawson@statler.csc.calpoly.edu (Nathan Lawson)
Message-Id: <9504121713.AA05444@statler.CalPoly.Edu>
Subject: Re: FreeBSD Security Problem?
To: davew@sees.bangor.ac.uk (Mr D Whitehead)
Date: Wed, 12 Apr 1995 10:13:34 -0700 (PDT)
Cc: security@FreeBSD.org
In-Reply-To: <9326.9504121533@sol.sees.bangor.ac.uk> from "Mr D Whitehead" at Apr 12, 95 04:33:28 pm
X-Mailer: ELM [version 2.4 PL22]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: security-owner@FreeBSD.org
Precedence: bulk

> First the compliments - great job so far.
>
> Now the problem. I have been using FreeBSD (2.0R) at home (without
> any problems) and also evaluating it for use at work. One ancient and major
> problem seems to exist (unless I have missed something or it has already been
> altered) and that is the reboot to single user. No password, nothing, just a
> root shell to do with as you wish. OK I know it's not a problem at home - but
> just imagine the fun all our undergraduates would have with this if we put a
> machine in a public area (the current suggestion is for 50).
>
> We would really like to replace our ageing Sun SLC's but are seriously
> worried about the above problem - any comments?

Only that it's not a problem.
Change the entry in /etc/ttys for "console" from "secure" to "insecure" and you will be required to enter the root password before being dropped to a shell in single-user mode.

Hope this helps.

--
Nathan Lawson        | "If the automobile had followed the same development as the
CSL 490/News Admin   | computer, a Rolls-Royce would today cost $100, get a
756-7180 @Work       | million miles per gallon, and explode once a year,
-------------------    killing everyone inside." -- Robert Cringely

From owner-freebsd-security Wed Apr 12 10:51:45 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id KAA19013 for security-outgoing; Wed, 12 Apr 1995 10:51:45 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id KAA19006 for ; Wed, 12 Apr 1995 10:51:41 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.8/8.6.6) id KAA07234; Wed, 12 Apr 1995 10:51:21 -0700
From: "Rodney W. Grimes"
Message-Id: <199504121751.KAA07234@gndrsh.aac.dev.com>
Subject: Re: FreeBSD Security Problem?
To: davew@sees.bangor.ac.uk (Mr D Whitehead)
Date: Wed, 12 Apr 1995 10:51:21 -0700 (PDT)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <9326.9504121533@sol.sees.bangor.ac.uk> from "Mr D Whitehead" at Apr 12, 95 04:33:28 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1611
Sender: security-owner@FreeBSD.org
Precedence: bulk

>
> Hi,
> First the compliments - great job so far.
>
> Now the problem. I have been using FreeBSD (2.0R) at home (without
> any problems) and also evaluating it for use at work. One ancient and major
> problem seems to exist (unless I have missed something or it has already been
> altered) and that is the reboot to single user. No password, nothing, just a
> root shell to do with as you wish.
> OK I know it's not a problem at home - but
> just imagine the fun all our undergraduates would have with this if we put a
> machine in a public area (the current suggestion is for 50).
>
> We would really like to replace our ageing Sun SLC's but are seriously
> worried about the above problem - any comments?

As has already been pointed out in other mail, tweak /etc/ttys. But this still leaves a very nasty hole you need to plug. You will have to remove the floppy drive from all machines, otherwise a person can just download a FreeBSD boot floppy and boot single user from it, mount the hard disk, splat the passwd file or the ttys file and then reboot from the hard disk.

Some BIOSes allow you to set the boot sequence to C:, A:; if yours do, this is another way around the floppy problem. Set it to C:, A:, and then password protect the BIOS so the user can't change it back. Since C: should always have a valid boot partition on it there is no way for them to boot from floppy, but they can still use the floppy for normal things.

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Custom computers for FreeBSD

From owner-freebsd-security Wed Apr 12 11:03:28 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA19305 for security-outgoing; Wed, 12 Apr 1995 11:03:28 -0700
Received: from localhost (localhost [127.0.0.1]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id LAA19298 ; Wed, 12 Apr 1995 11:03:27 -0700
X-Authentication-Warning: freefall.cdrom.com: Host localhost didn't use HELO protocol
To: Mr D Whitehead (Ext 2703)
cc: freebsd-security@FreeBSD.org
Subject: Re: FreeBSD Security Problem?
In-reply-to: Your message of "Wed, 12 Apr 95 16:33:28 BST."
    <9326.9504121533@sol.sees.bangor.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 12 Apr 1995 11:03:27 -0700
Message-ID: <19297.797709807@freefall.cdrom.com>
From: Gary Palmer (FreeBSD/ARM Team)
Sender: security-owner@FreeBSD.org
Precedence: bulk

In message <9326.9504121533@sol.sees.bangor.ac.uk>, Mr D Whitehead writes:
> Now the problem. I have been using FreeBSD (2.0R) at home (without
> any problems) and also evaluating it for use at work. One ancient and major
> problem seems to exist (unless I have missed something or it has already been
> altered) and that is the reboot to single user. No password, nothing, just a
> root shell to do with as you wish. OK I know it's not a problem at home - but
> just imagine the fun all our undergraduates would have with this if we put a
> machine in a public area (the current suggestion is for 50).

This is not a problem. You edit /etc/ttys and remove the ``secure'' keyword from the console line. This means that a root password is required when rebooting single user.

Hope this helps some.

Gary

From owner-freebsd-security Wed Apr 12 11:49:02 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA20125 for security-outgoing; Wed, 12 Apr 1995 11:49:02 -0700
Received: from aries.ibms.sinica.edu.tw ([140.109.40.248]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id LAA20113 for ; Wed, 12 Apr 1995 11:48:54 -0700
Received: (from taob@localhost) by aries.ibms.sinica.edu.tw (8.6.11/8.6.9) id CAA00612; Thu, 13 Apr 1995 02:42:54 +0800
Date: Thu, 13 Apr 1995 02:42:54 +0800 (CST)
From: Brian Tao
To: Mr D Whitehead
cc: freebsd-security@FreeBSD.org
Subject: Re: FreeBSD Security Problem?
In-Reply-To: <9326.9504121533@sol.sees.bangor.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@FreeBSD.org
Precedence: bulk

On Wed, 12 Apr 1995, Mr D Whitehead wrote:
>
> One ancient and major problem seems to exist (unless I have missed
> something or it has already been altered) and that is the reboot to
> single user. No password, nothing, just a root shell to do with as
> you wish.

Mark the console as "insecure" in /etc/ttys. Remove floppy drives from the machines too. ;-)
--
Brian ("Though this be madness, yet there is method in't") Tao
taob@gate.sinica.edu.tw <-- work ........ play --> taob@io.org

From owner-freebsd-security Wed Apr 12 11:51:05 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA20191 for security-outgoing; Wed, 12 Apr 1995 11:51:05 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id LAA20185 ; Wed, 12 Apr 1995 11:51:03 -0700
Received: (from pst@localhost) by precipice.shockwave.com (8.6.11/8.6.9) id LAA24509; Wed, 12 Apr 1995 11:50:29 -0700
Date: Wed, 12 Apr 1995 11:50:29 -0700
From: Paul Traina
Message-Id: <199504121850.LAA24509@precipice.shockwave.com>
To: security@FreeBSD.org, wollman@FreeBSD.org
Subject: one way of fixing the kerberos/skey interaction
Sender: security-owner@FreeBSD.org
Precedence: bulk

*** login.c	Sat Jan 14 19:14:10 1995
--- /tmp/login.c	Wed Apr 12 11:49:45 1995
***************
*** 274,279 ****
--- 274,290 ----
  	if (pwd) {
  #ifdef KERBEROS
+ #ifdef SKEY
+ 		/*
+ 		 * Do not allow user to type in kerberos password
+ 		 * over the net (actually, this is ok for encrypted
+ 		 * links, but we have no way of determining if the
+ 		 * link is encrypted.
+ 		 */
+ 		if (!permit_password) {
+ 			rval = 1;	/* failed */
+ 		} else
+ #endif
  		rval = klogin(pwd, instance, localhost, p);
  		if (rval != 0 && rootlogin && pwd->pw_uid != 0)
  			rootlogin = 0;

From owner-freebsd-security Wed Apr 12 13:12:12 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id NAA22364 for security-outgoing; Wed, 12 Apr 1995 13:12:12 -0700
Received: from mpp.com (dialup-2-122.gw.umn.edu [134.84.101.122]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id NAA22355 for ; Wed, 12 Apr 1995 13:12:03 -0700
Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id PAA03812; Wed, 12 Apr 1995 15:10:13 -0500
From: Mike Pritchard
Message-Id: <199504122010.PAA03812@mpp.com>
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
To: ache@freefall.cdrom.com (Andrey A. Chernov)
Date: Wed, 12 Apr 1995 15:10:12 -0500 (CDT)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199504121857.LAA20359@freefall.cdrom.com> from "Andrey A. Chernov" at Apr 12, 95 11:57:41 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1640
Sender: security-owner@FreeBSD.org
Precedence: bulk

>
> ache 95/04/12 11:57:40
>
> Modified: usr.sbin/cron/cron do_command.c
> Log:
> Close MAILTO security hole

I took a look at your fix, and the security hole is still there. Simply checking if the first character of the MAILTO variable is a '-' isn't enough, since I could simply prefix the MAILTO variable with a space (or lots of them or whatever). I can also add additional arguments, which with sendmail isn't a problem, but what if the administrator chooses to edit cron/config.h and use a different mail delivery program? Then who knows how those extra arguments are going to be used.
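Review bot: on the login.c hunk in the "kerberos/skey interaction" message above, the `} else` is immediately followed by `#endif` and then the unguarded `rval = klogin(pwd, instance, localhost, p);`, so the else body lives outside the `#ifdef SKEY` region; any statement later inserted between the `#endif` and the klogin call would silently become that else body. Suggest keeping the whole conditional inside one preprocessor region, e.g. `if (permit_password) rval = klogin(pwd, instance, localhost, p); else rval = 1;` with the SKEY guard wrapping only the condition, or at least braces around the klogin call. Two smaller points: when `permit_password` is false the Kerberos attempt is refused with `rval = 1` and nothing is logged, so an administrator cannot distinguish a refused-over-the-net attempt from a wrong password (a syslog entry there would help); and `permit_password` is not declared or set anywhere in this hunk, so the patch presumes it is established earlier in login.c.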
Even if MAILTO isn't set, if I manage to get LOGNAME set to something funny (possible), then the same security hole exists, since it will be used as the mailing address in place of MAILTO.

I still think that the best way to fix this problem is to require that the user name that cron intends to send mail to points to a valid login name (which my fix does). That way there is no doubt that the user isn't passing something funny in the variable that may be interpreted by either the popen call or sendmail in some unintended manner. Programs that run as root should be as restrictive as possible with user supplied parameters that they pass off to other programs that are also going to be run as root (or as anything other than the calling user). They shouldn't try and decide if the parameters look "OK" enough to pass along. They should require that they conform to a very strictly defined format.

--
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way. Really fast. If something gets in your way, turn"

From owner-freebsd-security Wed Apr 12 14:36:33 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id OAA26280 for security-outgoing; Wed, 12 Apr 1995 14:36:33 -0700
Received: from sol.sees.bangor.ac.uk (sol.sees.bangor.ac.uk [147.143.102.1]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id OAA26271 for ; Wed, 12 Apr 1995 14:36:29 -0700
From: Mr D Whitehead (Ext 2703)
Message-Id: <11964.9504122136@sol.sees.bangor.ac.uk>
Subject: Re: FreeBSD Security Problem?
To: freebsd-security@FreeBSD.org
Date: Wed, 12 Apr 1995 22:36:37 +0100 (BST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1262
Sender: security-owner@FreeBSD.org
Precedence: bulk

Many thanks to all who replied. I don't know how I missed it - too much 'Sun' (with prom passwd and ttys constructed at startup) I expect.
> From /etc/ttys:
> ------------------------------------
> # This entry needed for asking password when init goes to single-user mode
> # If you want to be asked for password, change "secure" to "insecure" here
> console none unknown off secure
> ------------------------------------

The points about the boot order (C: then A:) and the floppy are well taken and should be OK. The available hardware can set the boot order and the BIOS setup can be protected by a password, so we should be ok.

Thanks Again
Dave Whitehead (Computer Support Staff)
-------------------------------------------------------------------------------
EMAIL:-                            | TELEPHONE (work):-
(work) davew@sees.bangor.ac.uk     | +44 1248 382703 (Direct line)
(home) 100023.1076@compuserve.com  | +44 1248 351151 ext 2703
-------------------------------------------------------------------------------
SNAIL MAIL:- Dave Whitehead
School of Electronic Engineering & Computer Systems,
University College of North Wales, Dean Street, Bangor LL57 1UT
------------------------------------------------------------------------------

From owner-freebsd-security Wed Apr 12 14:41:47 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id OAA26581 for security-outgoing; Wed, 12 Apr 1995 14:41:47 -0700
Received: from haven.ios.com (haven.ios.com [198.4.75.45]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id OAA26573 for ; Wed, 12 Apr 1995 14:41:45 -0700
Received: (from rashid@localhost) by haven.ios.com (8.6.9/8.6.9) id RAA05405; Wed, 12 Apr 1995 17:37:09 -0400
From: "Rashid Karimov."
Message-Id: <199504122137.RAA05405@haven.ios.com>
Subject: Re: FreeBSD Security Problem?
To: nlawson@statler.csc.calpoly.edu (Nathan Lawson)
Date: Wed, 12 Apr 1995 17:37:09 -0400 (EDT)
Cc: davew@sees.bangor.ac.uk, security@FreeBSD.org
In-Reply-To: <9504121713.AA05444@statler.CalPoly.Edu> from "Nathan Lawson" at Apr 12, 95 10:13:34 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1315
Sender: security-owner@FreeBSD.org
Precedence: bulk

HI there,

> > First the compliments - great job so far.
> >
> > Now the problem. I have been using FreeBSD (2.0R) at home (without
> > any problems) and also evaluating it for use at work. One ancient and major
> > problem seems to exist (unless I have missed something or it has already been
> > altered) and that is the reboot to single user. No password, nothing, just a
> > root shell to do with as you wish. OK I know it's not a problem at home - but
> > just imagine the fun all our undergraduates would have with this if we put a
> > machine in a public area (the current suggestion is for 50).
> >
> > We would really like to replace our ageing Sun SLC's but are seriously
> > worried about the above problem - any comments?
>
> Only that it's not a problem. Change the entry in /etc/ttys for "console"
> from "secure" to "insecure" and you will be required to enter the root password
> before being dropped to a shell in single-user mode.

There is so called "physical security" :) . If you don't trust your undergraduates - put the PC into the safe. Because even if you'll make the console secure, they will be able to harm the PC - by booting from the floppy - if the PC has one, or going to hardware setup and reformatting the HDD...
a lot of nasty things :)

SY
RK
K

From owner-freebsd-security Wed Apr 12 14:48:28 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id OAA26910 for security-outgoing; Wed, 12 Apr 1995 14:48:28 -0700
Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id OAA26904 for ; Wed, 12 Apr 1995 14:48:24 -0700
Received: by sequent.kiae.su id AA04500 (5.65.kiae-2 ); Thu, 13 Apr 1995 01:40:31 +0400
Received: by sequent.KIAE.su (UUMAIL/2.0); Thu, 13 Apr 95 01:40:30 +0400
Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id BAA02974; Thu, 13 Apr 1995 01:40:53 +0400
To: Mike Pritchard
Cc: freebsd-security@FreeBSD.org
References: <199504122010.PAA03812@mpp.com>
In-Reply-To: <199504122010.PAA03812@mpp.com>; from Mike Pritchard at Wed, 12 Apr 1995 15:10:12 -0500 (CDT)
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Thu, 13 Apr 1995 01:40:53 +0400
X-Mailer: Mail/@ [v2.32 FreeBSD]
From: "Andrey A. Chernov, Black Mage"
X-Class: Fast
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Lines: 51
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 2095
Sender: security-owner@FreeBSD.org
Precedence: bulk

In message <199504122010.PAA03812@mpp.com> Mike Pritchard writes:
>>
>> ache 95/04/12 11:57:40
>>
>> Modified: usr.sbin/cron/cron do_command.c
>> Log:
>> Close MAILTO security hole

>I took a look at your fix, and the security hole is still there. Simply
>checking if the first character of the MAILTO variable is a '-' isn't
>enough, since I could simply prefix the MAILTO variable with a space (or
>lots of them or whatever).

Did you really try, e.g.,

sendmail ' -v'

???

>I can also add additional arguments,
>which with sendmail isn't a problem, but what if the administrator chooses
>to edit cron/config.h and use a different mail delivery program?
>when who knows how those extra arguments are going to be used.

It is the administrator's fault.

>Even if MAILTO isn't set, if I manage to get LOGNAME set to something
>funny (possible), then the same security hole exists, since it will be used
>as the mailing address in place of MAILTO.

LOGNAME forced to pw->pw_name in entry.c

>I still think that the best way to fix this problem is to require that
>the user name that cron intends to send mail to points to a valid login
>name (which my fix does). That way there is no doubt that the user isn't
>passing something funny in the variable that may be interpreted by either
>the popen call or sendmail in some unintended manner. Programs that run as
>root should be as restrictive as possible with user supplied parameters that
>they pass off to other programs that are also going to be run as root (or
>as anything other than the calling user). They shouldn't try and decide if
>the parameters look "OK" enough to pass along. They should require that
>they conform to a very strictly defined format.

Your fix breaks MAILTO handling according to the cron manpage.

--
Andrey A. Chernov : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3 : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849

From owner-freebsd-security Wed Apr 12 16:25:09 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id QAA00317 for security-outgoing; Wed, 12 Apr 1995 16:25:09 -0700
Received: from ain.charm.net (ain.charm.net [198.69.35.206]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id QAA00307 ; Wed, 12 Apr 1995 16:25:06 -0700
Received: (from nc@localhost) by ain.charm.net (8.6.11/8.6.9) id TAA00648; Wed, 12 Apr 1995 19:18:43 -0400
Date: Wed, 12 Apr 1995 19:18:43 -0400 (EDT)
From: Network Coordinator
To: freebsd-security@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject: httpd - security problem? (question, not a statement)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@FreeBSD.org
Precedence: bulk

I remember reading somewhere that there is a bug in a number of port 80 daemons that would allow someone to gain root access remotely through it. I know there is a bug when using httpd with Satan v1.0 (well, for as much as I trust CERT), but when not running Satan, is there any harm in letting cern_httpd v3.0 run in standalone (full-time) mode [as root, no less]. Any ideas on securing up a system would be greatly appreciated.

Thanks,
Jerry.
From owner-freebsd-security Thu Apr 13 05:19:29 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id FAA12302 for security-outgoing; Thu, 13 Apr 1995 05:19:29 -0700
Received: from taurus.math.tau.ac.il (root@taurus.math.tau.ac.il [132.67.64.4]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id FAA12294 for ; Thu, 13 Apr 1995 05:19:13 -0700
Received: from lune.math.tau.ac.il (adam@lune.math.tau.ac.il [132.67.96.11]) by taurus.math.tau.ac.il (8.6.10/8.6.10) with ESMTP id PAA20970; Thu, 13 Apr 1995 15:17:01 +0300
From: adam
Received: (adam@localhost) by lune.math.tau.ac.il (8.6.9/8.6.9) id PAA21237; Thu, 13 Apr 1995 15:17:00 +0300
Message-Id: <199504131217.PAA21237@lune.math.tau.ac.il>
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
To: freebsd-security@FreeBSD.org
Date: Thu, 13 Apr 1995 15:17:00 +0300 (GMT+0300)
In-Reply-To: <199504122010.PAA03812@mpp.com> from "Mike Pritchard" at Apr 12, 95 03:10:12 pm
X-Sender: adam@math.tau.ac.il
X-Organization: DIS WHEEL SHALL EXPL0DE
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2829
Sender: security-owner@FreeBSD.org
Precedence: bulk

> > Modified: usr.sbin/cron/cron do_command.c
> > Log:
> > Close MAILTO security hole

> I took a look at your fix, and the security hole is still there. Simply
> checking if the first character of the MAILTO variable is a '-' isn't
> enough, since I could simply prefix the MAILTO variable with a space (or
> lots of them or whatever). I can also add additional arguments,
> which with sendmail isn't a problem, but what if the administrator chooses
> to edit cron/config.h and use a different mail delivery program?
> Then who knows how those extra arguments are going to be used.

The cron in question is vixie-cron-3.0. I emailed Paul Vixie around the time I posted the hole in Thomas Koenig's atrun, and also included a patch.
Since that cron hasn't been updated for quite some time, and is probably not at the top of his list, it's taking a while, though I'm only guessing (and it hasn't really been such a long while). My suggestion is not to run Sendmail as root. If you want, you can ``verify'' MAILTO, but IMHO, such a fix is begging to fail, because you need to start studying Sendmail and seeing what wrongs it can do running as root. Like, the obvious fix of searching for ``-'' fails for people who mail ``cron-people''. Running sendmail as the user seems to work fine, including From: headers and everything. Well, it's out... so here's my patch. safe_p() is a slight modification of something Paul Vixie wrote. *** do_command.c.orig Sun Apr 9 18:29:18 1995 --- do_command.c Sun Apr 9 19:47:34 1995 *************** *** 33,38 **** --- 33,39 ---- static void child_process __P((entry *, user *)), do_univ __P((user *)); + static int safe_p __P((const char *)); void do_command(e, u) *************** *** 360,365 **** --- 361,369 ---- * up the mail command and subjects and stuff... */ + if (!safe_p(mailto)) + log_it(usernm, getpid(), "UNSAFE", mailto); + if (mailto) { register char **env; auto char mailcmd[MAX_COMMAND]; *************** *** 368,373 **** --- 372,383 ---- (void) gethostname(hostname, MAXHOSTNAMELEN); (void) sprintf(mailcmd, MAILARGS, MAILCMD, mailto); + setgid(e->gid); + #if defined (BSD) + initgroups(env_get("LOGNAME", e->envp), e->gid); + #endif + setuid(e->uid); + if (!(mail = cron_popen(mailcmd, "w"))) { perror(MAILCMD); (void) _exit(ERROR_EXIT); *************** *** 462,467 **** --- 472,492 ---- } } + static int + safe_p(s) + register const char *s; + { + static const char safe_delim[] = "@!:%-_."; + register char ch; + + while ((ch = *s++) != '\0') { + if (isascii(ch) && isprint(ch) && + (isalnum(ch) || strchr(safe_delim, ch))) + continue; + return (FALSE); + } + return (TRUE); + } static void do_univ(u) adam? 
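Review bot: in the do_command.c hunk at lines 360-365, the new `if (!safe_p(mailto)) log_it(usernm, getpid(), "UNSAFE", mailto);` runs before the existing `if (mailto)` guard, so a crontab with no MAILTO hands a NULL pointer to safe_p(), which dereferences it; and when the check does fire it only logs, so the unsafe string still reaches the sprintf()/cron_popen() that follow. Move the test inside the `if (mailto)` block and make it bail out, for example `if (!safe_p(mailto)) { log_it(usernm, getpid(), "UNSAFE", mailto); mailto = NULL; }` (or _exit(ERROR_EXIT)), so an address that failed the check is never passed to the mailer.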
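Review bot: in the do_command.c hunk at lines 368-373, setgid(e->gid), initgroups(...) and setuid(e->uid) are called without checking their return values; if any of them fails, the cron_popen(mailcmd, "w") right after still runs sendmail as root, which is exactly what the hunk is meant to prevent. Check each call and _exit(ERROR_EXIT) on failure (the order, groups before uid, is correct and must stay, since initgroups needs root). It is also worth saying in the commit message that the patch relies on this drop of privilege, because the safe_p() filter below still lets a leading '-' through.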
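Review bot: in the safe_p() hunk at lines 462-467, safe_delim contains '-', so a MAILTO of "-v" passes the filter; the earlier "-C/usr/tmp/c test" style value is rejected only because ' ' and '/' are not in safe_delim. If safe_p() is meant as a character filter with the setuid() above as the real boundary, say so in a comment next to it; otherwise also reject a leading '-'. Minor: isascii()/isprint()/isalnum() and strchr() need <ctype.h> and <string.h> if do_command.c does not already include them, and TRUE/FALSE are assumed to come from cron's own headers.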
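The bypass discussed above (Mike Pritchard's point that a leading space defeats a `*mailto == '-'` test) and the alternative adam's safe_p() takes, as an added example that is not part of this thread and not code from the cron sources: the C program below rebuilds the command line the way the vulnerable path did (sprintf of MAILARGS followed by a strtok split into argv, as cron_popen() does), shows that `" -C/usr/tmp/c test"` passes the first-character check yet reaches sendmail as an option, and contrasts it with a strictly formatted local-login-name check of the kind Mike argues for. The MAILARGS format string is the one from cron's config.h quoted later in this thread; the MAX_ARGS bound, the 16-character login-name limit and every function name are this example's own assumptions, and the getpwnam() lookup a real check would add is left out so the code runs offline.

```c
/*
 * Added example, not code from the cron sources or from anyone in this
 * thread. It models the vulnerable MAILTO path (sprintf of MAILARGS, then a
 * strtok split into argv, as cron_popen() does) and contrasts the weak
 * first-character test with a strictly formatted local-user check.
 * Assumptions: MAX_ARGS, MAXLOGNAME and every function name here are the
 * example's own; a real check would also call getpwnam(), omitted so that
 * this runs offline.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAILCMD     "/usr/sbin/sendmail"
#define MAILARGS    "%s -FCronDaemon -odi -oem %s"  /* from cron's config.h */
#define FIXED_ARGC  4       /* tokens MAILARGS produces before the address */
#define MAX_COMMAND 1000    /* size of cron's mailcmd[] buffer */
#define MAX_ARGS    8       /* kept small so the argv bound is easy to hit (assumed) */
#define MAXLOGNAME  16      /* assumed login-name limit for the strict check */

/* The test from the first commit: rejects only a leading '-'. */
int first_char_check_ok(const char *mailto)
{
    return mailto[0] != '-';
}

/* Build the command line the way cron did, but with snprintf so an oversized
 * MAILTO is refused instead of overrunning the buffer. Returns 1 on success. */
int build_mailcmd(char *buf, size_t buflen, const char *mailto)
{
    int n = snprintf(buf, buflen, MAILARGS, MAILCMD, mailto);
    return n >= 0 && (size_t)n < buflen;
}

/* Whitespace-split like cron_popen(): strtok() discards leading blanks, which
 * is why " -v" turns into the argument "-v". Returns argc, or -1 when more
 * than max_args tokens are present. argv needs max_args + 1 slots; cmd is
 * modified in place. */
int split_args(char *cmd, char *argv[], int max_args)
{
    int argc = 0;
    for (char *tok = strtok(cmd, " \t\n"); tok != NULL; tok = strtok(NULL, " \t\n")) {
        if (argc >= max_args)
            return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* 1 if a user-controlled token reaches the mailer as an option, 0 if not,
 * -1 if the command line or argv would have overflowed. */
int mailto_injects_option(const char *mailto)
{
    char cmd[MAX_COMMAND];
    char *argv[MAX_ARGS + 1];

    if (!build_mailcmd(cmd, sizeof cmd, mailto))
        return -1;
    if (split_args(cmd, argv, MAX_ARGS) < 0)
        return -1;
    for (int i = FIXED_ARGC; argv[i] != NULL; i++)
        if (argv[i][0] == '-')
            return 1;
    return 0;
}

/* Strict format for a local login name: 1..MAXLOGNAME characters, starting
 * with a lower-case letter or '_', the rest lower-case letters, digits, '_'
 * or '-'. Spaces, '/', a leading '-' and other option-shaped values never pass. */
int mailto_is_local_user_format(const char *mailto)
{
    size_t len = strlen(mailto);
    if (len == 0 || len > MAXLOGNAME)
        return 0;
    if (!(islower((unsigned char)mailto[0]) || mailto[0] == '_'))
        return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)mailto[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* A MAILTO as long as the whole mailcmd[] buffer must be refused, not truncated. */
int oversized_mailto_rejected(void)
{
    char big[MAX_COMMAND + 1];
    memset(big, 'a', MAX_COMMAND);
    big[MAX_COMMAND] = '\0';
    return mailto_injects_option(big) == -1;
}

int main(void)
{
    /* constructed sample MAILTO values, including the one from this thread */
    const char *cases[] = { " -C/usr/tmp/c test", "cron-people", "-v", "a a a a a a a a a a" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("MAILTO=\"%s\": first-char check %s, injects option: %d, strict format %s\n",
               cases[i], first_char_check_ok(cases[i]) ? "passes" : "fails",
               mailto_injects_option(cases[i]),
               mailto_is_local_user_format(cases[i]) ? "accepts" : "rejects");
    return 0;
}
```

The strict check deliberately accepts "cron-people" (a hyphen inside a name is harmless once the first character cannot be '-'), which is the case adam raises against a naive search for "-".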
From owner-freebsd-security Thu Apr 13 07:19:50 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id HAA15532 for security-outgoing; Thu, 13 Apr 1995 07:19:50 -0700
Received: from sol.sees.bangor.ac.uk (sol.sees.bangor.ac.uk [147.143.102.1]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id HAA15517 for ; Thu, 13 Apr 1995 07:19:25 -0700
From: Mr D Whitehead (Ext 2703)
Message-Id: <14679.9504131419@sol.sees.bangor.ac.uk>
Subject: Broken find invalidates /etc/security
To: freebsd-security@FreeBSD.org
Date: Thu, 13 Apr 1995 15:19:37 +0100 (BST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1419
Sender: security-owner@FreeBSD.org
Precedence: bulk

Strictly speaking this is a bug report, but as I found it while checking the /etc/security script for FreeBSD 2.0-950112-SNAP I thought it best to report it here.

Description
-----------
The scan for suid files is only finding sgid files. The responsibility for this seems to lie with the -or operator to find. If you change the -or to -and the script will do what you expect (but not what you want); if you remove the -or -perm -g+s then all suid files are found. Using the octal equivalents of 4000 and 2000 is no help. The evidence seems quite strong that the -or operator is broken.

I have not checked with earlier or later versions but I suggest that an eyeball check of /var/log/setuid.today is done for all versions; if stuff like sendmail etc is not there then lots of people have a false sense of security.
--
Dave Whitehead (Computer Support Staff)
-------------------------------------------------------------------------------
EMAIL:- | TELEPHONE (work):-
(work) davew@sees.bangor.ac.uk | +44 1248 382703 (Direct line)
(home) 100023.1076@compuserve.com | +44 1248 351151 ext 2703
-------------------------------------------------------------------------------
SNAIL MAIL:- Dave Whitehead
School of Electronic Engineering & Computer Systems, University College of North Wales, Dean Street, Bangor LL57 1UT
------------------------------------------------------------------------------

From owner-freebsd-security Thu Apr 13 07:21:31 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id HAA15580 for security-outgoing; Thu, 13 Apr 1995 07:21:31 -0700
Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id HAA15567 for ; Thu, 13 Apr 1995 07:21:24 -0700
Received: by sequent.kiae.su id AA03820 (5.65.kiae-2 ); Thu, 13 Apr 1995 18:10:59 +0400
Received: by sequent.KIAE.su (UUMAIL/2.0); Thu, 13 Apr 95 18:10:58 +0400
Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id SAA01716; Thu, 13 Apr 1995 18:09:56 +0400
To: adam , freebsd-security@FreeBSD.org
References: <199504131217.PAA21237@lune.math.tau.ac.il>
In-Reply-To: <199504131217.PAA21237@lune.math.tau.ac.il>; from adam at Thu, 13 Apr 1995 15:17:00 +0300 (GMT+0300)
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Thu, 13 Apr 1995 18:09:56 +0400
X-Mailer: Mail/@ [v2.32 FreeBSD]
From: "Andrey A. Chernov, Black Mage"
X-Class: Fast
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Lines: 20
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 972
Sender: security-owner@FreeBSD.org
Precedence: bulk

In message <199504131217.PAA21237@lune.math.tau.ac.il> adam writes:
>My suggestion is not to run Sendmail as root.
>If you want, you can
>``verify'' MAILTO, but IMHO, such a fix is begging to fail, because
>you need to start studying Sendmail and seeing what wrongs it can do
>running as root. Like, the obvious fix of searching for ``-'' fails
>for people who mail ``cron-people''.

This complex fix is really unneeded and breaks many things. Only the check *mailto == '-' is needed. Any other argument is treated as a normal address and nothing wrong happens in sending to it from root. It is equivalent to logging in as root and sending mail to somebody. It is just the way I fixed it in -current.

--
Andrey A. Chernov : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3 : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849

From owner-freebsd-security Thu Apr 13 09:34:33 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id JAA20516 for security-outgoing; Thu, 13 Apr 1995 09:34:33 -0700
Received: from mpp.com (dialup-1-21.gw.umn.edu [134.84.101.21]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id JAA20500 for ; Thu, 13 Apr 1995 09:34:21 -0700
Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id LAA07243; Thu, 13 Apr 1995 11:31:22 -0500
From: Mike Pritchard
Message-Id: <199504131631.LAA07243@mpp.com>
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
To: ache@astral.msk.su (Andrey A. Chernov, Black Mage)
Date: Thu, 13 Apr 1995 11:31:22 -0500 (CDT)
Cc: pritc003@maroon.tc.umn.edu, freebsd-security@FreeBSD.org
In-Reply-To: from "Andrey A.
Chernov, Black Mage" at Apr 13, 95 01:40:53 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 3529
Sender: security-owner@FreeBSD.org
Precedence: bulk

> >>
> >> ache 95/04/12 11:57:40
> >>
> >> Modified: usr.sbin/cron/cron do_command.c
> >> Log:
> >> Close MAILTO security hole
>
> >I took a look at your fix, and the security hole is still there. Simply
> >checking if the first character of the MAILTO variable is a '-' isn't
> >enough, since I could simply prefix the MAILTO variable with a space (or
> >lots of them or whatever).
>
> Did you really try, e.g.,
>
> sendmail ' -v'

Yes, I just got your fix via sup and was able to obtain root access even with your fix installed. Here is what I set my MAILTO variable to:

MAILTO=" -C/usr/tmp/c test"

This is then sprintf'ed into a string, which is then parsed with "strtok" to split the string up. Strtok skips the leading spaces, and you wind up with a valid argument to sendmail.

Just so you are sure I've got your fix, here is the Id string from do_command.c:

static char rcsid[] = "$Id: do_command.c,v 1.2 1995/04/12 18:57:37 ache Exp $";

> >I can also add additional arguments,
> >which with sendmail isn't a problem, but what if the administrator chooses
> >to edit cron/config.h and use a different mail delivery program?
> >when who knows how those extra arguments are going to be used.
>
> It is the administrator's fault.

Even if you use sendmail, who knows what might change in sendmail in the future that might allow this to cause problems? There may even be a way right now to exploit the extra arguments that no one has thought of yet.

> >I still think that the best way to fix this problem is to require that
> >the user name that cron intends to send mail to points to a valid login
> >name (which my fix does).
> >That way there is no doubt that the user isn't
> >passing something funny in the variable that may be interpreted by either
> >the popen call or sendmail in some unintended manner. Programs that run as
> >root should be as restrictive as possible with user supplied parameters that
> >they pass off to other programs that are also going to be run as root (or
> >as anything other than the calling user). They shouldn't try and decide if
> >the parameters look "OK" enough to pass along. They should require that
> >they conform to a very strictly defined format.
>
> Your fix breaks MAILTO handling according to cron manpage.

How? The cron man page states:

 ...
 current minute. When executing commands, any output is
 mailed to the owner of the crontab (or to the user named
 in the MAILTO environment variable in the crontab, if such
 exists).

It doesn't sound like cron is saying that it allows anything other than a valid user name in the MAILTO variable. It doesn't say anything about mailing to a mail address, just to a user. If you need the mail to go somewhere else, either set up an account that cron can mail to that you can forward in /etc/aliases, or if you are a normal user, use one of the mail filtering programs to do it for you. Cron shouldn't have to worry about anything other than delivering mail back to a valid local user.

I still think that the best fix is to only allow valid local user names to be specified in the MAILTO variable. Then there is no doubt that the user isn't able to spoof sendmail. Either that or run sendmail as the user and let them put anything they like in the MAILTO variable.

> Andrey A. Chernov : And I rest so composedly, /Now, in my bed,

--
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way. Really fast.
If something gets in your way, turn"

From owner-freebsd-security Thu Apr 13 09:53:58 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id JAA20828 for security-outgoing; Thu, 13 Apr 1995 09:53:58 -0700
Received: from trout.sri.MT.net (trout.sri.MT.net [204.182.243.12]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id JAA20819 for ; Thu, 13 Apr 1995 09:53:54 -0700
Received: (from nate@localhost) by trout.sri.MT.net (8.6.11/8.6.11) id KAA26380; Thu, 13 Apr 1995 10:52:51 -0600
Date: Thu, 13 Apr 1995 10:52:51 -0600
From: Nate Williams
Message-Id: <199504131652.KAA26380@trout.sri.MT.net>
In-Reply-To: Mike Pritchard "Re: cvs commit: src/usr.sbin/cron/cron do_command.c" (Apr 13, 11:31am)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: Mike Pritchard , ache@astral.msk.su (Andrey A. Chernov, Black Mage)
Subject: Re: cvs commit: src/usr.sbin/cron/cron do_command.c
Cc: freebsd-security@FreeBSD.org
Sender: security-owner@FreeBSD.org
Precedence: bulk

> > >I still think that the best way to fix this problem is to require that
> > >the user name that cron intends to send mail to points to a valid login
> > >name (which my fix does).
> > Your fix breaks MAILTO handling according to cron manpage.
>
> How? The cron man page states:
> ...
> current minute. When executing commands, any output is
> mailed to the owner of the crontab (or to the user named
> in the MAILTO environment variable in the crontab, if such
> exists).
>
> It doesn't sound like cron is saying that it allows anything other
> than a valid user name in the MAILTO variable. It doesn't say anything
> about mailing to a mail address, just to a user. If you need the mail
> to go somewhere else, either set up an account that cron can mail to
> that you can forward in /etc/aliases, or if you are a normal user, use
> one of the mail filtering programs to do it for you.
> Cron shouldn't
> have to worry about anything other than delivering mail back to a
> valid local user.

I don't understand the problem completely, but I agree with Mike. You shouldn't be allowed to set MAILTO to anything but a local username. Nothing more, nothing less. If you need more flexibility then cron isn't the program to provide it to you. Any un-necessary flexibility provided in setuid/setgid programs almost always creates security bugs.

Nate

From owner-freebsd-security Fri Apr 14 01:53:04 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id BAA11337 for security-outgoing; Fri, 14 Apr 1995 01:53:04 -0700
Received: from mpp.com (dialup-3-199.gw.umn.edu [134.84.101.199]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id BAA11331 for ; Fri, 14 Apr 1995 01:52:55 -0700
Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id DAA00743; Fri, 14 Apr 1995 03:52:09 -0500
From: Mike Pritchard
Message-Id: <199504140852.DAA00743@mpp.com>
Subject: Re: cvs commit: src/usr.sbin/cron/cron Makefile do_command.c bitstring.3 bitstring.h
To: ache@freefall.cdrom.com (Andrey A. Chernov)
Date: Fri, 14 Apr 1995 03:52:08 -0500 (CDT)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199504132058.NAA27172@freefall.cdrom.com> from "Andrey A. Chernov" at Apr 13, 95 01:58:16 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1494
Sender: security-owner@FreeBSD.org
Precedence: bulk

> ache 95/04/13 13:58:15
>
> Modified: usr.sbin/cron/cron Makefile do_command.c
> Removed: usr.sbin/cron/cron bitstring.3 bitstring.h
> Log:
> Really fix MAILTO hole by parsing spaces.
> Remove local bitstring copy

So far I haven't been able to get root with this fix in, but there are still MAILTO related problems. If I feed cron a MAILTO variable that contains more than 100 arguments, it will core dump due to going past the end of an array.
Someone might be able to exploit that somehow. For example:

MAILTO=a a a a a a a a ...and so on...arg101 arg102 arg103

I can also overrun the "mailcmd" buffer that the sendmail command + arguments is sprintfed into by having a 1000 character MAILTO variable.

Both of these are good examples of why suid root programs that work with user supplied arguments should only accept arguments that conform to a strictly defined format. Cron_popen() needs to be fixed to check that it isn't going past the end of the argument array to fix the above problem and do_command() should call snprintf() instead of sprintf() to prevent overruns of the mailcmd buffer.

There may be other ways to make cron blow up with a strange MAILTO variable, but these are the first two I found without much work.

Again, changing cron to require that MAILTO only contain a valid local user name avoids both of these problems.

--
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way. Really fast. If something gets in your way, turn"

From owner-freebsd-security Fri Apr 14 03:52:19 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id DAA14350 for security-outgoing; Fri, 14 Apr 1995 03:52:19 -0700
Received: from mpp.com (dialup-4-43.gw.umn.edu [128.101.96.43]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id DAA14342 for ; Fri, 14 Apr 1995 03:52:15 -0700
Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id FAA11038; Fri, 14 Apr 1995 05:51:14 -0500
From: Mike Pritchard
Message-Id: <199504141051.FAA11038@mpp.com>
Subject: Re: cvs commit: src/usr.sbin/cron/cron Makefile do_command.c bitstring.3 bitstring.h
To: ache@freefall.cdrom.com (Andrey A. Chernov)
Date: Fri, 14 Apr 1995 05:51:14 -0500 (CDT)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199504132058.NAA27172@freefall.cdrom.com> from "Andrey A.
Chernov" at Apr 13, 95 01:58:16 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 3795
Sender: security-owner@FreeBSD.org
Precedence: bulk

Ok, here is a fix for all of the currently known cron problems that also allows the user to set MAILTO to anything they please. This is done by calling sendmail with "-t" to tell it to read the recipient list from the mail header. The argument given with MAILTO is not passed on the command line, thus making it impossible for the user to spoof sendmail in any way (unless someone knows how to do it by mucking with the "To:" line in the mail header).

I hope that this fix will make everyone happy.

-Mike

*** orig/config.h Fri Apr 14 05:29:20 1995 --- ./config.h Fri Apr 14 05:28:33 1995 *************** *** 42,51 **** */ #define MAILCMD _PATH_SENDMAIL /*-*/ ! #define MAILARGS "%s -FCronDaemon -odi -oem %s" /*-*/ /* -Fx = set full-name of sender * -odi = Option Deliverymode Interactive * -oem = Option Errors Mailedtosender */ /* #define MAILCMD "/bin/mail" /*-*/ --- 42,52 ---- */ #define MAILCMD _PATH_SENDMAIL /*-*/ ! 
#define MAILARGS "%s -FCronDaemon -odi -oem -t" /*-*/ /* -Fx = set full-name of sender * -odi = Option Deliverymode Interactive * -oem = Option Errors Mailedtosender + * -t = read recipient from header of message */ /* #define MAILCMD "/bin/mail" /*-*/ *** orig/do_command.c Fri Apr 14 05:26:55 1995 --- ./do_command.c Fri Apr 14 05:40:02 1995 *************** *** 94,128 **** */ usernm = env_get("LOGNAME", e->envp); mailto = env_get("MAILTO", e->envp); - if (mailto != NULL && *mailto) { - char *head, *next; - int address_found = 0; - - head = mailto; - while (isspace(*head)) - head++; - for ( ; (next = strpbrk(head, " \t")) != NULL; head = next) { - next++; - while (isspace(*next)) - next++; - address_found = 1; - if (*head == '-') { - mailto = NULL; - break; - } - } - if (mailto != NULL && *head) { - address_found = 1; - if (*head == '-') - mailto = NULL; - } - if (!address_found) - mailto = ""; - if (mailto == NULL) { - log_it("CRON",getpid(), usernm, "attempts to crack"); - exit(ERROR_EXIT); - } - } #ifdef USE_SIGCHLD /* our parent is watching for our death by catching SIGCHLD. we --- 94,99 ---- *************** *** 395,402 **** auto char hostname[MAXHOSTNAMELEN]; (void) gethostname(hostname, MAXHOSTNAMELEN); ! (void) sprintf(mailcmd, MAILARGS, ! MAILCMD, mailto); if (!(mail = cron_popen(mailcmd, "w"))) { perror(MAILCMD); (void) _exit(ERROR_EXIT); --- 366,373 ---- auto char hostname[MAXHOSTNAMELEN]; (void) gethostname(hostname, MAXHOSTNAMELEN); ! (void) snprintf(mailcmd, sizeof(mailcmd), ! MAILARGS, MAILCMD); if (!(mail = cron_popen(mailcmd, "w"))) { perror(MAILCMD); (void) _exit(ERROR_EXIT); *** orig/popen.c Fri Apr 14 05:26:55 1995 --- ./popen.c Fri Apr 14 05:38:28 1995 *************** *** 32,37 **** --- 32,38 ---- #include + #define MAX_ARGS 100 #define WANT_GLOBBING 0 /* *************** *** 50,56 **** FILE *iop; int argc, pdes[2]; PID_T pid; ! 
char *argv[100]; #if WANT_GLOBBING char **pop, *vv[2]; int gargc; --- 51,57 ---- FILE *iop; int argc, pdes[2]; PID_T pid; ! char *argv[MAX_ARGS + 1]; #if WANT_GLOBBING char **pop, *vv[2]; int gargc; *************** *** 72,78 **** return(NULL); /* break up string into pieces */ ! for (argc = 0, cp = program;; cp = NULL) if (!(argv[argc++] = strtok(cp, " \t\n"))) break; --- 73,79 ---- return(NULL); /* break up string into pieces */ ! for (argc = 0, cp = program; argc < MAX_ARGS; cp = NULL) if (!(argv[argc++] = strtok(cp, " \t\n"))) break; From owner-freebsd-security Fri Apr 14 03:57:31 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id DAA14421 for security-outgoing; Fri, 14 Apr 1995 03:57:31 -0700 Received: from sovcom.kiae.su (sovcom.kiae.su [144.206.136.1]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id DAA14414 for ; Fri, 14 Apr 1995 03:57:25 -0700 Received: by sovcom.kiae.su id AA05213 (5.65.kiae-2 ); Fri, 14 Apr 1995 14:45:11 +0400 Received: by sovcom.KIAE.su (UUMAIL/2.0); Fri, 14 Apr 95 14:45:10 +0300 Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id OAA00385; Fri, 14 Apr 1995 14:34:15 +0400 To: Mike Pritchard Cc: freebsd-security@FreeBSD.org References: <199504140852.DAA00743@mpp.com> In-Reply-To: <199504140852.DAA00743@mpp.com>; from Mike Pritchard at Fri, 14 Apr 1995 03:52:08 -0500 (CDT) Message-Id: Organization: Olahm Ha-Yetzirah Date: Fri, 14 Apr 1995 14:34:15 +0400 X-Mailer: Mail/@ [v2.32 FreeBSD] From: "Andrey A. 
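Review bot: in the do_command.c hunk at lines 94-128, dropping the whole MAILTO inspection and relying on sendmail's -t means the recipient no longer appears on the command line, but the MAILTO value now has to be written into the To: header by the code that feeds the `mail` stream (not shown in this diff), and with -t sendmail takes To:, Cc: and Bcc: from the message. That header-writing path must therefore guarantee mailto cannot carry a newline or carriage return, otherwise a second line injected into MAILTO would be honoured as another header; if the crontab parser already excludes newlines, say so in a comment next to the header write so the dependency is visible. The matching sprintf to snprintf change in the 395-402 hunk is right.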
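Review bot: in the popen.c hunk at lines 72-78, the bounded loop `for (argc = 0, cp = program; argc < MAX_ARGS; cp = NULL)` exits when the bound is reached without ever storing the terminating NULL that the old loop got from strtok(), so argv[MAX_ARGS], the slot the `char *argv[MAX_ARGS + 1]` change reserves, is left uninitialised and the exec call that consumes argv reads past the real arguments. Either add `argv[argc] = NULL;` after the loop, or better, treat reaching MAX_ARGS as an error and return NULL, since a mail command with 100 arguments is never legitimate for cron.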
Chernov, Black Mage"
X-Class: Fast
Subject: Re: cvs commit: src/usr.sbin/cron/cron Makefile do_command.c bitstring.3 bitstring.h
Lines: 38
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 1721
Sender: security-owner@FreeBSD.org
Precedence: bulk

In message <199504140852.DAA00743@mpp.com> Mike Pritchard writes:
>> ache 95/04/13 13:58:15
>>
>> Modified: usr.sbin/cron/cron Makefile do_command.c
>> Removed: usr.sbin/cron/cron bitstring.3 bitstring.h
>> Log:
>> Really fix MAILTO hole by parsing spaces.
>> Remove local bitstring copy

>I can also overrun the "mailcmd" buffer that the sendmail command + arguments
>is sprintfed into by having a 1000 character MAILTO variable.

>Both of these are good examples of why suid root programs that work with
>user supplied arguments should only accept arguments that conform to a
>strictly defined format. Cron_popen() needs to be fixed to check that it
>isn't going past the end of the argument array to fix the above problem
>and do_command() should call snprintf() instead of sprintf() to prevent
>overruns of the mailcmd buffer.

I'll try to look at it; maybe cron_popen() doesn't even need fixing, only adding a count to the sscanf (NAME = %[^#\n]) can help, but I am not sure yet...

>Again, changing cron to require that MAILTO only contain a valid local
>user name avoids both of these problems.

I don't understand how local user names can fix overflow problems. I don't understand the advantage of local names either; you can make a .forward with all needed aliases in any case. The manpage doesn't say that it can contain local users only; it can be my home address, f.e. (as opposed to my office address).

--
Andrey A. Chernov : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3 : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849

From owner-freebsd-security Fri Apr 14 13:37:20 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id NAA04241 for security-outgoing; Fri, 14 Apr 1995 13:37:20 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id NAA04222 ; Fri, 14 Apr 1995 13:36:52 -0700
Received: from localhost (localhost [127.0.0.1]) by grunt.grondar.za (8.6.11/8.6.9) with SMTP id WAA00906; Fri, 14 Apr 1995 22:37:00 +0200
Message-Id: <199504142037.WAA00906@grunt.grondar.za>
X-Authentication-Warning: grunt.grondar.za: Host localhost didn't use HELO protocol
To: ports@FreeBSD.org, security@FreeBSD.org
Subject: Gabriel - anyone interested?
Date: Fri, 14 Apr 1995 22:36:59 +0200
From: Mark Murray
Sender: security-owner@FreeBSD.org
Precedence: bulk

I don't have the facilities to test this, except that I got a copy and it compiles under current. Anyone care to bang on it? Seems like a good idea?

Gabriel is a SATAN detector. I am told it is quite good.

M

------- Forwarded Message

From: dennis@nebulus.net (Dennis Breckenridge)
Subject: Re: Gabriel For BSD/OS 2.0
To: dennis@nebulus.net (Dennis Breckenridge)
Date: Fri, 14 Apr 1995 11:06:37 -0700 (PDT)
Cc: gabriel@lat.com
Sender: owner-gabriel@lat.com
Precedence: bulk

Dennis Breckenridge sez:
>
> I have modified Gabriel to use tcpdump under BSDI (BSD/OS 2.0). If
> anyone is interested in this package it's available at:
>
> ftp://ftp.nebulus.net/pub/bsdi/security/gabriel1.0-bsdi2.tar.gz

I updated the program to support listening to any interface by specifying it on the command line. I also rolled a few bug fixes into the scripts. The new and improved program is at:

ftp://ftp.nebulus.net/pub/bsdi/security/gabriel1.1-bsdi2.tar.gz

- --
Dennis
"Not Everything can be a Solaris bug!"
- Ross Alexander

------- End of Forwarded Message

From owner-freebsd-security Fri Apr 14 17:19:07 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id RAA19172 for security-outgoing; Fri, 14 Apr 1995 17:19:07 -0700
Received: from mail.barrnet.net (mail.BARRNET.NET [131.119.246.7]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id RAA19127 for ; Fri, 14 Apr 1995 17:17:26 -0700
Received: from vector.eikon.e-technik.tu-muenchen.de (vector.eikon.e-technik.tu-muenchen.de [129.187.142.36]) by mail.barrnet.net (8.6.10/MAIL-RELAY-LEN) with ESMTP id RAA06588 for ; Fri, 14 Apr 1995 17:13:22 -0700
Received: from localhost (localhost [127.0.0.1]) by vector.eikon.e-technik.tu-muenchen.de (8.6.11/8.6.9) with SMTP id TAA03555; Wed, 12 Apr 1995 19:55:36 +0200
Message-Id: <199504121755.TAA03555@vector.eikon.e-technik.tu-muenchen.de>
X-Authentication-Warning: vector.eikon.e-technik.tu-muenchen.de: Host localhost didn't use HELO protocol
To: Christoph Kukulies
cc: jhs@regent.e-technik.tu-muenchen.de (Julian Howard Stacey), freebsd-security@FreeBSD.org
Subject: Re: satan "heavy" mode attacks
In-reply-to: Your message of "Mon, 10 Apr 1995 20:11:43 +0200." <199504101811.UAA15582@gilberto.physik.rwth-aachen.de>
Date: Wed, 12 Apr 1995 19:09:41 +0200
From: Julian Howard Stacey
Sender: security-owner@FreeBSD.org
Precedence: bulk

> From: Christoph Kukulies
> Your Mileage May Vary :-)

You understand American better than I do !
(I'm English :-)

Julian S

From owner-freebsd-security Fri Apr 14 17:24:42 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id RAA19264 for security-outgoing; Fri, 14 Apr 1995 17:24:42 -0700
Received: from mail.barrnet.net (mail.BARRNET.NET [131.119.246.7]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id RAA19153 for ; Fri, 14 Apr 1995 17:18:52 -0700
Received: from vector.eikon.e-technik.tu-muenchen.de (vector.eikon.e-technik.tu-muenchen.de [129.187.142.36]) by mail.barrnet.net (8.6.10/MAIL-RELAY-LEN) with ESMTP id RAA06591 for ; Fri, 14 Apr 1995 17:13:33 -0700
Received: (from jhs@localhost) by vector.eikon.e-technik.tu-muenchen.de (8.6.11/8.6.9) id TAA01259 for security@freebsd.org; Wed, 12 Apr 1995 19:55:15 +0200
Date: Wed, 12 Apr 1995 19:55:15 +0200
From: Julian Howard Stacey
Message-Id: <199504121755.TAA01259@vector.eikon.e-technik.tu-muenchen.de>
To: security@FreeBSD.org
Subject: satan as a trojan
Sender: security-owner@FreeBSD.org
Precedence: bulk

An extract on paper from a jpl.nasa.gov internal doc, makes the point one must be careful which site one gets Satan source from, as tampered code could contain hidden code.

It'd be all too easy to reflexively :
    archie satan .... ftp ... run

What better target for a trojan horse disseminator, than the machines of people concerned enough to run security checkers.

It's a case where a `blessed` port stored locally on freefall could be reassuring, also ideally such port should only be updated after the maintainer actually understands the upgrade diffs from his master feed site :-)

I guess if one ftp's some kind of checksum off the Satan master site & the code itself off a local high speed site it should be OK, but I suspect `cksum` can be easily fooled, so I hope & assume Satan master site will be offering something harder to forge.

I'll wait for someone else to port Satan, I'm spending time on Hylafax (replaces flexfax).
Julian Stacey

From owner-freebsd-security Fri Apr 14 17:26:37 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id RAA19331 for security-outgoing; Fri, 14 Apr 1995 17:26:37 -0700
Received: from vector.eikon.e-technik.tu-muenchen.de (vector.eikon.e-technik.tu-muenchen.de [129.187.142.36]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id RAA19142 for ; Fri, 14 Apr 1995 17:18:37 -0700
Received: from localhost (localhost [127.0.0.1]) by vector.eikon.e-technik.tu-muenchen.de (8.6.11/8.6.9) with SMTP id TAA02162; Wed, 12 Apr 1995 19:55:34 +0200
Message-Id: <199504121755.TAA02162@vector.eikon.e-technik.tu-muenchen.de>
X-Authentication-Warning: vector.eikon.e-technik.tu-muenchen.de: Host localhost didn't use HELO protocol
To: Nate Williams
cc: Julian Howard Stacey , freebsd-security@FreeBSD.org
Subject: Re: satan "heavy" mode attacks
In-reply-to: Your message of "Mon, 10 Apr 1995 19:20:49 +0200." <199504101720.LAA02377@trout.sri.MT.net>
Date: Wed, 12 Apr 1995 19:05:47 +0200
From: Julian Howard Stacey
Sender: security-owner@FreeBSD.org
Precedence: bulk

> > John, what's YMMV short for ?
> Your Mileage May Vary. (You may get different results than his)

Oh, yes, I suppose so, I've only seen it in fill before, Thanks !
Julian S From owner-freebsd-security Sat Apr 15 09:10:57 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id JAA15779 for security-outgoing; Sat, 15 Apr 1995 09:10:57 -0700 Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id JAA15762 for ; Sat, 15 Apr 1995 09:10:39 -0700 Received: by sequent.kiae.su id AA15623 (5.65.kiae-2 ); Sat, 15 Apr 1995 20:03:29 +0400 Received: by sequent.KIAE.su (UUMAIL/2.0); Sat, 15 Apr 95 20:03:28 +0400 Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id UAA00811; Sat, 15 Apr 1995 20:01:50 +0400 Resent-To: dennis@nebulus.net, gabriel@lat.com, mark@grondar.za, security@FreeBSD.org Resent-Message-Id: Resent-Organization: Olahm Ha-Yetzirah Resent-Date: Sat, 15 Apr 1995 20:01:49 +0400 Resent-X-Mailer: Mail/@ [v2.32 FreeBSD] Resent-From: "Andrey A. Chernov, Black Mage" Resent-Return-Receipt-To: ache@astral.msk.su Resent-X-Class: Fast Resent-Precedence: special-delivery Received: from kiae.UUCP (ache@localhost) by astral.msk.su (8.6.8/8.6.6) with UUCP id TAA00595 for ache; Sat, 15 Apr 1995 19:37:19 +0400 Received: from avangard.master.nsk.su (small.master.nsk.su) by sovcom.kiae.su with SMTP id AA14044 (5.65.kiae-2 for ); Sat, 15 Apr 1995 15:13:38 +0400 Received: (from joker@localhost) by avangard.master.nsk.su (8.6.11/8.6.9) id SAA09249 for ache@astral.msk.su; Sat, 15 Apr 1995 18:02:02 +0700 Date: Sat, 15 Apr 1995 18:02:02 +0700 From: Serge Goncharov Message-Id: <199504151102.SAA09249@avangard.master.nsk.su> To: ache@astral.msk.su Subject: Gabriel patch for FreeBSD 2.0 Sender: security-owner@FreeBSD.org Precedence: bulk diff --new-file -P -r -c ../../gabriel-1.0/Makefile ./Makefile *** ../../gabriel-1.0/Makefile Thu Apr 6 10:02:54 1995 --- ./Makefile Thu Apr 13 20:57:03 1995 *************** *** 9,14 **** --- 9,15 ---- sol1-compile = cc -g -D__sol1__ $(dbg-flags) #sol2-compile = on latsol2 gcc -g $(dbg-flags) 
sol2-compile = gcc -g -D__sol2__ $(dbg-flags) + freebsd-compile = gcc -g -D__freebsd__ $(dbg-flags) # If you can execute the pwd command with your make program # put it here. *************** *** 18,34 **** sol1/list.o sol1/copyright.o client_sol2_objects = sol2/gabriel_client.o sol2/hostrec.o \ sol2/list.o sol2/copyright.o ! all: @echo "Gabriel comes with pre-compiled binaries, so" @echo "you do not need to re-make them." @echo "Just following the directions in the gabriel.8 man page." ! @echo "Type \"nroff -man gabriel.8\" to display it. ! @echo " " @echo "If you want to make Gabriel from sources, then:" @echo "On a solaris 1 system type 'make solaris1'" @echo "On a solaris 2 system type 'make solaris2'" solaris1: sol1 gabriel_client.sol1 --- 19,37 ---- sol1/list.o sol1/copyright.o client_sol2_objects = sol2/gabriel_client.o sol2/hostrec.o \ sol2/list.o sol2/copyright.o ! client_freebsd_objects = Freebsd/gabriel_client.o Freebsd/hostrec.o \ ! Freebsd/list.o Freebsd/copyright.o all: @echo "Gabriel comes with pre-compiled binaries, so" @echo "you do not need to re-make them." @echo "Just following the directions in the gabriel.8 man page." ! @echo "Type \"nroff -man gabriel.8\" to display it." ! 
@echo " " @echo "If you want to make Gabriel from sources, then:" @echo "On a solaris 1 system type 'make solaris1'" @echo "On a solaris 2 system type 'make solaris2'" + @echo "On FreeBSD system type 'make freebsd'" solaris1: sol1 gabriel_client.sol1 *************** *** 38,50 **** --- 41,57 ---- gabriel_client.sol2: sol2 + freebsd: Freebsd gabriel_client.freebsd + clean: rm -rf sol1 rm -rf sol2 + rm -rf Freebsd # rm -f gabriel_client.sol1 gabriel_client.sol2 rm -f client_error_log client_uname_info syslog_slice rm -f *.crontab rm -f *~ core + rm -f gabriel_client.freebsd sol1: mkdir $@ *************** *** 52,84 **** --- 59,108 ---- sol2: mkdir $@ + Freebsd: + mkdir $@ + sol1/gabriel_client.o: gabriel_client.c cd sol1 ; $(sol1-compile) -c $(cwd)/$< sol2/gabriel_client.o: gabriel_client.c cd sol2 ; $(sol2-compile) -c $(cwd)/$< + Freebsd/gabriel_client.o: gabriel_client.c + cd Freebsd ; $(freebsd-compile) -c $(cwd)/gabriel_client.c + sol1/hostrec.o: hostrec.c cd sol1 ; $(sol1-compile) -c $(cwd)/$< sol2/hostrec.o: hostrec.c cd sol2 ; $(sol2-compile) -c $(cwd)/$< + Freebsd/hostrec.o: hostrec.c + cd Freebsd ; $(freebsd-compile) -c $(cwd)/hostrec.c + sol1/list.o: list.c cd sol1 ; $(sol1-compile) -c $(cwd)/$< sol2/list.o: list.c cd sol2 ; $(sol2-compile) -c $(cwd)/$< + Freebsd/list.o: list.c + cd Freebsd ; $(freebsd-compile) -c $(cwd)/list.c + sol1/copyright.o: copyright.c cd sol1 ; $(sol1-compile) -c $(cwd)/$< sol2/copyright.o: copyright.c cd sol2 ; $(sol2-compile) -c $(cwd)/$< + Freebsd/copyright.o: copyright.c + cd Freebsd ; $(freebsd-compile) -c $(cwd)/copyright.c + gabriel_client.sol1: $(client_sol1_objects) $(sol1-compile) -o gabriel_client.sol1 $(client_sol1_objects) gabriel_client.sol2: $(client_sol2_objects) $(sol2-compile) -o gabriel_client.sol2 $(client_sol2_objects) + gabriel_client.freebsd: $(client_freebsd_objects) + $(freebsd-compile) -o gabriel_client.freebsd $(client_freebsd_objects) diff --new-file -P -r -c ../../gabriel-1.0/PATCH ./PATCH *** 
../../gabriel-1.0/PATCH Thu Jan 1 07:00:00 1970 --- ./PATCH Fri Apr 14 16:19:02 1995 *************** *** 0 **** --- 1,125 ---- + diff --new-file -P -r -c ../../gabriel-1.0/Makefile ./Makefile + *** ../../gabriel-1.0/Makefile Thu Apr 6 10:02:54 1995 + --- ./Makefile Thu Apr 13 20:57:03 1995 + *************** + *** 9,14 **** + --- 9,15 ---- + sol1-compile = cc -g -D__sol1__ $(dbg-flags) + #sol2-compile = on latsol2 gcc -g $(dbg-flags) + sol2-compile = gcc -g -D__sol2__ $(dbg-flags) + + freebsd-compile = gcc -g -D__freebsd__ $(dbg-flags) + + # If you can execute the pwd command with your make program + # put it here. + *************** + *** 18,34 **** + sol1/list.o sol1/copyright.o + client_sol2_objects = sol2/gabriel_client.o sol2/hostrec.o \ + sol2/list.o sol2/copyright.o + ! + + all: + @echo "Gabriel comes with pre-compiled binaries, so" + @echo "you do not need to re-make them." + @echo "Just following the directions in the gabriel.8 man page." + ! @echo "Type \"nroff -man gabriel.8\" to display it. + ! @echo " " + @echo "If you want to make Gabriel from sources, then:" + @echo "On a solaris 1 system type 'make solaris1'" + @echo "On a solaris 2 system type 'make solaris2'" + + solaris1: sol1 gabriel_client.sol1 + + --- 19,37 ---- + sol1/list.o sol1/copyright.o + client_sol2_objects = sol2/gabriel_client.o sol2/hostrec.o \ + sol2/list.o sol2/copyright.o + ! client_freebsd_objects = Freebsd/gabriel_client.o Freebsd/hostrec.o \ + ! Freebsd/list.o Freebsd/copyright.o + + all: + @echo "Gabriel comes with pre-compiled binaries, so" + @echo "you do not need to re-make them." + @echo "Just following the directions in the gabriel.8 man page." + ! @echo "Type \"nroff -man gabriel.8\" to display it." + ! 
@echo " " + @echo "If you want to make Gabriel from sources, then:" + @echo "On a solaris 1 system type 'make solaris1'" + @echo "On a solaris 2 system type 'make solaris2'" + + @echo "On FreeBSD system type 'make freebsd'" + + solaris1: sol1 gabriel_client.sol1 + + *************** + *** 38,50 **** + --- 41,57 ---- + + gabriel_client.sol2: sol2 + + + freebsd: Freebsd gabriel_client.freebsd + + + clean: + rm -rf sol1 + rm -rf sol2 + + rm -rf Freebsd + # rm -f gabriel_client.sol1 gabriel_client.sol2 + rm -f client_error_log client_uname_info syslog_slice + rm -f *.crontab + rm -f *~ core + + rm -f gabriel_client.freebsd + + sol1: + mkdir $@ + *************** + *** 52,84 **** + --- 59,108 ---- + sol2: + mkdir $@ + + + Freebsd: + + mkdir $@ + + + sol1/gabriel_client.o: gabriel_client.c + cd sol1 ; $(sol1-compile) -c $(cwd)/$< + + sol2/gabriel_client.o: gabriel_client.c + cd sol2 ; $(sol2-compile) -c $(cwd)/$< + + + Freebsd/gabriel_client.o: gabriel_client.c + + cd Freebsd ; $(freebsd-compile) -c $(cwd)/gabriel_client.c + + + sol1/hostrec.o: hostrec.c + cd sol1 ; $(sol1-compile) -c $(cwd)/$< + + sol2/hostrec.o: hostrec.c + cd sol2 ; $(sol2-compile) -c $(cwd)/$< + + + Freebsd/hostrec.o: hostrec.c + + cd Freebsd ; $(freebsd-compile) -c $(cwd)/hostrec.c + + + sol1/list.o: list.c + cd sol1 ; $(sol1-compile) -c $(cwd)/$< + + sol2/list.o: list.c + cd sol2 ; $(sol2-compile) -c $(cwd)/$< + + + Freebsd/list.o: list.c + + cd Freebsd ; $(freebsd-compile) -c $(cwd)/list.c + + + sol1/copyright.o: copyright.c + cd sol1 ; $(sol1-compile) -c $(cwd)/$< + + sol2/copyright.o: copyright.c + cd sol2 ; $(sol2-compile) -c $(cwd)/$< + + + Freebsd/copyright.o: copyright.c + + cd Freebsd ; $(freebsd-compile) -c $(cwd)/copyright.c + + + gabriel_client.sol1: $(client_sol1_objects) + $(sol1-compile) -o gabriel_client.sol1 $(client_sol1_objects) + + gabriel_client.sol2: $(client_sol2_objects) + $(sol2-compile) -o gabriel_client.sol2 $(client_sol2_objects) + + + gabriel_client.freebsd: 
$(client_freebsd_objects) + + $(freebsd-compile) -o gabriel_client.freebsd $(client_freebsd_objects) diff --new-file -P -r -c ../../gabriel-1.0/gabriel_client ./gabriel_client *** ../../gabriel-1.0/gabriel_client Thu Apr 6 04:33:06 1995 --- ./gabriel_client Wed Apr 12 17:20:53 1995 *************** *** 37,48 **** PATH=/bin:/usr/bin:/usr/5bin:/usr/sbin:. ostype=`uname` ! if [ $ostype != "SunOS" ]; then ! echo "The $ostype operating system is not supported." ! exit ! fi - osver=`uname -r` case $osver in 4.*) # echo Solaris 1: $ostype $osver --- 37,51 ---- PATH=/bin:/usr/bin:/usr/5bin:/usr/sbin:. ostype=`uname` ! case $ostype in ! "SunOS") osver=`uname -r` ! ;; ! "FreeBSD") osver=freebsd ! ;; ! *) echo "The $ostype operating system is not supported." ! exit ! esac case $osver in 4.*) # echo Solaris 1: $ostype $osver *************** *** 51,56 **** --- 54,61 ---- 5.*) # echo Solaris 2: $ostype $osver suffix=sol2 + ;; + freebsd) suffix=freebsd ;; *) echo The $osver release of $ostype is not supported. diff --new-file -P -r -c ../../gabriel-1.0/gabriel_client.c ./gabriel_client.c *** ../../gabriel-1.0/gabriel_client.c Thu Apr 6 04:33:09 1995 --- ./gabriel_client.c Thu Apr 13 23:20:07 1995 *************** *** 1,4 **** ! /* LAT's Gabriel network probe (e.g., SATAN) detector. * * Module: Top level of client probe monitor. * Author: Dr. Robert W. Baldwin. --- 1,4 ---- ! /* * * Module: Top level of client probe monitor. * Author: Dr. Robert W. Baldwin. *************** *** 26,32 **** /* Define this to enable debugging messages. */ #define GABRIEL_CLIENT_DEBUG ! /* #define GABRIEL_PROBE_DEBUG */ /* Forward references. */ --- 26,32 ---- /* Define this to enable debugging messages. */ #define GABRIEL_CLIENT_DEBUG ! #define GABRIEL_PROBE_DEBUG /* Forward references. 
*/ *************** *** 35,40 **** --- 35,42 ---- extern void do_solaris2(); extern void parse_sol2_pkt(); extern void record_probe(); + extern void do_freebsd(); + extern void parse_freebsd_pkt(); extern void check_threshold(); extern void probe_checker(); extern void log_probing(); *************** *** 101,106 **** --- 103,114 ---- { do_solaris2(argc, argv); } + } else if (0 == strcmp(suffix, ".freebsd")) + { + while (1) + { + do_freebsd(argc, argv); + } } else { (void)printf("%s: Unacceptable program suffix.\n", *************** *** 175,181 **** { (void)printf("%s: Cannot spawn packet filter.\n", program_name); ! perror("/usr/etc/etherfind"); exit(1); } --- 183,189 ---- { (void)printf("%s: Cannot spawn packet filter.\n", program_name); ! perror("/usr/sbin/snoop"); exit(1); } *************** *** 195,200 **** --- 203,249 ---- } + /* Look for network probe signature on FreeBSD. + */ + void + do_freebsd(argc, argv) + int argc; + char *argv[]; + { + FILE *pkt_filter; + char linebuf[LINEBUF_SIZE]; + char *src_host, *service; /* Ptrs within linebuf. */ + + + /* Keep lint happy. */ + (void) argc; + (void) argv; + + pkt_filter = popen(FREEBSD_POPEN_ARG, "r"); + if (pkt_filter == NULL) + { + (void)printf("%s: Cannot spawn packet filter.\n", + program_name); + perror("/usr/sbin/tspdump"); + exit(1); + } + + while (1) + { + if (NULL == fgets(linebuf, LINEBUF_SIZE, pkt_filter)) + { + (void)printf("%s: The packet filter terminated.\n", + program_name); + pclose(pkt_filter); + return; + } + parse_freebsd_pkt(linebuf, &src_host, &service); + record_probe(src_host, service); + check_threshold(); + } + } + + /* Parse a packet filter line to extract * the source host and service being probed. * For now we do not care about the destination host. *************** *** 378,383 **** --- 427,531 ---- *servicep = service; } + /* Parse a packet filter line to extract + * the source host and service being probed. + * For now we do not care about the destination host. 
+ * The linebuf is modified by adding nulls and + * the src_hostp and servicep pointers are set to + * the appropriate places within linebuf. + * The results might be symbolic ("telnet") or + * numeric ("23") ascii strings. + * If the line is inappropriate, src_hostp is set to NULL. + */ + void + parse_freebsd_pkt(linebuf, src_hostp, servicep) + char *linebuf; + char **src_hostp; /* Returned */ + char **servicep; /* Returned */ + { + char *host; + char *p, *rest, *s; + int i; + + + /* Handle bogus lines. */ + *src_hostp = ""; + *servicep = ""; + + /* Host name is the second word. + * This would all be easy to do in perl, but one of + * the design rules is to avoid perl. + */ + for (host = linebuf, i = 1 ; i > 0 ; i--) + { + for ( ; *host != ' ' ; host++) + { + if (*host == 0) + return; + } + host++; + } + + /* Strip the source port number from host name. + * ICMP packets do not have source port numbers. + */ + /* Advance p to the end of the host field. */ + for (p = host ; *p != ' ' ; p++) + { + if (*p == 0) + return; + } + rest = &(p[1]); + + s = strstr(linebuf, "icmp:") ; + + if ( s == NULL ) + { /* Skip back to the last dot and change it to a null. */ + for ( ; *p != '.' ; p--) + { + if (*p == 0) + return; + } + } + *p++ = 0; + + if ( s != NULL ) + { + p = SERVICE_PING; + } else + { + /* The service is last part of the forhth word. + */ + /* Advance p over two more spaces. */ + p = rest; + for (i = 2 ; i > 0 ; i--) + { + for ( ; *p != ' ' ; p++) + { + if (*p == 0) + return; + } + p++; + } + + *--p = 0; /* Terminate the service. */ + /* Backup to just after the last dot. */ + for ( p-- ; *p != '.' ; p--) + { + if (*p == 0) + return; + } + p++; + + /* strip ":" */ + s = index(p, ':'); + if ( s != NULL ) + *s = 0; + } + + *src_hostp = host; + *servicep = p; + } /* Record a probe in the database. 
* For each source host track the most recent event diff --new-file -P -r -c ../../gabriel-1.0/gabriel_client.h ./gabriel_client.h *** ../../gabriel-1.0/gabriel_client.h Thu Apr 6 04:27:16 1995 --- ./gabriel_client.h Thu Apr 13 18:25:52 1995 *************** *** 98,103 **** --- 98,120 ---- or ip dst port 30000 \ */ + /* Arguments to the FreeBSD BPF filter. + */ + #define FREEBSD_POPEN_ARG \ + "/usr/sbin/tcpdump -v -l 2>&1 \ + tcp[13] = 2 \ + or icmp[0] = 8 \ + or dst port sunrpc \ + or dst port 1 \ + or dst port 10 \ + or dst port 100 \ + or dst port 1000 \ + or dst port 5000 \ + or dst port 10000 \ + or dst port 20000 \ + or dst port 30000 \ + " + /* Ignore Solaris 1 pkts line that do not start with * one of these words. */ diff --new-file -P -r -c ../../gabriel-1.0/gabriel_server ./gabriel_server *** ../../gabriel-1.0/gabriel_server Thu Apr 6 13:09:05 1995 --- ./gabriel_server Wed Apr 12 17:19:17 1995 *************** *** 44,53 **** #################### initialize () { ! LOG_FILE="/var/adm/gabriel.log" ! CONFIG_FILE="/etc/gabriel.conf" - LOGGER="/usr/ucb/logger" PRIORITY="local3" IDENTIFIER="gabriel" --- 44,61 ---- #################### initialize () { ! ostype=`uname` ! case $ostype in ! "FreeBSD") LOG_FILE="/var/log/gabriel.log" ! CONFIG_FILE="/usr/local/etc/gabriel.conf" ! LOGGER="/usr/bin/logger" ! ;; ! *) LOG_FILE="/var/adm/gabriel.log" ! CONFIG_FILE="/etc/gabriel.conf" ! LOGGER="/usr/ucb/logger" ! ;; ! esac PRIORITY="local3" IDENTIFIER="gabriel" *************** *** 230,236 **** ############################## PROGRAM=$0 ! PATH="/bin:/usr/bin" initialize # parse arguments --- 238,244 ---- ############################## PROGRAM=$0 ! PATH="/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin" initialize # parse arguments diff --new-file -P -r -c ../../gabriel-1.0/gabriel_tester ./gabriel_tester *** ../../gabriel-1.0/gabriel_tester Thu Apr 6 07:34:56 1995 --- ./gabriel_tester Wed Apr 12 17:33:51 1995 *************** *** 12,30 **** echo "" ostype=`uname` ! 
if [ $ostype != "SunOS" ]; then ! echo "The $ostype operating system is not supported." ! exit ! fi - osver=`uname -r` case $osver in 4.*) suffix=sol1 ;; 5.*) suffix=sol2 ;; *) echo The $osver release of $ostype is not supported. exit --- 12,38 ---- echo "" ostype=`uname` ! case $ostype in ! "SunOS") osver=`uname -r` ! ;; ! "FreeBSD") osver=freebsd ! ;; ! *) echo "The $ostype operating system is not supported." ! exit ! ;; ! esac case $osver in 4.*) + # echo Solaris 1: $ostype $osver suffix=sol1 ;; 5.*) + # echo Solaris 2: $ostype $osver suffix=sol2 ;; + freebsd) suffix=freebsd + ;; *) echo The $osver release of $ostype is not supported. exit *************** *** 37,49 **** echo Probing host $host # Determine name of ping program. if [ -f /usr/sbin/ping ]; then pingpgm=/usr/sbin/ping fi if [ -f /usr/etc/ping ]; then pingpgm=/usr/etc/ping fi ! $pingpgm $host 2>&1 > /dev/null if test $? != "0" then echo Host $host is not responding --- 45,68 ---- echo Probing host $host # Determine name of ping program. + if [ -f /sbin/ping ] ; then + pingpgm=/sbin/ping + fi if [ -f /usr/sbin/ping ]; then pingpgm=/usr/sbin/ping fi if [ -f /usr/etc/ping ]; then pingpgm=/usr/etc/ping fi ! ! # I need to use packets count in FreeBSD ! case $ostype in ! "FreeBSD" ) ping_flag="-c" ! maxpings=1 ! ;; ! *) ;; ! esac ! $pingpgm $ping_flag $maxpings $host 2>&1 > /dev/null if test $? != "0" then echo Host $host is not responding *************** *** 67,73 **** maxpings=100 echo "Sending $maxpings pings to flush buffers on solaris 2 clients." i=0 ! while /bin/true do i=`expr $i + 1` $pingpgm $host 2>&1 > /dev/null --- 86,101 ---- maxpings=100 echo "Sending $maxpings pings to flush buffers on solaris 2 clients." i=0 ! case $ostype in ! "FreeBSD") trueprg=/usr/bin/true ! $pingpgm $ping_flag $maxpings $host 2>&1 > /dev/null ! exit ! ;; ! *) trueprg=/bin/true ! ;; ! esac ! ! 
while $trueprg do i=`expr $i + 1` $pingpgm $host 2>&1 > /dev/null diff --new-file -P -r -c ../../gabriel-1.0/hostrec.c ./hostrec.c *** ../../gabriel-1.0/hostrec.c Thu Apr 6 07:13:21 1995 --- ./hostrec.c Wed Apr 12 15:52:10 1995 *************** *** 11,17 **** --- 11,19 ---- #include #include #include + #ifndef __freebsd__ #include + #endif #include "gabriel_client.h" #include "hostrec.h" diff --new-file -P -r -c ../../gabriel-1.0/install_gabriel_clients ./install_gabriel_clients *** ../../gabriel-1.0/install_gabriel_clients Thu Apr 6 06:54:26 1995 --- ./install_gabriel_clients Thu Apr 13 19:45:20 1995 *************** *** 29,36 **** # Gabriel will be installed in the first directory below # if it exists, otherwise in the second one. ! dstdir1="/usr/local" ! dstdir2="/usr" gabdir="gabriel-1.0" dstdir=$dstdir1 srcdir=`pwd` --- 29,48 ---- # Gabriel will be installed in the first directory below # if it exists, otherwise in the second one. ! ! ostype=`uname` ! case $ostype in ! "SunOS") dstdir1="/usr/local" ! dstdir2="/usr" ! syspid="/etc/syslog.pid" ! ;; ! "FreeBSD") dstdir1="/usr/local/lib" ! dstdir2="/usr/local" ! syspid="/var/run/syslog.pid" ! ;; ! *) echo "The $ostype operating system is not supported." ! exit ! esac gabdir="gabriel-1.0" dstdir=$dstdir1 srcdir=`pwd` *************** *** 73,79 **** errfile="./client_error_log" osfile="./client_uname_info" syslog="/etc/syslog.conf" - syspid="/etc/syslog.pid" systag="local3.info" sysdst="@$server" sysslice="./syslog_slice" --- 85,90 ---- *************** *** 86,92 **** $rm -rf $errfile $sysslice echo $systag\ \ $sysdst > $sysslice ! while /bin/true do echo " " echo "Enter the name of a client host or control-D if done." --- 97,103 ---- $rm -rf $errfile $sysslice echo $systag\ \ $sysdst > $sysslice ! while true do echo " " echo "Enter the name of a client host or control-D if done." *************** *** 108,114 **** echo "the .rhosts file for roots home directory." continue fi ! 
if grep SunOS $osfile >/dev/null then echo else --- 119,126 ---- echo "the .rhosts file for roots home directory." continue fi ! ! if grep 'SunOS\|FreeBSD' $osfile >/dev/null then echo else diff --new-file -P -r -c ../../gabriel-1.0/install_gabriel_server ./install_gabriel_server *** ../../gabriel-1.0/install_gabriel_server Thu Apr 6 10:35:19 1995 --- ./install_gabriel_server Fri Apr 14 14:34:59 1995 *************** *** 36,48 **** initialize () { INSTALLED_FROM=`pwd` ! LOG_FILE="/var/adm/gabriel.log" ! CONFIG_FILE="/etc/gabriel.conf" SYSLOG_CONF_FILE="/etc/syslog.conf" ! if [ -d /usr/local ] ; then ! GABRIEL_HOME="/usr/local/gabriel-1.0" else ! GABRIEL_HOME="/usr/gabriel-1.0" fi if [ -x /usr/ucb/echo ] ; then echo_n="/usr/ucb/echo -n" --- 36,59 ---- initialize () { INSTALLED_FROM=`pwd` ! ostype=`uname` ! case $ostype in ! "FreeBSD") LOG_FILE="/var/log/gabriel.log" ! CONFIG_FILE="/usr/local/etc/gabriel.conf" ! ;; ! *) LOG_FILE="/var/adm/gabriel.log" ! CONFIG_FILE="/etc/gabriel.conf" ! ;; ! esac SYSLOG_CONF_FILE="/etc/syslog.conf" ! if [ -d /usr/local/lib ] ; then ! GABRIEL_HOME="/usr/local/lib/gabriel-1.0" else ! if [ -d /usr/local ] ; then ! GABRIEL_HOME="/usr/local/gabriel-1.0" ! else ! GABRIEL_HOME="/usr/gabriel-1.0" ! fi fi if [ -x /usr/ucb/echo ] ; then echo_n="/usr/ucb/echo -n" *************** *** 161,166 **** --- 172,180 ---- cp -p $_NEW $SYSLOG_CONF_FILE echo "# following line added for gabriel" >> $SYSLOG_CONF_FILE echo "local3.info $LOG_FILE" >> $SYSLOG_CONF_FILE + if [ -f /var/run/syslog.pid ] ; then + kill -HUP `cat /var/run/syslog.pid` + fi if [ -f /etc/syslogd.pid ] ; then kill -HUP `cat /etc/syslogd.pid` fi
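Review bot: in the Makefile hunk at lines 9-14, the new `freebsd-compile = gcc -g -D__freebsd__ $(dbg-flags)` defines a macro in the reserved double-underscore namespace that differs only in case from the compiler's predefined `__FreeBSD__`, and the new `#ifndef __freebsd__` guard in hostrec.c only works when that file is built through this exact rule. Either test the predefined `__FreeBSD__` directly or use a project-prefixed name such as `GABRIEL_FREEBSD`, so the guard and the flag cannot silently drift apart.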
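Review bot: in the Makefile hunk at lines 18-34, the `!` line that turns `@echo "Type \"nroff -man gabriel.8\" to display it.` into `... display it."` closes a quote the original left open; that is a bug fix unrelated to FreeBSD support and should be called out in the description so it is not lost if the port is reworked. Also, `@echo "On FreeBSD system type 'make freebsd'"` reads better as `"On a FreeBSD system type 'make freebsd'"`, matching the two Solaris lines above it.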
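Review bot: in the Makefile hunk at lines 52-84, the new `Freebsd/*.o` rules spell the source file out (`cd Freebsd ; $(freebsd-compile) -c $(cwd)/gabriel_client.c`) where the Solaris rules use `$(cwd)/$<`. If that is because `$<` is only meaningful in suffix rules under BSD make, a one-line comment above the rules would stop the next maintainer from "fixing" it back; if it is not, write the rules like the others so the two sets stay in step.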
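Review bot: the `PATCH` file added in the `--- 1,125 ----` hunk is a verbatim copy of this submission's own Makefile diff checked into the source tree; it goes stale the moment the Makefile changes again and carries nothing the real diff does not. Drop it, or replace it with a short CHANGES or README entry describing the FreeBSD port.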
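Review bot: in the gabriel_client hunk at lines 37-48, the unsupported-OS branch `*) echo "The $ostype operating system is not supported." ; exit` exits with the status of the preceding `echo`, which is 0, so a caller or cron job cannot distinguish failure from success; use `exit 1` and add the `;;` that the gabriel_tester version of the same case includes. The context line `PATH=/bin:/usr/bin:/usr/5bin:/usr/sbin:.` also deserves attention while this script is being touched: a trailing `.` in the PATH of a program that runs as root and spawns a packet filter is a classic way for a stray executable in the working directory to get run with those privileges, and the FreeBSD port is a good moment to drop it.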
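Review bot: the gabriel_client.c hunk at lines 1-4 replaces the file's descriptive header `/* LAT's Gabriel network probe (e.g., SATAN) detector.` with a bare `/*`, dropping the module description and attribution while changing nothing functional; this looks like an accidental edit and should be reverted.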
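Review bot: the gabriel_client.c hunk at lines 26-32 uncomments `#define GABRIEL_PROBE_DEBUG`, turning on per-probe debugging output for every platform, not only FreeBSD; unless that is the intended shipped default, it is a leftover from development and should go back behind the comment before the patch is merged.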
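Review bot: the gabriel_client.c hunk at lines 175-181 changes `perror("/usr/etc/etherfind")` to `perror("/usr/sbin/snoop")` inside a function the hunk does not identify. If that function is the Solaris 2 (snoop) path this corrects a misleading error message and belongs in a separate patch with its own note; if it is the Solaris 1 (etherfind) path it makes the message wrong. Either way it is unrelated to FreeBSD support and the description should say which it is.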
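Review bot: in the new `do_freebsd()` in the gabriel_client.c hunk at lines 195-200, `perror("/usr/sbin/tspdump")` misspells the program named in `FREEBSD_POPEN_ARG` (`/usr/sbin/tcpdump`), so the error message for the most likely failure (tcpdump missing, or no usable BPF device) names a file that does not exist; fix the string. The `pclose(pkt_filter); return;` on EOF, combined with the caller's `while (1) { do_freebsd(argc, argv); }`, also respawns tcpdump in a tight loop when it fails at startup; that is inherited from the Solaris 2 path, but a `sleep()` between attempts or an exit after repeated failures would avoid a busy loop, and the return value of `pclose()` is discarded where it would say why tcpdump quit.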
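Review bot: in `parse_freebsd_pkt()` in the gabriel_client.c hunk at lines 378-383, the backward scan `for ( ; *p != '.' ; p--) { if (*p == 0) return; }` has no lower bound: on a line whose second word contains no dot it walks past the start of `linebuf`, and because `FREEBSD_POPEN_ARG` merges stderr with `2>&1`, tcpdump's own startup line (`tcpdump: listening on ...`) is exactly such a line. Bound the loop at the start of the host field, e.g. `for ( ; p > host && *p != '.' ; p--)`, and return when no dot is found. The header comment `If the line is inappropriate, src_hostp is set to NULL.` also disagrees with the code, which sets `*src_hostp = ""`; make the comment match, since `record_probe()` has to know which convention it gets.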
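Review bot: in the gabriel_client.h hunk, `FREEBSD_POPEN_ARG` runs `/usr/sbin/tcpdump -v -l 2>&1 ...` without `-n`, so tcpdump resolves every source address through reverse DNS before the line reaches the parser: a scan across many ports becomes many blocking lookups, and the "host" that lands in `record_probe()` and the log is whatever name the probing host's PTR record returns rather than its address. Add `-n` and leave name resolution to the reporting side. The `2>&1` also feeds tcpdump's diagnostics into the parser; keep stderr separate (or log it) so the parser only ever sees packet lines.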
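Review bot: in the gabriel_server hunk at lines 44-53, the `*)` branch silently keeps the SunOS paths (`/var/adm/gabriel.log`, `/usr/ucb/logger`) for any OS other than FreeBSD, whereas the client scripts in this same patch refuse to run on an unrecognised `uname`; list `"SunOS"` explicitly and make the default an error, so a mis-detected platform fails loudly instead of logging to a path that may not exist.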
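Review bot: in the gabriel_tester hunk at lines 37-49, the rewritten line `$pingpgm $ping_flag $maxpings $host 2>&1 > /dev/null` applies the redirections in an order that sends stderr to the terminal and only stdout to /dev/null; if the intent is a silent reachability check it should read `> /dev/null 2>&1`. Setting `ping_flag` and `maxpings` only inside the `"FreeBSD"` branch works because the unset variables expand to nothing on SunOS, but an explicit `ping_flag=""` in the `*)` branch makes that reliance visible.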
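Review bot: in the gabriel_tester hunk at lines 67-73, the FreeBSD branch runs a single `$pingpgm $ping_flag $maxpings $host` (100 pings, from the `maxpings=100` context line) and then `exit`s from inside the case, so on FreeBSD nothing after the ping loop in this script ever runs; if the loop is the last thing in the script that is harmless but deserves a comment, otherwise skip the loop rather than exiting. The `trueprg=/usr/bin/true` / `trueprg=/bin/true` selection is also unnecessary: `true` is found on `PATH` on both systems, and the install_gabriel_clients hunk in this same patch already switches to plain `while true`.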
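Review bot: the hostrec.c hunk wraps an include in `#ifndef __freebsd__` ... `#endif`, tying the header's presence to the Makefile's private `-D__freebsd__` rather than to anything the compiler itself knows about the platform; anyone building hostrec.c by hand or from another Makefile on FreeBSD gets the include back. Test the predefined `__FreeBSD__` instead, and add a comment saying which header is being skipped and why FreeBSD does not need it.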
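Review bot: in the install_gabriel_clients hunk at lines 29-36, the `*)` branch exits with status 0 after the `echo` (the same pattern as in gabriel_client) and lacks the closing `;;`; use `exit 1 ;;` so that anything driving this script can detect the unsupported-OS case.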
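Review bot: in the install_gabriel_clients hunk at lines 108-114, `grep 'SunOS\|FreeBSD' $osfile` relies on `\|` alternation, which is a GNU grep extension and not part of the basic regular expressions that the SunOS `/usr/bin/grep` understands; since this script runs on the server, a Solaris server installing a FreeBSD client will never match. Use `egrep 'SunOS|FreeBSD'` (or two `grep` calls), which works on both.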
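Review bot: in the install_gabriel_server hunk at lines 36-48, the new `if [ -d /usr/local/lib ] ; then GABRIEL_HOME="/usr/local/lib/gabriel-1.0"` test is not keyed on `$ostype`, so any SunOS box that has `/usr/local/lib` now gets Gabriel installed under `/usr/local/lib/gabriel-1.0` instead of the previous `/usr/local/gabriel-1.0`, a silent change for existing Solaris installations. Move the directory choice into the `case $ostype` block just above, where LOG_FILE and CONFIG_FILE are already selected, and keep the old behaviour in the `*)` branch.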
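Review bot: in the install_gabriel_server hunk at lines 161-166, the added `if [ -f /var/run/syslog.pid ] ; then kill -HUP ...` block is independent of the existing `/etc/syslogd.pid` block, so a host with both files (one stale from an earlier syslogd, say) gets two HUPs sent to whatever PIDs the files hold; chain them with `elif`, and check that the PID is live (`kill -0`) before signalling it, since a stale pid file can point at an unrelated process.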