From owner-freebsd-security Mon May 1 11:02:04 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA01933 for security-outgoing; Mon, 1 May 1995 11:02:04 -0700
Received: from kudu.ru.ac.za (kudu.ru.ac.za [146.231.128.5]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id LAA01925 ; Mon, 1 May 1995 11:01:15 -0700
Received: from by kudu.ru.ac.za with cbsmtp (Smail3.1.28.1 #2) id m0s5zln-000MfpC; Mon, 1 May 95 20:00 EET
Received: by neptune.ru.ac.za (Smail3.1.28.1 #10) id m0s5ozP-0000CpC; Mon, 1 May 95 08:29 SAT
Message-Id:
From: geoff@neptune.ru.ac.za (Geoff Rehmet)
Subject: Re: Call for remove setr[ug]id() and setre[ug]id() from libc
To: ache@astral.msk.su (Andrey A. Chernov, Black Mage)
Date: Mon, 1 May 1995 08:29:49 +0200 (SAT)
Cc: arch@FreeBSD.org, core@FreeBSD.org, security@FreeBSD.org
In-Reply-To: from "Andrey A. Chernov, Black Mage" at Apr 20, 95 09:20:35 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 955
Sender: security-owner@FreeBSD.org
Precedence: bulk

Andrey A. Chernov, Black Mage writes :
>
> More info:
> osetreuid/osetregid syscalls check arguments in the same
> way that the lib function does, and they are only a little bit safe,
> because testing of s[rg]id is independent of the calling place.
>
> They both can't be implemented, they are a violation of POSIX,
> so I prefer to remove them to not make a security hole.
> If none object, I'll commit the change.

(I should have replied to this earlier.)

I am in favour of the removal of these calls. We must just be a little bit careful about what the effect is on library interfaces when these are removed. (Remember that a change like this involves a major version bump -- there's been a lot of water under this bridge before.)

Geoff.
--
Geoff Rehmet                                |      ____       _ o     /\
geoff@neptune.ru.ac.za                      |___   _-\_<,    / /\/\
"finger -l rehmet@cs.ru.ac.za" for PGP key  | (*)/'(*)      /\/ / \ \

From owner-freebsd-security Mon May 1 17:08:44 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id RAA11756 for security-outgoing; Mon, 1 May 1995 17:08:44 -0700
Received: from mail.barrnet.net (mail.BARRNET.NET [131.119.246.7]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id RAA11743 ; Mon, 1 May 1995 17:08:22 -0700
Received: from bunyip.cc.uq.oz.au (bunyip.cc.uq.oz.au [130.102.2.1]) by mail.barrnet.net (8.6.10/MAIL-RELAY-LEN) with SMTP id RAA03799; Mon, 1 May 1995 17:05:34 -0700
Received: from s1.elec.uq.oz.au by bunyip.cc.uq.oz.au with SMTP (PP); Tue, 2 May 1995 10:06:34 +1000
Received: from s4 (s4.elec.uq.oz.au) by s1.elec.uq.oz.au (4.0/SMI-4.0) id AA18803; Tue, 2 May 95 10:06:11 EST
From: clary@elec.uq.oz.au (Clary Harridge)
Message-Id: <9505020006.AA18803@s1.elec.uq.oz.au>
Subject: Re: DISKLESS users become root
To: freebsd-security@FreeBSD.org
Date: Tue, 2 May 1995 10:05:27 +1000 (EST)
Cc: freebsd-bugs@FreeBSD.org, marks@cheque1.cheque.uq.oz.au (Mark Schulz)
In-Reply-To: <9504260509.AA15058@s1.elec.uq.oz.au> from "Clary Harridge" at Apr 26, 95 03:08:47 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 2778
Sender: security-owner@FreeBSD.org
Precedence: bulk

> > Users on any DISKLESS client can become root during the boot sequence.
> > I have diskless clients booting off a FreeBSD file server and find that
> > Pressing CTRLC just after the last NFS mount and before the "autoreboot"

This also happens with CTRL\

> message causes
>
> init: /bin/sh on /etc/rc terminated abnormally, going to single user mode
> Enter pathname of shell or RETURN for sh:
>
> then
>
> RETURN gives a root shell.
>
> The state of the /etc/ttys file is not being checked for whether the
> console is secure (or not) and the user is NOT prompted for a root
> password.
>

The problem is that there is a time slot from the start of "init" until the "read_ttys" subroutine checks / sets the "[in]secure" mode. This time is probably small on a system with local disk and you probably need to be lucky to cause either a SIGINT (CTRLC) or SIGQUIT (CTRL|) at the right time. However on a diskless system the time slot is of the order of tens of seconds and you can easily become super user.

The following patch will close this security hole.

================================================================
*** init.c	Tue May  2 08:47:49 1995
--- init.c_orig	Fri Apr 28 10:39:51 1995
***************
*** 178,186 ****
  	sigset_t mask;
  
- 	/* disable interrupts until /etc/ttys secure is checked */
- 	(void) signal(SIGINT, SIG_IGN);
- 	(void) signal(SIGQUIT, SIG_IGN);
  
  	/* Dispose of random users. */
  	if (getuid() != 0) {
  		(void)fprintf(stderr, "init: %s\n", strerror(EPERM));
--- 178,183 ----
***************
*** 239,245 ****
  	handle(badsys, SIGSYS, 0);
  	handle(disaster, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGXCPU,
  	       SIGXFSZ, 0);
! 	handle(transition_handler, SIGHUP, SIGTERM, SIGTSTP, 0);
  	handle(alrm_handler, SIGALRM, 0);
  	sigfillset(&mask);
  	delset(&mask, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGSYS,
--- 236,242 ----
  	handle(badsys, SIGSYS, 0);
  	handle(disaster, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGXCPU,
  	       SIGXFSZ, 0);
! 	handle(transition_handler, SIGHUP, SIGINT, SIGTERM, SIGTSTP, 0);
  	handle(alrm_handler, SIGALRM, 0);
  	sigfillset(&mask);
  	delset(&mask, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGSYS,
================================================================

This is not the whole answer if your ttys flag is secure as a call to handle(transition_handler, SIGINT, 0); should probably be done at some stage after or during "read_ttys" ?

--
regards                                   Dept.
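Review bot: the diff is reversed (the patched init.c is the `***` side and init.c_orig the `---` side), so the three `-` lines in the 178,186 hunk are the additions and the patch only applies with `patch -R`; regenerate it with the original file first before it goes anywhere near a commit. A comment on the mechanism would also help: these two `signal(..., SIG_IGN)` calls protect the boot not because init itself reacts to the console keys, but because an ignored disposition survives fork and exec, so the `/bin/sh /etc/rc` child inherits SIG_IGN for SIGINT and SIGQUIT and CTRL-C/CTRL-\ on the console can no longer kill it, which is what produced the "terminated abnormally, going to single user mode" prompt. The flip side is that nothing in the patch ever restores either signal, so every process init spawns later, and everything /etc/rc starts, inherits the ignore as well; the child side of the fork that execs rc, or the point after read_ttys, needs a matching SIG_DFL or handler reinstall.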
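Review bot: in the 239,245 hunk the `!` line removes SIGINT from the transition_handler list outright instead of deferring its installation, so after this patch init never catches SIGINT at all: the SIG_IGN from the first hunk stays in force for the life of the process, and whatever transition SIGINT used to request through transition_handler is lost in multi-user mode too, not only during the window before read_ttys. The closing question already names the fix, and it should be part of the patch rather than left open: call handle(transition_handler, SIGINT, 0) once read_ttys has settled the console's secure flag, and restore SIGQUIT's disposition at the same point, so the handler set is the same as before for everything after the window.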
of Electrical Engineering,
Clary Harridge                            University of Queensland,
                                          QLD, Australia, 4072
Phone: +61-7-365-3636   Fax: +61-7-365-4999
INTERNET: clary@elec.uq.oz.au

From owner-freebsd-security Tue May 2 03:57:21 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id DAA01158 for security-outgoing; Tue, 2 May 1995 03:57:21 -0700
Received: from dtr.com (dtr.rain.com [204.119.8.19]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id DAA01148 for ; Tue, 2 May 1995 03:56:59 -0700
Received: (from root@localhost) by dtr.com (8.6.11/8.6.9) id DAA00960 for security@freebsd.org; Tue, 2 May 1995 03:46:50 -0700
From: Brant Katkansky
Message-Id: <199505021046.DAA00960@dtr.com>
Subject: Security options for NFS?
To: security@FreeBSD.org
Date: Tue, 2 May 1995 03:46:49 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 116
Sender: security-owner@FreeBSD.org
Precedence: bulk

I'm looking to secure NFS and other services not covered by tcpd - what's the conventional wisdom for FreeBSD 2.0?

From owner-freebsd-security Tue May 2 05:41:49 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id FAA03366 for security-outgoing; Tue, 2 May 1995 05:41:49 -0700
Received: from redline.ru (root@mail.redline.ru [194.87.69.22]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id FAA03339 for ; Tue, 2 May 1995 05:41:13 -0700
Date: Tue, 2 May 1995 16:38:55 +0400 (GMT+0400)
From: Anthony Graphics
X-Sender: agl@mail.redline.ru
To: Brant Katkansky
cc: security@FreeBSD.org
Subject: Re: Security options for NFS?
In-Reply-To: <199505021046.DAA00960@dtr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@FreeBSD.org
Precedence: bulk

On Tue, 2 May 1995, Brant Katkansky wrote:

> Date: Tue, 2 May 1995 03:46:49 -0700 (PDT)
> From: Brant Katkansky
> To: security@FreeBSD.org
> Subject: Security options for NFS?
>
> I'm looking to secure NFS and other services not covered by tcpd -
> what's the conventional wisdom for FreeBSD 2.0?
>

Try to compile NFSD 2.1 or 2.2alpha1 (do not remember where it is: check the back issues in comp.os.linux.announce). It does pretty much the same thing that tcpd does, I believe, although I don't know whether the resulting system would be considered "secure".

A hint: never run pcnfsd ;-)

AGL

From owner-freebsd-security Tue May 2 06:10:37 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id GAA04298 for security-outgoing; Tue, 2 May 1995 06:10:37 -0700
Received: from phoenix.csc.calpoly.edu (phoenix.csc.calpoly.edu [129.65.17.14]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id GAA04290 for ; Tue, 2 May 1995 06:10:34 -0700
Received: from statler.CalPoly.Edu (statler.csc.calpoly.edu [129.65.17.8]) by phoenix.csc.calpoly.edu (8.6.11) with SMTP id GAA02195; Tue, 2 May 1995 06:10:30 -0700
Received: by statler.CalPoly.Edu (5.x/SMI-SVR4) id AA02722; Tue, 2 May 1995 06:10:28 -0700
From: nlawson@statler.csc.calpoly.edu (Nathan Lawson)
Message-Id: <9505021310.AA02722@statler.CalPoly.Edu>
Subject: Re: Security options for NFS?
To: bmk@dtr.com (Brant Katkansky)
Date: Tue, 2 May 1995 06:10:27 -0700 (PDT)
Cc: security@FreeBSD.org
In-Reply-To: <199505021046.DAA00960@dtr.com> from "Brant Katkansky" at May 2, 95 03:46:49 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: security-owner@FreeBSD.org
Precedence: bulk

> I'm looking to secure NFS and other services not covered by tcpd -
> what's the conventional wisdom for FreeBSD 2.0?

Good question. I recommend compiling with the "IPFIREWALL" and "IPFIREWALL_VERBOSE" options. Then you can deny packets to those services with the ipfw(8) utility. Also, if you don't have the full ability to firewall, then you can use the SecureLib library. It compiles with very minor tweaking. I am considering sending it in to the ports people or whoever if anyone wants it.

For NFS, block tcp and udp ports 111, and udp port 2049.

Good luck,
--
Nathan Lawson        \ Never let your schooling interfere with your education.
CSL 490/News Admin   \
(805)756-7180 @Work  \ "The steady state of disks is full." -- Ken Thompson
---------------------

From owner-freebsd-security Tue May 2 10:10:47 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id KAA10187 for security-outgoing; Tue, 2 May 1995 10:10:47 -0700
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id KAA10181 for ; Tue, 2 May 1995 10:10:40 -0700
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.3.6) id AA00462; Tue, 2 May 1995 13:10:20 -0400
Date: Tue, 2 May 1995 13:10:20 -0400
From: Garrett Wollman
Message-Id: <9505021710.AA00462@halloran-eldar.lcs.mit.edu>
To: Brant Katkansky
Cc: security@FreeBSD.org
Subject: Security options for NFS?
In-Reply-To: <199505021046.DAA00960@dtr.com>
References: <199505021046.DAA00960@dtr.com>
Sender: security-owner@FreeBSD.org
Precedence: bulk

< said:
> I'm looking to secure NFS and other services not covered by tcpd -
> what's the conventional wisdom for FreeBSD 2.0?

NFS has fairly strong access-control checks provided by the kernel code. However, these only operate on a per-mount-point basis. If you specify a host list in /etc/exports, then the NFS server will do its best to ensure that only the hosts listed are able to access the data, even given a valid file handle.

The portmapper is fairly harmless, provided you don't start any services that in themselves are security problems. The FreeBSD versions of `mountd' and YP are reasonable; some of the other RPC services you may want to restrict or just plain not run depending on your security policy (e.g., rusers, rstat).

-GAWollman

--
Garrett A. Wollman    | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu   | Shashish is the bonding of hearts in spite of distance.
Opinions not those of | It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA | who like Shashish.
                      - Claude McKenzie + Florent Vollant

From owner-freebsd-security Tue May 2 13:29:57 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id NAA14874 for security-outgoing; Tue, 2 May 1995 13:29:57 -0700
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id NAA14865 for ; Tue, 2 May 1995 13:29:39 -0700
Received: by gvr.win.tue.nl (8.6.10/1.53) id WAA00793; Tue, 2 May 1995 22:29:22 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199505022029.WAA00793@gvr.win.tue.nl>
Subject: Logdaemon update (s.key and stuff)
To: freebsd-security@FreeBSD.org
Date: Tue, 2 May 1995 22:29:21 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 106
Sender: security-owner@FreeBSD.org
Precedence: bulk

Is someone busy doing this? (Paul? You seem to be the one committing the previous S/Key release)

-Guido

From owner-freebsd-security Tue May 2 17:03:15 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id RAA21050 for security-outgoing; Tue, 2 May 1995 17:03:15 -0700
Received: from nahanni.BouletFermat.ab.ca (danny@dboulet.ccinet.ab.ca [198.161.96.245]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id RAA21043 for ; Tue, 2 May 1995 17:03:08 -0700
Received: (from danny@localhost) by nahanni.BouletFermat.ab.ca (8.6.9/8.6.9) id SAA09731 for freebsd-security@FreeBSD.org; Tue, 2 May 1995 18:00:19 -0600
Date: Tue, 2 May 1995 18:00:19 -0600
From: Danny Boulet
Message-Id: <199505030000.SAA09731@nahanni.BouletFermat.ab.ca>
To: freebsd-security@FreeBSD.org
Subject: Re: Security options for NFS?
Sender: security-owner@FreeBSD.org
Precedence: bulk

nlawson@statler.csc.calpoly.edu (Nathan Lawson) says:
> > I'm looking to secure NFS and other services not covered by tcpd -
> > what's the conventional wisdom for FreeBSD 2.0?
>
> Good question.
> I recommend compiling with the "IPFIREWALL" and
> "IPFIREWALL_VERBOSE" options. Then you can deny packets to those services
> with the ipfw(8) utility. Also, if you don't have the full ability to
> firewall, then you can use the SecureLib library. It compiles with very
> minor tweaking. I am considering sending it in to the ports people or
> whoever if anyone wants it.
>
> For NFS, block tcp and udp ports 111, and udp port 2049.
>
> Good luck,
> --
> Nathan Lawson        \ Never let your schooling interfere with your education.
> CSL 490/News Admin   \
> (805)756-7180 @Work  \ "The steady state of disks is full." -- Ken Thompson
> ---------------------
>

The IPFIREWALL support in FreeBSD 2.0 is based on an older version of my ipfirewall utility. The latest version (v2.0a) includes the following:

- ability to match packets based on whether or not they:
  = are in-bound TCP/IP connection attempts
  = are IP fragments
  = have IP options defined
- ability to request that a packet be accepted and logged (i.e. echoed on the console).
- all rejected or logged packet messages indicate which filter matched the packet (helps when debugging filters).
- interface-specific filters (provides a way to defeat a variety of IP spoofing style attacks by attaching filters to specific network interfaces).
- minor cleanup all over the place.

The latest version is available for ftp from:

    ftp://ftp.nebulus.net/pub/bsdi/security/ipfirewall_v2.0a.gz
or
    ftp://ftp.bsdi.com/contrib/networking/security/ipfirewall_v2.0a.shar.gz

I've got FreeBSD 2.0 on a CD-ROM so I can provide diffs that should allow ipfirewall v2.0 to be installed on FreeBSD 2.0. Unfortunately, I don't run FreeBSD on any machine that I've got access to so I can't test the diffs (I use BSD/OS v2.0 for all my ipfirewall development). Contact me directly (danny@bouletfermat.ab.ca) if you're interested in these diffs. Once someone running FreeBSD has verified that they work, I'll include them in my standard release.

-Danny

P.S.
A bound 30 page user's guide is provided to those who contribute the suggested minimum shareware amount ($60 Canadian or roughly $44 US these days).

From owner-freebsd-security Tue May 2 19:58:46 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id TAA25373 for security-outgoing; Tue, 2 May 1995 19:58:46 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id TAA25363 for ; Tue, 2 May 1995 19:58:41 -0700
Received: from localhost (localhost [127.0.0.1]) by precipice.shockwave.com (8.6.11/8.6.9) with SMTP id TAA01474; Tue, 2 May 1995 19:57:20 -0700
Message-Id: <199505030257.TAA01474@precipice.shockwave.com>
To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: freebsd-security@FreeBSD.org
Subject: Re: Logdaemon update (s.key and stuff)
In-reply-to: Your message of "Tue, 02 May 1995 22:29:21 +0200." <199505022029.WAA00793@gvr.win.tue.nl>
Date: Tue, 02 May 1995 19:57:19 -0700
From: Paul Traina
Sender: security-owner@FreeBSD.org
Precedence: bulk

Huh? What's happened? I seem to have missed some context here.

  From: guido@gvr.win.tue.nl (Guido van Rooij)
  Subject: Logdaemon update (s.key and stuff)

  Is someone busy doing this? (Paul? You seem to be the one committing the previous S/Key release)

  -Guido