From owner-freebsd-security Wed Sep 27 16:01:19 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id QAA17552 for security-outgoing; Wed, 27 Sep 1995 16:01:19 -0700
Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id QAA17547 for ; Wed, 27 Sep 1995 16:01:16 -0700
Received: by sequent.kiae.su id AA12752 (5.65.kiae-2 for security@freebsd.org); Thu, 28 Sep 1995 02:55:39 +0400
Received: by sequent.KIAE.su (UUMAIL/2.0); Thu, 28 Sep 95 02:55:37 +0300
Received: (from ache@localhost) by ache.dialup.demos.ru (8.6.11/8.6.12) id BAA06085 for security@freebsd.org; Thu, 28 Sep 1995 01:55:02 +0300
To: security@freebsd.org
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Thu, 28 Sep 1995 01:55:02 +0300 (MSK)
X-Mailer: Mail/@ [v2.40 FreeBSD]
From: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
X-Class: Fast
Subject: Troubles with telnet encryption enabling.
Lines: 10
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 558
Sender: owner-security@freebsd.org
Precedence: bulk

I can't enable encryption in telnet (secure), nor in telnetd (secure).
All settings appear to be processed, but input/output is always reported
as clear-text instead of encrypted. The -x option doesn't fully enable
encryption either. Does anybody have success on that thing
or an explanation?

--
Andrey A. Chernov        : And I rest so composedly,    /Now, in my bed,
ache@astral.msk.su       : That any beholder            /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe         From "For Annie" 1849

From owner-freebsd-security Wed Sep 27 23:22:54 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id XAA05547 for security-outgoing; Wed, 27 Sep 1995 23:22:54 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id XAA05526 for ; Wed, 27 Sep 1995 23:22:38 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.12/8.6.9) with ESMTP id IAA13228; Thu, 28 Sep 1995 08:22:18 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.12/8.6.9) with SMTP id IAA16335; Thu, 28 Sep 1995 08:22:17 +0200
Message-Id: <199509280622.IAA16335@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
cc: security@FreeBSD.org
Subject: Re: Troubles with telnet encryption enabling.
Date: Thu, 28 Sep 1995 08:22:17 +0200
From: Mark Murray
Sender: owner-security@FreeBSD.org
Precedence: bulk

> I can't enable encryption in telnet (secure), nor in telnetd (secure).
> All settings appear to be processed, but input/output is always reported
> as clear-text instead of encrypted. The -x option doesn't fully enable
> encryption either. Does anybody have success on that thing
> or an explanation?

I only get encrypted transmissions on Kerberos-authenticated connections.
I'll look later to see if that is the way it is supposed to be.
M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grumble.grondar.za for PGP key

From owner-freebsd-security Thu Sep 28 01:52:55 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id BAA08125 for security-outgoing; Thu, 28 Sep 1995 01:52:55 -0700
Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id BAA08116 for ; Thu, 28 Sep 1995 01:52:30 -0700
Received: by sequent.kiae.su id AA06859 (5.65.kiae-2 ); Thu, 28 Sep 1995 12:37:36 +0400
Received: by sequent.KIAE.su (UUMAIL/2.0); Thu, 28 Sep 95 12:37:36 +0300
Received: (from ache@localhost) by ache.dialup.demos.ru (8.6.11/8.6.12) id KAA00314; Thu, 28 Sep 1995 10:54:09 +0300
To: Mark Murray
Cc: security@FreeBSD.org
References: <199509280622.IAA16335@grumble.grondar.za>
In-Reply-To: <199509280622.IAA16335@grumble.grondar.za>; from Mark Murray at Thu, 28 Sep 1995 08:22:17 +0200
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Thu, 28 Sep 1995 10:54:08 +0300 (MSK)
X-Mailer: Mail/@ [v2.40 FreeBSD]
From: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
X-Class: Fast
Subject: Re: Troubles with telnet encryption enabling.
Lines: 22
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 1015
Sender: owner-security@FreeBSD.org
Precedence: bulk

In message <199509280622.IAA16335@grumble.grondar.za> Mark Murray writes:

>> I can't enable encryption in telnet (secure), nor in telnetd (secure).
>> All settings appear to be processed, but input/output is always reported
>> as clear-text instead of encrypted. The -x option doesn't fully enable
>> encryption either. Does anybody have success on that thing
>> or an explanation?

>I only get encrypted transmissions on Kerberos-authenticated connections.
>I'll look later to see if that is the way it is supposed to be.

No, encryption is separate from Kerberos there; they must go independently
(see the "encrypt" command inside telnet too).
It looks like the client sends encryption requests
and the daemon receives and parses them, but does nothing...

--
Andrey A. Chernov        : And I rest so composedly,    /Now, in my bed,
ache@astral.msk.su       : That any beholder            /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe         From "For Annie" 1849

From owner-freebsd-security Thu Sep 28 07:29:37 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id HAA15392 for security-outgoing; Thu, 28 Sep 1995 07:29:37 -0700
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id HAA15387 for ; Thu, 28 Sep 1995 07:29:33 -0700
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA17677; Thu, 28 Sep 1995 10:27:23 -0400
Date: Thu, 28 Sep 1995 10:27:23 -0400
From: "Garrett A. Wollman"
Message-Id: <9509281427.AA17677@halloran-eldar.lcs.mit.edu>
To: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
Cc: Mark Murray, security@FreeBSD.org
Subject: Re: Troubles with telnet encryption enabling.
In-Reply-To:
References: <199509280622.IAA16335@grumble.grondar.za>
Sender: owner-security@FreeBSD.org
Precedence: bulk

< said:
> No, encryption is separate from Kerberos there; they must go
> independently (see the "encrypt" command inside telnet too).
> It looks like the client sends encryption requests
> and the daemon receives and parses them, but does nothing...

In what key do you expect to get your data encrypted?

That's why an authentication mechanism is required: it's what provides
the shared secret session key.

-GAWollman

--
Garrett A. Wollman    | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu   | Shashish is the bonding of hearts in spite of distance.
Opinions not those of | It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA | who like Shashish.
                      - Claude McKenzie + Florent Vollant

From owner-freebsd-security Thu Sep 28 08:26:16 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id IAA17431 for security-outgoing; Thu, 28 Sep 1995 08:26:16 -0700
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id IAA17416 for ; Thu, 28 Sep 1995 08:26:12 -0700
Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by who.cdrom.com (8.6.12/8.6.11) with SMTP id IAA28143 for ; Thu, 28 Sep 1995 08:25:31 -0700
Received: by sequent.kiae.su id AA12789 (5.65.kiae-2 ); Thu, 28 Sep 1995 19:09:32 +0400
Received: by sequent.KIAE.su (UUMAIL/2.0); Thu, 28 Sep 95 19:09:31 +0300
Received: (from ache@localhost) by ache.dialup.demos.ru (8.6.11/8.6.9) id SAA00540; Thu, 28 Sep 1995 18:07:16 +0300
To: "Garrett A. Wollman"
Cc: Mark Murray, security@FreeBSD.org
References: <199509280622.IAA16335@grumble.grondar.za> <9509281427.AA17677@halloran-eldar.lcs.mit.edu>
In-Reply-To: <9509281427.AA17677@halloran-eldar.lcs.mit.edu>; from "Garrett A. Wollman" at Thu, 28 Sep 1995 10:27:23 -0400
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Thu, 28 Sep 1995 18:07:15 +0300 (MSK)
X-Mailer: Mail/@ [v2.40 FreeBSD]
From: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
X-Class: Fast
Subject: Re: Troubles with telnet encryption enabling.
Lines: 24
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 1019
Sender: owner-security@FreeBSD.org
Precedence: bulk

In message <9509281427.AA17677@halloran-eldar.lcs.mit.edu> Garrett A. Wollman writes:

>< said:
>> No, encryption is separate from Kerberos there; they must go
>> independently (see the "encrypt" command inside telnet too).
>> It looks like the client sends encryption requests
>> and the daemon receives and parses them, but does nothing...

>In what key do you expect to get your data encrypted?

>That's why an authentication mechanism is required: it's what provides
>the shared secret session key.

Oops. Thanx, I was under the impression that keys could be exchanged
some other way...

--
Andrey A. Chernov        : And I rest so composedly,    /Now, in my bed,
ache@astral.msk.su       : That any beholder            /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe         From "For Annie" 1849

From owner-freebsd-security Thu Sep 28 10:41:49 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id KAA21771 for security-outgoing; Thu, 28 Sep 1995 10:41:49 -0700
Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id KAA21761 for ; Thu, 28 Sep 1995 10:41:42 -0700
Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id SAA01572 ; Thu, 28 Sep 1995 18:41:32 +0100
Received: from (uucp@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) with UUCP id SAA09617 ; Thu, 28 Sep 1995 18:41:26 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.7/keltia-uucp-2.5.1) id JAA00781; Thu, 28 Sep 1995 09:21:41 +0100 (MET)
From: Ollivier Robert
Message-Id: <199509280821.JAA00781@keltia.freenix.fr>
Subject: Re: Troubles with telnet encryption enabling.
To: mark@grondar.za (Mark Murray)
Date: Thu, 28 Sep 1995 09:21:40 +0100 (MET)
Cc: ache@astral.msk.su, security@FreeBSD.org
In-Reply-To: <199509280622.IAA16335@grumble.grondar.za> from "Mark Murray" at Sep 28, 95 08:22:17 am
X-Operating-System: FreeBSD 2.2-CURRENT ctm#1141
X-Mailer: ELM [version 2.4 PL24 ME8]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
Precedence: bulk

It seems that Mark Murray said:
> I only get encrypted transmissions on Kerberos-authenticated connections.
> I'll look later to see if that is the way it is supposed to be.

I'm afraid so. A while ago I was checking our encrypted telnet and
SRA-telnet and never got any of them to encrypt (I don't have Kerberos).
There is a patch for SRA-telnet to do encryption without K4, but I was
unable to encrypt...

 9 Feb 1995   448.3 Ko   /sources/crypt/telnet/esrasrc-1.0.tar.gz
28 Mar 1995   479.1 Ko   /sources/crypt/telnet/srasrc-1.3.1-modified.tar.gz
 9 Feb 1995   516.2 Ko   /sources/crypt/telnet/srasrc-1.3.1.tar.gz
 9 Feb 1995   216.0 Ko   /sources/crypt/telnet/telnet.94.02.07.NE.tar.gz

I use ssh now :-)

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
FreeBSD keltia.freenix.fr 2.2-CURRENT #2: Mon Sep 25 02:02:31 MET 1995

From owner-freebsd-security Thu Sep 28 11:50:13 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id LAA24495 for security-outgoing; Thu, 28 Sep 1995 11:50:13 -0700
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id LAA24490 for ; Thu, 28 Sep 1995 11:50:10 -0700
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by puli.cisco.com (8.6.8+c/8.6.5) with SMTP id LAA04636 for ; Thu, 28 Sep 1995 11:49:36 -0700
Message-Id: <199509281849.LAA04636@puli.cisco.com>
To: security@freebsd.org
Subject: are we affected?
Date: Thu, 28 Sep 1995 11:49:36 -0700
From: Paul Traina
Sender: owner-security@freebsd.org
Precedence: bulk

------- Forwarded Message

Date: Thu, 28 Sep 1995 14:41:55 -0400
From: Linda Hutz Pesante
To: first-teams@first.org
Subject: final version of vendor bulletin

DISTRIBUTION RESTRICTIONS: PUBLIC RELEASE

======================================================================
CERT Vendor-Initiated Bulletin VB-95:07
September 28, 1995

Topic: Directory and file vulnerability from lsof 3.18 through 3.43
Source: Vic Abell (abe@cc.purdue.edu)

To aid in the wide distribution of essential security information, the
CERT Coordination Center is forwarding the following information from
Vic Abell, who urges you to act on this information as soon as possible.
Please contact Vic Abell if you have any questions or need further
information.

========================FORWARDED TEXT STARTS HERE============================

It may be possible to write lsof's private device cache file to system
locations that are normally inaccessible to the lsof user, depending on
the UNIX dialect where lsof is installed and how that dialect grants
permission to access kernel memory information.

The vulnerability affects lsof revisions 3.18 through 3.43, installed on
these UNIX dialects:

    AIX 3.2.4, 3.2.5, 4.1, 4.1.1, and 4.1.2         the IBM RISC/System 6000
    EP/IX 2.1.1                                     the CDC 4680
    FreeBSD 1.1.5.1, 2.0, and 2.0.5                 Intel-based systems
    HP-UX 8.x, 9.x, and 10                          HP systems (some combinations)
    IRIX 4.0.5H, 5.2, 5.3, 6.0, and 6.1             SGI systems
    Linux through 1.3.0                             Intel-based systems
    Motorola V/88 R32V3, R40V4.[123]                M88K systems
    NetBSD 1.0 and 1.0A                             Intel and SPARC-based systems
    NEXTSTEP 2.1 and 3.[0123]                       all NEXTSTEP architectures
    OSF/1 1.3, 2.0, 3.0, and 3.2                    the DEC Alpha
    RISC/os 4.52                                    MIPS R2000-based systems
    SCO OpenDesktop or OpenServer 1.1, 3.0, and 5.0 Intel-based systems
    Sequent Dynix 3.0.12                            the Sequent Symmetry
    Sequent PTX 2.1.[156] and 4.0.[23]              Sequent systems
    Solaris 2.[1234] and 2.5 BETA                   Sun 4 and i86pc systems
    SunOS 4.1.[1234]                                Sun 3 and 4
    Ultrix 2.2, 4.2, 4.3, and 4.4                   DEC RISC and VAX

I recommend that users of the affected revisions of lsof on these
dialects install lsof revision 3.44, 3.45 or later. Section III
describes its location and some appropriate installation considerations.

- -----------------------------------------------------------------------------

I. Description

A private device cache file feature was introduced at lsof revision 3.18
to speed up subsequent calls to lsof by reducing the need for a full scan
of the nodes in /dev (or /devices). Accompanying the feature was an
option (-D) that allowed the lsof user to specify where the device cache
file was to be recorded.

Since lsof normally runs with effective group ID permission set to the
group that can read kernel memory devices, the -D option might allow lsof
to write its device cache file to a location not normally accessible to
the real user or group owning the lsof process.

The locations where the lsof device cache file might be inappropriately
recorded depend on the group that owns the memory devices and to what
other files and directories the group has write permission. Here are two
examples: 1) IBM's distribution of AIX sets group ownership of /dev/kmem
and /etc to the "system" group and enables group write permission in
/etc; and 2) Sun's Solaris distribution does the same thing, using the
"sys" group. (Security conscious installations often create a new group
-- e.g., "kmem" or "mem" -- that owns no files and is used solely for
enabling read access to kernel memory devices.)

A fix for this group ID vulnerability may be found in lsof revisions
3.44, 3.45, and above.

A more serious vulnerability exists when lsof must run setuid to the root
user and also has device cache file support. This happens for the lsof
implementation that runs under Motorola's V/88 UNIX dialects R40V4.1,
R40V4.2, and R40V4.3. This gives the lsof user an unlimited choice of
places to record the device cache file.

A partial fix for this vulnerability was introduced in lsof revision
3.43. The complete fix may be found in lsof revisions 3.44, 3.45, and
above.

II. Impact

Unauthorized users may be able to write the lsof device cache file to
normally-restricted locations, possibly in place of important system
files.

The vulnerability can be exploited only by users with a valid account.
It cannot be exploited by arbitrary remote users.

The vulnerability affects all lsof revisions 3.18 through 3.43 on UNIX
dialects where device cache file support has been implemented.

III. Solution

Retrieve lsof revision 3.44, 3.45, or later and install it.

    Compressed tar archive:
        ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/lsof.tar.Z

    Gzip'd tar archive:
        ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/lsof.tar.gz

Lsof 3.44 eliminates the vulnerability for all relevant UNIX dialects.
However, its overly zealous restrictions for Solaris and SunOS are
relaxed in revision 3.45.

Both tar archives are wrappers that contain authentication information
(MD5 checksums and PGP certificates) and a tar archive of the lsof
sources.

1. Retrieve the wrapper archive, extract its three files -- README.lsof_,
   lsof_.tar, and lsof_.tar.asc -- and verify its authentication
   information. ( should be 3.44 or greater.)

2. Unpack the lsof source archive from lsof_.tar and read its
   documentation files. Pay particular attention to the 00DCACHE file
   that describes options for specifying the location of the device
   cache, and the security section in the 00README file.

3. Having selected the lsof options appropriate to the UNIX dialect where
   you want to install it, run the Configure script, use make to build
   lsof, and install the resulting lsof executable.

- -----------------------------------------------------------------------------

Vic Abell appreciates the advice and comments provided by members of the
bugtraq mailing list that led him to realize this vulnerability existed.
He thanks Katherine T. Fithen and Linda Hutz Pesante of the CERT
Coordination Center for their help in preparing this bulletin.

=========================FORWARDED TEXT ENDS HERE=============================

CERT publications, information about FIRST representatives, and other
information related to computer security are available for anonymous FTP
from info.cert.org.

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send
mail to cert-advisory-request@cert.org.

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the e-mail be
encrypted. The CERT Coordination Center can support a shared DES key,
PGP (public key available via anonymous FTP on info.cert.org), or PEM
(contact CERT staff for details).

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA

CERT is a service mark of Carnegie Mellon University.

------- End of Forwarded Message

From owner-freebsd-security Thu Sep 28 12:05:07 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id MAA24822 for security-outgoing; Thu, 28 Sep 1995 12:05:07 -0700
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id MAA24814 for ; Thu, 28 Sep 1995 12:05:03 -0700
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA18217; Thu, 28 Sep 1995 15:04:59 -0400
Date: Thu, 28 Sep 1995 15:04:59 -0400
From: "Garrett A. Wollman"
Message-Id: <9509281904.AA18217@halloran-eldar.lcs.mit.edu>
To: Paul Traina
Cc: security@freebsd.org
Subject: are we affected?
In-Reply-To: <199509281849.LAA04636@puli.cisco.com>
References: <199509281849.LAA04636@puli.cisco.com>
Sender: owner-security@freebsd.org
Precedence: bulk

< said:
> The vulnerability affects lsof revisions 3.18 through 3.43, installed
> on these UNIX dialects:

Not unless you decide to install an old version of the `lsof' program.

-GAWollman

--
Garrett A. Wollman    | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu   | Shashish is the bonding of hearts in spite of distance.
Opinions not those of | It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA | who like Shashish.
                      - Claude McKenzie + Florent Vollant

From owner-freebsd-security Thu Sep 28 12:26:06 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id MAA26112 for security-outgoing; Thu, 28 Sep 1995 12:26:06 -0700
Received: from Root.COM (implode.Root.COM [198.145.90.17]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id MAA26106 ; Thu, 28 Sep 1995 12:26:02 -0700
Received: from corbin.Root.COM (corbin [198.145.90.34]) by Root.COM (8.6.12/8.6.5) with ESMTP id MAA22684; Thu, 28 Sep 1995 12:24:38 -0700
Received: from localhost (localhost [127.0.0.1]) by corbin.Root.COM (8.6.12/8.6.5) with SMTP id MAA01968; Thu, 28 Sep 1995 12:27:13 -0700
Message-Id: <199509281927.MAA01968@corbin.Root.COM>
To: torstenb@freebsd.org
cc: batie@agora.rdrop.com (Alan Batie), core@freebsd.org, security@freebsd.org
Subject: Re: smail patch
In-reply-to: Your message of "Thu, 28 Sep 95 18:30:26 BST."
From: David Greenman
Reply-To: davidg@Root.COM
Date: Thu, 28 Sep 1995 12:27:12 -0700
Sender: owner-security@freebsd.org
Precedence: bulk

>Alan Batie wrote:
>
>> > the sample configuration files that the smail port installs in
>> > /usr/local/lib/smail/ uses /usr/libexec/mail.local for delivery to local
>> > mailboxes (see the "local" transport in transports.sample) like sendmail.
>>
>> That is a solution for that particular problem, but that patch, or something
>> similar, still needs to be applied. For example, at work we have /usr/local
>> on a file server and use secondary configs for local customizations. Since
>> apparently NFS requires a group, there will likely be problems.
>
>let me quote src/sysdep.c:
>
>> * NOTE: we assume that setgroups(0, (int *)NULL) has been called
>> * to clear out any groups that may erroneously allow access
>> * to the file.
>
>Not clearing the group access list opens a security hole.
>I don't have the time to look deeper at the smail sources now. Please
>post to comp.mail.smail...
>
>Sorry, but I won't change something that opens a new security hole...

   The first group in the group list is special. It is the effective gid of
the process. The change to do the setgroups(1, &dummy) is not a security
hole. The effective gid is set in various places, and one gid 'slot' must
exist for this to work correctly. It is not valid to set the group list to
contain no entries; NFS will not work without at least one gid in the list
- and worse, FreeBSD will panic because it can't handle this condition.

   Let me put this another way: If you don't fix the smail port, we *will*
have a major security hole as soon as I bring in the Lite-2 changes to
setgroups() as it WILL fail with EINVAL for setgroups(0, blah) and since the
return status of setgroups is not checked, the entire group list will remain
unchanged.

   Please commit the fix.

-DG

From owner-freebsd-security Thu Sep 28 12:31:37 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id MAA26422 for security-outgoing; Thu, 28 Sep 1995 12:31:37 -0700
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.34]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id MAA26410 for ; Thu, 28 Sep 1995 12:31:30 -0700
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.9/8.6.9) id FAA20687; Fri, 29 Sep 1995 05:28:06 +1000
Date: Fri, 29 Sep 1995 05:28:06 +1000
From: Bruce Evans
Message-Id: <199509281928.FAA20687@godzilla.zeta.org.au>
To: pst@cisco.com, wollman@lcs.mit.edu
Subject: Re: are we affected?
Cc: security@freebsd.org
Sender: owner-security@freebsd.org
Precedence: bulk

>> The vulnerability affects lsof revisions 3.18 through 3.43, installed
>> on these UNIX dialects:

>Not unless you decide to install an old version of the `lsof' program.

The damage is limited mainly by lsof not being a port. I have
lsof_3.31, which is quite recent (June 17). This version doesn't quite
compile under 2.0.5 (the queue macros rename some variables and hide the
queue internals).

Bruce

From owner-freebsd-security Thu Sep 28 17:50:21 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id RAA11151 for security-outgoing; Thu, 28 Sep 1995 17:50:21 -0700
Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id RAA11144 for ; Thu, 28 Sep 1995 17:50:17 -0700
Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id BAA05210 ; Fri, 29 Sep 1995 01:49:50 +0100
Received: from (uucp@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) with UUCP id BAA10502 ; Fri, 29 Sep 1995 01:49:43 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.7/keltia-uucp-2.5.1) id BAA04090; Fri, 29 Sep 1995 01:27:11 +0100 (MET)
From: Ollivier Robert
Message-Id: <199509290027.BAA04090@keltia.freenix.fr>
Subject: Re: are we affected?
To: bde@zeta.org.au (Bruce Evans)
Date: Fri, 29 Sep 1995 01:27:11 +0100 (MET)
Cc: pst@cisco.com, wollman@lcs.mit.edu, security@FreeBSD.ORG
In-Reply-To: <199509281928.FAA20687@godzilla.zeta.org.au> from "Bruce Evans" at Sep 29, 95 05:28:06 am
X-Operating-System: FreeBSD 2.2-CURRENT ctm#1141
X-Mailer: ELM [version 2.4 PL24 ME8]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

It seems that Bruce Evans said:
> The damage is limited mainly by lsof not being a port. I have
> lsof_3.31, which is quite recent (June 17). This version doesn't quite
> compile under 2.0.5 (the queue macros rename some variables and hide the
> queue internals).

Vic Abell does not have access to a 2.2-CURRENT for now. Current versions
should work on 2.0, 2.0.5 and 2.1 (as the VM didn't change in 2.1 as in
2.2). I exchanged a few mails about it with him and with a guy who allowed
him to use his 2.0.5 system to do the port.

Vic is willing to do a port if he can maintain it (ie can have a permanent
account on the system).

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
FreeBSD keltia.freenix.fr 2.2-CURRENT #2: Mon Sep 25 02:02:31 MET 1995

From owner-freebsd-security Thu Sep 28 19:10:26 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id TAA13885 for security-outgoing; Thu, 28 Sep 1995 19:10:26 -0700
Received: from hemi.com (hemi.com [204.132.158.10]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id TAA13880 for ; Thu, 28 Sep 1995 19:10:20 -0700
Received: (from mbarkah@localhost) by hemi.com (8.6.11/8.6.9) id UAA08497; Thu, 28 Sep 1995 20:13:25 -0600
From: Ade Barkah
Message-Id: <199509290213.UAA08497@hemi.com>
Subject: Re: are we affected?
To: roberto@keltia.freenix.fr (Ollivier Robert)
Date: Thu, 28 Sep 1995 20:13:24 -0600 (MDT)
Cc: bde@zeta.org.au, pst@cisco.com, wollman@lcs.mit.edu, security@FreeBSD.ORG
In-Reply-To: <199509290027.BAA04090@keltia.freenix.fr> from "Ollivier Robert" at Sep 29, 95 01:27:11 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 847
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

> Vic Abell does not have access to a 2.2-CURRENT for now. Current versions
> should work on 2.0, 2.0.5 and 2.1 (as the VM didn't change in 2.1 as in
> 2.2). I exchanged a few mails about it with him and with a guy who allowed
> him to use his 2.0.5 system to do the port.
>
> Vic is willing to do a port if he can maintain it (ie can have a permanent
> account on the system).

Yes. I'm planning to put up a -current machine this weekend, which Vic
will have access to. Barring major problems, that is. His sources have
had native support for 2.0.5 for a while now (as well as for all previous
FreeBSD official releases.)
Regards,

-Ade
--------------------------------------------------------------------
Inet: mbarkah@hemi.com - HEMISPHERE ONLINE - www:
--------------------------------------------------------------------

From owner-freebsd-security Fri Sep 29 07:18:40 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id HAA16886 for security-outgoing; Fri, 29 Sep 1995 07:18:40 -0700
Received: from falco.ibama.gov.br ([200.6.48.80]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id HAA16843 for ; Fri, 29 Sep 1995 07:18:09 -0700
Received: by falco.ibama.gov.br (AIX 3.2/UCB 5.64/4.03) id AA03432; Fri, 29 Sep 1995 11:17:39 -0300
Newsgroups: comp.unix.bsd.freebsd.misc
Path: jazz.cr-df.rnp.br!usenet
From: "Andries J. Algera"
Subject: NIS maps and passwd file formats problem?
Content-Type: text/plain; charset=us-ascii
Message-Id:
Content-Transfer-Encoding: 7bit
Organization: CSR - IBAMA
Mime-Version: 1.0
Date: Mon, 25 Sep 1995 20:33:30 GMT
X-Mailer: Mozilla 1.1N (X11; I; SunOS 5.3 sun4m)
X-Url: news:comp.unix.bsd.freebsd.misc
Lines: 42
Resent-Date: Fri, 29 Sep 1995 11:17:13 -0300 (GRNLNDST)
Resent-From: Bernardo Brummer
Resent-To: freebsd-security@freebsd.org
Resent-Message-Id:
Apparently-To: freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
Precedence: bulk

I recently installed FreeBSD and would like to have it using NIS for
authentication. We already have a NIS+ server in NIS mode running on a
SPARC w/ Solaris 2.3.

The machine w/ FreeBSD seems to recognize the NIS server perfectly well;
commands like ypcat passwd give the result I expect.

In order to be able to use the NIS password map for logging in, I put the
following at the end of the password file (using vipw):

+:::::::::

So one would expect to be able to log in. However, to my surprise I get
the following error after typing a login name:

yp_order: clnt_call: RPC: Procedure unavailable

I suppose that the format of the password file and the NIS map are
different. I found the password file having the format as described in
passwd(5), whereas the NIS map has the following format (7 fields instead
of 10):

andries:z6rdfghast1.:330:30:Andries Algera:/home/vera:/bin/ksh

Could anyone out there help me to solve this problem?

Cheers,
Andries

--
--------------------------------------------------------------------
Andries Algera
CSR - IBAMA
Brasilia / DF - Brasil
ph: +5561 316-1218 316-1219 316-1220
--------------------------------------------------------------------
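Two messages in this digest turn on the same privilege-handling detail: the lsof bulletin (a setgid-kmem tool writing a user-named cache file with its effective gid, so it can land anywhere the kmem group may write) and David Greenman's note on the smail port (clear the supplementary group list with a one-entry list holding the effective gid, not setgroups(0, NULL)). The C below is an added illustration of both patterns and is not code from lsof, smail or any of the posters; the function names and the /tmp paths are my own, and the drop-then-restore approach is shown as a general pattern, not as lsof's actual fix.

```c
#define _GNU_SOURCE 1   /* glibc: expose seteuid/setegid, setgroups, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>        /* setgroups() lives here on glibc */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>     /* ... and here on the BSDs */

/* Open or create a user-chosen file (e.g. one named with a -D style option)
 * with only the REAL uid/gid of the invoking user in force.  Opening it under
 * the tool's effective gid lets the user pick any directory that group may
 * write (the /etc case in the bulletin); dropping first makes the kernel
 * apply the caller's own permissions.  Returns a descriptor or -1 (errno set). */
int open_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group before the user: once the uid is dropped, a setuid-root
     * program could no longer change its gid. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        saved_errno = errno;
        (void)setegid(saved_egid);
        errno = saved_errno;
        return -1;
    }
    /* O_NOFOLLOW refuses a symlink planted where the cache file will go. */
    fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    saved_errno = errno;
    /* Restore in reverse order so the tool can go back to reading kmem. */
    (void)seteuid(saved_euid);
    (void)setegid(saved_egid);
    errno = saved_errno;
    return fd;
}

/* Before trusting or overwriting an open cache file, require a regular file
 * with a single link that is owned by the real user.  Returns 1 or 0. */
int cache_file_is_sane(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 && st.st_uid == getuid();
}

/* Clear the supplementary groups the way the smail discussion recommends:
 * not setgroups(0, NULL), which is invalid because the first slot is the
 * effective gid and must exist, but a one-entry list holding only that gid.
 * Returns 0, or -1 with errno set (EPERM for an unprivileged caller). */
int clear_supplementary_groups(void)
{
    gid_t only = getegid();

    return setgroups(1, &only);
}

/* Create a cache file at PATH as the real user, verify it, write a marker
 * and clean up.  Returns 1 when every step succeeded. */
int cache_roundtrip(const char *path)
{
    int fd, ok;

    (void)unlink(path);             /* ignore a stale file from an earlier run */
    fd = open_as_real_user(path);
    if (fd < 0)
        return 0;
    ok = cache_file_is_sane(fd) && write(fd, "lsof-dcache-demo\n", 17) == 17;
    ok = (close(fd) == 0) && ok;
    ok = (unlink(path) == 0) && ok;
    return ok;
}

/* Plant LINK -> TARGET (TARGET need not exist) and confirm open_as_real_user()
 * refuses to create or open through it.  Returns 1 if refused with ELOOP. */
int refuses_planted_symlink(const char *link, const char *target)
{
    int fd, refused;

    (void)unlink(link);
    if (symlink(target, link) != 0)
        return 0;
    fd = open_as_real_user(link);
    refused = (fd == -1 && errno == ELOOP);
    if (fd >= 0)
        (void)close(fd);
    (void)unlink(link);
    (void)unlink(target);           /* only present if the link was followed */
    return refused;
}

int main(void)
{
    /* Constructed demonstration paths. */
    printf("round trip: %s\n", cache_roundtrip("/tmp/dcache_demo.cache") ? "ok" : "FAILED");
    printf("symlink refused: %s\n",
           refuses_planted_symlink("/tmp/dcache_demo.link", "/tmp/dcache_demo.target") ? "ok" : "FAILED");
    if (clear_supplementary_groups() != 0)
        printf("setgroups(1, &egid) failed with errno %d (expected unless privileged)\n", errno);
    return 0;
}
```

Run unprivileged, the uid/gid drop is a no-op and setgroups() fails with EPERM; installed setgid kmem or setuid root, the same code confines the cache file to places the real user could already write.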