From owner-freebsd-security Mon Mar 30 19:20:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA02006 for freebsd-security-outgoing; Mon, 30 Mar 1998 19:20:46 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gras-varg.worldgate.com (skafte@gras-varg.worldgate.com [198.161.84.12]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA01918 for ; Mon, 30 Mar 1998 19:20:26 -0800 (PST) (envelope-from skafte@worldgate.com) Received: (from skafte@localhost) by gras-varg.worldgate.com (8.8.8/8.6.12) id UAA08914; Mon, 30 Mar 1998 20:20:09 -0700 (MST) Message-ID: <19980330202008.62461@worldgate.com> Date: Mon, 30 Mar 1998 20:20:08 -0700 From: Greg Skafte To: Open Systems Networking Cc: freebsd-security@FreeBSD.ORG Subject: Re: I need some proxies! :) References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88 In-Reply-To: ; from Open Systems Networking on Wed, Mar 18, 1998 at 02:51:34PM -0500 Organization: WorldGate Inc. X-PGP-Fingerprint: 42 9C 2C A8 4D 2B C9 C4 7D B6 00 B0 50 47 20 97 X-URL: http://gras-varg.worldgate.com/~skafte Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk /usr/ports/net/delegate ..... Quoting Open Systems Networking (opsys@mail.webspan.net) On Subject: I need some proxies! :) Date: Wed, Mar 18, 1998 at 02:51:34PM -0500 > > I hate anti-commercial licenses :) > > I'm about to build a security/internet connection for a local corp. > That goes a little something like this: > > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan. > > Everything is just peachy till I hat the freakin proxy server. > My choice is FWTK proxies or SOCKS. And im not sure if there unable to be > used because it's for a commercial entity or not. > The license for FWTK to *ME* reads that it can be used even commercial as > long as its not used by a commercial entity to make a product. I.e. in > this instance to just run internally to the corp. and thats all. But im > not positive im checking on this. So my problem comes if I can't use the > FWTK proxies since its for a commercial use. What other choices for > proxies do i have for a FreeBSD box? who out there is using or has found a > good proxy solution to get around this blasted commercial license problem. > Don't get me wrong im not pissing and moaning because they don't want it > used for free in a commercial environment, im pissing and moaning because > they wont port their commercial firewall to FreeBSD. so i get wedged > between not using the free one for commercial use and them pretty much > refusing to port their commercial product to fbsd. There trying to have > their cake and eat it to in my opinion and that sucks. > So my snafu right now is trying to find a solution for proxies. > > ANY ideas anyone has or any pointers would really be appreciated! > > Chris > > -- > "I am closed minded. It keeps the rain out." > > ===================================| Open Systems Networking And Consulting. > FreeBSD 2.2.5 is available now! | Phone: 316-326-6800 > -----------------------------------| 1402 N. Washington, Wellington, KS-67152 > FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net > http://www.freebsd.org | Consulting-Network Engineering-Security > ===================================| http://open-systems.net > > -----BEGIN PGP PUBLIC KEY BLOCK----- > Version: 2.6.2 > > mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te > gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC > foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z > d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb > NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv > CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8 > b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4= > =BBjp > -----END PGP PUBLIC KEY BLOCK----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message -- Email: skafte@worldgate.com Voice: +403 413 1910 Fax: +403 421 4929 #575 Sun Life Place * 10123 99 Street * Edmonton, AB * Canada * T5J 3H1 -- -- When things can't get any worse, they simplify themselves by getting a whole lot worse then complicated. A complete and utter disaster is the simplest thing in the world; it's preventing one that's complex. (Janet Morris) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 02:57:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA19997 for freebsd-security-outgoing; Thu, 2 Apr 1998 02:57:38 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from newserv.urc.ac.ru (newserv.urc.ac.ru [193.233.85.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA19970 for ; Thu, 2 Apr 1998 02:57:06 -0800 (PST) (envelope-from anton@urc.ac.ru) Received: from urc.ac.ru (Belle.urc.ac.ru [193.233.85.55]) by newserv.urc.ac.ru (8.8.8/8.8.8) with ESMTP id QAA04588 for ; Thu, 2 Apr 1998 16:56:19 +0600 (ESS) (envelope-from anton@urc.ac.ru) Message-ID: <35236ED3.E90D12AD@urc.ac.ru> Date: Thu, 02 Apr 1998 16:56:19 +0600 From: Anton Voronin Organization: URC FREEnet X-Mailer: Mozilla 4.04 [ru] (X11; I; FreeBSD 2.2.5-STABLE i386) MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: Is there a safe way for filesystem export? Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Greetings, I have an application server working under 2.2-STABLE which also exports filesystems for workstations which boot by means of netboot from their local DOS-partition. They do not have local unix partitions, except swap, /tmp and /var/tmp partitions. If the user simply cracks BIOS and boots from FreeBSD diskette, he can mount a partition from the server which is exported for read/write and not mapping root to nobody, and, say, place there a setuid file that runs shell. Is there a possibility to authenticate NFS client not only by its IP-address but by some more secure way? Or could it be a subject for further development (if it is not limited by NFS principals)? -- Anton Voronin | Ural Regional Center of FREEnet, | Southern Ural University, Chelyabinsk, Russia http://www.urc.ac.ru/~anton | Student / programmer / system administrator To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 03:17:19 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA23165 for freebsd-security-outgoing; Thu, 2 Apr 1998 03:17:19 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fang.cs.sunyit.edu (root@fang.cs.sunyit.edu [192.52.220.66]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA23155 for ; Thu, 2 Apr 1998 03:17:13 -0800 (PST) (envelope-from perlsta@cs.sunyit.edu) Received: from win95.local.sunyit.edu (A-T34.rh.sunyit.edu [150.156.210.241]) by fang.cs.sunyit.edu (8.8.5/8.7.3) with SMTP id GAA29890; Thu, 2 Apr 1998 06:17:59 GMT Message-ID: <00c401bd5e28$5346e5e0$0600a8c0@win95.local.sunyit.edu> From: "Alfred Perlstein" To: "Anton Voronin" , Subject: Re: Is there a safe way for filesystem export? Date: Thu, 2 Apr 1998 06:13:11 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="KOI8-R" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk i'd suggest -maproot=nobody also, make whatever dir's readonly if possible and nosuid where applicable. -Alfred -----Original Message----- From: Anton Voronin To: freebsd-security@FreeBSD.ORG Date: Thursday, April 02, 1998 1:12 AM Subject: Is there a safe way for filesystem export? >Greetings, > >I have an application server working under 2.2-STABLE which also exports >filesystems for workstations which boot by means of netboot from their local >DOS-partition. They do not have local unix partitions, except swap, /tmp and >/var/tmp partitions. If the user simply cracks BIOS and boots from FreeBSD >diskette, he can mount a partition from the server which is exported for >read/write and not mapping root to nobody, and, say, place there a setuid file >that runs shell. > >Is there a possibility to authenticate NFS client not only by its IP-address >but by some more secure way? Or could it be a subject for further development >(if it is not limited by NFS principals)? > >-- >Anton Voronin | Ural Regional Center of FREEnet, > | Southern Ural University, Chelyabinsk, Russia >http://www.urc.ac.ru/~anton | Student / programmer / system administrator > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 04:03:11 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA28240 for freebsd-security-outgoing; Thu, 2 Apr 1998 04:03:11 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from newserv.urc.ac.ru (newserv.urc.ac.ru [193.233.85.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA28234 for ; Thu, 2 Apr 1998 04:03:03 -0800 (PST) (envelope-from anton@urc.ac.ru) Received: from urc.ac.ru (Belle.urc.ac.ru [193.233.85.55]) by newserv.urc.ac.ru (8.8.8/8.8.8) with ESMTP id SAA00467; Thu, 2 Apr 1998 18:01:42 +0600 (ESS) (envelope-from anton@urc.ac.ru) Message-ID: <35237E24.CF00B4D5@urc.ac.ru> Date: Thu, 02 Apr 1998 18:01:40 +0600 From: Anton Voronin Organization: URC FREEnet X-Mailer: Mozilla 4.04 [ru] (X11; I; FreeBSD 2.2.5-STABLE i386) MIME-Version: 1.0 To: Alfred Perlstein , freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? References: <00c401bd5e28$5346e5e0$0600a8c0@win95.local.sunyit.edu> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Alfred Perlstein wrote: > > i'd suggest -maproot=nobody > also, make whatever dir's readonly if possible and nosuid where applicable. > > -Alfred > Unfortunately, mapping root to nobody is impossible while xdm writes into .Xauthority in users home directories and dirs like authdir or xkb.compiled. I'm affraid this topic is out of this mailing list, but would appreciate any advise on how to avoid the need of mapping root to root. > -----Original Message----- > From: Anton Voronin ?anton@urc.ac.ru? > To: freebsd-security@FreeBSD.ORG ?freebsd-security@FreeBSD.ORG? > Date: Thursday, April 02, 1998 1:12 AM > Subject: Is there a safe way for filesystem export? > > ?Greetings, > ? > ?I have an application server working under 2.2-STABLE which also exports > ?filesystems for workstations which boot by means of netboot from their > local > ?DOS-partition. They do not have local unix partitions, except swap, /tmp > and > ?/var/tmp partitions. If the user simply cracks BIOS and boots from FreeBSD > ?diskette, he can mount a partition from the server which is exported for > ?read/write and not mapping root to nobody, and, say, place there a setuid > file > ?that runs shell. > ? > ?Is there a possibility to authenticate NFS client not only by its > IP-address > ?but by some more secure way? Or could it be a subject for further > development > ?(if it is not limited by NFS principals)? > ? -- Anton Voronin | Ural Regional Center of FREEnet, | Southern Ural University, Chelyabinsk, Russia http://www.urc.ac.ru/~anton | Student / programmer / system administrator To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 07:09:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA22544 for freebsd-security-outgoing; Thu, 2 Apr 1998 07:09:18 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (root@FLEDGE.RES.CMU.EDU [128.2.91.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA22536 for ; Thu, 2 Apr 1998 07:09:12 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.6.10) with SMTP id JAA21522; Thu, 2 Apr 1998 09:57:13 -0500 (EST) Date: Thu, 2 Apr 1998 09:57:13 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Anton Voronin cc: Alfred Perlstein , freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? In-Reply-To: <35237E24.CF00B4D5@urc.ac.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Thu, 2 Apr 1998, Anton Voronin wrote: > > i'd suggest -maproot=nobody > > also, make whatever dir's readonly if possible and nosuid where applicable. > > Unfortunately, mapping root to nobody is impossible while xdm writes into > .Xauthority in users home directories and dirs like authdir or xkb.compiled. > I'm affraid this topic is out of this mailing list, but would appreciate any > advise on how to avoid the need of mapping root to root. Anton, I have never experienced the problem you describe -- I ran for a long time last summer on a FreeBSD 2.2.1 (or was it .2?) with XFree86 and xdm running, and my home directory mounted from a Solaris file server where NFS-root was mapped to nobody. In the version of xdm I am currently running (patched for Krb4), the call to SetUserAuthorization is definitely after the setting of credentials on the child process. Robert N Watson ---- Carnegie Mellon University http://www.cmu.edu/ Trusted Information Systems http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 08:36:56 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA10665 for freebsd-security-outgoing; Thu, 2 Apr 1998 08:36:56 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA10649 for ; Thu, 2 Apr 1998 08:36:51 -0800 (PST) (envelope-from patl@phoenix.volant.org) From: patl@phoenix.volant.org Received: from asimov.phoenix.volant.org [205.179.79.65] by phoenix.volant.org with smtp (Exim 1.62 #1) id 0yKmyx-0003TP-00; Thu, 2 Apr 1998 08:36:51 -0800 Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id IAA22670; Thu, 2 Apr 1998 08:35:01 -0800 Date: Thu, 2 Apr 1998 08:35:01 -0800 (PST) Reply-To: patl@phoenix.volant.org Subject: Re: Is there a safe way for filesystem export? To: freebsd-security@FreeBSD.ORG In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > On Thu, 2 Apr 1998, Anton Voronin wrote: > > > > i'd suggest -maproot=nobody > > > also, make whatever dir's readonly if possible and nosuid where > > > applicable. > > > > Unfortunately, mapping root to nobody is impossible while xdm writes into > > .Xauthority in users home directories and dirs like authdir or > > xkb.compiled. I'm affraid this topic is out of this mailing list, but > > would appreciate any advise on how to avoid the need of mapping root to > > root. > > Anton, > > I have never experienced the problem you describe -- I ran for a long time > last summer on a FreeBSD 2.2.1 (or was it .2?) with XFree86 and xdm > running, and my home directory mounted from a Solaris file server where > NFS-root was mapped to nobody. In the version of xdm I am currently > running (patched for Krb4), the call to SetUserAuthorization is definitely > after the setting of credentials on the child process. I suspect the significant point here is that whatever partition has the xdm binary must not re-map root, and must allow suid. I would export /usr and other exported system partitions read-only, with no userid remapping and allowing suid. The partition(s) holding user home directories would be exported read/write with root->nobody and nosuid. -Pat To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 13:41:57 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA09100 for freebsd-security-outgoing; Thu, 2 Apr 1998 13:41:57 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA09067 for ; Thu, 2 Apr 1998 13:41:47 -0800 (PST) (envelope-from Peter.Jeremy@alcatel.com.au) Received: from mfg1.cim.alcatel.com.au ([139.188.23.1]) by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IVFB0BCXC0003CY2@gatekeeper.alcatel.com.au> for freebsd-security@FreeBSD.ORG; Fri, 3 Apr 1998 07:39:26 +1000 Received: from cbd.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #23324) with ESMTP id <01IVFB0859U8C2ID8G@cim.alcatel.com.au>; Fri, 03 Apr 1998 07:39:22 +1000 Received: from gsms01.alcatel.com.au by cbd.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IVFB05M75SAZTQUW@cbd.alcatel.com.au>; Fri, 03 Apr 1998 07:39:18 +1100 Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3) id HAA22187; Fri, 03 Apr 1998 07:39:16 +1000 (EST) Date: Fri, 03 Apr 1998 07:39:16 +1000 (EST) From: Peter Jeremy Subject: Re: Is there a safe way for filesystem export? To: freebsd-security@FreeBSD.ORG Cc: anton@urc.ac.ru Message-id: <199804022139.HAA22187@gsms01.alcatel.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Thu, 02 Apr 1998 18:01:40 +0600, Anton Voronin wrote: >Unfortunately, mapping root to nobody is impossible while xdm writes into >.Xauthority in users home directories Updating .Xauthority doesn't have to be done as root. It should be done as the user being logged in (the current implementation doesn't - which may be a security hole). Since FreeBSD includes a `saved set-user-ID', changing xdm to flip uids whilst writing .Xauthority should be fairly simple. > and dirs like authdir or xkb.compiled. `authdir' could (and probably should, since xdm doesn't clean up after itself) be on a MFS partition - ie a protected subdirectory in /tmp. As far as I know, xdm doesn't affect xdm.compiled - the X server might though. I haven't played with the XKB extension and can't offer any suggestions here. Note that the Sun's NFS implementations include the ability to use `Secure RPC' - ie DES encryption. I don't know if the relevant hooks are in FreeBSD. Peter -- Peter Jeremy (VK2PJ) peter.jeremy@alcatel.com.au Alcatel Australia Limited 41 Mandible St Phone: +61 2 9690 5019 ALEXANDRIA NSW 2015 Fax: +61 2 9690 5247 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 16:47:44 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA12645 for freebsd-security-outgoing; Thu, 2 Apr 1998 16:47:44 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA12515 for ; Thu, 2 Apr 1998 16:47:25 -0800 (PST) (envelope-from narvi@haldjas.folklore.ee) Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id PAA13820; Thu, 2 Apr 1998 15:26:25 +0300 (EEST) Date: Thu, 2 Apr 1998 15:26:25 +0300 (EEST) From: Narvi To: Anton Voronin cc: Alfred Perlstein , freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? In-Reply-To: <35237E24.CF00B4D5@urc.ac.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Thu, 2 Apr 1998, Anton Voronin wrote: > Alfred Perlstein wrote: > > > > i'd suggest -maproot=nobody > > also, make whatever dir's readonly if possible and nosuid where applicable. > > > > -Alfred > > > Unfortunately, mapping root to nobody is impossible while xdm writes into > .Xauthority in users home directories and dirs like authdir or xkb.compiled. > I'm affraid this topic is out of this mailing list, but would appreciate any > advise on how to avoid the need of mapping root to root. > I think there is an option to NFS to use kerberos tickets to authenticate users/user actions. Also, the home directories *should* be mounted nosuid on all of the clients *and* the server. The real problem is not the users smuggling in setuid programs but the users having access to other users data they should not see. Sander There is no love, no good, no happiness and no future - all these are just illusions. > [snip] > > -- > Anton Voronin | Ural Regional Center of FREEnet, > | Southern Ural University, Chelyabinsk, Russia > http://www.urc.ac.ru/~anton | Student / programmer / system administrator > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 22:35:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA29182 for freebsd-security-outgoing; Thu, 2 Apr 1998 22:35:41 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA29105 for ; Thu, 2 Apr 1998 22:35:23 -0800 (PST) (envelope-from mark@grondar.za) Received: from greenpeace.grondar.za (q6mXYlb8mj4Y0dJ3jYxFum50P+EuX/qe@greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.8.8/8.8.8) with ESMTP id IAA03756; Fri, 3 Apr 1998 08:34:54 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (N2woVWMlkqQROg6TC8kM8AvSx4Xg69Hn@localhost [127.0.0.1]) by greenpeace.grondar.za (8.8.8/8.8.8) with ESMTP id IAA00305; Fri, 3 Apr 1998 08:34:47 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199804030634.IAA00305@greenpeace.grondar.za> X-Mailer: exmh version 2.0.2 2/24/98 To: Narvi cc: Anton Voronin , Alfred Perlstein , freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 03 Apr 1998 08:34:47 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Narvi wrote: > I think there is an option to NFS to use kerberos tickets to authenticate > users/user actions. The option is there, but the Kerberos code to do it is incomplete. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Apr 2 23:03:17 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA03227 for freebsd-security-outgoing; Thu, 2 Apr 1998 23:03:17 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (root@FLEDGE.RES.CMU.EDU [128.2.91.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA03221 for ; Thu, 2 Apr 1998 23:03:09 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.6.10) with SMTP id CAA15004; Fri, 3 Apr 1998 02:02:49 -0500 (EST) Date: Fri, 3 Apr 1998 02:02:49 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Mark Murray cc: Narvi , freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? In-Reply-To: <199804030634.IAA00305@greenpeace.grondar.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Fri, 3 Apr 1998, Mark Murray wrote: > > I think there is an option to NFS to use kerberos tickets to authenticate > > users/user actions. > > The option is there, but the Kerberos code to do it is incomplete. Distributed file systems such as AFS, DFS, and Coda can make use of Kerberos (in various ways) to authenticate user operations with Kerberos. I know that AFS and Coda both maintain a pool of authenticated connections per user on a client host, and the server verifies that operations come over authenticated connections. AFS and DFS are, of course, commercial products, and are probably far higher-overhead than what you are looking for (they are *not* equivilent to NFS in behavior -- closed servers and all :). Coda is freely available (ports exist for FreeBSD, NetBSD, Linux, and Mach), but is still under development. The Kerberos code is not currently integrated into the main distribution available for download, but should be in there within a version or so. I am currently making protocol-level changes to the RPC package used by Coda, and we have not tested it fully. Coda is also not a drop-in replacement for NFS, as it is also designed with dedicated servers, etc, in mind. AFS and DFS are available from Transarc, http://www.transarc.com/ Coda is an ongoing research project at Carnegie Mellon University, http://www.coda.cs.cmu.edu/ None of this is immediately related to NFS and Kerberos, however. :) To secure NFS between my hosts (which trust each other), I use a combination of private networks, secure IP tunneling using custom softare and SKIP, and packet filters. I'd rather use Coda, but it is not yet sufficiently stable to use in a production environment. Robert N Watson ---- Carnegie Mellon University http://www.cmu.edu/ Trusted Information Systems http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Apr 3 00:15:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA18038 for freebsd-security-outgoing; Fri, 3 Apr 1998 00:15:47 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from adk.gr (COREDUMP.CIS.UPENN.EDU [158.130.6.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA18027 for ; Fri, 3 Apr 1998 00:15:44 -0800 (PST) (envelope-from angelos@dsl.cis.upenn.edu) Received: from dsl.cis.upenn.edu (mg136-094.ricochet.net [204.179.136.94]) by adk.gr (8.8.8/8.8.5) with ESMTP id DAA05256 for ; Fri, 3 Apr 1998 03:13:58 -0500 (EST) Message-Id: <199804030813.DAA05256@adk.gr> To: freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? Date: Fri, 03 Apr 1998 03:14:26 EST From: "Angelos D. Keromytis" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- To: freebsd-security@freebsd.org Subject: Re: Is there a safe way for filesystem export? Cc: Date: 04/03/98, 03:14:25 One way for doing secure (against external attackers, anyway) is to use IPsec. There is/was an IPsec implementation from WIDE for FreeBSD, and my code from OpenBSD should be trivial to port. In fact, we might make a port to FreeBSD during the summer (unfortunately, that would be available only to US citizens). - -Angelos -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBNSSaYb0pBjh2h1kFAQHoCAQAqH0Xb6VNe+FAzCmwRpk9FzuYYWWLIEiI RxVkI0nTRv98h7dsbKv8SOaY7fRZwFWradjwoyuZY0uCUW63x+TjzlQ7guQqor0U m/AoGRHtpTeGpeYvixmjFa74zekdVThoJ8NVJ4thoB39IWPZxdlUM1lv/uYW25Wq Mb7PXW4ECco= =G4Zf -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Apr 3 00:25:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA19825 for freebsd-security-outgoing; Fri, 3 Apr 1998 00:25:12 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from itesec.hsc.fr (root@itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA19803 for ; Fri, 3 Apr 1998 00:24:45 -0800 (PST) (envelope-from pb@hsc.fr) Received: from mars.hsc.fr (pb@mars.hsc.fr [192.70.106.44]) by itesec.hsc.fr (8.8.8/8.8.5/itesec-1.12-nospam) with ESMTP id KAA00889; Fri, 3 Apr 1998 10:23:38 +0200 (MET DST) Received: (from pb@localhost) by mars.hsc.fr (8.8.5/8.8.5/pb-19970301) id KAA07586; Fri, 3 Apr 1998 10:24:17 +0200 (MET DST) Message-ID: <19980403102416.GK52185@mars.hsc.fr> Date: Fri, 3 Apr 1998 10:24:16 +0200 From: Pierre.Beyssac@hsc.fr (Pierre Beyssac) To: angelos@dsl.cis.upenn.edu (Angelos D. Keromytis) Cc: freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? References: <199804030813.DAA05256@adk.gr> X-Mailer: Mutt 0.59.1e Mime-Version: 1.0 In-Reply-To: <199804030813.DAA05256@adk.gr>; from Angelos D. Keromytis on Apr 3, 1998 03:14:26 -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk According to Angelos D. Keromytis: > One way for doing secure (against external attackers, anyway) is to > use IPsec. There is/was an IPsec implementation from WIDE for FreeBSD, > and my code from OpenBSD should be trivial to port. In fact, we might > make a port to FreeBSD during the summer (unfortunately, that would be > available only to US citizens). A while ago, Jordan said that due to a ruling (in the state of California IIRC) there was no problem for wcarchive to export crypto code. Couldn't this be used for IPsec code ? -- Pierre.Beyssac@hsc.fr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Apr 3 00:28:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA20506 for freebsd-security-outgoing; Fri, 3 Apr 1998 00:28:59 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from adk.gr (COREDUMP.CIS.UPENN.EDU [158.130.6.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA20498 for ; Fri, 3 Apr 1998 00:28:56 -0800 (PST) (envelope-from angelos@dsl.cis.upenn.edu) Received: from dsl.cis.upenn.edu (mg136-094.ricochet.net [204.179.136.94]) by adk.gr (8.8.8/8.8.5) with ESMTP id DAA29789 for ; Fri, 3 Apr 1998 03:27:11 -0500 (EST) Message-Id: <199804030827.DAA29789@adk.gr> To: freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? Date: Fri, 03 Apr 1998 03:27:38 EST From: "Angelos D. Keromytis" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- To: freebsd-security@FreeBSD.ORG Subject: Re: Is there a safe way for filesystem export? Cc: Date: 04/03/98, 03:27:37 > A while ago, Jordan said that due to a ruling (in the state of > California IIRC) there was no problem for wcarchive to export > crypto code. Couldn't this be used for IPsec code ? I can certainly legally give that code to Jordan or any US citizen. What he does with it is his business. - -Angelos -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBNSSdeb0pBjh2h1kFAQGryAP/TExB+sG/wk6Boma5vHVJEP1Cx9+qYc5Z QSCHVs81yfZHkoCNVlQ92Dn/DChv6sGfrr55FTW18xfSP36tz5YUtlkCXJ3BYVsX MredhV9UJJisoTSeL8riEdhKsmNbhAPtgE0oXbLZZJ5g73/MOaLQd9u7fPmPzxxa TEMEmOX+MYE= =HvmG -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat Apr 4 05:22:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA15054 for freebsd-security-outgoing; Sat, 4 Apr 1998 05:22:22 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from uddias.diaspro.com (uddias.diaspro.com [194.84.211.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA15044 for ; Sat, 4 Apr 1998 05:22:14 -0800 (PST) (envelope-from vasim@diaspro.com) Received: from localhost (localhost.diaspro.com [127.0.0.1]) by uddias.diaspro.com (8.8.8/8.8.8) with SMTP id TAA05673 for ; Sat, 4 Apr 1998 19:21:58 +0600 (ESS) (envelope-from vasim@diaspro.com) Date: Sat, 4 Apr 1998 19:21:58 +0600 (ESS) From: Vasim Valejev To: freebsd-security@FreeBSD.ORG Subject: RFC-1644 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Hi ! Transactions-TCP (RFC-1644) in FreeBSD (and other systems) can cause problems for security : 1. New variant of SYN-flood attack . Someone can send many T/TCP packets with fake originate address (any unreachable address) and overload (possible cause Denial-Of-Service) victim's server (for example - many T/TCP requests to telnet/ftp/http/etc daemons) . 2. Attack to r*-services (rshd/rlogind without kerberos-authentication) . Hacker can send T/TCP requests with originate address from /etc/hosts.equiv or .rhosts files . In some cases (computer with address from hacker's request can't send TCP-RST packet in time) it possible run commands on attacked target . My experiments shows what attacker just need 10-50 ms delay between victim sending SYN-ACK packet and receiving RST packet from trusted computer (it depends from algorithm rshd/rlogind , place DNS-server with reverse zone , etc) . This attack can be used on other tcp-services with authentication based on ip-address . RFC-1644 must die :( . My english too (*sigh*) . Just do 'sysctl -w net.inet.tcp.rfc1644=0' and forget about it :) . Vasim V. (2:5011/27 http://members.tripod.com/~Vasim VV86-RIPE) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message