From owner-freebsd-security Sun Jun 14 03:25:41 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sun, 14 Jun 1998 11:23:53 +0100
In-Reply-To: dima@best.net (Dima Ruban) "Re: bsd securelevel patch question" (Jun 13, 11:03pm)
To: dima@best.net, avalon@coombs.anu.edu.au (Darren Reed)
Subject: Re: bsd securelevel patch question
Cc: jayrich@room101.sysc.com, security@FreeBSD.ORG

On Jun 13, 11:03pm, Dima Ruban wrote:
} Subject: Re: bsd securelevel patch question
> > > According to Thomas Ptacek, this is not exactly a bug, and after thinking some
> > > more about it, I kinda agree with him. (Feature, not a bug)
> >
> > Given it is exploitable, whether or not it is a feature, is irrelevant.
> > It permits the protection intended by securelevel over /dev/kmem to be
> > bypassed, reducing the overall security of the system.
>
> Hmm, this is not exactly bypassing a protection, you know.
> Mainly because this protection is simply not targeted for this.

That's arguable, consider this quote from the D&I of 4.4BSD

    Files marked immutable include those that are frequently the subject
    of attack by intruders (e.g., login and su). The append-only flag
    is typically used for critical system logs. If an intruder breaks
    in, he will be unable to cover his tracks. Although simple in
    concept, these two features improve the security of a system
    dramatically.

I've already posted the following argument to bugtraq, but I'll repeat
it again here.

Why do they advocate protecting login and su if such protection can
be trivially defeated using the same techniques we demonstrated in
the attack on inetd? And why do they claim these features improve the
security of a system "dramatically" if they can be bypassed so easily?

What use are securelevels without propagating the immutable flag?

Niall

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun Jun 14 13:27:13 1998
To: security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
Date: Sun, 14 Jun 1998 16:20:41 EDT
From: "Angelos D. Keromytis"

I think the right question is to ask "what use are securelevels?"
They're ultimately flawed, so what's the point in trying to fix such
bugs? Is anyone really using securelevels anyway?

-Angelos

From owner-freebsd-security Sun Jun 14 13:49:09 1998
Subject: Re: bsd securelevel patch question
To: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sun, 14 Jun 1998 13:48:24 -0700 (PDT)
Cc: security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Niall Smart writes:
> On Jun 13, 11:03pm, Dima Ruban wrote:
> That's arguable, consider this quote from the D&I of 4.4BSD
>
>     Files marked immutable include those that are frequently the subject
>     of attack by intruders (e.g., login and su). The append-only flag
>     is typically used for critical system logs. If an intruder breaks
>     in, he will be unable to cover his tracks. Although simple in
>     concept, these two features improve the security of a system
>     dramatically.
>
> I've already posted the following argument to bugtraq, but I'll repeat
> it again here.
>
> Why do they advocate protecting login and su if such protection can
> be trivially defeated using the same techniques we demonstrated in
> the attack on inetd? And why do they claim these features improve the
> security of a system "dramatically" if they can be bypassed so easily?
>
> What use are securelevels without propagating the immutable flag?

The problem is - your patch doesn't fix anything. It just makes things more
complicated.
Example was already given, but here we go again:
You make text segment of a program that marked immutable being a read-only.
Excellent. In this case you need to make sure that such a process can't
be killed or basically can't receive any signals. And this breaks the
whole idea of signals. Because otherwise, being root, I can easily kill
such a process and start another one with a back door in it.
pid is not an issue - it can be easily faked to be the same as a target
process.

>
> Niall
>

-- dima

From owner-freebsd-security Sun Jun 14 14:20:27 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sun, 14 Jun 1998 22:19:29 +0100
In-Reply-To: dima@best.net (Dima Ruban) "Re: bsd securelevel patch question" (Jun 14, 1:48pm)
To: dima@best.net, njs3@doc.ic.ac.uk (Niall Smart)
Subject: Re: bsd securelevel patch question
Cc: security@FreeBSD.ORG, abc@ralph.ml.org

On Jun 14, 1:48pm, Dima Ruban wrote:
} Subject: Re: bsd securelevel patch question
> Niall Smart writes:
> > On Jun 13, 11:03pm, Dima Ruban wrote:
> >
> > Why do they advocate protecting login and su if such protection can
> > be trivially defeated using the same techniques we demonstrated in
> > the attack on inetd? And why do they claim these features improve the
> > security of a system "dramatically" if they can be bypassed so easily?
> >
> > What use are securelevels without propagating the immutable flag?
>
> The problem is - your patch doesn't fix anything. It just makes things more
> complicated.
> Example was already given, but here we go again:
> You make text segment of a program that marked immutable being a read-only.
> Excellent. In this case you need to make sure that such a process can't
> be killed or basically can't receive any signals. And this breaks the
> whole idea of signals. Because otherwise, being root, I can easily kill
> such a process and start another one with a back door in it.
> pid is not an issue - it can be easily faked to be the same as a target
> process.

This is not correct, the fix does not require the prevention of killing
immutable processes. Its effectiveness relies on the ability to detect
when a system daemon has died, and one other requirement noted below.
There are a number of ways to achieve the first:

 - Kernel modifications which log whenever a process which has no
   controlling terminal dies. This is straightforward to achieve and
   covers all the important cases. It is even useful for non-security
   related reasons. Of course you can extend this patch to log whenever
   any particular pid dies. This is the recommended approach.

 - Never reuse PID's generated while the system was in secure level 0.
   Again, this is relatively easy to achieve, and prevents the replacement
   of daemons with trojans that have an identical pid, and the monitoring
   can be performed in userland. There is still the question of who
   monitors the death of the monitoring process. This is why the first
   idea is superior.

One of the important implications of the fix is that it moves from the
need to detect covert modification of the system daemons, which is
obviously a critical need, to the need to detect when the daemons have
been whacked using kill and then replaced. It is virtually impossible
to detect the first type of abuse, and indeed I do not believe this
kind of abuse should even be permitted. Detecting when a process dies
is much easier. Also, if the immutable flag is used in the way I
believe it should, then there is nothing the attacker can do to modify
the logs generated when he replaces a daemon, nor can he prevent you
from viewing them.

I mentioned that there was one other way to defeat the patch: If the
intruder can find a way to overflow an internal buffer inside the
daemon then he can still make it execute arbitrary code. There are
certain communication channels which are only between the root user
and the system daemons which may therefore not be well protected in
terms of buffer management. For example, parsing of configuration
files. The only way of preventing against this style of attack is to
either

 - ensure your buffers can't ever be overflowed by _anyone_, this
   is _always_ a good idea.

 - implement a capabilities-based security model; even this isn't
   fool-proof.

Niall

From owner-freebsd-security Sun Jun 14 14:22:19 1998
Date: Sun, 14 Jun 1998 23:21:58 +0200
From: Eivind Eklund
To: Niall Smart, dima@best.net, Darren Reed
Cc: jayrich@room101.sysc.com, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

On Sun, Jun 14, 1998 at 11:23:53AM +0100, Niall Smart wrote:
> On Jun 13, 11:03pm, Dima Ruban wrote:
> } Subject: Re: bsd securelevel patch question
> That's arguable, consider this quote from the D&I of 4.4BSD
>
>     Files marked immutable include those that are frequently the subject
>     of attack by intruders (e.g., login and su). The append-only flag
>     is typically used for critical system logs. If an intruder breaks
>     in, he will be unable to cover his tracks. Although simple in
>     concept, these two features improve the security of a system
>     dramatically.
>
> I've already posted the following argument to bugtraq, but I'll repeat
> it again here.
>
> Why do they advocate protecting login and su if such protection can
> be trivially defeated using the same techniques we demonstrated in
> the attack on inetd? And why do they claim these features improve the
> security of a system "dramatically" if they can be bypassed so easily?
>
> What use are securelevels without propagating the immutable flag?

They can assure that a correct system comes up again after a boot,
with logs of at least the point of attack. This can be a dramatic
improvement.

If you want better protection than that, I think it would be better to
change the entire security model (throw away setuid, for a start).

Eivind.

From owner-freebsd-security Sun Jun 14 14:39:19 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sun, 14 Jun 1998 22:38:55 +0100
In-Reply-To: "Angelos D. Keromytis" "Re: bsd securelevel patch question" (Jun 14, 4:20pm)
To: "Angelos D. Keromytis", security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

On Jun 14, 4:20pm, "Angelos D. Keromytis" wrote:
} Subject: Re: bsd securelevel patch question
>
> I think the right question is to ask "what use are securelevels?"
> They're ultimately flawed, so what's the point in trying to fix such
> bugs? Is anyone really using securelevels anyway?

I think you've got to ask two questions:

1) do they noticeably improve security? 2) can we replace them with
something better? The answer to both questions is yes.

However, answering "yes" to "can we replace them with something
better?" isn't quite the same thing as going out and actually spending
the time designing and implementing the replacement. Apart from the
actual amount of work required, there are other considerations which
may make a replacement less attractive when compared to secure levels,
such as compatibility with legacy code, the new security bugs that
will be introduced during the implementation of such a complex system
and the manageability aspects of a fine grained security policy.

When something better than secure levels comes out, I'll use it, but
till then secure levels remain useful to me and others. On that note,
look at http://www.enteract.com/~tqbf/harden.html.

Niall

From owner-freebsd-security Sun Jun 14 14:45:55 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sun, 14 Jun 1998 22:45:17 +0100
In-Reply-To: Eivind Eklund "Re: bsd securelevel patch question" (Jun 14, 11:21pm)
To: Eivind Eklund, Niall Smart, dima@best.net, Darren Reed
Subject: Re: bsd securelevel patch question
Cc: jayrich@room101.sysc.com, security@FreeBSD.ORG

On Jun 14, 11:21pm, Eivind Eklund wrote:
} Subject: Re: bsd securelevel patch question
> On Sun, Jun 14, 1998 at 11:23:53AM +0100, Niall Smart wrote:
> >
> > What use are securelevels without propagating the immutable flag?
>
> They can assure that a correct system comes up again after a boot,
> with logs of at least the point of attack. This can be a dramatic
> improvement.

Yes, that is an improvement, but not much of one if no logs of the
attack were generated (which is a very likely scenario, I have never
seen logs of an attack, only attempted attacks), or if the attacker
controls the program you are using to view the logs, or if the
attacker controls the syslogd ensuring no suspicious log entries
subsequent to the intrusion ever reach the log files.

Propagating the immutable flag leads to a dramatic improvement, not
propagating it leads to a meagre improvement, in fact it could be
construed as taking a step backwards due to over confidence in the
security of the system just because the secure levels wand has been
waved.

I still haven't heard one convincing argument for not propagating the
immutable flag, and have given plenty for.

Niall

From owner-freebsd-security Sun Jun 14 15:10:37 1998
Date: Mon, 15 Jun 1998 00:09:56 +0200
From: Eivind Eklund
To: Niall Smart, dima@best.net, Darren Reed
Cc: jayrich@room101.sysc.com, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

On Sun, Jun 14, 1998 at 10:45:17PM +0100, Niall Smart wrote:
> Propagating the immutable flag leads to a dramatic improvement, not
> propagating it leads to a meagre improvement, in fact it could be
> construed as taking a step backwards due to over confidence in the
> security of the system just because the secure levels wand has been
> waved.

Propagating it is not a dramatic improvement unless you have some way
of logging killed processes. We presently don't, I believe..

> I still haven't heard one convincing argument for not propagating the
> immutable flag, and have given plenty for.

I'm in favour, if you also patch kern_sig.c to print out the fact that
something has been killed, and that it had the immutable flag set.
Otherwise, I can't see that it is useful at all.

(It'd be nice to print the RUID of the process that sent the signal,
too, but that might be difficult to acquire)

Eivind.

From owner-freebsd-security Sun Jun 14 16:23:27 1998
To: security@FreeBSD.ORG
Subject: Re: bsd securelevels...
Date: Sun, 14 Jun 1998 19:16:49 EDT
From: "Angelos D. Keromytis"

> 1) do they noticeably improve security? 2) can we replace them with
> something better? The answer to both questions is yes.

The answer to (1) is yes only as long as people are using
securelevels. My feeling is that pretty much no one is using them,
because they are viewed (rightfully, IMO) as being both too twisted
and not secure enough to justify setting them.

I don't really care whether the patch goes in or not (it won't affect
any system I am or will use anyway), so this is my last message on the
subject.

-Angelos

From owner-freebsd-security Sun Jun 14 18:41:37 1998
To: njs3@doc.ic.ac.uk (Niall Smart)
cc: dima@best.net, security@FreeBSD.ORG, abc@ralph.ml.org
Subject: Re: bsd securelevel patch question
In-reply-to: Your message of "Sun, 14 Jun 1998 22:19:29 BST."
From: David Greenman
Reply-To: dg@root.com
Date: Sun, 14 Jun 1998 18:38:47 -0700

> - implement a capabilities-based security model; even this isn't
>   fool-proof.

As a former VMS developer, I've been wanting to do that for years in
FreeBSD. login.conf seems like the ideal place to build the privilege
list and the changes to the kernel aren't very difficult, just tedious.
One of these days...

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Mon Jun 15 03:53:47 1998
From: Darren Reed
Subject: Re: bsd securelevels...
To: angelos@dsl.cis.upenn.edu (Angelos D. Keromytis)
Date: Mon, 15 Jun 1998 20:53:24 +1000 (EST)
Cc: security@FreeBSD.ORG
In-Reply-To: <199806142322.TAA26158@adk.gr> from "Angelos D. Keromytis" at Jun 14, 98 07:16:49 pm

In some mail from Angelos D. Keromytis, sie said:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> To: security@freebsd.org
> Subject: Re: bsd securelevels...
> Cc:
> Date: 06/14/98, 19:16:47
>
>
> > 1) do they noticeably improve security? 2) can we replace them with
> > something better? The answer to both questions is yes.
>
> The answer to (1) is yes only as long as people are using
> securelevels. My feeling is that pretty much no one is using them,
> because they are viewed (rightfully, IMO) as being both too twisted
> and not secure enough to justify setting them.

I imagine any firewall running FreeBSD has it set to > 0...

From owner-freebsd-security Mon Jun 15 04:01:05 1998
From: Darren Reed
Subject: Re: bsd securelevel patch question
To: njs3@doc.ic.ac.uk (Niall Smart)
Date: Mon, 15 Jun 1998 20:58:04 +1000 (EST)
Cc: eivind@yes.no, njs3@doc.ic.ac.uk, dima@best.net, avalon@coombs.anu.edu.au, jayrich@room101.sysc.com, security@FreeBSD.ORG

btw, using the immutable flag(s) without setting the securelevel > 0 is
fruitless as raw device access remains open...

using both, is required, if you're going to use either.

From owner-freebsd-security Mon Jun 15 04:07:11 1998
Date: Mon, 15 Jun 1998 13:06:52 +0200
From: Eivind Eklund
To: Darren Reed
Cc: security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

On Mon, Jun 15, 1998 at 08:58:04PM +1000, Darren Reed wrote:
>
> btw, using the immutable flag(s) without setting the securelevel > 0 is
> fruitless as raw device access remains open...
>
> using both, is required, if you're going to use either.

Of course. If you have securelevel <= 0, you can just use chflags to
remove the immutable flag, so that is _truly_ pointless. It doesn't
even slow down an attacker.

Eivind.

From owner-freebsd-security Mon Jun 15 04:25:59 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Mon, 15 Jun 1998 12:23:37 +0100
In-Reply-To: Darren Reed "Re: bsd securelevel patch question" (Jun 15, 8:58pm)
To: Darren Reed, njs3@doc.ic.ac.uk (Niall Smart)
Subject: Re: bsd securelevel patch question
Cc: eivind@yes.no, dima@best.net, jayrich@room101.sysc.com, security@FreeBSD.ORG

On Jun 15, 8:58pm, Darren Reed wrote:
} Subject: Re: bsd securelevel patch question
>
> btw, using the immutable flag(s) without setting the securelevel > 0 is
> fruitless as raw device access remains open...
>
> using both, is required, if you're going to use either.

> 1 you mean.

Secure level 0 is insecure mode.

Niall

From owner-freebsd-security Mon Jun 15 08:15:51 1998
Date: Mon, 15 Jun 1998 11:14:37 -0400 (EDT)
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
In-Reply-To: Niall Smart's message of "Sun, June 14, 1998 22:19:29 +0100" regarding "Re: bsd securelevel patch question"
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Sun, June 14, 1998 at 22:19:29 (+0100), Niall Smart wrote: ]
> Subject: Re: bsd securelevel patch question
>
> This is not correct, the fix does not require the prevention of killing
> immutable processes. Its effectiveness relies on the ability to detect
> when a system daemon has died, and one other requirement noted below.
> There are a number of ways to achieve the first:
>
>  - Kernel modifications which log whenever a process which has no
>    controlling terminal dies. This is straightforward to achieve and
>    covers all the important cases. It is even useful for non-security
>    related reasons. Of course you can extend this patch to log whenever
>    any particular pid dies. This is the recommended approach.

I presume you really mean "when a process which has no controlling
terminal dies *abnormally*". Lots and lots of processes in the general
category of "have no controlling terminal" will die "normally" during
the lifetime of a system, and I don't think they need to be logged
specially....

>  - Never reuse PID's generated while the system was in secure level 0.
>    Again, this is relatively easy to achieve, and prevents the replacement
>    of daemons with trojans that have an identical pid, and the monitoring
>    can be performed in userland. There is still the question of who
>    monitors the death of the monitoring process. This is why the first
>    idea is superior.

I don't think this is an either/or proposition -- they are not
conflicting. I.e. "and", not "or" is the correct conjunction!

--
Greg A. Woods

+1 416 443-1734 VE3TCP
Planix, Inc. ; Secrets of the Weird

From owner-freebsd-security Mon Jun 15 08:17:02 1998
Date: Mon, 15 Jun 1998 11:14:35 -0400
From: Matthew Hunt
To: Niall Smart, Darren Reed
Cc: eivind@yes.no, dima@best.net, jayrich@room101.sysc.com, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

On Mon, Jun 15, 1998 at 12:23:37PM +0100, Niall Smart wrote:
> > btw, using the immutable flag(s) without setting the securelevel > 0 is
> > fruitless as raw device access remains open...
> > 1 you mean.
>
> Secure level 0 is insecure mode.

Yes, so securelevel > 0, or securelevel >= 1.

--
Matthew Hunt * Stay close to the Vorlon.
http://www.pobox.com/~mph/pgp.key for PGP public key 0x67203349.

From owner-freebsd-security Mon Jun 15 08:47:48 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Mon, 15 Jun 1998 16:35:23 +0100
To: Matthew Hunt, Niall Smart, Darren Reed
Subject: Re: bsd securelevel patch question
Cc: eivind@yes.no, dima@best.net, jayrich@room101.sysc.com, security@FreeBSD.ORG

On Jun 15, 11:14am, Matthew Hunt wrote:
} Subject: Re: bsd securelevel patch question
> On Mon, Jun 15, 1998 at 12:23:37PM +0100, Niall Smart wrote:
>
> > > btw, using the immutable flag(s) without setting the securelevel > 0 is
> > > fruitless as raw device access remains open...
>
> > > > 1 you mean.

That's greater than 1, i.e., >= 2, not a quote and then 1.

> >
> > Secure level 0 is insecure mode.
>
> Yes, so securelevel > 0, or securelevel >= 1.

At securelevel 1 disks can be unmounted and their device files accessed.
Securelevel 1 is no good.

Niall

From owner-freebsd-security Mon Jun 15 08:53:55 1998
Date: Mon, 15 Jun 1998 12:50:34 -0300
To: freebsd-questions@FreeBSD.ORG
From: Capriotti
Subject: SKIP and IP encryptation
Cc: capriotti@geocities.com, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG

Hello.

I am sorry for the crossposting; I thought it could save some time and
maximize the search capabilities.

Is there any case of successful implementation of IP encryption provided
by SKIP someone could tell me about ?

And, of course, the other side: The vulnerable/not very favorable points of
SKIP like performance, reliability, etc.

TIA

From owner-freebsd-security Mon Jun 15 09:47:41 1998
From: Archie Cobbs
Subject: Re: SKIP and IP encryptation
To: capriotti@geocities.com (Capriotti)
Date: Mon, 15 Jun 1998 09:45:33 -0700 (PDT)
Cc: freebsd-questions@FreeBSD.ORG, capriotti@geocities.com, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG

Capriotti writes:
> Is there any case of successful implementation of IP encryption provided
> by SKIP someone could tell me about ?

Yes, several folks have used it successfully. Check out the SKIP
port available as /usr/ports/security/skip if you haven't already
and/or subscribe to and ask on the SKIP mailing list, skip-info@rt.com.

> And, of course, the other side: The vulnerable/not very favorable points of
> SKIP like performance, reliability, etc.

It's kind of complicated to administer.. it's worth reading all of
the ample documentation first. Seems reliable, and performance
of course depends on your hardware.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Mon Jun 15 13:40:09 1998
Date: Mon, 15 Jun 1998 16:39:06 -0400 (EDT)
From: Garrett Wollman
To: Eivind Eklund
Cc: Darren Reed, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

< said:

> remove the immutable flag, so that is _truly_ pointless. It doesn't
> even slow down an attacker.

In the past, it certainly has done so. Remember that most
kiddie-crackers are totally clueless -- if the version of r00tkit
they're running doesn't know how to do it, they don't either.

Just the same, my ``public'' machine (xyz.lcs.mit.edu, which is
supposed to be one of the ftp?.freebsd.org, but no matter how many
times I mention it to DG it never happens; also cvsup3.freebsd.org)
has historically run with lots of interesting directories append-only,
important files immutable, and securelevel 2. Of course, it also
doesn't run sendmail -bd, lpd, or most of the stuff from inetd. (It
does run portmap -- which should be optional -- because I never
bothered to hack /etc/rc to make it configurable.)

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Mon Jun 15 14:15:38 1998
From: greeves
To: "security@FreeBSD.ORG"
Subject: RE: bsd securelevels...
Date: Mon, 15 Jun 1998 16:13:23 -0500

>> 1) do they noticeably improve security? 2) can we replace them with
>> something better? The answer to both questions is yes.

>The answer to (1) is yes only as long as people are using
>securelevels. My feeling is that pretty much no one is using them,
>because they are viewed (rightfully, IMO) as being both too twisted
>and not secure enough to justify setting them.

More likely nobody is using them because they are not now known, and
are not being pushed. I run a network that *would* have been using
them, had I *KNOWN* about them! Remember, a great deal of the FBSD
world is *NOT* on the edge of the technology, and that includes the
more "advanced" users who came from different *nix environments (such
as myself).

I came to FBSD out from a commercial SVR3/4 environment that did not
have anything like secure levels. Even though I came here *because* of
heightened security awareness, the fact is that I still know only as much
about securelevels as has been posted in the recent spate of warnings
on it.

Possibly someone should generate a little verbiage in the FAQ about this!

J.A. Terranson
sysadmin@mfn.org

From owner-freebsd-security Mon Jun 15 14:16:26 1998
Date: Mon, 15 Jun 1998 17:15:48 -0400
From: Matthew Hunt
To: Niall Smart, Darren Reed
Cc: eivind@yes.no, dima@best.net, jayrich@room101.sysc.com, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question

On Mon, Jun 15, 1998 at 04:35:23PM +0100, Niall Smart wrote:

> > > > 1 you mean.
>
> That's greater than 1, i.e., >= 2, not a quote and then 1.

Yep, my mental block was elsewhere. :-)

> At securelevel 1 disks can be unmounted and their device files accessed.
> Securelevel 1 is no good.

You are right; I thought the question was when the schg flags became
"permanent". I forgot that the device files could circumvent that.

Regards,
Matt

--
Matthew Hunt * Stay close to the Vorlon.
http://www.pobox.com/~mph/pgp.key for PGP public key 0x67203349.
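
The point reached in the messages above (immutable and append-only flags only hold up when the securelevel is 2 or higher) can be checked mechanically; the following audit script is an added example, not code posted by anyone in the thread. It assumes the input is `ls -lo` output and the level comes from `sysctl -n kern.securelevel`; the policy list and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit securelevel and file flags.
# The policy and the sample listing below are constructed for illustration.

# "path:flag" pairs. schg = system immutable, sappnd = system append-only.
POLICY="/sbin/init:schg
/usr/bin/login:schg
/usr/bin/su:schg
/usr/sbin/inetd:schg
/var/log/messages:sappnd"

# has_flag FLAGS WANTED: succeed if WANTED is in the comma-separated FLAGS.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_flags LEVEL: LEVEL is the value of `sysctl -n kern.securelevel`,
# stdin is `ls -lo` output for the policy paths. Prints one line per
# finding, then "findings: N".
audit_flags() {
    level=$1
    n=0
    listing=$(cat)
    if [ "$level" -lt 1 ]; then
        echo "FAIL securelevel=$level: flags can be cleared; raw device access remains open"
        n=$((n + 1))
    elif [ "$level" -eq 1 ]; then
        echo "WARN securelevel=1: a disk can be unmounted and its device file accessed"
        n=$((n + 1))
    fi
    for entry in $POLICY; do
        path=${entry%%:*}
        want=${entry##*:}
        # In `ls -lo` output field 5 is the flags column ("-" when empty)
        # and the last field is the path.
        flags=$(printf '%s\n' "$listing" |
            awk -v p="$path" '$NF == p { print $5; exit }')
        if [ -z "$flags" ]; then
            echo "FAIL $path: not in listing"
            n=$((n + 1))
        elif ! has_flag "$flags" "$want"; then
            echo "FAIL $path: flags=$flags, want $want"
            n=$((n + 1))
        fi
    done
    echo "findings: $n"
}

# Constructed sample of `ls -lo` output; /usr/bin/su is missing schg.
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg 204800 Jun  7 12:00 /sbin/init
-r-sr-xr-x  1 root  wheel  schg 20480 Jun  7 12:00 /usr/bin/login
-r-sr-xr-x  1 root  wheel  -  12288 Jun  7 12:00 /usr/bin/su
-r-xr-xr-x  1 root  wheel  schg 28672 Jun  7 12:00 /usr/sbin/inetd
-rw-------  1 root  wheel  sappnd 51234 Jun 15 16:00 /var/log/messages
EOF
}

sample_listing | audit_flags 1
```

On a live host the equivalent call would be `ls -lo` over the policy paths piped into `audit_flags "$(sysctl -n kern.securelevel)"`.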

From owner-freebsd-security Mon Jun 15 16:29:49 1998
To: Garrett Wollman
cc: Eivind Eklund, Darren Reed, security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
From: David Greenman
Date: Mon, 15 Jun 1998 16:26:02 -0700

>Just the same, my ``public'' machine (xyz.lcs.mit.edu, which is
>supposed to be one of the ftp?.freebsd.org, but no matter how many
>times I mention it to DG it never happens; also cvsup3.freebsd.org)

It's assigned to ftp5.freebsd.org.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Mon Jun 15 19:39:27 1998
Date: Mon, 15 Jun 1998 20:36:30 -0600
From: Kenneth Ingham
To: Darren Reed, "Angelos D. Keromytis"
Cc: security@FreeBSD.ORG
Subject: Re: bsd securelevels...

For those wondering about securelevels, I have several machines running
with securelevel > 1.

Kenneth

From owner-freebsd-security Wed Jun 17 13:25:43 1998
Date: Wed, 17 Jun 1998 15:48:37 +0000 ()
From: Marc Rassbach
To: Brian Somers, list, nat3, nat4
Subject: FreeBSD 2.2.6, NAT and SKIP

I'm trying to set up a network like this:
(IPs changed to protect the guilty)

1) Anyone wanna share the Landmines for the V.35 move?
2) How can I get SKIP on FreeBSD 2.2.6 to "de-skipify" incoming skip
   traffic from , oh, say 156.46.1.1 on the net going to the
   no-skip-unix box at 204.107.138.114 AKA 192.168.1.6?
3) Instead of ppp alias doing the NAT/IP Masquerading/aliasing, how can
   I have natd do the NAT/IP Masquerading/aliasing work for me?

        modem to net via tun0/ppp.  Will be moving to a V.35 interface
        |                           in 1-2 months.
+-----------------+
| Freebsd 226     |  204.107.138.113/28
+-----------------+
        | ed0 interface 192.168.1.254
        |
        +-----------------------------------+
        | 192.168.1.6                       | 192.168.1.31
        | would like it to be               | would like it to be
        | 204.107.138.114 to da net         | 204.107.138.115 to da net
+-----------------+               +---------------------+
| Unix box that   |               | NT box that can run |
| can not run SKIP|               | SKIP                |
+-----------------+               +---------------------+

What I have gotten working:
1) SKIP and NT. (instructions for how in next post to skip-list ok?)
2) ppp alias function (thus letting the unix/NT box to be seen)

What Hasn't worked for me:
1) ifconfig ed0 192.168.2.6 netmask 255.255.255.255 alias
   then trying to tell natd to do redirect_address 192.168.1.6 192.168.2.6
   didn't work.
2) ip-filter/ipnat. Got it compiled, but wouldn't NAT for me.

Please respond directly via e-mail, if possible.

From owner-freebsd-security Thu Jun 18 21:47:18 1998
Date: Fri, 19 Jun 1998 12:47:12 +0700
From: "Vladimir N. Kovalev"
To: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Is this a trojan horse ?

Hello !

Yesterday, I installed a 2.2-980607-SNAP.
Today, I run "mtree -p / -f bin.mtree -e -K md5digest >/root/tmp/qqmtree 2>&1 &"
and see:
...
sbin/init:
        size (204800, 208896)
        MD5 (758865f0a57ff876be1182835ec29c10, 0407733ab6f2913bca0c0d77ca5a37f6)
....

Please, tell me why this is happening ?
Is this a trojan horse ?

Thanks in advance !

Vladimir N. Kovalev

From owner-freebsd-security Fri Jun 19 06:33:07 1998
Date: Fri, 19 Jun 1998 08:32:33 -0500 (CDT)
From: Guy Helmer
To: "Vladimir N. Kovalev"
cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Is this a trojan horse ?

On Fri, 19 Jun 1998, Vladimir N. Kovalev wrote:

> Yesterday, I installed a 2.2-980607-SNAP.
> Today, I run "mtree -p / -f bin.mtree -e -K md5digest >/root/tmp/qqmtree 2>&1 &"
> and see:
> ....
> sbin/init:
>         size (204800, 208896)
>         MD5 (758865f0a57ff876be1182835ec29c10, 0407733ab6f2913bca0c0d77ca5a37f6)
> ....
>
> Please, tell me why this is happening ?
> Is this a trojan horse ?

It is probably not a trojan horse. Did you install the "des" package
during your installation? If so, /sbin/init will be different than the
/sbin/init in the "bin" distribution due to the inclusion of the des
password encoding routines in its executable. /sbin/init is one of the
files replaced by the "des" distribution -- check it against the
des.mtree file.

Guy Helmer

Guy Helmer, Graduate Student, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
http://www.cs.iastate.edu/~ghelmer

From owner-freebsd-security Fri Jun 19 20:10:40 1998
From: "Allen Smith"
Date: Fri, 19 Jun 1998 23:07:42 -0400
To: dg@root.com, njs3@doc.ic.ac.uk (Niall Smart)
Subject: Re: bsd securelevel patch question
Cc: dima@best.net, security@FreeBSD.ORG, abc@ralph.ml.org, tqbf@secnet.com

On Jun 14, 6:38pm, David Greenman (possibly) wrote:
> > - implement a capabilities-based security model; even this isn't
> >   fool-proof.
>
> As a former VMS developer, I've been wanting to do that for years in
> FreeBSD. login.conf seems like the ideal place to build the privilege
> list and the changes to the kernel aren't very difficult, just tedious.
> One of these days...

Why are you wanting to do it via login.conf, instead of via multiple
groups? I'm asking because I'm looking at doing this for ICMP sockets
(raw sockets limited to ICMP) so that programs such as ping, squid's
pinger, etcetera can be setgid as opposed to setuid. (This is
discussed in much detail on http://www.enteract.com/~tqbf/harden.html
which is why I'm ccing him.)

Thanks,

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

From owner-freebsd-security Fri Jun 19 20:38:09 1998
From: tqbf@pobox.com
Subject: Re: bsd securelevel patch question
To: easmith@beatrice.rutgers.edu (Allen Smith)
Date: Fri, 19 Jun 1998 22:38:09 -0500 (CDT)
Cc: dg@root.com, njs3@doc.ic.ac.uk, dima@best.net, security@FreeBSD.ORG, abc@ralph.ml.org, tqbf@secnet.com

> Why are you wanting to do it via login.conf, instead of via multiple
> groups? I'm asking because I'm looking at doing this for ICMP sockets

I don't see how you'd use login.conf to handle restricted system
capabilities (such as network access); these are privileges extended to
users by the kernel, not by other processes on the system who can use a
login.conf API to access information in that file.

One idea is to allow GID "icmp" access to ICMP raw socket functionality,
and then have only one process on the system run with these credentials
(the "icmpd"). Users could make requests of the icmpd via local IPC, and
the daemon could validate these requests against login.conf.

This solution has very real security benefits, but I find administrating
them from login.conf to be clumsy. In terms of transitioning away from
binary "superuser" privilege, I think normal Unix filesystem security
semantics (owner, group, and SET[UG]ID) are expressive enough.

Since I have entire systems built up and deployed with hacks like these,
I am very interested in hearing how other people are approaching this
issue. More importantly, I am very interested in talking to people about
moving forward with some sort of coherent model for providing enhanced
system-level security.

Thanks for writing.

-----------------------------------------------------------------------------
Thomas H. Ptacek The Company Formerly Known As Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf "If you're so special, why aren't you dead?"
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat Jun 20 04:21:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA14392 for freebsd-security-outgoing; Sat, 20 Jun 1998 04:21:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from wumpus.its.uow.edu.au (wumpus.its.uow.edu.au [130.130.68.12]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA14379 for ; Sat, 20 Jun 1998 04:21:15 -0700 (PDT) (envelope-from ncb05@uow.edu.au) Received: from banshee.cs.uow.edu.au (ncb05@banshee.cs.uow.edu.au [130.130.188.1]) by wumpus.its.uow.edu.au (8.9.0.Beta5/8.9.0.Beta5) with SMTP id VAA16064 for ; Sat, 20 Jun 1998 21:21:14 +1000 (EST) Date: Sat, 20 Jun 1998 21:21:14 +1000 (EST) From: Nicholas Charles Brawn X-Sender: ncb05@banshee.cs.uow.edu.au To: security@FreeBSD.ORG Subject: non-executable stack? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I was pondering the following after reading about solaris 2.6's non-executable stack option. 1. How feasible is it to implement a non-executable stack kernel option? 2. If it *is* feasible, what do people think of a sysctl-based interface to enable/disenable it? 3. If both 1 & 2 were implemented, how about making it impossible to disenable at say.. securelevel >= 1? If I remember the discussions on bugtraq right, a non-exec patch isn't a cure-all for buffer overflow attacks. However it would be an overall security enhancement and prevent many script-based attacks. What are peoples thoughts on this? 
Nick -- Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat Jun 20 05:32:33 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA19771 for freebsd-security-outgoing; Sat, 20 Jun 1998 05:32:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA19762 for ; Sat, 20 Jun 1998 05:32:31 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199806201232.FAA19762@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA014925843; Sat, 20 Jun 1998 22:30:43 +1000 From: Darren Reed Subject: Re: non-executable stack? To: ncb05@uow.edu.au (Nicholas Charles Brawn) Date: Sat, 20 Jun 1998 22:30:43 +1000 (EST) Cc: security@FreeBSD.ORG In-Reply-To: from "Nicholas Charles Brawn" at Jun 20, 98 09:21:14 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Nicholas Charles Brawn, sie said: > > I was pondering the following after reading about solaris 2.6's > non-executable stack option. If it is of any benefit, the option isn't available for Solaris-x86, nor the older SPARC chips. 
Darren

From owner-freebsd-security Sat Jun 20 09:58:31 1998
Date: Sat, 20 Jun 1998 12:57:26 -0400 (EDT)
From: jtb
To: Nicholas Charles Brawn
cc: security@FreeBSD.ORG
Subject: Re: non-executable stack?

It could just be me, but why are we discussing Solaris 2.6 kernel options
on the FreeBSD security mailing list, if anyone wants to discuss the
potential of instituting a similar patch in FreeBSD I'm all ears, but I
still don't see how discussing Solaris kernel options has anything to do
with FreeBSD security.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jonathan T. Bowie                        ADM w00w00 WSD
jobe@sekurity.org    jtb@pubnix.org    jobe@dataforce.net
Independent Security Developer
Home: (603)436-5698    "I'd hate to advocate drugs, sex, alcohol, or
Cell: (603)553-6697     violence... to any one, but they've worked for me."
                                              -- Hunter S. Thompson
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

On Sat, 20 Jun 1998, Nicholas Charles Brawn wrote:

> I was pondering the following after reading about Solaris 2.6's
> non-executable stack option.
>
> 1. How feasible is it to implement a non-executable stack kernel option?
> 2. If it *is* feasible, what do people think of a sysctl-based interface
>    to enable/disenable it?
> 3. If both 1 & 2 were implemented, how about making it impossible to
>    disenable at say.. securelevel >= 1?
>
> If I remember the discussions on bugtraq right, a non-exec patch isn't a
> cure-all for buffer overflow attacks. However it would be an overall
> security enhancement and prevent many script-based attacks.
>
> What are people's thoughts on this?
>
> Nick
>
> --
> Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
> Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A

From owner-freebsd-security Sat Jun 20 10:02:55 1998
Date: Sat, 20 Jun 1998 13:01:55 -0400 (EDT)
From: jtb
To: Nicholas Charles Brawn
cc: security@FreeBSD.ORG
Subject: Re: non-executable stack?

BTW, if the Solaris kernel works the same as the Linux kernel (most
likely because they're both SysV to an extent) return into libc attacks
should work, although I would have to talk to Solar Designer about it, as
I've never worked with the Solaris stack.
Check http://www.false.com/~solar/ I think he has his non-standard
buffer overflow paper there, if not, check bugtraq archives.

From owner-freebsd-security Sat Jun 20 10:57:04 1998
Date: Sat, 20 Jun 1998 13:56:03 -0400 (EDT)
From: jtb
To: ben@rosengart.com
cc: freebsd-security@FreeBSD.ORG
Subject: Re: non-executable stack?

I'm very sorry, I seem to have misread his post, and I would like to
apologize.

On Sat, 20 Jun 1998, Snob Art Genre wrote:

> On Sat, 20 Jun 1998, jtb wrote:
>
> > It could just be me, but why are we discussing Solaris 2.6 kernel options
> > on the FreeBSD security mailing list, if anyone wants to discuss the
> > potential of instituting a similar patch in FreeBSD I'm all ears, but I
> > still don't see how discussing Solaris kernel options has anything to do
> > with FreeBSD security.
>
> The message to which you responded mentioned the Solaris option and
> discussed the possibility of implementing something similar in FreeBSD,
> and what the interface to use it should be. It seems completely on topic
> to me, I don't understand your objection.
>
>
> Ben
>
> "You have your mind on computers, it seems."

From owner-freebsd-security Sat Jun 20 14:54:36 1998
From: Tony Johnson
To: "'freebsd-security@FreeBSD.ORG'", "'FreeBSD hackers'"
Subject: cc/gcc optimization options
Date: Sat, 20 Jun 1998 16:54:25 -0500

When I configure a kernel I usually use the optimization options
Wall -g -O4 fomit-frame-pointer funroll-all-loops fno-strength-reduce
fno-strict-protoypes fast-math. Applications such as Crack and Apache
recommend using the highest optimizations and I came to these
conclusions. I noticed that my ipfw may go nuts every month/1.5 months
and I have to execute /etc/rc.firewall to resolve the problem. Could the
way I configured my kernel be causing the ipfw to run amok? It seems as
if configuring the kernel w/these options makes FreeBSD use less
resources and runs a bit faster. Any comments/Suggestions???