From owner-freebsd-security Sun Mar 19 17:04:28 2000
From: "Chutima S."
To: freebsd-security@FreeBSD.ORG
Cc: freebsd-net@FreeBSD.ORG
Date: Sun, 19 Mar 2000 17:04:22 -0800
Subject: Multiple process run from rc.conf.local

Dear all,

I'm running FreeBSD-3.4-Stable. I created rc.conf.local to run additional processes at startup time. But I found that all processes in the file rc.conf.local were restarted every day and every week (it looks like the daily and weekly routine checks for the system start them). What happened? Do I misuse rc.conf.local? Should I move my startup script to /usr/local/etc/rc.d instead?

Thanks,
--
Chutima Subsirin
chutima_s@zdnetonebox.com - email

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 19 19:29:16 2000
From: "Crist J. Clark"
To: "Chutima S."
Date: Sun, 19 Mar 2000 22:29:08 -0500
Subject: Re: Multiple process run from rc.conf.local

On Sun, Mar 19, 2000 at 05:04:22PM -0800, Chutima S. wrote:
> Dear all,
>
> I'm running FreeBSD-3.4-Stable. I created rc.conf.local to run additional
> processes at startup time. But I found that all processes in the file
> rc.conf.local were restarted every day and every week (it looks like the
> daily and weekly routine checks for the system start them). What happened?
> Do I misuse rc.conf.local?

Yes. rc.conf.local should only set values used by other scripts.
The periodic(8) scripts load the values in defaults/rc.conf, rc.conf, and, if you have one, rc.conf.local.

> Should I move my startup script to /usr/local/etc/rc.d instead?

Yes. It belongs there or in rc.local (although the latter is officially deprecated).

And this really should have gone to -questions rather than either -security or -net.
--
Crist J. Clark                          cjclark@home.com

From owner-freebsd-security Sun Mar 19 22:31:53 2000
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Date: Sun, 19 Mar 2000 22:31:45 -0800 (PST)
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:07.mh [REVISED]

=============================================================================
FreeBSD-SA-00:07                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          mh/nmh/exmh/exmh2 ports allow remote execution of binary code

Category:       ports
Module:         mh/nmh/exmh/exmh2
Announced:      2000-03-15
Revised:        2000-03-19
Affects:        Ports collection before the correction date.
Corrected:      [See below for a more complete description]
                All versions fixed in 4.0-RELEASE.
                mh:     2000-03-04
                nmh:    2000-02-29
                exmh:   2000-03-05
                exmh2:  2000-03-05
FreeBSD only:   NO

I.   Background

MH and its successor NMH are popular Mail User Agents. EXMH and EXMH2 are TCL/TK-based front-ends to the MH system. There are also Japanese-language versions of the MH and EXMH2 ports, but these are developed separately and are not vulnerable to the problem described here.

II.  Problem Description

The mhshow command used for viewing MIME attachments contains a buffer overflow which can be exploited by a specially-crafted email attachment, which will allow the execution of arbitrary code as the local user when the attachment is opened.

The *MH ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to this problem.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

An attacker who can convince a user to open a hostile MIME attachment sent as part of an email message can execute arbitrary binary code running with the privileges of that user.

If you have not chosen to install any of the mh/nmh/exmh/exmh2 ports/packages, then your system is not vulnerable.

The Japanese-language version of MH is being actively developed and is believed to have fixed this particular problem over a year ago. Consequently the ja-mh and ja-exmh2 ports are not believed to be vulnerable to this problem.

IV.  Workaround

1) Remove the mhshow binary, located in /usr/local/bin/mhshow. This will prevent the viewing of MIME attachments from within *mh.

2) Remove the mh/nmh/exmh/exmh2 ports, if you have installed them.

V.   Solution

The English-language version of the MH software is no longer actively developed, and no fix is currently available. It is unknown whether a fix to the problem will be forthcoming; consider upgrading to use NMH instead, which is the designated successor of the MH software. EXMH and EXMH2 can both be compiled to use NMH instead (this is now the default behaviour). It is not necessary to recompile EXMH/EXMH2 after reinstalling NMH.

SOLUTION: Remove any old versions of the mail/mh or mail/nmh ports and perform one of the following:

1) Upgrade your entire ports collection and rebuild the mail/nmh port.

2) Reinstall a new package obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz

3) Download a new port skeleton for the nmh port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

VI.  Revision history

v1.0  2000-03-15  Initial release
v1.1  2000-03-19  Update to note that the Japanese-localized ports are not vulnerable

From owner-freebsd-security Mon Mar 20 13:44:56 2000
From: Dave McKay
To: freebsd-security@freebsd.org
Cc: freebsd-hackers@freebsd.org
Date: Mon, 20 Mar 2000 15:46:14 -0600
Subject: ports security advisories..
Is it really necessary to post the ports security advisories? The exploitable programs are not part of the FreeBSD OS, they are third party software. I think the proper place for these is the Bugtraq mailing list on securityfocus.com. Also to add to the arguments, most of the advisories are not FreeBSD specific.

--
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com
I'm feeling lucky...

From owner-freebsd-security Mon Mar 20 13:54:34 2000
From: Brad Guillory
To: freebsd-security@freebsd.org
Date: Mon, 20 Mar 2000 15:55:49 -0600
Subject: Re: ports security advisories..

I would like to see them stay. If I have a port installed it is nice to know that SAs regarding that port will come to this list. The bandwidth used is far less than the bandwidth used by people who sign every post that they make. ;-)

BMG

On Mon, Mar 20, 2000 at 03:46:14PM -0600, Dave McKay wrote:
> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.
>
> --
> Dave McKay
> Network Engineer - Google Inc.
> dave@mu.org - dave@google.com
> I'm feeling lucky...

--
   __O
 _-\<,_    Why drive when you can bike?
(_)/ (_)

From owner-freebsd-security Mon Mar 20 13:57:16 2000
From: Marc Rassbach
To: Dave McKay
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Date: Mon, 20 Mar 2000 15:55:12 -0600 (CST)
Subject: Re: ports security advisories..

Is it necessary to post ports security advisories? YES.

Should they be on this list? You think not. And until a list exists for security on FreeBSD not related to core OS/packages, this is the best forum for it, as it relates to FreeBSD Security.

On Mon, 20 Mar 2000, Dave McKay wrote:
> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.
>
> --
> Dave McKay
> Network Engineer - Google Inc.
> dave@mu.org - dave@google.com
> I'm feeling lucky...

From owner-freebsd-security Mon Mar 20 14:12:38 2000
From: Antoine Beaupre
To: Dave McKay
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 20 Mar 2000 17:11:43 -0500 (EST)
Subject: Re: ports security advisories..

[trimmed -hackers from CC:]

I personally think that yes, it is necessary. And I consider that the ports collection is part of FreeBSD and any use of it that may be harmful must be published. The software is not FBSD responsibility but if we find bugs in the ports, better report them.

My 2 cents.

---
Big Brother told Dave McKay to write, at 15:46 of March 20:
> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.
>
> --
> Dave McKay
> Network Engineer - Google Inc.
> dave@mu.org - dave@google.com
> I'm feeling lucky...
--
If the image gives the illusion of knowing,
it is because the adage claims that, to believe,
all that matters is to see.
                                        Lofofora

From owner-freebsd-security Mon Mar 20 14:21:21 2000
From: Casey Dinsmore
To: Dave McKay, freebsd-security@FreeBSD.ORG
Cc: freebsd-hackers@FreeBSD.ORG
Date: Mon, 20 Mar 2000 14:24:48 -0800
Subject: RE: ports security advisories..

I think that it is a necessary thing to do, since these programs are offered in the ports collection, and this is -security after all. It was nice and convenient to have the advisories posted because I just happened to have completed installing lynx-ssl from the ports collection mere hours before they were posted on Wednesday.

Casey Dinsmore
Webmaster / Network Administrator
Vatyx, Inc.
cdinsmore@vatyx.com
http://www.vatyx.com
Phone: 541.929.6496
Fax: 541.929.2251

> -----Original Message-----
> From: Dave McKay [SMTP:dave@mu.org]
> Sent: Monday, March 20, 2000 1:46 PM
> To: freebsd-security@FreeBSD.ORG
> Cc: freebsd-hackers@FreeBSD.ORG
> Subject: ports security advisories..
>
> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.
>
> --
> Dave McKay
> Network Engineer - Google Inc.
> dave@mu.org - dave@google.com
> I'm feeling lucky...

From owner-freebsd-security Mon Mar 20 14:22:30 2000
From: Kris Kennaway
To: Dave McKay
Cc: freebsd-security@freebsd.org
Date: Mon, 20 Mar 2000 14:22:11 -0800 (PST)
Subject: Re: ports security advisories..

On Mon, 20 Mar 2000, Dave McKay wrote:
> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.

It's true they're not part of FreeBSD, but they're things which FreeBSD people are quite likely to install. Is a root hole in (e.g.) sendmail any worse than a root hole in a port you have installed? Both will hurt you equally much. Suppose we only publicize the "popular" security advisories - how do we quantify which ports are popular, and what about all the people who have installed an "unpopular" port? IMO, requiring people to wade through bugtraq to read the advisories is too much to ask.

Personally, I think receiving a security advisory (on average) every few weeks is not much of a burden at all on most people's mailboxes (especially since you can just scan through the headers and say "hmm, mtr..nope, haven't installed it.."), but if there was enough of a demand we could separate out the ports advisories from the base system advisories onto another list.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Mar 20 15:15:35 2000
From: Peter Wemm
To: Dave McKay
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Date: Mon, 20 Mar 2000 23:15:28 -0800
Subject: Re: ports security advisories..

Dave McKay wrote:
> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.

Sadly yes, it seems it is. If we get in first, we get to remind people that it's not a standard part of FreeBSD etc. Otherwise people post on bugtraq "security hole in FreeBSD, no public response after a week" style things which do not look good at all. Doing it this way is a bit irritating but is the least evil of the alternatives.

Cheers,
-Peter

From owner-freebsd-security Mon Mar 20 15:24:36 2000
From: Alfred Perlstein
To: Dave McKay
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Date: Mon, 20 Mar 2000 15:47:28 -0800
Subject: Re: ports security advisories..

* Dave McKay [000320 14:18] wrote:
> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.

I don't agree. I monitor FreeBSD boxes almost exclusively and find that the recent additional advisories take less time to go through, and since they are FreeBSD specific they help the average FreeBSD-joe upgrade with FreeBSD specific instructions.

Also, considering the recent bugtraq postings about problems with FreeBSD ports when it was a 3rd party application... I think that it's a wise PR move.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

From owner-freebsd-security Mon Mar 20 17:10:26 2000
From: James FitzGibbon
To: Rodrigo Campos
Cc: Sheldon Hearn, freebsd-security@freebsd.org
Date: Fri, 17 Mar 2000 09:52:18 -0500
Subject: Re: wrapping sshd

* Rodrigo Campos (camposr@MATRIX.COM.BR) [000315 16:58]:
> > The answer has nothing to do with security, although you couldn't have
> > known that without reading the sshd(8) manual page. :-)
> >
> > Look for the first occurrence of the word inetd in the sshd(8) manual
> > page.
> > But my question has nothing to do with inetd, by "wrapping sshd" I mean > compiling it with support to libwrap, wich would make it read the > /etc/hosts.allow file in order to grant or deny access based on the > client hostname or ip address, even when it's running as a daemon. I agree with you on this one; the comment should be in /etc/inetd.conf and changed to reference the downside of having sshd running from inetd. The ports Makefile for the original datafellows sshd has the commment: # # Maximal ssh package requires YES values for # USE_PERL, USE_TCPWRAP # and I have always compiled my copy of sshd linked with libwrap for this reason. -- j. James FitzGibbon james@targetnet.com Targetnet.com Inc. Voice/Fax +1 416 306-0466/0452 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 20 17:34:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 9E3B537B846 for ; Mon, 20 Mar 2000 17:34:05 -0800 (PST) (envelope-from mike@sentex.net) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id UAA47738 for ; Mon, 20 Mar 2000 20:34:03 -0500 (EST) (envelope-from mike@sentex.net) Received: from chimp (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id UAA06005 for ; Mon, 20 Mar 2000 20:34:02 -0500 (EST) Message-Id: <4.2.2.20000320202203.03826c60@mail.sentex.net> X-Sender: mdtancsa@mail.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 20 Mar 2000 20:33:48 -0500 To: freebsd-security@FreeBSD.ORG From: Mike Tancsa Subject: Re: ports security advisories.. 
In-Reply-To: <20000321071528.B5AB41CC9@overcee.netplex.com.au> References: <20000320154614.A63670@elvis.mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:15 PM 3/20/2000 -0800, Peter Wemm wrote: >Dave McKay wrote: > > > Is it really necessary to post the ports security advisories? > > The exploitable programs are not part of the FreeBSD OS, they > > are third party software. I think the proper place for these > > is the Bugtraq mailing list on securityfocus.com. Also to add > > to the arguments, most of the advisories are not FreeBSD > > specific. > >Sadly yes, it seems it is. If we get in first, we get to remind people >that it's not a standard part of FreeBSD etc. Otherwise people post on >bugtraq "security hole in FreeBSD, no public response after a week" style >things which do not look good at all. Doing it this way is a bit >irritiating but is the least evil of the alternatives. I think its a great and valuable service. There are times when even bugtraq can be a bit late. Furthermore, new users often do not know that the ports are something separate from FreeBSD. As PW said, it gives an opportunity to be proactive and give the SA a proper context. Also, a little repetition here I think is a good thing. There are way too many machines out on the net that are insecure and open to abuse. Getting a potentially important security advisory twice (or even 3 times) is not going to kill anyone and might cajole a few more people to deal with the issue. Besides, the Ports SAs so far have been concise, to the point and always potentially relevant. Although the bugtraq guy does a pretty good job of moderating the list, there can be too much "I just got scanned, what does it mean???". I think the Ports Security Officer should be congratulated for taking on such a large and valuable job! Way to go PSO! 
---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 20 18:11:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 2C0D137C123; Mon, 20 Mar 2000 18:11:34 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id TAA20760; Mon, 20 Mar 2000 19:11:32 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id TAA19792; Mon, 20 Mar 2000 19:11:21 -0700 (MST) Message-Id: <200003210211.TAA19792@harmony.village.org> To: Dave McKay Subject: Re: ports security advisories.. Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG In-reply-to: Your message of "Mon, 20 Mar 2000 15:46:14 CST." <20000320154614.A63670@elvis.mu.org> References: <20000320154614.A63670@elvis.mu.org> Date: Mon, 20 Mar 2000 19:11:21 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- In message <20000320154614.A63670@elvis.mu.org> Dave McKay writes: : Is it really necessary to post the ports security advisories? Yes. : The exploitable programs are not part of the FreeBSD OS, they : are third party software. I think the proper place for these : is the Bugtraq mailing list on securityfocus.com. Also to add : to the arguments, most of the advisories are not FreeBSD : specific. But they are part of FreeBSD in the public mind. In order to show FreeBSD's commitment to Security, we must inform the public about all parts of the system that we offer under our name. The FreeBSD ports collection is very much part of FreeBSD, and is very FreeBSD specific[*]. 
Since we have packaged the sources for people, they have the reasonable expectation that this packaging was done in a safe and secure way. It is passing the buck to say "well, it really wasn't our fault that popper had a bug in it, so we didn't think we needed to tell anybody." It is code we've made available. It is no different than holes in the base OS that we inherited from the 4.4-lite distribution. We could say "well, all BSD derived OSes have this problem, so we'll not tell anybody that we fixed it." They are the same thing, especially in the mind of the users of the system. We want to elevate the security of the entire system to a higher level, and to do that we have to disiminate security information about the system more fully that we've done in the past. I'm sorry that you feel that this step to improve the security of FreeBSD is inappropriate and annoys you. So far I've had only one or two negative comment from the increased level of posting about these problems. Kris has done an excellent job of running down these issues and keeping on top of them. I think he's done the greater community an excellent service by reading bugtraq and other sources of security information and identifying those problems which will negatively impact FreeBSD users and issuing advisories. Keeping up with bugtraq can take a lot of time and effort and Kris' advisories makes this easy. 
Warner Losh
FreeBSD Security Officer

From: Frank Tobin
To: FreeBSD-security Mailing List
Date: Mon, 20 Mar 2000 21:22:55 -0600 (CST)
Subject: Re: ports security advisories..
In-Reply-To: <20000320154614.A63670@elvis.mu.org>

Dave McKay, at 15:46 -0600 on Mon, 20 Mar 2000, wrote:

> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.

These advisories can often be considered FreeBSD specific because they can rely on how the port is maintained.
For example, they might depend on whether we install the program setuid root or games, or on whether we accidentally apply a patch that could open or close the hole.

-- 
Frank Tobin
http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued, those truths which cannot be shaken or changed."
Myst: The Book of Atrus

From: Garance A Drosihn
To: "Jordan K. Hubbard"
Cc: Sheldon Hearn, kjm@rins.ryukoku.ac.jp (KOJIMA Hajime), freebsd-security@FreeBSD.ORG
Date: Tue, 21 Mar 2000 01:59:38 -0500
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx
In-Reply-To: <4195.953229554@zippy.cdrom.com>
References: <4195.953229554@zippy.cdrom.com>

At 9:59 AM -0800 3/16/00, Jordan K. Hubbard wrote:
> > assorted people wrote:
> > > > But, /stand/sysinstall still use lynx as default text
> > > > browser. If you want to read HTML documents in sysinstall,
> > > > /stand/sysinstall will go to install lynx package
> > > > automatically (and it will fail in 4.0-RELEASE).
> > >
> > > I don't think this is a problem, since any host from which it is
> > > likely to read documentation is quite unlikely to be malicious.
> >
> > I would think it's a problem if sysinstall expects to use lynx,
> > it thus goes to install lynx, and that installation *FAILS*. If
> > I'm reading that right, you're then left with sysinstall trying
> > to use a package that does not exist.
>
> The installation does not fail if lynx is missing.

Well, I just did a 4.0 install and this was not a problem, but then I didn't try to read any html pages during the sysinstall...

I didn't mean the install of 4.0-release would fail, but if sysinstall defaults to lynx, and lynx can not be installed, then, uh, it seems to me that should cause a problem somewhere. I lost track of who said what above, but someone said that sysinstall will try to install lynx if the user tries to read html documents. It was *that* installation, of lynx, that I was referring to as failing.

Note that I'm not saying lynx should be brought back, I'm just thinking that the default browser for sysinstall should probably be a package which WILL be available if someone goes to use it. (or is it that lynx IS available on the install CD?)
---
Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute

From: Garance A Drosihn
To: freebsd-security@FreeBSD.ORG
Cc: Dave McKay, Warner Losh
Date: Tue, 21 Mar 2000 02:36:32 -0500
Subject: Re: ports security advisories..
In-Reply-To: <4.2.2.20000320202203.03826c60@mail.sentex.net>
References: <20000320154614.A63670@elvis.mu.org> <4.2.2.20000320202203.03826c60@mail.sentex.net>

At 8:33 PM -0500 3/20/00, Mike Tancsa wrote:
>> Dave McKay wrote:
>>
>> > Is it really necessary to post the ports security advisories?
>> > The exploitable programs are not part of the FreeBSD OS, they
>> > are third party software.
>> >
> I think it's a great and valuable service. There are times when even
> bugtraq can be a bit late. [...] Besides, the Ports SAs so far have
> been concise, to the point and always potentially relevant. I think
> the Ports Security Officer should be congratulated for taking on
> such a large and valuable job! Way to go PSO!

I also think this is a very valuable service.
If someone is running FreeBSD, then it is easier for them to monitor one list of security issues which might affect them, instead of having to join some other list (bugtraq) which will then track bugs of all kinds of things that are NOT relevant to them. Also, by being proactive with an "official freebsd announcement", we will probably see LESS traffic on this list, where everyone reads some bugtraq posting and then rushes over here to repeat it "just in case you're not aware", or to ask freebsd-specific followup questions on the report (such as "the bugtraq report didn't mention freebsd, so does that mean they KNOW it isn't a problem on freebsd, or do they not know so someone here should be looking into it?").

Besides, bugtraq can only say things like "gee, lynx has some bugs, you probably shouldn't run it". The freebsd security report can say "this is so riddled with serious bugs, we are removing it from the ports collection. Sorry for the inconvenience, but we really think this is too serious for anyone to be running it.".

Given the thousands of ports for freebsd, I can see the danger of getting buried with port-related security bulletins that will not apply to you (of course, the exact same thing will happen if you DO join bugtraq...). Perhaps we can do something about that? Perhaps the subject should at least say "Port" in it?
Maybe subjects of:

    FreeBSD Security Advisory: Port-SA-00:04.delegate
    FreeBSD Security Advisory: Port-SA-00:07.mh
    FreeBSD Security Advisory: Port-SA-00:08.lynx

or:

    FreeBSD Port Advisory: FreeBSD-SA-00:04.delegate
    FreeBSD Port Advisory: FreeBSD-SA-00:07.mh
    FreeBSD Port Advisory: FreeBSD-SA-00:08.lynx

instead of the current:

    FreeBSD Security Advisory: FreeBSD-SA-00:04.delegate
    FreeBSD Security Advisory: FreeBSD-SA-00:07.mh
    FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx

I'm also thinking how we would want to draw the line between things which are part of the "standard system" (even if they are technically a port), and things where the administrator had to explicitly install some port for the security issue to be on their system. (I'm waving my hands vaguely here, as I'm not quite sure what I mean by that...)

And at some future time, someone might get ambitious enough to write a filter on the receiving side of the advisories. I might end up getting lots of such bulletins sent to me, but have most of those filtered so only the packages *I* have installed are shown to me at a much higher priority than ones I haven't.

---
Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute

From: Dave McKay
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 21 Mar 2000 02:40:22 -0600
Subject: Re: ports security advisories..
Message-ID: <20000321024022.A76613@elvis.mu.org>
References: <20000320154614.A63670@elvis.mu.org>
In-Reply-To: ; from kris@FreeBSD.ORG on Mon, Mar 20, 2000 at 02:22:11PM -0800

Welp.. I'm convinced.

Kris Kennaway (kris@FreeBSD.ORG) wrote:
> On Mon, 20 Mar 2000, Dave McKay wrote:
>
> > Is it really necessary to post the ports security advisories?
> > The exploitable programs are not part of the FreeBSD OS, they
> > are third party software. I think the proper place for these
> > is the Bugtraq mailing list on securityfocus.com. Also to add
> > to the arguments, most of the advisories are not FreeBSD
> > specific.
>
> It's true they're not part of FreeBSD, but they're things which FreeBSD
> people are quite likely to install. Is a root hole in (e.g.) sendmail any
> worse than a root hole in a port you have installed? Both will hurt you
> equally much. Suppose we only publicize the "popular" security advisories
> - how do we quantify which ports are popular, and what about all the
> people who have installed an "unpopular" port?
>
> IMO, requiring people to wade through bugtraq to read the advisories is
> too much to ask. Personally, I think receiving a security advisory (on
> average) every few weeks is not much of a burden at all on most people's
> mailboxes (especially since you can just scan through the headers and say
> "hmm, mtr..nope, haven't installed it.." ), but if there was
> enough of a demand we could separate out the ports advisories from the
> base system advisories onto another list.
>
> Kris
>
> ----
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe

-- 
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com
I'm feeling lucky...

From: Dom.Mitchell@palmerharvey.co.uk (Dominic Mitchell)
To: Dave McKay
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Date: Tue, 21 Mar 2000 11:07:58 +0000
Subject: Re: ports security advisories..
Message-ID: <20000321110758.B913@voodoo.pandhm.co.uk>
References: <20000320154614.A63670@elvis.mu.org>
In-Reply-To: <20000320154614.A63670@elvis.mu.org>; from dave@mu.org on Mon, Mar 20, 2000 at 09:46:14PM -0000
X-Warning: Go away or I will replace you with a very small shell script.
X-OS: FreeBSD 3.4-STABLE i386

On Mon, Mar 20, 2000 at 09:46:14PM -0000, Dave McKay wrote:
> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.

Just to add a point here, some of the problems noted in these advisories *have* been FreeBSD specific, due to the way that a port has modified the default install, or suchlike. So it's definitely up to us to point this out.

-- 
Dom Mitchell -- Palmer & Harvey McLane -- Unix Systems Administrator
``Putting the doh!
into dot-com.''

From: Mark Blackman
To: Andrew Johns
Cc: freebsd-security@freebsd.org
Date: Tue, 21 Mar 2000 15:04:23 +0000
Subject: Re: InterScan Virus Wall for Linux
Message-ID: <20000321150423.A97205@sophos.com>
References: <38CE684F.39657A28@tarjema.com> <00eb01bf8f97$24e84a20$625aa8c0@hazellbros.com.au>
In-Reply-To: <00eb01bf8f97$24e84a20$625aa8c0@hazellbros.com.au>; from johnsa@kpi.com.au on Fri, Mar 17, 2000 at 09:29:11AM +1100

Or even the FreeBSD native version of Sophos 'sweep', available since January 1999. Free evaluation versions (must register for password)

http://www.sophos.com/downloads/full/index.cgi/next?GroupsID=5

- Mark.

On Fri, Mar 17, 2000 at 09:29:11AM +1100, Andrew Johns wrote:
> No, but you could try uvscan (Un*x VScan) from McAfee - they
> *even* have a native FreeBSD version - check out their
> website.
>
> We even have government departments
> using it here
>
> Regards
> --
> Andrew Johns BSc.
> KPI Logistics P/L
>
> ----- Original Message -----
> From: "Timothy A. Gregory"
> To:
> Sent: Wednesday, March 15, 2000 3:26 AM
> Subject: InterScan Virus Wall for Linux
>
> > Has anyone had any luck getting InterScan VirusWall for Linux running on
> > FreeBSD?
> >
> > I've gotten the package installed, the RedHat 6.1 packages but when I
> > try to run the 'scanning' daemons (their sendmail, ishttpd, isftpd etc)
> > I get seg faults...
> >
> > Thanks for any help!
> > --
> > ----------------------------------------------------------------
> > Timothy A. Gregory    Systems Administrator
> > Semaphore Corporation    http://www.semaphore.com
> > 206.905.5000    tgregory@semaphore.com

-- 
Mark Blackman
Internet Sys. Admin.
Sophos PLC
Message-ID: <9E85DC6CA1D5D311BB460006293960FE0BACC0@dcrfs.decros.cz>
From: Rehor Petr
To: "'freebsd-security@FreeBSD.ORG'"
Date: Wed, 22 Mar 2000 08:54:23 +0100
Subject: RE: InterScan Virus Wall for Linux

Or even the FreeBSD native version of Antiviral Toolkit Pro available from http://www.avp.ru (Avp or AvpDaemon, $35 per year in Czech for one host and unlimited users :-). I tested it on FreeBSD 3.3 and 3.4. AvpDaemon is great, because it loads the antiviral database only once. I use it to check for viruses in sendmail - see http://www.decros.cz/~reho/check_virus

Petr

---------------------------------------------------------------------
DECROS s.r.o.
J.S.Baara 40, Ceske Budejovice, Czech Republic
Tel: +420-38-7312808 Fax: +420-38-7311480
http://www.decros.cz

> -----Original Message-----
> From: Mark Blackman [SMTP:tmb@sophos.com]
> Sent: Tuesday, March 21, 2000 4:04 PM
> To: Andrew Johns
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: InterScan Virus Wall for Linux
>
> Or even the FreeBSD native version of Sophos 'sweep', available
> since January 1999. Free evaluation versions (must register for
> password)
>
> http://www.sophos.com/downloads/full/index.cgi/next?GroupsID=5
>
> - Mark.
>
> On Fri, Mar 17, 2000 at 09:29:11AM +1100, Andrew Johns wrote:
> > No, but you could try uvscan (Un*x VScan) from McAfee - they
> > *even* have a native FreeBSD version - check out their
> > website.
> >
> > We even have government departments
> > using it here
> >
> > Regards
> > --
> > Andrew Johns BSc.
> > KPI Logistics P/L
> >
> > ----- Original Message -----
> > From: "Timothy A. Gregory"
> > To:
> > Sent: Wednesday, March 15, 2000 3:26 AM
> > Subject: InterScan Virus Wall for Linux
> >
> > > Has anyone had any luck getting InterScan VirusWall for Linux running on
> > > FreeBSD?
> > >
> > > I've gotten the package installed, the RedHat 6.1 packages but when I
> > > try to run the 'scanning' daemons (their sendmail, ishttpd, isftpd etc)
> > > I get seg faults...
> > >
> > > Thanks for any help!
> > > --
> > > ----------------------------------------------------------------
> > > Timothy A. Gregory    Systems Administrator
> > > Semaphore Corporation    http://www.semaphore.com
> > > 206.905.5000    tgregory@semaphore.com
>
> --
> Mark Blackman
> Internet Sys. Admin.
> Sophos PLC
In-Reply-To: <9E85DC6CA1D5D311BB460006293960FE0BACC0@dcrfs.decros.cz>
Date: Wed, 22 Mar 2000 10:56:07 +0100 (MET)
Reply-To: mm@i.cz
From: Martin Machacek
To: freebsd-security@FreeBSD.ORG
Subject: RE: InterScan Virus Wall for Linux

On 22-Mar-00 Rehor Petr wrote:
> Or even the FreeBSD native version of Antiviral Toolkit Pro available
> from http://www.avp.ru (Avp or AvpDaemon, $35 per year in Czech for
> one host and unlimited users :-). I tested it on FreeBSD 3.3 and 3.4.
> AvpDaemon is great, because it loads the antiviral database only once.
> I use it to check for viruses in sendmail - see
> http://www.decros.cz/~reho/check_virus

Well, I'm here not to defend (or promote) Interscan Virus Wall, but none of the alternative solutions mentioned in this thread is functionally equivalent to it. Sophos, McAfee and AVP products are (AFAIK) all file oriented virus scanners. Interscan Virus Wall is specifically designed to scan for viruses in HTTP, FTP and SMTP communication in "realtime". It acts as HTTP and FTP proxy and as SMTP relay. For sure you can build this functionality with a file oriented scanner, but it is not trivial (especially in the case of HTTP, and Trendmicro did quite a good job here). I would definitely like to hear from somebody who has built a virus scanning HTTP and/or FTP proxy on top of AVP, Sophos or McAfee products or managed to run Interscan Virus Wall on FreeBSD. Anybody?
Martin
---
[PGP KeyID F3F409C4]

From: Matthew Reimer
Organization: VPOP Technologies, Inc.
To: "f.johan.beisser"
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 22 Mar 2000 15:57:18 -0800
Subject: Re: pipsecd and KAME
Message-ID: <38D95DDE.297DD6F6@vpop.net>

Pipsecd does interoperate with KAME ipsec. I wrote a script to help generate the configuration files, though it doesn't generate the 'startup' file for pipsecd. Just edit conf.pl and run gen_ipsec_rules.pl.

Matt

"f.johan.beisser" wrote:
>
> thanks!
>
> this is just what i'm looking for..
>
> pipsecd supports the following encryption algorithms:
> blowfish_cbc, cast_cbc, des_cbc, des3_cbc, null
>
> KAME has these:
> des-cbc, 3des-cbc, simple, blowfish-cbc, cast128-cbc
> rc5-cbc, des-deriv, 3des-deriv
>
> each of these has certain key requirements, usually between 40 and 2048
> bits for the keys.
>
> from KAME (4.0-current), the setkey man pages gives the basic manual setup
> of the ipsec keysets.
>
> other resources:
>
> http://www.kame.net/newsletter/19980626/
>
> which seems to be the version of IPsec that 4.0 is using (vs the most
> recent version of KAME).
>
> -- jan
>
> ERRATA: when i have this working, i'll post it to the list.. thanks for
> your help so far.
>
> On Fri, 4 Feb 2000, Matthew Reimer wrote:
>
> > "f.johan.beisser" wrote:
> > >
> > > has anyone successfully run pipsecd and kame for IPsec tunneling?
> > >
> > > i'm kind of curious about this, i've got a freebsd 4.0 machine, and a
> > > simple little -stable box that i'd like to test this with..
> > >
> > > any advice/help would be appreciated..
> >
> > I'm trying to get this to work too. I haven't yet, but this indicates
> > that it's possible:
> >
> > http://www.hsc.fr/ressources/presentations/ipsec99/ipsec99020.html
> >
> > Matt
>
> +-----/ f. johan beisser /------------------------------+
> email: jan[at]caustic.org web: http://www.caustic.org/~jan
> "knowledge is power. power corrupts. study hard, be evil."

Content-Type: application/x-perl; name="gen_ipsec_rules.pl"
Content-Disposition: inline; filename="gen_ipsec_rules.pl"

#!/usr/bin/perl
#
# Generates ipsec rules for setkey(8) or pipsecd.
#
# XXX More security could be added by using a different enc/auth key
# for each host-host connection, rather than for each host.

require 'conf.pl';
if (-e 'conf_save.pl') { require 'conf_save.pl' }

# Make a hash of the SPIs currently in use.
%spis_inuse = map { $_, undef } values %spi;

# Start looking for new SPIs from this value.
$spi = 1000;

foreach $local (@names) {
    print "Generating $local.cf...\n";
    open(CF, ">$local.cf") or die $!;
    print CF "#\n";
    print CF "# Generated ", scalar localtime, ".\n";
    print CF "#\n\n";
    print CF "flush;\n";
    print CF "spdflush;\n";

    # One encryption key and one authentication key per host, created
    # on first use and persisted in conf_save.pl below.
    if (not defined $enc_key{$local}) {
        $enc_key{$local} = gen_random_bytes(24);    # 3DES needs 24 bytes
    }
    if (not defined $auth_key{$local}) {
        $auth_key{$local} = gen_random_bytes(16);   # MD5 needs 16 bytes
    }

    $n = 0;
    foreach $remote (@names) {
        next if ($local eq $remote);
        print "  $local <--> $remote...\n";

        if (not defined $enc_key{$remote}) {
            $enc_key{$remote} = gen_random_bytes(24);   # 3DES needs 24 bytes
        }
        if (not defined $auth_key{$remote}) {
            $auth_key{$remote} = gen_random_bytes(16);  # MD5 needs 16 bytes
        }

        # One SPI per direction of each host pair; reuse saved ones so
        # regenerating the files does not break the peer's configuration.
        if (not defined $spi{"$local-$remote"}) {
            $spi{"$local-$remote"} = new_SPI();
        }
        if (not defined $spi{"$remote-$local"}) {
            $spi{"$remote-$local"} = new_SPI();
        }
        $SPI_in  = $spi{"$remote-$local"};
        $SPI_out = $spi{"$local-$remote"};

        if ($type{$local} eq 'kame-ipsec') {
            print CF <<"END";
# $local <--> $remote
# Tunnel $network{$local} <--> $network{$remote} via secure gateways
# $gateway{$local} <--> $gateway{$remote}.
add $gateway{$local} $gateway{$remote} esp $SPI_out -m tunnel -E 3des-cbc $enc_key{$local} -A hmac-md5 $auth_key{$local} ;
add $gateway{$remote} $gateway{$local} esp $SPI_in -m tunnel -E 3des-cbc $enc_key{$remote} -A hmac-md5 $auth_key{$remote} ;
spdadd $gateway{$local} $gateway{$remote} any -P out ipsec esp/tunnel/$gateway{$local}-$gateway{$remote}/require ;
spdadd $gateway{$remote} $gateway{$local} any -P in ipsec esp/tunnel/$gateway{$remote}-$gateway{$local}/require ;
spdadd $network{$local} $network{$remote} any -P out ipsec esp/tunnel/$gateway{$local}-$gateway{$remote}/require ;
spdadd $network{$remote} $network{$local} any -P in ipsec esp/tunnel/$gateway{$remote}-$gateway{$local}/require ;

END
        } elsif ($type{$local} eq 'pipsecd') {
            print CF <<"END";
# $local <--> $remote using des3_cbc and md5
# Tunnel $network{$local} <--> $network{$remote} via secure gateways
# $gateway{$local} <--> $gateway{$remote}.
sa ipesp spi=$SPI_out enc=des3_cbc ekey=$enc_key{$local} auth=hmac-md5-96 akey=$auth_key{$local} dest=$gateway{$remote}
sa ipesp spi=$SPI_in enc=des3_cbc ekey=$enc_key{$remote} auth=hmac-md5-96 akey=$auth_key{$remote}
if /dev/tun$n local_spi=$SPI_in remote_spi=$SPI_out

END
            $n++;
        }
    }
    close(CF);
}

#
# Now save the SPIs, and encryption and authentication keys.
#
open(SAVE, ">conf_save.pl") or die $!;
print SAVE "# This file is automatically generated!  Your edits will be lost.\n";
print SAVE "\n";
print SAVE "%spi = (\n";
foreach (keys %spi) { print SAVE "\t\"$_\" => $spi{$_},\n" }
print SAVE "\t);\n\n";
print SAVE "%enc_key = (\n";
foreach (@names) { print SAVE "\t$_ => \"$enc_key{$_}\",\n" }
print SAVE "\t);\n\n";
print SAVE "%auth_key = (\n";
foreach (@names) { print SAVE "\t$_ => \"$auth_key{$_}\",\n" }
print SAVE "\t);\n\n";
print SAVE "1;\n";
close(SAVE);

exit;

# --------------------------------------------------------------------------
# Creates a random key and returns it as a hex string.
# (The archive lost everything after the open() call up to the middle of
# conf.pl; the rest of this sub and all of new_SPI are reconstructed from
# the surrounding code and comments.)
sub gen_random_bytes {
    my $n_bytes = shift;
    my $key;

    open(RND, "</dev/urandom") or die $!;
    read(RND, $key, $n_bytes) == $n_bytes or die "short read from /dev/urandom";
    close(RND);
    # "0x" prefix is the form setkey(8) accepts for -E/-A keys.
    return "0x" . unpack("H*", $key);
}

# Returns the next SPI not already in use, starting from $spi, and
# records it so the same value is never handed out twice in one run.
sub new_SPI {
    $spi++ while exists $spis_inuse{$spi};
    $spis_inuse{$spi} = undef;
    return $spi++;
}

# conf.pl
# (The attachment header and the first lines of this file were lost in
# the archive; @names and the opening of %type are reconstructed from
# the fragment that survived.)
@names = ('jan', 'matt');
%type = (jan => 'kame-ipsec', matt => 'pipsecd');
%network = (jan => '1.2.3.0/28', matt => '4.5.6.8/29');
%gateway = (jan => '1.2.3.1', matt => '4.5.6.9');
1;

From: Kris Kennaway
To: Olaf Hoyer
Cc: security@FreeBSD.ORG
Date: Thu, 23 Mar 2000 17:41:05 -0800 (PST)
Subject: Re: New article
In-Reply-To: <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de>

On Fri, 24 Mar 2000, Olaf Hoyer wrote:

> Question: Is a loadable kernel module not a potential security risk?

Only if your machine is insecurely configured.

> Imagine some attacker exchanging some kernel module against own code, and
> causing that module to be loaded (say, some driver for access to certain
> filesystems, or zip drive etc...), or waiting for the module to be loaded
> (say, for regular, scheduled activities like backups or batch jobs or so)

This is why one of the first steps in securing that box should be to give the modules the noschg flag. Hmm, probably this should be done by default, like we noschg the kernel at install-time.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Thu Mar 23 21:58:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rock.ghis.net (rock.ghis.net [209.222.164.7]) by hub.freebsd.org (Postfix) with ESMTP id E162437BB8B; Thu, 23 Mar 2000 21:58:48 -0800 (PST) (envelope-from will@blackdawn.com)
Received: from shadow.blackdawn.com (postfix@[209.69.196.61]) by rock.ghis.net (8.9.3/8.9.3) with ESMTP id VAA51237; Thu, 23 Mar 2000 21:58:24 -0800 (PST)
Received: by shadow.blackdawn.com (Postfix, from userid 1000) id 1EBC51ACC; Fri, 24 Mar 2000 00:58:22 -0500 (EST)
Date: Fri, 24 Mar 2000 00:58:22 -0500
From: Will Andrews
To: Kris Kennaway
Cc: Olaf Hoyer, security@FreeBSD.ORG
Subject: Re: New article
Message-ID: <20000324005822.D91717@shadow.blackdawn.com>
References: <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from kris@FreeBSD.ORG on Thu, Mar 23, 2000 at 05:41:05PM -0800
X-Operating-System: FreeBSD 3.4-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Mar 23, 2000 at 05:41:05PM -0800, Kris Kennaway wrote:
> This is why one of the first steps in securing that box should be to give
> the modules the noschg flag. Hmm, probably this should be done by
> default, like we noschg the kernel at install-time.

ITYM "schg". I know the kernel is installed "schg", dunno about modules.
I don't use those things anyway. :-)

-- 
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+
G++>+++ e->++++ h! r-->+++ y?
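Will's correction (schg, not noschg) is the flag that actually binds root once the securelevel is raised, and the replies from Brian Somers, Harold Gutch and Warner Losh later in this thread widen the set of files that need it to everything in root's path, /usr/lib and the modules directory. As an added example, and not code from any poster, the sh script below audits a constructed `ls -lo` listing and reports every entry whose flags column lacks schg. The field layout of `ls -lo` (flags between group and size), the sample paths, sizes and dates are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: find entries in an `ls -lo` listing
# that lack the schg (system immutable) flag. The field layout of `ls -lo`
# on FreeBSD is assumed to be:
#   mode links owner group flags size month day time name
# Paths, sizes and dates below are constructed for this example.

SAMPLE_LISTING='total 5
-r-xr-xr-x  1 root  wheel  schg         77740 Mar 20 10:15 /sbin/init
-r-xr-xr-x  1 root  wheel  -            32324 Mar 20 10:15 /sbin/ccdconfig
-r-xr-xr-x  1 root  wheel  schg,sunlnk 156232 Mar 20 10:15 /sbin/mount
-r-xr-xr-x  1 root  wheel  uchg          9876 Mar 20 10:15 /sbin/rpc.umntall
-r--r--r--  1 root  wheel  -           214532 Mar 20 10:15 /modules/linux.ko'

# Read `ls -lo` lines on stdin; print the name of every entry whose flags
# field (field 5) does not contain schg. "total N" summary lines, directory
# headers ("/sbin:") and blank lines have too few fields and are skipped.
# uchg is not enough: the owner can clear it regardless of securelevel.
find_unprotected() {
    awk '
        $1 == "total" || NF < 10 { next }
        $5 !~ /(^|,)schg(,|$)/  { print $NF }
    '
}

# Number of unprotected entries in the constructed sample.
count_unprotected() {
    printf '%s\n' "$SAMPLE_LISTING" | find_unprotected | wc -l | tr -d ' '
}

# Stand-alone run: list the sample's unprotected files and the count.
printf '%s\n' "$SAMPLE_LISTING" | find_unprotected
echo "unprotected: $(count_unprotected)"
```

On a live FreeBSD host the same filter runs over real output, for instance `find /bin /sbin /usr/bin /usr/sbin /usr/lib /modules -type f | xargs ls -lo | find_unprotected` (the modules directory is /modules on 3.x and /lkm on older releases; treat the list of directories as a starting point, not a complete one). The flag only restrains root once `sysctl kern.securelevel` reports 1 or higher, which is the point Harold and Warner make: files touched before the securelevel is raised get no protection from it.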
From owner-freebsd-security Thu Mar 23 23:18:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 45D0137B68D; Thu, 23 Mar 2000 23:18:41 -0800 (PST) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id XAA08609; Thu, 23 Mar 2000 23:18:41 -0800 (PST) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 23 Mar 2000 23:18:40 -0800 (PST)
From: Kris Kennaway
To: Will Andrews
Cc: Olaf Hoyer, security@FreeBSD.ORG
Subject: Re: New article
In-Reply-To: <20000324005822.D91717@shadow.blackdawn.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 24 Mar 2000, Will Andrews wrote:

> ITYM "schg". I know the kernel is installed "schg", dunno about modules.
> I don't use those things anyway. :-)

Oops, you are of course correct :)

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

From owner-freebsd-security Fri Mar 24 4:36:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.freebsd.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id 1B23337B5D2; Fri, 24 Mar 2000 04:36:22 -0800 (PST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (hak.nat.Awfulhak.org [172.31.0.12]) by storm.FreeBSD.org.uk (8.9.3/8.9.3) with ESMTP id MAA38934; Fri, 24 Mar 2000 12:36:17 GMT (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id MAA02043; Fri, 24 Mar 2000 12:36:12 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200003241236.MAA02043@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Kris Kennaway
Cc: Olaf Hoyer, security@freebsd.org, brian@hak.lan.Awfulhak.org
Subject: Re: New article
In-Reply-To: Message from Kris Kennaway of "Thu, 23 Mar 2000 17:41:05 PST."
Date: Fri, 24 Mar 2000 12:36:12 +0000
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Fri, 24 Mar 2000, Olaf Hoyer wrote:
> 
> > Question: Is a loadable kernel module not a potential security risk?
> 
> Only if your machine is insecurely configured.
> 
> > Imagine some attacker exchanging some kernel module against own code, and
> > causing that module to be loaded (say, some driver for access to certain
> > filesystems, or zip drive etc...), or waiting for the module to be loaded
> > (say, for regular, scheduled activities like backups or batch jobs or so)
> 
> This is why one of the first steps in securing that box should be to give
> the modules the noschg flag. Hmm, probably this should be done by
> default, like we noschg the kernel at install-time.

The same should be done to the directory itself.
Ditto for /bin, /usr/bin, /sbin, /usr/sbin etc - in fact, anything that's in root's path.

And what about /etc/{*passwd,*pwd.db} ? Methinks this is a large can of worms !

> Kris
> 
> ----
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe

-- 
Brian

Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Fri Mar 24 6: 3:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rz.fh-wilhelmshaven.de (mail.rz.fh-wilhelmshaven.de [139.13.25.134]) by hub.freebsd.org (Postfix) with ESMTP id 67BDF37B5BA for ; Fri, 24 Mar 2000 06:03:42 -0800 (PST) (envelope-from ohoyer@fbwi.fh-wilhelmshaven.de)
Received: from fettesau.stuwo.fh-wilhelmshaven.de (stuwopc5.stuwo.fh-wilhelmshaven.de [139.13.209.5]) by mail.rz.fh-wilhelmshaven.de (8.9.3/8.9.3) with SMTP id PAA25027 for ; Fri, 24 Mar 2000 15:03:08 +0100 (MET)
Message-Id: <4.1.20000324144943.00a05470@mail.rz.fh-wilhelmshaven.de>
X-Sender: ohoyer@mail.rz.fh-wilhelmshaven.de
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Fri, 24 Mar 2000 15:02:35 +0100
To: security@FreeBSD.ORG
From: Olaf Hoyer
Subject: Re: New article
In-Reply-To: <38DB2B63.82552C96@newsguy.com>
References: <200003231326.IAA24776@blackhelicopters.org> <38DA7A60.B7C23121@newsguy.com> <38DA950C.D4DCE9CC@softweyr.com> <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> I mean, if some module (which runs on a deeper, privileged mode) has some
>> malicious code in it, or simply is buggy, and is loaded during runtime, it
>> could cause a box to simply crash.
>
>What's the difference between a buggy module loaded at runtime, and one
>compiled in the kernel?

If you do it yourself-nothing.
If someone else is doing/causing this, there is some annoyance.

>
>As for malicious code... what are you doing loading such a module??? :-)
>
>> Imagine some attacker exchanging some kernel module against own code, and
>> causing that module to be loaded (say, some driver for access to certain
>> filesystems, or zip drive etc...), or waiting for the module to be loaded
>> (say, for regular, scheduled activities like backups or batch jobs or so)
>
>So??? If the hacker compromised root, he can just replace the whole
>kernel if he wants. *IF ROOT WAS COMPROMISED, THE GAME IS OVER ALREADY*.
>Really. No, I mean it. There is no such thing as "making things easier"
>once root was compromised. You lost, and any attempt to "make things
>difficult" is an exercise in self-delusion.

Fully agreed. If an attacker has gained root, then it's game over.

My point was aimed at the possibility that (most probably in misconfigured
systems) an attacker could exchange existing kernel modules against
malicious ones, given the case that writing/changing rights to that
directory are not banned for everyone except root.

I also had in mind that there is no 100% security, and that there always
are bugs, some daemons with some superior access rights, and perhaps some
users except root that at least have some access under certain
circumstances, i.e. backup operators. (Ok, that's more likely for NT, I know)

I also know that most security holes come from human failure or foolishness.
I wanted to point out that there is/could be some very _remote_
possibility that such a mechanism could be used, if someone is creative
enough, and the system insecure enough.

Problem is, that you do not intend in all cases to crash the server. This can
be done with other, easier methods.

Imagine some code that spies out your data, and transmits copies over the net?
Device drivers (say, for SCSI/tape drives etc) are perfect for that.
The driver has to sniff for some code snippets, and transfer that chunk of
data to some remote location...

Yes, I know that this would be a theoretical, constructed example, that
you could neglect in today's scenery. But what about in some years?

Let's move that to -security, if further discussion is desired.

Regards
Olaf Hoyer
--------
Olaf Hoyer www.nightfire.de mailto:Olaf.Hoyer@nightfire.de
FreeBSD- Turning PC's into workstations ICQ:22838075

Love and hate are not blind, but blinded by the fire
that they carry within themselves. (Nietzsche)

From owner-freebsd-security Fri Mar 24 7:41:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 1607A37B52D for ; Fri, 24 Mar 2000 07:41:34 -0800 (PST) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id QAA18170; Fri, 24 Mar 2000 16:41:46 +0100 (CET)
Message-ID: <20000324164146.A18107@foobar.franken.de>
Date: Fri, 24 Mar 2000 16:41:46 +0100
From: Harold Gutch
To: "Daniel C. Sobral", Olaf Hoyer
Cc: security@FreeBSD.ORG
Subject: Re: New article
References: <200003231326.IAA24776@blackhelicopters.org> <38DA7A60.B7C23121@newsguy.com> <38DA950C.D4DCE9CC@softweyr.com> <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de> <38DB2B63.82552C96@newsguy.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <38DB2B63.82552C96@newsguy.com>; from Daniel C. Sobral on Fri, Mar 24, 2000 at 05:46:27PM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 24, 2000 at 05:46:27PM +0900, Daniel C.
Sobral wrote:
> Olaf Hoyer wrote:
> > Imagine some attacker exchanging some kernel module against own code, and
> > causing that module to be loaded (say, some driver for access to certain
> > filesystems, or zip drive etc...), or waiting for the module to be loaded
> > (say, for regular, scheduled activities like backups or batch jobs or so)
> 
> So??? If the hacker compromised root, he can just replace the whole
> kernel if he wants. *IF ROOT WAS COMPROMISED, THE GAME IS OVER ALREADY*.
> Really. No, I mean it. There is no such thing as "making things easier"
> once root was compromised. You lost, and any attempt to "make things
> difficult" is an exercise in self-delusion.

I'd say that depends on how paranoid you were when chflag-ing
various files and directories, like /kernel, /boot, /etc/rc.*,
/lkm etc.. Of course that won't buy you anything unless you're
running in secure level 1 or higher. security(7) is a nice
introduction to this.

I have to agree though that I wouldn't trust a (root-)compromised
machine anymore and would re-install it. Nevertheless I still
somehow doubt that an attacker could inject arbitrary code into
the kernel on an otherwise correctly configured box, which then
also implies "chflags -R /usr/src/sys schg" for example (and I'm
sure I've forgotten a couple of other things here as well).

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
        Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc

From owner-freebsd-security Fri Mar 24 9:36:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from daemon.sofiaonline.com (daemon.sofiaonline.com [212.5.144.1]) by hub.freebsd.org (Postfix) with SMTP id D385137B9DF for ; Fri, 24 Mar 2000 09:35:53 -0800 (PST) (envelope-from zethix@sofiaonline.com)
Received: (qmail 68545 invoked from network); 24 Mar 2000 17:11:27 -0000
Received: from carnivoro.sofiaonline.com (212.5.144.5) by daemon.sofiaonline.com with SMTP; 24 Mar 2000 17:11:27 -0000
Content-Length: 1577
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Fri, 24 Mar 2000 18:35:47 +0200 (EET)
From: Dungeonkeeper
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: shell issue
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi there,

First of all: I want to apologise for my poor English.

Today a few friends of mine and I discussed the shells' (well, shell is
actually one of: sh/bash/csh/tcsh... not tested for ksh) command line expansion
routines, mainly because of a problem discovered by one of my friends. I'm not
sure if this is something new... So, let me explain what he found.
It seems that the shell wants to allocate enough memory to hold the entire
command line when expanding all of the arguments and we can force it to
allocate a huge amount of memory with a tricky command like this:

carnivoro# /bin/csh -c `cat /dev/urandom`

(I use tcsh here (the carnivoro# prompt), but the same thing happens when
testing with sh/bash/tcsh)

In this situation, the shell tries to allocate enough memory to hold what it
reads from /dev/urandom, because it must be passed as a command line argument
to /bin/csh ( actually, any command will be ok ). So, the shell eats more and
more memory (on my machine (3.4-STABLE) - 251 MB) before the kernel decided to
take some action (like killing some processes... started by other users? system
services? or... in my case... crash :).

My friend said that he sent a mail to bugtraq describing this problem. Those
who are interested can read it.

I believe that the shells have a maximum command length, so... I'm trying now
to make the shell use the same command length when expanding such commands. I
think this is the best way to avoid this problem.

Any ideas?

Best regards:
zethix

What is worth doing is worth the trouble of asking somebody to do.
From owner-freebsd-security Fri Mar 24 9:46:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id 1620937B59C; Fri, 24 Mar 2000 09:46:26 -0800 (PST) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.9.3/8.9.3) id LAA40821; Fri, 24 Mar 2000 11:43:36 -0600 (CST) (envelope-from dan)
Date: Fri, 24 Mar 2000 11:43:35 -0600
From: Dan Nelson
To: Dungeonkeeper
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: shell issue
Message-ID: <20000324114335.A35279@dan.emsphone.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.1.5i
In-Reply-To: ; from "Dungeonkeeper" on Fri Mar 24 18:35:47 GMT 2000
X-OS: FreeBSD 5.0-CURRENT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In the last episode (Mar 24), Dungeonkeeper said:
> I believe that the shells have a maximum command length, so... I'm
> trying now to make the shell use the same command length when
> expanding such commands. I think this is the best way to avoid this
> problem. Any ideas?

The kernel has a maximum command-line length, but that only gets
checked when an external executable is run. Something like

echo `cat /dev/urandom`

would still work, since echo is usually a shell builtin command.

The better way to stop malicious people from using up all your memory
is to specify a datasize limit in /etc/login.conf .
-- 
	Dan Nelson
	dnelson@emsphone.com

From owner-freebsd-security Fri Mar 24 10: 5: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 420AD37B7CE; Fri, 24 Mar 2000 10:04:59 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id KAA14795; Fri, 24 Mar 2000 10:04:25 -0800 (PST) (envelope-from dillon)
Date: Fri, 24 Mar 2000 10:04:25 -0800 (PST)
From: Matthew Dillon
Message-Id: <200003241804.KAA14795@apollo.backplane.com>
To: Dungeonkeeper
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: shell issue
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:Hi there,
:
:First of all: I want to apologise for my poor English.
:
:Today a few friends of mine and I discussed the shells' (well, shell is
:actually one of: sh/bash/csh/tcsh... not tested for ksh) command line expansion
:routines, mainly because of a problem discovered by one of my friends. I'm not
:sure if this is something new... So, let me explain what he found. It seems
:that the shell wants to allocate enough memory to hold the entire command line
:when expanding all of the arguments and we can force it to allocate a huge
:amount of memory with a tricky command like this:
:
:carnivoro# /bin/csh -c `cat /dev/urandom`

    You can trivially write any program to allocate memory continuously.
    This isn't really a security problem with shells. If you want to cap
    memory usage you can set a datasize limit. It doesn't cap everything
    (i.e. it doesn't cap mmap() use), but it does cover the most common
    mistakes that users make.
						-Matt

From owner-freebsd-security Fri Mar 24 14: 6: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tristo.netinc.ca (primary.2gen.net [209.240.46.188]) by hub.freebsd.org (Postfix) with ESMTP id C6E6E37B8C4 for ; Fri, 24 Mar 2000 14:05:57 -0800 (PST) (envelope-from mike@2Gen.net)
Received: from localhost (mike@localhost) by tristo.netinc.ca (8.9.3/8.9.1) with ESMTP id SAA00368 for ; Fri, 24 Mar 2000 18:19:41 -0500 (EST)
Date: Fri, 24 Mar 2000 18:19:41 -0500 (EST)
From: Michael DeMutis
X-Sender: mike@tristo.netinc.ca
To: security@freebsd.org
Subject: Deny based on IP - TCP Wrapper
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I went to the ports collection and tried to install the TCP Wrapper.

tristo# make install
===> tcp_wrappers-7.6 is forbidden: tcp_wrappers is in the base system.
tristo#

It says it is in the base system.

If that is the case, then how do I enable its use?

I'd like to block telnet access based on IP.
-mike

From owner-freebsd-security Fri Mar 24 14:16:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24]) by hub.freebsd.org (Postfix) with ESMTP id 7849A37BB9B for ; Fri, 24 Mar 2000 14:16:33 -0800 (PST) (envelope-from brad@testbed.baileylink.net)
Received: (from brad@localhost) by testbed.baileylink.net (8.9.3/8.9.3) id QAA80890; Fri, 24 Mar 2000 16:17:44 -0600 (CST) (envelope-from brad)
Date: Fri, 24 Mar 2000 16:17:44 -0600
From: Brad Guillory
To: Michael DeMutis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Deny based on IP - TCP Wrapper
Message-ID: <20000324161743.M53604@baileylink.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from mike@2Gen.net on Fri, Mar 24, 2000 at 06:19:41PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You should look in man under hosts_options(5) and the file /etc/hosts.allow.
The /etc/hosts.deny file is no longer used so if someone points you there just
ignore them ;-). Check out the man pages though or if you are impatient there
is probably enough info in the hosts.allow file to get going. Have fun, BMG

On Fri, Mar 24, 2000 at 06:19:41PM -0500, Michael DeMutis wrote:
> 
> I went to the ports collection and tried to install the TCP Wrapper.
> 
> tristo# make install
> ===> tcp_wrappers-7.6 is forbidden: tcp_wrappers is in the base system.
> tristo#
> 
> It says it is in the base system.
> 
> If that is the case, then how do I enable its use?
> 
> I'd like to block telnet access based on IP.
> 
> -mike

-- 
  __O
_-\<,_      Why drive when you can bike?
(_)/ (_)

From owner-freebsd-security Fri Mar 24 19:38:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 191DA37B70B for ; Fri, 24 Mar 2000 19:38:32 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA42009; Fri, 24 Mar 2000 20:38:27 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA59319; Fri, 24 Mar 2000 20:38:18 -0700 (MST)
Message-Id: <200003250338.UAA59319@harmony.village.org>
To: Brian Somers
Subject: Re: New article
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 24 Mar 2000 12:36:12 GMT." <200003241236.MAA02043@hak.lan.Awfulhak.org>
References: <200003241236.MAA02043@hak.lan.Awfulhak.org>
Date: Fri, 24 Mar 2000 20:38:18 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200003241236.MAA02043@hak.lan.Awfulhak.org> Brian Somers writes:
: The same should be done to the directory itself. Ditto for /bin,
: /usr/bin, /sbin, /usr/sbin etc - in fact, anything that's in root's
: path.

And /usr/lib, and all the files in the above directories (since they
can still be changed via hard links). And all the config files that
are in /etc or /usr/local/etc. Anything that is touched before the
security level is raised needs to be protected as well. Don't forget
all modules.

Oh, /usr/local/sbin also appears in the default path. Directories
created under the /usr/local mount point might be a good way to drive a
wedge in. Also under /usr to a lesser extent.
ccdconfig is run if /etc/ccd.conf exists, but the path has it first, so
it isn't too bad. /etc/rc.conf and /etc/defaults/rc.conf are good ones
to attack as well. Well, all the /etc/rc* files. If one could create a
/sbin/rpc.umntall, then it would be run instead of rpc.umntall. Well,
there are others too.

: And what about /etc/{*passwd,*pwd.db} ? Methinks this is a large
: can of worms !

Can't do those and still expect users to be able to change their
passwords. Big big can of words...

Warner

From owner-freebsd-security Fri Mar 24 19:41:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id BC98937B7BD for ; Fri, 24 Mar 2000 19:41:31 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA42021; Fri, 24 Mar 2000 20:41:27 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id UAA59342; Fri, 24 Mar 2000 20:41:19 -0700 (MST)
Message-Id: <200003250341.UAA59342@harmony.village.org>
To: Harold Gutch
Subject: Re: New article
Cc: "Daniel C. Sobral", Olaf Hoyer, security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 24 Mar 2000 16:41:46 +0100."
<20000324164146.A18107@foobar.franken.de>
References: <20000324164146.A18107@foobar.franken.de> <200003231326.IAA24776@blackhelicopters.org> <38DA7A60.B7C23121@newsguy.com> <38DA950C.D4DCE9CC@softweyr.com> <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de> <38DB2B63.82552C96@newsguy.com>
Date: Fri, 24 Mar 2000 20:41:18 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <20000324164146.A18107@foobar.franken.de> Harold Gutch writes:
: I'd say that depends on how paranoid you were when chflag-ing
: various files and directories, like /kernel, /boot, /etc/rc.*,
: /lkm etc.. Of course that won't buy you anything unless you're
: running in secure level 1 or higher. security(7) is a nice
: introduction to this.

Of course it won't buy you anything. Full stop. Much of the boot
process executes at secure level 0, which means if you can compromise
even one file in the boot chain, you'll be able to do anything you want.

: I have to agree though that I wouldn't trust a (root-)compromised
: machine anymore and would re-install it. Nevertheless I still
: somehow doubt that an attacker could inject arbitrary code into
: the kernel on an otherwise correctly configured box, which then
: also implies "chflags -R /usr/src/sys schg" for example (and I'm
: sure I've forgotten a couple of other things here as well).

Don't put source on secure machines.
Warner

From owner-freebsd-security Sat Mar 25 10:33:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15]) by hub.freebsd.org (Postfix) with ESMTP id AC2AD37B86D for ; Sat, 25 Mar 2000 10:33:47 -0800 (PST) (envelope-from fitz@jfitz.com)
Received: from fitz (adsl-63-194-217-126.dsl.snfc21.pacbell.net [63.194.217.126]) by proxy4.ba.best.com (8.9.3/8.9.2/best.out) with SMTP id KAA29387 for ; Sat, 25 Mar 2000 10:32:17 -0800 (PST)
Message-ID: <003801bf9688$87418540$040ba8c0@fitz>
From: "John Fitzgibbon"
To:
Subject: Publishing Firewall Logs
Date: Sat, 25 Mar 2000 10:31:10 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I decided to start publishing my firewall logs on the web

http://63.194.217.126/logs/

My thinking is that to identify the root, (excuse the pun), source of
distributed attacks, administrators need access to a broad set of logs. If
you can identify IP addresses that were banging on a lot of doors, (or
banging on a particular door), prior to an attack, you should be able to
narrow the search.

My firewall box doesn't have anything much running on it and I don't use it
to store anything sensitive, so I thought, "why not make the logs
available?". I'm aware of the obvious counter-argument that any information
you make available creates a risk.

This is basically what I'm looking for feedback on -- Is this information
useful? Is this a dumb idea? What specific vulnerabilities am I creating?

John Fitzgibbon.
From owner-freebsd-security Sat Mar 25 12:52:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ionet.net (mail.ionet.net [206.41.128.16]) by hub.freebsd.org (Postfix) with ESMTP id 014E537B951 for ; Sat, 25 Mar 2000 12:52:12 -0800 (PST) (envelope-from ssamalin@ionet.net)
Received: from ionet.net (ip2.bedford4.ma.pub-ip.psi.net [38.32.73.2]) by ionet.net (8.9.1a/8.9.1) with ESMTP id OAA09594 for ; Sat, 25 Mar 2000 14:52:22 -0600 (CST)
Message-ID: <38DD2730.A977A6D0@ionet.net>
Date: Sat, 25 Mar 2000 15:53:04 -0500
From: Sam Samalin
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: Re: security-digest V4 #592
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe freebsd-security

security-digest wrote:
> security-digest Saturday, March 25 2000 Volume 04 : Number 592
> 
> In this issue:
> Re: New article
> Re: New article
> Re: New article
> Re: New article
> Re: New article
> shell issue
> Re: shell issue
> Re: shell issue
> Deny based on IP - TCP Wrapper
> Re: Deny based on IP - TCP Wrapper
> Re: New article
> Re: New article
> Publishing Firewall Logs
> 
> ----------------------------------------------------------------------
:-) > > - -- > Will Andrews > GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- > ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ > G++>+++ e->++++ h! r-->+++ y? > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > ------------------------------ > > Date: Thu, 23 Mar 2000 23:18:40 -0800 (PST) > From: Kris Kennaway > Subject: Re: New article > > On Fri, 24 Mar 2000, Will Andrews wrote: > > > ITYM "schg". I know the kernel is installed "schg", dunno about modules. > > I don't use those things anyway. :-) > > Oops, you are of course correct :) > > Kris > > - ---- > In God we Trust -- all others must submit an X.509 certificate. > -- Charles Forsythe > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > ------------------------------ > > Date: Fri, 24 Mar 2000 12:36:12 +0000 > From: Brian Somers > Subject: Re: New article > > > On Fri, 24 Mar 2000, Olaf Hoyer wrote: > > > > > Question: Is a loadable kernel module not a potential security risk? > > > > Only if your machine is insecurely configured. > > > > > Imagine some attacker exchanging some kernel module against own code, and > > > causing that module to be loaded (say, some driver for access to certain > > > filesystems, or zip drive etc...), or waiting for the module to be loaded > > > (say, for regular, scheduled activities like backups or batch jobs or so) > > > > This is why one of the first steps in securing that box should be to give > > the modules the noschg flag. Hmm, probably this should be done by > > default, like we noschg the kernel at install-time. > > The same should be done to the directory itself. Ditto for /bin, > /usr/bin, /sbin, /usr/sbin etc - in fact, anything that's in roots > path. > > And what about /etc/{*passwd,*pwd.db} ? Methinks this is a large > can of worms ! 
>
> > Kris
> >
> > ----
> > In God we Trust -- all others must submit an X.509 certificate.
> >     -- Charles Forsythe
>
> - --
> Brian
>
> Don't _EVER_ lose your sense of humour !
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 15:02:35 +0100
> From: Olaf Hoyer
> Subject: Re: New article
>
>
> >> I mean, if some module (which runs on a deeper, privileged mode) has some
> >> malicious code in it, or simply is buggy, and is loaded during runtime, it
> >> could cause a box to simply crash.
> >
> >What's the difference between a buggy module loaded at runtime, and one
> >compiled in the kernel?
> If you do it yourself: nothing.
> If someone else is doing/causing this, there is some annoyance.
>
> >
> >As for malicious code... what are you doing loading such a module??? :-)
> >
> >> Imagine some attacker exchanging some kernel module against own code, and
> >> causing that module to be loaded (say, some driver for access to certain
> >> filesystems, or zip drive etc...), or waiting for the module to be loaded
> >> (say, for regular, scheduled activities like backups or batch jobs or so)
> >
> >So??? If the hacker compromised root, he can just replace the whole
> >kernel if he wants. *IF ROOT WAS COMPROMISED, THE GAME IS OVER ALREADY*.
> >Really. No, I mean it. There is no such thing as "making things easier"
> >once root was compromised. You lost, and any attempt to "make things
> >difficult" is an exercise in self-delusion.
>
> Fully agreed. If an attacker has gained root, then it's game over.
>
> My point was aimed at the possibility that (most probably in misconfigured
> systems) an attacker could exchange existing kernel modules against
> malicious ones, given the case that writing/changing rights to that
> directory are not banned for everyone except root.
>
> I also had in mind that there is no 100% security, and that there always
> are bugs, some daemons with some superior access rights, and perhaps some
> users other than root that at least have some access under certain
> circumstances, i.e. backup operators. (Ok, that's more likely for NT, I know)
>
> I also know that most security holes come from human failure or foolishness.
> I wanted to point out that there is/could be some very _remote_
> possibility that such a mechanism could be used, if someone is creative
> enough, and the system insecure enough.
>
> Problem is, you do not intend in all cases to crash the server. This can
> be done with other, easier methods.
>
>
> Imagine some code that spies out your data and transmits copies over the net?
> Device drivers (say, for SCSI/tape drives etc) are perfect for that.
> The driver has to sniff for some code snippets and transfer that chunk of
> data to some remote location...
>
>
> Yes, I know that this would be a theoretical, constructed example that
> you could neglect in today's scenery. But what about in some years?
>
> Let's move that to -security, if further discussion is desired.
>
> Regards
> Olaf Hoyer
> - --------
> Olaf Hoyer          www.nightfire.de          mailto:Olaf.Hoyer@nightfire.de
> FreeBSD- Turning PC's into workstations       ICQ:22838075
>
> Love and hate are not blind, but blinded by the fire
> they carry within themselves. (Nietzsche)
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 16:41:46 +0100
> From: Harold Gutch
> Subject: Re: New article
>
> On Fri, Mar 24, 2000 at 05:46:27PM +0900, Daniel C.
> Sobral wrote:
> > Olaf Hoyer wrote:
> > > Imagine some attacker exchanging some kernel module against own code, and
> > > causing that module to be loaded (say, some driver for access to certain
> > > filesystems, or zip drive etc...), or waiting for the module to be loaded
> > > (say, for regular, scheduled activities like backups or batch jobs or so)
> >
> > So??? If the hacker compromised root, he can just replace the whole
> > kernel if he wants. *IF ROOT WAS COMPROMISED, THE GAME IS OVER ALREADY*.
> > Really. No, I mean it. There is no such thing as "making things easier"
> > once root was compromised. You lost, and any attempt to "make things
> > difficult" is an exercise in self-delusion.
>
> I'd say that depends on how paranoid you were when chflag-ing
> various files and directories, like /kernel, /boot, /etc/rc.*,
> /lkm etc.. Of course that won't buy you anything unless you're
> running in secure level 1 or higher. security(7) is a nice
> introduction to this.
> I have to agree though that I wouldn't trust a (root-)compromised
> machine anymore and would re-install it. Nevertheless I still
> somehow doubt that an attacker could inject arbitrary code into
> the kernel on an otherwise correctly configured box, which then
> also implies "chflags -R /usr/src/sys schg" for example (and I'm
> sure I've forgotten a couple of other things here as well).
>
> bye,
> Harold
>
> - --
> Someone should do a study to find out how many human life spans have
> been lost waiting for NT to reboot.
>     Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 18:35:47 +0200 (EET)
> From: Dungeonkeeper
> Subject: shell issue
>
> Hi there,
>
> First of all: I want to apologise for my poor English.
>
> Today me and a few friends of mine discussed the shells' (well, shell is
> actually one of: sh/bash/csh/tcsh... not tested for ksh) command line expansion
> routines, mainly because of a problem discovered by one of my friends. I'm not
> sure if this is something new... So, let me explain what he found. It seems
> that the shell wants to allocate enough memory to hold the entire command line
> when expanding all of the arguments and we can force it to allocate a huge
> amount of memory with a tricky command like this:
>
> carnivoro# /bin/csh -c `cat /dev/urandom`
>
> (I use tcsh here (the carnivoro# prompt), but the same thing happens when
> testing with sh/bash/tcsh) In this situation, the shell tries to allocate enough
> memory to hold what it reads from /dev/urandom, because it must be passed as
> a command line argument to /bin/csh ( actually, any command will be ok ). So,
> the shell eats more and more memory (on my machine (3.4-STABLE) - 251 MB)
> before the kernel decided to take some action (like killing some processes...
> started by other users? system services? or... in my case... crash :). My
> friend said that he sent a mail to bugtraq describing this problem. Those who
> are interested can read it.
>
> I believe that the shells have a maximum command length, so... I'm trying now
> to make the shell use the same command length when expanding such commands. I
> think this is the best way to avoid this problem. Any ideas?
>
> Best regards: zethix
>
> What is worth doing is worth the trouble of asking somebody to do.
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 11:43:35 -0600
> From: Dan Nelson
> Subject: Re: shell issue
>
> In the last episode (Mar 24), Dungeonkeeper said:
> > I believe that the shells have a maximum command length, so...
> > I'm
> > trying now to make the shell use the same command length when
> > expanding such commands. I think this is the best way to avoid this
> > problem. Any ideas?
>
> The kernel has a maximum command-line length, but that only gets
> checked when an external executable is run. Something like
>
> echo `cat /dev/urandom`
>
> would still work, since echo is usually a shell builtin command.
>
> The better way to stop malicious people from using up all your memory
> is to specify a datasize limit in /etc/login.conf .
>
> - --
> Dan Nelson
> dnelson@emsphone.com
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 10:04:25 -0800 (PST)
> From: Matthew Dillon
> Subject: Re: shell issue
>
> :Hi there,
> :
> :First of all: I want to apologise for my poor English.
> :
> :Today me and a few friends of mine discussed the shells' (well, shell is
> :actually one of: sh/bash/csh/tcsh... not tested for ksh) command line expansion
> :routines, mainly because of a problem discovered by one of my friends. I'm not
> :sure if this is something new... So, let me explain what he found. It seems
> :that the shell wants to allocate enough memory to hold the entire command line
> :when expanding all of the arguments and we can force it to allocate a huge
> :amount of memory with a tricky command like this:
> :
> :carnivoro# /bin/csh -c `cat /dev/urandom`
>
> You can trivially write any program to allocate memory continuously.
> This isn't really a security problem with shells. If you want to cap
> memory usage you can set a datasize limit. It doesn't cap everything
> (i.e. it doesn't cap mmap() use), but it does cover the most common
> mistakes that users make.
>
> -Matt
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 18:19:41 -0500 (EST)
> From: Michael DeMutis
> Subject: Deny based on IP - TCP Wrapper
>
> I went to the ports collection and tried to install the TCP Wrapper.
>
> tristo# make install
> ===>  tcp_wrappers-7.6 is forbidden: tcp_wrappers is in the base system.
> tristo#
>
> It says it is in the base system.
>
> If that is the case, then how do I enable its use?
>
> I'd like to block telnet access based on IP.
>
> - -mike
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 16:17:44 -0600
> From: Brad Guillory
> Subject: Re: Deny based on IP - TCP Wrapper
>
> You should look in man under hosts_options(5) and the file
> /etc/hosts.allow.
>
> The /etc/hosts.deny file is no longer used, so if someone points you there
> just ignore them ;-). Check out the man pages though, or if you are
> impatient there is probably enough info in the hosts.allow file
> to get going.
>
> Have fun, BMG
>
> On Fri, Mar 24, 2000 at 06:19:41PM -0500, Michael DeMutis wrote:
> >
> > I went to the ports collection and tried to install the TCP Wrapper.
> >
> > tristo# make install
> > ===>  tcp_wrappers-7.6 is forbidden: tcp_wrappers is in the base system.
> > tristo#
> >
> > It says it is in the base system.
> >
> > If that is the case, then how do I enable its use?
> >
> > I'd like to block telnet access based on IP.
> >
> > -mike
>
> - --
>   __O
> _-\<,_     Why drive when you can bike?
> (_)/ (_)
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 20:38:18 -0700
> From: Warner Losh
> Subject: Re: New article
>
> In message <200003241236.MAA02043@hak.lan.Awfulhak.org> Brian Somers writes:
> : The same should be done to the directory itself. Ditto for /bin,
> : /usr/bin, /sbin, /usr/sbin etc - in fact, anything that's in root's
> : path.
>
> And /usr/lib, and all the files in the above directories (since they
> can still be changed via hard links). And all the config files that
> are in /etc or /usr/local/etc. Anything that is touched before the
> security level is raised needs to be protected as well. Don't forget
> all modules. Oh, /usr/local/sbin also appears in the default path.
> Directories created under the /usr/local mount point might be a good
> way to drive a wedge in. Also under /usr to a lesser extent.
> ccdconfig is run if /etc/ccd.conf exists, but the path has it first,
> so it isn't too bad. /etc/rc.conf and /etc/defaults/rc.conf are good
> ones to attack as well. Well, all the /etc/rc* files.
>
> If one could create a /sbin/rpc.umntall, then it would be run instead
> of rpc.umntall. Well, there are others too.
>
> : And what about /etc/{*passwd,*pwd.db} ? Methinks this is a large
> : can of worms !
>
> Can't do those and still expect users to be able to change their
> passwords.
>
> Big big can of worms...
>
> Warner
>
> ------------------------------
>
> Date: Fri, 24 Mar 2000 20:41:18 -0700
> From: Warner Losh
> Subject: Re: New article
>
> In message <20000324164146.A18107@foobar.franken.de> Harold Gutch writes:
> : I'd say that depends on how paranoid you were when chflag-ing
> : various files and directories, like /kernel, /boot, /etc/rc.*,
> : /lkm etc..
> : Of course that won't buy you anything unless you're
> : running in secure level 1 or higher. security(7) is a nice
> : introduction to this.
>
> Of course it won't buy you anything. Full stop. Much of the boot
> process executes at secure level 0, which means if you can compromise
> even one file in the boot chain, you'll be able to do anything you
> want.
>
> : I have to agree though that I wouldn't trust a (root-)compromised
> : machine anymore and would re-install it. Nevertheless I still
> : somehow doubt that an attacker could inject arbitrary code into
> : the kernel on an otherwise correctly configured box, which then
> : also implies "chflags -R /usr/src/sys schg" for example (and I'm
> : sure I've forgotten a couple of other things here as well).
>
> Don't put source on secure machines.
>
> Warner
>
> ------------------------------
>
> Date: Sat, 25 Mar 2000 10:31:10 -0800
> From: "John Fitzgibbon"
> Subject: Publishing Firewall Logs
>
> I decided to start publishing my firewall logs on the web
> http://63.194.217.126/logs/
>
> My thinking is that to identify the root (excuse the pun) source of
> distributed attacks, administrators need access to a broad set of logs. If
> you can identify IP addresses that were banging on a lot of doors (or
> banging on a particular door) prior to an attack, you should be able to
> narrow the search. My firewall box doesn't have anything much running on it
> and I don't use it to store anything sensitive, so I thought, "why not make
> the logs available?". I'm aware of the obvious counter-argument that any
> information you make available creates a risk.
>
> This is basically what I'm looking for feedback on -- Is this information
> useful? Is this a dumb idea? What specific vulnerabilities am I creating?
>
> John Fitzgibbon.
>
> ------------------------------
>
> End of security-digest V4 #592
> ******************************
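The tcp_wrappers question in the digest above (block telnet by source IP through /etc/hosts.allow, with the verdict carried by the allow/deny option) is easy to get subtly wrong, because a connection that matches no rule at all is granted. What follows is an added example, not code from the thread and not tcp_wrappers' own code: it parses a constructed hosts.allow and evaluates it with the first-match semantics of hosts_access(5)/hosts_options(5) for the IP-address forms of the client list. The daemon names and addresses in SAMPLE_HOSTS_ALLOW are made up for the example; hostname patterns, `daemon@host` forms and the `twist`/`spawn` options are not modelled.

```python
"""Evaluate tcp_wrappers-style /etc/hosts.allow rules for an IP client.
Added example; models the subset of hosts_access(5)/hosts_options(5) needed
here: `daemon_list : client_list [: option ...]`, first match wins, ALL,
`a EXCEPT b`, net/mask patterns, trailing-dot prefixes, allow/deny options."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample (assumed names and addresses): block telnet by source IP.
SAMPLE_HOSTS_ALLOW = """
# constructed sample
telnetd : 192.168.1.0/255.255.255.0 : allow
telnetd : 10.0.0. EXCEPT 10.0.0.5 : allow
telnetd : ALL : deny
sshd    : ALL : allow
ALL     : ALL : deny
"""


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    options: List[str]
    lineno: int


def parse_hosts_allow(text: str) -> List[Rule]:
    """'#' starts a comment, a trailing backslash joins the next line."""
    rules: List[Rule] = []
    pending = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected daemon_list : client_list")
        rules.append(Rule(fields[0].split(), fields[1].split(), fields[2:], lineno))
    return rules


def _client_matches(pattern: str, ip) -> bool:
    if pattern == "ALL":
        return True
    if "/" in pattern:  # tcp_wrappers writes IPv4 masks dotted; ipaddress accepts that
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # "10.0.0." is a prefix match on the textual address
        return str(ip).startswith(pattern)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostname patterns are not modelled here


def _list_matches(tokens: List[str], pred: Callable[[str], bool]) -> bool:
    """`a EXCEPT b` matches a unless b also matches; EXCEPT nests to the right."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], pred) and not _list_matches(tokens[i + 1:], pred)
    return any(pred(t) for t in tokens)


def check_access(rules: List[Rule], daemon: str, client_ip: str) -> Tuple[bool, Optional[Rule]]:
    """First matching rule decides. A matched rule without allow/deny grants
    (the file is hosts.allow), and so does no match at all: that is why the
    file must end with `ALL : ALL : deny`."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if not _list_matches(rule.daemons, lambda d: d in ("ALL", daemon)):
            continue
        if not _list_matches(rule.clients, lambda p: _client_matches(p, ip)):
            continue
        verdict = "allow"
        for opt in rule.options:
            words = opt.split()
            if words and words[0] in ("allow", "deny"):
                verdict = words[0]
        return verdict == "allow", rule
    return True, None


def has_catch_all_deny(rules: List[Rule]) -> bool:
    """Audit check: is the last rule `ALL : ALL : deny`?"""
    return bool(rules) and rules[-1].daemons == ["ALL"] \
        and rules[-1].clients == ["ALL"] and "deny" in rules[-1].options


if __name__ == "__main__":
    rules = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    for daemon, ip in [("telnetd", "192.168.1.77"), ("telnetd", "10.0.0.5"),
                       ("telnetd", "203.0.113.4"), ("ftpd", "192.168.1.77")]:
        ok, rule = check_access(rules, daemon, ip)
        print(daemon, ip, "allow" if ok else "deny", f"(line {rule.lineno})" if rule else "(no rule)")
```

To run it against a real file, feed `open("/etc/hosts.allow").read()` to `parse_hosts_allow`; `has_catch_all_deny` is the check worth keeping, since without the final `ALL : ALL : deny` line every daemon and address not named in the file is admitted. Note that the sample deliberately lists the telnetd rules before the catch-all: with first-match semantics, a deny placed above an allow for the same daemon silently wins.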
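Dan Nelson's and Matthew Dillon's replies to the shell-expansion report both come down to a per-login resource limit rather than a shell fix. The following is an added example, mine and not from the thread, that shows the effect by having a child process cap its own address space with setrlimit(2) before attempting an allocation of the size a `cat /dev/urandom` expansion would reach. It uses RLIMIT_AS, which unlike the datasize limit (RLIMIT_DATA) Matt mentions also covers mmap(); on FreeBSD the matching login.conf capabilities are `datasize` and `vmemoryuse`, and the database must be rebuilt with `cap_mkdb /etc/login.conf` afterwards. The sizes below are arbitrary assumptions.

```python
"""Cap a process's memory so a runaway argument expansion fails inside that
process instead of starving the machine. Added example; the limit is applied
with RLIMIT_AS in a Python child as a stand-in for a login.conf limit."""
import subprocess
import sys
from typing import Optional, Tuple

MiB = 1024 * 1024
GiB = 1024 * MiB


def try_allocate(alloc_bytes: int, limit_bytes: Optional[int]) -> Tuple[bool, str]:
    """Spawn a child that lowers its own soft RLIMIT_AS to limit_bytes (never
    above the existing hard limit), then allocates alloc_bytes and touches the
    last byte so the pages are really backed. Returns (succeeded, last line of
    the child's stderr), so the caller can see the MemoryError when it fails."""
    script = ["import resource"]
    if limit_bytes is not None:
        script += [
            "soft, hard = resource.getrlimit(resource.RLIMIT_AS)",
            f"want = {limit_bytes}",
            "if hard != resource.RLIM_INFINITY: want = min(want, hard)",
            "resource.setrlimit(resource.RLIMIT_AS, (want, hard))",
        ]
    script += [f"buf = bytearray({alloc_bytes})", "buf[-1] = 1"]
    proc = subprocess.run([sys.executable, "-c", "\n".join(script)],
                          capture_output=True, text=True)
    err = proc.stderr.strip().splitlines()
    return proc.returncode == 0, (err[-1] if err else "")


if __name__ == "__main__":
    # The same oversized request with and without a cap; the capped one fails
    # in the child with MemoryError instead of competing with other users.
    print("8 GiB under a 2 GiB cap:", try_allocate(8 * GiB, 2 * GiB))
    print("16 MiB under a 2 GiB cap:", try_allocate(16 * MiB, 2 * GiB))
    print("8 GiB with no cap:", try_allocate(8 * GiB, None))
```

The uncapped run is left unasserted on purpose: whether an 8 GiB allocation succeeds without a limit depends on the host's RAM, swap and overcommit policy, which is exactly the unpredictability the limit removes.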