From owner-freebsd-security Sun Aug 27 0:14:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 64CEF37B440; Sun, 27 Aug 2000 00:14:47 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id AAA25893; Sun, 27 Aug 2000 00:14:47 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sun, 27 Aug 2000 00:14:46 -0700 (PDT)
From: Kris Kennaway
To: James Wyatt
Cc: Garrett Wollman, Adam Back, security@FreeBSD.ORG
Subject: Re: yarrow & /dev/random
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 27 Aug 2000, James Wyatt wrote:

> On servers with no regular keyboard or mouse use, there is usually enough
> entropy in the disk and network IO to serve the purpose. Small servers
> with low net and disk entropy often get used as consoles for busier
> servers. Your mileage may vary, of course. What other sources of entropy
> might one consider? Maybe an AM radio tuned to static hooked into
> /dev/audio to get random samples? - Jy@

My observations suggest that a sound card tuned to maximum input gain with
no microphone input (i.e. sampling noise in the card) is a very good source
of randomness, with at least 6 bits of entropy per 16-bit sample for most
cards, which can be sampled at 44 kHz (i.e. about 32 kilobytes of randomness
per second, far in excess of what Yarrow needs). More than enough for even
heavy server needs.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 27 0:15:16 2000
Date: Sun, 27 Aug 2000 00:15:15 -0700 (PDT)
From: Kris Kennaway
To: Terje Elde
Cc: John Lengeling, freebsd-security@FreeBSD.ORG
Subject: Re: Will PGPnet work with 4.1-STABLE IPSEC?
In-Reply-To: <20000826233547.A35033@dlt.follo.net>

On Sat, 26 Aug 2000, Terje Elde wrote:

> * John Lengeling (johnl@raccoon.com) [000824 11:50]:
> > Has anyone tried to get PGPnet working with IPSEC/racoon under 4.1-STABLE?
> >
> > Since this is the first time that I am trying to get an IPSEC VPN client
> > package working with FreeBSD's IPSEC, are there any recommended VPN clients
> > to use other than PGPnet?
>
> AFAIK the racoon in the ports collection will only work with -current, which
> should not be used for security sensitive applications (ref: /dev/random ;)

It works just fine with 4.1 and later.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Sun Aug 27 7:48:31 2000
Date: Sun, 27 Aug 2000 16:48:28 +0200
From: Terje Elde
To: Kris Kennaway
Cc: John Lengeling, freebsd-security@FreeBSD.ORG
Subject: Re: Will PGPnet work with 4.1-STABLE IPSEC?
Message-ID: <20000827164827.A38525@dlt.follo.net>
References: <20000826233547.A35033@dlt.follo.net>
In-Reply-To: ; from kris@FreeBSD.ORG on Sun, Aug 27, 2000 at 12:15:15AM -0700

* Kris Kennaway (kris@FreeBSD.ORG) [000827 09:16]:
> > AFAIK the racoon in the ports collection will only work with -current, which
> > should not be used for security sensitive applications (ref: /dev/random ;)
>
> It works just fine with 4.1 and later.

Nice :)

Sorry for jumping to conclusions. I have been paying rather close attention
looking for updates and haven't seen a single notice of this.

Thanks,
Terje

From owner-freebsd-security Sun Aug 27 9:18:54 2000
Date: Sun, 27 Aug 2000 11:24:54 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: ipnat and icmp...

Question: Can I do masquerade for ICMP packets using ipf/ipnat???

For example:

        A                                          B
        _                                          _
       |_|        Ping Request                    |_|
       ---        for hotmail                     ---     --> Internet
       ---                       -->              ---
   192.168.1.5                                 Real IP
                                            Using ipf/ipnat
       |_________________________________________|
          My Intranet, where the server B
          do ip masquerade for all the subnet
          192.168.1.0

=======================================================================
Buliwyf McGraw
Administrator of the Libertad server
Information Services Center
Universidad del Valle
=======================================================================

From owner-freebsd-security Sun Aug 27 9:23:03 2000
Date: Sun, 27 Aug 2000 12:23:01 -0400 (EDT)
From: "Chris D. Faulhaber"
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipnat and icmp...

On Sun, 27 Aug 2000, Buliwyf McGraw wrote:

> Question: Can I do masquerade for ICMP packets using ipf/ipnat???

No, but you can do NAT. See ipf(8), ipnat(8), http://www.obfuscation.org/ipf/,
http://coombs.anu.edu.au/~avalon/ip-filter.html, http://www.false.net/ipf/,
the FreeBSD Handbook/FAQ, et al.

-----
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Sun Aug 27 9:39:14 2000
Date: Sun, 27 Aug 2000 12:39:08 -0400 (EDT)
From: Robert Watson
To: freebsd-security@FreeBSD.org
Cc: phk@FreeBSD.org, green@FreeBSD.org
Subject: Review request: replacing p_trespass(), modifications to vaccess()

I've put up a patch that makes fairly extensive changes to the structure
(but hopefully not the semantics) of inter-process authorization checks:

  http://www.freebsd.org/~rwatson/p_stuff.diff

In theory, it does the following:

1) Replace many instances of {p_trespass, PRISON_CHECK} with one of
   {p_cansee, p_cansched, p_candebug, and p_cankill}, which are in
   kern_prot.c. This centralizes the inter-process access control in a
   more general way, and allows differentiation of the different types of
   interaction. For example, Brian Feldman's patch to modify setting of
   realtime priority changed the semantics for scheduling modifications,
   because p_trespass() is more liberal than the old authorization check.
   These changes should fix that.

2) Integrate the new kern.ps_showallproc change into p_cansee(), which has
   the effect of adding support to procfs also, whereas the existing
   sysctl affects only sysctl() access to the process data.

3) Modify vaccess() so that it is restructured for more careful/ordered
   use of privilege, and so that capability support can be added more
   easily. This should be semantically the same from a results
   perspective, but it is more careful to do a discretionary access
   check before falling back in privilege, et al. As such, the KSU
   accounting bit will now be set correctly in vaccess() for processes
   running as uid 0, if they use privilege to access a file rather
   than discretionary rights.

My hope is that the only "changed" behavior is:

1) Fix the p_trespass() interaction with regards to scheduling changes
2) Make kern.ps_showallproc affect /proc

It should be noted that right now, some information is still leaked via
/proc, but only the existence of the pid, rather than any practical
process information. This could be gathered using a walking fork()'ing
process looking for pid holes anyway, but I'm looking into a solution (it
probably has to do with the name cache, as I mentioned on -fs this
morning, so may not be easily fixable.)

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Sun Aug 27 13:34:04 2000
Date: Sun, 27 Aug 2000 16:34:00 -0400 (EDT)
From: Robert Watson
To: freebsd-security@FreeBSD.org
Cc: phk@FreeBSD.org, green@FreeBSD.org
Subject: Re: Review request: replacing p_trespass(), modifications to vaccess()

To those reviewing, I've uploaded new versions of the patches since the
post, replacing a few more PRISON_CHECK() calls, and merging in a few other
changes from my tree.

One interesting thing to consider is the difference in access control
choices between ptrace() (relatively liberal) and ktrace() (slightly less
so). ptrace() is more concerned with the process being setugid, whereas
ktrace is concerned with differences in credentials. Given that the
functionality is very similar, we should probably combine the two access
control checks, and decide which is more appropriate for our needs.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Sun Aug 27 19:44:40 2000
Message-ID: <39A9D218.ABB9E23E@raccoon.com>
Date: Sun, 27 Aug 2000 21:44:40 -0500
From: John Lengeling
To: Kris Kennaway
Cc: Terje Elde, freebsd-security@FreeBSD.org
Subject: Re: Will PGPnet work with 4.1-STABLE IPSEC?

Kris Kennaway wrote:
>
> On Sat, 26 Aug 2000, Terje Elde wrote:
>
> > * John Lengeling (johnl@raccoon.com) [000824 11:50]:
> > > Has anyone tried to get PGPnet working with IPSEC/racoon under 4.1-STABLE?
> > >
> > > Since this is the first time that I am trying to get an IPSEC VPN client
> > > package working with FreeBSD's IPSEC, are there any recommended VPN clients
> > > to use other than PGPnet?
> >
> > AFAIK the racoon in the ports collection will only work with -current, which
> > should not be used for security sensitive applications (ref: /dev/random ;)
>
> It works just fine with 4.1 and later.

Thanks for the info. I will give it a try.

Is PGPNET a good choice for a VPN client? I have heard good things about
F-Secure's VPN+ client. Any suggestions or recommendations?

johnl

From owner-freebsd-security Sun Aug 27 20:31:56 2000
Date: Sun, 27 Aug 2000 20:31:54 -0700 (PDT)
From: Kris Kennaway
To: John Lengeling
Cc: Terje Elde, freebsd-security@FreeBSD.org
Subject: Re: Will PGPnet work with 4.1-STABLE IPSEC?
In-Reply-To: <39A9D218.ABB9E23E@raccoon.com>

On Sun, 27 Aug 2000, John Lengeling wrote:

> Is PGPNET a good choice for a VPN client? I have heard good things about
> F-Secure's VPN+ client. Any suggestions or recommendations?

Nope, sorry..never used either.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Sun Aug 27 20:37:29 2000
Date: Fri, 25 Aug 2000 08:26:15 +0600 (KGST)
From: CrazZzy Slash
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH problem ???

Delete the client's host key in $HOME/.ssh/known_hosts (for ssh1) and
$HOME/.ssh2/hostkeys/ (for ssh2).

On Thu, 24 Aug 2000, Ali Alaoui El Hassani wrote:

> Dear All,
> I have set a small network that is composed of two machines that are
> communicating through a router. I installed ssh in the two machines and
> it was working well. But when the IP addresses of the two machines changed,
> I could not use ssh btw these two machines, it gives authentication error.
> Does anybody know why?
> If yes, how do I tackle the problem?
> Ali.
>
> On Thu, 24 Aug 2000, Visigoth wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > You may want to look into customizing your /etc/cvsupfile a little
> > bit to get what you want. CVSup is capable of only updating certain
> > portions of your source ex.
> >
> > *default host=cvsup5.FreeBSD.org
> > *default base=/usr
> > *default prefix=/usr
> > *default release=cvs
> > *default tag=RELENG_4
> > *default delete use-rel-suffix
> >
> > src-sys
> >
> > *default tag=.
> > ports-all
> > doc-all
> > < end cvsupfile >
> >
> > This cvsupfile will only update the source for your kernel, you can also
> > select other individual portions of the OS as your project allows...
> >
> > Have fun... ;)
> >
> > Damieon Stark
> > Sr. Unix Systems Administrator
> > visigoth@telemere.net
> >
> > PGP Public Key: www.telemere.net/~visigoth/visigoth.asc
> >
> > ____________________________________________________________________________
> >                                           |
> > M$      -Where do you want to go today?   |
> > Linux   -Where do you want to go tomorrow?| FreeBSD - The POWER to serve
> > Freebsd -Are you guys coming or what?     | http://www.freebsd.org
> >                                           |
> >                                           |
> > - ----------------------------------------------------------------------------
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.1i
> >
> > iQA/AwUBOaVIYznmC/+RTnGeEQJwXACdGuG6qeHcsaU5cWXRK45NYd4QtUQAoMxA
> > B4Nuk+rIDlVgUyKV/xgoMrNs
> > =ZxN4
> > -----END PGP SIGNATURE-----

From owner-freebsd-security Sun Aug 27 20:38:53 2000
Message-ID: <39A9E05B.D3248245@softweyr.com>
Date: Sun, 27 Aug 2000 21:45:31 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipnat and icmp...

Buliwyf McGraw wrote:
>
> Question: Can I do masquerade for ICMP packets using ipf/ipnat???
>
> For example:
>
>         A                                          B
>         _                                          _
>        |_|        Ping Request                    |_|
>        ---        for hotmail                     ---     --> Internet
>        ---                       -->              ---
>    192.168.1.5                                 Real IP
>                                             Using ipf/ipnat
>        |_________________________________________|
>           My Intranet, where the server B
>           do ip masquerade for all the subnet
>           192.168.1.0

If you mean "does ipf/ipnat translate ICMP packets properly?" the answer
is yes. "Masquerading" means using a stolen IP address for nefarious
purposes, even if the Linux kiddies STILL haven't figured it out.

--
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Sun Aug 27 20:40:13 2000
Date: Mon, 21 Aug 2000 18:22:13 +0600 (KGST)
From: CrazZzy Slash
To: "Vladimir I. Kulakov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: "snmp.sample" in /usr/local/etc/rc.d/
In-Reply-To: <20000821081020Z277228-23170+34169@ajax2.sovam.com>

No, I think maybe some package from ports installed snmp for itself..
look through your logs..

On Mon, 21 Aug 2000, Vladimir I. Kulakov wrote:

> > Hi!
> >
> > Can you send me your /tmp/install.log?
>
> There is no such file !!! :--(
> Do you think it was deleted by a hacker?
>
> > > Hi, all !
> > >
> > > I've just moved my server from FreeBSD 2.2.5 to 4.0 due
> > > to total hardware upgrade and many security holes.
> > >
> > > After upgrade I've mounted the hard disk from the previous
> > > machine and moved all user's data from /usr/home/ from it
> > > to the new hard disk. The new machine had new root
> > > password, of course.
> > >
> > > But at the next day after upgrade I've suddenly noticed
> > > two new scripts in /usr/local/etc/rc.d/ which intended to
> > > start at every bootup process and which I've never installed.
> > >
> > > Moreover, at the /usr/local/sbin/ there two more
> > > files appeared (snmpd and the second something like this).
> > > I've never installed snmp on that machine and mtree
> > > tells me such files never existed there.
> > >
> > > In the log files there are nothing special.
> > >
> > > The new system was installed from a "clear"
> > > distribution.
> > >
> > > Was this a trojan programs? How can I check
> > > my server for such security holes? And how
> > > such programs could be installed?
> > >
> > > May be my mistake was mounting my old disk with
> > > security holes then working connected to the Internet ?
> > > But how the hacker could execute programs even
> > > from insecure disk on a secure machine?
> > >
> > > Help me, please !!!

From owner-freebsd-security Sun Aug 27 20:40:23 2000
Date: Mon, 21 Aug 2000 12:31:27 +0600 (KGST)
From: CrazZzy Slash
To: "Vladimir I. Kulakov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: "snmp.sample" in /usr/local/etc/rc.d/
In-Reply-To: <20000820161100Z274714-23170+33643@ajax2.sovam.com>

Hi!

Can you send me your /tmp/install.log?

On Sun, 20 Aug 2000, Vladimir I. Kulakov wrote:

> Hi, all !
>
> I've just moved my server from FreeBSD 2.2.5 to 4.0 due
> to total hardware upgrade and many security holes.
>
> After upgrade I've mounted the hard disk from the previous
> machine and moved all user's data from /usr/home/ from it
> to the new hard disk. The new machine had new root
> password, of course.
>
> But at the next day after upgrade I've suddenly noticed
> two new scripts in /usr/local/etc/rc.d/ which intended to
> start at every bootup process and which I've never installed.
>
> Moreover, at the /usr/local/sbin/ there two more
> files appeared (snmpd and the second something like this).
> I've never installed snmp on that machine and mtree
> tells me such files never existed there.
>
> In the log files there are nothing special.
>
> The new system was installed from a "clear"
> distribution.
>
> Was this a trojan programs? How can I check
> my server for such security holes? And how
> such programs could be installed?
>
> May be my mistake was mounting my old disk with
> security holes then working connected to the Internet ?
> But how the hacker could execute programs even
> from insecure disk on a secure machine?
>
> Help me, please !!!

From owner-freebsd-security Sun Aug 27 20:40:34 2000
Date: Sun, 20 Aug 2000 17:23:50 +0600 (KGST)
From: CrazZzy Slash
To: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Need to install stelnet,sftp ??????????????????

Hi,

Install /usr/ports/security/ssh2.

On Sat, 19 Aug 2000, Ali Alaoui El Hassani wrote:

> Dear all,
> I need to install stelnet, sftp, shttp on a FreeBSD 3.3. Any help?

From owner-freebsd-security Mon Aug 28 2:54:20 2000
Date: Mon, 28 Aug 2000 20:54:09 +1100 (EST)
From: Bruce Evans
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG, phk@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: Review request: replacing p_trespass(), modifications to vaccess()

On Sun, 27 Aug 2000, Robert Watson wrote:

> I've put up a patch that makes fairly extensive changes to the structure
> (but hopefully not the semantics) of inter-process authorization checks:
>
>   http://www.freebsd.org/~rwatson/p_stuff.diff

Most of this seems reasonable.

> 3) Modify vaccess() so that it is restructured for more careful/ordered
>    use of privilege, and so that capability support can be added more
>    easily. This should be semantically the same from a results
>    perspective, but it is more careful to do a discretionary access
>    check before falling back in privilege, et al. As such, the KSU

ASU?

>    accounting bit will now be set correctly in vaccess() for processes
>    running as uid 0, if they use privilege to access a file rather
>    than discretionary rights.

vaccess() currently intentionally doesn't set ASU, since checking for
access doesn't require any privilege. ASU should only be set if
privileged access is used, e.g., upon successful completion of an
open(2) call that needed privilege to succeed, but never for access(2).

Bruce

From owner-freebsd-security Mon Aug 28 5:33:55 2000
Date: Mon, 28 Aug 2000 08:33:26 -0400 (EDT)
From: Robert Watson
To: Bruce Evans
Cc: freebsd-security@FreeBSD.ORG, phk@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: Review request: replacing p_trespass(), modifications to vaccess()

On Mon, 28 Aug 2000, Bruce Evans wrote:

> On Sun, 27 Aug 2000, Robert Watson wrote:
>
> > I've put up a patch that makes fairly extensive changes to the structure
> > (but hopefully not the semantics) of inter-process authorization checks:
> >
> > http://www.freebsd.org/~rwatson/p_stuff.diff
>
> Most of this seems reasonable.
>
> > 3) Modify vaccess() so that it is restructured for more careful/ordered
> > use of privilege, and so that capability support can be added more
> > easily. This should be semantically the same from a results
> > perspective, but it is more careful to do a discretionary access
> > check before falling back in privilege, et al. As such, the KSU
>
> ASU?
>
> > accounting bit will now be set correctly in vaccess() for processes
> > running as uid 0, if they use privilege to access a file rather
> > than discretionary rights.
>
> vaccess() currently intentionally doesn't set ASU, since checking for
> access doesn't require any privilege. ASU should only be set if
> privileged access is used, e.g., upon successful completion of an
> open(2) call that needed privilege to succeed, but never for access(2).

In the various p_can* calls, I have a *privused argument, intended to allow the caller to determine whether or not privilege would be used to perform the access authorized by the p_can* calls. In my capability tree, the ASU flag is not set by suser(), rather by an independent suser_used(p) call, which is called based on a cumulative privilege flag, once some part of the operation commits persistently. The same technique could easily be applied in vaccess().

However, I have received comments from a number of people that the ASU flag introduces more complexity than it is worth: they'd rather see reduced structural complexity, and lose the ASU flag. In any case, I'd like to see suser() used in vaccess(), centralizing the super-user decision, regardless of whether ASU is provided for, meaning that to correctly maintain ASU, it must not be set in suser().

With that reasoning in mind, do you think ASU can be {temporarily, permanently} deprecated/broken?

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

Date: Tue, 29 Aug 2000 00:09:34 +1100 (EST)
From: Bruce Evans
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG, phk@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: Review request: replacing p_trespass(), modifications to vaccess()

On Mon, 28 Aug 2000, Robert Watson wrote:

> In the various p_can* calls, I have a *privused argument, intended to
> allow the caller to determine whether or not privilege would be used to
> perform the access authorized by the p_can* calls. In my capability tree,
> the ASU flag is not set by suser(), rather by an independent suser_used(p)
> call, which is called based on a cumulative privilege flag, once some part
> of the operation commits persistently. The same technique could easily be
> applied in vaccess(). However, I have received comments from a number of
> people that the ASU flag introduces more complexity than it is worth:
> they'd rather see reduced structural complexity, and lose the ASU flag.
> In any case, I'd like to see suser() used in vaccess(), centralizing the
> super-user decision, regardless of whether ASU is provided for, meaning
> that to correctly maintain ASU, it must not be set in suser().
>
> With that reasoning in mind, do you think ASU can be {temporarily,
> permanently} deprecated/broken?

I think it should be permanently dropped from normal kernels, but your work seems to require even more flags like it, at least for debugging. I'm not sure how well complexity for extra security can be localised.
Bruce

Date: Mon, 28 Aug 2000 09:27:51 -0400 (EDT)
From: Robert Watson
To: Bruce Evans
Cc: freebsd-security@FreeBSD.ORG, phk@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: Review request: replacing p_trespass(), modifications to vaccess()

On Tue, 29 Aug 2000, Bruce Evans wrote:

> > With that reasoning in mind, do you think ASU can be {temporarily,
> > permanently} deprecated/broken?
>
> I think it should be permanently dropped from normal kernels, but your
> work seems to require even more flags like it, at least for debugging.
> I'm not sure how well complexity for extra security can be localised.

My main concern at this point was whether or not ASU could be dropped from the base system. You're right of course: eventually, I hope to handle auditing of privilege, just separately from the current use of the accounting system to do that. We've gone through a couple of partial implementations of auditing on FreeBSD, and I've had the opportunity to consider similar systems on other platforms, and have yet to see an implementation that satisfies all my concerns (in terms of correctness, cleanness of integration et al). I'm tempted to put off dealing with that until we've had a chance to look further at the impact of authorization improvements in the system, although presumably avoid explicitly breaking the possibility of adding it easily :-).

I'll update my patches to include the removal of ASU from suser(), which would then allow suser() to accept const proc * and const cred *, which will remove qualifier warnings elsewhere in the tree.

I'd like for us to move in the direction of only requiring const struct cred * for access control decisions, but right now that's not possible due to the use of P_SUGID in struct proc's flags. One question to ask then is whether or not P_SUGID could be moved into a set of credential flags, reflecting the state of the credentials. Doing so would impact the use of crcopy() and friends, and also require that it be explicitly unset following an exec() of a non-setugid binary (presumably -- I haven't read through the details of P_SUGID semantics). With the advent of capabilities that are independent of uid0, it strikes me that the requirements are actually for multiple flags: one that indicates a change in privilege or credential over the lifetime of the process, requiring protection of the process from certain types of operations (ptrace, et al). The second would be a cached indication of having privilege available: be it via uid0 providing that privilege, or via holding capabilities, et al. If fast enough, this need not be cached, of course.

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
From: Cy Schubert - ITSD Open Systems Group
To: "David G. Andersen"
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Blackhat Firewall-1 Codes
Date: Mon, 28 Aug 2000 06:55:18 -0700

In message <200008260838.CAA11671@faith.cs.utah.edu>, "David G. Andersen" writes:
> Lo and behold, Crist J. Clark once said:
> > >
> > > - differing levels of "rawness" between BSD and Linux;
> > > BSD raw sockets perform an htons() on the ip_len, ip_off,
> > > and ip_tos fields.
> >
> > Hmmm.. Is this just FreeBSD as opposed to a *BSD thing? The authors
> > claim the codes were "developed and tested on OpenBSD and Linux."
>
> Recent OpenBSDs behave in the same manner as Linux; Net and Free behave
> differently. Try this one; I'll bet it's the problem.

That's the nice thing about standards. There's so many to choose from.

Sorry but this really hit a nerve, as this topic always does.

Regards,                                Phone: (250)387-8437
Cy Schubert                             Fax: (250)387-5766
Team Leader, Sun/DEC Team               Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
From: Yaroslav Halchinsky
To: freebsd-security@freebsd.org
Subject: Re: icmptypes
In-Reply-To: <200008220128.TAA43045@harmony.village.org>
Date: Mon, 28 Aug 2000 17:29:42 +0300 (EEST)

Warner Losh wrote:
> For ICMP packets, drop them on the floor, but make sure that you have
> the path mtu types enabled.

What about source quenches?

--
Regards, Yaroslav Halchinsky

Date: Mon, 28 Aug 2000 13:16:34 -0400 (EDT)
From: Robert Watson
To: Bruce Evans
Cc: freebsd-security@FreeBSD.ORG, phk@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: Review request: replacing p_trespass(), modifications to vaccess()

I've uploaded a new version of the p_stuff.diff patch (http://www.freebsd.org/~rwatson/p_stuff.diff) that adds the following changes:

1) Eliminate ASU being set in suser_xxx()

2) Change suser{,_xxx} and p_can{see,kill,sched,debug} to use const struct *{cred,proc}

3) Modify vaccess() to accept an additional argument, in the style of p_can*, *privused, which can allow the caller to determine if privilege was required for vaccess() to return 0.

4) Change EPERM back to EACCES when vaccess() fails, as it's a failure due to DAC permissions, not a failure of privilege at this level.

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

On Mon, 28 Aug 2000, Robert Watson wrote:

> On Tue, 29 Aug 2000, Bruce Evans wrote:
>
> > > With that reasoning in mind, do you think ASU can be {temporarily,
> > > permanently} deprecated/broken?
> >
> > I think it should be permanently dropped from normal kernels, but your
> > work seems to require even more flags like it, at least for debugging.
> > I'm not sure how well complexity for extra security can be localised.
>
> My main concern at this point was whether or not ASU could be dropped from
> the base system. You're right of course: eventually, I hope to handle
> auditing of privilege, just separately from the current use of the
> accounting system to do that. We've gone through a couple of partial
> implementations of auditing on FreeBSD, and I've had the opportunity to
> consider similar systems on other platforms, and have yet to see an
> implementation that satisfies all my concerns (in terms of correctness,
> cleanness of integration et al). I'm tempted to put off dealing with that
> until we've had a chance to look further at the impact of authorization
> improvements in the system, although presumably avoid explicitly breaking
> the possibility of adding it easily :-).
>
> I'll update my patches to include the removal of ASU from suser(), which
> would then allow suser() to accept const proc * and const cred *, which
> will remove qualifier warnings elsewhere in the tree.
>
> I'd like for us to move in the direction of only requiring const struct
> cred * for access control decisions, but right now that's not possible due
> to the use of P_SUGID in struct proc's flags. One question to ask then is
> whether or not P_SUGID could be moved into a set of credential flags,
> reflecting the state of the credentials. Doing so would impact the use
> of crcopy() and friends, and also require that it be explicitly unset
> following an exec() of a non-setugid binary (presumably -- I haven't read
> through the details of P_SUGID semantics). With the advent of
> capabilities that are independent of uid0, it strikes me that the
> requirements are actually for multiple flags: one that indicates a change
> in privilege or credential over the lifetime of the process, requiring
> protection of the process from certain types of operations (ptrace, et
> al). The second would be a cached indication of having privilege
> available: be it via uid0 providing that privilege, or via holding
> capabilities, et al. If fast enough, this need not be cached, of course.
>
> Robert N M Watson
> robert@fledge.watson.org http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services
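As an added illustration of the split the thread settles on (not Robert Watson's patch and not FreeBSD code; all structure and function names are simplified stand-ins), this C model shows vaccess() trying discretionary rights first, falling back on a side-effect-free suser() that takes a const credential, reporting that fallback through *privused, returning EACCES rather than EPERM on a DAC denial, and leaving the accounting flag (the suser_used() step) to a caller that actually commits, so an access(2)-style query never sets it.

```c
#include <errno.h>
#include <stdio.h>

/* Requested access bits, in the spirit of the vnode layer's VREAD/VWRITE/VEXEC. */
#define VREAD  04
#define VWRITE 02
#define VEXEC  01

/* Simplified stand-ins for the kernel's credential and file objects (assumptions). */
struct cred { unsigned uid, gid; };
struct file { unsigned uid, gid, mode; };   /* mode holds rwxrwxrwx permission bits */

/* The accounting flag the thread calls ASU: set only by suser_used(), never by suser(). */
static int asu_flag;
static void suser_used(void) { asu_flag = 1; }
static int  asu_was_set(void) { return asu_flag; }
static void asu_reset(void) { asu_flag = 0; }

/* suser(): the centralized super-user decision. No side effects, so it can take a
 * const credential. Returns 0 when the credential carries privilege. */
static int suser(const struct cred *cr)
{
    return cr->uid == 0 ? 0 : EPERM;
}

/* vaccess(): discretionary check first, privilege only as a fallback.
 * *privused (may be NULL) tells the caller whether privilege was needed.
 * A denial here is a DAC failure, hence EACCES, not EPERM. */
static int vaccess(const struct file *f, unsigned acc_mode,
                   const struct cred *cr, int *privused)
{
    unsigned dac;

    if (privused != NULL)
        *privused = 0;
    if (cr->uid == f->uid)
        dac = (f->mode >> 6) & 07;          /* owner bits */
    else if (cr->gid == f->gid)
        dac = (f->mode >> 3) & 07;          /* group bits */
    else
        dac = f->mode & 07;                 /* other bits */
    if ((acc_mode & dac) == acc_mode)
        return 0;                           /* granted by discretionary rights */
    if (suser(cr) == 0) {
        if (privused != NULL)
            *privused = 1;
        return 0;                           /* granted by privilege */
    }
    return EACCES;
}

/* An open(2)-style caller: the operation commits, so privilege, if it was
 * needed, is charged to accounting afterwards. */
static int do_open(const struct file *f, unsigned acc_mode, const struct cred *cr)
{
    int privused;
    int error = vaccess(f, acc_mode, cr, &privused);

    if (error != 0)
        return error;
    /* ... the open commits persistently here ... */
    if (privused)
        suser_used();
    return 0;
}

/* An access(2)-style caller only asks the question, so it never charges privilege. */
static int do_access(const struct file *f, unsigned acc_mode, const struct cred *cr)
{
    return vaccess(f, acc_mode, cr, NULL);
}

int main(void)
{
    struct file f = { 1000, 100, 0600 };    /* constructed: owned by uid 1000, mode rw------- */
    struct cred root = { 0, 0 }, other = { 1001, 200 };
    int err;

    err = do_access(&f, VWRITE, &root);
    printf("access(2) as root: %d, ASU set: %d\n", err, asu_was_set());
    err = do_open(&f, VWRITE, &other);
    printf("open(2) as uid 1001: %d (EACCES is %d), ASU set: %d\n", err, EACCES, asu_was_set());
    err = do_open(&f, VWRITE, &root);
    printf("open(2) as root: %d, ASU set: %d\n", err, asu_was_set());
    return 0;
}
```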
From: "Shane Hale"
Date: Mon, 28 Aug 2000 13:31:06 -0400

Hello

I have a machine that's getting attacked regularly.

(Yes I know my clock is wrong... 1886809 seconds fast to be exact)

Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
Sep 19 00:18:00 shell /kernel: icmp-response bandwidth limit 3488/200 pps
Sep 19 00:18:01 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:18:02 shell /kernel: icmp-response bandwidth limit 3494/200 pps
Sep 19 00:18:03 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:18:04 shell /kernel: icmp-response bandwidth limit 3497/200 pps
Sep 19 00:18:05 shell /kernel: icmp-response bandwidth limit 3501/200 pps
Sep 19 00:18:06 shell /kernel: icmp-response bandwidth limit 3504/200 pps
Sep 19 00:18:07 shell /kernel: icmp-response bandwidth limit 3485/200 pps
Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps

(This went on for about 15 minutes, and caused my network to be slow as molasses and a traceroute from home stopped at the
router that routes my C-Class)

I have ICMP bandwidth limiting on the machine being attacked, but...

- how can I trace who's attacking me
- what exactly are they trying to do
- how does ICMP_BANDWITH Limiting work

If there is anyone who can help me, I'd appreciate it.

Shane Hale
Systems Administration
Bricsnet, Inc
Suite 601, 2300 Yonge Street, Box 2361 / Toronto, Ontario / M4P 1E4 / Canada
Phone: +1(416)489-9000 ext. 304
Fax: +1(416)489-3201
Email: shale@bricsnet.com
Web: http://www.bricsnet.com
__________________________________________
Bricsnet Inc.
Bricsnet.com is the leading e-marketplace for the global building industry
Date: Mon, 28 Aug 2000 10:36:00 -0700
From: Alfred Perlstein
To: Shane Hale
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail

* Shane Hale [000828 10:31] wrote:
>
> Hello
>
> I have a machine that's getting attacked regularly.
>
> (Yes I know my clock is wrong... 1886809 seconds fast to be exact)
>
> Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
> Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
> Sep 19 00:18:00 shell /kernel: icmp-response bandwidth limit 3488/200 pps
> Sep 19 00:18:01 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:18:02 shell /kernel: icmp-response bandwidth limit 3494/200 pps
> Sep 19 00:18:03 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:18:04 shell /kernel: icmp-response bandwidth limit 3497/200 pps
> Sep 19 00:18:05 shell /kernel: icmp-response bandwidth limit 3501/200 pps
> Sep 19 00:18:06 shell /kernel: icmp-response bandwidth limit 3504/200 pps
> Sep 19 00:18:07 shell /kernel: icmp-response bandwidth limit 3485/200 pps
> Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
>
> (This went on for about 15 minutes, and caused my network to be slow as
> molasses and a traceroute from home stopped at the router that routes my
> C-Class)
>
> I have ICMP bandwidth limiting on the machine being attacked, but...
>
> - how can I trace who's attacking me
> - what exactly are they trying to do
> - how does ICMP_BANDWITH Limiting work
>
> If there is anyone who can help me, I'd appreciate it.

Well, you'd want to run tcpdump to see what's actually going on, however the problem is that most likely the attack is from a spoofed source so that unless the attacker is a complete knob you're probably out of luck unless you can co-operate with your upstream and trace this thing across the net.

A better option is to figure out why it's happening, your box is named 'shell' so it sounds like one of your Lusers got into a pissing contest with someone, I would try to figure out who started it and remove the account.

-Alfred

Date: Mon, 28 Aug 2000 12:23:09 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipnat and icmp (II)
In-Reply-To: <39A9E05B.D3248245@softweyr.com>

> > Question: Can I do masquerade for icmp packets using ipf/ipnat???
> >
> > For example:
> >
> >        A                                       B
> >        _                                       _
> >       |_|          Ping Request               |_|
> >       ---          for hotmail                ---  --> Internet
> >       ---             -->                     ---
> >   192.168.1.5                               Real IP
> >                                             Using ipf/ipnat
> >   |_________________________________________|
> >     My Intranet, where the server B
> >     do ip masquerade for all the subnet
> >     192.168.1.0
>
> If you mean "does ipf/ipnat translate ICMP packets properly?" the answer is
> yes.

What I want to know is what rule I need to use in Server B, if I want to do a traceroute/ping from 192.168.1.5 to www.hotmail.com. I don't care if the answer for the request comes from server B; what I want is to know if some server on Internet is alive. Can I do this with ipf/ipnat?

I tried something crazy, like:

map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap icmp 10000:20000

Obviously, it doesn't work :/

I'm looking for instructions about it, but the examples I saw always talk about NAT for tcp/udp, never icmp. Is it possible?

Thanks for any help.

Date: Mon, 28 Aug 2000 11:09:02 -0700 (PDT)
From: "Col.Panic"
To: freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)

I have an interesting appendage to add to this answer. I have ICMP shut down at the router, and I get the same messages from my new 4.1-STABLE system. I can understand if somebody is spoofing ICMP packets, but if they are, how are the replies getting to my machine?

I've looked into it, and there isn't anybody logged into the machine for when this occurs. I'm at a loss.

Thanks,

-Jason

---------- Forwarded message ----------
Date: Mon, 28 Aug 2000 10:36:00 -0700
From: Alfred Perlstein
To: Shane Hale
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail

* Shane Hale [000828 10:31] wrote:
>
> Hello
>
> I have a machine that's getting attacked regularly.
>
> (Yes I know my clock is wrong... 1886809 seconds fast to be exact)
>
> Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
> Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
> Sep 19 00:18:00 shell /kernel: icmp-response bandwidth limit 3488/200 pps
> Sep 19 00:18:01 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:18:02 shell /kernel: icmp-response bandwidth limit 3494/200 pps
> Sep 19 00:18:03 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:18:04 shell /kernel: icmp-response bandwidth limit 3497/200 pps
> Sep 19 00:18:05 shell /kernel: icmp-response bandwidth limit 3501/200 pps
> Sep 19 00:18:06 shell /kernel: icmp-response bandwidth limit 3504/200 pps
> Sep 19 00:18:07 shell /kernel: icmp-response bandwidth limit 3485/200 pps
> Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
>
> (This went on for about 15 minutes, and caused my network to be slow as
> molasses and a traceroute from home stopped at the router that routes my
> C-Class)
>
> I have ICMP bandwidth limiting on the machine being attacked, but...
>
> - how can I trace who's attacking me
> - what exactly are they trying to do
> - how does ICMP_BANDWITH Limiting work
>
> If there is anyone who can help me, I'd appreciate it.

Well, you'd want to run tcpdump to see what's actually going on, however the problem is that most likely the attack is from a spoofed source so that unless the attacker is a complete knob you're probably out of luck unless you can co-operate with your upstream and trace this thing across the net.

A better option is to figure out why it's happening, your box is named 'shell' so it sounds like one of your Lusers got into a pissing contest with someone, I would try to figure out who started it and remove the account.

-Alfred

Date: Mon, 28 Aug 2000 11:12:54 -0700
From: Alfred Perlstein To: "Col.Panic" Cc: freebsd-security@FreeBSD.ORG Subject: Re: your mail (fwd) Message-ID: <20000828111254.S1209@fw.wintelcom.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: ; from panic@satan.antix.org on Mon, Aug 28, 2000 at 11:09:02AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps > > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps > > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps > > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps * Col.Panic [000828 11:09] wrote: > I have an interesting appendage to add to this answer. I have ICMP shut > down at the router, and I get the same messages from my new 4.1-STABLE > system. I can understand if somebody is spoofing ICMP packets, but if > they are, how are the replies getting to my machine? > > I've looked into it, and there isn't anybody logged into the machine for > when this occurs. I'm at a loss. It's an icmp _response_ limit, meaning it limits the amount of icmp error messages your machine will generate in repsonse to bogus connections or listen queue overflows. 
most likely an ACK/SYN attack of some sort or a server unable to handle its listen queue (incoming connections)

-Alfred

Date: Mon, 28 Aug 2000 14:16:21 -0400 (EDT)
From: Matt Ayres
To: "Col.Panic"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)

FreeBSD will also give the message below when UDP has gone over 100pps.

-Matt

On Mon, 28 Aug 2000, Col.Panic wrote:

> I have an interesting appendage to add to this answer. I have ICMP shut
> down at the router, and I get the same messages from my new 4.1-STABLE
> system. I can understand if somebody is spoofing ICMP packets, but if
> they are, how are the replies getting to my machine?
>
> I've looked into it, and there isn't anybody logged into the machine for
> when this occurs. I'm at a loss.
>
> Thanks,
>
> -Jason
>
>
>
> ---------- Forwarded message ----------
> Date: Mon, 28 Aug 2000 10:36:00 -0700
> From: Alfred Perlstein
> To: Shane Hale
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: your mail
>
> * Shane Hale [000828 10:31] wrote:
> >
> > Hello
> >
> > I have a machine that's getting attacked regularly.
> >
> > (Yes i know my clock is wrong... 1886809 seconds fast to be exact)
> >
> > Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
> > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
> > Sep 19 00:18:00 shell /kernel: icmp-response bandwidth limit 3488/200 pps
> > Sep 19 00:18:01 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:18:02 shell /kernel: icmp-response bandwidth limit 3494/200 pps
> > Sep 19 00:18:03 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:18:04 shell /kernel: icmp-response bandwidth limit 3497/200 pps
> > Sep 19 00:18:05 shell /kernel: icmp-response bandwidth limit 3501/200 pps
> > Sep 19 00:18:06 shell /kernel: icmp-response bandwidth limit 3504/200 pps
> > Sep 19 00:18:07 shell /kernel: icmp-response bandwidth limit 3485/200 pps
> > Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
> >
> > (This went on for about 15 minutes, and caused my network to be slow as
> > molasses and a traceroute from home stopped at the router that routes my
> > C-Class)
> >
> > I have ICMP bandwidth limiting on the machine being attacked, but...
> >
> > - how can i trace who's attacking me
> > - what exactly are they trying to do
> > - how does ICMP_BANDWITH Limiting work
> >
> > If there is anyone who can help me, i'd appreciate it.
>
> Well, you'd want to run tcpdump to see what's actually going on, however
> the problem is that most likely the attack is from a spoofed source
> so that unless the attacker is a complete knob you're probably out
> of luck unless you can co-operate with your upstream and trace this
> thing across the net.
>
> A better option is to figure out why it's happening, your box is named
> 'shell' so it sounds like one of your Lusers got into a pissing contest
> with someone, I would try to figure out who started it and remove the
> account.
>
> -Alfred

Date: Mon, 28 Aug 2000 11:15:37 -0700
From: Alfred Perlstein
To: Matt Ayres
Cc: "Col.Panic", freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)
Message-ID: <20000828111537.T1209@fw.wintelcom.net>
In-Reply-To: ; from matta@unixshell.com on Mon, Aug 28, 2000 at 02:16:21PM -0400

> > Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps

* Matt Ayres [000828 11:13] wrote:
> FreeBSD will also give the message below when UDP has gone over 100pps.

Can you explain? Are you saying that any application sending out more than 100pps of UDP will cause the system to start generating this message? I doubt that's the case but what you said sounds like it.

-Alfred

Date: Mon, 28 Aug 2000 14:23:30 -0400 (EDT)
From: Matt Ayres
To: Alfred Perlstein
Cc: "Col.Panic", freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)
In-Reply-To: <20000828111537.T1209@fw.wintelcom.net>

Well, I read your mail after sending this out and I also agree with you. In my exp when a UDP flood comes in, the kernel will also pump out the message, usually at a smaller pps with UDP floods. As I am not a programmer I do not know the internals as to why, but I would assume it is due to an icmp error as your e-mail stated. I was trying to alert him that in the future he might want to look to see if massive amounts of UDP traffic are coming in when receiving that message :>

On Mon, 28 Aug 2000, Alfred Perlstein wrote:

> > > Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
>
> * Matt Ayres [000828 11:13] wrote:
> > FreeBSD will also give the message below when UDP has gone over 100pps.
>
> Can you explain? Are you saying that any application sending out
> more than 100pps of UDP will cause the system to start generating
> this message? I doubt that's the case but what you said sounds like
> it.
>
> -Alfred
>

Date: Mon, 28 Aug 2000 13:26:56 -0500 (CDT)
From: Mike Silbersack
To: "Col.Panic"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)

On Mon, 28 Aug 2000, Col.Panic wrote:

> I have an interesting appendage to add to this answer. I have ICMP shut
> down at the router, and I get the same messages from my new 4.1-STABLE
> system. I can understand if somebody is spoofing ICMP packets, but if
> they are, how are the replies getting to my machine?
>
> I've looked into it, and there isn't anybody logged into the machine for
> when this occurs. I'm at a loss.
>
> Thanks,
>
> -Jason

"icmp-response" is a misnomer. It counts both icmp unreachables and TCP RST packets. So, UDP to unopen ports, and TCP (non-syn) to unopen ports will cause bandwidth limiting and the resulting console messages.

Mike "Silby" Silbersack
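Since the message counts ICMP unreachables and TCP RSTs alike, the useful defender-side step is to turn the console noise into a measured event. The script below is an added example, not code from the thread: it parses lines in the format shown above (the sample reuses Shane Hale's log lines plus one constructed unrelated line) and reports each burst's duration, peak attempted rate and how many responses the kernel withheld.

```python
import re
from datetime import datetime

# Kernel log format discussed in the thread. The first number is how many
# ICMP-error/RST responses the host wanted to send in that second, the second
# is the per-second cap it was held to (net.inet.icmp.icmplim).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: "
    r"icmp-response bandwidth limit (?P<count>\d+)/(?P<limit>\d+) pps$"
)

# Lines from Shane Hale's report in the thread (the clock on that host was
# known to be wrong; only the relative timestamps matter here), plus one
# constructed non-matching line to show that other syslog traffic is skipped.
SAMPLE_LOG = """\
Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
Sep 19 00:18:00 shell /kernel: icmp-response bandwidth limit 3488/200 pps
Sep 19 00:18:01 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:18:02 shell /kernel: icmp-response bandwidth limit 3494/200 pps
Sep 19 00:18:03 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:18:04 shell /kernel: icmp-response bandwidth limit 3497/200 pps
Sep 19 00:18:05 shell /kernel: icmp-response bandwidth limit 3501/200 pps
Sep 19 00:18:06 shell /kernel: icmp-response bandwidth limit 3504/200 pps
Sep 19 00:18:07 shell /kernel: icmp-response bandwidth limit 3485/200 pps
Sep 19 00:18:08 shell sshd[123]: constructed unrelated line, must be ignored
Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
""".splitlines()


def parse_line(line, year=2000):
    """Return a dict for a bandwidth-limit message, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"],
            "count": int(m["count"]), "limit": int(m["limit"])}


def find_bursts(lines, gap_seconds=30):
    """Group limit messages into bursts. The kernel only logs seconds in which
    the cap was exceeded, so a silence longer than gap_seconds means the rate
    dropped below the limit and a new burst starts at the next message."""
    bursts = []
    cur = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (cur is None or rec["host"] != cur["host"]
                or (rec["ts"] - cur["end"]).total_seconds() > gap_seconds):
            cur = {"host": rec["host"], "start": rec["ts"], "end": rec["ts"],
                   "seconds_over": 0, "peak_pps": 0, "limit": rec["limit"],
                   "suppressed": 0}
            bursts.append(cur)
        cur["end"] = rec["ts"]
        cur["seconds_over"] += 1
        cur["peak_pps"] = max(cur["peak_pps"], rec["count"])
        # responses the kernel refused to send during that second
        cur["suppressed"] += max(0, rec["count"] - rec["limit"])
    return bursts


def summarize(burst):
    """One-line report suitable for an alert."""
    span = (burst["end"] - burst["start"]).total_seconds() + 1
    return (f"{burst['host']}: {burst['seconds_over']} seconds over "
            f"{burst['limit']} pps between {burst['start']:%b %d %H:%M:%S} and "
            f"{burst['end']:%H:%M:%S} (span {span:.0f}s), peak "
            f"{burst['peak_pps']} pps, {burst['suppressed']} responses suppressed")


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(summarize(b))
```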
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:39.netscape
Reply-To: security-advisories@freebsd.org
Message-Id: <20000828194112.7249837B424@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:41:12 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:39                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Two vulnerabilities in Netscape

Category:       ports
Module:         netscape
Announced:      2000-08-28
Credits:        Solar Designer (Vulnerability #1)
                Dan Brumleve (Vulnerability #2)
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-19
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

Netscape is a popular web browser, available in several versions in the FreeBSD ports collection.

II.  Problem Description

There are two security problems in recent versions of netscape:

1) Versions prior to 4.74

A client-side exploit may be possible through a buffer overflow in JPEG-handling code. Although an exploit is not known, attackers may be able to execute arbitrary code on the local machine as the user running netscape, or at the very least cause the netscape binary to crash.

2) Versions prior to 4.75

The Java Virtual Machine implementation has security vulnerabilities allowing a remote user to read the contents of local files accessible to the user running netscape, and to allow these files to be transmitted to any user on the internet.

The netscape ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5 and 4.1 are vulnerable to these problems.
FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote users can read files on the local system accessible to the user running netscape, if java is enabled, and may be able to execute arbitrary code on the local system as that user.

If you have not chosen to install a netscape port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the netscape port/package, if you have installed it.

Vulnerability 2) can be worked around by disabling Java in the "Advanced" section of the Preferences control panel. Vulnerability 1) can be worked around by disabling the "Automatically load images" option in the same location, although this is not a very practical workaround.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the relevant netscape port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/

Since there are so many variations of the netscape ports in the FreeBSD ports collection they are not listed separately here. Localized versions are also available in the respective language subdirectory.

3) download a new port skeleton for the netscape port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:40.mopd
Reply-To: security-advisories@freebsd.org
Message-Id: <20000828194318.AE08D37B440@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:43:18 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:40                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          mopd port allows remote root compromise

Category:       ports
Module:         mopd
Announced:      2000-08-28
Credits:        Matt Power, OpenBSD
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-09
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

mopd is used for netbooting older DEC machines such as VAXen and DECstations.

II.  Problem Description

The mopd port contains several remotely exploitable vulnerabilities. An attacker exploiting these can execute arbitrary code on the local machine as root.

The mopd port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5-RELEASE and 4.1-RELEASE contain this problem, since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote users can execute arbitrary code on the local machine as root.

If you have not chosen to install the mopd port/package, then your system is not vulnerable to this problem.

IV.  Workaround

One of the following:

1) Deinstall the mopd port/package, if you have installed it.

2) Restrict access to the mopd port using a perimeter firewall, or ipfw(8)/ipf(8) on the local machine.
Note that users who pass these access restrictions may still exploit the vulnerability.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the mopd port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/mopd-1.2b.tgz

NOTE: Be sure to check the file creation date on the package, because the version number of the software has not changed.

3) download a new port skeleton for the mopd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:41.elf
Reply-To: security-advisories@freebsd.org
Message-Id: <20000828194347.2D1A537B662@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:43:47 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:41                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Malformed ELF images can cause a system hang

Category:       core
Module:         kernel
Announced:      2000-08-28
Credits:        Adam McDougall
Affects:        FreeBSD 3.x, 4.x and 5.x prior to the correction date
Corrected:      2000-07-25 (FreeBSD 5.0-CURRENT)
                2000-07-23 (FreeBSD 4.0-STABLE)
FreeBSD only:   Yes

I.   Background

The ELF binary format is used for binary executable programs on modern versions of FreeBSD.

II.  Problem Description

The ELF image activator did not perform sufficient sanity checks on the ELF image header, and when confronted with an invalid or truncated header it suffered a sign overflow bug which caused the CPU to enter into a very long loop in the kernel. The result of this is that the system will appear to lock up for an extended period of time before control returns. This bug can be exploited by unprivileged local users.

This vulnerability is not present in FreeBSD 4.1-RELEASE, although 3.5-RELEASE and 3.5.1-RELEASE are vulnerable.

III. Impact

Local users can cause the system to lock up for an extended period of time (15 minutes or more, depending on CPU speed), during which time the system is completely unresponsive to local and remote users.

IV.  Workaround

None available.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1-RELEASE, 4.1-STABLE or 5.0-CURRENT after the respective correction dates. FreeBSD 3.5-STABLE has not yet been fixed due to logistical difficulties (and the patch below does not apply cleanly).
Consider upgrading to 4.1-RELEASE if this is a concern - this advisory will be reissued once the patch has been applied to the 3.x branch.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:41/elf.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:41/elf.patch.asc

# cd /usr/src/sys/kern
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]

--- imgact_elf.c 2000/04/30 18:51:39 1.75
+++ imgact_elf.c 2000/07/23 22:19:49 1.78
@@ -190,6 +190,21 @@ object = vp->v_object; error = 0; + /* + * It's necessary to fail if the filsz + offset taken from the + * header is greater than the actual file pager object's size. + * If we were to allow this, then the vm_map_find() below would + * walk right off the end of the file object and into the ether. + * + * While I'm here, might as well check for something else that + * is invalid: filsz cannot be greater than memsz. + */ + if ((off_t)filsz + offset > object->un_pager.vnp.vnp_size || + filsz > memsz) { + uprintf("elf_load_section: truncated ELF file\n"); + return (ENOEXEC); + } + map_addr = trunc_page((vm_offset_t)vmaddr); file_addr = trunc_page(offset); @@ -341,6 +356,12 @@ } error = exec_map_first_page(imgp); + /* + * Also make certain that the interpreter stays the same, so set + * its VTEXT flag, too. + */ + if (error == 0) + nd.ni_vp->v_flag |= VTEXT; VOP_UNLOCK(nd.ni_vp, 0, p); if (error) goto fail;
@@ -449,6 +470,17 @@ /* * From this point on, we may have resources that need to be freed. */ + + /* + * Yeah, I'm paranoid. There is every reason in the world to get + * VTEXT now since from here on out, there are places we can have + * a context switch. Better safe than sorry; I really don't want + * the file to change while it's being loaded. + */ + simple_lock(&imgp->vp->v_interlock); + imgp->vp->v_flag |= VTEXT; + simple_unlock(&imgp->vp->v_interlock); + if ((error = exec_extract_strings(imgp)) != 0) goto fail; @@ -610,9 +642,6 @@ imgp->auxargs = elf_auxargs; imgp->interpreted = 0; - /* don't allow modifying the file while we run it */ - imgp->vp->v_flag |= VTEXT; - fail: return error; }

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
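Review bot: the new check in the @@ -190,6 +190,21 @@ hunk of imgact_elf.c reports both failure conditions with the same `uprintf("elf_load_section: truncated ELF file\n")`, but `filsz > memsz` is a malformed program header rather than a truncated file; a separate message carrying the offending values would make the console line useful when tracking down which binary triggered it. The `(off_t)filsz + offset` widening is presumably what keeps the comparison from suffering the sign overflow the advisory describes, and that deserves a comment of its own, since a later cleanup that drops the cast would silently bring the hang back.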
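Review bot: in the @@ -341,6 +356,12 @@ hunk, `nd.ni_vp->v_flag |= VTEXT` on the interpreter vnode is set only when `exec_map_first_page()` succeeded, which is right, but unlike the @@ -449 hunk it is done without `v_interlock`; that is only safe because the vnode is still locked here (the `VOP_UNLOCK(nd.ni_vp, 0, p)` follows), so a one-line comment saying the vnode lock covers the flag update would stop the two sites from looking inconsistent. It is also worth confirming that the later failure paths end with the interpreter's flag cleared, otherwise an exec that fails after this point leaves the interpreter refusing writers.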
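Review bot: moving `imgp->vp->v_flag |= VTEXT` from the end of the function (the lines removed in the @@ -610,9 +642,6 @@ hunk) to before `exec_extract_strings()` in the @@ -449,6 +470,17 @@ hunk closes the window in which the file could change while being loaded, but it also means every failure path after this point now returns through `fail:` with VTEXT set, whereas the old placement set it only once everything had succeeded. Please confirm that the `fail:` path or the VM object teardown clears the flag, or a binary that repeatedly fails to exec stays write-protected for its owner. The "Yeah, I'm paranoid" comment would read better in a security fix as a statement of the invariant: VTEXT must be held before any point that can context switch.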
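The check SA-00:41 adds to the kernel is worth having in any ELF loader or scanner. The function below is an added example, not the kernel's code or the advisory's patch (the image it checks is constructed): it walks the ELF32 program headers and rejects the cases the advisory describes, a truncated header table, a PT_LOAD whose file data runs past the end of the file, and filesz larger than memsz. Python's integers make the offset plus size sum exact; C code has to widen before adding, which is what the advisory's fix does with its `off_t` cast.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1
PT_LOAD = 1
EHDR32_SIZE, PHDR32_SIZE = 52, 32


class BadElf(Exception):
    """Raised for an image a loader must refuse rather than try to map."""


def check_elf32_segments(image: bytes):
    """Validate the program headers of a little-endian ELF32 image and return
    the (offset, filesz, memsz) of each PT_LOAD segment that is safe to map."""
    size = len(image)
    if size < EHDR32_SIZE or image[:4] != ELF_MAGIC:
        raise BadElf("not an ELF image, or the ELF header itself is truncated")
    if image[4] != ELFCLASS32 or image[5] != ELFDATA2LSB:
        raise BadElf("only little-endian ELF32 is handled here")
    e_phoff, = struct.unpack_from("<I", image, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 42)
    # The header table itself must lie inside the file before we read it.
    if e_phentsize < PHDR32_SIZE or e_phoff + e_phentsize * e_phnum > size:
        raise BadElf("program header table runs past the end of the file")
    segments = []
    for i in range(e_phnum):
        p_type, p_offset, _vaddr, _paddr, p_filesz, p_memsz = struct.unpack_from(
            "<6I", image, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        # The same two conditions the SA-00:41 fix adds to elf_load_section().
        if p_filesz > p_memsz:
            raise BadElf(f"segment {i}: filesz {p_filesz} > memsz {p_memsz}")
        if p_offset + p_filesz > size:
            raise BadElf(f"segment {i}: file data ends at {p_offset + p_filesz}, "
                         f"file is only {size} bytes")
        segments.append((p_offset, p_filesz, p_memsz))
    return segments


def rejects(image: bytes) -> bool:
    """True if the loader check refuses the image."""
    try:
        check_elf32_segments(image)
    except BadElf:
        return True
    return False


def build_elf32(segments, payload=b""):
    """Construct a minimal i386 ELF32 image (constructed test input, not a
    real binary): header, one PT_LOAD phdr per (offset, vaddr, filesz, memsz)
    tuple, then the payload bytes."""
    ehdr = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, EHDR32_SIZE,
                        0, 0, EHDR32_SIZE, PHDR32_SIZE, len(segments), 0, 0, 0)
    phdrs = b"".join(
        struct.pack("<8I", PT_LOAD, off, vaddr, vaddr, filesz, memsz, 5, 0x1000)
        for off, vaddr, filesz, memsz in segments)
    return ehdr + phdrs + payload


if __name__ == "__main__":
    data_off = EHDR32_SIZE + PHDR32_SIZE
    good = build_elf32([(data_off, 0x08048000, 16, 64)], payload=b"\x90" * 16)
    print(check_elf32_segments(good))   # [(84, 16, 64)]
    print(rejects(good[:90]))           # True: segment data past end of file
    print(rejects(good[:40]))           # True: ELF header truncated
    bad = build_elf32([(data_off, 0x08048000, 64, 16)], payload=b"\x90" * 64)
    print(rejects(bad))                 # True: filesz > memsz
```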
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:42.linux
Reply-To: security-advisories@freebsd.org
Message-Id: <20000828194425.1AFE737B682@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:44:25 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:42                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Linux binary compatibility mode can cause system compromise

Category:       core
Module:         kernel
Announced:      2000-08-28
Credits:        Boris Nikolaus
Affects:        FreeBSD 3.x, 4.x and 5.x prior to the correction date
Corrected:      2000-07-23 (FreeBSD 5.0-CURRENT)
                2000-07-29 (FreeBSD 4.1-STABLE)
                2000-08-24 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a loadable kernel module/optional kernel component.

II.  Problem Description

The linux binary-compatibility module implements a "shadow" filesystem hierarchy rooted in /compat/linux, which is overlayed against the regular filesystem hierarchy so that Linux binaries "see" files in the shadow hierarchy which can mask the native files. Filenames in this shadow hierarchy are treated incorrectly by the linux kernel module under certain circumstances, and a kernel stack overflow leading to a system compromise by an unprivileged user may be possible when very long filenames are used.

This is only possible when the linux kernel module is loaded, or the equivalent functionality is statically compiled into the kernel. It is not enabled by default.

This vulnerability was fixed just after the release of FreeBSD 4.1-RELEASE, and 3.5-RELEASE is also vulnerable.

III. Impact

Local users may be able to obtain root privileges on the system when linux compatibility mode is enabled.

IV.  Workaround
To determine whether the linux compatibility module has been loaded, execute the following command as root and look for a 'linux.ko' entry:

# kldstat
Id Refs Address    Size     Name
 1    7 0xc0100000 270be0   kernel
 2    1 0xc0371000 5540     vesa.ko
 3    1 0xc0377000 10094    randomdev.ko
 4    1 0xc0e17000 4e000    nfs.ko
 5    1 0xc0e83000 11000    linux.ko

If present, unload the "linux" module by executing the following command as root:

# kldunload linux

For safety, remove the /modules/linux.ko file to prevent it being reloaded accidentally, and add or change the following line in /etc/rc.conf:

linux_enable="NO"       # Linux binary compatibility loaded at startup (or NO).

If the module is not loaded, to determine whether the functionality has been statically compiled into the kernel, check the kernel configuration file for the following line:

options COMPAT_LINUX

If present, remove and recompile the kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 3.5-STABLE, 4.1-STABLE or 5.0-CURRENT after the respective correction dates.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:42/linux.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:42/linux.patch.asc

# cd /usr/src/sys/i386/linux
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]

Index: linux_misc.c
===================================================================
RCS file: /home/ncvs/src/sys/i386/linux/linux_misc.c,v
retrieving revision 1.77.2.3
retrieving revision 1.77.2.4
diff -u -r1.77.2.3 -r1.77.2.4
--- linux_misc.c 2000/07/20 05:31:56 1.77.2.3
+++ linux_misc.c 2000/07/30 05:36:11 1.77.2.4
@@ -954,6 +954,8 @@ tv[1].tv_usec = 0; /* so that utimes can copyin */ tvp = (struct timeval *)stackgap_alloc(&sg, sizeof(tv)); + if (tvp == NULL) + return (ENAMETOOLONG); if ((error = copyout(tv, tvp, sizeof(tv)))) return error; bsdutimes.tptr = tvp; Index: linux_util.c =================================================================== RCS file: /home/ncvs/src/sys/i386/linux/linux_util.c,v retrieving revision 1.9.2.1 retrieving revision 1.9.2.2 diff -u -r1.9.2.1 -r1.9.2.2 --- linux_util.c 2000/07/07 01:23:45 1.9.2.1 +++ linux_util.c 2000/07/30 05:36:11 1.9.2.2 @@ -162,7 +162,10 @@ else { sz = &ptr[len] - buf; *pbuf = stackgap_alloc(sgp, sz + 1); - error = copyout(buf, *pbuf, sz); + if (*pbuf != NULL) + error = copyout(buf, *pbuf, sz); + else + error = ENAMETOOLONG; free(buf, M_TEMP); } Index: linux_util.h =================================================================== RCS file: /home/ncvs/src/sys/i386/linux/linux_util.h,v retrieving revision 1.10 retrieving revision 1.10.2.1 diff -u -r1.10 -r1.10.2.1 --- linux_util.h 1999/12/04 11:10:22 1.10 +++ linux_util.h 2000/07/30 05:36:11 1.10.2.1 
@@ -56,29 +56,27 @@ static __inline caddr_t stackgap_init(void); static __inline void *stackgap_alloc(caddr_t *, size_t); +#define szsigcode (*(curproc->p_sysent->sv_szsigcode)) + static __inline caddr_t stackgap_init() { -#define szsigcode (*(curproc->p_sysent->sv_szsigcode)) return (caddr_t)(PS_STRINGS - szsigcode - SPARE_USRSPACE); } - static __inline void * stackgap_alloc(sgp, sz) caddr_t *sgp; size_t sz; { - void *p = (void *) *sgp; - *sgp += ALIGN(sz); + void *p = (void *) *sgp; + + sz = ALIGN(sz); + if (*sgp + sz > (caddr_t)(PS_STRINGS - szsigcode)) + return NULL; + *sgp += sz; return p; } - -#ifdef DEBUG_LINUX -#define DPRINTF(a) printf a; -#else -#define DPRINTF(a) -#endif extern const char linux_emul_path[];

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
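Review bot: the NULL check on `stackgap_alloc()` in the @@ -954,6 +954,8 @@ hunk of linux_misc.c is needed, but it covers one caller; the stack-gap overflow the advisory describes is reachable through any path that allocates in the gap, so every other `stackgap_alloc()` call in the compat code needs the same `if (tvp == NULL) return (ENAMETOOLONG);` treatment or the new bounds check in linux_util.h only turns the overflow into a NULL pointer handed to `copyout()`. ENAMETOOLONG is also an odd errno for a `struct timeval` allocation; if it is chosen to match linux_util.c, say so in a comment.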
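Review bot: in the @@ -162,7 +162,10 @@ hunk of linux_util.c, when `stackgap_alloc()` fails the function sets `error = ENAMETOOLONG` and still frees `buf`, which is right, but it returns with `*pbuf` holding NULL; the contract that `*pbuf` is valid only on a zero return should be stated in the function's header comment so callers do not use it on the error path. The hunk also allocates `sz + 1` bytes while copying out `sz`; please confirm where the terminating NUL comes from, since the two sizes are easy to misread.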
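Review bot: the bounds test in the @@ -56,29 +56,27 @@ hunk of linux_util.h computes `*sgp + sz` before comparing it with the top of the gap, so a very large `sz` (or one that `ALIGN()` wraps to a small value) can make the pointer arithmetic wrap and pass the check; comparing the request against the remaining space instead, along the lines of `if (sz > (size_t)((caddr_t)(PS_STRINGS - szsigcode) - *sgp)) return NULL;` after `sz = ALIGN(sz);`, cannot wrap. Hoisting the `szsigcode` define out of `stackgap_init()` is needed so `stackgap_alloc()` can use it, but dropping the unused `DPRINTF` macros is an unrelated cleanup that would be easier to audit as a separate commit.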
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:43.brouted
Reply-To: security-advisories@freebsd.org
Message-Id: <20000828194448.3387437B63D@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:44:48 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:43                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          brouted port allows gid kmem compromise

Category:       ports
Module:         brouted
Announced:      2000-08-28
Credits:        Discovered during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-22
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

brouted is a dynamic routing daemon.

II.  Problem Description

The brouted port is incorrectly installed setgid kmem, and contains several exploitable buffer overflows in command-line arguments. An attacker exploiting these to gain kmem privilege can easily upgrade to full root access by manipulating kernel memory.

The brouted port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5-RELEASE and 4.1-RELEASE contain this problem, since it was discovered after the releases during internal auditing.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users can obtain group kmem privileges, and upgrade further to full root privileges.

If you have not chosen to install the brouted port/package, then your system is not vulnerable to this problem.

IV.  Workaround
Execute the following command as root to remove the setgid bit on the /usr/local/sbin/brouted file:

# chmod g-s /usr/local/bin/brouted

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the brouted port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/brouted-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/brouted-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/brouted-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/brouted-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/brouted-1.2b.tgz

NOTE: It may be several days before updated packages are available. Be sure to check the file creation date on the package, because the version number of the software has not changed.

3) download a new port skeleton for the brouted port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 28 12:50:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 945FF37B6A4; Mon, 28 Aug 2000 12:45:08 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:44.xlockmore
Reply-To: security-advisories@freebsd.org
Message-Id: <20000828194508.945FF37B6A4@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:45:08 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:44                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          xlockmore port allows reading of password file

Category:       ports
Module:         xlockmore
Announced:      2000-08-28
Credits:        bind
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-15
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

xlockmore is a utility for locking console access to an X terminal.

II.  Problem Description

The xlockmore port, versions 4.17 and below, installs the setuid root binary
xlock, which contains a vulnerability due to incorrect use of the syslog()
function. The xlock program correctly drops root privileges prior to the
point of vulnerability, however it may retain in memory part of the hashed
password database for the user accounts on the system. Attackers who can
retrieve hashed password information from the memory space of the process
can mount attacks against the user account passwords and possibly gain
access to accounts on the system if successful.

The xlockmore port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
3700 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5-RELEASE and 4.1-RELEASE contain this
problem, since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications,
although an effort is underway to provide a security audit of the most
security-critical ports.

III.
Impact

Unprivileged local users may be able to gain unauthorised access to parts of
the /etc/spwd.db file, allowing them to mount guessing attacks against user
passwords.

If you have not chosen to install the xlockmore port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

One of the following:

Deinstall the xlockmore port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the xlockmore port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/xlockmore-4.17.1.tgz

NOTE: It may be several days before updated packages are available.

3) download a new port skeleton for the xlockmore port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 28 13:56:03 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147]) by hub.freebsd.org (Postfix) with ESMTP id CFC8C37B42C for ; Mon, 28 Aug 2000 13:55:52 -0700 (PDT)
Received: from smp.kyx.net (unknown [10.22.22.45]) by mail.kyx.net (Postfix) with SMTP id 711891DC03; Mon, 28 Aug 2000 04:59:34 -0700 (PDT)
From: Dragos Ruiu
Organization: kyx.net
To: Alfred Perlstein, "Col.Panic"
Subject: Re: your mail (fwd)
Date: Mon, 28 Aug 2000 13:54:41 -0700
X-Mailer: KMail [version 1.0.29.2]
Content-Type: text/plain
Cc: freebsd-security@FreeBSD.ORG
References: <20000828111254.S1209@fw.wintelcom.net>
In-Reply-To: <20000828111254.S1209@fw.wintelcom.net>
MIME-Version: 1.0
Message-Id: <0008281356040S.20616@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I get this message regularly whenever I use an application that generates
a lot of ICMP from a FreeBSD machine, like when I UDP nmap a FreeBSD
target for instance. --dr

On Mon, 28 Aug 2000, Alfred Perlstein wrote:
> > > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> > > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
>
> * Col.Panic [000828 11:09] wrote:
> > I have an interesting appendage to add to this answer. I have ICMP shut
> > down at the router, and I get the same messages from my new 4.1-STABLE
> > system. I can understand if somebody is spoofing ICMP packets, but if
> > they are, how are the replies getting to my machine?
> >
> > I've looked into it, and there isn't anybody logged into the machine for
> > when this occurs. I'm at a loss.
>
> It's an icmp _response_ limit, meaning it limits the amount of icmp
> error messages your machine will generate in response to bogus
> connections or listen queue overflows.
>
> most likely an ACK/SYN attack of some sort or a server unable to
> handle its listen queue (incoming connections)
>
> -Alfred
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc

From owner-freebsd-security Mon Aug 28 14:40:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 8ACF337B42C; Mon, 28 Aug 2000 14:40:43 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id RAA88845; Mon, 28 Aug 2000 17:40:28 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Mon, 28 Aug 2000 17:40:28 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Bruce Evans
Cc: freebsd-security@FreeBSD.ORG, phk@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: Review request: replacing p_trespass(), modifications to vaccess()
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've updated p_stuff.diff to include a few more procfs fixes, correcting the
ability of "touch /proc/pid" testing to see if the pid is real under
jail/ps_showallprocs=0. I've also, at the suggestion of John Baldwin,
combined the p_can* functions into a single p_can(p1, p2, operation,
privused) call, which while a little visually less pleasing (P_CAN_SEE, ...)
is probably happier from an abstraction point of view.

Assuming no one raises any further issues, I will go ahead and commit that
Tuesday night sometime.

Robert N M Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Mon Aug 28 16:41:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id B05FE37B43C for ; Mon, 28 Aug 2000 16:41:27 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1088) id 632C02B259; Mon, 28 Aug 2000 18:41:22 -0500 (CDT)
Date: Mon, 28 Aug 2000 18:41:22 -0500
From: Dave McKay
To: Dragos Ruiu
Cc: Alfred Perlstein, "Col.Panic", freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)
Message-ID: <20000828184122.A83217@elvis.mu.org>
References: <20000828111254.S1209@fw.wintelcom.net> <0008281356040S.20616@smp.kyx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <0008281356040S.20616@smp.kyx.net>; from dr@kyx.net on Mon, Aug 28, 2000 at 01:54:41PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

An nmap scan doesn't generate 3500 icmp's per second, or 3500 of any packet
per second.

Dragos Ruiu (dr@kyx.net) wrote:
> I get this message regularly whenever I use an application that generates
> a lot of ICMP from a FreeBSD machine, like when I UDP nmap a FreeBSD
> target for instance. --dr
>
> On Mon, 28 Aug 2000, Alfred Perlstein wrote:
> > > > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > > > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> > > > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > > > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
> >
> > * Col.Panic [000828 11:09] wrote:
> > > I have an interesting appendage to add to this answer. I have ICMP shut
> > > down at the router, and I get the same messages from my new 4.1-STABLE
> > > system. I can understand if somebody is spoofing ICMP packets, but if
> > > they are, how are the replies getting to my machine?
> > >
> > > I've looked into it, and there isn't anybody logged into the machine for
> > > when this occurs. I'm at a loss.
> >
> > It's an icmp _response_ limit, meaning it limits the amount of icmp
> > error messages your machine will generate in response to bogus
> > connections or listen queue overflows.
> >
> > most likely an ACK/SYN attack of some sort or a server unable to
> > handle its listen queue (incoming connections)
> >
> > -Alfred
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> --
> dursec.com ltd. / kyx.net - we're from the future
> pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
> pgp key: http://www.dursec.com/drkey.asc
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com

From owner-freebsd-security Mon Aug 28 18:41:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147]) by hub.freebsd.org (Postfix) with ESMTP id 548B437B423 for ; Mon, 28 Aug 2000 18:41:10 -0700 (PDT)
Received: from smp.kyx.net (unknown [10.22.22.45]) by mail.kyx.net (Postfix) with SMTP id B068E1DC04; Mon, 28 Aug 2000 09:06:42 -0700 (PDT)
From: Dragos Ruiu
Organization: kyx.net
To: Dave McKay
Subject: Re: your mail (fwd)
Date: Mon, 28 Aug 2000 18:01:16 -0700
X-Mailer: KMail [version 1.0.29.2]
Content-Type: text/plain
Cc: Alfred Perlstein, "Col.Panic", freebsd-security@FreeBSD.ORG
References: <0008281356040S.20616@smp.kyx.net> <20000828184122.A83217@elvis.mu.org>
In-Reply-To: <20000828184122.A83217@elvis.mu.org>
MIME-Version: 1.0
Message-Id: <00082818023104.07327@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 28 Aug 2000, Dave McKay wrote:
> An nmap scan doesn't generate 3500 icmp's per second, or 3500 of any packet
> per second.
>

I have some special versions of nmap :-)
And the stock one will generate a lot of packets per second when you use the
-f fragmentation option.

> Dragos Ruiu (dr@kyx.net) wrote:
> > I get this message regularly whenever I use an application that generates
> > a lot of ICMP from a FreeBSD machine, like when I UDP nmap a FreeBSD
> > target for instance. --dr
> >

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc

From owner-freebsd-security Mon Aug 28 19:24:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147]) by hub.freebsd.org (Postfix) with ESMTP id 6B84D37B424 for ; Mon, 28 Aug 2000 19:24:26 -0700 (PDT)
Received: from smp.kyx.net (unknown [10.22.22.45]) by mail.kyx.net (Postfix) with SMTP id A571F1DC03; Mon, 28 Aug 2000 10:28:09 -0700 (PDT)
From: Dragos Ruiu
Organization: kyx.net
To: Dave McKay
Subject: Re: your mail (fwd)
Date: Mon, 28 Aug 2000 19:23:54 -0700
X-Mailer: KMail [version 1.0.29.2]
Content-Type: text/plain
Cc: Alfred Perlstein, "Col.Panic", freebsd-security@FreeBSD.ORG
References: <20000828184122.A83217@elvis.mu.org> <00082818023104.07327@smp.kyx.net>
In-Reply-To: <00082818023104.07327@smp.kyx.net>
MIME-Version: 1.0
Message-Id: <0008281924100B.07327@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

But ok...3500 is a lot.

On Mon, 28 Aug 2000, Dragos Ruiu wrote:
> On Mon, 28 Aug 2000, Dave McKay wrote:
> > An nmap scan doesn't generate 3500 icmp's per second, or 3500 of any packet
> > per second.
> >
>
> I have some special versions of nmap :-)
> And the stock one will generate a lot of packets per second when you use the
> -f fragmentation option.
>
> > Dragos Ruiu (dr@kyx.net) wrote:
> > > I get this message regularly whenever I use an application that generates
> > > a lot of ICMP from a FreeBSD machine, like when I UDP nmap a FreeBSD
> > > target for instance. --dr
> > >
>
> --
> dursec.com ltd. / kyx.net - we're from the future
> pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
> pgp key: http://www.dursec.com/drkey.asc
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
dursec.com ltd.
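The thread turns on whether the "icmp-response bandwidth limit" messages are a short burst (a scan) or something sustained (a flood, or a server that cannot keep up with its listen queue). The following is an added example, not code from any of the posters: a POSIX sh/awk summariser for those kernel messages that groups consecutive one-second reports into runs and labels each as a burst or sustained. The function names are mine, the message format is the one quoted above, and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise FreeBSD
# "icmp-response bandwidth limit" kernel messages so that a short burst
# (a scan, as Dragos suggests) can be told from a sustained flood or a
# server whose listen queue is overflowing (Alfred's reading).
# Reads syslog text on stdin; the sample below is constructed.

# icmp_limit_summary [THRESHOLD_SECONDS] < logfile
# Groups consecutive one-second reports into runs and prints one line per
# run with its length and peak rate.  Runs lasting at least
# THRESHOLD_SECONDS (default 5) are labelled "sustained", shorter ones
# "burst".  Assumes the message format quoted in the thread.
icmp_limit_summary() {
    awk -v thresh="${1:-5}" '
    function flush(    kind, ratio) {
        if (run_len == 0) return
        kind = (run_len >= thresh) ? "sustained" : "burst"
        ratio = (lim > 0) ? peak / lim : 0
        printf "%s %s %ds peak=%d/%d pps (%.1fx limit)\n",
               kind, run_start, run_len, peak, lim, ratio
        run_len = 0
    }
    # e.g. "Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps"
    /icmp-response bandwidth limit/ {
        ts = $1 " " $2 " " $3                         # "Sep 19 00:17:56"
        split($3, hms, ":")
        sec = hms[1] * 3600 + hms[2] * 60 + hms[3]    # seconds since midnight
        split($(NF - 1), rate, "/")                   # "3505/200" -> seen, limit
        # A gap of more than one second (or a day roll-over) ends the run.
        if (run_len == 0 || sec != last_sec + 1) {
            flush()
            run_start = ts
            peak = 0
        }
        run_len++
        last_sec = sec
        lim = rate[2] + 0
        if (rate[1] + 0 > peak) peak = rate[1] + 0
    }
    END { flush() }'
}

# Constructed sample: the four-second flood quoted in the thread, then one
# isolated report a minute later and an unrelated line.
sample_log() {
    cat <<'EOF'
Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
Sep 19 00:18:40 shell /kernel: icmp-response bandwidth limit 260/200 pps
Sep 19 00:18:41 shell sshd[123]: unrelated message
EOF
}

# count_sustained [THRESHOLD_SECONDS]: number of sustained runs in the
# sample, the single figure an alerting rule would key on.
count_sustained() {
    sample_log | icmp_limit_summary "$1" | grep -c '^sustained' || true
}

# Stand-alone run: print the per-run summary for the sample.
sample_log | icmp_limit_summary 4
```

With a threshold of 4 the quoted flood is reported as one sustained run at 17.5 times the limit and the later single message as a burst.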
/ kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc

From owner-freebsd-security Tue Aug 29 03:12:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bigpapa.nothinbut.net (bigpapa.nothinbut.net [207.44.32.11]) by hub.freebsd.org (Postfix) with ESMTP id A60F437B42C for ; Tue, 29 Aug 2000 03:12:42 -0700 (PDT)
Received: from reddog.yi.org (engram@ls-tc01-07.nothinbut.net [207.44.35.21]) by bigpapa.nothinbut.net (8.9.3/8.9.3/Debian/GNU) with SMTP id GAA12756 for ; Tue, 29 Aug 2000 06:12:40 -0400
From: specter
To: freebsd-security@freebsd.org
Subject: adduser perm problem
Date: Tue, 29 Aug 2000 06:14:29 -0500
X-Mailer: Unknown Abusive Thing
Content-Type: text/plain
MIME-Version: 1.0
Message-Id: <00082906200900.00680@reddog.yi.org>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

Perhaps I am missing something, but under 4.0 and 4.1-Release, when adding
a user via adduser, I see the perms on the created home directory as
"drwxr-xr-x", allowing any one to cd in and view files.

Is this normal behavior, or have I oopsed something on my system?

Thank you for your help.

From owner-freebsd-security Tue Aug 29 04:46:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from static.unixfreak.org (static.unixfreak.org [63.198.170.139]) by hub.freebsd.org (Postfix) with ESMTP id 4DE1537B42C for ; Tue, 29 Aug 2000 04:46:47 -0700 (PDT)
Received: by static.unixfreak.org (Postfix, from userid 1000) id 0D83E1F17; Tue, 29 Aug 2000 04:46:47 -0700 (PDT)
Subject: Re: adduser perm problem
In-Reply-To: <00082906200900.00680@reddog.yi.org> from specter at "Aug 29, 2000 06:14:29 am"
To: specter
Date: Tue, 29 Aug 2000 04:46:46 -0700 (PDT)
Cc: freebsd-security@freebsd.org
From: Dima Dorfman
Reply-To: dima@unixfreak.org
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <20000829114647.0D83E1F17@static.unixfreak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Hello,
>
> Perhaps I am missing something, but under 4.0 and 4.1-Release,
> when adding a user via adduser, I see the perms on the created
> home directory as "drwxr-xr-x", allowing any one to cd in and
> view files.
>
> Is this normal behavior, or have I oopsed something on my
> system?

I don't see anything wrong with that mode. It looks like normal behavior
to me.

Hope this helps

--
Dima Dorfman
Finger dima@unixfreak.org for my public PGP key.
"Never ascribe to malice, that which can be explained by incompetence."
                -- Napoleon Bonaparte

From owner-freebsd-security Tue Aug 29 09:11:02 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C539237B42C for ; Tue, 29 Aug 2000 09:10:58 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id MAA98882; Tue, 29 Aug 2000 12:10:56 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Tue, 29 Aug 2000 12:10:56 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: specter
Cc: freebsd-security@freebsd.org
Subject: Re: adduser perm problem
In-Reply-To: <00082906200900.00680@reddog.yi.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 29 Aug 2000, specter wrote:

> Perhaps I am missing something, but under 4.0 and 4.1-Release,
> when adding a user via adduser, I see the perms on the created
> home directory as "drwxr-xr-x", allowing any one to cd in and
> view files.
>
> Is this normal behavior, or have I oopsed something on my
> system?

This is normal system behavior on FreeBSD and most UNIX-like operating
systems. However, you can certainly imagine environments where you'd prefer
an alternate home directory permission set, and it might be worth modifying
adduser to support a command line argument (or configuration directive in
adduser.conf) specifying a different permission set. I tend to create user
home directories with the default open permissions, but also create
public_html/ and private/ subdirectories, indicating that private material
should be stored under the private directory. This seems to work fairly well
in practice.
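The layout described above (a world-browsable home with an open public_html/ and a closed private/ subdirectory), as an added example that is not part of the original post or of FreeBSD's adduser: a POSIX sh script that builds the layout with explicit modes and audits a home for private material left readable by others. Function names are mine; the home directory is a parameter so it can be tried on a scratch directory, and ownership is left to the caller.

```shell
#!/bin/sh
# Added example, not from the thread: build the home-directory layout
# Robert Watson describes (world-browsable home, an open public_html/ and a
# closed private/ subdirectory) and audit a home for private material that
# is readable by others.  The home path is a parameter so this can be tried
# on a scratch directory; ownership is left to the caller (chown needs root).

# make_home HOMEDIR: create the layout with explicit modes, so the result
# does not depend on the invoking shell's umask (Craig's "read up on umask").
make_home() {
    home=$1
    ( umask 022; mkdir -p "$home/public_html" )   # creates HOMEDIR too, 755
    ( umask 077; mkdir -p "$home/private" )       # never world-readable, even briefly
    chmod 755 "$home" "$home/public_html"         # drwxr-xr-x, as adduser makes it
    chmod 700 "$home/private"                     # drwx------, owner only
}

# mode_of PATH: the symbolic mode string, e.g. drwxr-xr-x (via ls, which
# is portable across the BSDs and Linux; stat(1) flags differ).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_private HOMEDIR: list everything under private/ whose group- or
# other-read bit is set.  Returns 0 and prints nothing when private/ is
# clean, 1 when something is exposed, 2 when there is no private/ at all.
audit_private() {
    priv="$1/private"
    if [ ! -d "$priv" ]; then
        echo "$1: no private/ directory" >&2
        return 2
    fi
    exposed=$(find "$priv" \( -perm -g+r -o -perm -o+r \) -print | sort)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Stand-alone run: build a scratch home, expose one file, show the audit.
t=$(mktemp -d)
make_home "$t/alice"
touch "$t/alice/private/notes" && chmod 644 "$t/alice/private/notes"
echo "home: $(mode_of "$t/alice")  private: $(mode_of "$t/alice/private")"
audit_private "$t/alice" || echo "audit returned $?"
rm -rf "$t"
```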
Robert N M Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Tue Aug 29 09:30:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from scl-ims.phoenix.com (scl-ims.phoenix.com [134.122.1.73]) by hub.freebsd.org (Postfix) with ESMTP id 481DE37B423 for ; Tue, 29 Aug 2000 09:30:41 -0700 (PDT)
Received: from allmaui.com (boxster.phoenix.com [134.122.9.179]) by scl-ims.phoenix.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id RHR3C342; Tue, 29 Aug 2000 09:30:35 -0700
Message-ID: <39AB836C.E5E8DA3D@allmaui.com>
Date: Tue, 29 Aug 2000 09:33:32 +0000
From: Craig Cowen
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: specter
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: adduser perm problem
References: <00082906200900.00680@reddog.yi.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

specter wrote:
> Hello,
>
> Perhaps I am missing something, but under 4.0 and 4.1-Release,
> when adding a user via adduser, I see the perms on the created
> home directory as "drwxr-xr-x", allowing any one to cd in and
> view files.
>
> Is this normal behavior, or have I oopsed something on my
> system?
>
> Thank you for your help.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Just hack your adduser script to add a private directory and have it set
the perms you want. It will save you tons of work.

Also read up on umask.

Craig

From owner-freebsd-security Tue Aug 29 09:45:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from domainatlantic.com (echo.domainatlantic.com [216.66.11.240]) by hub.freebsd.org (Postfix) with SMTP id 48C5437B43C for ; Tue, 29 Aug 2000 09:44:46 -0700 (PDT)
Received: (qmail 492 invoked by uid 1003); 29 Aug 2000 12:46:08 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Aug 2000 12:46:08 -0000
Date: Tue, 29 Aug 2000 12:46:08 +0000 (GMT)
From: "Justin Ovens [evilicey@lostworld.net]"
X-Sender: ice95@Echo.DomainAtlantic.com
To: freebsd-security@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

suscribe

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Justin Ovens (evilicey@lostworld.net)
System/Network Administrator
http://www.lostworld.net
http://resume.lostworld.net -- Personal Resume.

"I dread success. To have succeeded is to have finished one's business on
earth, like the male spider, who is killed by the female the moment he has
succeeded in his courtship. I like a state of continual becoming, with a
goal in front and not behind."

"Every time I think I know where it's at, they move it."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-freebsd-security Tue Aug 29 14:05:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from news.I AEhv.nl (news.IAE.nl [194.151.64.4]) by hub.freebsd.org (Postfix) with ESMTP id EC27137B424 for ; Tue, 29 Aug 2000 14:05:15 -0700 (PDT)
Received: (from uucp@localhost) by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id XAA14378; Tue, 29 Aug 2000 23:05:10 +0200 (MET DST)
Received: from avalon.oasis.IAEhv.nl (avalon.oasis.IAEhv.nl [192.168.1.3]) by drawbridge.oasis.IAEhv.nl (Postfix) with ESMTP id 6EECA3E39; Tue, 29 Aug 2000 23:02:37 +0200 (CEST)
Received: by avalon.oasis.IAEhv.nl (Postfix, from userid 226) id 7D9223D; Tue, 29 Aug 2000 23:02:15 +0200 (CEST)
Subject: Re: ipnat and icmp (II)
In-Reply-To: "from Buliwyf McGraw at Aug 28, 2000 12:23:09 pm"
To: Buliwyf McGraw
Date: Tue, 29 Aug 2000 23:02:15 +0200 (CEST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20000829210215.7D9223D@avalon.oasis.IAEhv.nl>
From: volf@oasis.IAEhv.nl (Frank Volf)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Buliwyf McGraw wrote:
>
> map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap icmp 10000:20000
>
> Obviously, it doesn't work :/
>
> I'm looking for instructions about it, but in the examples I saw, always
> talk about NAT for tcp/udp, never icmp. Is it possible?
>
> Thanks for any help.

Not yet, but I'm working on it. From my test machine:

map xl1 192.168.1.0/255.255.255.0 -> w.x.y.z/255.255.255.255 icmpidmap icmp 60000:61000

We are first working on some FreeBSD and IP-Filter specific problems,
before we can get this included in IP-Filter.

Frank

From owner-freebsd-security Tue Aug 29 19:51:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ogyo.pointer-software.com (ogyo.pointer-software.com [210.164.96.147]) by hub.freebsd.org (Postfix) with ESMTP id 61E7E37B43C for ; Tue, 29 Aug 2000 19:51:24 -0700 (PDT)
Received: from long.near.this (long.near.this [10.0.172.9]) by ogyo.pointer-software.com (8.11.0.Beta3/8.11.0.Beta3) with ESMTP id e7U2p1D32186; Wed, 30 Aug 2000 11:51:01 +0900 (JST)
Message-Id: <200008300251.e7U2p1D32186@ogyo.pointer-software.com>
Date: Wed, 30 Aug 2000 11:48:19 +0900
From: horio shoichi
Organization: pointer software
X-Mailer: Mozilla 4.7 [en] (X11; U; Linux 2.0.34 i686)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipnat and icmp (II)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Received: from acm.org (horio@char.near.this [10.0.172.11]) by long.near.this (8.9.3/8.9.3) with ESMTP id LAA56699; Wed, 30 Aug 2000 11:48:25 +0900 (JST)
X-Message-Id: <39AC75F3.450EE9B3@acm.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Buliwyf McGraw wrote:
>
> What I want to know is what rule I need to use in Server B, if I want to
> do a traceroute/ping from 192.168.1.5 to www.hotmail.com, I don't care if
> the answer for the request comes from server B, what I want is to know if
> some server on Internet is alive.
> Can I do this with ipf/ipnat?
>
> I tried something crazy, like:
>
> map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap icmp 10000:20000
>
> Obviously, it doesn't work :/
>
> I'm looking for instructions about it, but in the examples I saw, always
> talk about NAT for tcp/udp, never icmp. Is it possible?

Exactly what I encountered the first day of ipnat.

Assuming your tcp/udp rule is:

map ed0 192.168.0.0/16 -> 210.1.0.0/24 portmap tcp/udp 10000:20000

you need the following line after the rule:

map ed0 192.168.0.0/16 -> 210.1.0.0/24

the likely reason of which is that since icmp can't be NATed by the first
rule, it must be translated by the other rule.
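The two mistakes this thread turns on (a "portmap icmp" rule, which cannot match because ICMP has no ports, and a "portmap tcp/udp" rule with no plain "map" rule after it to carry the ICMP traffic) can be checked for mechanically. The following POSIX sh/awk lint is an added example, not code from the thread or from IP-Filter: the function names are mine, only the "map IF SRC -> DST [portmap PROTO PORTS]" rule form quoted above is understood, and the rule sets it is run against are constructed from the lines in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for an ipnat rules file
# that reports the two ICMP problems discussed above: a "portmap icmp" rule
# (ICMP has no ports, so it can never match) and a "portmap tcp/udp" rule
# that has no plain "map" rule for the same interface/source/target after
# it, which is the line horio says is needed for ICMP to be translated.
# The rule sets below are constructed from the lines quoted in the thread.

# ipnat_icmp_lint < ipnat.rules
# Prints one finding per problem and nothing for a clean file.  Only the
# "map IF SRC -> DST [portmap PROTO PORTS]" form is understood; other
# syntax (bimap, rdr, the in-progress icmpidmap) is passed over.
ipnat_icmp_lint() {
    awk '
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }   # drop comments, blank lines
    $1 == "map" && $4 == "->" {
        n++
        src[n] = $3
        key[n] = $2 " " $3 " -> " $5            # interface, source, target
        if ($6 == "portmap") {
            if ($7 == "icmp") {
                printf "line %d: \"portmap icmp\" cannot match: icmp has no ports (%s)\n", NR, $0
            } else {
                portmapped[n] = 1               # tcp, udp or tcp/udp: never icmp
            }
        } else if (NF == 5) {
            catchall[key[n]] = n                # plain map: translates icmp too
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            if (!(i in portmapped)) continue
            k = key[i]
            if (!(k in catchall) || catchall[k] < i) {
                printf "rule %d: no plain \"map %s\" rule follows it; icmp from %s will not be translated\n", i, k, src[i]
            }
        }
    }'
}

# Constructed rule sets: the attempt quoted in the thread (with the usual
# tcp/udp rule alongside it) and the corrected pair horio describes.
rules_broken() {
    cat <<'EOF'
# attempt from the thread
map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap icmp 10000:20000
map ed0 192.168.0.0/16 -> 210.1.0.0/24 portmap tcp/udp 10000:20000
EOF
}

rules_fixed() {
    cat <<'EOF'
map ed0 192.168.0.0/16 -> 210.1.0.0/24 portmap tcp/udp 10000:20000
map ed0 192.168.0.0/16 -> 210.1.0.0/24
EOF
}

# finding_count RULES_FN: number of findings for one of the rule sets.
finding_count() {
    "$1" | ipnat_icmp_lint | wc -l | tr -d ' '
}

# Stand-alone run: show the findings for the broken set (none for the fixed).
rules_broken | ipnat_icmp_lint
rules_fixed | ipnat_icmp_lint
```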
HTH,
horio shoichi

From owner-freebsd-security Tue Aug 29 23:44:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 1EBC937B43C for ; Tue, 29 Aug 2000 23:44:53 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 29 Aug 2000 23:43:51 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id XAA10276 for freebsd-security@freebsd.org; Tue, 29 Aug 2000 23:44:51 -0700 (PDT) (envelope-from cjc)
Date: Tue, 29 Aug 2000 23:44:51 -0700
From: "Crist J . Clark"
To: freebsd-security@freebsd.org
Subject: Disabling xhost(1) Access Control
Message-ID: <20000829234451.G62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I want users to use user-level X access controls, that is, xauth(1) and the
magic cookies. I do NOT want people using xhost(1) access controls.
FreeBSD's XFree86 (unlike so many other X dists) defaults to enabling xauth.
The problem is, it does not prevent lusers from still doing things like put
'xhost +' in their .login and defeating the system. (Grrrr...)

I've been searching and cannot find a way to disable xhost(1) level access.
And I mean disabling as in defaulting to everything locked out as opposed to
defaulting to wide open. If a user were to 'xhost +' it would not open
things up.

Is there such a way to do this (aside 'rm /usr/bin/xhost' and setting all
user writable filesystems noexec)? This is for xdm(1) setups and not
necessarily xinit(1).

--
Crist J. Clark                           cjclark@alum.mit.com

From owner-freebsd-security Wed Aug 30 00:39:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 3BE4B37B422 for ; Wed, 30 Aug 2000 00:39:35 -0700 (PDT)
Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 13U2T6-0002fy-00; Wed, 30 Aug 2000 09:39:32 +0200
Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id JAA06091; Wed, 30 Aug 2000 09:39:30 +0200 (SAST)
Received: by nwl.fw.uunet.co.za via recvmail id 5981; Wed Aug 30 09:38:59 2000
Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.16 #1) id 13U2SZ-0000zI-00; Wed, 30 Aug 2000 09:38:59 +0200
From: Sheldon Hearn
Reply-To: freebsd-questions@freebsd.org
To: cjclark@alum.mit.edu
Cc: freebsd-security@freebsd.org
Subject: Re: Disabling xhost(1) Access Control
In-reply-to: Your message of "Tue, 29 Aug 2000 23:44:51 MST." <20000829234451.G62475@149.211.6.64.reflexcom.com>
Date: Wed, 30 Aug 2000 09:38:58 +0200
Message-ID: <3799.967621138@axl.fw.uunet.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 29 Aug 2000 23:44:51 MST, "Crist J . Clark" wrote:

> Is there such a way to do this (aside 'rm /usr/bin/xhost' and setting
> all user writable filesystems noexec)? This is for xdm(1) setups and
> not necessarily xinit(1).

I think that this question was more appropriate to the freebsd-questions
mailing list.

The answer to your question lies in the Xserver(1) manual page, in the
form of the -ac option.

Enjoy.

Ciao,
Sheldon.

From owner-freebsd-security Wed Aug 30 00:50:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 49F1437B42C for ; Wed, 30 Aug 2000 00:50:50 -0700 (PDT)
Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 13U2dz-0002sS-00; Wed, 30 Aug 2000 09:50:47 +0200
Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id JAA08492; Wed, 30 Aug 2000 09:50:46 +0200 (SAST)
Received: by nwl.fw.uunet.co.za via recvmail id 8326; Wed Aug 30 09:50:12 2000
Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.16 #1) id 13U2dP-00018b-00; Wed, 30 Aug 2000 09:50:11 +0200
From: Sheldon Hearn To: cjclark@alum.mit.edu Cc: freebsd-security@freebsd.org Subject: Re: Disabling xhost(1) Access Control In-reply-to: Your message of "Wed, 30 Aug 2000 09:38:58 +0200." <3799.967621138@axl.fw.uunet.co.za> Date: Wed, 30 Aug 2000 09:50:10 +0200 Message-ID: <4375.967621810@axl.fw.uunet.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 30 Aug 2000 09:38:58 +0200, Sheldon Hearn wrote: > > Is there such a way to do this (aside 'rm /usr/bin/xhost' and setting > > all user writable filesystems noexec)? This is for xdm(1) setups and > > not necessarily xinit(1). > > The answer to your question lies in the Xserver(1) manual page, in the > form of the -ac option. Argh, I'm lying. Accept my apologies for the useless response and then ignore me. :-) Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 30 0:54: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 2817E37B422; Wed, 30 Aug 2000 00:54:04 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 30 Aug 2000 00:52:57 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.9.3/8.9.3) id AAA10815; Wed, 30 Aug 2000 00:53:52 -0700 (PDT) (envelope-from cjc) Date: Wed, 30 Aug 2000 00:53:52 -0700 
From: "Crist J . Clark" To: freebsd-questions@freebsd.org Cc: cjclark@alum.mit.edu, freebsd-security@freebsd.org Subject: Re: Disabling xhost(1) Access Control Message-ID: <20000830005352.I62475@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20000829234451.G62475@149.211.6.64.reflexcom.com> <3799.967621138@axl.fw.uunet.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <3799.967621138@axl.fw.uunet.co.za>; from sheldonh@uunet.co.za on Wed, Aug 30, 2000 at 09:38:58AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Aug 30, 2000 at 09:38:58AM +0200, Sheldon Hearn wrote: > > On Tue, 29 Aug 2000 23:44:51 MST, "Crist J . Clark" wrote: > > > Is there such a way to do this (aside 'rm /usr/bin/xhost' and setting > > all user writable filesystems noexec)? This is for xdm(1) setups and > > not necessarily xinit(1). > > I think that this question was more appropriate to the freebsd-questions > mailing list. It'd be best on an X list, but I've not found one with enough signal-to-noise or enough baseline signal. > The answer to your question lies in the Xserver(1) manual page, in the > form of the -ac option. No, that is precisely the behavior I do not want. -ac disables host-based access control mechanisms. Enables access by any host, and permits any host ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to modify the access control list. Use with extreme caution. This option exists primarily for running test suites remotely. Xserver(1) and Xsecurity(1) talk about how to use xauth over xhost, but not how to lock out use of xhost. -- Crist J. 
Clark cjclark@alum.mit.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 30 3:38:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from blubb.pdc.kth.se (blubb.pdc.kth.se [130.237.221.147]) by hub.freebsd.org (Postfix) with ESMTP id CCE1937B42C for ; Wed, 30 Aug 2000 03:38:18 -0700 (PDT) Received: from joda by blubb.pdc.kth.se with local (Exim 3.13 #1) id 13U5Dg-0000Us-00; Wed, 30 Aug 2000 12:35:48 +0200 To: cjclark@alum.mit.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: Disabling xhost(1) Access Control References: <20000829234451.G62475@149.211.6.64.reflexcom.com> 
From: joda@pdc.kth.se (Johan Danielsson)
Date: 30 Aug 2000 12:35:48 +0200
In-Reply-To: "Crist J . Clark"'s message of "Tue, 29 Aug 2000 23:44:51 -0700"
Message-ID:
Lines: 20
User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.5
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Crist J . Clark" writes:

> Is there such a way to do this (aside 'rm /usr/bin/xhost' and
> setting all user writable filesystems noexec)?

Not without recompiling the Xserver. If you want to do that there are
at least two places you have to change the behaviour in
programs/Xserver/os/access.c:

* for the `xhost +' case change ChangeAccessControl(), to only succeed
  for the enable case (paranoid people use `xhost -' routinely).

* for `xhost +host' change AddHost() to your liking (ifdef out
  FamilyInternet).

I don't know if the FreeBSD xsrc tree differs from what I have, but I
don't think so.

/Johan

From owner-freebsd-security Wed Aug 30 6:14:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from martens.math.ntnu.no (martens.math.ntnu.no [129.241.15.250]) by hub.freebsd.org (Postfix) with SMTP id 5BED437B43C for ; Wed, 30 Aug 2000 06:14:48 -0700 (PDT)
Received: (qmail 5879 invoked by uid 29119); 30 Aug 2000 13:14:46 -0000
Date: Wed, 30 Aug 2000 15:14:46 +0200 (MET DST)
From: Per Kristian Hove
X-Sender: perhov@martens.math.ntnu.no
To: Johan Danielsson
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[Johan Danielsson]
| If you want to do that there are at least two places you have to
| change the behaviour in programs/Xserver/os/access.c:
|
| * for the `xhost +' case change ChangeAccessControl(), to only succeed
|   for the enable case (paranoid people use `xhost -' routinely).
|
| * for `xhost +host' change AddHost() to your liking (ifdef out
|   FamilyInternet).

If you're paranoid, you should also change the default behaviour of
InvalidHost() [also in access.c] to return 1 instead of 0 if
AccessEnabled isn't set [if you're running with `xhost +', that is].
This is where the access check actually takes place.

--
Per Kristian Hove
Principal engineer
Dept. of Mathematical Sciences
Norwegian University of Science and Technology

From owner-freebsd-security Wed Aug 30 6:48:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 00C3C37B422 for ; Wed, 30 Aug 2000 06:48:34 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA03991; Wed, 30 Aug 2000 06:47:17 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda03989; Wed Aug 30 06:47:01 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA29788; Wed, 30 Aug 2000 06:47:00 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdk29786; Wed Aug 30 06:46:39 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e7UDkbA84396; Wed, 30 Aug 2000 06:46:37 -0700 (PDT)
Message-Id: <200008301346.e7UDkbA84396@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdE84389; Wed Aug 30 06:45:47 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: Per Kristian Hove
Cc: Johan Danielsson , cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
In-reply-to: Your message of "Wed, 30 Aug 2000 15:14:46 +0200."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 30 Aug 2000 06:45:45 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , Per Kristian Hove writes:
> [Johan Danielsson]
>
> | If you want to do that there are at least two places you have to
> | change the behaviour in programs/Xserver/os/access.c:
> |
> | * for the `xhost +' case change ChangeAccessControl(), to only succeed
> |   for the enable case (paranoid people use `xhost -' routinely).
> |
> | * for `xhost +host' change AddHost() to your liking (ifdef out
> |   FamilyInternet).
>
> If you're paranoid, you should also change the default behaviour
> of InvalidHost() [also in access.c] to return 1 instead of 0 if
> AccessEnabled isn't set [if you're running with `xhost +', that
> is]. This is where the access check actually takes place.

A less invasive approach would be to specify -nolisten tcp on your
Xserver command line. Users must then set their DISPLAY variable to :0,
as it uses UNIX Domain Sockets.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Aug 30 12:34:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id D3F1737B43E for ; Wed, 30 Aug 2000 12:34:39 -0700 (PDT)
Received: from dialup-janus.css.qmw.ac.uk ([138.37.11.110]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 13UDd2-0002L0-00; Wed, 30 Aug 2000 20:34:32 +0100
Received: from david by dialup-janus.css.qmw.ac.uk with local (Exim 2.12 #1) id 13UDcy-000PJR-00; Wed, 30 Aug 2000 20:34:28 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
In-reply-to: Your message of "Wed, 30 Aug 2000 06:45:45 PDT." <200008301346.e7UDkbA84396@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 30 Aug 2000 20:34:27 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> A less invasive approach would be to specify -nolisten tcp on your
> Xserver command line. Users must then set their DISPLAY variable to
> :0, as it uses UNIX Domain Sockets.

Good move. In fact, I set up *all* my systems that way by editing the
"/usr/X11R6/lib/X11/xdm/Xservers" file. Any X connections to remote
machines have to be carried in a SSH tunnel and since they are done that
way even the authentication data for the local display doesn't have to
leave the local machine.

It's still a good idea to make sure no remote clients can do anything
nasty to your X display - and there are several things which can be done
here.

I wonder if there's enough support for this setup to be worth writing a
patch to "sysinstall" to have the XFree86 setup ask if "Xservers" should
be modified in this way during setup - and which way round should be the
default?

--
David Pick

From owner-freebsd-security Wed Aug 30 13:39:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24]) by hub.freebsd.org (Postfix) with ESMTP id A701E37B424 for ; Wed, 30 Aug 2000 13:39:36 -0700 (PDT)
Received: by testbed.baileylink.net (Postfix, from userid 1118) id C07512C912; Tue, 29 Aug 2000 11:26:06 -0500 (CDT)
Date: Tue, 29 Aug 2000 11:26:05 -0500
From: Brad Guillory
To: freebsd-security@freebsd.org
Subject: Re: adduser perm problem
Message-ID: <20000829112605.A975@baileylink.net>
Mail-Followup-To: freebsd-security@freebsd.org
References: <00082906200900.00680@reddog.yi.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from rwatson@freebsd.org on Tue, Aug 29, 2000 at 12:10:56PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As best I can tell all you have to do is chmod the /etc/skel directory.
When the directory is copied, adduser will then do this:

    system("chmod -R u+wrX,go-w $homedir");
    system("chown -R $name:$group $homedir");

So the default for /etc/skel is rwxr-xr-x; if you changed it to
rwx------ or rwxr--r-- you will probably get what you want. The chmod
mentioned above will not change the mode at all.

I hope that this helps.

BMG

On Tue, Aug 29, 2000 at 12:10:56PM -0400, Robert Watson wrote:
>
> On Tue, 29 Aug 2000, specter wrote:
>
> > Perhaps I am missing something, but under 4.0 and 4.1-Release,
> > when adding a user via adduser, I see the perms on the created
> > home directory as "drwxr-xr-x", allowing any one to cd in and
> > view files.
> >
> > Is this normal behavior, or have I oopsed something on my
> > system?
>
> This is normal system behavior on FreeBSD and most UNIX-like operating
> systems. However, you can certainly imagine environments where you'd
> prefer an alternate home directory permission set, and it might be worth
> modifying adduser to support a command line argument (or configuration
> directive in adduser.conf) specifying a different permission set.
>
> I tend to create user home directories with the default open permissions,
> but also create public_html/ and private/ subdirectories, indicating that
> private material should be stored under the private directory. This seems
> to work fairly well in practice.
>
> Robert N M Watson
>
> robert@fledge.watson.org              http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services

--
   __O   | Information wants to be free!         |    __O   Bike
 _-\<,_  | FreeBSD:The Power to Serve (easily)   |  _-\<,_   to
(_)/ (_) | OpenBSD:The Power to Serve (securely) | (_)/ (_) Work

From owner-freebsd-security Thu Aug 31 1:32:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from news.lucky.net (news.lucky.net [193.193.193.102]) by hub.freebsd.org (Postfix) with ESMTP id 9C20737B423 for ; Thu, 31 Aug 2000 01:32:54 -0700 (PDT)
Received: (from mail@localhost) by news.lucky.net (8.Who.Cares/8.Who.Cares) id LMQ21772 for freebsd-security@freebsd.org; Thu, 31 Aug 2000 11:32:52 +0300 (envelope-from akhitin@lisgroup.net)
From: "Alexandr Khitin"
To: freebsd-security@freebsd.org
Subject: Firewall Setup
Date: Thu, 31 Aug 2000 11:33:19 +0400
Organization: Alkar-Teleport News server
Message-ID: <8ol56i$23ug$1@pandora.alkar.net>
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 5
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Guys!!!

Can anyone help me with the installation of a firewall on 4.1-stable?

From owner-freebsd-security Thu Aug 31 1:40:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ux1.ibb.net (ibb0005.ibb.uu.nl [131.211.124.5]) by hub.freebsd.org (Postfix) with ESMTP id 1220337B424 for ; Thu, 31 Aug 2000 01:40:41 -0700 (PDT)
Received: from localhost (mipam@localhost) by ux1.ibb.net (8.9.3/8.9.3/UX1TT) with SMTP id KAA20401; Thu, 31 Aug 2000 10:39:54 +0200
Date: Thu, 31 Aug 2000 10:39:54 +0200 (MET DST)
From: Mipam
To: Alexandr Khitin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Setup
In-Reply-To: <8ol56i$23ug$1@pandora.alkar.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Can anyone help me with the installation of a firewall on 4.1-stable?

Well, first decide what you wish to use, ipfw or ipf. Then man pages
would help and also the howto pages. For ipf look here:

http://www.obfuscation.org/ipf/ipf-howto.html

and here for examples:

http://coombs.anu.edu.au/ipfilter/

Read it carefully and you're on your way.

Bye,
Mipam.

From owner-freebsd-security Thu Aug 31 8: 4:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id A8A2537B423 for ; Thu, 31 Aug 2000 08:04:40 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 13TX0t-0000ID-00; Mon, 28 Aug 2000 16:04:19 -0600
Message-ID: <39AAE1E3.65F12E84@softweyr.com>
Date: Mon, 28 Aug 2000 16:04:19 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 4.1-RC i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipnat and icmp (II)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Buliwyf McGraw wrote:
>
> > > Question: Can I do masquerade for icmp packets using ipf/ipnat???
> > >
> > > For example:
> > >
> > >          A                                      B
> > >          _                                      _
> > >         |_|        Ping Request               |_|
> > >         ---        for hotmail                ---  --> Internet
> > >         ---            -->                    ---
> > >      192.168.1.5                           Real IP
> > >                                         Using ipf/ipnat
> > >     |_________________________________________|
> > >          My Intranet, where the server B
> > >          do ip masquerade for all the subnet
> > >                     192.168.1.0
> >
> > If you mean "does ipf/ipnat translate ICMP packets properly?" the answer is
> > yes.
>
> What I want to know is what rule I need to use in Server B, if I want to
> do a traceroute/ping from 192.168.1.5 to www.hotmail.com. I don't care if
> the answer for the request comes from server B; what I want is to know if
> some server on the Internet is alive.
> Can I do this with ipf/ipnat?
>
> I tried something crazy, like:
>
> map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap icmp 10000:20000
>
> Obviously, it doesn't work :/
>
> I'm looking for instructions about it, but the examples I saw always
> talk about NAT for tcp/udp, never icmp. Is it possible?

This certainly works on my machine:

map rl1 192.168.42.0/16 -> rl1/32

portmapping with icmp doesn't make any sense and isn't legal syntax, so
don't do that. To combine the two, use the portmap option first, then
the more open rule:

map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap tcp/udp 1025:65000
map ed0 192.168.0.0/16 -> 240.1.0.0/24

--
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Thu Aug 31 10:57:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id C6AB337B422; Thu, 31 Aug 2000 10:57:17 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:45.esound
Reply-To: security-advisories@freebsd.org
Message-Id: <20000831175717.C6AB337B422@hub.freebsd.org>
Date: Thu, 31 Aug 2000 10:57:17 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:45                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          esound port allows file permissions to be modified

Category:       ports
Module:         esound
Announced:      2000-08-31
Credits:        Brian Feldman during internal auditing
Affects:        Ports collection prior to the correction date
Corrected:      2000-06-30
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

EsounD is a component of the GNOME desktop environment which is
responsible for multiplexing access to audio devices.

II.  Problem Description

The esound port, versions 0.2.19 and earlier, creates a world-writable
directory in /tmp owned by the user running the EsounD session, which is
used for the storage of a unix domain socket. A race condition exists in
the creation of this socket which allows a local attacker to cause an
arbitrary file or directory owned by the user running esound to become
world-writable. This can give the attacker access to the victim's
account, or lead to a system compromise if esound is run by root.

The esound port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
3700 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 4.0 and 3.5 contain this problem, but
it was corrected prior to the release of FreeBSD 4.1.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Local users can cause files or directories owned by the target user to
become world-writable when that user runs the esd daemon (e.g. by
starting a GNOME session), allowing a security breach of that user
account (or the entire system if esd is run by root).

If you have not chosen to install the esound port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the esound port/package, if you have installed it (see the
pkg_delete(1) manual page for more information).

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the esound port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/esound-0.2.19.tgz

3) download a new port skeleton for the esound port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Thu Aug 31 21:49:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id D2A2C37B42C; Thu, 31 Aug 2000 21:49:33 -0700 (PDT)
Date: Fri, 1 Sep 2000 00:49:32 -0400 (EDT)
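Added example, neither esound's code nor the port's fix: the directory-creation pattern that closes the class of race the advisory above describes (a per-user socket directory under /tmp that an attacker can pre-create or swap out from under the daemon). create_private_dir(), socket_dir_path() and the self-check are this example's own, and the demo runs under a fresh mkdtemp() base rather than a real /tmp/.esd directory.

```c
/* Added example, not esound's code: create a private per-user directory
 * under /tmp for a Unix-domain socket without the race the advisory
 * describes. Rules: mkdir() must be the call that creates it (EEXIST is
 * a failure, not a reuse), never chmod() by path afterwards, and verify
 * owner and mode through a descriptor opened with O_NOFOLLOW, so nothing
 * an attacker pre-placed or swapped in is ever touched. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a mode-0700 directory and return an O_DIRECTORY fd for
 * it, or -1 with errno set. EEXIST means someone else created the path
 * first: that is exactly the case we must not trust, so we do not retry. */
int create_private_dir(const char *path)
{
    struct stat st;
    mode_t old = umask(077);            /* do not let umask widen the mode */
    int rc = mkdir(path, 0700);
    int saved = errno;
    umask(old);
    if (rc != 0) {
        errno = saved;
        return -1;
    }
    /* Open what we just made without following a symlink that could have
     * been swapped in, then check the object behind the fd, not the name. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Build the per-user socket directory name under `base`. Returns 0 on
 * success, -1 if the name does not fit. */
int socket_dir_path(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/esd-%ld", base, (long)getuid());
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Exercise the three cases that matter, under a fresh mkdtemp() base:
 *   1. fresh path: created with mode 0700
 *   2. same path again: refused with EEXIST
 *   3. a symlink planted at the path: refused (mkdir() reports EEXIST)
 * Returns 0 if all behave as intended, the failing case number otherwise,
 * or -1 if the demo tree itself could not be set up. */
int private_dir_selfcheck(void)
{
    char base[] = "/tmp/esd-demo-XXXXXX";     /* constructed demo base */
    char path[128], link[128];
    struct stat st;

    if (mkdtemp(base) == NULL)
        return -1;
    if (socket_dir_path(base, path, sizeof path) != 0)
        return -1;

    int fd = create_private_dir(path);
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 07777) != 0700)
        return 1;
    close(fd);

    if (create_private_dir(path) != -1 || errno != EEXIST)
        return 2;

    snprintf(link, sizeof link, "%s/planted", base);
    if (symlink(base, link) != 0)             /* constructed pre-placed symlink */
        return -1;
    if (create_private_dir(link) != -1 || errno != EEXIST)
        return 3;

    unlink(link);                             /* tidy up the demo tree */
    rmdir(path);
    rmdir(base);
    return 0;
}

int main(void)
{
    int rc = private_dir_selfcheck();
    printf("private directory self-check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```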
From: Brian Fundakowski Feldman
X-Sender: green@green.dyndns.org
To: Will Andrews
Cc: "R.Sharma" , freebsd-security@FreeBSD.ORG
Subject: Re: How to clear IPFW counters
In-Reply-To: <20000825071028.F41087@argon.gryphonsoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 25 Aug 2000, Will Andrews wrote:

> On Fri, Aug 25, 2000 at 03:22:52PM +0530, R.Sharma wrote:
> > Can any one tell me how to clear IPFW counters when system is running in
> > secure level 3.
>
> >From init(8) manpage:
>
>      3     Network secure mode - same as highly secure mode, plus IP packet
>            filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>            dummynet(4) configuration cannot be adjusted.
>
> You are SOL.

Unless what you want to do is reset the logging counters. That's a
nice thing to be able to do :)

> --
> Will Andrews
> GCS/E/S @d- s+:+ a--- C++ UB++++$ P+ L- E--- W+ N-- !o ?K w---
> O- M+ V- PS+ PE++ Y+ PGP+>+++ t++ 5 X+ R+ tv+ b++ DI+++ D+
> G++ e>++++ h! r- y?

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-security Thu Aug 31 22: 6:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id E549B37B423; Thu, 31 Aug 2000 22:06:21 -0700 (PDT)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 5B3E91C66; Fri, 1 Sep 2000 01:06:21 -0400 (EDT)
Date: Fri, 1 Sep 2000 01:06:21 -0400
From: Bill Fumerola
To: Brian Fundakowski Feldman
Cc: Will Andrews , "R.Sharma" , freebsd-security@FreeBSD.ORG
Subject: Re: How to clear IPFW counters
Message-ID: <20000901010621.A33771@jade.chc-chimes.com>
References: <20000825071028.F41087@argon.gryphonsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from green@FreeBSD.org on Fri, Sep 01, 2000 at 12:49:32AM -0400
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 01, 2000 at 12:49:32AM -0400, Brian Fundakowski Feldman wrote:
> On Fri, 25 Aug 2000, Will Andrews wrote:
>
> > On Fri, Aug 25, 2000 at 03:22:52PM +0530, R.Sharma wrote:
> > > Can any one tell me how to clear IPFW counters when system is running in
> > > secure level 3.
> >
> > >From init(8) manpage:
> >
> >      3     Network secure mode - same as highly secure mode, plus IP packet
> >            filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
> >            dummynet(4) configuration cannot be adjusted.
> >
> > You are SOL.
>
> Unless what you want to do is reset the logging counters. That's a
> nice thing to be able to do :)

Right, you actually can do that, which is what the original poster was asking.

        /*
         * Disallow sets in really-really secure mode, but still allow
         * the logging counters to be reset.
         */
        if (sopt->sopt_dir == SOPT_SET && securelevel >= 3 &&
            sopt->sopt_name != IP_FW_RESETLOG)
                return (EPERM);

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                                   billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Thu Aug 31 23:39:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 55EBA37B423; Thu, 31 Aug 2000 23:39:52 -0700 (PDT)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1614 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 1 Sep 2000 01:16:47 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Fri, 1 Sep 2000 01:16:42 -0500 (CDT)
From: James Wyatt
To: Brian Fundakowski Feldman
Cc: Will Andrews , "R.Sharma" , freebsd-security@FreeBSD.ORG
Subject: Re: How to clear IPFW counters
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 1 Sep 2000, Brian Fundakowski Feldman wrote:
> On Fri, 25 Aug 2000, Will Andrews wrote:
> > On Fri, Aug 25, 2000 at 03:22:52PM +0530, R.Sharma wrote:
> > > Can any one tell me how to clear IPFW counters when system is running in
> > > secure level 3.
> >
> > >From init(8) manpage:
> >
> >      3     Network secure mode - same as highly secure mode, plus IP packet
> >            filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
> >            dummynet(4) configuration cannot be adjusted.
> >
> > You are SOL.
>
> Unless what you want to do is reset the logging counters. That's a
> nice thing to be able to do :)

Unless those logging counters are what you use to track (cross-check,
really) hacking attempts. Then, you want them left alone so the Wiley
Hacker(tm) doesn't reset them. Contrived, I guess, but reasonable. - Jy@

From owner-freebsd-security Fri Sep 1 4:20:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id E03E137B422; Fri, 1 Sep 2000 04:20:49 -0700 (PDT)
Date: Fri, 1 Sep 2000 07:20:47 -0400 (EDT)
From: Brian Fundakowski Feldman
X-Sender: green@green.dyndns.org
To: James Wyatt
Cc: Will Andrews , "R.Sharma" , freebsd-security@FreeBSD.ORG
Subject: Re: How to clear IPFW counters
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 1 Sep 2000, James Wyatt wrote:

> > > You are SOL.
> >
> > Unless what you want to do is reset the logging counters. That's a
> > nice thing to be able to do :)
>
> Unless those logging counters are what you use to track (cross-check,
> really) hacking attempts. Then, you want them left alone so the Wiley
> Hacker(tm) doesn't reset them. Contrived, I guess, but reasonable. - Jy@

There are several kinds of counters. One is the "packet matching"
counter, and another is the "bytes matching" counter. The one I added
recently was the "virtual logging counter", which has the sole purpose
of controlling the output of log messages for matched packets.

I made the decision that it wouldn't be any kind of loss of security
to allow this counter to be reset (it can only be used to turn back
on logging which was disabled by having matched "logamount" number of
times).

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-security Fri Sep 1 7:49:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 500EB37B422; Fri, 1 Sep 2000 07:49:15 -0700 (PDT)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1754 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 1 Sep 2000 09:38:33 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Fri, 1 Sep 2000 09:38:16 -0500 (CDT)
From: James Wyatt
To: Brian Fundakowski Feldman
Cc: Will Andrews , "R.Sharma" , freebsd-security@FreeBSD.ORG
Subject: Re: How to clear IPFW counters
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 1 Sep 2000, Brian Fundakowski Feldman wrote:
> On Fri, 1 Sep 2000, James Wyatt wrote:
> > > Unless what you want to do is reset the logging counters. That's a
> > > nice thing to be able to do :)
> >
> > Unless those logging counters are what you use to track (cross-check,
> > really) hacking attempts. Then, you want them left alone so the Wiley
> > Hacker(tm) doesn't reset them. Contrived, I guess, but reasonable. - Jy@
>
> There are several kinds of counters. One is the "packet matching"
> counter, and another is the "bytes matching" counter. The one I added
> recently was the "virtual logging counter", which has the sole purpose
> of controlling the output of log messages for matched packets.
>
> I made the decision that it wouldn't be any kind of loss of security
> to allow this counter to be reset (it can only be used to turn back
> on logging which was disabled by having matched "logamount" number of
> times).

Good decision and explanation. Thank you for both! - Jy@

From owner-freebsd-security Fri Sep 1 8:33: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bitbucket.cwnet.com (bitbucket.cwnet.com [209.21.20.218]) by hub.freebsd.org (Postfix) with ESMTP id 7343437B423 for ; Fri, 1 Sep 2000 08:33:04 -0700 (PDT)
Received: (from nathan@localhost) by bitbucket.cwnet.com (8.11.0/8.9.3) id e81FVG420570 for freebsd-security@freebsd.org; Fri, 1 Sep 2000 08:31:16 -0700 (PDT) (envelope-from nathan)
Date: Fri, 1 Sep 2000 08:31:16 -0700 (PDT)
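Added example, not kernel code: a user-space model of the three per-rule counters Brian describes above and of the securelevel check Bill quoted, showing that IP_FW_RESETLOG at securelevel 3 re-arms logging without touching the packet and byte counters James wants preserved. fw_rule, rule_matched(), fw_ctl(), demo_rule and the scenario are this example's own, and the enum values stand in for the kernel's socket-option constants.

```c
/* Added example, not ipfw's code: a model of the packet, byte and
 * "virtual logging" counters kept per rule, and of the securelevel check
 * quoted in the thread. The counter semantics follow the thread's
 * description; the structure and names here are the example's own. */
#include <errno.h>
#include <stdio.h>

struct fw_rule {
    unsigned long pcnt;        /* packets matched */
    unsigned long bcnt;        /* bytes matched */
    unsigned long logcnt;      /* log lines emitted since the last reset */
    unsigned long logamount;   /* 0 = unlimited, else stop logging after N */
};

/* Stand-ins for the kernel's socket-option names; values are arbitrary. */
enum { SOPT_GET, SOPT_SET };
enum { IP_FW_ADD, IP_FW_DEL, IP_FW_ZERO, IP_FW_RESETLOG };

/* A packet of `len` bytes matched the rule. Returns 1 if a log line
 * should be emitted, 0 if logging for this rule is currently exhausted. */
int rule_matched(struct fw_rule *r, unsigned long len)
{
    r->pcnt++;
    r->bcnt += len;
    if (r->logamount == 0)
        return 1;
    if (r->logcnt < r->logamount) {
        r->logcnt++;
        return 1;
    }
    return 0;
}

/* Model of the setsockopt() path: every SET is refused at securelevel >= 3
 * except IP_FW_RESETLOG, which only clears the logging counter. */
int fw_ctl(int dir, int name, int securelevel, struct fw_rule *r)
{
    if (dir == SOPT_SET && securelevel >= 3 && name != IP_FW_RESETLOG)
        return EPERM;
    if (dir != SOPT_SET)
        return 0;                  /* GETs do not modify anything */
    switch (name) {
    case IP_FW_ZERO:
        r->pcnt = r->bcnt = 0;     /* the evidence counters */
        break;
    case IP_FW_RESETLOG:
        r->logcnt = 0;             /* only re-arms logging */
        break;
    default:
        break;
    }
    return 0;
}

/* Rule used by the scenario below; exposed so callers can inspect it. */
struct fw_rule demo_rule;

/* The situation from the thread: a rule with "logamount 3" sees five
 * packets, an admin at the given securelevel tries to zero the counters
 * and then resets the log counter, and one more packet arrives.
 * Returns the number of log lines emitted in total. */
unsigned long scenario(int securelevel, struct fw_rule *r)
{
    unsigned long logged = 0;
    r->pcnt = r->bcnt = r->logcnt = 0;
    r->logamount = 3;
    for (int i = 0; i < 5; i++)
        logged += rule_matched(r, 64);            /* only 3 get logged */
    fw_ctl(SOPT_SET, IP_FW_ZERO, securelevel, r);  /* EPERM at level 3 */
    fw_ctl(SOPT_SET, IP_FW_RESETLOG, securelevel, r);
    logged += rule_matched(r, 64);                /* logging resumes */
    return logged;
}

int main(void)
{
    for (int level = 0; level <= 3; level += 3) {
        unsigned long logged = scenario(level, &demo_rule);
        printf("securelevel %d: %lu logged, pcnt=%lu bcnt=%lu\n",
               level, logged, demo_rule.pcnt, demo_rule.bcnt);
    }
    return 0;
}
```

At securelevel 3 the packet and byte counters survive the attempted zeroing (6 packets, 384 bytes after the scenario) while logging resumes; at securelevel 0 the same sequence leaves them at 1 and 64.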
From: nathan barrick
Message-Id: <200009011531.e81FVG420570@bitbucket.cwnet.com>
To: freebsd-security@freebsd.org
Subject: security check output.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Okay, for the past couple of days I have been getting these errors in my
Security Check output:

HOSTNAME kernel log messages:
> pid 11964 (xfstt), uid 1001: exited on signal 11
> sio3: 58004 more interrupt-level buffer overflows (total 58168)
> pid 12280 (xfstt), uid 1001: exited on signal 11
> sio3: 348244 more interrupt-level buffer overflows (total 406412)

Now, I can see two things here exiting and dumping. One is xfstt, an X11
font server for TTF fonts. For some reason this crashes constantly. And
two is the sio3 buffer overflows. Here is the thing: if I have ppp running
and try to start X my computer freezes; if I start X and then run ppp
everything is okay. I do believe this has something to do with this error.
Anyone think they can help?

- Nathan

From owner-freebsd-security Fri Sep 1 8:37:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 8508F37B42C; Fri, 1 Sep 2000 08:37:08 -0700 (PDT)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id IAA61934; Fri, 1 Sep 2000 08:36:58 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200009011536.IAA61934@gndrsh.dnsmgr.net>
Subject: Re: How to clear IPFW counters
In-Reply-To: <20000901010621.A33771@jade.chc-chimes.com> from Bill Fumerola at "Sep 1, 2000 01:06:21 am"
To: billf@chimesnet.com (Bill Fumerola)
Date: Fri, 1 Sep 2000 08:36:57 -0700 (PDT)
Cc: green@FreeBSD.ORG (Brian Fundakowski Feldman), will@physics.purdue.edu (Will Andrews), rsharma@apsara.barc.ernet.in (R.Sharma), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

IMHO, it is time to rethink securelevel and change it from a very coarse
grain "add more restrictions as levels rise" to a set of flags that control
security features, flags that can be written 0 -> 1, but not 1 -> 0 if flag
bit securelevel_enabled is set, or some such.

> > > From init(8) manpage:
> > >
> > >   3  Network secure mode - same as highly secure mode, plus IP packet
> > >      filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
> > >      dummynet(4) configuration cannot be adjusted.
> > >
> > > You are SOL.
> >
> > Unless what you want to do is reset the logging counters. That's a
> > nice thing to be able to do :)
>
> Right, you actually can do that, which is what the original poster was asking.
>
> /*
>  * Disallow sets in really-really secure mode, but still allow
>  * the logging counters to be reset.
>  */
> if (sopt->sopt_dir == SOPT_SET && securelevel >= 3 &&
>     sopt->sopt_name != IP_FW_RESETLOG)
>         return (EPERM);

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Fri Sep 1 9:32: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sofia.csl.sri.com (sofia.csl.sri.com [130.107.19.127]) by hub.freebsd.org (Postfix) with ESMTP id 3EFE137B440 for ; Fri, 1 Sep 2000 09:32:06 -0700 (PDT)
Received: (from molter@localhost) by sofia.csl.sri.com (8.9.3/8.9.3) id JAA66085 for freebsd-security@FreeBSD.ORG; Fri, 1 Sep 2000 09:32:52 -0700 (PDT) (envelope-from molter)
From: Marco Molteni
Date: Fri, 1 Sep 2000 09:32:52 -0700
To: freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
Message-ID: <20000901093252.A66078@sofia.csl.sri.com>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <200008301346.e7UDkbA84396@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre4i
In-Reply-To: ; from D.M.Pick@qmw.ac.uk on Wed, Aug 30, 2000 at 08:34:27PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 30 Aug 2000, David Pick wrote:

[..]

> I wonder if there's enough support for this setup to be worth writing
> a patch to "sysinstall" to have the XFree86 setup ask if "Xservers"
> should be modified in this way during setup - and which way round
> should be the default?

I second it, closed by default.

Marco
-- 
Marco Molteni "rough consensus and running code"
SRI International, System Design Laboratory

From owner-freebsd-security Fri Sep 1 12: 5:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 2F22137B422; Fri, 1 Sep 2000 12:05:29 -0700 (PDT)
Received: from nomad.yogotech.com (yogotech.nokia.com [4.22.66.156]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA02818; Fri, 1 Sep 2000 12:55:24 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id KAA03810; Fri, 1 Sep 2000 10:30:18 -0600 (MDT) (envelope-from nate)
Date: Fri, 1 Sep 2000 10:30:18 -0600 (MDT)
Message-Id: <200009011630.KAA03810@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Brian Fundakowski Feldman
Cc: James Wyatt, Will Andrews, "R.Sharma", freebsd-security@FreeBSD.ORG
Subject: Re: How to clear IPFW counters
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> There are several kinds of counters. One is the "packet matching"
> counter, and another is the "bytes matching" counter. The one I added
> recently was the "virtual logging counter", which has the sole purpose
> of controlling the output of log messages for matched packets.
>
> I made the decision that it wouldn't be any kind of loss of security
> to allow this counter to be reset (it can only be used to turn back
> on logging which was disabled by having matched "logamount" number of
> times).

FWIW, I agree with this decision. The only kind of attack that could be
done with this is to constantly reset the counters such that the logs
would eventually fill up your partition where the logfiles are stored,
which would require the box to be root compromised. However, if root is
compromised, there are much easier ways to fill up the partition, or for
that matter generate syslog messages.
Nate

From owner-freebsd-security Fri Sep 1 13:54: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from moutvdom00.kundenserver.de (moutvdom00.kundenserver.de [195.20.224.149]) by hub.freebsd.org (Postfix) with ESMTP id 2BBD737B423 for ; Fri, 1 Sep 2000 13:54:05 -0700 (PDT)
Received: from [195.20.224.209] (helo=mrvdom02.schlund.de) by moutvdom00.kundenserver.de with esmtp (Exim 2.12 #2) id 13Uxp6-0005Cf-00 for freebsd-security@freebsd.org; Fri, 1 Sep 2000 22:54:04 +0200
Received: from [62.96.170.228] (helo=gottt) by mrvdom02.schlund.de with smtp (Exim 2.12 #2) id 13Uxp4-00033P-00 for freebsd-security@FreeBSD.ORG; Fri, 1 Sep 2000 22:54:02 +0200
Message-ID: <007a01c01457$3b9eff80$e4aa603e@gottt>
From: "Nicolas"
Subject: ipfw and fragments
Date: Fri, 1 Sep 2000 22:56:41 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there a way to make ipfw reassemble fragmented IP packets before
passing them through the rules?

Thanks in advance
Nicolas

From owner-freebsd-security Fri Sep 1 14: 4:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 8D83137B422 for ; Fri, 1 Sep 2000 14:04:37 -0700 (PDT)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 194801C41; Fri, 1 Sep 2000 17:04:37 -0400 (EDT)
Date: Fri, 1 Sep 2000 17:04:37 -0400
From: Bill Fumerola
To: Nicolas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000901170437.J33771@jade.chc-chimes.com>
References: <007a01c01457$3b9eff80$e4aa603e@gottt>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <007a01c01457$3b9eff80$e4aa603e@gottt>; from list@rachinsky.de on Fri, Sep 01, 2000 at 10:56:41PM +0200
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 01, 2000 at 10:56:41PM +0200, Nicolas wrote:
> Is there a way to make ipfw to reassemble fragmented ip packets before passing them through the rules?

No. The relevant bits are only in the first packet.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Sat Sep 2 17:53:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147]) by hub.freebsd.org (Postfix) with ESMTP id E78E237B423 for ; Sat, 2 Sep 2000 17:53:32 -0700 (PDT)
Received: from smp.kyx.net (unknown [10.22.22.45]) by mail.kyx.net (Postfix) with SMTP id 8A6E81DC04; Sat, 2 Sep 2000 17:52:10 -0700 (PDT)
From: Dragos Ruiu
Organization: kyx.net
To: Bill Fumerola, Nicolas
Subject: Re: ipfw and fragments
Date: Sat, 2 Sep 2000 17:50:02 -0700
X-Mailer: KYX-CP/M [version core00-mail-92]
Content-Type: text/plain
Cc: freebsd-security@FreeBSD.ORG
References: <007a01c01457$3b9eff80$e4aa603e@gottt> <20000901170437.J33771@jade.chc-chimes.com>
In-Reply-To: <20000901170437.J33771@jade.chc-chimes.com>
MIME-Version: 1.0
Message-Id: <00090217534118.20066@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 01 Sep 2000, Bill Fumerola wrote:
> On Fri, Sep 01, 2000 at 10:56:41PM +0200, Nicolas wrote:
> > Is there a way to make ipfw to reassemble fragmented ip packets before passing them through the rules?
>
> No. The relevant bits are only in the first packet.
>

It could be made to reassemble them, but it would incur a performance hit.

cheers,
--dr

-- 
Dragos Ruiu
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc

From owner-freebsd-security Sat Sep 2 20:40:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id 7B38C37B42C for ; Sat, 2 Sep 2000 20:40:30 -0700 (PDT)
Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id DAA00072 for ; Sun, 3 Sep 2000 03:36:33 GMT
Date: Sun, 3 Sep 2000 03:36:32 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: freebsd-security@FreeBSD.ORG
Subject: ipsec tun1, tun2
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear All,

I am running into troubles. I already configured tun0 to use
Authentication Header communication in it and it works fine. Now I want
to set tun1 to use ESP communication through it, but the problem is that
I have a compilation error when I want to recompile the kernel. The
problem is that I cannot uninstall everything and have a new kernel; I
just cannot (because of time limitation).

Do you have any suggestion?

Ali.

From owner-freebsd-security Sat Sep 2 23:38: 1 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 0C1BB37B424 for ; Sat, 2 Sep 2000 23:38:00 -0700 (PDT)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 854261C5C; Sun, 3 Sep 2000 02:37:59 -0400 (EDT)
Date: Sun, 3 Sep 2000 02:37:59 -0400
From: Bill Fumerola
To: Dragos Ruiu
Cc: Nicolas, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and fragments
Message-ID: <20000903023759.O33771@jade.chc-chimes.com>
References: <007a01c01457$3b9eff80$e4aa603e@gottt> <20000901170437.J33771@jade.chc-chimes.com> <00090217534118.20066@smp.kyx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <00090217534118.20066@smp.kyx.net>; from dr@kyx.net on Sat, Sep 02, 2000 at 05:50:02PM -0700
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Sep 02, 2000 at 05:50:02PM -0700, Dragos Ruiu wrote:
> > > Is there a way to make ipfw to reassemble fragmented ip packets before passing them through the rules?
> >
> > No. The relevant bits are only in the first packet.
> >
> It could be made to reassemble them,
> but it would incurr a performance hit.

What do you gain? Nothing that I can think that ipfw currently
tests for is in the non-initial fragment.

If we tested for length of data or something like that (on my list),
it might become relevant, but not really. ipfw examines data on a
packet-by-packet level.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Sat Sep 2 23:51:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.kyx.net (cr95838-b.crdva1.bc.wave.home.com [24.113.50.147]) by hub.freebsd.org (Postfix) with ESMTP id C008C37B424 for ; Sat, 2 Sep 2000 23:51:28 -0700 (PDT)
Received: from smp.kyx.net (unknown [10.22.22.45]) by mail.kyx.net (Postfix) with SMTP id 36B2F1DC03; Sat, 2 Sep 2000 23:50:28 -0700 (PDT)
From: Dragos Ruiu
Organization: kyx.net
To: Bill Fumerola
Subject: Re: ipfw and fragments
Date: Sat, 2 Sep 2000 23:47:29 -0700
X-Mailer: KYX-CP/M [version core00-mail-92]
Content-Type: text/plain
Cc: Nicolas, freebsd-security@FreeBSD.ORG
References: <007a01c01457$3b9eff80$e4aa603e@gottt> <00090217534118.20066@smp.kyx.net> <20000903023759.O33771@jade.chc-chimes.com>
In-Reply-To: <20000903023759.O33771@jade.chc-chimes.com>
MIME-Version: 1.0
Message-Id: <0009022351571F.20066@smp.kyx.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 02 Sep 2000, Bill Fumerola wrote:
> On Sat, Sep 02, 2000 at 05:50:02PM -0700, Dragos Ruiu wrote:
> > > > Is there a way to make ipfw to reassemble fragmented ip packets before passing them through the rules?
> > >
> > > No. The relevant bits are only in the first packet.
> > >
> > It could be made to reassemble them,
> > but it would incurr a performance hit.
>
> What do you gain? Nothing that I can think that ipfw currently
> tests for is in the non-initial fragment.
>

Correct me if I'm wrong because I haven't looked at the ipfw source,
but fragments don't get passed. There are some applications that like
to send big packets (I have a video streaming system for instance that
sends up to 64K UDP datagrams) that will always get fragmented. If I
wanted to send such packets unmolested through ipfw it would have to
"reassemble" them as it were so that once the first fragment got
through the subsequent ones could follow too.

Or am I missing something here in what you're trying to do?

cheers,
--dr

-- 
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
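The fragment thread above turns on one fact: a per-packet filter sees TCP/UDP ports only in the initial fragment (offset 0), because non-initial fragments carry no transport header at all. The C program below is an added example written for this digest, not ipfw or FreeBSD source. It parses a raw IPv4 header, reports whether a packet is a fragment and whether its port fields really exist, and evaluates a toy "allow udp to port 5004" rule against two constructed packets: an initial fragment with MF set, and a last fragment at offset 1480 whose payload happens to begin with the same bytes as the port fields. The packet bytes, the struct and function names, and the rule are all constructed for the example.

```c
/* Added example (not ipfw source): what a per-packet IPv4 filter can and
 * cannot see in fragments. Packets, names and the rule are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MF       0x2000u  /* "more fragments" flag in the flags/offset word */
#define IP_OFFMASK  0x1fffu  /* fragment offset, in units of 8 bytes */
#define IPPROTO_TCP_NUM 6
#define IPPROTO_UDP_NUM 17

struct frag_view {
    int valid;              /* 1 if the buffer held a complete IPv4 header */
    int is_fragment;        /* MF set, or offset != 0 */
    int is_initial;         /* offset == 0: the only fragment with an L4 header */
    unsigned offset_bytes;  /* where this fragment's payload sits in the datagram */
    uint8_t proto;
    int ports_visible;      /* 1 only when the TCP/UDP port fields are really present */
    uint16_t sport, dport;
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse one packet. Ports are reported only for the initial fragment of a
 * TCP/UDP datagram; for any other fragment they do not exist on the wire,
 * whatever the payload bytes at that position happen to look like. */
struct frag_view classify_ipv4(const uint8_t *pkt, size_t len)
{
    struct frag_view v;
    memset(&v, 0, sizeof v);
    if (len < 20 || (pkt[0] >> 4) != 4)
        return v;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return v;
    v.valid = 1;
    uint16_t flagoff = rd16(pkt + 6);
    v.offset_bytes = (flagoff & IP_OFFMASK) * 8;
    v.is_fragment = (flagoff & IP_MF) != 0 || v.offset_bytes != 0;
    v.is_initial = (v.offset_bytes == 0);
    v.proto = pkt[9];
    if (v.is_initial &&
        (v.proto == IPPROTO_TCP_NUM || v.proto == IPPROTO_UDP_NUM) &&
        len >= ihl + 4) {
        v.ports_visible = 1;
        v.sport = rd16(pkt + ihl);
        v.dport = rd16(pkt + ihl + 2);
    }
    return v;
}

/* A toy stateless rule, "allow udp from any to any <dport>", applied to one
 * packet. It can only ever say yes to the initial fragment. */
int rule_allows_udp_dport(const uint8_t *pkt, size_t len, uint16_t dport)
{
    struct frag_view v = classify_ipv4(pkt, len);
    return v.valid && v.proto == IPPROTO_UDP_NUM && v.ports_visible &&
           v.dport == dport;
}

/* Constructed sample packets (not captures); checksums are left zero. */
const uint8_t sample_initial_frag[28] = {
    0x45, 0x00, 0x00, 0x1c,   /* IPv4, IHL 5, total length 28 */
    0x12, 0x34, 0x20, 0x00,   /* id 0x1234; flags MF=1, offset 0 */
    0x40, 0x11, 0x00, 0x00,   /* TTL 64, protocol UDP, checksum 0 */
    10, 0, 0, 1, 10, 0, 0, 2, /* 10.0.0.1 -> 10.0.0.2 */
    0x9c, 0x40, 0x13, 0x8c,   /* UDP sport 40000, dport 5004 */
    0x00, 0x10, 0x00, 0x00    /* UDP length, checksum (placeholders) */
};
const uint8_t sample_last_frag[28] = {
    0x45, 0x00, 0x00, 0x1c,
    0x12, 0x34, 0x00, 0xb9,   /* same id; flags 0 (last), offset 185*8 = 1480 */
    0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x9c, 0x40, 0x13, 0x8c,   /* application payload that merely resembles ports */
    0xde, 0xad, 0xbe, 0xef
};

static void show(const char *label, const uint8_t *pkt, size_t len)
{
    struct frag_view v = classify_ipv4(pkt, len);
    printf("%s: fragment=%d initial=%d offset=%u ports_visible=%d rule(5004)=%d\n",
           label, v.is_fragment, v.is_initial, v.offset_bytes, v.ports_visible,
           rule_allows_udp_dport(pkt, len, 5004));
}

int main(void)
{
    show("initial", sample_initial_frag, sizeof sample_initial_frag);
    show("last   ", sample_last_frag, sizeof sample_last_frag);
    return 0;
}
```

The classifier refuses to read ports from the non-initial fragment even though bytes that look like ports are sitting at the same offset, which is the property a per-packet filter needs so that a port rule is never satisfied by payload. That is exactly why a rule keyed on ports can only pass or drop the first fragment, as Bill says; what happens to the rest is a separate decision, and ipfw(8) exposes it through its `frag` rule option, which matches non-initial fragments explicitly so a ruleset can log, drop or pass them deliberately rather than by accident.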
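Rod Grimes's message earlier in this digest quotes the ip_fw socket-option gate (every set refused at securelevel >= 3 except IP_FW_RESETLOG) and proposes replacing the coarse securelevel ladder with independently lockable flags that may go 0 -> 1 but never 1 -> 0 once a lock bit is set. The C code below is an added example for this page, not FreeBSD's implementation: `ipfw_ctl_check` mirrors the quoted conditional, and `secflags_transition` is the ratchet rule from Rod's sketch applied to a bit set. The SECF_* names are invented for the example; SOPT_SET, IP_FW_RESETLOG and the other IP_FW_* option names are FreeBSD's, but the numeric values used here are placeholders.

```c
/* Added example (not FreeBSD source): a securelevel-style gate on ipfw
 * socket options, and the "ratchet" flag set sketched in the thread. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option direction and ipfw option names. The numeric values are
 * placeholders chosen for this example; only their identity matters. */
enum { SOPT_GET = 0, SOPT_SET = 1 };
enum { IP_FW_ADD = 50, IP_FW_DEL, IP_FW_FLUSH, IP_FW_ZERO, IP_FW_GET, IP_FW_RESETLOG };

/* Mirror of the quoted kernel check: at securelevel >= 3 every set is
 * refused except IP_FW_RESETLOG, which only re-arms per-rule logging
 * after "logamount" matches, so allowing it cannot loosen the ruleset. */
int ipfw_ctl_check(int sopt_dir, int sopt_name, int securelevel)
{
    if (sopt_dir == SOPT_SET && securelevel >= 3 &&
        sopt_name != IP_FW_RESETLOG)
        return EPERM;
    return 0;
}

/* Flag-based alternative. Each bit locks one feature; SECF_LOCKED plays the
 * "securelevel_enabled" role: while it is set, bits may only go 0 -> 1. */
#define SECF_LOCKED       0x01u
#define SECF_IPFW_RO      0x02u  /* firewall rules immutable */
#define SECF_DUMMYNET_RO  0x04u  /* dummynet configuration immutable */

/* Return 0 if moving from cur to next is allowed, EPERM if it would clear
 * any bit (SECF_LOCKED itself included) while the set is locked. */
int secflags_transition(uint32_t cur, uint32_t next)
{
    if ((cur & SECF_LOCKED) && (cur & ~next) != 0)
        return EPERM;
    return 0;
}

/* The same ipfw gate driven by the flag set instead of a numeric level:
 * only the firewall bit matters here, so dummynet can be locked separately. */
int ipfw_ctl_check_flags(int sopt_dir, int sopt_name, uint32_t flags)
{
    if (sopt_dir == SOPT_SET && (flags & SECF_IPFW_RO) &&
        sopt_name != IP_FW_RESETLOG)
        return EPERM;
    return 0;
}

int main(void)
{
    uint32_t flags = 0;
    /* A scripted sequence: raise, lock, try to lower, raise further. */
    uint32_t steps[] = { SECF_IPFW_RO,
                         SECF_IPFW_RO | SECF_LOCKED,
                         SECF_LOCKED,
                         SECF_LOCKED | SECF_IPFW_RO | SECF_DUMMYNET_RO };
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        int rc = secflags_transition(flags, steps[i]);
        printf("flags 0x%02x -> 0x%02x: %s\n", (unsigned)flags, (unsigned)steps[i],
               rc == 0 ? "ok" : "EPERM (locked, would clear a bit)");
        if (rc == 0)
            flags = steps[i];
    }
    printf("IP_FW_ADD at securelevel 3: %s\n",
           ipfw_ctl_check(SOPT_SET, IP_FW_ADD, 3) == EPERM ? "refused" : "allowed");
    printf("IP_FW_RESETLOG at securelevel 3: %s\n",
           ipfw_ctl_check(SOPT_SET, IP_FW_RESETLOG, 3) == 0 ? "allowed" : "refused");
    return 0;
}
```

The ratchet check is deliberately a pure function of (current, requested) so it can be reviewed and tested without kernel state: the only rule is that a locked set never loses a bit, which also means the lock bit cannot be cleared by the same path that set it, matching the 0 -> 1 but not 1 -> 0 semantics in Rod's proposal.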