From owner-freebsd-security Sun Sep 9 0:59:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.sovintel.ru (ns.sovintel.ru [212.44.130.6]) by hub.freebsd.org (Postfix) with ESMTP id 8CAE537B407 for ; Sun, 9 Sep 2001 00:59:00 -0700 (PDT)
Received: from ppp70-spb-213-221-48.sovintel.ru (ppp70-spb-213-221-48.sovintel.ru [213.221.48.70] (may be forged)) by ns.sovintel.ru (8.11.5/8.11.5) with SMTP id f897vQo66101 for ; Sun, 9 Sep 2001 11:57:40 +0400 (MSD) (envelope-from helprita@list.ru)
Message-ID: <00de01c138d8$84c3cb40$1230ddd5@users.mns.ru>
From: "alya radzik"
To: freebsd-security@FreeBSD.org
Subject: =?koi8-r?B?0M/Nz8fJ1MUg09DB09TJIM3BzMXO2MvVwCDExdfP3svV?=
Date: Sun, 9 Sep 2001 06:38:32 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00DB_01C138FA.0B785720"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2417.2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_00DB_01C138FA.0B785720
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit

My daughter Rita is 7 years old. On 1 January 2001 she began having kidney
spasms, and the next day she lost almost a litre of blood. Margarita was
given a terrible diagnosis: Wilms tumour of the right kidney with metastases
to the right lung, stage 4. Since then the girl has gone through a course
of intensive radiation and chemotherapy, a very serious operation to remove
the right kidney and a tumour thrombus 8.5 cm long, blood poisoning through
a catheter, a chemical burn of the intestine, haemorrhagic syndrome and
deteriorating vision. The girl's condition and suffering cannot be put into
words. Despite six months of intensive procedures, Margarita's treatment is
far from a successful conclusion. And Rita is only a seven-year-old girl
who loves to dance and worked hard before her illness to become a
ballerina. Our experienced doctors give us a favourable prognosis, but to
be cured we need medicines to protect and support her organs, and from time
to time blood for transfusion. The medicines are very expensive: one
ampoule of Neupogen costs 180 dollars, and many ampoules are needed, before
each block of chemotherapy. 50 mg of Diflucan in solution costs 550
roubles, which lasts us one day; 7 capsules of Diflucan at 50 mg cost about
900 roubles, and she has to take 2 capsules a day.
We have to take Essentiale and buy the anti-emetics Latran and Zofran; to
protect the heart from the toxic effects of chemotherapy and for general
support we need Cardioxane, Inosie-F, coenzyme Q10 and so on. Rita is a
very delicate girl and tolerates the harsh stage-4 treatment protocol
poorly. She was on the brink of death after treatment with the chemotherapy
drug carboplatin. So she was moved to the less harsh stage-3 protocol, but
the remaining metastasis in the lung will probably force the doctors to run
a course of carboplatin again, which we have been warned about in advance,
and then we will need AmBisome, currently the most effective antifungal
drug. We will need about 10 ampoules of AmBisome, and one ampoule costs
about 220 dollars. Its cheaper analogues are unsuitable for us because of
their toxicity. Rita, her grandmother, my sister and I live in one room
(14.2 m2) of a communal flat on the ground floor; the basement beneath us
is permanently flooded. The flat is dark and damp. Even when the course of
treatment lets us go home, my daughter and I often prefer to stay in the
hospital, where the living conditions are much better. I cannot work,
because I am constantly on the ward with Margarita. My mother receives a
pension of 780 roubles, my sister earns about 1500 roubles. I am asking for
help, it is very hard! Thanks in advance to everyone who responds.
Respectfully,
Alevtina Razdik
tel: (812)272-92-18
helprita@list.ru
http://helprita.boom.ru

------=_NextPart_000_00DB_01C138FA.0B785720
Content-Type: image/jpeg; name="homerita.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="homerita.jpg"
------=_NextPart_000_00DB_01C138FA.0B785720--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 9 1: 6:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id DEDBE37B401 for ; Sun, 9 Sep 2001 01:06:25 -0700 (PDT)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 1FEBE1D14; Sun, 9 Sep 2001 10:05:56 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 52DF1552A; Sun, 9 Sep 2001 10:05:56 +0200 (CEST)
Date: Sun, 9 Sep 2001 10:05:54 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: D J Hawkey Jr
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
In-Reply-To: <20010908171641.A79354@sheol.localdomain>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 8 Sep 2001, D J Hawkey Jr wrote:

> On Sep 08, at 08:07 PM, Krzysztof Zaraska wrote:
> >
> > On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
> >
> > But activity in /tmp is normal and will be ignored by tripwire, right?
>
> Tripwire's policy file can reflect nearly any level of Admin paranoia.

Ever seen an admin that would observe changes in /tmp on a daily basis?

> > > > We may also consider adding a feature to kldload to load only modules
> > > > from under /modules but I'm afraid this may be circumvented by attacker
> > > > fetching her own kldload. A better way would be to implement an
> > > > appropriate lock in kernel code but I don't know if it's possible.
>
> Who's the "we"? The FreeBSD project?

"We" was intended to mean "anyone involved in this discussion". If you want
to read it as "the FreeBSD community such as developers and users" you may.
I'm _not_ a FreeBSD project member and therefore "we" cannot refer to the
project.

> > Or, something LIDS-like.
>
> You're the second to mention LIDS. I know so little about it as to
> refrain from comment (like, why should I let that stop me now?). Based
> on another's description, it strikes me as rather over-engineered, but
> that's an ignorant opinion. Maybe it has to be.

Well. I heard about it once, went to their site, read the docs and ran
away ;). Seriously, it seemed to offer interesting features but all the
complications scared me off.
> RedHat does seem more dependent on LKMs than FreeBSD and KLDs, at least
> out-of-the-box, so perhaps the modules are more of a security issue?

This is due to the way the Linux bootloader works. The compressed kernel
image must fit within the first 640K of memory, so that imposes a limit on
the kernel size. Since they want plug-and-play they must have all the
existing drivers (save maybe video cards and the like) built. But taking
into account the kernel size limit they must be built as modules. FreeBSD
also has lots of drivers in the GENERIC kernel (for a similar reason) but
this system does not seem to have this kind of limitation.

IIRC there are some Linux drivers that _must_ be built as modules for some
reason (PPP-related stuff, I guess).

I hope this discussion won't end up with advocacy of FreeBSD's superiority
to Linux in the area of kernel modules.

BTW: is there a way to build linux.ko in the kernel? Or is it a must-be
module?

> > may be a similar situation in the future, that say some SuperHardware Inc.
> > releases its new 10Gbit ethernet adapter giving away the compiled drivers
> > as modules and not releasing the source code nor the hardware
> > specifications. In this case you need module support, at least at boot
> > time.
>
> Or, wait for the more open-minded competition that'll be along shortly.
> :-)

When the device price is around USD10,000 I doubt the existence of
open-minded competition (I am not specifically referring to the above
example). Not to mention the situation where you need backward
compatibility with some ancient proprietary hardware / software your
company bought years ago and the manufacturer went out of business.

OK, this is off topic. Just wanted to show that kernel modules may be
necessary.
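The controls this thread keeps returning to are setuid binaries owned by an account other than root, the schg flag, and securelevel (see Verigakis's reply and the Taylor UUCP exchange below). As an added example that is not from any poster, this sh script audits all three on a FreeBSD host; `unlocked_setuid`, `schg_enforced` and `sample_audit` are names of its own, it assumes FreeBSD's `ls -lo` column layout, and the sample ls lines are constructed for it.

```shell
#!/bin/sh
# Added example, not from any poster in this thread.  Audit helper for the
# controls the thread keeps coming back to: setuid/setgid binaries owned by an
# account other than root (which that account can chmod u+w and overwrite), the
# schg flag that stops this, and the securelevel that stops root from clearing
# the flag.  Function names and the sample data are this example's own.

# unlocked_setuid: read `ls -lo` lines on stdin (FreeBSD layout:
# mode links owner group flags size month day time name) and print the name of
# every setuid/setgid file that is owned by a non-root user and carries no
# schg flag.  Root-owned files are skipped: the attack discussed is the owning
# account rewriting its own binary, which root does not need to do.
unlocked_setuid() {
    awk '
        substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/ {
            if ($3 == "root") next
            n = split($5, f, ",")          # flags column: "-" or e.g. "schg,uchg"
            locked = 0
            for (k = 1; k <= n; k++) if (f[k] == "schg") locked = 1
            if (!locked) print $10
        }'
}

# schg_enforced: given kern.securelevel, report whether schg is actually
# binding on root.  Below 1 root can simply chflags noschg and write the file.
schg_enforced() {
    if [ "$1" -ge 1 ] 2>/dev/null; then echo yes; else echo no; fi
}

# Constructed sample (not real output), modelled on the ls listing quoted in
# the thread, after `chflags schg` has been applied to uucp but not to cu.
sample_audit() {
    printf '%s\n' \
        '-r-sr-sr-x  1 uucp  dialer  -     123888 Jul 23 22:22 /usr/bin/cu' \
        '-r-sr-xr-x  1 uucp  wheel   schg   88228 Jul 23 22:22 /usr/bin/uucp' \
        '-r-sr-xr-x  1 root  wheel   -      28512 Jul 23 22:22 /usr/bin/su' \
        '-r-xr-xr-x  1 uucp  dialer  -      38340 Jul 23 22:24 /usr/bin/tip' \
        | unlocked_setuid
}

# Live run, only on FreeBSD, where ls -o prints file flags and the sysctl exists.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
    level=$(sysctl -n kern.securelevel)
    echo "kern.securelevel=$level, schg binding on root: $(schg_enforced "$level")"
    find /usr/bin /usr/libexec -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -lo {} + | unlocked_setuid
fi
```

On the constructed sample only /usr/bin/cu is reported: uucp already carries schg, su is root-owned, and tip is not setuid.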
From owner-freebsd-security Sun Sep 9 1: 8:58 2001
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id 0F8A537B401 for ; Sun, 9 Sep 2001 01:08:54 -0700 (PDT)
Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id SAA31956; Sun, 9 Sep 2001 18:08:44 +1000
Date: Sun, 9 Sep 2001 18:07:52 +1000 (EST)
From: Bruce Evans
X-X-Sender:
To: Matt Dillon
Cc: Mike Tancsa ,
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-Reply-To: <200109082045.f88KjjK29003@earth.backplane.com>
Message-ID: <20010909174638.Q3607-100000@alphplex.bde.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 8 Sep 2001, Matt Dillon wrote:

> We should probably chflags all binaries that are not owned by root
> but might be run by root 'schg'. At the very least. That's in
> addition to any fix of the problem. These binaries really have got
> to be set 'schg'.
>
> -r-sr-sr-x 1 uucp dialer 123888 Jul 23 22:22 cu
> -r-sr-xr-x 1 man wheel 28512 Jul 23 22:22 man
> -r-xr-xr-x 1 uucp dialer 38340 Jul 23 22:24 tip
     ^^^
> -r-sr-xr-x 1 uucp wheel 88228 Jul 23 22:22 uucp
> -r-sr-xr-x 1 uucp wheel 37312 Jul 23 22:22 uuname
> -r-sr-sr-x 1 uucp dialer 96752 Jul 23 22:22 uustat
> -r-sr-xr-x 1 uucp wheel 88844 Jul 23 22:22 uux
>
> chflags schg /usr/bin/{cu,man,tip,uucp,uuname,uustat,uux}

tip isn't one of these. It has bogus ownership in case the BINMODE in
its Makefile is uncommented.

I don't see how schg'ing these binaries makes them significantly more
secure. These binaries are not writable by uucp. They are writable
by root, but root can just as easily un-schg them as write them.
If schg'ing these binaries somehow helps, then it is probably also needed
for:

-r-sr-sr-x 1 uucp dialer - 550956 Aug 21 09:38 /usr/libexec/uucp/uucico
-r-sr-s--- 1 uucp uucp - 425944 Aug 21 09:38 /usr/libexec/uucp/uuxqt

Bruce

From owner-freebsd-security Sun Sep 9 1:10:27 2001
Received: from algol.vtrip-ltd.com (algol.vtrip-ltd.com [139.91.200.19]) by hub.freebsd.org (Postfix) with ESMTP id EA0E237B403 for ; Sun, 9 Sep 2001 01:10:21 -0700 (PDT)
Received: from verigak (helo=localhost) by algol.vtrip-ltd.com with local-esmtp (Exim 3.12 #1 (Debian)) id 15fzcq-0008V3-00; Sun, 09 Sep 2001 11:07:32 +0300
Date: Sun, 9 Sep 2001 11:07:32 +0300 (EEST)
From: Giorgos Verigakis
To: Deepak Jain
Cc: Kris Kennaway , D J Hawkey Jr , Alexander Langer ,
Subject: RE: Kernel-loadable Root Kits
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 8 Sep 2001, Deepak Jain wrote:

>
> Presumably, a user in userland has root to be loading a kernel module in the
> first place.
>
> This user could easily edit the rc.conf file to boot up in securelevel=-1
> and reboot the machine -- as well as circumvent most notifications about the
> reboot.

Yes, but then you can chflag schg rc.conf rc ... (or maybe the whole /etc)

>
> Hell, if I wanted to compromise a box, screwing the kernel directly is the
> way to go. Especially for remotely administered boxes, there is almost no
> downside.
>
> Deepak Jain
> AiNET
>
>
>
> -----Original Message-----
> From: Kris Kennaway [mailto:kris@obsecurity.org]
> Sent: Saturday, September 08, 2001 6:37 PM
> To: D J Hawkey Jr
> Cc: Alexander Langer; deepak@ai.net; freebsd-security@FreeBSD.ORG
> Subject: Re: Kernel-loadable Root Kits
>
>
> On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
>
> > Q: Can the kernel be "forced" to load a module from within itself? That
> > is, does a cracker need to be in userland?
>
> If you're at securelevel 1 or higher, you shouldn't be able to cause
> untrusted code to be loaded by the kernel by "legal" means, only by
> "illegal" means such as exploiting kernel buffer overflows and other
> bugs which may exist.
>
> Kris
>

From owner-freebsd-security Sun Sep 9 1:22: 3 2001
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 1395D37B407 for ; Sun, 9 Sep 2001 01:21:59 -0700 (PDT)
Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f898Le338879; Sun, 9 Sep 2001 12:21:40 +0400 (MSD) (envelope-from ache)
Date: Sun, 9 Sep 2001 12:21:40 +0400
From: "Andrey A. Chernov"
To: Bruce Evans
Cc: Matt Dillon , Mike Tancsa , security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909122140.A38804@nagual.pp.ru>
References: <200109082045.f88KjjK29003@earth.backplane.com> <20010909174638.Q3607-100000@alphplex.bde.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010909174638.Q3607-100000@alphplex.bde.org>
User-Agent: Mutt/1.3.21i

On Sun, Sep 09, 2001 at 18:07:52 +1000, Bruce Evans wrote:
> I don't see how schg'ing these binaries makes them significantly more
> secure. These binaries are not writable by uucp. They are writable
> by root, but root can just as easily un-schg them as write them.

From user, chmod u+w binary, then overwrite it

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sun Sep 9 1:37: 1 2001
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id D4E3037B403 for ; Sun, 9 Sep 2001 01:36:57 -0700 (PDT)
Received: (from dillon@localhost) by earth.backplane.com (8.11.6/8.11.2) id f898atk32035; Sun, 9 Sep 2001 01:36:55 -0700 (PDT) (envelope-from dillon)
Date: Sun, 9 Sep 2001 01:36:55 -0700 (PDT)
From: Matt Dillon
Message-Id: <200109090836.f898atk32035@earth.backplane.com>
To: Bruce Evans
Cc: Mike Tancsa ,
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
References: <20010909174638.Q3607-100000@alphplex.bde.org>

:I don't see how schg'ing these binaries makes them significantly more
:secure. These binaries are not writable by uucp. They are writable
:by root, but root can just as easily un-schg them as write them.
:

    Huh? The binaries are owned by user uucp, so they are writable by
    user uucp.

        su - uucp
        cd /usr/bin
        chmod 755 uucp
        vi uucp (have fun)
        chmod 4555 uucp

                                        -Matt

From owner-freebsd-security Sun Sep 9 4: 7:38 2001
Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100]) by hub.freebsd.org (Postfix) with ESMTP id 4276A37B403 for ; Sun, 9 Sep 2001 04:07:29 -0700 (PDT)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by brea.mc.mpls.visi.com (Postfix) with ESMTP id 545522DDB7C; Sun, 9 Sep 2001 06:07:28 -0500 (CDT)
Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f89B7NB01178; Sun, 9 Sep 2001 06:07:23 -0500 (CDT) (envelope-from hawkeyd)
Date: Sun, 9 Sep 2001 06:07:18 -0500
From: D J Hawkey Jr
To: Krzysztof Zaraska
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010909060718.A1135@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <20010908171641.A79354@sheol.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Sun, Sep 09, 2001 at 10:05:54AM +0200

On Sep 09, at 10:05 AM, Krzysztof Zaraska wrote:
>
> On Sat, 8 Sep 2001, D J Hawkey Jr wrote:
>
> > On Sep 08, at 08:07 PM, Krzysztof Zaraska wrote:
> > >
> > > But activity in /tmp is normal and will be ignored by tripwire, right?
> >
> > Tripwire's policy file can reflect nearly any level of Admin paranoia.
>
> Ever seen an admin that would observe changes in /tmp on a daily basis?

No, but I could see one getting interested in /tmp if events led him or
her there. Actually, I rather thought the /tmp thang an example; my reply
was therefore in a more generic vein.

> > > Or, something LIDS-like.
> >
> > You're the second to mention LIDS. I know so little about it as to
> > refrain from comment (like, why should I let that stop me now?). Based
> > on another's description, it strikes me as rather over-engineered, but
> > that's an ignorant opinion. Maybe it has to be.
>
> Well. I heard about it once, went to their site, read the docs and ran
> away ;). Seriously, it seemed to offer interesting features but all the
> complications scared me off.
>
> > RedHat does seem more dependent on LKMs than FreeBSD and KLDs, at least
> > out-of-the-box, so perhaps the modules are more of a security issue?
>
> This is due to the way the Linux bootloader works. The compressed kernel
> image must fit within the first 640K of memory, so that imposes a limit on
> the kernel size. Since they want plug-and-play they must have all the
> existing drivers (save maybe video cards and the like) built. But taking
> into account the kernel size limit they must be built as modules. FreeBSD
> also has lots of drivers in the GENERIC kernel (for a similar reason) but
> this system does not seem to have this kind of limitation.
>
> IIRC there are some Linux drivers that _must_ be built as modules for some
> reason (PPP-related stuff, I guess).
>
> I hope this discussion won't end up with advocacy of FreeBSD's superiority
> to Linux in the area of kernel modules.

Not by my hand. Not in public, anyway. ;-,

> BTW: is there a way to build linux.ko in the kernel? Or is it a must-be
> module?

Dunno. I haven't needed to run a Linux app under FreeBSD yet, so I don't
even enable compatibility.

SeeYa,
Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Sun Sep 9 4:46:44 2001
Received: from bluenugget.net (bsd.st [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 3401E37B401 for ; Sun, 9 Sep 2001 04:46:40 -0700 (PDT)
Received: by bluenugget.net (Postfix, from userid 1000) id 973E513602; Sun, 9 Sep 2001 04:49:13 -0700 (PDT)
Date: Sun, 9 Sep 2001 04:49:13 -0700
From: Jason DiCioccio
To: D J Hawkey Jr
Cc: Krzysztof Zaraska , freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010909044913.A12564@bluenugget.net>
References: <20010908171641.A79354@sheol.localdomain> <20010909060718.A1135@sheol.localdomain>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ew6BAiZeqk4r7MaW"
Content-Disposition: inline
In-Reply-To: <20010909060718.A1135@sheol.localdomain>
User-Agent: Mutt/1.3.21i

--ew6BAiZeqk4r7MaW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[big snip]
> > BTW: is there a way to build linux.ko in the kernel? Or is it a must-be
> > module?
[big snip]

options COMPAT_LINUX

Cheers,
-JD-

--
Jason DiCioccio - geniusj@bsd.st - PGP Key @ http://bsd.st/~geniusj/pgpkey.asc
PGP Key Fingerprint C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08

--ew6BAiZeqk4r7MaW
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBO5tXN9NQlZYENnwIEQIEygCfWBcSRoowWeOvEqtTo7YbGVmhD+IAoNQe
A2ssYWhfBMq6f+9Tx5TCGfX4
=bYnW
-----END PGP SIGNATURE-----

--ew6BAiZeqk4r7MaW--

From owner-freebsd-security Sun Sep 9 4:47:26 2001
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id C427837B405 for ; Sun, 9 Sep 2001 04:47:17 -0700 (PDT)
Received: by bazooka.unixfreak.org (Postfix, from userid 1000) id 80C903E28; Sun, 9 Sep 2001 04:47:17 -0700 (PDT)
Received: from bazooka.unixfreak.org (localhost [127.0.0.1]) by bazooka.unixfreak.org
    (Postfix) with ESMTP id 72CF73C12E; Sun, 9 Sep 2001 04:47:17 -0700 (PDT)
To: "Andrew R. Reiter"
Cc: Kris Kennaway , security@freebsd.org
Subject: Re: netbsd vulnerabilities
In-Reply-To: ; from arr@watson.org on "Sat, 8 Sep 2001 06:43:49 -0400 (EDT)"
Date: Sun, 09 Sep 2001 04:47:12 -0700
From: Dima Dorfman
Message-Id: <20010909114717.80C903E28@bazooka.unixfreak.org>

"Andrew R. Reiter" wrote:
> The attached code fixes the semop bug which is specified in the recent
> NetBSD security announcement. I'm not positive about the naming scheme
> wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
> it u_int b/c i saw in sysproto.h that there seemed to be more u_int's
> instead of size_t's :-)

Great logic. I think semop_args.nsops should be u_int (like you made it)
because that's how it's listed in syscalls.master.

> --- kern/sysv_sem.c.orig Sat Sep 8 03:11:21 2001
> +++ kern/sysv_sem.c Sat Sep 8 03:20:23 2001
> @@ -672,7 +672,7 @@
>  struct semop_args {
>  int semid;
>  struct sembuf *sops;
> - int nsops;
> + u_int nsops;
>  };
>  #endif
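Review bot: the `int` to `u_int` change for `nsops` in `struct semop_args` is the substantive part of the fix, because the `if (nsops > MAX_SOPS)` bound in semop() becomes an unsigned comparison and a count that a caller could previously pass as a negative `int` is now rejected there instead of reaching `copyin()` with `nsops * sizeof(sops[0])` as its length. The `SEM_DEBUG` printf calls that format `nsops` with `%d` should be switched to `%u` in the same patch rather than left for a follow-up.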
>
> @@ -682,17 +682,18 @@
>  register struct semop_args *uap;
>  {
>  int semid = uap->semid;
> - int nsops = uap->nsops;
> + u_int nsops = uap->nsops;
>  struct sembuf sops[MAX_SOPS];
>  register struct semid_ds *semaptr;
>  register struct sembuf *sopptr;
>  register struct sem *semptr;
>  struct sem_undo *suptr = NULL;
> - int i, j, eval;
> + u_int i, j;
> + int eval;

What's the point of this change? i and j are used as indices into sops[],
and don't really need to be unsigned. Furthermore, I think this change
introduces an infinite loop bug. On line 1017 (r1.34), we have:

	for (j = i - 1; j >= 0; j--) {
		if ((sops[j].sem_flg & SEM_UNDO) == 0)
			continue;
		adjval = sops[j].sem_op;
		if (adjval == 0)
			continue;
		if (semundo_adjust(p, &suptr, semid,
		    sops[j].sem_num, adjval) != 0)
			panic("semop - can't undo undos");
	}

Since j is unsigned, the test in the for loop will always succeed, and the
only other way out of this loop is by way of panic(). That said, I'm not
sure if this loop can ever be entered as a result of the user doing
something (i.e., can't be "exploited" per se)--although I haven't tried.
It is only executed if semundo_adjust() fails, which, as far as I can
tell, can only happen if memory allocation fails. Nevertheless, it isn't
good to have a sure-thing infinite loop in the kernel :-).

> --- sys/sem.h.orig Sat Sep 8 03:21:08 2001
> +++ sys/sem.h Sat Sep 8 03:21:27 2001
> @@ -101,7 +101,7 @@
>  int semsys __P((int, ...));
>  int semctl __P((int, int, int, ...));
>  int semget __P((key_t, int, int));
> -int semop __P((int, struct sembuf *,unsigned));
> +int semop __P((int, struct sembuf *, u_int));

I don't see the point of this, either, except to break consistency with
the manual page. `u_int' is the same as `unsigned'.

The other changes look pretty good. Attached is the corresponding patch
to -current. If nobody sees anything wrong in about a day, I'll commit
this and MFC it after the RE's approval.

Kris, SO--objections?

Thanks.

Index: sysv_sem.c
===================================================================
RCS file: /ref/cvsf/src/sys/kern/sysv_sem.c,v
retrieving revision 1.34
diff -u -r1.34 sysv_sem.c
--- sysv_sem.c 31 Aug 2001 00:02:18 -0000 1.34
+++ sysv_sem.c 9 Sep 2001 11:28:32 -0000
@@ -781,7 +781,7 @@
 struct semop_args {
 int semid;
 struct sembuf *sops;
- int nsops;
+ u_int nsops;
 };
 #endif
@@ -794,7 +794,7 @@
 register struct semop_args *uap;
 {
 int semid = uap->semid;
- int nsops = uap->nsops;
+ u_int nsops = uap->nsops;
 struct sembuf sops[MAX_SOPS];
 register struct semid_ds *semaptr;
 register struct sembuf *sopptr;
@@ -804,7 +804,7 @@
 int do_wakeup, do_undos;
 #ifdef SEM_DEBUG
- printf("call to semop(%d, 0x%x, %d)\n", semid, sops, nsops);
+ printf("call to semop(%d, 0x%x, %u)\n", semid, sops, nsops);
 #endif
 mtx_lock(&Giant);
@@ -840,7 +840,7 @@
 if (nsops > MAX_SOPS) {
 #ifdef SEM_DEBUG
- printf("too many sops (max=%d, nsops=%d)\n", MAX_SOPS, nsops);
+ printf("too many sops (max=%d, nsops=%u)\n", MAX_SOPS, nsops);
 #endif
 error = E2BIG;
 goto done2;
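Review bot: with `nsops` declared `u_int` in the -794 hunk, `if (nsops > MAX_SOPS)` here rejects every count above MAX_SOPS, including what the old signed `int` would have let through as a negative value, with E2BIG before the copyin into the fixed `sops[MAX_SOPS]` stack array, and the `%u` format keeps the debug message consistent with the new type. The remaining `%d` in the same printf is for `MAX_SOPS`, so it is correct as left.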
@@ -848,7 +848,7 @@
 if ((error = copyin(uap->sops, &sops, nsops * sizeof(sops[0]))) != 0) {
 #ifdef SEM_DEBUG
- printf("error = %d from copyin(%08x, %08x, %d)\n", error,
+ printf("error = %d from copyin(%08x, %08x, %u)\n", error,
 uap->sops, &sops, nsops * sizeof(sops[0]));
 #endif
 goto done2;

From owner-freebsd-security Sun Sep 9 5:24: 5 2001
Received: from r220-1.rz.RWTH-Aachen.DE (r220-1.rz.RWTH-Aachen.DE [134.130.3.31]) by hub.freebsd.org (Postfix) with ESMTP id C24BE37B403 for ; Sun, 9 Sep 2001 05:23:58 -0700 (PDT)
Received: from r220-1.rz.RWTH-Aachen.DE (relay2.RWTH-Aachen.DE [134.130.3.1]) by r220-1.rz.RWTH-Aachen.DE (8.10.1/8.11.3-2) with ESMTP id f89CNrc00100; Sun, 9 Sep 2001 14:23:53 +0200 (MEST)
Received: from kawoserv.kawo2.rwth-aachen.de (root@kawoserv.kawo2.RWTH-Aachen.DE [134.130.180.1]) by r220-1.rz.RWTH-Aachen.DE (8.10.1/8.11.3/5) with ESMTP id f89CNqu00096; Sun, 9 Sep 2001 14:23:52 +0200 (MEST)
Received: (from doegi@localhost) by kawoserv.kawo2.rwth-aachen.de (8.9.3/8.9.3) id OAA26781; Sun, 9 Sep 2001 14:23:50 +0200
Date: Sun, 9 Sep 2001 14:23:49 +0200
From: Alexander Langer
To: Giorgos Keramidas
Cc: D J Hawkey Jr , deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010909142349.A26496@kawoserv.kawo2.rwth-aachen.de>
References: <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908183728.D840@ringworld.oblivion.bg> <20010908105308.A78138@sheol.localdomain> <20010908203935.B54535@fump.kawo2.rwth-aachen.de> <20010909003011.B6949@hades.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3us
In-Reply-To: <20010909003011.B6949@hades.hell.gr>
X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8 A8 E3 BA F3 4E 60 7D 7F
X-PGP-at: finger alex@big.endian.de
X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung.

Thus spake Giorgos Keramidas (charon@labs.gr):

> Guys, this has a simple and elegant solution. Raise your securelevel,
> if you are worried so much. You don't have to do some special
> kernel-hacker magic.

If it was that easy...
Alex

Date: Sun, 9 Sep 2001 15:16:42 +0200
From: Gabriel Ambuehl
To: Giorgos Verigakis
Cc: Deepak Jain, Kris Kennaway, D J Hawkey Jr, Alexander Langer, freebsd-security@FreeBSD.ORG
Subject: Re[2]: Kernel-loadable Root Kits
Message-ID: <151193622478.20010909151642@buz.ch>

-----BEGIN PGP SIGNED MESSAGE-----

Hello Giorgos,

Sunday, September 09, 2001, 10:07:32 AM, you wrote:
>> This user could easily edit the rc.conf file to boot up in
>> securelevel=-1 and reboot the machine -- as well as circumvent
>> most notifications about the reboot.

> Yes, but then you can chflag schg rc.conf rc ... (or maybe the
> whole /etc)

Would you care to point out how I could lower the securelevel then
for legitimate use (i.e. updates or changes to /etc) of the system
by the administrators?
Best regards,
 Gabriel

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQEVAwUBO5tdrsZa2WpymlDxAQHC5Af+OWFg0iJhixVi5CmlBe4POEc8cQmai97W
aa1eCPkkNqwHZBQD3b4CGlvCIJZogH0Nv+GQcvsJECx8GHBSczbjl6E003hVTpSr
JiBILeEy2pp67rKRSM4KZjqvnLKWNoHjXfrd62Hr2SqqVZ4rtOkvwviW1QWF/DCO
52erGgJU7Xp2i83JlVWi0lUZsXuwSp6IafccfNVSuWluobJLzcS8Tg9FanPbnovR
/1wgY0z0lEVm/ri2rPdUGM6kKSn3h+1ORltc/c9F2WVIqleL3Z4TAZOBrbKR+0Mm
6oD2SPRti6TZ9riB/ayK+Jafhhh7AC/le55exGlSzBNVF9SR5F4AWQ==
=4lFV
-----END PGP SIGNATURE-----

Date: Sun, 09 Sep 2001 09:38:31 -0400
To: security@FreeBSD.ORG
From: Mark Thomas
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-Reply-To: <20010909174638.Q3607-100000@alphplex.bde.org>
References: <200109082045.f88KjjK29003@earth.backplane.com>
Message-Id: <5.1.0.14.2.20010909093635.0238e540@pbegames.com>

Assuming one does NOT run uucp in any way, is there a recommended way to
disable all uucp features? Changing all executables to read-only and
removing periodic scripts seems like a good start. What else might be
needed?

Mark

---
thomas@pbegames.com -------------> http://www.pbegames.com/~thomas
Play by Electron Games ----------> http://www.pbegames.com [TM4463-ORG]

Date: Sun, 9 Sep 2001 16:05:44 +0200 (CEST)
From: Simon Nielsen
To: Gabriel Ambuehl
Subject: Re[2]: Kernel-loadable Root Kits
In-Reply-To: <151193622478.20010909151642@buz.ch>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 9 Sep 2001, Gabriel Ambuehl wrote:

> Would you care to point out how I could lower the securelevel then
> for legitimate use (i.e. updates or changes to /etc) of the system by
> the administrators?

Reboot.. and if you set the securelevel automatically on boot (e.g. in
rc.conf) you must start in single user mode after the reboot.

Simon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/

iD8DBQE7m3c/8kocFXgPTRwRAtk5AJ9rV+hNKeb3q3qOHJeEFFwEUWzJOgCfV1Dv
MxOXyWI3KZcwmK9k85f1q5U=
=1FaF
-----END PGP SIGNATURE-----

Date: Sun, 9 Sep 2001 16:11:24 +0200
From: Gabriel Ambuehl
To: Simon Nielsen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[3]: Kernel-loadable Root Kits
Message-ID: <1521196904667.20010909161124@buz.ch>

-----BEGIN PGP SIGNED MESSAGE-----

Hello Simon,

Sunday, September 09, 2001, 4:05:44 PM, you wrote:
>> Would you care to point out how I could lower the securelevel then
>> for legitimate use (i.e. updates or changes to /etc) of the system
>> by the administrators?

> Reboot.. and if you set the securelevel automatically on boot (e.g.
> in rc.conf) you must start in single user mode after the reboot.

Yeah I know that this would be a way to do it but it's rather hard to
do with colocated servers...
Best regards,
 Gabriel

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQEVAwUBO5tqgMZa2WpymlDxAQFg6Af/VfKirIl5oYz3LVUakUS7Q16w/vIzL59F
UFetmgbsJ8uqOVwa84ZPgJSLdeKZVt5YccCe+JO2DOHiEZrxV3vwzyEoLU5tcnv3
J3/mfhHj6hqrP8QQF61QyaurCVNOnm9ciVAJbWXWsGXQfL5DIW4vLuZg6PguoM0X
0CYoS4QDFQK9izctehwof7aurLGpeYY6GCmSMvqe+kfNFMFW3XFag6owdvmbX/DI
k7eVOUFg67paOk46oSIFaXG0zTq/7dg2aNq8WrbEnWy78SSNBbomqqrjAHkWQaq6
n7Sml3BJ/ttG2M1z6Um308OyGubDwmetqro4EgFA4y9Z+W0GlC56Iw==
=7aNV
-----END PGP SIGNATURE-----

Date: Sun, 9 Sep 2001 16:31:55 +0200 (CEST)
From: Simon Nielsen
To: Gabriel Ambuehl
Subject: Re[3]: Kernel-loadable Root Kits
In-Reply-To: <1521196904667.20010909161124@buz.ch>

On Sun, 9 Sep 2001, Gabriel Ambuehl wrote:

> >> Would you care to point out how I could lower the securelevel then
> >> for legitimate use (i.e. updates or changes to /etc) of the system
> >> by the administrators?

> > Reboot.. and if you set the securelevel automatically on boot (e.g.
> > in rc.conf) you must start in single user mode after the reboot.

> Yeah I know that this would be a way to do it but it's rather hard to
> do with colocated servers...

That's right, but I'm rather sure rebooting is the only way to lower the
securelevel (anyone please correct me if I'm wrong).

From init(8):

     The kernel runs with four different levels of security. Any super-user
     process can raise the security level, but no process can lower it.
     [CUT]

Simon

Date: Mon, 10 Sep 2001 03:42:51 +1000 (EST)
From: Bruce Evans
To: Dima Dorfman
Cc: "Andrew R. Reiter", Kris Kennaway
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010909114717.80C903E28@bazooka.unixfreak.org>
Message-ID: <20010910033441.I7598-100000@alphplex.bde.org>

On Sun, 9 Sep 2001, Dima Dorfman wrote:

> "Andrew R. Reiter" wrote:
> > The attached code fixes the semop bug which is specified in the recent
> > NetBSD security announcement. I'm not positive about the naming scheme
> > wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
> > it u_int b/c I saw in sysproto.h that there seemed to be more u_int's
> > instead of size_t's :-)

Great logic.

> I think semop_args.nsops should be u_int (like you made it) because
> that's how it's listed in syscalls.master.

It should match the (SYSV) spec, whatever that says. syscalls.master is
rarely correct.

> > --- sys/sem.h.orig Sat Sep 8 03:21:08 2001
> > +++ sys/sem.h Sat Sep 8 03:21:27 2001
> > @@ -101,7 +101,7 @@
> > int semsys __P((int, ...));
> > int semctl __P((int, int, int, ...));
> > int semget __P((key_t, int, int));
> > -int semop __P((int, struct sembuf *,unsigned));
> > +int semop __P((int, struct sembuf *, u_int));

I don't see the point of this, either, except to break consistency with
the manual page. `u_int' is the same as `unsigned'. This also fixes a
style bug (missing space after comma) and takes us further from removing
dependencies on . Anyway, this has nothing to do with the bug (unless the
correct type is not unsigned int).

> The other changes look pretty good. Attached is the corresponding
> patch to -current. If nobody sees anything wrong in about a day, I'll
> commit this and MFC it after the RE's approval.

OK.

Bruce
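The hunks above change the declared type of semop's nsops count and the printf conversion that reports it. As an added example (constructed here; not Andrew's or Dima's patch, and not FreeBSD's real semop code), the block below shows why the declared type matters for the bound check that precedes the copyin: with a signed count, a negative value passes a "too many operations" test and then becomes an enormous byte count when multiplied by sizeof; with an unsigned count, the same compare rejects it. The struct layout, the `MAX_SOPS` limit and the form of the check are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the semop(2) argument handling discussed in the
 * thread.  The struct follows the classic SysV sembuf layout; the limit and
 * the bound check are assumptions, not FreeBSD's actual kernel code. */
struct sembuf_model {
    unsigned short sem_num;   /* semaphore index */
    short          sem_op;    /* operation */
    short          sem_flg;   /* IPC_NOWAIT, SEM_UNDO */
};

#define MAX_SOPS 100          /* assumed per-call limit on operations */

/* Before the patch: the count is a plain int.  A negative count is "not
 * greater than MAX_SOPS", so the check passes it through.  Returns 1 when
 * the count is accepted. */
int accepts_count_signed(int nsops)
{
    if (nsops > MAX_SOPS)
        return 0;              /* rejected: too many operations */
    return 1;                  /* accepted, including every nsops < 0 */
}

/* After the patch: the count is unsigned.  A caller's -1 arrives as
 * UINT_MAX and the same compare now rejects it. */
int accepts_count_unsigned(unsigned int nsops)
{
    if (nsops > MAX_SOPS)
        return 0;
    return 1;
}

/* Byte count that would be handed to copyin() for an accepted count, with
 * the multiply guarded against size_t overflow.  Returns 0 when the count
 * is 0 or the product would not fit in a size_t. */
size_t copyin_length(unsigned int nsops)
{
    size_t n = nsops;
    if (n == 0 || n > SIZE_MAX / sizeof(struct sembuf_model))
        return 0;
    return n * sizeof(struct sembuf_model);
}

/* What the pre-patch expression nsops * sizeof(sops[0]) evaluates to when
 * nsops is a negative int: the int converts to size_t before the multiply,
 * so the request becomes enormous.  Deliberately unguarded; this is the
 * value the signed version would have passed along. */
size_t copyin_length_from_signed(int nsops)
{
    return (size_t)nsops * sizeof(struct sembuf_model);
}

int main(void)
{
    printf("signed check accepts -1:   %d\n", accepts_count_signed(-1));
    printf("unsigned check accepts -1: %d\n", accepts_count_unsigned(UINT_MAX));
    printf("bytes requested for -1 via int: %zu\n",
           copyin_length_from_signed(-1));
    printf("bytes requested for 3:          %zu\n", copyin_length(3));
    return 0;
}
```

The point Bruce makes about `u_int` versus `unsigned` being the same type holds here too: what matters is signed versus unsigned, and that the byte count is computed and checked as a size_t rather than narrowed back to an int for the compare or the format string.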
From: Eric Thern
Date: Sun, 09 Sep 2001 18:31:27 GMT
Message-ID: <20010909.18312775@mis.configured.host>
Subject: Re: Kernel-loadable Root Kits < securelevel >
To: Simon Nielsen

> > >> Would you care to point out how I could lower the securelevel then
> > >> for legitimate use (i.e. updates or changes to /etc) of the system
> > >> by the administrators?
> > > Reboot.. and if you set the securelevel automatically on boot (e.g.
> > > in rc.conf) you must start in single user mode after the reboot.
> > Yeah I know that this would be a way to do it but it's rather hard to
> > do with colocated servers...
> That's right, but I'm rather sure rebooting is the only way to lower the
> securelevel (anyone please correct me if I'm wrong).
> From init(8):
> The kernel runs with four different levels of security. Any super-user
> process can raise the security level, but no process can lower it.
> [CUT]

Is there any possibility of having console be able to lower the
securelevel without rebooting? In a situation with dedicated or
colocated servers where only one person has console access, it would sure
be a wonderful thing, although I'm fairly certain there is some security
loophole in that whole mess.
-Eric

Date: Sun, 9 Sep 2001 21:58:29 +0300
From: Peter Pentchev
To: Eric Thern
Cc: Simon Nielsen, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits < securelevel >
Message-ID: <20010909215829.A733@ringworld.oblivion.bg>
In-Reply-To: <20010909.18312775@mis.configured.host>

On Sun, Sep 09, 2001 at 06:31:27PM +0000, Eric Thern wrote:
> > > >> Would you care to point out how I could lower the securelevel then
> > > >> for legitimate use (i.e. updates or changes to /etc) of the system
> > > >> by the administrators?
> > > > Reboot.. and if you set the securelevel automatically on boot (e.g.
> > > > in rc.conf) you must start in single user mode after the reboot.
> > > Yeah I know that this would be a way to do it but it's rather hard to
> > > do with colocated servers...
> > That's right, but I'm rather sure rebooting is the only way to lower the
> > securelevel (anyone please correct me if I'm wrong).
> > From init(8):
> > The kernel runs with four different levels of security. Any super-user
> > process can raise the security level, but no process can lower it.
> > [CUT]
>
> Is there any possibility of having console be able to lower the
> securelevel without rebooting? In a situation with dedicated or
> colocated servers where only one person has console access, it would sure
> be a wonderful thing, although I'm fairly certain there is some security
> loophole in that whole mess.
If ddb support is compiled into the kernel, then it could be as easy as
hitting Ctrl-PrtScr and using ddb to modify the value of the kernel
variable named 'securelevel'.

G'luck,
Peter

--
The rest of this sentence is written in Thailand, on

Date: Sun, 9 Sep 2001 15:03:22 -0400
From: "Deepak Jain"
To: "Gabriel Ambuehl", "Giorgos Verigakis"
Cc: "Kris Kennaway", "D J Hawkey Jr", "Alexander Langer"
Subject: RE: Re[2]: Kernel-loadable Root Kits
In-Reply-To: <151193622478.20010909151642@buz.ch>

Exactly! The old security adage comes to mind -- the more useful a system
is, by definition, the less secure it is.

The most secure server in the world is one that is unplugged from
everything and locked in a closet somewhere.

Deepak Jain
AiNET

-----Original Message-----
From: Gabriel Ambuehl [mailto:gabriel_ambuehl@buz.ch]
Sent: Sunday, September 09, 2001 9:17 AM
To: Giorgos Verigakis
Cc: Deepak Jain; Kris Kennaway; D J Hawkey Jr; Alexander Langer; freebsd-security@FreeBSD.ORG
Subject: Re[2]: Kernel-loadable Root Kits

-----BEGIN PGP SIGNED MESSAGE-----

Hello Giorgos,

Sunday, September 09, 2001, 10:07:32 AM, you wrote:
>> This user could easily edit the rc.conf file to boot up in
>> securelevel=-1 and reboot the machine -- as well as circumvent
>> most notifications about the reboot.

> Yes, but then you can chflag schg rc.conf rc ... (or maybe the
> whole /etc)

Would you care to point out how I could lower the securelevel then
for legitimate use (i.e. updates or changes to /etc) of the system
by the administrators?

Best regards,
 Gabriel

Date: Sun, 9 Sep 2001 15:58:05 -0300 (ART)
From: Fernando Gleiser
To: Eric Thern
Subject: Re: Kernel-loadable Root Kits < securelevel >
In-Reply-To: <20010909.18312775@mis.configured.host>
Message-ID: <20010909153307.V4633-100000@cactus.fi.uba.ar>

On Sun, 9 Sep 2001, Eric Thern wrote:

> Is there any possibility of having console be able to lower the
> securelevel without rebooting? In a situation with dedicated or
> colocated servers where only one person has console access, it would sure
> be a wonderful thing, although I'm fairly certain there is some security
> loophole in that whole mess.

If you have DDB enabled in your kernel, you can break to it and lower the
securelevel from the debugger. Leave ddb, do whatever you have to do then
raise your securelevel again.

			Fer

> -Eric

Date: Sun, 9 Sep 2001 22:16:23 +0100
From: Alex Holst
To: freebsd-security@FreeBSD.ORG
Subject: Re: Re[2]: Kernel-loadable Root Kits
Message-ID: <20010909221623.A58504@area51.dk>
References: <151193622478.20010909151642@buz.ch>

Quoting Deepak Jain (deepak@ai.net):
> The most secure server in the world is one that is unplugged from everything
> and locked in a closet somewhere.

Seeing as how "availability" is considered part of security, this is a load
of [snip] which gives non-security type people the wrong view of what
security is.

Besides, in the situation where a server is locked in a closet, all you have
to do is call up the receptionist and in an urgent voice tell her to plug
the machine back in and flick the powerswitch.

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                http://a.area51.dk/

Message-ID: <3B9C1B0B.8399E810@hefei.cngb.com>
Date: Mon, 10 Sep 2001 09:44:43 +0800
From: jack chen
To: FreeBSD-security@FreeBSD.org
Subject: [Fwd: May you give me answer?]

Message-ID: <3B9B5FE6.C74D01FE@hefei.cngb.com>
Date: Sun, 09 Sep 2001 20:26:15 +0800
From: jack chen
To: questions@FreeBSD.org
Subject: May you give me answer?

Hi there:

Recently my server installed FreeBSD released 4.2 often forbidden to
telnet and inetd process was shut down.

Then I read messages log and found indication: "Sep 8 08:39:17 fh666
/kernel: pid 179 (inetd), uid 0: exited on signal 11 (core dumped)".

Why is it? May you tell me how to resolve it?

Need your help.

Regards,
Jack

Date: Sun, 9 Sep 2001 18:46:49 -0700
From: Kris Kennaway
To: jack chen
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: [Fwd: May you give me answer?]
Message-ID: <20010909184649.A26258@xor.obsecurity.org>
In-Reply-To: <3B9C1B0B.8399E810@hefei.cngb.com>

On Mon, Sep 10, 2001 at 09:44:43AM +0800, jack chen wrote:
>
> Date: Sun, 09 Sep 2001 20:26:15 +0800
> From: jack chen
> Subject: May you give me answer?
> To: questions@FreeBSD.org
> X-Mailer: Mozilla 4.51 [zh-cn] (Win98; I)
> X-Mozilla-Status2: 00000000
> X-Accept-Language: zh-CN
>
> Hi there:
>
> Recently my server installed FreeBSD released 4.2 often forbidden to
> telnet and inetd process was shut down.
>
> Then I read messages log and found indication: "Sep 8 08:39:17 fh666
> /kernel: pid 179 (inetd), uid 0: exited on signal 11 (core dumped)".
>
> Why is it? May you tell me how to resolve it?
>
> Need your help.

Jack, I already answered this question the last time you asked it.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7nBuJWry0BWjoQKURAqTEAJ9aLZQdXqDJsK5acI3j9kT9sddMBgCgrs/3
uB+5+OGnM98/y/VvxooJKSo=
=BBKF
-----END PGP SIGNATURE-----
From: Gerald A. Speak
Reply-To: gaspeak@va.prestige.net
To: jack chen, FreeBSD-security@FreeBSD.org
Subject: Re: [Fwd: May you give me answer?]
Date: Sun, 9 Sep 2001 22:01:02 -0400
In-Reply-To: <3B9C1B0B.8399E810@hefei.cngb.com>
Message-Id: <20010910020123.00CD637B401@hub.freebsd.org>

Maybe, if you were to provide us with a bit more information, we may be able
to point you in the direction that you need to go....

On Sunday 09 September 2001 09:44 pm, jack chen wrote:
> X-Mozilla-Status2: 00000000
> Message-ID: <3B9B5FE6.C74D01FE@hefei.cngb.com>
> Date: Sun, 09 Sep 2001 20:26:15 +0800
> From: jack chen <chenjun@hefei.cngb.com>
> X-Mailer: Mozilla 4.51 [zh-cn] (Win98; I)
> X-Accept-Language: zh-CN
> MIME-Version: 1.0
> To: questions@FreeBSD.org
> Subject: May you give me answer?
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
> Hi there:
>
> Recently my server installed FreeBSD released 4.2 often forbidden to
> telnet and inetd process was shut down.
>
> Then I read messages log and found indication: "Sep 8 08:39:17 fh666
> /kernel: pid 179 (inetd), uid 0: exited on signal 11 (core dumped)".
>
> Why is it? May you tell me how to resolve it?
>
> Need your help.
>
> Regards,
> Jack

Date: Sun, 9 Sep 2001 19:30:03 -0700
From: Nicholas Esborn
To: freebsd-security@freebsd.org
Subject: IPsec w/ gif tunnels question
Message-ID: <20010909193003.A20775@flatlan.net>

Hola, all.

Is there any particular way to test whether a packet is successfully
processed by the ipsec subsystem? I am writing a script to bring up gif
tunnels between hosts communicating through transport-mode ipsec. I want
to be able to see that traffic is being encrypted before setting up the
tunnel. So far, I've come up with:

1) parsing SPD/SAD entries to see if any match
2) using tcpdump to watch for a packet my script sends, to verify that it
   is AH/ESP (ick)
3) using 'require' instead of 'use' in my SPD entries. This doesn't seem
   to allow racoon to communicate between machines, which doesn't surprise
   me. Is there some way racoon can get around this to establish keys?

Thanks for any insight you may have.

-nick
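Option 2 above, confirming that what leaves the host is AH or ESP rather than the cleartext packet, can be checked offline against captured bytes instead of by eyeballing tcpdump. The block below is an added example (written for this page, not taken from the post, and not racoon or tcpdump code): a minimal IPv4/IPv6 header parser that reports whether a packet carries ESP (protocol 50), AH (51), something else, or is malformed, plus the batch check a tunnel-setup script would run over the packets it sent. The three sample packets are constructed inline and are not captures from anyone's hosts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA protocol numbers carried in the IPv4 protocol / IPv6 next-header
 * field for the two IPsec headers. */
#define PROTO_ESP 50
#define PROTO_AH  51

enum pkt_kind { PKT_INVALID = -1, PKT_PLAIN = 0, PKT_ESP = 1, PKT_AH = 2 };

/* Classify a raw IP packet (no link-layer header in front of it).  IPv4
 * keeps the protocol at byte 9, IPv6 the next header at byte 6.  IPv6
 * extension headers placed before AH/ESP are not walked, so only the
 * first next-header value is examined (a deliberate simplification). */
enum pkt_kind ipsec_kind(const uint8_t *pkt, size_t len)
{
    uint8_t proto;
    if (len < 1)
        return PKT_INVALID;
    switch (pkt[0] >> 4) {
    case 4: {
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
        if (ihl < 20 || len < ihl)       /* truncated or bogus IHL */
            return PKT_INVALID;
        proto = pkt[9];
        break;
    }
    case 6:
        if (len < 40)
            return PKT_INVALID;
        proto = pkt[6];
        break;
    default:
        return PKT_INVALID;
    }
    if (proto == PROTO_ESP) return PKT_ESP;
    if (proto == PROTO_AH)  return PKT_AH;
    return PKT_PLAIN;
}

/* The check a tunnel-setup script wants: every packet it sent must have
 * gone out under AH or ESP.  Returns 1 if so, 0 if any packet was plain
 * or unparseable. */
int all_protected(const uint8_t *const pkts[], const size_t lens[], size_t n)
{
    for (size_t i = 0; i < n; i++) {
        enum pkt_kind k = ipsec_kind(pkts[i], lens[i]);
        if (k != PKT_ESP && k != PKT_AH)
            return 0;
    }
    return 1;
}

/* Constructed sample packets (not real captures).  IPv4 10.0.0.1 ->
 * 10.0.0.2, protocol 50: an 8-byte ESP header (SPI 0x100, sequence 1)
 * followed by 8 opaque bytes; total length 36. */
static const uint8_t sample_esp_v4[] = {
    0x45, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00, 0x00, 0x40, PROTO_ESP, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,
    0x00, 0x00, 0x01, 0x00,  0x00, 0x00, 0x00, 0x01,
    0xde, 0xad, 0xbe, 0xef,  0x00, 0x00, 0x00, 0x00
};
/* Same hosts, protocol 6: a cleartext TCP SYN, the case the script must
 * refuse to treat as protected; total length 40. */
static const uint8_t sample_tcp_v4[] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x40, 6, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,
    0x04, 0xd2, 0x00, 0x16,  0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff,  0x00, 0x00, 0x00, 0x00
};
/* IPv6 fd00::1 -> fd00::2 with next header 51 (AH); base header only. */
static const uint8_t sample_ah_v6[] = {
    0x60, 0x00, 0x00, 0x00,  0x00, 0x00, PROTO_AH, 0x40,
    0xfd, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 1,
    0xfd, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 2
};

int main(void)
{
    const uint8_t *const pkts[] = { sample_esp_v4, sample_ah_v6, sample_tcp_v4 };
    const size_t lens[] = { sizeof sample_esp_v4, sizeof sample_ah_v6,
                            sizeof sample_tcp_v4 };
    for (size_t i = 0; i < 3; i++)
        printf("packet %zu: kind %d\n", i, (int)ipsec_kind(pkts[i], lens[i]));
    printf("all protected: %d\n", all_protected(pkts, lens, 3));
    return 0;
}
```

Feeding this the raw packets from a capture of the script's probe traffic answers the question without regular-expression parsing of tcpdump output; a result of PKT_PLAIN on a probe means the SPD did not select that flow, which is exactly what options 1 and 3 are trying to establish from the other side.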
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: Kernel-loadable Rootkits Summary Attempt

Hello everyone,

This is an attempt to summarize the discussion regarding this topic. Credits go to respectable posters. All comments welcome.

ATTACK: Trojan module insertion
IMPACT: Backdooring the system
DETECTION: tripwire if attacker left the binary, kldstat if module is not stealth; may be undetectable
COUNTERMEASURE: Set securelevel to 1 (via sysctl and in rc.conf) or higher, which prevents module insertion

ATTACK: Putting trojan version of legitimate module under /modules
IMPACT: Trojan module will be loaded when system reboots
DETECTION: tripwire
COUNTERMEASURE: chmod schg /modules/* and set securelevel >= 1, which prevents modification of files under /modules

ATTACK: Modifying /etc/rc* scripts
IMPACT: Possibility of lowering the securelevel and/or inserting trojan module at boot time
DETECTION: tripwire
COUNTERMEASURE: chmod schg /etc/rc* and set securelevel >= 1

PROBLEM: There's no possibility of lowering the securelevel without console access. In order to make any modification to protected /etc/rc* files or modules you must boot singleuser or use ddb built in kernel to modify a kernel variable named 'securelevel'.
Regards,
Kris

From owner-freebsd-security Mon Sep 10 09:52:59 2001
Date: Mon, 10 Sep 2001 12:53:35 -0400 (EDT)
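The detection and countermeasure rows of the summary above, turned into one check that can be run from cron or a periodic script: an added example, not from the thread or from FreeBSD's own scripts. It parses captured kldstat(8) output, the value of the kern.securelevel sysctl, and the rc.conf knobs that set the securelevel at boot (kern_securelevel_enable and kern_securelevel), and reports modules missing from or added to a baseline and any securelevel below the minimum. The samples are constructed and the baseline module names are assumptions; the schg flag the summary refers to is set with chflags(1). The summary's own caveat stands: a module that hides from kldstat is invisible here, so the module part of this check only means something while securelevel >= 1 is keeping further insertions out.

```python
"""Audit loaded kernel modules and the securelevel against a baseline."""
import re

# A kldstat(8) row: "Id Refs Address Size Name"; the header line does not match.
KLD_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)\s*$")


def parse_kldstat(text):
    """Map module name -> (id, refs, address, size in bytes)."""
    mods = {}
    for line in text.splitlines():
        m = KLD_LINE.match(line)
        if m:
            kid, refs, addr, size, name = m.groups()
            mods[name] = (int(kid), int(refs), addr, int(size, 16))
    return mods


def running_securelevel(sysctl_text):
    """Value from 'sysctl kern.securelevel', or None if absent."""
    m = re.search(r"kern\.securelevel:\s*(-?\d+)", sysctl_text)
    return int(m.group(1)) if m else None


def boot_securelevel(rcconf_text):
    """Securelevel rc.conf will set at boot, or None if it is not enabled
    (kern_securelevel_enable must be YES and kern_securelevel numeric)."""
    vals = dict(re.findall(
        r'^\s*(kern_securelevel(?:_enable)?)="?([^"\s]+)"?', rcconf_text, re.M))
    if vals.get("kern_securelevel_enable", "NO").upper() != "YES":
        return None
    try:
        return int(vals.get("kern_securelevel", "-1"))
    except ValueError:
        return None


def audit(kldstat_text, sysctl_text, rcconf_text, expected, minimum=1):
    """Return a list of findings; empty means the host matches the baseline
    and securelevel is at least `minimum` now and after the next reboot."""
    mods = parse_kldstat(kldstat_text)
    findings = []
    for name in sorted(set(mods) - set(expected)):
        kid, _refs, _addr, size = mods[name]
        findings.append("unexpected module loaded: %s (id %d, %d bytes)"
                        % (name, kid, size))
    for name in sorted(set(expected) - set(mods)):
        findings.append("expected module not loaded: %s" % name)
    now = running_securelevel(sysctl_text)
    if now is None:
        findings.append("could not read kern.securelevel")
    elif now < minimum:
        findings.append("kern.securelevel is %d; modules can still be loaded" % now)
    boot = boot_securelevel(rcconf_text)
    if boot is None or boot < minimum:
        findings.append("rc.conf will not raise kern.securelevel to at least %d at boot"
                        % minimum)
    return findings


# Constructed samples (not taken from a real host); zz.ko stands in for a
# module the baseline does not know about.
KLDSTAT_SAMPLE = """\
Id Refs Address    Size     Name
 1    4 0xc0100000 1c4d98   kernel
 2    1 0xc0ce2000 3000     linprocfs.ko
 3    1 0xc0ce5000 2000     zz.ko
"""
SYSCTL_SAMPLE = "kern.securelevel: -1\n"
RCCONF_SAMPLE = 'kern_securelevel_enable="NO"\nkern_securelevel="1"\n'
EXPECTED = ["kernel", "linprocfs.ko"]

if __name__ == "__main__":
    for finding in audit(KLDSTAT_SAMPLE, SYSCTL_SAMPLE, RCCONF_SAMPLE, EXPECTED):
        print(finding)
```

On a live host the three inputs are the output of "kldstat", "sysctl kern.securelevel" and the contents of /etc/rc.conf; keeping the baseline list on read-only media or under schg matters for the same reason the rc scripts do, since an attacker who can edit the baseline can hide a module from the diff.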
From: Jim Sander
To: Freebsd-security@FreeBSD.ORG
Subject: allow selective RSA AUTH in sshd setup?
In-Reply-To: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com>

By default, I bar key-based logins (RSAAuthentication no) so that I don't have to worry about users keeping their ~/.ssh/authorized_keys secure. (expecting good key management of people who if left on their own would choose 'me' as their password is probably a bad idea) For most people who never touch a shell anyway, this is fine. But I do want to allow certain users who at least marginally know what they're doing the benefit of using this feature.

Anyone know a simple and effective way to do this?

-=Jim=-

From owner-freebsd-security Mon Sep 10 10:02:25 2001
Date: Mon, 10 Sep 2001 18:02:39 +0100
From: Alex Holst
To: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <20010910180239.B59628@area51.dk>
In-Reply-To: ; from jim@federation.addy.com on Mon, Sep 10, 2001 at 12:53:35PM -0400

Quoting Jim Sander (jim@federation.addy.com):
> By default, I bar key-based logins (RSAAuthentication no) so that I
> don't have to worry about users keeping their ~/.ssh/authorized_keys
> secure.

I assume you mean ~/.ssh/identity on the client side? If it's your server, you can enforce rules on authorized_keys. I'm somewhat puzzled as RSA keys are significantly stronger than plain passwords. What do you use for authentication? SecurID? CryptoCard?

You would need to take a look at login.conf to specify individual authentication methods on a per user basis. I am not clear on how well this is supported yet.

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                    http://a.area51.dk/

From owner-freebsd-security Mon Sep 10 10:09:08 2001
Date: Mon, 10 Sep 2001 20:06:34 +0300
From: Peter Pentchev
To: Jim Sander
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <20010910200634.J1983@ringworld.oblivion.bg>
In-Reply-To: ; from jim@federation.addy.com on Mon, Sep 10, 2001 at 12:53:35PM -0400

On Mon, Sep 10, 2001 at 12:53:35PM -0400, Jim Sander wrote:
> By default, I bar key-based logins (RSAAuthentication no) so that I
> don't have to worry about users keeping their ~/.ssh/authorized_keys
> secure. (expecting good key management of people who if left on their own
> would choose 'me' as their password is probably a bad idea) For most
> people who never touch a shell anyway, this is fine. But I do want to
> allow certain users who at least marginally know what their doing the
> benefit of using this feature.
>
> Anyone know a simple and effective way to do this?

Create a ~/.ssh/config file, put 'RSAAuthentication yes' there. I don't think it's possible to do this on a group basis, you'll have to do it for each user.

Of course, this also means that each of the other users may put this in their own ~/.ssh/config file, and circumvent your attempt to disable key-based logins; however, from your description (and some personal experience) I would consider that to be somewhat unlikely :)

G'luck,
Peter

--
If wishes were fishes, the antecedent of this conditional would be true.
From owner-freebsd-security Mon Sep 10 10:11:17 2001
Message-ID: <3B9CF42B.FDBF942A@algroup.co.uk>
Date: Mon, 10 Sep 2001 18:11:07 +0100
From: Adam Laurie
To: Alex Holst
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com> <20010910180239.B59628@area51.dk>

Alex Holst wrote:
>
> Quoting Jim Sander (jim@federation.addy.com):
> > By default, I bar key-based logins (RSAAuthentication no) so that I
> > don't have to worry about users keeping their ~/.ssh/authorized_keys
> > secure.
>
> I assume you mean ~/.ssh/identity on the client side? If it's your server,
> you can enforce rules on authorized_keys. I'm somewhat puzzled as RSA keys
> are significantly stronger plain passwords. What do you use for
> authentication? SecurID? CryptoCard?

speaking of which, shouldn't the daily/weekly/monthly security checks notify if authorized_keys has changed in the same way that it does for a change of password?

cheers,
Adam
--
Adam Laurie                 Tel: +44 (20) 8742 0755
A.L. Digital Ltd.           Fax: +44 (20) 8742 5995
The Stores                  http://www.thebunker.net
2 Bath Road                 http://www.aldigital.co.uk
London W4 1LT               mailto:adam@algroup.co.uk
UNITED KINGDOM              PGP key on keyservers

From owner-freebsd-security Mon Sep 10 10:15:12 2001
Date: Mon, 10 Sep 2001 18:15:27 +0100
From: Alex Holst
To: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <20010910181527.C59628@area51.dk>
In-Reply-To: <3B9CF42B.FDBF942A@algroup.co.uk>; from adam@algroup.co.uk on Mon, Sep 10, 2001 at 06:11:07PM +0100

Quoting Adam Laurie (adam@algroup.co.uk):
> Alex Holst wrote:
> > I assume you mean ~/.ssh/identity on the client side? If it's your server,
> > you can enforce rules on authorized_keys. I'm somewhat puzzled as RSA keys
> > are significantly stronger plain passwords. What do you use for
> > authentication? SecurID? CryptoCard?
>
> speaking of which, shouldn't the daily/weekly/monthly security checks
> notify if authorized_keys has changed in the same way that it does for a
> change of password?

No, a user should be free to change and add keys as they see fit. The sshd already implements access control if there is a chance authorized_keys has been tampered with.

If you really want to verify all changes to users authorized_keys file, change the ownership so users can't modify the file but still read it.
From owner-freebsd-security Mon Sep 10 10:29:15 2001
Date: Mon, 10 Sep 2001 18:29:32 +0100
From: Alex Holst
To: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <20010910182931.D59628@area51.dk>
In-Reply-To: <20010910200634.J1983@ringworld.oblivion.bg>; from roam@ringlet.net on Mon, Sep 10, 2001 at 08:06:34PM +0300

Quoting Peter Pentchev (roam@ringlet.net):
> On Mon, Sep 10, 2001 at 12:53:35PM -0400, Jim Sander wrote:
[..]
> > people who never touch a shell anyway, this is fine. But I do want to
> > allow certain users who at least marginally know what their doing the
> > benefit of using this feature.
> >
> > Anyone know a simple and effective way to do this?
>
> Create a ~/.ssh/config file, put 'RSAAuthentication yes' there.

~/.ssh/config is a client-side file.

From owner-freebsd-security Mon Sep 10 11:05:18 2001
Message-ID: <3B9D00D0.C522C41A@algroup.co.uk>
Date: Mon, 10 Sep 2001 19:05:04 +0100
From: Adam Laurie
To: Alex Holst
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com> <20010910180239.B59628@area51.dk> <3B9CF42B.FDBF942A@algroup.co.uk> <20010910181527.C59628@area51.dk>

Alex Holst wrote:
>
> Quoting Adam Laurie (adam@algroup.co.uk):
> > Alex Holst wrote:
> > > I assume you mean ~/.ssh/identity on the client side? If it's your server,
> > > you can enforce rules on authorized_keys. I'm somewhat puzzled as RSA keys
> > > are significantly stronger plain passwords. What do you use for
> > > authentication? SecurID? CryptoCard?
> >
> > speaking of which, shouldn't the daily/weekly/monthly security checks
> > notify if authorized_keys has changed in the same way that it does for a
> > change of password?
>
> No, a user should be free to change and add keys as they see fit. The sshd
> already implements access control if there is a chance authorized_keys has
> been tampered with.

so why do password changes get notified then? i don't see the rationale that says root should get notified if a user changes his password, but not if he gives someone else access to the box... surely the point of a security check is to notify potential new security risks? apart from him probably not being authorised to make such decisions, the user himself may not even be aware that something he's done has caused a key to be added to his password file...

> If you really want to verify all changes to users authorized_keys file,
> change the ownership so users can't modify the file but still read it.
and how would you do that without blocking their entire home directory then? :)

cheers,
Adam

From owner-freebsd-security Mon Sep 10 11:16:11 2001
Date: Mon, 10 Sep 2001 19:15:52 +0100
From: David Taylor
To: Adam Laurie
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <20010910191552.A61465@gattaca.yadt.co.uk>
In-Reply-To: <3B9D00D0.C522C41A@algroup.co.uk>; from adam@algroup.co.uk on Mon, Sep 10, 2001 at 19:05:04 +0100

On Mon, 10 Sep 2001, Adam Laurie wrote:
> > If you really want to verify all changes to users authorized_keys file,
> > change the ownership so users can't modify the file but still read it.
>
> and how would you do that without blocking their entire home directory
> then? :)
>

Easy enough

# mkdir ~user/.ssh
# touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
# chown root:usersprivategroup ~user/.ssh
# chmod 750 ~user/.ssh
# chown user:usersprivategroup ~user/.ssh/*
# chmod 640 ~user/.ssh/*
# chown root:usersprivategroup ~user/.ssh/authorized_keys

SSH even seems happy to have a root-owned authorized_keys file...
--
David Taylor
davidt@yadt.co.uk

From owner-freebsd-security Mon Sep 10 11:20:43 2001
Date: Mon, 10 Sep 2001 10:15:00 -0700 (PDT)
From: David Kirchner
To: David Taylor
Cc: Adam Laurie ,
Subject: Re: allow selective RSA AUTH in sshd setup?
In-Reply-To: <20010910191552.A61465@gattaca.yadt.co.uk>
Message-ID: <20010910101420.W85958-100000@localhost>

On Mon, 10 Sep 2001, David Taylor wrote:
> Easy enough
>
> # mkdir ~user/.ssh
> # touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
> # chown root:usersprivategroup ~user/.ssh
> # chmod 750 ~user/.ssh
> # chown user:usersprivategroup ~user/.ssh/*
> # chmod 640 ~user/.ssh/*
> # chown root:usersprivategroup ~user/.ssh/authorized_keys
>
> SSH even seems happy to have a root-owned authorized_keys file...

And then chflags schg .ssh so the user can't rename and re-create the .ssh directory.

From owner-freebsd-security Mon Sep 10 11:43:04 2001
Message-ID: <3B9D0991.C5AD21FA@algroup.co.uk>
Date: Mon, 10 Sep 2001 19:42:25 +0100
From: Adam Laurie
To: David Taylor
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com> <20010910180239.B59628@area51.dk> <3B9CF42B.FDBF942A@algroup.co.uk> <20010910181527.C59628@area51.dk> <3B9D00D0.C522C41A@algroup.co.uk> <20010910191552.A61465@gattaca.yadt.co.uk>

David Taylor wrote:
>
> On Mon, 10 Sep 2001, Adam Laurie wrote:
>
> > > If you really want to verify all changes to users authorized_keys file,
> > > change the ownership so users can't modify the file but still read it.
> >
> > and how would you do that without blocking their entire home directory
> > then? :)
> >
>
> Easy enough
>
> # mkdir ~user/.ssh
> # touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
> # chown root:usersprivategroup ~user/.ssh
> # chmod 750 ~user/.ssh
> # chown user:usersprivategroup ~user/.ssh/*
> # chmod 640 ~user/.ssh/*
> # chown root:usersprivategroup ~user/.ssh/authorized_keys

$ mv .ssh .ssh-
$ cp -r .ssh- .ssh
$ cat dodgy_geezer.pub >> .ssh/authorized_keys

=:O

> SSH even seems happy to have a root-owned authorized_keys file...

true these days, but has not always been the case.

cheers,
Adam
From owner-freebsd-security Mon Sep 10 11:46:41 2001
Message-Id: <5.1.0.14.0.20010910143835.0226a2b0@marble.sentex.ca>
Date: Mon, 10 Sep 2001 14:40:49 -0400
To: Kris Kennaway
From: Mike Tancsa
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Cc: Matt Dillon, security@freebsd.org
In-Reply-To: <20010908190700.A5881@xor.obsecurity.org>
References: <20010909055903.A34519@nagual.pp.ru> <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> <20010909045226.A33654@nagual.pp.ru> <20010908180848.A94567@xor.obsecurity.org> <200109090120.f891KvM14677@xerxes.courtesan.com> <20010908185415.A5619@xor.obsecurity.org> <20010909055903.A34519@nagual.pp.ru>

Hi,
	Any chance of getting at least Matt's chflags changes MFC'd before 4.4R? Or is the jury still out on the best approach?

	---Mike

From owner-freebsd-security Mon Sep 10 11:47:54 2001
Message-ID: <3B9D0AB0.96DB5AA@algroup.co.uk>
Date: Mon, 10 Sep 2001 19:47:12 +0100
From: Adam Laurie
To: David Kirchner
Cc: David Taylor, Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
References: <20010910101420.W85958-100000@localhost>

David Kirchner wrote:
>
> On Mon, 10 Sep 2001, David Taylor wrote:
>
> > Easy enough
> >
> > # mkdir ~user/.ssh
> > # touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
> > # chown root:usersprivategroup ~user/.ssh
> > # chmod 750 ~user/.ssh
> > # chown user:usersprivategroup ~user/.ssh/*
> > # chmod 640 ~user/.ssh/*
> > # chown root:usersprivategroup ~user/.ssh/authorized_keys
> >
> > SSH even seems happy to have a root-owned authorized_keys file...
>
> And then chflags schg .ssh so the user can't rename and re-create the .ssh
> directory.

indeed... that'll be the important bit! however, i'd still rather just get notified of an important security change by my regular security checking script than have to enforce policies that may not be appropriate for all users/machines.

cheers,
Adam
From owner-freebsd-security Mon Sep 10 13:24:11 2001
Date: Mon, 10 Sep 2001 16:24:45 -0400 (EDT)
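The two things argued about in the exchange above, Adam Laurie's wish for a periodic notice when a user's authorized_keys changes and the root-owned/schg lockdown from David Taylor and David Kirchner (with Adam's mv/cp bypass showing why the schg bit is the important part), as one check in the spirit of the /etc/periodic password-file report. This is an added example, not code from the thread and not one of FreeBSD's periodic(8) scripts. Assumptions: the home directories to check are passed in explicitly rather than walked from the password file, the previous run's state lives in a JSON file whose path the caller chooses, and the schg test relies on st_flags, which only BSD stat results carry (elsewhere the flag simply reads as unset). The key lines in the demo are constructed placeholders, not real keys.

```python
"""Periodic check for users' ~/.ssh/authorized_keys: report keys added or
removed since the last run, and whether the root-owned/schg lockdown is
actually in place."""
import hashlib
import json
import os
import stat
import tempfile

SF_IMMUTABLE = getattr(stat, "SF_IMMUTABLE", 0x00020000)


def key_lines(path):
    """Map a short fingerprint to each non-comment line of authorized_keys.
    Hashing the whole line means an edited option string or comment is
    reported as well, which is what a change notice should do."""
    lines = {}
    if not os.path.exists(path):
        return lines
    with open(path) as f:
        for raw in f:
            line = raw.strip()
            if line and not line.startswith("#"):
                fp = hashlib.sha256(line.encode()).hexdigest()[:16]
                lines[fp] = line[:60]
    return lines


def lockdown_findings(home, owner_uid=0):
    """Deviations from the lockdown; an empty list means it is in place."""
    found = []
    sshdir = os.path.join(home, ".ssh")
    try:
        st = os.lstat(sshdir)
    except FileNotFoundError:
        return ["no .ssh directory"]
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISDIR(st.st_mode):
        found.append(".ssh is not a directory")
    if st.st_uid != owner_uid:
        found.append(".ssh not owned by uid %d" % owner_uid)
    if mode & 0o027:
        found.append(".ssh mode %o is wider than 750" % mode)
    if not getattr(st, "st_flags", 0) & SF_IMMUTABLE:
        found.append(".ssh lacks schg: the user can rename it and recreate a writable copy")
    ak = os.path.join(sshdir, "authorized_keys")
    try:
        akst = os.lstat(ak)
    except FileNotFoundError:
        return found           # no keys, nothing further to protect
    if akst.st_uid != owner_uid:
        found.append("authorized_keys not owned by uid %d" % owner_uid)
    if stat.S_IMODE(akst.st_mode) & 0o022:
        found.append("authorized_keys is group- or world-writable")
    return found


def check_homes(homes, baseline_path, owner_uid=0):
    """Diff each home's authorized_keys against the saved baseline, rewrite
    the baseline, and return {home: {"added", "removed", "lockdown"}} for
    every home with something to report."""
    try:
        with open(baseline_path) as f:
            baseline = json.load(f)
    except (FileNotFoundError, ValueError):
        baseline = {}          # first run: every key is reported as added
    report, current = {}, {}
    for home in homes:
        now = key_lines(os.path.join(home, ".ssh", "authorized_keys"))
        old = baseline.get(home, {})
        current[home] = now
        entry = {"added": [now[fp] for fp in now if fp not in old],
                 "removed": [old[fp] for fp in old if fp not in now],
                 "lockdown": lockdown_findings(home, owner_uid)}
        if any(entry.values()):
            report[home] = entry
    with open(baseline_path, "w") as f:
        json.dump(current, f)
    return report


def demo():
    """Run the check over a constructed home three times: first run, after a
    key is appended, after keys are removed. Returns the three reports."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "user")
    ak = os.path.join(home, ".ssh", "authorized_keys")
    base = os.path.join(root, "baseline.json")
    os.makedirs(os.path.dirname(ak), mode=0o700)
    # Constructed key lines; the blobs are placeholders, not real keys.
    keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0exampleone= alice@laptop",
            "ssh-dss AAAAB3NzaC1kc3MAAACBAKexampletwo= alice@desktop"]
    with open(ak, "w") as f:
        f.write("# keys for alice\n" + "\n".join(keys) + "\n")
    os.chmod(ak, 0o644)
    me = os.getuid()           # the demo owns its files, so audit against itself
    first = check_homes([home], base, owner_uid=me)
    with open(ak, "a") as f:
        f.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDdodgy_geezer= dodgy@geezer\n")
    second = check_homes([home], base, owner_uid=me)
    with open(ak, "w") as f:
        f.write(keys[0] + "\n")
    third = check_homes([home], base, owner_uid=me)
    return {"first": first[home], "second": second[home], "third": third[home]}


if __name__ == "__main__":
    for run, entry in demo().items():
        print(run, json.dumps(entry, indent=1))
```

Run from periodic with owner_uid left at 0, the "lockdown" list is empty only for homes set up exactly as in the recipe above, schg included; on a host that does not use the lockdown the same script still gives the added/removed notice Adam asked for. The demo always reports the missing schg flag, because a directory created by an unprivileged process cannot carry it.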
From: Jim Sander
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
In-Reply-To: <20010910180239.B59628@area51.dk>

> I assume you mean ~/.ssh/identity on the client side?

I meant what I said- `man sshd` ...

"$HOME/.ssh/authorized_keys
    Lists the RSA keys that can be used to log into the user's account."

> If it's your server, you can enforce rules on authorized_keys.

As was demonstrated in other posts, enforcing "rules" via file-system tricks isn't going to work, or it will end up being more work than allowing "unlimited" RSA Auth. If I set it up so they can't modify the file, it defeats the purpose of having it. Let's not even re-re-start the debate about /etc/periodic monitoring ~/.ssh/authorized_keys...

An option not mentioned is that I could also run one sshd per user- but that wouldn't be very good for me either, although more do-able than schg files and such.

> I'm somewhat puzzled

The reason I don't allow RSAAuthentication is that I envision this near certainty: a user will know enough to set up authentication from his personal machine, but won't adequately guard the private key file from the hypothetical latest Outlook flaw allowing his key to be sent to a script kiddie and then used to change his church's web site on my server into a porn warehouse. I can handle explaining "don't give your password away" and even "choose something better than Jesus1" - but explaining that he needs to periodically monitor a non-human-readable file in a "hidden" folder on the server is beyond my ability, let alone my desire.

Yet, for certain people who have demonstrated their minimal competence, I want to say "I've set you up to use RSAAuth- make sure you keep an eye on your key files."
They'll be capable of doing some way-cool stuff to make their lives immeasurably easier, and we'll all be happy. If this person blows it, I can say "you said you knew what you were doing."

> You would need to take a look at login.conf to specify individual
> authentication methods on a per user basis. I am not clear on how well this
> is supported yet.

Checked login.conf, and pam.conf too- which I think may be a more likely candidate for this sort of thing, maybe? (won't claim to be expert here- and both seem to apply in many ways) I remember reading something about using login.conf classes in pam.conf, but can't remember where or when- it might have been a delusion. :)

Apparently the amount of support is "not at all" at least in RELENG_4, as far as I can see. I can see this being a potentially cool feature to put into either config, but it doesn't look like it's there now. Or maybe the feature is there and the documentation isn't? (or I overlooked it)

Perhaps I should consider this a worthy first task for my contribution to FreeBSD. (honestly, I don't think I'm yet qualified to do that reliably, and it's not important enough for me to become so just now) Any pointers would be appreciated though.

-=Jim=-

From owner-freebsd-security Mon Sep 10 13:25:15 2001
Date: Mon, 10 Sep 2001 13:25:08 -0700 (PDT)
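The per-user switch Jim concludes is missing from the sshd of RELENG_4 was added to OpenSSH later: sshd_config Match blocks arrived in OpenSSH 4.4, and they can set PubkeyAuthentication (the protocol-2 successor of RSAAuthentication, which cannot be used inside Match) and AuthorizedKeysFile per user or group. The fragment below is an added example going beyond the 2001 setup in the thread, not configuration from any poster; the group and user names are assumptions. Moving the key files out of the home directory into a root-owned tree also removes the mv/cp-the-directory trick discussed above, since nothing under the user's control is consulted any more.

```sshd_config
# /etc/ssh/sshd_config (fragment, modern OpenSSH): key-based logins off by
# default, on for one group, with key files the users cannot edit.

PubkeyAuthentication no
PasswordAuthentication yes

# Keys are read from a root-owned directory, one file per user (%u), instead
# of ~/.ssh/authorized_keys; the admin appends keys, the user only reads them.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Only members of this group (an assumed name) get key-based logins.
Match Group sshkeys
    PubkeyAuthentication yes

# The same thing for individually named users, if a group is not wanted.
# Match User alice,bob
#     PubkeyAuthentication yes
```

Check the result with "sshd -T -C user=alice" (and again for a user outside the group), which prints the effective settings for that connection instead of requiring a login attempt.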
From: Matt Dillon
Message-Id: <200109102025.f8AKP8v41950@earth.backplane.com>
To: Mike Tancsa
Cc: Kris Kennaway, security@freebsd.org
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
References: <20010909055903.A34519@nagual.pp.ru> <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> <20010909045226.A33654@nagual.pp.ru> <20010908180848.A94567@xor.obsecurity.org> <200109090120.f891KvM14677@xerxes.courtesan.com> <20010908185415.A5619@xor.obsecurity.org> <20010909055903.A34519@nagual.pp.ru> <5.1.0.14.0.20010910143835.0226a2b0@marble.sentex.ca>

:
:
:Hi,
:	Any chance of getting at least Matt's chflags changes MFC'd before
:4.4R? Or is the jury still out on the best approach ?
:
:	---Mike
:

    Jordan approved it. I've committed it.

					-Matt

From owner-freebsd-security Mon Sep 10 14:42:29 2001
Date: Mon, 10 Sep 2001 17:43:07 -0400 (EDT)
From: Jim Sander Cc: Freebsd-security@FreeBSD.ORG Subject: Re: allow selective RSA AUTH in sshd setup? In-Reply-To: <20010910200634.J1983@ringworld.oblivion.bg> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

For clarity, do you mean the following?

1) Change system-wide sshd.conf to "RSAAuthentication yes"
2) Create ~/.ssh/config for all users with "RSAAuthentication no"
3) Allow "special" users to change this file.

Assuming that works- it's close to what I want. I don't see anything in the docs about per-user overrides of the config, although I don't see why it wouldn't let you put *more* restrictions on. I'm sure it wouldn't let you say, turn on RSAAuth if the system-wide conf doesn't allow it- if it does, that's a bug I think. But as I said, don't see any docs on this...

Unfortunately, with this method I'd have to create thousands of files- and the vast majority of them won't ever get used. Disks are cheap, but this still rubs me the wrong way. I'd prefer a more elegant solution, especially since it still lets *any* user potentially use RSAAuth, not just the ones I decide to allow.

-=Jim=-

On Mon, 10 Sep 2001, Peter Pentchev wrote:

> On Mon, Sep 10, 2001 at 12:53:35PM -0400, Jim Sander wrote:
> > By default, I bar key-based logins (RSAAuthentication no) so that I
> > don't have to worry about users keeping their ~/.ssh/authorized_keys
> > secure. (expecting good key management of people who if left on their own
> > would choose 'me' as their password is probably a bad idea) For most
> > people who never touch a shell anyway, this is fine. But I do want to
> > allow certain users who at least marginally know what they're doing the
> > benefit of using this feature.
> >
> > Anyone know a simple and effective way to do this?
>
> Create a ~/.ssh/config file, put 'RSAAuthentication yes' there.
> I don't think it's possible to do this on a group basis, you'll have
> to do it for each user.
>
> Of course, this also means that each of the other users may put this
> in their own ~/.ssh/config file, and circumvent your attempt to disable
> key-based logins; however, from your description (and some personal
> experience) I would consider that to be somewhat unlikely :)
>
> G'luck,
> Peter
>
> --
> If wishes were fishes, the antecedent of this conditional would be true.
>

From owner-freebsd-security Mon Sep 10 15:21: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from C-Tower.Area51.DK (c-tower.area51.dk [62.243.200.203]) by hub.freebsd.org (Postfix) with SMTP id 9C52237B405 for ; Mon, 10 Sep 2001 15:20:58 -0700 (PDT) Received: (qmail 89551 invoked by uid 1007); 10 Sep 2001 22:21:17 -0000 Date: Mon, 10 Sep 2001 23:21:17 +0100
From: Alex Holst To: Freebsd-security@FreeBSD.ORG Subject: Re: allow selective RSA AUTH in sshd setup? Message-ID: <20010910232117.A82808@area51.dk> Mail-Followup-To: Alex Holst , Freebsd-security@FreeBSD.ORG References: <20010910180239.B59628@area51.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from jim@federation.addy.com on Mon, Sep 10, 2001 at 04:24:45PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Quoting Jim Sander (jim@federation.addy.com):

> The reason I don't allow RSAAuthentication is that I envision this near
> certainty: a user will know enough to set up authentication from his
> personal machine, but won't adequately guard the private key file from the
> hypothetical latest Outlook flaw allowing his key to be sent to a script
> kiddie and then used to change his church's web site on my server into a
> porn warehouse.

Using RSA keys gives you two factors of protection. Using passwords gives you one factor.

> I can handle explaining "don't give your password away" and even
> "choose something better than Jesus1" - but explaining that he needs to
> periodically monitor a non-human-readable file in a "hidden" folder on the
> server is beyond my ability, let alone my desire.

Allow me to introduce you to the concept of a 'security policy.' -- those who fail to understand and follow it will be escorted out of the building. If management support for this approach does not come through then whatever you are trying to protect can't be all that important.

--
I prefer the dark of the night, after midnight and before four-thirty, when it's more bare, more hollow.
http://a.area51.dk/

From owner-freebsd-security Mon Sep 10 15:27:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id C565737B405 for ; Mon, 10 Sep 2001 15:27:10 -0700 (PDT) Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f8ALMue11002; Mon, 10 Sep 2001 14:22:56 -0700 (PDT) Date: Mon, 10 Sep 2001 14:22:56 -0700 (PDT)
From: David Kirchner X-X-Sender: To: Alex Holst Cc: Subject: Re: allow selective RSA AUTH in sshd setup? In-Reply-To: <20010910232117.A82808@area51.dk> Message-ID: <20010910141822.M85958-100000@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, 10 Sep 2001, Alex Holst wrote:

> Using RSA keys gives you two factors of protection. Using passwords gives
> you one factor.
>
> Allow me to introduce you to the concept of a 'security policy.' -- those
> who fail to understand and follow it will be escorted out of the building.
> If management support for this approach does not come through then whatever
> you are trying to protect can't be all that important.

The difficulty in security policy comes with verifying the security policy. There's no way to know that whoever generated the key set a good password, or any password at all, unless you watch them create it. At least with 'passwd' you can try to ensure secure passwords, and with sshd you can deny empty passwords.

From owner-freebsd-security Mon Sep 10 21:29:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 6D49E37B405 for ; Mon, 10 Sep 2001 21:29:39 -0700 (PDT) Received: (qmail 23944 invoked from network); 11 Sep 2001 04:29:03 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 11 Sep 2001 04:29:03 -0000 Message-ID: <000901c13a7a$64889ba0$0100a8c0@alexus>
From: "alexus" To: Subject: /proc permition Date: Tue, 11 Sep 2001 00:29:48 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

is there a way to change permission for /proc so users won't be able to go inside of that dir and retrieve information about processes?

From owner-freebsd-security Tue Sep 11 15: 0:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 9572737B401 for ; Tue, 11 Sep 2001 15:00:26 -0700 (PDT) Received: (qmail 37752 invoked from network); 11 Sep 2001 21:59:52 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 11 Sep 2001 21:59:52 -0000 Message-ID: <001001c13b0d$259770e0$0d00a8c0@alexus>
From: "alexus" To: "Fernando Schapachnik" Cc: References: <000901c13a7a$64889ba0$0100a8c0@alexus> <20010911093516.A27079@ns1.via-net-works.net.ar> Subject: Re: /proc permition Date: Tue, 11 Sep 2001 18:00:19 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

i did umount it and it's working fine without it. is this a bad thing to do? or any other suggestions/comments on that?

----- Original Message -----
From: "Fernando Schapachnik" To: "alexus" Sent: Tuesday, September 11, 2001 8:35 AM Subject: Re: /proc permition

> Maybe you can't unmount it in a test box and see how many programs
> rely on it.
>
> In an earlier message, alexus wrote:
> > is there a way to change permission for /proc so users won't be able to go
> > inside of that dir and retrieve information about processes?
>
> Fernando P. Schapachnik
> Network and technology planning
> VIA NET.WORKS ARGENTINA S.A.
> fschapachnik@vianetworks.com.ar
> Tel.: (54-11) 4323-3381
>

From owner-freebsd-security Wed Sep 12 7:39:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id 720F737B40B for ; Wed, 12 Sep 2001 07:39:50 -0700 (PDT) Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id JAA09131; Wed, 12 Sep 2001 09:39:38 -0500 (CDT) Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma009129; Wed, 12 Sep 01 09:39:34 -0500 Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA29857; Wed, 12 Sep 2001 09:39:34 -0500 (CDT) Message-ID: <3B9F739C.1056E287@centtech.com> Date: Wed, 12 Sep 2001 09:39:24 -0500
From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Doug Ambrisko Cc: freebsd-security@freebsd.org Subject: Re: AirSnort / WEP References: <200109062144.f86LieC10282@ambrisko.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I'm not familiar with 'RFMOM'. Anyway, I have a few 802.11 cards here to play with (Orinoco Gold from Lucent, and a D-Link Air DWL-650 (Prism II Chipset)), which work out of the box with FreeBSD. I'm willing to help if I can, but I'm not much of a C programmer. This really is a great, and needed tool for FreeBSD.

Eric

By the way, anyone know anything about RELEASE 4.4? what happened?

Doug Ambrisko wrote:
>
> Eric Anderson writes:
> | Has anyone messed with AirSnort or WEPCrack with FreeBSD yet? Is there an equivalent tool, since these are both based
> | around linux?
>
> This could be ported to the RFMOM patches that I have for the Aironet
> card. I haven't done it yet but thought about porting it.
>
> http://www.ambrisko.com/doug/an/
>
> Doug A.

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------

From owner-freebsd-security Wed Sep 12 13:40:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id BDA8237B405 for ; Wed, 12 Sep 2001 13:40:30 -0700 (PDT) Received: (qmail 44221 invoked from network); 12 Sep 2001 20:40:02 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 12 Sep 2001 20:40:02 -0000 Message-ID: <000b01c13bcb$2639da10$0d00a8c0@alexus>
From: "alexus" Cc: , Subject: protecting /sbin and /usr/local/sbin Date: Wed, 12 Sep 2001 16:40:24 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

hi

i noticed some people are trying to use some files from /sbin and /usr/local/sbin to retrieve some info..

i was wondering if i'll do

chmod o-rwx /sbin/* /usr/local/sbin/*

Will it do any damages? or i simply can't do this?

thank you

From owner-freebsd-security Wed Sep 12 14:28: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-6.dsl.lsan03.pacbell.net [63.207.60.6]) by hub.freebsd.org (Postfix) with ESMTP id 29AB437B40A; Wed, 12 Sep 2001 14:27:53 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id AEE5966D0A; Wed, 12 Sep 2001 14:27:52 -0700 (PDT) Date: Wed, 12 Sep 2001 14:27:52 -0700
From: Kris Kennaway To: alexus Cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: protecting /sbin and /usr/local/sbin Message-ID: <20010912142752.A26055@xor.obsecurity.org> References: <000b01c13bcb$2639da10$0d00a8c0@alexus> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000b01c13bcb$2639da10$0d00a8c0@alexus>; from ml@db.nexgen.com on Wed, Sep 12, 2001 at 04:40:24PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--liOOAslEiF7prFVr
Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Wed, Sep 12, 2001 at 04:40:24PM -0400, alexus wrote:
> hi
>
> i noticed some people are trying to use some files from /sbin and
> /usr/local/sbin to retrieve some info..

How is this a problem?

> i was wondering if i'll do
>
> chmod o-rwx /sbin/* /usr/local/sbin/*
>
> Will it do any damages? or i simply can't do this?

You can do it, but if your system relies on non-root users executing these commands, bits will obviously fail. I think you're probably overreacting, though.
Kris

--liOOAslEiF7prFVr
Content-Type: application/pgp-signature Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7n9NXWry0BWjoQKURAiCEAJ4yfDxWdIqAzsNUqs8mV0uTcGrt8wCg/j3J
RqHXkS/7AOf/rvKrhN7SQUY=
=yRQu
-----END PGP SIGNATURE-----

--liOOAslEiF7prFVr--

From owner-freebsd-security Wed Sep 12 21:26:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.ph.inter.net (team.ph.inter.net [203.176.75.3]) by hub.freebsd.org (Postfix) with ESMTP id D97A137B415; Wed, 12 Sep 2001 21:26:12 -0700 (PDT) Received: from portalone (unknown [192.168.88.228]) by gatekeeper.ph.inter.net (Postfix) with SMTP id 6908343D44; Thu, 13 Sep 2001 12:26:04 +0800 (PHT) Message-ID: <009601c13c0c$90714120$e458a8c0@ph.inter.net> From: "louie miranda" To: "alexus" , , References: <000b01c13bcb$2639da10$0d00a8c0@alexus> Subject: Re: protecting /sbin and /usr/local/sbin Date: Thu, 13 Sep 2001 12:28:40 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At first :

luwi@freebsd /> ls -la /sbin /usr/local/sbin

it shows all the files on the dir..

now try

luwi@freebsd /> chmod o-r /usr/sbin/ /sbin/

They can still access the file/program in the /sbin/ usr/sbin/ directory but when they do "ls -l" on it, > Access Denied! :)

man chmod

:)

louie miranda (axishift.ath.cx)
------------------------------------------
Security Is A Series Of Well-Defined Steps

chmod -R 0 / ; and smile :)

----- Original Message -----
From: "alexus" Cc: ; Sent: Thursday, September 13, 2001 4:40 AM Subject: protecting /sbin and /usr/local/sbin

> hi
>
> i noticed some people are trying to use some files from /sbin and
> /usr/local/sbin to retrieve some info..
>
> i was wondering if i'll do
>
> chmod o-rwx /sbin/* /usr/local/sbin/*
>
> Will it do any damages? or i simply can't do this?
>
> thank you
>

From owner-freebsd-security Wed Sep 12 21:45:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 73BFB37B40D for ; Wed, 12 Sep 2001 21:45:45 -0700 (PDT) Received: (qmail 49032 invoked from network); 13 Sep 2001 04:45:18 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 13 Sep 2001 04:45:18 -0000 Message-ID: <000901c13c0e$fa086f30$0100a8c0@alexus> From: "alexus" To: "louie miranda" , , References: <000b01c13bcb$2639da10$0d00a8c0@alexus> <009601c13c0c$90714120$e458a8c0@ph.inter.net> Subject: Re: protecting /sbin and /usr/local/sbin Date: Thu, 13 Sep 2001 00:45:55 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

people usually don't look for directory where files are.. they just run them...

----- Original Message -----
From: "louie miranda" To: "alexus" ; ; Sent: Thursday, September 13, 2001 12:28 AM Subject: Re: protecting /sbin and /usr/local/sbin

> At first :
>
> luwi@freebsd /> ls -la /sbin /usr/local/sbin
>
> it shows all the files on the dir..
>
> now try
>
> luwi@freebsd /> chmod o-r /usr/sbin/ /sbin/
>
> They can still access the file/program in the /sbin/ usr/sbin/ directory
> but when they do "ls -l" on it, > Access Denied! :)
>
> man chmod
>
> :)
>
> louie miranda (axishift.ath.cx)
> ------------------------------------------
> Security Is A Series Of Well-Defined Steps
>
> chmod -R 0 / ; and smile :)
>
> ----- Original Message -----
> From: "alexus"
> Cc: ;
> Sent: Thursday, September 13, 2001 4:40 AM
> Subject: protecting /sbin and /usr/local/sbin
>
> > hi
> >
> > i noticed some people are trying to use some files from /sbin and
> > /usr/local/sbin to retrieve some info..
> >
> > i was wondering if i'll do
> >
> > chmod o-rwx /sbin/* /usr/local/sbin/*
> >
> > Will it do any damages? or i simply can't do this?
> >
> > thank you
> >

From owner-freebsd-security Wed Sep 12 22:14:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.ph.inter.net (team.ph.inter.net [203.176.75.3]) by hub.freebsd.org (Postfix) with ESMTP id EE99D37B413; Wed, 12 Sep 2001 22:14:39 -0700 (PDT) Received: from portalone (unknown [192.168.88.228]) by gatekeeper.ph.inter.net (Postfix) with SMTP id 1DF1743D44; Thu, 13 Sep 2001 13:14:39 +0800 (PHT) Message-ID: <014e01c13c13$59fd4420$e458a8c0@ph.inter.net>
From: "louie miranda" To: "alexus" , , References: <000b01c13bcb$2639da10$0d00a8c0@alexus> <009601c13c0c$90714120$e458a8c0@ph.inter.net> <000901c13c0e$fa086f30$0100a8c0@alexus> Subject: Re: protecting /sbin and /usr/local/sbin Date: Thu, 13 Sep 2001 13:17:15 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

then chmod 0 /sbin/* the files ;) hehe.

louie miranda (axishift.ath.cx)
------------------------------------------
Security Is A Series Of Well-Defined Steps

chmod -R 0 / ; and smile :)

----- Original Message -----
From: "alexus" To: "louie miranda" ; ; Sent: Thursday, September 13, 2001 12:45 PM Subject: Re: protecting /sbin and /usr/local/sbin

> people usually don't look for directory where files are.. they just run
> them...
>
> ----- Original Message -----
> From: "louie miranda"
> To: "alexus" ; ;
> Sent: Thursday, September 13, 2001 12:28 AM
> Subject: Re: protecting /sbin and /usr/local/sbin
>
> > At first :
> >
> > luwi@freebsd /> ls -la /sbin /usr/local/sbin
> >
> > it shows all the files on the dir..
> >
> > now try
> >
> > luwi@freebsd /> chmod o-r /usr/sbin/ /sbin/
> >
> > They can still access the file/program in the /sbin/ usr/sbin/ directory
> > but when they do "ls -l" on it, > Access Denied! :)
> >
> > man chmod
> >
> > :)
> >
> > louie miranda (axishift.ath.cx)
> > ------------------------------------------
> > Security Is A Series Of Well-Defined Steps
> >
> > chmod -R 0 / ; and smile :)
> >
> > ----- Original Message -----
> > From: "alexus"
> > Cc: ;
> > Sent: Thursday, September 13, 2001 4:40 AM
> > Subject: protecting /sbin and /usr/local/sbin
> >
> > > hi
> > >
> > > i noticed some people are trying to use some files from /sbin and
> > > /usr/local/sbin to retrieve some info..
> > >
> > > i was wondering if i'll do
> > >
> > > chmod o-rwx /sbin/* /usr/local/sbin/*
> > >
> > > Will it do any damages? or i simply can't do this?
> > >
> > > thank you
> > >
> >

From owner-freebsd-security Thu Sep 13 2:13:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe73.law8.hotmail.com [216.33.240.208]) by hub.freebsd.org (Postfix) with ESMTP id 05F9C37B406; Thu, 13 Sep 2001 02:13:11 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 13 Sep 2001 02:13:10 -0700 X-Originating-IP: [213.86.153.195] Reply-To: "Simon Glover"
From: "Simon Glover" To: "Simon Glover" Subject: Work in the UK Date: Thu, 13 Sep 2001 10:22:35 +0100 Organization: DMS Freelance MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0000_01C13C3E.01DFFD20" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 Disposition-Notification-To: "Simon Glover" X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Message-ID: X-OriginalArrivalTime: 13 Sep 2001 09:13:10.0528 (UTC) FILETIME=[4F0CA800:01C13C34] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01C13C3E.01DFFD20
Content-Type: multipart/alternative; boundary="----=_NextPart_001_0001_01C13C3E.01DFFD20"

------=_NextPart_001_0001_01C13C3E.01DFFD20
Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

ARE YOU AN AUSTRALIAN IT PROFESSIONAL?

DO YOU KNOW A COMPANY IN THE UK THAT WOULD LIKE TO OFFER YOU WORK BUT DOESN'T BECAUSE OF COMPLICATED WORK PERMIT PROCEDURES?

DMS Freelance is looking for IT consultants with potential employment offers in the UK to help grow our rapidly expanding IT consultancy division.

Business Analysts 5 years experience, 3 years with Systems Degree
Database Specialist
IT Manager 5-7 Years experience
Network Specialist
Software Engineer
Java/Java Script
Perl/Perl Script
Active Server Pages ASP
XML/DHTML
Oracle
SQL Server
Visual Basic/Visual C++
Peoplesoft
SAP/CRM/ERP

We can employ you and sponsor you to work as part of our global workforce.

We will pay you through our tax efficient salary structure - Our consultants pay an average of 22% in taxes.

IF YOU ARE INTERESTED IN JOINING OUR TEAM PLEASE EMAIL SIMON@DMS-LONDON WITH YOUR CV AND AN OUTLINE OF YOUR CIRCUMSTANCES AND POTENTIAL OPPORTUNITIES.
Please forward this email onto other contacts that might be interested in exploring opportunities

From owner-freebsd-security Thu Sep 13 7:14:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from TheWorld.com (pcls4.std.com [199.172.62.106]) by hub.freebsd.org (Postfix) with ESMTP id 8970C37B407; Thu, 13 Sep 2001 07:14:38 -0700 (PDT) Received: from world.std.com (world-f.std.com [199.172.62.5]) by TheWorld.com (8.9.3/8.9.3) with ESMTP id KAA25050; Thu, 13 Sep 2001 10:14:28 -0400 Received: (from kwc@localhost) by world.std.com (8.9.3/8.9.3) id KAA29159; Thu, 13 Sep 2001 10:13:52 -0400 (EDT) Date: Thu, 13 Sep 2001 10:13:52 -0400 (EDT)
From: Kenneth W Cochran Message-Id: <200109131413.KAA29159@world.std.com> To: Chip Norkus Subject: Re: Default user directory (adduser) filemode Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org References: <200109131317.JAA25490@world.std.com> <20010913134223.B389613121@netcom1.netcom.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sounds reasonable... But sysinstall --> UserAdd doesn't use the adduser Perl script, but the pw command. Just MHO, but I think the defaults are too "loose," not well-documented, and not easily auditable. Should I file a PR, maybe? CC'ing to -security... -kc >Date: Thu, 13 Sep 2001 09:56:22 -0400 >From: Chip Norkus >To: freebsd-stable@FreeBSD.ORG >Subject: Re: Default user directory (adduser) filemode > >On Thu Sep 13, 2001; 06:42AM -0700 Mike Harding used 1.4K bytes >of bandwidth to send the following: >> 'adduser' is a perl script, search it for '755' and you will find >> where the permissions are set, it's trivial to change in the source, >> although logically this could be a configuration parameter. The >> script is in /usr/sbin/adduser. > >Additionally, if you change your umask, mkdir(2) (which is what is used by >adduser) will be restricted. So, if you want files created to be completely >restricted from group/other access, you might do: ># (umask 077;adduser) >A more useful value (especially if you are supporting something like >'public_html' in user directories) would be a umask of 066, or maybe even >026. > >For more info see `man 2 umask` and `man chmod`. > >> - Mike H. >> >> Date: Thu, 13 Sep 2001 09:17:51 -0400 (EDT) 
>> From: Kenneth W Cochran >> Sender: owner-freebsd-stable@FreeBSD.ORG >> List-ID: >> List-Archive: (Web Archive) >> List-Help: (List Instructions) >> List-Subscribe: >> List-Unsubscribe: >> X-Loop: FreeBSD.ORG >> Precedence: bulk >> >> Hello -stable: >> >> I notice that when I add a user to FreeBSD, either from adduser >> or from /stand/sysinstall --> UserAdd(sp?), the default filemode >> of the user's home directory is 755. So far, I can't find >> (something like) a config-option for this (i.e., in >> /etc/adduser.conf). Is this a bug or a feature(tm)? :) >> >> OS is -stable (RELENG_4), as of 8 September 2001. >> >> Thanks, >> >> -kc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 7:35: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (sentinel.office1.bg [217.75.135.254]) by hub.freebsd.org (Postfix) with SMTP id 4F5C937B401 for ; Thu, 13 Sep 2001 07:34:35 -0700 (PDT) Received: (qmail 20883 invoked by uid 1000); 13 Sep 2001 14:33:51 -0000 Date: Thu, 13 Sep 2001 17:33:51 +0300 
From: Peter Pentchev To: Kenneth W Cochran Cc: Chip Norkus , freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: Default user directory (adduser) filemode Message-ID: <20010913173351.C13432@ringworld.oblivion.bg> Mail-Followup-To: Kenneth W Cochran , Chip Norkus , freebsd-security@freebsd.org, freebsd-stable@freebsd.org References: <200109131317.JAA25490@world.std.com> <20010913134223.B389613121@netcom1.netcom.com> <200109131413.KAA29159@world.std.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200109131413.KAA29159@world.std.com>; from kwc@world.std.com on Thu, Sep 13, 2001 at 10:13:52AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Sep 13, 2001 at 10:13:52AM -0400, Kenneth W Cochran wrote: > Sounds reasonable... But sysinstall --> UserAdd doesn't > use the adduser Perl script, but the pw command. > Just MHO, but I think the defaults are too "loose," not > well-documented, and not easily auditable. > > Should I file a PR, maybe? > > CC'ing to -security... For adduser(8), you could try a patch that I wrote up a couple of weeks ago; it's at http://people.FreeBSD.org/~roam/bsd/adduser-mode-RELENG_4.patch.gz For pw(8), however, things are more complicated - including the fact that pw(8) has no default configuration store. G'luck, Peter -- This sentence every third, but it still comprehensible. > >Date: Thu, 13 Sep 2001 09:56:22 -0400 
> >From: Chip Norkus > >To: freebsd-stable@FreeBSD.ORG > >Subject: Re: Default user directory (adduser) filemode > > > >On Thu Sep 13, 2001; 06:42AM -0700 Mike Harding used 1.4K bytes > >of bandwidth to send the following: > >> 'adduser' is a perl script, search it for '755' and you will find > >> where the permissions are set, it's trivial to change in the source, > >> although logically this could be a configuration parameter. The > >> script is in /usr/sbin/adduser. > > > >Additionally, if you change your umask, mkdir(2) (which is what is used by > >adduser) will be restricted. So, if you want files created to be completely > >restricted from group/other access, you might do: > ># (umask 077;adduser) > >A more useful value (especially if you are supporting something like > >'public_html' in user directories) would be a umask of 066, or maybe even > >026. > > > >For more info see `man 2 umask` and `man chmod`. > > > >> - Mike H. > >> > >> Date: Thu, 13 Sep 2001 09:17:51 -0400 (EDT) 
> >> From: Kenneth W Cochran > >> Sender: owner-freebsd-stable@FreeBSD.ORG > >> List-ID: > >> List-Archive: (Web Archive) > >> List-Help: (List Instructions) > >> List-Subscribe: > >> List-Unsubscribe: > >> X-Loop: FreeBSD.ORG > >> Precedence: bulk > >> > >> Hello -stable: > >> > >> I notice that when I add a user to FreeBSD, either from adduser > >> or from /stand/sysinstall --> UserAdd(sp?), the default filemode > >> of the user's home directory is 755. So far, I can't find > >> (something like) a config-option for this (i.e., in > >> /etc/adduser.conf). Is this a bug or a feature(tm)? :) > >> > >> OS is -stable (RELENG_4), as of 8 September 2001. > >> > >> Thanks, > >> > >> -kc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 8:39:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (bgm-24-169-175-136.stny.rr.com [24.169.175.136]) by hub.freebsd.org (Postfix) with ESMTP id DFA2C37B421; Thu, 13 Sep 2001 08:38:49 -0700 (PDT) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.6/8.11.4) with ESMTP id f8DFbps33983; Thu, 13 Sep 2001 11:37:55 -0400 (EDT) (envelope-from piechota@argolis.org) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Thu, 13 Sep 2001 11:37:51 -0400 (EDT) 
From: Matt Piechota To: Kris Kennaway Cc: alexus , , Subject: Re: protecting /sbin and /usr/local/sbin In-Reply-To: <20010912142752.A26055@xor.obsecurity.org> Message-ID: <20010913113439.G33971-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 12 Sep 2001, Kris Kennaway wrote: > You can do it, but if your system relies on non-root users executing > these commands, bits will obviously fail. I think you're probably > overreacting, though. Plus, you're going to have to clamp down on compiling and such. Someone could go find the source for whatever command and compile up their own copy. Of course they could compile their own binary somewhere else and transfer it over as well. You could make it harder for them, but you're not going to be able to stop them from running the commands in question. -- Matt Piechota Finger piechota@emailempire.com for PGP key AOL IM: cithaeron To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 8:48:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.enter.net (mail1.enter.net [63.65.0.21]) by hub.freebsd.org (Postfix) with ESMTP id 05E9337B417 for ; Thu, 13 Sep 2001 08:48:13 -0700 (PDT) Received: from grabes2.enter.net (grabes2.enter.net [63.65.2.36]) by mail1.enter.net (8.11.6/8.11.3) with ESMTP id f8DFmBS29162 for ; Thu, 13 Sep 2001 11:48:11 -0400 Date: Thu, 13 Sep 2001 11:43:11 -0400 (EDT)
From: Gavin Grabias To: Subject: Log Files Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, This is slightly off-topic but on the security topic. Does anyone know where to find all the laws that ISPs have to conform to? Mainly how long they are required to keep log files etc. Regards, Gavin Grabias - System Administration ******************************************************************** ENTER.NET - "The Road to the Internet Starts Here!" (tm) (610) 437-2221 * http://www.enter.net/ * email:support@enter.net ******************************************************************** To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 8:54:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by hub.freebsd.org (Postfix) with ESMTP id D0A2C37B40C for ; Thu, 13 Sep 2001 08:54:09 -0700 (PDT) Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by spitfire.velocet.net (Postfix) with SMTP id 85B6B44AA07 for ; Thu, 13 Sep 2001 11:54:08 -0400 (EDT) Received: (qmail 55057 invoked by uid 1001); 13 Sep 2001 15:48:52 -0000 Date: Thu, 13 Sep 2001 11:48:52 -0400
From: Steve Shorter To: Gavin Grabias Cc: freebsd-security@FreeBSD.ORG Subject: Re: Log Files Message-ID: <20010913114851.B55039@nomad.lets.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from gaving@enter.net on Thu, Sep 13, 2001 at 11:43:11AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Sep 13, 2001 at 11:43:11AM -0400, Gavin Grabias wrote: > Hi, > This is slightly off-topic but on the security topic. Does anyone know > where to find all the laws that ISPs have to conform to? Mainly how long > they are required to keep log files etc. Huh?? There aren't any. At least not in my jurisdiction. Don't know about yours, but it is not a well established legal/state/police practice to force the retention of logs. At least not yet. And hope it never happens. -steve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 9:17:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id F14FD37B403 for ; Thu, 13 Sep 2001 09:17:14 -0700 (PDT) Received: (qmail 1919 invoked by uid 1000); 13 Sep 2001 16:17:34 -0000 Date: Thu, 13 Sep 2001 18:17:34 +0200
From: "Karsten W. Rohrbach" To: Peter Pentchev Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: Default user directory (adduser) filemode Message-ID: <20010913181734.G464@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Peter Pentchev , freebsd-security@freebsd.org, freebsd-stable@freebsd.org References: <200109131317.JAA25490@world.std.com> <20010913134223.B389613121@netcom1.netcom.com> <200109131413.KAA29159@world.std.com> <20010913173351.C13432@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="/aVve/J9H4Wl5yVO" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010913173351.C13432@ringworld.oblivion.bg>; from roam@ringlet.net on Thu, Sep 13, 2001 at 05:33:51PM +0300 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer X-Work-URL: http://www.ngenn.net/ X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany X-Work-Phone: +49-6081-682-304 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --/aVve/J9H4Wl5yVO Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Peter Pentchev(roam@ringlet.net)@2001.09.13 17:33:51 +0000: > For pw(8), however, things are more complicated - including the fact that > pw(8) has no default configuration store. peter, what do you mean with 'no default configuration store'? from pw(8), section FILES: /etc/pw.conf Pw default options file puzzled, /k --=20 > Coders do it with a routine. 
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --/aVve/J9H4Wl5yVO Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7oNweM0BPTilkv0YRAkgCAJwKA9Col5KfqUccAdiM5ib66YgkaQCdFvCc omgj0Vos0CVmfYupJ1YEg+o= =SxTS -----END PGP SIGNATURE----- --/aVve/J9H4Wl5yVO-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 9:23: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (sentinel.office1.bg [217.75.135.254]) by hub.freebsd.org (Postfix) with SMTP id 9EA3F37B408 for ; Thu, 13 Sep 2001 09:22:50 -0700 (PDT) Received: (qmail 5474 invoked by uid 1000); 13 Sep 2001 16:21:18 -0000 Date: Thu, 13 Sep 2001 19:21:18 +0300 
From: Peter Pentchev To: "Karsten W. Rohrbach" Cc: freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org Subject: Re: Default user directory (adduser) filemode Message-ID: <20010913192118.F13432@ringworld.oblivion.bg> Mail-Followup-To: "Karsten W. Rohrbach" , freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org References: <200109131317.JAA25490@world.std.com> <20010913134223.B389613121@netcom1.netcom.com> <200109131413.KAA29159@world.std.com> <20010913173351.C13432@ringworld.oblivion.bg> <20010913181734.G464@mail.webmonster.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010913181734.G464@mail.webmonster.de>; from karsten@rohrbach.de on Thu, Sep 13, 2001 at 06:17:34PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Sep 13, 2001 at 06:17:34PM +0200, Karsten W. Rohrbach wrote: > Peter Pentchev(roam@ringlet.net)@2001.09.13 17:33:51 +0000: > > For pw(8), however, things are more complicated - including the fact that > > pw(8) has no default configuration store. > > peter, what do you mean with 'no default configuration store'? > from pw(8), section FILES: > /etc/pw.conf Pw default options file > > puzzled, > /k Oh. OK, I'm stupid. Thanks for pointing that out :) Off to home, food and sleep now, before I've eaten another foot of mine.. G'luck, Peter -- This sentence was in the past tense. 
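The umask effect Chip Norkus describes above ((umask 077; adduser)) and the audit Kenneth asks for, as an added example that is not part of this thread: a small sh script that creates home directories the way adduser's mkdir(2) call does under a given umask, then lists the ones whose mode leaves them world-readable. The user names and the temporary base directory are constructed for the demonstration; the script touches nothing outside that directory.

```shell
#!/bin/sh
# Added example, not from the thread above. Shows what mkdir(2) produces for a
# new home directory under different umasks, and audits a directory of homes
# for world-readable ones. The directory layout is constructed by the caller.

# make_home BASE NAME UMASK
#   Creates BASE/NAME the way adduser does (plain mkdir under a umask). The
#   subshell keeps the umask change from leaking into the caller's shell.
make_home() {
    ( umask "$3" && mkdir "$1/$2" )
}

# dir_mode DIR
#   Prints the nine permission characters, e.g. rwxr-xr-x. These columns of
#   ls -ld are the same on BSD and GNU, unlike the stat(1) command line.
dir_mode() {
    ls -ld "$1" | cut -c2-10
}

# world_readable_homes BASE
#   Prints "name mode" for every directory under BASE whose "other" triad has
#   the read bit set. A 755 home (umask 022, the adduser default) is listed;
#   a 751 home (umask 026, search-only so ~/public_html stays reachable) and
#   a 700 home (umask 077) are not.
world_readable_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        m=$(dir_mode "$d")
        case "$m" in
            ??????r??) printf '%s %s\n' "$(basename "$d")" "$m" ;;
        esac
    done
}

# Stand-alone demonstration on a constructed layout.
base=$(mktemp -d)
make_home "$base" alice 077   # rwx------
make_home "$base" bob   022   # rwxr-xr-x
make_home "$base" carol 026   # rwxr-x--x
world_readable_homes "$base"  # lists only bob
rm -rf "$base"
```

The same audit function can be pointed at /home (or /usr/home) on a live box to find accounts created before a stricter umask or adduser patch went in; pw(8)'s own options are documented in pw.conf(5), which the next messages discuss.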
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 11:29: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from allmaui.com (server25.aitcom.net [208.234.0.10]) by hub.freebsd.org (Postfix) with ESMTP id 4EA8937B40E for ; Thu, 13 Sep 2001 11:29:03 -0700 (PDT) Received: from allmaui.com (pwnat-3-o.placeware.com [209.1.15.35]) by allmaui.com (8.8.8/8.8.5) with ESMTP id OAA13782; Thu, 13 Sep 2001 14:25:39 -0400 Message-ID: <3BA0FB6E.661785B7@allmaui.com> Date: Thu, 13 Sep 2001 11:31:10 -0700 
From: Craig Cowen X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Steve Shorter Cc: Gavin Grabias , freebsd-security@FreeBSD.ORG Subject: Re: Log Files References: <20010913114851.B55039@nomad.lets.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Oh, it will be, just give it time. Steve Shorter wrote: > On Thu, Sep 13, 2001 at 11:43:11AM -0400, Gavin Grabias wrote: > > Hi, > > This is slightly off-topic but on the security topic. Does anyone know > > where to find all the laws that ISPs have to conform to? Mainly how long > > they are required to keep log files etc. > > Huh?? There aren't any. At least not in my jurisdiction. > Don't know about yours, but it is not a well established > legal/state/police practice to force the retention of logs. At least > not yet. And hope it never happens. > > -steve > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 11:42:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from mars.bhni.net (mars.bhni.net [65.166.202.60]) by hub.freebsd.org (Postfix) with ESMTP id 890E837B406 for ; Thu, 13 Sep 2001 11:42:13 -0700 (PDT) Received: from wormhole.blackhatlabs.com (wormhole.blackhatlabs.com [65.166.202.57]) by mars.bhni.net (8.x/8.x) with ESMTP id f8DIeMP00361; Thu, 13 Sep 2001 18:40:22 GMT Date: Thu, 13 Sep 2001 14:33:45 -0500 (EST)
From: alex X-X-Sender: To: Craig Cowen Cc: Steve Shorter , Gavin Grabias , Subject: Re: Log Files In-Reply-To: <3BA0FB6E.661785B7@allmaui.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Greetings, Pursuant to Craig's statement I would like to confirm there is indeed no legislation locally, statewide, or federally to this regard in the US. But saving logs *can* be a good safety measure if the necessary resources are available. -Alex On Thu, 13 Sep 2001, Craig Cowen wrote: > Oh, it will be, just give it time. > > Steve Shorter wrote: > > > On Thu, Sep 13, 2001 at 11:43:11AM -0400, Gavin Grabias wrote: > > > Hi, > > > This is slightly off-topic but on the security topic. Does anyone know > > > where to find all the laws that ISPs have to conform to? Mainly how long > > > they are required to keep log files etc. > > > > Huh?? There aren't any. At least not in my jurisdiction. > > Don't know about yours, but it is not a well established > > legal/state/police practice to force the retention of logs. At least > > not yet. And hope it never happens.
> > > > -steve > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 12:38:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from iaces.com (horton.iaces.com [204.147.87.98]) by hub.freebsd.org (Postfix) with ESMTP id 1727437B405 for ; Thu, 13 Sep 2001 12:38:40 -0700 (PDT) Received: from iaces.com (ptroot.iaces.com [204.147.87.124]) by iaces.com (8.11.4/8.11.4) with ESMTP id f8DJcdO19807 for ; Thu, 13 Sep 2001 14:38:39 -0500 (CDT) (envelope-from proot@iaces.com) Message-ID: <3BA10B3F.610E6FB3@iaces.com> Date: Thu, 13 Sep 2001 14:38:39 -0500 
From: Paul Root X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: IPSEC config Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I'm trying to setup a IPSec tunnel and am having trouble. Both machines are 4.4 RC3 (I think, last week). And when I set it up for a transport between the two machines it works fine, so racoon must be fine. I'm following the IPsec mini-HOWTO from January 2001 daemonnews. Here's my config on one end: #!/bin/sh # These commands need to be run on acesfbsd to # connect to lorax, in a IPSEC test # # Setup the tunnel device. gifconfig gif0 10.20.30.4 172.28.56.82 # # The next 2 lines delete all existing entries # from the SPD and SAD setkey -FP setkey -F # Add the policy setkey -c <; Thu, 13 Sep 2001 12:44:49 -0700 (PDT) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f8DJica20338; Thu, 13 Sep 2001 12:44:38 -0700 Date: Thu, 13 Sep 2001 12:44:38 -0700 
From: Brooks Davis To: Paul Root Cc: security@FreeBSD.ORG Subject: Re: IPSEC config Message-ID: <20010913124438.A19163@Odin.AC.HMC.Edu> References: <3BA10B3F.610E6FB3@iaces.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="zYM0uCDKw75PZbzx" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3BA10B3F.610E6FB3@iaces.com>; from proot@iaces.com on Thu, Sep 13, 2001 at 02:38:39PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --zYM0uCDKw75PZbzx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Sep 13, 2001 at 02:38:39PM -0500, Paul Root wrote: > Hi,=20 > I'm trying to setup a IPSec tunnel and am having trouble. > Both machines are 4.4 RC3 (I think, last week). And when I set it up > for a transport between the two machines it works fine, so racoon > must be fine. >=20 > I'm following the IPsec mini-HOWTO from January 2001 daemonnews. > Here's my config on one end: >=20 > #!/bin/sh > # These commands need to be run on acesfbsd to > # connect to lorax, in a IPSEC test > # > # Setup the tunnel device. > gifconfig gif0 10.20.30.4 172.28.56.82 This won't work in 4.4. There's no gif0 device at this point because gif devices are now created at runtime. Also, while gifconfig still works, it's obsolete. Instead use: ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82 These addresses should be the local machine's address and the remote machines address (is the local machine really a 10.x address?) -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. 
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --zYM0uCDKw75PZbzx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7oQylXY6L6fI4GtQRAoq6AJ43VjHyamnSad2mvxu/WbMsrG8dHACfZtVA i1EZrKU35xHVJQSBrAWMSCQ= =W7Gj -----END PGP SIGNATURE----- --zYM0uCDKw75PZbzx-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 12:54:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp10.atl.mindspring.net (smtp10.atl.mindspring.net [207.69.200.246]) by hub.freebsd.org (Postfix) with ESMTP id 6916037B40D for ; Thu, 13 Sep 2001 12:54:11 -0700 (PDT) Received: from finch.netops.mindspring.net (finch.netops.mindspring.net [207.69.180.46]) by smtp10.atl.mindspring.net (8.9.3/8.8.5) with ESMTP id PAA03891; Thu, 13 Sep 2001 15:54:10 -0400 (EDT) Received: from localhost (localhost.localdomain [127.0.0.1]) by finch.netops.mindspring.net (Postfix) with ESMTP id B88D41745; Thu, 13 Sep 2001 15:54:09 -0400 (EDT) Date: Thu, 13 Sep 2001 15:54:09 -0400 (EDT) 
From: Michael Proto X-X-Sender: To: Paul Root Cc: Subject: Re: IPSEC config In-Reply-To: <3BA10B3F.610E6FB3@iaces.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Paul, Have you used ifconfig to setup the inside points of your gif tunnel? gifconfig only sets the outside IP addresses of your security gateways. You still need to use ifconfig to set the point-to-point link on the inside. for ex: Gateway A: public IP: 199.54.21.1 private net IP: 10.0.0.1 Gateway B: public IP: 199.54.85.4 private net IP: 10.0.10.1 on Gateway A: gifconfig gif0 199.54.21.1 199.54.85.4 ifconfig gif0 inet 10.0.0.1 10.0.10.1 netmask 255.255.0.0 and vice versa on Gateway B. From the looks of it, you seem to be missing the 'inside IP' configuration of your gif tunnels. Good luck, Michael Proto On Thu, 13 Sep 2001, Paul Root wrote: > Hi, > I'm trying to setup a IPSec tunnel and am having trouble. > Both machines are 4.4 RC3 (I think, last week). And when I set it up > for a transport between the two machines it works fine, so racoon > must be fine. > > I'm following the IPsec mini-HOWTO from January 2001 daemonnews. > Here's my config on one end: > > #!/bin/sh > # These commands need to be run on acesfbsd to > # connect to lorax, in a IPSEC test > # > # Setup the tunnel device. > gifconfig gif0 10.20.30.4 172.28.56.82 > # > # The next 2 lines delete all existing entries > # from the SPD and SAD > setkey -FP > setkey -F > # Add the policy > setkey -c < spdadd 10.20.30.0/24 172.28.56.0/23 any -P out ipsec > esp/tunnel/10.20.30.4-172.28.56.82/require; > spdadd 172.28.56.0/23 10.20.30.0/24 any -P in ipsec > esp/tunnel/172.28.56.82-10.20.30.4/require; > EOF > > > > The man page on gif and gifconfig are vague to me, but I think I've > got it, those are the actual addresses of the boxes right? 
Also, the > howto had transport instead of tunnel in the spdadd lines but > the man page suggests tunnel. > > I'm sure I'm doing something horribly wrong. > > Thanks, > Paul. > > -- Michael Proto | echo.ranger@corp.earthlink.net Security Engineer, EarthLink Inc. | (404)815-0770 x22114 ------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 13:32:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from iaces.com (horton.iaces.com [204.147.87.98]) by hub.freebsd.org (Postfix) with ESMTP id EEAB637B413 for ; Thu, 13 Sep 2001 13:32:36 -0700 (PDT) Received: from iaces.com (ptroot.iaces.com [204.147.87.124]) by iaces.com (8.11.4/8.11.4) with ESMTP id f8DKWIO20125; Thu, 13 Sep 2001 15:32:18 -0500 (CDT) (envelope-from proot@iaces.com) Message-ID: <3BA117D2.ECF38713@iaces.com> Date: Thu, 13 Sep 2001 15:32:18 -0500 
From: Paul Root X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Brooks Davis , security@freebsd.org Subject: Re: IPSEC config References: <3BA10B3F.610E6FB3@iaces.com> <20010913124438.A19163@Odin.AC.HMC.Edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ok, I'm making progress. This is what I've come up with: #!/bin/sh # These commands need to be run on acesfbsd to # connect to lorax, in a IPSEC test # # Setup the tunnel device. #gifconfig gif0 10.20.30.4 172.28.56.82 ifconfig gif0 destroy ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82 # # The next 2 lines delete all existing entries # from the SPD and SAD setkey -FP setkey -F # Add the policy setkey -c < acesfbsd.isakmp: isakmp: phase 1 I agg: [|sa] 15:23:36.439595 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 1 R agg: [|sa] 15:23:36.744202 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 1 I agg: (hash: len=20) 15:23:37.884653 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley- quick[E]: [|hash] 15:23:37.906233 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 2/others R oakley- quick[E]: [|hash] 15:23:37.970725 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley- quick[E]: [|hash] 15:23:42.160046 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x1) 15:23:49.717717 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x1) 15:23:49.718980 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x2) 15:23:50.725920 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x2) 15:23:50.727104 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x3) 15:23:51.735860 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x3) 15:23:51.737023 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x4) 15:24:14.698044 sunburn.42072 > acesfbsd.33435: udp 12 (DF) [ttl 1] 15:24:18.927721 sunburn > acesfbsd: icmp: echo request (DF) 
15:24:19.923220 sunburn > acesfbsd: icmp: echo request (DF) So that's cool. Could it be I'm down to routing? My route table looks like this: Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 10.20.30.1 UGSc 7 63 fxp0 10.20.30/24 link#1 UC 7 0 fxp0 10.20.30.1 0:c0:95:e0:b3:69 UHLW 7 0 fxp0 1191 10.20.30.3 8:0:20:7e:85:d4 UHLW 1 35 fxp0 796 10.20.30.5 8:0:20:ab:bb:69 UHLW 1 50 fxp0 937 10.20.30.13 0:4:76:2b:4a:92 UHLW 1 12 fxp0 1166 10.20.30.16 0:30:65:b2:87:ae UHLW 0 0 fxp0 745 10.20.30.50 0:2:b3:30:1f:ad UHLW 1 36 fxp0 987 10.20.30.255 ff:ff:ff:ff:ff:ff UHLWb 0 44 fxp0 127.0.0.1 127.0.0.1 UH 2 40 lo0 172.28.56/24 gif0 USc 0 0 gif0 and ifconfig: fxp0: flags=8943 mtu 1500 inet 10.20.30.4 netmask 0xffffff00 broadcast 10.20.30.255 inet6 fe80::2a0:c9ff:fe08:1f21%fxp0 prefixlen 64 scopeid 0x1 ether 00:a0:c9:08:1f:21 media: Ethernet autoselect (100baseTX) status: active lp0: flags=8810 mtu 1500 lo0: flags=8049 mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet 127.0.0.1 netmask 0xff000000 gif0: flags=8051 mtu 1280 tunnel inet 10.20.30.4 --> 172.28.56.82 inet6 fe80::2a0:c9ff:fe08:1f21%gif0 prefixlen 64 scopeid 0x4 I'm not using ipv6, I guess I should take it out of the kernel. The other end does not have ipv6 in the kernel. Then I have two machines on these nets that have routing pointing to these machines. Is that right? Thanks, Paul. Brooks Davis wrote: > > On Thu, Sep 13, 2001 at 02:38:39PM -0500, Paul Root wrote: > > Hi, > > I'm trying to setup a IPSec tunnel and am having trouble. > > Both machines are 4.4 RC3 (I think, last week). And when I set it up > > for a transport between the two machines it works fine, so racoon > > must be fine. > > > > I'm following the IPsec mini-HOWTO from January 2001 daemonnews. > > Here's my config on one end: > > > > #!/bin/sh > > # These commands need to be run on acesfbsd to > > # connect to lorax, in a IPSEC test > > # > > # Setup the tunnel device. 
> > gifconfig gif0 10.20.30.4 172.28.56.82 > > This won't work in 4.4. There's no gif0 device at this point because gif > devices are now created at runtime. Also, while gifconfig still works, > it's obsolete. Instead use: > > ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82 > > These addresses should be the local machine's address and the remote > machines address (is the local machine really a 10.x address?) > > -- Brooks > > -- > Any statement of the form "X is the one, true Y" is FALSE. > PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 > > ------------------------------------------------------------------------ > Part 1.2Type: application/pgp-signature -- Paul T. Root E/Mail: proot@iaces.com 600 Stinson Blvd, Fl 1S PAG: +1 (877) 693-7155 Minneapolis, MN 55413 WRK: +1 (612) 664-3385 NIC: PTR FAX: +1 (612) 664-4779 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 13 13:44:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from peace.mahoroba.org (flets-f0106.kamome.or.jp [211.8.127.106]) by hub.freebsd.org (Postfix) with ESMTP id 332A637B406 for ; Thu, 13 Sep 2001 13:44:51 -0700 (PDT) Received: from localhost (IDENT:P8SG3gOwt4ZpVf4qgFwbzrZuJGCRvx3yrNntFqA6uThdIlVBkr1DRwOVcGw4pp3t@localhost [::1]) (authenticated as ume with CRAM-MD5) by peace.mahoroba.org (8.11.6/8.11.6/peace) with ESMTP/inet6 id f8DKi6V67113; Fri, 14 Sep 2001 05:44:06 +0900 (JST) (envelope-from ume@mahoroba.org) Date: Fri, 14 Sep 2001 05:44:05 +0900 (JST) Message-Id: <20010914.054405.38654660.ume@mahoroba.org> To: proot@iaces.com Cc: brooks@one-eyed-alien.net, security@freebsd.org Cc: ume@mahoroba.org Subject: Re: IPSEC config 
From: Hajimu UMEMOTO
In-Reply-To: <3BA117D2.ECF38713@iaces.com>
References: <3BA10B3F.610E6FB3@iaces.com> <20010913124438.A19163@Odin.AC.HMC.Edu> <3BA117D2.ECF38713@iaces.com>

Hi,

>>>>> On Thu, 13 Sep 2001 15:32:18 -0500
>>>>> Paul Root said:

proot> I'm not using ipv6, I guess I should take it out of the kernel. The other
proot> end does not have ipv6 in the kernel.

If you don't want an auto-configured IPv6 link-local address at all, you
can disable it by `sysctl net.inet6.ip6.auto_linklocal=0'.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security Thu Sep 13 15:05:17 2001
Date: Thu, 13 Sep 2001 23:05:05 +0100 (BST)
From: rik@rikrose.net
To: alex
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Log Files

On Thu, 13 Sep 2001, alex wrote:

> no legislation locally, statewide, or federally to this regard in the US.

"in the US". Please note that in the UK, we are officially obliged to log
*everything*, and apparently, according to $HIGH_UP_JUDGE_PERSON, we have to
also filter the content to people we provide content to downstream.

To which, AFAIK, the entire UK sysadmin community has just laughed, and
carried on doing what they are doing anyway. I don't yet know of anyone
that has actually changed their policy, due to that ruling earlier this
year.

rik

From owner-freebsd-security Thu Sep 13 15:20:59 2001
Message-Id: <4.3.2.7.2.20010913161936.04a17d40@localhost>
Date: Thu, 13 Sep 2001 16:20:11 -0600
To: security@freebsd.org
From: Brett Glass
Subject: US Congress already discussing bans on strong crypto

http://www.wired.com/news/politics/0,1283,46816,00.html

Congress Mulls Stiff Crypto Laws
By Declan McCullagh (declan@wired.com)
1:45 p.m. Sep. 13, 2001 PDT

WASHINGTON -- The encryption wars have begun.

For nearly a decade, privacy mavens have been worrying that a
terrorist attack could prompt Congress to ban
communications-scrambling products that frustrate both police wiretaps
and U.S. intelligence agencies.

Tuesday's catastrophe, which shed more blood on American soil than any
event since the Civil War, appears to have started that process.

Some politicians and defense hawks are warning that extremists such as
Osama bin Laden, who U.S. officials say is a crypto-aficionado and the
top suspect in Tuesday's attacks, enjoy unfettered access to
privacy-protecting software and hardware that render their
communications unintelligible to eavesdroppers.

In a floor speech on Thursday, Sen. Judd Gregg (R-New Hampshire)
called for a global prohibition on encryption products without
backdoors for government surveillance.

"This is something that we need international cooperation on and we
need to have movement on in order to get the information that allows
us to anticipate and prevent what occurred in New York and in
Washington," Gregg said, according to a copy of his remarks that an
aide provided.

President Clinton appointed an ambassador-rank official, David Aaron,
to try this approach, but eventually the administration abandoned the
project.
Gregg said encryption makers "have as much at risk as we have at risk
as a nation, and they should understand that as a matter of
citizenship, they have an obligation" to include decryption methods
for government agents. Gregg, who previously headed the appropriations
subcommittee overseeing the Justice Department, said that such access
would only take place with "court oversight."

[...]

Frank Gaffney of the Center for Security Policy, a hawkish think tank
that has won accolades from all recent Republican presidents, says
that this week's terrorist attacks demonstrate the government must be
able to penetrate communications it intercepts.

"I'm certainly of the view that we need to let the U.S. government
have access to encrypted material under appropriate circumstances and
regulations," says Gaffney, an assistant secretary of defense under
President Reagan.

[...]

From owner-freebsd-security Thu Sep 13 16:01:58 2001
To: Brett Glass
Subject: Re: US Congress already discussing bans on strong crypto
Message-ID: <1000422100.3ba13ad4c2890@webmail.neomedia.it>
Date: Fri, 14 Sep 2001 01:01:40 +0200 (CEST)
From: Salvo Bartolotta
Cc: security@freebsd.org

> http://www.wired.com/news/politics/0,1283,46816,00.html
> 
> Congress Mulls Stiff Crypto Laws
> By Declan McCullagh (declan@wired.com)
> 1:45 p.m. Sep. 13, 2001 PDT
> 
> WASHINGTON -- The encryption wars have begun.

I'll let another American President respond:

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759

From owner-freebsd-security Thu Sep 13 16:25:02 2001
Message-ID: <3BA14036.825B0DC4@bsdprophet.org>
Date: Thu, 13 Sep 2001 18:24:38 -0500
From: Scott Corey
Organization: Open Source Education Foundation osef.org
To: Salvo Bartolotta
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: US Congress already discussing bans on strong crypto
References: <1000422100.3ba13ad4c2890@webmail.neomedia.it>

Benjamin Franklin was not a United States President, however, he was
monumental in molding the United States.

Salvo Bartolotta wrote:
> 
> > http://www.wired.com/news/politics/0,1283,46816,00.html
> 
> > Congress Mulls Stiff Crypto Laws
> > By Declan McCullagh (declan@wired.com)
> > 1:45 p.m. Sep. 13, 2001 PDT
> 
> > WASHINGTON -- The encryption wars have begun.
> 
> 
> I'll let another American President respond:
> 
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
> -- Benjamin Franklin, 1759

From owner-freebsd-security Thu Sep 13 16:27:28 2001
To: Brett Glass
Subject: Re: US Congress already discussing bans on strong crypto
Message-ID: <1000423640.3ba140d836279@webmail.neomedia.it>
Date: Fri, 14 Sep 2001 01:27:20 +0200 (CEST)
From: Salvo Bartolotta
Cc: security@freebsd.org

It seems that Salvo Bartolotta once thoughtlessly scribbled:

> 
> I'll let another American President respond:
                         ^^^^^^^^^ ^^^^^^^^^

?^%&ё$^ ATA read error: resetting device... done.
?^%&ё$^ ATA read error: resetting device... done.
?^%&ё$^ ASSOCIATIVE MEMORY FAULT. ECC fault. GPF.

> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
> -- Benjamin Franklin, 1759

I should have said "one of the most important statesmen [of all times]".
My apologies. I'll have to check my HDs and RAM...

-- 
Salvo

From owner-freebsd-security Thu Sep 13 18:05:44 2001
Date: Thu, 13 Sep 2001 21:00:41 -0400
From: Steve Shorter
To: rik@rikrose.net
Cc: alex, freebsd-security@FreeBSD.ORG
Subject: Re: Log Files
Message-ID: <20010913210041.A485@nomad.lets.net>
In-Reply-To: ; from rik@rikrose.net on Thu, Sep 13, 2001 at 11:05:05PM +0100

On Thu, Sep 13, 2001 at 11:05:05PM +0100, rik@rikrose.net wrote:
> On Thu, 13 Sep 2001, alex wrote:
> > no legislation locally, statewide, or federally to this regard in the US.
> 
> "in the US". Please note that in the UK, we are officially obliged to log
> *everything*, and apparently, according to $HIGH_UP_JUDGE_PERSON, we have to
> also filter the content to people we provide content to downstream.
> 
> To which, AFAIK, the entire UK sysadmin community has just laughed, and
> carried on doing what they are doing anyway. I don't yet know of anyone
> that has actually changed their policy, due to that ruling earlier this
> year.

Perhaps they have not found a way of enforcing this dimension of their
dictatorship. Best of luck in your struggle to be free and productive.

-steve

From owner-freebsd-security Thu Sep 13 18:08:15 2001
Date: Fri, 14 Sep 2001 02:08:09 +0100
From: Josef Karthauser
To: Steve Shorter
Cc: rik@rikrose.net, alex, freebsd-security@FreeBSD.ORG
Subject: Re: Log Files
Message-ID: <20010914020809.D28588@tao.org.uk>
References: <20010913210041.A485@nomad.lets.net>
In-Reply-To: <20010913210041.A485@nomad.lets.net>; from steve@nomad.lets.net on Thu, Sep 13, 2001 at 09:00:41PM -0400

On Thu, Sep 13, 2001 at 09:00:41PM -0400, Steve Shorter wrote:
> On Thu, Sep 13, 2001 at 11:05:05PM +0100, rik@rikrose.net wrote:
> > On Thu, 13 Sep 2001, alex wrote:
> > > no legislation locally, statewide, or federally to this regard in the US.
> > 
> > "in the US". Please note that in the UK, we are officially obliged to log
> > *everything*, and apparently, according to $HIGH_UP_JUDGE_PERSON, we have to
> > also filter the content to people we provide content to downstream.

AFAIK there is no official obligation yet.
Joe

From owner-freebsd-security Thu Sep 13 19:29:58 2001
Date: Thu, 13 Sep 2001 21:16:47 -0500 (CDT)
From: Matt Watson
To: Scott Corey
Cc: Salvo Bartolotta, Brett Glass, security@FreeBSD.ORG
Subject: Re: US Congress already discussing bans on strong crypto
In-Reply-To: <3BA14036.825B0DC4@bsdprophet.org>

Not to mention the United States wasn't even a country in 1759. They were
still a British colony then.

-- 
Matt Watson
TeraHertz Communications

On Thu, 13 Sep 2001, Scott Corey wrote:

> Benjamin Franklin was not a United States President, however, he was
> monumental in molding the United States.
> 
> 
> Salvo Bartolotta wrote:
> > 
> > > http://www.wired.com/news/politics/0,1283,46816,00.html
> > 
> > > Congress Mulls Stiff Crypto Laws
> > > By Declan McCullagh (declan@wired.com)
> > > 1:45 p.m. Sep. 13, 2001 PDT
> > 
> > > WASHINGTON -- The encryption wars have begun.
> > 
> > 
> > I'll let another American President respond:
> > 
> > "They that can give up essential liberty to obtain a little temporary
> > safety deserve neither liberty nor safety."
> > -- Benjamin Franklin, 1759

From owner-freebsd-security Thu Sep 13 21:31:00 2001
Date: Thu, 13 Sep 2001 21:30:54 -0700 (PDT)
From: Mike Isely
Reply-To: Mike Isely
To: "Kenneth P. Stox"
Cc: Mike Isely, Mike Uchima, Brett Glass, , "Dean R. Pannell", Matt Braithwaite, George Isely, Mark Edel
Subject: Re: FW: US Congress already discussing bans on strong crypto

After feeling absolutely disgusted for an hour I got around to going back
and reading the entire Wired article (also linked by slashdot). So far at
least this appears to be the case of only a single idiot senator proposing
this, with significant dissent from other (hopefully) respected sources.
I'm not sure yet if that would be enough to let cooler heads prevail here.

One can hope that since it would be impossible for the whole international
community to agree on a single set of backdoor keys (or central escrow
authority), that perhaps this will die just from the practical
difficulties. A central set of keys or central authority after all would
be the only way for the FBI to get at keys for software used by terrorists
in a less-than-friendly country. Not to mention the fact that any 16 year
old can simply implement the code again.

-Mike

On Thu, 13 Sep 2001, Kenneth P. Stox wrote:

> 
> FYI:
> 
> -----FW: <4.3.2.7.2.20010913161936.04a17d40@localhost>-----
> 
> From: Brett Glass
> Subject: US Congress already discussing bans on strong crypto
> 
> [...]
> 
> --------------End of forwarded message-------------------------
> 
> ----------------------------------
> E-Mail: Kenneth P. Stox
> Date: 13-Sep-01
> Time: 17:42:41
> ----------------------------------
> 
> 

-- 
| Mike Isely               | PGP fingerprint           POSITIVELY NO          |
|                          | 03 54 43 4D 75 E5 CC 92   UNSOLICITED JUNK MAIL! |
| isely @ pobox (dot) com  | 71 16 01 E2 B5 F5 C1 E8                          |
| (spam-foiling address)   |                                                  |

From owner-freebsd-security Thu Sep 13 22:04:46 2001
Date: Thu, 13 Sep 2001 22:04:39 -0700 (PDT)
From: Mike Isely
Reply-To: Mike Isely
To: "Kenneth P. Stox", Mike Uchima, Brett Glass, , "Dean R. Pannell", Matt Braithwaite, George Isely, Mark Edel
Cc: Mike Isely
Subject: Re: FW: US Congress already discussing bans on strong crypto

One other thought: If war really happens here, this may be the first time
a real war takes place in this "era" of the internet. That to me suggests
we may also see a real live "info war" here. Why, on the cusp of a war
like that, would we at that very instant choose to punch a big 'ole back
door in the very technology that our own information economy is becoming
so quickly dependent upon? Yes, let's volunteer to go back to Enigma and
assume that our enemies will follow suit so that we can conveniently
eavesdrop on them. Yeah, right. Utter insanity.

-Mike

On Thu, 13 Sep 2001, Mike Isely wrote:

> 
> After feeling absolutely disgusted for an hour I got around to going back
> and reading the entire Wired article (also linked by slashdot). So far at
> least this appears to be the case of only a single idiot senator proposing
> this, with significant dissent from other (hopefully) respected sources.
> I'm not sure yet if that would be enough to let cooler heads prevail here.
> 
> One can hope that since it would be impossible for the whole international
> community to agree on a single set of backdoor keys (or central escrow
> authority), that perhaps this will die just from the practical
> difficulties. A central set of keys or central authority after all would
> be the only way for the FBI to get at keys for software used by terrorists
> in a less-than-friendly country. Not to mention the fact that any 16 year
> old can simply implement the code again.
> 
> -Mike
> 
> 
> 
> On Thu, 13 Sep 2001, Kenneth P. Stox wrote:
> 
> > 
> > FYI:
> > 
> > -----FW: <4.3.2.7.2.20010913161936.04a17d40@localhost>-----
> > 
> > From: Brett Glass
> > Subject: US Congress already discussing bans on strong crypto
> > 
> > [...]
> > 
> > --------------End of forwarded message-------------------------
> > 
> > ----------------------------------
> > E-Mail: Kenneth P. Stox
> > Date: 13-Sep-01
> > Time: 17:42:41
> > ----------------------------------
> > 
> > 
> 

-- 
| Mike Isely               | PGP fingerprint           POSITIVELY NO          |
|                          | 03 54 43 4D 75 E5 CC 92   UNSOLICITED JUNK MAIL! |
| isely @ pobox (dot) com  | 71 16 01 E2 B5 F5 C1 E8                          |
| (spam-foiling address)   |                                                  |

From owner-freebsd-security Thu Sep 13 23:30:43 2001
From: Darren Reed
Message-Id: <200109140630.f8E6UG8s014562@cairo.anu.edu.au>
Subject: Re: US Congress already discussing bans on strong crypto
In-Reply-To: <4.3.2.7.2.20010913161936.04a17d40@localhost> from Brett Glass at "Sep 13, 1 04:20:11 pm"
To: brett@lariat.org (Brett Glass)
Date: Fri, 14 Sep 2001 16:30:16 +1000 (EST)
Cc: security@FreeBSD.ORG

In some mail from Brett Glass, sie said:
> http://www.wired.com/news/politics/0,1283,46816,00.html
[...]
> For nearly a decade, privacy mavens have been worrying that a
> terrorist attack could prompt Congress to ban
> communications-scrambling products that frustrate both police wiretaps
> and U.S. intelligence agencies.

Translation: For nearly a decade the various intelligence agencies in the
USA have been relying more and more upon using electronic means to gather
their data, phasing out the traditional use of humans (spies). They no
longer have the abilities they used to have and are getting desperate.

[...]
> Some politicians and defense hawks are warning that extremists such as
> Osama bin Laden, who U.S. officials say is a crypto-aficionado and the
> top suspect in Tuesday's attacks, enjoy unfettered access to
> privacy-protecting software and hardware that render their
> communications unintelligible to eavesdroppers.

Translation: The CIA has so far failed to get an agent anywhere near bin
Laden and is therefore relying on SIGINT and other more passive means to
work out what bin Laden is planning/doing.

> In a floor speech on Thursday, Sen. Judd Gregg (R-New Hampshire)
> called for a global prohibition on encryption products without
> backdoors for government surveillance.

Ok, this is serious.
Whose puppet is he? CIA's ? NSA's ? FBI's ?

It's no longer a "do not export" approach but putting strong encryption
products (no backdoors) on a "banned list".

> "This is something that we need international cooperation on and we
> need to have movement on in order to get the information that allows
> us to anticipate and prevent what occurred in New York and in
> Washington," Gregg said, according to a copy of his remarks that an
> aide provided.

Translation: We don't want to have to spend any significant amount of
money or resources in our intelligence gathering activities. Where
possible, we'd like to be as lazy as we can.

> President Clinton appointed an ambassador-rank official, David Aaron,
> to try this approach, but eventually the administration abandoned the
> project.

Translation: The rest of the world realised what was afoot and didn't
want the USA to be privy to their communications which were supposed to
be secure.

I don't think I need to comment about the rest. The only problem is that
the cat is out of the bag in terms of the crypto technology itself - heck,
wasn't it always?

From owner-freebsd-security Fri Sep 14 02:44:34 2001
Message-ID: <20010914093553.22895.qmail@easyisp.org>
From: "news"
To: security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
Date: Fri, 14 Sep 2001 09:35:53 GMT

anyone know when there will be anything official out there for this
problem ?

with regards
rasmus fauske

> > "Andrew R. Reiter" wrote:
> > > The attached code fixes the semop bug which is specified in the recent
> > > NetBSD security announcement. I'm not positive about the naming scheme
> > > wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
> > > it u_int b/c i saw in sysproto.h that there seemed to be more u_int's
> > > instead of size_t's :-)
>
> Great logic.
>
> > I think semop_args.nsops should be u_int (like you made it) because
> > that's how it's listed in syscalls.master.
>
> It should match the (SYSV) spec, whatever that says. syscalls.master
> is rarely correct.
>
> > > --- sys/sem.h.orig Sat Sep 8 03:21:08 2001
> > > +++ sys/sem.h Sat Sep 8 03:21:27 2001
> > > @@ -101,7 +101,7 @@
> > > int semsys __P((int, ...));
> > > int semctl __P((int, int, int, ...));
> > > int semget __P((key_t, int, int));
> > > -int semop __P((int, struct sembuf *,unsigned));
> > > +int semop __P((int, struct sembuf *, u_int));
> >
> > I don't see the point of this, either, except to break consistency
> > with the manual page. `u_int' is the same as `unsigned'.
>
> This also fixes a style bug (missing space after comma) and takes us
> further from removing dependencies on . Anyway, this
> has nothing to do with the bug (unless the correct type is not unsigned int).
>
> > The other changes look pretty good. Attached is the corresponding
> > patch to -current. If nobody sees anything wrong in about a day, I'll
> > commit this and MFC it after the RE's approval.
>
> OK.
>
> Bruce

From owner-freebsd-security Fri Sep 14 3:12:17 2001
Message-ID: <3BA1D7F0.C9C15513@crossflight.co.uk>
Date: Fri, 14 Sep 2001 11:12:00 +0100
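Review bot: the visible hunk changes only the spelling of semop()'s third parameter type in sys/sem.h, `unsigned` to `u_int`, which is the same type (as the reply notes) and so neither changes the ABI nor touches the semop bug from the NetBSD announcement that the attached code is meant to fix; either drop the header change to stay consistent with the semop(2) manual page, or update the manual page in the same commit, and concentrate review on the fix in the attachment rather than on this prototype tweak.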
From: Guy Dawson
Reply-To: guy@crossflight.co.uk
Organization: Crossflight Ltd - this message is (c) Crossflight Ltd 2001
To: Darren Reed
Cc: Brett Glass, security@freebsd.org
Subject: Re: US Congress already discussing bans on strong crypto
References: <200109140630.f8E6UG8s014562@cairo.anu.edu.au>

Darren Reed wrote:
> The only problem is that the cat is out of the bag in terms of the crypto
> technology itself - heck, wasn't it always?

The cat was never in the bag. Good crypto can be done with pen, paper and
some patience. Sure it's not practical for long messages but it's still
useful.

Guy
--
Guy Dawson
I.T. Manager
Crossflight Ltd
guy@crossflight.co.uk
07973 797819
01753 776104

**********************************************************************
This email contains the views and opinions of a Crossflight Limited
employee and at this stage are in no way a direct representation of
Crossflight Limited. This email and any files transmitted with it are
confidential and intended solely for the use of the individual or entity
to whom they are addressed. If you have received this email in error
please notify the system manager. To ensure the integrity and appropriate
use of its email system, Crossflight Limited reserves the right to examine
any email held on its email system or sent to or from it. This footnote
also confirms that this email message has been swept by MIMEsweeper for
the presence of computer viruses.
We strongly recommend that you check this email with your own virus
software as Crossflight Limited will not be held responsible for any
damage caused by viruses as a result of opening this mail.
**********************************************************************

From owner-freebsd-security Fri Sep 14 3:16:12 2001
Date: Fri, 14 Sep 2001 11:19:17 +0100
From: fergus
To: security@FreeBSD.ORG
Subject: Re: US Congress already discussing bans on strong crypto
Message-ID: <20010914111917.C1043@dedog.argus-systems.co.uk>
References: <4.3.2.7.2.20010913161936.04a17d40@localhost> <200109140630.f8E6UG8s014562@cairo.anu.edu.au>
In-Reply-To: <200109140630.f8E6UG8s014562@cairo.anu.edu.au>; from avalon@cairo.anu.edu.au on Fri, Sep 14, 2001 at 04:30:16PM +1000

> The only problem is that the cat is out of the bag in terms of the crypto
> technology itself - heck, wasn't it always?

what you all seem to fail to realise is that if the US makes crypto
illegal then terrorists will respect that & never use it again. i mean
there's no way they could use crypto without freeware or licensed/sold
products - they're just camel bashers aren't they?

ok, so the rest of us lose our ability to communicate without full
disclosure to our employers, all government bodies & everyone in between
(i mean who is going to decide who gets the backdoor?) but it's a small
price to pay to bring maniacs under control. i mean what right do you have
to privacy? privacy is the same as secrecy & if you've nothing to hide
what are you afraid of.

* does that seem sarcastic ?
*

From owner-freebsd-security Fri Sep 14 3:43:47 2001
From: Sheldon Hearn
To: fergus
Cc: security@FreeBSD.ORG
Subject: Re: US Congress already discussing bans on strong crypto
In-reply-to: Your message of "Fri, 14 Sep 2001 11:19:17 +0100." <20010914111917.C1043@dedog.argus-systems.co.uk>
Date: Fri, 14 Sep 2001 12:43:27 +0200
Message-ID: <48600.1000464207@axl.seasidesoftware.co.za>

On Fri, 14 Sep 2001 11:19:17 +0100, fergus wrote:
> * does that seem sarcastic ? *

No, just off topic.

Ciao,
Sheldon.

From owner-freebsd-security Fri Sep 14 3:51:21 2001
From: "Terry"
Subject: adding a win2k client to a bsd ipsec net - 2modes at once?
Date: Fri, 14 Sep 2001 11:51:40 +0100
In-Reply-To: <48600.1000464207@axl.seasidesoftware.co.za>

I can get a FreeBSD IPSEC VPN (tunnel mode) going ... (setting up gif0,
routing etc etc)...

and I can JUST ABOUT do a FreeBSD<->win2k ipsec transport mode going...

i want to be able to have mobile win2k laptops join the static ipsec
vpn... i guess they use transport mode?

anyway, documentation is scarce (I've spent a week reading stuff from the
bsd, ipsec sites, mailing and news archives... no luck)... the scope IS
THERE ... the racoon config file format does allow connection specific
SA's to be generated:

    remote anonymous {...}      (anyone)
    sainfo anonymous {...}      (again, anyone)

    remote address 1.2.3.4      (extra ones?)
    sainfo address 1.2.3.4      (extra ones?)

has anyone done this?
i'm using freebsd 4.3-release, will use 4.4-release when it's out...

any help/ideas welcome

--
Information in this electronic mail message is confidential and may be
legally privileged. It is intended solely for the addressee. Access to
this message by anyone else is unauthorised. If you are not the intended
recipient any use, disclosure, copying or distribution of this message is
prohibited and may be unlawful. When addressed to our customers, any
information contained in this message is subject to Intelligent Network
Technology Ltd Terms & Conditions.
--

From owner-freebsd-security Fri Sep 14 3:54:25 2001
Date: Fri, 14 Sep 2001 12:53:48 +0200 (SAST)
From: Justin Stanford
To: Terry
Cc: freebsd-security@freebsd.org
Subject: Re: adding a win2k client to a bsd ipsec net - 2modes at once?

Yes, I've also been wondering about BSD/win2k IPSec setups.. is it
possible, has anyone made it work?

--
Justin Stanford
Internet/Network Security & Solutions Consultant
4D Digital Security
http://www.4dds.co.za
Cell: (082) 7402741
E-Mail: jus@security.za.net
PGP Key: http://www.security.za.net/jus-pgp-key.txt

On Fri, 14 Sep 2001, Terry wrote:

> I can get a FreeBSD IPSEC VPN (tunnel mode) going ... (setting up
> gif0, routing etc etc)...
>
> and I can JUST ABOUT do a FreeBSD<->win2k ipsec transport mode
> going...
>
> i want to be able to have mobile win2k laptops join the static ipsec
> vpn... i guess they use transport mode?
>
> anyway, documentation is scarce (I've spent a week reading stuff from
> the bsd, ipsec sites, mailing and news archives... no luck)... the
> scope IS THERE ... the racoon config file format does allow connection
> specific SA's to be generated:
>
>     remote anonymous {...}      (anyone)
>     sainfo anonymous {...}      (again, anyone)
>
>     remote address 1.2.3.4      (extra ones?)
>     sainfo address 1.2.3.4      (extra ones?)
>
> has anyone done this?
> i'm using freebsd 4.3-release, will use 4.4-release when it's out...
>
> any help/ideas welcome
>
> --
> Information in this electronic mail message is confidential
> and may be legally privileged. It is intended solely for
> the addressee. Access to this message by anyone else is
> unauthorised. If you are not the intended recipient any
> use, disclosure, copying or distribution of this message is
> prohibited and may be unlawful.
> When addressed to our customers, any information contained in this
> message is subject to Intelligent Network Technology Ltd Terms &
> Conditions.
> --

From owner-freebsd-security Fri Sep 14 4: 6:27 2001
From: Darren Reed
Message-Id: <200109141106.f8EB6LAV027647@cairo.anu.edu.au>
Subject: Re: adding a win2k client to a bsd ipsec net - 2modes at once?
In-Reply-To: from Justin Stanford at "Sep 14, 1 12:53:48 pm"
To: jus@security.za.net (Justin Stanford)
Date: Fri, 14 Sep 2001 21:06:21 +1000 (EST)
Cc: terry346@hotmail.com, freebsd-security@FreeBSD.ORG

In some mail from Justin Stanford, sie said:
> Yes, I've also been wondering about BSD/win2k IPSec setups.. is it
> possible, has anyone made it work?

yes and yes

From owner-freebsd-security Fri Sep 14 4:39:40 2001
Date: Fri, 14 Sep 2001 13:39:56 +0200
From: "Karsten W. Rohrbach"
To: Darren Reed
Cc: Justin Stanford, terry346@hotmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: adding a win2k client to a bsd ipsec net - 2modes at once?
Message-ID: <20010914133956.C25184@mail.webmonster.de>
References: <200109141106.f8EB6LAV027647@cairo.anu.edu.au>
In-Reply-To: <200109141106.f8EB6LAV027647@cairo.anu.edu.au>; from avalon@cairo.anu.edu.au on Fri, Sep 14, 2001 at 09:06:21PM +1000

Darren Reed(avalon@cairo.anu.edu.au)@2001.09.14 21:06:21 +0000:
> In some mail from Justin Stanford, sie said:
> > Yes, I've also been wondering about BSD/win2k IPSec setups.. is it
> > possible, has anyone made it work?
>
> yes and yes

darren, could you please detail your configuration?
i would be rather interested if you happen to have success using racoon
or isakmpd and what tweaks i may have overlooked in the past (i did NOT
get win2k to successfully establish phase2)...

/k
--
> "I think pop music has done more for oral intercourse than anything else
> that has ever happened, and vice versa."
> --Frank Zappa
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Fri Sep 14 4:41:34 2001
Date: Fri, 14 Sep 2001 13:41:52 +0200
From: "Karsten W. Rohrbach"
To: security@freebsd.org
Subject: Re: US Congress already discussing bans on strong crypto
Message-ID: <20010914134152.D25184@mail.webmonster.de>
References: <4.3.2.7.2.20010913161936.04a17d40@localhost>
In-Reply-To: <4.3.2.7.2.20010913161936.04a17d40@localhost>; from brett@lariat.org on Thu, Sep 13, 2001 at 04:20:11PM -0600

Brett Glass(brett@lariat.org)@2001.09.13 16:20:11 +0000:
> http://www.wired.com/news/politics/0,1283,46816,00.html
>
> Congress Mulls Stiff Crypto Laws
> By Declan McCullagh (declan@wired.com)
> 1:45 p.m. Sep. 13, 2001 PDT
>
> WASHINGTON -- The encryption wars have begun.
[...]
> In a floor speech on Thursday, Sen. Judd Gregg (R-New Hampshire)
                                        ^^^^^^^^^^
the more often you read this it starts to look like 'judge dredd' *g*

> called for a global prohibition on encryption products without
> backdoors for government surveillance.

/k
--
> Hackers know all the right MOVs.
From owner-freebsd-security Fri Sep 14 4:51:40 2001
Date: Fri, 14 Sep 2001 07:51:17 -0400 (EDT)
From: "Andrew R. Reiter"
To: news
Cc: security@FreeBSD.ORG
Subject: Re: netbsd vulnerabilities
In-Reply-To: <20010914093553.22895.qmail@easyisp.org>

cvsup

On Fri, 14 Sep 2001, news wrote:

:anyone know when there will be anything official out there for this
:problem ?
:
:with regards
:rasmus fauske
:
:> > "Andrew R. Reiter" wrote:
:> > > The attached code fixes the semop bug which is specified in the recent
:> > > NetBSD security announcement. I'm not positive about the naming scheme
:> > > wanted by all in terms of: size_t vs. unsigned int vs. unsigned. I made
:> > > it u_int b/c i saw in sysproto.h that there seemed to be more u_int's
:> > > instead of size_t's :-)
:>
:> Great logic.
:>
:> > I think semop_args.nsops should be u_int (like you made it) because
:> > that's how it's listed in syscalls.master.
:>
:> It should match the (SYSV) spec, whatever that says. syscalls.master
:> is rarely correct.
:>
:> > > --- sys/sem.h.orig Sat Sep 8 03:21:08 2001
:> > > +++ sys/sem.h Sat Sep 8 03:21:27 2001
:> > > @@ -101,7 +101,7 @@
:> > > int semsys __P((int, ...));
:> > > int semctl __P((int, int, int, ...));
:> > > int semget __P((key_t, int, int));
:> > > -int semop __P((int, struct sembuf *,unsigned));
:> > > +int semop __P((int, struct sembuf *, u_int));
:> >
:> > I don't see the point of this, either, except to break consistency
:> > with the manual page. `u_int' is the same as `unsigned'.
:>
:> This also fixes a style bug (missing space after comma) and takes us
:> further from removing dependencies on . Anyway, this
:> has nothing to do with the bug (unless the correct type is not unsigned int).
:>
:> > The other changes look pretty good. Attached is the corresponding
:> > patch to -current. If nobody sees anything wrong in about a day, I'll
:> > commit this and MFC it after the RE's approval.
:>
:> OK.
:>
:> Bruce
:

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Fri Sep 14 5:17:11 2001
From: "Terry"
Subject: Re: adding a win2k client to a bsd ipsec net - 2modes at once?
Date: Fri, 14 Sep 2001 13:17:31 +0100

in response to a previous "yes and yes" comment:

* to get the basic bsd-bsd tunnels the online docs are good (just search
  for freebsd ipsec on google, say).

* http://www.x-itec.de/projects/tuts/ipsec-howto.txt describes tunnel
  mode between racoon and win2k (pre-shared keys only, that's fine with me
  for now).

but nothing on getting a mobile w2k (laptop?) to "join" an existing
freebsd vpn setup...

to re-iterate: i don't think the obvious tunnel mode from the laptop to a
bsd ipsec gateway will work.... or will it? and how?

anyone else? i really do want to avoid expensive 3rd party proprietary
systems... high cost and intrinsic limit on security.

t
From owner-freebsd-security Fri Sep 14 7: 2:50 2001
From: "Guy Helmer"
To: "Justin Stanford", "Terry"
Subject: RE: adding a win2k client to a bsd ipsec net - 2modes at once?
Date: Fri, 14 Sep 2001 09:04:49 -0500

On Friday, September 14, 2001 5:54 AM Justin Stanford wrote:
> Yes, I've also been wondering about BSD/win2k IPSec setups.. is it
> possible, has anyone made it work?

I have gotten transport mode working between Win2K and FreeBSD using the
latest racoon (20010831a) on a FreeBSD 4.3-RELEASE kernel, 3DES/SHA1 and
preshared keys. It initially works, but then after a period of inactivity
the two machines can't re-establish the communication until I restart
racoon. Haven't had time to debug it :-(

Guy

From owner-freebsd-security Fri Sep 14 7:11:14 2001
Message-Id: <3BA20FDB.000229.61269@frodo.searchcanada.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Re: US Congress already discussing bans on strong crypto
From: "Michael Richards"
Date: Fri, 14 Sep 2001 10:10:35 -0400 (EDT)

I think it would be just as effective if they were to pass a law requiring
all terrorist organisations to provide backdoor keys to their encrypted
communications. Since things like DES and RSA are so widely published
there really isn't a way to make these "go away". If you're planning on
hijacking aircraft and flying them into buildings, I don't think you will
care that much about a little law against sending PGP'd email.

-Michael

[snip]
> One can hope that since it would be impossible for the whole
> international community to agree on a single set of backdoor keys
> (or central escrow authority), that perhaps this will die just
> from the practical difficulties. A central set of keys or central
> authority after all would be the only way for the FBI to get at
> keys for software used by terrorists in a less-than-friendly
> country. Not to mention the fact that any 16 year old can simply
> implement the code again.
>
> -Mike
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Fri Sep 14 11:13:15 2001
From: Darren Reed
Message-Id: <200109141813.f8EID5hP019307@cairo.anu.edu.au>
Subject: Re: adding a win2k client to a bsd ipsec net - 2modes at once?
In-Reply-To: <20010914133956.C25184@mail.webmonster.de> from "Karsten W. Rohrbach" at "Sep 14, 1 01:39:56 pm"
To: karsten@rohrbach.de (Karsten W. Rohrbach)
Date: Sat, 15 Sep 2001 04:13:05 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG

In some mail from Karsten W. Rohrbach, sie said:
> Darren Reed(avalon@cairo.anu.edu.au)@2001.09.14 21:06:21 +0000:
> > In some mail from Justin Stanford, sie said:
> > > Yes, I've also been wondering about BSD/win2k IPSec setups.. is it
> > > possible, has anyone made it work?
> >
> > yes and yes
>
> darren, could you please detail your configuration?
> i would be rather interested if you happen to have success using racoon
> or isakmpd and what tweaks i may have overlooked in the past (i did NOT
> get win2k to successfully establish phase2)...

FWIW, I am using a fairly recent KAME snapshot (20010806) on NetBSD-1.5.
At one point I needed to patch racoon to prevent it core dumping (that
patch is now in KAME-current). For this, I used pre-shared keys (not
certificates).
My racoon.conf for the win2k box looked like this:

remote anonymous {
        exchange_mode main,base;
        proposal {
                encryption_algorithm des;
                hash_algorithm hmac_md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                encryption_algorithm des;
                hash_algorithm hmac_md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        proposal_check obey;
}

sainfo anonymous {
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

I used DES-MD5 because I wanted to go for an easy, lowest common
denominator approach.

Oh, I was doing this all in transport mode (at first) but managed to get
it to work in point-to-point tunnel encryption too, where the tunnel was
to the NetBSD box (default router) as you might do for a wavelan setup.

transport for netbsd-win2k crypto:

spdadd netbsd win2k any -P out ipsec esp/transport//require;
spdadd win2k netbsd any -P in ipsec esp/transport//require;

tunnel from win2k-netbsd for traffic to XXX:

spdadd XXX win2k any -P out ipsec esp/tunnel/netbsd-win2k/require;
spdadd win2k XXX any -P in ipsec esp/tunnel/win2k-netbsd/require;

The win2k configuration was a tad trickier and I'm not sure if I can
adequately describe it right now (box is off :).

For a wavelan setup, XXX might be 0.0.0.0/0 (all traffic).
Darren

From owner-freebsd-security Sat Sep 15 06:02:50 2001
Date: Sat, 15 Sep 2001 08:02:46 -0500
From: D J Hawkey Jr
To: security at FreeBSD
Subject: portsentry's stealth mode - works under fBSD with ipf?
Message-ID: <20010915080246.A67204@sheol.localdomain>
Reply-To: hawkeyd@visi.com

Hi.

I've been tinkering with dynamic "blacklisting" of source IPs, using
psionic's logtail utility and a cron'd shell script. It works well, but I
was wondering if it might be better to use their portsentry utility.
portsentry's docs say its stealth mode only works under Linux; is this
true?

By way of further explanation, the cron'd script analyzes the read-in log
entries for blocked source IPs that either hit on the box a smallish
number of times, each hit within a defined frequency (port scans and DOS
attempts), or hit on the box at all a larger number of times (for more
general idiocies).

If all of portsentry's features work under FreeBSD with ipf, I'd try my
hand at merging the script's analyses into portsentry. Or, merge that
logic into ipmon?

Dave

--
 ______________________                    ______________________
 \__________________   \  D. J. HAWKEY JR.
 / __________________/   \________________/\   hawkeyd@visi.com
 /\________________/     http://www.visi.com/~hawkeyd/

From owner-freebsd-security Sat Sep 15 07:18:06 2001
Date: Sat, 15 Sep 2001 16:16:26 +0200 (CEST)
From: Krzysztof Zaraska
To: D J Hawkey Jr
Cc: security at FreeBSD
Subject: Re: portsentry's stealth mode - works under fBSD with ipf?
In-Reply-To: <20010915080246.A67204@sheol.localdomain>

On Sat, 15 Sep 2001, D J Hawkey Jr wrote:

In some article regarding usage of portsentry on FreeBSD it was also said
that stealth mode works only under Linux. It may be because of the fact
that raw sockets code may be unportable (I read this yesterday in raw(7)
on Linux).

> By way of further explanation, the cron'd script analyzes the read in
> log entries for blocked source IPs that either hit on the box a smallish
> number of times, each hit within a defined frequency (port scans and DOS
> attempts), or hit on the box at all a larger number of times (for more
> general idiocies).

There's an add-on for snort, called Guardian, that reads the alert log
file in tail -f style (every 1 second IIRC) and updates the firewall
ruleset. I'm not sure if it supports ipf right now but it should be easily
hackable (it's a Perl script).

Personally, I'd rather use snort than portsentry since this is a more
flexible and powerful solution. And it can detect "stealth" port scans
under FreeBSD (verified personally). Based on your description I think it
would suit your needs.
See http://www.snort.org/

Regards,
Kris

From owner-freebsd-security Sat Sep 15 16:47:27 2001
Date: Sun, 16 Sep 2001 01:47:42 +0200
From: "Karsten W. Rohrbach"
To: Krzysztof Zaraska
Cc: D J Hawkey Jr, security at FreeBSD
Subject: Dynamic Firewall/IDS System, Was: portsentry's stealth mode - works under fBSD with ipf?
Message-ID: <20010916014742.F63605@mail.webmonster.de>
References: <20010915080246.A67204@sheol.localdomain>
In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Sat, Sep 15, 2001 at 04:16:26PM +0200

Krzysztof Zaraska(kzaraska@student.uci.agh.edu.pl)@2001.09.15 16:16:26 +0000:
> On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
[...]
> > By way of further explanation, the cron'd script analyzes the read in
> > log entries for blocked source IPs that either hit on the box a smallish
> > number of times, each hit within a defined frequency (port scans and DOS
> > attempts), or hit on the box at all a larger number of times (for more
> > general idiocies).
> There's an add-on for snort, called Guardian that reads the alert log file
> in tail -f style (every 1 second IIRC) and updates firewall ruleset.
> I'm not sure if it supports ipf right now but should be easily hackable
> (it's a Perl script).
>
> Personally, I'd rather use snort than portsentry since this is a more
> flexible and powerful solution. And it can detect "stealth" port
> scans under FreeBSD (verified personally). Basing on your description I
> think it would suit your needs. See http://www.snort.org/

who else, besides me, would be interested in having a dynamic system for
blocking/ratelimiting based on ids or packetfilter output and the like?

i am not talking perl here, rather implementing a native p2p or client
server framework which does this, including crypted communications and
policy based remote firewall configuration (perhaps ipfilter as
proof-of-concept basis). it should run realtime (not cron or whatever
exec() based scheduler) as a native event handler. it should be modular
in design, to be able to add input and output handlers and to have a
good choice of logging/alerting features.

i already got lots of ideas for it, but haven't gotten around to
implement something yet, and after a long time of being a quite passive
member of the *bsd community, this would be an interesting project i
would like to contribute design, ideas and code and more.

tell me if you are interested in developing such a thing from scratch,
together, and include a short description of your skills, programming
languages and os platform you're on, if you like.

/k
--
> Nuclear war can ruin your whole compile. --Karl Lehenbauer
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
From owner-freebsd-security Sat Sep 15 18:48:06 2001
Date: Sat, 15 Sep 2001 20:47:57 -0500
From: D J Hawkey Jr
To: "Karsten W. Rohrbach", Krzysztof Zaraska, security at FreeBSD
Subject: Re: Dynamic Firewall/IDS System, Was: portsentry's stealth mode - works under fBSD with ipf?
Message-ID: <20010915204756.A70057@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <20010915080246.A67204@sheol.localdomain> <20010916014742.F63605@mail.webmonster.de>
In-Reply-To: <20010916014742.F63605@mail.webmonster.de>; from karsten@rohrbach.de on Sun, Sep 16, 2001 at 01:47:42AM +0200

On Sep 16, at 01:47 AM, Karsten W. Rohrbach wrote:
>
> Krzysztof Zaraska(kzaraska@student.uci.agh.edu.pl)@2001.09.15 16:16:26 +0000:
> > On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
> [...]
> > > By way of further explanation, the cron'd script analyzes the read in
> > > log entries for blocked source IPs that either hit on the box a smallish
> > > number of times, each hit within a defined frequency (port scans and DOS
> > > attempts), or hit on the box at all a larger number of times (for more
> > > general idiocies).
> > There's an add-on for snort, called Guardian that reads the alert log file
> > in tail -f style (every 1 second IIRC) and updates firewall ruleset. I'm
> > not sure if it supports ipf right now but should be easily hackable (it's
> > a Perl script).
> >
> > Personally, I'd rather use snort than portsentry since this is a more
> > flexible and powerful solution. And it can detect "stealth" port
> > scans under FreeBSD (verified personally). Basing on your description I
> > think it would suit your needs. See http://www.snort.org/
>
> who else, besides me, would be interested in having a dynamic system for
> blocking/ratelimiting based on ids or packetfilter output and the like?
Well. I am, obviously.

> i am not talking perl here, rather implementing a native p2p or client
> server framework which does this, including crypted communications and
> policy based remote firewall configuration (perhaps ipfilter as
> proof-of-concept basis). it should run realtime (not cron or whatever
> exec() based scheduler) as a native event handler. it should be modular
> in design, to be able to add input and output handlers and to have a
> good choice of logging/alerting features.

FreeBSD already has dummynet for rate limiting, and two firewall
technologies. The encryption stuff seems disjointed. That seems like
another topic altogether.

> i already got lots of ideas for it, but haven't gotten around to
> implement something yet, and after a long time of being a quite passive
> member of the *bsd community, this would be an interesting project i
> would like to contribute design, ideas and code and more.

My first post was a simple Q to see if all of portsentry's features were
available on FreeBSD (the answer appears to be "No."). Krzysztof snipped
off the last sentence of that post, where I thought about putting my
script's logic into portsentry, or maybe even ipmon.

What I currently have is a working proof-of-concept for what I want. I
browsed the source to ipmon today, and there's ample room for me to hack
at it. Yes, I need userland.

> tell me if you are interested in developing such a thing from scratch,
> together...

I don't think this is necessary. It seems, to me anyway, redundant to
existing technologies. Does any OS need three firewalls in its base? All
I want is what I've got proven, but to move it into a daemon for
something more realtime; I've got it down to 2 minute intervals via cron,
but that's not frequent enough, and draws too many resources for what it
does at that interval.

Myself, I think I'll decline active participation in such a project.
I've got a pretty well defined criteria, and it's small. With this, my
needs will be met.
I can daemonize it over a weekend.

Besides, aren't you [basically] describing snort?

> ...and include a short description of your skills, programming
> languages and os platform you're on, if you like.

P/A and Systems Admin by profession. C, shell, awk, sed, m4. FreeBSD,
QNX, Linux, and a little Solaris. X11R5/6.

> /k

Let me know how and where things go, though,

Dave

--
It took the computing power of three C-64s to fly to the Moon.
It takes an 800Mhz P3 to run Windows XP.
Something is wrong here.
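The blacklisting rules Dave describes in his first post (a source blocked a few times inside a short window, or many times overall), written out as an added example that is not the poster's script or any tool from the thread; the log record layout, the thresholds and the sample lines are constructed assumptions modelled loosely on ipmon(8) block entries, not a captured log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the poster's script.  Record layout is an assumption
# modelled on ipmon(8) "b" (blocked) lines; pass ("p") records are ignored.
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+ \S+ @\S+ b "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),\d+ -> "
)

def parse_blocks(lines):
    """Yield (timestamp, source IP) for every blocked-packet record."""
    for line in lines:
        m = BLOCK_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"), m["src"]

def bursty(times, hits, window):
    """True if some `hits` consecutive events fall inside `window` (sliding)."""
    times = sorted(times)
    return any(times[i + hits - 1] - times[i] <= window
               for i in range(len(times) - hits + 1))

def candidates(lines, burst_hits=4, burst_window=timedelta(seconds=60),
               total_hits=10):
    """Map source IP -> "burst" or "volume" for sources worth blacklisting.
    Rule 1: a few hits inside a short window (port scan / DoS pattern).
    Rule 2: many hits overall, however spread out.  Thresholds are illustrative."""
    per_src = defaultdict(list)
    for ts, src in parse_blocks(lines):
        per_src[src].append(ts)
    verdict = {}
    for src, times in per_src.items():
        if bursty(times, burst_hits, burst_window):
            verdict[src] = "burst"
        elif len(times) >= total_hits:
            verdict[src] = "volume"
    return verdict

# Constructed sample log using documentation addresses, not real captures.
def _rec(ts, src, dport, action="b"):
    return (f"{ts:%d/%m/%Y %H:%M:%S}.000000 fxp0 @0:5 {action} {src},40000 -> "
            f"198.51.100.2,{dport} PR tcp len 20 60 -S IN")

T0 = datetime(2001, 9, 15, 8, 0, 0)
SAMPLE_LOG = (
    [_rec(T0 + timedelta(seconds=i), "203.0.113.7", p)           # 4 ports in 4 s
     for i, p in enumerate((21, 22, 23, 25))]
    + [_rec(T0 + timedelta(minutes=10 * i), "192.0.2.9", 111)   # 12 hits, 10 min apart
       for i in range(12)]
    + [_rec(T0 + timedelta(minutes=3), "198.51.100.77", 80)]      # one stray hit
    + [_rec(T0 + timedelta(seconds=30), "198.51.100.5", 22, "p")]  # passed, skipped
)
```

On a live box the same functions would consume whatever lines logtail hands over since the last run and feed the returned addresses to a block rule; the example stops at the verdicts.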