From owner-freebsd-security Sun Dec 9 6:19:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mx04.nexgo.de (mx04.nexgo.de [151.189.8.80]) by hub.freebsd.org (Postfix) with ESMTP id 6807737B417 for ; Sun, 9 Dec 2001 06:19:52 -0800 (PST)
Received: from localhost (dsl-213-023-060-243.arcor-ip.net [213.23.60.243]) by mx04.nexgo.de (Postfix) with ESMTP id 588CA37B3E; Sun, 9 Dec 2001 15:19:50 +0100 (CET)
Received: by localhost (Postfix, from userid 31451) id 4AA8443CF; Sun, 9 Dec 2001 15:19:39 +0100 (CET)
Date: Sun, 9 Dec 2001 15:19:39 +0100
From: Markus Friedl
To: Henry smith
Cc: security@freebsd.org
Subject: Re: upgrade sshd ?
Message-ID: <20011209151939.A25117@folly>
References: <20011205010118.50293.qmail@web21109.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011205010118.50293.qmail@web21109.mail.yahoo.com>; from getzz11@yahoo.com on Tue, Dec 04, 2001 at 05:01:18PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Dec 04, 2001 at 05:01:18PM -0800, Henry smith wrote:
> Right now, I'm using OpenSSH_3.0.1. Do I need to
> upgrade to 3.0.2 ?

No, only if you need to use UseLogin. UseLogin is usually only needed
for some legacy systems.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Dec 9 10:27:14 2001
Received: from green.bikeshed.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 5B17337B417; Sun, 9 Dec 2001 10:27:11 -0800 (PST)
Received: from localhost (green@localhost) by green.bikeshed.org (8.11.6/8.11.6) with ESMTP id fB9IRAl13742; Sun, 9 Dec 2001 13:27:10 -0500 (EST) (envelope-from green@green.bikeshed.org)
Message-Id: <200112091827.fB9IRAl13742@green.bikeshed.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Robert Watson
Cc: "Crist J . Clark" , alexus , freebsd-security@FreeBSD.ORG
Subject: Re: identd inside of jail
In-Reply-To: Message from Robert Watson of "Fri, 07 Dec 2001 11:52:57 EST."
From: "Brian F. Feldman"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 09 Dec 2001 13:27:10 -0500

Robert Watson wrote:
>
> This problem is fixed in 5.0-CURRENT as it performs two checks in udp and
> tcp getcred: first, it checks for privilege (and permits the jail to
> succeed), and second, it checks whether the connection in question is
> visible to the current jail. I do not currently plan to merge these
> changes to -STABLE, as they rely on changes merging the pcred and ucred
> structures, which in turn depend on a lot of other changes throughout the
> kernel in 5.0-CURRENT. As a follow-up note, the credential management
> code in 5.0-CURRENT is substantially rewritten, and the result is much
> better enforcement of process and resource visibility, both from the
> perspective of jail, and from limiting users from seeing resources created
> by other users (such as TCP connections) when dictated by policy.
For 4.X, how about a sysctl kern.security.bsd.jail_getcred_enabled or a
jail.getcred_allowed? That would make at least some people happy, I think.

--
Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! / green@FreeBSD.org

From owner-freebsd-security Sun Dec 9 13:24: 3 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id B7AA937B416; Sun, 9 Dec 2001 13:24:00 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fB9LNji91881; Sun, 9 Dec 2001 16:23:45 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Sun, 9 Dec 2001 16:23:45 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "Brian F. Feldman"
Cc: "Crist J . Clark" , alexus , freebsd-security@FreeBSD.ORG
Subject: Re: identd inside of jail
In-Reply-To: <200112091827.fB9IRAl13742@green.bikeshed.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sun, 9 Dec 2001, Brian F. Feldman wrote:
> Robert Watson wrote:
> >
> > This problem is fixed in 5.0-CURRENT as it performs two checks in udp and
> > tcp getcred: first, it checks for privilege (and permits the jail to
> > succeed), and second, it checks whether the connection in question is
> > visible to the current jail. I do not currently plan to merge these
> > changes to -STABLE, as they rely on changes merging the pcred and ucred
> > structures, which in turn depend on a lot of other changes throughout the
> > kernel in 5.0-CURRENT.
> > As a follow-up note, the credential management
> > code in 5.0-CURRENT is substantially rewritten, and the result is much
> > better enforcement of process and resource visibility, both from the
> > perspective of jail, and from limiting users from seeing resources created
> > by other users (such as TCP connections) when dictated by policy.
>
> For 4.X, how about a sysctl kern.security.bsd.jail_getcred_enabled or a
> jail.getcred_allowed? That would make at least some people happy, I
> think.

I'm a little wary of adding features that we know we'll obsolete as soon
as 5.0 comes out :-). However, if you called it:

  jail.almostdeprecated.global_getcred_allowed

or something, I might survive.

Part of the issue here is that we know this isn't the right fix, it's
just that the right fix is fairly involved, and something that the
details of are still in flux in the -CURRENT branch (general handling of
credentials and subject/object visibility has changed a lot, and will
change more before we're done). Right now the fix in -CURRENT relies on
the cached subject credential in the socket: this is actually wrong, it
should probably instead rely on an object label. In a sense, I'd really
prefer that we simply wait until 5.0 to ship with a system that has this
behavior correct in jail: 5.0 has much more mature kernel security
characteristics.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sun Dec 9 13:27:47 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id F2C8837B405; Sun, 9 Dec 2001 13:27:44 -0800 (PST)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fB9LRU091944; Sun, 9 Dec 2001 16:27:30 -0500 (EST) (envelope-from arr@FreeBSD.org)
X-Authentication-Warning: fledge.watson.org: arr owned process doing -bs
Date: Sun, 9 Dec 2001 16:27:29 -0500 (EST)
From: "Andrew R. Reiter"
X-Sender: arr@fledge.watson.org
To: Robert Watson
Cc: "Brian F. Feldman" , "Crist J . Clark" , alexus , freebsd-security@FreeBSD.org
Subject: Re: identd inside of jail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

:
: jail.almostdeprecated.global_getcred_allowed

Is it worth moving jail -> kern.security.jail. since most security
related subsystems are there? I think was also fond of this idea, iirc.
I searched to see what would really be affected by the move and it seemed
just about nothing would be.

Andrew

--
Andrew R.
Reiter
arr@watson.org
arr@FreeBSD.org

From owner-freebsd-security Sun Dec 9 13:29:10 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4BFC037B405; Sun, 9 Dec 2001 13:29:07 -0800 (PST)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fB9LSqG91961; Sun, 9 Dec 2001 16:28:52 -0500 (EST) (envelope-from arr@FreeBSD.org)
X-Authentication-Warning: fledge.watson.org: arr owned process doing -bs
Date: Sun, 9 Dec 2001 16:28:52 -0500 (EST)
From: "Andrew R. Reiter"
X-Sender: arr@fledge.watson.org
To: "Andrew R. Reiter"
Cc: Robert Watson , "Brian F. Feldman" , "Crist J . Clark" , alexus , freebsd-security@FreeBSD.org
Subject: Re: identd inside of jail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sun, 9 Dec 2001, Andrew R. Reiter wrote:
::
:: jail.almostdeprecated.global_getcred_allowed
:
:Is it worth moving jail -> kern.security.jail. since most security
:related subsystems are there? I think was also fond of this idea, iirc.
                                       ^-- green
:I searched to see what would really be affected by the move and it seemed
:just about nothing would be.
:
:Andrew
:
:--
:Andrew R. Reiter
:arr@watson.org
:arr@FreeBSD.org
:
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:

--
Andrew R.
Reiter
arr@watson.org
arr@FreeBSD.org

From owner-freebsd-security Sun Dec 9 14: 6:35 2001
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 0978C37B405; Sun, 9 Dec 2001 14:06:31 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.5) with SMTP id fB9M6Gi92587; Sun, 9 Dec 2001 17:06:16 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Sun, 9 Dec 2001 17:06:15 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "Andrew R. Reiter"
Cc: "Brian F. Feldman" , "Crist J . Clark" , alexus , freebsd-security@FreeBSD.org
Subject: Re: identd inside of jail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sun, 9 Dec 2001, Andrew R. Reiter wrote:
> : jail.almostdeprecated.global_getcred_allowed
>
> Is it worth moving jail -> kern.security.jail. since most security
> related subsystems are there? I think was also fond of this idea, iirc.
> I searched to see what would really be affected by the move and it
> seemed just about nothing would be.

In -CURRENT, yes. In -STABLE, almost definitely not.
:-)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sun Dec 9 23:52:33 2001
Received: from mta06-svc.ntlworld.com (mta06-svc.ntlworld.com [62.253.162.46]) by hub.freebsd.org (Postfix) with ESMTP id D9FA337B416 for ; Sun, 9 Dec 2001 23:52:31 -0800 (PST)
Received: from there ([80.4.125.7]) by mta06-svc.ntlworld.com (InterMail vM.4.01.03.23 201-229-121-123-20010418) with SMTP id <20011210075231.JFSH3849.mta06-svc.ntlworld.com@there> for ; Mon, 10 Dec 2001 07:52:31 +0000
Content-Type: text/plain; charset="iso-8859-1"
From: Mike D
To: freebsd-security@freebsd.org
Subject: ICMP from within only
Date: Mon, 10 Dec 2001 07:52:07 +0000
X-Mailer: KMail [version 1.3]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20011210075231.JFSH3849.mta06-svc.ntlworld.com@there>

Is it possible to define a rule that will allow through pings and
traceroutes, but only the ones initiated from within the firewall?

Thanks for any advice!
From owner-freebsd-security Mon Dec 10 1:22:16 2001
Received: from mail.af-inet.net (cx793560-b.dt1.sdca.home.com [24.13.5.229]) by hub.freebsd.org (Postfix) with ESMTP id 3CC7E37B419 for ; Mon, 10 Dec 2001 01:22:14 -0800 (PST)
Received: from localhost (jaron@localhost) by mail.af-inet.net (8.11.4/8.11.4) with ESMTP id fBA9A5f32198; Mon, 10 Dec 2001 01:10:06 -0800 (PST)
Date: Mon, 10 Dec 2001 01:10:05 -0800 (PST)
From: Jaron Omega
To: Mike D
Cc:
Subject: Re: ICMP from within only
In-Reply-To: <20011210075231.JFSH3849.mta06-svc.ntlworld.com@there>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 10 Dec 2001, Mike D wrote:
>Is it possible to define a rule that will allow through pings and
>traceroutes, but only the ones initiated from within the firewall?
>
>Thanks for any advice!

Yes via 'icmptypes' attribute.

fwcmd = /sbin/ipfw <- FreeBSD's firewall.

Allows YOU to ping, and run traceroute.
$fwcmd add allow icmp from any to via icmptypes 0,3,11

Denies others to ping you.
$fwcmd add deny icmp from any to via icmptypes 0,8

Allows pinging etc, from your personal network.
$fwcmd add allow icmp from to via icmptypes 0,8

Jaron Omega

From owner-freebsd-security Mon Dec 10 1:33:49 2001
Received: from straylight.ringlet.net (sentinel.office1.bg [217.75.134.126]) by hub.freebsd.org (Postfix) with SMTP id DC69F37B417 for ; Mon, 10 Dec 2001 01:33:40 -0800 (PST)
Received: (qmail 14003 invoked by uid 1000); 10 Dec 2001 09:32:49 -0000
Date: Mon, 10 Dec 2001 11:32:49 +0200
From: Peter Pentchev
To: Jaron Omega
Cc: Mike D , freebsd-security@FreeBSD.ORG
Subject: Re: ICMP from within only
Message-ID: <20011210113249.D757@straylight.oblivion.bg>
Mail-Followup-To: Jaron Omega , Mike D , freebsd-security@FreeBSD.ORG
References: <20011210075231.JFSH3849.mta06-svc.ntlworld.com@there>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jaron@af-inet.net on Mon, Dec 10, 2001 at 01:10:05AM -0800

On Mon, Dec 10, 2001 at 01:10:05AM -0800, Jaron Omega wrote:
> On Mon, 10 Dec 2001, Mike D wrote:
>
> >Is it possible to define a rule that will allow through pings and
> >traceroutes, but only the ones initiated from within the firewall?
> >
> >Thanks for any advice!
>
> Yes via 'icmptypes' attribute.
>
> fwcmd = /sbin/ipfw <- FreeBSD's firewall.
>
> Allows YOU to ping, and run traceroute.
> $fwcmd add allow icmp from any to via icmptypes 0,3,11

Note that this alone will not really allow you to run traceroute.
This lets in the *response* packets; however, those responses will
never be generated unless you allow the outgoing traceroute packets.
For the Van Jacobson traceroute implementation (used in most modern
Unix-like OS's, including FreeBSD), you will need something like:

$fwcmd add allow udp from to any 33400-33500 via

The MS Windows traceroute uses ICMP ECHO (ping) packets, IIRC, so the
above rule for pings should work fine.

> Denies others to ping you.
> $fwcmd add deny icmp from any to via icmptypes 0,8
>
> Allows pinging etc, from your personal network.
> $fwcmd add allow icmp from to via icmptypes 0,8

As above, you might need to allow UDP packets with a destination port
range of 33400-33500 for VJ traceroute to work.

G'luck,
Peter

--
This sentence every third, but it still comprehensible.

From owner-freebsd-security Mon Dec 10 4:21:26 2001
Received: from email03.aon.at (WARSL401PIP7.highway.telekom.at [195.3.96.115]) by hub.freebsd.org (Postfix) with SMTP id 74A3137B41C for ; Mon, 10 Dec 2001 04:21:07 -0800 (PST)
Received: (qmail 263126 invoked from network); 10 Dec 2001 12:19:01 -0000
Received: from n054p029.adsl.highway.telekom.at (HELO gcidream.com) ([213.33.6.189]) (envelope-sender ) by qmail3.highway.telekom.at (qmail-ldap-1.03) with SMTP for ; 10 Dec 2001 12:19:01 -0000
From: "N.Anderson@gcidream.com"
To: "8899@msn.com" <8899@msn.com>
Message-ID: <1007990642.0157830546@gcidream.com>
Subject: Low cost quality conference calls
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 10 Dec 2001 04:21:07 -0800 (PST)

Take Control Of Your Conference Calls

Long Distance Conferencing
Only 18 Cents Per Minute

Connects Up To 100 Participants!

  • No setup fees
  • No contracts or monthly fees
  • Call anytime, from anywhere, to anywhere
  • International Dial In 18 cents per minute
  • Simplicity in set up and administration
  • Operator Help available 24/7
  • Get the best quality, the easiest to use, and lowest rate in the industry.

    If you like saving money, fill out the form below and one of our consultants will contact you.

    This ad is being sent in compliance with Senate Bill 1618, Title 3, Section 301. You have recently visited our web site, referral or affiliate sites which indicated you were interested in communication services. If this email is reaching you in error and you feel that you have not contacted us, Click here. We sincerely apologize, and assure you will be removed from our distribution list.

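Putting the rules from the "ICMP from within only" thread above together, as an added example that is not Jaron's or Peter's own text: a small sh script that emits (with `fwcmd=echo`, a dry run) a ruleset letting the firewall itself ping and run traceroute while refusing echo requests from outside. The interface name `xl0`, the firewall address `192.0.2.1` and the LAN block `192.168.1.0/24` are constructed placeholders; the outbound echo-request and UDP-probe rules are the ones Peter's reply points out are needed in addition to the reply-only rule.

```shell
#!/bin/sh
# Added example (not from the thread): build the ipfw ruleset discussed
# above. With fwcmd=echo the rules are printed for review; set
# fwcmd=/sbin/ipfw to load them for real.
fwcmd=${fwcmd:-echo}
oif=${oif:-xl0}               # placeholder: external interface
me=${me:-192.0.2.1}           # placeholder: the firewall's own address
lan=${lan:-192.168.1.0/24}    # placeholder: the internal network

icmp_rules() {
    # The firewall itself may send echo requests (ping, Windows-style
    # traceroute) out of the external interface.
    $fwcmd add allow icmp from "$me" to any out via "$oif" icmptypes 8
    # Let the answers those probes generate back in: echo reply (0),
    # destination unreachable (3) and time exceeded (11). This is the
    # rule from the thread; on its own it admits replies only.
    $fwcmd add allow icmp from any to "$me" in via "$oif" icmptypes 0,3,11
    # Van Jacobson traceroute sends UDP probes to a high port range, so
    # the probes must be allowed out or no ICMP answers ever arrive.
    $fwcmd add allow udp from "$me" to any 33400-33500 out via "$oif"
    # Nobody on the outside may ping the firewall. Only type 8 is denied
    # here; denying type 0 as well would block replies to our own pings
    # if this rule ever ended up ahead of the allow rule above.
    $fwcmd add deny icmp from any to "$me" in via "$oif" icmptypes 8
    # Hosts on the LAN may ping the firewall and receive replies; this
    # traffic does not cross the external interface so the deny above
    # does not apply to it.
    $fwcmd add allow icmp from "$lan" to "$me" icmptypes 0,8
}

icmp_rules
```

Rule order matters in ipfw: the first matching rule wins, so the allow for types 0,3,11 is emitted before the deny for inbound type 8, and each rule is bound to a direction (`in`/`out`) and an interface so that LAN traffic and external traffic are not confused.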
From owner-freebsd-security Mon Dec 10 6: 1:11 2001
Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23]) by hub.freebsd.org (Postfix) with ESMTP id 66D7A37B416 for ; Mon, 10 Dec 2001 06:01:06 -0800 (PST)
Received: from fazendinha (ressacada.melim.com.br [200.215.110.4]) by salseiros.melim.com.br (Postfix) with SMTP id DBAB1BA88 for ; Mon, 10 Dec 2001 12:01:03 -0200 (BRST)
Message-ID: <035301c18183$54d13460$2aa8a8c0@melim.com.br>
From: "Ronan Lucio"
To:
Subject: Accessing as root
Date: Mon, 10 Dec 2001 12:02:40 -0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Hi All,

I need to make some scripts to change the password and other things
like that, which need root permissions, but:

How can I do it without opening a security hole in the server?
What is the best way to do it?
Thanks to All,
Ronan

From owner-freebsd-security Mon Dec 10 6:17:12 2001
Received: from web11805.mail.yahoo.com (web11805.mail.yahoo.com [216.136.172.159]) by hub.freebsd.org (Postfix) with SMTP id 37ECA37B419 for ; Mon, 10 Dec 2001 06:17:06 -0800 (PST)
Message-ID: <20011210141706.27192.qmail@web11805.mail.yahoo.com>
Received: from [64.73.64.94] by web11805.mail.yahoo.com via HTTP; Mon, 10 Dec 2001 06:17:06 PST
Date: Mon, 10 Dec 2001 06:17:06 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Anyone know Free Mac OS 9.xx SSH2 client??
To: Jim Flowers , micheas
Cc: security@FreeBSD.ORG
In-Reply-To: <001f01c17ff3$ed1cc270$22b197ce@ezo.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Jim,

Hmmm. With the F-Secure SSH client (the non-GPL DataFellows client) all I
did was remove the CR/LF from the exported pub key block and manually
pasted it in to the authorized_keys2 file. This worked fine for that
client, but does not work with the pub key exported from MacSSH. I did
not know about this conversion process. The pub key string from MacSSH
*looks* the same, but perhaps this is the problem. The error message on
the server does seem to suggest that there is some problem with the
format of the key.

Jason

--- Jim Flowers wrote:
> You don't say what the ssh server is but I assume it is stock fbsd.
> Can you generate DSA key pair on Mac and then convert the public key
> with `ssh-keygen -X -f ~/.ssh/whateverkey.pub >> authorized_keys2`.

__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com

From owner-freebsd-security Mon Dec 10 6:36:38 2001
Received: from web11806.mail.yahoo.com (web11806.mail.yahoo.com [216.136.172.160]) by hub.freebsd.org (Postfix) with SMTP id 3972137B405 for ; Mon, 10 Dec 2001 06:36:29 -0800 (PST)
Message-ID: <20011210143629.51246.qmail@web11806.mail.yahoo.com>
Received: from [64.73.64.94] by web11806.mail.yahoo.com via HTTP; Mon, 10 Dec 2001 06:36:28 PST
Date: Mon, 10 Dec 2001 06:36:28 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Anyone know Free Mac OS 9.xx SSH2 client??
To: David Kutcher , Jim Flowers , micheas
Cc: security@FreeBSD.ORG
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

David,

Stellar! That worked! I am so psyched! Haven't tried the tunneling
action yet, but I'm not too concerned about securing my data, just my
passwords, I'm not a spook, nor a criminal ;-)

I think I'll drop them an email and let them know they should post their
product in a few more obvious spots. I checked versiontracker and
download.com and tucows and didn't see their terminal.

Jason

--- David Kutcher wrote:
> http://w3.arizona.edu/~consult/mac-mindt.html
>
> MindTerm. MindTerm and Fetch were the only method so far that I've
> been able to use to connect a non-OSX mac to an SSH server (terminal
> and ftp)
>
> David

__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com

From owner-freebsd-security Mon Dec 10 7:59:47 2001
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 2F81E37B417 for ; Mon, 10 Dec 2001 07:59:42 -0800 (PST)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16DSro-000FhU-00; Mon, 10 Dec 2001 18:01:20 +0200
From: Sheldon Hearn
To: "Ronan Lucio"
Cc: security@freebsd.org
Subject: Re: Accessing as root
In-reply-to: Your message of "Mon, 10 Dec 2001 12:02:40 -0200." <035301c18183$54d13460$2aa8a8c0@melim.com.br>
Date: Mon, 10 Dec 2001 18:01:20 +0200
Message-ID: <60355.1008000080@axl.seasidesoftware.co.za>

On Mon, 10 Dec 2001 12:02:40 -0200, "Ronan Lucio" wrote:

> I need to make some scripts to change the password and another
> things like that need root permissions, but:
>
> How can I do it without opening a security hole in the server?
> What is the best way to do it?

1) Limit exposure to just those commands that need privilege, by passing
   your command as arguments to the su(1) command.

2) Be _very_ careful about the input you accept and then pass on to
   these privileged commands.

Ciao,
Sheldon.
From owner-freebsd-security Mon Dec 10 8: 1:35 2001
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 3A70B37B417 for ; Mon, 10 Dec 2001 08:01:30 -0800 (PST)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16DSte-000FiM-00; Mon, 10 Dec 2001 18:03:14 +0200
From: Sheldon Hearn
To: "Ronan Lucio"
Cc: security@freebsd.org
Subject: Re: Accessing as root
In-reply-to: Your message of "Mon, 10 Dec 2001 18:01:20 +0200." <60355.1008000080@axl.seasidesoftware.co.za>
Date: Mon, 10 Dec 2001 18:03:14 +0200
Message-ID: <60409.1008000194@axl.seasidesoftware.co.za>

On Mon, 10 Dec 2001 18:01:20 +0200, Sheldon Hearn wrote:

> > I need to make some scripts to change the password and another
> > things like that need root permissions, but:
> >
> > How can I do it without opening a security hole in the server?
> > What is the best way to do it?
>
> 1) Limit exposure to just those commands that need privilege, by passing
>    your command as arguments to the su(1) command.

This is stupid advice, sorry.

You need to make your script setuid root (see chmod(1)). If the script
is big, or does complex input handling, consider breaking out the part
that needs privilege into its own smaller script, called by a wrapper
that does input sanity checking.

Ultimately, you want to limit the privilege to as little work as
possible.

Ciao,
Sheldon.
From owner-freebsd-security Mon Dec 10 8: 7:43 2001
Received: from straylight.ringlet.net (sentinel.office1.bg [217.75.134.126]) by hub.freebsd.org (Postfix) with SMTP id 4C2F837B416 for ; Mon, 10 Dec 2001 08:07:35 -0800 (PST)
Received: (qmail 28353 invoked by uid 1000); 10 Dec 2001 16:06:39 -0000
Date: Mon, 10 Dec 2001 18:06:39 +0200
From: Peter Pentchev
To: Sheldon Hearn
Cc: Ronan Lucio , security@freebsd.org
Subject: Re: Accessing as root
Message-ID: <20011210180639.J757@straylight.oblivion.bg>
Mail-Followup-To: Sheldon Hearn , Ronan Lucio , security@freebsd.org
References: <60355.1008000080@axl.seasidesoftware.co.za> <60409.1008000194@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <60409.1008000194@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Mon, Dec 10, 2001 at 06:03:14PM +0200

On Mon, Dec 10, 2001 at 06:03:14PM +0200, Sheldon Hearn wrote:
>
>
> On Mon, 10 Dec 2001 18:01:20 +0200, Sheldon Hearn wrote:
>
> > > I need to make some scripts to change the password and another
> > > things like that need root permissions, but:
> > >
> > > How can I do it without opening a security hole in the server?
> > > What is the best way to do it?
> >
> > 1) Limit exposure to just those commands that need privilege, by passing
> >    your command as arguments to the su(1) command.
>
> This is stupid advice, sorry.
>
> You need to make your script setuid root (see chmod(1)).
> If the script
> is big, or does complex input handling, consider breaking out the part
> that needs privilege into its own smaller script, called by a wrapper
> that does input sanity checking.
>
> Ultimately, you want to limit the privilege to as little work as
> possible.

And then, of course, there is the security/sudo port, which lets you
specify which uid's are allowed to execute which commands as root or
whatever other uid, with or without passwords, with or without controlling
terminals.

G'luck,
Peter

--
I am not the subject of this sentence.

From owner-freebsd-security Mon Dec 10 8:19:15 2001
Received: from mail2.uniserve.com (mail2.uniserve.com [204.244.156.10]) by hub.freebsd.org (Postfix) with ESMTP id AE8CC37B419 for ; Mon, 10 Dec 2001 08:19:08 -0800 (PST)
Received: from landons.vpp-office.uniserve.ca ([216.113.198.10] helo=pirahna.uniserve.com) by mail2.uniserve.com with esmtp (Exim 3.13 #1) id 16DT8a-0001V5-00; Mon, 10 Dec 2001 08:18:41 -0800
Message-Id: <5.1.0.14.0.20011210081655.02664e30@pop.uniserve.com>
X-Sender: landons@pop.uniserve.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 10 Dec 2001 08:18:34 -0800
To: Peter Pentchev , Sheldon Hearn
From: Landon Stewart
Subject: Re: Accessing as root
Cc: Ronan Lucio , security@freebsd.org
In-Reply-To: <20011210180639.J757@straylight.oblivion.bg>
References: <60409.1008000194@axl.seasidesoftware.co.za> <60355.1008000080@axl.seasidesoftware.co.za> <60409.1008000194@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=====================_258913658==_.ALT"

--=====================_258913658==_.ALT
Content-Type: text/plain;
charset="us-ascii"; format=flowed

At 06:06 PM 12/10/2001 +0200, Peter Pentchev wrote:
>On Mon, Dec 10, 2001 at 06:03:14PM +0200, Sheldon Hearn wrote:
> >
> >
> > On Mon, 10 Dec 2001 18:01:20 +0200, Sheldon Hearn wrote:
> >
> > > > I need to make some scripts to change the password and another
> > > > things like that need root permissions, but:
> > > >
> > > > How can I do it without opening a security hole in the server?
> > > > What is the best way to do it?
> > >
> > > 1) Limit exposure to just those commands that need privilege, by passing
> > >    your command as arguments to the su(1) command.
> >
> > This is stupid advice, sorry.
> >
> > You need to make your script setuid root (see chmod(1)). If the script
> > is big, or does complex input handling, consider breaking out the part
> > that needs privilege into its own smaller script, called by a wrapper
> > that does input sanity checking.
> >
> > Ultimately, you want to limit the privilege to as little work as
> > possible.
>
>And then, of course, there is the security/sudo port, which lets you
>specify which uid's are allowed to execute which commands as root or
>whatever other uid, with or without passwords, with or without controlling
>terminals.

Yes, sudo is definitely the BEST bet IMHO. I would like to stress
"execute *which* commands as root". You can actually specify what
commands are allowed to be executed and optionally with what parameters.

---
Landon Stewart

Right of Use Disclaimer:
"The sender intends this message for a specific recipient and, as it may
contain information that is privileged or confidential, any use,
dissemination, forwarding, or copying by anyone without permission from
the sender is prohibited. Personal e-mail may contain views that are not
necessarily those of the company."
From owner-freebsd-security Mon Dec 10 8:37:38 2001
From: Shoichi Sakane
To: freebsd-security-local@insignia.com
Cc: freebsd-security@freebsd.org
Date: Tue, 11 Dec 2001 01:37:24 +0900
Subject: Re: Racoon <> VPN Gateway
Message-Id: <20011211013724G.sakane@kame.net>

> I've now got further trying to get racoon talking to a Redcreek
> Ravlin10 VPN gateway, once I realised the gif device is needed
> for tunnel mode. It actually replies to me, though the reply
> isn't what racoon seems to expect.

Basically, you don't need the gif device configuration when you want to
use IPsec tunnel mode.

> I'm trying to establish an ESP tunnel mode connection between
> 213.208.123.252 (racoon) and 195.74.141.60 (Ravlin).
> Racoon says:
>
>2001-12-06 20:44:02: DEBUG: isakmp.c:394:isakmp_main(): malformed cookie received or the spi expired.

Did you see any other error message before this one? I think this
session failed for some reason, so racoon could not process this
session any more.

> whereas the Ravlin says:
>
>Dec 6 20:46:30 ravlin10 [051b4216] 101-12-06/20:45:05(GMT) Received ISAKMP initialization request. Peer: (213.208.123.252)
>Dec 6 20:46:32 ravlin10 [03044222] 101-12-06/20:45:07(GMT) Invalid payload. Possible overrun attack! ()

I'm not sure of the meaning of the above two messages.

From owner-freebsd-security Mon Dec 10 8:44:42 2001
From: "Ronan Lucio"
Date: Mon, 10 Dec 2001 14:46:09 -0200
Subject: Re: Accessing as root
Message-ID: <03f301c1819a$2b96bbd0$2aa8a8c0@melim.com.br>
References: <20011210180639.J757@straylight.oblivion.bg>

Hi,

But, if I use sudo, I'll need to set the pw to be executed by apache
(nobody), wouldn't it open a security hole?

For example:
Would the other users be able to put a code that can be executed by apache
and change any password?

[]'s
Ronan

> On Mon, Dec 10, 2001 at 06:03:14PM +0200, Sheldon Hearn wrote:
> >
> >
> > On Mon, 10 Dec 2001 18:01:20 +0200, Sheldon Hearn wrote:
> >
> > > > I need to make some scripts to change the password and another
> > > > things like that need root permissions, but:
> > > >
> > > > How can I do it without opening a security hole in the server?
> > > > What is the best way to do it?
> > >
> > > 1) Limit exposure to just those commands that need privilege, by passing
> > >    your command as arguments to the su(1) command.
> >
> > This is stupid advice, sorry.
> >
> > You need to make your script setuid root (see chmod(1)).  If the script
> > is big, or does complex input handling, consider breaking out the part
> > that needs privilege into its own smaller script, called by a wrapper
> > that does input sanity checking.
> >
> > Ultimately, you want to limit the privilege to as little work as
> > possible.
>
> And then, of course, there is the security/sudo port, which lets you
> specify which uid's are allowed to execute which commands as root or
> whatever other uid, with or without passwords, with or without controlling
> terminals.
>
> G'luck,
> Peter
>
> --
> I am not the subject of this sentence.

From owner-freebsd-security Mon Dec 10 9: 3:53 2001
From: Ralph Huntington
Date: Mon, 10 Dec 2001 12:03:46 -0500 (EST)
Subject: promiscuous mode
Message-ID: <20011210120011.H59192-100000@mohegan.mohawk.net>

I recently found these log entries:

messages.2:Dec 6 13:45:35 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:46:31 mohawk /kernel: fxp0: promiscuous mode disabled
messages.2:Dec 6 13:47:53 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:51:00 mohawk /kernel: fxp0: promiscuous mode disabled
messages.2:Dec 6 13:51:00 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:55:42 mohawk /kernel: fxp0: promiscuous mode disabled

Can someone tell me how this mode might be enabled/disabled? We have very
few shell users on this machine and I didn't think any of them would know
anything about promiscuous mode. Turns out I know little about it myself.

Any pointers to relevant docs and/or some idea of what this might be about
would be very much appreciated. Thank you in advance.
- Ralph

From owner-freebsd-security Mon Dec 10 9: 4:12 2001
From: Landon Stewart
To: "Ronan Lucio"
Date: Mon, 10 Dec 2001 09:03:30 -0800
Subject: Re: Accessing as root
Message-Id: <5.1.0.14.0.20011210085706.026e9d68@pop.uniserve.com>
In-Reply-To: <03f301c1819a$2b96bbd0$2aa8a8c0@melim.com.br>

You can specify what they run and as who. Here's an example excerpt from my
sudoers file:

"...
Runas_Alias TOOLS = tools
        #Specifies what "TOOLS" means (what username)
httpd   ALL=(TOOLS) NOPASSWD:/home/tools/emailsearch.simple *
        #Specifies that httpd (or nobody) can run this command with any parameters
        # as the user "TOOLS" (which = the passwd user tools)
httpd   ALL=NOPASSWD:/usr/local/netsaint/sbin/netsaint -h *
        # Specifies that this command (ONLY) can be run as root by httpd without a
        # password.
..."

This is a FreeBSD system and you could use a similar setup (use visudo to
edit the sudoers file), just substitute the httpd for "nobody" because
that's what your web server runs as.

I suggest installing /usr/ports/security/sudo and reading the documents at
http://www.courtesan.com/sudo/

Once you get the hang of it, you will use it for everything.  Be careful
to restrict things and not get lazy after a while.  You must limit how many
and what parameters are allowed to be run if the script you are running is
at all flaky.

At 02:46 PM 12/10/2001 -0200, Ronan Lucio wrote:
>Hi,
>
>But, if I use sudo, I'll need to set the pw to be executed by apache
>(nobody),
>wouldn't it open a security hole?
>
>For example:
>Would the other users be able to put a code that can be executed by apache
>and change any password?
>
>[]'s
>Ronan

---
Landon Stewart
System Administrator
Uniserve Online
landons@uniserve.com
Telephone: (604) 856-6281 ext 399
Toll Free: (877) UNI-Serve ext 399
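Ronan's worry (can the web server's account be made to change any password?) comes down to what the rules in an excerpt like the one above actually permit. The following added example is not from the thread or from sudo itself: it models the posted excerpt with a simplified version of sudoers(5) matching (hypothetical helpers parse_sudoers, permits and audit; exact command path, a bare command allows any arguments, "" allows none, anything else is an fnmatch pattern over the joined arguments) and flags rules that hand the web server an open argument list as root.

```python
"""Tiny model of a sudoers policy (added example, not sudo's own code).

The matching is a deliberate simplification of sudoers(5): the command
path must match exactly; a rule with no arguments permits any arguments,
'""' permits none, and anything else is an fnmatch pattern applied to the
joined argument string.  Runas_Alias and the NOPASSWD tag are understood.
"""
import fnmatch
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the one posted in the thread.
SUDOERS = """\
Runas_Alias TOOLS = tools
httpd   ALL=(TOOLS) NOPASSWD:/home/tools/emailsearch.simple *
httpd   ALL=NOPASSWD:/usr/local/netsaint/sbin/netsaint -h *
"""

# The same netsaint rule with its arguments pinned instead of wildcarded.
TIGHT = "httpd   ALL=NOPASSWD:/usr/local/netsaint/sbin/netsaint -h localhost\n"


@dataclass(frozen=True)
class Rule:
    user: str
    runas: tuple            # target users this rule may run as
    nopasswd: bool
    command: str
    args: Optional[str]     # None: any args; "": no args; else fnmatch pattern


def parse_sudoers(text):
    """Parse Runas_Alias lines and 'user host=(runas) [NOPASSWD:]cmd args' rules."""
    aliases = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        if line.startswith("Runas_Alias"):
            name, members = line[len("Runas_Alias"):].split("=", 1)
            aliases[name.strip()] = tuple(m.strip() for m in members.split(","))
            continue
        user, spec = line.split(None, 1)
        _host, spec = spec.split("=", 1)           # host list ("ALL") ignored here
        spec = spec.strip()
        runas = ("root",)                          # sudo's default target user
        if spec.startswith("("):
            inner, spec = spec[1:].split(")", 1)
            runas = aliases.get(inner.strip(), (inner.strip(),))
        spec = spec.strip()
        nopasswd = False
        while spec.startswith(("NOPASSWD:", "PASSWD:")):
            tag, spec = spec.split(":", 1)
            nopasswd = nopasswd or tag == "NOPASSWD"
        tokens = shlex.split(spec)                 # '""' becomes an empty token
        args = None if len(tokens) == 1 else " ".join(tokens[1:])
        rules.append(Rule(user, runas, nopasswd, tokens[0], args))
    return rules


def permits(rules, user, runas, argv):
    """Would the policy let USER run ARGV (full command path first) as RUNAS?"""
    requested = " ".join(argv[1:])
    for r in rules:
        if r.user not in (user, "ALL") or runas not in r.runas:
            continue
        if r.command != argv[0]:                   # sudo compares the full path
            continue
        if r.args is None:
            return True                            # bare command: any arguments
        if r.args == "":
            if not argv[1:]:
                return True
            continue
        if fnmatch.fnmatchcase(requested, r.args):
            return True
    return False


def audit(rules):
    """Flag rules that run as root with a wildcard in the argument list,
    the 'flaky script with open parameters' case Landon warns about."""
    findings = []
    for r in rules:
        if "root" in r.runas and (r.args is None or "*" in r.args):
            findings.append(f"{r.user} may run {r.command} as root with "
                            f"arguments {r.args!r}: pin the arguments or move "
                            f"the work behind a wrapper that validates them")
    return findings


if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS)
    for finding in audit(rules):
        print("WARNING:", finding)
    # A command not listed in sudoers is refused whatever the web server asks for.
    print(permits(rules, "httpd", "root", ["/usr/bin/passwd", "alice"]))  # False
```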
From owner-freebsd-security Mon Dec 10 9: 7:36 2001
From: "Sander van Dinten"
To: 'Ralph Huntington'
Date: Mon, 10 Dec 2001 18:07:30 +0100
Subject: RE: promiscuous mode
Message-ID: <000701c1819d$26f0fa20$0301a8c0@sanderpc>
In-Reply-To: <20011210120011.H59192-100000@mohegan.mohawk.net>

Are you using some kind of a network sniffer?

Promiscuous will say that your network card picks up all network packages
(which means it will not only pick up the packages for your IP-address).

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Ralph Huntington
Sent: Monday, December 10, 2001 6:04 PM
To: freebsd-security@FreeBSD.ORG
Subject: promiscuous mode

I recently found these log entries:

messages.2:Dec 6 13:45:35 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:46:31 mohawk /kernel: fxp0: promiscuous mode disabled
messages.2:Dec 6 13:47:53 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:51:00 mohawk /kernel: fxp0: promiscuous mode disabled
messages.2:Dec 6 13:51:00 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:55:42 mohawk /kernel: fxp0: promiscuous mode disabled

Can someone tell me how this mode might be enabled/disabled? We have very
few shell users on this machine and I didn't think any of them would know
anything about promiscuous mode. Turns out I know little about it myself.

Any pointers to relevant docs and/or some idea of what this might be about
would be very much appreciated. Thank you in advance.
- Ralph

From owner-freebsd-security Mon Dec 10 9:18: 7 2001
From: Ralph Huntington
To: Sander van Dinten
Date: Mon, 10 Dec 2001 12:17:57 -0500 (EST)
Subject: RE: promiscuous mode
Message-ID: <20011210121632.D59192-100000@mohegan.mohawk.net>
In-Reply-To: <000701c1819d$26f0fa20$0301a8c0@sanderpc>

No, there is no network sniffer running on that box (or any other on the
local network-- at least that I know of, and I should know). How can I
determine if someone has slipped on in?

On Mon, 10 Dec 2001, Sander van Dinten wrote:

> Are you using some kind of a network sniffer?
>
> Promiscuous will say that your network card picks up all network
> packages (which means it will not only pick up the packages for your
> IP-address).
From owner-freebsd-security Mon Dec 10 9:21:44 2001
From: Troy Corbin
To: Ralph Huntington
Cc: Sander van Dinten, freebsd-security@FreeBSD.ORG
Date: Mon, 10 Dec 2001 11:21:31 -0600 (CST)
Subject: RE: promiscuous mode
In-Reply-To: <20011210121632.D59192-100000@mohegan.mohawk.net>

maybe one of your shell users ran tcpdump?

-t

On Mon, 10 Dec 2001, Ralph Huntington wrote:

> No, there is no network sniffer running on that box (or any other on the
> local network-- at least that I know of, and I should know). How can I
> determine if someone has slipped on in?
From owner-freebsd-security Mon Dec 10 9:22:43 2001
From: "Sander van Dinten"
To: 'Ralph Huntington'
Date: Mon, 10 Dec 2001 18:22:15 +0100
Subject: RE: promiscuous mode
Message-ID: <000801c1819f$36a9b7c0$0301a8c0@sanderpc>
In-Reply-To: <20011210121632.D59192-100000@mohegan.mohawk.net>

By issuing the command "last |more" and seeing if you see any odd logins.

-----Original Message-----
From: Ralph Huntington [mailto:rjh@mohawk.net]
Sent: Monday, December 10, 2001 6:18 PM
To: Sander van Dinten
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: promiscuous mode

No, there is no network sniffer running on that box (or any other on the
local network-- at least that I know of, and I should know). How can I
determine if someone has slipped on in?
From owner-freebsd-security Mon Dec 10 9:24:51 2001
From: Ralph Huntington
To: Troy Corbin
Cc: Sander van Dinten
Date: Mon, 10 Dec 2001 12:24:43 -0500 (EST)
Subject: RE: promiscuous mode
Message-ID: <20011210122359.H59192-100000@mohegan.mohawk.net>

That was it: tcpdump

Kind thanks to all who replied.

On Mon, 10 Dec 2001, Troy Corbin wrote:

> maybe one of your shell users ran tcpdump?
>
> -t
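The thread resolves the kernel messages by asking around; what an admin usually wants first is the same log turned into a list of when the interface went promiscuous, for how long, and whether it still is, to line up against last(1) and who was logged in. This added example (not code from the thread) parses the six lines Ralph posted; the year is passed in because syslog lines carry none, and promisc_intervals and summarize are hypothetical helper names.

```python
"""Pair 'promiscuous mode enabled/disabled' kernel messages into intervals.

Added example, not part of the thread.  Input is the grep-style output
Ralph posted ('file:' prefix, then a standard syslog line).
"""
import re
from datetime import datetime

# The six messages from the thread; messages.2 is a rotated syslog file.
SAMPLE_LOG = """\
messages.2:Dec 6 13:45:35 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:46:31 mohawk /kernel: fxp0: promiscuous mode disabled
messages.2:Dec 6 13:47:53 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:51:00 mohawk /kernel: fxp0: promiscuous mode disabled
messages.2:Dec 6 13:51:00 mohawk /kernel: fxp0: promiscuous mode enabled
messages.2:Dec 6 13:55:42 mohawk /kernel: fxp0: promiscuous mode disabled
"""

LINE_RE = re.compile(
    r"^(?:[^\s:]+:)?"                                   # optional "file:" prefix
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) /kernel: (?P<iface>\S+): promiscuous mode "
    r"(?P<state>enabled|disabled)$"
)


def parse_events(lines, year):
    """Yield (timestamp, host, iface, enabled) for each matching line, in order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                     # unrelated syslog line
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        events.append((when, m["host"], m["iface"], m["state"] == "enabled"))
    return events


def promisc_intervals(lines, year):
    """Pair every 'enabled' with the next 'disabled' on the same host/interface.

    An interval whose end is None was still open when the log ended, i.e. the
    card is (or was, when the file rotated) still in promiscuous mode.
    """
    open_since = {}
    intervals = []
    for when, host, iface, enabled in parse_events(lines, year):
        key = (host, iface)
        if enabled:
            open_since.setdefault(key, when)            # keep the earliest enable
        elif key in open_since:
            start = open_since.pop(key)
            intervals.append({"host": host, "iface": iface, "start": start,
                              "end": when,
                              "seconds": int((when - start).total_seconds())})
        # a 'disabled' with nothing open (e.g. the enable was in an older
        # rotated file) is ignored rather than guessed at
    for (host, iface), start in open_since.items():
        intervals.append({"host": host, "iface": iface, "start": start,
                          "end": None, "seconds": None})
    return intervals


def summarize(intervals):
    """Count closed intervals, total their time, and list interfaces still open."""
    closed = [i for i in intervals if i["end"] is not None]
    return {"count": len(closed),
            "total_seconds": sum(i["seconds"] for i in closed),
            "still_enabled": sorted(i["iface"] for i in intervals if i["end"] is None)}


if __name__ == "__main__":
    found = promisc_intervals(SAMPLE_LOG.splitlines(), 2001)
    for i in found:
        end = i["end"].time() if i["end"] else "STILL ENABLED"
        print(f"{i['host']} {i['iface']}: {i['start'].time()} -> {end} ({i['seconds']} s)")
    print(summarize(found))   # 3 intervals, 525 s in total, nothing still open
```

The 13:51:00 disable followed by an enable in the same second is exactly what a sniffer being restarted looks like; compare the interval starts with `last` output for the same minutes.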
From owner-freebsd-security Mon Dec 10 10:24:58 2001
From: Mike Tancsa
To: security@freebsd.org
Date: Mon, 10 Dec 2001 13:18:29 -0500
Subject: AIO vulnerability (from bugtraq)
Message-Id: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca>

For those not on bugtraq,

---Mike

------------------------------------------------------------------------------
Soniq Security Advisory
David Rufino
Dec 9, 2001

Race Condition in FreeBSD AIO implementation
http://elysium.soniq.net/dr/tao/tao.html
------------------------------------------------------------------------------

RISK FACTOR: LOW

SYNOPSIS

AIO is a POSIX standard for asynchronous I/O.

Under certain conditions, scheduled AIO operations persist after an execve,
allowing arbitrary overwrites in the memory of the new process. Combined
with the permission to execute suid binaries, this can yield elevated
privileges.

Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
however comments in ``LINT'' suggest security issues have been known about
privately for some time:

# Use real implementations of the aio_* system calls. There are numerous
# stability issues in the current aio code that make it unsuitable for
# inclusion on shell boxes.

The type of file descriptor used for the AIO operation is important. For
instance operations on pipes will not complete fully after an execve,
whereas operations on sockets will. It is not known whether AIO operations
on hard disk files persist in the desired manner.

VULNERABLE SYSTEMS

FreeBSD 4-STABLE up to at least 28/10/01

RESOLUTION

Currently there are no known patches to remove all security issues. However
a patch is available to limit the use of AIO syscalls to root at
http://elysium.soniq.net/dr/tao/patch-01

EXPLOIT

Given that FreeBSD AIO is not in active use at the moment, I have made
available a proof of concept exploit, at http://elysium.soniq.net/dr/tao/tao.c

CREDITS

Discovery and exploitation was conducted by David Rufino.
CONTACT INFORMATION dr+securityfocussucks@soniq.net http://elysium.soniq.net/dr/index.html ------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 10 10:29:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 5079637B41C for ; Mon, 10 Dec 2001 10:29:43 -0800 (PST) Received: from tandem (tandem [204.107.138.1]) by tandem.milestonerdl.com (8.12.0/8.12.0) with ESMTP id fBAIXP6o090099 for ; Mon, 10 Dec 2001 12:33:25 -0600 (CST) Date: Mon, 10 Dec 2001 12:33:25 -0600 (CST) From: Marc Rassbach To: freebsd-security@FreeBSD.ORG Subject: Rsync, ssh and using root. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I know that using remote root login is considered bad behavior, but my job in implementation, not judgement of security. This is what the client wants...put a hole in the default FreeBSD security. The client in the old days had a 3.5 box (2 of them) and used a combination of rsync, rsync in daemon mode, and ssh to allow root to move data between both machines. What was done under 3.5 (remote keys, etc la) no longer work on 4.4. On 4.X, it seems to fail after authencation, and I have spent 20+ hours reading man pages, and the mail list and can't find a good work around. (I have resisted looking at the source becuase I do not feel it is a bug, nor do I wish to patch code to make this work) What I am looking for is a way to have root-level privilages for reading/writing files between servers as the lo-tech solution they want for the 'server backup' is moving files once a day. 
Guidance as to how to do this with rsync (break security) or some other
method that does not break security is welcome.

From owner-freebsd-security Mon Dec 10 11:02:27 2001
Date: Mon, 10 Dec 2001 14:00:19 -0500
From: Will Andrews
To: Marc Rassbach
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Rsync, ssh and using root.
Message-ID: <20011210140018.A23826@squall.waterspout.com>

On Mon, Dec 10, 2001 at 12:33:25PM -0600, Marc Rassbach wrote:
> I know that using remote root login is considered bad behavior, but
> my job is implementation, not judgement of security. This is what the
> client wants...put a hole in the default FreeBSD security.
>
> The client in the old days had a 3.5 box (2 of them) and used a
> combination of rsync, rsync in daemon mode, and ssh to allow root to move
> data between both machines.
>
> What was done under 3.5 (remote keys, etc.) no longer works on 4.4.
> On 4.X, it seems to fail after authentication, and I have spent 20+ hours
> reading man pages, and the mail list and can't find a good workaround.
> (I have resisted looking at the source because I do not feel it is a bug,
> nor do I wish to patch code to make this work)
>
> What I am looking for is a way to have root-level privileges for
> reading/writing files between servers as the lo-tech solution they want
> for the 'server backup' is moving files once a day.
>
> Guidance as to how to do this with rsync (break security) or some other
> method that does not break security is welcome.

You did not mention what specifically happens with the machines running
4.x, so I can't suggest a solution. There have been some changes regarding
how ssh works, particularly in protocols, since 3.x.

-- 
wca

From owner-freebsd-security Mon Dec 10 11:08:23 2001
Date: Mon, 10 Dec 2001 13:08:03 -0600
From: Alfred Perlstein
To: Mike Tancsa
Cc: security@freebsd.org, alc@freebsd.org
Subject: Re: AIO vulnerability (from bugtraq)
Message-ID: <20011210130803.B92148@elvis.mu.org>
In-Reply-To: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca>; from mike@sentex.net on Mon, Dec 10, 2001 at 01:18:29PM -0500

* Mike Tancsa [011210 12:25] wrote:
>
> For those not on bugtraq,

Yah, this needs to be fixed, do note that AIO is not enabled by default in
FreeBSD and the warning is pretty clear.

Alan, can you take a look at this? I'd really like to get AIO enabled by
default one of these days. :)

>
> ---Mike
>
> ------------------------------------------------------------------------------
> Soniq Security Advisory
> David Rufino Dec 9, 2001
>
> Race Condition in FreeBSD AIO implementation
> http://elysium.soniq.net/dr/tao/tao.html
> ------------------------------------------------------------------------------
>
> RISK FACTOR: LOW
>
> SYNOPSIS
>
> AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
> scheduled AIO operations persist after an execve, allowing arbitrary
> overwrites in the memory of the new process. Combined with the permission
> to execute suid binaries, this can yield elevated privileges.
> Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
> however comments in ``LINT'' suggest security issues have been known about
> privately for some time:
>
> # Use real implementations of the aio_* system calls. There are numerous
> # stability issues in the current aio code that make it unsuitable for
> # inclusion on shell boxes.

From owner-freebsd-security Mon Dec 10 11:22:19 2001
Date: Mon, 10 Dec 2001 11:22:14 -0800
From: Marcus Reid
To: Marc Rassbach
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Rsync, ssh and using root.
Message-ID: <20011210112214.B82934@blazingdot.com>
Coffee-Level: high

On Mon, Dec 10, 2001 at 12:33:25PM -0600, Marc Rassbach wrote:
>
> I know that using remote root login is considered bad behavior, but
> my job is implementation, not judgement of security. This is what the
> client wants...put a hole in the default FreeBSD security.

Darn those clients..

> The client in the old days had a 3.5 box (2 of them) and used a
> combination of rsync, rsync in daemon mode, and ssh to allow root to move
> data between both machines.
>
> What was done under 3.5 (remote keys, etc.) no longer works on 4.4.
> On 4.X, it seems to fail after authentication, and I have spent 20+ hours
> reading man pages, and the mail list and can't find a good workaround.
> (I have resisted looking at the source because I do not feel it is a bug,
> nor do I wish to patch code to make this work)
>
> What I am looking for is a way to have root-level privileges for
> reading/writing files between servers as the lo-tech solution they want
> for the 'server backup' is moving files once a day.

You could do better without much additional effort. Give the operator user
a home directory, make a dsa keypair for it, and use 'dump' across the
network as operator (with ssh.) You can always add 'restore' to the
pipeline if you need the files to be loose on the machine that's making
the backups. No use going all the way to root if operator can get its
hands on all of the data.

Marcus

>
> Guidance as to how to do this with rsync (break security) or some other
> method that does not break security is welcome.

-- 
Marcus L. Reid
Public Key ID DA2C3C46

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759

From owner-freebsd-security Mon Dec 10 11:23:39 2001
Date: Mon, 10 Dec 2001 13:23:19 -0600
From: "Alan L. Cox"
Organization: iMimic Networking, Inc.
To: Alfred Perlstein
Cc: Mike Tancsa, security@freebsd.org, alc@freebsd.org
Subject: Re: AIO vulnerability (from bugtraq)
Message-ID: <3C150BA7.9D5EC72E@imimic.com>
References: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca> <20011210130803.B92148@elvis.mu.org>

Will do. You might also send it to tegge.

Alfred Perlstein wrote:
>
> * Mike Tancsa [011210 12:25] wrote:
> >
> > For those not on bugtraq,
>
> Yah, this needs to be fixed, do note that AIO is not enabled by
> default in FreeBSD and the warning is pretty clear.
>
> Alan, can you take a look at this? I'd really like to get AIO
> enabled by default one of these days. :)
>
> >
> > ---Mike
> >
> > ------------------------------------------------------------------------------
> > Soniq Security Advisory
> > David Rufino Dec 9, 2001
> >
> > Race Condition in FreeBSD AIO implementation
> > http://elysium.soniq.net/dr/tao/tao.html
> > ------------------------------------------------------------------------------
> >
> > RISK FACTOR: LOW
> >
> > SYNOPSIS
> >
> > AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
> > scheduled AIO operations persist after an execve, allowing arbitrary
> > overwrites in the memory of the new process. Combined with the permission
> > to execute suid binaries, this can yield elevated privileges.
> > Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
> > however comments in ``LINT'' suggest security issues have been known about
> > privately for some time:
> >
> > # Use real implementations of the aio_* system calls. There are numerous
> > # stability issues in the current aio code that make it unsuitable for
> > # inclusion on shell boxes.

From owner-freebsd-security Mon Dec 10 13:26:21 2001
Date: Mon, 10 Dec 2001 23:26:12 +0200
From: Alex Popa
To: Marc Rassbach
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Rsync, ssh and using root.
Message-ID: <20011210232612.A56872@ldc.ro>

On Mon, Dec 10, 2001 at 12:33:25PM -0600, Marc Rassbach wrote:
>
> I know that using remote root login is considered bad behavior, but
> my job is implementation, not judgement of security. This is what the
> client wants...put a hole in the default FreeBSD security.
>
> The client in the old days had a 3.5 box (2 of them) and used a
> combination of rsync, rsync in daemon mode, and ssh to allow root to move
> data between both machines.
>
> What was done under 3.5 (remote keys, etc.) no longer works on 4.4.
> On 4.X, it seems to fail after authentication, and I have spent 20+ hours
> reading man pages, and the mail list and can't find a good workaround.
> (I have resisted looking at the source because I do not feel it is a bug,
> nor do I wish to patch code to make this work)
>
> What I am looking for is a way to have root-level privileges for
> reading/writing files between servers as the lo-tech solution they want
> for the 'server backup' is moving files once a day.
>
> Guidance as to how to do this with rsync (break security) or some other
> method that does not break security is welcome.

Well, the most important change I can think of, which might be what is
keeping you from using your old ssh keys, is that (please correct me if I
am wrong) the default protocol for SSH in FreeBSD 4.4 is version 2.
Thus you will need a pair of DSA keys for passwordless scp, or the line
"Protocol 1,2" in one of /etc/ssh/sshd_config or /etc/ssh/ssh_config. (I
would prefer sshd_config, or better, generating dsa keys and putting the
public one in .ssh/authorized_keys2 on the remote machine)

HTH
Alex

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

From owner-freebsd-security Mon Dec 10 15:15:03 2001
Date: Mon, 10 Dec 2001 23:14:08 +0000
From: Mike D
To: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP from within only
Message-Id: <20011210231442.DTMS3849.mta06-svc.ntlworld.com@there>

> Allows YOU to ping, and run traceroute.
> $fwcmd add allow icmp from any to via icmptypes
> 0,3,11
>
> Denies others to ping you.
> $fwcmd add deny icmp from any to via icmptypes 0,8
>
> Allows pinging etc, from your personal network.
> $fwcmd add allow icmp from to via
> icmptypes 0,8

The problem is that I have a dynamically assigned IP address, what could
you suggest for this? Shall I just do the rule for 123.123.*? (123.123
being the first 2 numbers of the DHCP range)

Thanks again in advance!

From owner-freebsd-security Mon Dec 10 15:18:00 2001
Date: Mon, 10 Dec 2001 15:17:55 -0800
From: Erick Mechler
To: Mike D
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP from within only
Message-ID: <20011210151755.P45316@techometer.net>
In-Reply-To: <20011210231442.DTMS3849.mta06-svc.ntlworld.com@there>; from Mike D on Mon, Dec 10, 2001 at 11:14:08PM +0000

:: the problem is that I have a dynamically assigned IP address, what could you
:: suggest for this? Shall I just do the rule for 123.123.*? (123.123 being the
:: first 2 numbers of the DHCP range)

Check out the 'me' option in ipfw(8).
Cheers - Erick

From owner-freebsd-security Mon Dec 10 15:41:46 2001
Date: Mon, 10 Dec 2001 16:41:30 -0700
From: Randy Smith
Organization: Amigo.Net
To: Marc Rassbach
Cc: freebsd-security@freebsd.org
Subject: Re: Rsync, ssh and using root.
Message-Id: <200112102348.fBANmG182366@smtp1.amigo.net>

On Monday 10 December 2001 11:33, you wrote:
>
> What I am looking for is a way to have root-level privileges for
> reading/writing files between servers as the lo-tech solution they want
> for the 'server backup' is moving files once a day.

Another option, though not nearly as much fun to set up, is to use
NFS+IPSec+rsync. It goes something like this:

- Set up a read-only mount from the main machine (Box A) using NFS. You
  will, of course, restrict access to this to the IP address of the other
  machine (Box B).
- Set up IPSec between the boxes to prevent IP spoofing and to provide the
  encryption. (I use static keys to avoid the stability problems with
  racoon. (They may not exist anymore but racoon had issues when I was
  looking into this the first time.))
- On Box B, mount the NFS directory and then rsync from that to wherever
  it needs to be.
  (bash# rsync --delete /path/to/boxa/nfs /path/to/local/location)

This avoids the problems with SSH and root access but may lead to other
problems that I am not aware of. One good thing about this is that
restoring to the other machine is reasonably easy. Remount boxa:/nfs/dir
as read-write and then reverse the paths in the rsync command above.

Others may be able to point out any problems/improvements that exist with
this plan.

Good luck.

-- 
Randy Smith
Amigo.Net Systems Administrator
1-719-589-6100 x 4185
http://www.amigo.net/

From owner-freebsd-security Mon Dec 10 17:10:09 2001
Date: Mon, 10 Dec 2001 20:09:33 -0500 (EST)
From: "Andrew R. Reiter"
To: Alfred Perlstein
Cc: Mike Tancsa, security@FreeBSD.org, alc@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: AIO vulnerability (from bugtraq)
In-Reply-To: <20011210130803.B92148@elvis.mu.org>

Since kkenn is gone for a period of time, should anyone on
security-officer respond publicly? Or has this already been done and I'm
behind email..
On Mon, 10 Dec 2001, Alfred Perlstein wrote:

:* Mike Tancsa [011210 12:25] wrote:
:>
:> For those not on bugtraq,
:
:Yah, this needs to be fixed, do note that AIO is not enabled by
:default in FreeBSD and the warning is pretty clear.
:
:Alan, can you take a look at this? I'd really like to get AIO
:enabled by default one of these days. :)
:
:>
:> ---Mike
:>
:> ------------------------------------------------------------------------------
:> Soniq Security Advisory
:> David Rufino Dec 9, 2001
:>
:> Race Condition in FreeBSD AIO implementation
:> http://elysium.soniq.net/dr/tao/tao.html
:> ------------------------------------------------------------------------------
:>
:> RISK FACTOR: LOW
:>
:> SYNOPSIS
:>
:> AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
:> scheduled AIO operations persist after an execve, allowing arbitrary
:> overwrites in the memory of the new process. Combined with the permission
:> to execute suid binaries, this can yield elevated privileges.
:> Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
:> however comments in ``LINT'' suggest security issues have been known about
:> privately for some time:
:>
:> # Use real implementations of the aio_* system calls. There are numerous
:> # stability issues in the current aio code that make it unsuitable for
:> # inclusion on shell boxes.
:

-- 
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org

From owner-freebsd-security Mon Dec 10 18:22:53 2001
Date: Mon, 10 Dec 2001 20:22:49 -0600
From: Angry Skull
To: "Andrew R. Reiter"
Cc: Mike Tancsa, security@FreeBSD.org, alc@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: AIO vulnerability (from bugtraq)
Message-ID: <20011210202249.Q92148@elvis.mu.org>
References: <20011210130803.B92148@elvis.mu.org>

* Andrew R. Reiter [011210 19:09] wrote:
>
> Since kkenn is gone for a period of time, should anyone on
> security-officer respond publicly? Or has this already been done and
> I'm behind email..

I'm sorry, did you even bother to read the bugtraq mail? Or BOTHER TO READ
THE FIRST TWO LINES OF MY POST?
grrr,
-angryskul

From owner-freebsd-security Mon Dec 10 18:27:50 2001
Date: Tue, 11 Dec 2001 02:27:43 +0000
From: Rik
To: freebsd-security@freebsd.org
Subject: Why is web mode (-w) disabled in ntop port?
Message-ID: <20011211022743.A29482@spoon.pkl.net>

Hi all,

I saw ntop in action at BSDCon Europe, and I have decided to try it out
for myself. I primarily wanted to tinker with the web interface, only to
find that it has been unconditionally disabled with a patch applied by
the ports tree.

I was wondering: Why? It simply says it was disabled "for security
reasons". Does it have some kind of dire security problem which hasn't
yet been resolved, except by disabling the feature?

And can someone tell me whether it was better etiquette to ask the list
rather than the port maintainer directly?
rik

-- 
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Mon Dec 10 19:31:50 2001
Date: Mon, 10 Dec 2001 22:31:27 -0500 (EST)
From: "Andrew R. Reiter"
To: Angry Skull
Cc: Mike Tancsa, security@FreeBSD.org, alc@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: AIO vulnerability (from bugtraq)
In-Reply-To: <20011210202249.Q92148@elvis.mu.org>

So your email stated that there was a security officer response?

On Mon, 10 Dec 2001, Angry Skull wrote:

:* Andrew R. Reiter [011210 19:09] wrote:
:>
:> Since kkenn is gone for a period of time, should anyone on
:> security-officer respond publicly? Or has this already been done and
:> I'm behind email..
:
:I'm sorry, did you even bother to read the bugtraq mail? Or BOTHER
:TO READ THE FIRST TWO LINES OF MY POST?
:
:grrr,
:-angryskul
:

-- 
Andrew R. Reiter
arr@watson.org
arr@FreeBSD.org

From owner-freebsd-security Mon Dec 10 19:59:25 2001
Date: Mon, 10 Dec 2001 19:59:21 -0800
From: Kris Kennaway
To: Rik
Cc: freebsd-security@freebsd.org
Subject: Re: Why is web mode (-w) disabled in ntop port?
Message-ID: <20011210195921.A51790@xor.obsecurity.org>
References: <20011211022743.A29482@spoon.pkl.net>
In-Reply-To: <20011211022743.A29482@spoon.pkl.net>; from freebsd-security@rikrose.net on Tue, Dec 11, 2001 at 02:27:43AM +0000

On Tue, Dec 11, 2001 at 02:27:43AM +0000, Rik wrote:
> Hi all,
>
> I saw ntop in action at BSDCon Europe, and I have decided to try it out
> for myself. I primarily wanted to tinker with the web interface, only to
> find that it has been unconditionally disabled with a patch applied by
> the ports tree.
>
> I was wondering: Why? It simply says it was disabled "for security
> reasons". Does it have some kind of dire security problem which hasn't
> yet been resolved, except by disabling the feature?

Yes.
> And can someone tell me whether it was better etiquette to ask the list
> rather than the port maintainer directly?

It's better etiquette to do the research yourself before asking; 10
seconds of looking through the list of FreeBSD Security Advisories at
http://www.freebsd.org/security shows you this:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:36.ntop.asc

Kris

From owner-freebsd-security Mon Dec 10 20:06:39 2001
Date: Mon, 10 Dec 2001 22:06:29 -0600
From: Alfred Perlstein
To: "Andrew R. Reiter"
Cc: Mike Tancsa, security@FreeBSD.org, alc@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: AIO vulnerability (from bugtraq)
Message-ID: <20011210220629.T92148@elvis.mu.org>
References: <20011210202249.Q92148@elvis.mu.org>

* Andrew R. Reiter [011210 21:31] wrote:
>
> So your email stated that there was a security officer response?
No, my email clearly stated that AIO is not on by default and has a large
glaring blinking neon sign hanging off it stating use at your own risk.

I thought it would be painfully obvious that it doesn't require a security
officer response.

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3

From owner-freebsd-security Mon Dec 10 20:43:04 2001
Date: Tue, 11 Dec 2001 13:42:52 +0900
From: Shoichi Sakane
To: roam@ringlet.net
Cc: security@FreeBSD.org
Subject: Re: IPsec tunnel (manual keying) configuration problem
Message-Id: <20011211134252T.sakane@kame.net>
In-Reply-To: Your message of "Fri, 23 Nov 2001 20:44:44 +0200" <20011123204444.A1304@straylight.oblivion.bg>
References: <20011123204444.A1304@straylight.oblivion.bg>

> The way I read those logs, vn and portal forward packets to other hosts
> just fine.
> However, when a packet arrives for the endpoints themselves,
> it somehow does not reach the TCP stack or something - at least it does not
> reach the part where the handshake SYN's and ACK's are processed.

Have you solved your problem? If not, check the output of "netstat -s".
I think there are some errors in the ipsec stats.

From owner-freebsd-security Mon Dec 10 21:20:41 2001
Date: Mon, 10 Dec 2001 23:20:33 -0600
From: Rob Andrews
To: freebsd-security@freebsd.org
Subject: last / wtmp / login ??
Message-ID: <20011210232033.A91989@switchblade.cyberpunkz.org>

I'm wondering if it is possible to force last, or the information collected
which last displays, to only show the actual IP address instead of a hostname
in the login report.
Does anyone have a suggestion of how I go about getting the information
displayed to be the IPs instead of the broken hostnames? Or does it get
logged with the name into the file?

Rob Andrews

From owner-freebsd-security Mon Dec 10 23:35:31 2001
Date: Mon, 10 Dec 2001 23:35:18 -0800
From: Hao Chen
To: freebsd-audit@freebsd.org, freebsd-security@freebsd.org
Subject: setuid() POSIX compliance
Message-ID: <3C15B736.7080605@uclink.berkeley.edu>

Hi,

I am a graduate student doing computer security research and I am looking at
the implementation of the setuid() system call in FreeBSD 4.4 Release. I have
the following questions:

1. The following comments are from /usr/src/sys/kern/kern_prot.c

    /*
     * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
     * compatable.
     * It says that setting the uid/gid to euid/egid is a special
     * case of "appropriate privilege".  Once the rules are expanded out, this
     * basically means that setuid(nnn) sets all three id's, in all permitted
     * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
     * does not set the saved id - this is dangerous for traditional BSD
     * programs.  For this reason, we *really* do not want to set
     * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
     */

But according to POSIX 1003.1-1988, section 4.2.2.2:

    If {_POSIX_SAVED_IDS} is defined:
    (1) If the process has appropriate privileges, the setuid() function
        sets the real user ID, effective user ID, and the saved set-user-ID
        to uid.

Does FreeBSD's interpretation of _POSIX_SAVED_IDS differ from POSIX? Or did I
misunderstand anything here?

2. Also according to the above comment from /usr/src/sys/kern/kern_prot.c,
setting _POSIX_SAVED_IDS will cause setuid(getuid()) NOT to set the saved id.
However, according to the following code from setuid() in
/usr/src/sys/kern/kern_prot.c, setuid(getuid()) will not set the saved id
ONLY if:

    (1) _POSIX_SAVED_IDS is set, and
    (2) euid is not root, and
    (3) either
        (3.1) POSIX_APPENDIX_B_4_2_2 is unset, or
        (3.2) POSIX_APPENDIX_B_4_2_2 is set and the parameter to setuid()
              is not equal to the euid.

If POSIX_APPENDIX_B_4_2_2 is set, which is the case in the pre-compiled kernel
(and is also the case for Linux), for setuid(getuid()), the above condition
requires at least that euid!=0, ruid!=euid, and ruid!=0 (because the
programmer intends to DROP privilege by setuid(getuid())). Is there any real
situation where this condition may arise?

    #ifdef _POSIX_SAVED_IDS
            /*
             * Do we have "appropriate privileges" (are we root or uid == euid)
             * If so, we are changing the real uid and/or saved uid.
             */
            if (
    #ifdef POSIX_APPENDIX_B_4_2_2   /* Use the clause from B.4.2.2 */
                uid == pc->pc_ucred->cr_uid ||
    #endif
                suser_xxx(0, p, PRISON_ROOT) == 0) /* we are using privs */
    #endif
            {
                    // set saved id

Thank you in advance!

- Hao

From owner-freebsd-security Mon Dec 10 23:41:11 2001
Date: Mon, 10 Dec 2001 23:41:02 -0800
From: "Noah Davidson"
To: "FreeBSD Security List (E-mail)", "FreeBSD Security List (E-mail 2)"
Subject: password changes

How can I change the password of a user and not be prompted to verify it? We
are changing our mail server to sendmail. I have all of the passwords in
plain text. I want to write a script that changes all 5000 or so passwords.
How can I do this? I would like to call passwd or some command from a perl
script to do this. Any ideas would be very helpful.

Thanks
Noah Davidson

From owner-freebsd-security Tue Dec 11 0: 0:42 2001
Date: Tue, 11 Dec 2001 02:58:17 -0500
From: Anthony Schneider
To: Noah Davidson
Cc: "FreeBSD Security List (E-mail)", "FreeBSD Security List (E-mail 2)"
Subject: Re: password changes
Message-ID: <20011211025817.A7458@mail.slc.edu>
In-Reply-To: ; from Noah@oopz.com on Mon, Dec 10, 2001 at 11:41:02PM -0800

try "expect".

cd /usr/ports/lang/expect && make install

-Anthony.

On Mon, Dec 10, 2001 at 11:41:02PM -0800, Noah Davidson wrote:
> How can I change the password of a user and not be prompted to verify
> it. We are changing our mail server to sendmail. I have all of the
> passwords in plain text. I want to write a script that changes all 5000
> or so passwords. How can I do this? I would like to call passwd or
> some command from a perl script to do this. Any Ideas would be very
> helpful.
> 
> Thanks
> Noah Davidson

From owner-freebsd-security Tue Dec 11 0: 3:57 2001
Date: Tue, 11 Dec 2001 02:03:49 -0600
From: Bill Fumerola
To: Noah Davidson
Cc: "FreeBSD Security List (E-mail 2)"
Subject: Re: password changes
Message-ID: <20011211020349.T32521@elvis.mu.org>
In-Reply-To: ; from Noah@oopz.com on Mon, Dec 10, 2001 at 11:41:02PM -0800
X-Operating-System: FreeBSD 4.4-FEARSOME-20011125 i386
On Mon, Dec 10, 2001 at 11:41:02PM -0800, Noah Davidson wrote:
> How can I change the password of a user and not be prompted to verify
> it. We are changing our mail server to sendmail. I have all of the
> passwords in plain text. I want to write a script that changes all 5000
> or so passwords. How can I do this? I would like to call passwd or
> some command from a perl script to do this. Any Ideas would be very
> helpful.

man 8 pw, specifically ''-h''.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

ps. freebsd-${mailinglist}@freebsd.org and ${mailinglist}@freebsd.org are
always the same for all of our mainstream majordomo mailing lists...

From owner-freebsd-security Tue Dec 11 2: 2:59 2001
Date: Tue, 11 Dec 2001 11:02:39 +0100
From: Oleg Cherkasov
Organization: http://oleg.dnsalias.com
To: freebsd-security@freebsd.org
Subject: Re: AIO vulnerability (from bugtraq)
References: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca> <20011210130803.B92148@elvis.mu.org>
In-Reply-To:
<20011210130803.B92148@elvis.mu.org>
Message-Id: <0112111102390U.10748@vesna>

On Monday 10 December 2001 20:08, Alfred Perlstein wrote:
> * Mike Tancsa [011210 12:25] wrote:
> > For those not on bugtraq,
>
> Yah, this needs to be fixed, do note that AIO is not enabled by
> default in FreeBSD and the warning is pretty clear.

I've got:

    $ sysctl -a|fgrep aio
    p1003_1b.aio_listio_max: 0
    p1003_1b.aio_max: 0
    p1003_1b.aio_prio_delta_max: 0

Is it disabled?

Oleg

From owner-freebsd-security Tue Dec 11 2:29:34 2001
Date: Tue, 11 Dec 2001 10:31:03 +0000
From: Rasputin
Reply-To: Rasputin
To: Sheldon Hearn
Cc: security@freebsd.org
Subject: Re: Accessing as root
Message-ID: <20011211103103.A1668@shikima.mine.nu>
References: <60355.1008000080@axl.seasidesoftware.co.za> <60409.1008000194@axl.seasidesoftware.co.za>
In-Reply-To: <60409.1008000194@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Mon, Dec 10, 2001 at 06:03:14PM +0200

* Sheldon Hearn [011210 16:05]:
> 
> 
> On Mon, 10 Dec 2001 18:01:20 +0200,
> Sheldon Hearn wrote:
> 
> > > I need to make some scripts to change the password and another
> > > things like that need root permissions, but:
> > > 
> > > How can I do it without opening a security hole in the server?
> > > What is the best way to do it?
> > 
> > 1) Limit exposure to just those commands that need privilege, by passing
> > your command as arguments to the su(1) command.
> 
> This is stupid advice, sorry.
> 
> You need to make your script setuid root (see chmod(1)).

Can you do that on FreeBSD? Most modern UNIXes don't allow suid scripts.

-- 
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Tue Dec 11 2:54:43 2001
Date: Tue, 11 Dec 2001 10:54:33 +0000
From: Rik
To: Kris Kennaway
Cc: FreeBSD Security
Subject: Re: Why is web mode (-w) disabled in ntop port?
Message-ID: <20011211105433.A12134@spoon.pkl.net>
References: <20011211022743.A29482@spoon.pkl.net> <20011210195921.A51790@xor.obsecurity.org>
In-Reply-To: <20011210195921.A51790@xor.obsecurity.org>; from kris@obsecurity.org on Mon, Dec 10, 2001 at 07:59:21PM -0800

On Mon, Dec 10, 2001 at 07:59:21PM -0800, Kris Kennaway wrote:
> It's better etiquette to do the research yourself before asking; 10
> seconds of looking through the list of FreeBSD Security Advisories at
> http://www.freebsd.org/security shows you this:

[snip URL I should have found]

You'd have thought I'd have found that. Apparently I am unable to type
command names without the use of tab completion, as I did search the list.
D'oh. Oh well, I freely admit being a moron.
Thanks for pointing it out

rik

-- 
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Tue Dec 11 3:10: 1 2001
Date: Tue, 11 Dec 2001 11:09:21 +0000
From: freebsd-security-local@insignia.com
To: freebsd-security@freebsd.org
Subject: Re: Racoon <> VPN Gateway
Message-ID: <52qb1u0gfaub5ktcc4nb6rg5ndp9o8g1f5@4ax.com>

On Tue, 11 Dec 2001 01:37:24 +0900, sakane@kame.net (Shoichi Sakane) wrote:

>> I've now got further trying to get racoon talking to a Redcreek
>> Ravlin10 VPN gateway, once I realised the gif device is needed
>> for tunnel mode. It actually replies to me, though the reply
>> isn't what racoon seems to expect.
>
>basically you don't need the gif device configuration when you want
>to use IPsec tunnel mode.
Reading the daemonnews article, they suggest that this is done "to get the
routing right in the kernel" and it's nothing to do with the IPSec
tunnelling.

>> I'm trying to establish an ESP tunnel mode connection between
>> 213.208.123.252 (racoon) and 195.74.141.60 (Ravlin).
>
>> Racoon says:
>> >2001-12-06 20:44:02: DEBUG: isakmp.c:394:isakmp_main(): malformed cookie received or the spi expired.

OK I found this. On rereading the docs I realised that I had set the
pre-shared key incorrectly. It has spaces in it and I had surrounded it with
double quotes. I now realise that racoon takes the first non-whitespace
character after the IP address as the start of the key. Changing this made
the SA come up!

Racoon is not 100% happy though:

>Dec 10 19:25:17 field racoon: INFO: isakmp.c:816:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 213.208.123.252[500]<=>195.74.141.60[500]
>Dec 10 19:25:17 field racoon: INFO: isakmp.c:821:isakmp_ph1begin_i(): begin Identity Protection mode.
>Dec 10 19:25:17 field racoon: INFO: isakmp.c:2453:log_ph1established(): ISAKMP-SA established 213.208.123.252[500]-195.74.141.60[500] spi:a3aa6711976b7507:2d437c5f3fb040d0
>Dec 10 19:25:18 field racoon: WARNING: isakmp_inf.c:1264:isakmp_check_notify(): ignore RESPONDER-LIFETIME notification.
>Dec 10 19:25:18 field racoon: WARNING: ipsec_doi.c:907:cmp_aproppair_i(): transform number has been modified.
>Dec 10 19:25:18 field racoon: ERROR: proposal.c:488:cmpsatrns(): trns_id mismatched: my:2 peer:3
>Dec 10 19:25:18 field racoon: ERROR: proposal.c:488:cmpsatrns(): trns_id mismatched: my:2 peer:3
>Dec 10 19:25:18 field racoon: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 195.74.141.60->213.208.123.252 spi=185712998(0xb11c166)
>Dec 10 19:25:18 field racoon: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 213.208.123.252->195.74.141.60 spi=4175081201(0xf8daaef1)

However I still can't get a packet to go out and back.
If I try a ping and trace packets to the VPN gateway box I see the ESP packet
go out but there is no reply, so we press on...

Regards,

Jim Hatfield

From owner-freebsd-security Tue Dec 11 4:28:22 2001
Date: Tue, 11 Dec 2001 14:30:01 +0200
From: Sheldon Hearn
To: Rasputin
Cc: security@freebsd.org
Subject: Re: Accessing as root
In-reply-to: Your message of "Tue, 11 Dec 2001 10:31:03 GMT." <20011211103103.A1668@shikima.mine.nu>
Message-ID: <40735.1008073801@axl.seasidesoftware.co.za>

On Tue, 11 Dec 2001 10:31:03 GMT, Rasputin wrote:

> > You need to make your script setuid root (see chmod(1)).
> 
> Can you do that on FreeBSD? Most modern UNIXes don't allow suid scripts.

Weird, could have sworn this used to work.

Sorry,
Sheldon.

From owner-freebsd-security Tue Dec 11 4:45:20 2001
Date: Tue, 11 Dec 2001 15:43:09 +0300
From: "Nickolay A.Kritsky"
Reply-To: "Nickolay A.Kritsky"
To: Sheldon Hearn
Cc: Rasputin, security@FreeBSD.ORG
Subject: Re[2]: Accessing as root
Message-ID: <150428298971.20011211154309@internethelp.ru>
In-reply-To: <40735.1008073801@axl.seasidesoftware.co.za>
References: <40735.1008073801@axl.seasidesoftware.co.za>

Hello Sheldon,

Tuesday, December 11, 2001, 3:30:01 PM, you wrote:

SH> On Tue, 11 Dec 2001 10:31:03 GMT, Rasputin wrote:
>> > You need to make your script setuid root (see chmod(1)).
>> 
>> Can you do that on FreeBSD? Most modern UNIXes don't allow suid scripts.

SH> Weird, could have sworn this used to work.

SH> Sorry,
SH> Sheldon.

You could run suid perl scripts using suidperl from ports. But I could not
find such tools for shell or awk scripts when I had a similar problem.
;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Tue Dec 11 4:49:19 2001
Date: Tue, 11 Dec 2001 12:50:52 +0000
From: Rasputin
Reply-To: Rasputin
To: Sheldon Hearn
Cc: security@freebsd.org
Subject: Re: Accessing as root
Message-ID: <20011211125052.A2445@shikima.mine.nu>
References: <20011211103103.A1668@shikima.mine.nu> <40735.1008073801@axl.seasidesoftware.co.za>
In-Reply-To: <40735.1008073801@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Tue, Dec 11, 2001 at 02:30:01PM +0200

* Sheldon Hearn [011211 12:35]:
> 
> 
> On Tue, 11 Dec 2001 10:31:03 GMT, Rasputin wrote:
> 
> > > You need to make your script setuid root (see chmod(1)).
> > 
> > Can you do that on FreeBSD? Most modern UNIXes don't allow suid scripts.
> 
> Weird, could have sworn this used to work.

It did - but modern kernels disallow it because of the race conditions that
affect all shell/perl scripts.
-- 
Computer programmers do it byte by byte
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Tue Dec 11 5:24:45 2001
Date: Tue, 11 Dec 2001 12:24:16 +0100 (CET)
From: Alexander Leidinger
To: randys@amigo.net
Cc: marc@milestonerdl.com, freebsd-security@FreeBSD.ORG
Subject: Re: Rsync, ssh and using root.
Message-Id: <200112111124.fBBBOI902371@Magelan.Leidinger.net>
In-Reply-To: <200112102348.fBANmG182366@smtp1.amigo.net>

On 10 Dec, Randy Smith wrote:

[NFS+IPSec+rsync]
> This avoids the problems with SSH and root access but may lead to other
> problems that I am not aware of. One good thing about this is that restoring
> to the other machine is reasonably easy. Remount boxa:/nfs/dir as read-write
> and then reverse the paths in the rsync command above.
> 
> Others may be able to point out any problems/improvements that exist with this
> plan.
-> A lot of network traffic and a slower update if you didn't use --size-only
(which may only be a good idea in specific situations). The file on the
remote box may need to go completely over the network in the worst case (if a
checksum has to be calculated for the whole file; I don't know how often this
can happen).

Bye,
Alexander.

-- 
If Bill Gates had a dime for every time a Windows box crashed...
...Oh, wait a minute, he already does.

http://www.Leidinger.net    Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7

From owner-freebsd-security Tue Dec 11 9: 1:49 2001
Date: Tue, 11 Dec 2001 09:00:46 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-01:65.libgtop
Message-Id: <200112111700.fBBH0kI72017@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:65                                            Security Advisory
                                                                FreeBSD, Inc.
Topic:          Buffer overflow in libgtop_server

Category:       ports
Module:         libgtop
Announced:      2001-12-11
Credits:        Flavio Veloso
Affects:        Ports collection prior to the correction date
Corrected:      2001-11-29 15:06:19 UTC
FreeBSD only:   NO

I.   Background

libgtop is a library for gtop, the GNOME version of the top command. The top command is a tool to display and update information about the top cpu processes.

II.  Problem Description

The libgtop port versions prior to libgtop-1.0.12_1 contain a stack buffer overflow in libgtop_server, allowing an arbitrary amount of data from the client application (assumed to be gtop) to be read into a fixed-sized buffer. A local attacker can exploit this bug to cause libgtop_server to execute arbitrary code.

libgtop_server runs with increased privileges as a member of group kmem, which allows it to read kernel memory (but not write it). A process with the ability to read from kernel memory can monitor privileged data such as network traffic, disk buffers and terminal activity, and may be able to leverage this to obtain further privileges on the local system or on other systems, including root privileges.

The libgtop port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.4 contains this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

A successful exploit of this stack buffer overflow would allow an attacker arbitrary access to kernel memory, possibly acquiring information allowing further increases in privileges. No exploit is known to exist at this time, and it is not known whether this buffer overflow is exploitable even in theory.

In any case, local access to the machine on which libgtop_server is running is required to attempt an attack.

IV.  Workaround

1) Deinstall the libgtop port/package if you have it installed.

OR

2) Remove the setgid bit from the libgtop_server executable by executing the following command as root:

# chmod g-s `which libgtop_server`

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/libgtop-1.0.12_1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/libgtop-1.0.12_1.tar.gz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

NOTE: It may be several days before updated packages are available. Be sure to check the file creation date on the package, because the version number of the software has not changed.

3) Download a new port skeleton for the libgtop port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.

Path                                                            Revision
- -------------------------------------------------------------------------
ports/devel/libgtop/Makefile                                        1.45
ports/devel/libgtop/files/patch-src::daemon::gnuserv.c               1.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Dec 11 9: 1:53 2001
From: FreeBSD Security Advisories
Date: Tue, 11 Dec 2001 09:00:57 -0800 (PST)
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd
Reply-To: security-advisories@freebsd.org
Message-Id: <200112111700.fBBH0vM72097@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:66                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          thttpd port contains remote vulnerability

Category:       ports
Module:         thttpd
Announced:      2001-12-11
Credits:        GOBBLES SECURITY
Affects:        Ports collection prior to the correction date
Corrected:      2001-11-22 00:10:56 UTC
FreeBSD only:   no

I.   Background

thttpd is a simple, small, portable, fast, and secure HTTP server.

II.  Problem Description

In auth_check(), there is an off-by-one error in computing the amount of memory needed for storing a NUL terminated string. Specifically, a stack buffer of 500 bytes is used to store a string of up to 501 bytes including the terminating NUL.

III. Impact

Due to the location of the affected buffer on the stack, this bug can be exploited using ``The poisoned NUL byte'' technique (see references). A remote attacker can hijack the thttpd process, obtaining whatever privileges it has. By default, the thttpd process runs as user `nobody'.

IV.  Workaround

1) Deinstall the thttpd port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/thttpd-2.22.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/thttpd-2.22.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) Download a new port skeleton for the thttpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.

Path                                                            Revision
- -------------------------------------------------------------------------
ports/www/thttpd/Makefile                                           1.23
ports/www/thttpd/distinfo                                           1.20
ports/www/thttpd/files/patch-fdwatch.c                           removed
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Dec 11 11: 3: 9 2001
Message-Id: <200112111901.fBBJ1bF07234@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: "Sander van Dinten"
Cc: "'Ralph Huntington'", freebsd-security@FreeBSD.ORG
Subject: Re: promiscuous mode
In-reply-to: Your message of "Mon, 10 Dec 2001 18:07:30 +0100." <000701c1819d$26f0fa20$0301a8c0@sanderpc>
Date: Tue, 11 Dec 2001 11:01:30 -0800

In message <000701c1819d$26f0fa20$0301a8c0@sanderpc>, "Sander van Dinten" writes:
> Are you using some kind of a network sniffer?
>
> Promiscuous will say that your network card picks up all network
> packages (which means it will not only pick up the packages for your
> IP-address).

Some entropy gathering applications, e.g. egd, sniff the network on occasion to gather randomness. Is this a possibility?

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team    Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
FreeBSD UNIX:  cy@FreeBSD.org

From owner-freebsd-security Tue Dec 11 11:33: 5 2001
From: Anthony Schneider
Date: Tue, 11 Dec 2001 14:30:15 -0500
To: Cy Schubert - ITSD Open Systems Group
Cc: Sander van Dinten, "'Ralph Huntington'", freebsd-security@FreeBSD.ORG
Subject: Re: promiscuous mode
Message-ID: <20011211143015.A9325@mail.slc.edu>
References: <000701c1819d$26f0fa20$0301a8c0@sanderpc> <200112111901.fBBJ1bF07234@cwsys.cwsent.com>
In-Reply-To: <200112111901.fBBJ1bF07234@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Tue, Dec 11, 2001 at 11:01:30AM -0800

right. if you have gpg installed, whoever installed it might have also installed egd which is a substitute for /dev/random.
-Anthony.

On Tue, Dec 11, 2001 at 11:01:30AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> In message <000701c1819d$26f0fa20$0301a8c0@sanderpc>, "Sander van Dinten" writes:
> > Are you using some kind of a network sniffer?
> >
> > Promiscuous will say that your network card picks up all network
> > packages (which means it will not only pick up the packages for your
> > IP-address).
>
> Some entropy gathering applications, e.g. egd, sniff the network on
> occasion to gather randomness. Is this a possibility?
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/Alpha Team    Email:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD
> Ministry of Management Services
> Province of BC
> FreeBSD UNIX:  cy@FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Dec 11 14:17:28 2001
From: csc_seminar
Date: Wed, 12 Dec 2001 00:16:42 +0200 (EET)
To: freebsd-security@freebsd.org
Message-Id: <200112112216.fBBLlw56082229@gw0.visti.net>
Subject: Invitation for seminar.
Invitation to a seminar
Reply-To: csc_seminar@cscorp.com.ua

The representative office of Capital Standard Corporation invites you to take part in one-day consulting seminars/workshops for the effective and rapid professional development of your company's staff.

One-day consulting seminar/workshop: "Exchange trading on international financial markets. Practical aspects"

Date: 19 December 2001
Time: 9:30-17:30
Venue: Institute of International Relations

Seminar programme:
1. Speculation as a way to multiply capital:
- Private investors
- Corporate and other market participants
- The amount sufficient to trade
2. Instruments of the world commodity and financial markets:
- FOREX, the international currency exchange market
- Futures and options contracts
3. Technology and mechanics of exchange and over-the-counter operations:
- Legislative framework, rules and practice of the American trading model
- The spot currency market
- Exchange trading systems
- Computerised trading systems
- Information systems and computer technologies supporting dealing operations
4. How to "reach" the market:
- Brokerage company
- Principal (market maker)
- Trading account
- Margin
- Leverage
- Executing a trade
- Pros and cons of "Internet trading"
- Profitability of operations
5. Forecasting market trends:
- Technical analysis
- Fundamental analysis
- Professional computer systems and software used by dealers

Participation fee: 440 hryvnias
10% discount for the second and third participant from the same company.
The fee includes: tuition and consultations at the seminar, lunch, coffee breaks. An exclusive set of materials, "Exchange trading on international financial markets. Practical aspects", prepared by experts specifically for participants and incorporating all recent changes and additions.

One-day consulting seminar/workshop: "Customs regulation of foreign economic activity"

Date: 21 December 2001
Time: 9:30-17:30
Venue: conference hall of the Sankt-Peterburg hotel

Seminar programme:
Specifics of customs legislation in the area of foreign economic activity. The Law of Ukraine "On the Customs Tariff of Ukraine" of 5.04.2001 No. 2371-III. Amendments and additions to the Law of Ukraine as of 1.12.01. The Ukrainian commodity nomenclature for foreign economic activity. Specifics of customs clearance under free trade agreements. Prospects for development of the free trade zone. New rules of origin for goods. Procedure for applying certificates CT-1, EUR 1,2. Classification of goods. Review of the regulatory documents of the GTSU (State Customs Service of Ukraine) on tariff regulation as of 1.12.01. Specifics of completing the GTD (cargo customs declaration) under different customs regimes. Leasing contracts, temporary import of goods. Completing the GTD for foreign economic contracts involving more than two parties. Criteria used by the customs authorities of Ukraine to define "risk groups" (foreign economic operations that require detailed verification of the transaction's legality). Establishing customs offences, classification and procedural documentation of offences, sanctions provided for by law, possible consequences for foreign-trade entities. Legal basis for international administrative assistance in customs matters (Ukraine's participation in international customs conventions, bilateral and multilateral interstate treaties). Procedure for implementing conventions and agreements on mutual administrative assistance in customs matters.

Participation fee: 570 hryvnias
10% discount for the second and third participant from the same firm.
The fee includes: tuition and consultations at the seminar, lunch, coffee breaks. An exclusive set of materials, "Customs regulation of foreign economic activity", prepared by experts specifically for participants and incorporating all recent changes and additions.

Our company also offers individual consulting seminars on a topic of your choice at your office.

To take part in a seminar, register by telephone and confirm your participation by payment: (044) 494 46 58, E-mail: csc_seminar@cscorp.com.ua

We apologise if this mailing is of no interest to you. You can remove your address from the subscriber list by sending a message to unsubscribe_sem@cscorp.com.ua

From owner-freebsd-security Tue Dec 11 14:24:56 2001
From: Landon Stewart
Date: Tue, 11 Dec 2001 14:24:44 -0800
To: freebsd-security@freebsd.org
Message-Id: <5.1.0.14.0.20011211142404.02725c80@pop.uniserve.com>
Subject: Re: Invitation for seminar.
Invitation to a seminar
In-Reply-To: <200112112216.fBBLlw56082229@gw0.visti.net>

Sounds like a great seminar!

At 12:16 AM 12/12/2001 +0200, csc_seminar wrote:
=DD=EA=F1=EA=EB=FE=E7=E8=E2=ED=FB=E9= =E0=EB=FC=E1=EE=EC =EC=E0=F2=E5=F0=E8=E0=EB=EE=E2 =AB=D2=E0=EC=EE=E6=E5=ED= =ED=EE=E5 =F0=E5=E3=F3=EB=E8=F0=EE=E2=E0=ED=E8=E5=20 > =E2=ED=E5=F8=ED=E5=FD=EA=EE=ED=EE=EC=E8=F7=E5=F1=EA=EE=E9 =E4=E5=FF=F2=E5= =EB=FC=ED=EE=F1=F2=E8=BB, =EF=EE=E4=E3=EE=F2=EE=E2=EB=E5=ED=ED=EE=E3=EE= =FD=EA=F1=EF=E5=F0=F2=E0=EC=E8 =F1=EF=E5=F6=E8=E0=EB=FC=ED=EE=20 > =E4=EB=FF =F3=F7=E0=F1=F2=ED=E8=EA=EE=E2 =F1 =F3=F7=B8=F2=EE=EC =E2=F1=E5= =F5 =EF=EE=F1=EB=E5=E4=ED=E8=F5 =E8=E7=EC=E5=ED=E5=ED=E8=E9 =E8 =E4=EE=EF=EE= =EB=ED=E5=ED=E8=E9 > > =CD=E0=F8=E0 =EA=EE=EC=EF=E0=ED=E8=FF =EF=F0=E5=E4=EB=E0=E3=E0=E5=F2= =F2=E0=EA=F3=FE =F3=F1=EB=F3=E3=F3 =EA=E0=EA =EF=F0=EE=E2=E5=E4=E5=ED=E8=E5= =E8=ED=E4=E8=E2=E8=E4=F3=E0=EB=FC=ED=FB=F5=20 > =EA=EE=ED=F1=F3=EB=FC=F2=E0=F6=E8=EE=ED=ED=FB=F5 =F1=E5=EC=E8=ED=E0=F0=EE= =E2 =EF=EE =E2=FB=E1=F0=E0=ED=ED=EE=E9 =C2=E0=EC=E8 =F2=E5=EC=E0=F2=E8=EA=E5= =F3 =C2=E0=F1 =E2 =EE=F4=E8=F1=E5. > =C4=EB=FF =F3=F7=E0=F1=F2=E8=FF =E2 =F1=E5=EC=E8=ED=E0=F0=E5= =ED=E5=EE=E1=F5=EE=E4=E8=EC=EE =E7=E0=F0=E5=E3=E8=F1=F2=F0=E8=F0=EE=E2=E0= =F2=FC=F1=FF =EF=EE =ED=E0=F8=E8=EC=20 > =F2=E5=EB=E5=F4=EE=ED=E0=EC =E8 =EF=EE=E4=F2=E2=E5=F0=E4=E8=F2=FC =F1=E2= =EE=E5 =F3=F7=E0=F1=F2=E8=E5 =EE=EF=EB=E0=F2=EE=E9 >(044) 494 46 58, E-mail: csc_seminar@cscorp.com.ua > > > =CC=FB =EF=F0=E8=ED=EE=F1=E8=EC =F1=E2=EE=E8 =E8=E7=E2=E8=ED=E5=ED=E8= =FF, =E5=F1=EB=E8 =EF=EE=E4=EE=E1=ED=E0=FF =F0=E0=F1=F1=FB=EB=EA=E0 =C2=E0= =EC =ED=E5 =E8=ED=F2=E5=F0=E5=F1=ED=E0.=20 > =D3=E4=E0=EB=E8=F2=FC =F1=E2=EE=E9 =E0=E4=F0=E5=F1 =E8=E7 =F1=EF=E8=F1=EA= =E0 =EF=EE=E4=EF=E8=F1=F7=E8=EA=EE=E2 =C2=FB =EC=EE=E6=E5=F2=E5, =EE=F2=EE= =F1=EB=E0=E2 =EF=E8=F1=FC=EC=EE =EF=EE=20 > =E0=E4=F0=E5=F1=F3 unsubscribe_sem@cscorp.com.ua > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From 
owner-freebsd-security Tue Dec 11 15:31:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from post2.inre.asu.edu (post2.inre.asu.edu [129.219.110.73]) by hub.freebsd.org (Postfix) with ESMTP id 4610D37B419 for ; Tue, 11 Dec 2001 15:31:37 -0800 (PST) Received: from conversion.post2.inre.asu.edu by asu.edu (PMDF V6.1 #40111) id <0GO700101DCBLS@asu.edu> for freebsd-security@freebsd.org; Tue, 11 Dec 2001 16:31:23 -0700 (MST) Received: from smtp.asu.edu (smtp.asu.edu [129.219.110.107]) by asu.edu (PMDF V6.1 #40111) with ESMTP id <0GO70010JDCBL7@asu.edu> for freebsd-security@freebsd.org; Tue, 11 Dec 2001 16:31:23 -0700 (MST) Received: from moroni.pp.asu.edu (moroni.pp.asu.edu [129.219.120.183]) by smtp.asu.edu (8.11.0/8.11.0/asu_smtp_relay,nullclient,tcp_wrapped) with ESMTP id fBBNVNO21807 for ; Tue, 11 Dec 2001 16:31:23 -0700 (MST) Date: Tue, 11 Dec 2001 16:31:24 -0700 (MST) From: David Bear Subject: uconsole in kernel config X-X-Sender: To: FreeBSD Security List Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Not sure I understand what uconsole means. Does it create a security issue if uconsole is enabled?
-- David Bear College of Public Programs/ASU 480-965-8257 ...the way is like water, going where nobody wants it to go

From owner-freebsd-security Tue Dec 11 19:26:00 2001 Delivered-To: freebsd-security@freebsd.org Received: from bogslab.ucdavis.edu (bogslab.ucdavis.edu [169.237.68.34]) by hub.freebsd.org (Postfix) with ESMTP id 4FA2737B41D for ; Tue, 11 Dec 2001 19:25:58 -0800 (PST) Received: from thistle.bogs.org (thistle.bogs.org [198.137.203.61]) by bogslab.ucdavis.edu (8.9.3/8.9.3) with ESMTP id TAA67054 for ; Tue, 11 Dec 2001 19:25:50 -0800 (PST) (envelope-from greg@bogslab.ucdavis.edu) Received: from thistle.bogs.org (localhost [127.0.0.1]) by thistle.bogs.org (8.11.3/8.11.3) with ESMTP id fBC3QbI86884 for ; Tue, 11 Dec 2001 19:26:39 -0800 (PST) (envelope-from greg@thistle.bogs.org) Message-Id: <200112120326.fBC3QbI86884@thistle.bogs.org> To: security@FreeBSD.ORG X-To: "Noah Davidson" X-Sender: owner-freebsd-security@FreeBSD.ORG Subject: Re: password changes In-reply-to: Your message of "Mon, 10 Dec 2001 23:41:02 PST." Reply-To: gkshenaut@ucdavis.edu Date: Tue, 11 Dec 2001 19:26:37 -0800 From: Greg Shenaut Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message , "Noah Davidson" cleopede:
>How can I change the password of a user and not be prompted to verify
>it. We are changing our mail server to sendmail. I have all of the
>passwords in plain text. I want to write a script that changes all 5000
>or so passwords. How can I do this? I would like to call passwd or
>some command from a perl script to do this. Any Ideas would be very
>helpful.
If you are in a Very Secure Environment (and, if you have all the passwords in a plain text file, you must be), then I think what I would try is to encrypt the plain-text passwords--using makekey(8) should work--then using vipw, write out the lines you need to change into a file, insert the encrypted passwords using whatever method you are familiar with, and then read the resulting lines back into the vipw session.

Greg Shenaut

From owner-freebsd-security Tue Dec 11 22:39:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from pirahna.awe-full.com (s64-180-126-6.bc.hsia.telus.net [64.180.126.6]) by hub.freebsd.org (Postfix) with ESMTP id 3AAA137B416 for ; Tue, 11 Dec 2001 22:39:15 -0800 (PST) Received: from uniserve.com (pirahna@localhost [127.0.0.1]) by pirahna.awe-full.com (8.11.6/8.11.6) with ESMTP id fBC6d8H86281 for ; Tue, 11 Dec 2001 22:39:08 -0800 (PST) (envelope-from landons@uniserve.com) Message-ID: <3C16FB8C.9020908@uniserve.com> Date: Tue, 11 Dec 2001 22:39:08 -0800 From: Landon Stewart User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.6) Gecko/20011125 X-Accept-Language: en-us MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: MD5 sum checking for installed binaries to check for intrusion or root kits... Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

A while ago (a few months) recently several administrators were let go, but were left to their own devices in the NOC until late that night. (Don't ask me why because I couldn't tell ya!) I have not noticed any strange happenings on any of the systems. They could have done who knows what to whatever system(s) they wanted to.
Without someone saying "reformat the machines or reinstall" because that's the obvious answer, is there a way to check which files differ from the size they should be and have the correct MD5 sum than they should or is this asking too much? They are all FreeBSD machines (100%), however they differ in their version. Some are 4.0, 4.3 etc...

-- Landon Stewart

Right of Use: The sender intends this message for a specific recipient and, as it may contain information that is privileged or confidential, any use, dissemination, forwarding, or copying by anyone without permission from the sender is prohibited. Personal e-mail may contain views that are not necessarily those of the company.

From owner-freebsd-security Tue Dec 11 22:42:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from d150h247.resnet.uconn.edu (d150h247.resnet.uconn.edu [137.99.150.247]) by hub.freebsd.org (Postfix) with SMTP id 3D79237B416 for ; Tue, 11 Dec 2001 22:42:14 -0800 (PST) Received: (qmail 99478 invoked by uid 1001); 12 Dec 2001 06:40:56 -0000 Date: Wed, 12 Dec 2001 01:40:56 -0500 From: "Peter C. Lai" To: Landon Stewart Cc: security@FreeBSD.ORG Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Message-ID: <20011212014056.A99465@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <3C16FB8C.9020908@uniserve.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3C16FB8C.9020908@uniserve.com>; from landons@uniserve.com on Tue, Dec 11, 2001 at 10:39:08PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If you were running tripwire, that would have done the job for you otherwise...but it seems like it either wouldn't have mattered, or it doesn't matter now... On Tue, Dec 11, 2001 at 10:39:08PM -0800, Landon Stewart wrote: > A while ago (a few months) recently several administrators were let go, > but were left to their own devices in the NOC until late that night. > (Don't ask me why because I couldn't tell ya!) I have not noticed any > strange happenings on any of the systems. > > They could have done who knows what to whatever system(s) they wanted > to. Without someone saying "reformat the machines or reinstall" because > thats the obvious answer, is there a way to check which files differ > from the size they should be and have the correct MD5 sum than they > should or is this asking too much? > > They are all FreeBSD machines (100%), however they differ in their > version. Some are 4.0, 4.3 etc... > > -- > Landon Stewart > > Right of Use: > The sender intends this message for a specific recipient and, as it > may contain information that is privileged or confidential, any use, > dissemination, forwarding, or copying by anyone without permission > from the sender is prohibited. Personal e-mail may contain views > that are not necessarily those of the company. > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. 
of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 203.206.3784 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 11 22:43:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id D536D37B405 for ; Tue, 11 Dec 2001 22:43:15 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1192) id 8C5C981D03; Wed, 12 Dec 2001 00:43:15 -0600 (CST) Date: Wed, 12 Dec 2001 00:43:15 -0600 From: Alfred Perlstein To: Landon Stewart Cc: security@FreeBSD.ORG Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits... Message-ID: <20011212004315.H92148@elvis.mu.org> References: <3C16FB8C.9020908@uniserve.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3C16FB8C.9020908@uniserve.com>; from landons@uniserve.com on Tue, Dec 11, 2001 at 10:39:08PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Landon Stewart [011212 00:39] wrote: > A while ago (a few months) recently several administrators were let go, > but were left to their own devices in the NOC until late that night. > (Don't ask me why because I couldn't tell ya!) I have not noticed any > strange happenings on any of the systems. > > They could have done who knows what to whatever system(s) they wanted > to. Without someone saying "reformat the machines or reinstall" because > thats the obvious answer, is there a way to check which files differ > from the size they should be and have the correct MD5 sum than they > should or is this asking too much? 
>
> They are all FreeBSD machines (100%), however they differ in their
> version. Some are 4.0, 4.3 etc...

Hindsight is 20/20 ain't it? :) I guess you could do a fresh install then run some form of md5 over the installed machines then test against the others. Who knows, you might have actually had some honest people on your staff.

-- -Alfred Perlstein [alfred@freebsd.org] 'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.' http://www.morons.org/rants/gpl-harmful.php3

From owner-freebsd-security Tue Dec 11 22:56:01 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 8D27537B405 for ; Tue, 11 Dec 2001 22:55:58 -0800 (PST) Received: from tarmap.schulte.org (tarmap.schulte.org [209.134.156.198]) by poontang.schulte.org (Postfix) with ESMTP id 56B83D160D; Wed, 12 Dec 2001 00:55:57 -0600 (CST) Message-Id: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 12 Dec 2001 00:55:56 -0600 To: Landon Stewart , security@FreeBSD.ORG From: Christopher Schulte Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits... In-Reply-To: <3C16FB8C.9020908@uniserve.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
>They could have done who knows what to whatever system(s) they wanted
>to.
>Without someone saying "reformat the machines or reinstall" because
>thats the obvious answer, is there a way to check which files differ from
>the size they should be and have the correct MD5 sum than they should or
>is this asking too much?

With no point of reference on 'good state', there's not a lot that can be done. Your previous admins may have legitimately patched things, installed non-standard binaries, or otherwise altered the system from what you'd be able to use as a reference.

Even if you could match md5sums, there are many other ways by which a person could install a back door. For example, something as simple as an entry in inetd.conf which serves a root shell upon tcp port connection would not show up in a binary-only md5 scan.

Install tripwire (or some custom checksum monitoring system) from the beginning of the OS install for best results. I know, not too much help now. :-(

-- Christopher Schulte christopher@schulte.org http://noc.schulte.org/

From owner-freebsd-security Tue Dec 11 23:01:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.viasoft.com.cn (unknown [61.153.1.177]) by hub.freebsd.org (Postfix) with ESMTP id 0022837B419 for ; Tue, 11 Dec 2001 23:01:43 -0800 (PST) Received: from viasoft.com.cn (davidwnt.viasoft.com.cn [192.168.1.239]) by mail.viasoft.com.cn (8.9.3/8.9.3) with ESMTP id PAA00573; Wed, 12 Dec 2001 15:09:04 +0800 Message-ID: <3C16FF8A.1050001@viasoft.com.cn> Date: Wed, 12 Dec 2001 14:56:10 +0800 From: David Xu User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2 X-Accept-Language: en-us MIME-Version: 1.0 To: Christopher Schulte Cc: Landon Stewart , security@FreeBSD.ORG Subject: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
References: <5.1.0.14.0.20011212004626.03242638@pop.schulte.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Could we add a 'sockstat -l' command to /etc/security to check listening ports? This can prevent some backdoors from being installed.

-- David Xu

Christopher Schulte wrote:
> At 10:39 PM 12/11/2001 -0800, Landon Stewart wrote:
>
>> They could have done who knows what to whatever system(s) they wanted
>> to. Without someone saying "reformat the machines or reinstall"
>> because thats the obvious answer, is there a way to check which files
>> differ from the size they should be and have the correct MD5 sum than
>> they should or is this asking too much?
>
>
> With no point of reference on 'good state', there's not a lot that can
> be done. Your previous admins may have legitimately patched things,
> installed non-standard binaries, or otherwise altered the system from
> what you'd be able to use as a reference.
>
> Even if you could match md5sums, there's many other ways by which a
> person could install a back door. For example, something as simple as
> an entry in inetd.conf which serves a root shell upon tcp port
> connection would not show up in a binary-only md5 scan.
>
> Install tripwire (or some custom checksum monitoring system) from the
> beginning of the OS install for best results. I know, not too much
> help now.
:-(
>
> --
> Christopher Schulte
> christopher@schulte.org
> http://noc.schulte.org/

From owner-freebsd-security Wed Dec 12 03:01:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id D98F437B417; Wed, 12 Dec 2001 03:01:02 -0800 (PST) Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id WAA18374; Wed, 12 Dec 2001 22:00:55 +1100 Date: Wed, 12 Dec 2001 22:01:42 +1100 (EST) From: Bruce Evans X-X-Sender: To: Hao Chen Cc: , Subject: Re: setuid() POSIX compliance In-Reply-To: <3C15B736.7080605@uclink.berkeley.edu> Message-ID: <20011212211356.L34562-100000@gamplex.bde.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> 1. The following comments are from /usr/src/sys/kern/kern_prot.c
>
> /*
>  * Use the clause in B.4.2.2 that allows setuid/setgid to be 4.2/4.3BSD
>  * compatable.  It says that setting the uid/gid to euid/egid is a special
>  * case of "appropriate privilege".  Once the rules are expanded out, this
>  * basically means that setuid(nnn) sets all three id's, in all permitted
>  * cases unless _POSIX_SAVED_IDS is enabled.  In that case, setuid(getuid())
>  * does not set the saved id - this is dangerous for traditional BSD
>  * programs.  For this reason, we *really* do not want to set
>  * _POSIX_SAVED_IDS and do not want to clear POSIX_APPENDIX_B_4_2_2.
>  */
>
> But according to POSIX 1003.1-1988, section 4.2.2.2:
>
> If {_POSIX_SAVED_IDS} is defined:
>
> (1) If the process has appropriate privileges, the setuid() function
> sets the real user ID, effective user ID, and the saved set-user-ID
> to uid.
>
> Does FreeBSD's interpretation of _POSIX_SAVED_IDS differ from POSIX? Or did
> I misunderstand anything here?

There is no difference, because _POSIX_SAVED_IDS is intentionally not defined, as permitted in all versions of POSIX up to at least the 1996 version. POSIX.1-2001 requires it, so FreeBSD would need to be "fixed" to conform with the current version of POSIX (unless everyone that can change one of their ids using setuid() is considered to have "appropriate privilege").

> But according to POSIX 1003.1-1988, section 4.2.2.2:
>
> 2. Also according to the above comment from /usr/src/sys/kern/kern_prot.c,
> setting _POSIX_SAVED_IDS will cause setuid(getuid()) NOT to set the saved
> id.

Setting _POSIX_SAVED_IDS is not a supported option. The code has ifdefs to support it for mostly historical reasons.

> However, according to the following code from setuid() in
> /usr/src/sys/kern/kern_prot.c, setuid(getuid()) will not set the saved id
> ONLY if:
>
> (1) _POSIX_SAVED_IDS is set, and
> (2) euid is not root, and
> (3) either
> (3.1) POSIX_APPENDIX_B_4_2_2 is unset, or
> (3.2) POSIX_APPENDIX_B_4_2_2 is set and the parameter to setuid() is not
> equal to the euid.

That seems about right (I didn't check the details). When POSIX_APPENDIX_B_4_2_2 is set, root (euid = 0) has "appropriate privilege" to setuid() to anything, and all processes have "appropriate privilege" to setuid() to their euid, so setuid() sets the saved id even when _POSIX_SAVED_IDS is set.

> If POSIX_APPENDIX_B_4_2_2 is set, which is the case in the pre-compiled
> kernel (and is also the case for Linux), for setuid(getuid()), the above
> condition requires at least that euid!=0, ruid!=euid, and ruid!=0 (because
> the programmer intends to DROP privilege by setuid(getuid())). Is there any
> real situation where this condition may arise?

Yes. This is the usual case for processes that have execed a setuid-to-non-root program. When _POSIX_SAVED_IDS is set, it is impossible in previous versions of POSIX to drop their saved id privilege using setuid() or any other POSIX function, or even to know if they have extra privilege from a saved id. This problem is why _POSIX_SAVED_IDS is not defined in FreeBSD. POSIX.1-200x has a 4.4BSD compatible seteuid(), so processes can try

	seteuid(getuid());	/* euid = ruid */
	setuid(geteuid());	/* hope this sets svuid = ruid too */

This sets all the ids to the same value in 4.4BSD and FreeBSD, but doesn't seem to be required to do so in POSIX.1-200x (it depends on everyone having "appropriate privilege" for setuid(geteuid())).
Bruce

From owner-freebsd-security Wed Dec 12 03:54:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from rambo.simx.org (rambo.simx.org [194.17.208.54]) by hub.freebsd.org (Postfix) with ESMTP id EDD7E37B416 for ; Wed, 12 Dec 2001 03:54:45 -0800 (PST) Received: from rambo.simx.org (malin.twenty4help.se [195.67.108.195]) by rambo.simx.org (8.11.6/8.11.6) with ESMTP id fBCBsdC92410; Wed, 12 Dec 2001 12:54:40 +0100 (CET) (envelope-from listsub@rambo.simx.org) Message-ID: <3C1745CB.40305@rambo.simx.org> Date: Wed, 12 Dec 2001 12:55:55 +0100 From: "Roger 'Rocky' Vetterberg" User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2 X-Accept-Language: en-us MIME-Version: 1.0 To: Noah Davidson Cc: "FreeBSD Security List (E-mail)" Subject: Re: password changes References: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Noah Davidson wrote:
>How can I change the password of a user and not be prompted to verify
>it. We are changing our mail server to sendmail. I have all of the
>passwords in plain text. I want to write a script that changes all 5000
>or so passwords. How can I do this? I would like to call passwd or
>some command from a perl script to do this. Any Ideas would be very
>helpful.
>

I once needed to generate several thousand users, with passwords from a plain text file. I did this using a perl script to write a new /etc/master.passwd and then rebuild using the pwd_mkdb command.
Generating the needed lines and creating the needed /home directories was easy, and to get the correct passwords I used the following code snippet:

#!/usr/bin/perl
# Print the crypt(3) hash of the password given as the first argument,
# for pasting into the password field of /etc/master.passwd.
use strict;
use warnings;

my $pass = shift @ARGV or die "usage: $0 password\n";
my $cryptpwd = crypt($pass, salt());
print "$cryptpwd\n";

# Build an 8-character salt from the crypt alphabet [0-9a-zA-Z].
sub salt {
    my @itoa64 = ( '0' .. '9', 'a' .. 'z', 'A' .. 'Z' );
    my $salt = '';
    for (my $i = 0; $i < 8; $i++) {
        # pick each character uniformly instead of masking with $#itoa64
        $salt .= $itoa64[int(rand(scalar @itoa64))];
    }
    return $salt;
}

Just put it in a file and execute it with the plaintext password as first argument, and the script will print the encrypted password to use in /etc/master.passwd. I don't remember exactly where I found this perl code, but it was ripped from one of the standard utilities in FreeBSD, probably adduser or something similar. Hope this helps.

-- R

From owner-freebsd-security Wed Dec 12 04:05:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 723D037B416 for ; Wed, 12 Dec 2001 04:05:35 -0800 (PST) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 5174F1DA7; Wed, 12 Dec 2001 13:05:26 +0100 (CET) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id fBCC57C01325; Wed, 12 Dec 2001 13:05:07 +0100 Date: Wed, 12 Dec 2001 13:05:07 +0100 From: Krzysztof Zaraska To: freebsd-security@freebsd.org Subject: Fw: Re: MD5 sum checking for installed binaries to check for intrusion or root kits...
Message-Id: <20011212130507.3a1849a1.kzaraska@student.uci.agh.edu.pl> Organization: University Of Mining And Metallurgy X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, 11 Dec 2001 22:39:08 -0800 Landon Stewart wrote:
> A while ago (a few months) recently several administrators were let go,
> but were left to their own devices in the NOC until late that night.
> (Don't ask me why because I couldn't tell ya!) I have not noticed any
> strange happenings on any of the systems.

I'd like to note that they could also add extra "features" much earlier...

> They could have done who knows what to whatever system(s) they wanted
> to. Without someone saying "reformat the machines or reinstall" because
> thats the obvious answer, is there a way to check which files differ
> from the size they should be and have the correct MD5 sum than they
> should or is this asking too much?

Well, I thought about this problem once (though I ended up moving data to another machine in that case), but _theoretically_... If they are -RELEASE machines you could take the install CD for the appropriate version and compare binaries on the system with those on the CD. IMVHO they shouldn't differ. Configuration files will have to be analyzed by hand, of course. If a system in question was cvsup'ed and built from sources there is not much that can be done, unfortunately. Binaries installed from ports/packages can be treated the same way, but you'd have to get _exactly_ the same version-revision-patchlevel of each package in question, which may not be possible.
pkg_add puts some md5 checksums under /var/db/pkg/ but these are not reliable (if someone could trojan a binary s/he could also modify the database) but you could look for inconsistencies. I would anyhow audit configuration files in the first place. Next, _theoretically_ a binary update/reinstall (without touching the configuration files) from a trusted source should remove trojaned binaries in the base system. I would boot from an install floppy (to avoid a trojaned kernel etc.) and do a binary upgrade (even to the same version). As I said at the beginning, this is a _purely theoretical_ discussion. I'm not making any claims that these methods will work.

Regards,
Krzysztof

From owner-freebsd-security Wed Dec 12 10:25:08 2001 Delivered-To: freebsd-security@freebsd.org Received: from shikima.mine.nu (pc1-card4-0-cust77.cdf.cable.ntl.com [62.252.49.77]) by hub.freebsd.org (Postfix) with ESMTP id 0D9EF37B423 for ; Wed, 12 Dec 2001 10:24:55 -0800 (PST) Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1) id 16EE5y-0005f4-00 for security@freebsd.org; Wed, 12 Dec 2001 18:27:06 +0000 Date: Wed, 12 Dec 2001 18:27:06 +0000 From: Rasputin To: security@freebsd.org Subject: hosts.allow Message-ID: <20011212182706.A21749@shikima.mine.nu> Reply-To: Rasputin Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I just noticed I have a hosts.allow that is set up to all kinds of weird examples:

# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $

Should/is this enabled by default?

-- Money is better than poverty, if only for financial reasons.
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Wed Dec 12 10:36:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail2.uniserve.com (mail2.uniserve.com [204.244.156.10]) by hub.freebsd.org (Postfix) with ESMTP id B554137B405 for ; Wed, 12 Dec 2001 10:36:21 -0800 (PST) Received: from landons.vpp-office.uniserve.ca ([216.113.198.10] helo=pirahna.uniserve.com) by mail2.uniserve.com with esmtp (Exim 3.13 #1) id 16EEEq-0003tE-00; Wed, 12 Dec 2001 10:36:16 -0800 Message-Id: <5.1.0.14.0.20011212103439.027a8d40@pop.uniserve.com> X-Sender: landons@pop.uniserve.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 12 Dec 2001 10:36:14 -0800 To: Rasputin , security@freebsd.org From: Landon Stewart Subject: Re: hosts.allow In-Reply-To: <20011212182706.A21749@shikima.mine.nu> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_439997152==_.ALT" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 06:27 PM 12/12/2001 +0000, Rasputin wrote:
>I just noticed I have a hosts.allow that is set up to all kinds of
>wierd examples:
>
>
># hosts.allow access control file for "tcp wrapped" applications.
># $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $
>
>Should/is this enabled by default?

# $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $

I might not be seeing what you are seeing but the above is a CVS header for the hosts.allow file, not a hosts.allow entry.
---
Landon Stewart
System Administrator

Right of Use Disclaimer: "The sender intends this message for a specific recipient and, as it may contain information that is privileged or confidential, any use, dissemination, forwarding, or copying by anyone without permission from the sender is prohibited. Personal e-mail may contain views that are not necessarily those of the company."
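A constructed Python example, not code from any poster or from tcp_wrappers itself, that evaluates hosts.allow lines on the "first match wins" basis Krzysztof Zaraska describes further down this thread, to show why the stock ALL : ALL : allow near the top of the file makes every later rule inert and what the corrected layout looks like. It handles only a subset of the client-pattern syntax, and the daemon names and addresses in the two sample files are made up.

```python
"""First-match-wins evaluation of hosts.allow rules (constructed example).

Not tcp_wrappers' own matcher and not code from any poster.  It covers only
a subset of the real client pattern syntax: ALL, an exact host name or
address, a trailing-dot address prefix (192.168.), a leading-dot name
suffix (.example.org) and a net/mask pair written in dotted form.  EXCEPT
lists, KNOWN/PARANOID, shell commands and line continuations are ignored.
"""
import ipaddress


def _client_matches(pattern, client_ip, client_name):
    """True if a single client pattern matches the connecting client."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # .example.org: name suffix
        return client_name.endswith(pattern)
    if pattern.endswith("."):                   # 192.168.: address prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                          # net/mask in dotted form
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            return ipaddress.ip_address(client_ip) in network
        except ValueError:
            return False
    return pattern in (client_ip, client_name)


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option ...]' lines.

    Comments and blank lines are dropped; each rule becomes
    (daemons, clients, options) with the lists split on whitespace.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                            # malformed line, skipped
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def evaluate(rules, daemon, client_ip, client_name=""):
    """Return (verdict, rule_index) from the first rule matching the client.

    A matching hosts.allow line grants access unless it carries an explicit
    'deny' option; a client matching no line at all is allowed, which is
    why a file should end with an explicit ALL : ALL : deny.
    """
    for index, (daemons, clients, options) in enumerate(rules):
        if "ALL" not in daemons and daemon not in daemons:
            continue
        if not any(_client_matches(p, client_ip, client_name) for p in clients):
            continue
        return ("deny" if "deny" in options else "allow"), index
    return "allow", None


def decide(config_text, daemon, client_ip, client_name=""):
    """Verdict for one connection against a whole config text."""
    return evaluate(parse_rules(config_text), daemon, client_ip, client_name)[0]


# Constructed file in the stock layout quoted in this thread: the catch-all
# allow sits first, so the deny for 10.0.0.0/8 below it can never fire.
STOCK_HOSTS_ALLOW = """\
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
sshd : 192.168.0.0/255.255.255.0 : allow
ALL : 10. : deny
"""

# Same intent with the catch-all removed and an explicit final deny.
HARDENED_HOSTS_ALLOW = """\
sshd : 192.168.0.0/255.255.255.0 : allow
sendmail : ALL : allow
ALL : ALL : deny
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_HOSTS_ALLOW), ("hardened", HARDENED_HOSTS_ALLOW)):
        print(name, "sshd from 10.0.0.5:", decide(cfg, "sshd", "10.0.0.5"))
```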


From owner-freebsd-security Wed Dec 12 10:46:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 0AE3E37B41F for ; Wed, 12 Dec 2001 10:46:46 -0800 (PST) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 51D8B1DA7; Wed, 12 Dec 2001 18:41:27 +0100 (CET) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id fBCIkHd01187; Wed, 12 Dec 2001 19:46:17 +0100 Date: Wed, 12 Dec 2001 19:46:17 +0100
From: Krzysztof Zaraska To: Rasputin , freebsd-security@freebsd.org Subject: Re: hosts.allow Message-Id: <20011212194617.1333e91f.kzaraska@student.uci.agh.edu.pl> In-Reply-To: <20011212182706.A21749@shikima.mine.nu> References: <20011212182706.A21749@shikima.mine.nu> Organization: University Of Mining And Metallurgy X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 12 Dec 2001 18:27:06 +0000 Rasputin wrote:

> I just noticed I have a hosts.allow that is set up to all kinds of
> weird examples:
>
> # hosts.allow access control file for "tcp wrapped" applications.
> # $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $
>
> Should/is this enabled by default?

At least my "stock" version [v 1.8.2.3 2000/07/20 15:17:44] had this near the top:

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

So the examples don't matter. But this default setup is insecure anyhow.

Krzysztof

From owner-freebsd-security Wed Dec 12 12:42: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 77F8137B417; Wed, 12 Dec 2001 12:41:55 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id fBCKflY68302; Wed, 12 Dec 2001 15:41:47 -0500 (EST) (envelope-from wollman) Date: Wed, 12 Dec 2001 15:41:47 -0500 (EST)
From: Garrett Wollman Message-Id: <200112122041.fBCKflY68302@khavrinen.lcs.mit.edu> To: Bruce Evans Cc: , Subject: Re: setuid() POSIX compliance In-Reply-To: <20011212211356.L34562-100000@gamplex.bde.org> References: <3C15B736.7080605@uclink.berkeley.edu> <20011212211356.L34562-100000@gamplex.bde.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

< said:

> change one of their ids using setuid() is considered to have
> "appropriate privilege".

``Appropriate privilege'', in the POSIX sense, can be any arbitrarily complex predicate. I.e., ``the process belongs to a user whose supplementary group list contains exactly three groups, the person sitting at the console is carrying an umbrella, and the moon is waxing gibbous'' is a valid definition of ``appropriate privilege''. A valid implementation of setuid() (ignoring syscall calling convention issues) could be:

int
setuid(uid_t uid)
{
    /* ... */
    /*
     * Appropriate privilege is defined as:
     * 1) The process belongs to the super-user, or
     * 2) The process has the CAP_CHANGE_UID capability, or
     * 3) The process already has that uid.
     *
     * This definition trumps the second clause (1003.1-2001,
     * ll. 41136ff) by considering all processes it would otherwise
     * apply to privileged.
     */
    if (uid == cred->cr_uid || uid == cred->cr_euid ||
        uid == cred->cr_svuid ||
        has_capability(cred, CAP_CHANGE_UID) || suser_cred(cred)) {
        cred = crcopy(cred);
        assert(cred && cred->cr_refcnt == 1);
        cred->cr_uid = cred->cr_euid = cred->cr_svuid = uid;
        install_process_credential(cred);
        retval = 0;
    } else {
        errno = EPERM;
        retval = -1;
    }
    return (retval);
}

This implementation is valid regardless of whether _POSIX_SAVED_IDS is defined -- hence the problems which are detailed in the 1003.1-2001 rationale for setuid().
-GAWollman

From owner-freebsd-security Wed Dec 12 13: 0: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.webvolution.net (ns.webvolution.net [64.173.23.219]) by hub.freebsd.org (Postfix) with ESMTP id 9DAE237B41C for ; Wed, 12 Dec 2001 12:59:55 -0800 (PST) Received: (from nobody@localhost) by ns.webvolution.net (8.11.6/8.11.6) id fBCKxqe24223 for freebsd-security@freebsd.org; Wed, 12 Dec 2001 20:59:52 GMT (envelope-from dleal@webvolution.net) X-Authentication-Warning: ns.webvolution.net: nobody set sender to dleal@webvolution.net using -f To: freebsd-security@freebsd.org Subject: IP Filter: already initialized Message-ID: <1008190792.3c17c5484856b@mail.webvolution.net> Date: Wed, 12 Dec 2001 20:59:52 +0000 (WET)
From: Daniel Leal MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit User-Agent: IMP/PHP IMAP webmail program 2.2.6 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi!

I am trying to learn something about security and I was training with a very nice tutorial from Marty Schlacter. But when I finished, I rebooted, and during boot I noticed the following messages:

...
Doing initial network setup:
hostname
ipfilter
IP Filter: already initialized
IP Filter: already initialized
ipmon
...

Am I "starting" ipfilter twice?

My rc.conf has the following lines:

ipfilter_enable="YES"
ipmon_enable="YES"

And my kernel file has the ipfilter option:

options IPFILTER

Does it matter? If it does, what is the problem? I'm a security beginner and I am a "little bit" confused with this...

Can someone help me?

Thanks,
daniel

From owner-freebsd-security Wed Dec 12 13: 7:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by hub.freebsd.org (Postfix) with ESMTP id 497E137B417 for ; Wed, 12 Dec 2001 13:07:47 -0800 (PST) Received: from mail1.siemens.de (mail1.siemens.de [139.23.33.14]) by david.siemens.de (8.11.6/8.11.6) with ESMTP id fBCL7hS23948; Wed, 12 Dec 2001 22:07:43 +0100 (MET) Received: from mars.cert.siemens.de (ust.mchp.siemens.de [139.23.201.17]) by mail1.siemens.de (8.11.6/8.11.6) with ESMTP id fBCL7h910993; Wed, 12 Dec 2001 22:07:43 +0100 (MET) Received: from reims.mchp.siemens.de (alaska [139.23.202.134]) by mars.cert.siemens.de (8.12.1/8.12.1/Siemens CERT [ $Revision: 1.18 ]) with ESMTP id fBCL7hn8005674; Wed, 12 Dec 2001 22:07:43 +0100 (CET) Received: from reims.mchp.siemens.de (localhost [127.0.0.1]) by reims.mchp.siemens.de
(8.12.1/8.12.1/alaska [ $Revision: 1.10 ]) with ESMTP id fBCL7hIi049913; Wed, 12 Dec 2001 22:07:43 +0100 (CET) Received: (from ust@localhost) by reims.mchp.siemens.de (8.12.1/8.12.1/alaska [ $Revision: 1.2 ]) id fBCL7hFr049912; Wed, 12 Dec 2001 22:07:43 +0100 (CET) Date: Wed, 12 Dec 2001 22:07:43 +0100 
From: Udo Schweigert To: Daniel Leal Cc: freebsd-security@FreeBSD.ORG Subject: Re: IP Filter: already initialized Message-ID: <20011212210743.GA48220@alaska.cert.siemens.de> References: <1008190792.3c17c5484856b@mail.webvolution.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1008190792.3c17c5484856b@mail.webvolution.net> User-Agent: Mutt/1.3.24i X-Operating-System: FreeBSD 4.4-STABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Dec 12, 2001 at 20:59:52 +0000, Daniel Leal wrote:
> Hi!
> I am trying to learn something about security and I was training with
> a very nice tutorial from Marty Schlacter.
> But when I finished, I rebooted, and during boot I noticed the following messages:
> ...
> Doing initial network setup:
> hostname
> ipfilter
> IP Filter: already initialized
> IP Filter: already initialized
> ipmon
> ...
>
> Am I "starting" ipfilter twice?
> My rc.conf has the following lines:
> ipfilter_enable="YES"
> ipmon_enable="YES"
>
> And my kernel file has the ipfilter option:
> options IPFILTER
>
>
> Does it matter? If it does, what is the problem?
> I'm a security beginner and I am a "little bit" confused with this...
>
> Can someone help me?
>

From /etc/defaults/rc.conf:

ipfilter_flags="-E"     # should be *empty* when ipf is _not_ a module
                        # (i.e. compiled into the kernel) to
                        # avoid a warning about "already initialized"

So: setting ipfilter_flags="" in your /etc/rc.conf will fix the problem.
Best regards
--
Udo Schweigert, Siemens AG   | Voice : +49 89 636 42170
CT IC 3, Siemens CERT        | Fax   : +49 89 636 41166
D-81730 Muenchen / Germany   | email : udo.schweigert@siemens.com

From owner-freebsd-security Wed Dec 12 13:16:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from d13225.upc-d.chello.nl (d13225.upc-d.chello.nl [213.46.13.225]) by hub.freebsd.org (Postfix) with ESMTP id 4222137B416 for ; Wed, 12 Dec 2001 13:16:02 -0800 (PST) Received: from adv.devet.org (adv.devet.org [192.168.1.2]) by d13225.upc-d.chello.nl (Postfix) with ESMTP id 21DE3689D; Wed, 12 Dec 2001 22:16:01 +0100 (CET) Received: by adv.devet.org (Postfix, from userid 100) id C2C4F44B9; Wed, 12 Dec 2001 22:15:59 +0100 (CET) Date: Wed, 12 Dec 2001 22:15:59 +0100 To: udo.schweigert@siemens.com, dleal@webvolution.net Cc: security@freebsd.org Subject: Re: IP Filter: already initialized Message-ID: <20011212221559.A11690@adv.devet.org> References: <1008190792.3c17c5484856b@mail.webvolution.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20011212210743.GA48220@alaska.cert.siemens.de> User-Agent: Mutt/1.3.22.1i X-Newsgroups: list.freebsd.security Organization: Eindhoven, the Netherlands
From: devet@devet.org (Arjan de Vet) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In article <20011212210743.GA48220@alaska.cert.siemens.de> you write:
>From /etc/defaults/rc.conf:
>
>ipfilter_flags="-E"     # should be *empty* when ipf is _not_ a module
>                        # (i.e. compiled into the kernel) to
>                        # avoid a warning about "already initialized"
>
>So: setting ipfilter_flags="" in your /etc/rc.conf will fix the problem.

Since a few days ago ipfilter_flags="" is the new default in /etc/defaults/rc.conf on 4.4-stable (together with lots of other ipfilter-related /etc/rc* cleanups). The whole '-E' had indeed become obsolete.

Arjan
--
Arjan de Vet, Eindhoven, The Netherlands
URL : http://www.iae.nl/users/devet/
Work: http://www.madison-gurkha.com/ (Security, Open Source, Education)

From owner-freebsd-security Wed Dec 12 15:56:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from cpu1058.adsl.bellglobal.com (cpu1058.adsl.bellglobal.com [207.236.110.39]) by hub.freebsd.org (Postfix) with SMTP id 6DED837B416 for ; Wed, 12 Dec 2001 15:56:46 -0800 (PST) Received: (qmail 72090 invoked from network); 12 Dec 2001 23:57:53 -0000 Received: from unknown (HELO p450.ottawa.com) (bacid@90.0.0.1) by 90.0.0.3 with SMTP; 12 Dec 2001 23:57:53 -0000 Message-Id: <5.0.2.1.0.20011212185722.00aaa098@90.0.0.3> X-Sender: wchan@90.0.0.3 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Wed, 12 Dec 2001 18:58:47 -0800 To: freebsd-security@FreeBSD.ORG
From: "Mr. Chan" Subject: Question about port 50000 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hey,

I installed FBSD 4.4 a few days ago and noticed a weird port that is running..

tcp4       0      0  *.50000                *.*                    LISTEN

Now this is a brand new installation, so I doubt I got hacked/root kitted..

When I telnet to it this is all I get:

> telnet localhost 50000
Trying 127.0.0.1...
Connected to localhost.cpu1058.adsl.bellglobal.com.
Escape character is '^]'.
help
-Unknown command
?
-Unknown command
?!
-Unknown command

Any ideas?

Thanks

From owner-freebsd-security Wed Dec 12 15:59:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 6E81D37B417 for ; Wed, 12 Dec 2001 15:59:39 -0800 (PST) Received: (from fasty@localhost) by I-Sphere.COM (8.11.6/8.11.6) id fBD00qO63977; Wed, 12 Dec 2001 16:00:52 -0800 (PST) (envelope-from fasty) Date: Wed, 12 Dec 2001 16:00:52 -0800
From: faSty To: "Mr. Chan" Cc: freebsd-security@freebsd.org Subject: Re: Question about port 50000 Message-ID: <20011212160052.I63034@i-sphere.com> References: <5.0.2.1.0.20011212185722.00aaa098@90.0.0.3> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.0.2.1.0.20011212185722.00aaa098@90.0.0.3>; from bacid@ottawa.com on Wed, Dec 12, 2001 at 06:58:47PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

You can use the lsof command or sockstat to find what program is running on port 50000.

-trev

On Wed, Dec 12, 2001 at 06:58:47PM -0800, Mr. Chan wrote:
> Hey,
>
> I installed FBSD 4.4 a few days ago and noticed a weird port that is running..
>
> tcp4       0      0  *.50000                *.*                    LISTEN
>
> Now this is a brand new installation, so I doubt I got hacked/root kitted..
>
> When I telnet to it this is all I get:
>
> > telnet localhost 50000
> Trying 127.0.0.1...
> Connected to localhost.cpu1058.adsl.bellglobal.com.
> Escape character is '^]'.
> help
> -Unknown command
> ?
> -Unknown command
> ?!
> -Unknown command
>
>
> Any ideas?
>
> Thanks

--
After living in New York, you trust nobody, but you believe everything. Just in case.
From owner-freebsd-security Wed Dec 12 22:59:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from sanyu1.sanyutel.com (sanyu1.sanyutel.com [216.250.215.14]) by hub.freebsd.org (Postfix) with ESMTP id 9953437B43A for ; Wed, 12 Dec 2001 22:58:57 -0800 (PST) Received: from localhost (ksemat@localhost) by sanyu1.sanyutel.com (8.11.3/) with ESMTP id fBD71Mp09128; Thu, 13 Dec 2001 10:01:22 +0300 Date: Thu, 13 Dec 2001 10:01:22 +0300 (EAT)
From: To: "Mr. Chan" Cc: Subject: Re: Question about port 50000 In-Reply-To: <5.0.2.1.0.20011212185722.00aaa098@90.0.0.3> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> tcp4       0      0  *.50000                *.*                    LISTEN
>
> Now this is a brand new installation, so I doubt I got hacked/root kitted..

Well, it cannot put itself there, therefore someone put it there. There are lots of automated exploits for ssh and telnet out there in the wild that could infect your system quickly. I do not have anything like that on my brand new FreeBSD 4.4-STABLE machine, therefore I do not think it is a default FreeBSD application running on that port.

Noah.

From owner-freebsd-security Thu Dec 13 0:11:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from void.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 4E7D737B41B for ; Thu, 13 Dec 2001 00:11:50 -0800 (PST) Received: from mailserv.xpert.com ([199.203.132.135]) by void.xpert.com with esmtp (Exim 3.22 #1) id 16EQuC-0000Wj-00 for security@freebsd.org; Thu, 13 Dec 2001 10:07:48 +0200 Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21) id ; Thu, 13 Dec 2001 10:11:39 +0200 Message-ID:
From: Yonatan Bokovza To: "'security@freebsd.org'" Subject: RE: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd Date: Thu, 13 Dec 2001 10:11:33 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

You forgot the usual paragraph:

The thttpd port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.4 contains this problem since it was discovered after the release.

> -----Original Message-----
> From: FreeBSD Security Advisories
> [mailto:security-advisories@freebsd.org]
> Sent: Tuesday, December 11, 2001 19:01
> To: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:66                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          thttpd port contains remotely exploitable vulnerability
>
> Category:       ports
> Module:         thttpd
> Announced:      2001-12-11
> Credits:        GOBBLES SECURITY
> Affects:        Ports collection prior to the correction date
> Corrected:      2001-11-22 00:10:56 UTC
> FreeBSD only:   no
>
> I.   Background
>
> thttpd is a simple, small, portable, fast, and secure HTTP server.
>
> II.  Problem Description
>
> In auth_check(), there is an off-by-one error in computing the amount
> of memory needed for storing a NUL terminated string. Specifically, a
> stack buffer of 500 bytes is used to store a string of up to 501 bytes
> including the terminating NUL.
>
> III. Impact
>
> Due to the location of the affected buffer on the stack, this bug
> can be exploited using ``The poisoned NUL byte'' technique (see
> references). A remote attacker can hijack the thttpd process,
> obtaining whatever privileges it has. By default, the thttpd process
> runs as user `nobody'.
>
> IV.  Workaround
>
> 1) Deinstall the thttpd port/package if you have it installed.
>
> V.   Solution
>
> 1) Upgrade your entire ports collection and rebuild the port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from the following directories:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/thttpd-2.22.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/thttpd-2.22.tgz
>
> [alpha]
> Packages are not automatically generated for the alpha architecture at
> this time due to lack of build resources.
3) Download a new port skeleton for the thttpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.

Path                                                            Revision
- -------------------------------------------------------------------------
ports/www/thttpd/Makefile                                       1.23
ports/www/thttpd/distinfo                                       1.20
ports/www/thttpd/files/patch-fdwatch.c                          removed
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp

iQCVAwUBPBY6x1UuHi5z0oilAQEHrgQAgscqPT0AVJcotWgO1t8WuJQyNukLHnDS
qGa8LT7ebuMY/Nl6JJzTYudwmr16RtJNPSYTfk1eHPWgAYzKyiNM7uMU87ZDplpM
FOggQbjdhFPNUE3WK8P2cmdm+7mrZbdWGJmvZpYH4TRNn6yQVV4F8tENl+nPu3I+
5IGxGqgr2vA=
=1MCH
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones.
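The off-by-one from the advisory's problem description, shown as an added example (this is not thttpd's code and not part of the advisory or of Yonatan's message): a base64 Authorization value is decoded into a 500-byte stack buffer and then NUL-terminated at index n, so a credential that decodes to exactly 500 bytes puts the terminator at authinfo[500], one byte past the array. The vulnerable routine returns the index it would write instead of performing the store, so the program runs without corrupting its own stack; the hardened routine beside it keeps one byte back for the terminator and rejects input that would not fit. The decoder, the credential builder and the name authinfo are this example's own assumptions, modelled on the advisory's wording rather than on thttpd's source.

```c
#include <stdio.h>
#include <string.h>

#define AUTHBUF 500   /* size of the stack buffer described in the advisory */

/* Map one base64 character to its 6-bit value, or -1 if it is not base64. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 from src into dst, writing at most dstlen bytes and stopping
 * at '=' or the first non-base64 byte.  Returns the number of bytes written,
 * which can be exactly dstlen: the decoder never overruns, the bug is in what
 * the caller then does with that count. */
static size_t b64_decode_limited(const char *src, unsigned char *dst, size_t dstlen)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *src != '\0' && *src != '='; src++) {
        int v = b64val((unsigned char)*src);
        if (v < 0)
            break;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n == dstlen)
                return n;                     /* buffer full: stop */
            dst[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return n;
}

/* Number of bytes a base64 string decodes to (padding ignored). */
static size_t b64_decoded_len(const char *src)
{
    size_t chars = 0;
    for (; *src != '\0' && *src != '=' && b64val((unsigned char)*src) >= 0; src++)
        chars++;
    return chars * 6 / 8;
}

/* Vulnerable pattern: decode up to sizeof(authinfo) bytes, then terminate at
 * authinfo[n].  A credential that decodes to exactly 500 bytes gives n == 500,
 * so the NUL lands one byte past the array.  To stay runnable this returns
 * the index the store would use instead of performing it. */
long nul_index_vulnerable(const char *authorization)
{
    unsigned char authinfo[AUTHBUF];
    size_t n = b64_decode_limited(authorization, authinfo, sizeof authinfo);
    /* the vulnerable idiom continues with:  authinfo[n] = '\0'; */
    return (long)n;
}

/* Hardened pattern: keep one byte back for the NUL and reject input that
 * would not fit instead of truncating it.  Returns the decoded length or -1. */
long decode_auth_safe(const char *authorization, char *out, size_t outlen)
{
    size_t n;
    if (outlen == 0 || b64_decoded_len(authorization) > outlen - 1)
        return -1;
    n = b64_decode_limited(authorization, (unsigned char *)out, outlen - 1);
    out[n] = '\0';                            /* n <= outlen - 1: in bounds */
    return (long)n;
}

/* Constructed test input: base64 of nbytes of 'A'.  Returns 0 on success. */
int build_auth(size_t nbytes, char *dst, size_t dstlen)
{
    if (dstlen < (nbytes + 2) / 3 * 4 + 1)
        return -1;
    dst[0] = '\0';
    for (; nbytes >= 3; nbytes -= 3)
        strcat(dst, "QUFB");                  /* "AAA" */
    if (nbytes == 2)
        strcat(dst, "QUE=");                  /* "AA" */
    else if (nbytes == 1)
        strcat(dst, "QQ==");                  /* "A"  */
    return 0;
}

/* Run each pattern on a credential of nbytes; -2 means the builder failed. */
long vulnerable_index_for(size_t nbytes)
{
    char auth[1024];
    if (build_auth(nbytes, auth, sizeof auth) != 0)
        return -2;
    return nul_index_vulnerable(auth);
}
long safe_result_for(size_t nbytes)
{
    char auth[1024], out[AUTHBUF];
    if (build_auth(nbytes, auth, sizeof auth) != 0)
        return -2;
    return decode_auth_safe(auth, out, sizeof out);
}

int main(void)
{
    printf("499 bytes: NUL at index %ld, safe decode %ld\n",
           vulnerable_index_for(499), safe_result_for(499));
    printf("500 bytes: NUL at index %ld (last valid index %d), safe decode %ld\n",
           vulnerable_index_for(500), AUTHBUF - 1, safe_result_for(500));
    return 0;
}
```

The point the advisory makes is that the decoder's contract (writes at most N bytes, returns how many) is sound on its own; the defect is the caller sizing the buffer for the payload and forgetting the terminator. The hardened version sizes the decode limit from the buffer rather than the other way round, which is the check to look for when auditing any decode-then-terminate idiom.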
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-security Thu Dec 13 2:41:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from stargate.nol.co.za (nol.co.za [196.33.45.2]) by hub.freebsd.org (Postfix) with ESMTP id F0A0D37B405 for ; Thu, 13 Dec 2001 02:41:36 -0800 (PST) Received: from sun.sz.co.za ([196.33.45.209] helo=netgod.nol.co.za) by stargate.nol.co.za with esmtp (Exim 3.33 #1) id 16ETMa-0000Bi-00 for security@freebsd.org; Thu, 13 Dec 2001 12:45:16 +0200 Message-Id: <5.0.2.1.2.20011213123508.01785db8@nol.co.za> X-Sender: tim@nol.co.za X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 13 Dec 2001 12:36:03 +0200 To: security@freebsd.org
From: "Timothy S. Bowers" Subject: (sh), uid 0: core dumped on signal 12 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi all,

I get the following messages a few times, then the PC just reboots:

/kernel: pid 28998 (sh), uid 0: exited on signal 12 (core dumped)
/kernel: pid 29356 (sh), uid 0: exited on signal 12
/kernel: pid 29357 (sh), uid 0: exited on signal 12

This happens every now and then.. like once a day on average.

Is this a sign that someone is running an exploit on me?

How can I find out what the cause of this is?

Thank you,
Timothy S. Bowers

From owner-freebsd-security Thu Dec 13 2:52:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from raven.robbins.dropbear.id.au (013.b.007.mel.iprimus.net.au [210.50.81.13]) by hub.freebsd.org (Postfix) with ESMTP id E23BA37B416 for ; Thu, 13 Dec 2001 02:52:07 -0800 (PST) Received: (from tim@localhost) by raven.robbins.dropbear.id.au (8.11.6/8.11.6) id fBDAfYx04423 for security@FreeBSD.ORG; Thu, 13 Dec 2001 21:41:34 +1100 (EST) (envelope-from tim) Date: Thu, 13 Dec 2001 21:41:33 +1100
From: "Tim J. Robbins" To: security@FreeBSD.ORG Subject: Re: (sh), uid 0: core dumped on signal 12 Message-ID: <20011213214133.A4397@raven.robbins.dropbear.id.au> References: <5.0.2.1.2.20011213123508.01785db8@nol.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.0.2.1.2.20011213123508.01785db8@nol.co.za>; from tim@nol.co.za on Thu, Dec 13, 2001 at 12:36:03PM +0200 S
ender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Dec 13, 2001 at 12:36:03PM +0200, Timothy S. Bowers wrote:
> I get the following messages a few times, then the PC just reboots:
>
> /kernel: pid 28998 (sh), uid 0: exited on signal 12 (core dumped)
> /kernel: pid 29356 (sh), uid 0: exited on signal 12
> /kernel: pid 29357 (sh), uid 0: exited on signal 12

#define SIGSYS  12      /* non-existent system call invoked */

You might want to check that whatever `sh' (presumably /bin/sh) that causes these errors is for the right OS release and that it hasn't become corrupted somehow. Check that userland and the kernel are in sync.

> Is this a sign that someone is running an exploit on me?

It could be that the machine is compromised and a rootkit used which has damaged /bin/sh. Just a guess.

> How can I find out what the cause of this is?

Check the things I mentioned above. truss, ktrace, and checking out the core file with gdb may help.
Tim

From owner-freebsd-security Thu Dec 13 3:27:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from shikima.mine.nu (pc1-card4-0-cust77.cdf.cable.ntl.com [62.252.49.77]) by hub.freebsd.org (Postfix) with ESMTP id AB34637B419 for ; Thu, 13 Dec 2001 03:27:20 -0800 (PST) Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1) id 16EU3S-0006yx-00 for security@freebsd.org; Thu, 13 Dec 2001 11:29:34 +0000 Date: Thu, 13 Dec 2001 11:29:34 +0000
From: Rasputin To: security@freebsd.org Subject: Re: hosts.allow Message-ID: <20011213112934.A26770@shikima.mine.nu> Reply-To: Rasputin References: <20011212182706.A21749@shikima.mine.nu> <20011212194617.1333e91f.kzaraska@student.uci.agh.edu.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011212194617.1333e91f.kzaraska@student.uci.agh.edu.pl>; from kzaraska@student.uci.agh.edu.pl on Wed, Dec 12, 2001 at 07:46:17PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* Krzysztof Zaraska [011212 18:50]:
> On Wed, 12 Dec 2001 18:27:06 +0000 Rasputin wrote:
>
> > I just noticed I have a hosts.allow that is set up to all kinds of
> > weird examples:
> >
> > # hosts.allow access control file for "tcp wrapped" applications.
> > # $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $
> >
> > Should/is this enabled by default?
> At least my "stock" version [v 1.8.2.3 2000/07/20 15:17:44] had this near
> the top:
>
> # Start by allowing everything (this prevents the rest of the file
> # from working, so remove it when you need protection).
> # The rules here work on a "First match wins" basis.
> ALL : ALL : allow
>
> So the examples don't matter. But this default setup is insecure anyhow.

My objection was really that it's been installed by default, is presumably active, and has lines such as:

ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

in it. If they were commented out, fair enough.

We've also got uncommented lines regarding the portmapper and other services - I know the IPs are private, but who's to say what lives on those IPs on my network? I only knew this file existed because of a warning in messages yesterday.

The CVS header suggests it's been there since at least August, but I'm not sure it's a good thing to have in by default. The default allow is fair enough, I suppose, since it preserves POLA, but I'd question explicit allow/deny lines unless they're commented out.

--
In English, every word can be verbed. Would that it were so in our programming languages.
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Thu Dec 13 5:41:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 8F58637BDF4; Thu, 13 Dec 2001 05:39:19 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fBDDc5921525; Thu, 13 Dec 2001 15:38:05 +0200 (EET) (envelope-from ru) Date: Thu, 13 Dec 2001 15:38:04 +0200
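The first-match-wins behaviour that Krzysztof Zaraska and Rasputin describe in the hosts.allow thread, shown as an added example (it is not part of either message and is not the tcp_wrappers library): a small C evaluator for hosts.allow lines that handles ALL, leading-dot domain suffixes, trailing-dot address prefixes and exact names, run over a constructed copy of the stock ordering and a hardened one. The two rule sets are assumptions built from the lines quoted above; netmasks, EXCEPT and the other pattern forms of hosts_access(5) are not modelled, and the no-match default of allow mirrors FreeBSD's single-file setup with no hosts.deny.

```c
#include <stdio.h>
#include <string.h>

/* Does one tcp_wrappers-style pattern match a daemon or client name?
 * Forms modelled: ALL, ".domain" (suffix), "1.2.3." (prefix), exact name.
 * Netmasks, EXCEPT, KNOWN/UNKNOWN and the like are deliberately left out. */
static int pat_match(const char *pat, const char *name)
{
    size_t pl = strlen(pat), nl = strlen(name);
    if (strcmp(pat, "ALL") == 0)
        return 1;
    if (pl > 0 && pat[0] == '.')                 /* .example.com */
        return nl >= pl && strcmp(name + (nl - pl), pat) == 0;
    if (pl > 0 && pat[pl - 1] == '.')            /* 192.168.1. */
        return strncmp(name, pat, pl) == 0;
    return strcmp(pat, name) == 0;
}

/* A list is comma- or blank-separated patterns; any one matching wins. */
static int list_match(const char *list, const char *name)
{
    char buf[256];
    char *tok;
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, ", \t"); tok != NULL; tok = strtok(NULL, ", \t"))
        if (pat_match(tok, name))
            return 1;
    return 0;
}

/* Evaluate "daemon_list : client_list [: action]" lines, first match wins.
 * Returns "allow" or "deny".  With FreeBSD's single hosts.allow and no
 * hosts.deny, a client nothing matches is let in, so the fall-through is
 * "allow" (assumption stated in the lead-in). */
const char *hosts_access(const char *rules, const char *daemon, const char *client)
{
    char line[512];
    const char *p = rules;

    while (*p != '\0') {
        size_t n = strcspn(p, "\n");           /* copy one line out */
        char *hash, *daemons, *clients, *action;
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n;
        if (*p == '\n')
            p++;

        hash = strchr(line, '#');               /* strip comments */
        if (hash != NULL)
            *hash = '\0';
        daemons = line;
        clients = strchr(daemons, ':');
        if (clients == NULL)
            continue;                           /* blank or malformed line */
        *clients++ = '\0';
        action = strchr(clients, ':');
        if (action != NULL)
            *action++ = '\0';

        if (list_match(daemons, daemon) && list_match(clients, client))
            return (action != NULL && strstr(action, "deny") != NULL) ? "deny" : "allow";
    }
    return "allow";
}

/* Constructed rule sets.  STOCK_RULES follows the shipped ordering from the
 * thread: the catch-all allow comes first, so the ftpd lines never fire. */
const char *STOCK_RULES =
    "# Start by allowing everything (first match wins)\n"
    "ALL : ALL : allow\n"
    "ftpd : .nice.guy.example.com : allow\n"
    "ftpd : .evil.cracker.example.com : deny\n"
    "ftpd : ALL : allow\n";

/* HARDENED_RULES drops the catch-all, limits sshd to a local prefix and
 * closes with an explicit deny so nothing falls through. */
const char *HARDENED_RULES =
    "ftpd : .nice.guy.example.com : allow\n"
    "ftpd : .evil.cracker.example.com : deny\n"
    "sshd : 192.168.1. 127.0.0.1 : allow\n"
    "ALL : ALL : deny\n";

int main(void)
{
    printf("stock,    ftpd from host.evil.cracker.example.com: %s\n",
           hosts_access(STOCK_RULES, "ftpd", "host.evil.cracker.example.com"));
    printf("hardened, ftpd from host.evil.cracker.example.com: %s\n",
           hosts_access(HARDENED_RULES, "ftpd", "host.evil.cracker.example.com"));
    printf("hardened, sshd from 10.0.0.5: %s\n",
           hosts_access(HARDENED_RULES, "sshd", "10.0.0.5"));
    return 0;
}
```

Running it shows why the shipped ordering is harmless in one sense and dangerous in another: with `ALL : ALL : allow` on top the example deny line for `.evil.cracker.example.com` can never match, exactly as Krzysztof says, but the moment an administrator deletes that first line to "turn on" protection, every uncommented example below it becomes live policy, which is Rasputin's objection.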
From: Ruslan Ermilov To: "Tim J. Robbins" Cc: security@FreeBSD.org, bug-followup@FreeBSD.org Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks Message-ID: <20011213153804.A19995@sunbay.com> References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> User-Agent: Mutt/1.3.23i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Dec 13, 2001 at 06:13:44PM +1100, Tim J. Robbins wrote:
>
> The catman system of the man(1) utility included with FreeBSD is
> vulnerable to a whole bunch of attacks whereby the catpage's
> contents can be controlled by an attacker. Discussions of the
> problem:
> http://security-archive.merton.ox.ac.uk/security-audit-199908/
> ("SGID man", Solar Designer, Sun Aug 01 1999 .. and followups)
> http://security-archive.merton.ox.ac.uk/security-audit-200010/0022.html
> (more problems)
>
> >How-To-Repeat:
> There are too many ways to repeat the problem.. here's one:
> $ ln -s /usr/share/man/cat1 cat1
> $ mkdir man1
> $ cd man1
> $ cat >ls.1
> oops! modified
> ^D
> $ cd ..
> $ man -M . ls
> Formatting page, please wait...Done.
> oops! modified
>
> >Fix:
> Remove the suid(!) bit from /usr/bin/man.
>

Unfortunately, removing the SUID bit from man(1) is not possible, because it is used to create new or update obsolete catpages in %manpath%/cat%section% directories, which are usually owned by the user ``man'', except for private user directories. The patch below doesn't allow man(1) to use its SUID powers when the catpage's directory is accessed via a symlink.
Index: man.c =================================================================== RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v retrieving revision 1.49 diff -u -p -r1.49 man.c --- man.c 2001/09/06 11:54:28 1.49 +++ man.c 2001/12/13 13:28:42 @@ -23,6 +23,7 @@ #include #include #include +#include #ifdef __FreeBSD__ #include #include 
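Review bot: the `+#include` line in this hunk has lost its header name in the archived copy, so the hunk as shown does not say which header is being added; since the second hunk introduces a call to dirname(3), the committed line should be `#include <libgen.h>`, and it is worth confirming that is what went in, because FreeBSD's dirname(3) returns a pointer to static storage that the next call overwrites, which matters if cat_dir is ever held across another dirname() or basename() call.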
@@ -1402,19 +1403,24 @@ format_and_display (path, man_file, cat_ { #ifdef SETUID - seteuid(euid); - found = make_cat_file (path, man_file, cat_file, 1); - seteuid(ruid); - - if (!found) - { - /* Try again as real user - see note below. - By running with - effective group (user) ID == real group (user) ID - except for the call above, I believe the problems - of reading private man pages is avoided. */ - found = make_cat_file (path, man_file, cat_file, 0); - } + char *cat_dir = dirname(cat_file); + struct stat sb; + if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode)) + { + seteuid(euid); + found = make_cat_file (path, man_file, cat_file, 1); + seteuid(ruid); + + if (!found) + { + /* Try again as real user - see note below. + By running with + effective group (user) ID == real group (user) ID + except for the call above, I believe the problems + of reading private man pages is avoided. */ + found = make_cat_file (path, man_file, cat_file, 0); + } + } #else found = make_cat_file (path, man_file, cat_file, 0); #endif Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 13 8: 0:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23]) by hub.freebsd.org (Postfix) with ESMTP id 33B2737B41D for ; Thu, 13 Dec 2001 08:00:28 -0800 (PST) Received: from fazendinha (ressacada.melim.com.br [200.215.110.4]) by salseiros.melim.com.br (Postfix) with SMTP id 0A652BAB6; Thu, 13 Dec 2001 14:00:20 -0200 (BRST) Message-ID: <058d01c183ef$ce77e1b0$2aa8a8c0@melim.com.br> 
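Review bot: the lstat() check in format_and_display only inspects the final component of cat_dir, so the `ln -s /usr/share/man/cat1 cat1` case from the PR is caught, but a symlink in a parent component (which lstat() follows) still passes, and nothing stops the directory from being replaced by a symlink between this lstat() and the open inside make_cat_file(); checking sb.st_uid against the expected owner (the ``man'' user mentioned above) or opening the directory and using fstat() on that descriptor would be more robust than S_ISDIR alone. Also, when the test fails, `found` is never assigned in this hunk and no unprivileged attempt is made, which is what breaks private cat pages under a symlinked directory, as Andrey notes in the follow-up; adding

    else
      found = make_cat_file (path, man_file, cat_file, 0);

keeps the unprivileged fallback while still withholding the SUID path. Finally, dirname() is passed cat_file itself; FreeBSD's implementation leaves its argument intact, but POSIX allows dirname() to modify it, so passing a copy is safer in code that is shared with other platforms.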
From: "Ronan Lucio" To: , "Mr. Chan" References: <5.0.2.1.0.20011212185722.00aaa098@90.0.0.3> Subject: Re: Question about port 50000 Date: Thu, 13 Dec 2001 14:04:12 -0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> Hey,
>
> I installed FBSD 4.4 a few days ago and noticed a weird port that is running..
>
> tcp4       0      0  *.50000                *.*                    LISTEN
>
> Now this is a brand new installation, so I doubt I got hacked/root kitted..
>
> When I telnet to it this is all I get:
>
> > telnet localhost 50000
> Trying 127.0.0.1...
> Connected to localhost.cpu1058.adsl.bellglobal.com.
> Escape character is '^]'.

It's really weird. OpenSSH from FreeBSD-4.4 is vulnerable; do you have OpenSSH installed?

[]'s
Ronan

> help
> -Unknown command
> ?
> -Unknown command
> ?!
> -Unknown command
>
>
> Any ideas?
>
> Thanks
>

From owner-freebsd-security Thu Dec 13 8: 7:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 2262237B417; Thu, 13 Dec 2001 08:07:16 -0800 (PST) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id fBDG7EJ45703; Thu, 13 Dec 2001 19:07:14 +0300 (MSK) (envelope-from ache) Date: Thu, 13 Dec 2001 19:07:13 +0300
From: "Andrey A. Chernov"
To: Ruslan Ermilov
Cc: "Tim J. Robbins", security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Message-ID: <20011213160713.GA45527@nagual.pp.ru>
References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com>
In-Reply-To: <20011213153804.A19995@sunbay.com>

On Thu, Dec 13, 2001 at 15:38:04 +0200, Ruslan Ermilov wrote:
> The below patch doesn't allow man(1) to use its SUID powers
> when the catpage's directory is accessed via symlink.

It breaks private cat pages (the symlink check must not be present for them).

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Thu Dec 13 8:21:20 2001
Date: Thu, 13 Dec 2001 10:21:09 -0600 
From: Rob Andrews
To: freebsd-security@freebsd.org
Subject: Question about sshd...
Message-ID: <20011213102109.A18375@switchblade.cyberpunkz.org>

I am wondering if there is a way, or if there has been consideration of a way, to implement login permissions based upon user authentication via sshd (OpenSSH 3.0.2).

The reason I am asking is because I want to force all staff members to login through the system based upon their generated keypairs, such as an RSA or DSA keypair. Users, since they have very limited access, I am not as worried about an account compromise. But if a staff user's account on a machine is compromised then I at least want someone to have to have worked for it to even get logged into the system.

I'd heard talk from someone else that they were interested in patching opensshd to do just this, so you could create a rule in the config for an allowed user and say a 'without-password' option such as there is allowed for root.

Any ideas?
:) Thanks,

--
::::::::::::=================---------------------
:|Robert Andrews
:|Cyberpunk Alliance http://www.cyberpunkz.org
:|Minneapolis, MN Email: rob@cyberpunkz.org Office: 763-535-6392
:::::::::::::::::::::::::::====================-------------------------

From owner-freebsd-security Thu Dec 13 8:59:18 2001
Date: Thu, 13 Dec 2001 17:01:13 +0000
From: Rasputin
To: Rob Andrews
Cc: security@freebsd.org
Subject: Re: Question about sshd...
Message-ID: <20011213170113.A36344@shikima.mine.nu>
Reply-To: Rasputin
References: <20011213102109.A18375@switchblade.cyberpunkz.org>
In-Reply-To: <20011213102109.A18375@switchblade.cyberpunkz.org>; from rob@cyberpunkz.org on Thu, Dec 13, 2001 at 10:21:09AM -0600

* Rob Andrews [011213 16:28]:
> I am wondering if there is a way or if there has been consideration
> of a way to implement login permissions based upon user authentication
> via sshd (openssh 3.0.2)
>
> The reason I am asking is because I want to force all staff members to
> login through the system based upon their generated keypairs such as a
> RSA or DSA keypair. Users since they have very limited access I am not
> as worried about an account compromise. But if a staff users account
> on a machine is compromised then I at least want someone to have to have
> worked for it to even get logged into the system.
>
> I'd heard talk from someone else that they were interested in patching
> opensshd to do just this. so you could create a rule in the config
> for an allowed user and say a 'without-password' option such as there
> is allowed for root.

Is there a reason you can't use the usual RSA authentication methods for this? That doesn't rely on system passwords, just the private keyfile.
--
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Thu Dec 13 9: 2: 1 2001
From: "Haikal Saadh"
To: "'Rob Andrews'"
Subject: RE: Question about sshd...
Date: Thu, 13 Dec 2001 22:01:19 +0500
Message-ID: <001601c183f7$cc88e950$69c801ca@warhawk>
In-Reply-To: <20011213102109.A18375@switchblade.cyberpunkz.org>

I understood that if you *'red out your staff members' passwords using vipw, and if you generate a keypair for them, they should be able to log in via ssh, but not telnet or the local console.
From owner-freebsd-security Thu Dec 13 9: 3:23 2001
Message-ID: <005d01c183f8$2932aec0$8241949f@TRDC>
From: "endrju"
Subject: ipfw+syn
Date: Thu, 13 Dec 2001 19:04:00 +0200

When I tried something like this:

nmap -sS ...

but:

sendto in send_syn_fragz: Permission denied
sendto in send_syn_fragz: Permission denied

I even set my firewall rules to 'allow ip from any to any' but nothing happened.

What's wrong / what can I do?

.endrju.

From owner-freebsd-security Thu Dec 13 9:27:27 2001
From: "Haikal Saadh"
Subject: /etc/permissions
Date: Thu, 13 Dec 2001 22:01:43 +0500
Message-ID: <001701c183f7$da9170d0$69c801ca@warhawk>

I just ran tiger on a 4.4R box today, and it mentioned that most of the files in /etc have perms that shouldn't be there... Likewise, AusCERT's unix security checklist recommended removing world read perms from quite a few files. Have the permissions been overlooked, or is there some design issue that I've missed out on? Common sense dictates that the files in /etc/ should only be root accessible, right?

From owner-freebsd-security Thu Dec 13 9:37:50 2001
Date: Thu, 13 Dec 2001 12:36:18 -0500 (EST)
From: Matt Piechota
To: Haikal Saadh
Subject: Re: /etc/permissions
In-Reply-To: <001701c183f7$da9170d0$69c801ca@warhawk>
Message-ID: <20011213123158.R49226-100000@cithaeron.argolis.org>

On Thu, 13 Dec 2001, Haikal Saadh wrote:

> I just ran tiger on a 4.4R box today, and it mentioned that most the
> files in /etc have perms that shouldn't be there...likewise, auscert's
> unix security checklist recommended removing world read perms from quite
> a few files. Have the permissions been overlooked, or is there some
> design issue that I've missed out on? Common sense dictates that the
> files in /etc/ should only be root accessible, right?

Not really. If I run 'ls -l', ls needs to be able to read passwd to match the uid's on the inode to a username. If I can't read the file normally, ls (running as me) won't be able to either. I'd imagine there are some things that could go without people being able to read them, but to me that's just security by obscurity, and doesn't really buy much. Except making it harder to do system maintenance without being logged in as root.

--
Matt Piechota

From owner-freebsd-security Thu Dec 13 9:42:32 2001
Message-ID: <013401c183fd$aa359f50$8241949f@TRDC>
From: "endrju"
References: <005d01c183f8$2932aec0$8241949f@TRDC>
Subject: Re: ipfw+syn
Date: Thu, 13 Dec 2001 19:43:24 +0200

Oh, I forgot.... I run:

nmap -sS -f

sS - stealth SYN scan
f - tiny fragmented packets.

----- Original Message -----
From: "endrju"
Sent: Thursday, December 13, 2001 7:04 PM
Subject: ipfw+syn

> when i tried something like this:
> nmap -sS ... but:
> sendto in send_syn_fragz: Permission denied
> sendto in send_syn_fragz: Permission denied
>
> i even set my firewall rules to
> 'allow ip from any to any'
> but nothing happened.
>
> what's wrong / what can i do?
>
> ..endrju.

From owner-freebsd-security Thu Dec 13 9:42:59 2001
Message-Id: <200112131742.fBDHgho79388@green.bikeshed.org>
To: "Ronan Lucio"
Cc: freebsd-security@FreeBSD.ORG, "Mr. Chan"
Subject: Re: Question about port 50000
In-Reply-To: Message from "Ronan Lucio" of "Thu, 13 Dec 2001 14:04:12 -0200." <058d01c183ef$ce77e1b0$2aa8a8c0@melim.com.br>
From: "Brian F. Feldman"
Date: Thu, 13 Dec 2001 12:42:43 -0500

"Ronan Lucio" wrote:
> > Hey,
> >
> > I installed FBSD 4.4 a few days ago and noticed a weird port that is
> > running..
> >
> > tcp4 0 0 *.50000 *.* LISTEN
> >
> > Now this is a brand new installation, so i doubt i got hacked/root
> > kitted..
> >
> > When i telnet to it this is all i get:
> >
> > > telnet localhost 50000
> > Trying 127.0.0.1...
> > Connected to localhost.cpu1058.adsl.bellglobal.com.
> > Escape character is '^]'.
>
> It's really weird,
> Openssh from FreeBSD-4.4 is vulnerable, do you have Openssh installed?

No, OpenSSH is vulnerable if you for some reason had enabled UseLogin. There's no reason to have done that...

--
Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
green@FreeBSD.org `------------------------------'

From owner-freebsd-security Thu Dec 13 10: 6:54 2001
Date: Thu, 13 Dec 2001 13:05:08 -0500
From: Anthony Schneider
To: endrju
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw+syn
Message-ID: <20011213130508.A20968@mail.slc.edu>
References: <005d01c183f8$2932aec0$8241949f@TRDC>
In-Reply-To: <005d01c183f8$2932aec0$8241949f@TRDC>; from endrju@mail.lv on Thu, Dec 13, 2001 at 07:04:00PM +0200

Silly question, maybe, but did you run nmap as root?
-Anthony.

On Thu, Dec 13, 2001 at 07:04:00PM +0200, endrju wrote:
> when i tried something like this:
> nmap -sS ... but:
> sendto in send_syn_fragz: Permission denied
> sendto in send_syn_fragz: Permission denied
>
> i even set my firewall rules to
> 'allow ip from any to any'
> but nothing happened.
>
> what's wrong / what can i do?
>
> .endrju.
From owner-freebsd-security Thu Dec 13 10:10:42 2001
Date: Thu, 13 Dec 2001 13:08:57 -0500 (EST)
From: Igor Roshchin
Message-Id: <200112131808.fBDI8vi15855@giganda.komkon.org>
To: piechota@argolis.org, wyldephyre2@yahoo.com
Subject: Re: /etc/permissions
Cc: security@FreeBSD.ORG
In-Reply-To: <20011213123158.R49226-100000@cithaeron.argolis.org>

> From owner-freebsd-security@FreeBSD.ORG Thu Dec 13 12:38:08 2001
> Date: Thu, 13 Dec 2001 12:36:18 -0500 (EST)
> From: Matt Piechota
> To: Haikal Saadh
> Subject: Re: /etc/permissions
>
> On Thu, 13 Dec 2001, Haikal Saadh wrote:
>
> > I just ran tiger on a 4.4R box today, and it mentioned that most the
> > files in /etc have perms that shouldn't be there...likewise, auscert's
> > unix security checklist recommended removing world read perms from quite
> > a few files. Have the permissions been overlooked, or is there some
> > design issue that I've missed out on? Common sense dictates that the
> > files in /etc/ should only be root accessible, right?
>
> Not really. If I run 'ls -l', ls needs to be able to read passwd to
> match the uid's on the inode to a username. If I can't read the file
> normally, ls (running as me) won't be able to either. I'd imagine there
> some things that could go without people being able to read them, but to
> me that's just security by obscurity, and doesn't really buy much. Except
> making it harder to do system maintenance without being logged in as root.
>

While some of the files, like /etc/groups and /etc/passwd, need to be world readable for some programs to work properly, several other files can be made unreadable for the users, especially on a shell server.

Although hiding some files could be "security by obscurity", some measures could create an additional difficulty for a malicious user. Not allowing a user with malicious intent to know how, for example, the system logging is done (that, btw, requires making at least some of the /var/log/ files unreadable too) can prevent that user from preparing for the proper cover-up, should one decide to exploit a local vulnerability. Some users might not do that if they are afraid that you might be logging things remotely, to a log-host. This is just one example. There are many other reasons too.
As we all know, sometimes corporate requirements dictate introducing some "weakness" in the system (explicitly allowed connections from a certain network, some ports opened for access from a particular network, etc.). While a sysadmin should not rely on those things being secure just because the config file (such as /etc/rc.firewall) is not readable, if this creates an extra mile for a malicious user to break in, it makes sense to implement it.

Probably, an optimal solution is to have those files under the group wheel, and to make them group-readable for the convenience of the admins.

-rw-r----- 1 root wheel 12345 Dec 32 19:87 /etc/rc.firewall

This way all admins, who can read those files anyway by su-ing into root, can read them without actually doing that.

Good candidates for this change would probably be:

rc.firewall
hosts.allow
syslog.conf
rc.conf (probably ?)
inetd.conf
periodic/ and periodic/*
daily|weekly|monthly.local (not installed by default)
maybe even mail/ and mail/*, or at least sendmail.cf
probably kerberos*
...
... (feel free to expand)

Igor

From owner-freebsd-security Thu Dec 13 10:13: 7 2001
Date: Thu, 13 Dec 2001 13:11:20 -0500
From: Anthony Schneider
To: endrju
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw+syn
Message-ID: <20011213131120.A21111@mail.slc.edu>
References: <005d01c183f8$2932aec0$8241949f@TRDC> <20011213130508.A20968@mail.slc.edu>
In-Reply-To: <20011213130508.A20968@mail.slc.edu>; from aschneid@mail.slc.edu on Thu, Dec 13, 2001 at 01:05:08PM -0500

...but nmap tells you that you need root privileges immediately when you execute it, so you wouldn't get far enough to get the permission denied errors, so... never mind.
-Anthony.

On Thu, Dec 13, 2001 at 01:05:08PM -0500, Anthony Schneider wrote:
> Silly question, maybe, but did you run nmap as root?
> -Anthony.
>
> On Thu, Dec 13, 2001 at 07:04:00PM +0200, endrju wrote:
> > when i tried something like this:
> > nmap -sS ... but:
> > sendto in send_syn_fragz: Permission denied
> > sendto in send_syn_fragz: Permission denied
> >
> > i even set my firewall rules to
> > 'allow ip from any to any'
> > but nothing happened.
> >
> > what's wrong / what can i do?
> >
> > .endrju.
From owner-freebsd-security Thu Dec 13 10:18:54 2001
Message-ID: <016001c18402$bd795110$8241949f@TRDC>
From: "endrju"
To: "Anthony Schneider"
References: <005d01c183f8$2932aec0$8241949f@TRDC> <20011213130508.A20968@mail.slc.edu> <20011213131120.A21111@mail.slc.edu>
Subject: Re: ipfw+syn
Date: Thu, 13 Dec 2001 20:19:44 +0200

What's so silly there, erm.... but I ran nmap as root. I'm not a fool. Look:

su-2.04# nmap -sS -f aaa.bbb.ccc.ddd

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
sendto in send_syn_fragz: Permission denied
sendto in send_syn_fragz: Permission denied
sendto in send_syn_fragz: Permission denied
sendto in send_syn_fragz: Permission denied
...and so on

From owner-freebsd-security Thu Dec 13 10:24:31 2001
Message-ID: <001601c18403$373ff030$5e3bad86@boredom>
From: "Jeff Jirsa"
References: <005d01c183f8$2932aec0$8241949f@TRDC> <20011213130508.A20968@mail.slc.edu> <20011213131120.A21111@mail.slc.edu> <016001c18402$bd795110$8241949f@TRDC>
Subject: Re: ipfw+syn
Date: Thu, 13 Dec 2001 10:23:08 -0800

> what's so silly there, erm....
> but i ran nmap as root. i'm not fool.
> look:
>
> su-2.04# nmap -sS -f aaa.bbb.ccc.ddd
>
> Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
> sendto in send_syn_fragz: Permission denied
> sendto in send_syn_fragz: Permission denied
> sendto in send_syn_fragz: Permission denied
> sendto in send_syn_fragz: Permission denied
> ...and so on
>

Perhaps the problem is that the _fragments_ are denied by ipfw? Can you successfully run nmap without the -f flag?

- Jeff

From owner-freebsd-security Thu Dec 13 13: 4:44 2001
Date: Thu, 13 Dec 2001 22:04:07 +0100
From: Krzysztof Zaraska
To: "Brian F. Feldman"
Cc: freebsd-security@freebsd.org
Subject: Re: Question about port 50000
Message-Id: <20011213220407.5ac73e37.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <200112131742.fBDHgho79388@green.bikeshed.org>
References: <200112131742.fBDHgho79388@green.bikeshed.org>
Organization: University Of Mining And Metallurgy

On Thu, 13 Dec 2001 12:42:43 -0500 Brian F. Feldman wrote:
> > It's really weird,
> > Openssh from FreeBSD-4.4 is vulnerable, do you have Openssh installed?
>
> No, OpenSSH is vulnerable if you for some reason had enabled UseLogin.
> There's no reason to have done that...

...and the hostile user must have a valid account. So this is not a remote-root exploit per se.

Krzysztof

From owner-freebsd-security Thu Dec 13 13:38:22 2001
Message-ID: <004301c1841e$1450a7c0$3800a8c0@DAVE>
From: "Dave Raven" To: References: <200112131742.fBDHgho79388@green.bikeshed.org> <20011213220407.5ac73e37.kzaraska@student.uci.agh.edu.pl> Subject: Re: Question about port 50000 Date: Thu, 13 Dec 2001 23:35:24 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-2" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Not sure if this has been shown, but how about a sockstat |grep 50000 ----- Original Message ----- 
From: "Krzysztof Zaraska" To: "Brian F. Feldman" Cc: Sent: Thursday, December 13, 2001 11:04 PM Subject: Re: Question about port 50000
On Thu, 13 Dec 2001 12:42:43 -0500 Brian F. Feldman wrote:
> > It's really weird,
> > Openssh from FreeBSD-4.4 is vulnerable, do you have Openssh installed?
>
> No, OpenSSH is vulnerable if you for some reason had enabled UseLogin.
> There's no reason to have done that...
...and the hostile user must have a valid account. So this is not a remote-root exploit per se.
Krzysztof
From owner-freebsd-security Thu Dec 13 14:28:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from xela.oopz.com (xela.oopz.com [209.20.244.131]) by hub.freebsd.org (Postfix) with ESMTP id CFA1E37B416 for ; Thu, 13 Dec 2001 14:28:09 -0800 (PST) Subject: Username length MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Date: Thu, 13 Dec 2001 14:28:09 -0800 Message-ID: content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0 X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Username length Thread-Index: AcGEJXFTdPY6ul3HTbKnlpu06VnXCA==
From: "Noah Davidson" To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
We have a sendmail server running for a few hundred domains. We need to have users log in using user@host.com. I can make usernames in this format if I edit the password file directly. The problem I run into is that usernames can only be 17 chars. I ran into this url: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=60800+0+archive/2001/freebsd-isp/20010114.freebsd-isp
I did change the values that it talked about, but now how can we have longer than 17 char usernames? I recompiled the kernel, but how do I get this into effect? Any help would be greatly appreciated.
Thanks
Noah Davidson
From owner-freebsd-security Thu Dec 13 17: 9:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from raven.robbins.dropbear.id.au (066.d.001.mel.iprimus.net.au [203.134.132.66]) by hub.freebsd.org (Postfix) with ESMTP id 1EBC737B41A; Thu, 13 Dec 2001 17:09:34 -0800 (PST) Received: (from tim@localhost) by raven.robbins.dropbear.id.au (8.11.6/8.11.6) id fBE0vux09946; Fri, 14 Dec 2001 11:57:56 +1100 (EST) (envelope-from tim) Date: Fri, 14 Dec 2001 11:57:55 +1100
From: "Tim J. Robbins" To: Ruslan Ermilov Cc: security@FreeBSD.ORG, bug-followup@FreeBSD.ORG Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks Message-ID: <20011214115755.A9872@raven.robbins.dropbear.id.au> References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011213153804.A19995@sunbay.com>; from ru@FreeBSD.ORG on Thu, Dec 13, 2001 at 03:38:04PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote: > Unfortunately, removing SUID bit from man(1) is not possible, > because it is used to create new or update obsolete catpages > in %manpath%/cat%section% directories which are usually owned > by the user ``man'', except private user directories. I think that making man sgid man instead of suid man would be a good idea also; I remember Red Hat Linux used this same man utility in version 6.2 and they had it sgid. If an attacker gained uid man through a flaw in the utility, they could plant a trojan horse and wait for root to run it. I'll check out how it's been done in Redhat and see if I can come up with a patch. I don't think this would break anything. As for the catman issues, I think it's a flaw in the man utility that it trusts the user running the command to format the manual pages. I can't think of a good way to fix it. 
Tim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 13 18: 7:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from durendal.skynet.be (durendal.skynet.be [195.238.3.128]) by hub.freebsd.org (Postfix) with ESMTP id 1728337B417 for ; Thu, 13 Dec 2001 18:07:52 -0800 (PST) Received: from skynet.be (dialup127.herentals.skynet.be [195.238.28.127]) by durendal.skynet.be (8.11.6/8.11.6/Skynet-OUT-2.16) with ESMTP id fBE27mS07547; Fri, 14 Dec 2001 03:07:48 +0100 (MET) (envelope-from ) Message-ID: <3C195EEC.9010208@skynet.be> Date: Fri, 14 Dec 2001 03:07:40 +0100 
From: Raf Schietekat Reply-To: Raf_Schietekat@ieee.org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2 X-Accept-Language: en-us MIME-Version: 1.0 To: FreeBSD-security@FreeBSD.org Subject: kdm grants ordinary users root access on 4.4-R Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Dear experts,
When I do startx from a console, my KDE environment starts up as expected (I have "startkde" in both .xsession and .xinitrc). Since I succeeded in setting up kdm (which took some asking and guessing, because I didn't find much in the way of documentation), I have the following problem:
>>>>> I wrote on FreeBSD-questions with subject "kdm op 4.4-R"
No, hold the presses, now I've got another problem, which some system administrators may frown upon... ;-) When I log in to KDE as my ordinary-user(-though-member-of-wheel) identity, I get my session back as I left it, but when I start up a Konsole (I was going to give the su root kcontrol another try), I notice that I am... root! Right at the prompt greeting me when the window pops up, no su or anything!
# whoami
root
# pwd
/usr/home/rfschtkt
# cd
# pwd
/usr/home/rfschtkt
[How come cd doesn't take me to /root?]
<<<<<
(Note that the subject "kdm op 4.4-R" is from a lapse into Dutch, and means "kdm on 4.4-R".)
Configuration was pretty much as follows:
>>>>> I wrote on FreeBSD-questions with subject "kdm op 4.4-R"
desktop# ls /usr/local/share/config/kdm
kdmrc
desktop# cd /usr/local/share/config/kdm
desktop# cp /usr/X11R6/lib/X11/xdm/Xservers Xservers
desktop# kdm -nodaemon
[aha, login window appears... but login fails, Ctrl-Alt-F1]
[several error messages about Xaccess, Xsetup, Xstartup, Xreset, Ctrl-C]
^Cdesktop# cp /usr/X11R6/lib/X11/xdm/Xaccess Xaccess
desktop# cp /usr/X11R6/lib/X11/xdm/Xsetup_0 Xsetup
desktop# cp /usr/X11R6/lib/X11/xdm/Xsession Xstartup
desktop# echo > Xreset
[ee Xstartup to contain a line for KDE]
desktop# kdm -nodaemon
[can log in fine, Sound server error looks different than the message I normally get, but that's another issue]
[when I log out, the screen is black with a % shell in the upper left hand corner, and xconsole in the lower right, I type exit, I get kdm, Ctrl-Alt-F1, Ctrl-C]
^Cdesktop# echo "/usr/local/bin/kdm/desktop" > Xsetup
[now I have a background, although there are a few seconds of delay each time, I go out of X, ee /etc/ttys to enable kdm from there, kill -HUP 1, still works fine, but I still get the % shell where I have to type exit]
<<<<<
If I then log out and remove kdm from /etc/ttys and try to log in normally again, I can't until I've removed some files that were written in my home directory with owner root, but then I'm back to normal (normal user in Konsole until I enable kdm again). Did I miss something in the setup? Is it a known problem?
Raf Schietekat
From owner-freebsd-security Thu Dec 13 23:57:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 19C2D37B416; Thu, 13 Dec 2001 23:57:07 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fBE7uJt36213; Fri, 14 Dec 2001 09:56:19 +0200 (EET) (envelope-from ru) Date: Fri, 14 Dec 2001 09:56:19 +0200
From: Ruslan Ermilov To: "Andrey A. Chernov" Cc: "Tim J. Robbins" , security@FreeBSD.ORG, bug-followup@FreeBSD.ORG Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks Message-ID: <20011214095619.A35094@sunbay.com> References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com> <20011213160713.GA45527@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20011213160713.GA45527@nagual.pp.ru> User-Agent: Mutt/1.3.23i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Dec 13, 2001 at 07:07:13PM +0300, Andrey A. Chernov wrote: > On Thu, Dec 13, 2001 at 15:38:04 +0200, Ruslan Ermilov wrote: > > > The below patch doesn't allow man(1) to use its SUID powers > > when the catpage's directory is accessed via symlink. > > It breaks private cat pages (symlink check must not present for them) > Oops, right, wrongly placed closing brace: Index: man.c =================================================================== RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v retrieving revision 1.49 diff -u -p -r1.49 man.c --- man.c 2001/09/06 11:54:28 1.49 +++ man.c 2001/12/14 07:57:03 @@ -23,6 +23,7 @@ #include #include #include +#include #ifdef __FreeBSD__ #include #include 
@@ -1402,10 +1403,15 @@ format_and_display (path, man_file, cat_ { #ifdef SETUID - seteuid(euid); - found = make_cat_file (path, man_file, cat_file, 1); - seteuid(ruid); - + char *cat_dir = dirname(cat_file); + struct stat sb; + if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode)) + { + seteuid(euid); + found = make_cat_file (path, man_file, cat_file, 1); + seteuid(ruid); + } + if (!found) { /* Try again as real user - see note below. Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 14 0: 4:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 3D94737B416; Fri, 14 Dec 2001 00:04:14 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id fBE840R37042; Fri, 14 Dec 2001 10:04:00 +0200 (EET) (envelope-from ru) Date: Fri, 14 Dec 2001 10:04:00 +0200 
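Review bot: the lstat() guard in the format_and_display hunk is evaluated against a path name while the privileged write inside make_cat_file() re-resolves that same name, so a symlink swapped into place between the two calls is still followed, and because only dirname(cat_file) is inspected, a symlink in any higher path component is not caught at all. Opening the directory once without following symlinks, fstat()-ing that descriptor and creating the catpage relative to it would make the check and the write refer to the same object. Two smaller points: dirname(3) is permitted to modify the string it is given and to return a pointer to static storage, so pass a copy of cat_file if cat_file is used again afterwards; and the fall-through `if (!found)` now relies on found being zero whenever the lstat() test fails, which is worth confirming where found is initialised.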
From: Ruslan Ermilov To: "Tim J. Robbins" Cc: security@FreeBSD.ORG, bug-followup@FreeBSD.ORG Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks Message-ID: <20011214100400.B35094@sunbay.com> References: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> <20011213153804.A19995@sunbay.com> <20011214115755.A9872@raven.robbins.dropbear.id.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20011214115755.A9872@raven.robbins.dropbear.id.au> User-Agent: Mutt/1.3.23i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Dec 14, 2001 at 11:57:55AM +1100, Tim J. Robbins wrote: > On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote: > > > Unfortunately, removing SUID bit from man(1) is not possible, > > because it is used to create new or update obsolete catpages > > in %manpath%/cat%section% directories which are usually owned > > by the user ``man'', except private user directories. > > I think that making man sgid man instead of suid man would be a good > idea also; I remember Red Hat Linux used this same man utility in version 6.2 > and they had it sgid. If an attacker gained uid man through a flaw in the > utility, they could plant a trojan horse and wait for root to run it. > > I'll check out how it's been done in Redhat and see if I can come up > with a patch. I don't think this would break anything. > Our man(1) uses its SUID bit only to write to catpages. > As for the catman issues, I think it's a flaw in the man utility that > it trusts the user running the command to format the manual pages. > I can't think of a good way to fix it. 
>
Yeah, having in mind the other breakage, that the user is allowed to supply his own ${GROFF_TMAC_PATH}, I think it would be a good idea to disable this feature of man(1) to create catpages, like it's done in OpenBSD and probably NetBSD. Catpages are optional, and if you have enough disk space, you can set MANBUILDCAT=YES in your /etc/make.conf, and have ``make world'' build and install them for you. Also, we have a ${weekly_catman_enable} feature in periodic.conf(5). Removing the catpaging feature of man(1) would allow us to drop its SUIDness completely. If there are no serious objections, I'm volunteering to do this job after 4.5-RELEASE.
Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age
From owner-freebsd-security Fri Dec 14 5:37:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.latnet.lv (mail.latnet.lv [159.148.108.208]) by hub.freebsd.org (Postfix) with SMTP id 2193537B416 for ; Fri, 14 Dec 2001 05:37:47 -0800 (PST) Received: (qmail 1358 invoked by uid 64014); 14 Dec 2001 13:37:45 -0000 Received: from endrju@mail.lv by mail with qmail-scanner-0.96 (. Clean. Processed in 0.072316 secs); 14 Dec 2001 13:37:45 -0000 Received: from guru.hacked.void.lv (HELO SERVER1) (159.148.65.130) by mail.latnet.lv with SMTP; 14 Dec 2001 13:37:45 -0000 Message-ID: <005d01c184a4$a6aeefb0$8241949f@TRDC>
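The catpage discussion above (Tim's and Ruslan's posts, and Andrey's objection about private cat pages quoted in the patch mail) turns on one point: a writer running with elevated privilege must not trust a path whose directory can be replaced by a symlink between the check and the write. The following is an added example, not code from the thread or from FreeBSD's man(1), written in Python: it opens the target directory once without following a symlink in the final component, verifies ownership and permissions on that open descriptor, and creates the page relative to it, so the check and the write refer to the same object. The expected-owner argument is the caller's choice (the `man` uid for system catdirs, the invoking user's own uid for private ones, which keeps Andrey's case working); the directory layout, file names and page contents in `demo()` are constructed for the example.

```python
import os
import stat
import tempfile


def open_trusted_dir(path, expected_uid):
    """Open PATH as a directory without following a symlink in the final
    component, then verify on the open descriptor that it really is a
    directory, that EXPECTED_UID owns it, and that nobody else can write to
    it.  The caller must write through the returned descriptor (dir_fd), so
    a later rename or symlink swap cannot redirect the write.
    Raises PermissionError on any failed check."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        # ELOOP or ENOTDIR here means the last component was a symlink or
        # not a directory; either way it is not a safe destination.
        raise PermissionError(f"{path}: {exc.strerror}") from None
    try:
        st = os.fstat(fd)
        if not stat.S_ISDIR(st.st_mode):
            raise PermissionError(f"{path}: not a directory")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: group- or world-writable")
    except BaseException:
        os.close(fd)
        raise
    return fd


def write_catpage(dirfd, name, data):
    """Create or replace NAME inside the already-verified directory.
    O_NOFOLLOW refuses a symlink planted under that name, and the relative
    open through dirfd never re-resolves the directory path."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError(f"bad catpage name {name!r}")
    fflags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(name, fflags, 0o644, dir_fd=dirfd)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Build a throw-away layout (constructed for this example): a real cat
    directory, a symlink pointing at it, and a symlink where a catpage would
    be written.  Returns which attempts were accepted."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        catdir = os.path.join(root, "cat1")
        os.mkdir(catdir, 0o755)
        os.symlink(catdir, os.path.join(root, "catlink"))

        # 1. genuine directory owned by us: accepted, page written
        fd = open_trusted_dir(catdir, me)
        try:
            write_catpage(fd, "ls.1.gz", b"formatted page")
            with open(os.path.join(catdir, "ls.1.gz"), "rb") as f:
                results["written"] = f.read()
        finally:
            os.close(fd)

        # 2. symlink to a directory: refused at open time (O_NOFOLLOW)
        try:
            open_trusted_dir(os.path.join(root, "catlink"), me)
            results["symlink_dir"] = "accepted"
        except PermissionError:
            results["symlink_dir"] = "refused"

        # 3. directory not owned by the expected uid: refused after fstat
        try:
            open_trusted_dir(catdir, me + 1)
            results["wrong_owner"] = "accepted"
        except PermissionError:
            results["wrong_owner"] = "refused"

        # 4. a symlink planted where the catpage would go: refused
        os.symlink(os.path.join(root, "victim"), os.path.join(catdir, "cp.1.gz"))
        fd = open_trusted_dir(catdir, me)
        try:
            write_catpage(fd, "cp.1.gz", b"x")
            results["planted_link"] = "accepted"
        except OSError:
            results["planted_link"] = "refused"
        finally:
            os.close(fd)
    return results
```

The design point is that every decision is made on a descriptor, not a path: `open_trusted_dir` checks the object it actually opened, and `write_catpage` creates the file relative to that same descriptor, so there is no window in which the path can be re-pointed. This is the Python counterpart of the fstat-and-write-relative approach, not a port of the man(1) patch.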
From: "endrju" To: References: <005d01c183f8$2932aec0$8241949f@TRDC> <20011213130508.A20968@mail.slc.edu> <20011213131120.A21111@mail.slc.edu> <016001c18402$bd795110$8241949f@TRDC> <001601c18403$373ff030$5e3bad86@boredom> Subject: Re: ipfw+syn Date: Fri, 14 Dec 2001 15:38:44 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ...# ipfw -a list 00100 0 0 allow ip from any to any frag 00200 419 44610 allow ip from any to any 65535 884 92423 deny ip from any to any but anyway: su-2.04# nmap -sS -f aaa.bbb.ccc.ddd Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/ ) sendto in send_syn_fragz: Permission denied ----- Original Message ----- 
From: "Jeff Jirsa" To: Sent: Thursday, December 13, 2001 8:23 PM Subject: Re: ipfw+syn > > > > what's so silly there, erm.... > > but i ran nmap as root. i'm not fool. > > look: > > > > su-2.04# nmap -sS -f aaa.bbb.ccc.ddd > > > > Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) > > sendto in send_syn_fragz: Permission denied > > sendto in send_syn_fragz: Permission denied > > sendto in send_syn_fragz: Permission denied > > sendto in send_syn_fragz: Permission denied > > ...and so on > > > > Perhaps the problem is that the _fragments_ are denied by ipfw? > Can you successfully run nmap without the -f flag? > > - Jeff > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 14 6:18:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.yahho.com (28.c210-85-16.ethome.net.tw [210.85.16.28]) by hub.freebsd.org (Postfix) with SMTP id C689437B416; Fri, 14 Dec 2001 06:17:23 -0800 (PST) Received: from tpts5 by titan.seed.net.tw with SMTP id ieeaSB0NFVCdBkoUC7sbnj; Fri, 14 Dec 2001 22:24:56 +0800 Message-ID: 
From: Santa@yahoo.com To: Subject: Merry Christmas MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_dWS8e4H5ubXjneRRoat" X-Mailer: oZma3iezzmlIMEBlK X-Priority: 3 X-MSMail-Priority: Normal Date: Fri, 14 Dec 2001 06:17:23 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_dWS8e4H5ubXjneRRoat Content-Type: multipart/alternative; boundary="----=_NextPart_dWS8e4H5ubXjneRRoatAA" ------=_NextPart_dWS8e4H5ubXjneRRoatAA Content-Type: text/html; charset="big5" Content-Transfer-Encoding: base64
------=_NextPart_dWS8e4H5ubXjneRRoatAA-- ------=_NextPart_dWS8e4H5ubXjneRRoat--
From owner-freebsd-security Fri Dec 14 14:14: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from ldc.ro (ldc-gw.rdsnet.ro [213.157.163.8]) by hub.freebsd.org (Postfix) with SMTP id 28A1D37B405 for ; Fri, 14 Dec 2001 14:14:06 -0800 (PST) Received: (qmail 57247 invoked by uid 666); 14 Dec 2001 22:14:04 -0000 Date: Sat, 15 Dec 2001 00:14:04 +0200
From: Alex Popa To: freebsd-security@freebsd.org Subject: Rate-limiting OPEN port RST response? Message-ID: <20011215001404.A55184@ldc.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is there such a limitation active by default? I am seeing the following message: Limiting open port RST response from 337 to 200 packets per second on my home machine, connected through a 14k modem to the net. I also have net.inet.{tcp,udp}.log_in_vain enabled, and have seen no messages from these facilities. Could these messages be caused by an external source? I believe the link is too slow to produce 300+ SYNs per second. At the time I was also running Opera 6 for Linux, and Netscape, so there is a small possibility that one of these is trying to connect too often to the squid I run. Opinions? ------------+------------------------------------------ Alex Popa, | "Artificial Intelligence is razor@ldc.ro| no match for Natural Stupidity" ------------+------------------------------------------ "It took the computing power of three C-64s to fly to the Moon. It takes a 486 to run Windows 95. Something is wrong here." 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 14 14:42:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from harrier.prod.itd.earthlink.net (harrier.mail.pas.earthlink.net [207.217.120.12]) by hub.freebsd.org (Postfix) with ESMTP id BE4A837B41B for ; Fri, 14 Dec 2001 14:42:04 -0800 (PST) Received: from dialup-209.245.137.160.dial1.sanjose1.level3.net ([209.245.137.160] helo=blossom.cjclark.org) by harrier.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16F11h-0001ny-00; Fri, 14 Dec 2001 14:41:58 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBEMfrU04526; Fri, 14 Dec 2001 14:41:53 -0800 (PST) (envelope-from cjc) Date: Fri, 14 Dec 2001 14:41:53 -0800 
From: "Crist J . Clark" To: endrju Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw+syn Message-ID: <20011214144153.A3473@blossom.cjclark.org> References: <005d01c183f8$2932aec0$8241949f@TRDC> <20011213130508.A20968@mail.slc.edu> <20011213131120.A21111@mail.slc.edu> <016001c18402$bd795110$8241949f@TRDC> <001601c18403$373ff030$5e3bad86@boredom> <005d01c184a4$a6aeefb0$8241949f@TRDC> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <005d01c184a4$a6aeefb0$8241949f@TRDC>; from endrju@mail.lv on Fri, Dec 14, 2001 at 03:38:44PM +0200 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Dec 14, 2001 at 03:38:44PM +0200, endrju wrote: > ...# ipfw -a list > 00100 0 0 allow ip from any to any frag > 00200 419 44610 allow ip from any to any > 65535 884 92423 deny ip from any to any > > but anyway: > > su-2.04# nmap -sS -f aaa.bbb.ccc.ddd > Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/ ) > sendto in send_syn_fragz: Permission denied It's clear that ipfw(8) is blocking these. Your command line will work fine on a FreeBSD machine without ipfw(8) running. I'll see if I can figure out exactly where it is dropping these. -- "It's always funny until someone gets hurt. Then it's hilarious." Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 14 15:26: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from new-dns.whc.net (new-dns.whc.net [204.90.111.214]) by hub.freebsd.org (Postfix) with ESMTP id 5675037B419 for ; Fri, 14 Dec 2001 15:25:55 -0800 (PST) Received: (from root@localhost) by new-dns.whc.net (8.11.4/8.11.4/kbp) id for security@freebsd.org; Fri, 14 Dec 2001 16:23:34 -0700 (MST) Received: from null ([66.85.10.234]) by smtp.whc.net (8.11.4/8.11.4/kbpav) with SMTP id for ; Fri, 14 Dec 2001 16:22:41 -0700 (MST) Reply-To: 
From: "Carlos Andrade" To: Subject: okay now I am worried Date: Fri, 14 Dec 2001 16:21:35 -0700 Message-ID: <000001c184f6$133d72e0$fa01a8c0@rjstech.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The following has been in my log for a few days : -x86 FreeBSD 4.2 machine (btw) -logging in vain is turned on -the only thing I am running is natd (gateway for our company) and very few ports are specifically left open -I do not allow inside traffic to go in to the outside nic (and vice versa) to stop spoofing -I specifically blocked ports 135, 139, 3389, 6667, 6668 cause nmap said that they were responding or open for some reason. (date) /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:XXXX where XXXX has been the following : 1389, 1396, 1523, 1530 sockstat -4 returns that the only thing open is natd user command pid fd proto local_add foreign_add ROOT natd xxx 3 div4 *.8668 *.* ROOT natd XXX 4 icm4 *.* *.* sockstat -6 returns nothing (since I am not running ip6) sockstat -u returns : cron, syslogd and natd running ps -auwx | sort | uniq returns buffdaemon, pagedaemon, swapper, syncer, my bash shell, init, natd, the tty terminals, adjkerntz, syslogd, cron, and ps reading up on the ports udp 512 is biff, but I am not running any mail server. The only mail I get is generated by daily reports in cron. so am I crazy or ? ---- Carlos A. 
Andrade IS Manager RJS Technologies 915.845.5228 ext 13 915.845.2119 fax carlos@rjstech.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 14 15:33:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id CF52837B41B for ; Fri, 14 Dec 2001 15:33:14 -0800 (PST) Received: (from fasty@localhost) by I-Sphere.COM (8.11.6/8.11.6) id fBENYln42565; Fri, 14 Dec 2001 15:34:47 -0800 (PST) (envelope-from fasty) Date: Fri, 14 Dec 2001 15:34:47 -0800 
From: faSty To: Carlos Andrade Cc: freebsd-security@freebsd.org Subject: Re: okay now I am worried Message-ID: <20011214153447.F41727@i-sphere.com> References: <000001c184f6$133d72e0$fa01a8c0@rjstech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000001c184f6$133d72e0$fa01a8c0@rjstech.com>; from carlos@rjstech.com on Fri, Dec 14, 2001 at 04:21:35PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Hi there, you can disable biff by editing /etc/inetd.conf and putting a # on the biff line, then saving it. Find the PID of inetd and kill -HUP PID. It should go away on port 512.
-trev
On Fri, Dec 14, 2001 at 04:21:35PM -0700, Carlos Andrade wrote:
> The following has been in my log for a few days :
> -x86 FreeBSD 4.2 machine (btw)
> -logging in vain is turned on
> -the only thing I am running is natd (gateway for our company) and very few
> ports are specifically left open
> -I do not allow inside traffic to go in to the outside nic (and vice versa)
> to stop spoofing
> -I specifically blocked ports 135, 139, 3389, 6667, 6668 cause nmap said
> that they were responding or open for some reason.
>
> (date) /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:XXXX
>
> where XXXX has been the following :
> 1389, 1396, 1523, 1530
>
> sockstat -4 returns that the only thing open is natd
> user command pid fd proto local_add foreign_add
> ROOT natd xxx 3 div4 *.8668 *.*
> ROOT natd XXX 4 icm4 *.* *.*
>
> sockstat -6 returns nothing (since I am not running ip6)
>
> sockstat -u returns :
> cron, syslogd and natd
>
> running ps -auwx | sort | uniq returns
> buffdaemon, pagedaemon, swapper, syncer, my bash shell, init, natd, the tty
> terminals, adjkerntz, syslogd, cron, and ps
>
> reading up on the ports udp 512 is biff, but I am not running any mail
> server.
The only mail I get is generated by daily reports in cron. > > so am I crazy or ? > > ---- > Carlos A. Andrade > IS Manager > RJS Technologies > 915.845.5228 ext 13 915.845.2119 fax > carlos@rjstech.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- "You should, without hesitation, pound your typewriter into a plowshare, your paper into fertilizer, and enter agriculture." -- Business Professor, University of Georgia To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 14 17:53:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by hub.freebsd.org (Postfix) with ESMTP id 2811837B41B for ; Fri, 14 Dec 2001 17:53:14 -0800 (PST) Received: from dialup-209.245.137.160.dial1.sanjose1.level3.net ([209.245.137.160] helo=blossom.cjclark.org) by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 16F40m-0001v9-00; Fri, 14 Dec 2001 17:53:13 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBF1rAM05257; Fri, 14 Dec 2001 17:53:10 -0800 (PST) (envelope-from cjc) Date: Fri, 14 Dec 2001 17:53:10 -0800 
From: "Crist J. Clark"
To: Carlos Andrade
Cc: security@FreeBSD.ORG
Subject: Re: okay now I am worried
Message-ID: <20011214175310.D3473@blossom.cjclark.org>
References: <000001c184f6$133d72e0$fa01a8c0@rjstech.com>
In-Reply-To: <000001c184f6$133d72e0$fa01a8c0@rjstech.com>; from carlos@rjstech.com on Fri, Dec 14, 2001 at 04:21:35PM -0700
X-URL: http://people.freebsd.org/~cjc/

On Fri, Dec 14, 2001 at 04:21:35PM -0700, Carlos Andrade wrote:
> The following has been in my log for a few days :
> -x86 FreeBSD 4.2 machine (btw)
> -logging in vain is turned on
> -the only thing I am running is natd (gateway for our company) and very few
> ports are specifically left open
> -I do not allow inside traffic to go in to the outside nic (and vice versa)
> to stop spoofing
> -I specifically blocked ports 135, 139, 3389, 6667, 6668 cause nmap said
> that they were responding or open for some reason.
>
> (date) /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:XXXX

biff(1). Compare the date to times of mail delivery in /var/log/maillog.

> where XXXX has been the following :
> 1389, 1396, 1523, 1530

Ephemeral ports. Expected.

[snip]

> running ps -auwx | sort | uniq returns

Hmmm. The uniq(1) is somewhat pointless since each line is guaranteed
unique due to the PID.

[snip]

> reading up on the ports udp 512 is biff, but I am not running any mail
> server. The only mail I get is generated by daily reports in cron.

Which delivers mail locally and will do the old biff(1) thang.

> so am I crazy or ?

Dunno if you are crazy, but there is nothing suspicious here.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Fri Dec 14 21:02:06 2001
Date: Sat, 15 Dec 2001 00:01:56 -0500 (EST)
From: Mike Silbersack
To: Alex Popa
Subject: Re: Rate-limiting OPEN port RST response?
In-Reply-To: <20011215001404.A55184@ldc.ro>

On Sat, 15 Dec 2001, Alex Popa wrote:

> Is there such a limitation active by default? I am seeing the following
> message:
> Limiting open port RST response from 337 to 200 packets per second
> on my home machine, connected through a 14k modem to the net. I also
> have net.inet.{tcp,udp}.log_in_vain enabled, and have seen no messages
> from these facilities.
>
> Could these messages be caused by an external source? I believe the link
> is too slow to produce 300+ SYNs per second. At the time I was also
> running Opera 6 for Linux, and Netscape, so there is a small possibility
> that one of these is trying to connect too often to the squid I run.
>
> Opinions?

Open port RSTs should be really rare, and it does seem unlikely that they
could come in that fast through a modem... unless you can cause this to
happen again and run tcpdump, I don't think we'll know what is occurring.
(The one thing we do know is that something is going wrong - you should
basically never see open port resets if everything is working properly.)

Sorry,

Mike "Silby" Silbersack

From owner-freebsd-security Sat Dec 15 1:21:54 2001
Date: Sat, 15 Dec 2001 10:24:01 +0100
From: Zahemszky Gábor
To: freebsd-security@freebsd.org
Subject: Re: Rate-limiting OPEN port RST response?
Message-ID: <20011215102401.A338@Picasso.Zahemszky.HU>
References: <20011215001404.A55184@ldc.ro>
In-Reply-To: <20011215001404.A55184@ldc.ro>; from razor@ldc.ro on Sat, Dec 15, 2001 at 12:14:04AM +0200

On Sat, Dec 15, 2001 at 12:14:04AM +0200, Alex Popa wrote:
> Is there such a limitation active by default? I am seeing the following
> message:
> Limiting open port RST response from 337 to 200 packets per second
> on my home machine, connected through a 14k modem to the net. I also
> have net.inet.{tcp,udp}.log_in_vain enabled, and have seen no messages
> from these facilities.

Yes, the not-so-logically-named net.inet.icmp.icmplim sysctl limits this,
too (and not only ICMP responses). And yes, its default value is 200 :-)

ZGabor < Gabor at Zahemszky dot HU >

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Sat Dec 15 1:43:03 2001
Message-ID: <3C1B1B10.7000406@skynet.be>
Date: Sat, 15 Dec 2001 10:42:40 +0100
From: Raf Schietekat
Reply-To: Raf_Schietekat@ieee.org
To: FreeBSD-security@FreeBSD.ORG
Subject: Re: kdm grants ordinary users root access on 4.4-R
References: <3C195EEC.9010208@skynet.be>

No takers? Seems pretty damn serious, though: through kdm, the ordinary user
logs in, gets his home directory all right (hence the result of "cd" and the
restored KDE session), but also gets root privileges. I'll have to refresh my
Unix savvy to see how this relates to set(e)uid() and stuff, and this evening
I may look into the source myself, but I'd rather some of you would help me
out here, because I've also found a load of stuff GNU C++ won't do for me
while porting a software package from MS VC++ 5.0 (itself several years old!),
and I'd rather dedicate my time to that problem.

Raf Schietekat wrote:
> Dear experts,
>
> When I do startx from a console, my KDE environment starts up as
> expected (I have "startkde" in both .xsession and .xinitrc). Since I
> succeeded in setting up kdm (which took some asking and guessing,
> because I didn't find much in the way of documentation), I have the
> following problem:
>
> >>>>> I wrote on FreeBSD-questions with subject "kdm op 4.4-R"
> No, hold the presses, now I've got another problem, which some system
> administrators may frown upon... ;-) When I log in into KDE as my
> ordinary-user(-though-member-of-wheel) identity, I get my session back
> as I left it, but when I start up a Konsole (I was going to give the su
> root kcontrol another try), I notice that I am... root! Right at the
> prompt greeting me when the window pops up, no su or anything!
> # whoami
> root
> # pwd
> /usr/home/rfschtkt
> # cd
> # pwd
> /usr/home/rfschtkt
> [How come cd doesn't take me to /root?]
> <<<<<
>
> (Note that the subject "kdm op 4.4-R" is from a lapse into Dutch, means
> "kdm on 4.4-R".)
>
> Configuration was pretty much as follows:
> >>>>> I wrote on FreeBSD-questions with subject "kdm op 4.4-R"
> desktop# ls /usr/local/share/config/kdm
> kdmrc
> desktop# cd /usr/local/share/config/kdm
> desktop# cp /usr/X11R6/lib/X11/xdm/Xservers Xservers
> desktop# kdm -nodaemon
> [aha, login window appears... but login fails, Ctrl-Alt-F1]
> [several error messages about Xaccess, Xsetup, Xstartup, Xreset, Ctrl-C]
> ^Cdesktop# cp /usr/X11R6/lib/X11/xdm/Xaccess Xaccess
> desktop# cp /usr/X11R6/lib/X11/xdm/Xsetup_0 Xsetup
> desktop# cp /usr/X11R6/lib/X11/xdm/Xsession Xstartup
> desktop# echo > Xreset
> [ee Xstartup to contain a line for KDE]
> desktop# kdm -nodaemon
> [can log in fine, Sound server error looks different than the message I
> normally get, but that's another issue]
> [when I log out, the screen is black with a % shell in the upper left
> hand corner, and xconsole in the lower right, I type exit, I get kdm,
> Ctrl-Alt-F1, Ctrl-C]
> ^Cdesktop# echo "/usr/local/bin/kdm/desktop" > Xsetup
> [now I have a background, although there are a few seconds of delay each
> time, I go out of X, ee /etc/ttys to enable kdm from there, kill -HUP 1,
> still works fine, but I still get the % shell where I have to type exit
> <<<<<
>
> If I then log out and remove kdm from /etc/ttys and try to log in
> normally again, I can't until I've removed some files that were written
> in my home directory with owner root, but then I'm back to normal
> (normal user in Konsole until I enable kdm again).
>
> Did I miss something in the setup? Is it a known problem?
> [...]
Raf Schietekat

From owner-freebsd-security Sat Dec 15 1:54:29 2001
Date: Sat, 15 Dec 2001 10:56:36 +0100
From: Zahemszky Gábor
To: freebsd-security@freebsd.org
Subject: Re: okay now I am worried
Message-ID: <20011215105636.B338@Picasso.Zahemszky.HU>
References: <000001c184f6$133d72e0$fa01a8c0@rjstech.com> <20011214175310.D3473@blossom.cjclark.org>
In-Reply-To: <20011214175310.D3473@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Fri, Dec 14, 2001 at 05:53:10PM -0800

Hi!

> > (date) /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:XXXX
>
> biff(1). Compare the date to times of mail delivery in
> /var/log/maillog.

By the way, the port is biff, but the connection is from sendmail. And the
message is from log_in_vain, so biff(1) isn't running.

> > reading up on the ports udp 512 is biff, but I am not running any mail
> > server. The only mail I get is generated by daily reports in cron.
>
> Which delivers mail locally and will do the old biff(1) thang.

So there are two possibilities:

1) (from sendmail manual): uncomment the biff port in /etc/services (if you
   didn't install any other MTA)

2) edit /etc/mail/sendmail.cf, and change in the Mlocal part:

===
Mlocal,         P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qPSXfmnz9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
                T=DNS/RFC822/SMTP,
                A=mail.local -l -B
--------------------------------^
===

in the original version, there isn't the ``-B'' option.

man mail.local:

     -B      Turn off the attempts to notify the service.

By:

ZGabor < Gabor at Zahemszky dot HU >

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Sat Dec 15 10:37:21 2001
Date: Sat, 15 Dec 2001 13:37:01 -0500 (EST)
From: Matt Piechota
Subject: Re: kdm grants ordinary users root access on 4.4-R
In-Reply-To: <3C1B1B10.7000406@skynet.be>
Message-ID: <20011215132828.P59641-100000@cithaeron.argolis.org>

On Sat, 15 Dec 2001, Raf Schietekat wrote:

> No takers? Seems pretty damn serious, though: through kdm, the ordinary
> user logs in, gets his home directory all right (hence the result of
> "cd" and the restored KDE session), but also gets root privileges. I'll
> have to refresh my Unix savvy to see how this relates to set(e)uid() and
> stuff, and this evening I may look into the source myself, but I'd
> rather some of you would help me out here, because I've also found a
> load of stuff GNU C++ won't do for me while porting a software package
> from MS VC++ 5.0 (itself several years old!), and I'd rather dedicate my
> time to that problem.

Strange. My kde2 (or are we talking kde1?) doesn't show this behavior. I
have used kcontrol the last day or two, and I have no root owned files in
my home. Although that would shock me since my home is nfs mounted without
root privs.

While kcontrol *does* claim that the user is root, I don't seem to have
any rootly power to change things, such as the kdm properties. I'm thinking
kde2 is having problems with the freebsd passwd, although I don't know
why. I also haven't figured out why kde won't accept my password to
unlock the screen saver, or the root password so I *can* modify the kdm
settings as myself. I've been meaning to peek at the code to see why
those two bits don't work.

As for the lack of response, I suppose that if I were very security
conscious, I wouldn't be running kde (or probably X) in the first place.
There probably aren't too many people on the list that are running kde.
:)

-- 
Matt Piechota

From owner-freebsd-security Sat Dec 15 14:27:45 2001
Message-ID: <3C1BCE3B.4010102@skynet.be>
Date: Sat, 15 Dec 2001 23:27:07 +0100
From: Raf Schietekat
Reply-To: Raf_Schietekat@ieee.org
To: Matt Piechota
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: kdm grants ordinary users root access on 4.4-R
References: <20011215132828.P59641-100000@cithaeron.argolis.org>

Matt Piechota wrote:
> [...]
> Strange. My kde2 (or are we talking kde1?) doesn't show this behavior.

The problem doesn't occur in KDE (from /stand/sysinstall, which is Release
2.2 according to Konqueror's "About KDE") with startx or with xdm, only with
kdm: do you mean you are using kdm without this problem?

> I have used kcontrol the last day or two, and I have no root owned files
> in my home. Although that would shock me since my home is nfs mounted
> without root privs.

This was from a user session when logged in through kdm, nothing to do with
kcontrol (that was a reference to something else, in the original
FreeBSD-questions discussion).

> While kcontrol *does* claim that the user is root, I don't seem to have
> any rootly power to change things, such as the kdm properties. I'm thinking
> kde2 is having problems with the freebsd passwd, although I don't know
> why. I also haven't figured out why kde won't accept my password to
> unlock the screen saver, or the root password so I *can* modify the kdm
> settings as myself. I've been meaning to peek at the code to see why
> those two bits don't work.

Last time I tried, I could run kcontrol from su root in a KDE Konsole shell,
and it was able to change System/Login Manager settings. If it is started
without su root, I cannot give it root privileges through the window asking
for root's password that appears after clicking Modify; similar thing when
trying to set the time from the clock in the bottom-right corner
("Conversation with su failed."), if I were inclined to use that instead of
my command-line su-root adjtime(2) wrapper (no permanent connection for NTP).
I also can't unlock the screen saver. But those are all different issues from
the subject of this thread.

> As for the lack of response, I suppose that if I were very security
> conscious, I wouldn't be running kde (or probably X) in the first place.

So, if you have the temerity to run X, you're on your own, ey? :-)

> There probably aren't too many people on the list that are running kde.
> :)

Raf Schietekat
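Added example, not part of the archived thread: a small triage script that does what Crist Clark suggests in the "okay now I am worried" exchange above, lining the kernel's log_in_vain "Connection attempt to UDP 127.0.0.1:512" messages up against local deliveries in /var/log/maillog, and that also parses the icmplim "Limiting open port RST response" message from the rate-limit thread. The sample log lines, the host name "gw", the year, the sendmail queue ids and the 5-second matching window are constructed assumptions.

```python
"""Triage FreeBSD log_in_vain and icmplim kernel messages (added example)."""
import re
from datetime import datetime

# Syslog prefix "Dec 14 03:01:05 host rest..."; the timestamp carries no year.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (.*)$")
ATTEMPT_RE = re.compile(
    r"Connection attempt to (?P<proto>UDP|TCP) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" from (?P<src>[\d.]+):(?P<sport>\d+)")
RST_LIMIT_RE = re.compile(
    r"Limiting open port RST response from (?P<seen>\d+) to (?P<limit>\d+)"
    r" packets per second")
YEAR = 2001  # assumption: we supply the year that syslog leaves out

# Constructed sample lines (host name, PIDs and queue ids are made up).
KERNEL_LOG = [
    "Dec 14 03:01:05 gw /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1389",
    "Dec 14 03:02:11 gw /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1396",
    "Dec 14 11:42:30 gw /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1523",
    "Dec 15 00:09:41 gw /kernel: Limiting open port RST response from 337 to 200 packets per second",
]
MAILLOG = [
    "Dec 14 03:01:04 gw sendmail[412]: fBEB14xx000412: to=root, delay=00:00:01, mailer=local, stat=Sent",
    "Dec 14 03:02:10 gw sendmail[431]: fBEB2Axx000431: to=root, delay=00:00:01, mailer=local, stat=Sent",
]


def parse_ts(prefix):
    """Turn a year-less syslog timestamp into a datetime."""
    return datetime.strptime(f"{YEAR} {prefix}", "%Y %b %d %H:%M:%S")


def correlate_biff(kernel_lines, maillog_lines, window_s=5):
    """Split UDP/512 'Connection attempt' lines into (explained, unexplained).
    Explained: both endpoints loopback and a local delivery (mailer=local)
    logged within window_s seconds, i.e. the mailer's biff notification
    hitting port 512 with nothing listening. Everything else is returned."""
    deliveries = []
    for line in maillog_lines:
        m = SYSLOG_RE.match(line)
        if m and "mailer=local" in m.group(2):
            deliveries.append(parse_ts(m.group(1)))

    explained, unexplained = [], []
    for line in kernel_lines:
        m = SYSLOG_RE.match(line)
        a = ATTEMPT_RE.search(m.group(2)) if m else None
        if not a or a["proto"] != "UDP" or a["dport"] != "512":
            continue
        ts = parse_ts(m.group(1))
        loopback = a["src"].startswith("127.") and a["dst"].startswith("127.")
        near = any(abs((ts - d).total_seconds()) <= window_s for d in deliveries)
        (explained if loopback and near else unexplained).append(line)
    return explained, unexplained


def rst_limit_events(kernel_lines):
    """Return [(timestamp, packets_suppressed)] for each icmplim RST message."""
    out = []
    for line in kernel_lines:
        m = SYSLOG_RE.match(line)
        r = RST_LIMIT_RE.search(m.group(2)) if m else None
        if r:
            out.append((parse_ts(m.group(1)), int(r["seen"]) - int(r["limit"])))
    return out


if __name__ == "__main__":
    ok, odd = correlate_biff(KERNEL_LOG, MAILLOG)
    print(f"{len(ok)} UDP/512 attempts line up with local deliveries; {len(odd)} do not:")
    for line in odd:
        print("  ", line)
    for ts, dropped in rst_limit_events(KERNEL_LOG):
        print(f"{ts}: icmplim suppressed {dropped} open-port RSTs that second")
```

On a real box, feed it the relevant lines from /var/log/messages and /var/log/maillog; attempts that land in the unexplained list are the ones worth a tcpdump, as Mike Silbersack suggests for the RST case.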