From owner-freebsd-security Sun Oct 13 8:41:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C31737B401 for ; Sun, 13 Oct 2002 08:41:25 -0700 (PDT)
Received: from nic.upatras.gr (nic.upatras.gr [150.140.129.30]) by mx1.FreeBSD.org (Postfix) with SMTP id 7D93943E7B for ; Sun, 13 Oct 2002 08:41:23 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr)
Received: (qmail 25777 invoked from network); 13 Oct 2002 15:34:20 -0000
Received: from upnet-dialinpool-57.upnet.gr (HELO hades.hell.gr) (@150.140.128.197) by nic.upatras.gr with SMTP; 13 Oct 2002 15:34:20 -0000
Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.6/8.12.6) with ESMTP id g9DFfSaW003812; Sun, 13 Oct 2002 18:41:28 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Received: (from keramida@localhost) by hades.hell.gr (8.12.6/8.12.6/Submit) id g9DFfRuV003811; Sun, 13 Oct 2002 18:41:28 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Sun, 13 Oct 2002 18:41:27 +0300
From: Giorgos Keramidas
To: Ricardo Anguiano
Cc: Chris BeHanna, FreeBSD Security
Subject: Re: access() is a security hole?
Message-ID: <20021013154127.GA2970@hades.hell.gr>
References: <20021011094935.I86274-100000@topperwein.pennasoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
X-PGP-Fingerprint: C1EB 0653 DB8B A557 3829 00F9 D60F 941A 3186 03B6
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 2002-10-11 09:39, Ricardo Anguiano wrote:
> Chris BeHanna writes:
> > On Fri, 11 Oct 2002, Bruce Evans wrote:
> > > Setuid programs should only use access() to check whether they will
> > > have permission after they set[ug]id() to the real [ug]id. Non-setuid
> > > programs mostly don't need such checks.
> > > They can just try the operation.
> >
> > Perhaps the way to avoid the race is to open the file, lock it,
> > and *then* call access(), then close the file or proceed based upon
> > the result.
>
> What's wrong with opening the file, then using fstat to check the
> properties of the file associated with the file descriptor?

Sometimes, just opening a `file' has interesting side-effects. For
instance, opening a rewinding tape device will start the tape rewinding
process. You might not want to cause such side-effects to happen :-/

--
keramida@FreeBSD.org
FreeBSD: The Power to Serve
FreeBSD 5.0-CURRENT #12: Thu Oct 10 21:08:38 EEST 2002

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Oct 13 11:43:14 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 38E6C37B401 for ; Sun, 13 Oct 2002 11:43:12 -0700 (PDT)
Received: from topperwein.dyndns.org (acs-24-154-51-246.zoominternet.net [24.154.51.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EBB743EA9 for ; Sun, 13 Oct 2002 11:43:11 -0700 (PDT) (envelope-from behanna@zbzoom.net)
Received: from topperwein.pennasoft.com ([192.168.168.10]) by topperwein.dyndns.org (8.12.6/8.12.5) with ESMTP id g9DIhBCk033892 for ; Sun, 13 Oct 2002 14:43:11 -0400 (EDT) (envelope-from behanna@zbzoom.net)
Date: Sun, 13 Oct 2002 14:43:06 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Subject: Re: access() is a security hole?
In-Reply-To:
Message-ID: <20021013143844.W86274-100000@topperwein.pennasoft.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On 11 Oct 2002, Ricardo Anguiano wrote:
> Benjamin Krueger writes:
>
> > * Ricardo Anguiano (anguiano@codesourcery.com) [021011 09:39]:
> > > Chris BeHanna writes:
> > >
> > > > On Fri, 11 Oct 2002, Bruce Evans wrote:
> > > > > Setuid programs should only use access() to check whether they will
> > > > > have permission after they set[ug]id() to the real [ug]id. Non-setuid
> > > > > programs mostly don't need such checks. They can just try the operation.
> > > >
> > > > Perhaps the way to avoid the race is to open the file, lock it,
> > > > and *then* call access(), then close the file or proceed based upon
> > > > the result.
> > >
> > > What's wrong with opening the file, then using fstat to check the
> > > properties of the file associated with the file descriptor?

If you're worried about the kinds of races to which access(2) is
vulnerable, then you *MUST* lock the file to prevent another process
from modifying it, and that lock must be mandatory. open() and fstat()
do not close the hole. You need open() with a mandatory lock, then
fstat(), then, if the uid/gid has permission, do with the lock whatever
the program logic requires, or else close the file, dropping the lock
implicitly.

> > And if you don't have sufficient permission to open the file?
>
> IMHO, then there was no point in making the access(2) call. The
> problem exists when the process is running with elevated privileges.
>
> AFAIK, open(2) does not fail due to permission problems when run as
> root. Thus, the need to check for the invoking user's permission to
> open the file.

Correct.
In the case that the process has no permission to open the file, the
setuid/gid program merely closes it immediately.

> PS: Chris: postmaster@telstraclear.co.nz says you don't exist.

Then it's misconfigured, as I quite clearly do. Perhaps it was a
transient DNS problem.

--
Chris BeHanna                   http://www.pennasoft.com
Principal Consultant            PennaSoft Corporation
chris@pennasoft.com

From owner-freebsd-security Sun Oct 13 23:27:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E801E37B401 for ; Sun, 13 Oct 2002 23:27:53 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F3E243EAA for ; Sun, 13 Oct 2002 23:27:53 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.org (8.9.3/8.9.3) id AAA13616 for security@freebsd.org; Mon, 14 Oct 2002 00:27:45 -0600 (MDT)
Date: Mon, 14 Oct 2002 00:27:45 -0600 (MDT)
From: Brett Glass
Message-Id: <200210140627.AAA13616@lariat.org>
To: security@freebsd.org
Subject: TCFS for FreeBSD?

Has TCFS been ported to FreeBSD? I'm looking for a good encrypted network
file system for a group of FreeBSD machines.
--Brett Glass

From owner-freebsd-security Sun Oct 13 23:45: 5 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC8ED37B401 for ; Sun, 13 Oct 2002 23:45:03 -0700 (PDT)
Received: from bas.flux.utah.edu (bas.flux.utah.edu [155.98.60.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 33F2F43E7B for ; Sun, 13 Oct 2002 23:45:03 -0700 (PDT) (envelope-from danderse@flux.utah.edu)
Received: from bas.flux.utah.edu (localhost [127.0.0.1]) by bas.flux.utah.edu (8.12.5/8.12.5) with ESMTP id g9E6UlOR014107; Mon, 14 Oct 2002 00:30:47 -0600 (MDT) (envelope-from danderse@bas.flux.utah.edu)
Received: (from danderse@localhost) by bas.flux.utah.edu (8.12.5/8.12.5/Submit) id g9E6Ulrl014106; Mon, 14 Oct 2002 00:30:47 -0600 (MDT)
Date: Mon, 14 Oct 2002 00:30:47 -0600
From: "David G. Andersen"
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: TCFS for FreeBSD?
Message-ID: <20021014003047.A99525@cs.utah.edu>
References: <200210140627.AAA13616@lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200210140627.AAA13616@lariat.org>; from brett@lariat.org on Mon, Oct 14, 2002 at 12:27:45AM -0600

SFS. http://www.fs.net/

Been running it here, very stably, for almost two years. Great stuff.

-Dave

Brett Glass just mooed:
> Has TCFS been ported to FreeBSD? I'm looking for a good encrypted network
> file system for a group of FreeBSD machines.
>
> --Brett Glass

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email. Do not spam me.

From owner-freebsd-security Mon Oct 14 0: 1:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE6CA37B401 for ; Mon, 14 Oct 2002 00:01:23 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2233643EB1 for ; Mon, 14 Oct 2002 00:01:23 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.org (8.9.3/8.9.3) id BAA13945; Mon, 14 Oct 2002 01:01:06 -0600 (MDT)
Date: Mon, 14 Oct 2002 01:01:06 -0600 (MDT)
From: Brett Glass
Message-Id: <200210140701.BAA13945@lariat.org>
To: brett@lariat.org, danderse@cs.utah.edu
Subject: Re: TCFS for FreeBSD?
Cc: security@FreeBSD.ORG
In-Reply-To: <20021014003047.A99525@cs.utah.edu>

Just checked, and it's GPLed. (Which it shouldn't be, because it is sponsored
by DARPA.) Can't use it -- both by policy and for practical reasons (we can't
fix bugs ourselves because we can't look at the code).
--Brett

From owner-freebsd-security Mon Oct 14 0:10:48 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DD2737B401 for ; Mon, 14 Oct 2002 00:10:47 -0700 (PDT)
Received: from bas.flux.utah.edu (bas.flux.utah.edu [155.98.60.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1A1443EAA for ; Mon, 14 Oct 2002 00:10:46 -0700 (PDT) (envelope-from danderse@flux.utah.edu)
Received: from bas.flux.utah.edu (localhost [127.0.0.1]) by bas.flux.utah.edu (8.12.5/8.12.5) with ESMTP id g9E7AkOR015104; Mon, 14 Oct 2002 01:10:46 -0600 (MDT) (envelope-from danderse@bas.flux.utah.edu)
Received: (from danderse@localhost) by bas.flux.utah.edu (8.12.5/8.12.5/Submit) id g9E7AkxW015103; Mon, 14 Oct 2002 01:10:46 -0600 (MDT)
Date: Mon, 14 Oct 2002 01:10:46 -0600
From: "David G. Andersen"
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: TCFS for FreeBSD?
Message-ID: <20021014011046.B99525@cs.utah.edu>
References: <20021014003047.A99525@cs.utah.edu> <200210140701.BAA13945@lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200210140701.BAA13945@lariat.org>; from brett@lariat.org on Mon, Oct 14, 2002 at 01:01:06AM -0600

Brett Glass just mooed:
> Just checked, and it's GPLed. (Which it shouldn't be, because it is sponsored
> by DARPA.) Can't use it -- both by policy and for practical reasons (we can't
> fix bugs ourselves because we can't look at the code).

Please don't turn this into a religious discussion.
But to respond to a factual error in your message: Our DARPA program
managers are content with us GPL'ing code. An important part of
DARPA sponsorship is tech transfer to both civilian and military
applications. The GPL and BSD licenses, as well as not releasing
the code and creating a startup, are all viewed as good ways for
taking sponsored research and making something useful out of it.
The important part is that it gets out there and improves the state
of technology.

I don't care what your politics are, but don't spread incorrect
information.

This discussion is now quite off-topic for -security. This is my last
message.

-Dave

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email. Do not spam me.

From owner-freebsd-security Mon Oct 14 6:51:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 19CDC37B401 for ; Mon, 14 Oct 2002 06:51:29 -0700 (PDT)
Received: from arbornet.org (m-net.arbornet.org [209.142.209.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F69B43EAC for ; Mon, 14 Oct 2002 06:51:28 -0700 (PDT) (envelope-from polytarp@m-net.arbornet.org)
Received: from m-net.arbornet.org (localhost [127.0.0.1]) by arbornet.org (8.12.3/8.11.2) with ESMTP id g9EDqZAj045822; Mon, 14 Oct 2002 09:52:35 -0400 (EDT) (envelope-from polytarp@m-net.arbornet.org)
Received: from localhost (polytarp@localhost) by m-net.arbornet.org (8.12.3/8.12.3/Submit) with ESMTP id g9EDqYDc045819; Mon, 14 Oct 2002 09:52:34 -0400 (EDT)
Date: Mon, 14 Oct 2002 09:52:34 -0400 (EDT)
From: pgreen
To: Brett Glass
Cc: danderse@cs.utah.edu,
Subject: Re: TCFS for FreeBSD?
In-Reply-To: <200210140701.BAA13945@lariat.org>
Message-ID: <20021014095202.L45744-100000@m-net.arbornet.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Wait, you can't look at the code? Is it too bright, blinding, or what?

On Mon, 14 Oct 2002, Brett Glass wrote:
> Just checked, and it's GPLed. (Which it shouldn't be, because it is sponsored
> by DARPA.) Can't use it -- both by policy and for practical reasons (we can't
> fix bugs ourselves because we can't look at the code).
>
> --Brett

From owner-freebsd-security Mon Oct 14 7:55: 5 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3474037B404 for ; Mon, 14 Oct 2002 07:55:04 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E00D43EB1 for ; Mon, 14 Oct 2002 07:55:03 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id IAA17593; Mon, 14 Oct 2002 08:54:53 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20021014085250.00e0d940@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 14 Oct 2002 08:54:50 -0600
To: "David G. Andersen"
From: Brett Glass
Subject: Re: TCFS for FreeBSD?
Cc: security@FreeBSD.ORG
In-Reply-To: <20021014011046.B99525@cs.utah.edu>
References: <200210140701.BAA13945@lariat.org> <20021014003047.A99525@cs.utah.edu> <200210140701.BAA13945@lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 01:10 AM 10/14/2002, David G. Andersen wrote:

> But to respond to a factual error in your message: Our DARPA program
>managers are content with us GPL'ing code. An important part of
>DARPA sponsorship is tech transfer to both civilian and military
>applications.

Exactly.

>The GPL and BSD licenses, as well as not releasing
>the code and creating a startup, are all viewed as good ways for
>taking sponsored research and making something useful out of it.

The GPL makes the code useless to commercial software developers and
therefore does not satisfy that goal.

Now, to return to the topic at hand: Does anyone know of an encrypted
file system for FreeBSD which is licensed under a truly free, non-viral
license?

--Brett Glass

From owner-freebsd-security Mon Oct 14 7:56:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9DA2637B401 for ; Mon, 14 Oct 2002 07:56:58 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id CFD4643EB1 for ; Mon, 14 Oct 2002 07:56:57 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id IAA17618; Mon, 14 Oct 2002 08:56:40 -0600 (MDT)
X-message-flag: Warning!
  Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20021014085509.00e0d530@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 14 Oct 2002 08:56:36 -0600
To: pgreen
From: Brett Glass
Subject: Re: TCFS for FreeBSD?
Cc: danderse@cs.utah.edu,
In-Reply-To: <20021014095202.L45744-100000@m-net.arbornet.org>
References: <200210140701.BAA13945@lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 07:52 AM 10/14/2002, pgreen wrote:
>Wait, you can't look at the code? Is it too bright, blinding, or what?

Looking at GPLed code puts programmers at risk of lawsuits claiming that
anything similar to it which they later produce is derivative -- and
therefore must later be licensed under the GPL and given away for free.
--Brett

From owner-freebsd-security Mon Oct 14 9:14:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0142137B401 for ; Mon, 14 Oct 2002 09:14:14 -0700 (PDT)
Received: from arbornet.org (m-net.arbornet.org [209.142.209.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6319B43E65 for ; Mon, 14 Oct 2002 09:14:13 -0700 (PDT) (envelope-from polytarp@m-net.arbornet.org)
Received: from m-net.arbornet.org (localhost [127.0.0.1]) by arbornet.org (8.12.3/8.11.2) with ESMTP id g9EGFVAj058559; Mon, 14 Oct 2002 12:15:31 -0400 (EDT) (envelope-from polytarp@m-net.arbornet.org)
Received: from localhost (polytarp@localhost) by m-net.arbornet.org (8.12.3/8.12.3/Submit) with ESMTP id g9EGFUVb058556; Mon, 14 Oct 2002 12:15:31 -0400 (EDT)
Date: Mon, 14 Oct 2002 12:15:30 -0400 (EDT)
From: pgreen
To: Brett Glass
Cc: danderse@cs.utah.edu,
Subject: Re: TCFS for FreeBSD?
In-Reply-To: <4.3.2.7.2.20021014085509.00e0d530@localhost>
Message-ID: <20021014121425.Q58385-100000@m-net.arbornet.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

fear_monger_straightener -- detect fear mongers
Copyright (C) 2002 Phil Green

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

#include <stdio.h>

int main(void)
{
    int n;

    for (n = 0; n < 100; n++)
    {
        printf("I made Brett Glass look at GPLd code!");
    }

    return 0;
}

On Mon, 14 Oct 2002, Brett Glass wrote:
> At 07:52 AM 10/14/2002, pgreen wrote:
>
> >Wait, you can't look at the code? Is it too bright, blinding, or what?
>
> Looking at GPLed code puts programmers at risk of lawsuits claiming that
> anything similar to it which they later produce is derivative -- and
> therefore must later be licensed under the GPL and given away for free.
>
> --Brett

From owner-freebsd-security Mon Oct 14 9:20:42 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B74F837B401 for ; Mon, 14 Oct 2002 09:20:39 -0700 (PDT)
Received: from scaup.mail.pas.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49]) by mx1.FreeBSD.org (Postfix) with ESMTP id 699A143E9E for ; Mon, 14 Oct 2002 09:20:39 -0700 (PDT) (envelope-from jason@somebodydial911.com)
Received: from 1cust76.tnt3.gary.in.da.uu.net ([67.241.69.76] helo=192.168.1.4) by scaup.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 1817xI-0003or-00; Mon, 14 Oct 2002 09:20:33 -0700
Date: Mon, 14 Oct 2002 11:20:28 -0500
From: jason perkins
Subject: Re: TCFS for FreeBSD?
To: pgreen, security@FreeBSD.ORG
X-Priority: 3
In-Reply-To: <20021014121425.Q58385-100000@m-net.arbornet.org>
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; Charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Mailsmith 1.5.4 (Blindsider)

On 10/14/02 at 12:15, polytarp@m-net.arbornet.org (pgreen) wrote:

> fear_monger_straightener -- detect fear mongers
> Copyright (C) 2002 Phil Green
>
> This program is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License as published by
> the Free Software Foundation; either version 2 of the License, or
> (at your option) any later version.
>
> This program is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
>
> You should have received a copy of the GNU General Public License
> along with this program; if not, write to the Free Software
> Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>
> #include <stdio.h>
>
> int main(void)
> {
>     int n;
>
>     for (n = 0; n < 100; n++)
>     {
>         printf("I made Brett Glass look at GPLd code!");
>     }
>
>     return 0;
> }

Just so long as you don't include "AFAIK" or "as far as i know" in your posts
and run afoul of Brett's trademarks:

oops.
--
Jason Perkins

From owner-freebsd-security Mon Oct 14 10: 6:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 117D337B401 for ; Mon, 14 Oct 2002 10:06:43 -0700 (PDT)
Received: from topperwein.dyndns.org (acs-24-154-51-246.zoominternet.net [24.154.51.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F98543E9E for ; Mon, 14 Oct 2002 10:06:42 -0700 (PDT) (envelope-from behanna@zbzoom.net)
Received: from [192.168.168.10] ([192.168.168.10]) by topperwein.dyndns.org (8.12.6/8.12.5) with ESMTP id g9EH6fE9062915 for ; Mon, 14 Oct 2002 13:06:41 -0400 (EDT) (envelope-from behanna@zbzoom.net)
Date: Mon, 14 Oct 2002 13:06:36 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Subject: Re: TCFS for FreeBSD?
In-Reply-To:
Message-ID: <20021014130059.U13713-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 14 Oct 2002, jason perkins wrote:
>
> [...GPL flame bait snipped...]
>
> Just so long as you don't include "AFAIK" or "as far as i know" in your posts
> and run afoul of Brett's trademarks:
>
>

According to http://www.uspto.gov , they aren't Brett's (or anyone
else's) trademarks. Should anyone attempt to trademark them, it should
be a trivial exercise to demonstrate that they are or were in common use
prior to the attempt.

The discussion of whether or not reading GPL'd code creates an
intellectual property "contamination" issue requiring the use of "clean
room" techniques to insulate a company from a lawsuit by the FSF is
off-topic. It's important, to be sure, but it's off-topic.
Regards,

--
Chris BeHanna                   http://www.pennasoft.com
Principal Consultant            PennaSoft Corporation
chris@pennasoft.com

From owner-freebsd-security Mon Oct 14 12:22:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6838137B401 for ; Mon, 14 Oct 2002 12:22:25 -0700 (PDT)
Received: from mpls-qmqp-02.inet.qwest.net (mpls-qmqp-02.inet.qwest.net [63.231.195.113]) by mx1.FreeBSD.org (Postfix) with SMTP id D19DD43E6E for ; Mon, 14 Oct 2002 12:22:24 -0700 (PDT) (envelope-from maildrop@qwest.net)
Received: (qmail 25059 invoked by uid 0); 14 Oct 2002 19:16:58 -0000
Received: from unknown (63.231.195.10) by mpls-qmqp-02.inet.qwest.net with QMQP; 14 Oct 2002 19:16:58 -0000
Received: from unknown (HELO jenny) (63.231.238.226) by mpls-pop-10.inet.qwest.net with SMTP; 14 Oct 2002 19:22:24 -0000
Date: Mon, 14 Oct 2002 14:31:05 -0500
Message-ID:
From: "Maildrop"
To: freebsd-security@freebsd.org
Subject: FW: monitor ALL connections to ALL ports
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal

I put this rule in:

ipfw add count log all from any to any

I am getting messages in my log (/var/log/all.log) that appear like this:

Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161 from 192.168.17.1:1166

Which is exactly what I want, but there are a couple of issues:

1) It only logs "failed" connects.
If I try to `telnet localhost 55`, it will log that, but if I do a
`telnet localhost 80` (where the web server is running) the connection is
valid and it doesn't log it.

2) How do I set up syslog for this? The ipfw man page says it logs to the
LOG_SECURITY facility. I want to log all connections (failed or not) into
one file. This is what I currently have in my syslogd.conf file (the log
above I am pulling from all.log):

security.*              /var/log/security
log.security            /var/log/ipfw.log

Both these files are empty :( I restarted syslogd.

Regards,
Jack

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Dragan Mickovic
> Sent: Saturday, October 12, 2002 9:41 AM
> To: Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: monitor ALL connections to ALL ports
>
>
> You can just put IPFilter with a default rule to pass and log. By default
> it will log src,dst,port,len .. ie:
>
> Sep 22 19:39:20 server_name ipmon[84]: 19:39:20.251359 fxp0 @0:20
> b 192.168.1.20,137 -> 192.168.1.255,137 PR udp len 20 78 IN
>
>
> micko
>
> On Sat, Oct 12, 2002 at 12:17:42AM -0500, Maildrop wrote:
> >
> > I currently have a DSL line and a FreeBSD firewall/gateway (dual homed).
> > It has one internal IP address and 5 external IP addresses (one "real"
> > IP and 4 aliases on the same external NIC).
> >
> > What I want to do is monitor and record (to log) all incoming/outgoing
> > connections (just source IP/dest IP/port). If someone connects to my web
> > server it should log what IP accessed it, the time, which IP (the web
> > server runs on 2 external IP addresses) and the port. Also if someone
> > does a port scan against the box I should be able to tell it is a port
> > scan (since one IP address would be opening up a bunch of ports).
> >
> > Right now I don't care what data is being sent/received, just what
> > connections are being made (and the details about those connections).
> >
> > Any suggestions?
> >
> > Regards,
> > Jack
>
> --
> Dragan Mickovic
> UNIX Systems Administrator
> NTT/Verio x.4012

From owner-freebsd-security Mon Oct 14 15: 2:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4766437B40B for ; Mon, 14 Oct 2002 15:02:42 -0700 (PDT)
Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0890343EB2 for ; Mon, 14 Oct 2002 15:02:42 -0700 (PDT) (envelope-from mike@adept.org)
Received: by fubar.adept.org (Postfix, from userid 1001) id B1398154D5; Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id AEF82154D3 for ; Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
Date: Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
From: Mike Hoskins
To: freebsd-security@freebsd.org
Subject: Re: FW: monitor ALL connections to ALL ports
In-Reply-To:
Message-ID: <20021014145602.K1231-100000@fubar.adept.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 14 Oct 2002, Maildrop wrote:
> I put this rule in:
> ipfw add count log all from any to any

Is this rule before the other allow rules in your chain? Since the rule
chain is parsed on a first-match basis, you'll either need this rule
before all others or you'll need to add log entries to each of your other
rules.
> security.* /var/log/security

By default, this logs anything dumped to syslog by ipfw via the log keyword. I think you're just being bitten by rule order.

From owner-freebsd-security Mon Oct 14 17:32:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9540C37B401 for ; Mon, 14 Oct 2002 17:32:36 -0700 (PDT) Received: from mail.relinetworks.com (tiamat.relinetworks.com [204.214.92.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id 83BC143E4A for ; Mon, 14 Oct 2002 17:32:35 -0700 (PDT) (envelope-from rob@relinetworks.com) Received: from mail.relinetworks.com (rob@localhost [127.0.0.1]) by mail.relinetworks.com (8.12.6/8.12.6) with ESMTP id g9F0WFvJ009290 for ; Mon, 14 Oct 2002 20:32:20 -0400 (EDT) Received: (from rob@localhost) by mail.relinetworks.com (8.12.6/8.12.2/Submit) id g9F0WDnM009289 for security@freebsd.org; Mon, 14 Oct 2002 20:32:13 -0400 (EDT) Date: Mon, 14 Oct 2002 20:32:13 -0400 From: Rob Andrews To: security@freebsd.org Subject: Re: TCFS for FreeBSD? Message-ID: <20021014203213.A9141@enigma.relinetworks.com> References: <200210140627.AAA13616@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200210140627.AAA13616@lariat.org>; from brett@lariat.org on Mon, Oct 14, 2002 at 12:27:45AM -0600 Organization: RELI Networks, Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Mark,

Would you please take the time to remind the persons involved on this thread of why it was you reposted this list's guidelines to everyone on the list. Once again, the initial question was on topic and even one of the responses..
But per normal for one of the persons, it was turned into an offtopic and inappropriate dialog for this list. -- Rob Andrews RELI Networks, Inc. Marietta, GA. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 14 20:23:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D968A37B401 for ; Mon, 14 Oct 2002 20:23:41 -0700 (PDT) Received: from txsmtp03.texas.rr.com (smtp3.texas.rr.com [24.93.36.231]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4657943EAC for ; Mon, 14 Oct 2002 20:23:41 -0700 (PDT) (envelope-from ww@austin.rr.com) Received: from apricot (cs24243228-109.austin.rr.com [24.243.228.109]) by txsmtp03.texas.rr.com (8.12.5/8.12.2) with SMTP id g9F3MXNL007683 for ; Mon, 14 Oct 2002 23:22:33 -0400 (EDT) From: "William Wallace" To: "FreeBSD Security" Subject: RE: Kernel log message Date: Mon, 14 Oct 2002 22:21:13 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <3DA8F90A.7070101@hq.dyns.cx> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thanks to all who replied. Just as an additional interesting piece of information: Because the machine in question was in a state that made it easy to simply wipe it out and re-install everything from scratch, I decided to do just that. Upon reinstalling the OS and rebooting, I got a kernel log message in my FreeBSD server that indicated the "opposite" MAC address change. 
It changed from "00:00:78:0d:5a:7f" back to "00:20:78:0d:5a:7f", which is what it was originally. I'm suspicious now of some kind of malicious software or something, but it's going to be hard to determine what exactly made that happen.

Thanks again,
- William.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of wolf
Sent: Saturday, October 12, 2002 11:40 PM
Cc: FreeBSD Security
Subject: Re: Kernel log message

>Could someone explain to me what the following log message means:
>
>disco.wwallace.net kernel log messages:
>
>arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on
>de0
>
>Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from
>00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0
>
>The machine in question (192.168.100.2) is a Windows 2000 machine that has
>had the same NIC for years. Also, only one of the digits in the MAC
>address seems to have changed. What could cause this?
>

1) The NIC card could be dying. "same NIC for years"
2) Transmission error of some sort on your LAN
3) Problem w/ a packet switch.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 14 21: 5:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D44537B401 for ; Mon, 14 Oct 2002 21:05:57 -0700 (PDT) Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 10B2943E3B for ; Mon, 14 Oct 2002 21:05:55 -0700 (PDT) (envelope-from smithi@nimnet.asn.au) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id OAA06050; Tue, 15 Oct 2002 14:05:47 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Tue, 15 Oct 2002 14:05:47 +1000 (EST) From: Ian Smith To: William Wallace Cc: FreeBSD Security Subject: RE: Kernel log message In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 14 Oct 2002, William Wallace wrote: > Thanks to all who replied. Just as an additional interesting piece of > information: Because the machine in question was in a state that made it > easy to simply wipe it out and re-install everything from scratch, I decided > to do just that. Upon reinstalling the OS and rebooting, I got a kernel log > message in my FreeBSD server that indicated the "opposite" MAC address > change. It changed from "00:00:78:0d:5a:7f" back to "00:20:78:0d:5a:7f", That's still a one-bit error. In my humble experience, one-bit errors are almost invariably hardware. If so, then I guess this is off-topic. > which is what it was originally. 
I'm suspicious now of some kind of > malicious software or something, but it's going to be hard to determine what > exactly made that happen. Did you try cleaning the NIC in question, and the computer it lives in? [..] > >The machine in question (192.168.100.2) is a Windows 2000 machine that has > >had the same NIC for years. Also, only one of the digits in the MAC > >address seems to have changed. What could cause this? > > > > 1) The NIC card could be dieing. "same NIC for years" > 2) Transmission error of some sort on you LAN > 3) Problem w/ a packet switch. Still smells like hardware to me too; fluff and dust can engender such. Cheers, Ian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 14 22:16:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C0F437B401 for ; Mon, 14 Oct 2002 22:16:52 -0700 (PDT) Received: from mgr2.xmission.com (mgr2.xmission.com [198.60.22.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 61E0C43E9C for ; Mon, 14 Oct 2002 22:16:51 -0700 (PDT) (envelope-from glewis@eyesbeyond.com) Received: from mail by mgr2.xmission.com with spam-scanned (Exim 3.35 #1) id 181K4V-0003xK-02 for security@freebsd.org; Mon, 14 Oct 2002 23:16:47 -0600 Received: from [207.135.128.145] (helo=misty.eyesbeyond.com) by mgr2.xmission.com with esmtp (Exim 3.35 #1) id 181K49-0003mR-02; Mon, 14 Oct 2002 23:16:26 -0600 Received: (from glewis@localhost) by misty.eyesbeyond.com (8.11.6/8.11.6) id g9F5GMK98349; Tue, 15 Oct 2002 14:46:22 +0930 (CST) (envelope-from glewis@eyesbeyond.com) X-Authentication-Warning: misty.eyesbeyond.com: glewis set sender to glewis@eyesbeyond.com using -f Date: Tue, 15 Oct 2002 14:46:21 +0930 From: Greg Lewis To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: TCFS for FreeBSD? 
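A quick check for the diagnosis discussed above, added here as an example rather than anything posted in the thread: parse the kernel's "arp: ... moved from ... to ..." messages, count how many bits differ between the two hardware addresses, and note when an IP returns to an address it was seen with before. The first two sample lines are the two changes William reports (the timestamp on the second one is made up); the third line is constructed to show a many-bit change.

```python
import re
from collections import defaultdict

# Kernel message as quoted in the thread, e.g.
#   Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0
ARP_MOVED = re.compile(
    r"arp: (?P<ip>[\d.]+) moved from (?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"to (?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample: the two moves from the thread plus one made-up
# many-bit change and one unrelated line that must be ignored.
SAMPLE_LOG = [
    "Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0",
    "Oct 14 21:10:02 disco /kernel: arp: 192.168.100.2 moved from 00:00:78:0d:5a:7f to 00:20:78:0d:5a:7f on de0",
    "Oct 14 21:12:40 disco /kernel: arp: 192.168.100.9 moved from 00:50:56:aa:bb:cc to 00:0c:29:11:22:33 on de0",
    "Oct 14 21:12:41 disco /kernel: de0: link state changed to UP",
]


def mac_bits_changed(old, new):
    """Hamming distance between two MAC addresses: how many bits flipped."""
    a = int(old.replace(":", ""), 16)
    b = int(new.replace(":", ""), 16)
    return bin(a ^ b).count("1")


def classify_arp_moves(lines):
    """One (ip, old, new, bits, verdict) tuple per 'arp: ... moved' message.

    A single flipped bit is the pattern the thread attributes to failing
    hardware; a change across many bits is a genuinely different address
    (a replaced NIC, or another host answering ARP for that IP).
    """
    out = []
    for line in lines:
        m = ARP_MOVED.search(line)
        if not m:
            continue
        bits = mac_bits_changed(m["old"], m["new"])
        verdict = "single-bit flip" if bits == 1 else "different address"
        out.append((m["ip"], m["old"].lower(), m["new"].lower(), bits, verdict))
    return out


def addresses_that_came_back(lines):
    """IPs whose 'new' address is one they were seen with earlier: the
    flip-flop William reports after reinstalling the Windows machine."""
    seen = defaultdict(set)
    came_back = set()
    for ip, old, new, _bits, _verdict in classify_arp_moves(lines):
        seen[ip].add(old)
        if new in seen[ip]:
            came_back.add(ip)
        seen[ip].add(new)
    return came_back


if __name__ == "__main__":
    for row in classify_arp_moves(SAMPLE_LOG):
        print(row)
    print("flip-flopped:", addresses_that_came_back(SAMPLE_LOG))
```

A one-bit difference, as in William's case (0x20 versus 0x00 in the second byte), is the pattern Ian attributes to hardware; a change across many bits means a different NIC or another host answering for the address, which is the case worth treating as possible spoofing. Either way the message only says the kernel saw a different sender address for that IP, so check the switch's MAC table or a packet capture before drawing a conclusion.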
Message-ID: <20021015144621.A98316@misty.eyesbeyond.com> References: <200210140627.AAA13616@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200210140627.AAA13616@lariat.org>; from brett@lariat.org on Mon, Oct 14, 2002 at 12:27:45AM -0600 X-Spam-Status: No, hits=-2.7 required=8.0 tests=IN_REP_TO,REFERENCES,SIGNATURE_SHORT_DENSE, SPAM_PHRASE_00_01,USER_AGENT,USER_AGENT_MUTT,X_AUTH_WARNING version=2.42 X-Spam-Level: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Oct 14, 2002 at 12:27:45AM -0600, Brett Glass wrote:
> Has TCFS been ported to FreeBSD? I'm looking for a good encrypted network
> file system for a group of FreeBSD machines.
>
> --Brett Glass

I've got a partial port against -STABLE, but obviously as I'm using the word partial it's not complete :). The kernel portion is mostly done, except that it's not linking (something to do with how I use MALLOC_DECLARE judging by the linker errors). I haven't started the userland portions, but should the kernel side actually work by some minor miracle once the linker problem was resolved then that shouldn't be too much of a problem.
-- Greg Lewis Email : glewis@eyesbeyond.com Eyes Beyond Web : http://www.eyesbeyond.com Information Technology FreeBSD : glewis@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 15 4:37:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B88737B404 for ; Tue, 15 Oct 2002 04:37:45 -0700 (PDT) Received: from seattlefenix.net (seattleFenix.net [216.39.145.247]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0BC9243E9C for ; Tue, 15 Oct 2002 04:37:45 -0700 (PDT) (envelope-from roo@seattlefenix.net) Received: by surreal.seattlefenix.net (Postfix, from userid 1001) id 731A836B2D; Fri, 11 Oct 2002 09:48:05 -0700 (PDT) Date: Fri, 11 Oct 2002 09:48:05 -0700 From: Benjamin Krueger To: Ricardo Anguiano Cc: Chris BeHanna , FreeBSD Security Subject: Re: access() is a security hole? Message-ID: <20021011164805.GA27132@surreal.seattlefenix.net> Reply-To: benjamin@seattleFenix.net References: <20021011094935.I86274-100000@topperwein.pennasoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Ricardo Anguiano (anguiano@codesourcery.com) [021011 09:39]: > Chris BeHanna writes: > > > On Fri, 11 Oct 2002, Bruce Evans wrote: > > > Setuid programs should only use access() to check whether they will > > > have permission after they set[ug]id() to the real [ug]id. Non-setuid > > > programs mostly don't need such checks. They can just try the operation. 
> > > > Perhaps the way to avoid the race is to open the file, lock it, > > and *then* call access(), then close the file or proceed based upon > > the result. > > What's wrong with opening the file, then using fstat to check the > properties of the file associated with the file descriptor? > > -- > Ricardo Anguiano > CodeSourcery, LLC And if you don't have sufficient permission to open the file? -- Benjamin Krueger "Everyone has wings, some folks just don't know what they're for" - B. Banzai ---------------------------------------------------------------- Send mail w/ subject 'send public key' or query for (0x251A4B18) Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 15 4:52:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 21ED637B401 for ; Tue, 15 Oct 2002 04:52:09 -0700 (PDT) Received: from seattlefenix.net (seattleFenix.net [216.39.145.247]) by mx1.FreeBSD.org (Postfix) with ESMTP id A297943E88 for ; Tue, 15 Oct 2002 04:52:08 -0700 (PDT) (envelope-from roo@seattlefenix.net) Received: by seattlefenix.net (Postfix, from userid 1001) id 9D89A36B04; Tue, 15 Oct 2002 04:52:07 -0700 (PDT) Date: Tue, 15 Oct 2002 04:52:07 -0700 From: Benjamin Krueger To: Benjamin Krueger Cc: Ricardo Anguiano , Chris BeHanna , FreeBSD Security Subject: Re: access() is a security hole? 
Message-ID: <20021015115207.GB15573@surreal.seattlefenix.net> Reply-To: benjamin@seattleFenix.net References: <20021011094935.I86274-100000@topperwein.pennasoft.com> <20021011164805.GA27132@surreal.seattlefenix.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021011164805.GA27132@surreal.seattlefenix.net> User-Agent: Mutt/1.4i X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Benjamin Krueger (benjamin@seattleFenix.net) [021015 04:39]: > * Ricardo Anguiano (anguiano@codesourcery.com) [021011 09:39]: > > Chris BeHanna writes: > > > > > On Fri, 11 Oct 2002, Bruce Evans wrote: > > > > Setuid programs should only use access() to check whether they will > > > > have permission after they set[ug]id() to the real [ug]id. Non-setuid > > > > programs mostly don't need such checks. They can just try the operation. > > > > > > Perhaps the way to avoid the race is to open the file, lock it, > > > and *then* call access(), then close the file or proceed based upon > > > the result. > > > > What's wrong with opening the file, then using fstat to check the > > properties of the file associated with the file descriptor? > > > > -- > > Ricardo Anguiano > > CodeSourcery, LLC > > And if you don't have sufficient permission to open the file? Please ignore this. It was sent friday but just fell out of a stuffed up mail server. 
-- Benjamin Krueger ---------------------------------------------------------------- Send mail w/ subject 'send public key' or query for (0x251A4B18) Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 15 8:55:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E58737B401 for ; Tue, 15 Oct 2002 08:55:27 -0700 (PDT) Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id A0F7943EB2 for ; Tue, 15 Oct 2002 08:55:26 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl) Received: from velvet (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with SMTP id A08421F8F; Tue, 15 Oct 2002 15:55:21 +0000 (GMT) Date: Tue, 15 Oct 2002 17:57:14 +0200 From: Krzysztof Zaraska To: Mike Hoskins , "Maildrop" Cc: freebsd-security@freebsd.org Subject: Re: FW: monitor ALL connections to ALL ports Message-Id: <20021015175714.6ecbd83a.kzaraska@student.uci.agh.edu.pl> In-Reply-To: <20021014145602.K1231-100000@fubar.adept.org> References: <20021014145602.K1231-100000@fubar.adept.org> X-Mailer: Sylpheed version 0.8.5 (GTK+ 1.2.10; i386-portbld-freebsd5.0) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 14 Oct 2002 14:58:50 -0700 (PDT) Mike Hoskins wrote: > > I put these rule in: > > ipfw add count log all from any to any > > Is this rule before the other allow rules in your chain? 
> Since the rule
> chain is parsed on a first-match basis, you'll either need this rule
> before all others or you'll need to add log entries to each of your
> other rules.

There's another problem I can see here: this setup will generate a log entry on EVERY packet, which is clearly overkill. I think it would be more useful to log only the opening of the connection; this can be accomplished using for example the 'setup' keyword, e.g.:

# Allow access to our WWW
${fwcmd} add pass log tcp from any to ${oip} 80 setup

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem

From owner-freebsd-security Tue Oct 15 10:44:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2CBCB37B401 for ; Tue, 15 Oct 2002 10:44:45 -0700 (PDT) Received: from mpls-qmqp-04.inet.qwest.net (mpls-qmqp-04.inet.qwest.net [63.231.195.115]) by mx1.FreeBSD.org (Postfix) with SMTP id 7ACEB43E6A for ; Tue, 15 Oct 2002 10:44:44 -0700 (PDT) (envelope-from maildrop@qwest.net) Received: (qmail 41502 invoked by uid 0); 15 Oct 2002 17:44:25 -0000 Received: from unknown (63.231.195.4) by mpls-qmqp-04.inet.qwest.net with QMQP; 15 Oct 2002 17:44:25 -0000 Received: from unknown (HELO jenny) (63.231.238.226) by mpls-pop-04.inet.qwest.net with SMTP; 15 Oct 2002 17:44:43 -0000 Date: Tue, 15 Oct 2002 12:58:05 -0500 Message-ID: From: "Maildrop" To: "Krzysztof Zaraska" , "Mike Hoskins" , "Maildrop" Cc: freebsd-security@freebsd.org Subject: RE: FW: monitor ALL connections to ALL ports MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO,
Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20021015175714.6ecbd83a.kzaraska@student.uci.agh.edu.pl> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Yep, this is exactly what I am looking for. All packets is a bit heavy on my hard drive :P This only works with tcp though, is there anything to watch udp packets (like the first packet from a host on a certain port?) I know udp might be tougher, since it is stateless.

> -----Original Message-----
> From: Krzysztof Zaraska [mailto:kzaraska@student.uci.agh.edu.pl]
> Sent: Tuesday, October 15, 2002 10:57 AM
> To: Mike Hoskins; Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: FW: monitor ALL connections to ALL ports
>
> On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
> Mike Hoskins wrote:
>
> > > I put this rule in:
> > > ipfw add count log all from any to any
> >
> > Is this rule before the other allow rules in your chain? Since the rule
> > chain is parsed on a first-match basis, you'll either need this rule
> > before all others or you'll need to add log entries to each of your
> > other rules.
>
> There's another problem I can see here: this setup will generate a log
> entry on EVERY packet, which is clearly overkill. I think it would be
> more useful to log only the opening of the connection; this can be
> accomplished using for example the 'setup' keyword, e.g.:
>
> # Allow access to our WWW
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> // -- Stanislaw Lem > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 15 11:42:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0302B37B401 for ; Tue, 15 Oct 2002 11:42:45 -0700 (PDT) Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id 219C243E9C for ; Tue, 15 Oct 2002 11:42:44 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with SMTP id 6D0FF1F8F; Tue, 15 Oct 2002 18:42:38 +0000 (GMT) Date: Tue, 15 Oct 2002 20:44:32 +0200 From: Krzysztof Zaraska To: "Maildrop" Cc: freebsd-security@freebsd.org Subject: Re: FW: monitor ALL connections to ALL ports Message-Id: <20021015204432.22f7be8d.kzaraska@student.uci.agh.edu.pl> In-Reply-To: References: <20021015175714.6ecbd83a.kzaraska@student.uci.agh.edu.pl> X-Mailer: Sylpheed version 0.8.0 (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 15 Oct 2002 12:58:05 -0500 "Maildrop" wrote: > > Yep, this is exactly what I am looking for. All packets, is a bit heavy > on my hard drive :P This only works with tcp though, is there any thing > to watch udp packets (like the first packet from a host on a certain > port?) I know udp might be tougher, since it is stateless. ${fwcmd} add pass log udp from ${oip}:${omask} to any keep-state This should handle outgoing UDP traffic. 
When a packet is matched, a dynamic rule matching packets that are part of the connection (same protocol, IP, and port numbers in both directions) is added to the ruleset. A dynamic rule has a limited lifetime and is removed when it expires. man ipfw for details; see the information on check-state and keep-state.

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem

From owner-freebsd-security Tue Oct 15 13: 8:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5504937B401 for ; Tue, 15 Oct 2002 13:08:49 -0700 (PDT) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 82FCF43E9C for ; Tue, 15 Oct 2002 13:08:47 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.4/8.12.4) with SMTP id g9FJlIOo029399; Tue, 15 Oct 2002 15:47:20 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Tue, 15 Oct 2002 15:47:17 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Giorgos Keramidas Cc: Ricardo Anguiano , Chris BeHanna , FreeBSD Security Subject: Re: access() is a security hole?
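An added example, not code from the thread: with `log ... setup` rules for TCP and `log ... keep-state` rules for UDP, ipfw writes one syslog line per connection attempt, which is the record Jack asked for, and the port-scan signal he also wanted is then just a count of distinct destination ports per source address. The sample lines below are constructed in the format ipfw writes through syslog (rule number, action, protocol, source and destination address:port, direction and interface); the hostname, addresses and rule numbers are made up, and the regular expression is this example's own, not part of ipfw.

```python
import re
from collections import defaultdict

# Shape of the syslog line ipfw emits for a rule carrying the `log` keyword:
#   ... /kernel: ipfw: 1000 Accept TCP 192.0.2.7:3321 198.51.100.5:80 in via fxp0
# ICMP entries carry no ports and are deliberately left unmatched.
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# Constructed sample log: two web hits, one UDP query each way, a source
# walking several ports (mostly hitting the default deny rule), and an
# ICMP line the parser must skip.
SAMPLE_LOG = """\
Oct 15 12:58:05 gw /kernel: ipfw: 1000 Accept TCP 192.0.2.7:3321 198.51.100.5:80 in via fxp0
Oct 15 12:58:06 gw /kernel: ipfw: 1000 Accept TCP 192.0.2.7:3322 198.51.100.6:80 in via fxp0
Oct 15 12:58:09 gw /kernel: ipfw: 1100 Accept UDP 198.51.100.5:49152 203.0.113.53:53 out via fxp0
Oct 15 12:58:09 gw /kernel: ipfw: 1100 Accept UDP 192.0.2.40:1025 198.51.100.5:53 in via fxp0
Oct 15 12:59:01 gw /kernel: ipfw: 65535 Deny TCP 203.0.113.9:40001 198.51.100.5:21 in via fxp0
Oct 15 12:59:01 gw /kernel: ipfw: 65535 Deny TCP 203.0.113.9:40002 198.51.100.5:22 in via fxp0
Oct 15 12:59:01 gw /kernel: ipfw: 65535 Deny TCP 203.0.113.9:40003 198.51.100.5:23 in via fxp0
Oct 15 12:59:02 gw /kernel: ipfw: 65535 Deny TCP 203.0.113.9:40004 198.51.100.5:25 in via fxp0
Oct 15 12:59:02 gw /kernel: ipfw: 1000 Accept TCP 203.0.113.9:40005 198.51.100.5:80 in via fxp0
Oct 15 12:59:02 gw /kernel: ipfw: 65535 Deny TCP 203.0.113.9:40006 198.51.100.5:110 in via fxp0
Oct 15 12:59:07 gw /kernel: ipfw: 65535 Deny ICMP:8.0 203.0.113.9 198.51.100.5 in via fxp0
""".splitlines()


def parse_ipfw_log(lines):
    """Yield one dict per TCP/UDP log entry; anything else is skipped."""
    for line in lines:
        m = IPFW_LINE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec


def inbound_connections(lines):
    """Who reached which local address and port, and what the firewall did.

    With `log ... setup` (TCP) and `log ... keep-state` (UDP) rules only the
    first packet of a flow is logged, so each entry is one connection
    attempt rather than one packet.
    """
    return [
        (r["src"], r["dst"], r["proto"], r["dport"], r["action"])
        for r in parse_ipfw_log(lines)
        if r["direction"] == "in"
    ]


def port_scanners(lines, min_ports=5):
    """Sources that touched at least `min_ports` distinct local ports.

    Distinct ports are counted, so per-packet logging (a rule without
    `setup`) does not inflate the result, and a denied probe counts the same
    as an accepted one: that is what makes a scan of closed ports visible.
    """
    ports = defaultdict(set)
    for r in parse_ipfw_log(lines):
        if r["direction"] == "in":
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for conn in inbound_connections(SAMPLE_LOG):
        print("%-15s -> %s %s/%d %s" % conn)
    print("scanners:", port_scanners(SAMPLE_LOG))
```

Feed it the ipfw entries syslogd writes for the security facility (the /var/log/security file from the syslogd.conf line earlier in the thread). Because the default deny rule logs as well when the kernel is built with IPFIREWALL_VERBOSE, a scan that walks closed ports shows up even though no `allow` rule ever matched it; per-packet logging from a rule without `setup` only adds duplicate lines and does not change the distinct-port count, though it does make the file large, as the thread points out.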
In-Reply-To: <20021013154127.GA2970@hades.hell.gr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Sun, 13 Oct 2002, Giorgos Keramidas wrote:
> > What's wrong with opening the file, then using fstat to check the
> > properties of the file associated with the file descriptor?
>
> Sometimes, just opening a `file' has interesting side-effects. For
> instance, opening a rewinding tape device will start the tape rewinding
> process. You might not want to cause such side-effects to happen :-/

There are a number of scenarios where I've used access(2) and eaccess(2) to useful effect. They include:

(1) Situations where the goal is to render possible access rights for the user, rather than simulate an access. For example, KDE uses the access() system call when rendering file and directory icons to suggest to the user whether or not they can access the directory. Using a call such as access(2) is *much* preferred over the use of stat() to retrieve permissions and manually calculate rights, as that doesn't take into account ACLs, MAC, distributed file system alternative protection semantics, etc. BTW, because KDE used access() to figure out how to render icons, it required no modification when we introduced ACLs and MAC in TrustedBSD in order to correctly render directories. It did require some modifications to support changing the protections on the files, of course, but that use of access() has definite advantages from a UI perspective.

(2) Situations where the goal is to produce a more clean failure mode for compound operations. While it's true that it's generally better for an application to "try" the operation and see if it succeeds, there are cases where it's preferable to at least give a pass at predicting the result so as to offer a cleaner failure mode.
For example, if an application is installing files onto a system, performing a set of access() checks on target directories can result in a clean failure mode "One or more directories you need to write to is unwritable", whereas merrily wandering along installing until you hit the first unwritable directory leaves a cleanup/backout problem. While this won't capture all possible failure modes ("out of disk space"), it can be substantially more user friendly.

(3) Access to any object where the access has side effects, be they literal side effects (tape rewind) or just performance ones.

I MFC'd my access() security warning clarification from -CURRENT to -STABLE, but it could probably use a little more work to take into account some of these situations where access() may be the only tool that works.

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Network Associates Laboratories

From owner-freebsd-security Tue Oct 15 14:10:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A92037B401 for ; Tue, 15 Oct 2002 14:10:08 -0700 (PDT) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 668F843EA3 for ; Tue, 15 Oct 2002 14:10:07 -0700 (PDT) (envelope-from mark@grimreaper.grondar.org) Received: from storm.FreeBSD.org.uk (uucp@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.6/8.12.6) with ESMTP id g9FLA6W1070022 for ; Tue, 15 Oct 2002 22:10:06 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.12.6/8.12.6/Submit) with UUCP id g9FLA6rc070021 for security@freebsd.org; Tue, 15 Oct 2002 22:10:06 +0100 (BST) Received: from grimreaper.grondar.org (localhost [127.0.0.1]) by grimreaper.grondar.org
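The open-then-fstat approach quoted above, worked through as an added example; this is not code from the thread, and the scenario (a target file, a decoy, a symlink and a FIFO in a temporary directory, with a hook standing in for a concurrent attacker) is constructed for the demonstration. It shows why access()-then-open() on a path name is a race, and how checking the descriptor you actually obtained avoids it; O_NOFOLLOW and O_NONBLOCK address the symlink and the blocking-open concerns raised in the thread.

```python
import fcntl
import os
import shutil
import stat
import tempfile


def racy_open(path, between=lambda: None):
    """The pattern the thread warns about: access(2) on a *name*, then
    open(2) on the same name.  Nothing ties the two calls to one object, so
    whatever happens in `between` (a hook standing in for an attacker who
    wins the race) decides what really gets opened."""
    if not os.access(path, os.R_OK):
        return -1
    between()
    return os.open(path, os.O_RDONLY)


def open_regular_file(path):
    """Open first, then judge the object actually obtained via fstat(2).

    O_NOFOLLOW refuses a symlink as the final path component (intermediate
    directories are not covered; hold a descriptor to a trusted directory
    and pass dir_fd= for that).  O_NONBLOCK keeps open(2) from hanging on a
    FIFO or a device; it does not undo side effects a device open may have,
    which is the tape-rewind caveat from the thread, so use this only on
    paths expected to name regular files.  Returns (fd, reason); fd is -1
    when the object is rejected.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        return -1, "open failed: " + os.strerror(exc.errno)
    st = os.fstat(fd)                    # the object behind fd, not the name
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        return -1, "not a regular file"
    # Validation done: drop O_NONBLOCK so later reads behave normally.
    flags = fcntl.fcntl(fd, fcntl.F_GETFL)
    fcntl.fcntl(fd, fcntl.F_SETFL, flags & ~os.O_NONBLOCK)
    return fd, "ok"


def run_demo():
    """Constructed scenario: `target` passes the access check, `decoy` is
    what the attacker substitutes; a symlink and a FIFO exercise the
    open-then-fstat path.  Returns the observable outcomes."""
    work = tempfile.mkdtemp()
    target, decoy = os.path.join(work, "target"), os.path.join(work, "decoy")
    link, fifo = os.path.join(work, "link"), os.path.join(work, "fifo")
    for p in (target, decoy):
        with open(p, "w") as f:
            f.write(os.path.basename(p))
    os.symlink(decoy, link)
    os.mkfifo(fifo)
    checked_ino, decoy_ino = os.stat(target).st_ino, os.stat(decoy).st_ino

    def attacker_swaps_name():
        # Wins the race: the name just checked now resolves to the decoy.
        os.remove(target)
        os.symlink(decoy, target)

    results = {}
    fd = racy_open(target, attacker_swaps_name)
    opened_ino = os.fstat(fd).st_ino
    os.close(fd)
    results["racy_opened_checked_object"] = opened_ino == checked_ino
    results["racy_opened_decoy"] = opened_ino == decoy_ino
    for name, p in (("regular", decoy), ("symlink", link), ("fifo", fifo)):
        fd, why = open_regular_file(p)
        if fd >= 0:
            os.close(fd)
        results["safe_" + name] = (fd >= 0, why)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it directly to print the outcomes: the racy path ends up reading the decoy, while the open-then-fstat path accepts the regular file and rejects both the symlink and the FIFO without blocking. The real-uid semantics of access(2) that Bruce Evans mentions for setuid programs are not reproduced here; a setuid program that must answer "could the invoking user open this?" still has a legitimate use for access(2), as Robert's list above makes clear.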
(8.12.6/8.12.5) with ESMTP id g9FL8v01063672 for ; Tue, 15 Oct 2002 22:08:57 +0100 (BST) (envelope-from mark@grimreaper.grondar.org) Message-Id: <200210152108.g9FL8v01063672@grimreaper.grondar.org> To: security@freebsd.org From: markm@freebsd.org Subject: Administrativia: List charter updated! Date: Tue, 15 Oct 2002 22:08:57 +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi

I have upgraded the list charter to specifically mention the fact that licensing issue "debates" are off topic. Likewise for responses to off-topic posts. The updated charter is included here for your information.

M

FREEBSD-SECURITY Security issues

This is a technical discussion list covering FreeBSD security issues. The intention is for the list to contain a high-signal, low-noise discussion of issues affecting the security of FreeBSD. Welcome topics include Cryptography (as it relates to FreeBSD), OS bugs that affect security, and security design issues. Denial-of-service (DoS) issues are less important than problems that allow an attacker to achieve elevated privilege, but are still on-topic.

General system administrator questions of an FAQ nature are off-topic for this list, but the creation and maintenance of a FAQ is on-topic. Thus, the submission of questions (with answers) for inclusion into the FAQ is welcome. Such question/answer sets should be clearly marked as such (at least "FAQ submission") in the subject. The FAQ will be posted to the list regularly (There is not one at the moment - this will be rectified).

Flamewars, personal attacks, low-signal postings (such as gratuitous "Me Too!" messages) and other off-topic submissions are unwelcome. Heated discussions and discussions of questionable relevance are invited to be conducted off-line until an on-topic conclusion is reached. Very specifically, licensing issues are off-topic.
Equally specifically, replying to off-topic posts is also off-topic. Responding to trolls, taunts, jibes, spam etc is FORBIDDEN. If you must respond, do so in private mail. This is a members-only list, so only list members may post (using the address they subscribed under). To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 15 14:23:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C680137B431 for ; Tue, 15 Oct 2002 14:23:24 -0700 (PDT) Received: from web10101.mail.yahoo.com (web10101.mail.yahoo.com [216.136.130.51]) by mx1.FreeBSD.org (Postfix) with SMTP id 78C1D43E6E for ; Tue, 15 Oct 2002 14:23:24 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20021015212324.72528.qmail@web10101.mail.yahoo.com> Received: from [68.5.49.41] by web10101.mail.yahoo.com via HTTP; Tue, 15 Oct 2002 14:23:24 PDT Date: Tue, 15 Oct 2002 14:23:24 -0700 (PDT) From: twig les Subject: Re: Sniffer nic To: freebsd-security@freebsd.org In-Reply-To: <20021012001013.GD18678@pir.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I ran into Intel's neat little comparison and compatibility page. I figured it is worth a glance for anyone interested in this thread and it took a lot of digging to get to. http://www.intel.com/support/network/adapter/1000/tti001.htm I'll post if anything spectacular happens, good or bad. --- Peter Radcliffe wrote: > Mike Hoskins probably said: > > As for the new Intel GB NICs... I'm glad to hear > they're working well > > with FreeBSD (haven't tried 'em yet)... That's a > lot more than I can > > currently say for Linux. 
> > ;)
>
> I've reported problems that are still ongoing with the Intel gig copper
> cards, I can't use them with any reliability.
>
> We went back to Netgear GA620 copper cards, which have worked
> flawlessly for me.
>
> P.
>
> --
> pir                   pir-sig@pir.net
>                       pir-sig@net.tufts.edu

=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------

From owner-freebsd-security Tue Oct 15 17:46:55 2002
Date: Tue, 15 Oct 2002 20:46:18 -0400 (EDT)
From: Robert Watson
To: wolf
Cc: freebsd-security@freebsd.org
Subject: Re: ipcs output when running netscape shows --rwarwarwa
In-Reply-To: <3DA8F0B7.8050505@hq.dyns.cx>

Could be the
sysvshm optimizations used by X11, as opposed to strictly Mozilla. There
were some posts about this sometime earlier this year (or maybe last
year) on bugtraq. I guess a first useful question is how recent your X
server is -- often FreeBSD users upgrade the base OS, but let X age
until there's a specific need to upgrade. If there was a default
protection fix for the X libraries, the problem could be your Linux X
shared libraries need updating, so you might also check the version of
those.

FWIW, my Linux Netscape does use shared libraries:

curry:~/p4/trustedbsd/mac/sys/kern> file /usr/local/lib/linux-netscape6/mozilla-bin
/usr/local/lib/linux-netscape6/mozilla-bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), not stripped

It likewise appears to use poorly protected sysvshm segments:

curry:~/p4/trustedbsd/mac/sys/kern> ipcs
Message Queues:
T     ID     KEY        MODE       OWNER    GROUP

Shared Memory:
T     ID     KEY        MODE       OWNER    GROUP
m 2686976      0 --rwarwarwa  rwatson  rwatson
m  196609      0 --rwarwarwa  rwatson  rwatson
m  196610      0 --rwarwarwa  rwatson  rwatson
m  196611      0 --rwarwarwa  rwatson  rwatson
...

I suspect strongly my Linux X shared libraries are quite old. You might
try upgrading them specifically and see what happens.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

On Sun, 13 Oct 2002, wolf wrote:

> Is the 'mode' as listed below a security issue?
>
> Linux Netscape 6 is running w/ mode rwarwarwa while all the other apps
> I've tested so far (all native compiled btw) show only --rw-------.
>
> :/
>
>
> bash-2.05a$ ipcs -m -o -p
> Shared Memory:
> T     ID     KEY        MODE       OWNER    GROUP  NATTCH  CPID  LPID
> m  262144      0 --rw-------  mjoyner  mjoyner      2   597   278
> m 1048577      0 --rwarwarwa  mjoyner  mjoyner      2   710   278
> m 1179650      0 --rwarwarwa  mjoyner  mjoyner      2   710   278
> m  131075      0 --rwarwarwa  mjoyner  mjoyner      2   710   278
> m  131076      0 --rwarwarwa  mjoyner  mjoyner      2   710   278
> m  131077      0 --rwarwarwa  mjoyner  mjoyner      2   710   278
> m  131078      0 --rwarwarwa  mjoyner  mjoyner      2   710   278
>
> bash-2.05a$ ps -p 710
>   PID  TT  STAT      TIME COMMAND
>   710  ??  S      0:37.54 ./mozilla-bin
>
> bash-2.05a$ ps -p 278
>   PID  TT  STAT      TIME COMMAND
>   278  ??  S      0:21.95 /usr/X11R6/bin/XFree86 -auth /var/lib/kdm/authfiles/A
>
> bash-2.05a$ uname -a
> FreeBSD ip-34.internal 4.7-STABLE FreeBSD 4.7-STABLE #0: Fri Oct 11
> 22:21:11 EDT 2002
> mjoyner@ip-34.internal:/usr/src/sys/compile/workstation i386
>
> bash-2.05a$

From owner-freebsd-security Tue Oct 15 23:28:25 2002
Date: Tue, 15 Oct 2002 23:28:19 -0700
From: Steve Reid
To: Maildrop
Cc: freebsd-security@freebsd.org
Subject: Re: FW: monitor ALL connections to ALL ports
Message-ID: <20021016062819.GA10090@coredump>
References:
 <20021014145602.K1231-100000@fubar.adept.org>
 <20021015175714.6ecbd83a.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <20021015175714.6ecbd83a.kzaraska@student.uci.agh.edu.pl>

On Tue, Oct 15, 2002 at 05:57:14PM +0200, Krzysztof Zaraska wrote:
> I think it would be more useful to log only opening of the
> connection; this can be accomplished using for example a 'setup'
> keyword, e.g.:

I believe there is also a "log in vain" sysctl variable to cause the
kernel to log connection attempts to non-listening ports. Seems to be a
quick and easy way to get what you want. The ipfw way is more flexible
though.

From owner-freebsd-security Wed Oct 16 2:09:57 2002
Subject: RE: FW: monitor ALL connections to ALL ports
Date: Wed, 16 Oct 2002 10:48:01 +0200
From: Danny.Carroll@mail.ing.nl
To: freebsd-security@freebsd.org
Something else you could do, if you want to put the effort into it, is
to write a program that accepts all packets from ipfw (via a divert
rule) and then logs what you want before returning the untouched packet
back to ipfw.

Much like what natd does, except without the natting.
I am sure the natd sources would be very useful in this case.

-D

-----Original Message-----
From: Maildrop [mailto:maildrop@qwest.net]
Sent: 15 October 2002 19:58
To: Krzysztof Zaraska; Mike Hoskins; Maildrop
Cc: freebsd-security@freebsd.org
Subject: RE: FW: monitor ALL connections to ALL ports

Yep, this is exactly what I am looking for. All packets is a bit heavy
on my hard drive :P

This only works with tcp though, is there anything to watch udp packets
(like the first packet from a host on a certain port?) I know udp might
be tougher, since it is stateless.

> -----Original Message-----
> From: Krzysztof Zaraska [mailto:kzaraska@student.uci.agh.edu.pl]
> Sent: Tuesday, October 15, 2002 10:57 AM
> To: Mike Hoskins; Maildrop
> Cc: freebsd-security@freebsd.org
> Subject: Re: FW: monitor ALL connections to ALL ports
>
>
> On Mon, 14 Oct 2002 14:58:50 -0700 (PDT)
> Mike Hoskins wrote:
>
> > > I put these rule in:
> > > ipfw add count log all from any to any
> >
> > Is this rule before the other allow rules in your chain? Since the rule
> > chain is parsed on a first-match basis, you'll either need this rule
> > before all others or you'll need to add log entries to each of your
> > other rules.
>
> There's another problem I can see here: this setup will generate a log
> entry on EVERY packet, which is clearly overkill.
> I think it would be
> more useful to log only opening of the connection; this can be
> accomplished using for example a 'setup' keyword, e.g.:
>
> # Allow access to our WWW
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
>
> --
> // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
> // Prelude IDS: http://www.prelude-ids.org/
> // A dream will always triumph over reality, once it is given the chance.
> //                                                    -- Stanislaw Lem

-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------

From owner-freebsd-security Wed Oct 16 2:37:39 2002
Date: Wed, 16 Oct 2002 12:37:15 +0300
From: Peter Pentchev
To: Danny.Carroll@mail.ing.nl
Cc: maildrop@qwest.net, freebsd-security@freebsd.org
Subject: Re: FW: monitor ALL connections to ALL ports
Message-ID: <20021016093715.GX372@straylight.oblivion.bg>

On Wed, Oct 16, 2002 at 10:48:01AM +0200, Danny.Carroll@mail.ing.nl wrote:
> Something else you could do, if you want to put the effort into it is
> to write a program that accepts all packets from ipfw (via a divert
> rule) and then logs what you want before returning the untouched
> packet back to ipfw.
>
> Much like what natd does, except without the natting.
> I am sure the natd sources would be very useful in this case.

I am a bit surprised that nobody has mentioned ports/net/clog yet.
It is simple yet effective; it does not log UDP packets, but this
functionality may not be too hard to add.
G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence every third, but it still comprehensible.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (FreeBSD)

iD8DBQE9rTNL7Ri2jRYZRVMRAranAJwMca/ePOz/60K9qnn7HAuSZKq3cACfXqB3
kH1yH22Ybj3Rpr0p0xbBQMs=
=45Kg
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Oct 16 8:29:13 2002
Date: Wed, 16 Oct 2002 16:28:50 +0100 (BST)
From: Jess Kitchen
To: freebsd-security@FreeBSD.ORG
Subject: Re: FW: monitor ALL connections to ALL ports
Message-ID: <20021016162219.V62311-100000@platinum.daweb.net>
On Mon, 14 Oct 2002, Maildrop wrote:

> I put these rule in:
>
> ipfw add count log all from any to any
>
> I am getting messages in my log (/var/log/all.log) that appears like this:
> Oct 14 14:15:06 hydra /kernel: Connection attempt to UDP 192.168.17.1:161
> from 192.168.17.1:1166

Hi,

This doesn't look like ipfw logging output to me, in fact it seems
indicative of net.inet.tcp.log_in_vain

You may also have more mileage with ipfw if you tried something like
this;

ipfw add 500 pass log tcp from any to any setup
ipfw add 600 pass tcp from any to any established

This will log initial connection setups but not ongoing traffic, for
example an ftp session would hose your logs quite a bit.

Additionally the count feature is always available to you, try

ipfw show

Oh and you need to put count/pass rules before an 'allow any to any'
type rule otherwise it won't get caught because the processing has
already finished on the traffic. May be why you see no logging output
currently.

Cheers,
J.
--
Jess Kitchen
http://www.burstfire.net/

From owner-freebsd-security Wed Oct 16 8:31:07 2002
Date: Wed, 16 Oct 2002 16:30:45 +0100 (BST)
From: Jess Kitchen
To: freebsd-security@FreeBSD.ORG
Subject: Re: FW: monitor ALL connections to ALL ports
In-Reply-To: <20021016162219.V62311-100000@platinum.daweb.net>
Message-ID: <20021016163017.O62311-100000@platinum.daweb.net>

On Wed, 16 Oct 2002, Jess Kitchen wrote:

[snip]

> This doesn't look like ipfw logging output to me, in fact it seems
> indicative of net.inet.tcp.log_in_vain

Whoops, sorry for the repost. Caffeine hasn't quite kicked in, heh.

J.
--
Jess Kitchen
http://www.burstfire.net/

From owner-freebsd-security Wed Oct 16 13:03:06 2002
Date: Wed, 16 Oct 2002 13:02:53 -0700 (PDT)
From: Mike Hoskins
To: freebsd-security@freebsd.org
Subject: CERT VU#539363
Message-ID: <20021016124439.T4295-100000@fubar.adept.org>

I'm sure everyone saw this on Bugtraq, firewalls, firewall-wizards,
etc... But I noticed Apple was quick to respond with a 'we're not
vulnerable' regarding OS X and wondered if we could draw similar
conclusions.

From their "Solution" section:

"Use firewall features that detect and block flood traffic"

I assume they mean things like the PIX can do... Monitor for excessive
SYNs from foreign hosts and throttle connections (or deny them entirely
after a threshold). However, if the attacker used randomly forged source
addresses to an open port on the firewall, I don't see how these
features would really help.

"Use dynamically resizeable state tables"

Couldn't this hurt more at some point?
Assuming the attacker has time and is able to forge IPs... A state
table has to either become full (reach net.inet.ip.fw.dyn_max) or use
all available resources at some point, right? Hard to say which is
better.

"Use separate timeout values for initial sessions"

net.inet.ip.fw.dyn_syn_lifetime ?

"Use dynamically adjustable session timers (Aggressive Aging)"

Do they mean the net.inet.ip.fw.dyn_* timers? If so, what sort of
algorithm would do this "dynamic" adjustment, and based upon what
criteria?

A couple possible cases...

A large number of rules are created for a given host... So the timeout
values for rules associated with that host are cut short until the total
rules from that host return below some threshold.

Or maybe a lot of rules are created for a set of hosts causing the state
table to grow to within some threshold of net.inet.ip.fw.dyn_max,
causing the lifetime of all rules to be shortened and hopefully create
more room for additional rules.

"Allow connection tracking to be disabled"

I.e. Turn off statefulness? I suppose that could give one time to find a
real solution, but it may require a lot of work.
:)

From owner-freebsd-security Wed Oct 16 13:58:56 2002
Date: Wed, 16 Oct 2002 16:58:50 -0400
Subject: Re: CERT VU#539363
From: Chuck Swiger
To: freebsd-security@FreeBSD.ORG
In-Reply-To: <20021016124439.T4295-100000@fubar.adept.org>
Message-Id: <122BC346-E14A-11D6-BE66-000A27D85A7E@mac.com>

On Wednesday, October 16, 2002, at 04:02 PM, Mike Hoskins wrote:
> I'm sure everyone saw this on Bugtraq, firewalls, firewall-wizards, etc...
> But I noticed Apple was quick to respond with a 'we're not vulnerable'
> regarding OS X and wondered if we could draw similar conclusions.

I'm not entirely sure that "not being vulnerable" simply means that OS
X's default configuration doesn't ship with FTP, or whether it means OS
X being used as a firewall (via IPFW, or whatever) isn't vulnerable.
OS X (or FreeBSD, for that matter) may not be vulnerable also because
they don't try to monitor FTP transactions looking for the PASV, and
thus don't create the bogus dynamic rule. Someone using static packet
filtering rules (before a check-state) can block access to the low ports
(below 1024) and mitigate against the spoofed dynamic rules.

> From their "Solution" section:
>
> "Use firewall features that detect and block flood traffic"
>
> I assume they mean things like the PIX can do... Monitor for excessive
> SYNs from foreign hosts and throttle connections (or deny them entirely
> after a threshold). However, if the attacker used randomly forged source
> addresses to an open port on the firewall, I don't see how these features
> would really help.

Syn-flood and ICMP broadcast flood protection in FreeBSD is pretty
solid. I think the vector of the attack is against an FTP server behind
a firewall, not against a port on the firewall itself. Besides,
generally speaking, your firewalls shouldn't have open ports. I live
with 22 open for remote management purposes, but that's it.

> "Use dynamically resizeable state tables"
>
> Couldn't this hurt more at some point? Assuming the attacker has time and
> is able to forge IPs... A state table has to either become full
> (reach net.inet.ip.fw.dyn_max) or use all available resources at some
> point, right? Hard to say which is better.

Sure. Running out of state table entries is perhaps the primary weakness
of dynamic filtering, and it's not clear that there are perfect
solutions to that problem. :-)

> "Use dynamically adjustable session timers (Aggressive Aging)"
>
> Do they mean the net.inet.ip.fw.dyn_* timers? If so, what sort of
> algorithm would do this "dynamic" adjustment, and based upon what
> criteria?
>
> A couple possible cases...
>
> A large number of rules are created for a given host...
> So the timeout
> values for rules associated with that host are cut short until the total
> rules from that host return below some threshold.
>
> Or maybe a lot of rules are created for a set of hosts causing the state
> table to grow to within some threshold of net.inet.ip.fw.dyn_max, causing
> the lifetime of all rules to be shortened and hopefully create more room
> for additional rules.

I think Luigi Rizzo has already been there; from
/usr/src/sys/netinet/ip_fw.c:

/*
 * after reaching 0, dynamic rules are considered still valid for
 * an additional grace time, unless there is lack of resources.
 */
static u_int32_t dyn_grace_time = 10 ;

static u_int32_t static_count = 0 ;     /* # of static rules */
static u_int32_t dyn_count = 0 ;        /* # of dynamic rules */
static u_int32_t dyn_max = 1000 ;       /* max # of dynamic rules */

> "Allow connection tracking to be disabled"
>
> I.e. Turn off statefulness? I suppose that could give one time to find a
> real solution, but it may require a lot of work. :)

They probably mean disabling the aspect of the firewall responsible for
examining or proxying passive FTP and adding dynamic rules when it sees
a PASV response.

-Chuck

Chuck Swiger | chuck@codefab.com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
"The human race's favorite method for being in control of the facts
 is to ignore them."
        -Celia Green

From owner-freebsd-security Wed Oct 16 17:09:33 2002
From: Darren Reed
Message-Id: <200210170009.KAA02471@caligula.anu.edu.au>
Subject: Re: CERT VU#539363
To: mike@adept.org (Mike Hoskins)
Date: Thu, 17 Oct 2002 10:09:16 +1000 (Australia/ACT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20021016124439.T4295-100000@fubar.adept.org> from "Mike Hoskins" at Oct 16, 2002 01:02:53 PM

In some mail from Mike Hoskins, sie said:
>
>
> I'm sure everyone saw this on Bugtraq, firewalls, firewall-wizards, etc...
> But I noticed Apple was quick to respond with a 'we're not vulnerable'
> regarding OS X and wondered if we could draw similar conclusions.

If they don't do stateful filtering then they are not vulnerable.
Guess we know what version of ipfw is/isn't in OSX then, eh ?
Darren

From owner-freebsd-security Wed Oct 16 17:12:48 2002
From: Darren Reed
Message-Id: <200210170012.KAA03159@caligula.anu.edu.au>
Subject: Re: CERT VU#539363
To: cswiger@mac.com (Chuck Swiger)
Date: Thu, 17 Oct 2002 10:12:06 +1000 (Australia/ACT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <122BC346-E14A-11D6-BE66-000A27D85A7E@mac.com> from "Chuck Swiger" at Oct 16, 2002 04:58:50 PM

In some mail from Chuck Swiger, sie said:
> [...]
> OS X (or FreeBSD, for that matter) may not be vulnerable also because they
> don't try to monitor FTP transactions looking for the PASV, and thus don't
> create the bogus dynamic rule. Someone using static packet filtering
> rules (before a check-state) can block access to the low ports (below 1024)
> and mitigate against the spoofed dynamic rules.
[...]

You're confusing 539363 (state) with 328867 (FTP).
Darren

From owner-freebsd-security Wed Oct 16 17:43:24 2002
Date: Wed, 16 Oct 2002 17:43:15 -0700
From: David Schultz
To: Mike Hoskins
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT VU#539363
Message-ID: <20021017004315.GA8951@HAL9000.homeunix.com>
References: <20021016124439.T4295-100000@fubar.adept.org>
In-Reply-To: <20021016124439.T4295-100000@fubar.adept.org>

Thus spake Mike Hoskins :
> I'm sure everyone saw this on Bugtraq, firewalls, firewall-wizards, etc...
> But I noticed Apple was quick to respond with a 'we're not vulnerable'
> regarding OS X and wondered if we could draw similar conclusions.

FreeBSD's ipfw isn't vulnerable because it doesn't do application layer
filtering.
On the other hand, ipfilter is potentially susceptible, probably depending on
the FTP server you use. I suspect that OS X is not vulnerable for the same
reason, namely, it doesn't ship with a firewall that understands FTP in the
first place.

> "Use firewall features that detect and block flood traffic"
[...]
> "Use dynamically resizeable state tables"
[...]

Your criticisms here are well-founded; these suggestions do not fix the
resource exhaustion problem. However, you have to realize that a stateful
firewall is inherently vulnerable to this kind of attack. (Consider what
happens when you're sent an excessive number of incomplete fragmented IP
packets.) I haven't read the list of suggestions you're referring to, but
the suggestions probably assume that the administrator requires a stateful
firewall, in which case the best you can possibly do is manage that
(theoretically unbounded) state intelligently.

> "Use separate timeout values for initial sessions"
>
> net.inet.ip.fw.dyn_syn_lifetime ?

Yes.

> "Use dynamically adjustable session timers (Aggressive Aging)"
[...]
> Or maybe a lot of rules are created for a set of hosts causing the state
> table to grow to within some threshold of net.inet.ip.fw.dyn_max, causing
> the lifetime of all rules to be shortened and hopefully create more room
> for additional rules.

I believe that's the idea. IPFW doesn't do this; it simply stops creating
new dynamic rules when the table is full. I think there's lots of room for
DOS resistance here; you could imagine separate per-rule or per-source
quotas on dynamic rules, for example.

> "Allow connection tracking to be disabled"
>
> I.e. Turn off statefulness? I suppose that could give one time to find a
> real solution, but it may require a lot of work. :)

If you turn off statefulness, you lose some expressiveness, and you may
consequently allow or restrict more than you intended to. You couldn't
permit outgoing-only requests via most UDP protocols, for instance; without
state, you wouldn't know whether an incoming response was solicited by a
local machine. For TCP this is less of a problem. If you assume that your
internal hosts properly drop non-SYN packets corresponding to nonexistent
connections, all you have to do is filter SYNs as appropriate and check for
spoofing. Of course with an application layer firewall filtering a stateful
protocol like FTP, you clearly need to maintain state, and that's in
addition to IP fragment reassembly.

From owner-freebsd-security Wed Oct 16 22:15:08 2002
From: Larry Sica
To: Darren Reed
Cc: mike@adept.org (Mike Hoskins), freebsd-security@FreeBSD.ORG
Date: Thu, 17 Oct 2002 01:14:34 -0400
Subject: Re: CERT VU#539363
Message-id: <5346C791-E18F-11D6-A5F8-000393A335A2@earthlink.net>
In-reply-to: <200210170009.KAA02471@caligula.anu.edu.au>

On Wednesday, October 16, 2002, at 08:09 PM, Darren Reed wrote:
> In some mail from Mike Hoskins, sie said:
>> I'm sure everyone saw this on Bugtraq, firewalls, firewall-wizards,
>> etc...
>> But I noticed Apple was quick to respond with a 'we're not vulnerable'
>> regarding OS X and wondered if we could draw similar conclusions.
>
> If they don't do stateful filtering then they are not vulnerable.
>
> Guess we know what version of ipfw is/isn't in OSX then, eh ?

10.2 does do state.

--Larry

From owner-freebsd-security Wed Oct 16 23:01:00 2002
From: Greg Lewis
To: Brett Glass
Cc: security@FreeBSD.ORG
Date: Thu, 17 Oct 2002 15:29:46 +0930
Subject: Re: TCFS for FreeBSD?
Message-ID: <20021017152946.A55544@misty.eyesbeyond.com>
In-Reply-To: <4.3.2.7.2.20021016223222.02b5e180@localhost>

On Wed, Oct 16, 2002 at 10:33:56PM -0600, Brett Glass wrote:
> May I help? I'd like to be able to use it, so long as it
> has not been GPLed. (I haven't checked to see whether the
> maintainers, who are Linux-oriented, GPLed the code they
> added to it.)

Well, the code I ported is from OpenBSD, and the copyright in the relevant
files is BSD style. I also used some KAME code to add some crypto
functionality, but that again is BSD licensed.

I actually fixed my link errors last night, so now I have a kernel with TCFS
support compiled in. I haven't yet tried to boot it, so I'm going to try that
next and also try and get the userland utilities compiling. I can send you
the kernel diffs if you like. Note that this is the first kernel project I've
tried, so I'd be very surprised if it actually worked first time. A crash box
is probably the best thing to test it on :).

Just tell me what part you'd like to be involved in and I'll try and provide
what I have of the code so far :). Others who are interested are also welcome
to what there is so far.

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org

From owner-freebsd-security Thu Oct 17 00:44:48 2002
From: Mike Hoskins
To: David Schultz
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 17 Oct 2002 00:44:28 -0700 (PDT)
Subject: Re: CERT VU#539363
Message-ID: <20021017003422.V5273-100000@fubar.adept.org>
In-Reply-To: <20021017004315.GA8951@HAL9000.homeunix.com>

On Wed, 16 Oct 2002, David Schultz wrote:
> Thus spake Mike Hoskins:
> FreeBSD's ipfw isn't vulnerable because it doesn't do application
> layer filtering. On the other hand, ipfilter is potentially
> susceptible, probably depending on the FTP server you use.

Are you thinking of VU#328867? Take a look at 539363 (which you indicate you
haven't read below). 539353 certainly does affect ipfw, or any stateful
firewall, from what I can see.
It's not a question of whether a given implementation is or isn't vulnerable
so much as a question of which implementations best deal with this type of
(ab)use.

> > "Use firewall features that detect and block flood traffic"
> [...]
> > "Use dynamically resizeable state tables"
> [...]
> Your criticisms here are well-founded; these suggestions do not
> fix the resource exhaustion problem. However, you have to realize
> that a stateful firewall is inherently vulnerable to this kind of
> attack.

Note that the points above (in quotes) were from the CERT VU, I was just
commenting on their recommendations and attempting to draw FreeBSD-specific
corollaries.

> I haven't read the
> list of suggestions you're referring to, but the suggestions
> probably assume that the administrator requires a stateful
> firewall, in which case the best you can possibly do is manage
> that (theoretically unbounded) state intelligently.

"[T]he best you can possibly do is manage that ..." I learned and accepted
that about stateful firewalls long ago. My only real point was ensuring we
handle things as gracefully as possible and possibly provide an official
response to CERT.

> I believe that's the idea. IPFW doesn't do this; it simply stops
> creating new dynamic rules when the table is full. I think
> there's lots of room for DOS resistance here; you could imagine
> separate per-rule or per-source quotas on dynamic rules, for
> example.

I noticed a lot of big names haven't replied (Cisco). I'd like to know how
the PIX' "adaptive security" algorithms handle this - a first clue will be
seeing their response.

> If you turn off statefulness, you lose some expressiveness, and
> you may consequently allow or restrict more than you intended to.

Indeed, I never intended to suggest configuring a "static" firewall as a
valid option for most stateful installations. I believe that was an intended
recommendation from CERT, however, in their typically vague and overly broad
manner. ;)

From owner-freebsd-security Thu Oct 17 04:52:42 2002
From: David Schultz
To: Mike Hoskins
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 17 Oct 2002 04:52:33 -0700
Subject: Re: CERT VU#539363
Message-ID: <20021017115233.GA10789@HAL9000.homeunix.com>
In-Reply-To: <20021017003422.V5273-100000@fubar.adept.org>

Thus spake Mike Hoskins:
> > I believe that's the idea. IPFW doesn't do this; it simply stops
> > creating new dynamic rules when the table is full. I think
> > there's lots of room for DOS resistance here; you could imagine
> > separate per-rule or per-source quotas on dynamic rules, for
> > example.
>
> I noticed a lot of big names haven't replied (Cisco). I'd like to know
> how the PIX' "adaptive security" algorithms handle this - a first clue
> will be seeing their response.
>
> > If you turn off statefulness, you lose some expressiveness, and
> > you may consequently allow or restrict more than you intended to.
>
> Indeed, I never intended to suggest configuring a "static" firewall as a
> valid option for most stateful installations. I believe that was an
> intended recommendation from CERT, however, in their typically vague and
> overly broad manner. ;)

I just read the latter advisory you referred to. It appears to be based on
the paper by Stephen Gill that it cites, and the author of the advisory
doesn't seem to realize that the described vulnerabilities aren't new or
recently discovered. The general problem with maintaining state is
well-known, and the specific attack of desynchronizing the connection state
between an internal host and the firewall is described in [1], along with
several variants. That said, I still find the problem of intelligently
managing firewall state very interesting.

(By the way, the Gill paper cited at the bottom of the advisory mentions PIX.
You mentioned you were interested in that, so you might want to take a look.)

[1] Paxson, V. Bro: A System for Detecting Network Intruders in Real-Time.
    Berkeley, 1999. ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

From owner-freebsd-security Thu Oct 17 08:44:22 2002
From: Greg Lewis
To: Brett Glass
Cc: security@FreeBSD.ORG
Date: Fri, 18 Oct 2002 01:11:08 +0930
Subject: Re: TCFS for FreeBSD?
Message-ID: <20021018011108.A59727@misty.eyesbeyond.com>
In-Reply-To: <200210170617.AAA29738@lariat.org>

On Thu, Oct 17, 2002 at 12:17:27AM -0600, Brett Glass wrote:
> I was under the impression that TCFS, like CFS, operated entirely
> in userspace. What parts of it work down at the kernel level?

It's a filesystem that works in the kernel much like ufs, etc. That is, it
has the standard vfsops definitions and associated functions. All the BSD
code on the TCFS site and that in OpenBSD is like this. I don't know if maybe
on Linux it's implemented in user space since I haven't looked at the Linux
code.

> Also, what did you bring in from KAME? (I would think that the
> necessary crypto would be available through the OpenSSL libraries.)

Right, except OpenSSL isn't linked into the kernel :). The kernel crypto
parts that -STABLE doesn't have are the blowfish and DES block encryption
code. The code itself is originally from OpenSSL or SSLeay by the looks of
it.

> Since you've already worked heavily on the kernel stuff, I should
> probably focus on the userland utilities to avoid having to come
> up the learning curve when you're already there.

Actually, I don't know a lot about either kernel workings or filesystems, I
just wanted to try and port TCFS :). That said, I've just checked and the
user utilities aren't in my tree, so I'll try and track them down (I must
have them somewhere :).

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org

From owner-freebsd-security Thu Oct 17 08:48:30 2002
From: "Charles Swiger"
Date: Thu, 17 Oct 2002 11:45:23 -0400
Subject: Re: CERT VU#539363
Message-ID: <008401c275f4$3508e2c0$0301a8c0@prime>
References: <200210170012.KAA03159@caligula.anu.edu.au>

Darren Reed wrote:
> In some mail from Chuck Swiger, sie said:
[ ... ]
> You're confusing 539363 (state) with 328867 (FTP).

Agreed. Being confused may not completely invalidate what I said, though.
:-)

-Chuck

From owner-freebsd-security Thu Oct 17 09:00:21 2002
From: Mark Murray
To: Greg Lewis
Cc: security@FreeBSD.ORG
Date: Thu, 17 Oct 2002 16:56:56 +0100
Subject: Re: TCFS for FreeBSD?
Message-Id: <200210171556.g9HFuv01087629@grimreaper.grondar.org>
In-Reply-To: <20021018011108.A59727@misty.eyesbeyond.com>

> > Also, what did you bring in from KAME? (I would think that the
> > necessary crypto would be available through the OpenSSL libraries.)
>
> Right, except OpenSSL isn't linked into the kernel :).
> The kernel crypto parts that -STABLE doesn't have are the blowfish and DES
> block encryption code. The code itself is originally from OpenSSL
> or SSLeay by the looks of it.

There is a new (kernel) crypto subsystem that Sam Leffler has committed to
current. He wants to commit it to stable as well, and I think he'll be
allowed to. It is the OpenBSD system, and it supports hardware crypto
accelerators. It's very good.

M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Thu Oct 17 12:35:30 2002
From: Mike Hoskins
To: David Schultz
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 17 Oct 2002 12:35:12 -0700 (PDT)
Subject: Re: CERT VU#539363
Message-ID: <20021017122854.G6449-100000@fubar.adept.org>
In-Reply-To: <20021017115233.GA10789@HAL9000.homeunix.com>

On Thu, 17 Oct 2002, David Schultz wrote:
> I just read the latter advisory you referred to. It appears to be
> based on the paper by Stephen Gill that it cites, and the author
> of the advisory doesn't seem to realize that the described
> vulnerabilities aren't new or recently discovered.

Yes, they've existed as long as state tables have.

> variants. That said, I still find the problem of intelligently
> managing firewall state very interesting.

That was my primary reason for bringing this to -security. (The second being
to see if we had a readied response.) I knew the issues discussed were
nothing new, as I think anyone running stateful firewalls has known for quite
some time... I just wanted to see official opinion about our implementation.

> [1] Paxson, V. Bro: A System for Detecting Network Intruders in
> Real-Time. Berkeley, 1999. ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

Ahh, the alma mater. Touche, I'm reading it now. ;)

From owner-freebsd-security Thu Oct 17 15:50:31 2002
From: twig les
Date: Thu, 17 Oct 2002 15:50:23 -0700 (PDT)
Subject: SSH keeps dying while box seems to be up/PC Weasel?
Message-ID: <20021017225023.18216.qmail@web10102.mail.yahoo.com>
To: freebsd-security@FreeBSD.ORG

Hey all, strange problem here that is probably just bad ram but maybe someone
here might see something I missed. I have 2 identical boxes running 4.6
release (patched & stripped down) in another state, so I can't sit on the
console and watch stuff. One box is fine, the other is hell in beige. The box
keeps becoming unresponsive; the first crash was Saturday morning (note to
self - turn off cell phone on Friday) and then again on Sunday and today
twice. Each time I have to call remote hands and get them to hard reboot the
thing. This box was running happily for about 2-3 months with this config -
nothing changed last week. Previously this box ran 4.4 release for almost a
year without a single crash. So anyway the debug output from my ssh attempt
is below.

On a related issue, can anyone recommend the PC Weasel for console access
from experience? I can't exactly point my management to their site since it's
completely unprofessional (I actually like it, I just can't send management
there) so any experience is welcome.

===========================================
ssh debug
===========================================
Client% ssh -v -v -v Server
debug: SshAppCommon/sshappcommon.c:133/ssh_app_get_global_regex_context: Allocating global SshRegex context.
debug: SshConfig/sshconfig.c:2232/ssh2_parse_config: Unable to open /opt/home/ktokash/.ssh2/ssh2_config
debug: Connecting to mas01, port 22... (SOCKS not used)
debug: Ssh2/ssh2.c:1977/main: Entering event loop.
debug: Ssh2Client/sshclient.c:1403/ssh_client_wrap: Creating transport protocol.
debug: SshAuthMethodClient/sshauthmethodc.c:85/ssh_client_authentication_initialize: Added "hostbased" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:85/ssh_client_authentication_initialize: Added "securid-1@ssh.com" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:85/ssh_client_authentication_initialize: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:85/ssh_client_authentication_initialize: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1444/ssh_client_wrap: Creating userauth protocol.
debug: client supports 4 auth methods: 'hostbased,securid-1@ssh.com,publickey,password'
debug: Ssh2Common/sshcommon.c:560/ssh_common_wrap: local ip = 10.30.150.162, local port = 53843
debug: Ssh2Common/sshcommon.c:562/ssh_common_wrap: remote ip = 10.20.0.124, remote port = 22
debug: SshConnection/sshconn.c:1930/ssh_conn_wrap: Wrapping...
debug: Remote version: SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307
debug: Ssh2Transport/trcommon.c:1306/ssh_tr_input_version: Remote version has rekey incompatibility bug.
debug: Ssh2Transport/trcommon.c:1309/ssh_tr_input_version: Remote version is OpenSSH, KEX guesses disabled.
debug: Ssh2Transport/trcommon.c:1648/ssh_tr_negotiate: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1714/ssh_tr_negotiate: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1717/ssh_tr_negotiate: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/sshcommon.c:318/ssh_common_special: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:368/ssh_common_special: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: SshConfig/sshconfig.c:2232/ssh2_parse_config: Unable to open /opt/home/ktokash/.ssh2/identification
debug: Ssh2AuthClient/sshauthc.c:316/ssh_authc_completion_proc: Method 'publickey' disabled.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:95/ssh_client_auth_passwd: Starting password query...
ktokash's password:
debug: Ssh2Common/sshcommon.c:286/ssh_common_special: Received SSH_CROSS_AUTHENTICATED packet from connection protocol.
debug: Ssh2Common/sshcommon.c:829/ssh_common_new_channel: num_channels now 1
debug: Ssh2Common/sshcommon.c:155/ssh_common_disconnect: DISCONNECT received: Connection closed.
debug: Ssh2/ssh2.c:127/client_disconnect: locally_generated = TRUE
Disconnected; connection lost (Connection closed.).
debug: Ssh2Client/sshclient.c:1478/ssh_client_destroy: Destroying client.
debug: SshConfig/sshconfig.c:537/ssh_config_pki_free: Freeing pki. (host_pki != NULL, user_pki = NULL)
debug: SshConnection/sshconn.c:1982/ssh_conn_destroy: Destroying SshConn object.
debug: Ssh2Common/sshcommon.c:803/ssh_common_destroy_channel: num_channels now 0
debug: Got session close with exit_status=0
debug: destroying client struct...
Connection to mas01 closed.
debug: Ssh2Client/sshclient.c:1540/ssh_client_destroy_finalize: Destroying client completed.
debug: SshAuthMethodClient/sshauthmethodc.c:89/ssh_client_authentication_uninitialize: Destroying authentication method array.
debug: SshAppCommon/sshappcommon.c:146/ssh_app_free_global_regex_context: Freeing global SshRegex context.
debug: SshConfig/sshconfig.c:537/ssh_config_pki_free: Freeing pki. (host_pki = NULL, user_pki = NULL)
=====

-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------
From owner-freebsd-security Fri Oct 18 19:36:36 2002
From: Robert Watson
To: security@FreeBSD.org
Date: Fri, 18 Oct 2002 22:35:59 -0400 (EDT)
Subject: PRIVMAN -- library for privilege separation

Network Associates Laboratories' CBOSS Project has funded a variety of new
things in FreeBSD 5.0 including UFS2, a lot of the TrustedBSD work, etc. That
stuff already gets a fair amount of exposure on the FreeBSD side, so I wanted
to point people at another project under CBOSS, PRIVMAN.

PRIVMAN is a library to make it easier for developers to create privilege
separated applications (similar to that used in Cyrus for password checking,
OpenSSH for privsep, or in some of the OWL daemons, etc). It's still under
development, but we'd welcome any feedback you have to privman@nailabs.com:

    http://opensource.nailabs.com/privman/

We provide patches against the BSD FTPd, WU-FTPd, and thttpd to demonstrate
how the library can be used with existing applications to improve their
resistance to attacks. Questions can be directed to Doug Kilpatrick at NAI
Labs.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
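As an added example of the privilege-separation pattern PRIVMAN packages (this is not PRIVMAN's code or API, and it is not part of Robert's post): a privileged monitor process serves file-open requests from an unprivileged worker over a socketpair, enforces a policy on the requested path, and hands back only a descriptor using SCM_RIGHTS, so the worker never needs the privilege to open the file itself. The policy prefix /tmp/privsep-demo-, the uid 65534, the one-byte 'F'/'D' wire protocol and the sample file are assumptions made for the demo.

```c
/* Added example, not PRIVMAN code: a minimal privilege-separated file open.
 * A privileged monitor serves open requests from an unprivileged worker over
 * a socketpair, applies a path policy, and passes back only a descriptor via
 * SCM_RIGHTS; the worker never calls open() itself. POSIX/BSD calls only. */
#include <sys/socket.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define ALLOWED_PREFIX "/tmp/privsep-demo-"   /* assumed demo policy */
#define UNPRIV_UID 65534                      /* assumed unprivileged uid */
/* Control-message buffer sized for exactly one descriptor. */
union cmsgbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Policy the monitor enforces: read-only, under the prefix, no "..". */
int privsep_policy_allows(const char *path)
{
    return strncmp(path, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) == 0
        && strstr(path, "..") == NULL;
}

/* Wire format: one tag byte, 'F' with a descriptor attached or 'D' denied. */
static int send_tag(int sock, char tag, int fd)
{
    struct iovec iov = { &tag, 1 };
    struct msghdr msg = { 0 }; union cmsgbuf u = { { 0 } }; struct cmsghdr *c;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    if (fd >= 0) {                             /* attach the descriptor */
        msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
        c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Returns the descriptor the monitor passed, or -1 on denial or error. */
static int recv_fd(int sock)
{
    char tag = 0; int fd; struct iovec iov = { &tag, 1 };
    struct msghdr msg = { 0 }; union cmsgbuf u = { { 0 } }; struct cmsghdr *c;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1 || tag != 'F') return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd); return fd;
}

/* Monitor side (keeps privilege): serve exactly one open request. */
static void monitor_serve(int sock)
{
    char path[256]; int fd = -1;
    ssize_t n = read(sock, path, sizeof path - 1);
    if (n <= 0) return;
    path[n] = '\0';
    if (privsep_policy_allows(path)) fd = open(path, O_RDONLY);
    send_tag(sock, fd >= 0 ? 'F' : 'D', fd);
    if (fd >= 0) close(fd);                    /* worker holds its own copy */
}

/* One privilege-separated read: parent = monitor, child = worker that drops
 * root if it has it and streams the file back over a pipe. Returns bytes
 * delivered into out (truncated at outlen), or -1 if the monitor refused. */
long privsep_read_file(const char *path, char *out, size_t outlen)
{
    int sv[2], pfd[2], status, fd;
    size_t total = 0; char chunk[512]; ssize_t n; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                            /* worker */
        close(sv[0]); close(pfd[0]);
        if (getuid() == 0 && (setgid(UNPRIV_UID) < 0 || setuid(UNPRIV_UID) < 0))
            _exit(2);
        if (write(sv[1], path, strlen(path)) < 0 || (fd = recv_fd(sv[1])) < 0)
            _exit(1);
        while ((n = read(fd, chunk, sizeof chunk)) > 0)
            if (write(pfd[1], chunk, (size_t)n) != n) _exit(2);
        _exit(0);
    }
    close(sv[1]); close(pfd[1]);
    monitor_serve(sv[0]);
    close(sv[0]);
    while ((n = read(pfd[0], chunk, sizeof chunk)) > 0) {  /* drain worker */
        size_t take = (size_t)n < outlen - total ? (size_t)n : outlen - total;
        memcpy(out + total, chunk, take);
        total += take;
    }
    close(pfd[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? (long)total : -1;
}

/* Demo helper: create the constructed sample file the worker will ask for. */
int privsep_demo_write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    ssize_t n = fd < 0 ? -1 : write(fd, text, strlen(text));
    if (fd >= 0) close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}
```

A call such as privsep_read_file(ALLOWED_PREFIX "secret.txt", buf, sizeof buf) returns the file's length once privsep_demo_write_file has created it, while a request for /etc/passwd or any path containing ".." is refused by the monitor and returns -1. The point the example makes is the one the library exists for: the only code that ever runs with privilege is monitor_serve and the policy function, a few dozen lines that can be audited, while everything that touches untrusted input runs in the worker with no way to open files except by asking.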