From owner-freebsd-security Tue Nov 5 5:15: 2 2002
Date: Tue, 5 Nov 2002 14:14:53 +0100
To: security@freebsd.org
Cc: rammer@cs.tut.fi
Subject: Re: aide 0.9, anybody
Message-ID: <20021105131453.GA31325@lupe-christoph.de>
References: <20021029102222.GA8274@lupe-christoph.de>
In-Reply-To: <20021029102222.GA8274@lupe-christoph.de>
From: lupe@lupe-christoph.de (Lupe Christoph)

Rami,

on freebsd-security I reported problems getting aide-0.9 to compile. Some people seem to have done some work on this, but no one submitted a port for aide-0.9 (the port is stuck at 0.7).

I have invested some more time in this. Below you find a log describing what I did, mostly on the CVS version.

freebsd-security, if anybody wants to do this, please follow the instructions on http://www.cs.tut.fi/~rammer/aide.html to get the CVS version of aide. Using the CVS version requires one to use the older variants of the auto* ports, autoconf213 and automake14. Use

autoheader213; automake14; autoconf213

On Tuesday, 2002-10-29 at 11:22:22 +0100, Lupe Christoph wrote:

> I already overcame some problems in configure with libgcrypt. Who do I
> talk to about updating the port once it installs and works?

Weellll, I kludged configure to do that. Now I have a patch to configure.in. That file twiddles CPPFLAGS, IMNSHO unnecessarily. This patch removes the twiddling:

--- configure.in.orig Fri May 31 14:47:07 2002 +++ configure.in Tue Nov 5 11:23:56 2002 @@ -46,7 +46,7 @@ AC_ARG_WITH(extra-includes, [ --with-extra-includes Specify additional paths to find headerfiles], - [ CPPFLAGS="$CFLAGS $withval" ]) + [ CPPFLAGS="$CPPFLAGS $withval" ]) AC_ARG_WITH(extra-libs, [ --with-extra-libs Specify aditional paths to find libraries], [ LDFLAGS="$LDFLAGS $withval" ])
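Review bot: the extra-includes action still appends $withval without looking at it, so a bare --with-extra-includes or --without-extra-includes would put the literal yes or no into CPPFLAGS; a test for those two values before the assignment (and the same in the unchanged extra-libs action, which does the equivalent to LDFLAGS) would avoid that. The help strings say "paths", but the value is used verbatim as compiler or linker flags, so they should state that the -I or -L prefix is expected, as in the --with-extra-includes=-I/usr/local/include invocation quoted later in this message; "headerfiles" and "aditional" in those strings could be corrected in the same pass.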
@@ -164,7 +164,6 @@ fi CFLAGS="$LD_STATIC_FLAG" -CPPFLAGS="$LD_STATIC_FLAG" AC_SUBST(LD_STATIC_FLAG)

I believe the first one is a typo, and the second one a thinko ...

Checking CVS version of aide ... That problem is gone.

I confirmed that aide-0.9 has a problem with newer bison versions by trying it on Debian Testing which also has bison 1.75. And that is not gone in CVS. Rami, can you please look at this?

bison -y -d -p conf -o conf_yacc.c /usr/home/lupe/aide-cvs/aide/src/conf_yacc.y
/usr/home/lupe/aide-cvs/aide/src/conf_yacc.y:144.23-154.5: type clash (`i' `s') on default action
/usr/home/lupe/aide-cvs/aide/src/conf_yacc.y:154.7: parse error, unexpected ":", expecting ";" or "|"
/usr/home/lupe/aide-cvs/aide/src/conf_yacc.y:217.23: parse error, unexpected ":", expecting ";" or "|"
/usr/home/lupe/aide-cvs/aide/src/conf_yacc.y:251.1-2: parse error, unexpected "%%", expecting ";" or "|"

Using yacc instead of bison -y works OK. Why, then, does configure insist on bison??? Rami, can you please make the autoconf stuff check for yacc first?

Also, the CVS version requires GNU make:

"/usr/home/lupe/aide-cvs/aide/src/Makefile", line 267: Need an operator
make: fatal errors encountered -- cannot continue

That line is:

-include $(DEP_FILES)

AFAIR, different makes have different syntax for include. Dunno if automake can compensate for this.

Now I get this:

In file included from /usr/home/lupe/aide-cvs/aide/src/conf_yacc.y:13:
/usr/home/lupe/aide-cvs/aide/include/db_config.h:302: syntax error before `blkcnt_t'

Which is:

AIDE_BLKCNT_TYPE bcount;

This gets rewritten by macro expansion:

blkcnt_t bcount;

This seems to be a copy of st_blocks from the stat struct. But that has:

int64_t st_blocks; /* blocks allocated for file */

autoconf should include a check for the type of st_blocks.

Next obstacle:

gen_list.c:30: ustat.h: No such file or directory

FreeBSD has no ustat! The code that uses ustat is:

/* Here we should check if we need to add it..
*/
{
    struct ustat buf;
    if (ustat(fs.st_dev, &buf) != 0 || buf.f_fname[0]==0) {
    } else {
    }
}

Looks like an incomplete experiment. For now, I'll just remove it.

This was the last block, now I get an aide executable.

BTW, the configure line I used was

./configure --with-zlib --with-config_file=/etc/aide/aide.conf \
    --with-gcrypt --enable-forced_configmd --enable-forced_dbmd \
    --with-extra-includes=-I/usr/local/include \
    --with-extra-libs=-L/usr/local/lib

I'm out of tuits for now, so I can't test the executable right now.

Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 5 10: 9:32 2002
Date: Tue, 5 Nov 2002 13:09:23 -0500
From: Klaus Steden
To: freebsd-security@freebsd.org
Subject: per-user groups
Message-ID: <20021105130922.A36056@cthulu.compt.com>

Can anyone explain to me the benefits of per-user groups? It seems to me that modern *nix systems, FreeBSD included, create a new group for each user.

Is there a security benefit (or some other benefit) to be had by this? Why has it apparently been adopted as a convention by the free *nix flavours?

Just curious, not looking to start a long discussion about it, so off-list answers are fine.

thanks,
Klaus

From owner-freebsd-security Tue Nov 5 10:35:53 2002
Message-ID: <3DC80F76.4020909@centtech.com>
Date: Tue, 05 Nov 2002 12:35:34 -0600
From: Eric Anderson
To: Klaus Steden
Cc: freebsd-security@freebsd.org
Subject: Re: per-user groups
References: <20021105130922.A36056@cthulu.compt.com>

Klaus Steden wrote:
> Can anyone explain to me the benefits of per-user groups? It seems to me that
> modern *nix systems, FreeBSD included, create a new group for each user.
>
> Is there a security benefit (or some other benefit) to be had by this? Why has
> it apparently been adopted as a convention by the free *nix flavours?

My understanding (which is most probably incorrect), is that it is safer to assign a new group per user, than automatically default them to some set group.

In other words - people are lazy, and so if that's true (it is), then they are likely to believe that the default is the best choice. If all users default to some standard group, then it is far easier to have accidentally set a file to mode 775 (or some such variant), and have the whole user base have rights to it, than a default group of the user itself - which would be limited.

Eric

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
Beware the fury of a patient man.
------------------------------------------------------------------

From owner-freebsd-security Tue Nov 5 11: 0:54 2002
From: "jnelson"
To: "'Eric Anderson'", "'Klaus Steden'"
Subject: RE: per-user groups
Date: Tue, 5 Nov 2002 13:00:54 -0600
Message-ID: <000d01c284fd$aa81a290$34002740@jnelson>
In-Reply-To: <3DC80F76.4020909@centtech.com>

" 'probably incorrect' " but I think he's exactly right. Users must belong to a group, so defaulting to creating their own bypasses this requirement--in essence. I've been using the same custom Zsh for so long that I don't recall what the default umask setting is, but I'm pretty sure 022 is it and not 002.

I've heard talk of a new system of group/user permissions; is anyone working with that project?

-j

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Eric Anderson
Sent: Tuesday, November 05, 2002 12:36 PM
To: Klaus Steden
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: per-user groups

Klaus Steden wrote:
> Can anyone explain to me the benefits of per-user groups? It seems to me that
> modern *nix systems, FreeBSD included, create a new group for each user.
>
> Is there a security benefit (or some other benefit) to be had by this? Why has
> it apparently been adopted as a convention by the free *nix flavours?

My understanding (which is most probably incorrect), is that it is safer to assign a new group per user, than automatically default them to some set group.

In other words - people are lazy, and so if that's true (it is), then they are likely to believe that the default is the best choice. If all users default to some standard group, then it is far easier to have accidentally set a file to mode 775 (or some such variant), and have the whole user base have rights to it, than a default group of the user itself - which would be limited.

Eric

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
Beware the fury of a patient man.
------------------------------------------------------------------

From owner-freebsd-security Tue Nov 5 11: 8: 3 2002
To: freebsd-security@freebsd.org
Subject: Re: per-user groups
References: <20021105130922.A36056@cthulu.compt.com>
From: Lowell Gilbert
Date: 05 Nov 2002 14:07:59 -0500
In-Reply-To: <20021105130922.A36056@cthulu.compt.com>
Message-ID: <441y5zj0mo.fsf@be-well.ilk.org>

Klaus Steden writes:

> Can anyone explain to me the benefits of per-user groups? It seems to me that
> modern *nix systems, FreeBSD included, create a new group for each user.

The only thing that does this is adduser(8), which is just a script that can be (and is) adapted easily for people with different kinds of policies in mind.

> Is there a security benefit (or some other benefit) to be had by this? Why has
> it apparently been adopted as a convention by the free *nix flavours?

There's an explanation in the manual for adduser(8)...

From owner-freebsd-security Tue Nov 5 11:21:20 2002
Date: Tue, 5 Nov 2002 14:20:53 -0500 (EST)
From: Matt Piechota
To: Eric Anderson
Cc: Klaus Steden
Subject: Re: per-user groups
In-Reply-To: <3DC80F76.4020909@centtech.com>
Message-ID: <20021105141841.F27225-100000@cithaeron.argolis.org>

On Tue, 5 Nov 2002, Eric Anderson wrote:

> My understanding (which is most probably incorrect), is that it is safer
> to assign a new group per user, than automatically default them to some
> set group.
>
> In other words - people are lazy, and so if that's true (it is), then
> they are likely to believe that the default is the best choice. If all
> users default to some standard group, then it is far easier to have
> accidentally set a file to mode 775 (or some such variant), and have the
> whole user base have rights to it, than a default group of the user
> itself - which would be limited.

It also makes sharing safer without admin intervention:

bob@foo% chgrp fred myfile ; chmod 750 myfile
bob@foo% echo 'check out myfile' | write fred

--
Matt Piechota

From owner-freebsd-security Tue Nov 5 12:56:23 2002
Date: Tue, 5 Nov 2002 21:56:17 +0100 (CET)
From: Joachim Griesche
Message-Id: <200211052056.gA5KuHGq096394@bsd.ist-ffo.de>
To: freebsd-security@freebsd.org
Subject: Per-user groups, use of chgrp
Cc: griesche@bsd.ist-ffo.de

Hello!

I am afraid that the example Mr. Piechota has given does not work. I can only change the file affiliation to a group which I am a member of:

fs-24>uname -r -s
FreeBSD 4.6-RELEASE-p2
fs-25>touch myfile
fs-26>ls -l myfile
-rw-r--r-- 1 griesche user 0 Nov 5 21:47 myfile
fs-27>chgrp montage myfile
chgrp: you are not a member of group montage
fs-28>ls -l myfile
-rw-r--r-- 1 griesche user 0 Nov 5 21:47 myfile

With best regards
Joachim Griesche
Network administrator
Institut fuer Solartechnologien GmbH
Frankfurt (Oder), Germany

From owner-freebsd-security Tue Nov 5 13:19:38 2002
Date: Tue, 5 Nov 2002 16:19:22 -0500 (EST)
From: Matt Piechota
To: Joachim Griesche
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Per-user groups, use of chgrp
In-Reply-To: <200211052056.gA5KuHGq096394@bsd.ist-ffo.de>
Message-ID: <20021105161640.A27225-100000@cithaeron.argolis.org>

On Tue, 5 Nov 2002, Joachim Griesche wrote:

> I am afraid that the example Mr. Piechota has given does
> not work. I can only change the file affiliation to a group
> which I am a member of:
>
> fs-24>uname -r -s
> FreeBSD 4.6-RELEASE-p2
> fs-25>touch myfile
> fs-26>ls -l myfile
> -rw-r--r-- 1 griesche user 0 Nov 5 21:47 myfile
> fs-27>chgrp montage myfile
> chgrp: you are not a member of group montage
> fs-28>ls -l myfile
> -rw-r--r-- 1 griesche user 0 Nov 5 21:47 myfile
>
> With best regards
> Joachim Griesche

Oh, nevermind then. My bad, I did it on my Linux machine by accident.

--
Matt Piechota

From owner-freebsd-security Tue Nov 5 13:41:33 2002
Date: Tue, 5 Nov 2002 16:40:49 -0500
From: The Anarcat
To: Matt Piechota
Cc: Joachim Griesche, freebsd-security@freebsd.org
Subject: Re: Per-user groups, use of chgrp
Message-ID: <20021105214048.GE13909@xtanbul.studio.espresso-com.com>
In-Reply-To: <20021105161640.A27225-100000@cithaeron.argolis.org>

Hmmm.. Even then:

anarcat[~]% uname -a
Linux censored.xxxxx.com 2.4.18-newpmac #1 Thu Mar 14 22:44:49 EST 2002 ppc unknown unknown GNU/Linux
anarcat[~]% touch myfile
anarcat[~]% ls -l myfile
-rw-r--r-- 1 anarcat anarcat 0 Nov 5 16:39 myfile
anarcat[~]% chgrp foobar myfile
chgrp: changing group of `myfile': Operation not permitted
anarcat[~]%

On Tue Nov 05, 2002 at 04:19:22PM -0500, Matt Piechota wrote:
> On Tue, 5 Nov 2002, Joachim Griesche wrote:
>
> > I am afraid that the example Mr. Piechota has given does
> > not work. I can only change the file affiliation to a group
> > which I am a member of:
> >
> > fs-24>uname -r -s
> > FreeBSD 4.6-RELEASE-p2
> > fs-25>touch myfile
> > fs-26>ls -l myfile
> > -rw-r--r-- 1 griesche user 0 Nov 5 21:47 myfile
> > fs-27>chgrp montage myfile
> > chgrp: you are not a member of group montage
> > fs-28>ls -l myfile
> > -rw-r--r-- 1 griesche user 0 Nov 5 21:47 myfile
> >
> > With best regards
> > Joachim Griesche
>
> Oh, nevermind then. My bad, I did it on my Linux machine by accident.
>
> --
> Matt Piechota

From owner-freebsd-security Wed Nov 6 3:45:54 2002
Date: Wed, 6 Nov 2002 12:46:05 +0100
From: Boris Köster
Message-ID: <2413129108.20021106124605@x-itec.de>
To: owner-freebsd-questions@FreeBSD.ORG, Palle Girgensohn
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ipsec, ESP & IKE, freebsd as vpn `client' <-> openbsd, how?
In-Reply-To: <133830000.1035329093@palle.girgensohn.se>
References: <133830000.1035329093@palle.girgensohn.se>

Hello Palle,

Wednesday, October 23, 2002, 12:24:53 AM, you wrote:

PG> Hi!

PG> We just moved our company to a new `office hotel', and they have an openbsd
PG> firewall with an VPN setup that I should be able to use from home. A
PG> consultant set the openbsd machine up, and the guys in the new office knows
PG> absolutely nothing about unix whatsoever. When asking how to use the VPN, I
PG> got instructions for setting up the windows utility `PGP Desktop Security'.

Read our IPSEC/IKE MiniHowTo that may help you with setting up IPSEC; this may help you a little bit *g

http://www.x-itec.de/projects/tuts/ipsec-howto.txt

PG> Is there a crash course / FAQ that will actually help me? Or can someone
PG> just give some hints on how to set things up on the FreeBSD end, from
PG> scratch?

--
Best regards,
Boris Köster mailto:x-itec@freenet.de
X-ITEC IT-Consulting Tel.: (o 27 21) 989 4oo
http://www.x-itec.NET

From owner-freebsd-security Thu Nov 7 13:37:42 2002
From: "Jack Xiao"
Subject: ESP/NULL with isakmpd
Date: Thu, 7 Nov 2002 16:38:16 -0500

Hi All,

I am wondering whether anybody has succeeded in implementing ESP/NULL encryption with isakmpd, racoon or even manually under FreeBSD according to RFC-2410? There're some difficulties for me to get that to work with isakmpd, which is from OpenBSD.

Hope to get your answer soon.

Thanks!

Jack

From owner-freebsd-security Sat Nov 9 15:11:54 2002
Date: Sun, 10 Nov 2002 10:11:51 +1100
From: Joshua Goodall
To: jdp@freebsd.org
Cc: security@freebsd.org
Subject: Security issue in net/cvsup-mirror port
Message-ID: <20021109231151.GF33758@roughtrade.net>

Hi,

Better not to file a PR for this, I feel.

I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that it appends to the fixed-name file /var/tmp/cvsupd.out

Therefore if I were a malicious user, I could make a symlink of that name in /var/tmp to effect arbitrary file corruption. If I was really clever, I might point it at /root/.ssh/authorized_keys and use secondary means to get cvsupd's output to include my public key.

Consider changing it to /var/log/cvsupd.out ?

Regards,
Joshua.

--
Joshua Goodall joshua@roughtrade.net
"Your byte hit ratio is weak, old man"
"If you cache me now, I will dump more core than you can possibly imagine"
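
The fixed-name append reported in the last message, replayed in a throwaway directory beside a hardened open. This is an added example, not code from the message or from the cvsup-mirror port. The names open_log_append, log_dir_problems and demo, the shared_tmp directory (standing in for /var/tmp) and victim.txt are assumptions made for the illustration.

```python
import os
import stat
import tempfile

class UnsafeLogTarget(Exception):
    """The log path is not a plain file that this process owns exclusively."""

def open_log_append(path, mode=0o600):
    """Open path for appending; refuse symlinks, hard links and foreign files."""
    # O_NOFOLLOW: open(2) fails if the final path component is a symlink.
    # O_NONBLOCK: do not hang if a FIFO already exists under this name.
    flags = (os.O_WRONLY | os.O_APPEND | os.O_CREAT
             | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        raise UnsafeLogTarget(f"{path}: cannot open safely ({exc.strerror})") from exc
    # Check the object actually opened (fstat on the descriptor), so the
    # result cannot be invalidated by someone swapping the name afterwards.
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        problem = "not a regular file"
    elif st.st_uid != os.geteuid():
        problem = "owned by another user"
    elif st.st_nlink != 1:
        problem = "has more than one hard link"
    else:
        return fd
    os.close(fd)
    raise UnsafeLogTarget(f"{path}: {problem}")

def log_dir_problems(dirpath):
    """List reasons why dirpath is a poor home for a fixed-name log file."""
    st = os.stat(dirpath)
    problems = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory is writable by group or others")
    if st.st_uid not in (0, os.geteuid()):
        problems.append("directory is owned by an untrusted user")
    return problems

def _write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)

def _read(path):
    with open(path) as fh:
        return fh.read()

def _refused(path):
    try:
        os.close(open_log_append(path))
    except UnsafeLogTarget:
        return True
    return False

def demo():
    """Replay the report in a throwaway directory standing in for /var/tmp."""
    out = {}
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "shared_tmp")   # constructed stand-in for /var/tmp
        os.mkdir(shared)
        os.chmod(shared, 0o1777)                    # sticky and world-writable
        victim = os.path.join(base, "victim.txt")   # constructed file at risk
        log = os.path.join(shared, "cvsupd.out")
        _write(victim, "original\n")
        os.symlink(victim, log)                     # the name already exists as a symlink
        _write(log, "daemon output\n", mode="a")    # what a shell ">>" does: follows it
        out["plain_append_changed_victim"] = _read(victim) != "original\n"
        _write(victim, "original\n")
        out["symlink_refused"] = _refused(log)
        os.unlink(log)
        os.link(victim, log)                        # same name, now a hard link
        out["hardlink_refused"] = _refused(log)
        out["victim_intact"] = _read(victim) == "original\n"
        os.unlink(log)
        fd = open_log_append(log)                   # nothing pre-created: normal use
        os.write(fd, b"daemon output\n")
        os.close(fd)
        out["fresh_log_written"] = _read(log) == "daemon output\n"
        out["shared_dir_problems"] = log_dir_problems(shared)
    return out

if __name__ == "__main__":
    print(demo())
```

Moving the file to a directory that only root can write, as the message suggests with /var/log, removes the precondition altogether; the descriptor checks cover the case where the path has to stay in a shared directory.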