From owner-freebsd-security@FreeBSD.ORG Sun Jun 8 00:28:55 2003
Date: Sun, 8 Jun 2003 01:28:50 -0600 (MDT)
From: Brett Glass
Message-Id: <200306080728.BAA24342@lariat.org>
To: security@freebsd.org
Subject: Removable media security in FreeBSD

I'm working with a FreeBSD user -- a teacher -- who's running KDE on a system on which she neither has nor wants root privileges. She wants to be able to mount and unmount floppies and ZIP cartridges from within KDE, using the standard KwikDisk utility (which, by the way, generates mount and unmount commands that don't conform to FreeBSD syntax; however, it appears possible to fix this by customizing the commands).

I don't want to open up the floppy and ZIP drives to all users simultaneously, since this would allow anyone to write someone else's removable media. Is there a standard, SECURE way of allowing an unprivileged user at the console to get at removable media that s/he has inserted in the machine?

--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Sun Jun 8 01:04:33 2003
Date: Sun, 8 Jun 2003 10:04:29 +0200
From: zk
To: Brett Glass
Message-ID: <20030608080429.GA234@hhos.serious.ld>
In-Reply-To: <200306080728.BAA24342@lariat.org>
cc: security@freebsd.org
Subject: Re: Removable media security in FreeBSD

On Sun, Jun 08, 2003 at 01:28:50AM -0600, Brett Glass wrote:
> since this would allow anyone to write someone else's removable media. Is
> there a standard, SECURE way of allowing an unprivileged user at the console
> to get at removable media that s/he has inserted in the machine?
>
Create group floppy, chown 0:floppy /dev/floppy*, chmod g+rw /dev/fd0* and add user to group floppy. And vfs.usermount=1

zk

From owner-freebsd-security@FreeBSD.ORG Sun Jun 8 13:28:59 2003
Date: Sun, 8 Jun 2003 22:35:47 +0200 (CEST)
From: Vaclav Petricek
To: freebsd-security@freebsd.org
Subject: redirect unauthorized users to a login page (natd as a transparent proxy)

Hello

I am trying to redirect all http traffic of unauthorized wifi users on a wireless hotspot to a login page. The problem I have is that I can not disable the regular address translation (I want the source address to stay the same).

10.0.0.7 is the wifi client
195.250.155.29 is the web wifi user tries to access from his browser
195.113.17.94 is my login page
10.0.0.1 is the wifi interface on the server

What happens is

In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
[TCP] 10.0.0.1:1036 -> 195.113.17.94:80

The natd configuration file:
-------------------------------------------------------------------------
interface wi0
port 1234
#proxy_only yes
reverse
proxy_rule port 80 server 195.113.17.94:80
-------------------------------------------------------------------------

Natd was run as natd -f /etc/natd.conf -v with
00010 divert 1234 tcp from any to any via wi0

I was hoping proxy_only will do the trick but it does not seem to have any impact and the source address is changed anyway.

A quick glance at the source did not help much to my understanding of the proxy_only option.
Thank you very much for any hints,

Vaclav

From owner-freebsd-security@FreeBSD.ORG Sun Jun 8 15:05:16 2003
Date: Mon, 9 Jun 2003 01:05:07 +0300
From: Ruslan Ermilov
To: Vaclav Petricek
Message-ID: <20030608220507.GA84706@sunbay.com>
cc: freebsd-security@freebsd.org
Subject: Re: redirect unauthorized users to a login page (natd as a transparent proxy)

On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek wrote:
>
> Hello
>
> I am trying to redirect all http traffic of unauthorized wifi users on a
> wireless hotspot to a login page. The problem I have is that I can not
> disable the regular address translation (I want the source address to stay
> the same).
>
> 10.0.0.7 is the wifi client
> 195.250.155.29 is the web wifi user tries to access from his browser
> 195.113.17.94 is my login page
> 10.0.0.1 is the wifi interface on the server
>
> What happens is
>
> In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
> [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
>
> The natd configuration file:
> -------------------------------------------------------------------------
> interface wi0
> port 1234
> #proxy_only yes
> reverse
> proxy_rule port 80 server 195.113.17.94:80
> -------------------------------------------------------------------------
>
> Natd was run as natd -f /etc/natd.conf -v with
> 00010 divert 1234 tcp from any to any via wi0
>
> I was hoping proxy_only will do the trick but it does not seem to have
> any impact and the source address is changed anyway.
>
> A quick glance at the source did not help much to my understanding of the
> proxy_only option.
>
Confirmed as a bug. The attached patch worked for me, please test it. You'll have to recompile and reinstall libalias(3), then recompile and reinstall natd(8) with the new library.

Cheers,
--
Ruslan Ermilov
Sysadmin and DBA, ru@sunbay.com
Sunbay Software Ltd, ru@FreeBSD.org
FreeBSD committer

Content-Disposition: attachment; filename=p

Index: alias.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.36
diff -u -p -r1.36 alias.c
--- alias.c	23 Jul 2002 00:16:19 -0000	1.36
+++ alias.c	8 Jun 2003 21:56:06 -0000
@@ -1057,7 +1057,8 @@ TcpAliasOut(struct ip *pip, int maxpacke =20 link =3D FindUdpTcpOut(pip->ip_src, pip->ip_dst, tc->th_sport, tc->th_dport, - IPPROTO_TCP, 1); + IPPROTO_TCP, + !(packetAliasMode & PKT_ALIAS_PROXY_ONLY)); if (link !=3DNULL) { u_short alias_port;
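Review bot: passing !(packetAliasMode & PKT_ALIAS_PROXY_ONLY) as the last argument of FindUdpTcpOut() turns off link creation whenever proxy_only is set, so the outbound packet is left alone but no link is recorded for the connection and the inbound path then has nothing to de-alias the reply against; the author's follow-up in this thread confirms that replies are not de-aliased with this patch. Keep link creation and instead control which alias address the new link is given (the second patch's SetDefaultAliasAddress(pip->ip_src) does that), and add a comment at the call site saying why proxy_only must still create links.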
From: Ruslan Ermilov
To: Vaclav Petricek
Message-ID: <20030608230204.GB88799@sunbay.com>
In-Reply-To: <20030608220507.GA84706@sunbay.com>
cc: current@freebsd.org
cc: security@freebsd.org
Subject: Re: redirect unauthorized users to a login page (natd as a transparent proxy)
X-List-Received-Date: Sun, 08 Jun 2003 23:02:11 -0000

On Mon, Jun 09, 2003 at 01:05:07AM +0300, Ruslan Ermilov wrote:
> On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek wrote:
> >
> > Hello
> >
> > I am trying to redirect all http traffic of unauthorized wifi users on a
> > wireless hotspot to a login page. The problem I have is that I can not
> > disable the regular address translation (I want the source address to stay
> > the same).
> >
> > 10.0.0.7 is the wifi client
> > 195.250.155.29 is the web wifi user tries to access from his browser
> > 195.113.17.94 is my login page
> > 10.0.0.1 is the wifi interface on the server
> >
> > What happens is
> >
> > In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
> > [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
> >
> > The natd configuration file:
> > -------------------------------------------------------------------------
> > interface wi0
> > port 1234
> > #proxy_only yes
> > reverse
> > proxy_rule port 80 server 195.113.17.94:80
> > -------------------------------------------------------------------------
> >
> > Natd was run as natd -f /etc/natd.conf -v with
> > 00010 divert 1234 tcp from any to any via wi0
> >
> > I was hoping proxy_only will do the trick but it does not seem to have
> > any impact and the source address is changed anyway.
> >
> > A quick glance at the source did not help much to my understanding of the
> > proxy_only option.
> >
> Confirmed as a bug. The attached patch worked for me,
> please test it. You'll have to recompile and reinstall
> libalias(3), then recompile and reinstall natd(8) with
> new library.
>
I was too fast. This patch doesn't work well. It works in the sense that it doesn't modify the source IP address of the proxied packets, but it doesn't work in the sense that reply packets do not undergo de-aliasing. The attached patch is verified to work. Please test it instead.
Cheers,
--
Ruslan Ermilov
Sysadmin and DBA, ru@sunbay.com
Sunbay Software Ltd, ru@FreeBSD.org
FreeBSD committer

Content-Disposition: attachment; filename=p

Index: alias.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.36
diff -u -p -r1.36 alias.c
--- alias.c	23 Jul 2002 00:16:19 -0000	1.36
+++ alias.c	8 Jun 2003 22:38:36 -0000
@@ -1425,6 +1425,10 @@ PacketAliasOut(char *ptr, /* v SetDefaultAliasAddress(pip->ip_src); } } + else if (packetAliasMode & PKT_ALIAS_PROXY_ONLY) + { + SetDefaultAliasAddress(pip->ip_src); + } =20 iresult =3D PKT_ALIAS_IGNORED; if ((ntohs(pip->ip_off) & IP_OFFMASK) =3D=3D 0)
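Review bot: SetDefaultAliasAddress(pip->ip_src) in the new else-if branch updates library-wide state on every outbound packet in PKT_ALIAS_PROXY_ONLY mode, so with several clients behind the interface each packet overwrites the default alias address the previous one set; that is only correct if a link copies the alias address at the moment it is created, which the hunk relies on but does not show, so a short comment stating that assumption belongs above the branch. The branch also runs before the `(ntohs(pip->ip_off) & IP_OFFMASK) == 0` check, so non-first fragments reset the address as well; harmless as long as they carry the same source, but worth a note. libalias(3) and natd(8) should document that proxy_only now preserves the client's source address and de-aliases the replies.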
From: Robert Watson
To: zk
In-Reply-To: <20030608080429.GA234@hhos.serious.ld>
X-Mailman-Approved-At: Mon, 09 Jun 2003 05:16:02 -0700
X-List-Received-Date: Sun, 08 Jun 2003 15:58:26 -0000
cc: security@freebsd.org
Subject: Re: Removable media security in FreeBSD

On Sun, 8 Jun 2003, zk wrote:
> On Sun, Jun 08, 2003 at 01:28:50AM -0600, Brett Glass wrote:
> > since this would allow anyone to write someone else's removable media. Is
> > there a standard, SECURE way of allowing an unprivileged user at the console
> > to get at removable media that s/he has inserted in the machine?
>
> Create group floppy, chown 0:floppy /dev/floppy*, chmod g+rw /dev/fd0*
> and add user to group floppy. And vfs.usermount=1

If the definition of the policy really means "any user who can log in at the console", I'd change the chown/chmod bits to a pointer to fbtab, and use vfs.usermount.

On the "SECURE" front -- well, it depends a bit on how robust our file system support is. Bad UFS file systems can cause the FreeBSD kernel to behave improperly, since it's assumed that file systems will be clean or explicitly checked before mounting. I've never really experimented much with our FAT file system support to see how robust it is; we have a 5.2-RELEASE TODO list item to merge some robustness improvements from the Darwin implementation back into FreeBSD, which suggests our implementation could be improved on :-). I believe our usermount support carefully sets nodev, nosuid, etc, on any file systems mounted by root, but haven't tested that in a bit.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 06:39:37 2003
Date: Mon, 9 Jun 2003 15:39:31 +0200
From: zk
To: security@freebsd.org
Message-ID: <20030609133931.GA471@hhos.serious.ld>
cc: Robert Watson
Subject: Re: Removable media security in FreeBSD

On Sun, Jun 08, 2003 at 11:57:04AM -0400, Robert Watson wrote:
>
> If the definition of the policy really means "any user who can log in at
> the console", I'd change the chown/chmod bits to a pointer to fbtab, and
> use vfs.usermount.
>
The problem with fbtab: I want to give mount permission to some console users and not to the others. And what about xdm? Is there any solution besides changing scripts in /usr/X11R6/lib/X11/xdm?

> On the "SECURE" front -- well, it depends a bit on how robust our file
> system support is. Bad UFS file systems can cause the FreeBSD kernel to
> behave improperly, since it's assumed that file systems will be clean or
> explicitly checked before mounting. I've never really experimented much
> with our FAT file system support to see how robust it is; we have a
> 5.2-RELEASE TODO list item to merge some robustness improvements from the
> Darwin implementation back into FreeBSD, which suggests our implementation
> could be improved on :-). I believe our usermount support carefully sets
> nodev, nosuid, etc, on any file systems mounted by root, but haven't
> tested that in a bit.
>

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 10:17:07 2003
Date: Mon, 9 Jun 2003 19:17:04 +0200
From: "Simon L. Nielsen"
To: zk
Message-ID: <20030609171703.GB405@nitro.dk>
In-Reply-To: <20030609133931.GA471@hhos.serious.ld>
cc: Robert Watson
cc: security@freebsd.org
Subject: Re: Removable media security in FreeBSD

On 2003.06.09 15:39:31 +0200, zk wrote:
> On Sun, Jun 08, 2003 at 11:57:04AM -0400, Robert Watson wrote:
> >
> > If the definition of the policy really means "any user who can log in at
> > the console", I'd change the chown/chmod bits to a pointer to fbtab, and
> > use vfs.usermount.
> >
> The problem with fbtab: I want to give mount permission to some console users
> and not to the others.

Sounds like something sudo can solve - /usr/ports/security/sudo.

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 11:02:44 2003
Date: Mon, 9 Jun 2003 11:02:38 -0700 (PDT)
Message-Id: <200306091802.h59I2cNQ053240@freefall.freebsd.org>
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 14:13:25 2003
Date: Mon, 9 Jun 2003 14:08:01 -0700 (PDT)
From: Mike Hoskins
To: security@freebsd.org
In-Reply-To: <20030609171703.GB405@nitro.dk>
Message-ID: <20030609140347.B13040@fubar.adept.org>
Subject: Re: Removable media security in FreeBSD

On Mon, 9 Jun 2003, Simon L. Nielsen wrote:
> Sounds like something sudo can solve - /usr/ports/security/sudo.

That's what I've been doing. It started off on my own machine, where I wanted to use Gkrellm's "click to mount" buttons for floppy/cdrom. I installed sudo, gave myself passwordless permission to mount and umount via sudoers, then configured Gkrellm to issue `sudo mount|umount...`

-mrh

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 15:54:34 2003
Date: Mon, 9 Jun 2003 16:54:27 -0600 (MDT)
From: Brett Glass
Message-Id: <200306092254.QAA10240@lariat.org>
To: mike@adept.org, security@freebsd.org
In-Reply-To: <20030609140347.B13040@fubar.adept.org>
Subject: Re: Removable media security in FreeBSD

Sorry not to have replied to some of the responses in this thread, but things have been extraordinarily busy here.

Alas, none of the approaches that have been mentioned so far are quite what I need (though it might be possible to adapt them to work). Here's why:

/etc/fbtab is fine for text logins, but (as far as I know) isn't consulted by kdm or similar desktop managers.

Allowing the user to use sudo would effectively be giving him/her root privileges, which we explicitly don't want to do.

If the desktop manager can be set up to change ownerships, etc., upon login, it would help. One response mentioned that this could be done for xdm, but I don't know if kdm has the same capability. I also don't know how to obtain the user name and device information from the environment -- and/or someplace else -- if I create a script to do this. (While the device information could be in /etc/fstab -- in entries with the noauto option set -- the script would need to consult a table to know which devices the user should own for the duration of the session. Clearly, there should be a standard place for this information so that administrators can find and edit it.)

In the end, we just want the person who's logged in via an X desktop manager at the console to be able to use the removable media and not have that media spied upon by other users who might not be at the console (which is why I started this thread on -security; there are plenty of insecure ways to do it, but I need to implement a secure way).
I'm thinking of having them mounted at ~/floppy and ~/zip, which we'd create in advance in each user's home directory, or just at /floppy and /zip... comments on the pluses and minuses of these two approaches are welcomed. In either case, the console user should own them and the underlying raw devices for the duration of the login.

A scheme that's compatible with KDE's built-in mounting and unmounting utilities would be a plus. (They were designed for Linux, and the current FreeBSD port of KDE doesn't change the mount and umount command formats to work with BSD.... Perhaps the final scheme could be integrated into the FreeBSD port of KDE and other desktops.) As I recall, Red Hat does something like this, but I'm not sure exactly how.

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 16:40:17 2003
Date: Mon, 9 Jun 2003 16:40:15 -0700 (PDT)
From: Jason Stone
In-Reply-To: <200306092254.QAA10240@lariat.org>
Message-ID: <20030609161342.Q14379-100000@walter>
Subject: Re: Removable media security in FreeBSD

> Allowing the user to use sudo would effectively be giving him/her root
> privileges, which we explicitly don't want to do.

You understand that sudo allows the user to only run a particular command with particular arguments as root, right? You also understand that you're asking, at a fundamental level, to allow the user to perform privileged operations, right?

> If the desktop manager can be set up to change ownerships, etc., upon
> login, it would help.

Yes, this can be done, and by default xdm/gdm/kdm all chown /dev/console to the user logging in. So a super-easy but somewhat inflexible solution would be to just modify the xdm/kdm startup scripts to chown /mnt/floppy to the user, set it 0700 and mount it at login time, and then umount and chown back to root at logout time.

As for allowing the user to mount stuff on demand in the middle of a session, that will be more complicated. If I had to do it, I think I might have a setuid C program that checked to see if the invoking user owned the console and then ran the appropriate mount command. If you have one such program per mountable device, you wouldn't even have to check the commandline or environment. I haven't fully thought this through yet, so there might be some problem with it.
rwatson, of course, points out the real security consideration - regardless of how you deal with the essentially quotidian details of letting users "safely" run a privileged command, allowing users to mount filesystems at will is inherently dangerous, as there's an extent to which the kernel trusts the contents of the filesystem. By specially crafting the contents of the floppy, the user has the ability to directly insert potentially malicious data into certain kernel data-structures. On more than one occasion, I've crashed freebsd 3.x and 4.x boxes by trying to work with corrupted msdos floppy images - clearly, the msdos fs implementation is not (or at least was not - I haven't looked at it recently) very careful, and it's not at all unreasonable to think that someone could exploit this.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 16:52:00 2003
Date: Mon, 9 Jun 2003 19:51:57 -0400
From: Zvezdan Petkovic
To: security@freebsd.org
Message-ID: <20030609235157.GB10414@dali.cs.wm.edu>
References: <20030609140347.B13040@fubar.adept.org> <200306092254.QAA10240@lariat.org>
In-Reply-To: <200306092254.QAA10240@lariat.org>
Subject: Re: Removable media security in FreeBSD

Brett,

I found this in the notes I wrote on configuration of my VAIO laptop to run FreeBSD, OpenBSD, or Linux.

On Mon, Jun 09, 2003 at 04:54:27PM -0600, Brett Glass wrote:
> If the desktop manager can be set up to change ownerships, etc., upon login,
> it would help. One response mentioned that this could be done for xdm, but I
> don't know if kdm has the same capability.

FreeBSD section:

To use kdm instead of xdm put /usr/local/bin/kdm instead of xdm in /etc/ttys (or rc.local if you start X that way). The configuration is in /usr/local/share/config/kdm. I have linked Xaccess, Xservers, and Xwilling to xdm versions of these files. I didn't change other X* files, except adding to Xstartup/Xreset similar to Give/TakeConsole for xdm (see OpenBSD section). Configure kdmrc according to preferences. User pictures for the login screen in PNG format go in /usr/local/share/apps/kdm/pics/users/.

The reference to OpenBSD section is for this piece:

Set the permission for the devices you want to use after login in /etc/X11/xdm/GiveConsole and revert them back to root in /etc/X11/xdm/TakeConsole. For example, to be able to play audio CDs put in GiveConsole:

    chmod o+r /dev/{,r}cd0?

and in TakeConsole the same line with o-r option.

Similar can be done with the device ownership, mount points, and sysctl(8) option kern.usermount if we want to allow users to mount and write the device (e.g. floppy or CD-RW).

The brace syntax is possible above because sh in OpenBSD is a hard link to ksh. For FreeBSD sh you'd need two lines.

What I refer to above is something like this in GiveConsole (Xstartup for kdm):

    chown $USER /dev/console
    chown $USER /dev/fd0*
    chown $USER /dev/fd1*
    chown $USER /dev/hdc

and this in TakeConsole (Xreset for kdm):

    chmod 622 /dev/console
    chown root /dev/console
    chown root /dev/fd0*
    chown root /dev/fd1*
    umount /mnt/floppy >/dev/null 2>&1   # some people forget to umount
    chown root /dev/hdc

You can combine this with the correct chmod to keep them readable for the current console user only.

> As I recall, Red Hat does something like this, but I'm not sure exactly how.

In Red Hat it can be done in the way described above or through /etc/security/console.perms

I hope this helps for a start.

--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 17:56:41 2003
Date: Mon, 9 Jun 2003 21:02:25 -0400
From: Anthony Schneider
To: Brett Glass
cc: security@freebsd.org
Message-ID: <20030610010225.GA42913@x-anthony.com>
In-Reply-To: <200306080728.BAA24342@lariat.org>
Subject: Re: Removable media security in FreeBSD

if devfs supports (or soon will support) filesystem ACLs, that might be the way to go. obviously this won't get around the "trusted media" problem...

-Anthony.

On Sun, Jun 08, 2003 at 01:28:50AM -0600, Brett Glass wrote:
> I'm working with a FreeBSD user -- a teacher -- who's running KDE on a system
> on which she neither has nor wants root privileges. She wants to be able to
> mount and unmount floppies and ZIP cartridges from within KDE, using the
> standard KwikDisk utility (which, by the way, generates mount and unmount
> command that don't conform to FreeBSD syntax; however, it appears possible
> to fix this by customizing the commands).
>
> I don't want to open up the floppy and ZIP drives to all users simultaneously,
> since this would allow anyone to write someone else's removable media. Is
> there a standard, SECURE way of allowing an unprivileged user at the console
> to get at removable media that s/he has inserted in the machine?
>
> --Brett Glass

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 18:32:21 2003
Date: Mon, 9 Jun 2003 21:32:14 -0400
From: Ken Ebling
To: security@freebsd.org
Message-Id: <5D6A2AB8-9AE3-11D7-9B57-000393CAE6EC@deevil.homeunix.org>
Subject: Have I been hacked?

I'm noticing something strange on two of my machines.. They're both 4.7-RELEASE-p3 i386 and they've both been up 150 days without any problems...

/var/log/messages on each system contains only:

    Jun 9 12:00:01 in newsyslog[60291]: logfile turned over

dmesg's output is truncated.. it periodically changes, but currently it reads:

    ite.net host=6532251hfc207.tampabay.rr.com [65.32.251.207]

What's really weird is that yesterday the messages file also only contained the line about the log being turned over, but today I unzipped messages.0 and it had entries for yesterday. I'm going to check messages.0 again after midnight and see if any of today's entries are there.

Hindsight is always 20/20, and now I wish I had tripwire or aide installed. =/

I rebooted one of the machines, and now it seems to be acting normal again..

I'm going to rebuild world on all my systems and install tripwire anyways, but I'm kind of curious as to whether my machines have been rooted or not. I don't know if chkrootkit v0.40 is very accurate or even worthwhile, but it reported no problems. I also checked for standard stuff like suid binaries and accounts with a uid of 0. Nothing looks out of place, aside from the messages file being empty and suddenly filling with data before newsyslog gzips it.

Any thoughts would be greatly appreciated,

Ken Ebling

From owner-freebsd-security@FreeBSD.ORG Mon Jun 9 20:05:08 2003
Date: Tue, 10 Jun 2003 03:04:13 +0000
From: fasty
To: Ken Ebling
cc: freebsd-security@freebsd.org
Message-ID: <20030610030413.GA29145@i-sphere.com>
In-Reply-To: <5D6A2AB8-9AE3-11D7-9B57-000393CAE6EC@deevil.homeunix.org>
Subject: Re: Have I been hacked?

Ohh, you need to update your FreeBSD source and rebuild, because there is patch 10. I noticed your FreeBSD 4.7-RELEASE-p3 compared to mine, FreeBSD 4.7-RELEASE-p10.

-fasty

On Mon, Jun 09, 2003 at 09:32:14PM -0400, Ken Ebling wrote:
> I'm noticing something strange on two of my machines.. They're both
> 4.7-RELEASE-p3 i386 and they've both been up 150 days without any
> problems...
>
> /var/log/messages on each system contains only:
> Jun 9 12:00:01 in newsyslog[60291]: logfile turned over
>
> dmesg's output is truncated.. it periodically changes, but currently
> it reads:
> ite.net host=6532251hfc207.tampabay.rr.com [65.32.251.207]
>
> What's really weird, is yesterday the messages file also only contained
> the line about the log being turned over, but today I unzipped
> messages.0 and it had entries for yesterday. I'm going to check
> messages.0 again after midnight and see if any of today's entries are
> there.
>
> Hindsight is always 20/20, and now I wish I had tripwire or aide
> installed. =/
>
> I rebooted one of the machines, and now it seems to be acting normal
> again..
>
> I going to rebuild world on all my systems and install tripwire
> anyways, but I'm kind of curious as to whether my machines have been
> rooted or not. I don't know if chkrootkit v0.40 is very accurate or
> even worthwhile, but it reported no problems. I also checked for
> standard stuff like suid binaries and accounts with a uid of 0.
> Nothing looks out of place, aside from the messages file being empty
> and suddenly filling with data before newsyslog gzips it.
>
> Any thoughts would be greatly appreciated,
>
> Ken Ebling

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 00:04:38 2003
Message-Id: <4.3.2.7.2.20030610010227.02a68ed0@localhost>
Date: Tue, 10 Jun 2003 01:04:25 -0600
To: Doug Barton
From: Brett Glass
In-Reply-To: <20030609162102.U5564@12-234-22-23.pyvrag.nggov.pbz>
References: <200306092254.QAA10240@lariat.org>
cc: security@freebsd.org
Subject: Re: Removable media security in FreeBSD

At 05:21 PM 6/9/2003, Doug Barton wrote:
>On Mon, 9 Jun 2003, Brett Glass wrote:
>
>> Allowing the user to use sudo would effectively be giving him/her root
>> privileges, which we explicitly don't want to do.
>
>No it wouldn't. You can specify the commands that you allow each user to
>run.

Ah, but letting the user mount and unmount things effectively lets that person do anything he or she wants, by switching around what's mounted at key mountpoints.

--Brett

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 00:17:06 2003
Date: Tue, 10 Jun 2003 09:16:52 +0200
From: Erik Alexander Løkken
To: Brett Glass
cc: security@freebsd.org
Message-ID: <20030610071652.GJ561@mnemonic.no>
References: <200306092254.QAA10240@lariat.org> <4.3.2.7.2.20030610010227.02a68ed0@localhost>
In-Reply-To: <4.3.2.7.2.20030610010227.02a68ed0@localhost>
Subject: Re: Removable media security in FreeBSD

On 10.06 01:04, Brett Glass wrote:
> At 05:21 PM 6/9/2003, Doug Barton wrote:
>
> >On Mon, 9 Jun 2003, Brett Glass wrote:
> >
> >> Allowing the user to use sudo would effectively be giving him/her root
> >> privileges, which we explicitly don't want to do.
> >
> >No it wouldn't. You can specify the commands that you allow each user to
> >run.
>
> Ah, but letting the user mount and unmount things effectively lets that
> person do anything he or she wants, by switching around what's mounted
> at key mountpoints.
>

Or you can limit which mount points the user actually has the privileges to change, in sudoers:

    %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom

/erik

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 00:37:06 2003
Date: Tue, 10 Jun 2003 00:37:04 -0700 (PDT)
From: Jason Stone
In-Reply-To: <4.3.2.7.2.20030610010227.02a68ed0@localhost>
Message-ID: <20030610003528.J14379-100000@walter>
Subject: Re: Removable media security in FreeBSD

> >> Allowing the user to use sudo would effectively be giving him/her root
> >> privileges, which we explicitly don't want to do.
> >
> >No it wouldn't. You can specify the commands that you allow each user to
> >run.
>
> Ah, but letting the user mount and unmount things effectively lets
> that person do anything he or she wants, by switching around what's
> mounted at key mountpoints.

No - in the sudo config you can (actually, _must_) specify not just the command but (all) the arguments.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 02:46:58 2003
Date: Tue, 10 Jun 2003 11:53:48 +0200 (CEST)
From: Vaclav Petricek
To: Ruslan Ermilov
cc: current@freebsd.org
cc: security@freebsd.org
In-Reply-To: <20030608230204.GB88799@sunbay.com>
References: <20030608220507.GA84706@sunbay.com> <20030608230204.GB88799@sunbay.com>
Subject: Re: redirect unauthorized users to a login page (natd as a transparent proxy)

> > > I was hoping proxy_only will do the trick but it does not seem to have
> > > any impact and the source address is changed anyway.
> > >
> > > A quick glance at the source did not help much to my understanding of the
> > > proxy_only option.
> > >
> > Confirmed as a bug. The attached patch worked for me,
> > please test it. You'll have to recompile and reinstall
> > libalias(3), then recompile and reinstall natd(8) with
> > new library.
> >
> I was too fast. This patch doesn't work well. It works
> in a sense that it doesn't modify source IP address of
> the proxied packets, but it doesn't work in a sense that
> reply packets do not undergo de-aliasing. The attached
> patch is verified to work. Please test it instead.

The patch works. Thank you very much.

I attach my attempt at a patch that should make it possible to omit the alias_address and interface options in case proxy_only is specified. IMHO in that situation these options are not used and should not be required by natd..

Thank you for any comments on the diff (especially style). Should I fire a PR?

Best regards,

Vaclav

Content-Disposition: attachment; filename="libalias-proxy_only-noalias.diff"

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 03:38:45 2003
Date: Tue, 10 Jun 2003 03:38:30 -0700
From: David Schultz
To: Robert Watson
cc: security@FreeBSD.ORG
Message-ID: <20030610103830.GC14407@HAL9000.homeunix.com>
References: <20030608080429.GA234@hhos.serious.ld>
Subject: Re: Removable media security in FreeBSD

On Sun, Jun 08, 2003, Robert Watson wrote:
> On the "SECURE" front -- well, it depends a bit on how robust our file
> system support is. Bad UFS file systems can cause the FreeBSD kernel to
> behave improperly, since it's assumed that file systems will be clean or
> explicitly checked before mounting. I've never really experimented much
> with our FAT file system support to see how robust it is; we have a
> 5.2-RELEASE TODO list item to merge some robustness improvements from the
> Darwin implementation back into FreeBSD, which suggests our implementation
> could be improved on :-).

FAT is somewhat less robust than UFS. In particular, its handling of media errors can lead to a tight loop in at least one place and a null pointer dereference in another. Improvements from Darwin would be much appreciated. I would be interested in knowing the licensing issues involved, if any.
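Jason Stone's "setuid C program, one per mountable device" idea earlier in this thread, and Brett Glass's objection that a user who can run mount can switch what is mounted at key mountpoints, as an added example that is not code from anyone on the list: a helper that mounts one compiled-in device on one compiled-in mount point, and only when the real uid of the caller owns /dev/console (which xdm/kdm chown to the console user at login, as noted above). The device path, mount point and filesystem type are placeholders, and make_probe_file() is a hypothetical self-check aid so the ownership test can be exercised without root.

```c
/*
 * Added example, not code from the thread: a minimal setuid-root helper in
 * the spirit of Jason Stone's "one program per mountable device" idea.
 * It mounts ONE compiled-in device on ONE compiled-in mount point, and only
 * when the REAL uid of the caller owns /dev/console (xdm/kdm chown it to the
 * console user at login).  argv and the environment are never consulted, so
 * the user cannot redirect the mount to another mount point or device.
 * Paths and the filesystem type are placeholders; adjust for the machine.
 * Build twice, with and without -DDO_UMOUNT=1, and install both binaries
 * setuid root (e.g. mode 4750, group-owned by the users allowed to run them).
 * Caveat raised in the thread: the kernel still parses whatever is on the
 * media, so this limits privilege, not the risk of a malformed FAT image.
 */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONSOLE_DEV "/dev/console"
#define MEDIA_DEV   "/dev/fd0"        /* placeholder: the floppy device */
#define MOUNT_POINT "/mnt/floppy"     /* placeholder: fixed mount point */
#define FS_TYPE     "msdos"           /* FreeBSD 4.x name; "msdosfs" on 5.x+ */

#ifndef DO_UMOUNT
#define DO_UMOUNT 0                   /* 0 = mount helper, 1 = umount helper */
#endif

/* Return 1 if uid owns the file at path, 0 if not or if it cannot be stat'ed. */
int uid_owns_path(uid_t uid, const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return 0;
    return st.st_uid == uid;
}

/* Return 1 if the REAL uid (the human who ran us, not root) owns the console. */
int caller_owns_console(const char *console_path)
{
    return uid_owns_path(getuid(), console_path);
}

/*
 * The fixed, compiled-in command line for mount (do_mount != 0) or umount.
 * Nothing in it comes from the user.  nosuid/nodev/noexec keep setuid
 * binaries and device nodes on the removable media from being honoured.
 */
char **fixed_argv(int do_mount)
{
    static char *mount_cmd[] = {
        "/sbin/mount", "-t", FS_TYPE, "-o", "nosuid,nodev,noexec",
        MEDIA_DEV, MOUNT_POINT, NULL };
    static char *umount_cmd[] = { "/sbin/umount", MOUNT_POINT, NULL };

    return do_mount ? mount_cmd : umount_cmd;
}

/* Number of entries in a NULL-terminated argv. */
int argv_count(char **argv)
{
    int n = 0;

    while (argv[n] != NULL)
        n++;
    return n;
}

/* Hypothetical self-check aid: create (once) a temp file owned by the caller. */
const char *make_probe_file(void)
{
    static char path[] = "/tmp/console-probe-XXXXXX";   /* constructed name */
    static int created = 0;

    if (!created) {
        int fd = mkstemp(path);
        if (fd < 0)
            return NULL;
        close(fd);
        created = 1;
    }
    return path;
}

int main(void)
{
    char **argv = fixed_argv(!DO_UMOUNT);
    char *const envp[] = { "PATH=/sbin:/bin", NULL };   /* fixed, minimal env */

    if (!caller_owns_console(CONSOLE_DEV)) {
        fprintf(stderr, "you do not own %s; refusing\n", CONSOLE_DEV);
        return 1;
    }
    if (setuid(0) != 0) {             /* make the real uid root too for mount(8) */
        perror("setuid");
        return 1;
    }
    execve(argv[0], argv, envp);
    perror("execve");                 /* only reached if execve failed */
    return 1;
}
```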
From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 04:47:43 2003
Date: Tue, 10 Jun 2003 08:45:25 -0300
From: Fernando Schapachnik
To: Brett Glass
cc: security@freebsd.org
Message-ID: <20030610114525.GA318@bal740r0.mecon.gov.ar>
References: <20030609140347.B13040@fubar.adept.org> <200306092254.QAA10240@lariat.org>
In-Reply-To: <200306092254.QAA10240@lariat.org>
Subject: Re: Removable media security in FreeBSD

This is how I do it:

    mkdir ~user/cdrom
    chmod g+w /dev/acd0c
    sysctl vfs.usermount=1
    pw groupmod operator -m user   # add user to the group that owns /dev/acd0c

/etc/fstab:

    /dev/acd0c /home/user/cdrom ...

On the KDE Desktop, create a CD-ROM entry:

    [Desktop Action Eject]
    Exec=kdeeject %v
    Name=Eject

    [Desktop Entry]
    Actions=Eject
    Dev=/dev/acd0c
    Encoding=UTF-8
    FSType=Default
    Icon=cdrom_mount
    MountPoint=/home/user/cdrom
    ReadOnly=true
    Type=FSDevice
    UnmountIcon=cdrom_unmount

You can do the same for floppies. Also, the KDE entry can be created via the "New" menu, on the Desktop.

Good luck.

Fernando.
From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 07:42:54 2003
Message-ID: <3EE5EE6A.9080705@tenebras.com>
Date: Tue, 10 Jun 2003 07:42:50 -0700
From: Michael Sierchio
To: Brett Glass
cc: Doug Barton
cc: security@freebsd.org
References: <200306092254.QAA10240@lariat.org> <4.3.2.7.2.20030610010227.02a68ed0@localhost>
In-Reply-To: <4.3.2.7.2.20030610010227.02a68ed0@localhost>
Subject: Re: Removable media security in FreeBSD

Brett Glass wrote:
> Ah, but letting the user mount and unmount things effectively lets that
> person do anything he or she wants, by switching around what's mounted
> at key mountpoints.

ACL fs + crypto fs? Stackable filesystem to the rescue? Terry? [Kibo!]

--
"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 07:45:33 2003
Message-ID: <3EE5EF0A.7060703@tenebras.com>
Date: Tue, 10 Jun 2003 07:45:30 -0700
From: Michael Sierchio
To: David Schultz
Cc: Robert Watson, security@FreeBSD.ORG
In-Reply-To: <20030610103830.GC14407@HAL9000.homeunix.com>
Subject: Re: Removable media security in FreeBSD

David Schultz wrote:

> FAT is somewhat less robust than UFS. ...

That is possibly the most subtle funny thing I have read all day. "An orange crate is somewhat less robust than a Humvee" is how I read that.

--
"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 07:52:09 2003
Message-Id: <4.3.2.7.2.20030610085115.02a6e9d0@localhost>
Date: Tue, 10 Jun 2003 08:52:00 -0600
From: Brett Glass
To: David Schultz, Robert Watson
Cc: security@freebsd.org
In-Reply-To: <20030610103830.GC14407@HAL9000.homeunix.com>
Subject: Re: Removable media security in FreeBSD

At 04:38 AM 6/10/2003, David Schultz wrote:

> Improvements from Darwin would be much appreciated. I would be interested
> in knowing the licensing issues involved, if any.

Apple's licensing is viral. But that's a subject for a different forum.

--Brett

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 07:58:18 2003
Message-Id: <4.3.2.7.2.20030610085402.02756390@localhost>
Date: Tue, 10 Jun 2003 08:58:06 -0600
To: Jon DeShirley
From: Brett Glass
Cc: Doug Barton, security@freebsd.org
In-Reply-To: <3EE58562.1070601@uidaho.edu>
Subject: Re: Removable media security in FreeBSD

At 01:14 AM 6/10/2003, Jon DeShirley wrote:

> Example:
>
> %users ALL = NOPASSWD: /sbin/mount /cdrom, /sbin/umount /cdrom
>
> What does this do? It allows users in the group 'users' to run the explicit commands ONLY.

Ah, but the commands will be different for each user, because one needs to change permissions and ownership to a specific user (and, if you mount in the user's home directory, a specific path). What's more, the command must only be allowed to execute if the user is logged in via an X Windows desktop manager at the console, and the effects must be undone when s/he logs out. So, there are a lot of logistics that may make it infeasible to use this approach.
--Brett

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 09:08:03 2003
Date: Tue, 10 Jun 2003 19:10:43 +0300
From: Peter Pentchev
To: Brett Glass
Cc: Doug Barton, security@freebsd.org
Message-ID: <20030610161043.GG485@straylight.oblivion.bg>
In-Reply-To: <4.3.2.7.2.20030610085402.02756390@localhost>
Subject: Re: Removable media security in FreeBSD

On Tue, Jun 10, 2003 at 08:58:06AM -0600, Brett Glass wrote:
> At 01:14 AM 6/10/2003, Jon DeShirley wrote:
>
> >Example:
> >
> >%users ALL = NOPASSWD: /sbin/mount /cdrom, /sbin/umount /cdrom
> >
> >What does this do? It allows users in the group 'users' to run the explicit commands ONLY.
>
> Ah, but the commands will be different for each user, because
> one needs to change permissions and ownership to a specific
> user (and, if you mount in the user's home directory, a
> specific path). What's more, the command must only be
> allowed to execute if the user is logged in via an X Windows
> desktop manager at the console, and the effects must be
> undone when s/he logs out. So, there are a lot of logistics
> that may make it infeasible to use this approach.
So, uhm, make a script to mount/chmod/etc, and another script to unmount/unchmod/etc, and only allow sudo access to those?

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence is false.

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 11:07:57 2003
Date: Tue, 10 Jun 2003 11:07:45 -0700
From: David Schultz
To: Michael Sierchio
Cc: Robert Watson, security@freebsd.org
Message-ID: <20030610180745.GA16845@HAL9000.homeunix.com>
In-Reply-To: <3EE5EF0A.7060703@tenebras.com>
Subject: Re: Removable media security in FreeBSD

On Tue, Jun 10, 2003, Michael Sierchio wrote:
> David Schultz wrote:
>
> >FAT is somewhat less robust than UFS. ...
>
> That is possibly the most subtle funny thing I have read
> all day. "An orange crate is somewhat less robust than
> a Humvee" is how I read that.

:-) In this case, I was referring specifically to bugs in our present implementation, not to the filesystem itself. The overall design certainly deserves stronger words.

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 11:14:37 2003
Date: Tue, 10 Jun 2003 20:16:38 +0200
From: Pawel Jakub Dawidek
To: cerber-list@lists.sourceforge.net
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org, freebsd-hackers@freebsd.org
Message-ID: <20030610181638.GI443@garage.freebsd.pl>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
X-OS: FreeBSD 4.8-RELEASE i386
X-URL: http://garage.freebsd.pl
Subject: CerbNG v1.0-RC2 is now available!

Hello!

We are proud to announce that CerbNG-1.0 Release Candidate 2 is now available.

There are many changes from RC1 (many new functionalities, some bug fixes, new interesting policies, new regression tests and more).

It seems that CerbNG is stable for now, so we hope that the next version is going to be the final 1.0 series release. We count on feedback from the FreeBSD community in finding bugs (if there are any :)), contributing new policies, comments (criticism as well) and any help. We want to thank all people that helped us create a better, more functional and stable CerbNG. As we all know, motivation gives us strength for hard work, and in the open-source world motivation is provided by interest and feedback from the community.

We hope that when 1.0-RELEASE is available, we will be able to present RC1 of CerbNG for FreeBSD 5.x.
CerbNG can be found at:

    http://cerber.sourceforge.net
    http://sourceforge.net/projects/cerber/

Release notes are at:

    http://cerber.sourceforge.net/CerbNG-1.0-RC2-RELNOTES.txt

Always up to date (snapshot from HEAD) policies are available at:

    http://cerber.sourceforge.net/policies/

We would also like to invite you to subscribe to the cerb mailing lists.

Enjoy!!

Pawel Jakub Dawidek, Slawek Zak.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 12:12:45 2003
From: Michael Collette
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org
Date: Tue, 10 Jun 2003 12:11:25 -0700
Message-Id: <200306101211.25418.metrol@metrol.net>
In-Reply-To: <20030610181638.GI443@garage.freebsd.pl>
Subject: Re: CerbNG v1.0-RC2 is now available!

Just curious. Is this meant to be fed back into the main FreeBSD kernel or remain a stand-alone security solution? It sounds interesting enough, though much of this is easily over my wee brain here.

On Tuesday 10 June 2003 11:16 am, Pawel Jakub Dawidek wrote:
> Hello!
>
> We are proud to announce that CerbNG-1.0 Release Candidate 2 is now
> available.
>
> There are many changes from RC1 (many new functionalities, some bug fixes,
> new interesting policies, new regression tests and more).
>
> It seems that CerbNG is stable for now, so we hope that the next version
> is going to be the final 1.0 series release. We count on feedback from the
> FreeBSD community in finding bugs (if there are any :)), contributing
> new policies, comments (criticism as well) and any help. We want to
> thank all people that helped us create a better, more functional and
> stable CerbNG. As we all know, motivation gives us strength for hard work,
> and in the open-source world motivation is provided by interest and
> feedback from the community.
>
> We hope that when 1.0-RELEASE is available, we will be able
> to present RC1 of CerbNG for FreeBSD 5.x.
>
> CerbNG can be found at:
>
> http://cerber.sourceforge.net
> http://sourceforge.net/projects/cerber/
>
> Release notes are at:
>
> http://cerber.sourceforge.net/CerbNG-1.0-RC2-RELNOTES.txt
>
> Always up to date (snapshot from HEAD) policies are available at:
>
> http://cerber.sourceforge.net/policies/
>
> We would also like to invite you to subscribe to the cerb mailing lists.
>
> Enjoy!!
>
> Pawel Jakub Dawidek, Slawek Zak.

--
"Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. Heinlein

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 13:16:02 2003
Date: Tue, 10 Jun 2003 22:17:50 +0200
From: Pawel Jakub Dawidek
To: Michael Collette
Cc: freebsd-security@freebsd.org
Message-ID: <20030610201750.GK443@garage.freebsd.pl>
In-Reply-To: <200306101211.25418.metrol@metrol.net>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
X-OS: FreeBSD 4.8-RELEASE i386
Subject: Re: CerbNG v1.0-RC2 is now available!

On Tue, Jun 10, 2003 at 12:11:25PM -0700, Michael Collette wrote:
> Just curious. Is this meant to be fed back into the main FreeBSD kernel or
> remain a stand-alone security solution?

It will stay stand-alone. After release 1.0 we'll prepare a port with cerb for the FreeBSD ports collection. Much work has been done to close cerb in a kld module without any kernel patches, so we will continue in this direction.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
                                          http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 14:32:14 2003
Message-ID: <3EE58562.1070601@uidaho.edu>
Date: Tue, 10 Jun 2003 00:14:42 -0700
From: Jon DeShirley
To: Brett Glass
Cc: Doug Barton, security@freebsd.org
In-Reply-To: <4.3.2.7.2.20030610010227.02a68ed0@localhost>
Subject: Re: Removable media security in FreeBSD

On Tue, 9 Jun 2003 Brett Glass wrote:
> At 05:21 PM 6/9/2003, Doug Barton wrote:
>
>>On Mon, 9 Jun 2003, Brett Glass wrote:
>>
>>>Allowing the user to use sudo would effectively be giving him/her root
>>>privileges, which we explicitly don't want to do.
>>
>>No it wouldn't. You can specify the commands that you allow each user to
>>run.
>
> Ah, but letting the user mount and unmount things effectively lets that
> person do anything he or she wants, by switching around what's mounted
> at key mountpoints.

Example:

    %users ALL = NOPASSWD: /sbin/mount /cdrom, /sbin/umount /cdrom

What does this do? It allows users in the group 'users' to run the explicit commands ONLY. Now, unless you give them sudo access to vi /etc/fstab or something, there's no way '/sbin/mount /cdrom' is going to change behavior.
btw, I would suggest reading the sudoers manual:

    http://www.courtesan.com/sudo/man/sudoers.html

Cheers,
--jon

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 15:28:48 2003
Date: Tue, 10 Jun 2003 18:28:44 -0400 (EDT)
From: Adrian Filipi-Martin
To: zk
Cc: security@freebsd.org
Message-ID: <20030609191725.E77012@lorax.ubergeeks.com>
In-Reply-To: <20030608080429.GA234@hhos.serious.ld>
Subject: Re: Removable media security in FreeBSD

On Sun, 8 Jun 2003, zk wrote:
> On Sun, Jun 08, 2003 at 01:28:50AM -0600, Brett Glass wrote:
> > since this would allow anyone to write someone else's removable media. Is
> > there a standard, SECURE way of allowing an unprivileged user at the console
> > to get at removable media that s/he has inserted in the machine?
> >
> Create group floppy, chown 0:floppy /dev/floppy*, chmod g+rw /dev/fd0*
> and add user to group floppy.
> And vfs.usermount=1
>
> zk

I'd also recommend this approach, but with one caveat. The users will likely have trouble with newly formatted media. newfs always creates a filesystem with root:wheel as the owner. I submitted a patch (bin/34146) to make the default ownership match the user running the command if it was not being run as root. You might want to check it out.

We've been running unix application developer desktops happily this way for a couple of years now. We've been using the Give/TakeConsole scripts under wdm. I used to use the sudo based approaches in the past under HP-UX, but usermounts under *BSD are just simply cleaner and more flexible.
cheers,

Adrian
--
[ adrian@ubergeeks.com ]

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 16:07:58 2003
Date: Tue, 10 Jun 2003 16:07:44 -0700
From: "Crist J. Clark"
To: Lupe Christoph
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <20030610230744.GD44069@blossom.cjclark.org>
In-Reply-To: <20030607111540.GC4812@lupe-christoph.de>
X-URL: http://people.freebsd.org/~cjc/
Subject: Re: Impossible to IPfilter this?

On Sat, Jun 07, 2003 at 01:15:40PM +0200, Lupe Christoph wrote:
> Hi!
>
> I'm trying to increase security on my FreeBSD 4.8 firewall/DSL router/VPN
> router.
>
> My problem is with firewalling the VPN part. I'm using a tunnel to a
> RedHat 7.1 box running FreeS/WAN. This tunnel allows traffic from my
> internal net (172.17.0.0/24) to that box only:
>
> spdadd 172.17.0.0/24 $REDHAT/32 any -P out ipsec esp/tunnel/$MYADDR-$REDHAT/unique;
> spdadd $REDHAT/32 172.17.0.0/24 any -P in ipsec esp/tunnel/$REDHAT-$MYADDR/unique;
>
> What I want to do is prohibit traffic from $REDHAT to 172.17.0.7, the
> internal address of this FreeBSD box. I'm using IPFilter, so I inserted
> a rule like this:
>
> block in log quick from any to 172.17.0.7
>
> It is not attached to any interface, so it should supposedly work even
> for tunnelled traffic. Only it doesn't.

Not sure who told you that, but it won't affect tunneled traffic. Not specifying an interface just means that it will be applied to all interfaces.

[snip]

> Any hints how to resolve this are welcome. I don't think this is a
> general IPFilter problem, hence I'm asking on this mailing list rather
> than that for IPFilter.
>
> Thank you,
> Lupe Christoph
>
> PS: There was talk about the sequence IPFW/IPNat/IPFilter get invoked.
> It would be interesting to put the IPSec code in this picture. Are
> IPSec packets going through *any* of them? With/out GIF?

Here's what happens (approximately): the packets get fed to the ip_input() routine. They pass through IPFilter, then IPFW. Later they find themselves in IPsec processing, where the packets are taken out of the tunnel. At this point, the packets are fed back into ip_input(), BUT the reinjected packets skip all firewall processing on this pass. With the IPSEC_FILTERGIF option set, the packets _will_ go through the firewall, IPFilter then IPFW, after IPsec processing.

However, there may be an ugly hack to try here. I think I might try it on one of my experimental setups at home. It may be possible to set up some additional IPsec policies to block the traffic you want to stop.

--
Crist J. Clark                     |     cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 16:09:46 2003
Date: Wed, 11 Jun 2003 02:11:34 +0400
From: Mitch
To: freebsd-security@freebsd.org
Message-ID: <75112397993.20030611021134@aka-root.com>
Subject: user can't be a member of more than 15 groups

Hello All!

Why can't a FreeBSD user be a member of more than 15 groups? My system is FreeBSD 4.8-RC.

I need scripts running as user "master" to make some changes to files that are owned by other users. Surely I can set the UID of master to "0", but this increases the vulnerability of the system.

In /etc/group I add

    user1:*:1001:master
    ...
    user15:*:1015:master

--- all works OK; user master is a member of all user1-user15 groups (this user "master" with UID != 0, for server policy reasons, must have additional rights to access files that belong to user1 - userXX, if 775/664 rights are set on the files).

But if I add

    user16:*:1016:master

user "master" is not a member of the user16 group until I remove it from any other group == it cannot write to files that are owned by user16:user16 with rights 664/775.

I searched in LINT but could not find anything about increasing the GROUP LIMIT :(

Best regards,
Mitch                          mailto:security@aka-root.com

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 16:58:41 2003
Date: Tue, 10 Jun 2003 16:58:41 -0700
From: Bill Fumerola
To: Mitch
cc: freebsd-security@freebsd.org
Message-ID: <20030610235841.GA90913@elvis.mu.org>
In-Reply-To: <75112397993.20030611021134@aka-root.com>
Subject: Re: user can't member more than 15 group

On Wed, Jun 11, 2003 at 02:11:34AM +0400, Mitch wrote:

> Why can't a FreeBSD user be a member of more than 15 groups?

in src/sys/sys/syslimits.h there is a constant named 'NGROUPS_MAX'.
change it to however many you need (within reason), rebuild/install
world and kernel.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 17:25:47 2003
Date: Tue, 10 Jun 2003 20:25:32 -0400 (EDT)
In-Reply-To: <75112397993.20030611021134@aka-root.com>
cc: freebsd-security@freebsd.org
Subject: Re: user can't member more than 15 group

On Wed, 11 Jun 2003 security@aka-root.com wrote:

> Hello All!
>
> Why can't a FreeBSD user be a member of more than 15 groups?
> My system is FreeBSD 4.8-RC.
>
> I need scripts running as user "master" to make some changes to files
> that are owned by other users. Surely I can set the UID of master to
> "0", but this increases the vulnerability of the system.
>
> In /etc/group I add
>
> user1:*:1001:master
> ...
> user15:*:1015:master
>
> --- all works OK, user master is a member of all the user1-user15 groups
> (this user "master" with ID != 0 must, for server policy reasons, have
> additional rights to access files that belong to user1 - userXX, if
> 775/664 rights are set on the files).
>
> But if I add
> user16:*:1016:master
> user "master" is not a member of the user16 group until I remove it from
> any other group == it cannot write to files that are owned by
> user16:user16 with rights 664/775.
>
> I searched in LINT but could not find anything about increasing the
> GROUP LIMIT :(
>
> Best regards,
> Mitch mailto:security@aka-root.com

gDSG Israel is Zionist?
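Bill Fumerola's answer above points at NGROUPS_MAX in src/sys/sys/syslimits.h. Before raising that constant and rebuilding world and kernel, it helps to see which memberships in /etc/group actually fit into a credential at login. The following is an added example for this thread, not code from the thread or from FreeBSD. It assumes FreeBSD's convention that the credential holds NGROUPS_MAX gids with the effective gid in slot 0, so NGROUPS_MAX - 1 supplementary groups fit (which is why Mitch hits the wall at 15, not 16) and that the first ones in /etc/group order are the ones kept; the group-file text is constructed sample input, and the limit of 16 is the FreeBSD 4.x default.

```python
"""Check a user's /etc/group memberships against the kernel's
supplementary-group limit.  Added example for this thread; not code from
it or from FreeBSD.  Assumption (FreeBSD convention): the credential holds
NGROUPS_MAX gids with the effective gid in slot 0, so NGROUPS_MAX - 1
supplementary groups fit, kept in /etc/group order.  The group text is a
constructed sample."""
import os


def memberships(group_text, user):
    """Group names whose member list (4th field of /etc/group) names user,
    in file order.  The user's primary group from /etc/passwd is not part
    of this list; it occupies slot 0 of the credential."""
    found = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and user in fields[3].split(","):
            found.append(fields[0])
    return found


def login_groups(group_text, user, ngroups_max):
    """Split the memberships into those that fit into the credential at
    login and those silently dropped: (kept, dropped)."""
    groups = memberships(group_text, user)
    usable = ngroups_max - 1        # one slot is taken by the effective gid
    return groups[:usable], groups[usable:]


def kernel_ngroups_max():
    """The limit the running kernel enforces (NGROUPS_MAX on FreeBSD)."""
    return os.sysconf("SC_NGROUPS_MAX")


# Constructed /etc/group: "master" is listed in staff plus user1..user16.
SAMPLE_GROUP = "wheel:*:0:root\nstaff:*:20:root,alice,master\n" + "".join(
    f"user{i}:*:{1000 + i}:master\n" for i in range(1, 17))

if __name__ == "__main__":
    limit = 16   # FreeBSD 4.x default; use kernel_ngroups_max() on the real box
    kept, dropped = login_groups(SAMPLE_GROUP, "master", limit)
    print(f"NGROUPS_MAX={limit}: {len(kept)} groups kept, dropped: {dropped}")
```

With the sample, 17 memberships are listed but only 15 survive login; user15 and user16 are the ones that go missing, which is exactly the symptom described. Raising NGROUPS_MAX is a kernel-wide change, so the check is worth running before deciding between that and restructuring group ownership.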
From owner-freebsd-security@FreeBSD.ORG Tue Jun 10 22:27:31 2003
Date: Wed, 11 Jun 2003 07:27:05 +0200
To: "Crist J. Clark"
Message-ID: <20030611052705.GC26930@lupe-christoph.de>
References: <20030607111540.GC4812@lupe-christoph.de> <20030610230744.GD44069@blossom.cjclark.org>
In-Reply-To: <20030610230744.GD44069@blossom.cjclark.org>
From: lupe@lupe-christoph.de (Lupe Christoph)
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Impossible to IPfilter this?

On Tuesday, 2003-06-10 at 16:07:44 -0700, Crist J. Clark wrote:
> On Sat, Jun 07, 2003 at 01:15:40PM +0200, Lupe Christoph wrote:

> > block in log quick from any to 172.17.0.7

> > It is not attached to any interface, so it should supposedly work even
> > for tunnelled traffic. Only it doesn't.

> Not sure who told you that, but it won't affect tunneled traffic. Not
> specifying an interface just means that it will be applied to all
> interfaces.

Sigh. I noticed. It was just a try, nobody told me.

> > PS: There was talk about the sequence in which IPFW/IPNat/IPFilter get invoked.
> > It would be interesting to put the IPSec code in this picture. Are
> > IPSec packets going through *any* of them? With/out GIF?

> Here's what happens (approximately): the packets get fed to the
> ip_input() routine. They pass through IPFilter, then IPFW. Later they
> find themselves in IPsec processing, where the packets are taken out of
> the tunnel. At this point, the packets are fed back into ip_input(),
> BUT the reinjected packets skip all firewall processing on this
> pass. With the IPSEC_FILTERGIF option set, the packets _will_ go
> through the firewall, IPFilter then IPFW, after IPsec processing.

... even if they are not passing through a GIF interface? My LINT says

# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).

And I could not get GIF to work with FreeS/WAN.

> However, there may be an ugly hack to try here. I think I might try it
> on one of my experimental setups at home.
> It may be possible to set up
> some additional IPsec policies to block the traffic you want to stop.

That could be very interesting. Thank you!

Lupe Christoph
-- 
| lupe@lupe-christoph.de       |   http://www.lupe-christoph.de/  |
| "Violence is the resort of the violent"                  Lu Tze |
|                        "Thief of Time", Terry Pratchett         |

From owner-freebsd-security@FreeBSD.ORG Wed Jun 11 03:05:05 2003
Message-ID: <2F03DF3DDE57D411AFF4009027B8C36704129AE8@exchange-uk.isltd.insignia.com>
From: Subscriber
To: freebsd-security@freebsd.org
Date: Wed, 11 Jun 2003 11:05:00 +0100
Subject: IPFW: combining "divert natd" with "keep-state"

I've been using ipfw for a while to create a router with NAT and packet
filtering, but have never combined it with stateful filtering, instead
using things like "established" to accept incoming TCP packets which are
part of a conversation initiated from the "inside".

I'd like to move to using keep-state/check-state to get tighter filtering
and also to allow outgoing UDP and the replies, which currently I block.

But I just can't get my head around how to do this. On the way out,
should the dynamic rules be created to match the pre-NAT or post-NAT
packets?

The man pages are good at explaining both NAT and dynamic rules but not
both in combination.
Jim Hatfield

From owner-freebsd-security@FreeBSD.ORG Wed Jun 11 04:20:41 2003
Date: Wed, 11 Jun 2003 14:20:20 +0300
From: Ruslan Ermilov
To: Subscriber
cc: freebsd-security@freebsd.org
Message-ID: <20030611112020.GA66629@sunbay.com>
References: <2F03DF3DDE57D411AFF4009027B8C36704129AE8@exchange-uk.isltd.insignia.com>
In-Reply-To: <2F03DF3DDE57D411AFF4009027B8C36704129AE8@exchange-uk.isltd.insignia.com>
Subject: Re: IPFW: combining "divert natd" with "keep-state"

On Wed, Jun 11, 2003 at 11:05:00AM +0100, Subscriber wrote:
> I've been using ipfw for a while to create a router with NAT
> and packet filtering, but have never combined it with
> stateful filtering, instead using things like "established" to
> accept incoming TCP packets which are part of a conversation
> initiated from the "inside".
>
> I'd like to move to using keep-state/check-state to get tighter
> filtering and also to allow outgoing UDP and the replies, which
> currently I block.
>
> But I just can't get my head around how to do this. On the way
> out, should the dynamic rules be created to match the pre-NAT
> or post-NAT packets?
>
> The man pages are good at explaining both NAT and dynamic
> rules but not both in combination.
>

Jim,

Attached is the conversation I had with Luigi Rizzo exactly three years
ago on this topic. Maybe it is still helpful.
Cheers,
-- 
Ruslan Ermilov        Sysadmin and DBA,
ru@sunbay.com         Sunbay Software Ltd,
ru@FreeBSD.org        FreeBSD committer

-------- Attached message (message/rfc822) --------
Date: Thu, 8 Jun 2000 23:20:52 +0300
From: Ruslan Ermilov
To: Luigi Rizzo
Subject: [IPFW] keep-state/check-state with divert
Message-ID: <20000608232052.A7856@sunbay.com>

Hi!

I have found an "endless-loop problem" with ipfw when using both
`divert' and `keep-state'/`check-state' rules.

I was thinking that combining these two features together would allow
me to fix PR conf/13769. The idea of this problem report is that people
usually block Intranet traffic on their external interface, and as well
use it for NAT purposes. The problem is that when incoming packets are
dealiased they appear as "coming IN with Intranet dst_ip through public
interface".

Here is what I was thinking about (rl0 - external interface):

: ipfw -f flush
:
: ipfw add 100 divert natd ip from any to any out via rl0 keep-state
: ipfw add 200 divert natd ip from any to any in via rl0
: ipfw add 300 check-state
: ipfw add 400 deny log ip from any to any in via rl0
:
: ipfw add 500 allow ip from any to any

But unfortunately this does not work, and this creates an infinite
loop for rule 100, i.e.
outgoing packet is first aliased (rule 100), then passed to rule 200,
then 300, which triggers (the dynamic) rule 100:

Script started on Thu Jun 8 21:47:35 2000
perl# ipfw show; sleep 0.5; ipfw sh; sleep 0.5; ipfw show
00100 382707 26024076 divert 8668 ip from any to any keep-state out xmit rl0
00200      0        0 divert 8668 ip from any to any in recv rl0
00300      0        0 check-state
00400      0        0 deny log ip from any to any in recv rl0
00500      0        0 allow ip from any to any
65535      0        0 deny ip from any to any
## Dynamic rules:
00100 382706 26024008 (T 30, # 113) ty 0 udp, local.ip 1654 <-> remote.ip 53

00100 387636 26359248 divert 8668 ip from any to any keep-state out xmit rl0
00200      0        0 divert 8668 ip from any to any in recv rl0
00300      0        0 check-state
00400      0        0 deny log ip from any to any in recv rl0
00500      0        0 allow ip from any to any
65535      0        0 deny ip from any to any
## Dynamic rules:
00100 387635 26359180 (T 30, # 113) ty 0 udp, local.ip 1654 <-> remote.ip 53

00100 392412 26684016 divert 8668 ip from any to any keep-state out xmit rl0
00200      0        0 divert 8668 ip from any to any in recv rl0
00300      0        0 check-state
00400      0        0 deny log ip from any to any in recv rl0
00500      0        0 allow ip from any to any
65535      0        0 deny ip from any to any
## Dynamic rules:
00100 392411 26683948 (T 30, # 113) ty 0 udp, local.ip 1654 <-> remote.ip 53
perl# exit

Script done on Thu Jun 8 21:47:55 2000

It is my understanding, that when a dynamic rule is created, it just copies
protocol, src and dst ip/ports, and action from the original rule, right?
Would it be possible if for `divert' rule the action for dynamic rule will
be `allow'? Also, I don't like the idea that if the `keep-state' option
is present in the rule, then this rule becomes like a simple `check-state'.
What was the intent for this? Any thoughts?
Thanks,
-- 
Ruslan Ermilov        Oracle Developer/DBA,
ru@sunbay.com         Sunbay Software AG,
ru@FreeBSD.org        FreeBSD committer,
+380.652.512.251      Simferopol, Ukraine

http://www.FreeBSD.org   The Power To Serve
http://www.oracle.com    Enabling The Information Age

-------- Attached message (message/rfc822) --------
From: Luigi Rizzo
To: Ruslan Ermilov
Cc: Luigi Rizzo
Date: Fri, 9 Jun 2000 07:25:34 +0200 (CEST)
Message-Id: <200006090525.HAA07626@info.iet.unipi.it>
In-Reply-To: <20000608232052.A7856@sunbay.com> from Ruslan Ermilov at "Jun 8, 2000 11:20:52 pm"
Subject: Re: [IPFW] keep-state/check-state with divert

> Hi!
>
> I have found an "endless-loop problem" with ipfw when using both
> `divert' and `keep-state'/`check-state' rules.

What version is this, 3.4 or above?

But mainly, writing a ruleset which involves divert is tricky because
packets are reinjected into the firewall, so you have to consider the
possible paths when laying out your rules. What I generally do is a
'skipto' for packets that might need to be diverted so they do not
interfere with the main path.

To summarise, I think the problem is partly with the ruleset, not just
in the ipfw implementation. What I probably agree with is that a
check-state should not match dynamic rules with a lower rule-number
(basically the idea of check-state was to have it near the very
beginning of a ruleset, before all keep-state rules, and after the
check for clearly unacceptable packets).

cheers
luigi

> interface, and as well use it for NAT purposes. The problem is
> that when incoming packets are dealiased they appear as "coming
> IN with Intranet dst_ip through public interface".
>
> Here is what I was thinking about (rl0 - external interface):
>
> : ipfw -f flush
> :
> : ipfw add 100 divert natd ip from any to any out via rl0 keep-state
> : ipfw add 200 divert natd ip from any to any in via rl0
> : ipfw add 300 check-state
> : ipfw add 400 deny log ip from any to any in via rl0
> :
> : ipfw add 500 allow ip from any to any
>
> But unfortunately this does not work, and this creates an infinite
> loop for rule 100, i.e.
> outgoing packet is first aliased (rule 100),
> then passed to rule 200, then 300, which triggers (the dynamic) rule
> 100:
>
> Script started on Thu Jun 8 21:47:35 2000
> perl# ipfw show; sleep 0.5; ipfw sh; sleep 0.5; ipfw show
> 00100 382707 26024076 divert 8668 ip from any to any keep-state out xmit rl0
> 00200      0        0 divert 8668 ip from any to any in recv rl0
> 00300      0        0 check-state
> 00400      0        0 deny log ip from any to any in recv rl0
> 00500      0        0 allow ip from any to any
> 65535      0        0 deny ip from any to any
> ## Dynamic rules:
> 00100 382706 26024008 (T 30, # 113) ty 0 udp, local.ip 1654 <-> remote.ip 53
>
> 00100 387636 26359248 divert 8668 ip from any to any keep-state out xmit rl0
> 00200      0        0 divert 8668 ip from any to any in recv rl0
> 00300      0        0 check-state
> 00400      0        0 deny log ip from any to any in recv rl0
> 00500      0        0 allow ip from any to any
> 65535      0        0 deny ip from any to any
> ## Dynamic rules:
> 00100 387635 26359180 (T 30, # 113) ty 0 udp, local.ip 1654 <-> remote.ip 53
>
> 00100 392412 26684016 divert 8668 ip from any to any keep-state out xmit rl0
> 00200      0        0 divert 8668 ip from any to any in recv rl0
> 00300      0        0 check-state
> 00400      0        0 deny log ip from any to any in recv rl0
> 00500      0        0 allow ip from any to any
> 65535      0        0 deny ip from any to any
> ## Dynamic rules:
> 00100 392411 26683948 (T 30, # 113) ty 0 udp, local.ip 1654 <-> remote.ip 53
> perl# exit
>
> Script done on Thu Jun 8 21:47:55 2000
>
> It is my understanding, that when a dynamic rule is created, it just copies
> protocol, src and dst ip/ports, and action from the original rule, right?
> Would it be possible if for `divert' rule the action for dynamic rule will
> be `allow'? Also, I don't like the idea that if the `keep-state' option
> is present in the rule, then this rule becomes like a simple `check-state'.
> What was the intent for this? Any thoughts?
>
> Thanks,
> -- 
> Ruslan Ermilov        Oracle Developer/DBA,
> ru@sunbay.com         Sunbay Software AG,
> ru@FreeBSD.org        FreeBSD committer,
> +380.652.512.251      Simferopol, Ukraine
>
> http://www.FreeBSD.org   The Power To Serve
> http://www.oracle.com    Enabling The Information Age

-------- Attached message (message/rfc822) --------
Date: Wed, 14 Jun 2000 10:19:53 +0300
From: Ruslan Ermilov
To: Luigi Rizzo
Subject: Re: [IPFW] keep-state/check-state with divert
Message-ID: <20000614101953.A75209@sunbay.com>
References: <20000608232052.A7856@sunbay.com> <200006090525.HAA07626@info.iet.unipi.it>
In-Reply-To: <200006090525.HAA07626@info.iet.unipi.it>; from luigi@info.iet.unipi.it on Fri, Jun 09, 2000 at 07:25:34AM +0200

On Fri, Jun 09, 2000 at 07:25:34AM +0200, Luigi Rizzo wrote:
> > Hi!
> >
> > I have found an "endless-loop problem" with ipfw when using both
> > `divert' and `keep-state'/`check-state' rules.
>
> What version is this, 3.4 or above?
> But mainly, writing a ruleset which involves divert is tricky
> because packets are reinjected into the firewall, so you have to
> consider the possible paths when laying out your rules. What
> I generally do is a 'skipto' for packets that might need to be
> diverted so they do not interfere with the main path.
>
> To summarise, I think the problem is partly with the ruleset,
> not just in the ipfw implementation. What I probably agree with is
> that a check-state should not match dynamic rules with
> a lower rule-number (basically the idea of check-state was
> to have it near the very beginning of a ruleset, before all
> keep-state rules, and after the check for clearly unacceptable
> packets).
>
Yeah, it was really tricky:

: ipfw -f flush
: ipfw add 100 divert natd ip from any to any via rl0 in
: ipfw add 200 check-state
: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0
: ipfw add 400 skipto 500 ip from any to any out via rl0 keep-state
: ipfw add 500 divert natd ip from any to any out via rl0
: ipfw add 600 deny ip from 192.168.0.0/16 to any out via rl0
: ipfw add 600 deny ip from any to 192.168.0.0/16 out via rl0
: ipfw add 65000 allow ip from any to any

Cheers,
-- 
Ruslan Ermilov        Oracle Developer/DBA,
ru@sunbay.com         Sunbay Software AG,
ru@FreeBSD.org        FreeBSD committer,
+380.652.512.251      Simferopol, Ukraine

http://www.FreeBSD.org   The Power To Serve
http://www.oracle.com    Enabling The Information Age

From owner-freebsd-security@FreeBSD.ORG Wed Jun 11 05:21:11 2003
Message-ID: <3EE71EB3.5D675541@dolaninformation.com>
Date: Wed, 11 Jun 2003 07:21:07 -0500
From: Greg Panula
Organization: Dolan Information Center Inc
To: Subscriber
cc: freebsd-security@freebsd.org
Reply-To: greg.panula@dolaninformation.com
References: <2F03DF3DDE57D411AFF4009027B8C36704129AE8@exchange-uk.isltd.insignia.com>
Subject: Re: IPFW: combining "divert natd" with "keep-state"

Subscriber wrote:
>
> I've been using ipfw for a while to create a router with NAT
> and packet filtering, but have never combined it with
> stateful filtering, instead using things like "established" to
> accept incoming TCP packets which are part of a conversation
> initiated from the "inside".
>
> I'd like to move to using keep-state/check-state to get tighter
> filtering and also to allow outgoing UDP and the replies, which
> currently I block.
>
> But I just can't get my head around how to do this. On the way
> out, should the dynamic rules be created to match the pre-NAT
> or post-NAT packets?
>
> The man pages are good at explaining both NAT and dynamic
> rules but not both in combination.
>

## Example ##
fxp0 = external nic
xl0 = internal nic
internal network = 10.10.10.0/24
internal traffic NAT'd to 1.2.3.4

## handle nat traffic
100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
200 divert 8668 ip from any to 1.2.3.4 in via fxp0

300 check-state

## dynamic rules for internal clients access to everything
## needed so un-nat'd return traffic can flow out the
## internal nic to the internal clients
400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
500 allow udp from 10.10.10.0/24 to any keep-state via xl0

## dynamic rules allow natd alias address access to
## external resources
600 allow tcp from 1.2.3.4 to any keep-state out via fxp0
700 allow udp from 1.2.3.4 to any keep-state out via fxp0

You should also run natd with the "-deny_incoming" flag as an extra
defense against bogus packets.

good luck,
greg

From owner-freebsd-security@FreeBSD.ORG Wed Jun 11 11:19:09 2003
Date: Wed, 11 Jun 2003 20:21:19 +0200
From: Pawel Jakub Dawidek
To: cerber-list@lists.sourceforge.net
cc: freebsd-security@freebsd.org
cc: freebsd-stable@freebsd.org
cc: freebsd-hackers@freebsd.org
Message-ID: <20030611182119.GR443@garage.freebsd.pl>
References: <20030610181638.GI443@garage.freebsd.pl>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
X-OS: FreeBSD 4.8-RELEASE i386
X-URL: http://garage.freebsd.pl
Subject: Re: [Cerb-list] CerbNG v1.0-RC2 is now avaliable!

On Wed, Jun 11, 2003 at 07:20:26PM +0200, clemens fischer wrote:
+> > We proudly announce that CerbNG-1.0 Release Candidate 2 is now
+> > available.
+>
+> congratulations! may i suggest to always include the CVS tag of any
+> release announced here? i just tried to make(1) the CVS HEAD on my
+> freebsd-4.8, but this failed the compilation.

Could you please send the compilation output to the cerb mailing list?

Maybe it's just because cerb releases don't need bison and the source
from the CVS head branch does.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Thu Jun 12 05:00:22 2003
Message-ID: <2F03DF3DDE57D411AFF4009027B8C36704129AE9@exchange-uk.isltd.insignia.com>
From: Subscriber
To: "'freebsd-security@freebsd.org'"
Date: Thu, 12 Jun 2003 13:00:18 +0100
Subject: RE: IPFW: combining "divert natd" with "keep-state"

> -----Original Message-----
> From: Greg Panula [mailto:greg.panula@dolaninformation.com]
> Sent: 11 June 2003 13:21
> To: Subscriber
> Cc: freebsd-security@freebsd.org
> Subject: Re: IPFW: combining "divert natd" with "keep-state"
>
> ## Example ##
> fxp0 = external nic
> xl0 = internal nic
> internal network = 10.10.10.0/24
> internal traffic NAT'd to 1.2.3.4
>
> ## handle nat traffic
> 100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
> 200 divert 8668 ip from any to 1.2.3.4 in via fxp0
>
> 300 check-state
>
> ## dynamic rules for internal clients access to everything
> ## needed so un-nat'd return traffic can flow out the
> ## internal nic to the internal clients
> 400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
> 500 allow udp from 10.10.10.0/24 to any keep-state via xl0

Thanks, for some reason I was fixated on putting all the rules on the
external interface and having pass all from any to any via xl0 as the
first rule in the list. I'll give this a go.

Jim

From owner-freebsd-security@FreeBSD.ORG Thu Jun 12 05:20:01 2003
Jun 2003 13:21:38 +0200 (CEST) (envelope-from sittig) Date: Thu, 12 Jun 2003 13:21:38 +0200 
From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Message-ID: <20030612132138.A26888@shell.gsinet.sittig.org> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <20030607111540.GC4812@lupe-christoph.de> <20030610230744.GD44069@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20030610230744.GD44069@blossom.cjclark.org>; from crist.clark@attbi.com on Tue, Jun 10, 2003 at 04:07:44PM -0700 Organization: System Defenestrators Inc. Subject: Re: Impossible to IPfilter this? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jun 2003 12:20:01 -0000 On Tue, Jun 10, 2003 at 16:07 -0700, Crist J. Clark wrote: > > Here's what happens (approximately), the packets get fed to the > ip_input() routine. They pass through IPFilter then IPFW. Later they > find themselves in IPsec processing where the packets are taken out of > the tunnel. At this point, the packets are fed back into ip_input(), > BUT the reinjected packets skip all firewall processing on this > pass. With the IPSEC_FILTERGIF option set, the packets _will_ go > through the firewall, IPFilter then IPFW, after IPsec processing. In this scenario (would I be in the situation to have to filter this traffic:) I would wish for some flag or "handle" to recognize the different times the packet runs through the filter. There is quite a hugh difference between "letting ESP/AH in at fxp0 and accept IPv4 -- maybe RFC1918 adresses -- from this tunnel (but not otherwise)" and "letting ESP/AH as well as IPv4 in at fxp0". Not wanting or having to extend the established filter syntax or the programming interface already laid out almost naturely makes the "interface" property of a packet one such handle. OpenBSD has enc(4) for this IIUC. 
FreeBSD doesn't have something similar. Granted this only came up when the IPSEC_FILTERGIF option was introduced. But it could be useful to either say "post IPsec decapsulation (no matter which tunnel was used)" by passing an "enc" interface together with the packet. Or by specifying something like "interface fpx0-ipsec" (in the generic or dynamically negotiated SA case) or "interface fpx0-$SA" (when configured manually by means of ipsec.conf or so). But sketching these approaches I see how more and more questions bubble up ... :) virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. From owner-freebsd-security@FreeBSD.ORG Thu Jun 12 05:50:47 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1363D37B401 for ; Thu, 12 Jun 2003 05:50:47 -0700 (PDT) Received: from minimail.digi.com (minimail.digi.com [204.221.110.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C61743FB1 for ; Thu, 12 Jun 2003 05:50:46 -0700 (PDT) (envelope-from Kelly_Flanagan@digi.com) X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Thu, 12 Jun 2003 07:50:45 -0500 Message-ID: <71A17D6448EC0140B44BCEB8CD0DA36E197923@minimail.digi.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Serial Ports and syslogd Thread-Index: AcMw4bdZV3++K75hQNmEcqmdXc3JRg== 
From: "Kelly Flanagan"
To: freebsd-security@freebsd.org
Subject: Serial Ports and syslogd

Hello,

It's a bit off topic, but I'm hoping someone has seen this before. I'm running a couple of headless boxes; one is 4.7 release, the other is 4.8 release. Both have the same issue with newsyslog when I've got the serial port enabled for console management (-h in boot.conf and a getty running on cuaa0 after the boot process).

Logrotate tries to send a HUP to syslogd, but it's not working properly. I get rotated logs, but they stay empty. If I "nuke" syslogd and try to restart it, it eventually dies with "waiting for child" messages and my sendmail hangs. Syslogd comes back alive after reboot. I'm just logging locally with -s -s for flags to syslogd.

So, I find a few discussions saying fsync() may be the reason, and try swapping syslogd with this line removed in syslogd.c (without being very good at C) and knowing full well I'll lose the most important, last few lines of logs when my machine dies. Still no help.

/*flags = ISKERNEL | SYNC_FILE | ADDDATE;*/

Anybody using serial without any logging problems? Or is there a better way to kill syslogd and restart it?
From owner-freebsd-security@FreeBSD.ORG Thu Jun 12 09:48:02 2003
From: "Kelly Flanagan"
To: freebsd-security@freebsd.org
Date: Thu, 12 Jun 2003 11:48:00 -0500
Message-ID: <71A17D6448EC0140B44BCEB8CD0DA36E01DEDCBE@minimail.digi.com>
Subject: RE: Serial Ports and syslogd

Thanks so much, that got it.

Subject: Re: Serial Ports and syslogd

Your syslogd is trying to log to the console, over the serial line, and is getting stuck waiting for output to flush there. The easiest fix is to edit /etc/syslog.conf, and remove the line that is sending output to /dev/console. Once you do that, and restart everything, you won't see your problem again.
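The syslog.conf line the reply above refers to, shown here as an added illustration rather than anything posted to the thread. The console selector is the one shipped in the FreeBSD 4.x default /etc/syslog.conf; the /var/log/messages selector beneath it is quoted from memory of that default and may differ slightly on a given box, and the assumption, matching Kelly's "-s -s", is that the machine only logs locally.

```conf
# /etc/syslog.conf (FreeBSD 4.x default): this selector sends urgent
# messages to /dev/console, which on a headless box is the serial line.
# If nothing on the far end drains the serial console, syslogd blocks
# here and never gets around to acting on newsyslog's SIGHUP.
*.err;kern.warning;auth.notice;mail.crit		/dev/console

# Corrected: comment the console selector out. Nothing is lost, because
# *.notice already covers err and above, so the same messages keep
# landing in /var/log/messages through the next selector.
#*.err;kern.warning;auth.notice;mail.crit		/dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err		/var/log/messages
```

After saving the file, tell the running daemon to reread it with `kill -HUP $(cat /var/run/syslog.pid)`; that is the same signal newsyslog sends after a rotation, so if the HUP now takes effect the rotated files will start filling again and the "waiting for child" hang on restart should disappear with it.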
From owner-freebsd-security@FreeBSD.ORG Thu Jun 12 11:41:36 2003
From: lupe@lupe-christoph.de (Lupe Christoph)
To: freebsd-security@FreeBSD.ORG
Date: Thu, 12 Jun 2003 20:41:24 +0200
Message-ID: <20030612184124.GD26930@lupe-christoph.de>
References: <20030607111540.GC4812@lupe-christoph.de> <20030610230744.GD44069@blossom.cjclark.org> <20030612132138.A26888@shell.gsinet.sittig.org>
In-Reply-To: <20030612132138.A26888@shell.gsinet.sittig.org>
Subject: Re: Impossible to IPfilter this?

On Thursday, 2003-06-12 at 13:21:38 +0200, Gerhard Sittig wrote:

> In this scenario (would I be in the situation to have to filter
> this traffic:) I would wish for some flag or "handle" to recognize
> the different times the packet runs through the filter. There is
> quite a huge difference between "letting ESP/AH in at fxp0 and
> accept IPv4 -- maybe RFC1918 addresses -- from this tunnel (but
> not otherwise)" and "letting ESP/AH as well as IPv4 in at fxp0".
> Not wanting or having to extend the established filter syntax or
> the programming interface already laid out almost naturally makes
> the "interface" property of a packet one such handle.

I've used ipsec0 on Linux for similar purposes, and I would like to see an IPSec interface in FreeBSD as well. As I said, I could not get GIF to work with FreeS/WAN, so I'm stuck with the current interface-deprived IPSec implementation.

But at least (and at last!) I can use IPFilter rules for IPSec traffic, thanks to Crist's suggestion. Since I just want to prohibit traffic to "this host", that's enough for me.

Thank you all,
Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett |

From owner-freebsd-security@FreeBSD.ORG Thu Jun 12 15:00:52 2003
Date: Thu, 12 Jun 2003 18:08:01 -0400 (EDT)
From: Justin
To: Lupe Christoph
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <20030612180120.B54558@ike.othius.com>
References: <20030607111540.GC4812@lupe-christoph.de> <20030612132138.A26888@shell.gsinet.sittig.org> <20030612184124.GD26930@lupe-christoph.de>
In-Reply-To: <20030612184124.GD26930@lupe-christoph.de>
Subject: Re: Impossible to IPfilter this?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 12 Jun 2003, Lupe Christoph wrote:

> I've used ipsec0 on Linux for similar purposes, and I would like to see
> an IPSec interface in FreeBSD as well. As I said, I could not get GIF to
> work with FreeS/WAN, so I'm stuck with the current interface-deprived
> IPSec implementation.

We haven't gotten to the point of applying ipsec on the traffic between hosts yet (don't worry, only pings and ssh so far anyway), but a friend and I have a gif <-> iptun tunnel set up between a FreeBSD 4.8-RELEASE (plus patches) and a 2.4x kernel with FreeS/WAN. Works fine. The Seattle Wireless group had a handy little shell script that the guy at the Linux end based his commands off of. We'll see if problems arise when ipsec is applied to all traffic between the hosts, but I don't anticipate that will cause any problems.

http://www.seattlewireless.net/index.cgi/IpTunnel

-Justin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE+6PnGdYQBw9Ox1VgRAvTpAJ4nJjrUry6AHdzvwTS5/02WyE9FYACgjDFS
GhzSLreKf8i5Ye9TiU5slQY=
=jsO1
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Jun 13 04:49:28 2003
From: Murat USTUNTAS
To: freebsd-security@freebsd.org
Date: Fri, 13 Jun 2003 14:58:41 +0300
Message-ID: <3EE9BC71.9000400@bimel.com.tr>
Subject: Gigabit Ethernet Security With Ipfilter

Hello all,

I want to learn about the requirements if I want to protect a gigabit network with ipfilter as a transparent firewall. Which type of hardware is required to install FreeBSD + ipf (as transparency)? We use 3 gigabit ethernet cards for protection; which type of gigabit ethernet cards are powerful? Also, what about NMBCLUSTERS, IPSTATE_SIZE and IPSTATE_MAX in ip_state.h? I want to collect all information on that requirement.

Regards,
Murat Ustuntas

From owner-freebsd-security@FreeBSD.ORG Fri Jun 13 13:50:03 2003
Date: Sun, 8 Jun 2003 13:22:01 +0100
From: Bruce M Simpson
To: Brett Glass
Cc: security@freebsd.org
Message-ID: <20030608122201.GH9023@spc.org>
References: <200306080728.BAA24342@lariat.org>
In-Reply-To: <200306080728.BAA24342@lariat.org>
Subject: Re: Removable media security in FreeBSD

On Sun, Jun 08, 2003 at 01:28:50AM -0600, Brett Glass wrote:
> I don't want to open up the floppy and ZIP drives to all users simultaneously,
> since this would allow anyone to write someone else's removable media. Is
> there a standard, SECURE way of allowing an unprivileged user at the console
> to get at removable media that s/he has inserted in the machine?

man 5 fbtab

BMS
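What fbtab(5) does for Brett's case, as an added illustration that is not part of Bruce's reply: when someone logs in on the console tty, login(1) consults /etc/fbtab, changes the listed device nodes to that user with the given mode, and gives them back to root when the session ends. Only the person physically at the console therefore holds the floppy and ZIP devices, which is the "not everyone at once" property Brett asked for. The device names below are assumptions for a typical 4.x box (syscons as /dev/ttyv0, the floppy as /dev/fd0, an ATAPI ZIP drive as /dev/afd0); use whatever dmesg reports.

```conf
# /etc/fbtab: <login tty> <mode> <colon-separated device list>
# On login at ttyv0 (the first syscons virtual console) login(1) chowns
# the listed nodes to the user and applies the mode; on logout they
# revert to root.  Device names are assumed, not taken from the thread.
/dev/ttyv0	0600	/dev/fd0
/dev/ttyv0	0600	/dev/afd0
```

Two things to check before declaring this done. Owning the device node is not by itself enough to run mount(8) as a non-root user: FreeBSD only allows that when the sysctl vfs.usermount is set to 1, and then only for a device the user owns mounted onto a directory the user also owns, so KwikDisk's customised mount command must point at something like ~/floppy rather than /mnt. And fbtab is applied by login(1); if the KDE session is started by a display manager that bypasses login(1), confirm that the ownership change actually happens (ls -l /dev/fd0 while logged in) before relying on it.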
From owner-freebsd-security@FreeBSD.ORG Fri Jun 13 14:58:13 2003
From: Bruce M Simpson
To: Justin
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 13 Jun 2003 01:10:10 +0100
Message-ID: <20030613001010.GA9463@spc.org>
References: <20030607111540.GC4812@lupe-christoph.de> <20030612132138.A26888@shell.gsinet.sittig.org> <20030612184124.GD26930@lupe-christoph.de> <20030612180120.B54558@ike.othius.com>
In-Reply-To: <20030612180120.B54558@ike.othius.com>
Subject: Re: Impossible to IPfilter this?

There's a hack for this in -CURRENT:

#
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).
# The default is that packets coming from a tunnel are _not_ processed;
# they are assumed trusted.
#
# Note that enabling this can be problematic as there are no mechanisms
# in place for distinguishing packets coming out of a tunnel (e.g. no
# encX devices as found on openbsd).
#
#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel

BMS

From owner-freebsd-security@FreeBSD.ORG Fri Jun 13 15:19:31 2003
Date: Sat, 14 Jun 2003 01:19:18 +0300
From: Ruslan Ermilov
To: Vaclav Petricek
Cc: current@freebsd.org, security@freebsd.org
Message-ID: <20030613221918.GH29368@sunbay.com>
References: <20030608220507.GA84706@sunbay.com> <20030608230204.GB88799@sunbay.com>
Subject: Re: redirect unauthorized users to a login page (natd as a transparent proxy)

On Tue, Jun 10, 2003 at 11:53:48AM +0200, Vaclav Petricek wrote:
[...]
> The patch works. Thank you very much. I attach my attempt on a patch that
> should make it possible to omit the alias_address and interface options
> in case proxy_only is specified. IMHO in that situation these options are
> not used and should not be required by natd.
>

Certainly. I've committed a variation of your patch to natd.c, and the corresponding documentation changes to natd.8. MFC is planned in two weeks (see attached).

Cheers,
-- 
Ruslan Ermilov
Sysadmin and DBA, ru@sunbay.com
Sunbay Software Ltd, ru@FreeBSD.org
FreeBSD committer

[attached message]

From: Ruslan Ermilov
Date: Fri, 13 Jun 2003 15:15:42 -0700 (PDT)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Message-Id: <200306132215.h5DMFgQf025539@repoman.freebsd.org>
Subject: cvs commit: src/sbin/natd natd.8 natd.c
X-FreeBSD-CVS-Branch: HEAD

ru          2003/06/13 15:15:42 PDT

  FreeBSD src repository

  Modified files:
    sbin/natd            natd.8 natd.c
  Log:
  If the -proxy_only option is used, the -alias_address/-interface
  options are not required.

  Suggested by:   Vaclav Petricek
  MFC after:      2 weeks

  Revision  Changes    Path
  1.58      +5 -2      src/sbin/natd/natd.8
  1.42      +4 -2      src/sbin/natd/natd.c

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+6k3mUkv4P6juNwoRAinyAJ0V5Bi5D/emPttBAu6YTPlxRPZdnACdFv+l
ErlKqn5B/RbnrDJqC67b+Sw=
=7gMR
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sat Jun 14 02:55:03 2003
From: lupe@lupe-christoph.de (Lupe Christoph)
To: Justin
Cc: freebsd-security@FreeBSD.ORG
Date: Sat, 14 Jun 2003 11:54:33 +0200
Message-ID: <20030614095433.GA29210@lupe-christoph.de>
References: <20030607111540.GC4812@lupe-christoph.de> <20030610230744.GD44069@blossom.cjclark.org> <20030612132138.A26888@shell.gsinet.sittig.org> <20030612184124.GD26930@lupe-christoph.de> <20030612180120.B54558@ike.othius.com>
In-Reply-To: <20030612180120.B54558@ike.othius.com>
Subject: Re: Impossible to IPfilter this?

On Thursday, 2003-06-12 at 18:08:01 -0400, Justin wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> On Thu, 12 Jun 2003, Lupe Christoph wrote:

> > I've used ipsec0 on Linux for similar purposes, and I would like to see
> > an IPSec interface in FreeBSD as well. As I said, I could not get GIF to
> > work with FreeS/WAN, so I'm stuck with the current interface-deprived
> > IPSec implementation.

> We haven't gotten to the point of applying ipsec on the traffic between
> hosts yet (don't worry, only pings and ssh so far anyway) but a friend and
> I have a gif <-> iptun tunnel setup between a FreeBSD 4.8-RELEASE (plus
> patches) and a 2.4x kernel with FreeS/WAN. Works fine.

I'd appreciate seeing your config files for both sides: racoon.conf and ipsec.conf.

> Seattle Wireless group had a handy little shell script that the guy at the
> Linux end based his commands off of. We'll see if problems arise when
> ipsec is applied to all traffic between the hosts, but I don't anticipate
> that will cause any problems.

> http://www.seattlewireless.net/index.cgi/IpTunnel

I'm afraid this is talking about IPTunnel. IPTunnel does not do IPSec. As I understand this, the traffic is not secured (authenticated, encrypted). So you may not have the config files I asked for above at all. Please recheck what you have.

Thank you,
Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett |