From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 08:33:24 2003
From: "Hutchens, David"
To: "'freebsd-security@freebsd.org'"
Date: Sun, 31 Aug 2003 11:33:14 -0400
Subject: A thousand apologies :)

A thousand apologies :)

No intent to "spam" - thank you for informing me of freebsd-test@freebsd.org

Should've cleared out the stale test messages from my mail queue after
fixing my dns.
David Hutchens
david.hutchens@drs-sss.com

From owner-freebsd-security@FreeBSD.ORG Wed Sep 3 00:10:01 2003
Date: Wed, 3 Sep 2003 09:09:55 +0200
From: Jarosław Nozderko
Subject: MAC problems

FreeBSD version: 5.1-RELEASE

Hi,

I'm quite new to FreeBSD. I've checked list archives and
read a handbook, but I didn't find a solution to my problem
and I hope this is not off-topic.
I've installed 5.1-RELEASE, enabled ACLs on the filesystems
and I wanted to test MAC features.
I'm also new to MAC, so perhaps this is some mistake of mine.
When I enable mac_biba or mac_lomac (in loader.conf) without any
configuration, it seems to block networking:

jarek@skorpion jarek> ping 192.168.65.100
PING 192.168.65.100 (192.168.65.100): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 192.168.65.100 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

On the other side, when mac_mls is loaded, networking works, but
starting X server fails with message "Couldn't mmap /dev/vga"
(I don't see /dev/vga device regardless of MAC policy loaded)

Is it normal, or is something wrong? Is any additional documentation
about MAC available, more than papers at http://www.trustedbsd.org ?
I'd like to learn a bit more.

Regards and thanks for any help,
Jarek

From owner-freebsd-security@FreeBSD.ORG Wed Sep 3 18:35:44 2003
Date: Wed, 3 Sep 2003 21:34:57 -0400 (EDT)
From: Robert Watson
To: Jarosław Nozderko
Cc: freebsd-security@freebsd.org
Subject: Re: MAC problems

On Wed, 3 Sep 2003, Jarosław Nozderko wrote:

> I'm quite new to FreeBSD. I've checked list archives and read a handbook,
> but I didn't find a solution to my problem and I hope this is not
> off-topic. I've installed 5.1-RELEASE, enabled ACLs on the filesystems
> and I wanted to test MAC features. I'm also new to MAC, so perhaps this
> is some mistake of mine. When I enable mac_biba or mac_lomac (in
> loader.conf) without any configuration, it seems to block networking:
>
> jarek@skorpion jarek> ping 192.168.65.100
> PING 192.168.65.100 (192.168.65.100): 56 data bytes
> ping: sendto: Permission denied
> ping: sendto: Permission denied
> ping: sendto: Permission denied
> ^C
> --- 192.168.65.100 ping statistics ---
> 3 packets transmitted, 0 packets received, 100% packet loss

The default process label when you haven't configured per-user labels is a
high integrity label in the Biba policy. The default label on network
interfaces is low integrity. The result is generally a failure to be able
to send on the network interfaces, although the failure mode varies a bit
depending on the socket type, etc. For experimentation purposes, you'll
probably want to set the following flag in loader.conf:

    security.mac.biba.trust_all_interfaces="1"

This will tell mac_biba that you want interfaces to be labeled as high
integrity by default.
You can also selectively change the security labels on
interfaces using ifconfig:

    paprika# ifconfig wi0 maclabel 'biba/high(low-high)'
    paprika# ifconfig wi0
    wi0: flags=8843 mtu 1500
            inet6 fe80::209:5bff:fe31:27a4%wi0 prefixlen 64 scopeid 0x4
            inet 192.168.5.3 netmask 0xffffff00 broadcast 192.168.5.255
            ether 00:09:5b:31:27:a4
            media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps)
            status: associated
            ssid more-80211-in-bethesda 1:more-80211-in-bethesda
            stationname "FreeBSD WaveLAN/IEEE node"
            channel 3 authmode OPEN powersavemode OFF powersavesleep 100
            wepmode MIXED weptxkey 1
            wepkey 1:128-bit
            maclabel biba/high(low-high)

In the Biba policy, network interface labels have three elements: a single
(effective) label, and low and high ends of a range. The single element
is the default label for packets sourced from the interface; the low and
high range elements place a bound on data allowed out the interface. The
above labels incoming packets as high, and permits packets of any labels
out the interface.

> On the other side, when mac_mls is loaded, networking works, but
> starting X server fails with message "Couldn't mmap /dev/vga" (I don't
> see /dev/vga device regardless of MAC policy loaded)

I seem to recall that the error message given by X is actually inaccurate:
it reports a failure to mmap /dev/vga, but it's actually failing to mmap
system memory. The default MLS label on user processes is mls/low --
since direct access to hardware of your system may leak information about
higher confidentiality processes or data. As a result, the policy
prevents you from doing so, which breaks X11. There are several
approaches to resolving this:

(1) Assign bypass labels to the special devices X accesses, so that
    processes can access the resources regardless of the label.
    This is a security hole, but for experimentation purposes, can be
    quite useful. I generally run the following script at boot on systems
    where this approach is used:

        # Configure multilabel md-backed /tmp
        mdconfig -a -t swap -s 30m -u 10
        newfs /dev/md10
        tunefs -l enable /dev/md10
        mount /dev/md10 /tmp
        mkdir /tmp/.X11-unix /tmp/.ICE-unix
        chmod 01777 /tmp /tmp/.X11-unix /tmp/.ICE-unix
        setfmac biba/equal,mls/equal /tmp /tmp/.X11-unix /tmp/.ICE-unix

        # Relabel entries in /dev so that X11 works (bypass protections)
        setpmac biba/equal,mls/equal setfmac biba/equal,mls/equal /dev/pci \
            /dev/io /dev/mem /dev/kmem /dev/sysmouse /dev/agpgart \
            /dev/dri

    This assigns an "equal" (bypass) label to a bunch of device nodes
    accessed by X11. It also sets up /tmp with bypass labels so that X11
    can dump its sockets there.

(2) Assign a bypass label to the X server, so that it can access these
    resources while communicating with arbitrary user processes. To do
    this, the X server has to be started using:

        setpmac mls/equal /usr/X11R6/bin/startx

    Note that this also has the effect of bypassing MLS protection, but
    has different properties than (1). Your system resources are still
    protected by MLS, but the X server can now communicate with arbitrary
    processes, which might allow for information flow via the X server.
    Also, if your X server is compromised, the exploit code runs with a
    high level of privilege -- of course, that applies to (1) as well.

(3) Only use the X server when running as mls/high, which will allow X to
    do what it needs to, but will limit what processes can talk to X,
    effectively meaning you can only run X apps at mls/high.

Currently, there is no open source multi-level X server that I know of, so
if you run X on the machine, you do have to either play by the rules of
MLS by running at a single level, or by bypassing the MLS policy
selectively. I think it would be great to have open source MLS X server
support, but it would be a fair amount of work.

> Is it normal, or is something wrong? Is any additional documentation
> about MAC available, more than papers at http://www.trustedbsd.org ? I'd
> like to learn a bit more.

There are man pages for each policy, a brief section in the FreeBSD
Handbook summarizing the MAC policies, and several implementation papers.
Currently, there are no tutorials for getting a system up and running --
these features are still considered experimental, and we've placed most of
our focus on getting the features productionable and complete. However,
we'd be happy to answer questions and fix bugs, as well as work towards
having better documentation as we go along :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Fri Sep 5 08:45:30 2003
Date: Fri, 05 Sep 2003 10:45:26 -0500
From: "Biyala, Urvi"
To: freebsd-security@freebsd.org
Subject: Question about world read permissions on system level files

All,

I need to trim the world read permissions from the system sensitive files.
I know that it would be safe to trim the permissions from many of the
configuration files in /etc. But I was not sure if I could safely tighten
the permissions from other system files. Does anyone know of any
documentation on this? Or can anyone tell me if it is safe to trim world
read permissions from the system files?

Thanks in advance,
Urvi

From owner-freebsd-security@FreeBSD.ORG Fri Sep 5 09:00:08 2003
Date: Fri, 5 Sep 2003 15:56:34 +0400
From: Illia Baidakov
To: freebsd-security@freebsd.org
Subject: MD5 checksum missmatch for bpft4

Hello freebsd-security,

Apologies if it's off-topic, but:
The message digest checksum for bpft4 from ports/net/bpft does not
match the one printed on the sources page at
http://www.freebsd.org/cgi/pds.cgi?ports/net/bpft
My digests are 3810114b068f438cc7e8e0b1af745953 from top 6 links.
Only last ftp://rusunix.org/pub/FreeBSD/distfiles/bpft4-latest.tgz
gave the right checksum - 9bf42e8eabd2de2db1e28dc671651adb.
Does it have any relation to "CERT Advisory CA-2003-21" or it's
another problem?

--
Best regards,
 Illia                          mailto:illich@newchem.ru

From owner-freebsd-security@FreeBSD.ORG Fri Sep 5 09:03:41 2003
Date: Fri, 5 Sep 2003 19:03:35 +0300
From: Peter Pentchev
To: Illia Baidakov
Cc: ports@FreeBSD.org, freebsd-security@freebsd.org, vampiro@rusunix.org
Subject: Re: MD5 checksum missmatch for bpft4

On Fri, Sep 05, 2003 at 03:56:34PM +0400, Illia Baidakov wrote:
> Hello freebsd-security,
>
> Apologies if it's off-topic, but:
> The message digest checksum for bpft4 from ports/net/bpft does not
> match the one printed on the sources page at
> http://www.freebsd.org/cgi/pds.cgi?ports/net/bpft
> My digests are 3810114b068f438cc7e8e0b1af745953 from top 6 links.
> Only last ftp://rusunix.org/pub/FreeBSD/distfiles/bpft4-latest.tgz
> gave the right checksum - 9bf42e8eabd2de2db1e28dc671651adb.
> Does it have any relation to "CERT Advisory CA-2003-21" or it's
> another problem?

I think the proper place to ask would be either the ports@FreeBSD.org
list (CC'd), or, even better, the net/bpft port maintainer - the address
listed in ports/net/bpft/Makefile under the 'MAINTAINER' variable:
vampiro@rusunix.org (also CC'd).

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence was in the past tense.

From owner-freebsd-security@FreeBSD.ORG Fri Sep 5 12:16:37 2003
Date: Fri, 05 Sep 2003 12:16:35 -0700
From: richard childers / kg6hac
To: freebsd-security@freebsd.org
Subject: re: world read permissions on system level files

From: "Biyala, Urvi"

>I need to trim the world read permissions from the system sensitive files.
>I know that it would be safe to trim the permissions from many of the
>configuration files in /etc. But I was not sure if I could safely tighten
>the permissions from other system files. Does anyone know of any
>documentation on this? Or can anyone tell me if it is safe to trim world
>read permissions from the system files?
>

This needs to be done on an application-by-application, file-by-file basis.

There is a spectrum of possibilities.

For instance, there is no need for files read during boot to be
world-readable; it is the root that is carrying out all of the
operations, starting the system.

At the other end of the spectrum, if you disable world-readability from
/etc/passwd, your shell cannot determine its home directory, and
problems will ensue.

If this is consequent to BofA's layoff and replacement of their entire
IT infrastructure, I would definitely recommend something along the
following lines:

    find /etc -type f -exec chmod 0000 {} \;

This will maximize security, at the expense of some inconvenience.

Drily,

-- richard

Richard Childers / (415) 759-5571
Senior Engineer / Daemonized Networking Services
https://www.daemonized.com
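
Added example, not part of any message in this thread and not FreeBSD's mac_biba code: a simplified Python model of the interface-label rule Robert Watson describes in his "MAC problems" reply, showing why a high-integrity process gets "Permission denied" on a low-integrity interface and why `biba/high(low-high)` lets it send. Assumptions: compartments are ignored, grades are `low`, `high`, `equal` or a number, and the unconfigured interface label is taken to be `biba/low(low-low)`.

```python
import re

LOW, HIGH, EQUAL = "low", "high", "equal"
LABEL_RE = re.compile(r"^biba/(\w+)\((\w+)-(\w+)\)$")

# Labels used in the demo. DEFAULT_IFNET is an assumption standing in for
# "low integrity"; WI0_LABEL is the one set with ifconfig in the thread.
DEFAULT_IFNET = "biba/low(low-low)"
WI0_LABEL = "biba/high(low-high)"


def grade_key(grade):
    """Map a grade to an integer so that low < numeric grades < high."""
    if grade == LOW:
        return -1
    if grade == HIGH:
        return 1 << 16
    if grade.isdigit():
        return int(grade)
    raise ValueError(f"unknown Biba grade: {grade!r}")


def dominates(a, b):
    """True if grade a is at least as high-integrity as grade b.

    'equal' is the bypass grade: it passes every comparison.
    """
    if EQUAL in (a, b):
        return True
    return grade_key(a) >= grade_key(b)


def parse_ifnet_label(text):
    """Split 'biba/E(L-H)' into effective grade and range bounds."""
    m = LABEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an interface label: {text!r}")
    effective, low, high = m.groups()
    for g in (effective, low, high):
        if g != EQUAL:
            grade_key(g)  # validates the grade, raises on junk
    return {"effective": effective, "low": low, "high": high}


def may_transmit(packet_grade, ifnet_label):
    """A packet may leave the interface only if low <= packet <= high."""
    lab = parse_ifnet_label(ifnet_label)
    return (dominates(lab["high"], packet_grade)
            and dominates(packet_grade, lab["low"]))


def received_grade(ifnet_label):
    """Packets arriving on the interface take its effective grade."""
    return parse_ifnet_label(ifnet_label)["effective"]


if __name__ == "__main__":
    for ifnet in (DEFAULT_IFNET, WI0_LABEL):
        for proc in (HIGH, LOW):
            verdict = "allowed" if may_transmit(proc, ifnet) else "denied"
            print(f"process biba/{proc} -> {ifnet}: send {verdict}")
        print(f"  inbound packets labelled biba/{received_grade(ifnet)}")
```
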