From owner-freebsd-security@FreeBSD.ORG  Sat Mar 19 23:27:03 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id A8BF716A4CE; Sat, 19 Mar 2005 23:27:03 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 8083A43D2F; Sat, 19 Mar 2005 23:27:03 +0000 (GMT)
	(envelope-from csjp@FreeBSD.org)
Received: from freefall.freebsd.org (csjp@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j2JNR33f053272;
	Sat, 19 Mar 2005 23:27:03 GMT
	(envelope-from csjp@freefall.freebsd.org)
Received: (from csjp@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j2JNR3jd053271;
	Sat, 19 Mar 2005 23:27:03 GMT
	(envelope-from csjp)
Date: Sat, 19 Mar 2005 23:27:03 +0000
From: "Christian S.J. Peron" <csjp@FreeBSD.org>
To: freebsd-hackers@FreeBSD.org
Message-ID: <20050319232703.GA53181@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Mailman-Approved-At: Sun, 20 Mar 2005 13:35:12 +0000
cc: freebsd-security@FreeBSD.org
Subject: RE: FreeBSD trusted execution system: beta testers wanted
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Mar 2005 23:27:03 -0000

All

Thanks for all the input. I have updated the code as per some of the comments
which came in around testing. The following changes were made:

-modify setfhash/getfhash to use the filename of the pathname portion.
 this will unbreak set/getfhash if it was invoked using ./ or the complete
 pathname.

-the kernel implementation of setfhash was a bad idea. It used to use
 the utimes syscall. This especially caused problems with various port
 or source builds on NFS file systems exiting with EIO or various other
 errors. I replaced the kernel implementation with a sysctl, and modified
 the setfhash utility to use this instead. 

-add additional printf's to tell people where/why things went wrong. It
 should be noted that these printfs are only executed if the module is
 compiled with DEBUG set. (See the Makefile).

-change Makefiles and file locations to be more consistent with the 
 system build practices.

NOTE: IF YOU HAVE ALREADY PATCHED YOUR KERNEL SKIP THE KERNEL PATCH/REBUILD

cd /usr/src/sys
fetch http://www.freebsd.org/~csjp/mac/mac_vnode_mmap.1106783302.diff
patch < mac_vnode_mmap.1106783302.diff

# REBUILD YOUR KERNEL

cd /usr/src/sys/modules
mkdir /usr/src/sys/modules/mac_chkexec
cd /usr/src/sys/modules/mac_chkexec
fetch http://www.freebsd.org/~csjp/mac/Makefile

cd /usr/src/usr.sbin
fetch http://www.freebsd.org/~csjp/mac/getfhash.1111165779.shar
sh getfhash.1111165779.shar
cd getfhash
make
make install
make clean

cd /usr/src/sys/security
fetch http://www.freebsd.org/~csjp/mac/mac_chkexec.1111165827.shar
sh mac_chkexec.1111165827.shar
cd /usr/src/sys/modules/mac_chkexec
make
make install
make clean

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer

From owner-freebsd-security@FreeBSD.ORG  Sun Mar 20 14:54:56 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BF3FD16A4CE
	for <freebsd-security@freebsd.org>;
	Sun, 20 Mar 2005 14:54:56 +0000 (GMT)
Received: from mail26.sea5.speakeasy.net (mail26.sea5.speakeasy.net
	[69.17.117.28])	by mx1.FreeBSD.org (Postfix) with ESMTP id 8D51843D2F
	for <freebsd-security@freebsd.org>;
	Sun, 20 Mar 2005 14:54:56 +0000 (GMT)
	(envelope-from freebsd-security-local@be-well.ilk.org)
Received: (qmail 9161 invoked from network); 20 Mar 2005 14:54:56 -0000
Received: from dsl092-078-145.bos1.dsl.speakeasy.net (HELO be-well.ilk.org)
	([66.92.78.145])
	(envelope-sender <freebsd-security-local@be-well.ilk.org>)
	by mail26.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP
	for <freebsd-security@freebsd.org>; 20 Mar 2005 14:54:56 -0000
Received: by be-well.ilk.org (Postfix, from userid 1147)
	id 3738C82; Sun, 20 Mar 2005 09:54:55 -0500 (EST)
Sender: lowell@be-well.ilk.org
To: Michael Collette <metrol.net@gmail.com>
References: <c4c5231305031915001b6dbcd4@mail.gmail.com>
From: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
Date: 20 Mar 2005 09:54:55 -0500
In-Reply-To: <c4c5231305031915001b6dbcd4@mail.gmail.com>
Message-ID: <44hdj6fjuo.fsf@be-well.ilk.org>
Lines: 13
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: LDAP and Linux compatibility
X-List-Received-Date: Sun, 20 Mar 2005 14:54:56 -0000

Michael Collette <metrol.net@gmail.com> writes:

> Please excuse a wee bit of cross posting here.  It seems that the
> questions list may not be the appropriate place for this as I've found
> a number of unanswered posts involving this topic.

On the -ports list, somebody pointed out that the linux-base ports
include advice to edit /compat/linux/etc/yp.conf (I'm using NIS).
I haven't tried this yet, but it makes sense that it would be
necessary.  For your case with LDAP, I suspect you would need to
configure nsswitch.conf, probably the same way as the FreeBSD version
in your real /etc directory.

From owner-freebsd-security@FreeBSD.ORG  Sun Mar 20 21:37:44 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AA7C516A4CE
	for <freebsd-security@freebsd.org>;
	Sun, 20 Mar 2005 21:37:44 +0000 (GMT)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.193])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 445B343D2D
	for <freebsd-security@freebsd.org>;
	Sun, 20 Mar 2005 21:37:44 +0000 (GMT)
	(envelope-from metrol.net@gmail.com)
Received: by wproxy.gmail.com with SMTP id 68so829137wri
	for <freebsd-security@freebsd.org>;
	Sun, 20 Mar 2005 13:37:43 -0800 (PST)
Received: by 10.54.78.16 with SMTP id a16mr2584142wrb;
        Sun, 20 Mar 2005 13:37:43 -0800 (PST)
Received: by 10.54.51.37 with HTTP; Sun, 20 Mar 2005 13:37:43 -0800 (PST)
Message-ID: <c4c5231305032013372c8712dc@mail.gmail.com>
Date: Sun, 20 Mar 2005 13:37:43 -0800
From: Michael Collette <metrol.net@gmail.com>
To: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
In-Reply-To: <44hdj6fjuo.fsf@be-well.ilk.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
References: <c4c5231305031915001b6dbcd4@mail.gmail.com>
	 <44hdj6fjuo.fsf@be-well.ilk.org>
cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: LDAP and Linux compatibility
Reply-To: Michael Collette <metrol.net@gmail.com>
X-List-Received-Date: Sun, 20 Mar 2005 21:37:44 -0000

On 20 Mar 2005 09:54:55 -0500, Lowell Gilbert
<freebsd-security-local@be-well.ilk.org> wrote:
> Michael Collette <metrol.net@gmail.com> writes:
> 
> > Please excuse a wee bit of cross posting here.  It seems that the
> > questions list may not be the appropriate place for this as I've found
> > a number of unanswered posts involving this topic.
> 
> On the -ports list, somebody pointed out that the linux-base ports
> include advice to edit /compat/linux/etc/yp.conf (I'm using NIS).
> I haven't tried this yet, but it makes sense that it would be
> necessary.  For your case with LDAP, I suspect you would need to
> configure nsswitch.conf, probably the same way as the FreeBSD version
> in your real /etc directory.

The problem is, NIS is a built in feature of both FreeBSD and Linux. 
Configuring FreeBSD to utilize LDAP involves at least 4 additional
ports.  You need pam_ldap, nss_ldap, openldap-client, and openssl. 
The 4th of course being optional but highly desirable for security
reasons.

Without this additional software neither FreeBSD nor the compat/Linux
install will do a lookup to an LDAP directory.  It wouldn't know how,
as you have to properly configure both pam_ldap and nss_ldap so they
know how to query the directory.

I would think that the most desirable behavior would be to have any
Linux calls to getpwuid_r() answered by the FreeBSD libraries rather
than a direct attempt to look at the passwd database.  Well, assuming
that's what is happening.  It just seems redundant to have to
configure authentication for the base system, then do it again for the
Linux compatibility.

Later on,
-- 
"When you come to a fork in the road....Take it"
- Yogi Berra

From owner-freebsd-security@FreeBSD.ORG  Tue Mar 22 08:25:49 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F33E816A4D0
	for <freebsd-security@freebsd.org>;
	Tue, 22 Mar 2005 08:25:48 +0000 (GMT)
Received: from ruxcon.org.au (mail.ruxcon.org.au [209.9.226.180])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7ED1D43D55
	for <freebsd-security@freebsd.org>;
	Tue, 22 Mar 2005 08:25:48 +0000 (GMT)
	(envelope-from cfp@ruxcon.org.au)
Received: by ruxcon.org.au (Postfix, from userid 1005)
	id 7E61C1AD415D; Tue, 22 Mar 2005 08:25:47 +0000 (UTC)
To: freebsd-security@freebsd.org
Message-Id: <20050322082547.7E61C1AD415D@ruxcon.org.au>
Date: Tue, 22 Mar 2005 08:25:47 +0000 (UTC)
From: cfp@ruxcon.org.au (RUXCON Call for Papers)
Subject: RUXCON 2005 Call for Papers
X-List-Received-Date: Tue, 22 Mar 2005 08:25:49 -0000

Call For Papers

RUXCON would like to announce the call for papers for the third annual RUXCON 
conference.

Breaking from the RUXCON tradition of having the conference in winter months, 
this year the conference will be run during the 1st and 2nd of October.

As with previous years, RUXCON will be held at the University of Technology, 
Sydney, Australia.

The deadline for submissions is the 31st of August.


What is RUXCON?

	RUXCON is a conference organised by and for the computer security
	community. It is an attempt to bring together the individual talents 
	of the security community through live presentations, activities and 
	demonstrations.

	The conference is held over two days in a relaxed atmosphere, allowing 
	attendees to enjoy themselves whilst expanding their knowledge of 
	security.

	Live presentations, activities and workshops will cover a full range of 
	defensive and offensive security topics, varying from unpublished 
	research to required reading for the public security community.


Presentation Information

	Presentations are set to run for 50 minutes, and will be of a formal 
	nature, with slides and a speech.

	Workshops are slightly shorter, between 30-40 minutes in length in a 
	less formal format, more of a general or introductory skill level.


Presentation Submissions

	RUXCON would like to invite people who are interested in security to 
	submit a presentation or workshop.

	Topics of interest include, but are not limited to:

		* Code analysis
		* Exploitation techniques
		* Network scanning and analysis
		* Cryptography
		* Malware Analysis
		* Reverse engineering
		* Forensics and Anti-forensics
		* Social engineering
		* Web application security
		* Legal aspects of computer security and surrounding issues
		* Law enforcement activities
		* Telecommunications security (mobile, GSM, fraud issues, etc.)

	Submissions should thoroughly outline your desired presentation or 
	workshop subject. Accompanying your submission should be the slides 
	you intend to use or a detailed paper explaining your subject.

	If you have any enquiries about submissions, or would like to make a 
	submission, please send an e-mail to presentations ruxcon org au. The 
	deadline for submissions is the 31st of August.

	If approved we will additionally require:

		* A brief personal biography (between 2-5 paragraphs in length),
		  including: skill set, experience, and credentials.
		* A description of your presentation or workshop (between 2-5 
		  paragraphs in length). 

Selection Criteria

	Presentation selection will be based on technical merit. Presentations 
	discussing new, previously undisclosed, defensive or offensive security 
	related material will receive first priority.

Contact Details

	Presentation Submissions: presentations ruxcon org au
	General Enquiries: ruxcon ruxcon org au

From owner-freebsd-security@FreeBSD.ORG  Tue Mar 22 15:39:09 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D4C5216A4CE
	for <freebsd-security@freebsd.org>;
	Tue, 22 Mar 2005 15:39:09 +0000 (GMT)
Received: from gandalf.osk.com.ua (osk.com.ua [195.5.17.76])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CBAFF43D4C
	for <freebsd-security@freebsd.org>;
	Tue, 22 Mar 2005 15:39:08 +0000 (GMT)
	(envelope-from subscriber@osk.com.ua)
Received: from oleg.osk.lan (unknown [192.168.0.20])
	by gandalf.osk.com.ua (Postfix) with ESMTP id 552A678C4F
	for <freebsd-security@freebsd.org>;
	Tue, 22 Mar 2005 17:39:31 +0200 (EET)
Date: Tue, 22 Mar 2005 17:40:55 +0200
From: FreeBSD MailList <subscriber@osk.com.ua>
X-Mailer: The Bat! (v3.0.1.33) Professional
X-Priority: 3 (Normal)
Message-ID: <1014664959.20050322174055@osk.com.ua>
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: PAM fails to change user password
Reply-To: FreeBSD MailList <subscriber@osk.com.ua>
X-List-Received-Date: Tue, 22 Mar 2005 15:39:10 -0000

Hi, freebsd-security.

I have FreeBSD 5.3-STABLE.
When I try to change user's password (via passwd) I receive the
following:

passwd: entry inconsistent
passwd: pam_chauthtok(): error in service module
passwd: in pam_sm_chauthtok(): pw_copy() failed

and password stays unchanged.
There are no other errors in the authorization system at all.
Contents of /etc/pam.d stayed unchanged (compared to /usr/src/pam.d)
Permissions:
/etc/group  644 root:wheel
/etc/passwd 644 root:wheel
/etc/master.passwd  600 root:wheel

I have /usr/ports/security/pam_mysql installed, but this problem (as I
remember) was here from the beginning, long before I installed
pam_mysql.
Because of need I created pam.conf with some opts. But if I remove it
and reboot the problem persists.

What could go wrong?


-- 
Best regards,
 Tarasov Oleg                          mailto:subscriber@osk.com.ua

From owner-freebsd-security@FreeBSD.ORG  Wed Mar 23 09:48:51 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D7BED16A4CE
	for <freebsd-security@freebsd.org>;
	Wed, 23 Mar 2005 09:48:51 +0000 (GMT)
Received: from bgo1smout1.broadpark.no (bgo1smout1.broadpark.no [217.13.4.94])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7321243D1D
	for <freebsd-security@freebsd.org>;
	Wed, 23 Mar 2005 09:48:51 +0000 (GMT)	(envelope-from des@des.no)
Received: from bgo1sminn1.broadpark.no ([217.13.4.93])
 by bgo1smout1.broadpark.no
 (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004))
 with ESMTP id <0IDS00A1GTO8L740@bgo1smout1.broadpark.no> for
 freebsd-security@freebsd.org; Wed, 23 Mar 2005 10:43:20 +0100 (CET)
Received: from dsa.des.no ([80.203.228.37]) by bgo1sminn1.broadpark.no
 (Sun Java System Messaging Server 6.1 HotFix 0.05 (built Oct 21 2004))
 with ESMTP id <0IDS0084YU06FYDE@bgo1sminn1.broadpark.no> for
 freebsd-security@freebsd.org; Wed, 23 Mar 2005 10:50:30 +0100 (CET)
Received: by dsa.des.no (Pony Express, from userid 666)	id CD2A7BDC37; Wed,
	23 Mar 2005 10:48:49 +0100 (CET)
Received: from xps.des.no (xps.des.no [10.0.0.12])	by dsa.des.no (Pony
	Express)
	with ESMTP id 29573BDC3E; Wed, 23 Mar 2005 10:48:45 +0100 (CET)
Received: by xps.des.no (Postfix, from userid 1001)	id 1EEB233C1B; Wed,
 23 Mar 2005 10:48:45 +0100 (CET)
Date: Wed, 23 Mar 2005 10:48:45 +0100
From: des@des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=)
In-reply-to: <1014664959.20050322174055@osk.com.ua>
To: FreeBSD MailList <subscriber@osk.com.ua>
Message-id: <86sm2mofpe.fsf@xps.des.no>
MIME-version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: quoted-printable
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on dsa.des.no
References: <1014664959.20050322174055@osk.com.ua>
User-Agent: Gnus/5.110002 (No Gnus v0.2) Emacs/21.3 (berkeley-unix)
X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED,AWL
	autolearn=disabled version=3.0.2
X-Spam-Level: 
cc: freebsd-security@freebsd.org
Subject: Re: PAM fails to change user password
X-List-Received-Date: Wed, 23 Mar 2005 09:48:52 -0000

FreeBSD MailList <subscriber@osk.com.ua> writes:
> When I try to change user's password (via passwd) I receive the
> following:
>
> passwd: entry inconsistent
> passwd: pam_chauthtok(): error in service module
> passwd: in pam_sm_chauthtok(): pw_copy() failed

Do you by any chance have multiple entries for the same user in
master.passwd?  If you do, use vipw(8) to remove all but one, and try
again.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Wed Mar 23 19:25:34 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 78FAE16A4CE
	for <freebsd-security@freebsd.org>;
	Wed, 23 Mar 2005 19:25:34 +0000 (GMT)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.197])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 923C343D48
	for <freebsd-security@freebsd.org>;
	Wed, 23 Mar 2005 19:25:33 +0000 (GMT)
	(envelope-from metrol.net@gmail.com)
Received: by wproxy.gmail.com with SMTP id 70so268354wra
	for <freebsd-security@freebsd.org>;
	Wed, 23 Mar 2005 11:25:33 -0800 (PST)
Received: by 10.54.96.14 with SMTP id t14mr570832wrb;
        Wed, 23 Mar 2005 11:25:25 -0800 (PST)
Received: by 10.54.51.37 with HTTP; Wed, 23 Mar 2005 11:25:19 -0800 (PST)
Message-ID: <c4c52313050323112589201b1@mail.gmail.com>
Date: Wed, 23 Mar 2005 11:25:19 -0800
From: Michael Collette <metrol.net@gmail.com>
To: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
In-Reply-To: <c4c5231305032013372c8712dc@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
References: <c4c5231305031915001b6dbcd4@mail.gmail.com>
	 <44hdj6fjuo.fsf@be-well.ilk.org>
	 <c4c5231305032013372c8712dc@mail.gmail.com>
cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: LDAP and Linux compatibility
Reply-To: Michael Collette <metrol.net@gmail.com>
X-List-Received-Date: Wed, 23 Mar 2005 19:25:34 -0000

Well, came up with a solution as well as a new problem.  Thought I'd
at least share the solution here.

In /etc/profile I'm calling a shell script called inituser.sh.  Got
this running to ensure the user's basic environment is all set up.  In
this script I now have it write to a file in /tmp with a line that
looks like...

bob:*:1000:1000:Bob Smith:/home/bob

I then have a symbolic link from this file to
/compat/linux/etc/passwd.  With this in play, FreeBSD is properly
performing an LDAP lookup, and Linux apps have somewhere to look for a
proper user id.  There are some security concerns I have with this,
and it sure feels like a nasty little hack, but it seems to work for
the moment.

Now my problem has to do with linux-fontconfig.  Neither acroread7 nor
reaplay will run due to complaining about fontconfig not being setup
properly.  Still futzing with this one.  Thankfully though, neither
app is still complaining about not being able to lookup a user id.

Later on,

On Sun, 20 Mar 2005 13:37:43 -0800, Michael Collette
<metrol.net@gmail.com> wrote:
> On 20 Mar 2005 09:54:55 -0500, Lowell Gilbert
> <freebsd-security-local@be-well.ilk.org> wrote:
> > Michael Collette <metrol.net@gmail.com> writes:
> >
> > > Please excuse a wee bit of cross posting here.  It seems that the
> > > questions list may not be the appropriate place for this as I've found
> > > a number of unanswered posts involving this topic.
> >
> > On the -ports list, somebody pointed out that the linux-base ports
> > include advice to edit /compat/linux/etc/yp.conf (I'm using NIS).
> > I haven't tried this yet, but it makes sense that it would be
> > necessary.  For your case with LDAP, I suspect you would need to
> > configure nsswitch.conf, probably the same way as the FreeBSD version
> > in your real /etc directory.
> 
> The problem is, NIS is a built in feature of both FreeBSD and Linux.
> Configuring FreeBSD to utilize LDAP involves at least 4 additional
> ports.  You need pam_ldap, nss_ldap, openldap-client, and openssl.
> The 4th of course being optional but highly desirable for security
> reasons.
> 
> Without this additional software neither FreeBSD nor the compat/Linux
> install will do a lookup to an LDAP directory.  It wouldn't know how,
> as you have to properly configure both pam_ldap and nss_ldap so they
> know how to query the directory.
> 
> I would think that the most desirable behavior would be to have any
> Linux calls to getpwuid_r() answered by the FreeBSD libraries rather
> than a direct attempt to look at the passwd database.  Well, assuming
> that's what is happening.  It just seems redundant to have to
> configure authentication for the base system, then do it again for the
> Linux compatibility.
> 
> Later on,
> --
> "When you come to a fork in the road....Take it"
> - Yogi Berra
> 


-- 
"When you come to a fork in the road....Take it"
- Yogi Berra

From owner-freebsd-security@FreeBSD.ORG  Fri Mar 25 08:08:01 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F1B6B16A4CE
	for <freebsd-security@FreeBSD.org>;
	Fri, 25 Mar 2005 08:08:01 +0000 (GMT)
Received: from gandalf.osk.com.ua (osk.com.ua [195.5.17.76])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 34CE743D1F
	for <freebsd-security@FreeBSD.org>;
	Fri, 25 Mar 2005 08:08:01 +0000 (GMT)
	(envelope-from subscriber@osk.com.ua)
Received: from oleg.osk.lan (unknown [192.168.0.20])
	by gandalf.osk.com.ua (Postfix) with ESMTP id B677278C5C;
	Fri, 25 Mar 2005 10:08:23 +0200 (EET)
Date: Fri, 25 Mar 2005 10:09:48 +0200
From: Oleg Tarasov <subscriber@osk.com.ua>
X-Mailer: The Bat! (v3.0.1.33) Professional
X-Priority: 3 (Normal)
Message-ID: <1971222958.20050325100948@osk.com.ua>
To: "Jason L. Schwab" <jlschwab@jlschwab.com>
In-Reply-To: <2B21B68AD68D364A8B241C972772CE110A8CB6@ms08.mse3.exchange.ms>
References: <2B21B68AD68D364A8B241C972772CE110A8CB6@ms08.mse3.exchange.ms>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-security@FreeBSD.org
Subject: Re: PAM fails to change user password
Reply-To: FreeBSD MailList <subscriber@osk.com.ua>
X-List-Received-Date: Fri, 25 Mar 2005 08:08:02 -0000

Hello,

Jason L. Schwab <jlschwab@jlschwab.com> wrote:

> Tarasov Oleg;



> (as root)
> # pwd_mkdb /etc/master.passwd

> It seems that the actual database file is fine, but the plaintext
> versions think that they are corrupt, this should solve your issue.

> Then try changing the user's password, it should be successful.

> -Jason

Thanx, that was the problem. Actually I changed master.passwd by hand
and forgot to use pwd_mkdb. My mistake, a lesson to me. Sorry for
inconfidence.



-- 
Best regards,
 Oleg Tarasov                          mailto:subscriber@osk.com.ua

From owner-freebsd-security@FreeBSD.ORG  Fri Mar 25 12:49:03 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4336D16A4CE
	for <freebsd-security@FreeBSD.org>;
	Fri, 25 Mar 2005 12:49:03 +0000 (GMT)
Received: from cowbert.2y.net (d46h180.public.uconn.edu [137.99.46.180])
	by mx1.FreeBSD.org (Postfix) with SMTP id ADD8643D1F
	for <freebsd-security@FreeBSD.org>;
	Fri, 25 Mar 2005 12:49:02 +0000 (GMT)
	(envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 6504 invoked by uid 1001); 25 Mar 2005 12:49:02 -0000
Date: Fri, 25 Mar 2005 07:49:02 -0500
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Oleg Tarasov <subscriber@osk.com.ua>
Message-ID: <20050325124902.GF1856@cowbert.2y.net>
References: <2B21B68AD68D364A8B241C972772CE110A8CB6@ms08.mse3.exchange.ms>
	<1971222958.20050325100948@osk.com.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1971222958.20050325100948@osk.com.ua>
User-Agent: Mutt/1.5.6i
X-Mailman-Approved-At: Fri, 25 Mar 2005 13:56:22 +0000
cc: "Jason L. Schwab" <jlschwab@jlschwab.com>
cc: freebsd-security@FreeBSD.org
Subject: Re: PAM fails to change user password
X-List-Received-Date: Fri, 25 Mar 2005 12:49:03 -0000

On Fri, Mar 25, 2005 at 10:09:48AM +0200, Oleg Tarasov wrote:
> Hello,
> 
> Jason L. Schwab <jlschwab@jlschwab.com> wrote:
> 
> > Tarasov Oleg;
> 
> 
> 
> > (as root)
> > # pwd_mkdb /etc/master.passwd
> 
> > It seems that the actual database file is fine, but the plaintext
> > versions think that they are corrupt, this should solve your issue.
> 
> > Then try changing the user's password, it should be successful.
> 
> > -Jason
> 
> Thanx, that was the problem. Actually I changed master.passwd by hand
> and forgot to use pwd_mkdb. My mistake, a lesson to me. Sorry for
> inconfidence.

You CAN change master.passwd by hand, if you use vipw(8). vipw(8) will sync
the two databases for you.

> 
> 
> 
> -- 
> Best regards,
>  Oleg Tarasov                          mailto:subscriber@osk.com.ua
> 

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
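
Added example, not part of the thread: the two causes raised in the replies
above (more than one master.passwd entry for the same user, and a
master.passwd edited without rerunning pwd_mkdb) can be checked with the sh
functions below. The function names, the sample entries and the use of file
modification times as the staleness test are assumptions of this example;
/etc/spwd.db is the database pwd_mkdb(8) builds from master.passwd.

```shell
#!/bin/sh
# Added example (not code from the thread). Run as root against the real
# files: sh check_mp.sh /etc/master.passwd /etc/spwd.db
# With no arguments it runs against a constructed sample.

# dup_logins FILE: print every login name that has more than one entry.
dup_logins() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        { seen[$1]++ }
        END { for (u in seen) if (seen[u] > 1) print u }
    ' "$1" | sort
}

# bad_lines FILE: print the line number of every entry that does not have
# the 10 colon-separated fields of the master.passwd format
# (name:password:uid:gid:class:change:expire:gecos:home_dir:shell).
bad_lines() {
    awk -F: '/^#/ || /^[ \t]*$/ { next } NF != 10 { print NR }' "$1"
}

# db_is_stale FILE DB: succeed when DB is missing or FILE was modified
# after DB. This is a heuristic: it cannot see an edit whose timestamp
# was later overtaken by a rebuild of some other file's database.
db_is_stale() {
    [ -e "$2" ] || return 0
    [ -n "$(find "$1" -newer "$2" -print)" ]
}

# check_master_passwd FILE DB: report all findings, return 1 if any.
check_master_passwd() {
    cmp_rc=0
    for cmp_u in $(dup_logins "$1"); do
        echo "duplicate login: $cmp_u (keep one entry, edit with vipw)"
        cmp_rc=1
    done
    for cmp_n in $(bad_lines "$1"); do
        echo "line $cmp_n: expected 10 colon-separated fields"
        cmp_rc=1
    done
    if db_is_stale "$1" "$2"; then
        echo "$2 is missing or older than $1 (rebuild with pwd_mkdb)"
        cmp_rc=1
    fi
    return $cmp_rc
}

# make_sample PATH: write a constructed master.passwd-format file with a
# duplicated login (bob) and one short entry (carol, 7 fields).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real account data
root:*:0:0::0:0:Charlie &:/root:/bin/csh
bob:*:1000:1000::0:0:Bob Smith:/home/bob:/bin/sh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1000:1000::0:0:Bob Smith:/home/bob:/bin/tcsh
carol:*:1002:1002:Carol:/home/carol:/bin/sh
EOF
}

# demo: run the checks on the constructed sample in a temporary directory.
demo() {
    demo_dir=$(mktemp -d) || return 1
    make_sample "$demo_dir/master.passwd"
    check_master_passwd "$demo_dir/master.passwd" "$demo_dir/spwd.db" || true
    rm -rf "$demo_dir"
}

if [ "$#" -ge 1 ]; then
    check_master_passwd "$1" "${2:-/etc/spwd.db}"
else
    demo
fi
```
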