From owner-freebsd-security@FreeBSD.ORG Sun Apr 30 09:57:16 2006
Date: Sun, 30 Apr 2006 11:56:58 +0200
From: "Andrej (Andy) Brodnik"
To: Robert Watson
Cc: freebsd-security@freebsd.org, John Pettitt
Message-ID: <20060430095658.GA18736@Svarun.Gotska.IJP.SI>
In-Reply-To: <20060429095912.C63668@fledge.watson.org>
Subject: Re: Looking for tor users experiencing crashes

On Sat, Apr 29, 2006 at 10:00:15AM +0100, Robert Watson wrote:
> On Fri, 28 Apr 2006, John Pettitt wrote:
>
>>> I've had an informal, third or fourth hand report of kernel instability
>>> when running Tor under load on unidentified versions of FreeBSD.
>>> Obviously, this is a bit vague as bug reports go, but I'm interested in
>>> seeing if anyone has had real experience with this happening, and might
>>> be interested in helping to track it down. If there are kernel crashes,
>>> I'm specifically looking for information on what version of FreeBSD is
>>> being used, a panic message / trap message, DDB stack trace, etc. I'm
>>> assuming it's likely a networking related bug, which I'm happy to work on
>>> fixing. If it's not network-related, I can certainly try to track someone
>>> down who could work on it.
>>
>> For what it's worth I had tor running on my 5.3 co-lo box for about 200
>> days without a problem (had to reboot for a kernel reboot after 400+ days
>> of uptime)
>
> This is a useful report -- so far I've had about a half dozen reports of
> absolutely no problems at all on various versions of FreeBSD, and no
> reports of crashes. Maybe this is a false alarm, or maybe it was a bug in
> a specific version of FreeBSD. Or maybe it just requires very special
> circumstances. I'll continue to keep an eye out, and please let me know if
> you run into a problem.

Hm, I have no problem in general as well. Up-time on my 4.6 machine was more
than 200 days (then we had the power shortage) and on my 6.0 machine more
than 100 days, and then the same power shortage problem brought it down.

However, on my 6.0 I recently wanted to install the WLAN card using ndis.
The card I wanted to use was dlink (AIRPLUS driver). The generation of the
driver using ndisgen went through smoothly, but when I wanted to load the
kernel module, the machine simply hung.

Any suggestions/proposals would be really nice to get.

Thanx and LPA (== (Lep pozdrav! Andrej)_{Slovene} == (Best Regards, Andrej)

From owner-freebsd-security@FreeBSD.ORG Sun Apr 30 10:53:42 2006
Date: Sun, 30 Apr 2006 11:53:40 +0100 (BST)
From: Robert Watson
To: "Andrej (Andy) Brodnik"
Cc: freebsd-security@freebsd.org, John Pettitt
Message-ID: <20060430115137.N11416@fledge.watson.org>
In-Reply-To: <20060430095658.GA18736@Svarun.Gotska.IJP.SI>
Subject: Re: Looking for tor users experiencing crashes

On Sun, 30 Apr 2006, Andrej (Andy) Brodnik wrote:

> However, on my 6.0 I recently wanted to install the WLAN card using ndis.
> The card I wanted to use was dlink (AIRPLUS driver). The generation of the
> driver using ndisgen went through smoothly, but when I wanted to load the
> kernel module, the machine simply hung. Any suggestions/proposals would
> be really nice to get.

If you haven't already, and perhaps even if you have, send a report of this
to stable@FreeBSD.org. Normally, the debugging instructions at that point
will be to build a kernel with the debugger and various debugging features,
and see if a more useful failure mode can be found (i.e., drop to the
debugger / break to the debugger rather than hang), which will help track it
down to something more specific. Ideally a bug in FreeBSD and not in the
driver, from your perspective, because getting FreeBSD fixed is probably
easier :-).

Robert N M Watson

From owner-freebsd-security@FreeBSD.ORG Mon May 1 21:42:10 2006
Date: Mon, 1 May 2006 14:42:09 -0700 (PDT)
From: Peter Thoenen
Reply-To: eol1@yahoo.com
To: Robert Watson, "Andrej (Andy) Brodnik"
Cc: freebsd-security@freebsd.org, John Pettitt
Message-ID: <20060501214209.79572.qmail@web51910.mail.yahoo.com>
In-Reply-To: <20060430115137.N11416@fledge.watson.org>
Subject: Re: Looking for tor users experiencing crashes

It's a regression.

See: http://www.freebsd.org/cgi/query-pr.cgi?pr=95180

I am the tor-devel maintainer and not only do I get private emails about
this at least once a week, I am experiencing it myself and also hear about
it on both the OFTC and Freenode tor channels usually every couple days.
Enough folk have brought it up that Arma (lead tor developer) is considering
NOT recommending FBSD 6 as a server platform for tor in server mode.

From owner-freebsd-security@FreeBSD.ORG Mon May 1 22:29:57 2006
Date: Mon, 1 May 2006 23:29:56 +0100 (BST)
From: Robert Watson
To: Peter Thoenen
Cc: freebsd-security@freebsd.org, John Pettitt
Message-ID: <20060501231615.S92256@fledge.watson.org>
In-Reply-To: <20060501214209.79572.qmail@web51910.mail.yahoo.com>
Subject: Re: Looking for tor users experiencing crashes

On Mon, 1 May 2006, Peter Thoenen wrote:

> It's a regression.
>
> See: http://www.freebsd.org/cgi/query-pr.cgi?pr=95180
>
> I am the tor-devel maintainer and not only do I get private emails about
> this at least once a week, I am experiencing it myself and also hear about
> it on both the OFTC and Freenode tor channels usually every couple days.
> Enough folk have brought it up that Arma (lead tor developer) is considering
> NOT recommending FBSD 6 as a server platform for tor in server mode.

It's a pity this wasn't brought to my attention sooner, or there might have
been a chance to work on it for 6.1-RELEASE, especially given that it sounds
like it has been a moderately long-standing problem. The first I heard about
it was a few days ago from someone else at cam.ac.uk, and since then I've
been trying to find information. Among other things, I attempted to contact
you by private e-mail but didn't hear anything back.

Up front, it sounds like we need to do a bit of fact gathering, and if
possible, a bit of simplification of the configuration to try and isolate
the problem. Specifically, it sounds like the software configuration on your
system is complex, and it would help to be able to narrow things down a bit.
For example, you mention pf being configured on the box. A first step would
be if you could include in the PR a copy of the dmesg output of your box (is
it SMP?), as well as the kernel configuration file, rc.conf, loader.conf,
etc.

It also sounds like significant load is involved in triggering the bug. As
someone who hasn't used Tor, and without significant bandwidth resources
available to test it, a bit of quantification of the type of load would be
very helpful. For example, if I were running in your configuration, would I
expect to see 128kbps, 1mbps, 10mbps, 100mbps, 1gbps traffic, etc.? Would it
primarily be via the TCP protocol, or other protocols? Are we talking about
a few very busy connections, or tens of thousands of less busy connections?
Does the system generate much DNS traffic? Is the application a
multi-process application, a multi-threaded application? If you run netstat
and netstat -na at any given moment, how many open sockets might I see?
Could you send me typical output from top -S, netstat -m, systat -vmstat 1?

If hardware resources are available, it would be good to try running with a
simplified configuration, in order to determine that we're not looking at a
more complex feature interaction. For example, if you run on a vanilla
kernel, without pf, etc., compiled in or loaded, does the reboot still
occur, or does it, for example, require that pf also be loaded?

Do you have a serial console attached to the system? When the reboot occurs,
is there any interesting (or even boring) output on the serial console --
for example, warnings about load, fault messages, etc.? If you are using a
serial console but there is no output at all (you immediately see the
beginning of the BIOS or OS boot loader after legitimate looking earlier
console output), that's also extremely useful to know.

Are you currently compiling any debugging features in? Could you try
compiling in INVARIANTS?

FWIW, spontaneous hardware poweroff and reboot can be tricky to track down,
but we can see what we can do. I don't have the resources or setup to run
Tor in server mode, and can't easily arrange for them. As such, I need to
rely on you (or someone else) to work with me in detail to get this sorted
out, so I will be unable to reproduce it directly.

Thanks,

Robert N M Watson

From owner-freebsd-security@FreeBSD.ORG Tue May 2 06:41:39 2006
Date: Mon, 1 May 2006 23:41:36 -0700 (PDT)
From: "R. B. Riddick"
To: Robert Watson, Peter Thoenen
Cc: freebsd-security@freebsd.org, John Pettitt
Message-ID: <20060502064136.52649.qmail@web30309.mail.mud.yahoo.com>
In-Reply-To: <20060501231615.S92256@fledge.watson.org>
Subject: Re: Looking for tor users experiencing crashes

--- Robert Watson wrote:
> It's a pity this wasn't brought to my attention sooner, or there might have
> been a chance to work on it for 6.1-RELEASE, especially given that it sounds
> like it has been a moderately long-standing problem. The first I heard about
>
I can crash FreeBSD R6.0, too... It is more mount/umount and not network
related... Although it looks more like an administrator fault than a kernel
fault... So I did not file a PR when I mentioned it first some weeks ago...

See PR kern/96644 for further details...

-Arne

From owner-freebsd-security@FreeBSD.ORG Tue May 2 13:06:26 2006
Date: Tue, 2 May 2006 14:06:25 +0100 (BST)
From: Robert Watson
To: "R. B. Riddick"
Cc: freebsd-security@freebsd.org, Peter Thoenen, John Pettitt
Message-ID: <20060502140503.O92256@fledge.watson.org>
In-Reply-To: <20060502064136.52649.qmail@web30309.mail.mud.yahoo.com>
Subject: Re: Looking for tor users experiencing crashes

On Mon, 1 May 2006, R. B. Riddick wrote:

> --- Robert Watson wrote:
>> It's a pity this wasn't brought to my attention sooner, or there might have
>> been a chance to work on it for 6.1-RELEASE, especially given that it sounds
>> like it has been a moderately long-standing problem. The first I heard about
>>
> I can crash FreeBSD R6.0, too... It is more mount/umount and not network
> related... Although it looks more like an administrator fault than a kernel
> fault... So I did not file a PR when I mentioned it first some weeks ago...
>
> See PR kern/96644 for further details...

Not really my area of expertise, I'm afraid -- however, there are a number
of mount/unmount related bug fixes in 6.1 having to do with file system race
conditions. You may wish to try a 6.1 RC if you haven't already to see if
they are fixed there.

Robert N M Watson

From owner-freebsd-security@FreeBSD.ORG Wed May 3 13:49:42 2006
Date: Wed, 3 May 2006 15:49:39 +0200
From: Borja Marcos
To: freebsd-security@freebsd.org
Subject: MAC policies and shared hosting

Hello,

I've been looking at the different MAC modules available and how they could
help to implement a less insecure than usual shared hosting web server.

I've not been able to come up with a suitable configuration, looking at
mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with
the following policies could be very useful for such an environment. Have I
missed anything? Has something similar been done?

The module would (roughly) work as follows:

Defining security levels in a similar way to mac_mls or mac_biba, we define
a range of uids as sysctl variables to be used as "compartments". For
example,

mac.mac_uids.lowuid
mac.mac_uids.highid

And it would be implemented so that:

Below a given security level, (mac.mac_uids.enforce_below)

- Any operation of a subject with uid x (between lowuid and highuid) on an
  object with uid y (between lowuid and highuid) would fail.

- A subject with a given security level could not modify an object with a
  higher security level.

This, combined with a chroot tree, would (I think) be much better than the
typical solutions available. The webserver process would be launched as a
low-security subject, and it is assumed that it would make a setuid() before
launching a CGI process.

And perhaps it wouldn't be so hard to modify an existing webserver so that
it changed the uid when serving a page associated with a virtual server,
adding a uid parameter to virtual servers.

What do you think? Ideas?

(This is only a quick and dirty idea)

Borja.
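The following is an added illustration, not code from Borja's post and not a FreeBSD MAC module (a real policy would be a kernel module registering entry points with the MAC framework). It models the two proposed rules as a userland access-decision function so they can be tried against a constructed shared-hosting layout. Assumptions that the post does not state: the proposed sysctls mac.mac_uids.lowuid, mac.mac_uids.highuid (spelled "highid" once above) and mac.mac_uids.enforce_below are modelled as fields of `Policy`; "below a given security level" is taken to mean the subject's level, and both rules apply only there; the compartment rule is read as forbidding access to an object owned by a *different* uid in the range, since a customer uid must still reach its own files; and levels are plain integers, higher = more trusted, as in mac_biba. "allow" means only that this policy raises no objection; ordinary DAC permission checks still apply, because MAC decisions are made in addition to them.

```python
"""Userland model of the uid-compartment MAC policy proposed in the post above.

Added example, not part of the thread and not FreeBSD's MAC framework. The
sysctl names, the reading of "below a given security level" as the subject's
level, and the same-uid exception are assumptions (see the lead-in).
"""
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    READ = "read"
    WRITE = "write"


@dataclass(frozen=True)
class Policy:
    lowuid: int          # mac.mac_uids.lowuid  (names as proposed in the post)
    highuid: int         # mac.mac_uids.highuid (written "highid" once there)
    enforce_below: int   # mac.mac_uids.enforce_below

    def in_range(self, uid: int) -> bool:
        return self.lowuid <= uid <= self.highuid


@dataclass(frozen=True)
class Subject:
    uid: int
    level: int


@dataclass(frozen=True)
class Object:
    uid: int
    level: int


def check(policy: Policy, subj: Subject, obj: Object, op: Op) -> str:
    """Return "allow", "deny:compartment" or "deny:write-up"."""
    if subj.level >= policy.enforce_below:
        return "allow"            # rules are only enforced below this level
    # Rule 1: between two customer uids in [lowuid, highuid], any operation on
    # another customer's object fails, whatever the operation is.
    if (policy.in_range(subj.uid) and policy.in_range(obj.uid)
            and subj.uid != obj.uid):
        return "deny:compartment"
    # Rule 2: a subject may not modify an object at a higher level than its
    # own (Biba's "no write-up"); reading it is not restricted by this rule.
    if op is Op.WRITE and obj.level > subj.level:
        return "deny:write-up"
    return "allow"


def shared_hosting_scenario() -> dict:
    """Constructed layout: customers own uids 1000-1999, the web server runs
    as uid 80 at a low level and setuid()s to the customer before running a
    CGI, system files belong to root at level 10, enforcement below level 10."""
    policy = Policy(lowuid=1000, highuid=1999, enforce_below=10)
    www = Subject(uid=80, level=1)       # web server, low-security subject
    cgi_a = Subject(uid=1001, level=1)   # CGI after setuid() to customer A
    admin = Subject(uid=0, level=10)     # not below enforce_below
    file_a = Object(uid=1001, level=1)   # customer A's document root
    file_b = Object(uid=1002, level=1)   # customer B's document root
    syscfg = Object(uid=0, level=10)     # system configuration
    return {
        "www reads A's file": check(policy, www, file_a, Op.READ),
        "www reads syscfg": check(policy, www, syscfg, Op.READ),
        "www writes syscfg": check(policy, www, syscfg, Op.WRITE),
        "A reads own file": check(policy, cgi_a, file_a, Op.READ),
        "A reads B's file": check(policy, cgi_a, file_b, Op.READ),
        "A writes B's file": check(policy, cgi_a, file_b, Op.WRITE),
        "A writes syscfg": check(policy, cgi_a, syscfg, Op.WRITE),
        "admin writes B's file": check(policy, admin, file_b, Op.WRITE),
    }


if __name__ == "__main__":
    for case, verdict in shared_hosting_scenario().items():
        print(f"{case:24s} -> {verdict}")
```

The scenario makes the gap in the sketch visible: the web server itself (uid 80, outside the compartment range) can read every customer's files, so the isolation only holds once the setuid() to the customer uid has happened, which is why the post ties the idea to per-virtual-server uids.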
From owner-freebsd-security@FreeBSD.ORG Thu May 4 13:36:02 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A248516A400 for ; Thu, 4 May 2006 13:36:02 +0000 (UTC) (envelope-from nospam@mgedv.net) Received: from mgedv.at (mail.mgedv.at [195.3.87.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3496A43D45 for ; Thu, 4 May 2006 13:36:01 +0000 (GMT) (envelope-from nospam@mgedv.net) Received: from metis (localhost [127.0.0.1]) by mgedv.at (SMTPServer) with ESMTP id A710E186864; Thu, 4 May 2006 15:35:50 +0200 (MEST) From: "No@SPAM@mgEDV.net" To: Date: Thu, 4 May 2006 15:36:03 +0200 Message-ID: <000001c66f7f$b148b620$01010101@avalon.lan> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: AcZvf6jiNRp8GRsmRoejAvF62XNQbw== X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Cc: freebsd-security@freebsd.org Subject: RE: Jails and loopback interfaces X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: nospam@mgedv.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 May 2006 13:36:02 -0000 > I recently did something like this. I have a webserver in a jail that > needs to talk to a database, and the webserver is the only thing that > should talk to the databse. > My solution was to use 2 jails: one for the webserver, and another for the > database. > Jail 1: > * runs webserver > * binds to real interface with real, routable IP > Jail 2: > * runs database server > * binds to loopback interface, isn't directly reachable > from outside the box just to clarify that for me: you did setup this layout or you tried to setup this? as i read it, i understand that you did! 
i tried exactly the same but currently jails are bound to the specific ip-address assigned with them so i wonder, how the webserver on a real ip-address can communicate with the database bound to the loopback ip? if you could kindly tell, how you solved this issue (we're using 6.1). From owner-freebsd-security@FreeBSD.ORG Thu May 4 14:15:43 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.ORG Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77FDE16A403 for ; Thu, 4 May 2006 14:15:43 +0000 (UTC) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id A43A443D46 for ; Thu, 4 May 2006 14:15:42 +0000 (GMT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (atmzeb@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.4/8.13.4) with ESMTP id k44EFYDe043029; Thu, 4 May 2006 16:15:39 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.13.4/8.13.1/Submit) id k44EFYKF043028; Thu, 4 May 2006 16:15:34 +0200 (CEST) (envelope-from olli) Date: Thu, 4 May 2006 16:15:34 +0200 (CEST) Message-Id: <200605041415.k44EFYKF043028@lurza.secnetix.de> From: Oliver Fromme To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net In-Reply-To: <000001c66f7f$b148b620$01010101@avalon.lan> X-Newsgroups: list.freebsd-security User-Agent: tin/1.8.0-20051224 ("Ronay") (UNIX) (FreeBSD/4.11-STABLE (i386)) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Thu, 04 May 2006 16:15:39 +0200 (CEST) Cc: Subject: Re: Jails and loopback interfaces X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: 
List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 May 2006 14:15:43 -0000 No@SPAM@mgEDV.net wrote: > > > I recently did something like this. I have a webserver in a jail that > > needs to talk to a database, and the webserver is the only thing that > > should talk to the databse. > > > My solution was to use 2 jails: one for the webserver, and another for the > > > database. > > > Jail 1: > > * runs webserver > > * binds to real interface with real, routable IP > > > Jail 2: > > * runs database server > > * binds to loopback interface, isn't directly reachable > > from outside the box > > just to clarify that for me: you did setup this layout or you > tried to setup this? as i read it, i understand that you did! > > i tried exactly the same but currently jails are bound to the specific > ip-address assigned with them so i wonder, how the webserver on a real > ip-address can communicate with the database bound to the loopback ip? > if you could kindly tell, how you solved this issue (we're using 6.1). In fact, it is a good idea to _always_ bind jails to non- routable loopback IPs. For example: jail 1 (webserver) on 127.0.0.2 jail 2 (database) on 127.0.0.3 If a service needs to be accessible from the outside, you can use IPFW FWD rules to forward packets destined to the real IP to the jail's loopback IP. Of course there's no problem accessing the database from the webserver. Note that you have complete control over who can access what, by using your favourite packet filter (IPFW, IPF, PF). Best regards Oliver -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way. "One of the main causes of the fall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs." 
-- Robert Firth From owner-freebsd-security@FreeBSD.ORG Thu May 4 15:07:12 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.ORG Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C381B16A484 for ; Thu, 4 May 2006 15:07:12 +0000 (UTC) (envelope-from nospam@mgedv.net) Received: from mgedv.at (mail.mgedv.at [195.3.87.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0965943D46 for ; Thu, 4 May 2006 15:07:11 +0000 (GMT) (envelope-from nospam@mgedv.net) Received: from metis (localhost [127.0.0.1]) by mgedv.at (SMTPServer) with ESMTP id D2125186864; Thu, 4 May 2006 17:07:00 +0200 (MEST) From: "No@SPAM@mgEDV.net" To: Date: Thu, 4 May 2006 17:07:15 +0200 Message-ID: <001401c66f8c$6dd0e8b0$01010101@avalon.lan> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: AcZvhTUr30GjDFkITxGWAZgnE7GGqQABlB6w X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 In-Reply-To: <200605041415.k44EFYKF043028@lurza.secnetix.de> Cc: 'Oliver Fromme' Subject: RE: Jails and loopback interfaces X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: nospam@mgedv.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 May 2006 15:07:13 -0000 > In fact, it is a good idea to _always_ bind jails to non- > routable loopback IPs. For example: > jail 1 (webserver) on 127.0.0.2 > jail 2 (database) on 127.0.0.3 > If a service needs to be accessible from the outside, you > can use IPFW FWD rules to forward packets destined to the > real IP to the jail's loopback IP. 
ok, technically i get this, but wouldn't it confuse the daemons and slow down the network connections if i use packet forwarding for each packet let's say a daemon reads from syslog-services and writes to databases? > Of course there's no problem accessing the database from > the webserver. Note that you have complete control over > who can access what, by using your favourite packet filter > (IPFW, IPF, PF). this part i definitely don't get. let's assume this one: 192.168.10.1 = jail ip of the ws 127.0.0.1 = jail ip of the db sending to 127.0.0.1 is not possible on 192.168.134.1 (kernel re-routes it to 192.168.134.1 if man jail is correct) if i setup forwarding rules i'd have to setup something for the real ip's port, no? and, i assumed that the setup mentioned can live without additional firewall rules. i for sure have some "what the hell... how-to" problem with jails, currently ;-) From owner-freebsd-security@FreeBSD.ORG Thu May 4 15:27:49 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.ORG Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A262B16A500 for ; Thu, 4 May 2006 15:27:49 +0000 (UTC) (envelope-from arne_woerner@yahoo.com) Received: from web30304.mail.mud.yahoo.com (web30304.mail.mud.yahoo.com [68.142.200.97]) by mx1.FreeBSD.org (Postfix) with SMTP id 2B37943D49 for ; Thu, 4 May 2006 15:27:49 +0000 (GMT) (envelope-from arne_woerner@yahoo.com) Received: (qmail 7792 invoked by uid 60001); 4 May 2006 15:27:48 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=HJvUvF8D4dSMz0fpHEu4Wygw6yklB71AJG/ww9ZFrXLlCrY+PipPH3zHdvQkogba1EAuBlFrHmsw5/6zl7Xh2r6ZlvzrkKPdxASPc6oXTWFBLCEvDI40sXzfwJiuH8TB4ATI/nHP4P17abgiBXKtM3c9qLxWLRMEasWbxtRnDCg= ; Message-ID: <20060504152748.7790.qmail@web30304.mail.mud.yahoo.com> Received: from 
[213.54.80.130] by web30304.mail.mud.yahoo.com via HTTP; Thu, 04 May 2006 08:27:48 PDT Date: Thu, 4 May 2006 08:27:48 -0700 (PDT) From: "R. B. Riddick" To: nospam@mgedv.net, freebsd-security@FreeBSD.ORG In-Reply-To: <001401c66f8c$6dd0e8b0$01010101@avalon.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: Subject: RE: Jails and loopback interfaces X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 May 2006 15:27:49 -0000 --- "No@SPAM@mgEDV.net" wrote: > this part i definitely don't get. let's assume this one: > > 192.168.10.1 = jail ip of the ws > 127.0.0.1 = jail ip of the db > sending to 127.0.0.1 is not possible on 192.168.134.1 (kernel > re-routes it to 192.168.134.1 if man jail is correct) > if i setup forwarding rules i'd have to setup something for > the real ip's port, no? > What do u mean with "real ip"? I assume u mean, something that does not start with 127... Then u could give ur jails IPs, that start with 10... (e. g. 10.2.2.2) > and, i assumed that the setup mentioned can live without additional > firewall rules. > Isn't the overhead caused by pf or ipfw neglectible? I just did a test with and without ipfw and found, that the minimum ping time without ipfw was 0.987sec and with 1.024sec, which possibly was caused by powerd, which throttled the CPU... I say, maybe u want to do some funny experiments to find it out? -Arne __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
From owner-freebsd-security@FreeBSD.ORG Thu May 4 15:39:30 2006
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net
Date: Thu, 4 May 2006 17:39:18 +0200 (CEST)
Subject: Re: Jails and loopback interfaces
Message-Id: <200605041539.k44FdIpP046875@lurza.secnetix.de>
In-Reply-To: <001401c66f8c$6dd0e8b0$01010101@avalon.lan>
Reply-To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net

No@SPAM@mgEDV.net wrote:
>
> > In fact, it is a good idea to _always_ bind jails to non-
> > routable loopback IPs.
> > For example:
> >
> > jail 1 (webserver) on 127.0.0.2
> > jail 2 (database) on 127.0.0.3
> >
> > If a service needs to be accessible from the outside, you
> > can use IPFW FWD rules to forward packets destined to the
> > real IP to the jail's loopback IP.
>
> ok, technically i get this, but wouldn't it confuse the daemons

No, it doesn't confuse the daemons. Why should it?

> and slow down the network connections if i use packet forwarding
> for each packet let's say a daemon reads from syslog-services
> and writes to databases?

No, the overhead is negligible. The only thing that IPFW FWD does is
to adjust the forwarding path of the packet.

> > Of course there's no problem accessing the database from
> > the webserver. Note that you have complete control over
> > who can access what, by using your favourite packet filter
> > (IPFW, IPF, PF).
>
> this part i definitely don't get. let's assume this one:
>
> 192.168.10.1 = jail ip of the ws
> 127.0.0.1 = jail ip of the db

Don't use those IPs. In particular it's probably not a good idea to
use localhost as a jail IP. Use only loopback IPs (other than
localhost), like the example that I wrote above.

And of course you should use appropriate packetfilter rules to enforce
what kind of access between the jails is allowed. Only allow what you
need.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"... there are two ways of constructing a software design: One way is
to make it so simple that there are _obviously_ no deficiencies and
the other way is to make it so complicated that there are no _obvious_
deficiencies."
        -- C.A.R. Hoare, ACM Turing Award Lecture, 1980

From owner-freebsd-security@FreeBSD.ORG Thu May 4 16:19:30 2006
From: Robert Watson
To: Peter Thoenen
Cc: freebsd-security@freebsd.org, John Pettitt
Date: Thu, 4 May 2006 17:19:22 +0100 (BST)
Subject: Re: Looking for tor users experiencing crashes
Message-ID: <20060504171823.K17611@fledge.watson.org>
In-Reply-To: <20060501231615.S92256@fledge.watson.org>
References: <20060501214209.79572.qmail@web51910.mail.yahoo.com> <20060501231615.S92256@fledge.watson.org>

On Mon, 1 May 2006, Robert Watson wrote:

> On Mon, 1 May 2006, Peter Thoenen wrote:
>
>> It's a regression.
>>
>> See: http://www.freebsd.org/cgi/query-pr.cgi?pr=95180
>>
>> I am the tor-devel maintainer and not only do I get private emails about
>> this at least once a week, I am experiencing it myself and also hear about
>> it on both the OFTC and Freenode tor channels usually every couple days.
>> Enough folk have brought it up that Arma (lead tor developer) is
>> considering NOT recommending FBSD 6 as a server platform for tor in server
>> mode.
>
> It's a pity this wasn't brought to my attention sooner, or there might have
> been a chance to work on it for 6.1-RELEASE, especially given that it sounds
> like it has been a moderately long-standing problem. The first I heard
> about it was a few days ago from someone else at cam.ac.uk, and since then
> I've been trying to find information. Among other things, I attempted to
> contact you by private e-mail but didn't hear anything back.

ping. I'd like to work with you to track this down, but am leaving on travel
on Monday for a week to attend the FreeBSD Developer Summit, BSDCan, etc, in
Ottawa, Canada, so won't be available online much during that period.
Getting some basic information now would be helpful.

Thanks,

Robert N M Watson

> Up front, it sounds like we need to do a bit of fact gathering, and if
> possible, a bit of simplification of the configuration to try and isolate
> the problem.
>
> Specifically, it sounds like the software configuration on your system is
> complex, and it would help to be able to narrow things down a bit. For
> example, you mention pf being configured on the box. A first step would be
> if you could include in the PR a copy of the dmesg output of your box (is it
> SMP?), as well as the kernel configuration file, rc.conf, loader.conf, etc.
>
> It also sounds like significant load is involved in triggering the bug. As
> someone who hasn't used Tor, and without significant bandwidth resources
> available to test it, a bit of quantification of the type of load would be
> very helpful. For example, if I were running in your configuration, would I
> expect to see 128kbps, 1mbps, 10mbps, 100mbps, 1gbps traffic, etc. Would it
> primarily be via the TCP protocol, or other protocols? Are we talking about
> a few very busy connections, or tens of thousands of less busy connections?
> Does the system generate much DNS traffic? Is the application a
> multi-process application, a multi-threaded application? If you run netstat
> and netstat -na at any given moment, how many open sockets might I see?
>
> Could you send me typical output from top -S, netstat -m, systat -vmstat 1?
>
> If hardware resources are available, it would be good to try running with a
> simplified configuration, in order to determine that we're not looking at a
> more complex feature interaction. For example, if you run on a vanilla
> kernel, without pf, etc, compiled in or loaded, does the reboot still occur,
> or does it, for example, require that pf also be loaded?
>
> Do you have a serial console attached to the system? When the reboot occurs,
> is there any interesting (or even boring) output on the serial console -- for
> example, warnings about load, fault messages, etc? If you are using a serial
> console but there is no output at all (you immediately see the beginning of
> the bios or OS boot loader after legitimate looking earlier console output),
> that's also extremely useful to know.
>
> Are you currently compiling any debugging features in? Could you try
> compiling in INVARIANTS? FWIW, spontaneous hardware poweroff and reboot can
> be tricky to track down, but we can see what we can do.
>
> I don't have the resources or setup to run Tor in server mode, and can't
> easily arrange for them. As such, I need to rely on you (or someone else) to
> work with me in detail to get this sorted out, so I will be unable to
> reproduce it directly.
>
> Thanks,
>
> Robert N M Watson
>

From owner-freebsd-security@FreeBSD.ORG Thu May 4 16:28:31 2006
From: Robert Watson
To: Borja Marcos
Cc: freebsd-security@freebsd.org
Date: Thu, 4 May 2006 17:28:24 +0100 (BST)
Subject: Re: MAC policies and shared hosting
Message-ID: <20060504172309.D17611@fledge.watson.org>

On Wed, 3 May 2006, Borja Marcos wrote:

> I've been looking at the different MAC modules available and how they could
> help to implement a less insecure than usual shared hosting web server.

I think this sounds interesting :-). I think the approach you've described
sounds like the right sort of approach -- a hybrid model that allows the web
server to tell the kernel when it's switching to a particular user domain,
taking advantage of existing user credential elements, etc.
I guess what I'd start out by doing is identifying what it is you want to
protect against, and specifically, write a couple of short stories (a few
sentences) describing specific sequences of events you want to protect
against with the policy. It sounds like, in particular, you're looking for
an outcome that could be expressed using mac_bsdextended, but perhaps not
efficiently due to the number of rules it would take to implement.

Part of what you describe sounds like you're thinking of assigning levels to
objects and subjects. I guess I would caution that this adds significant
complexity to a policy, so you might think about whether it's necessary to
protect against the sorts of attacks you're worried about. If you need it,
then it can be done, but if you can avoid it, it may significantly reduce
the complexity.

BTW, you might want to take a look at some of the recent changes made by
David Malone to mac_bsdextended, which allow you to add security rules
involving file systems, so you can say things like "users in group X can't
write to /usr" and the like. It might be you could add a bit more
flexibility to mac_bsdextended to get some of what you're looking for.

Robert N M Watson

>
> I've not been able to come up with a suitable configuration, looking at
> mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with
> the following policies could be very useful for such an environment. Have I
> missed anything? Has something similar been done?
>
> The module would (roughly) work as follows:
>
> Defining security levels in a similar way to mac_mls or mac_biba,
>
> we define a range of uids as sysctl variables to be used as "compartments".
> For example,
>
> mac.mac_uids.lowuid
> mac.mac_uids.highid
>
> And it would be implemented so that:
>
> Below a given security level, (mac.mac_uids.enforce_below)
>
> - Any operation of a subject with uid x (between lowuid and highuid) on an
> object with uid y (between lowuid and highuid) would fail.
>
> - A subject with a given security level could not modify an object with a
> higher security level.
>
> This, combined with a chroot tree would (I think) be much better than the
> typical solutions available. The webserver process would be launched as a
> low-security subject, and it is assumed that it would make a setuid() before
> launching a CGI process. And perhaps it wouldn't be so hard to modify an
> existing webserver so that it changed the uid when serving a page associated
> with a virtual server, adding a uid parameter to virtual servers.
>
> What do you think? Ideas? (This is only a quick and dirty idea)
>
> Borja.

From owner-freebsd-security@FreeBSD.ORG Fri May 5 09:09:32 2006
From: Borja Marcos
To: Robert Watson
Cc: freebsd-security@freebsd.org
Date: Fri, 5 May 2006 11:09:31 +0200
Subject: Re: MAC policies and shared hosting
In-Reply-To: <20060504172309.D17611@fledge.watson.org>
References: <20060504172309.D17611@fledge.watson.org>

> I think the approach you've described sounds like the right sort of
> approach -- a hybrid model that allows the web server to tell the
> kernel when its switching to a particular user domain, taking
> advantage of existing user credential elements, etc. I guess what
> I'd start out by doing is identifying what it is you want to
> protect against, and specifically, write a couple of short stories
> (a few sentences) describing specific sequences of events you want
> to protect against with the policy. It sounds like, in particular,
> you're looking for an outcome that could be expressed using
> mac_bsdextended, but perhaps not efficiently due to the number of
> rules it would take to implement.

The problem is: Is it possible to run a shared web hosting for many
servers (imagine 1000) on FreeBSD with a reasonable security level?

Most of them would be low-traffic websites with a couple of .html
files, some images... And some of them need the ability to run CGIs
and PHP, which creates a real nightmare.

I know there exists the jail mechanism, but it's complex to manage,
and you lose the flexibility of virtual hosts, needing a different IP
address for each hosted server. Moreover, you need a lot of chroot
trees (one for each user).

A hybrid scheme would need to create a single chroot, imagine:

/chroot/
/chroot/etc
/chroot/usr/
....
/chroot/webs/user1
/chroot/webs/user2

but it has an important shortcoming:

1- User directories must be visible in order to be accessible by
unprivileged web server processes. However, it's not desirable to
allow a CGI or PHP script by a given user to access a directory
belonging to another user.
I would like the CGI and PHP scripts to be as flexible as possible,
but without compromising the other users.

I had a look at the different MAC modules, and saw that
mac_bsdextended could be really useful for this. However, it has some
problems:

1- Lack of flexibility to specify general rules.

2- Rule number limitation, I guess because a lot of rules would impose
a serious performance penalty. This could be changed by implementing a
set of orderless rules stored in the form of a sparse matrix, so that
an access from a subject with uid X to an object with uid Y would be
checked in a very short time, instead of looking for a match for each
of the rules.

So, for example, imagine that I want each uid belonging to the set
[10000,20000] unable to act on objects belonging to users in the same
range, I could define something like:

    # deny for uid belonging to [10000,20000] on uid belonging to
    # [10000,20000], being both different
    ugidfw add subject uid 10000-20000 object different uid 10000-20000 mode

    # allow for uid belonging to the interval, on uid belonging to the
    # same interval, being both uids the same
    ugidfw add subject uid 10000-20000 object uid 10000-20000 mode arswxn

I'm testing this approach by a quick'n dirty way. I've got
mac_bsdextended, and doing some trivial changes I've created a new mac
module called mac_isolateduids. It specifies a range of uids
(security.mac.isolateduid.uid_min and
security.mac.isolateduid.uid_max). I've changed the
mac_bsdextended_check so that:

if uid of subject belongs to [uid_min,uid_max] and uid of object
belongs to [uid_min,uid_max], and uid(subject) != uid(object) the
access is always denied.

It's a quick and dirty solution, but it would implement the desired
behavior. I'm right now tinkering with it and will let you know the
results :)

Of course, this policy could be extended, for example, to forbid
execution of setuid/setgid programs, etc. Right now, mine is a simple
experiment (but it could go into actual production).
I think there is a great work in the MAC framework, but security
policies are hard to understand, manage and implement. We should look
for something similar to the Unix model, but more flexible. Perhaps
some rework of the whole bsdextended idea could enhance it.

Regarding the multi-level idea, it would be a second phase. I would
like to be able to contain effectively a possible root escalation from
a poorly written CGI or PHP script. I know, it would be anyway
extremely hard. But if we could launch the web server process with an
additional lower security level inherited by all of its child
processes, we could prevent damage to the system even by a child
process that escalated to root.

I guess I should sit down this weekend and prepare a properly written
paper, but I think the idea is quite clear here :)

The possible practical implementation of this scheme would use Zeus
webserver, which has an option to execute each CGI with the uid of its
owner. Of course, it could be interesting to add some functionality,
for example, to Apache, in order to take advantage of the new security
mechanisms.

Best regards,

Borja.
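As an added illustration (not Borja's mac_isolateduids code, nor anything from the kernel), the following sh script models the isolated-uid check described in the post in userland, with the two sysctl names as shell variables and a constructed table of access attempts from the single-chroot layout, so the decisions of the policy can be tabulated before anything goes into a kernel module:

```sh
#!/bin/sh
# Added example, not the mac_isolateduids module itself: a userland model
# of the access check described in the post. The tunables mirror the
# sysctl names from the post; the values below are constructed.
UID_MIN=10000   # security.mac.isolateduid.uid_min
UID_MAX=20000   # security.mac.isolateduid.uid_max

# in_range UID: true when UID lies in [UID_MIN, UID_MAX].
in_range() {
    [ "$1" -ge "$UID_MIN" ] && [ "$1" -le "$UID_MAX" ]
}

# isolateduid_check SUBJECT_UID OBJECT_UID
# Prints "deny" when both uids are inside the isolated range and differ.
# Prints "allow" otherwise: the policy has no opinion and the decision
# falls through to the ordinary Unix permission bits and any other
# loaded MAC policy, so root-owned system files and the unprivileged
# web server uid are untouched by this module.
isolateduid_check() {
    subj=$1
    obj=$2
    if in_range "$subj" && in_range "$obj" && [ "$subj" -ne "$obj" ]; then
        echo deny
    else
        echo allow
    fi
}

# ATTEMPTS: constructed sample of access attempts in the single-chroot
# layout, one per line as "subject-uid object-uid path". The paths are
# illustrative only; uid 80 stands in for the web server user.
ATTEMPTS='10001 10002 /chroot/webs/user2/index.php
10001 10001 /chroot/webs/user1/index.php
80 10001 /chroot/webs/user1/index.html
10001 0 /chroot/usr/lib/libc.so
20000 10000 /chroot/webs/user0/data.txt
20001 10000 /chroot/webs/user0/data.txt'

# decision_table: one line per sample attempt with the policy's verdict.
decision_table() {
    printf '%s\n' "$ATTEMPTS" | while read -r s o p; do
        printf '%-6s %-6s %-34s %s\n' "$s" "$o" "$p" \
            "$(isolateduid_check "$s" "$o")"
    done
}

# denied_count: how many of the sample attempts the policy would deny.
denied_count() {
    decision_table | grep -c ' deny$'
}

decision_table
```

The table shows the shortcoming the post raises: the web server uid and system files stay reachable because only pairs of uids inside the range are isolated.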
From owner-freebsd-security@FreeBSD.ORG Fri May 5 09:24:34 2006
From: Borja Marcos
To: Borja Marcos
Cc: freebsd-security@freebsd.org, Robert Watson
Date: Fri, 5 May 2006 11:24:34 +0200
Subject: Re: MAC policies and shared hosting
Message-Id: <38D971A6-3942-4115-B2CE-40D6592E1F17@SARENET.ES>
References: <20060504172309.D17611@fledge.watson.org>

> Regarding the multi-level idea, it would be a second phase. I would
> like to be able to contain effectively a possible root escalation
> from a poorly written CGI or PHP script. I know, it would be anyway
> extremely hard. But if we could launch the web server process with
> an additional lower security level inherited by all of its child
> processes, we could prevent damage to the system even by a child
> process that escalated to root.
And I answer myself :) (forgot to add this)

Another desired functionality involves making sure that code injected
into a poorly written PHP or CGI module cannot (for example) establish
unauthorized network connections, listen(), etc. The FreeBSD ipfw has
a lot of potential, but, unfortunately, ftp complicates the
implementation of a simple uid-based limitation. Security levels would
help here as well.

Borja.

From owner-freebsd-security@FreeBSD.ORG Fri May 5 12:21:16 2006
From: Alexander Leidinger
To: Borja Marcos
Cc: freebsd-security@freebsd.org, Robert Watson
Date: Fri, 05 May 2006 14:21:03 +0200
Subject: Re: MAC policies and shared hosting
Message-ID: <20060505142103.8iu70vc9ic0ocgs0@netchild.homeip.net>
References: <20060504172309.D17611@fledge.watson.org>

Quoting Borja Marcos (from Fri, 5 May 2006 11:09:31 +0200):

> The possible practical implementation of this scheme would use Zeus
> webserver, which has an option to execute each CGI with the uid of its
> owner. Of course, it could be interesting to add some functionality,
> for example, to Apache, in order to take advantage of the new security
> mechanisms.

FYI: apache has the suexec wrapper. But it only covers real CGI's, not
apache modules like php, mod_perl, ... or plain html files serving.
For this to work either apache would have to run a httpd process for
every virtual host, or the OS has to provide the possibility to allow
to change the UID of a particular user (here: www) to some other user
(as configured in the virtual host part of the apache config) without
entering a password (maybe via RBAC "allow su from uid www to uid
[1000,2000] nopwd").

Bye,
Alexander.

--
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org         netchild @ FreeBSD.org : PGP ID = 72077137

Intellect annuls Fate. So far as a man thinks, he is free.
                -- Ralph Waldo Emerson

From owner-freebsd-security@FreeBSD.ORG Fri May 5 21:41:20 2006
From: Bigby Findrake
To: freebsd-security@freebsd.org, nospam@mgedv.net
Date: Fri, 5 May 2006 14:41:48 -0700 (PDT)
Subject: Re: Jails and loopback interfaces
Message-ID: <20060505142334.G26390@home.ephemeron.org>
In-Reply-To: <200605041539.k44FdIpP046875@lurza.secnetix.de>
References: <200605041539.k44FdIpP046875@lurza.secnetix.de>

On Thu, 4 May 2006, Oliver Fromme wrote:

> > 192.168.10.1 = jail ip of the ws
> > 127.0.0.1 = jail ip of the db
>
> Don't use those IPs. In particular it's probably not a
> good idea to use localhost as a jail IP. Use only loopback
> IPs (other than localhost), like the example that I wrote
> above.

I agree with Oliver here - there's a difference between using the loopback
adapter and using the localhost (127.0.0.1) IP. I would strongly recommend
against using localhost as a jail IP unless you have a specific reason *to*
do that - in other words, just assign an alias to the loopback adapter and
use that alias for the jail.

One reason that comes to mind immediately in response to the unasked
question, "why not use the loopback address for a jail?" is that using the
loopback address for a jail makes it hard to separate (for use by packet
filters, for instance) host machine traffic from jail machine traffic.

There are probably other good reasons for *not* using the loopback address
for a jail as well, but I can't think of any of them.

> And of course you should use appropriate packetfilter rules to enforce
> what kind of access between the jails is allowed. Only allow what you
> need.

I agree again. If you're using the jail for security, lock it down, only
allow traffic that should be going to (and from!) the jail, and disallow
everything else. Servers tend to accept connections, and not initiate them.
If this is the case for your server processes, use stateful firewall rules
to enforce the direction of connections - for instance, you might want to
allow connections to port 80 on your jail, but you probably wouldn't want
people launching attacks *from* port 80 on your jail once they compromise
your webserver. Assume that your jail will get hacked, and do all you can
to prevent that jail from being a useful staging point for your attacker's
next wave of attacks.

/-------------------------------------------------------------------------/
That's where the money was.
        -- Willie Sutton, on being asked why he robbed a bank

finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/

From owner-freebsd-security@FreeBSD.ORG Sat May 6 11:11:46 2006
From: "No@SPAM@mgEDV.net"
To: freebsd-security@freebsd.org
Date: Sat, 6 May 2006 13:11:39 +0200
Subject: kern.randompid: jot generation senseful?
Message-ID: <000001c670fd$d9169350$01010101@avalon.lan>
Reply-To: nospam@mgedv.net

hi,

is a random pid generation really a security enhancement?
if yes, would it make sense to setup something like:

--> sysctl kern.randompid=`jot -r 1 500 2000`

in cron to be executed every X mins/hrs?

and finally, what are the recommended minimum (security) and maximum
(performance) values for kern.randompid?
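Returning to the jail thread: a concrete version of the layout Oliver and Bigby describe (jails on loopback aliases other than 127.0.0.1, IPFW FWD for the public service, stateful rules that let jails answer but not initiate), added here as an illustration and not taken from any of the posts. The public address, external interface name, jail paths and database port are assumed values; the script only prints the commands so they can be reviewed before being run on a host:

```sh
#!/bin/sh
# Added example, not from any post in this thread: emits the setup for the
# two-jail layout sketched above (webserver jail on 127.0.0.2, database
# jail on 127.0.0.3) plus an IPFW ruleset. Nothing is applied; the output
# is meant to be read, then piped into sh on the host if it is right.
PUBLIC_IP="192.0.2.10"      # constructed public address of the host
PUBLIC_IF="em0"             # assumed external interface name
WS_IP="127.0.0.2"           # webserver jail: a loopback alias, not 127.0.0.1
DB_IP="127.0.0.3"           # database jail
DB_PORT="5432"              # assumed database listener port
JAIL_ROOT="/usr/jail"       # assumed jail directory tree

# jail_setup: loopback aliases and the jail(8) start commands. Aliases
# other than 127.0.0.1 keep jail traffic distinguishable from the host's
# own loopback traffic in the packet filter (the /32 netmask is needed
# because the aliases share 127/8 with the primary address).
jail_setup() {
    printf 'ifconfig lo0 alias %s netmask 255.255.255.255\n' "$WS_IP"
    printf 'ifconfig lo0 alias %s netmask 255.255.255.255\n' "$DB_IP"
    printf 'jail %s/www www.jail %s /bin/sh /etc/rc\n' "$JAIL_ROOT" "$WS_IP"
    printf 'jail %s/db db.jail %s /bin/sh /etc/rc\n' "$JAIL_ROOT" "$DB_IP"
}

# ipfw_rules: ordered ruleset. ipfw walks rules by number, so the stateful
# allow for ws->db must precede the blanket jail-to-jail deny, and the
# deny on outbound "setup" (SYN) packets stops a compromised jail from
# opening new connections while it can still answer existing ones.
# Whatever matches nothing here falls to the kernel's default rule.
ipfw_rules() {
    cat <<EOF
ipfw -q flush
# Public HTTP for the real IP is handed to the socket bound in the web jail.
ipfw add 100 fwd $WS_IP,80 tcp from any to $PUBLIC_IP 80 in via $PUBLIC_IF
# Packets of connections already accepted pass (dynamic state and ACK/RST).
ipfw add 200 check-state
ipfw add 210 allow tcp from any to any established
# Only the web jail may open connections to the database, only to its port.
ipfw add 300 allow tcp from $WS_IP to $DB_IP $DB_PORT setup keep-state
# Everything else between the two jails is dropped.
ipfw add 310 deny ip from $WS_IP to $DB_IP
ipfw add 320 deny ip from $DB_IP to $WS_IP
# The jails accept connections but never initiate them.
ipfw add 400 deny tcp from $WS_IP to any setup
ipfw add 410 deny tcp from $DB_IP to any setup
# Nothing arriving from outside the host reaches the database jail.
ipfw add 500 deny ip from any to $DB_IP in via $PUBLIC_IF
# The host's own loopback traffic (127.0.0.1) is left alone.
ipfw add 600 allow ip from any to any via lo0
EOF
}

# rules_in_order: sanity check that rule numbers strictly increase, since
# a deny numbered below the stateful allow would shadow it.
rules_in_order() {
    ipfw_rules | awk '/^ipfw add/ { n = $3 + 0; if (n <= last) bad = 1; last = n }
                      END { exit bad ? 1 : 0 }'
}

# rule_count: number of "ipfw add" lines in the generated ruleset.
rule_count() {
    ipfw_rules | grep -c '^ipfw add'
}

jail_setup
ipfw_rules
```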
From owner-freebsd-security@FreeBSD.ORG Sat May 6 11:31:14 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4156316A400 for ; Sat, 6 May 2006 11:31:14 +0000 (UTC) (envelope-from nospam@mgedv.net) Received: from mgedv.at (mail.mgedv.at [195.3.87.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id C270243D48 for ; Sat, 6 May 2006 11:31:13 +0000 (GMT) (envelope-from nospam@mgedv.net) Received: from metis (localhost [127.0.0.1]) by mgedv.at (SMTPServer) with ESMTP id EEA4A186864 for ; Sat, 6 May 2006 13:31:01 +0200 (MEST) From: "No@SPAM@mgEDV.net" To: Date: Sat, 6 May 2006 13:31:08 +0200 Message-ID: <000101c67100$91e4fdc0$01010101@avalon.lan> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: AcZwjL+qdKOwUvlTRv6Jir47Oo5tqAAcsmFA X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 In-Reply-To: <20060505142334.G26390@home.ephemeron.org> Subject: RE: Jails and loopback interfaces X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: nospam@mgedv.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 May 2006 11:31:14 -0000 > Bigby Findrake > Sent: Friday, May 05, 2006 11:42 PM > On Thu, 4 May 2006, Oliver Fromme wrote: > > > 192.168.10.1 = jail ip of the ws > > > 127.0.0.1 = jail ip of the db > > > > Don't use those IPs. In particular it's probably not a > > good idea to use localhost as a jail IP. Use only loopback > > IPs (other than localhost), like the example that I wrote > > above. > > I agree with Oliver here - there's a difference between using > the loopback > adapter and using the localhost (127.0.0.1) IP. 
> I would strongly recommend against using localhost as a jail IP
> unless you have a specific reason *to* do that - in other words,
> just assign an alias to the loopback adapter and use that alias
> for the jail.
>
> One reason that comes to mind immediately in response to the
> unasked question, "why not use the loopback address for a jail?"
> is that using the loopback address for a jail makes it hard to
> separate (for use by packet filters, for instance) host machine
> traffic from jail machine traffic.
>
> There are probably other good reasons for *not* using the
> loopback address for a jail as well, but I can't think of any
> of them.
>
> > And of course you should use appropriate packetfilter rules
> > to enforce what kind of access between the jails is allowed.
> > Only allow what you need.
>
> I agree again. If you're using the jail for security, lock it
> down, only allow traffic that should be going to (and from!) the
> jail, and disallow everything else. Servers tend to accept
> connections, and not initiate them. If this is the case for your
> server processes, use stateful firewall rules to enforce the
> direction of connections - for instance, you might want to allow
> connections to port 80 on your jail, but you probably wouldn't
> want people launching attacks *from* port 80 on your jail once
> they compromise your webserver. Assume that your jail will get
> hacked, and do all you can to prevent that jail from being a
> useful staging point for your attacker's next wave of attacks.

well, with your configurations i'm really concerned about the
overlapping configuration of ip addresses on the loopback adapter.
lo0 is originally configured with 127/8, and i'm not sure there's
no chance of confusing something if you add ip's in the same range
(127.0.1.1/32). as far as i read in other posts about overlapping
ip's, it's not recommended (at least by some guys).
what about configuring something like:

ifconfig lo1 plumb
ifconfig lo1 10.10.10.1 netmask 255.255.255.252 up

... and so on for further jails? also, the handling of 127/8 would
be much clearer in the fw, as far as my understanding goes.

to your security concerns about jailed processes that are taken
over by hackers: my primary goal is not protecting the box (yes,
we back them up ,-) ), it's more protecting the data on it. and if
i have very good and tight jails and an attacker is able to e.g.
download all customer data by code injection on the http frontend,
i guess a less tight jail is one of my last problems! and the jail
can be as tight as possible; if there's just one php script that
fails, all the jailing/fw rules don't help, because the
communication between ws<--->db has to work anyway.

From owner-freebsd-security@FreeBSD.ORG Sat May 6 07:15:33 2006
Return-Path:
X-Original-To: freebsd-security@FreeBSD.ORG
Delivered-To: freebsd-security@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6F5B516A402 for ; Sat, 6 May 2006 07:15:33 +0000 (UTC) (envelope-from John.Ryan@genedata.com)
Received: from mail.core.genedata.com (mail.core.genedata.com [157.161.173.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id AE10243D49 for ; Sat, 6 May 2006 07:15:31 +0000 (GMT) (envelope-from John.Ryan@genedata.com)
Received: from relay.core.genedata.com (root@nila-e0.core.genedata.com [172.20.16.64]) (authenticated bits=128) by mail.core.genedata.com (8.13.1/8.13.1) with ESMTP id k467FUxt024476 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Sat, 6 May 2006 09:15:31 +0200
Received: from relay.ch.genedata.com (root@vesuvio-e0.ch.genedata.com [172.20.16.80]) (authenticated bits=128) by relay.core.genedata.com (8.13.1/8.13.1) with ESMTP id k467FUrK031475 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Sat, 6 May 2006 09:15:30 +0200
Received: from [172.20.36.51]
(biosa.ch.genedata.com [172.20.36.51]) by relay.ch.genedata.com (8.13.1/8.13.1) with ESMTP id k467FT4B029728 for ; Sat, 6 May 2006 09:15:30 +0200
Message-ID: <445C4D11.10200@genedata.com>
Date: Sat, 06 May 2006 09:15:29 +0200
From: John Ryan
User-Agent: Thunderbird 1.5 (X11/20051201)
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Filter-Version: 1.15 (nila)
X-Mailman-Approved-At: Sat, 06 May 2006 12:41:27 +0000
Cc:
Subject: IPsec with racoon2
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 06 May 2006 07:15:33 -0000

Hi,

I'm trying to get IPsec running between 2 FreeBSD (VMware) boxes, using
racoon2. spmd and iked start up okay, but I get an error when I try a
ping across the tunnel.

/var/log/messages shows:

May 5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: if_spmd.c:726: SLID failed: 550 Operation failed
May 5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: isakmp.c:647:isakmp_initiate_cont(): 0:172.20.36.55[0] - 172.20.36.52[0]:0x0:can't find selector (index (null))

2006-05-05 13:53:54 [INFO]: main.c:269:main(): starting iked for racoon2 20051102a
2006-05-05 13:53:54 [INFO]: main.c:272:main(): OPENSSLDIR: "/etc/ssl"
2006-05-05 13:53:54 [INFO]: main.c:282:main(): reading config /usr/local/etc/racoon2.conf
2006-05-05 13:53:54 [DEBUG]: ike_conf.c:3247:ike_conf_check_consistency(): checking configuration
2006-05-05 13:53:54 [DEBUG]: if_spmd.c:350: spmd I/F connection ok: 220 F8A......76C2B9
2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3306: spmd_read_password_file([/usr/local/etc/racoon2/spmd.pwd], [cfsetup.c:3376], 1)
2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3351: read 16 bytes
2006-05-05 13:53:54 [DEBUG]: if_spmd.c:413: spmd LOGIN ok: 250 OK
2006-05-05 13:53:54 [INFO]: isakmp.c:339:isakmp_open(): socket 5 bind 172.20.36.55[500]

Here's my network: (Running under vmware on Linux)
The host has 2 network cards and they're functional from vmware.

ifconfig_lnc0="inet 172.20.36.55 netmask 0xfffff800"
ifconfig_lnc1="inet 192.168.4.1 netmask 0xffffff00"

#        _______________________                 _______________________
#       / Ext IP A.B.C.D        \    tunnel     / Ext IP W.X.Y.Z        \
#   ---| Int IP 192.168.1.1/24 |===============| Int IP 192.168.4.1/24 |---
#       \_______________________/               \_______________________/
# For host "A.B.C.D"
# gif_interfaces="gif0"
# gifconfig_gif0="A.B.C.D W.X.Y.Z"
# ifconfig_gif0="inet 192.168.1.1 192.168.4.1 netmask 0xffffffff"
# static_routes="vpn"
# route_vpn="-net 192.168.4.0/24 192.168.4.1"

gif_interfaces="gif0"
gifconfig_gif0="172.20.36.55 172.20.36.52"
ifconfig_gif0="inet 192.168.4.1 192.168.1.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="-net 192.168.1.0/24 192.168.1.1"

Without IPsec running, I can ping the remote interfaces 192.168.[14].1
both ways.

My racoon2.conf looks like:

setval {
	PSKDIR "/usr/local/etc/racoon2/psk";
	CERTDIR "/usr/local/etc/racoon2/cert";
};

# interface info
interface {
	ike {
		MY_IPV4%lnc0;
	};
	spmd {
		unix "/var/run/racoon/spmif";
	};
	spmd_password "/usr/local/etc/racoon2/spmd.pwd";
};

# resolver info
resolver {
	resolver off;
};

#
# default section
#
default {
	remote {
		ikev2 {
			logmode normal;
			kmp_sa_lifetime_time infinite;
			kmp_sa_lifetime_byte infinite;
			max_retry_to_send 3;
			interval_to_send 10 sec;
			times_per_send 1;
			kmp_sa_nego_time_limit 60 sec;
			ipsec_sa_nego_time_limit 40 sec;
			kmp_enc_alg { aes256_cbc; 3des_cbc; };
			kmp_hash_alg { hmac_sha1; hmac_md5; aes_xcbc; };
			kmp_auth_method { dss; };
			kmp_dh_group { 1; 2; 5; 14; 15; };
			random_pad_content on;
			random_padlen on;
			max_padlen 50 bytes;
		};
	};
	policy {
		ipsec_mode tunnel;
		ipsec_level unique;	# Not Yet Implemented, always 'unique'
	};
	ipsec {
		ipsec_sa_lifetime_time infinite;
		ipsec_sa_lifetime_byte infinite;
	};
	sa {
		esp_enc_alg { aes128_cbc; 3des_cbc; };
		esp_auth_alg { hmac_sha1; hmac_md5; };
	};
};

ipsec ipsec_ah_esp {
	ipsec_sa_lifetime_time 28800 sec;
	sa_index { ah_01; esp_01; };
};
ipsec ipsec_esp {
	ipsec_sa_lifetime_time 28800 sec;
	sa_index esp_01;
};
sa ah_01 {
	sa_protocol ah;
	ah_auth_alg { hmac_sha1; hmac_md5; };
};
sa esp_01 {
	sa_protocol esp;
	esp_enc_alg { aes128_cbc; 3des_cbc; };
	esp_auth_alg { hmac_sha1; hmac_md5; };
};

# biosa-vm1.ch.genedata.com
remote biosa-vm1.nowhere.com {
	acceptable_kmp { ikev2; };
	ikev2 {
		my_id fqdn "biosa-vm4.nowhere.com";
		peers_id fqdn "biosa-vm1.nowhere.com";
		peers_ipaddr 172.20.36.52 port 500;
		kmp_enc_alg { aes256_cbc; aes192_cbc; 3des_cbc; };
		kmp_prf_alg { hmac_md5; hmac_sha1; aes128_cbc; };
		kmp_hash_alg { hmac_md5; hmac_sha1; aes_xcbc; };
		kmp_dh_group { 5; };
		kmp_auth_method { psk; };
		pre_shared_key "${PSKDIR}/secret.psk";
	};
	selector_index 42;
};

selector 41 {
	direction outbound;
	src 172.20.36.55;
	dst 172.20.36.52;
	upper_layer_protocol "tcp";
	policy_index TUNNEL;
};
selector 42 {
	direction inbound;
	dst 172.20.36.52;
	src 172.20.36.55;
	upper_layer_protocol "tcp";
	policy_index TUNNEL;
};

policy TUNNEL {
	action auto_ipsec;
	remote_index biosa-vm1.nowhere.com;
	ipsec_mode tunnel;
	ipsec_index { ipsec_esp; };
	ipsec_level unique;
	peers_sa_ipaddr 172.20.36.52;
	my_sa_ipaddr 172.20.36.55;
};

Anyone got any idea what I'm doing wrong?

Thanks in advance
John Ryan
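The lo1 layout proposed in the "Jails and loopback interfaces" thread above, with the stateful rules Bigby describes (world reaches the ws jail on 80, the ws jail reaches the db jail and nothing else), as an added example script. It is not code from the thread, and its values are assumptions: the external interface is em0, the ws jail keeps the 192.168.10.1 from the original post, the db jail moves to 10.10.10.1 on lo1, and the database listens on 3306. On FreeBSD the verb that brings a cloned loopback into existence is `ifconfig lo1 create` (persistently, `cloned_interfaces="lo1"` in rc.conf); `plumb` is the Solaris spelling. Run it with `DRY_RUN=1 sh jailnet.sh preview` to see the commands and the ruleset without touching the system. The rules match on addresses rather than `on lo1` on purpose: which interface pf sees local-to-local packets on is something to confirm with tcpdump on lo0 and lo1 before pinning a rule to an interface, and the same goes for any `set skip on lo0` in an existing pf.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: a cloned loopback for the db jail
# plus a pf ruleset that lets the world reach the ws jail on 80, lets the ws
# jail reach the db jail on one port, and refuses everything a jail initiates.
# Assumed values (override from the environment): em0, 192.168.10.1 (ws),
# 10.10.10.1 (db on lo1), 3306.
EXT_IF=${EXT_IF:-em0}
WS_IP=${WS_IP:-192.168.10.1}
DB_IP=${DB_IP:-10.10.10.1}
DB_PORT=${DB_PORT:-3306}

# run CMD ARGS... -> print the command when DRY_RUN is set, else execute it
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# setup_lo1 -> a second loopback holding only the db jail's /32, so lo0
# keeps 127/8 to itself and host and jail loopback addresses never overlap
setup_lo1() {
    run ifconfig lo1 create
    run ifconfig lo1 inet "$DB_IP" netmask 255.255.255.255
}

# pf_rules -> ruleset on stdout. pf is last-match-wins, so the default deny
# comes first and the two allowed paths use "quick" to settle immediately.
# The host's own traffic on $ext_if is out of scope here and stays blocked.
pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
ws_ip = "$WS_IP"
db_ip = "$DB_IP"

# default deny in both directions, logged
block log all

# the only service reachable from outside: http on the ws jail; the state
# entry lets the replies out without a separate outbound rule
pass in quick on \$ext_if proto tcp from any to \$ws_ip port 80 flags S/SA keep state

# the only connection the ws jail may initiate: the database jail
pass quick proto tcp from \$ws_ip to \$db_ip port $DB_PORT flags S/SA keep state

# anything else a jail tries to start (tool downloads, reverse shells,
# scans from a compromised httpd) is refused and logged separately
block return log quick out from { \$ws_ip, \$db_ip } to any
EOF
}

case ${1:-} in
    preview) DRY_RUN=1; setup_lo1; pf_rules ;;
    apply)   setup_lo1; pf_rules > /etc/pf.conf.jails
             pfctl -nf /etc/pf.conf.jails && pfctl -f /etc/pf.conf.jails ;;
esac
```

The ordering matters: a `block ... quick out from { ws, db }` placed before the pass rules, or a pass rule without `quick` placed before that block, would cut the ws-to-db connection too, since the first `quick` match ends evaluation. `apply` runs `pfctl -nf` before loading so a syntax slip never leaves the box with no ruleset at all.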
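An added example (not from John's post) that models how an IPsec SPD selector is matched, to see which of the posted selectors a given packet would hit. Two things are visible in the config above: both selectors name the outer addresses 172.20.36.55 and 172.20.36.52 with `upper_layer_protocol "tcp"`, while the test traffic is a ping between the gif endpoints 192.168.4.1 and 192.168.1.1, which is ICMP; selector 42 is also marked inbound while carrying the same src and dst as the outbound selector 41. The matcher below applies the generic src/dst/protocol rule only; racoon2's own lookup order and the exact trigger of its "can't find selector" message are not modelled, so the inner-network selector set it tries second is an assumption to test with `setkey -DP` on the real box, not a confirmed fix. The sample packets are constructed, and "ipencap" stands for IP protocol 4, which is what gif wraps the inner packet in before it leaves 172.20.36.55.

```shell
#!/bin/sh
# Added example, not from the post: generic SPD selector matching
# (src prefix, dst prefix, upper-layer protocol) applied to the selectors in
# the racoon2.conf above and to a constructed alternative. Protocol names are
# plain strings; "any" matches every protocol.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR PREFIX -> true if ADDR lies inside PREFIX (A.B.C.D or A.B.C.D/N)
in_cidr() {
    addr=$(ip2int "$1")
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# selector_matches SEL_SRC SEL_DST SEL_PROTO PKT_SRC PKT_DST PKT_PROTO
selector_matches() {
    in_cidr "$4" "$1" && in_cidr "$5" "$2" &&
        { [ "$3" = any ] || [ "$3" = "$6" ]; }
}

# find_selector TABLE PKT_SRC PKT_DST PKT_PROTO -> name of the first matching
# selector in TABLE (one "name src dst proto" per line), or "none"
find_selector() {
    table=$1; psrc=$2; pdst=$3; pproto=$4; hit=none
    oldifs=$IFS; IFS='
'
    for line in $table; do
        IFS=$oldifs
        set -- $line
        if selector_matches "$2" "$3" "$4" "$psrc" "$pdst" "$pproto"; then
            hit=$1; break
        fi
    done
    IFS=$oldifs
    echo "$hit"
}

# The two selectors as posted: outer addresses, tcp only (42 has the same
# src/dst as 41 despite being marked inbound).
POSTED='41 172.20.36.55 172.20.36.52 tcp
42 172.20.36.55 172.20.36.52 tcp'

# A constructed alternative (an assumption, not a confirmed fix): describe the
# inner networks that ride the gif tunnel, for any protocol, one per direction.
INNER='out 192.168.4.0/24 192.168.1.0/24 any
in  192.168.1.0/24 192.168.4.0/24 any'

demo() {
    echo "ping across the tunnel, posted selectors:     $(find_selector "$POSTED" 192.168.4.1 192.168.1.1 icmp)"
    echo "tcp between outer addresses, posted:          $(find_selector "$POSTED" 172.20.36.55 172.20.36.52 tcp)"
    echo "gif-encapsulated packet (ip proto 4), posted: $(find_selector "$POSTED" 172.20.36.55 172.20.36.52 ipencap)"
    echo "ping across the tunnel, inner selectors:      $(find_selector "$INNER" 192.168.4.1 192.168.1.1 icmp)"
}

demo
```

Of the four constructed packets only plain TCP between the outer addresses hits a posted selector; the ping hits nothing under the posted set and hits `out` under the inner set. Whatever selectors end up in the config, `setkey -DP` shows what spmd actually installed in the kernel SPD, which is the thing a ping is matched against.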