From owner-freebsd-security@FreeBSD.ORG Mon May 22 03:55:11 2006
From: Colin Percival
Date: Sun, 21 May 2006 20:55:07 -0700
To: freebsd security, FreeBSD Stable
Message-id: <4471361B.5060208@freebsd.org>
Subject: FreeBSD Security Survey

Dear FreeBSD users and system administrators,

While the FreeBSD Security Team has traditionally been very good at investigating and responding to security issues in FreeBSD, this only solves half of the security problem: Unless users and administrators of FreeBSD systems apply the security patches provided, the advisories issued accomplish little beyond alerting potential attackers to the presence of vulnerabilities.

The Security Team has been concerned for some time by anecdotal reports concerning the number of FreeBSD systems which are not being promptly updated or are running FreeBSD releases which have passed their End of Life dates and are no longer supported. In order to better understand which FreeBSD versions are in use, how people are (or aren't) keeping them updated, and why it seems so many systems are not being updated, I have put together a short survey of 12 questions. The information gathered will inform the work done by the Security Team, as well as my own personal work on FreeBSD this summer.

If you administrate system(s) running FreeBSD (in the broad sense of "are responsible for keeping system(s) secure and up to date"), please visit
http://people.freebsd.org/~cperciva/survey.html
and complete the survey below before May 31st, 2006.

Thanks,
Colin Percival
FreeBSD Security Officer

From owner-freebsd-security@FreeBSD.ORG Mon May 22 09:40:18 2006
From: Marian Hettwer
Date: Mon, 22 May 2006 11:40:16 +0200
To: Scott Long
Cc: freebsd security, FreeBSD Stable, Colin Percival, Brent Casavant
Message-ID: <44718700.2060102@kernel32.de>
In-Reply-To: <44714FBB.4000603@samsco.org>
Subject: Re: FreeBSD Security Survey
Hi there,

Scott Long wrote:
> Brent Casavant wrote:
>
>> While I find ports to be the single most useful feature of the FreeBSD
>> experience, and can't thank contributors enough for the efforts, I on
>> the other hand find updating my installed ports collection (for security
>> reasons or otherwise) to be quite painful. I typically use portupgrade
>> to perform this task. On several occasions I got "bit" by doing a
>> portupgrade which wasn't able to completely upgrade all dependencies
>> (particularly when X, GUI's, and desktops are in the mix -- though I
>> always follow the special Gnome upgrade methods when appropriate).
>>

Like Scott pointed out below, stick with either building from source or using packages. Mixing them may have strange side effects.

To give an example: I usually use portupgrade without using packages. But the last time I needed to update my ports (on a production server, though a private, not a corporate, server), I used portupgrade -P (to use packages if available). It updated php using packages, but unluckily the packages were built against apache13. I'm using apache20, so my php installation was trashed. Argh.

But even more painful is the fact that portupgrade _always_ fails on some perl modules. Usually p5-XML-Parser. I don't know why, but it's annoying...

> ports tree in the process, the end result is a bit more undefined. One
> thing that I wish for is that the ports tree would branch for releases,
> and that those branches would get security updates. I know that this
> would involve an exponentially larger amount of effort from the ports
> team, and I don't fault them for not doing it. Still, it would be nice
> to have.

I have to agree on that statement. I would love to see branched ports. This can get very important on servers, where you don't want to have major upgrades, but only security updates.

I guess it's a question of manpower, hm? Would a survey help? As in ask the ports team and FreeBSD administrators? Maybe some will start to become port maintainers too, just to support the increased work on ports due to branching them... I would :)

best regards,
Marian

From owner-freebsd-security@FreeBSD.ORG Mon May 22 10:15:52 2006
From: Ian G
Organization: http://iang.org/
Date: Mon, 22 May 2006 12:12:47 +0200
To: freebsd security
Message-ID: <44718E9F.7010007@iang.org>
In-Reply-To: <44718700.2060102@kernel32.de>
Subject: Re: FreeBSD Security Survey

My experience is similar to that of others, with one variation - I've never been able to successfully install from packages, and at best have found that halfway through, some port gets dragged in, and I've gradually been sucked into replacing everything with ports.

( Which is fine, for the most part, except on my laptop for X & KDE, it takes something like 1-2 days to compile, and as there is poor ACPI (sp?) support, I have to put a fan over the machine to stop it overheating and triggering the auto-shutdown. )

Installing and upgrading ports tends to have a trickle effect, and I find that all the ports get upgraded, which inevitably results in things breaking. I approach the whole process with trepidation.

Overall - and getting to the point - this means I don't upgrade or install that much. I tend to prefer to re-do the whole lot once every 6 months if I can get away with it, because of the concern about having to spend a few days with the OS stuck in an upgrade cycle. That includes security updates, unfortunately, things which I've never figured out how to do.

(Colin, thanks for the survey! Good to see, and it's really great to be able to throw some experiences around.)

iang

From owner-freebsd-security@FreeBSD.ORG Mon May 22 10:43:49 2006
From: Marian Hettwer
Date: Mon, 22 May 2006 12:43:47 +0200
To: "Ion-Mihai \"IOnut\" Tetcu"
Cc: freebsd security, Scott Long, FreeBSD Stable, Brent Casavant, Colin Percival
Message-ID: <447195E3.4000003@kernel32.de>
In-Reply-To: <20060522133424.3087acfc@it.buh.tecnik93.com>
Subject: Re: FreeBSD Security Survey
Hi Ion,

Ion-Mihai IOnut Tetcu wrote:
>> I have to agree on that statement. I would love to see branched ports.
>> This can get very important on servers, where you don't want to have
>> major upgrades, but only security updates.
>> I guess it's a question of manpower, hm?
>
> With the maintainers/commiters/physical_resources we have now this is
> impossible.

That's what I guessed...

> Take a look at pav@'s PR stats page: http://www.oook.cz/bsd/prstats/
> There are ~1000 new ports PRs per month. The PT Team has managed to
> close about the same number per month (fewer during the freeze, of
> course).
> Currently there are 551 open PRs. 238 in feedback state, etc.

I see...

>> Would a survey help? As in ask the ports team and FreeBSD
>> administrators? Maybe some will start to become port maintainers too,
>> just to support the increased work on ports due to branching them...
>> I would :)
>
> There are ~4300 unmaintained ports. Maybe you could start maintaining
> some of them _now_ ?

I'll have a look into my ports tree. Let me guess, ports which have the maintainer ports@freebsd.org are unmaintained?

regards,
Marian

From owner-freebsd-security@FreeBSD.ORG Mon May 22 10:47:07 2006
From: "Steven Hartland"
Date: Mon, 22 May 2006 11:45:57 +0100
To: "Brent Casavant", "Colin Percival"
Cc: freebsd security, FreeBSD Stable
Message-ID: <009101c67d8c$ee013db0$b3db87d4@multiplay.co.uk>
References: <4471361B.5060208@freebsd.org> <20060521231657.O6063@abigail.angeltread.org>
Subject: Re: FreeBSD Security Survey
Brent Casavant wrote:
> On Sun, 21 May 2006, Colin Percival wrote:
> So, in short, that's why *I* rarely update ports for security reasons.
>
> There are steps that could be taken at the port maintenance level that
> would work well for my particular case, however that's beyond the
> scope of the survey. Thanks for taking the time put the survey
> together, I certainly hope it proves useful.

Perfectly put there Brent. portupgrade is all very powerful but:
* Takes an absolute age to do anything but the simplest updates
* Often fails and needs significant manual fixing

Here it's usually 100 times quicker to just do:

    # pkg_info lists "name-version  comment"; record the full installed
    # names for deletion, and a version-stripped copy for reinstalling,
    # since pkg_add -r fetches the current build from Latest/ only when the
    # name carries no version (a versioned name is looked up in All/, where
    # superseded builds are no longer present)
    pkg_info | awk '{print $1}' > packages.txt
    sed 's/-[^-]*$//' packages.txt > names.txt
    # -f removes a package even if others still depend on it
    xargs pkg_delete -f < packages.txt
    xargs pkg_add -r < names.txt

This at least brings you up to a known good set.

Alternatively I also use something similar but build from ports. The problem with that is often the ports need to be built with custom options to get back to how you started, so unless you were very meticulous in noting down the options to every port on every machine you installed, something often goes wrong :(

One good example of portupgrade "going off on one" is a simple upgrade of mtr: we don't install any X on our machines, so mtr-nox11 is installed. Whenever I've tried portupgrade in the past it's always trolled off and started downloading and building the behemoth that is X; CTRL+C hence always ensues and I forget about upgrading until I really HAVE to.

Steve

================================================
This e.mail is private and confidential between Multiplay (UK) Ltd. and the person or entity to whom it is addressed. In the event of misdirection, the recipient is prohibited from using, copying, printing or otherwise disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission please telephone (023) 8024 3137 or return the E.mail to postmaster@multiplay.co.uk.

From owner-freebsd-security@FreeBSD.ORG Mon May 22 10:48:39 2006
From: Ion-Mihai "IOnut" Tetcu
Date: Mon, 22 May 2006 13:48:37 +0300
To: Marian Hettwer
Cc: Scott Long, FreeBSD Stable, Brent Casavant, freebsd security, Colin Percival
Message-ID: <20060522134837.0b88d705@it.buh.tecnik93.com>
In-Reply-To: <447195E3.4000003@kernel32.de>
Subject: Re: FreeBSD Security Survey
On Mon, 22 May 2006 12:43:47 +0200
Marian Hettwer wrote:

> Hi Ion,
>
> Ion-Mihai IOnut Tetcu wrote:
>
> >> I have to agree on that statement. I would love to see branched ports.
> >> This can get very important on servers, where you don't want to have
> >> major upgrades, but only security updates.
> >> I guess it's a question of manpower, hm?
> >
> > With the maintainers/commiters/physical_resources we have now this is
> > impossible.
> That's what I guessed...

And it's not only an HR lack problem, we would need more hardware for the package building cluster too.

> > Take a look at pav@'s PR stats page: http://www.oook.cz/bsd/prstats/
> > There are ~1000 new ports PRs per month. The PT Team has managed to
> > close about the same number per month (fewer during the freeze, of
> > course).
> > Currently there are 551 open PRs. 238 in feedback state, etc.
> I see...
>
> >> Would a survey help? As in ask the ports team and FreeBSD
> >> administrators? Maybe some will start to become port maintainers too,
> >> just to support the increased work on ports due to branching them...
> >> I would :)

IMO this could work only with some funding from interested companies. Maybe that could be an idea for a survey.

> > There are ~4300 unmaintained ports. Maybe you could start maintaining
> > some of them _now_ ?
> >
> I'll have a look into my ports tree. Let me guess, ports which have
> the maintainer ports@freebsd.org are unmaintained?

Yup.
Just ' cd /usr/ports/ ; make search key=ports@FreeBSD.org '

-- 
IOnut - Un^d^dregistered ;) FreeBSD "user"
"Intellectual Property" is nowhere near as valuable as "Intellect"

BOFH excuse #324:
Your packets were eaten by the terminator

From owner-freebsd-security@FreeBSD.ORG Mon May 22 04:07:01 2006
From: "Brandon S. Allbery KF8NH"
Date: Mon, 22 May 2006 00:06:54 -0400
To: Colin Percival
Cc: freebsd security, FreeBSD Stable
Message-Id: <2DB25B04-BCE6-41D2-9D95-03C58A493E2C@ece.cmu.edu>
In-Reply-To: <4471361B.5060208@freebsd.org>
Subject: Re: FreeBSD Security Survey

On May 21, 2006, at 11:55 , Colin Percival wrote:
> The Security Team has been concerned for some time by anecdotal reports
> concerning the number of FreeBSD systems which are not being promptly
> updated or are running FreeBSD releases which have passed their End of
> Life dates and are no longer supported. In order to better understand
> which FreeBSD versions are in use, how people are (or aren't) keeping
> them updated, and why it seems so many systems are not being updated, I

I have a 6-STABLE box that is not going to be updated to 6.1 any time soon, because my personal mail will have to be offline while I do so --- including nuking and rebuilding all ports because the ports tree has been thrashed by multiple low level updates that affect a large percentage of the tree --- and it's only a 600MHz box so it will be offline for most of a week during that upgrade. And I'm uncertain how downgrading it to 6.0-RELEASE+security patches will complicate things (downgrading via cvsup/buildworld is not a supported option, last I checked). Granted, I probably should have stuck with 6.0-R --- but then, experience has shown me that the more reliable option is to wait a week or two after release and then install -STABLE.

In short: keeping FreeBSD up to date tends to be painful at best.

-- 
brandon s. allbery [linux,solaris,freebsd,perl]          allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats]   allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university     KF8NH

From owner-freebsd-security@FreeBSD.ORG Mon May 22 04:16:44 2006
From: Doug Hardie
Date: Sun, 21 May 2006 21:16:41 -0700
To: Colin Percival
Cc: freebsd security, FreeBSD Stable
Message-Id: <66DF01E1-277C-42EE-896E-1E7F4C2ABDDE@lafn.org>
In-Reply-To: <4471361B.5060208@freebsd.org>
Subject: Re: FreeBSD Security Survey

On May 21, 2006, at 20:55, Colin Percival wrote:
> If you
> administrate system(s) running FreeBSD (in the broad sense of "are
> responsible for keeping system(s) secure and up to date"), please visit
> http://people.freebsd.org/~cperciva/survey.html
> and complete the survey below before May 31st, 2006.

What doesn't fit into the survey very well is that all my servers are production ones and it causes a lot of grief for users when I bring them down. I try to hold updates to once per year because of that. I am currently in the middle of upgrading from 5.3 to 6.0. The easy machines are done but there are still a few that will take considerable on-site time which is not easy to come by.

From owner-freebsd-security@FreeBSD.ORG Mon May 22 04:38:45 2006
From: Brent Casavant
Organization: "Angeltread Software Organization"
Date: Sun, 21 May 2006 23:38:42 -0500 (CDT)
To: Colin Percival
Cc: freebsd security, FreeBSD Stable
Message-ID: <20060521231657.O6063@abigail.angeltread.org>
In-Reply-To: <4471361B.5060208@freebsd.org>
Subject: Re: FreeBSD Security Survey
On Sun, 21 May 2006, Colin Percival wrote:

> In order to better understand
> which FreeBSD versions are in use, how people are (or aren't) keeping
> them updated, and why it seems so many systems are not being updated, I
> have put together a short survey of 12 questions.

I applaud this survey, however question 9 missed an important point, at least to me. I was torn between answering "less than once a month" and "I never update".

While I find ports to be the single most useful feature of the FreeBSD experience, and can't thank contributors enough for the efforts, I on the other hand find updating my installed ports collection (for security reasons or otherwise) to be quite painful. I typically use portupgrade to perform this task. On several occasions I got "bit" by doing a portupgrade which wasn't able to completely upgrade all dependencies (particularly when X, GUI's, and desktops are in the mix -- though I always follow the special Gnome upgrade methods when appropriate).

I can't rule out some form of pilot error, but the end result was pain.

After several instances of unsatisfactory portupgrades (mostly in the 5.2 through early 5.4 timeframe), I adopted the practice of either not upgrading ports at all for the life of a particular installation on a machine (typically about one year), or when necessary by removing *all* ports from the machine, cvsup'ing, and reinstalling. This has served me quite well, particularly considering the minimal threat profile these particular systems face.

So, in short, that's why *I* rarely update ports for security reasons.

There are steps that could be taken at the port maintenance level that would work well for my particular case, however that's beyond the scope of the survey. Thanks for taking the time to put the survey together, I certainly hope it proves useful.

Thank you,
Brent Casavant

From owner-freebsd-security@FreeBSD.ORG Mon May 22 05:44:49 2006
From: Scott Long
Date: Sun, 21 May 2006 23:44:27 -0600
To: Brent Casavant
Cc: freebsd security, FreeBSD Stable, Colin Percival
Message-ID: <44714FBB.4000603@samsco.org>
In-Reply-To: <20060521231657.O6063@abigail.angeltread.org>
Subject: Re: FreeBSD Security Survey
posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 May 2006 05:44:49 -0000 Brent Casavant wrote: > On Sun, 21 May 2006, Colin Percival wrote: > > >>In order to better understand >>which FreeBSD versions are in use, how people are (or aren't) keeping >>them updated, and why it seems so many systems are not being updated, I >>have put together a short survey of 12 questions. > > > I applaud this survey, however question 9 missed an important point, > at least to me. I was torn between answering "less than once a month" > and "I never update". > > While I find ports to be the single most useful feature of the FreeBSD > experience, and can't thank contributors enough for the efforts, I on > the other hand find updating my installed ports collection (for security > reasons or otherwise) to be quite painful. I typically use portupgrade > to perform this task. On several occasions I got "bit" by doing a > portupgrade which wasn't able to completely upgrade all dependencies > (particularly when X, GUI's, and desktops are in the mix -- though I > always follow the special Gnome upgrade methods when appropriate). > > I can't rule out some form of pilot error, but the end result was pain. > > After several instances of unsatisfactory portupgrades (mostly in the > 5.2 through early 5.4 timeframe), I adopted the practice of either not > upgrading ports at all for the life of a particular installation on a > machine (typically about one year), or when necessary by removing *all* > ports from the machine, cvsup'ing, and reinstalling. This has served > me quite well, particularly considering the minimal threat profile these > particularly systems face. > > So, in short, that's why *I* rarely update ports for security reasons. > > There are steps that could be taken at the port maintenance level that > would work well for my particular case, however that's beyond the scope > of the survey. 
> Thanks for taking the time to put the survey together, I certainly hope
> it proves useful.
>
> Thank you,
> Brent Casavant

I share this frustration with you. I was once told that the pain in
upgrading is due largely to a somewhat invisible difference between
installing a pre-compiled package and building+installing a port. In
theory, if you stick to one method or the other, things will stay mostly
consistent. But if you mix them, and particularly if you update the
ports tree in the process, the end result is a bit more undefined. One
thing that I wish for is that the ports tree would branch for releases,
and that those branches would get security updates. I know that this
would involve an exponentially larger amount of effort from the ports
team, and I don't fault them for not doing it. Still, it would be nice
to have.

Scott

From owner-freebsd-security@FreeBSD.ORG Mon May 22 06:49:45 2006
From: Anish Mistry
To: freebsd-stable@freebsd.org
Cc: freebsd security, Scott Long, Colin Percival, Brent Casavant
Date: Mon, 22 May 2006 02:49:34 -0400
Subject: Re: FreeBSD Security Survey
Message-Id: <200605220249.50328.mistry.7@osu.edu>
In-Reply-To: <44714FBB.4000603@samsco.org>

On Monday 22 May 2006 01:44, Scott Long wrote:
> Brent Casavant wrote:
> > On Sun, 21 May 2006, Colin Percival wrote:
> >> In order to better understand which FreeBSD versions are in use, how
> >> people are (or aren't) keeping them updated, and why it seems so many
> >> systems are not being updated, I have put together a short survey of
> >> 12 questions.
> >
> > I applaud this survey, however question 9 missed an important point,
> > at least to me. I was torn between answering "less than once a month"
> > and "I never update".
> >
> > While I find ports to be the single most useful feature of the FreeBSD
> > experience, and can't thank contributors enough for the efforts, I on
> > the other hand find updating my installed ports collection (for
> > security reasons or otherwise) to be quite painful. I typically use
> > portupgrade to perform this task. On several occasions I got "bit" by
> > doing a portupgrade which wasn't able to completely upgrade all
> > dependencies (particularly when X, GUIs, and desktops are in the mix
> > -- though I always follow the special Gnome upgrade methods when
> > appropriate).
> >
> > I can't rule out some form of pilot error, but the end result was pain.
> >
> > After several instances of unsatisfactory portupgrades (mostly in the
> > 5.2 through early 5.4 timeframe), I adopted the practice of either not
> > upgrading ports at all for the life of a particular installation on a
> > machine (typically about one year), or, when necessary, removing *all*
> > ports from the machine, cvsup'ing, and reinstalling. This has served
> > me quite well, particularly considering the minimal threat profile
> > these particular systems face.
> >
> > So, in short, that's why *I* rarely update ports for security reasons.
> >
> > There are steps that could be taken at the port maintenance level that
> > would work well for my particular case, however that's beyond the
> > scope of the survey. Thanks for taking the time to put the survey
> > together, I certainly hope it proves useful.
> >
> > Thank you,
> > Brent Casavant
>
> I share this frustration with you. I was once told that the pain in
> upgrading is due largely to a somewhat invisible difference between
> installing a pre-compiled package and building+installing a port. In
> theory, if you stick to one method or the other, things will stay
> mostly consistent. But if you mix them, and particularly if you update
> the ports tree in the process, the end result is a bit more undefined.
> One thing that I wish for is that the ports tree would branch for
> releases, and that those branches would get security updates. I know
> that this would involve an exponentially larger amount of effort from
> the ports team, and I don't fault them for not doing it. Still, it
> would be nice to have.
More ports seem to be separating out their different versions into
portname20, portname, portname21, etc. This takes out quite a bit of
the updating woes without causing too much overhead for the
maintainers. Since maintaining a security branch for releases would
require too much overhead, it might be nice to have a mechanism to track
the "release version" of the installed software. e.g.

For 6.0 release I installed lang/lua, which is lua-5.0.

Then when I cvsup next time the maintainer has created a lang/lua50
port for the old version and lang/lua is now version 5.1. It would
be nice to have a mapping where I can say "Stay with version 5.0.x"
and when I do a portupgrade it will see that lua-5.0 is installed, so
use lang/lua50 instead of lang/lua.

As a port maintainer, I could probably live with that extra mapping.

Though currently I try to keep a few jails configured on my desktop
that match customers' configurations and perform updates in the jail
first, just to see if there will be any hiccups before actually
performing the updates on a customer's system. I only have 3 basic
configurations that I use so it's not that big of a deal for me.

My biggest gripe about updating the base system is the mergemaster
step, but once mergemaster -U is cut into a release it should fix
that annoyance.

-- 
Anish Mistry

From owner-freebsd-security@FreeBSD.ORG Mon May 22 07:27:23 2006
From: "Constant, Benjamin"
To: 'Colin Percival'
Cc: freebsd security, FreeBSD Stable
Date: Mon, 22 May 2006 09:27:10 +0200
Subject: RE: FreeBSD Security Survey

Hi,

We don't use binary update as we use custom kernels.

We're using portaudit for security flaws in the installed ports, but I
don't think there is any equivalent for the base and kernel? I'm
subscribed to and monitoring the FreeBSD Security Advisories mailing
list, but there is (as far as I know) no easy system like portaudit to
compare your installed base and kernel source tree against security
advisories.
Are there best practices in this area, knowing that all my systems are
not running the same level of patches and none of them are running
anything other than -STABLE?

I'll probably switch from -STABLE to -RELENG in the future (it was not
possible in the beginning as features we were looking for were only in
-STABLE) and apply security fixes, but I think it won't change the
amount of work to perform compared to a non-source-based operating
system.

Regards,
Benjamin Constant

> -----Original Message-----
> From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-
> stable@freebsd.org] On Behalf Of Colin Percival
> Sent: lundi 22 mai 2006 5:55
> To: freebsd security; FreeBSD Stable
> Subject: FreeBSD Security Survey
>
> Dear FreeBSD users and system administrators,
>
> While the FreeBSD Security Team has traditionally been very good at
> investigating and responding to security issues in FreeBSD, this only
> solves half of the security problem: Unless users and administrators
> of FreeBSD systems apply the security patches provided, the advisories
> issued accomplish little beyond alerting potential attackers to the
> presence of vulnerabilities.
>
> The Security Team has been concerned for some time by anecdotal reports
> concerning the number of FreeBSD systems which are not being promptly
> updated or are running FreeBSD releases which have passed their End of
> Life dates and are no longer supported. In order to better understand
> which FreeBSD versions are in use, how people are (or aren't) keeping
> them updated, and why it seems so many systems are not being updated, I
> have put together a short survey of 12 questions. The information gathered
> will inform the work done by the Security Team, as well as my own personal
> work on FreeBSD this summer.
>
> If you administrate system(s) running FreeBSD (in the broad sense of "are
> responsible for keeping system(s) secure and up to date"), please visit
> http://people.freebsd.org/~cperciva/survey.html
> and complete the survey below before May 31st, 2006.
>
> Thanks,
> Colin Percival
> FreeBSD Security Officer

From owner-freebsd-security@FreeBSD.ORG Mon May 22 08:24:12 2006
From: Massimo Lusetti
To: Scott Long
Cc: freebsd security, FreeBSD Stable, Colin Percival, Brent Casavant
Organization: CEDOC - Modena
Date: Mon, 22 May 2006 10:24:06 +0200
Subject: Re: FreeBSD Security Survey
Message-Id: <1148286246.4303.3.camel@massimo.datacode.it>
In-Reply-To: <44714FBB.4000603@samsco.org>

On Sun, 2006-05-21 at 23:44 -0600, Scott Long wrote:
> ports tree in the process, the end result is a bit more undefined. One
> thing that I wish for is that the ports tree would branch for releases,
> and that those branches would get security updates. I know that this
> would involve an exponentially larger amount of effort from the ports
> team, and I don't fault them for not doing it. Still, it would be nice
> to have.

Yes, totally agree. That's the way the OpenBSD ports tree works and it
worked very well for me. That's not to say FreeBSD's didn't, but it takes
a lot more attention, which isn't always a bad thing ;)

-- 
Massimo.run();

From owner-freebsd-security@FreeBSD.ORG Mon May 22 10:34:31 2006
From: Ion-Mihai "IOnut" Tetcu
To: Marian Hettwer
Cc: Scott Long, FreeBSD Stable, Brent Casavant, freebsd security, Colin Percival
Date: Mon, 22 May 2006 13:34:24 +0300
Subject: Re: FreeBSD Security Survey
Message-ID: <20060522133424.3087acfc@it.buh.tecnik93.com>
In-Reply-To: <44718700.2060102@kernel32.de>

On Mon, 22 May 2006 11:40:16 +0200 Marian Hettwer wrote:
> > ports tree in the process, the end result is a bit more undefined. One
> > thing that I wish for is that the ports tree would branch for releases,
> > and that those branches would get security updates. I know that this
> > would involve an exponentially larger amount of effort from the ports
> > team, and I don't fault them for not doing it. Still, it would be nice
> > to have.
>
> I have to agree on that statement. I would love to see branched ports.
> This can get very important on servers, where you don't want to have
> major upgrades, but only security updates.
> I guess it's a question of manpower, hm?

With the maintainers/committers/physical resources we have now this is
impossible. Take a look at pav@'s PR stats page:
http://www.oook.cz/bsd/prstats/

There are ~1000 new ports PRs per month. The PT Team has managed to
close about the same number per month (fewer during the freeze, of
course). Currently there are 551 open PRs, 238 in feedback state, etc.

> Would a survey help? As in ask the ports team and FreeBSD
> administrators? Maybe some will start to become port maintainers too,
> just to support the increased work on ports due to branching them...
> I would :)

There are ~4300 unmaintained ports. Maybe you could start maintaining
some of them _now_?

-- 
IOnut - Un^d^dregistered ;) FreeBSD "user"
"Intellectual Property" is nowhere near as valuable as "Intellect"
BOFH excuse #146: Communications satellite used by the military for star wars

From owner-freebsd-security@FreeBSD.ORG Mon May 22 15:46:56 2006
From: Allen
To: freebsd-security@freebsd.org, FreeBSD Stable
Date: Mon, 22 May 2006 11:49:34 -0400
Subject: Re: FreeBSD Security Survey
Message-ID: <20060522154934.GB16937@HP.hsd1.mi.comcast.net>
In-Reply-To: <2DB25B04-BCE6-41D2-9D95-03C58A493E2C@ece.cmu.edu>
On Mon, May 22, 2006 at 12:06:54AM -0400, Brandon S. Allbery KF8NH wrote:
>
> On May 21, 2006, at 11:55 , Colin Percival wrote:
>
>> The Security Team has been concerned for some time by anecdotal
>> reports concerning the number of FreeBSD systems which are not being
>> promptly updated or are running FreeBSD releases which have passed
>> their End of Life dates and are no longer supported. In order to
>> better understand which FreeBSD versions are in use, how people are
>> (or aren't) keeping them updated, and why it seems so many systems
>> are not being updated, I
>
> I have a 6-STABLE box that is not going to be updated to 6.1 any time
> soon, because my personal mail will have to be offline while I do so
> --- including nuking and rebuilding all ports because the ports tree
> has been thrashed by multiple low level updates that affect a large
> percentage of the tree --- and it's only a 600MHz box so it will be
> offline for most of a week during that upgrade. And I'm uncertain
> how downgrading it to 6.0-RELEASE+security patches will complicate
> things (downgrading via cvsup/buildworld is not a supported option,
> last I checked). Granted, I probably should have stuck with 6.0-R
> --- but then, experience has shown me that the more reliable option
> is to wait a week or two after release and then install -STABLE.
>
> In short: keeping FreeBSD up to date tends to be painful at best.

I'd have to agree. Though it's much better than some systems, it's still
something I'd like to see some improvement on. For example, I understand
the reasons for how FreeBSD does things, I do. However, one thing I'd
love to see is a much better tool for handling updates and upgrades.

I may get reamed for what I'm about to say, but I'm willing to deal with
whatever happens with this: I'd like to see FreeBSD include an approach
to updates in the way Slackware Linux does...

Now before I get 10,000 emails saying I'm stupid or something to that
effect, let me explain: I've been using, supporting and telling people
about FreeBSD for many years. When I got my first computer, I had
installed FreeBSD not long after, and that was coming from Windows 95 /
98 SE.

One thing that always made me mad was when a new security flaw came out.
On my Slackware machines, it was no problem at all, I'd use wget to grab
the patch .tgz file, then do this:

upgradepkg *.tgz

I'd go get coffee or something and come back to all patches being
installed.

I know about portupgrade, and it's a good start, but I think there would
be huge benefit from a tool that allows you to download a tgz file and
do the above to install patches. A lot of Linux-only users I know would
use FreeBSD if the patching system was something more Slackware-like.

And I don't consider it a rip-off to make a system like that because,
well, Slackware is a supporter of BSD. The Slackware Essentials book I
bought has BSD on the back of it and BSD is also listed as a supporter
of Slackware, so I see no moral problem with creating something for
FreeBSD that would allow this.

From what I've seen in portupgrade, you have to use a key... Which is
nice and all, but it defeats the purpose when I've personally seen
someone say "Ugh, you have to do all this just to set up portupgrade?
And you have to recompile the kernel for that Telnet update????"...
Explanations as to why don't work.

I just personally feel there would be a lot more boxes getting patches
installed if you could do it like Slackware, or Linux in general, and
allow for patches that you just install with one command.

RedHat and some other distros use RPM, and they have their own update
tools, but if you wanted you could just download the RPMs and do rpm -U
to update. Slackware I've shown already. It's a good system.

From what I've understood, FreeBSD doesn't usually do binaries.... I
could be wrong here as I'm not positive... But I really think it would
be for the best if there was something added to FreeBSD where you could
just install patches the way you do on Linux.

I mean you wouldn't have to remove the other system that is in use now,
and as I said portupgrade is a good start, however for the people I talk
to it doesn't seem to be enough. I'd love to see something like this
added into FreeBSD where the people who like the updates the way they
are now could keep using that way, and the newcomers and people who
aren't used to it could use the other way.

Like I said, Linux has two ways: you can use an update tool like
Redhat's up2date, or you can download the RPMs yourself. Slackware has
Swaret, slackpkg, and slapt-get, or you can simply download the patches,
which are already .tgz files, and use upgradepkg to install them.

I think the benefits would be great and more people would use it if they
knew that when a new security problem came out in FreeBSD all they had
to do was download a patch and type upgradepkg, or type patch and it
installed like this. And then a front end could be done where you had a
GUI to use for this too. And think of how many new users would be using
it when they knew how easy it was?

I support FreeBSD either way, I buy books, and I buy the CD sets to help
out. And I will continue using it either way, I just would love to see
something like this implemented. As would a lot of others in my area.

I'd do it all myself and release it if I could code well enough to do
something like this, but until I can, I can at least point out a good
idea.

-Allen.
Buying FreeBSD power paks since 4.0

> -- 
> brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
> system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
> electrical and computer engineering, carnegie mellon university KF8NH

From owner-freebsd-security@FreeBSD.ORG Mon May 22 15:14:50 2006
From: "FreeBSD User"
To: freebsd security, FreeBSD Stable
Date: 22 May 2006 15:20:11 -0000
Subject: RE: Re: FreeBSD Security Survey
Message-ID: <20060522152011.10728.qmail@do.sefao.com>

As an administrator, time is always an issue. FreeBSD has proven itself
time and again. Having said that, one "wish" would be to have a
default/built-in security update mechanism.
Since time is always an issue, if the system could by default (without
an admin having to write scripts and/or apps, or manually update) update
itself for both system and installed ports/packages, it likely would
reduce security issues exponentially.

This of course would be a massive project/challenge. Varying system and
kernel configurations alone would make this a huge challenge, not to
mention the potential security implications.

The survey is a great idea. I suggest adding a section for
administrators to add comments and/or "wishes".

Sejo

> Brent Casavant wrote:
>> On Sun, 21 May 2006, Colin Percival wrote:
>>
>>> In order to better understand which FreeBSD versions are in use, how
>>> people are (or aren't) keeping them updated, and why it seems so many
>>> systems are not being updated, I have put together a short survey of
>>> 12 questions.
>>
>> I applaud this survey, however question 9 missed an important point,
>> at least to me. I was torn between answering "less than once a month"
>> and "I never update".
>>
>> While I find ports to be the single most useful feature of the FreeBSD
>> experience, and can't thank contributors enough for the efforts, I on
>> the other hand find updating my installed ports collection (for
>> security reasons or otherwise) to be quite painful. I typically use
>> portupgrade to perform this task. On several occasions I got "bit" by
>> doing a portupgrade which wasn't able to completely upgrade all
>> dependencies (particularly when X, GUIs, and desktops are in the mix
>> -- though I always follow the special Gnome upgrade methods when
>> appropriate).
>>
>> I can't rule out some form of pilot error, but the end result was pain.
>>
>> After several instances of unsatisfactory portupgrades (mostly in the
>> 5.2 through early 5.4 timeframe), I adopted the practice of either not
>> upgrading ports at all for the life of a particular installation on a
>> machine (typically about one year), or, when necessary, removing *all*
>> ports from the machine, cvsup'ing, and reinstalling. This has served
>> me quite well, particularly considering the minimal threat profile
>> these particular systems face.
>>
>> So, in short, that's why *I* rarely update ports for security reasons.
>>
>> There are steps that could be taken at the port maintenance level that
>> would work well for my particular case, however that's beyond the
>> scope of the survey. Thanks for taking the time to put the survey
>> together, I certainly hope it proves useful.
>>
>> Thank you,
>> Brent Casavant
>
> I share this frustration with you. I was once told that the pain in
> upgrading is due largely to a somewhat invisible difference between
> installing a pre-compiled package and building+installing a port. In
> theory, if you stick to one method or the other, things will stay
> mostly consistent. But if you mix them, and particularly if you update
> the ports tree in the process, the end result is a bit more undefined.
> One thing that I wish for is that the ports tree would branch for
> releases, and that those branches would get security updates. I know
> that this would involve an exponentially larger amount of effort from
> the ports team, and I don't fault them for not doing it. Still, it
> would be nice to have.
Scott

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Mon May 22 19:23:54 2006
Date: Tue, 23 May 2006 05:23:50 +1000
From: Peter Jeremy
To: FreeBSD User
Cc: freebsd security, FreeBSD Stable
Message-ID: <20060522192350.GB712@turion.vk2pj.dyndns.org>
In-Reply-To: <20060522152011.10728.qmail@do.sefao.com>
Subject: Re: FreeBSD Security Survey
On Mon, 2006-May-22 15:20:11 -0000, FreeBSD User wrote:
> Since time is always an issue, if the system could by default (without an admin having to write scripts and/or apps, or manually update) update itself for both system and installed ports/packages, it likely would reduce security issues exponentially.

I think it would substantially reduce the reliability and security.

Firstly, automatically installing arbitrary "fixes" on a production system is almost always a bad idea. The release engineering and security teams do regression testing but can't test exactly your system configuration and there's a non-trivial likelihood that installing patch X will break something that your configuration relies on. This can be mitigated by using a test system and rolling out the updates from it, but that negates the whole point.

It's also likely to inconvenience users. Our ITS department take it upon themselves to automatically roll out (wintel) desktop updates. This almost always results in your desktop machine insisting that it needs to be rebooted immediately when you are in the middle of doing something crucial - thus breaking your concentration and potentially losing data (my manager managed to lose 3 man-hours work once). I, for one, would hate it if my FreeBSD boxes started doing the same.

Specific FreeBSD versions aren't maintained forever. An "install it and forget it" philosophy will increase the number of machines that aren't being patched because they are running unmaintained versions of FreeBSD. With the current approach, the sysadmin is aware that particular machines need to be updated to a newer version. If everything is automatic, the sysadmin will probably forget.
Finally, it only takes one security failure in the update process for someone undesirable to "own" all the FreeBSD machines that have been left in this default mode. Despite the best efforts of FreeBSD developers, FreeBSD will always contain bugs and some of them will be security holes. Any automatic update process needs to balance the benefits of reducing the number of unpatched boxes against the risks of the update system being subverted.

-- 
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Mon May 22 19:35:40 2006
Date: Mon, 22 May 2006 15:35:22 -0400
From: Allen
To: freebsd-security@freebsd.org
Message-ID: <20060522153522.1be1c362@hydrocodone.org>
In-Reply-To: <20060522192350.GB712@turion.vk2pj.dyndns.org>
Subject: Re: FreeBSD Security Survey

On Tue, 23 May 2006 05:23:50 +1000 Peter Jeremy wrote:
>
> I think it would substantially reduce the reliability and security.

As opposed to people not installing patches in the first place because it takes too long?

-Allen

From owner-freebsd-security@FreeBSD.ORG Tue May 23 00:02:05 2006
Date: Mon, 22 May 2006 20:01:32 -0400
From: tfotoglidis@netscape.net
To: fbsd@sefao.com, freebsd-security@freebsd.org
Message-Id: <8C84C132EE6302A-D48-D497@mblkn-m10.sysops.aol.com>
In-Reply-To: <20060522152011.10728.qmail@do.sefao.com>
Subject: Re: FreeBSD Security Survey
> As an administrator, time is always an issue. FreeBSD has proven itself time and again. Having said that, one "wish" would be to have a default/built-in security update mechanism.
> Since time is always an issue, if the system could by default (without an admin having to write scripts and/or apps, or manually update) update itself for both system and installed ports/packages, it likely would reduce security issues exponentially.
> This of course would be a massive project/challenge. Varying system and kernel configurations alone would make this a huge challenge, not to mention the potential security implications.

Time is an issue indeed, but I reckon you would have to spend time even if a "default/built-in" mechanism for updates was in place. You would still have to consider new features and do further tweaking of .conf files and yet even write your own apps again to facilitate new needs with the new features.

Might be wrong, but anything "auto-magic" sounds like not a very good idea, saves time probably in the short term, but I'm not sure that's what you want...

thanos
From owner-freebsd-security@FreeBSD.ORG Tue May 23 02:39:45 2006
Date: Tue, 23 May 2006 04:39:38 +0200
From: Clemens Renner
To: Peter Jeremy
Cc: freebsd security
Message-ID: <447275EA.10505@rinux.net>
In-Reply-To: <20060522192350.GB712@turion.vk2pj.dyndns.org>
Subject: Re: FreeBSD Security Survey

> Finally, it only takes one security failure in the update process for someone undesirable to "own" all the FreeBSD machines that have been left in this default mode. Despite the best efforts of FreeBSD developers, FreeBSD will always contain bugs and some of them will be security holes. Any automatic update process needs to balance the benefits of reducing the number of unpatched boxes against the risks of the update system being subverted.

I couldn't agree more. One of the major problems with unattended/automatic updating is that it is hard to filter them. I don't install updates on a system that doesn't _need_ them.

I think that the solution to this problem lies in a reliable and comprehensive notification mechanism for admins that tells them to upgrade once some part (base or ports) of the system is vulnerable to attacks. And as a second part of the solution, I'd like to see handy tools to ease the actual upgrading process for the admin.

The notification mechanism is okay via mailing lists, although that requires an admin to memorize a list of installed packages/ports which can be a pain with lots of boxes to take care of. Personally, I like the way portaudit works, notifying me (via the daily run) of any pending issues. It's a very effective system mainly because it keeps nagging you every day and makes it hard to forget about an issue that still applies.

In a different corner is portupgrade which basically constitutes a highly usable tool but has minor annoyances that really complicate things. For example, when upgrading MySQL -- even with mysql_enable=YES in rc.conf, portupgrade will stop the server but not restart it. Is there any plausible reason for this behaviour? I can't think of any. In fact, I resort to

    # portupgrade mysql-server && /usr/local/etc/rc.d/mysql restart

which is really annoying if a lot of services will be upgraded that aren't automatically restarted. This would be a good thing to take care of.
All in all: FreeBSD is my system of choice for servers, Gentoo for workstations (which is pretty much like a Linux-flavoured FreeBSD). Especially due to the still almost painless way of keeping the system current.

Cheers
Clemens

From owner-freebsd-security@FreeBSD.ORG Tue May 23 02:46:03 2006
Date: Mon, 22 May 2006 21:45:52 -0500
From: "Matthew D. Fuller"
To: Clemens Renner
Cc: freebsd security
Message-ID: <20060523024552.GB5226@over-yonder.net>
In-Reply-To: <447275EA.10505@rinux.net>
Subject: Re: FreeBSD Security Survey

On Tue, May 23, 2006 at 04:39:38AM +0200 I heard the voice of Clemens Renner, and lo! it spake thus:
>
> For example, when upgrading MySQL -- even with mysql_enable=YES in rc.conf, portupgrade will stop the server but not restart it. Is there any plausible reason for this behaviour?

In the interest of correctness, it's not portupgrade that stops it, it's the base system pkg_delete(1). The same thing would happen if you deleted the installed package manually. See the +CONTENTS file for the package:

    @unexec %D/etc/rc.d/mysql-server.sh stop > /dev/null 2>&1 || true

-- 
Matthew Fuller (MF4839)       | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.
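A check that follows from the explanation above: before running portupgrade, scan the package's +CONTENTS for the @unexec lines that pkg_delete(1) will run with "stop", so you know which services to restart afterwards. This is an added example, not code from the thread or from the pkg_install tools; the +CONTENTS text is a constructed sample in which only the mysql-server line mirrors the one quoted above, and example-agent.sh is an invented second service.

```sh
#!/bin/sh
# Added example, not code from the thread: report which rc.d services
# pkg_delete(1) will stop via @unexec when a package is removed (and so
# when portupgrade replaces it), so they can be restarted afterwards.

# Constructed sample +CONTENTS. The mysql-server @unexec line mirrors the
# one quoted in the thread; "example-agent.sh" is an invented second
# service, there to show that every such line is picked up.
SAMPLE_CONTENTS='@name mysql-server-4.1.18
@comment ORIGIN:databases/mysql41-server
@cwd /usr/local
bin/mysqld_safe
@unexec %D/etc/rc.d/mysql-server.sh stop > /dev/null 2>&1 || true
@unexec rmdir %D/var/db/mysql 2>/dev/null || true
@unexec %D/etc/rc.d/example-agent.sh stop'

# stopped_rc_scripts CONTENTS [PREFIX]
# Print, one per line, the rc.d scripts that @unexec runs with "stop",
# with %D expanded to PREFIX (default /usr/local, the usual %D value).
# Other @unexec commands (e.g. the rmdir above) are ignored.
stopped_rc_scripts() {
    contents=$1
    prefix=${2:-/usr/local}
    # A trailing space is appended first so a bare "... stop" at the end
    # of a line matches the same pattern as "... stop > /dev/null".
    printf '%s\n' "$contents" |
        sed -n -e 's/$/ /' \
            -e 's#^@unexec[[:space:]]*\(%D/etc/rc\.d/[^[:space:]]*\)[[:space:]][[:space:]]*stop[[:space:]].*#\1#p' |
        sed -e "s#%D#$prefix#"
}

# restart_commands CONTENTS [PREFIX]
# The commands an admin would append after portupgrade, generalising the
# manual "&& /usr/local/etc/rc.d/mysql restart" from the thread.
restart_commands() {
    stopped_rc_scripts "$1" "$2" | sed -e 's/$/ restart/'
}

# Stand-alone run: list the services that would be stopped and the restarts.
echo "services stopped by pkg_delete:"
stopped_rc_scripts "$SAMPLE_CONTENTS"
echo "restart afterwards with:"
restart_commands "$SAMPLE_CONTENTS"
```

On a real system, feed it the package's +CONTENTS (for example with `stopped_rc_scripts "$(cat /var/db/pkg/<pkgname>/+CONTENTS)"`) before the upgrade, not after, since the file is gone once pkg_delete has run.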
From owner-freebsd-security@FreeBSD.ORG Tue May 23 00:42:11 2006
Date: 23 May 2006 00:47:26 -0000
From: "FreeBSD User"
To: Peter Jeremy
Cc: freebsd security, FreeBSD Stable
Message-ID: <20060523004726.17236.qmail@do.sefao.com>
Subject: RE: Re: FreeBSD Security Survey

Should something like automatic security updates not be a goal? If done correctly, and on a per-stable/version basis, it is "possible" to increase security exponentially.

The responsible administrator will naturally keep on top of all changes and fixes. But just like in the wintel and other *nix worlds, not every administrator updates their servers. Ok, maybe only a few FreeBSD administrators don't update...

What I am trying to suggest is a mechanism that incorporates all security fixes and specified (or installed) ports/packages for a given server, within a per-stable/version basis. Tools that exist already accomplish this, and run by a custom script via cron.
There still would likely be a strong need for an administrator to buildworld, especially for those of us who prefer configuring custom kernels and building (mostly) by source. It is naturally a "wish" that could potentially save a busy administrator some time.

As I said, this of course would be a massive project/challenge. Varying system and kernel configurations alone would make this a huge challenge, not to mention the potential security implications.

Granted, many FreeBSD versions will not be maintained for long periods of time. But are there no outdated versions running now? Is something like this not worth looking at for the future?

Sejo

-------- Original Message --------
From: Peter Jeremy
Sent: Tue 23 May 2006 05:23:50 1000
To: FreeBSD User
Subject: Re: FreeBSD Security Survey

On Mon, 2006-May-22 15:20:11 -0000, FreeBSD User wrote:
> Since time is always an issue, if the system could by default (without an admin having to write scripts and/or apps, or manually update) update itself for both system and installed ports/packages, it likely would reduce security issues exponentially.

I think it would substantially reduce the reliability and security.

Firstly, automatically installing arbitrary "fixes" on a production system is almost always a bad idea. The release engineering and security teams do regression testing but can't test exactly your system configuration and there's a non-trivial likelihood that installing patch X will break something that your configuration relies on. This can be mitigated by using a test system and rolling out the updates from it, but that negates the whole point.

It's also likely to inconvenience users. Our ITS department take it upon themselves to automatically roll out (wintel) desktop updates.
This almost always results in your desktop machine insisting that it needs to be rebooted immediately when you are in the middle of doing something crucial - thus breaking your concentration and potentially losing data (my manager managed to lose 3 man-hours work once). I, for one, would hate it if my FreeBSD boxes started doing the same.

Specific FreeBSD versions aren't maintained forever. An "install it and forget it" philosophy will increase the number of machines that aren't being patched because they are running unmaintained versions of FreeBSD. With the current approach, the sysadmin is aware that particular machines need to be updated to a newer version. If everything is automatic, the sysadmin will probably forget.

Finally, it only takes one security failure in the update process for someone undesirable to "own" all the FreeBSD machines that have been left in this default mode. Despite the best efforts of FreeBSD developers, FreeBSD will always contain bugs and some of them will be security holes. Any automatic update process needs to balance the benefits of reducing the number of unpatched boxes against the risks of the update system being subverted.
-- 
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Tue May 23 09:52:23 2006
Date: Tue, 23 May 2006 11:49:21 +0200
From: Ian G
Organization: http://iang.org/
To: tfotoglidis@netscape.net
Cc: fbsd@sefao.com, freebsd-security@freebsd.org
Message-ID: <4472DAA1.2010904@iang.org>
In-Reply-To: <8C84C132EE6302A-D48-D497@mblkn-m10.sysops.aol.com>
Subject: Re: FreeBSD Security Survey

tfotoglidis@netscape.net wrote:
> Might be wrong, but anything "auto-magic" sounds like not a very good idea, saves time probably in the short term, but I'm not sure that's what you want...

Notwithstanding the dangers, I suspect it is an idea whose time has come - for security as well. It is what happens on the Mac OSX, and I for one am jealous of that feature. (Whether the Mac also introduces other problems in this way is an open question ...)
iang

From owner-freebsd-security@FreeBSD.ORG Tue May 23 09:58:46 2006
Date: Tue, 23 May 2006 11:58:44 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Clemens Renner
Cc: freebsd security
Message-ID: <4472DCD4.60203@quip.cz>
In-Reply-To: <447275EA.10505@rinux.net>
Subject: Re: FreeBSD Security Survey

Clemens Renner wrote:
> In a different corner is portupgrade which basically constitutes a highly usable tool but has minor annoyances that really complicate things. For example, when upgrading MySQL -- even with mysql_enable=YES in rc.conf, portupgrade will stop the server but not restart it. Is there any plausible reason for this behaviour? I can't think of any.
> In fact, I resort to
> # portupgrade mysql-server && /usr/local/etc/rc.d/mysql restart
> which is really annoying if a lot of services will be upgraded that aren't automatically restarted. This would be a good thing to take care of.

If you are using portupgrade, you can use /usr/local/etc/pkgtools.conf

MAKE_ARGS = {
  'databases/mysql41-*' => [
    'WITH_CHARSET=latin2',
    'WITH_XCHARSET=all',
    'WITH_OPENSSL=yes',
    'OVERWRITE_DB=no',
  ],
}

AFTERINSTALL = {
  'databases/mysql41-server' => proc { |origin|
    cmd_enable_rc(origin) + ';' + cmd_restart_rc(origin)
  },
}

You must set it up one time; then you can enjoy it on every upgrade.

Miroslav Lachman

From owner-freebsd-security@FreeBSD.ORG Tue May 23 10:16:34 2006
Date: Tue, 23 May 2006 12:16:28 +0200
From: Clemens Renner
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd security
Message-ID: <4472E0FC.8010209@rinux.net>
In-Reply-To: <4472DCD4.60203@quip.cz>
Subject: Re: FreeBSD Security Survey

> If you are using portupgrade, you can use /usr/local/etc/pkgtools.conf
>
> MAKE_ARGS = {
>   'databases/mysql41-*' => [
>     'WITH_CHARSET=latin2',
>     'WITH_XCHARSET=all',
>     'WITH_OPENSSL=yes',
>     'OVERWRITE_DB=no',
>   ],
> }
>
> AFTERINSTALL = {
>   'databases/mysql41-server' => proc { |origin|
>     cmd_enable_rc(origin) + ';' + cmd_restart_rc(origin)
>   },
> }

Thank you for your helpful comments on this one, but I'd rather like to see some discussion about the other part of my message. It's also getting off-topic now. And it really helps my point because this behaviour along with its workaround is not what I would call user-friendly.
Clemens

From owner-freebsd-security@FreeBSD.ORG Tue May 23 15:38:09 2006
Date: Tue, 23 May 2006 17:35:18 +0200
From: Zoran Kolic
To: freebsd-security@freebsd.org
Message-ID: <20060523153518.GA828@faust.net>
Subject: torrent

I'd like to know if someone has a link to a tutorial for managing ipfw for torrent usage. Client side, for a start.
Best regards

Zoran

From owner-freebsd-security@FreeBSD.ORG Tue May 23 15:53:01 2006
Date: Tue, 23 May 2006 08:53:00 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
Message-ID: <20060523083944.H96736@eboyr.pbz>
In-Reply-To: <20060523120100.37D2B16A54F@hub.freebsd.org>
Subject: Re: FreeBSD Security Survey

Peter Jeremy wrote:
> One of the major problems with unattended/automatic updating is that it is hard to filter them.

It's hard to make a good case for automatic updates when manual updates are so easy. The main area this could be improved on would be in a daily report, emailed to root, detailing which installed ports are out of date. We do this with a shell script.

One issue with identifying out-of-date installed ports is the port-version number. We usually ignore port-version-only updates because it's difficult to tell what was changed and few changes aren't detailed in /usr/ports/UPDATING.

Another issue has to do with policy regarding -release, -rc, -alpha versioning.
Too many ports maintainers think nothing of using -pre-release versions that are usually not appropriate on -release systems. All that said FreeBSD's ports are still the reference implementation, head-and-shoulders better than up2date, yum, rpm, apt-get, or anything else out there. -- Roger Marquis Roble Systems Consulting http://www.roble.com/ From owner-freebsd-security@FreeBSD.ORG Tue May 23 16:00:57 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 022BA16A640 for ; Tue, 23 May 2006 16:00:57 +0000 (UTC) (envelope-from yann@raven.kierun.org) Received: from raven.kierun.org (raven.yorksj.ac.uk [193.61.234.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id BADE543D6D for ; Tue, 23 May 2006 16:00:48 +0000 (GMT) (envelope-from yann@raven.kierun.org) Received: from yann by raven.kierun.org with local (Exim 4.62 (FreeBSD)) (envelope-from ) id 1FiZJT-000KSl-5u for freebsd-security@freebsd.org; Tue, 23 May 2006 17:00:51 +0100 Date: Tue, 23 May 2006 17:00:51 +0100 From: Yann Golanski To: freebsd-security@freebsd.org Message-ID: <20060523160051.GA78620@kierun.org> References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ew6BAiZeqk4r7MaW" Content-Disposition: inline In-Reply-To: <20060523083944.H96736@eboyr.pbz> User-Agent: Mutt/1.5.11 Sender: "Yann Golanski, University of York, +44(0)1904-433088" Subject: Re: FreeBSD Security Survey X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 May 2006 16:01:21 -0000 --ew6BAiZeqk4r7MaW Content-Type: text/plain; charset=us-ascii 
Quoth Roger Marquis on Tue, May 23, 2006 at 08:53:00 -0700
> Peter Jeremy wrote:
> >One of the major problems with unattended/automatic updating is
> >that it is hard to filter them.
> It's hard to make a good case for automatic updates when manual
> updates are so easy.

So, here is a question: I have three machines, all on different hardware but with the same version of FreeBSD that are updated manually. Now, how about I get a dozen machines... How do I do that in a reasonable amount of time?

--
yann@kierun.org -=*=- www.kierun.org
PGP: 009D 7287 C4A7 FD4F 1680 06E4 F751 7006 9DE2 6318

From owner-freebsd-security@FreeBSD.ORG Tue May 23 19:03:32 2006
Date: Wed, 24 May 2006 05:03:27 +1000
From: Peter Jeremy
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Message-ID: <20060523190327.GE769@turion.vk2pj.dyndns.org>
In-Reply-To: <20060523083944.H96736@eboyr.pbz>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
Subject: Re: FreeBSD Security Survey

On Tue, 2006-May-23 08:53:00 -0700, Roger Marquis wrote:
>Peter Jeremy wrote:
>>One of the major problems with unattended/automatic updating is
>>that it is hard to filter them.

Actually, I didn't.

--
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Tue May 23 20:10:30 2006
Date: Tue, 23 May 2006 16:10:08 -0400
From: Mark Thomas
To: freebsd-security@freebsd.org
Message-Id: <6.1.2.0.2.20060523154530.03eb5d50@mail.pbegames.com>
Subject: ipsec-tools to Windows ISA 2004

Good day,

Has anyone managed to successfully create a site-to-site IPSec tunnel between BSD with ipsec-tools and Windows ISA 2004? We're trying to get this up and running locally on a test network and not having much success. The tunnel between the two sites comes up, and traffic from BSD private to ISA private seems to be flowing, but return traffic appears to be flowing from the ISA private side to the BSD public address. I was just curious if anyone has done any work getting these two talking so I can not reinvent the wheel.
Thanks,

Mark Thomas - thomas@pbegames.com
http://www.pbegames.com/~thomas

From owner-freebsd-security@FreeBSD.ORG Tue May 23 21:04:36 2006
Date: Tue, 23 May 2006 23:03:59 +0200
From: Eirik Øverby
To: freebsd-security@freebsd.org
Message-Id: <626F25E3-D4B6-4EEB-9361-DC70D49CFAA4@anduin.net>
Subject: HSM devices and FreeBSD

Hello all,

first, if this is disallowed by the rules for this list (I'm a bit uncertain..), then please forgive me.

I am working for a company doing services for the credit card industry. Among other things, we specialize in authentication systems (3-D Secure) for internet-based trade, and are subject to very strict security requirements (obviously).

The relevant systems are all running on FreeBSD, and so far we have had little or no problems passing all the requirements, save for one thing: HSM devices.

When the system was originally set up about 4 years ago, an agreement was made with Thales e-Security, Inc. that they should deliver a FreeBSD version of their pkcs#11 libraries and OpenSSL engine implementation for their WebSentry devices. This was indeed done, but there has been no support or updates since, and the software vendor we are using has since started moving to other ways of interacting with their supported HSMs - meaning that we are slowly being left in the dust.

I am therefore researching other possible vendors of HSM devices. They need to be external and network-attached (i.e. no kernel mode drivers necessary), and they need to fulfill certain requirements, first and foremost the FIPS 140-1 levels 2 and (for some applications) 3. In addition, the software APIs supplied should include a pkcs#11 library, an openssl engine implementation, and a Java implementation (possibly using JNI for the communications, ref. the pkcs#11 library).

Does anyone know of any such products that have any sort of FreeBSD support at all? Please note that these are not simply crypto accelerators; they also store keys etc. securely.

With best regards,
Eirik Øverby
Unicore AS
Oslo, Norway

From owner-freebsd-security@FreeBSD.ORG Wed May 24 08:33:11 2006
Date: Wed, 24 May 2006 10:33:07 +0200
From: Marian Hettwer
To: Yann Golanski
Cc: freebsd-security@freebsd.org
Message-ID: <44741A43.40302@kernel32.de>
In-Reply-To: <20060523160051.GA78620@kierun.org>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz> <20060523160051.GA78620@kierun.org>
Subject: Re: FreeBSD Security Survey
Hej Yann,

Yann Golanski wrote:
> Quoth Roger Marquis on Tue, May 23, 2006 at 08:53:00 -0700
>
>>Peter Jeremy wrote:
>>
>>>One of the major problems with unattended/automatic updating is
>>>that it is hard to filter them.
>>
>>It's hard to make a good case for automatic updates when manual
>>updates are so easy.
>
>
> So, here is a question: I have three machines, all on different hardware
> but with the same version of FreeBSD that are updated manually. Now,
> how about I get a dozen machines... How do I do that in a reasonable
> amount of time?

You get yourself a build machine.
Say you have 10 amd64 machines and 10 intel boxes, well, then you'll need one amd64 machine and one intel machine.
Set up jails on this build host. Each jail having the specific make.conf and stuff configuration you like.
Let's say
intel machine:
jail-1 --> for your MySQL machines
jail-2 --> for your Apaches
jail-3 --> for your mailservers

go to each jail and build yourself some packages (make package). Then use those packages to install them on your production machines.
You may want to abuse these jails to do some testing whether the packages are okay too...

It really depends on how many machines you have, on how many different tasks they have and on which architectures you're running.

The answer is: build host + jails for a testing environment...
This'll reduce your actual downtime.

regards,
Marian

From owner-freebsd-security@FreeBSD.ORG Wed May 24 09:33:43 2006
Date: Wed, 24 May 2006 10:33:32 +0100
From: "Constantine A. Murenin"
To: "Roger Marquis"
Cc: freebsd-security@freebsd.org
In-Reply-To: <20060523083944.H96736@eboyr.pbz>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz>
Subject: Re: FreeBSD Security Survey

On 23/05/06, Roger Marquis wrote:
> All that said FreeBSD's ports are still the reference
> implementation, head-and-shoulders better than up2date, yum, rpm,
> apt-get, or anything else out there.

I guess you haven't looked at OpenBSD's branch of FreeBSD's pkg_add(1), where they've added some cool support for automatic port updating, which seems to work quite well:

http://www.openbsd.org/faq/faq15.html#PkgUpdate
http://www.openbsd.org/papers/ven05-espie/

Cheers,
Constantine.
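Both the daily "which installed ports are out of date" report that Roger Marquis describes earlier in this thread and the automatic updating Constantine points at start from the same step: comparing each installed package version against the version the index offers. The script below is an added example, not code from this thread and not Roger's script. It assumes a reduced model of FreeBSD package version strings (an epoch after a comma, then dotted version components, then a PORTREVISION after an underscore) and runs on constructed sample data; a real run would feed it pkg_info(1) output and the ports INDEX, and pkg_version(1) applies fuller rules (alpha and patch-level suffixes) than this model.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not Roger Marquis's script):
# a minimal out-of-date-ports report.  Reduced version model: epoch, then
# dotted version components, then PORTREVISION.  All input is constructed.

# awk library shared by both entry points below.
# splitpkg("name-ver[_rev][,epoch]", out) fills out["name"], out["ver"],
# out["rev"], out["epoch"]; pkgcmp(a, b) returns -1 / 0 / 1.
PKGCMP_AWK='
function splitpkg(p, out,   v) {
    out["name"] = p; sub(/-[^-]*$/, "", out["name"])   # strip "-version"
    v = p; sub(/^.*-/, "", v)                          # keep version only
    out["epoch"] = 0
    if (v ~ /,/) { out["epoch"] = v; sub(/^.*,/, "", out["epoch"]); sub(/,.*$/, "", v) }
    out["rev"] = 0
    if (v ~ /_/) { out["rev"] = v; sub(/^.*_/, "", out["rev"]); sub(/_.*$/, "", v) }
    out["ver"] = v
}
function vercmp(a, b,   pa, pb, na, nb, n, i, x, y) {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
        x = (i <= na) ? pa[i] : "0"; y = (i <= nb) ? pb[i] : "0"
        # numeric components compare as numbers (1.10 > 1.9), others as strings
        if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
        if (x < y) return -1
        if (x > y) return 1
    }
    return 0
}
function pkgcmp(a, b,   pa, pb, r) {
    splitpkg(a, pa); splitpkg(b, pb)
    if (pa["epoch"] + 0 != pb["epoch"] + 0) return (pa["epoch"] + 0 < pb["epoch"] + 0) ? -1 : 1
    r = vercmp(pa["ver"], pb["ver"]); if (r != 0) return r
    if (pa["rev"] + 0 != pb["rev"] + 0) return (pa["rev"] + 0 < pb["rev"] + 0) ? -1 : 1
    return 0
}
'

# pkgcmp NAME-VER NAME-VER: prints -1 if the first is older, 0 if equal, 1 if newer.
pkgcmp() {
    awk -v a="$1" -v b="$2" "$PKGCMP_AWK"'BEGIN { print pkgcmp(a, b) }'
}

# report_outdated INSTALLED INDEX
#   INSTALLED: one "name-version" per line (what pkg_info(1) lists)
#   INDEX:     "name-version|origin" lines (first two fields of a ports INDEX)
# Prints one line per installed package that is older than the index entry,
# or that the index no longer carries at all.
report_outdated() {
    awk -F'|' "$PKGCMP_AWK"'
    FNR == NR { splitpkg($1, p); latest[p["name"]] = $1; origin[p["name"]] = $2; next }
    {
        splitpkg($1, p)
        if (!(p["name"] in latest)) { print p["name"] " " $1 " -> not in index"; next }
        if (pkgcmp($1, latest[p["name"]]) < 0)
            print p["name"] " " $1 " -> " latest[p["name"]] " (" origin[p["name"]] ")"
    }' "$2" "$1"
}

# Constructed sample input: not a real system's package list or real INDEX data.
write_samples() {
    cat > "$1" <<'EOF'
apache-2.0.58
mysql-server-5.0.21
openssl-0.9.8b
perl-5.8.8
sudo-1.6.8.12_1
tcl-8.4.13,1
EOF
    cat > "$2" <<'EOF'
apache-2.0.58|www/apache20
mysql-server-5.0.22|databases/mysql50-server
openssl-0.9.8b_1|security/openssl
perl-5.8.8|lang/perl5.8
sudo-1.6.8.12_2|security/sudo
tcl-8.4.13,1|lang/tcl84
EOF
}

# Report driver: write the samples, print the three out-of-date entries.
main() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp/installed" "$tmp/index"
    report_outdated "$tmp/installed" "$tmp/index"
    rm -rf "$tmp"
}

main
```

Run from a daily cron job with the output mailed to root, this is the shape of the report Roger describes; the "not in index" line is the case worth reading first, since a port dropped from the tree will never be flagged as merely outdated. On a production system `pkg_version -vL=` gives the same list with the full version rules.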
From owner-freebsd-security@FreeBSD.ORG Wed May 24 10:09:21 2006
Date: Wed, 24 May 2006 22:09:18 +1200 (NZST)
From: Andrew McNaughton
To: "Constantine A. Murenin"
Cc: freebsd-security@freebsd.org, Roger Marquis
Message-ID: <20060524220703.K62075@a2.scoop.co.nz>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz>
Subject: Re: FreeBSD Security Survey

On Wed, 24 May 2006, Constantine A. Murenin wrote:
> On 23/05/06, Roger Marquis wrote:
>> All that said FreeBSD's ports are still the reference
>> implementation, head-and-shoulders better than up2date, yum, rpm,
>> apt-get, or anything else out there.
>
> I guess you haven't looked at OpenBSD's branch of FreeBSD's
> pkg_add(1), where they've added some cool support for automatic port
> updating, which seems to work quite well:
>
> http://www.openbsd.org/faq/faq15.html#PkgUpdate
> http://www.openbsd.org/papers/ven05-espie/

Come to that, gentoo's emerge system is pretty good, having learnt a lot from FreeBSD's ports system, and then gone a few steps further.

Andrew

-------------------------------------------------------------------
Andrew McNaughton
http://www.scoop.co.nz/
andrew@scoop.co.nz
Mobile: +61 422 753 792
pgp keyid: 1C7A8CFD

--
"We are trying to figure out how you conduct a war against something other than a nation-state and how ... you conduct a war in countries that you are not at war with," -- Donald Rumsfeld, 27 Jan 2006

From owner-freebsd-security@FreeBSD.ORG Wed May 24 10:20:13 2006
Date: Wed, 24 May 2006 11:20:08 +0100
From: Craig Edwards
Organization: Crypt Software
To: Andrew McNaughton, freebsd-security@freebsd.org
Reply-To: brain@winbot.co.uk
Message-ID: <44743358.2020304@winbot.co.uk>
In-Reply-To: <20060524220703.K62075@a2.scoop.co.nz>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz> <20060524220703.K62075@a2.scoop.co.nz>
Subject: Re: FreeBSD Security Survey

> Come to that, gentoo's emerge system is pretty good, having learnt a lot
> from FreeBSD's ports system, and then gone a few steps further.
>
> Andrew
>

I agree, however, I do not like the gentoo dependency upon python for its package management system. It has not broken on me yet, however I can imagine if it does it would be a nightmare to fix, as python is not a trivial program. If FreeBSD ever were to attempt an emerge-like system, it would be convenient imho (although probably less maintainable?) to have it done in something smaller and easier to manage (and easier to repair when broken?) such as perl or shellscript.
Craig

--
"Better to reign in Hell than to serve in Heaven" -- Milton

From owner-freebsd-security@FreeBSD.ORG Wed May 24 11:31:19 2006
Date: Wed, 24 May 2006 23:31:17 +1200 (NZST)
From: Andrew McNaughton
To: Craig Edwards
Cc: freebsd-security@freebsd.org
Message-ID: <20060524232827.J62075@a2.scoop.co.nz>
In-Reply-To: <44743358.2020304@winbot.co.uk>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz> <20060524220703.K62075@a2.scoop.co.nz> <44743358.2020304@winbot.co.uk>
Subject: Re: FreeBSD Security Survey

On Wed, 24 May 2006, Craig Edwards wrote:
>> Come to that, gentoo's emerge system is pretty good, having learnt a lot
>> from FreeBSD's ports system, and then gone a few steps further.
>>
>> Andrew
>>
>
> I agree, however, I do not like the gentoo dependency upon python for its
> package management system. It has not broken on me yet, however I can imagine
> if it does it would be a nightmare to fix, as python is not a trivial
> program. If FreeBSD ever were to attempt an emerge-like system, it would be
> convenient imho (although probably less maintainable?) to have it done in
> something smaller and easier to manage (and easier to repair when broken?) such
> as perl or shellscript.

I'm a fan of perl myself, but I don't really see that dependency on python is more of an issue than dependency on perl would be, or more of an issue than the current dependency of the portupgrade tools on ruby.

Andrew

-------------------------------------------------------------------
Andrew McNaughton
http://www.scoop.co.nz/
andrew@scoop.co.nz
Mobile: +61 422 753 792
pgp keyid: 1C7A8CFD

--
"We are trying to figure out how you conduct a war against something other than a nation-state and how ... you conduct a war in countries that you are not at war with," -- Donald Rumsfeld, 27 Jan 2006

From owner-freebsd-security@FreeBSD.ORG Wed May 24 18:45:54 2006
Date: Wed, 24 May 2006 14:45:37 -0400
From: Allen
To: freebsd-security@freebsd.org
Message-ID: <20060524144537.46463a90@hydrocodone.org>
In-Reply-To: <44741A43.40302@kernel32.de>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz> <20060523160051.GA78620@kierun.org> <44741A43.40302@kernel32.de>
Subject: Re: FreeBSD Security Survey

On Wed, 24 May 2006 10:33:07 +0200 Marian Hettwer wrote:
> Hej Yann,
>
> Yann Golanski wrote:
> > Quoth Roger Marquis on Tue, May 23, 2006 at 08:53:00 -0700
> >
> >>Peter Jeremy wrote:
> >>
> >>>One of the major problems with unattended/automatic updating is
> >>>that it is hard to
> >>>filter them.
> >>
> >>It's hard to make a good case for automatic updates when manual
> >>updates are so easy.
> >
> >
> > So, here is a question: I have three machines, all on different hardware
> > but with the same version of FreeBSD that are updated manually. Now,
> > how about I get a dozen machines... How do I do that in a reasonable
> > amount of time?
>
> You get yourself a build machine.
> Say you have 10 amd64 machines and 10 intel boxes, well, then you'll
> need one amd64 machine and one intel machine.
> Set up jails on this build host. Each jail having the specific make.conf
> and stuff configuration you like.
> Let's say
> intel machine:
> jail-1 --> for your MySQL machines
> jail-2 --> for your Apaches
> jail-3 --> for your mailservers
>
> go to each jail and build yourself some packages (make package). Then
> use those packages to install them on your production machines.
> You may want to abuse these jails to do some testing whether the packages
> are okay too...
>
> It really depends on how many machines you have, on how many different
> tasks they have and on which architectures you're running.
>
> The answer is: build host + jails for a testing environment...
> This'll reduce your actual downtime.
>

Did you just tell him to get another computer for each arch to have as a build machine???

Being a broke college student I don't think that's something I'd ever do to install updates on my boxes. I can't afford another computer just to build updates when every other OS I use does updates in another way....

I still say it would be best for all to have something in FreeBSD similar to Slackware where you just use wget or something to grab a patch .tgz file and use upgradepkg to install it without having to do this. Some people say this isn't right or it's not a secure way to do this, but what's worse? The very small chance of a patch in this way having a problem, or the people I've seen reply saying they don't install patches at all?

I'd rather install a patch than not do it but with the current system it just takes way too long. I have two routers and a switch in front of my machines, and Linux boxes in front of that, and really, it's much easier to type upgradepkg *.tgz than it is to go through the process that I'd need to do for FreeBSD.

As I've said before portupdate and FreeBSDupdate are a great start, but the fact remains, buildworld over a telnet patch is just terrible. And as I've also pointed out, I'll continue using FreeBSD regardless of if the way I'd like is there or not, but a lot of people using other OSs, they just don't think there is any worth in going through this much trouble over a patch. Specially the people coming to FreeBSD from Windows. They remember patches breaking more than they helped, and when they see what you have to do to get most of these installed they are going to say the hell with it and not install any of them.

The FreeBSD summer of code is coming up here, and I'd really love to see someone add something to FreeBSD that allows patches to be installed with an app in the way Linux does it. This would for sure help out a lot.

I mean someone can argue all they want how you can't do this or that when you're installing patches like Linux does, but when you consider how many people don't even install patches because of how much time it takes, or when someone like I quoted says buy ANOTHER computer for every arch you're using to use as a build box.... That just isn't going to happen for most people.

Either way I'll continue sending my 1,000 dollars out for FreeBSD, but I'd just like to see the money I spend on it and the FreeBSD mall, go to something good like making a new way to install security and bug fixes.
-Allen

From owner-freebsd-security@FreeBSD.ORG Wed May 24 19:40:27 2006
Date: Wed, 24 May 2006 15:40:23 -0400
From: Garance A Drosihn
To: Allen, freebsd-security@freebsd.org
In-Reply-To: <20060524144537.46463a90@hydrocodone.org>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz> <20060523160051.GA78620@kierun.org> <44741A43.40302@kernel32.de> <20060524144537.46463a90@hydrocodone.org>
Subject: Re: FreeBSD Security Survey

At 2:45 PM -0400 5/24/06, Allen wrote:
> > > > It really depends on how many machines you have, on how
> > many different tasks they have and on which architectures
> > you're running.
> >
>> The answer is: build host + jails for a testing environment...
>> This'll reduce your actual downtime.
>>
>
>Did you just tell him to get another computer for each arch
>to have as a build machine???
>
>Being a broke college student I don't think that's something
>I'd ever do to install updates on my boxes. I can't afford
>another computer just to build updates when every other OS
>I use does updates in another way....

If you are a college student with a few machines that you work with, then you can afford some downtime. Note that the person was talking about the problems of doing source updates on TEN machines. If you own ten machines, and if all of those ten machines must have zero downtime and rock-solid reliability, then you really have to find the money for an eleventh machine. That is just the cost of doing business. Find the money to do the job right, or expect to go out of business the first day that Murphy's Law comes knockin' at your door.

That issue of ten or more machines is completely separate from the issue of how well the ports collection itself should work, of course. But you can't complain about the cost of one machine *WHEN* you are moaning about the problems of owning ten machines which must be up 24/7.

"Pity the poor college student, with their personally-owned data center of 50 machines split across five different architectures." Uh, no. I won't. Anyone who can afford that much hardware has more money than I do!

--
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Thu May 25 05:25:37 2006
Date: Thu, 25 May 2006 01:25:19 -0400
From: Allen
To: freebsd-security@freebsd.org
Message-ID: <20060525012519.4e4e626d@hydrocodone.org>
References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz> <20060523160051.GA78620@kierun.org> <44741A43.40302@kernel32.de> <20060524144537.46463a90@hydrocodone.org>
Subject: Re: FreeBSD Security Survey

On Wed, 24 May 2006 15:40:23 -0400 Garance A Drosihn wrote:
> At 2:45 PM -0400 5/24/06, Allen wrote:
> > > > > > It really depends on how many machines you have, on how
> > > many different tasks they have and on which architectures
> > > you're running.
> > > > >> The answer is: build host + jails for a testing environment... > >> This'll reduce your actual downtime. > >> > > > >Did you just tell him to get another computer for each arch > >to have as a build machine??? > > > >Being a broke college student I don't think that's something > >I'd ever do to install updates on my boxes. I can't afford > >another computer just to build updates when every other OS > >I use does updates in another way.... > > If you are a college student with a few machines that > you work with, then you can afford some downtime. > > Note that the person was talking about the problems of > doing source updates on TEN machines. If you own ten > machines, and if all of those ten machines must have zero > downtime and rock-solid reliability, then you really > have to find the money for an eleventh machine. That is > just the cost of doing business. Find the money to do > the job right, or expect to go out of business the first > day that Murphy's Law comes knockin' at your door. > > That issue of ten or more machines is completely separate > from the issue of how well the ports collection itself > should work, of course. But you can't complain about > the cost of one machine *WHEN* you are moaning about the > problems of owning ten machines which must be up 24/7. > > "Pity the poor college student, with their personally- > owned data center of 50 machines split across five > different architectures." Uh, no. I won't. Anyone > who can afford that much hardware has more money than > I do! > Yes, I can afford down time. There is one thing I've kept with me in my two years of using Unix / Linux / BSD: It's better to bring a machine down or reboot because you're installing updates, than to do so because you were rooted with an exploit that a patch was released for 3 months ago.. Served me well. As I've said, I will continue to not only use, but support FreeBSD, no matter if they take my ideas or not. 
It doesn't matter, I'll use it anyway and continue to buy the CD sets and the books and the shirts, the stickers, and even the boxers (Comfy boxers by the way) because I believe in it. I'd just like to be able to have the option of installing fixes the way Linux does because then you don't need a build box. And you don't need to take a machine down for a while as you're installing them. I'm not saying dump the current system, not even close, I'm just saying it would be nice to have the option to install patches like slackware at least. IF I was a good programmer I'd be working on that now, but, I have very little coding skill. I can do some very little Perl, and I'm working on learning C because I want to help with FreeBSD and Linux. And because I'd never really be bored. I mean seriously, a pot of coffee or a case of RedBull and a BSD or Linux box, you don't even need X if you know how to code, you'd be able to do something. It's one of my goals in life, to be a Unix wizard. Which is of course why I've chosen Perl and C. Perl was made for Unix and so was C. Anyway I'm rambling on. So my idea is that for.... Hmm I counted a good number of people, who said they don't install patches because it just takes to much time. That's a lot of people, considering not everyone is going to reply, and not everyone who uses it is on thie list... And that's dangerous considering what someone can do to an un patched machine. So for those people and me who can't really spend a day or so doing updates, I'd just like it if Free BSD had a system in place (Which could be added to sysinstall) where you can sit down, use wget to grab some patches, and then either use upgradepkg or an app similar to it, to install the patch. It would save a LOT of time, and people would be more likely to install patches who don't now. The people who install their patches right now aren't going to care. They would most likely continue using what they do now... 
The people who said they won't install them probably would because it would be easier to do, and hell you could even make a little Perl script that checkes a BSD update server each night for new updates and then grabs and installs them. I'd love that. I'm sure I'm not alone. And as I've said before, I'm not comparing FreeBSD to Slackware, but I don't think it's any secret that Slackware loves FreeBSD. FreeBsdmall and the Slackware store, if you make an order from both, they come in the same box! Each semester I get some cash from my college, I use it for things I need, and so I blew 700 dollars at FreeBSDmall and the Slackware store. I paid extra for the overnight and second day shipping, and the next day, not even 20 hours after I placed my order, it was at my house. Both of them. in the same box. -Allen > -- > Garance Alistair Drosehn = gad@gilead.netel.rpi.edu > Senior Systems Programmer or gad@freebsd.org > Rensselaer Polytechnic Institute or drosih@rpi.edu > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu May 25 08:28:25 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 91ED416A436 for ; Thu, 25 May 2006 08:28:25 +0000 (UTC) (envelope-from yann@raven.kierun.org) Received: from raven.kierun.org (raven.yorksj.ac.uk [193.61.234.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 181D843D5A for ; Thu, 25 May 2006 08:28:22 +0000 (GMT) (envelope-from yann@raven.kierun.org) Received: from yann by raven.kierun.org with local (Exim 4.62 (FreeBSD)) (envelope-from ) id 1FjBCf-000ODH-6Q; Thu, 25 May 2006 09:28:21 +0100 Date: Thu, 25 May 2006 09:28:21 +0100 From: Yann Golanski To: Garance A 
Drosihn Message-ID: <20060525082821.GA93011@kierun.org> References: <20060523120100.37D2B16A54F@hub.freebsd.org> <20060523083944.H96736@eboyr.pbz> <20060523160051.GA78620@kierun.org> <44741A43.40302@kernel32.de> <20060524144537.46463a90@hydrocodone.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="k+w/mQv8wyuph6w0" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.11 Sender: "Yann Golanski, University of York, +44(0)1904-433088" Cc: freebsd-security@freebsd.org, Allen Subject: Re: FreeBSD Security Survey X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 May 2006 08:28:27 -0000 --k+w/mQv8wyuph6w0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Quoth Garance A Drosihn on Wed, May 24, 2006 at 15:40:23 -0400 > >> The answer is: build host + jails for a testing environment... > >> This'll reduce your actual downtime. > >Did you just tell him to get another computer for each arch > >to have as a build machine??? > > > >Being a broke college student I don't think that's something > >I'd ever do to install updates on my boxes. I can't afford > >another computer just to build updates when every other OS > >I use does updates in another way.... >=20 > If you are a college student with a few machines that > you work with, then you can afford some downtime. Why? Just because I am from a mathematics department with no money for hardware at all does not mean that our VLE does not have to run all the time. =20 So, same question with three machines: home, office and off shore server. 
How do I keep them all up to date without having to run the patches three times?...

BTW, I consider pre-compiled packages to be good (easy to install, etc...) and bad (no fine tuning, etc...) while compiling is good for exactly the opposite reasons. Not sure which is best.

-- 
yann@kierun.org -=*=- www.kierun.org
PGP: 009D 7287 C4A7 FD4F 1680 06E4 F751 7006 9DE2 6318

From owner-freebsd-security@FreeBSD.ORG Thu May 25 19:19:26 2006
From: Garance A Drosihn
To: Yann Golanski
Cc: freebsd-security@freebsd.org
Date: Thu, 25 May 2006 15:19:20 -0400
Subject: Re: FreeBSD Security Survey
In-Reply-To: <20060525082821.GA93011@kierun.org>

At 9:28 AM +0100 5/25/06, Yann Golanski wrote:
>Quoth Garance A Drosihn on Wed, May 24, 2006 at 15:40:23 -0400
>> >> The answer is: build host + jails for a testing environment...
>> >> This'll reduce your actual downtime.
>> >
>> >Did you just tell him to get another computer for
>> >each arch to have as a build machine???
>> >
>> >Being a broke college student I don't think that's
>> >something I'd ever do to install updates on my boxes.
>> >I can't afford another computer just to build updates
>> >when every other OS I use does updates in another way....
>>
>> If you are a college student with a few machines that
>> you work with, then you can afford some downtime.
>
>Why? Just because I am from a mathematics department
>with no money for hardware at all does not mean that
>our VLE does not have to run all the time.

Because if you have many machines which have to be up 100% of the time, then the ports collection is not the only thing which is going to haunt you. The ports collection can be improved upon, of course, but even a perfect ports collection will not solve all the problems of running a large collection of mission-critical computers.

What I am saying is that the message which said "Buy another machine" was *NOT* directed to every single user of the ports collection. It was merely advice to anyone who has a large collection of hardware that they need to keep running all the time. There are several unavoidable costs to running computers 24/7. Those costs do not disappear simply because you have no budget. If someone "cannot afford downtime", then they have to find a budget to cover those expenses. That is just friendly advice from people who *DO* run lots of computers. There are many things that can go wrong, most of which have nothing to do with the ports collection.

Also note that the advice (which is still in the above quote) included the idea of using jails for testing the ports-environment changes. So, the advice didn't even demand that *anyone* had to buy new hardware.

This thread started because *Colin* set up a security survey. He *already* realizes that the project needs to do something so that more people are willing and able to apply security fixes once the project comes up with them. So don't go all pouty and claim that no one here appreciates your situation. Many people work very hard to provide the operating system and ports collection for *NO COST*, so don't pretend that we're some greedy bastards who are insensitive to your zero budget.

-- 
Garance Alistair Drosehn = gad@gilead.netel.rpi.edu
Senior Systems Programmer or gad@freebsd.org
Rensselaer Polytechnic Institute or drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Fri May 26 07:38:42 2006
From: Gennady Proskurin
To: freebsd-security@freebsd.org
Date: Fri, 26 May 2006 11:38:36 +0400
Message-ID: <20060526073836.GC15280@relay.nvnpp.vrn.ru>
Subject: IPSEC - tcp port match

Hello.

I am trying to configure IPSEC to bypass the ssh protocol. For example:

    setkey -FP
    setkey -F
    setkey -c << EOF
    spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none ;
    spdadd 10.1.1.1/32 10.6.10.50 tcp -P in ipsec ah/transport//require ;
    EOF

(Pass incoming ssh packets to 10.6.10.50, block other tcp packets)

This works under fresh 7-CURRENT (FAST_IPSEC). On fresh 6-STABLE (neither FAST_IPSEC nor KAME IPSEC) it doesn't work: the first string, "spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none", never matches.

Is it a bug in 6-STABLE or am I missing something? Does anybody successfully use IPSEC with tcp port matching under 6-STABLE?

-- 
Gennady

From owner-freebsd-security@FreeBSD.ORG Fri May 26 08:16:06 2006
From: Marian Hettwer
To: Allen
Cc: freebsd-security@freebsd.org
Date: Fri, 26 May 2006 10:16:04 +0200
Subject: Re: FreeBSD Security Survey
Message-ID: <4476B944.20706@kernel32.de>
In-Reply-To: <20060524144537.46463a90@hydrocodone.org>
Allen wrote:
> Did you just tell him to get another computer for each arch to have as a build machine???

Yes I did...

> Being a broke college student I don't think that's something I'd ever do to install updates on my boxes.
> I can't afford another computer just to build updates when every other OS I use does updates in another way....

I thought we're talking about Servers and Datacenters, not about being a broke student with one or two PCs... My thoughts went into something like having 50+ servers to manage...

./Marian

From owner-freebsd-security@FreeBSD.ORG Fri May 26 08:20:12 2006
From: Marian Hettwer
To: Garance A Drosihn
Cc: freebsd-security@freebsd.org, Allen
Date: Fri, 26 May 2006 10:20:00 +0200
Subject: Re: FreeBSD Security Survey
Message-ID: <4476BA30.2090607@kernel32.de>

Garance A Drosihn wrote:
> At 2:45 PM -0400 5/24/06, Allen wrote:
>> Did you just tell him to get another computer for each arch
>> to have as a build machine???
>>
>> Being a broke college student I don't think that's something
>> I'd ever do to install updates on my boxes. I can't afford
>> another computer just to build updates when every other OS
>> I use does updates in another way....
>
> If you are a college student with a few machines that
> you work with, then you can afford some downtime.
>
> Note that the person was talking about the problems of
> doing source updates on TEN machines. If you own ten
> machines, and if all of those ten machines must have zero
> downtime and rock-solid reliability, then you really
> have to find the money for an eleventh machine. That is

ACK. That's what I was talking about :)

At work we have roughly 900 Debian Linux servers, and frankly, the way of upgrading those boxes is pretty easy (apt-get update, apt-get upgrade). However, we still have build machines for custom packages and of course test machines to test updates... The point then is, of course, sometimes a buildworld is overkill and it would be great to have an easier way of upgrading, but still you need the "eleventh" machine for testing / reducing downtime / whatever.

> "Pity the poor college student, with their personally-
> owned data center of 50 machines split across five
> different architectures." Uh, no. I won't. Anyone
> who can afford that much hardware has more money than
> I do!

"me too" ;-)

./Marian

From owner-freebsd-security@FreeBSD.ORG Fri May 26 15:35:06 2006
From: Jeremie Le Hen
To: freebsd-current@FreeBSD.org, freebsd-security@FreeBSD.org
Date: Fri, 26 May 2006 17:34:22 +0200
Subject: Integrating ProPolice/SSP into FreeBSD
Message-ID: <20060526153422.GB25953@obiwan.tataz.chchile.org>

Hi,

first sorry for cross-posting, but I thought this patch might interest -CURRENT users as well as people concerned by security.

I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step further than it has been realized so far. It is available here:
http://tataz.chchile.org/~tataz/FreeBSD/SSP/

Everything is explained on the web page, but I will repeat some information here. The patchset is split in two parts to ease the review of the patch. The -propolice patch is only the original ProPolice patch for GCC 3.4.4 applied on the FreeBSD source tree. The -freebsd patch contains the glue I have written to make things neat.

The patch exists for both CURRENT and RELENG_6. Both introduce a new make.conf(5) (and src.conf(5)) knob to enable stack protection on a per-Makefile basis. It is of course possible to compile your world with it. Please refer to the web page for more information.

The patch has been tested and works pretty well. My laptop and my workstation at work are compiled with SSP: world, kernel and ports, including X.org.

I hope you will enjoy it.
Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Fri May 26 18:41:33 2006
From: Robert Watson
To: Jeremie Le Hen
Cc: freebsd-security@FreeBSD.org, freebsd-current@FreeBSD.org
Date: Fri, 26 May 2006 19:41:31 +0100 (BST)
Subject: Re: Integrating ProPolice/SSP into FreeBSD
Message-ID: <20060526193048.Y77521@fledge.watson.org>
In-Reply-To: <20060526153422.GB25953@obiwan.tataz.chchile.org>

On Fri, 26 May 2006, Jeremie Le Hen wrote:
> first sorry for cross-posting but I thought this patch might interest
> -CURRENT users as well as people concerned by security.
>
> I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step further
> than it has been realized so far.

This looks very neat.

Could you remind me what, if any, ABI issues might exist? I'm familiar with the ideas behind ProPolice, but not the implementation. Can I use SSP-compiled libraries with pre-SSP applications? Can I use post-SSP applications with pre-SSP binaries?

At various points in the past, the issue of integrating stack protection techniques into the gcc code has come up. Did this ever go anywhere? Even Microsoft's compiler suite ships with statically compiled stack protection these days. In the past we've avoided local compiler changes in order to make it easier to track the vendor and avoid losing local compiler changes when upgrading.

Robert N M Watson

> It is available here :
> http://tataz.chchile.org/~tataz/FreeBSD/SSP/
>
> Everything is explained on the web page, but I will repeat some
> information here. The patchset is split in two parts to ease the
> review of the patch. The -propolice patch is only the original
> ProPolice patch for GCC 3.4.4 applied on the FreeBSD source tree. The
> -freebsd patch contains the glue I have written to make things neat.
>
> The patch exists for both CURRENT and RELENG_6. Both introduce a
> new make.conf(5) (and src.conf(5)) knob to enable stack protection
> on a per-Makefile basis. It is of course possible to compile your
> world with it. Please refer to the web page for more information.
>
> The patch has been tested and works pretty well. My laptop and my
> workstation at work are compiled with SSP: world, kernel and ports,
> including X.org.
>
> I hope you will enjoy it.
>
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Fri May 26 18:49:25 2006
From: Kris Kennaway
To: Robert Watson
Cc: freebsd-security@FreeBSD.org, freebsd-current@FreeBSD.org, Jeremie Le Hen
Date: Fri, 26 May 2006 14:49:19 -0400
Subject: Re: Integrating ProPolice/SSP into FreeBSD
Message-ID: <20060526184919.GA69830@xor.obsecurity.org>
In-Reply-To: <20060526193048.Y77521@fledge.watson.org>

On Fri, May 26, 2006 at 07:41:31PM +0100, Robert Watson wrote:
>
> On Fri, 26 May 2006, Jeremie Le Hen wrote:
>
> >first sorry for cross-posting but I thought this patch might interest
> >-CURRENT users as well as people concerned by security.
> >
> >I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
> >further than it has been realized so far.
>
> This looks very neat.
>
> Could you remind me what, if any, ABI issues might exist? I'm familiar
> with the ideas behind ProPolice, but not the implementation. Can I use
> SSP-compiled libraries with pre-SSP applications? Can I use post-SSP
> applications with pre-SSP binaries?

Last time I tried it (several years ago, when I maintained my own local patch for world integration), backwards binary compatibility was an issue, i.e. it was possible to hose your system when trying to revert the changes (since all rebuilt binaries depend on symbols no longer provided in libc).

Kris

From owner-freebsd-security@FreeBSD.ORG Fri May 26 19:08:16 2006
From: Garance A Drosehn
To: Kris Kennaway, Robert Watson
Date: Fri, 26 May 2006 15:08:03 -0400
In-Reply-To: <20060526184919.GA69830@xor.obsecurity.org>
Cc: freebsd-security@FreeBSD.org, Jeremie Le Hen
Subject: Re: Integrating ProPolice/SSP into FreeBSD

At 2:49 PM -0400 5/26/06, Kris Kennaway wrote:
> On Fri, May 26, 2006, Robert Watson wrote:
> >
> > On Fri, 26 May 2006, Jeremie Le Hen wrote:
> >
> > > first sorry for cross-posting but I thought this patch
> > > might interest -CURRENT users as well as people concerned
> > > by security.

This makes the assumption that people running -current are not
interested in security...

> > > I wrote a patch that integrates ProPolice/SSP into FreeBSD,
> > > one step further than it has been realized so far.
> >
> > This looks very neat.

Certainly I'd like to see this available to FreeBSD users. Thanks very
much for working on it.

> > Could you remind me what, if any, ABI issues might exist?
> > I'm familiar with the ideas behind ProPolice, but not the
> > implementation. Can I use SSP-compiled libraries with
> > pre-SSP applications? Can I use post-SSP applications
> > with pre-SSP binaries?
>
> Last time I tried it (several years ago, when I maintained
> my own local patch for world integration), backwards binary
> compatibility was an issue, i.e. it was possible to hose
> your system when trying to revert the changes (since all
> rebuilt binaries depend on symbols no longer provided
> in libc).

Could we do something to ease in the transition? First add some kind of
stubs for those routines, and then later do the switch to bring in
ProPolice? Or something else like that?

I should also dust off the ideas I worked on for the 64-bit time_t change.
I was closing in on a way to reliably switch back-and-forth between
kernels which had some incompatible change.

--
Garance Alistair Drosehn            =   drosehn@rpi.edu
Senior Systems Programmer           or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA

From owner-freebsd-security@FreeBSD.ORG Fri May 26 19:45:22 2006
From: Daniel Eischen
To: Kris Kennaway
Cc: Jeremie Le Hen, freebsd-security@freebsd.org, freebsd-current@freebsd.org, Robert Watson
Date: Fri, 26 May 2006 15:45:15 -0400 (EDT)
Subject: Re: Integrating ProPolice/SSP into FreeBSD
In-Reply-To: <20060526184919.GA69830@xor.obsecurity.org>

On Fri, 26 May 2006, Kris Kennaway wrote:
> On Fri, May 26, 2006 at 07:41:31PM +0100, Robert Watson wrote:
> >
> > On Fri, 26 May 2006, Jeremie Le Hen wrote:
> >
> > > first sorry for cross-posting but I thought this patch might interest
> > > -CURRENT users as well as people concerned by security.
> > >
> > > I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
> > > further than it has been realized so far.
> >
> > This looks very neat.
> >
> > Could you remind me what, if any, ABI issues might exist? I'm familiar
> > with the ideas behind ProPolice, but not the implementation. Can I use
> > SSP-compiled libraries with pre-SSP applications? Can I use post-SSP
> > applications with pre-SSP binaries?
>
> Last time I tried it (several years ago, when I maintained my own
> local patch for world integration), backwards binary compatibility was
> an issue, i.e. it was possible to hose your system when trying to
> revert the changes (since all rebuilt binaries depend on symbols
> no longer provided in libc).

As I understand it, the symbols would be added to libc (and stay there).
And with symbol versioning, they would always have to stay there
regardless of whether you build your binaries with or without SSP.

A comment to the patch itself... You need to put the added symbol(s) in
one of libc's Symbol.map files or else they won't be visible when symbol
versioning is enabled.
--
DE

From owner-freebsd-security@FreeBSD.ORG Fri May 26 22:35:50 2006
From: Alexander Kabaev
To: Jeremie Le Hen
Cc: freebsd-security@FreeBSD.org, freebsd-current@FreeBSD.org
Date: Fri, 26 May 2006 18:35:54 -0400
Subject: Re: Integrating ProPolice/SSP into FreeBSD
Message-ID: <20060526183554.25d5cc0d@kan.dnsalias.net>
In-Reply-To: <20060526153422.GB25953@obiwan.tataz.chchile.org>

On Fri, 26 May 2006 17:34:22 +0200 Jeremie Le Hen wrote:
> Hi,
>
> first sorry for cross-posting but I thought this patch might interest
> -CURRENT users as well as people concerned by security.
>
> I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
> further than it has been realized so far.
>
> It is available here:
> http://tataz.chchile.org/~tataz/FreeBSD/SSP/
>
> Everything is explained on the web page, but I will repeat some
> information here. The patchset is split in two parts to ease the
> review of the patch. The -propolice patch is only the original
> ProPolice patch for GCC 3.4.4 applied on the FreeBSD source tree. The
> -freebsd patch contains the glue I have written to make things neat.
>
> The patch exists for both CURRENT and RELENG_6. Both introduce a
> new make.conf(5) (and src.conf(5)) knob to enable stack protection
> on a per Makefile basis. It is of course possible to compile your
> world with it. Please refer to the web page for more information.
>
> The patch has been tested and works pretty well. My laptop and my
> workstation at work are compiled with SSP: world, kernel and ports,
> including X.org.
>
> I hope you will enjoy it.
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >

How does this compare to the GCC 4.x mudflap feature? I do not plan to
include the Propolice patch into the base system any time soon and will
object to anyone trying to do so due to the future maintenance headaches
this will inevitably create. The GCC 4.1.1 import is in the works though
and should be available shortly.

--
Alexander Kabaev

From owner-freebsd-security@FreeBSD.ORG Fri May 26 23:02:26 2006
From: Steve Kargl
To: Alexander Kabaev
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Jeremie Le Hen
Date: Fri, 26 May 2006 16:02:25 -0700
Subject: Re: Integrating ProPolice/SSP into FreeBSD
Message-ID: <20060526230225.GB946@troutmask.apl.washington.edu>
In-Reply-To: <20060526183554.25d5cc0d@kan.dnsalias.net>

On Fri, May 26, 2006 at 06:35:54PM -0400, Alexander Kabaev wrote:
>
> How does this compare to the GCC 4.x mudflap feature? I do not plan to
> include the Propolice patch into the base system any time soon and will
> object to anyone trying to do so due to the future maintenance headaches
> this will inevitably create. The GCC 4.1.1 import is in the works though
> and should be available shortly.
>

At one time mudflap would lead to internal compiler errors on amd64. I
haven't tried it in a long time.

What language frontends do you intend to support when 4.1.1 comes into the
tree? FreeBSD currently has a Fortran 77 compiler via g77. g77 is no longer
supported in the 4.x series, and its replacement is a Fortran 95 compiler.
--
Steve

From owner-freebsd-security@FreeBSD.ORG Sat May 27 03:28:29 2006
From: Alexander Kabaev
To: Steve Kargl
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Jeremie Le Hen
Date: Fri, 26 May 2006 23:28:37 -0400
Subject: Re: Integrating ProPolice/SSP into FreeBSD
Message-ID: <20060526232837.113456d0@kan.dnsalias.net>
In-Reply-To: <20060526230225.GB946@troutmask.apl.washington.edu>

On Fri, 26 May 2006 16:02:25 -0700 Steve Kargl wrote:
> On Fri, May 26, 2006 at 06:35:54PM -0400, Alexander Kabaev wrote:
> >
> > How does this compare to the GCC 4.x mudflap feature? I do not plan to
> > include the Propolice patch into the base system any time soon and will
> > object to anyone trying to do so due to the future maintenance headaches
> > this will inevitably create. The GCC 4.1.1 import is in the works
> > though and should be available shortly.
> >
>
> At one time mudflap would lead to internal compiler errors
> on amd64. I haven't tried it in a long time.
>
> What language frontends do you intend to support when 4.1.1
> comes into the tree? FreeBSD currently has a Fortran 77
> compiler via g77. g77 is no longer supported in the 4.x
> series, and its replacement is a Fortran 95 compiler.
>
> --
> Steve

The current plan is to import c/c++ frontends only.

--
Alexander Kabaev

From owner-freebsd-security@FreeBSD.ORG Sat May 27 13:54:49 2006
From: Ian G
Organization: http://iang.org/
To: FreeBSD Security List
Date: Sat, 27 May 2006 15:51:08 +0200
Subject: On what versions of FreeBSD can we unreserve ports?
Message-ID: <4478594C.6080309@iang.org>

On which versions of FreeBSD is it now possible to un-reserve ports?

( I've been waiting for this since forever ... have spent countless days
- $$$ - trying to install workarounds, only to junk them later. I've even
been paid a consulting gig to develop this, and declined to deploy it on
my own servers :-/ )

iang

http://askslim.blogspot.com/2006/05/freebsd-61-disabling-reserverd-ports.html

Friday, May 26, 2006
FreeBSD 6.1: Disabling Reserved Ports

A common misfeature found on UN*X operating systems is the restriction
that only root can bind to ports < 1024. Many a dollar has been wasted on
workarounds and -often- the resulting security holes. Fortunately on
FreeBSD 6.1 (and probably older versions as well) you can disable this
remnant of trust-by-convention.

host$ sysctl net.inet.ip.portrange.reservedhigh=0

That simple. Add it to your /etc/sysctl.conf today!
posted by Slim @ 4:18 PM From owner-freebsd-security@FreeBSD.ORG Sat May 27 17:23:47 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2444316ADEB; Sat, 27 May 2006 17:23:47 +0000 (UTC) (envelope-from tataz@tataz.chchile.org) Received: from smtp4-g19.free.fr (smtp4-g19.free.fr [212.27.42.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 44A6C43D4C; Sat, 27 May 2006 17:23:44 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (tataz.chchile.org [82.233.239.98]) by smtp4-g19.free.fr (Postfix) with ESMTP id 457C554861; Sat, 27 May 2006 19:23:43 +0200 (CEST) Received: from obiwan.tataz.chchile.org (unknown [192.168.1.25]) by tatooine.tataz.chchile.org (Postfix) with ESMTP id 8F41A9C718; Sat, 27 May 2006 17:23:58 +0000 (UTC) Received: by obiwan.tataz.chchile.org (Postfix, from userid 1000) id 3CED14071; Sat, 27 May 2006 19:23:58 +0200 (CEST) Date: Sat, 27 May 2006 19:23:58 +0200 From: Jeremie Le Hen To: Alexander Kabaev Message-ID: <20060527172358.GC25953@obiwan.tataz.chchile.org> References: <20060526153422.GB25953@obiwan.tataz.chchile.org> <20060526183554.25d5cc0d@kan.dnsalias.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060526183554.25d5cc0d@kan.dnsalias.net> User-Agent: Mutt/1.5.11 Cc: freebsd-security@FreeBSD.org, freebsd-current@FreeBSD.org, Jeremie Le Hen Subject: Re: [fbsd] Re: Integrating ProPolice/SSP into FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 May 2006 17:24:04 -0000 On Fri, May 26, 2006 at 06:35:54PM -0400, Alexander Kabaev wrote: > On Fri, 26 May 2006 17:34:22 +0200 > Jeremie Le Hen 
wrote: > > > Hi, > > > > first sorry for cross-posting but I thought this patch might interest > > -CURRENT users as well as people concerned by security. > > > > I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step > > further than it has been realized so far. > > > > It is available here : > > http://tataz.chchile.org/~tataz/FreeBSD/SSP/ > > > > Everything is explained on the web page, but I will repeat some > > informations here. The patchset is splitted in two parts to ease the > > review of the patch. The -propolice patch is only the original > > ProPolice patch for GCC 3.4.4 applied on FreeBSD source tree. The > > -freebsd patch contains the glue I have written to make things neat. > > > > The patch exists in both for CURRENT and RELENG_6. Both introduce a > > new make.conf(5) (and src.conf(5)) knob to enable stack protection > > on a per Makefile basis. It if of course possible to compile your > > world with it. Please refer to the web page for more informations. > > > > The patch has been tested and works pretty well. My laptop and my > > workstation at work are compiled with SSP : world, kernel and ports, > > including X.org. > > > > I hope you will enjoy it. > > Regards, > > -- > > Jeremie Le Hen > > < jeremie at le-hen dot org >< ttz at chchile dot org > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > > "freebsd-security-unsubscribe@freebsd.org" > > How does this compare to GCC 4.x mudflap feature? I do not plan to > include Propolice patch into base system any time soon and will object > anyone trying to do so due to future maintenance headaches this will > inevitably create. GCC 4.1.1 import is in the works though and should be > available shortly. I wasn't aware of the mudflap feature. I had a quick look at it through [1], and it appears mudflap focuses on pointer dereferencement. 
ProPolice focuses on stack-based buffer overflows, this is mostly the same as StackGuard, which is presented in the paper. According to Wikipedia [2], StackGuard isn't maintained any longuer, while ProPolice has been merged into GCC 4.1. I understand you are working on GCC 4.1.1 import and that modifying contributed sources will be a problem for you, though I must admit I am not sure to understand the whole pain this creates. I will try to maintain the patch on my own until GCC 4.1.1 import, so that users will be able to make the best of ProPolice. BTW, given that GCC 4.1.1 will contain ProPolice bits, I think I will be worth having some knobs to turn SSP on or off for the base system. I have become pretty confident with the build system and problems that libssp triggers. I would be glad to provide you some of the glue I have written so far in my patch (the -freebsd part). Please, let me know if you are interested in this. If your current work is publicly accessible, I'd be glad if you gave me the URL. [1] http://gcc.fyxm.net/summit/2003/mudflap.pdf [2] http://en.wikipedia.org/wiki/ProPolice Thank you. 
Best regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org > From owner-freebsd-security@FreeBSD.ORG Sat May 27 17:25:14 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D1D516C5C6; Sat, 27 May 2006 17:25:14 +0000 (UTC) (envelope-from tataz@tataz.chchile.org) Received: from smtp1-g19.free.fr (smtp1-g19.free.fr [212.27.42.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B01F43D55; Sat, 27 May 2006 17:25:02 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (tataz.chchile.org [82.233.239.98]) by smtp1-g19.free.fr (Postfix) with ESMTP id 087319AA18; Sat, 27 May 2006 19:25:00 +0200 (CEST) Received: from obiwan.tataz.chchile.org (unknown [192.168.1.25]) by tatooine.tataz.chchile.org (Postfix) with ESMTP id 286249C718; Sat, 27 May 2006 17:25:12 +0000 (UTC) Received: by obiwan.tataz.chchile.org (Postfix, from userid 1000) id 2560E4071; Sat, 27 May 2006 19:25:12 +0200 (CEST) Date: Sat, 27 May 2006 19:25:12 +0200 From: Jeremie Le Hen To: Garance A Drosehn Message-ID: <20060527172512.GD25953@obiwan.tataz.chchile.org> References: <20060526153422.GB25953@obiwan.tataz.chchile.org> <20060526193048.Y77521@fledge.watson.org> <20060526184919.GA69830@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.11 Cc: Jeremie Le Hen , freebsd-security@FreeBSD.org, Robert Watson , Kris Kennaway Subject: Re: [fbsd] Re: Integrating ProPolice/SSP into FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 May 2006 17:25:25 -0000 HI, Robert, Kris, Garance, On Fri, May 26, 2006 at 
03:08:03PM -0400, Garance A Drosehn wrote: > At 2:49 PM -0400 5/26/06, Kris Kennaway wrote: > >On Fri, May 26, 2006, Robert Watson wrote: > > > > >> On Fri, 26 May 2006, Jeremie Le Hen wrote: > >> > > > > > first sorry for cross-posting but I thought this patch > > > > might interest -CURRENT users as well as people concerned > > > > by security. > > This makes the assumption that people running -current are > not interested in security... I expressed myself clumsily and I didn't intend to mean this. BTW, I use a SSP'ified -CURRENT :-). > > > > I wrote a patch that integrates ProPolice/SSP into FreeBSD, > > > > one step further than it has been realized so far. > > > > > > This looks very neat. > > Certainly I'd like to see this available to FreeBSD users. > Thanks very much for working on it. > > > > Could you remind me what, if any, ABI issues might exist? > > > I'm familiar with the ideas behind ProPolice, but not the > > > implementation. Can I use SSP-compied libraries with > > > pre-SSP applications? Can I use post-SSP applications > > > with pre-SSP binaries? > > > >Last time I tried it (several years ago, when I maintained > >my own local patch for world integration), backwards binary > >compatibility was an issue, i.e. it was possible to hose > >your system when trying to revert the changes (since all > >rebuilt binaries all depend on symbols no longer provided > >in libc). Kris is right here. The SSP functionality requires two symbols: __guard, the canary pushed on the stack in the function's prologue and checked during the function's epilogue, and __stack_smash_handler() which is called when a stack-based buffer overflow has been detected. There is also a contructor called __guard_setup() used to fill the canary with a random value at startup time, but the latter is declared as static in the file. For the sake of simplicity, I decided to pull them in libc, though GCC 4.1 provides them in libssp (*). 
You can indeed use SSP'ed libraries along with pre-SSP applications, as long as the latter is linked against the newest libc. If, by chance(?), a pre-SSP application is linked against an older libc that doesn't provide the necessary symbols and in the same time against the lastest SSP'ed libz, the runtime loader will complain about missing symbols. In order to workaround these cases, that I may have wrongly considered as edge cases, I have provided libssp.so as well, so that one can plug in the missing symbols using LD_PRELOAD whenever it's required. It is perfectly possible to use SSP'ed applications with older libraries, as long as we are not speaking of an older libc, of course. The pre-SSP library won't have reference to SSP symbols anyway, and a collision in the symbol namespace is not very likely. I agree with Kris that reverting from a SSP world to a non-SSP one is painful without any help. However, the LD_PRELOAD trick to load libssp.so will bring a lot of ease, and installworld from a pre-SSP source won't break. By the way, this procedure is documented in the FAQ on my web page. OTOH, if the patch is to be merged in the source tree, the SSP -> non-SSP transition has but a few chances to occur. (*) Although having SSP symbols in libssp rather than in libc seems more relevant given the fact that this is the way GCC 4.1 works, this leads to a more intrusive patch (modifying LIBGCC_SPEC). Furthermore, in spite this would indeed allow to make all shared objects depend on libssp, this also leads to the following dead-end problem: In order to avoid linking libssp unconditionally, I modified LIBGCC_SPEC to add "-lssp" on the ld(1) command-line solely when "-fstack-protector" compile-time option is used. This leads to a problem when one want to produce a statically-linked non-SSP binary that uses a library which does require SSP symbols. In that case the ld(1) command issued by gcc won't hold "-lssp" and there will be a link-time error. 
IMHO, this is a strong POLA breakage.  I found no easy way to circumvent
this, other than hacking gcc to catch it.  This is the main reason I
gave up using libssp.  Note that the problem doesn't arise with dynamic
objects since those that require SSP symbols can have a dependency on
libssp.so.

> Could we do something to ease in the transition?  First add
> some kind of stubs for those routines, and then later do
> the switch to bring in ProPolice?  Or something else like
> that?

Yes, it is perfectly possible to only apply the ProPolice patch; the
user will then be able to use -fstack-protector.  The original patch
puts SSP symbols in libgcc, which only exists as a static library on
FreeBSD.  Nevertheless, I don't think it is worthwhile.  The glue I have
written is not very intrusive: a user applying the patch on his source
tree without specifying WITH_SSP=yes wouldn't notice anything at all,
except the existence of a new GCC option and two new symbols in libc.

I hope this information will help.
Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Sat May 27 21:24:20 2006
From: Patrick Proniewski
Date: Sat, 27 May 2006 23:22:07 +0200
To: Ian G
Cc: FreeBSD Security List
Subject: Re: On what versions of FreeBSD can we unreserve ports?
Message-Id: <458F3682-0DBB-4AC0-A300-C7C38756165A@patpro.net>
In-Reply-To: <4478594C.6080309@iang.org>

On 27 mai 2006, at 15:51, Ian G wrote:
> On which versions of FreeBSD is it now possible to
> un-reserve ports?
> host$ sysctl net.inet.ip.portrange.reservedhigh=0

According to the FreeBSD web site, it first came with 5.1R
(http://www.freebsd.org/releases/5.1R/relnotes-i386.html).
By the way, you might want to take a look at the MAC implementation,
and especially:

http://www.freebsd.org/cgi/man.cgi?query=mac_portacl&sektion=4
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html

patpro
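The three pieces Jeremie names in the SSP message above (the __guard canary, the __guard_setup() constructor that fills it at startup, and __stack_smash_handler(), which fires when the epilogue check fails) written out by hand as an added example. This is not code from his patch, from FreeBSD or from GCC's libssp: the names carry a demo_ prefix so nothing collides with a real libc or libssp, the frame layout is a struct standing in for what the compiler emits, and the handler records the event and returns instead of logging and aborting so the result can be checked. Reading the guard from /dev/urandom with an address-based fallback, and forcing the guard's first byte in memory to zero, are assumptions of this demo, not facts about the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* stands in for libc's __guard: the process-wide canary value */
static uintptr_t demo_guard;
static int       demo_guard_ready;
/* how often the smash handler has fired (the real one never returns) */
static int       demo_smash_count;

/* stands in for __guard_setup(): runs before main() via the GCC/Clang
 * constructor attribute and fills the canary with a random value. */
static void demo_guard_setup(void) __attribute__((constructor));
static void demo_guard_setup(void)
{
    unsigned char bytes[sizeof demo_guard];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = 0;

    if (f != NULL) {
        got = fread(bytes, 1, sizeof bytes, f);
        fclose(f);
    }
    if (got != sizeof bytes) {
        /* assumed fallback: mix a few addresses so the value still varies */
        uintptr_t mix = (uintptr_t)&mix ^ (uintptr_t)&demo_guard ^ (uintptr_t)f;
        memcpy(bytes, &mix, sizeof bytes);
    }
    /* assumed "terminator" byte: a strcpy-style overflow cannot write a NUL
     * and then keep going, so it can never reproduce this byte */
    bytes[0] = 0;
    memcpy(&demo_guard, bytes, sizeof demo_guard);
    demo_guard_ready = 1;
}

/* stands in for __stack_smash_handler(): the real one logs the function
 * name and aborts the process; this demo only counts and reports. */
static void demo_stack_smash_handler(const char *func)
{
    demo_smash_count++;
    fprintf(stderr, "stack overflow in function %s\n", func);
}

#define FRAME_BUF 16

/* The layout ProPolice arranges: character buffers sit just below the
 * guard, and the guard sits just below the saved frame pointer / return
 * address, so any linear overflow must cross the guard first. */
struct demo_frame {
    char      buf[FRAME_BUF];
    uintptr_t canary;
    uintptr_t saved_return;   /* what the canary protects */
};

/* A function "compiled with -fstack-protector", spelled out by hand.
 * Returns 0 when the epilogue check passes, 1 when the canary was
 * clobbered, -1 when the copy would leave the frame object (the real
 * code has no such check; it keeps this simulation inside one object). */
int demo_copy_with_guard(const char *src, size_t n)
{
    struct demo_frame frame;
    unsigned char *base = (unsigned char *)&frame;

    if (!demo_guard_ready)
        demo_guard_setup();
    frame.saved_return = 0xdeadbeef;      /* placeholder return address */

    /* prologue: push a copy of the global guard onto the stack */
    frame.canary = demo_guard;

    /* body: the unchecked copy that makes this function overflowable */
    if (n > sizeof frame - offsetof(struct demo_frame, buf))
        return -1;
    memcpy(base + offsetof(struct demo_frame, buf), src, n);

    /* epilogue: compare the stack copy against the global before returning */
    if (frame.canary != demo_guard) {
        demo_stack_smash_handler(__func__);
        return 1;
    }
    return 0;
}

int demo_smash_events(void) { return demo_smash_count; }

int main(void)
{
    /* constructed input: FRAME_BUF + 1 bytes of 'A' into a FRAME_BUF buffer */
    char payload[FRAME_BUF + 1];
    memset(payload, 'A', sizeof payload);

    printf("in-bounds copy:     %d\n", demo_copy_with_guard("hello", 5));
    printf("one-byte overflow:  %d\n", demo_copy_with_guard(payload, sizeof payload));
    printf("handler fired %d time(s)\n", demo_smash_events());
    return 0;
}
```

The one-byte overflow lands on the guard's zero first byte and is caught even though the saved return address was never touched, which is exactly why the guard sits between the buffers and the frame's control data. The same two-symbol dependency Jeremie describes is visible here: every protected function references the guard and the handler, so a binary built this way needs whichever library exports them (libc in his patch, libssp with GCC 4.1's `__stack_chk_guard`/`__stack_chk_fail`) at link and load time.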