From owner-freebsd-security@FreeBSD.ORG Sun Mar 8 08:52:23 2009
From: Randy Bush
To: Daniel Marsh
Cc: freebsd-security@freebsd.org
Date: Sun, 08 Mar 2009 00:52:19 -0800
Subject: Re: emacs installs a lot of 777 directories
In-Reply-To: <1236312264.7184.1.camel@yog-sothoth.rlyeh>

At Fri, 06 Mar 2009 13:04:24 +0900,
Daniel Marsh wrote:
>
> On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote:
> > foo.on.you:/usr/local/share# find . -type d -perm 777
> > ./emacs/22.3/etc/tree-widget
> > ./emacs/22.3/etc/tree-widget/folder
> > ./emacs/22.3/etc/tree-widget/default
> > ./emacs/22.3/etc/e
> > ./emacs/22.3/etc/images
> > ./emacs/22.3/etc/images/low-color
> > ./emacs/22.3/etc/images/gnus
> > ./emacs/22.3/etc/images/icons
> > ./emacs/22.3/etc/images/gud
> > ./emacs/22.3/etc/images/smilies
> > ./emacs/22.3/etc/images/mail
> > ./emacs/22.3/etc/images/ezimage
> > ./emacs/22.3/lisp
> > ./emacs/22.3/lisp/net
> > ./emacs/22.3/lisp/progmodes
> > ./emacs/22.3/lisp/calc
> > ./emacs/22.3/lisp/emacs-lisp
> > ./emacs/22.3/lisp/url
> > ./emacs/22.3/lisp/emulation
> > ./emacs/22.3/lisp/play
> > ./emacs/22.3/lisp/erc
> > ./emacs/22.3/lisp/term
> > ./emacs/22.3/lisp/obsolete
> > ./emacs/22.3/lisp/textmodes
> > ./emacs/22.3/lisp/mail
> > ./emacs/22.3/lisp/eshell
> > ./emacs/22.3/lisp/calendar
> > ./emacs/22.3/lisp/mh-e
> > ./emacs/22.3/lisp/international
> > ./emacs/22.3/lisp/gnus
> > ./emacs/22.3/lisp/language
> > ./emacs/22.3/leim/ja-dic
> > ./emacs/22.3/leim/quail
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> Could this simply be an over-promiscuous umask being set when Emacs was
> installed? ie. umask 000 rather than the default umask 022 for root?
root's umask is 022

randy

From: Daniel Marsh
To: Randy Bush, freebsd-security@freebsd.org
Date: Mon, 9 Mar 2009 00:42:21 +0900
Subject: Re: emacs installs a lot of 777 directories
References: <1236312264.7184.1.camel@yog-sothoth.rlyeh>

And who owns the files?

On 3/8/09, Randy Bush wrote:
> At Fri, 06 Mar 2009 13:04:24 +0900,
> Daniel Marsh wrote:
>>
>> On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote:
>> > foo.on.you:/usr/local/share# find . -type d -perm 777
>> > ./emacs/22.3/etc/tree-widget
>> > ./emacs/22.3/etc/tree-widget/folder
>> > ./emacs/22.3/etc/tree-widget/default
>>
>> Could this simply be an over-promiscuous umask being set when Emacs was
>> installed? ie. umask 000 rather than the default umask 022 for root?
>
> root's umask is 022
>
> randy

--
Sent from my mobile device

http://buymeahouse.stiw.org/

From: Daniel Marsh
To: Randy Bush, freebsd-security@freebsd.org
Date: Mon, 9 Mar 2009 00:52:04 +0900
Subject: Re: emacs installs a lot of 777 directories
References: <1236312264.7184.1.camel@yog-sothoth.rlyeh>

Sorry, but when was emacs installed?

If you deinstall and reinstall after verifying the suspect directories are
deleted, and root's umask is 022, do you get the same problem?

Are you doing make install as a user and letting the port escalate
privileges? Or do you login, sudo or su to root?

Login via tty as root, check umask and install port.

Make install as user will su to root, but you need to check the user's umask.
Sudo will use the user's umask, not root's.
su is the same as sudo.

> su - root

This will work as it simulates a login and sets root's environment,
including the umask.

Umask is set during login; most privilege escalation commands set the euid to
root but not the uid, and they also don't run through the login process
(ie ~/.login) which sets up your environment.

Regards
Daniel

On 3/8/09, Randy Bush wrote:
> At Fri, 06 Mar 2009 13:04:24 +0900,
> Daniel Marsh wrote:
>>
>> On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote:
>> > foo.on.you:/usr/local/share# find . -type d -perm 777
>> > ./emacs/22.3/etc/tree-widget
>> > ./emacs/22.3/etc/tree-widget/folder
>> > ./emacs/22.3/etc/tree-widget/default
>>
>> Could this simply be an over-promiscuous umask being set when Emacs was
>> installed? ie. umask 000 rather than the default umask 022 for root?
>
> root's umask is 022
>
> randy

From: Randy Bush
To: Daniel Marsh
Cc: freebsd-security@freebsd.org
Date: Sun, 08 Mar 2009 11:21:37 -0700
Subject: Re: emacs installs a lot of 777 directories
References: <1236312264.7184.1.camel@yog-sothoth.rlyeh>

> And who owns the files?
>>> On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote:
>>>> foo.on.you:/usr/local/share# find . -type d -perm 777
>>>> ./emacs/22.3/etc/tree-widget
>>>> ./emacs/22.3/etc/tree-widget/folder
>>>> ./emacs/22.3/etc/tree-widget/default
>>> Could this simply be an over-promiscuous umask being set when Emacs was
>>> installed? ie. umask 000 rather than the default umask 022 for root?
>> root's umask is 022

root
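Daniel's explanation (the umask belongs to the process that creates the directory, and a su/sudo shell does not necessarily inherit the umask a login shell would set) and Randy's find check can both be exercised without root. The script below is an added example, not code from this thread: it builds a constructed directory tree under a mktemp directory, creates subdirectories under umask 022 and umask 000 to show the resulting 755 and 777 modes, and then audits the tree for world-writable directories together with their owner, which is the question Daniel asked. It assumes only POSIX sh, ls, find, cut and awk; the function names are its own.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread). Shows how the umask of the
# creating process fixes a new directory's mode, and audits a tree for
# world-writable directories. All paths are constructed under mktemp.

# perms_of DIR: print DIR's permission bits as three octal digits, derived
# from the rwx string of `ls -ld` so it works with BSD and GNU userland alike.
perms_of() {
    rwx=$(ls -ld "$1" | cut -c2-10)
    result=""
    for start in 1 4 7; do
        triplet=$(printf '%s' "$rwx" | cut -c"$start-$((start + 2))")
        v=0
        case $triplet in r??) v=$((v + 4)) ;; esac
        case $triplet in ?w?) v=$((v + 2)) ;; esac
        case $triplet in ??[xst]) v=$((v + 1)) ;; esac
        result="$result$v"
    done
    printf '%s\n' "$result"
}

# mkdir_with_umask UMASK DIR: create DIR in a subshell running under UMASK,
# so the caller's umask is untouched (a umask is per process, which is why a
# login shell and a `su` shell can differ), then print the resulting mode.
# mkdir asks for 0777, so the mode is 0777 with the umask bits cleared.
mkdir_with_umask() {
    (umask "$1" && mkdir "$2") || return 1
    perms_of "$2"
}

# world_writable_dirs ROOT: print "owner mode path" for every directory under
# ROOT with the other-write bit set. The thread searched for -perm 777
# exactly; -perm -002 also catches world-writable directories whose remaining
# bits are not all set.
world_writable_dirs() {
    find "$1" -type d -perm -002 | sort | while IFS= read -r d; do
        owner=$(ls -ld "$d" | awk '{print $3}')
        printf '%s %s %s\n' "$owner" "$(perms_of "$d")" "$d"
    done
}

# demo: constructed tree mirroring the thread's layout; prints the modes
# produced under each umask, lists the offending directories, and returns
# their count on stdout.
demo() {
    root=$(mktemp -d) || return 1
    mkdir_with_umask 022 "$root/share"        # 755: umask 022 clears group/other write
    mkdir_with_umask 000 "$root/share/lisp"   # 777: nothing cleared
    mkdir_with_umask 000 "$root/share/leim"   # 777
    world_writable_dirs "$root"
    n=$(world_writable_dirs "$root" | wc -l)
    rm -rf "$root"
    echo "$n" | tr -d ' '
}

demo
```

Running the block as-is prints 755, 777, 777, two audit lines naming the current user as owner, and the count 2. The owner column is the point of Daniel's "who owns the files?": a world-writable directory owned by root under /usr/local/share lets any local user drop or replace files that root-owned software will later load, so the audit is worth running on the real tree after a port install, and the fix for the thread's case is the umask of the shell that ran make install, not the port itself.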
From: Ivan Grover
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Tue, 10 Mar 2009 20:29:25 +0530
Subject: Re: PAM rules inside pam.d
Message-ID: <670f29e20903100759g2cb54108o5d51d10ec73c7206@mail.gmail.com>
In-Reply-To: <86eixd9e0m.fsf@ds4.des.no>

I am really sorry for this. Now the problem is resolved from our application.
The only change we made was to use crypt_r instead of crypt.

thanks very much

On Thu, Mar 5, 2009 at 2:55 AM, Dag-Erling Smørgrav wrote:
> Ivan Grover writes:
> > Dag-Erling Smørgrav writes:
> > > Ivan Grover writes:
> > > > I will plan to upgrade the PAM library and see how it goes.
> > > Upgrade what from what to what?
> > from Linux-PAM-0.78 to Linux-PAM-1.0.3.
>
> Uh, so, why did you post to a FreeBSD mailing list? This has nothing to
> do with FreeBSD, since FreeBSD does not use Linux-PAM (not since 5.1
> came out).
>
> And why didn't you answer this question the first time I asked it? Why
> did you not tell us right away which version of which library you were
> using, on which operating system? How can we answer your question if
> you won't tell us what the question is?
>
> Suggested reading:
>
> http://www.gerv.net/hacking/how-to-ask-good-questions/
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

From: Ed Sykes
To: freebsd-security@freebsd.org
Date: Wed, 11 Mar 2009 16:59:38 -0400
Subject: HSM devices and FreeBSD
Message-ID: <49B8263A.3000006@opnet.com>

I am essentially asking the same question that Eirik Overby asked a couple of
years ago. Is anyone aware of PCI-X/PCIe hardware security modules that are
supported on FreeBSD? I have not seen any on the FreeBSD hardware
compatibility lists. Again, as Eirik noted in his question, HSMs are not
simply crypto accelerators (which are supported on FreeBSD), they also are a
means of storing keys with physical, tamper-resistant security.

Thanks.

Ed Sykes

From: Eirik Øverby
To: Ed Sykes
Cc: freebsd-security@freebsd.org
Date: Wed, 11 Mar 2009 23:30:37 +0100
Subject: Re: HSM devices and FreeBSD
Message-ID: <6F15EC76-7AC8-4C63-98B9-9CA9B5B9D6EA@anduin.net>
In-Reply-To: <49B8263A.3000006@opnet.com>

On 11. mars. 2009, at 21.59, Ed Sykes wrote:
> I am essentially asking the same question that Eirik Overby asked a
> couple of years ago. Is anyone aware of PCI-X/PCIe hardware
> security modules that are supported on FreeBSD? I have not seen any
> on the FreeBSD hardware compatibility lists. Again, as Eirik noted
> in his question, HSMs are not simply crypto accelerators (which are
> supported on FreeBSD), they also are a means of storing keys with
> physical, tamper-resistant security.
Thanks for re-iterating this question. I now work for the software developer
I previously accused of leaving us in the dust, and have managed to convert
the company to using FreeBSD as our primary hosting platform ;)

The problem with supported HSM devices, however, lingers. For one device
(Thales RG8000), we've done our own software (Java) implementation of their
communications library, specific to our application. This is a
network-attached device.

For the other device we use (Thales WebSentry), we're using the Linux
pkcs#11/openssl engine implementation and associated openssl binaries, along
with our internal tools compiled on Linux. All this under Linux emulation on
FreeBSD. This works - so far - well; however, it is impossible to use Java JNI
to interface with Linux binaries, so we're still at a disadvantage.

So the question still stands: are there HSM devices out there, internal or
external, with proper FreeBSD support?

/Eirik

From: Krassimir Slavchev
To: Ed Sykes
Cc: freebsd-security@freebsd.org
Date: Thu, 12 Mar 2009 10:37:58 +0200
Subject: Re: HSM devices and FreeBSD
Message-ID: <49B8C9E6.9070308@bulinfo.net>
In-Reply-To: <49B8263A.3000006@opnet.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AFAIR nCipher have had drivers for FreeBSD but now it is not listed.

http://www.ncipher.com/en/Products/Hardware Security Modules/nShield.aspx
http://www.mail-archive.com/freebsd-hackers%40freebsd.org/msg18436.html

Ed Sykes wrote:
> I am essentially asking the same question that Eirik Overby asked a
> couple of years ago. Is anyone aware of PCI-X/PCIe hardware security
> modules that are supported on FreeBSD? I have not seen any on the
> FreeBSD hardware compatibility lists. Again, as Eirik noted in his
> question, HSMs are not simply crypto accelerators (which are supported
> on FreeBSD), they also are a means of storing keys with physical,
> tamper-resistant security.
>
> Thanks.
>
> Ed Sykes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFJuMnlxJBWvpalMpkRAtVjAJ9cHO2KLzkB+WZ4yh/2rk+ZhQfJPQCfanIL
0AQucILSKzgqkamVvjW1yNc=
=xmc+
-----END PGP SIGNATURE-----