From owner-freebsd-security@FreeBSD.ORG Sun May 1 23:08:43 2011
From: George Sanders <gosand1982@yahoo.com>
To: freebsd-security@freebsd.org
Date: Sun, 1 May 2011 15:55:25 -0700 (PDT)
Message-ID: <349555.87646.qm@web120019.mail.ne1.yahoo.com>
Subject: limiting pop access to gmail servers ?

We run our own (freebsd) mail server.  It's a pretty classic, old fashioned
/var/mail/username setup.

We have enabled POP so that certain people can pop their mail from us, and use
gmail as their mail client.

However, we have no other POP users ... and I don't want POP open to the whole
world ...

BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
from us ...

Is there an authoritative list ?

Anyone else blocking POP access to everyone BUT google ?
From owner-freebsd-security@FreeBSD.ORG Mon May 2 06:34:09 2011
From: Patrick Proniewski <patpro@patpro.net>
To: George Sanders
Cc: freebsd-security@freebsd.org
Date: Mon, 2 May 2011 08:18:30 +0200
Message-Id: <3FF47F45-A59F-4542-A65E-6069300D9224@patpro.net>
In-Reply-To: <349555.87646.qm@web120019.mail.ne1.yahoo.com>
Subject: Re: limiting pop access to gmail servers ?

Hello,

On 02 May 2011, at 00:55, George Sanders wrote:

> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...

You are right about that. According to my pop logs, my servers have encountered
about 1000 different IPs from google (920 actually).
Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.com
By the way, I'm in Europe, I'm not sure USA, Australia or Japan would see the
same gmail POP clients.

> Is there an authoritative list ?

I don't know.

> Anyone else blocking POP access to everyone BUT google ?

I don't.

patpro

From owner-freebsd-security@FreeBSD.ORG Mon May 2 07:09:39 2011
From: Gleb Kurtsou <gleb.kurtsou@gmail.com>
To: George Sanders
Cc: freebsd-security@freebsd.org
Date: Mon, 2 May 2011 12:42:04 +0600
In-Reply-To: <349555.87646.qm@web120019.mail.ne1.yahoo.com>
Subject: Re: limiting pop access to gmail servers ?

On Mon, May 2, 2011 at 4:55 AM, George Sanders wrote:
>
>
> We run our own (freebsd) mail server.  It's a pretty classic, old fashioned
> /var/mail/username setup.
>
> We have enabled POP so that certain people can pop their mail from us, and use
> gmail as their mail client.
>
> However, we have no other POP users ... and I don't want POP open to the whole
> world ...
>
> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...
>
> Is there an authoritative list ?
>
> Anyone else blocking POP access to everyone BUT google ?

Didn't try it myself, just a wild guess. Hopefully google pop clients
use real ssl certificates signed by google to authenticate. Mutual ssl
authentication is hardly ever used, but still.

Set up pop over ssl and check for google certificates instead.

Gleb.

From owner-freebsd-security@FreeBSD.ORG Mon May 2 07:12:31 2011
From: cronfy <cronfy@gmail.com>
Date: Mon, 2 May 2011 10:41:59 +0400
In-Reply-To: <3FF47F45-A59F-4542-A65E-6069300D9224@patpro.net>
To: freebsd-security@freebsd.org, gosand1982@yahoo.com
Subject: Re: limiting pop access to gmail servers ?

Hi,

> > BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> > from us ...
>
> You are right about that. According to my pop logs, my servers have
> encountered about 1000 different IPs from google (920 actually).
> Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.com
> By the way, I'm in Europe, I'm not sure USA, Australia or Japan would see
> the same gmail POP clients.

You can make active checks for incoming connections. If the reverse DNS record
is valid (ip -> resolves to name -> resolves to same ip) and it matches the
'.*google.com$' regexp, then it is Google.
--
Олег Петрачев

From owner-freebsd-security@FreeBSD.ORG Mon May 2 07:51:04 2011
From: freebsd-lists@albury.net.au
To: George Sanders
Cc: freebsd-security@freebsd.org
Date: Mon, 2 May 2011 17:23:07 +1000 (EST)
Message-ID: <20110502171811.Y39066@ali-syd-1.albury.net.au>
In-Reply-To: <349555.87646.qm@web120019.mail.ne1.yahoo.com>
Subject: Re: limiting pop access to gmail servers ?

> We have enabled POP so that certain people can pop their mail from us, and use
> gmail as their mail client.
>
> However, we have no other POP users ... and I don't want POP open to the whole
> world ...
>
> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...

While not a "strong" solution, out-of-the box, I'd suggest in
/etc/hosts.allow (probably after the "paranoid" line to make inetd check
fwd/reverse match)

ALL : PARANOID : RFC931 20 : deny

assuming you use qpopper (change as required)

qpopper : .google.com : allow
qpopper : x.x.x.0/255.255.255.0 : allow    (your directly-connected users)
qpopper : all : deny

RossW

From owner-freebsd-security@FreeBSD.ORG Mon May 2 13:32:19 2011
From: Kapil Jain <kapil@sh3lls.net>
To: freebsd-security@freebsd.org
Date: Mon, 2 May 2011 17:56:38 +0530
Message-Id: <6D96B8FE-5820-47A9-ACA5-CF8A1C06FAB7@sh3lls.net>
In-Reply-To: <20110502120037.ED22D10657C4@hub.freebsd.org>
Subject: Re: freebsd-security Digest, Vol 371, Issue 1

Try to change the port for pop3, use some weird port, and specify that port in
your gmail account for fetching. It's not foolproof but it might work for you.

Kapil Jain

Sent from my iPad

On 02-May-2011, at 5:30 PM, freebsd-security-request@freebsd.org wrote:

> [freebsd-security Digest, Vol 371, Issue 1: the five messages above, quoted
> in full; omitted here as a verbatim copy]
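The check cronfy describes, which is also what RossW's tcp_wrappers rules do declaratively, as an added example; it is not code from any poster in this thread. It implements forward-confirmed reverse DNS (the test tcpd's PARANOID keyword performs: the PTR name's own forward lookup must contain the connecting address) and then matches the confirmed name against the mail-xx0-x00.google.com shape Patrick observed. The resolver is injected so the logic runs offline against constructed records: the pairing 209.85.215.182 / mail-ey0-f182.google.com is taken from a Received header on this page, every other address is from the RFC 5737 documentation ranges and the scenario is made up. One caveat the regexp in cronfy's post hides: a pattern such as `.*google.com$` without an anchored literal dot also accepts `notgoogle.com`, so the pattern below anchors the label boundary.

```python
"""FCrDNS + name-pattern gate for a POP3 listener (added example, not a poster's code)."""
import ipaddress
import re
import socket
from typing import Callable, List

# Shape of the fetcher names Patrick reported: mail-[a-z][a-z][0-9]-[a-z][0-9]+.google.com
# The literal "\.google\.com$" anchors the label boundary; a bare "google.com$"
# would also accept "notgoogle.com".
GMAIL_FETCHER_RE = re.compile(r"^mail-[a-z]{2}[0-9]-[a-z][0-9]+\.google\.com$")

ReverseLookup = Callable[[str], List[str]]  # ip -> PTR names
ForwardLookup = Callable[[str], List[str]]  # name -> A/AAAA addresses


def fcrdns_names(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> List[str]:
    """Return the PTR names of `ip` whose own forward records include `ip`.

    A PTR alone is set by whoever controls the reverse zone for the address,
    so it proves nothing; the forward confirmation is what binds the name to
    the address (the check tcp_wrappers' PARANOID keyword performs).
    """
    addr = ipaddress.ip_address(ip)
    confirmed = []
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        try:
            forward_addrs = {ipaddress.ip_address(a) for a in forward(name)}
        except ValueError:  # malformed address in the answer: no confirmation
            continue
        if addr in forward_addrs:
            confirmed.append(name)
    return confirmed


def is_gmail_fetcher(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """True only if a forward-confirmed name of `ip` matches the fetcher pattern."""
    return any(GMAIL_FETCHER_RE.match(n) for n in fcrdns_names(ip, reverse, forward))


# Live resolvers for real use (need network access).
def system_reverse(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host, *aliases]


def system_forward(name: str) -> List[str]:
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# Constructed records for offline use. 209.85.215.182 / mail-ey0-f182.google.com is
# the one pairing visible in a Received header in this thread; the rest are
# RFC 5737 documentation addresses with made-up names.
FAKE_PTR = {
    "209.85.215.182": ["mail-ey0-f182.google.com"],               # genuine: forward confirms
    "203.0.113.7": ["mail-ey0-f182.google.com"],                  # spoofed PTR: forward points elsewhere
    "203.0.113.8": ["mail-ab1-c23.google.com.attacker.example"],  # google.com buried mid-name
    "198.51.100.5": ["pop.notgoogle.com"],                        # passes an unanchored google.com$
}
FAKE_A = {
    "mail-ey0-f182.google.com": ["209.85.215.182"],
    "mail-ab1-c23.google.com.attacker.example": ["203.0.113.8"],
    "pop.notgoogle.com": ["198.51.100.5"],
}


def fake_reverse(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip in FAKE_PTR:
        verdict = "allow" if is_gmail_fetcher(ip, fake_reverse, fake_forward) else "deny"
        print(f"{ip:16} {fake_reverse(ip)[0]:45} -> {verdict}")
```

On a real listener, pass `system_reverse` and `system_forward` instead of the fakes and drop the session when `is_gmail_fetcher` returns false. Be clear about what this buys: it ties the connecting address to a name under google.com, which removes most of the Internet from the password-guessing surface, but it is not authentication; the POP3 credentials and TLS still carry the weight. Google's fetcher pool also changes over time, which is why the rule is name-based rather than a frozen list of the roughly 920 addresses Patrick counted.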
From owner-freebsd-security@FreeBSD.ORG Fri May 6 15:21:12 2011
From: Daniel Jacobsson <daniel.jacobsson.90@gmail.com>
To: freebsd-security@freebsd.org
Date: Fri, 06 May 2011 17:13:50 +0200
Message-ID: <4DC4102E.8000700@gmail.com>
In-Reply-To: <4DC40E21.6040503@gmail.com>
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

Daniel Jacobsson wrote 2011-05-06 17:05:
> I read this (http://www.petur.eu/blog/?p=459) blog post today. It's
> about that a remote user with root privileges to a FreeBSD jail & user
> privileges to the jail's host machine can obtain root privileges on the
> host machine.
> Can someone confirm if this bug/exploit works?

Ah, think I found an old post
(http://freebsd.1045724.n5.nabble.com/Thoughts-on-jail-privilege-FAQ-submission-td4219099.html)
about this subject, so it seems to be old news.

From owner-freebsd-security@FreeBSD.ORG Fri May 6 15:37:43 2011
From: Daniel Jacobsson <daniel.jacobsson.90@gmail.com>
To: freebsd-security@freebsd.org
Date: Fri, 06 May 2011 17:05:05 +0200
Message-ID: <4DC40E21.6040503@gmail.com>
Subject: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)

I read this (http://www.petur.eu/blog/?p=459) blog post today. It's
about that a remote user with root privileges to a FreeBSD jail & user
privileges to the jail's host machine can obtain root privileges on the
host machine.
Can someone confirm if this bug/exploit works?
From owner-freebsd-security@FreeBSD.ORG Fri May 6 16:03:13 2011
From: Chris Rees <utisoft@gmail.com>
To: Daniel Jacobsson
Cc: freebsd-security@freebsd.org
Date: Fri, 6 May 2011 16:38:34 +0100
Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails (Pétur)
Reply-To: utisoft@gmail.com

On 6 May 2011 16:27, "Daniel Jacobsson" wrote:
>
> Daniel Jacobsson wrote 2011-05-06 17:05:
>>
>> I read this (http://www.petur.eu/blog/?p=459) blog post today. It's about
>> that a remote user with root privileges to a FreeBSD jail & user privileges
>> to the jail's host machine can obtain root privileges on the host machine.
>> Can someone confirm if this bug/exploit works?
>
> Ah, think I found an old post
> (http://freebsd.1045724.n5.nabble.com/Thoughts-on-jail-privilege-FAQ-submission-td4219099.html)
> about this subject, so it seems to be old news.

Oops, looks like I broke my promise to make a doc entry... Thanks for reminding me!

Chris

From owner-freebsd-security@FreeBSD.ORG Fri May 6 16:16:54 2011
From: Mark Felder <feld@feld.me>
To: freebsd-security@freebsd.org
Date: Fri, 06 May 2011 10:54:01 -0500
In-Reply-To: <4DC4102E.8000700@gmail.com>
Content-Transfer-Encoding: 7bit From: "Mark Felder" Message-ID: In-Reply-To: <4DC4102E.8000700@gmail.com> User-Agent: Opera Mail/11.50 (FreeBSD) Subject: Re: =?utf-8?q?Rooting_FreeBSD_=2C_Privilege_Escalation_using_Jail?= =?utf-8?b?cyAoUMOpdHVyKQ==?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 May 2011 16:16:54 -0000 On Fri, 06 May 2011 10:13:50 -0500, Daniel Jacobsson wrote: > Can someone confirm if this bugg/exploit works? It's really not a bug or exploit... it's just the guy being crafty. It only makes sense: the jails access the same filesystem as the host. Put a file setuid in the jail and use your user on the host to execute that file and voila, you're now running that executable as root. Your users should NEVER have access to the host of the jail. From owner-freebsd-security@FreeBSD.ORG Fri May 6 18:12:30 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 889A81065672 for ; Fri, 6 May 2011 18:12:30 +0000 (UTC) (envelope-from utisoft@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 1118E8FC13 for ; Fri, 6 May 2011 18:12:29 +0000 (UTC) Received: by bwz12 with SMTP id 12so3949526bwz.13 for ; Fri, 06 May 2011 11:12:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:reply-to:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=KkAa3eJ3pLx1sNBBaK/z7u7RWfvQwa8tzxvBlJIMPRg=; b=o3swtrbSSfH9t5a5mm5P5IkImWvD79K7OIDiPEAcSS14QyiiAfx6a819G68gRJAdy6 m6XW7wH9cy206D06mKdaLmN4o09KdgeVfw1VKtzvNkVkPP9d0hUNfEP28WeiBbdEj6GM m3hHdivuAj/WiFmdio39GsnsjuZDInI/ukf5s= DomainKey-Signature: 
a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; b=ZOalJm6a3Sl201qvN6/GPExQH4AOC3ivMGX0tg16SSwvORyEW022qtJugap8FE7E+a JLTypCBjfFIwaLvbq7bSRVYPq123WXIX4TLIahN+iWIr2FtBTzELcQwkUQGvgluwFost 8SfuHYee3CBIMBYS5yjeckuCwt7QLLd7+0o4M= MIME-Version: 1.0 Received: by 10.204.231.198 with SMTP id jr6mr2057847bkb.205.1304705548743; Fri, 06 May 2011 11:12:28 -0700 (PDT) Received: by 10.204.42.21 with HTTP; Fri, 6 May 2011 11:12:28 -0700 (PDT) Received: by 10.204.42.21 with HTTP; Fri, 6 May 2011 11:12:28 -0700 (PDT) In-Reply-To: References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> Date: Fri, 6 May 2011 19:12:28 +0100 Message-ID: From: Chris Rees To: Mark Felder Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: =?iso-8859-1?q?Re=3A_Rooting_FreeBSD_=2C_Privilege_Escalation_us?= =?iso-8859-1?q?ing_Jails_=28P=E9tur=29?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: utisoft@gmail.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 May 2011 18:12:30 -0000 On 6 May 2011 17:18, "Mark Felder" wrote: > > On Fri, 06 May 2011 10:13:50 -0500, Daniel Jacobsson < daniel.jacobsson.90@gmail.com> wrote: > >> Can someone confirm if this bugg/exploit works? > > > It's really not a bug or exploit... it's just the guy being crafty. It only makes sense: the jails access the same filesystem as the host. Put a file setuid in the jail and use your user on the host to execute that file and voila, you're now running that executable as root. > > Your users should NEVER have access to the host of the jail. 
> > From owner-freebsd-security@FreeBSD.ORG Fri May 6 20:56:05 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E65EE1065673 for ; Fri, 6 May 2011 20:56:05 +0000 (UTC) (envelope-from utisoft@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id 709B58FC13 for ; Fri, 6 May 2011 20:56:04 +0000 (UTC) Received: by bwz12 with SMTP id 12so4091895bwz.13 for ; Fri, 06 May 2011 13:56:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc:content-type; bh=yS5xKX0PkmNRepj/JzexPTJGFdly0iI42QQUubyr5q0=; b=S20c464UvdvjoJnZ/Va2dB4jkIhMh5HxMhPrIxlYVppIpvptBIlTNmf8rRjZLWT/dG A31Bo4VukvR6MFsrzkVI3W3aYjYk26BlMTKZmyd0uhxrailSUDMnS4DdV6KxhQV+xCeL EqPzs7QCJTVnsFEAfJe6riy47MaPX3DKBaB1w= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; b=oOdBE6HPP9ZeqjhVu79kCs+6AwsDkVt1fU/pwL8Yd0chV9Hs1yzzH0u+6I4vc3eoy/ Ol60yFgiaoEdgx9+f/8p29jkLFI+9we0kt/byS0s0FLB+x5J8t+Rqj0WiNY62h36AJqH toruWuwl1DUcm8MhfzyFxXawL/UwlGi0Fjxds= Received: by 10.204.41.16 with SMTP id m16mr676663bke.151.1304715363184; Fri, 06 May 2011 13:56:03 -0700 (PDT) MIME-Version: 1.0 Received: by 10.204.42.21 with HTTP; Fri, 6 May 2011 13:55:33 -0700 (PDT) In-Reply-To: References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> From: Chris Rees Date: Fri, 6 May 2011 21:55:33 +0100 Message-ID: To: Mark Felder Content-Type: text/plain; charset=ISO-8859-1 Cc: freebsd-security@freebsd.org Subject: =?iso-8859-1?q?Re=3A_Rooting_FreeBSD_=2C_Privilege_Escalation_us?= =?iso-8859-1?q?ing_Jails_=28P=E9tur=29?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 
Precedence: list Reply-To: utisoft@gmail.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 May 2011 20:56:06 -0000 On 6 May 2011 16:54, Mark Felder wrote: > On Fri, 06 May 2011 10:13:50 -0500, Daniel Jacobsson > wrote: > >> Can someone confirm if this bugg/exploit works? > > It's really not a bug or exploit... it's just the guy being crafty. It only > makes sense: the jails access the same filesystem as the host. Put a file > setuid in the jail and use your user on the host to execute that file and > voila, you're now running that executable as root. > > Your users should NEVER have access to the host of the jail. All the same, I've sent a PR [1] with some doc patches to make people more aware of this -- fulfilling my promise of 2+ years ago :S Thanks! Chris [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 From owner-freebsd-security@FreeBSD.ORG Sat May 7 22:31:50 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 684A0106566C for ; Sat, 7 May 2011 22:31:50 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [IPv6:2001:5c0:1100:200::3]) by mx1.freebsd.org (Postfix) with ESMTP id 1E4EA8FC0C for ; Sat, 7 May 2011 22:31:50 +0000 (UTC) X-Catflap-Envelope-From: X-Catflap-Envelope-To: freebsd-security@freebsd.org Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.4/8.14.3) with ESMTP id p47MVl8P035492; Sat, 7 May 2011 23:31:47 +0100 (BST) (envelope-from jamie@catflap.bishopston.net) Received: (from jamie@localhost) by catflap.bishopston.net (8.14.4/8.12.9/Submit) id p47MVktY035491; Sat, 7 May 2011 23:31:46 +0100 (BST) From: Jamie Landeg Jones Message-Id: <201105072231.p47MVktY035491@catflap.bishopston.net> Date: Sat, 07 
May 2011 23:31:46 +0100 Organization: http://www.bishopston.com/jamie/ To: utisoft@gmail.com, feld@feld.me References: <4DC40E21.6040503@gmail.com> <4DC4102E.8000700@gmail.com> In-Reply-To: User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: Rooting FreeBSD , Privilege Escalation using Jails =?iso-8859-1?q?=28P=EF=BF=BDtur=29?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 07 May 2011 22:31:50 -0000 > All the same, I've sent a PR [1] with some doc patches to make people > more aware of this -- fulfilling my promise of 2+ years ago :S > > Thanks! > > Chris > > [1] http://www.freebsd.org/cgi/query-pr.cgi?pr=156853 Um. Some problems here. A jail won't work for not-root users if the jail root directory is chmod 700 - although there is obviously a 'chroot' running withing the jail, the jailed user still needs to have read permission from the hosts / -- chmod 700 therefore locks all non-root users out. I would suggest you add to the docs about the UID clash problem - untrusted users on the host shouldn't have the same UID/GID as jailed users, as they will have access to their files. And of course, the bit mentioned earlier where an untrusted jail user with jail-root access should NEVER have access to the host!o Among other things, my password file in both jails and the host has this line: # 8000 to 9999 - Reserved for use within jails - do not use in main host! cheers, Jamie
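An audit script for the two points raised in this thread (Mark's setuid-file-in-a-jail observation and Jamie's UID clash note), added here as an example; it is not code from the thread or from FreeBSD. The function names are made up, the caller supplies the jail root and passwd file paths, and the 8000-9999 range is the reservation Jamie quotes.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): audit helpers for the
# two conditions discussed above. Function names are hypothetical.

# Print every setuid or setgid regular file below the jail root in $1.
# A root-owned one that a host-side user can reach is the case Mark
# describes; check ownership with ls -l on anything reported.
list_setuid_in_jail() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Same scan reduced to a count (prints 0 when the jail root is clean).
count_setuid_in_jail() {
    list_setuid_in_jail "$1" | awk 'END { print NR }'
}

# Print "uid host_user jail_user" for every UID present in both files.
# $1 (host) and $2 (jail) are passwd(5)/master.passwd(5)-style files:
# UID is field 3. Comment and blank lines are skipped, so a reservation
# note like Jamie's is harmless. UID 0 is expected in both and not listed.
uid_clashes() {
    awk -F: '
        /^#/ || NF < 3 || $3 == 0 { next }
        FNR == NR                  { host_user[$3] = $1; next }
        ($3 in host_user)          { print $3, host_user[$3], $1 }
    ' "$1" "$2"
}

# Print "user uid" for accounts in $1 whose UID lies in $2..$3, i.e.
# host accounts that stray into a range reserved for jails.
host_uids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" '
        /^#/ || NF < 3                         { next }
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0   { print $1, $3 }
    ' "$1"
}

# Usage: jail_audit.sh JAIL_ROOT HOST_PASSWD JAIL_PASSWD
if [ "$#" -eq 3 ]; then
    echo "setuid/setgid files under $1:"
    list_setuid_in_jail "$1"
    echo "UIDs shared by host and jail:"
    uid_clashes "$2" "$3"
    echo "host accounts in the reserved jail range 8000-9999:"
    host_uids_in_range "$2" 8000 9999
fi
```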