From owner-freebsd-security@FreeBSD.ORG Mon Jul 15 04:01:00 2013
From: cfp@ruxcon.org.au
To: freebsd-security@freebsd.org
Subject: Ruxcon 2013 Final Call For Papers
Date: Mon, 15 Jul 2013 13:54:29 +1000 (EST)

Ruxcon 2013 Final Call For Papers
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/

The Ruxcon team is pleased to announce the final call for papers for Ruxcon.

This year the conference will take place over the weekend of the 26th and 27th of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 31st of August.

.[x]. About Ruxcon .[x].

Ruxcon is a premier technical computer security conference in Australia. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.

For more information, please visit http://www.ruxcon.org.au

.[x]. Important Dates .[x].

August 31 - Call For Presentations Close
October 26-27 - Ruxcon Conference

.[x]. Topic Scope .[x].

Topics of interest include, but are not limited to:

o Mobile Device Security
o Virtualization, Hypervisor, and Cloud Security
o Malware Analysis
o Reverse Engineering
o Exploitation Techniques
o Rootkit Development
o Code Analysis
o Forensics and Anti-Forensics
o Embedded Device Security
o Web Application Security
o Network Traffic Analysis
o Wireless Network Security
o Cryptography and Cryptanalysis
o Social Engineering
o Law Enforcement Activities
o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)

.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

1. Presentation title
2. Detailed summary of your presentation material
3. Name/Nickname
4. Mobile phone number
5. Brief personal biography
6. Description of any demonstrations involved in the presentation
7. Information on where the presentation material has or will be presented before Ruxcon

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, including question time.

If you have any enquiries about submissions, or would like to make a submission, please send an email to presentations@ruxcon.org.au

The deadline for submissions is the 31st of August.

.[x]. Contact .[x].

o Email: presentations@ruxcon.org.au
o Twitter: @ruxcon

From owner-freebsd-security@FreeBSD.ORG Thu Jul 18 13:09:11 2013
From: "Julian H. Stacey"
To: freebsd-jail@freebsd.org, freebsd-security@freebsd.org
Cc: np@bsn.com
Subject: /dev/pts/0 in a jail shows no one is observing from outer prison.
Date: Thu, 18 Jul 2013 15:08:40 +0200

Hi freebsd-jail@freebsd.org, freebsd-security@freebsd.org
cc: np@bsn.com

I noticed something within a jail that seems a little slack:

A ssh to a jail followed by Who, if it shows just pts/0, shows no one else is logged in { within jail And Also Outer Prison [And presumably also other parallel jails] }.

(OK Yes, an admin might be logged in to prison on a direct wire or ttyv but most unlikely in the common case of a remote server farm)

So the person logging in to the jail is effectively told "Owner of the prison is also absent, now is a good time to try exploits."

Ideally within a jail, logins would get no indication if the prison & other jails were logged in or not.

(OK, Yes, one might argue on a traditional non prison & jails server, one can also see who is, or not, logged in on one large common system, but presumably one benefit of putting users in jails should be the jailed should no longer see presence of outside users ?)

Is it viable to tighten the default ?

man jail has: devfs_ruleset zero (default)

I was using a jail created by ezjail.

The outer prison (names obfuscated)

    mount | grep dev
    devfs on /dev (devfs, local, multilabel)
    devfs on /tank4/ezjail/jail1.org/dev (devfs, local, multilabel)
    fdescfs on /tank4/ezjail/jail1.org/dev/fd (fdescfs)
    devfs on /tank4/ezjail/jail2.org/dev (devfs, local, multilabel)
    fdescfs on /tank4/ezjail/jail2.org/dev/fd (fdescfs)

Why I noticed: My DSL link timed out, ( no sshd with TCPKeepAlive=Yes, & failed ping -i 120 -q my-isp.de ) Within jail, after who & ps -t to kill junk, new logins persisted at pts/1, not pts/0.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Reply below not above, like a play script. Indent old text with "> ".
Send plain text. No quoted-printable, HTML, base64, multipart/alternative.

From owner-freebsd-security@FreeBSD.ORG Fri Jul 19 06:35:27 2013
From: Dag-Erling Smørgrav
To: "Julian H. Stacey"
Cc: freebsd-security@freebsd.org, freebsd-jail@freebsd.org, np@bsn.com
Subject: Re: /dev/pts/0 in a jail shows no one is observing from outer prison.
Date: Fri, 19 Jul 2013 08:34:45 +0200

"Julian H. Stacey" writes:
> A ssh to a jail followed by Who, if it shows just pts/0, shows
> no one else is logged in { within jail And Also Outer Prison
> [And presumably also other parallel jails] }.

Not really, it just shows that pts/0 was available. Like file descriptors, pseudo-ttys are allocated on a first-unused basis. There could be twenty people logged in; if the first logs out, the twenty-first gets pts/0.

Also, please read the warning at the start of the jail chapter in the FreeBSD handbook. I should probably update it to note that there are many ways in which information can leak between jails and the host.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Jul 19 22:39:38 2013
From: "Julian H. Stacey"
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-jail@freebsd.org, np@bsn.com
Subject: Re: /dev/pts/0 in a jail shows no one is observing from outer prison.
Date: Sat, 20 Jul 2013 00:38:57 +0200

Hi,
Reference:
> From: Dag-Erling Smørgrav
> Date: Fri, 19 Jul 2013 08:34:45 +0200

Dag-Erling Smørgrav wrote:
> "Julian H. Stacey" writes:
> > A ssh to a jail followed by Who, if it shows just pts/0, shows
> > no one else is logged in { within jail And Also Outer Prison
> > [And presumably also other parallel jails] }.
>
> Not really, it just shows that pts/0 was available. Like file
> descriptors, pseudo-ttys are allocated on a first-unused basis. There
> could be twenty people logged in; if the first logs out, the
> twenty-first gets pts/0.

Thanks DES, Yes, I suppose so, on busy hardware. It was more obvious what was going on with my prison & jail as that was lightly logged in.

If FreeBSD wanted to obscure the information, I suppose one could do a kernel tweak to do pty allocation from a cyclic buffer, (like PID IDs) rather than searching sequentially from 0 each time, but I guess there's more interesting things to do than that.

> Also, please read the warning at the start of the jail chapter in the
> FreeBSD handbook.

Wow ! Light dawns brightly !

> I should probably update it to note that there are
> many ways in which information can leak between jails and the host.

If so do, maybe add
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
next to
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
If you think appropriate. Thanks.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Reply below not above, like a play script. Indent old text with "> ".
Send plain text. No quoted-printable, HTML, base64, multipart/alternative.
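
Added example, not part of the thread and not FreeBSD's code: a small C model of the two pty-numbering policies discussed above, the first-unused allocation DES describes and the cyclic allocation Julian floats, run on DES's twenty-logins case and Julian's stale-session case. The pool size, the struct and the function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NPTS 64                      /* constructed pool size for this model */

struct pool {
    unsigned char used[NPTS];        /* 1 = index held by a session */
    int next;                        /* where the cyclic search resumes */
};

/* Hand out a pty index. cyclic == 0: scan from 0 every time (first-unused,
 * as DES describes). cyclic == 1: resume after the last index handed out
 * (the PID-like tweak Julian floats). Returns -1 if the pool is full. */
static int pts_alloc(struct pool *p, int cyclic)
{
    int start = cyclic ? p->next : 0;
    for (int n = 0; n < NPTS; n++) {
        int i = (start + n) % NPTS;
        if (!p->used[i]) {
            p->used[i] = 1;
            p->next = (i + 1) % NPTS;
            return i;
        }
    }
    return -1;
}

/* Log `others` sessions in, log out the holder of index `leaver`
 * (-1 = nobody leaves), and return the index the next login receives. */
static int next_login_index(int cyclic, int others, int leaver)
{
    struct pool p;
    memset(&p, 0, sizeof p);
    for (int i = 0; i < others; i++)
        pts_alloc(&p, cyclic);
    if (leaver >= 0 && leaver < NPTS)
        p.used[leaver] = 0;
    return pts_alloc(&p, cyclic);
}

int main(void)
{
    /* DES's case: twenty logged in, the first logs out, the 21st arrives. */
    printf("first-unused, 20 in, first out: pts/%d\n", next_login_index(0, 20, 0));
    printf("cyclic,       20 in, first out: pts/%d\n", next_login_index(1, 20, 0));
    /* Julian's case: one stale session still holds pts/0. */
    printf("first-unused, stale pts/0:      pts/%d\n", next_login_index(0, 1, -1));
    return 0;
}
```

In this model a first-unused index N only shows that indexes 0 to N-1 were taken when the session started, while a cyclic index advances with every allocation and so no longer reflects how many sessions are open.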