From owner-freebsd-security Mon Oct 27 01:41:56 1997
From: Sheldon Hearn
To: freebsd-security@freebsd.org
Subject: 2.2.5-RELEASE ERRATA.TXT
Date: Mon, 27 Oct 1997 11:39:39 +0200
Message-ID: <21595.877945179@axl.iafrica.com>
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

It seems a little unfair to be pissing in the faces of users who don't check the ERRATA.TXT for 2.2.5-RELEASE before asking about security issues like the open() syscall and whether their fixes made it into the release when said errata file is empty.

There is a reference to ftp://freebsd.org/pub/CERT/ in the ERRATA.TXT file but the most recent bug at this location is the procfs hole. :)

2c.sheldonh

Sheldon Hearn (FreeBSD 2.2-STABLE User)

ftp://ftp.freebsd.org/pub/FreeBSD/2.2.5-RELEASE/ERRATA.TXT

This file contains post-release ERRATA for 2.2.5 and should always be considered the definitive place to look *first* before reporting a problem with this release. This file will also be periodically updated as new issues are reported so even if you've checked this file recently, check it again before filing a bug report.

For 2.2.5 security advisories, see:

        ftp://freebsd.org/pub/CERT/

For the latest information (note the URL carefully - this is NOT ftp.freebsd.org).

---- Current active security advisories for 2.2.5:

None

---- ERRATA:

No known errata at this time.
From owner-freebsd-security Mon Oct 27 08:01:30 1997
To: Sheldon Hearn
cc: freebsd-security@FreeBSD.ORG
Subject: Re: 2.2.5-RELEASE ERRATA.TXT
In-reply-to: Your message of "Mon, 27 Oct 1997 11:39:39 +0200." <21595.877945179@axl.iafrica.com>
Date: Mon, 27 Oct 1997 08:00:58 -0800
Message-ID: <2503.877968058@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> It seems a little unfair to be pissing in the faces of users who don't
> check the ERRATA.TXT for 2.2.5-RELEASE before asking about security
> issues like the open() syscall and whether their fixes made it into the
> release when said errata file is empty.

It's only empty now - wait for it to be fleshed out a bit over the next few days.

Jordan

From owner-freebsd-security Tue Oct 28 16:53:59 1997
Date: Wed, 29 Oct 97 08:50 EST
X-Sender: admin@mail.foxconn.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: freebsd-security@freebsd.org
From: Jack Yang
Subject: subscribe
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

help

From owner-freebsd-security Tue Oct 28 18:23:52 1997
Date: Wed, 29 Oct 97 10:18 EST
X-Sender: admin@mail.foxconn.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: freebsd-security@freebsd.org
From: Jack Yang
Subject: subscribe
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

help
subscribe

From owner-freebsd-security Wed Oct 29 03:13:18 1997
Message-Id: <199710291213.NAA02257@gate1.rzeczpospolita.pl>
Comments: Authenticated sender is
From: "Piotr Szymanek"
To: freebsd-security@freebsd.org
Date: Wed, 29 Oct 1997 13:13:36 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: selective pop3
Priority: normal
X-mailer: Pegasus Mail for Win32 (v2.54)
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Is it possible to grant access to the pop3 server to some users and reject for the rest?

If yes, then is it possible to restrict pop3 access based on the client's address?

-- Piotrek

================================================
Piotr Szymanek            szymanek@rzeczpospolita.pl
tel/fax: (48 22) 629-34-54
==============================================:)

From owner-freebsd-security Wed Oct 29 04:02:20 1997
Message-ID: <19971029130053.20797@deepo.prosa.dk>
Date: Wed, 29 Oct 1997 13:00:53 +0100
From: Philippe Regnauld
To: Piotr Szymanek
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
References: <199710291213.NAA02257@gate1.rzeczpospolita.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Description: Main Body
X-Mailer: Mutt 0.69
In-Reply-To: <199710291213.NAA02257@gate1.rzeczpospolita.pl>; from Piotr Szymanek on Wed, Oct 29, 1997 at 01:13:36PM +0000
X-Operating-System: FreeBSD 2.2.1-RELEASE i386
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Piotr Szymanek writes:
> Is it possible to grant access to the pop3 server to some users and
> reject for the rest?
>
> If yes, then is it possible to restrict pop3 access based on the client's
> address?

Tcp wrappers. But you can only do IP level decisions, not user-level.

Or hack the pop3 server sources.

--
-- Phil

-[ Philippe Regnauld / Systems Administrator / regnauld@deepo.prosa.dk ]-
-[ Location.: +55.4N +11.3E      PGP Key: finger regnauld@hotel.prosa.dk ]-

From owner-freebsd-security Wed Oct 29 05:23:43 1997
Message-Id: <199710291322.FAA00906@cwsys.cwsent.com>
X-Mailer: exmh version 2.0gamma 1/27/96
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: "Piotr Szymanek"
cc: freebsd-security@freebsd.org, cschuber@uumail.gov.bc.ca
Subject: Re: selective pop3
In-reply-to: Your message of "Wed, 29 Oct 1997 13:13:36 GMT." <199710291213.NAA02257@gate1.rzeczpospolita.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 29 Oct 1997 05:21:50 -0800
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

If you're using popper, there is a file in /usr/local/etc called pop.auth or pop_auth. I've seen both, depending on what you put into some #define when building the package.

Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
UNIX Support                    OV/VM:    BCSC02(CSCHUBER)
ITSD                            BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC                Internet: cschuber@uumail.gov.bc.ca
                                          Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."

> Is it possible to grant access to the pop3 server to some users and
> reject for the rest?
>
> If yes, then is it possible to restrict pop3 access based on the client's
> address?
>
> -- Piotrek
>
> ================================================
> Piotr Szymanek            szymanek@rzeczpospolita.pl
> tel/fax: (48 22) 629-34-54
> ==============================================:)
>

From owner-freebsd-security Wed Oct 29 05:38:39 1997
Message-ID: <34573B82.8FB93CD1@lab321.ru>
Date: Wed, 29 Oct 1997 19:34:58 +0600
From: Eugeny Kuzakov
Organization: Powered by FreeBSD.
X-Mailer: Mozilla 4.03b8 [en] (X11; I; FreeBSD 3.0-971012-SNAP i386)
MIME-Version: 1.0
To: Philippe Regnauld
CC: Piotr Szymanek, freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
References: <199710291213.NAA02257@gate1.rzeczpospolita.pl> <19971029130053.20797@deepo.prosa.dk>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Philippe Regnauld wrote:
> Or hack the pop3 server sources.

....with libwrap...

--
Best wishes,
Eugeny Kuzakov
Laboratory 321 ( Omsk, Russia )
http://www.lab321.ru/~kev
kev@lab321.ru

From owner-freebsd-security Wed Oct 29 05:59:56 1997
From: Shashi Joshi
Message-Id: <199710291357.IAA11330@shift-f1.com>
Subject: Re: selective pop3
In-Reply-To: <199710291213.NAA02257@gate1.rzeczpospolita.pl> from Piotr Szymanek at "Oct 29, 97 01:13:36 pm"
To: szymanek@rzeczpospolita.pl (Piotr Szymanek)
Date: Wed, 29 Oct 1997 08:57:06 -0500 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As you so eloquently worked magic with your keyboard once again ->
> Is it possible to grant access to the pop3 server to some users and
> reject for the rest?
>
> If yes, then is it possible to restrict pop3 access based on the client's
> address?
>
> -- Piotrek

If you put a username in /etc/ftpusers, they can't ftp at all no matter what. Such users will ALSO NOT BE ABLE TO USE POP3. They can login if they are not restricted thru /etc/login.access.

But if you want the POP3 disabled users to have ftp access, then this will NOT work.

I accidentally discovered this when I couldn't get my own mail via POP3!

------------------------------------------------------------------------
Shift-F1, Inc.            | Shashi Joshi       | shashi@shift-f1.com
Your KEY to Help!
                          | 770-370-5325 (Day) | Page: 911@shift-f1.com
PO Box 3055               |                    | Ph: 770-424-6958
Marietta GA 30061-3055    |                    | Fx: 770-424-4689
------------------------------------------------------------------------

From owner-freebsd-security Wed Oct 29 07:51:38 1997
From: Yury Yaroshevsky
Message-Id: <199710291548.RAA16604@info.dgtu.donetsk.ua>
Subject: Re: selective pop3
To: regnauld@deepo.prosa.dk (Philippe Regnauld)
Date: Wed, 29 Oct 1997 17:48:04 +0200 (EET)
Cc: freebsd-security@freebsd.org
In-Reply-To: <19971029130053.20797@deepo.prosa.dk> from "Philippe Regnauld" at Oct 29, 97 01:00:53 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> Piotr Szymanek writes:
> > Is it possible to grant access to the pop3 server to some users and
> > reject for the rest?

Yes. Use Tcp wrappers for this.

> >
> > If yes, then is it possible to restrict pop3 access based on the client's
> > address?
>
> Tcp wrappers. But you can only do IP level decisions, not user-level.
                                    ^^^^^^^^^

Only IP level??? If ident is used, you can restrict pop3 access for some accounts.

See man hosts_options:

USERNAME LOOKUP

rfc931 [ timeout_in_seconds ]
    Look up the client user name with the RFC 931 (TAP, IDENT, RFC 1413) protocol. This option is silently ignored in case of services based on transports other than TCP. It requires that the client system runs an RFC 931 (IDENT, etc.) -compliant daemon, and may cause noticeable delays with connections from non-UNIX clients. The timeout period is optional. If no timeout is specified a compile-time defined default value is taken.

--
Yury V.
Yaroshevsky                        | 380 (622) 356455
Donetsk State Technical University | yk@dgtu.donetsk.ua

From owner-freebsd-security Wed Oct 29 08:02:13 1997
X-Authentication-Warning: server.local.sunyit.edu: perlsta owned process doing -bs
Date: Wed, 29 Oct 1997 12:06:53 -0500 (EST)
From: Alfred Perlstein
X-Sender: perlsta@server.local.sunyit.edu
To: freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
In-Reply-To: <19971029130053.20797@deepo.prosa.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

It wouldn't seem that hard to use the DB package to implement ACLs (access control lists) with the pop3 server.

On Wed, 29 Oct 1997, Philippe Regnauld wrote:

> Piotr Szymanek writes:
> > Is it possible to grant access to the pop3 server to some users and
> > reject for the rest?
> >
> > If yes, then is it possible to restrict pop3 access based on the client's
> > address?
>
> Tcp wrappers. But you can only do IP level decisions, not user-level.
> Or hack the pop3 server sources.
>
> --
> -- Phil
>
> -[ Philippe Regnauld / Systems Administrator / regnauld@deepo.prosa.dk ]-
> -[ Location.: +55.4N +11.3E      PGP Key: finger regnauld@hotel.prosa.dk ]-
>

From owner-freebsd-security Wed Oct 29 08:56:37 1997
Message-ID: <34576F47.393@EUnet-Bretagne.fr>
Date: Wed, 29 Oct 1997 18:15:51 +0100
From: Eric Feillant
Reply-To: Eric.Feillant@EUnet-Bretagne.fr
Organization: EUnet BRETAGNE groupe EUnet
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: Yury Yaroshevsky
CC: Philippe Regnauld, freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
References: <199710291548.RAA16604@info.dgtu.donetsk.ua>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Yury Yaroshevsky wrote:
>
> >
> > Piotr Szymanek writes:
> > > Is it possible to grant access to the pop3 server to some users and
> > > reject for the rest?
> Yes. Use Tcp wrappers for this.

Here is another pop3 question:

Is it possible to choose another file for pop users than /etc/passwd ?

Thanks,
eric.

--
Eric Feillant
EUnet BRETAGNE
140, bd de Creach Gwen
29000 QUIMPER, France
Tel: (+33) 298101620   Fax: (+33) 298101629
Eric.Feillant@EUnet.fr   http://www.EUnet.fr
Partenaire CISCO, CHECKPOINT (FIREWALL), BAY NETWORKS, NEWBRIDGE, SUN, CITRIX

From owner-freebsd-security Wed Oct 29 09:16:08 1997
From: Yury Yaroshevsky
Message-Id: <199710291715.TAA18098@info.dgtu.donetsk.ua>
Subject: Re: selective pop3
To: Eric.Feillant@EUnet-Bretagne.fr
Date: Wed, 29 Oct 1997 19:15:12 +0200 (EET)
Cc: freebsd-security@freebsd.org
In-Reply-To: <34576F47.393@EUnet-Bretagne.fr> from "Eric Feillant" at Oct 29, 97 06:15:51 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > > Piotr Szymanek writes:
> > > > Is it possible to grant access to the pop3 server to some users and
> > > > reject for the rest?
> > Yes. Use Tcp wrappers for this.
>
> Here is another pop3 question:
>
> Is it possible to choose another file for pop users than /etc/passwd ?

Yes, if your pop server understands APOP. Please help me find a client which uses APOP. Under FreeBSD and (sorry) Win95.

--
Yury V. Yaroshevsky                | 380 (622) 356455
Donetsk State Technical University | yk@dgtu.donetsk.ua

From owner-freebsd-security Wed Oct 29 11:10:18 1997
Message-Id: <199710291902.UAA05565@gvr.gvr.org>
From: FreeBSD Security Officer
To: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-97:05.open
Date: Wed, 29 Oct 1997 20:01:00 +0100 (MET)
Reply-To: security-officer@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-97:05                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          security compromise via open()

Category:       core
Module:         kern
Announced:      1997-10-29
Affects:        FreeBSD 2.1.*, FreeBSD 2.2.*,
                FreeBSD-stable and FreeBSD-current
Corrected:      FreeBSD-current as of 1997/10/23 (partly even on 1997/04/14)
                FreeBSD-stable as of 1997/10/24
                FreeBSD 2.1-stable as of 1997/10/29
FreeBSD only:   yes

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-97:05/
=============================================================================

I.   Background

In FreeBSD, the open() system call is used in normal file operations. When calling open(), the caller should specify if the file is to be opened for reading, for writing or for both. The right to reading from and/or writing to a file is controlled by the file's mode bits in the filesystem. In FreeBSD, open() is also used to obtain the right to do privileged io instructions.

II.  Problem Description

A problem exists in the open() syscall that allows processes to obtain a valid file descriptor without having read or write permissions on the file being opened. This is normally not a problem. The FreeBSD way of obtaining the right to do io instructions however, is based on the right to open a specific file (/dev/io).

III. Impact

The problem can be used by any user on the system to do unauthorised io instructions.

IV.  Workaround

No workaround is available.

V.   Solution

Apply the following patches.
The first one in /usr/src/sys/kern, and the second one in /usr/src/sys/i386/i386, Rebuild your kernel, install it and reboot your system. patch 1: For FreeBSD-current before 1997/10/23: Index: vfs_syscalls.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.76 retrieving revision 1.77 diff -u -r1.76 -r1.77 --- vfs_syscalls.c 1997/10/12 20:24:27 1.76 +++ vfs_syscalls.c 1997/10/22 07:28:51 1.77 @@ -863,11 +863,13 @@ struct flock lf; struct nameidata nd; + flags = FFLAGS(SCARG(uap, flags)); + if ((flags & FREAD + FWRITE) == 0) + return (EINVAL); error = falloc(p, &nfp, &indx); if (error) return (error); fp = nfp; - flags = FFLAGS(SCARG(uap, flags)); cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); p->p_dupfd = -indx - 1; /* XXX check for fdopen */ For FreeBSD 2.1.* and 2.2.*: Index: vfs_syscalls.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.51.2.5 diff -u -r1.51.2.5 vfs_syscalls.c --- vfs_syscalls.c 1997/10/01 06:23:48 1.51.2.5 +++ vfs_syscalls.c 1997/10/28 22:04:43 
@@ -688,11 +688,13 @@ struct flock lf; struct nameidata nd; + flags = FFLAGS(uap->flags); + if ((flags & FREAD + FWRITE) == 0) + return (EINVAL); error = falloc(p, &nfp, &indx); if (error) return (error); fp = nfp; - flags = FFLAGS(uap->flags); cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p); p->p_dupfd = -indx - 1; /* XXX check for fdopen */ patch 2: For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before 1997/04/14: Index: mem.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v retrieving revision 1.38 retrieving revision 1.38.2.1 diff -u -r1.38 -r1.38.2.1 --- mem.c 1996/09/27 13:25:06 1.38 +++ mem.c 1997/10/23 22:14:24 1.38.2.1 @@ -169,6 +169,7 @@ int fmt; struct proc *p; { + int error; struct trapframe *fp; switch (minor(dev)) { 
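Review bot: in this hunk the `return (EINVAL)` for `(flags & FREAD + FWRITE) == 0` now sits before `falloc(p, &nfp, &indx)`, which is the right order: an early return placed after falloc() would leave the freshly allocated descriptor slot behind, so moving the `flags = FFLAGS(uap->flags)` line up instead of adding the test after falloc() is what makes the fix leak-free (the -current hunk above does the same with SCARG(uap, flags)). The test itself relies on `+` binding tighter than `&` in C; writing it as `(flags & (FREAD | FWRITE)) == 0` would state the intended bit test without that subtlety, and a one-line comment saying why a flag word with neither bit set must be refused would help the next reader of vfs_syscalls.c.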
@@ -179,6 +180,11 @@ return ENODEV; #endif case 14: + error = suser(p->p_ucred, &p->p_acflag); + if (error != 0) + return (error); + if (securelevel > 0) + return (EPERM); fp = (struct trapframe *)curproc->p_md.md_regs; fp->tf_eflags |= PSL_IOPL; break;

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNFeHI1UuHi5z0oilAQEtvAQAgMrMQvRpBOiV1nWzPzDSsnQOz4bBppcT
SMEssoeRrr0cQQACZ4su3vlb71XJzgXi3bakEvvZgsMSSKb3sNxEl0RHR93cDNlE
L9x3sDjbY7l1q2W4BldTly7W4WDjnJt5KEVbi7DKhXb+SuxgaSN0lsow5Cgd54jX
skpX4qluhBM=
=47P3
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Oct 29 14:16:49 1997
Date: Wed, 29 Oct 1997 23:16:08 +0100 (MET)
Message-Id: <199710292216.XAA03735@bitbox.follo.net>
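Review bot: the added suser() call in case 14 takes its credentials from `p`, while the unchanged line that follows still fetches the trapframe through `curproc->p_md.md_regs`; with `p` now in use for the privilege test, reading `p->p_md.md_regs` would keep the check and the PSL_IOPL grant on the same process object. The `securelevel > 0` test also deserves a sentence in the advisory's Solution section, since after this hunk /dev/io cannot be opened at all once the securelevel is raised, which is a behaviour change for any program that opens it after boot.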
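A userland model of the open() check that patch 1 adds, as an added example and not the kernel source or any code from the advisory: it reproduces the FREAD/FWRITE gating of the permission test and the new EINVAL guard, so the "descriptor without read or write permission" case of section II can be seen beside the patched behaviour. The constants FREAD=1, FWRITE=2 and FFLAGS(oflags)=oflags+1 are assumed from the BSD sys/fcntl.h of the period; they are not shown in the advisory.

```c
/* Userland model of the open() permission gating fixed by FreeBSD-SA-97:05.
 * Added example: this is not kernel code and not the advisory's own code.
 * Assumed from the BSD sys/fcntl.h of the period (not shown on this page):
 *   FREAD = 0x1, FWRITE = 0x2, FFLAGS(oflags) = (oflags) + 1, so that
 *   O_RDONLY(0) -> FREAD, O_WRONLY(1) -> FWRITE, O_RDWR(2) -> FREAD|FWRITE,
 *   while the unused access-mode value 3 maps to a word with neither bit.
 * Only the read/write bits are modelled; O_TRUNC and friends are left out. */
#include <errno.h>
#include <stdio.h>

#define MODEL_FREAD   0x0001
#define MODEL_FWRITE  0x0002
#define MODEL_FFLAGS(oflags) ((oflags) + 1)

/* Permissions the caller actually holds on the file, as mode bits. */
#define PERM_READ  0x4
#define PERM_WRITE 0x2

/* Mirrors the vn_open() access test: request VREAD/VWRITE according to the
 * kernel-internal flag word and compare with the caller's permissions.
 * Returns 0 on success or an errno value. */
static int model_vn_open(int fflags, int caller_perms)
{
    int wanted = 0;
    if (fflags & MODEL_FREAD)  wanted |= PERM_READ;
    if (fflags & MODEL_FWRITE) wanted |= PERM_WRITE;
    /* If the flag word names neither read nor write, nothing is requested
     * and so nothing is checked: the condition the advisory describes. */
    if ((wanted & caller_perms) != wanted)
        return EACCES;
    return 0;
}

/* open() as modelled before patch 1: the flag word goes straight to the
 * access test, so access-mode 3 passes it without any permission check. */
int model_open_unpatched(int oflags, int caller_perms)
{
    return model_vn_open(MODEL_FFLAGS(oflags), caller_perms);
}

/* open() with patch 1 applied: refuse with EINVAL, before any descriptor
 * would be allocated, unless at least one of FREAD/FWRITE is requested. */
int model_open_patched(int oflags, int caller_perms)
{
    int flags = MODEL_FFLAGS(oflags);
    if ((flags & (MODEL_FREAD | MODEL_FWRITE)) == 0)
        return EINVAL;
    return model_vn_open(flags, caller_perms);
}

int main(void)
{
    /* Caller holds no permission on the file, e.g. a non-owner looking at a
     * root-owned mode 0600 device node such as /dev/io. */
    const int no_perms = 0;
    int accmode;
    for (accmode = 0; accmode <= 3; accmode++)
        printf("accmode %d: unpatched=%d patched=%d\n", accmode,
               model_open_unpatched(accmode, no_perms),
               model_open_patched(accmode, no_perms));
    return 0;
}
```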
From: Eivind Eklund
To: security-officer@FreeBSD.ORG
CC: freebsd-security@FreeBSD.ORG, first-teams@first.org
In-reply-to: FreeBSD Security Officer's message of Wed, 29 Oct 1997 20:01:00 +0100 (MET)
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-97:05.open
References: <199710291902.UAA05565@gvr.gvr.org>
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> =============================================================================
> FreeBSD-SA-97:05                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          security compromise via open()
>
> Category:       core
> Module:         kern
> Announced:      1997-10-29
> Affects:        FreeBSD 2.1.*, FreeBSD 2.2.*,
>                 FreeBSD-stable and FreeBSD-current
> Corrected:      FreeBSD-current as of 1997/10/23 (partly even on 1997/04/14)
>                 FreeBSD-stable as of 1997/10/24
>                 FreeBSD 2.1-stable as of 1997/10/29
> FreeBSD only:   yes

This is not correct. It affected NetBSD and OpenBSD, too, and was originally discovered by a NetBSD developer (and forwarded off the NetBSD developers list to best-of-security by someone I'll have mercy enough to leave nameless).

Eivind.

From owner-freebsd-security Wed Oct 29 15:22:42 1997
Date: Wed, 29 Oct 1997 18:22:19 -0500 (EST)
From: "Matthew N. Dodd"
To: Piotr Szymanek
cc: freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
In-Reply-To: <199710291213.NAA02257@gate1.rzeczpospolita.pl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 29 Oct 1997, Piotr Szymanek wrote:
> Is it possible to grant access to the pop3 server to some users and
> reject for the rest?
>
> If yes, then is it possible to restrict pop3 access based on the client's
> address?

I'm really fond of making pop3 not authenticate from the password file, but that's me.

/* Matthew N. Dodd              | A memory retaining a love you had for life
   winter@jurai.net             | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53 */

From owner-freebsd-security Wed Oct 29 19:41:53 1997
Date: Fri, 31 Oct 1997 09:37:16 +0600 (OSK)
From: Eugeny Kuzakov
To: Yury Yaroshevsky
cc: Philippe Regnauld, freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
In-Reply-To: <199710291548.RAA16604@info.dgtu.donetsk.ua>

On Wed, 29 Oct 1997, Yury Yaroshevsky wrote:
> > Tcp wrappers. But you can only do IP level decisions, not user-level.
> >                                   ^^^^^^^^^
> Only IP level???
> If it uses ident, you can restrict pop3 access for some account.
> See man hosts_options

The pop3 client machine can have pidentd or not....

Best wishes,
Eugeny Kuzakov
Laboratory 321 ( Omsk, Russia )
kev@lab321.ru

From owner-freebsd-security Thu Oct 30 05:25:41 1997
To: "Matthew N. Dodd"
Cc: Piotr Szymanek, freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
From: Simon Josefsson
Date: 30 Oct 1997 14:25:15 +0100
In-Reply-To: "Matthew N. Dodd"'s message of "Wed, 29 Oct 1997 18:22:19 -0500 (EST)"

"Matthew N. Dodd" writes:

> > Is it possible to grant access to the pop3 server to some users and
> > reject for the rest?
> >
> > If yes, then is it possible to restrict pop3 access based on the
> > client's address?
>
> I'm really fond of making pop3 not authenticate from the password file,
> but that's me.

I would be fond of it too, if only I could find a POP3 server that uses
a stand-alone configuration file with username, password and
spool-file to read from. Can you (or anyone else) help me?

From owner-freebsd-security Thu Oct 30 05:29:11 1997
From: Guido van Rooij
Message-Id: <199710301328.OAA08595@gvr.gvr.org>
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-97:05.open
In-Reply-To: <199710292216.XAA03735@bitbox.follo.net> from Eivind Eklund at "Oct 29, 97 11:16:08 pm"
To: perhaps@yes.no
Date: Thu, 30 Oct 1997 14:28:39 +0100 (MET)
Cc: security-officer@freebsd.org, freebsd-security@freebsd.org, first-teams@first.org

Eivind Eklund wrote:
> > =============================================================================
> > FreeBSD-SA-97:05                                          Security Advisory
> >                                                                FreeBSD, Inc.
> >
> > Topic:          security compromise via open()
> >
> > Category:       core
> > Module:         kern
> > Announced:      1997-10-29
> > Affects:        FreeBSD 2.1.*, FreeBSD 2.2.*,
> >                 FreeBSD-stable and FreeBSD-current
> > Corrected:      FreeBSD-current as of 1997/10/23 (partly even on 1997/04/14)
> >                 FreeBSD-stable as of 1997/10/24
> >                 FreeBSD 2.1-stable as of 1997/10/29
> > FreeBSD only:   yes
>
> This is not correct. It affected NetBSD and OpenBSD, too, and was
> originally discovered by a NetBSD developer (and forwarded off the
> NetBSD developers list to best-of-security by someone I'll have mercy
> enough to leave nameless).

But the open problem in itself does not impose a hole.
-Guido

From owner-freebsd-security Thu Oct 30 06:14:44 1997
Message-Id: <199710301408.GAA06472@cwsys.cwsent.com>
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Eugeny Kuzakov
cc: Yury Yaroshevsky, Philippe Regnauld, freebsd-security@freebsd.org, cschuber@uumail.gov.bc.ca
Subject: Re: selective pop3
In-reply-to: Your message of "Fri, 31 Oct 1997 09:37:16 +0600."
Date: Thu, 30 Oct 1997 06:07:09 -0800

> On Wed, 29 Oct 1997, Yury Yaroshevsky wrote:
> > > Tcp wrappers. But you can only do IP level decisions, not user-level.
> > >                                   ^^^^^^^^^
> > Only IP level???
> > If it uses ident, you can restrict pop3 access for some account.
> > See man hosts_options
>
> The pop3 client machine can have pidentd or not....

Auth (identd) should not be used for user authentication, as anyone with
root, e.g. any PC, can send you any information he/she pleases. This is
one of the problems with all of the original Berkeley "r" commands:
authentication was done at the client. Unless your POP users are
connecting from a UNIX host that you control, there is no way you can
trust identd (or the Berkeley "r" commands). In short, identd should
only be used in logging. Even then you should consider the information
gathered from a remote identd suspect.

> Best wishes,
> Eugeny Kuzakov
> Laboratory 321 ( Omsk, Russia )
> kev@lab321.ru

Regards,                         Phone:    (250)387-8437
Cy Schubert                      Fax:      (250)387-5766
UNIX Support                     OV/VM:    BCSC02(CSCHUBER)
ITSD                             BITNET:   CSCHUBER@BCSC02.BITNET
Government of BC                 Internet: cschuber@uumail.gov.bc.ca
                                           Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."
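Yury's tcp wrappers suggestion and Cy's caution about ident, as an added example that is not from the thread: a hosts.allow fragment in the extended hosts_options(5) syntax that restricts POP3 by client network and uses the ident lookup for logging only. The daemon name popper (the POP3 server's name as listed in inetd.conf) and the address ranges are assumptions for this example.

```text
# /etc/hosts.allow -- tcp_wrappers built with PROCESS_OPTIONS (hosts_options(5)).
# The daemon name "popper" and the networks below are assumed for this example.

# Accept POP3 only from networks whose machines we administer. The rfc931
# lookup just records the client-reported user name in the log line; it
# decides nothing, because the client runs (or fakes) that identd.
popper : 192.168.1.0/255.255.255.0 : rfc931 10 : allow
popper : 10.20.30.0/255.255.255.0 : allow

# Everything else is refused and logged at auth.info so refused
# connections show up in the normal auth log.
popper : ALL : severity auth.info : deny

# A user@host pattern such as the one below would also consult the
# client's identd, so it is no stronger than the address check above.
# popper : alice@192.168.1.0/255.255.255.0 : allow
```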
From owner-freebsd-security Thu Oct 30 18:11:54 1997
Message-Id: <3.0.3.32.19971030210658.0084a8a0@pop.erols.com>
Date: Thu, 30 Oct 1997 21:06:58 -0500
To: Simon Josefsson, "Matthew N. Dodd"
From: "Brian T. Wightman"
Subject: Re: selective pop3
Cc: Piotr Szymanek, freebsd-security@FreeBSD.ORG
References: <"Matthew N. Dodd"'s message of "Wed, 29 Oct 1997 18:22:19 -0500 (EST)">

Check out qmail / qpopper (www.qmail.org). But this diverges - probably
take followups to djb-qmail@koobera.math.uic.edu.

Brian

At 02:25 PM 10/30/97 +0100, Simon Josefsson wrote:
>"Matthew N. Dodd" writes:
>
>> > Is it possible to grant access to the pop3 server to some users and
>> > reject for the rest?
>> >
>> > If yes, then is it possible to restrict pop3 access based on the
>> > client's address?
>>
>> I'm really fond of making pop3 not authenticate from the password file,
>> but that's me.
>
>I would be fond of it too, if only I could find a POP3 server that uses
>a stand-alone configuration file with username, password and
>spool-file to read from. Can you (or anyone else) help me?

From owner-freebsd-security Fri Oct 31 08:18:45 1997
Message-ID: <19971031091803.02389@socrates.i-pi.com>
Date: Fri, 31 Oct 1997 09:18:03 -0700
From: Kenneth Ingham
To: security@freebsd.org
Subject: NIS: how secure is it?

One of my clients has a firewall. The external network has three FreeBSD
machines on it (plus a router, of course):

    mail server
    ftp/www server
    authentication server

The network to which these machines are connected is completely inside
of the machine room, and is considered secure from taps by the bad guys
(if this assumption is violated, we have much bigger problems).

Currently each machine has a separate password file, along with the
maintenance headaches that accompany such a setup. They all really need
a shared password file. The machines are separate to provide a bit of
isolation---in case one is compromised, we want to keep the damage as
contained as possible.

The kerberos docs specifically recommend against using it as a common
password file between machines which will be used by more than one
person at a time. That leaves me with NIS.

Can I trust NIS if I set it up as follows?

The authentication server is the NIS master. This machine has nearly no
network services running (only ssh and telnet+s/key required and tcp
wrappers on these), and has schg flags on most every file, set at time
of install. Making it the master and each other machine a slave means
that the master doesn't have to have another open port; it generates all
the traffic.

The other two machines are NIS slave servers. The only network traffic
should be when someone changes a password, and the master pushes the
update to the slaves. Losing a machine doesn't affect the others (except
the auth server being down prevents password changes).

What kind of exposure do I have if the mail or ftp machine is broken
into? I would assume that we're open to password guessing if root is
compromised.
Right now, we have the same exposure, except that each machine has a
different password file, so it could be possible for people to have
different passwords on each machine (I doubt it, and I initialized the
ftp server with the password file from the mail server).

Comments?

Kenneth

From owner-freebsd-security Fri Oct 31 08:51:43 1997
Message-ID: <19971031095105.51034@socrates.i-pi.com>
Date: Fri, 31 Oct 1997 09:51:05 -0700
From: Kenneth Ingham
To: security@freebsd.org
Subject: Addendum to the NIS security question

The router is blocking all NIS traffic, so it should not be possible for
an external machine to bind to one of the machines on the external net
as a client.

Kenneth

From owner-freebsd-security Fri Oct 31 11:12:49 1997
From: hal@vailsys.com (Hal Snyder)
To: "Matthew N. Dodd"
Cc: Piotr Szymanek, freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
Date: Fri, 31 Oct 1997 13:12:40 -0600
Organization: Vail Systems
Message-ID: <345e2d57.323115755@w3>

On Wed, 29 Oct 1997 18:22:19 -0500 (EST), "Matthew N. Dodd" wrote:

[snip]
>I'm really fond of making pop3 not authenticate from the password file,
>but that's me.

Sounds like a really good idea. And the best way is ... ?

>/*
>   Matthew N. Dodd              | A memory retaining a love you had for life
>   winter@jurai.net             | As cruel as it seems nothing ever seems to
>   http://www.jurai.net/~winter | go right - FLA M 3.1:53
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Forbidden
You don't have permission to access /~winter/index.html on this server.

From owner-freebsd-security Fri Oct 31 17:30:22 1997
Message-Id: <3.0.3.32.19971031201651.0082dbe0@pop.erols.com>
Date: Fri, 31 Oct 1997 20:16:51 -0500
To: hal@vailsys.com (Hal Snyder), "Matthew N. Dodd"
From: "Brian T. Wightman"
Subject: Re: selective pop3
Cc: Piotr Szymanek, freebsd-security@FreeBSD.ORG
In-Reply-To: <345e2d57.323115755@w3>

Look at qmail (http://www.qmail.org/) for the qmail-popup stuff. This is
one alternative. Basically the formula for this setup is to break the
POP3 service into two parts - authentication, and the program that does
the real work. You can then write (or use someone else's) authentication
module and not muck with the back end.

(I am only biased towards qmail b/c that is what I have the most
experience with. I am sure there are other schemes that do just as good
of a job.)

Brian

At 01:12 PM 10/31/97 -0600, Hal Snyder wrote:
>On Wed, 29 Oct 1997 18:22:19 -0500 (EST), "Matthew N. Dodd"
>wrote:
>
>[snip]
>>I'm really fond of making pop3 not authenticate from the password file,
>>but that's me.
>
>Sounds like a really good idea. And the best way is ... ?
>
>>/*
>>   Matthew N. Dodd              | A memory retaining a love you had for life
>>   winter@jurai.net             | As cruel as it seems nothing ever seems to
>>   http://www.jurai.net/~winter | go right - FLA M 3.1:53
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>Forbidden
>You don't have permission to access /~winter/index.html on this server.
From owner-freebsd-security Fri Oct 31 18:06:18 1997
Date: Fri, 31 Oct 1997 21:04:56 -0500 (EST)
From: "Matthew N. Dodd"
To: Hal Snyder
cc: Piotr Szymanek, freebsd-security@FreeBSD.ORG
Subject: Re: selective pop3
In-Reply-To: <345e2d57.323115755@w3>

On Fri, 31 Oct 1997, Hal Snyder wrote:
> >   http://www.jurai.net/~winter | go right - FLA M 3.1:53
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Forbidden
> You don't have permission to access /~winter/index.html on this server.

That's right. -YOU- don't have permission. :)

/*
   Matthew N. Dodd              | A memory retaining a love you had for life
   winter@jurai.net             | As cruel as it seems nothing ever seems to
   http://www.jurai.net/~winter | go right - FLA M 3.1:53
*/
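Brian's description of splitting POP3 into an authentication program and a mail-reading backend, and Simon's wish for a server driven by a stand-alone file of username, password and spool path, as an added example that is neither from the thread nor qmail's own code: a checkpassword-style authenticator in Python. Only the calling convention (credentials arrive on file descriptor 3 as "username\0password\0timestamp\0"; exit 1 for a bad login, 2 for misuse, otherwise exec the backend given in argv[1:]) is qmail's checkpassword interface; the user-file format, the PBKDF2 hashing, the /etc/pop3users path and the MAILDIR hand-off are assumptions made here.

```python
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (example choice)

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Constant-time check of a password against one stored hash field."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        want = bytes.fromhex(digest_hex)
        got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed record: never a successful login
    return scheme == "pbkdf2-sha256" and hmac.compare_digest(got, want)

# Checked when the user does not exist, so timing does not reveal valid names.
DUMMY_HASH = hash_password("not-a-real-password", salt=b"\0" * 16)

def authenticate(user_file_text, username, password):
    """Return the spool path for a good login, None otherwise."""
    # Records are 'username:hash:spoolfile', one per line; '#' lines are comments.
    for line in user_file_text.splitlines():
        fields = line.strip().split(":", 2)
        if len(fields) == 3 and fields[0] == username:
            return fields[2] if verify_password(password, fields[1]) else None
    verify_password(password, DUMMY_HASH)
    return None

# Constructed sample user file (cleartext passwords exist only to build it).
SAMPLE_USERS = "# user:hash:spool\n" + "\n".join(
    "%s:%s:%s" % (u, hash_password(p), s) for u, p, s in [
        ("alice", "correct horse", "/var/spool/pop/alice"),
        ("bob", "battery staple", "/var/spool/pop/bob")])

def read_fd3():
    """Parse 'user\\0pass\\0timestamp\\0' from descriptor 3 (qmail convention)."""
    data = b""
    while chunk := os.read(3, 512):
        data += chunk
    parts = data.split(b"\0")
    if len(parts) < 3:
        raise ValueError("malformed credentials on fd 3")
    return parts[0].decode("utf-8", "replace"), parts[1].decode("utf-8", "replace")

if __name__ == "__main__":
    try:
        user, pw = read_fd3()
        with open("/etc/pop3users", encoding="utf-8") as f:  # assumed path
            users = f.read()
    except (OSError, ValueError):
        sys.exit(2)  # misuse: no fd 3, malformed input or unreadable user file
    spool = authenticate(users, user, pw)
    if spool is None or len(sys.argv) < 2:
        sys.exit(1)  # bad login
    os.environ["MAILDIR"] = spool  # assumed hand-off; qmail's tool also setuids
    os.execvp(sys.argv[1], sys.argv[1:])
```

The backend never sees the user file or the password, which is the separation Brian describes; a real deployment would also switch to an unprivileged uid before the exec, as qmail's checkpassword does.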