From owner-freebsd-security Sun Aug 19 1:49:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from epsilon.lucida.ca (epsilon.lucida.ca [209.47.215.67]) by hub.freebsd.org (Postfix) with SMTP id C367237B40E for ; Sun, 19 Aug 2001 01:49:43 -0700 (PDT) (envelope-from matt@LUCIDA.CA)
Received: (qmail 84975 invoked by uid 1000); 19 Aug 2001 08:49:42 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Aug 2001 08:49:42 -0000
Date: Sun, 19 Aug 2001 04:49:38 -0400 (EDT)
From: Matt Heckaman
To: Adam Tuttle
Cc:
Subject: Re: Rooted
In-Reply-To: <000f01c1286d$18df05a0$a38de440@Tracey>
Message-ID: <20010819044547.K84927-100000@epsilon.lucida.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 19 Aug 2001, Adam Tuttle wrote:

: My box recently got rooted by a user on mIRC, they said it was because
: telnet was too old, where can I get a new version of telnet? Also where
: can I find patches for security on my box.

mIRC is a CLIENT, not the whole thing. The proper thing to call it is IRC.

You should follow FreeBSD security advisories and always apply the patches
that come out with them. You can sign up for the security advisory mailing
list; instructions for this can be found on the web page. Until then, go
browse through ftp://ftp.freebsd.org/pub/FreeBSD/CERT/, this is where all of
the advisories and patches are kept. Read through them and apply the ones
that are relevant for your system!

HTH,
Matt

* Matt Heckaman - mailto:matt@LUCIDA.CA  http://www.lucida.ca/gpg *
* GPG fingerprint - 53CA 8320 C8F6 32ED 9DDF 036E 3171 C093 4AD3 1364 *

The Universe is run by the complex interweaving of three elements:
energy, matter, and enlightened self-interest.
-- G'Kar, "Survivors"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: http://www.lucida.ca/gpg

iD8DBQE7f32mMXHAk0rTE2QRAsHIAJoCYUYE7nBz5O6c4E1FRlPwYTcAawCgjDO5
bhvct/c2YYrx8xM3ldVLqA4=
=cE7B
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 19 2: 5:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from p6m7g8.student.umd.edu (p6m7g8.student.umd.edu [129.2.247.12]) by hub.freebsd.org (Postfix) with ESMTP id EF3BA37B406 for ; Sun, 19 Aug 2001 02:05:05 -0700 (PDT) (envelope-from philip@p6m7g8.com)
Received: from localhost (philip@localhost) by p6m7g8.student.umd.edu (8.11.3/8.11.3) with ESMTP id f7IA4gj06054; Sat, 18 Aug 2001 05:04:42 -0500 (EST) (envelope-from philip@p6m7g8.com)
X-Authentication-Warning: p6m7g8.student.umd.edu: philip owned process doing -bs
Date: Sat, 18 Aug 2001 05:04:42 -0500 (EST)
From: "Philip M. Gollucci"
X-X-Sender:
To: Adam Tuttle
Cc:
Subject: Re: Rooted
In-Reply-To: <000f01c1286d$18df05a0$a38de440@Tracey>
Message-ID: <20010818050428.E527-100000@p6m7g8.student.umd.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG

look at the big box on freebsd.org about the security advisory !

------------------------------------------------------------------------------
Philip M. Gollucci (p6m7g8)                 philip@p6m7g8.com
                                            301.314.3445
Science, Discovery, & the Universe
Webmaster
URL: http://www.sdu.umd.edu
DEVEL: http://www.test1.p6m7g8.com
DEVEL: http://www.test3.p6m7g8.com

EJPress.com
Database/PERL Programmer & System Admin
URL : http://www.ejournalpress.com
Resume : http://www.p6m7g8.com/resume-20010424-170825.txt

On Sun, 19 Aug 2001, Adam Tuttle wrote:

> My box recently got rooted by a user on mIRC, they said it was because
> telnet was too old, where can I get a new version of telnet? Also where
> can I find patches for security on my box.
>
> Thanks
>
> Adam Tuttle
>

From owner-freebsd-security Sun Aug 19 7: 9: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tetard.starbsd.org (port262.ds1-ynoe.adsl.cybercity.dk [212.242.125.143]) by hub.freebsd.org (Postfix) with ESMTP id 3521037B40F for ; Sun, 19 Aug 2001 07:08:54 -0700 (PDT) (envelope-from regnauld@starBSD.org)
Received: by tetard.starbsd.org (Postfix, from userid 1001) id D54CE16FA0; Sun, 19 Aug 2001 16:06:53 +0200 (MET DST)
Date: Sun, 19 Aug 2001 16:06:53 +0200
From: Phil Regnauld
To: Pierre Beyssac
Cc: freebsd-security@freebsd.org
Subject: Re: [pb@fasterix.freenix.org: bin/29026: fix for traceroute]
Message-ID: <20010819160653.C9813@tetard.starbsd.org>
References: <20010813222145.A66725@fasterix.frmug.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010813222145.A66725@fasterix.frmug.org>; from pb@fasterix.freenix.org on Mon, Aug 13, 2001 at 10:21:45PM +0200
X-Operating-System: FreeBSD 4.3-STABLE i386
Organization: *BSD
Sender: owner-freebsd-security@FreeBSD.ORG

    It works for me on -stable also...

    Is this being committed, or will we allow plain users to spoof
    source addresses in 4.4 ?

Pierre Beyssac (pb) writes:
> Hi,
>
> Any advice on this? Ruslan advised me to wait a return from the
> traceroute list at LBL, but no news from them since I sent the patch
> almost a month ago...
>
> Pierre
>
> ----- Forwarded message from Pierre Beyssac -----

From owner-freebsd-security Sun Aug 19 7:42: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 38AEF37B40B for ; Sun, 19 Aug 2001 07:41:57 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1294 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Sun, 19 Aug 2001 09:39:59 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Sun, 19 Aug 2001 09:39:57 -0500 (CDT)
From: James Wyatt
To: "Philip M. Gollucci"
Cc: Adam Tuttle , freebsd-security@FreeBSD.ORG
Subject: Re: Rooted
In-Reply-To: <20010818050428.E527-100000@p6m7g8.student.umd.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG

On Sat, 18 Aug 2001, Philip M. Gollucci wrote:
> look at the big box on freebsd.org about the security advisory !
>
> ------------------------------------------------------------------------------
> Philip M. Gollucci (p6m7g8) philip@p6m7g8.com 301.314.3445
>
> Science, Discovery, & the Universe
> Webmaster
> URL: http://www.sdu.umd.edu
       ^^^^^^^^^^^^^^^^^

Sigh, another Flash(tm)-or-nothing site. Sad to see so many of these.
Neither my phone nor my BSD boxes work well with them.
Is there a decent FreeBSD tool that can check these for hack attempts to
the older Flash modules as they ride across in HTTP or SMTP?

Not completely OT, but close - Jy@

From owner-freebsd-security Sun Aug 19 7:46:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 5D37237B410; Sun, 19 Aug 2001 07:46:43 -0700 (PDT) (envelope-from trevor@FreeBSD.org)
Received: from localhost (trevor@localhost) by freefall.freebsd.org (8.11.4/8.11.4) with ESMTP id f7JEkh695308; Sun, 19 Aug 2001 07:46:43 -0700 (PDT) (envelope-from trevor@freefall.freebsd.org)
Date: Sun, 19 Aug 2001 07:46:42 -0700 (PDT)
From: Trevor Johnson
To: ,
Subject: Netscape 6
Message-ID: <20010819074514.M95232-100000@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG

Date: Sun, 19 Aug 2001 07:43:49 -0700 (PDT)
From: Trevor Johnson
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/www/linux-netscape6 Makefile distinfo pkg-descr

trevor      2001/08/19 07:43:49 PDT

  Modified files:
    www/linux-netscape6  Makefile distinfo pkg-descr
  Log:
  Update to 6.1.  According to Bennett Samowich on the Bugtraq list, this
  version "does not allow access to privileged ports" whereas the earlier
  ones do.  I have not tested this claim.  If true, the change should
  lessen harm from the HTML form protocol attack described at
  http://www.remote.org/jochen/sec/hfpa/ .  Mark broken, because the menus
  no longer display correctly.  Mention the AIM port.  Don't mention the
  release notes, since they seem to be unmaintained.  Touch up FTP list.

  Revision  Changes    Path
  1.33      +4 -7      ports/www/linux-netscape6/Makefile
  1.6       +8 -8      ports/www/linux-netscape6/distinfo
  1.9       +4 -5      ports/www/linux-netscape6/pkg-descr

From owner-freebsd-security Sun Aug 19 15:17:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f140.pav2.hotmail.com [64.4.37.140]) by hub.freebsd.org (Postfix) with ESMTP id 3FDF337B408 for ; Sun, 19 Aug 2001 15:17:39 -0700 (PDT) (envelope-from rezaj_@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 19 Aug 2001 15:17:39 -0700
Received: from 203.173.250.145 by pv2fd.pav2.hotmail.msn.com with HTTP; Sun, 19 Aug 2001 22:17:38 GMT
X-Originating-IP: [203.173.250.145]
From: "reza jamshid"
To: freebsd-security@freebsd.org
Subject: getting DCC fully functioning with ipnat/ipf
Date: Mon, 20 Aug 2001 07:47:38 +0930
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 19 Aug 2001 22:17:39.0146 (UTC) FILETIME=[C1CE0AA0:01C128FC]
Sender: owner-freebsd-security@FreeBSD.ORG

Hi,

Up until now my firewall/router (FreeBSD 4.3) works fine, but I haven't been
able to get DCC resuming and send to work from a machine inside my network.

I'm not sure if this has anything to do with my current rules setup, or if I
am missing something.

>cat /etc/ipnat.rules

map ed0 192.168.1.0/24 -> 0/32

>cat /etc/ipf.rules

# Pass everything out of tun0

block out all
pass out quick on lo0 all
pass out quick on ed1 all
pass out quick on tun0 proto tcp all flags S/SA keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags
pass out quick on tun0 all

# Pass lo0 and dc0, block the rest

block in log all
pass in quick on lo0 all
pass in quick on ed1 all


I was told that I need to install an irc proxy like tircproxy?

Has anyone done this successfully and can help shed some light?


TIA

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

From owner-freebsd-security Sun Aug 19 15:41:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xs4nobody.nl (xs4nobody.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id CC50A37B412 for ; Sun, 19 Aug 2001 15:41:22 -0700 (PDT) (envelope-from bart@xs4nobody.nl)
Received: (qmail 80407 invoked by uid 1000); 19 Aug 2001 22:41:15 -0000
Date: Mon, 20 Aug 2001 00:41:15 +0200
From: Bart Matthaei
To: freebsd-security@freebsd.org
Subject: Re: getting DCC fully functioning with ipnat/ipf
Message-ID: <20010820004115.B80382@heresy.xs4nobody.nl>
Reply-To: Bart Matthaei
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rezaj_@hotmail.com on Mon, Aug 20, 2001 at 07:47:38AM +0930
Sender: owner-freebsd-security@FreeBSD.ORG

Pass the arguments -same_ports -use_sockets to natd

:)


rgds,

Bart Matthaei

On Mon, Aug 20, 2001 at 07:47:38AM +0930, reza jamshid wrote:
>
> Hi,
>
> Up until now my firewall/router (FreeBSD 4.3) works fine, but I haven't been
> able to get DCC resuming and send to work from a machine inside my network.
>
> I'm not sure if this has anything to do with my current rules setup, or if I
> am missing something.
>
> >cat /etc/ipnat.rules
>
> map ed0 192.168.1.0/24 -> 0/32
>
> >cat /etc/ipf.rules
>
> # Pass everything out of tun0
>
> block out all
> pass out quick on lo0 all
> pass out quick on ed1 all
> pass out quick on tun0 proto tcp all flags S/SA keep state keep frags
> pass out quick on tun0 proto udp all keep state keep frags
> pass out quick on tun0 proto icmp all keep state keep frags
> pass out quick on tun0 all
>
> # Pass lo0 and dc0, block the rest
>
> block in log all
> pass in quick on lo0 all
> pass in quick on ed1 all
>
>
> I was told that I need to install an irc proxy like tircproxy?
>
> Has anyone done this successfully and can help shed some light?
>
>
> TIA
>

--
Bart Matthaei | bart@xs4nobody.nl
              | +31 6 24907042
Cysonet Managed Hosting | bart@cysonet.com
-------------------------------------------------
/* It's always funny until someone gets hurt..
 * (and then it's just hilarious) */

From owner-freebsd-security Sun Aug 19 16:27:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from thunder.shellsandhosting.com (shellsandhosting.com [64.39.176.9]) by hub.freebsd.org (Postfix) with ESMTP id C195137B411 for ; Sun, 19 Aug 2001 16:27:20 -0700 (PDT) (envelope-from admin@shellsandhosting.com)
Received: from critter (enzo@critter [10.0.0.2]) by thunder.shellsandhosting.com (8.11.5/8.11.3) with SMTP id f7JJR7O02562; Sun, 19 Aug 2001 19:27:07 GMT (envelope-from admin@shellsandhosting.com)
Message-ID: <001201c12906$65605840$0200000a@critter>
From: "ShellsAndHosting.com Administration"
To: "Bart Matthaei"
Cc:
References: <20010820004115.B80382@heresy.xs4nobody.nl>
Subject: Re: getting DCC fully functioning with ipnat/ipf
Date: Sun, 19 Aug 2001 19:26:38 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG

He doesn't use natd. Those rules don't apply.

Jason
admin@shellsandhosting.com

----- Original Message -----
From: "Bart Matthaei"
To:
Sent: Sunday, August 19, 2001 6:41 PM
Subject: Re: getting DCC fully functioning with ipnat/ipf


> Pass the arguments -same_ports -use_sockets to natd
>
> :)
>
>
> rgds,
>
> Bart Matthaei
>
> On Mon, Aug 20, 2001 at 07:47:38AM +0930, reza jamshid wrote:
> >
> > Hi,
> >
> > Up until now my firewall/router (FreeBSD 4.3) works fine, but I haven't been
> > able to get DCC resuming and send to work from a machine inside my network.
> >
> > I'm not sure if this has anything to do with my current rules setup, or if I
> > am missing something.
> >
> > >cat /etc/ipnat.rules
> >
> > map ed0 192.168.1.0/24 -> 0/32
> >
> > >cat /etc/ipf.rules
> >
> > # Pass everything out of tun0
> >
> > block out all
> > pass out quick on lo0 all
> > pass out quick on ed1 all
> > pass out quick on tun0 proto tcp all flags S/SA keep state keep frags
> > pass out quick on tun0 proto udp all keep state keep frags
> > pass out quick on tun0 proto icmp all keep state keep frags
> > pass out quick on tun0 all
> >
> > # Pass lo0 and dc0, block the rest
> >
> > block in log all
> > pass in quick on lo0 all
> > pass in quick on ed1 all
> >
> >
> > I was told that I need to install an irc proxy like tircproxy?
> >
> > Has anyone done this successfully and can help shed some light?
> >
> >
> > TIA
> >
>
> --
> Bart Matthaei | bart@xs4nobody.nl
>               | +31 6 24907042
> Cysonet Managed Hosting | bart@cysonet.com
> -------------------------------------------------
> /* It's always funny until someone gets hurt..
>  * (and then it's just hilarious) */
>

From owner-freebsd-security Sun Aug 19 16:36:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from oksala.org (modemcable048.156-201-24.mtl.mc.videotron.ca [24.201.156.48]) by hub.freebsd.org (Postfix) with ESMTP id 8958337B413 for ; Sun, 19 Aug 2001 16:36:21 -0700 (PDT) (envelope-from silence@oksala.org)
Received: from oksala.org (silence@silence [24.201.156.48]) by oksala.org (8.11.5/8.11.1) with ESMTP id f7JNGTR31371 for ; Sun, 19 Aug 2001 19:16:36 -0400 (EDT) (envelope-from silence@oksala.org)
Message-ID: <3B8048CD.DCCF51A4@oksala.org>
Date: Sun, 19 Aug 2001 19:16:29 -0400
From: Pierre-Luc Lespérance
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 4.4-PRERELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: getting DCC fully functioning with ipnat/ipf
References: <20010820004115.B80382@heresy.xs4nobody.nl>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG

Bart Matthaei wrote:
>
> Pass the arguments -same_ports -use_sockets to natd

He is using ipf/ipnat so it's not a good idea to run natd.

You should use the "rdr" rules in /etc/ipnat.rules; it looks like this:

rdr xl0 your_ip_address/32 port 1234 -> subnet_ip_address port 1234

*This is an example. Actually I don't know which port the IRC client uses,
so you're gonna have to change "1234" for the real port.

It could be a good idea to read the IPFilter HOWTO
http://coombs.anu.edu.au/~avalon/ip-filter.html

From owner-freebsd-security Sun Aug 19 16:40:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.redshells.net (cs26198-116.hot.rr.com [24.26.198.116]) by hub.freebsd.org (Postfix) with SMTP id DDAEF37B40A for ; Sun, 19 Aug 2001 16:40:03 -0700 (PDT) (envelope-from admin@redshells.net)
Received: (qmail 37421 invoked from network); 19 Aug 2001 23:41:19 -0000
Received: from unknown (HELO redshells.net) (192.168.0.2) by cs26198-116.hot.rr.com with SMTP; 19 Aug 2001 23:41:19 -0000
Message-ID: <3B804D4D.16BEE19E@redshells.net>
Date: Sun, 19 Aug 2001 18:35:41 -0500
From: Chris
X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Pierre-Luc Lespérance
Cc: freebsd-security@freebsd.org
Subject: Re: getting DCC fully functioning with ipnat/ipf
References: <20010820004115.B80382@heresy.xs4nobody.nl> <3B8048CD.DCCF51A4@oksala.org>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG

Actually, dcc send uses a random port. Just use tircproxy which can be
found in the ports collection.

/usr/ports/irc/tircproxy

It works fine with ipf.

Good luck,
Chris

Pierre-Luc Lespérance wrote:

> Bart Matthaei wrote:
> >
> > Pass the arguments -same_ports -use_sockets to natd
>
> He is using ipf/ipnat so it's not a good idea to run natd.
>
> You should use the "rdr" rules in /etc/ipnat.rules; it looks like this:
>
> rdr xl0 your_ip_address/32 port 1234 -> subnet_ip_address port 1234
>
> *This is an example. Actually I don't know which port the IRC client uses,
> so you're gonna have to change "1234" for the real port.
>
> It could be a good idea to read the IPFilter HOWTO
> http://coombs.anu.edu.au/~avalon/ip-filter.html
>

From owner-freebsd-security Sun Aug 19 16:44:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xs4nobody.nl (xs4nobody.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 5DE5637B408 for ; Sun, 19 Aug 2001 16:44:36 -0700 (PDT) (envelope-from bart@xs4nobody.nl)
Received: (qmail 80524 invoked by uid 1000); 19 Aug 2001 23:44:31 -0000
Date: Mon, 20 Aug 2001 01:44:31 +0200
From: Bart Matthaei
To: freebsd-security@freebsd.org
Subject: Re: getting DCC fully functioning with ipnat/ipf
Message-ID: <20010820014431.A80515@heresy.xs4nobody.nl>
Reply-To: Bart Matthaei
References: <20010820004115.B80382@heresy.xs4nobody.nl> <3B8048CD.DCCF51A4@oksala.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B8048CD.DCCF51A4@oksala.org>; from silence@oksala.org on Sun, Aug 19, 2001 at 07:16:29PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG

That doesn't apply.. dcc uses random ports.. so he'll have to come up with
a -use_sockets -same_ports kind of solution for ipnat..
dunno how that works :)

(I always thought ipnat sucked greatly)

gr,

bart

On Sun, Aug 19, 2001 at 07:16:29PM -0400, Pierre-Luc Lespérance wrote:
> Bart Matthaei wrote:
> >
> > Pass the arguments -same_ports -use_sockets to natd
>
>
> He is using ipf/ipnat so it's not a good idea to run natd.
>
> You should use the "rdr" rules in /etc/ipnat.rules; it looks like this:
>
> rdr xl0 your_ip_address/32 port 1234 -> subnet_ip_address port 1234
>
> *This is an example. Actually I don't know which port the IRC client uses,
> so you're gonna have to change "1234" for the real port.
>
> It could be a good idea to read the IPFilter HOWTO
> http://coombs.anu.edu.au/~avalon/ip-filter.html
>

--
Bart Matthaei | bart@xs4nobody.nl
              | +31 6 24907042
Cysonet Managed Hosting | bart@cysonet.com
-------------------------------------------------
/* It's always funny until someone gets hurt..
 * (and then it's just hilarious) */

From owner-freebsd-security Sun Aug 19 16:53: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ntown.esper.com (ntown.esper.com [216.111.16.26]) by hub.freebsd.org (Postfix) with ESMTP id 2CFEF37B418 for ; Sun, 19 Aug 2001 16:53:02 -0700 (PDT) (envelope-from kcross@ntown.com)
Received: from kjcwin2k (kcross.ntown.esper.com [216.111.19.212]) by ntown.esper.com (8.11.4/8.11.4) with SMTP id f7K00BE08044 for ; Sun, 19 Aug 2001 20:00:11 -0400
Message-ID: <017001c1290a$14962300$0200a8c0@kjc2.com>
From: "Ken Cross"
To:
Subject: DENY ACL's
Date: Sun, 19 Aug 2001 19:53:01 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG

Hi:

The current Posix.1e ACL implementation in -current works great as far as it
goes. I'm sure this has been kicked around before (although I couldn't find
anything in the archives), but it seems like adding "deny" ACLs would be a
useful and fairly straightforward extension.

For those not familiar with it, deny ACLs are ACLs that explicitly deny
access, e.g., group Accountants are allowed access, but user George is
denied access even though he is a member of Accountants. They are used
extensively in the Windows NT/2K world and I need to support them on a BSD
platform.

The implementation is pretty straightforward -- always check deny ACLs first
and then access ACLs. They'd just be a new acl_type_t value
(ACL_TYPE_DENY?).

I'd be happy to help with the implementation (especially since I'll be doing
it regardless). Any interest or things I should know about?

Ken

From owner-freebsd-security Sun Aug 19 17:16:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id EB09637B40B; Sun, 19 Aug 2001 17:16:23 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.5/8.11.5) with SMTP id f7K0GMP34669; Sun, 19 Aug 2001 20:16:22 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Sun, 19 Aug 2001 20:16:21 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "Andrew R. Reiter"
Cc: audit@freebsd.org, security@freebsd.org
Subject: Re: login_cap
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG

Would this make use of the setlogincontext() code in libutil? If so, I'd be
very happy to see that used more pervasively through the system. In
particular, using LOGIN_SETALL with appropriate bits subtracted, rather than
specifying individual bits. The reasoning for this is that my MAC code uses
a new LOGIN_SETLABEL flag, and I noticed a number of existing uses of
setlogincontext() that set only specific bits but leave out parts of the
context setup. Likewise, places in the system where uids/etc are manually
configured, resulting in incorrect setting of additional groups, resource
limits, etc. Given that appropriate enforcement of system resource limits is
now vital to maintaining multi-user systems, being consistent about
enforcing them in all situations is very important.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Fri, 17 Aug 2001, Andrew R. Reiter wrote:

> Hey,
>
> I'm wondering if there's any real interest for patches to be made for some
> services so that they do login class, etc authentication? Such an example
> would be for atrun.c in libexec/atrun/.
>
> In my opinion, it is probably worth doing and getting committed, but if no
> one would commit the patches, I don't see a point in doing them :-)
>
> btw, if you're unfamiliar with login caps, check out login_cap(3) and
> login_class(3).
>
> Andrew
>
> *-------------.................................................
> | Andrew R. Reiter
> | arr@fledge.watson.org
> | "It requires a very unusual mind
> | to undertake the analysis of the obvious" -- A.N. Whitehead
>
>

From owner-freebsd-security Sun Aug 19 17:21:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp10.atl.mindspring.net (smtp10.atl.mindspring.net [207.69.200.246]) by hub.freebsd.org (Postfix) with ESMTP id EE10F37B40F for ; Sun, 19 Aug 2001 17:21:42 -0700 (PDT) (envelope-from lists@alzaid.com)
Received: from rami.alzaid.com (user-38ld88t.dsl.mindspring.com [209.86.161.29]) by smtp10.atl.mindspring.net (8.9.3/8.8.5) with ESMTP id UAA24385 for ; Sun, 19 Aug 2001 20:21:41 -0400 (EDT)
Message-Id: <5.1.0.14.2.20010819201719.02396ff0@mail.alzaid.com>
X-Sender: (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sun, 19 Aug 2001 20:21:39 -0400
To: freebsd-security@FreeBSD.ORG
From: Rami AlZaid
Subject: Re: Rooted
In-Reply-To: <20010818212540.W38221-100000@localhost>
References: <3.0.32.20010819134033.0287f5cc@smtp.magix.com.sg>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG

At 12:26 AM 8/19/2001, you wrote:
>You may also be backdoored; if you weren't running something like tripwire
>to catch changes in your system files, you may want to go ahead and
>re-install FreeBSD entirely. May not be necessary, but it shouldn't hurt.

Would deleting /usr/src, cvsuping all the source, making world and replacing
all the files in /usr/local/etc and /etc remove the backdoors? Or is it
necessary to wipe the hard disk and install everything all over again?
Thanks Rami AlZaid * ICQ # 1071118 WebPages: www.alzaid.com * www.wooyeah.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Aug 19 17:23:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 7DD0A37B401 for ; Sun, 19 Aug 2001 17:23:25 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.5/8.11.5) with SMTP id f7K0NAP34748; Sun, 19 Aug 2001 20:23:11 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Sun, 19 Aug 2001 20:23:10 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Steven Ames Cc: Igor Roshchin , security@FreeBSD.ORG Subject: Re: cvs commit: src/etc inetd.conf In-Reply-To: <021401c1275e$99119540$28d90c42@eservoffice.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 17 Aug 2001, Steven Ames wrote: > So... not having heard any feedback... is it worth spending time on it > to produce patches to inetd (to handle Option #1) and a command line > tool to modify the configuration using either #1 or #2 (below)? Both > are pretty straight forward... Sorry for the delay in responding -- I'm on travel right now. I'm more interested in (2) right now as it maintains compatibility inetd on other platforms, as you suggest. 
If you build a set of utility routines that can support both a command line
tool and a libdialog-based config tool (such as sysinstall), I think this
would be great to include in the base system, as it would make it far easier
for both new users and experienced users to understand the current
configuration, and manage changes.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sun Aug 19 17:51:43 2001
Date: Sun, 19 Aug 2001 19:51:38 -0500
From: Martin McCormick
To: security@FreeBSD.org
Subject: Firewall Rule Logic

I have set up a system in which incoming email is disallowed, but outgoing
mail permitted. The rule I wrote is as follows:

    ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu 25

The rule works fine and blocks incoming smtp mail as well as producing a
line in the log. The firewall passes all ports except this one right now,
but I want to invert the logic and deny and log anything not expressly
permitted. I am asking the question before I succeed in locking myself out.
Can I put a line at the end of the rule chain that goes something like:

    ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu all

and then put one rule per allowed port in to open up just those ports that
we need? The system will be a name server as well as a dhcp server and
nobody needs to be trying to start web sessions or be beating on it for
other services except dns, dhcp and ssh. That's it for now with the possible
exception of snmp, later.

I have lists of the low-numbered ports, but I want to make sure this logic
is correct before I make my life a lot more trouble for a while as the local
console is a bit hard to get to.

Martin McCormick WB5AGZ  Stillwater, OK
OSU Center for Computing and Information Services Data Communications Group

From owner-freebsd-security Sun Aug 19 18:03:01 2001
To: "reza jamshid"
Cc: freebsd-security@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: getting DCC fully functioning with ipnat/ipf
In-Reply-To: Message from "reza jamshid" of "Mon, 20 Aug 2001 07:47:38 +0930."
Message-Id: <200108200102.f7K12bU08800@hak.lan.Awfulhak.org>
Date: Mon, 20 Aug 2001 02:02:37 +0100
From: Brian Somers

Given that you're nat'ing on tun0, I guess you might be using ppp(8). If you
are, throw away your ipnat/ipf stuff and just use ppp's -nat switch instead.
It gets DCC right (as well as other things like pings, traceroute, active
ftp etc (pings may be fixed in ipnat these days - I don't know for sure
though)).

> Hi,
>
> Up until now my firewall/router (FreeBSD 4.3) works fine, but I haven't been
> able to get DCC resuming and send to work from a machine inside my network.
>
> I'm not sure if this has anything to do with my current rules setup, or if I
> am missing something.
>
> >cat /etc/ipnat.rules
>
> map ed0 192.168.1.0/24 -> 0/32
>
> >cat /etc/ipf.rules
>
> # Pass everything out of tun0
>
> block out all
> pass out quick on lo0 all
> pass out quick on ed1 all
> pass out quick on tun0 proto tcp all flags S/SA keep state keep frags
> pass out quick on tun0 proto udp all keep state keep frags
> pass out quick on tun0 proto icmp all keep state keep frags
> pass out quick on tun0 all
>
> # Pass lo0 and dc0, block the rest
>
> block in log all
> pass in quick on lo0 all
> pass in quick on ed1 all
>
>
> I was told that I need to install an irc proxy like tircproxy?
>
> Has anyone done this successfully and can help shed some light?
>
>
> TIA

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
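Martin McCormick's "Firewall Rule Logic" question above asks whether a trailing deny rule plus one allow per service gives default-deny behaviour. The following added example (not code from the thread) models ipfw's first-match rule walk for that layout; the hostname is the one from the posted rule, while rule numbers and ports are constructed sample values.

```python
"""Simulate ipfw's first-match rule walk for a default-deny ruleset.

Added example, not code from the thread. It parses only the subset of ipfw
syntax used here ("<num> allow|deny [log] <proto> from any to <dst> [<port>|all]
[established]") and, in this model, treats a trailing "all" as "any port".
"""
import re

HOST = "a.host.okstate.edu"   # hostname from the posted rule

RULE_RE = re.compile(
    r"(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<log>log\s+)?"
    r"(?P<proto>ip|tcp|udp|icmp)\s+from\s+any\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<port>\d+|all))?(?P<established>\s+established)?$"
)


def parse_rule(text):
    """Turn one rule line into a dict; raises on syntax this model does not cover."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    port = m.group("port")
    return {
        "num": int(m.group("num")),
        "action": m.group("action"),
        "log": bool(m.group("log")),
        "proto": m.group("proto"),
        "dst": m.group("dst"),
        "port": None if port in (None, "all") else int(port),
        "established": bool(m.group("established")),
    }


def matches(rule, pkt):
    """A rule written for "tcp" never sees a UDP packet; "ip" matches every protocol."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt["dst"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt["dport"]:
        return False
    if rule["established"] and not pkt["established"]:
        return False
    return True


def evaluate(rules, pkt, default="deny"):
    """ipfw walks rules in ascending number order and the first match decides.
    Returns (action, rule number, logged). The implicit rule 65535 applies
    `default`, which is deny unless the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if matches(rule, pkt):
            return rule["action"], rule["num"], rule["log"]
    return default, 65535, False


def pkt(proto, dport, established=False):
    """Constructed inbound packet addressed to the host."""
    return {"proto": proto, "dst": HOST, "dport": dport, "established": established}


# The rule proposed in the question, on its own, in a firewall that otherwise
# passes everything: it only ever matches TCP, so UDP services stay wide open.
PROPOSED = [parse_rule(f"400 deny log tcp from any to {HOST} all")]

# Default-deny layout for a DNS/DHCP/ssh host: one allow per service, a rule
# that lets replies to the host's own outbound TCP connections back in, and a
# catch-all "ip" deny numbered *after* every allow. (UDP replies to the host's
# own lookups would need keep-state, which this model does not cover.)
DEFAULT_DENY = [parse_rule(r) for r in (
    f"100 allow tcp from any to {HOST} 22",       # ssh: keep ahead of the deny
    f"110 allow tcp from any to {HOST} 53",       # dns over tcp
    f"120 allow udp from any to {HOST} 53",       # dns over udp
    "130 allow udp from any to any 67",           # dhcp requests arrive as broadcasts
    "200 allow tcp from any to any established",  # return traffic for outbound tcp
    "65000 deny log ip from any to any",          # everything else: deny and log
)]

# Same idea but with the deny left at 400: it sorts ahead of the allows and wins,
# which is exactly the lock-out the question worries about.
MISORDERED = [parse_rule(r) for r in (
    f"1000 allow tcp from any to {HOST} 22",
    "400 deny log ip from any to any",
)]

if __name__ == "__main__":
    print(evaluate(PROPOSED, pkt("udp", 53), default="allow"))   # ('allow', 65535, False)
    print(evaluate(DEFAULT_DENY, pkt("tcp", 80)))                # ('deny', 65000, True)
    print(evaluate(MISORDERED, pkt("tcp", 22)))                  # ('deny', 400, True)
```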
From owner-freebsd-security Sun Aug 19 18:15:37 2001
Date: Sun, 19 Aug 2001 17:10:52 -0700 (PDT)
From: David Kirchner
To: Rami AlZaid
Subject: Re: Rooted
In-Reply-To: <5.1.0.14.2.20010819201719.02396ff0@mail.alzaid.com>
Message-ID: <20010819170743.S38221-100000@localhost>

On Sun, 19 Aug 2001, Rami AlZaid wrote:

> At 12:26 AM 8/19/2001, you wrote:
> >You may also be backdoored; if you weren't running something like tripwire
> >to catch changes in your system files, you may want to go ahead and
> >re-install FreeBSD entirely. May not be necessary, but it shouldn't hurt.
>
> Would deleting /usr/src, cvsuping all the source, making world and
> replacing all the files in /usr/local/etc and /etc remove the backdoors? or
> is it necessary to wipe the hard disk and install everything all over again?
>
> Thanks

If you want to be very careful, wiping the disk would be necessary. A
backdoor could be anywhere, including in programs not part of the base
system (such as bash from ports). It depends on how paranoid you are
however. If you're not too worried, re-installing from a fresh cvsup would
probably be good enough.
You can check to see what programs are running as servers by running:

    netstat -aAn | grep LISTEN
    fstat | grep

(example:

    d29344e0 tcp        0      0  *.25                   *.*                    LISTEN
    root     sendmail    6081    5* internet stream tcp d29344e0
)

If you see anything weird there, you can track down where it came from and
try to re-install that if it turns out to be necessary.

I'd suggest installing some program such as tripwire at this point,
regardless of what you do. Chances are if there is a backdoor and it gets
used, files will be changed/added (little other reason to use a backdoor).

From owner-freebsd-security Sun Aug 19 18:25:08 2001
Date: Sun, 19 Aug 2001 21:24:51 -0400
From: "Jonathan Slivko"
To: Rami AlZaid
Subject: Re: Rooted
Message-Id: <200108192124.AA162071044@stmail.pace.edu>

A full re-install is much better than what you suggested, IMHO.

-- Jonathan

--
Jonathan M. Slivko
Microsoft, is that some kind of toilet paper?
__________________________________________________________________
Sent via the Pace University Mail system at stmail.pace.edu

From owner-freebsd-security Sun Aug 19 18:30:09 2001
Date: Sun, 19 Aug 2001 21:29:59 -0400 (EDT)
From: Robert Watson
To: Ken Cross
Cc: freebsd-security@freebsd.org
Subject: Re: DENY ACL's
In-Reply-To: <017001c1290a$14962300$0200a8c0@kjc2.com>
On Sun, 19 Aug 2001, Ken Cross wrote:

> The current Posix.1e ACL implementation in -current works great as far
> as it goes. I'm sure this has been kicked around before (although I
> couldn't find anything in the archives), but it seems like adding "deny"
> ACL's would be a useful and fairly straightforward extension.
>
> For those not familiar with it, deny ACL's are ACL's that explicitly
> deny access, e.g., group Accountants are allowed access, but user George
> is denied access even though he is a member of Accountants.
>
> They are used extensively in the Windows NT/2K world and I need to
> support them on a BSD platform. The implementation is pretty
> straightforward -- always check deny ACL's first and then access ACL's.
> They'd just be a new acl_type_t value (ACL_TYPE_DENY?).
>
> I'd be happy to help with the implementation (especially since I'll be
> doing it regardless). Any interest or things I should know about?

There are some interesting questions about how you would combine the
POSIX.1e ACL evaluation with subtractive rights of the sort you're talking
about. POSIX.1e does evaluation by a combination of first/best match. It
evaluates based on a "first match" of the general class of rights, and then
"best match" within that class. Here's the current algorithm based on what's
defined in POSIX.1e:

Select a "matching" class using the following:

(1) if effective uid == the file owner, then the file owner permissions
    are used

(2) if the effective uid == one of the additional users, then the
    additional user permissions in question are used

(3) "best match" from effective gid and additional groups using the base
    group permissions and additional groups. "best" in this case is defined
    as the first gid match that grants all the rights requested.
    I don't believe that, in the event there are multiple matches, there is
    a defined ordering for the match, but in the FreeBSD implementation, it
    matches the effective uid before additional groups.

(4) other

So, if you want "subtractive rights" that mix with positive rights, we'll
actually need to fundamentally modify how the algorithm executes. Right now,
it is possible to express some sorts of "negative" rights by taking
advantage of knowledge of the fixed matching components of the algorithm;
the "best" matching in the group section does foil some useful attempts.

You might want to bring this up on the POSIX.1e mailing list, btw, and see
what thoughts the developers of other platforms have on the topic, or
whether this has been approached on other POSIX.1e-esque platforms. I'm glad
that the existing ACL implementation is coming in useful for you.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sun Aug 19 18:37:16 2001
Date: Sun, 19 Aug 2001 21:37:06 -0400
From: "Jonathan Slivko"
To: Ken Cross, Robert Watson
Subject: Re: DENY ACL's
Message-Id: <200108192137.AA78709278@stmail.pace.edu>

But there is 1 thing that both of you forgot to account for, how much load
it would take in order for the deny ACL's to be loaded and to be read,
several times over in a given hour. Any comments on that front?

-- Jonathan

--
Jonathan M. Slivko
js43064n@pace.edu
Head Systems Administrator
4EverMail Hosting Services

From owner-freebsd-security Sun Aug 19 18:53:45 2001
Date: Sun, 19 Aug 2001 21:53:37 -0400 (EDT)
From: Robert Watson
To: Jonathan Slivko
Cc: Ken Cross, freebsd-security@freebsd.org
Subject: Re: DENY ACL's
In-Reply-To: <200108192137.AA78709278@stmail.pace.edu>

On Sun, 19 Aug 2001, Jonathan Slivko wrote:

> But there is 1 thing that both of you forgot to account for, how much
> load it would take in order for the deny ACL's to be loaded and to be
> read, several times over in a given hour. Any comments on that front? --
> Jonathan

I'm not sure I quite understand the question, but I can speak to the
current performance of ACLs in 5.0-CURRENT. Right now, the actual cost of
evaluating the ACL is almost negligible.
The cost is incurred in the association of the ACL with a file or directory,
in particular, due to the current implementation of extended attributes. For
details on this, please see my BSDCon and FREENIX papers. The end result is
that for un-cached ACLs, you pay a one-seek hit on file access control
operations (after that, the ACL typically remains in the cache, and you
benefit from temporal locality a great deal). For complex operations on
un-cached ACLs, you can pay a higher cost, such as for a multi-directory
rename operation.

As part of our recent DARPA CHATS grant, we have funding to reimplement the
EA support in UFS at the FFS layer, with tight soft updates integration.
We're still working with SPAWAR to finish our sub-contracting agreements so
that our sub-contractors can start work on this.

The suggested strategy of introducing an additional ACL type would require
an additional EA read for access control decisions. Chances are, for a
cached ACL, the cost of this would be unnoticeable. However, for an
un-cached evaluation, the cost of access (especially sequential synchronous
read operations) is non-trivial. Given that many consumers of ACLs don't use
the full available 32 slots of struct acl, I would generally think that a
more cost-effective approach would be to integrate the negative ACL entries
into the base access and default ACLs. However, that then bumps into the
issue I discussed in my previous e-mail, relating to the ACL evaluation
algorithm.

I'd be interested in learning more about the NT approach to negative ACLs: I
know that AFS and Coda support this, but they use a fairly different
evaluation scheme for ACLs, which lends itself to this negative notion of
ACLs better. They inspect each ACL entry that is relevant, and union the set
of positive rights, then subtract the union of the negative rights, without
(as I understand it) the "best-match".
I also dislike best-match because, when mixed with a more fine-grained
privilege model, it makes it very difficult to audit exactly what set of
privileges authorized an action (as it leaves it ambiguous).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sun Aug 19 18:57:21 2001
Date: Sun, 19 Aug 2001 21:57:16 -0400 (EDT)
From: Robert Watson
To: Jonathan Slivko
Cc: Ken Cross, freebsd-security@freebsd.org
Subject: Re: DENY ACL's

Just as a general comment on our current ACL implementation: we use POSIX.1e
because it is a (de facto) standard, not because it is perfect. When I
looked at the available ACL models in use outside of FreeBSD, it provided
the best combination of benefits, when weighing factors such as application
portability, UNIX model compatibility, etc.
A number of people spent a great deal of time making POSIX.1e ACLs have
these properties, and although the standard was never finalized, it's no
coincidence that ACLs on almost all major UNIX platforms have the same
semantics, if not the same interface.

On the other hand, I'm personally a big fan of AFS ACLs, which are
associated only with directories (not individual files per se), and exist
side-by-side with a user-managed group model. Sadly, that model integrates
poorly with standard UFS semantics, and departs significantly from the
UNIX/POSIX model in terms of applications failing "nicely" when it comes to
security.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sun Aug 19 19:38:28 2001
Date: Sun, 19 Aug 2001 22:38:28 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
Subject: Re: Rooted
In-Reply-To: <5.1.0.14.2.20010819201719.02396ff0@mail.alzaid.com>

On Sun, 19 Aug 2001, Rami AlZaid wrote:

> At 12:26 AM 8/19/2001, you wrote:
> >You may also be backdoored; if you weren't running something like tripwire
> >to catch changes in your system files, you may want to go ahead and
> >re-install FreeBSD entirely. May not be necessary, but it shouldn't hurt.
>
> Would deleting /usr/src, cvsuping all the source, making world and
> replacing all the files in /usr/local/etc and /etc remove the
> backdoors? or is it necessary to wipe the hard disk and install
> everything all over again?

Are you certain that gcc wasn't backdoored, or install, or what-have-you?

That's one reason among many that you need to wipe the disk and start over,
then install tripwire and chkrootkit the next time around.

--
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Sun Aug 19 20:34:07 2001
Date: Sun, 19 Aug 2001 23:33:56 -0400
From: "Ken Cross"
To: "Robert Watson"
Subject: Re: DENY ACL's
Message-ID: <01ee01c12928$f11fd370$0200a8c0@kjc2.com>

Thanks for the feedback.
In NT (or Win2K), ACL's actually apply to *everything*, not just files, but
the evaluation is the same regardless. Each Access Control Entry (ACE) in
the ACL consists of:

* Type (Allow or Deny)
* Security ID (SID, basically an elaborate uid or gid)
* Access mask -- bit mask of what access is being requested

The access check is straightforward:

1. If a Deny ACE exists for the requesting user (i.e., the user's SID or
   any of his groups' SID's match), access is denied.
2. If an Allow ACE exists for the requesting user, access is allowed.
3. Otherwise, by default, access is denied.

Since the users we're working with are in the Windows environment, they'll
expect similar behavior.

My initial thoughts were just to add step 1. above and then fall through to
the existing checks. Heck, if somebody goes to the trouble of setting a Deny
ACE, we really need to make sure that user/group gets denied.

Step 2. could be the existing ACL tests.

I think Step 3. could be accomplished by setting the "standard" mode bits to
000. That way, they'd only get access if an ACE allowed it.

All access is via Samba, though, so there could be some goofy things done
there. But behavior should be consistent, so I'd rather see it in the
filesystem/kernel.

Good idea about checking in on the Posix.1e mailing list -- I'll do that.
(What's the URL?)

Ken

From owner-freebsd-security Sun Aug 19 23:15:33 2001
Date: Mon, 20 Aug 2001 02:14:43 -0400
From: "ShellsAndHosting.com Administration"
To: "Chris BeHanna"
Subject: Re: Rooted
Message-ID: <000901c1293f$6af67620$0200000a@critter>

Hi,

Install /usr/ports/security/chkrootkit, run it and see what you come up with
before anything.
Regards,

Jason
admin@shellsandhosting.com

----- Original Message -----
From: "Chris BeHanna"
Sent: Sunday, August 19, 2001 10:38 PM
Subject: Re: Rooted

> On Sun, 19 Aug 2001, Rami AlZaid wrote:
>
> > At 12:26 AM 8/19/2001, you wrote:
> > >You may also be backdoored; if you weren't running something like tripwire
> > >to catch changes in your system files, you may want to go ahead and
> > >re-install FreeBSD entirely. May not be necessary, but it shouldn't hurt.
> >
> > Would deleting /usr/src, cvsuping all the source, making world and
> > replacing all the files in /usr/local/etc and /etc remove the
> > backdoors? or is it necessary to wipe the hard disk and install
> > everything all over again?
>
> Are you certain that gcc wasn't backdoored, or install, or
> what-have-you?
>
> That's one reason among many that you need to wipe the disk and
> start over, then install tripwire and chkrootkit the next time around.
>
> --
> Chris BeHanna
> Software Engineer                   (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> I was raised by a pack of wild corn dogs.

From owner-freebsd-security Sun Aug 19 23:47:35 2001
From: "Carroll, D. (Danny)"
Subject: RE: Code Red is from default setup
Date: Mon, 20 Aug 2001 08:50:57 +0200
Message-ID: <98829DC07ECECD47893074C4D525EFC3115625@citsnl007.europe.intranet>

To clarify...

Index server need NOT be installed or even activated for the
vulnerability to exist.
The problem is in the library that handles the request to be sent to
index server.

That means that if you install IIS, you have to patch it.

Also, it's my experience (in The Netherlands anyway) that the ISP's are
being quite helpful. Those that have Code Red on their cable web
servers might be blocked until the ISP can contact the client but for
the most part, they are not blocking port 80.
It seems only to be the real big DSL/Cable companies in some countries
that are doing it.

-D

-----Original Message-----
From: Jim Durham [mailto:durham@w2xo.pgh.pa.us]
Sent: Sunday, August 19, 2001 6:31 AM
To: freebsd-security@freebsd.org
Subject: Code Red is from default setup

My friends who have to deal with M$ server things tell me that the default
setup for Win2k server is that the IIS server is installed. This means
that a clueless person installing Win2k server is probably not going to
uncheck the little box that says to install it.

So, there is this lovely little IIS server sitting there just waiting to
be infected by Code Red. I have tried doing an HTTP connect to perhaps 20
IP addresses collected from "Code Red" attempts on my web server and they
*all* report "This page under construction". I believe these are web
servers that are running unknown to their owners. If this is the case,
then they are *not* going to patch their IIS servers because they
probably don't know they have them, and this silliness is going to keep
right on going 8-(.

One downside of this is that ISPs are starting to block port 80 in an
attempt to kill the bug and those of us who have had the ability to run
web service on our home DSL or cable services are probably going to lose
that ability.

Thanks, Bill....

-Jim Durham

From owner-freebsd-security Sun Aug 19 23:53:39 2001
Date: Mon, 20 Aug 2001 08:53:33 +0200
From: Wilko Bulte
To: "Carroll, D. (Danny)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Code Red is from default setup
Message-ID: <20010820085333.A17285@freebie.xs4all.nl>
In-Reply-To: <98829DC07ECECD47893074C4D525EFC3115625@citsnl007.europe.intranet>

On Mon, Aug 20, 2001 at 08:50:57AM +0200, Carroll, D. (Danny) wrote:

This is *FreeBSD* security, not MickeySoft latest bugs..

> To clarify...
>
> Index server need NOT be installed or even activated for the
> vulnerability to exist.
> The problem is in the library that handles the request to be sent to
> index server.
>
> That means that if you install IIS, you have to patch it.
>
> Also, it's my experience (in The Netherlands anyway) that the ISP's are
> being quite helpful. Those that have Code Red on their cable web
> servers might be blocked until the ISP can contact the client but for
> the most part, they are not blocking port 80.
>
> It seems only to be the real big DSL/Cable companies in some countries
> that are doing it.
>
> -D
>
> -----Original Message-----
> From: Jim Durham [mailto:durham@w2xo.pgh.pa.us]
> Sent: Sunday, August 19, 2001 6:31 AM
> To: freebsd-security@freebsd.org
> Subject: Code Red is from default setup
>
>
> My friends who have to deal with M$ server things tell me that the
> default
> setup for Win2k server is that the IIS server is installed.
--
|   / o / /  _         Arnhem, The Netherlands        email: wilko@FreeBSD.org
|/|/ / / /( (_) Bulte

From owner-freebsd-security Mon Aug 20 0:13: 3 2001
Date: Mon, 20 Aug 2001 02:12:49 -0500
From: Alfred Perlstein
To: Wilko Bulte
Cc: "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG
Subject: Re: Code Red is from default setup
Message-ID: <20010820021249.A81307@elvis.mu.org>
In-Reply-To: <20010820085333.A17285@freebie.xs4all.nl>

* Wilko Bulte [010820 01:53] wrote:
> On Mon, Aug 20, 2001 at 08:50:57AM +0200, Carroll, D. (Danny) wrote:
>
> This is *FreeBSD* security, not MickeySoft latest bugs..

Agreed. Although it would be amusing to detect default.ida requests
and reply with a similar request the difference being that the reply
one reboots/shuts-down the infected box.

I'm surprised no one has suggested crafting such a tool.

--
-Alfred Perlstein [alfred@freebsd.org]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?
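Robert Watson's four-step description of POSIX.1e evaluation, quoted at the top of this section, together with the "check deny ACL's first" proposal he is answering, as an added Python example that is not FreeBSD's kernel code and not from either poster: the entry tags, the hypothetical `deny` list standing in for the proposed ACL_TYPE_DENY, and the uids, gids and files are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Permission bits, in the spirit of acl_perm_t.
R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Entry:
    tag: str              # "user_obj", "user", "group_obj", "group" or "other"
    perms: int
    qualifier: int = -1   # uid for "user", gid for "group"; unused otherwise

@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int              # effective gid
    groups: tuple = ()    # additional groups

@dataclass
class File:
    uid: int
    gid: int
    access: list          # the POSIX.1e access ACL
    deny: list = field(default_factory=list)   # hypothetical ACL_TYPE_DENY entries

def _member(cred, gid):
    return gid == cred.gid or gid in cred.groups

def _grants(entry, requested):
    return requested & entry.perms == requested

def posix1e_access(f, cred, requested):
    """First match on the class (owner, named user, groups, other), then
    best match inside the group class, as the quoted message describes."""
    # (1) file owner: the user_obj entry decides, nothing else is consulted.
    if cred.uid == f.uid:
        return _grants(next(e for e in f.access if e.tag == "user_obj"), requested)
    # (2) a named user entry for this uid decides, even if a group entry
    #     would have granted more.
    for e in f.access:
        if e.tag == "user" and e.qualifier == cred.uid:
            return _grants(e, requested)
    # (3) group class: the file's group entry (if the process is a member)
    #     and every named group the process belongs to are candidates; the
    #     first candidate granting all requested bits wins.  A process that
    #     matches some group entry but is granted enough by none of them is
    #     refused here and never falls through to "other".
    matched = False
    for e in f.access:
        if (e.tag == "group_obj" and _member(cred, f.gid)) or \
           (e.tag == "group" and _member(cred, e.qualifier)):
            matched = True
            if _grants(e, requested):
                return True
    if matched:
        return False
    # (4) other
    return _grants(next(e for e in f.access if e.tag == "other"), requested)

def deny_first_access(f, cred, requested):
    """The proposed extension: subtractive entries are checked before the
    positive algorithm runs, so a deny naming the process's uid or one of
    its gids refuses any overlapping bit regardless of what (1)-(4) grant."""
    for e in f.deny:
        hit = (e.tag == "user" and e.qualifier == cred.uid) or \
              (e.tag == "group" and _member(cred, e.qualifier))
        if hit and e.perms & requested:
            return False
    return posix1e_access(f, cred, requested)

# Constructed example: a report owned by alice, group accountants (gid 200),
# read/write for the group, readable by everyone, with george (uid 1001, an
# accountant) named in a deny entry for read and write.
ACCOUNTANTS, STAFF = 200, 300
ALICE, GEORGE, BOB = Cred(1000, ACCOUNTANTS), Cred(1001, ACCOUNTANTS), Cred(1002, STAFF)

REPORT = File(
    uid=1000, gid=ACCOUNTANTS,
    access=[Entry("user_obj", R | W), Entry("group_obj", R | W), Entry("other", R)],
    deny=[Entry("user", R | W, qualifier=GEORGE.uid)],
)

# Second constructed file showing the group "best match": the owning group
# only gets read, a named group gets read+write, and others get write.
CAROL = Cred(1003, ACCOUNTANTS, groups=(STAFF,))
SHARED = File(
    uid=1000, gid=ACCOUNTANTS,
    access=[Entry("user_obj", R | W), Entry("group_obj", R),
            Entry("group", R | W, qualifier=STAFF), Entry("other", W)],
)

if __name__ == "__main__":
    for who, cred in ("alice", ALICE), ("george", GEORGE), ("bob", BOB):
        print(who, "read:", posix1e_access(REPORT, cred, R),
              "-> with deny checked first:", deny_first_access(REPORT, cred, R))
```

The SHARED case shows the point about "best" matching foiling some attempts: an accountant who is not in staff is refused write by the group class and never reaches the permissive "other" entry.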
From owner-freebsd-security Mon Aug 20 0:16:42 2001
From: "Carroll, D. (Danny)"
To: "Alfred Perlstein", "Wilko Bulte"
Subject: RE: Code Red is from default setup
Date: Mon, 20 Aug 2001 09:20:03 +0200
Message-ID: <98829DC07ECECD47893074C4D525EFC3115629@citsnl007.europe.intranet>

It's been done, except it didn't reboot, but rather patched the box or
removed the mappings (can't remember). Then it searched for other
machines using the same IPsearch algorithm as Code Red.

It wasn't released into the wild, tho, it was just a demonstration that I
read about on another security list.

-D

-----Original Message-----
From: Alfred Perlstein [mailto:bright@mu.org]
Sent: Monday, August 20, 2001 9:13 AM
To: Wilko Bulte
Cc: Carroll, D. (Danny); freebsd-security@FreeBSD.ORG
Subject: Re: Code Red is from default setup

* Wilko Bulte [010820 01:53] wrote:
> On Mon, Aug 20, 2001 at 08:50:57AM +0200, Carroll, D. (Danny) wrote:
>
> This is *FreeBSD* security, not MickeySoft latest bugs..

Agreed. Although it would be amusing to detect default.ida requests
and reply with a similar request the difference being that the reply
one reboots/shuts-down the infected box.

I'm surprised no one has suggested crafting such a tool.

--
-Alfred Perlstein [alfred@freebsd.org]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?

From owner-freebsd-security Mon Aug 20 0:19:49 2001
Date: Mon, 20 Aug 2001 09:19:43 +0200
From: Wilko Bulte
To: Alfred Perlstein
Cc: "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG
Subject: Re: Code Red is from default setup
Message-ID: <20010820091943.D17285@freebie.xs4all.nl>
In-Reply-To: <20010820021249.A81307@elvis.mu.org>

On Mon, Aug 20, 2001 at 02:12:49AM -0500, Alfred Perlstein wrote:
> * Wilko Bulte [010820 01:53] wrote:
> > On Mon, Aug 20, 2001 at 08:50:57AM +0200, Carroll, D. (Danny) wrote:
> >
> > This is *FreeBSD* security, not MickeySoft latest bugs..
>
> Agreed. Although it would be amusing to detect default.ida requests
> and reply with a similar request the difference being that the reply
> one reboots/shuts-down the infected box.
>
> I'm surprised no one has suggested crafting such a tool.

I'm pretty sure that would not be legal everywhere, how tempting it might be.

--
|   / o / /  _         Arnhem, The Netherlands        email: wilko@FreeBSD.org
|/|/ / / /( (_) Bulte

From owner-freebsd-security Mon Aug 20 0:22: 8 2001
Date: Mon, 20 Aug 2001 03:15:30 -0400 (EDT)
From: Tony Collen
To: Alfred Perlstein
Cc: Wilko Bulte, "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG
Subject: Re: Code Red is from default setup
In-Reply-To: <20010820021249.A81307@elvis.mu.org>

On Mon, 20 Aug 2001, Alfred Perlstein wrote:

> * Wilko Bulte [010820 01:53] wrote:
> > On Mon, Aug 20, 2001 at 08:50:57AM +0200, Carroll, D. (Danny) wrote:
> >
> > This is *FreeBSD* security, not MickeySoft latest bugs..
>
> Agreed. Although it would be amusing to detect default.ida requests
> and reply with a similar request the difference being that the reply
> one reboots/shuts-down the infected box.
>
> I'm surprised no one has suggested crafting such a tool.

Simple. Just request something like

/scripts/root.exe?/c+rundll.exe+user.exe,exitwindows

And the box should reboot. You might have to encode the periods and the
commas though.
--
Anthony Collen
manero@manero.org
http://manero.org
--

From owner-freebsd-security Mon Aug 20 0:33:10 2001
Date: Mon, 20 Aug 2001 03:32:57 -0400 (EDT)
From: "Andrew R. Reiter"
To: Robert Watson
Cc: audit@freebsd.org, security@freebsd.org
Subject: Re: login_cap

Cool, a response :-)

I actually didn't know about setlogincontext() until you mentioned it now.
After browsing the login_class.c source, this does seem like a good thing
to utilize -- perhaps a patch to the man page would help too.

I wonder if it's wise if we come up with a list of pieces of code that we
should start moving setlogincontext() into? My first shot would be to go
for the set{u,g}id program and network daemons.

Thoughts?

Cheers,
Andrew

On Sun, 19 Aug 2001, Robert Watson wrote:

:
:Would this make use of the setlogincontext() code in libutil? If so, I'd
:be very happy to see that used more pervasively through the system. In
:particular, using LOGIN_SETALL with appropriate bits subtracted, rather
:than specifying individual bits. The reasoning for this is that my MAC
:code uses a new LOGIN_SETLABEL flag, and I noticed a number of existing
:uses of setlogincontext() that set only specific bits but leave out parts
:of the context setup. Likewise, places in the system where uids/etc are
:manually configured, resulting in incorrect setting of additional groups,
:resource limits, etc. Given that appropriate enforcement of system
:resource limits is now vital to maintaining multi-user systems, being
:consistent about enforcing them in all situations is very important.
:
:Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
:robert@fledge.watson.org      NAI Labs, Safeport Network Services
:
:On Fri, 17 Aug 2001, Andrew R. Reiter wrote:
:
:> Hey,
:>
:> I'm wondering if there's any real interest for patches to be made for some
:> services so that they do login class, etc authentication? Such an example
:> would be for atrun.c in libexec/atrun/.
:>
:> In my opinion, it is probably worth doing and getting committed, but if no
:> one would commit the patches, I don't see a point in doing them :-)
:>
:> btw, if you're unfamiliar with login caps, check out login_cap(3) and
:> login_class(3).
:>
:> Andrew
:>
:> *-------------.................................................
:> | Andrew R. Reiter
:> | arr@fledge.watson.org
:> | "It requires a very unusual mind
:> | to undertake the analysis of the obvious" -- A.N. Whitehead
:

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Mon Aug 20 0:55:25 2001
Date: Mon, 20 Aug 2001 00:55:02 -0700 (PDT)
From: "f.johan.beisser"
To: Tony Collen
Cc: Alfred Perlstein, Wilko Bulte, "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG
Subject: Re: Code Red is from default setup

as interesting as this thread has been, i really don't think it's
appropriate for FreeBSD-Security.

thanks much,

-- jan

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                        jan@caustic.org
  "if my thought-dreams could be seen..
   they'd probably put my head in a guillotine" -- Bob Dylan

From owner-freebsd-security Mon Aug 20 1:16:39 2001
Date: Mon, 20 Aug 2001 10:17:55 +0200 (CEST)
From: solwar
Subject: debugger
Message-ID: <20010820101258.G5213-100000@SOLos.tw>

Anyone know where could i get a debugger for FreeBSD which would display
strings like strace in linux.
Truss displays strings in hex, i need them readable.

From owner-freebsd-security Mon Aug 20 1:19:42 2001
Date: Mon, 20 Aug 2001 04:19:34 -0400 (EDT)
From: "Andrew R. Reiter"
To: solwar
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: debugger
In-Reply-To: <20010820101258.G5213-100000@SOLos.tw>

ktrace

On Mon, 20 Aug 2001, solwar wrote:

:Anyone know where could i get a debugger for FreeBSD which would display
:strings like strace in linux.
:Truss displays strings in hex, i need them readable.

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Mon Aug 20 1:20: 0 2001
Date: Mon, 20 Aug 2001 10:19:44 +0200 (CEST)
From: Dan Larsson
To: solwar
Subject: Re: debugger
In-Reply-To: <20010820101258.G5213-100000@SOLos.tw>
Message-ID: <20010820101907.A27489-100000@hq1.tyfon.net>
Organization: Tyfon Svenska AB

On Mon, 20 Aug 2001, solwar wrote:

| Anyone know where could i get a debugger for FreeBSD which would display
| strings like strace in linux.
| Truss displays strings in hex, i need them readable.

ktrace(1) perhaps?

Regards
+------
Dan Larsson           | Tel:    +46 8 550 120 21
Tyfon Svenska AB      | Fax:    +46 8 550 120 02
GPG and PGP keys      | finger dl@hq1.tyfon.net

From owner-freebsd-security Mon Aug 20 2:50:33 2001
Message-Id: <200108200926.f7K9QiG03818@Magelan.Leidinger.net>
Date: Mon, 20 Aug 2001 11:26:43 +0200 (CEST)
From: Alexander Leidinger
Subject: Re: Code Red is from default setup
To: bright@mu.org
Cc: wkb@freebie.xs4all.nl, Danny.Carroll@mail.ing.nl, freebsd-security@FreeBSD.ORG
In-Reply-To: <20010820021249.A81307@elvis.mu.org>
On 20 Aug, Alfred Perlstein wrote:

>> This is *FreeBSD* security, not MickeySoft latest bugs..
>
> Agreed. Although it would be amusing to detect default.ida requests
> and reply with a similar request the difference being that the reply
> one reboots/shuts-down the infected box.
>
> I'm surprised no one has suggested crafting such a tool.

http://www.onlamp.com/lpt/a//apache/2001/08/16/code_red.html

No, it didn't reboot the infected box, but...

Bye,
Alexander.

--
Loose bits sink chips.

http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7

From owner-freebsd-security Mon Aug 20 4: 4: 5 2001
From: "default - Subscriptions"
Subject: Would like suggestion for an app to write IPFW rules...
Date: Mon, 20 Aug 2001 06:02:36 -0500

Hi,

I am looking for something to enhance my IPFW firewall... (or would take any
other firewall under consideration if there is one that comes suggested for
this type of application) I would like a suggestion on what would be a good
program to detect attacks such as DOSes, port scans, etc., that is capable
of writing IPFW on the fly to block the source of the attacks...

I believe that Snort can do this, but I am not very familiar with this kind
of firewall so...

Thanks!

Jordan

From owner-freebsd-security Mon Aug 20 5:32: 5 2001
Date: Mon, 20 Aug 2001 08:32:08 -0400 (EDT)
From: Ralph Huntington
To: default - Subscriptions
Subject: Re: Would like suggestion for an app to write IPFW rules...
Message-ID: <20010820083115.L98805-100000@mohegan.mohawk.net>

/usr/ports/security/portsentry

On Mon, 20 Aug 2001, default - Subscriptions wrote:

> Hi,
>
> I am looking for something to enhance my IPFW firewall... (or would take any
> other firewall under consideration if there is one that comes suggested for
> this type of application) I would like a suggestion on what would be a good
> program to detect attacks such as DOSes, port scans, etc., that is capable
> of writing IPFW on the fly to block the source of the attacks...
>
> I believe that Snort can do this, but I am not very familiar with this kind
> of firewall so...
>
> Thanks!
>
> Jordan

From owner-freebsd-security Mon Aug 20 5:37:38 2001
Date: Mon, 20 Aug 2001 05:37:09 -0700
From: Kris Kennaway
To: default - Subscriptions
Cc: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Would like suggestion for an app to write IPFW rules...
Message-ID: <20010820053709.A98564@xor.obsecurity.org>

On Mon, Aug 20, 2001 at 06:02:36AM -0500, default - Subscriptions wrote:
> Hi,
>
> I am looking for something to enhance my IPFW firewall... (or would take any
> other firewall under consideration if there is one that comes suggested for
> this type of application) I would like a suggestion on what would be a good
> program to detect attacks such as DOSes, port scans, etc., that is capable
> of writing IPFW on the fly to block the source of the attacks...
>
> I believe that Snort can do this, but I am not very familiar with this kind
> of firewall so...

Can be a dangerous idea, since it's usually trivial to spoof an "attack"
coming from a critical server like your DNS servers, and cause your
system to deny itself from the internet. If you have a 'default to
deny' firewall and a sensible security policy for the remaining enabled
ports then an active response doesn't really buy you anything anyway.

Kris

From owner-freebsd-security Mon Aug 20 6: 0: 6 2001
Date: Mon, 20 Aug 2001 09:00:10 -0400
From: Emlyn Murphy
To: freebsd-security@freebsd.org
Subject: yet another ipfw question
Message-ID: <20010820090010.A42499@chhsweb.gsu.edu>
Reply-To: Emlyn Murphy
Greetings all,

I have a probably easily answerable question about repeatedly denied
packets. I run a web server which I use ipfw on to leave open only the
ports I use (undoubtedly a common scenario). The only weird thing is,
every day I get the exact same denied packets. To me, it doesn't seem like
a potential problem, but I am still curious as to what causes this sort of
thing.

This is what I get for the denied packets when the security report runs:

> 00900 1995 663805 deny ip from 0.0.0.0/8 to any in recv tl0
> 01800 111327 6146217 deny ip from any to 240.0.0.0/4 in recv tl0
> 65435 183243 28291342 deny log logamount 100 ip from any to any

Which is obviously caught by this set of rules (this is only a snippet of
my rules):

# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif

I'm in a rather chaotic university environment, so I have come to expect a
certain amount of weird stuff like this. I was just wondering if anyone
could explain what sort of programs cause this repetitive behavior.

Thanks in advance!

--
Emlyn Murphy
http://www.emlyn.net/


Date: Mon, 20 Aug 2001 09:39:03 -0400 (EDT)
From: "Ilmar S. Habibulin"
To: Ken Cross
Cc: freebsd-fs@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: DENY ACL's
In-Reply-To: <028401c1296d$6b01f8f0$0200a8c0@kjc2.com>

On Mon, 20 Aug 2001, Ken Cross wrote:

> The particular case you show would work, but others won't.

I think that the example given below is the result of a badly formed
security policy.

> For example, suppose the user is a member of GroupA which is allowed access
> and also a member of GroupB which is denied access, e.g. "setfacl -m
> g:GroupA:rwx,g:GroupB: file". (There's no user-specific ACL.)
> All "deny" ACL's must be checked first, so the user should be denied. Under
> the current scheme, I think the "best match" would allow access.

Yes, the user will have access to the file, but why shouldn't he have it?

> Good thought, though. Thanks.

You are welcome.
;-)


Date: Mon, 20 Aug 2001 10:12:49 -0400
From: "Ken Cross"
To: "Ilmar S. Habibulin"
Subject: Re: DENY ACL's
Message-ID: <000f01c12982$321d68c0$0200a8c0@kjc2.com>

> > The particular case you show would work, but others won't.
>
> I think that the example given below is the result of a badly formed
> security policy.

Not really. There are real cases in large organizations where that
configuration is perfectly legitimate. OTOH, it is often the result of
"quick-fix" solutions. But that's the real world...

> > For example, suppose the user is a member of GroupA which is allowed access
> > and also a member of GroupB which is denied access, e.g. "setfacl -m
> > g:GroupA:rwx,g:GroupB: file". (There's no user-specific ACL.)
> > All "deny" ACL's must be checked first, so the user should be denied. Under
> > the current scheme, I think the "best match" would allow access.
>
> Yes, the user will have access to the file, but why shouldn't he have it?

For whatever reason, the administrators decided to explicitly deny access
to GroupB. By definition, that *must* be honored first. I don't make the
rules, but I gotta live by them. ;-)

Ken


Date: Mon, 20 Aug 2001 16:28:21 +0200
From: Mark Rowlands
To: Kris Kennaway, default - Subscriptions
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Would like suggestion for an app to write IPFW rules...
Message-Id: <01082016282101.04869@pcmarpxy.tninet.se>
In-Reply-To: <20010820053709.A98564@xor.obsecurity.org>

On Monday 20 August 2001 14:37, Kris Kennaway wrote:
> On Mon, Aug 20, 2001 at 06:02:36AM -0500, default - Subscriptions wrote:
> > Hi,
> >
> > I am looking for something to enhance my IPFW firewall... (or would take
> > any other firewall under consideration if there is one that comes
> > suggested for this type of application) I would like a suggestion on what
> > would be a good program to detect attacks such as DOSes, port scans,
> > etc., that is capable of writing IPFW on the fly to block the source of
> > the attacks...
> >
> > I believe that Snort can do this, but I am not very familiar with this
> > kind of firewall so...
>
> Can be a dangerous idea, since it's usually trivial to spoof an
> "attack" coming from a critical server like your DNS servers, and
> cause your system to deny itself from the internet. If you have a
> 'default to deny' firewall and a sensible security policy for the
> remaining enabled ports then an active response doesn't really buy you
> anything anyway.
>
> Kris

but it feels soooooo good :-)

seriously though... active response... bad... you really have no idea
whether you are hitting a bad guy or an innocent dupe or even yourself
without very big exclude lists... and those will need maintaining... ussch.

snort is very good, it does not actively respond although there is a
plugin you can use for that and it is very easy to deploy and comes with
some very nice analysis tools these days.
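Kris's and Mark's objection above in working form, as an added example that is not code from the thread, portsentry or snort: before a sensor's alert becomes an ipfw rule, the reported source is checked against a never-block list and the alert must rest on evidence a single forged packet cannot supply, and only then is a rule in the form used above emitted. The addresses, the Event class and the sample alerts are constructed for the example.

```python
"""Guard for detector-driven ipfw blocking.

Added example, not code from the thread, portsentry or snort. It models the
two controls the replies above ask for before a sensor is allowed to write
ipfw rules on the fly: a lone SYN or UDP datagram can carry a forged source
address, so acting on it lets anyone make the box block its own resolver or
gateway. Addresses, the event format and the sample events are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Addresses the automatic blocker must never touch, whatever a sensor says.
# On a real box this list would be built from the host's own addresses,
# /etc/resolv.conf, the default route and any upstream monitoring hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",        # loopback
    "192.0.2.10/32",      # constructed: this host's public address
    "192.0.2.1/32",       # constructed: default gateway
    "198.51.100.53/32",   # constructed: primary resolver
    "198.51.100.54/32",   # constructed: secondary resolver
)]

OUTSIDE_IF = "tl0"   # outside interface, as in the ipfw rules quoted above


@dataclass
class Event:
    """One alert from a sensor such as portsentry or snort (constructed)."""
    src: str          # source address reported by the sensor
    kind: str         # what the sensor classified it as
    handshake: bool   # True only if a full TCP three-way handshake completed


def protected(addr: str) -> bool:
    """True if addr falls inside any never-block network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def decide(ev: Event) -> Tuple[str, str]:
    """Return (action, reason) for one event.

    "block" - emit an ipfw rule
    "log"   - record it but do not block (the evidence could be forged)
    "skip"  - never block this source
    """
    if protected(ev.src):
        return "skip", "source is on the never-block list"
    if not ev.handshake:
        # A SYN or a UDP datagram proves nothing about who sent it.
        return "log", "source not confirmed by a handshake; log only"
    return "block", f"{ev.kind} from confirmed source"


def ipfw_rule(src: str, rule_no: int, iface: str = OUTSIDE_IF) -> str:
    """ipfw command text that blocks src on the outside interface."""
    ipaddress.ip_address(src)  # raise on garbage before it reaches a shell
    return f"ipfw add {rule_no} deny ip from {src} to any in via {iface}"


def plan(events: List[Event], first_rule: int = 5000) -> List[str]:
    """Turn a batch of events into ipfw commands, one rule number per source."""
    rules, seen, rule_no = [], set(), first_rule
    for ev in events:
        action, _ = decide(ev)
        if action == "block" and ev.src not in seen:
            seen.add(ev.src)
            rules.append(ipfw_rule(ev.src, rule_no))
            rule_no += 1
    return rules


if __name__ == "__main__":
    # Constructed sample: a "scan" bearing our resolver's address, a lone SYN
    # sweep, and a scan from a source that did complete connections.
    sample = [
        Event("198.51.100.53", "portscan", handshake=False),
        Event("203.0.113.7", "portscan", handshake=False),
        Event("203.0.113.9", "portscan", handshake=True),
        Event("203.0.113.9", "portscan", handshake=True),
    ]
    for ev in sample:
        print(ev.src, *decide(ev))
    for rule in plan(sample):
        print(rule)
```

Rules produced this way still need an expiry mechanism (a cron job that deletes them), since ipfw itself keeps them until reboot.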
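The ACL case from the DENY ACL's thread above (Ken Cross and Ilmar S. Habibulin), as an added example that is neither FreeBSD's ACL code nor code from the thread: a user in GroupA (rwx) and GroupB (no permissions) is evaluated under three orders, the best-match behaviour Ken describes, the deny-first behaviour he asks for, and an ordered first-match, so the difference shows up in results rather than in argument. The entry parser, names and sample ACLs are constructed.

```python
"""Three evaluation orders for the ACL case from the DENY ACL's thread.

Added example, not code from the thread or from FreeBSD. It models Ken
Cross's case above: a user who is in GroupA (entry grants rwx) and in GroupB
(entry grants nothing), as set by "setfacl -m g:GroupA:rwx,g:GroupB: file".
"best-match" is the behaviour Ken describes (any group entry covering the
request grants), "deny-first" is what he asks for (an empty entry for one of
the user's groups refuses), and "first-match" lets the first applicable
entry in ACL order decide. Parsing, names and sample data are constructed.
"""
from typing import Dict, Iterable, List, NamedTuple, Set


class Entry(NamedTuple):
    tag: str         # "u" (named user) or "g" (named group)
    qualifier: str   # the user or group name
    perms: Set[str]  # subset of {"r", "w", "x"}; an empty set grants nothing


def parse_acl(spec: str) -> List[Entry]:
    """Parse setfacl-style text such as 'g:GroupA:rwx,g:GroupB:' in order."""
    entries = []
    for item in spec.split(","):
        tag, qualifier, perms = item.split(":")
        if tag not in ("u", "g") or not set(perms) <= {"r", "w", "x"}:
            raise ValueError(f"bad ACL entry: {item!r}")
        entries.append(Entry(tag, qualifier, set(perms)))
    return entries


def applicable(entries: Iterable[Entry], user: str, groups: Set[str]) -> List[Entry]:
    """Entries naming this user or one of the user's groups, in ACL order."""
    return [e for e in entries
            if (e.tag == "u" and e.qualifier == user)
            or (e.tag == "g" and e.qualifier in groups)]


def best_match(entries, user, groups, want: Set[str]) -> bool:
    """Allow if any applicable entry covers every requested permission."""
    return any(want <= e.perms for e in applicable(entries, user, groups))


def deny_first(entries, user, groups, want: Set[str]) -> bool:
    """Refuse if any applicable entry grants nothing; otherwise as best-match."""
    hits = applicable(entries, user, groups)
    if any(not e.perms for e in hits):
        return False
    return any(want <= e.perms for e in hits)


def first_match(entries, user, groups, want: Set[str]) -> bool:
    """The first applicable entry in ACL order decides; no entry means deny."""
    for e in applicable(entries, user, groups):
        return want <= e.perms
    return False


STRATEGIES = {"best-match": best_match, "deny-first": deny_first,
              "first-match": first_match}


def evaluate(spec: str, user: str, groups: Set[str], want: Set[str]) -> Dict[str, bool]:
    """Run all three strategies on one ACL and one access request."""
    acl = parse_acl(spec)
    return {name: fn(acl, user, groups, want) for name, fn in STRATEGIES.items()}


if __name__ == "__main__":
    groups = {"GroupA", "GroupB"}   # constructed: UserA is in both groups
    cases = [
        "g:GroupA:rwx,g:GroupB:",              # Ken's case
        "g:GroupB:,g:GroupA:rwx",              # same entries, deny listed first
        "u:UserA:rwx,g:GroupB:,g:GroupA:rwx",  # a named-user entry added
    ]
    for spec in cases:
        print(spec)
        for name, allowed in evaluate(spec, "UserA", groups, {"r"}).items():
            print(f"  {name:12} -> {'allow' if allowed else 'deny'}")
```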
Date: Mon, 20 Aug 2001 10:39:46 -0400 (EDT)
From: Chris BeHanna
Subject: Re: DENY ACL's
In-Reply-To: <000f01c12982$321d68c0$0200a8c0@kjc2.com>

On Mon, 20 Aug 2001, Ken Cross wrote:

> > > The particular case you show would work, but others won't.
> >
> > I think that the example given below is the result of a badly formed
> > security policy.
>
> Not really. There are real cases in large organizations where that
> configuration is perfectly legitimate. OTOH, it is often the result of
> "quick-fix" solutions. But that's the real world...
>
> > > For example, suppose the user is a member of GroupA which is allowed access
> > > and also a member of GroupB which is denied access, e.g. "setfacl -m
> > > g:GroupA:rwx,g:GroupB: file". (There's no user-specific ACL.)
> > > All "deny" ACL's must be checked first, so the user should be denied. Under
> > > the current scheme, I think the "best match" would allow access.
> >
> > Yes, the user will have access to the file, but why shouldn't he have it?
>
> For whatever reason, the administrators decided to explicitly deny access to
> GroupB. By definition, that *must* be honored first. I don't make the
> rules, but I gotta live by them. ;-)

Perhaps I misremember, but weren't there access control systems
that use "first match" syntax? That would (partly) solve this
problem:

GroupB:
GroupA:rwx

Here, GroupB would match first, and the user would be denied; however,
another rule can be added:

UserA:rwx
GroupB:
GroupA:rwx

and all is well with the world.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.


Date: Mon, 20 Aug 2001 11:01:21 -0400
From: "Ken Cross"
To: "Chris BeHanna"
Subject: Re: DENY ACL's
Message-ID: <001b01c12988$f99cabd0$0200a8c0@kjc2.com>

As currently implemented, the FreeBSD ACL checks use a "best match"
algorithm. It checks *all* group ACLs for one that matches the requested
permissions. If found (as it would in the case below), access is allowed.

That's why I need a "deny" ACL.

Ken

> Perhaps I misremember, but weren't there access control systems
> that use "first match" syntax? That would (partly) solve this
> problem:
>
> GroupB:
> GroupA:rwx
>
> Here, GroupB would match first, and the user would be denied; however,
> another rule can be added:
>
> UserA:rwx
> GroupB:
> GroupA:rwx
>
> and all is well with the world.
>
> --
> Chris BeHanna


Date: Mon, 20 Aug 2001 10:34:32 -0700 (PDT)
From: klein brock
To: FreeBSD-security@FreeBSD.org
Message-ID: <20010820173432.18005.qmail@web20108.mail.yahoo.com>


Date: Mon, 20 Aug 2001 10:39:10 -0700
From: Erick Mechler
To: Martin McCormick
Cc: security@FreeBSD.ORG
Subject: Re: Firewall Rule Logic
Message-ID: <20010820103910.B36920@techometer.net>

You'll want to set up something that goes like this:

...deny spoofing attacks
...allow all from localhost
...allow all established tcp connections
...allow all outgoing tcp connections
...allow specific ports (such as ssh, smtp, etc)
...deny all tcp connections

You'll want to duplicate this basic setup for your UDP/ICMP rules, etc.

:: Can I put a line at the end of the rule chain that goes
:: something like:
::
:: ${fwcmd} add 400 deny log tcp from any to a.host.okstate.edu all
:: and then put one rule per allowed port in to open up just those
:: ports that we need?

I have the following rule to disallow all outside access:

${fwcmd} add deny log tcp from any to any in via ${oif}

The ${oif} part can be important if your box is doing routing, or has more
than one interface.

--Erick


Date: Mon, 20 Aug 2001 13:53:24 -0400
From: "Adam Tuttle"
Subject: Protection.
Message-ID: <003501c129a1$025e6a20$bc8ce440@Tracey>

Thanks guys, I used some of the stuff you told me to and found out I have
no backdoors on my box, now I patched telnet and got it working fine, I was
just wondering if you could name some good types of protections e.g:
firewalls, scanners, etc...

Thanks

Adam
Date: Mon, 20 Aug 2001 13:53:58 -0400 (EDT)
From: Rob Simmons
To: David Kirchner
Cc: Rami AlZaid
Subject: Re: Rooted
In-Reply-To: <20010819170743.S38221-100000@localhost>
Message-ID: <20010820135041.T91853-100000@mail.wlcg.com>

> If you want to be very careful, wiping the disk would be necessary. A
> backdoor could be anywhere, including in programs not part of the base
> system (such as bash from ports). It depends on how paranoid you are
> however. If you're not too worried, re-installing from a fresh cvsup would
> probably be good enough. You can check to see what programs are running as
> servers by running:
>
> netstat -aAn | grep LISTEN
> fstat | grep

sockstat is a utility that combines the functionality of those two commands
- good stuff.


Date: Mon, 20 Aug 2001 20:56:25 +0300
From: Yonatan Bokovza
To: 'Adam Tuttle', freebsd-security@freebsd.org
Subject: RE: Protection.

see http://www.freebsd.org/handbook/security.html

Best Regards,

Yonatan Bokovza
IT Security Consultant
Xpert Systems

-----Original Message-----
From: Adam Tuttle [mailto:adamtuttle@sympatico.ca]
Sent: Monday, August 20, 2001 20:53
To: freebsd-security@freebsd.org
Subject: Protection.

Thanks guys, I used some of the stuff you told me to and found out I have
no backdoors on my box, now I patched telnet and got it working fine, I was
just wondering if you could name some good types of protections e.g:
firewalls, scanners, etc...

Thanks

Adam


Date: Mon, 20 Aug 2001 14:04:54 -0400 (EDT)
From: Igor Roshchin
To: admin@redshells.net, silence@oksala.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: getting DCC fully functioning with ipnat/ipf
Message-Id: <200108201804.f7KI4sd78245@giganda.komkon.org>
In-Reply-To: <3B804D4D.16BEE19E@redshells.net>

I was not able to find out if this proxy works with ipfw.
Is there such a proxy that does?

Any other alternatives as for how to get DCC through ipfw on the same host?

Thanks,

Igor

> Date: Sun, 19 Aug 2001 18:35:41 -0500
> From: Chris
>
> Actually, dcc send uses a random port. Just use tircproxy which can be
> found in the ports collection. /usr/ports/irc/tircproxy It works fine
> with ipf.
>
> Good luck,
> Chris


Date: Mon, 20 Aug 2001 19:10:00 +0100
From: Brian Somers
To: Igor Roshchin
Cc: admin@redshells.net, silence@oksala.org, freebsd-security@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: getting DCC fully functioning with ipnat/ipf
Message-Id: <200108201810.f7KIA0U89067@hak.lan.Awfulhak.org>
In-Reply-To: Message from Igor Roshchin of "Mon, 20 Aug 2001 14:04:54 EDT." <200108201804.f7KI4sd78245@giganda.komkon.org>

libalias (ie, ppp -nat or natd) with the punch_fw command.

> I was not able to find out if this proxy works with ipfw.
> Is there such a proxy that does?
>
> Any other alternatives as for how to get DCC through ipfw on the same host?
>
> Thanks,
>
> Igor
>
>
> > Date: Sun, 19 Aug 2001 18:35:41 -0500
> > From: Chris
> >
> > Actually, dcc send uses a random port.
Just use tircproxy which can be > > found in the ports collection. /usr/ports/irc/tircproxy It works fine > > with ipf. > > > > Good luck, > > Chris -- Brian http://www.freebsd-services.com/ Don't _EVER_ lose your sense of humour ! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 20 13:29:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from falcon.mail.pas.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id 61F6037B403 for ; Mon, 20 Aug 2001 13:29:17 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.247.136.151.Dial1.SanJose1.Level3.net [209.247.136.151]) by falcon.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id NAA15343; Mon, 20 Aug 2001 13:27:57 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f7KKPRM64806; Mon, 20 Aug 2001 13:25:27 -0700 (PDT) (envelope-from cjc) Date: Mon, 20 Aug 2001 13:24:57 -0700 From: "Crist J. Clark" To: Emlyn Murphy Cc: freebsd-security@FreeBSD.ORG Subject: Re: yet another ipfw question Message-ID: <20010820132457.J313@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20010820090010.A42499@chhsweb.gsu.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010820090010.A42499@chhsweb.gsu.edu>; from emlyn@gsu.edu on Mon, Aug 20, 2001 at 09:00:10AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Aug 20, 2001 at 09:00:10AM -0400, Emlyn Murphy wrote: [snip] > > 00900 1995 663805 deny ip from 0.0.0.0/8 to any in recv tl0 Most likely machines looking for DHCP servers. They use 0.0.0.0 as a source address during the discover phase. 
I've also frequently seen broken packets with source addresses in the 1-net coming in from the Internet. > > 01800 111327 6146217 deny ip from any to 240.0.0.0/4 in recv tl0 Local broadcasts (255.255.255.255) are going to fall into this range. Other than that, there really shouldn't be much going on up there in the Class E range. > > 65435 183243 28291342 deny log logamount 100 ip from any to any You're logging these, so you should see some of them. I assume this is the default deny catching _everything_ that doesn't pass. There is undoubtably a _lot_ of different stuff going on in here. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 20 14:17:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from ciberteca.com (ciberteca.com [62.22.90.24]) by hub.freebsd.org (Postfix) with SMTP id 0498B37B417 for ; Mon, 20 Aug 2001 14:17:23 -0700 (PDT) (envelope-from koji@ciberteca.com) Received: (qmail 66347 invoked from network); 20 Aug 2001 21:24:03 -0000 Received: from unknown (HELO daemon) (62.82.25.176) by ciberteca.com with SMTP; 20 Aug 2001 21:24:03 -0000 Message-ID: <002601c129bd$b1f58560$0164a8c0@daemon> From: "Koji" To: Subject: chroot named Date: Mon, 20 Aug 2001 23:18:42 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, i'm configuring named with chroot, but i have two questions. Is necesary the files ld-elf.so.1, libc.so.4, libutil.so.3 and named-xfer ? 
I have trying the named with and without this files and works correctly (two forms works correctly ). what are the files indispensables really? What are the best perms for /etc/namedb/chroot? chown -R bind:bind /etc/namedb/chroot chmod -R 750 /etc/namedb/chroot (handbook's documentation, all files) or chown -R bind:bind /etc/namedb/chroot/etc/namedb/s chmod -R 750 /etc/namedb/chroot/etc/namedb/s (only domain configuration files) thanks To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 20 14:24:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 5758937B415 for ; Mon, 20 Aug 2001 14:24:32 -0700 (PDT) (envelope-from davidk@accretivetg.com) Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f7KKJt663637; Mon, 20 Aug 2001 13:19:55 -0700 (PDT) Date: Mon, 20 Aug 2001 13:19:55 -0700 (PDT) From: David Kirchner X-X-Sender: To: Koji Cc: Subject: Re: chroot named In-Reply-To: <002601c129bd$b1f58560$0164a8c0@daemon> Message-ID: <20010820131925.S38221-100000@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 20 Aug 2001, Koji wrote: > > Hi, i'm configuring named with chroot, but i have two questions. > > Is necesary the files ld-elf.so.1, libc.so.4, libutil.so.3 and named-xfer ? > I have trying the named with and without this files and works correctly > (two forms works correctly ). what are the files indispensables really? 
You can find out which libraries are needed for a program by running 'ldd' on them, for example:

$ ldd /usr/libexec/named-xfer
/usr/libexec/named-xfer:
        libc.so.3 => /usr/lib/libc.so.3 (0x1806a000)

From owner-freebsd-security Mon Aug 20 14:56:17 2001
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:54.ports-telnetd
Reply-To: security-advisories@FreeBSD.org
Date: Mon, 20 Aug 2001 14:55:53 -0700 (PDT)
Message-Id: <200108202155.f7KLtru62773@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:54                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          telnetd contains remote buffer overflow

Category:       ports
Modules:        krb5/heimdal/SSLtelnet
Announced:      2001-08-20
Credits:        Sebastian
Affects:        Ports collection prior to the correction date.
Corrected:      2001-07-19 21:43:41 UTC (heimdal)
                2001-07-24 15:29:39 UTC (krb5)
                SSLtelnet port not yet corrected
FreeBSD only:   NO

I.   Background

telnetd is the server for the telnet remote virtual terminal protocol.

II.
Problem Description

This advisory is closely related to the previously released FreeBSD-SA-01:49.telnetd.v1.1 advisory. That advisory pertains to the telnetd included in the base FreeBSD system. This advisory pertains to optional third-party telnetd implementations found in the FreeBSD ports collection.

An overflowable buffer was found in the versions of telnetd included with several ports. These ports include:

MIT Kerberos V (security/krb5) prior to version 1.2.2_2
Heimdal (security/heimdal) prior to version 0.4b_1
SSLtelnet (net/SSLtelnet) - this port is not yet fixed; see below.

Due to incorrect bounds checking of data buffered for output to the remote client, an attacker can cause the telnetd process to overflow the buffer and crash, or execute arbitrary code as the user running telnetd, usually root. A valid user account and password is not required to exploit this vulnerability, only the ability to connect to a telnetd server.

These ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 5600 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.3 is vulnerable to this problem since it was discovered after its release, but the problems with the krb5 and heimdal ports were corrected prior to the (forthcoming) release of FreeBSD 4.4.

The SSLtelnet vulnerability has not yet been corrected: due to divergences in the code, it is more difficult to correct the vulnerability in that port. This advisory will be reissued once the vulnerability is corrected.

III. Impact

Remote users can cause arbitrary code to be executed as the user running telnetd, usually root.

IV.  Workaround

1) Disable the telnet service, which is usually run out of inetd: comment out lines in /etc/inetd.conf that begin with the word `telnet', if present, e.g.
telnet  stream  tcp     nowait  root    /usr/local/libexec/telnetd  telnetd
telnet  stream  tcp6    nowait  root    /usr/local/libexec/telnetd  telnetd

and execute the following command as root:

# kill -HUP `cat /var/run/inetd.pid`

2) Impose access restrictions using TCP wrappers (/etc/hosts.allow), or a network-level packet filter such as ipfw(8) or ipf(8) on the perimeter firewall or the local machine, to limit access to the telnet service to trusted machines.

3) Deinstall the affected ports/packages if they are installed.

V.   Solution

The updated ports include fixes for this vulnerability:

krb5-1.2.2_2 and later
heimdal-0.4b_1 and later

1) Upgrade your entire ports collection and rebuild the affected ports (packages are not currently available for these ports).

2) Download a new port skeleton for the affected ports from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) Use the portcheckout utility to automate option (2) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.
Affected port (module)    Path                                                                Revision
- -------------------------------------------------------------------------
MIT Kerberos V (krb5)     ports/security/krb5/Makefile                                        1.27
                          ports/security/krb5/files/patch-appl::telnet::telnetd::authenc.c    1.1
                          ports/security/krb5/files/patch-appl::telnet::telnetd::ext.h        1.2
                          ports/security/krb5/files/patch-appl::telnet::telnetd::slc.c        1.1
                          ports/security/krb5/files/patch-appl::telnet::telnetd::state.c      1.2
                          ports/security/krb5/files/patch-appl::telnet::telnetd::telnetd.c    1.2
                          ports/security/krb5/files/patch-appl::telnet::telnetd::termstat.c   1.1
                          ports/security/krb5/files/patch-appl::telnet::telnetd::utility.c    1.2
Heimdal (heimdal)         ports/security/heimdal/Makefile                                     1.39
                          ports/security/heimdal/files/patch-ad                               1.6
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO4GGS1UuHi5z0oilAQENdgQAn48FDb8KqMftJGSS2ueRb9aZPuosS/3T
2I6AC3AOtBIKe+3fhnURdivPIXBWMZ4GyzkctfvQ0NaKUnnVqTzoxdSVN4wStJ1e
yXdJ9b4d5lyKvT0+JJI9IMylcA5o5kp5b36OpkB48Oo3y/4ZdiskJn3ZoU4zpBeU
+uCUTpg3TGM=
=SChg
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 20 15:56:44 2001
Date: Tue, 21 Aug 2001 00:56:38
+0200 (CEST)
From: Göran Hasse
To: freebsd-security@FreeBSD.ORG
Message-Id: <200108202256.AAA61496@gandalf.Raditex.se>

auth 16740ba2 subscribe freebsd-security gh@raditex.se

From owner-freebsd-security Mon Aug 20 16:16:15 2001
From: "Koji"
To: "David Kirchner"
Subject: RE: chroot named
Date: Tue, 21 Aug 2001 01:17:32 +0200
Message-ID: <00a401c129ce$4c63df60$0164a8c0@daemon>

> You can find out which libraries are needed for a program by running 'ldd'
> on them, for example:
>
> $ ldd /usr/libexec/named-xfer
> /usr/libexec/named-xfer:
>         libc.so.3 => /usr/lib/libc.so.3 (0x1806a000)
>

# ldd /usr/libexec/named-xfer
/usr/libexec/named-xfer:
        libc.so.4 => /usr/lib/libc.so.4 (0x2809c000)

# ldd /usr/sbin/named
/usr/sbin/named:
        libc.so.4 => /usr/lib/libc.so.4 (0x280dd000)

My chroot environment doesn't have any library and works correctly. Why?
# ls /etc/namedb/chroot
dev     etc     usr     var

thanks

From owner-freebsd-security Mon Aug 20 16:25:27 2001
From: Chris Faulhaber
To: Koji
Cc: David Kirchner, freebsd-security@freebsd.org
Subject: Re: chroot named
Date: Mon, 20 Aug 2001 19:25:12 -0400
Message-ID: <20010820192512.A11150@peitho.fxp.org>
References: <00a401c129ce$4c63df60$0164a8c0@daemon>
In-Reply-To: <00a401c129ce$4c63df60$0164a8c0@daemon>

On Tue, Aug 21, 2001 at 01:17:32AM +0200, Koji wrote:
>
> # ldd /usr/libexec/named-xfer
> /usr/libexec/named-xfer:
>         libc.so.4 => /usr/lib/libc.so.4 (0x2809c000)
>
> # ldd /usr/sbin/named
> /usr/sbin/named:
>         libc.so.4 => /usr/lib/libc.so.4 (0x280dd000)
>
> My chroot environment doesn't have any library and works correctly. Why?
>
> # ls /etc/namedb/chroot
> dev     etc     usr     var
>

Because you aren't doing zone transfers?
When you start bind, it executes in the real system then chroots itself, never needing the chrooted bin/libs. If you do zone transfers you will need the appropriate bin (named-xfer) and associated libs in the chrooted dirs. You can also create a statically-linked named-xfer and forget the libs altogether. See http://www.fxp.org/jedgar/misc/bind.txt for step-by-step instructions.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjuBnFcACgkQObaG4P6BelCIaQCeMHychyKZIh6mjgsFBJHvtQm7
ncEAn374GQ9QYb3OXtvZGWRhpc6cg7j6
=UxYF
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 20 16:48:13 2001
From: "Peter Avalos"
To: "'Chris Faulhaber'", "'Koji'"
Cc: "'David Kirchner'"
Subject: RE: chroot named
Date: Mon, 20 Aug 2001 18:48:58 -0500
Message-ID: <005901c129d2$af7d4ce0$1f01a8c0@tequila>
In-Reply-To: <20010820192512.A11150@peitho.fxp.org>
> > My chroot environment doesn't have any library and works correctly. Why?
> >
> > # ls /etc/namedb/chroot
> > dev     etc     usr     var
> >

libs come from usr/lib/

--Pete

From owner-freebsd-security Mon Aug 20 17:00:52 2001
From: Mark.Andrews@isc.org
To: David Kirchner
Cc: Koji, freebsd-security@FreeBSD.ORG
Subject: Re: chroot named
In-reply-to: Your message of "Mon, 20 Aug 2001 13:19:55 MST." <20010820131925.S38221-100000@localhost>
Date: Tue, 21 Aug 2001 10:00:19 +1000
Message-Id: <200108210000.f7L00Kr15921@drugs.dv.isc.org>

Or get BIND 9. It doesn't require any libraries in the chroot area.
	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

From owner-freebsd-security Mon Aug 20 20:25:22 2001
From: "Andrew Dean"
Reply-To: "Andrew Dean"
Subject: tun0 keeping old IP's?
Date: Tue, 21 Aug 2001 13:23:20 +1000
Message-ID: <006901c129f0$a1047bc0$240aa8c0@fernilaptop>

This is probably the wrong place to post this, but anyway.

My dial-up is doing something weird; it's like my tun0 is keeping old IPs.

[root@powder ppp# ifconfig tun0
tun0: flags=8051 mtu 1524
        inet 63.34.218.34 --> 63.12.31.204 netmask 0xffffff00
        inet 63.34.216.20 --> 255.255.255.255 netmask 0xffffffff
        inet 63.34.216.176 --> 63.12.31.203 netmask 0xffffff00
        inet 63.34.214.28 --> 63.12.31.202 netmask 0xffffff00
        Opened by PID 101

Every time it redials it keeps the old one and just adds a new one on the end.

From owner-freebsd-security Mon Aug 20 20:27:50 2001
From: "Andrew Dean"
Reply-To: "Andrew Dean"
Subject: tun0 keeping old IP's?
Date: Tue, 21 Aug 2001 13:25:48 +1000
Message-ID: <006f01c129f0$fd434a60$240aa8c0@fernilaptop>

This is probably the wrong place to post this, but anyway.

My dial-up is doing something weird; it's like my tun0 is keeping old IPs.

[root@powder ppp# ifconfig tun0
tun0: flags=8051 mtu 1524
        inet 63.34.218.34 --> 63.12.31.204 netmask 0xffffff00
        inet 63.34.216.20 --> 255.255.255.255 netmask 0xffffffff
        inet 63.34.216.176 --> 63.12.31.203 netmask 0xffffff00
        inet 63.34.214.28 --> 63.12.31.202 netmask 0xffffff00
        Opened by PID 101

Every time it redials it keeps the old one and just adds a new one on the end.

/usr/sbin/ppp -quiet -ddial -nat OZ

That's the command I'm using to dial my profile. This is my ppp.conf:

[root@powder ppp# more ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa0
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0 OK-AT-OK \\dATDT\\T TIMEOUT 40 CONNECT "

OZ:
 set phone "14140390101444"    #Separate multiple phone numbers with a |
 set login "TIMEOUT 10 gin:-BREAK-gin: usernamehere word: passwordhere"
 set timeout 300               #Change to 0 if no timeout desired
 deny lqr
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0

My ppp.linkup:

[root@powder ppp# more ppp.linkup
MYADDR:
 delete ALL
 add 0 0 HISADDR

Is there something I've forgotten?

Thanks
Andrew

From owner-freebsd-security Mon Aug 20 20:27:55 2001
From: "Andrew Dean"
Reply-To: "Andrew Dean"
Subject: tun0 keeping old IP's?
Date: Tue, 21 Aug 2001 13:25:52 +1000
Message-ID: <007001c129f0$ff570f30$240aa8c0@fernilaptop>

From owner-freebsd-security Mon Aug 20 20:29:15 2001
From: "Andrew Dean"
Reply-To: "Andrew Dean"
References: <006901c129f0$a1047bc0$240aa8c0@fernilaptop>
Subject: Re: tun0 keeping old IP's?
Date: Tue, 21 Aug 2001 13:27:12 +1000
Message-ID: <007e01c129f1$307bc740$240aa8c0@fernilaptop>

Oops, sorry about the multiple copies.

----- Original Message -----
From: "Andrew Dean"
Sent: Tuesday, August 21, 2001 1:23 PM
Subject: tun0 keeping old IP's?
> This is probably the wrong place to post this, but anyway.
>
> My dial-up is doing something weird; it's like my tun0 is keeping old IPs.
>
> [root@powder ppp# ifconfig tun0
> tun0: flags=8051 mtu 1524
>         inet 63.34.218.34 --> 63.12.31.204 netmask 0xffffff00
>         inet 63.34.216.20 --> 255.255.255.255 netmask 0xffffffff
>         inet 63.34.216.176 --> 63.12.31.203 netmask 0xffffff00
>         inet 63.34.214.28 --> 63.12.31.202 netmask 0xffffff00
>         Opened by PID 101
>
> Every time it redials it keeps the old one and just adds a new one on the end.
>

From owner-freebsd-security Mon Aug 20 21:19:45 2001
From: Wes Peters
Organization: Softweyr LLC
To: Matt Piechota
Cc: "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...
Date: Mon, 20 Aug 2001 22:28:27 -0600
Message-ID: <3B81E36B.E2CFFEBF@softweyr.com>
References: <20010817165323.F4969-100000@cithaeron.argolis.org>

Matt Piechota wrote:
>
> On Fri, 17 Aug 2001, Carroll, D. (Danny) wrote:
>
> > Even for authentication?
> >
> > I can understand using a telnet client to manually test SMTP servers or
> > other protocols, but I cannot understand why you *need* telnet.
> > Mind you I am against using pop3 as well, unless it's encrypted.
>
> Example 1:
> You're on an internal heavily firewalled corporate LAN, where none of your
> information is hidden between employees. So you don't care, and you don't
> have to worry about installing ssh on every PC's desktop, and teaching
> cluon-deprived people to use it.

You're not ghosting your systems, or something like that? You're certainly making things much harder on yourself. Install the OS, your basic apps, and putty, and bingo! everyone has a reasonably good ssh client.

> Example 2:
> You're running realtime applications, or applications that need all
> available processing power for performance reasons. The extra overhead of
> encrypting and decrypting the ssh traffic may drop your performance.

On a generic-user Windows box? I'd rather have a life. If your employer is doing stupid crap like this, you need to vote with your feet.

> I'll agree that these aren't all that typical, but they do exist.

They aren't all that compelling, either.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                    Softweyr LLC
wes@softweyr.com                                          http://softweyr.com/

From owner-freebsd-security Tue Aug 21 2:31:13 2001
From: "Carroll, D. (Danny)"
Subject: ipf / ipfw Which to use?
Date: Tue, 21 Aug 2001 11:34:36 +0200
Message-ID: <98829DC07ECECD47893074C4D525EFC311563C@citsnl007.europe.intranet>

I've been playing with both of these and I was wondering why are both available?
They *seem* to do almost the same thing although ipfw is much more *tweakable*...

What's the difference between the two and how should I decide which I should be using...?

-D

-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited.
Please inform the sender by reply transmission and delete the message without copying or opening it.

Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them.
-----------------------------------------------------------------

From owner-freebsd-security Tue Aug 21 2:42:00 2001
From: Wilko Bulte
To: "Carroll, D. (Danny)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf / ipfw Which to use?
Date: Tue, 21 Aug 2001 11:41:54 +0200
Message-ID: <20010821114154.A25741@freebie.xs4all.nl>
References: <98829DC07ECECD47893074C4D525EFC311563C@citsnl007.europe.intranet>
In-Reply-To: <98829DC07ECECD47893074C4D525EFC311563C@citsnl007.europe.intranet>; from Danny.Carroll@mail.ing.nl on Tue, Aug 21, 2001 at 11:34:36AM +0200
X-OS: FreeBSD 4.3-STABLE
X-PGP: finger wilko@freebsd.org

On Tue, Aug 21, 2001 at 11:34:36AM +0200, Carroll, D.
(Danny) wrote:
> I've been playing with both of these and I was wondering why are both
> available?
> They *seem* to do almost the same thing although ipfw is much more
> *tweakable*...
>
> What's the difference between the two and how should I decide which I
> should be using...?

Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is FreeBSD-only. You can also combine the 2 (e.g. if you want IPfilter and dummynet at the same time).

--
|   / o / /  _   Arnhem, The Netherlands        email: wilko@FreeBSD.org
|/|/ / / /( (_)  Bulte

From owner-freebsd-security Tue Aug 21 2:54:35 2001
From: Lasse Österberg
Subject: IPfw and DHCP
Date: Tue, 21 Aug 2001 11:53:43 +0200
Message-ID: <002e01c12a27$2a3f30c0$d2c91986@elvisp>
Hi All,

Is there any way at system startup and/or via a cron job to pass my DHCP
IP address from my external interface to rc.firewall?
So my firewall rules still work if my external DHCP lease gets a new
IP address.

Regards Lasse

From owner-freebsd-security Tue Aug 21 3:01:25 2001
From: Peter Pentchev
To: Lasse Osterberg
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPfw and DHCP
Date: Tue, 21 Aug 2001 12:59:47 +0300
Message-ID: <20010821125947.C7824@ringworld.oblivion.bg>
In-Reply-To: <002e01c12a27$2a3f30c0$d2c91986@elvisp>

On Tue, Aug 21, 2001 at 11:53:43AM +0200, Lasse Osterberg wrote:
> Hi All,
>
> Is there any way at system startup and/or via a cron job to pass my DHCP
> IP address from my external interface to rc.firewall?
> So my firewall rules still work if my external DHCP lease gets a new
> IP address.
You could always use the ipfw 'me' syntax - instead of an IP address,
put the word 'me' in the ipfw rule, it matches any IP address assigned
to a local interface. So, instead of:

ipfw add allow tcp from any to 192.168.5.5 22 setup

..put:

ipfw add allow tcp from any to me 22 setup

..and things should be fine.

G'luck,
Peter

--
You have, of course, just begun reading the sentence that you have just
finished reading.

From owner-freebsd-security Tue Aug 21 3:35:35 2001
From: Peter McGarvey
Reply-To: pmcgarvey@vianetworks.co.uk
To: "Koji"
Subject: Re: chroot named
Date: Tue, 21 Aug 2001 11:35:17 +0100
Organization: VIA NETdotWORKS
Message-Id: <01082111351702.23035@pooh.noc.u-net.net>
In-Reply-To: <002601c129bd$b1f58560$0164a8c0@daemon>

On Monday 20 August 2001 22:18, Koji wrote:
> Hi, i'm configuring named with chroot, but i have two questions.
>

All the info you need to run bind 8 in a chroot jail can be found at:

http://www.freebsdzine.org/200105a/named.php3

--
TTFN, FNORD
Peter McGarvey
System Administrator
Network Operations, VIA Networks UK

From owner-freebsd-security Tue Aug 21 3:42:14 2001
From: Bart Matthaei
To: freebsd-security@freebsd.org
Subject: Re: IPfw and DHCP
Date: Tue, 21 Aug 2001 12:42:03 +0200
Message-ID: <20010821124202.B84400@heresy.xs4nobody.nl>

Run dhclient before you load the firewall rules.. and use recv and via
instead of IP addresses :)

gr,
Bart

On Tue, Aug 21, 2001 at 11:53:43AM +0200, Lasse Österberg wrote:
> Hi All,
>
> Is there any way at system startup and/or via a cron job to pass my DHCP
> IP address from my external interface to rc.firewall?
> So my firewall rules still work if my external DHCP lease gets a new
> IP address.
>
> Regards Lasse

--
Bart Matthaei | bart@xs4nobody.nl | +31 6 24907042
-------------------------------------------------
/* It's always funny until someone gets hurt..
 * (and then it's just hilarious) */

From owner-freebsd-security Tue Aug 21 3:55:51 2001
From: D J Hawkey Jr
Reply-To: hawkeyd@visi.com
To: freebsd-security@freebsd.org
Subject: Re: ipf / ipfw Which to use?
Date: Tue, 21 Aug 2001 05:55:44 -0500
Message-ID: <20010821055544.A24214@sheol.localdomain>

On 21 Aug 2001 09:42:18 +0000, wkb@freebie.xs4all.nl wrote:
> On Tue, Aug 21, 2001 at 11:34:36AM +0200, Carroll, D. (Danny) wrote:
> > I've been playing with both of these and I was wondering why are both
> > available?
> > They *seem* to do almost the same thing although ipfw is much more
> > *tweakable*...
> >
> > What's the difference between the two and how should I decide which I
> > should be using...?
>
> Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is
> FreeBSD-only. You can also combine the 2 (e.g. if you want IPfilter and
> dummynet at the same time).
It's also a matter of efficiency; ipfilter does it all in the kernel, as
opposed to the packets having to go to userland and back for 'ipfw' to
play with them.

It therefore seems to me ipfilter might be more secure, as it can't be
compromised by userland?

Personally, I think ipfilter more "tweakable" and/or capable, but that's
just my opinion.

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Tue Aug 21 3:57:53 2001
From: Peter Pentchev
To: Bart Matthaei
Cc: freebsd-security@freebsd.org
Subject: Re: IPfw and DHCP
Date: Tue, 21 Aug 2001 13:56:23 +0300
Message-ID: <20010821135623.E7824@ringworld.oblivion.bg>
In-Reply-To: <20010821124202.B84400@heresy.xs4nobody.nl>

On Tue, Aug 21, 2001 at 12:42:03PM +0200, Bart Matthaei wrote:
> Run dhclient before you load the firewall rules..
>
> and use recv and via instead of IP addresses :)

recv and via do not provide the security that an IP address
provides. In particular, both 'recv' and 'via' fail to protect
against the following case:

NIC 1  xl0  192.168.0.13     RFC1918 LAN
NIC 2  xl1  128.128.128.128  public

ipfw add allow any recv via xl1

This would let a packet with a destination address of 192.168.0.13
via your public interface. And believe me, the chances of such a
packet appearing on the wire are not so slim these days :)

A better solution would be to have dhclient run *after* the initial
firewall setup (after the firewall rulesets are flushed), and
define hooks for obtaining/renewing/expiring a lease, which add or
remove firewall rules as appropriate. Unfortunately, I've never done
DHCP hooks, and I have no idea on how exactly to provide those.
(Maybe it's as simple as putting something similar to /sbin/dhclient-script
into /etc/dhclient-exit-hooks?)

G'luck,
Peter

--
Nostalgia ain't what it used to be.

> On Tue, Aug 21, 2001 at 11:53:43AM +0200, Lasse Osterberg wrote:
> > Hi All,
> >
> > Is there any way at system startup and/or via a cron job to pass my DHCP
> > IP address from my external interface to rc.firewall?
> > So my firewall rules still work if my external DHCP lease gets a new
> > IP address.
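The lease hook Peter is wondering about, carried through as an added example; it is not part of this thread and not FreeBSD's own dhclient-script. It is a POSIX sh file assumed to be installed as /etc/dhclient-exit-hooks, which dhclient-script sources after every lease event with $reason, $interface, $new_ip_address and $old_ip_address set. The rule number 2000 and the names RULE_BASE, lease_rules and apply_lease_rules are this example's own assumptions; xl1 is the public interface from the layout above.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: an ipfw hook
# driven by dhclient lease events. Assumed to be sourced by
# /sbin/dhclient-script as /etc/dhclient-exit-hooks, with $reason,
# $interface, $new_ip_address and $old_ip_address already set.
# RULE_BASE, lease_rules and apply_lease_rules are names chosen here.

IPFW="${IPFW:-/sbin/ipfw}"
RULE_BASE="${RULE_BASE:-2000}"   # assumed: rc.firewall leaves this number free

# Print, one per line, the ipfw(8) argument lists a lease event calls for.
# Every lease rule carries number $RULE_BASE, so one "delete $RULE_BASE"
# removes the whole set when the address changes or the lease goes away.
lease_rules() {
    _reason="$1"; _if="$2"; _new="${3:-}"; _old="${4:-}"
    case "$_reason" in
    BOUND|RENEW|REBIND|REBOOT)
        # No address, or the same address as before: nothing to change.
        if [ -z "$_new" ] || [ "$_new" = "$_old" ]; then
            return 0
        fi
        # Address changed: drop the rules tied to the old one first.
        if [ -n "$_old" ]; then
            echo "delete $RULE_BASE"
        fi
        # Pin both the leased address and the external interface: a packet
        # for a LAN address arriving on $_if, or a packet for $_new arriving
        # on the LAN side, matches neither rule.
        echo "add $RULE_BASE allow tcp from any to $_new 22 in recv $_if setup"
        echo "add $RULE_BASE allow ip from $_new to any out xmit $_if"
        ;;
    EXPIRE|FAIL|RELEASE|STOP)
        if [ -n "$_old" ]; then
            echo "delete $RULE_BASE"
        fi
        ;;
    esac
    return 0
}

# Hand each generated argument list to ipfw; word splitting of $args is intended.
apply_lease_rules() {
    lease_rules "$@" | while IFS= read -r args; do
        if [ -n "$args" ]; then
            $IPFW $args
        fi
    done
}

# dhclient-script sets $reason; when it is absent this file was run by hand,
# so only the functions are defined and nothing touches the ruleset.
if [ -n "${reason:-}" ]; then
    apply_lease_rules "$reason" "${interface:-}" "${new_ip_address:-}" "${old_ip_address:-}"
fi
```

With rc.firewall loaded before dhclient starts, its default deny numbered above 2000 and the 2000 slot left empty, the box carries no address-specific allow rules until a lease is bound and loses them again on EXPIRE. Pinning both the leased address and the interface is what closes the case above: a packet for 192.168.0.13 arriving on xl1 matches nothing here, which 'recv xl1' alone does not guarantee. A "delete 2000" when no such rule exists only makes ipfw report an error, so a RELEASE after a flush is harmless.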
From owner-freebsd-security Tue Aug 21 4:00:28 2001
From: Bart Matthaei
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
Subject: Re: IPfw and DHCP
Date: Tue, 21 Aug 2001 13:00:16 +0200
Message-ID: <20010821130016.A84537@heresy.xs4nobody.nl>
In-Reply-To: <20010821135623.E7824@ringworld.oblivion.bg>

ipfw add deny all from 192.0.0.0/8 to any via xl1

nuff said :)

rgds,
Bart

On Tue, Aug 21, 2001 at 01:56:23PM +0300, Peter Pentchev wrote:
> On Tue, Aug 21, 2001 at 12:42:03PM +0200, Bart Matthaei wrote:
> > Run dhclient before you load the firewall rules..
> >
> > and use recv and via instead of IP addresses :)
>
> recv and via do not provide the security that an IP address
> provides. In particular, both 'recv' and 'via' fail to protect
> against the following case:
>
> NIC 1  xl0  192.168.0.13     RFC1918 LAN
> NIC 2  xl1  128.128.128.128  public
>
> ipfw add allow any recv via xl1
>
> This would let a packet with a destination address of 192.168.0.13
> via your public interface.
> And believe me, the chances of such a
> packet appearing on the wire are not so slim these days :)
>
> A better solution would be to have dhclient run *after* the initial
> firewall setup (after the firewall rulesets are flushed), and
> define hooks for obtaining/renewing/expiring a lease, which add or
> remove firewall rules as appropriate. Unfortunately, I've never done
> DHCP hooks, and I have no idea on how exactly to provide those.
> (Maybe it's as simple as putting something similar to /sbin/dhclient-script
> into /etc/dhclient-exit-hooks?)
>
> G'luck,
> Peter
>
> --
> Nostalgia ain't what it used to be.
>
> > On Tue, Aug 21, 2001 at 11:53:43AM +0200, Lasse Osterberg wrote:
> > > Hi All,
> > >
> > > Is there any way at system startup and/or via a cron job to pass my DHCP
> > > IP address from my external interface to rc.firewall?
> > > So my firewall rules still work if my external DHCP lease gets a new
> > > IP address.

--
Bart Matthaei | bart@xs4nobody.nl | +31 6 24907042
-------------------------------------------------
/* It's always funny until someone gets hurt..
 * (and then it's just hilarious) */

From owner-freebsd-security Tue Aug 21 4:00:42 2001
Date: Tue, 21 Aug 2001 13:58:39 +0300
From: Peter Pentchev
To: D J Hawkey Jr
Cc: freebsd-security@freebsd.org
Subject: Re: ipf / ipfw Which to use?
Message-ID: <20010821135839.F7824@ringworld.oblivion.bg>
In-Reply-To: <20010821055544.A24214@sheol.localdomain>

On Tue, Aug 21, 2001 at 05:55:44AM -0500, D J Hawkey Jr wrote:
>
> On 21 Aug 2001 09:42:18 +0000, wkb@freebie.xs4all.nl wrote:
> > On Tue, Aug 21, 2001 at 11:34:36AM +0200, Carroll, D. (Danny) wrote:
> > > I've been playing with both of these and I was wondering why are both
> > > available?
> > > They *seem* to do almost the same thing although ipfw is much more
> > > *tweakable*...
> > >
> > > What's the difference between the two and how should I decide which I
> > > should be using...?
> >
> > Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is
> > FreeBSD-only. You can also combine the 2 (e.g. if you want IPfilter and
> > dummynet at the same time).
>
> It's also a matter of efficiency; ipfilter does it all in the kernel, as
> opposed to the packets having to go to userland and back for 'ipfw' to
> play with them.

ipfw does not process packets in userland.

natd, as used with ipfw, processes NAT'd (diverted) packets in userland.
ipnat, as used with ipfilter, processes NAT'd (diverted) packets in
the kernel.

For bare firewall functionality, without NAT, ipfw and ipfilter should
perform similarly.

> It therefore seems to me ipfilter might be more secure, as it can't be
> compromised by userland?

Again, this only applies to NAT.

> Personally, I think ipfilter more "tweakable" and/or capable, but that's
> just my opinion.

Both have their strong and weak points.
G'luck,
Peter

--
I've heard that this sentence is a rumor.

From owner-freebsd-security Tue Aug 21 4:18:21 2001
From: D J Hawkey Jr
Reply-To: hawkeyd@visi.com
To: freebsd-security@freebsd.com
Subject: Re: ipf / ipfw Which to use?
Date: Tue, 21 Aug 2001 06:12:25 -0500
Message-ID: <20010821061225.A24329@sheol.localdomain>

On 21 Aug 2001 11:01:40 +0000, roam@ringlet.net wrote:
>
> On Tue, Aug 21, 2001 at 05:55:44AM -0500, D J Hawkey Jr wrote:
> >
> > On 21 Aug 2001 09:42:18 +0000, wkb@freebie.xs4all.nl wrote:
> > >
> > > Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is
> > > FreeBSD-only. You can also combine the 2 (e.g. if you want IPfilter and
> > > dummynet at the same time).
> >
> > It's also a matter of efficiency; ipfilter does it all in the kernel, as
> > opposed to the packets having to go to userland and back for 'ipfw' to
> > play with them.
>
> ipfw does not process packets in userland.
>
> natd, as used with ipfw, processes NAT'd (diverted) packets in userland.
> ipnat, as used with ipfilter, processes NAT'd (diverted) packets in
> the kernel.

I stand corrected. Thanks.

> G'luck,
> Peter

You too,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Tue Aug 21 4:43:37 2001
From: D J Hawkey Jr
Reply-To: hawkeyd@visi.com
To: security at FreeBSD
Subject: Re: ipf / ipfw Which to use?
Date: Tue, 21 Aug 2001 06:43:30 -0500
Message-ID: <20010821064330.A24713@sheol.localdomain>

On 21 Aug 2001 11:01:40 +0000, roam@ringlet.net wrote:
>
> On Tue, Aug 21, 2001 at 05:55:44AM -0500, D J Hawkey Jr wrote:
> >
> > On 21 Aug 2001 09:42:18 +0000, wkb@freebie.xs4all.nl wrote:
> > >
> > > Largely it is a matter of taste. Ipfilter is multiplatform, ipfw is
> > > FreeBSD-only.
> > > You can also combine the 2 (e.g. if you want IPfilter and
> > > dummynet at the same time).
> >
> > It's also a matter of efficiency; ipfilter does it all in the kernel, as
> > opposed to the packets having to go to userland and back for 'ipfw' to
> > play with them.
>
> ipfw does not process packets in userland.
>
> natd, as used with ipfw, processes NAT'd (diverted) packets in userland.
> ipnat, as used with ipfilter, processes NAT'd (diverted) packets in
> the kernel.

I stand corrected. Thanks.

> G'luck,
> Peter

You too,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Tue Aug 21 8:20:21 2001
To: "Andrew Dean"
Cc: freebsd-security@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: tun0 keeping old IP's?
Message-Id: <200108211520.f7LFK1U43371@hak.lan.Awfulhak.org>
In-Reply-To: Message from "Andrew Dean" of "Tue, 21 Aug 2001 13:25:52 +1000."
<007001c129f0$ff570f30$240aa8c0@fernilaptop>
Date: Tue, 21 Aug 2001 16:20:01 +0100
From: Brian Somers

> This is probably the wrong place to post this but anyways
>
> My dial up is doing something weird, its like my tun0 is keeping old ip's
>
> [root@powder ppp# ifconfig tun0
> tun0: flags=8051 mtu 1524
>     inet 63.34.218.34 --> 63.12.31.204 netmask 0xffffff00
>     inet 63.34.216.20 --> 255.255.255.255 netmask 0xffffffff
>     inet 63.34.216.176 --> 63.12.31.203 netmask 0xffffff00
>     inet 63.34.214.28 --> 63.12.31.202 netmask 0xffffff00
>     Opened by PID 101
[.....]
> is there something i've forgotten?

If you put an ``iface clear'' in ppp.linkdown it should solve the
problem. Check /usr/share/examples/ppp/ppp.linkdown.samples

> Thanks
> Andrew

--
Brian
http://www.freebsd-services.com/

Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Tue Aug 21 8:35:35 2001
Date: Tue, 21 Aug 2001 18:32:41 +0300 (EEST)
From: Giorgos Verigakis
To: Brian Somers
Cc: Andrew Dean
Subject: Re: tun0 keeping old IP's?
In-Reply-To: <200108211520.f7LFK1U43371@hak.lan.Awfulhak.org>

to disable this behavior you have to turn off iface-alias
see ppp(8)

On Tue, 21 Aug 2001, Brian Somers wrote:
> > This is probably the wrong place to post this but anyways
> >
> > My dial up is doing something weird, its like my tun0 is keeping old ip's
> >
> > [root@powder ppp# ifconfig tun0
> > tun0: flags=8051 mtu 1524
> >     inet 63.34.218.34 --> 63.12.31.204 netmask 0xffffff00
> >     inet 63.34.216.20 --> 255.255.255.255 netmask 0xffffffff
> >     inet 63.34.216.176 --> 63.12.31.203 netmask 0xffffff00
> >     inet 63.34.214.28 --> 63.12.31.202 netmask 0xffffff00
> >     Opened by PID 101
> [.....]
> > is there something i've forgotten?
>
> If you put an ``iface clear'' in ppp.linkdown it should solve the
> problem. Check /usr/share/examples/ppp/ppp.linkdown.samples
>
> > Thanks
> > Andrew

From owner-freebsd-security Tue Aug 21 8:55:26 2001
Date: Tue, 21 Aug 2001 17:55:40 +0200
From: "Karsten W. Rohrbach"
To: reza jamshid
Cc: freebsd-security@freebsd.org
Subject: Re: getting DCC fully functioning with ipnat/ipf
Message-ID: <20010821175540.S45276@mail.webmonster.de>
reza jamshid(rezaj_@hotmail.com)@2001.08.20 07:47:38 +0000:
>
> Hi,
>
> Up until now my firewall/router (FreeBSD 4.3) works fine, but I haven't been
> able to get DCC resuming and send to work from a machine inside my network.
>
> I'm not sure if this has anything to do with my current rules setup, or if i
> am missing something.
>
> >cat /etc/ipnat.rules
>
> map ed0 192.168.1.0/24 -> 0/32

bimap?

/k

--
> Only wimps use tape backups; real men put their software on ftp-servers
> and let the rest of the world mirror it. --Linus Torvalds
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
From owner-freebsd-security Tue Aug 21 8:57:46 2001
Date: Tue, 21 Aug 2001 17:58:02 +0200
From: "Karsten W. Rohrbach"
To: David Kirchner
Cc: Koji, freebsd-security@FreeBSD.ORG
Subject: Re: chroot named
Message-ID: <20010821175802.T45276@mail.webmonster.de>
References: <002601c129bd$b1f58560$0164a8c0@daemon> <20010820131925.S38221-100000@localhost>
In-Reply-To: <20010820131925.S38221-100000@localhost>

David Kirchner(davidk@accretivetg.com)@2001.08.20 13:19:55 +0000:
> On Mon, 20 Aug 2001, Koji wrote:
>
> >
> > Hi, i'm configuring named with chroot, but i have two questions.
> >
> > Are the files ld-elf.so.1, libc.so.4, libutil.so.3 and named-xfer necessary?
> > I have tried named with and without these files and it works correctly
> > (both forms work correctly). What are the files that are really indispensable?
>
> You can find out which libraries are needed for a program by running 'ldd'
> on them, for example:
>
> $ ldd /usr/libexec/named-xfer
> /usr/libexec/named-xfer:
>         libc.so.3 => /usr/lib/libc.so.3 (0x1806a000)

compiling with LDFLAGS set to include the "-static" option would surely
help for chrooting the process...

upgrading would surely help, too

/k

--
> "I didn't change a thing and from the moment I didn't change it,
> it didn't work anymore."
> --Anonymous
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.

From owner-freebsd-security Tue Aug 21 9:03:38 2001
Date: Tue, 21 Aug 2001 18:02:49 +0200
From: "Karsten W. Rohrbach"
To: "Carroll, D. (Danny)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf / ipfw Which to use?
Message-ID: <20010821180249.U45276@mail.webmonster.de>
(Danny)" , freebsd-security@FreeBSD.ORG
In-Reply-To: <98829DC07ECECD47893074C4D525EFC311563C@citsnl007.europe.intranet>; from Danny.Carroll@mail.ing.nl on Tue, Aug 21, 2001 at 11:34:36AM +0200

Carroll, D. (Danny)(Danny.Carroll@mail.ing.nl)@2001.08.21 11:34:36 +0000:
> I've been playing with both of these and I was wondering why are both
> available?
> They *seem* to do almost the same thing although ipfw is much more
> *tweakable*...
>
> What's the difference between the two and how should I decide which I
> should be using...?

it's a matter of flavour :->

i prefer ipfilter, especially the logging (using daemontools' multilog at
my site's firewalls)

they perform equally, but IMVHO ipfw lacks the advanced instrumentations
of ipfilter (see ipfstat(8), ipmon(8))

> -----------------------------------------------------------------
> ATTENTION:
> The information in this electronic mail message is private and
> confidential, and only intended for the addressee. Should you
> receive this message by mistake, you are hereby notified that
> any disclosure, reproduction, distribution or use of this
> message is strictly prohibited. Please inform the sender by
> reply transmission and delete the message without copying or
> opening it.
>

uh-oh, that's not a matter of flavour. will you sue me now for reading
this mailing list? ;-)

/k
-- 
> Microsoft isn't the answer. Microsoft is the question, and the answer is no.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Tue Aug 21 09:04:18 2001
Date: Tue, 21 Aug 2001 07:58:47 -0700 (PDT)
From: David Kirchner
To: "Karsten W.
Rohrbach"
Cc: Koji ,
Subject: Re: chroot named
In-Reply-To: <20010821175802.T45276@mail.webmonster.de>
Message-ID: <20010821075533.M38221-100000@localhost>

On Tue, 21 Aug 2001, Karsten W. Rohrbach wrote:

> compiling with LDFLAGS set to include the "-static" option would surely
> help for chrooting the process...

Yeah, that's a good step to take as well, although it takes more disk
space. Hardlinks work into chroot'd directories (as long as the usual
requirements for hardlinks are met), so you can just do:

cd /usr/chroot-named
mkdir -p usr/lib usr/sbin usr/libexec
ln /usr/lib/libc.so.3 usr/lib # (or 4)
ln /usr/sbin/named usr/sbin
ln /usr/libexec/named-xfer usr/libexec

> upgrading would surely help, too
>
> /k

Do later versions of bind come with static binaries automatically?

From owner-freebsd-security Tue Aug 21 09:17:18 2001
Date: Tue, 21 Aug 2001 08:12:36 -0700 (PDT)
From: David Kirchner
To: "Karsten W. Rohrbach"
Cc: Koji ,
Subject: Re: chroot named
In-Reply-To: <20010821075533.M38221-100000@localhost>
Message-ID: <20010821081218.S38221-100000@localhost>

On Tue, 21 Aug 2001, David Kirchner wrote:

> > upgrading would surely help, too
> >
> > /k
>
> Do later versions of bind come with static binaries automatically?

Never mind, I see the answer from Mark.Andrews@isc.org

From owner-freebsd-security Tue Aug 21 09:25:01 2001
Date: Tue, 21 Aug 2001 12:24:54 -0400
From: Bill Vermillion
To: security@FreeBSD.ORG
Subject: Re: chroot named
Message-ID: <20010821122453.A4848@wjv.com>
Reply-To: bv@wjv.com
Organization: W.J.Vermillion / Orlando - Winter Park

On Tue, Aug 21, 2001 at 09:03:39AM -0700, security-digest thus sprach:

> chroot named
> Re: chroot named
> Date: Mon, 20 Aug 2001 23:18:42 +0200
>
> From: "Koji"
> Subject: chroot named
> Hi, i'm configuring named with chroot, but i have two questions.
> Is necessary the files ld-elf.so.1, libc.so.4, libutil.so.3 and
> named-xfer ? I have trying the named with and without this files
> and works correctly (two forms works correctly ). what are the
> files indispensables really?
> What are the best perms for /etc/namedb/chroot?
> chown -R bind:bind /etc/namedb/chroot
> chmod -R 750 /etc/namedb/chroot
> (handbook's documentation, all files)
> or
> chown -R bind:bind /etc/namedb/chroot/etc/namedb/s
> chmod -R 750 /etc/namedb/chroot/etc/namedb/s
> (only domain configuration files)

What are the advantages of doing that versus the flag options to named.

#named_flags="-u bind -g bind"          # Flags for named

As in /etc/passwd we see this:

bind:*:53:53:Bind Sandbox:/:/sbin/nologin

I really am not sure, that's why I ask. What are the advantages and
disadvantages of each approach.

-- 
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Tue Aug 21 09:28:24 2001
Date: Tue, 21 Aug 2001 18:28:41 +0200
From: "Karsten W. Rohrbach"
To: David Kirchner
Cc: Koji , freebsd-security@FreeBSD.ORG
Subject: Re: chroot named
Message-ID: <20010821182841.W45276@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach" , David Kirchner , Koji , freebsd-security@FreeBSD.ORG
In-Reply-To: <20010821075533.M38221-100000@localhost>; from davidk@accretivetg.com on Tue, Aug 21, 2001 at 07:58:47AM -0700

David Kirchner(davidk@accretivetg.com)@2001.08.21 07:58:47 +0000:
> > Do later versions of bind come with static binaries automatically?

no, bind9 does not depend on bind8's named-xfer binary because AXFR is
handled internally.

/k
-- 
> Black holes are where GOD is dividing by zero
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
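The pieces of this thread (David's ldd-and-hardlink recipe for the chroot tree, Koji's question about which files are indispensable, and Bill's question about ownership and permissions versus "-u bind -g bind") fit in one script. The following is an added example of mine, not code from the thread, the Handbook or FreeBSD: the ldd output it carries is constructed, the function names (ldd_libs, install_into_chroot, populate_chroot, audit_chroot) are mine, and the audit policy is my assumption, namely that the tree is owned by root and read-only for everyone else, with the secondary-zone directory Koji points at (etc/namedb/s) as the one place the unprivileged named may write.

```sh
#!/bin/sh
# Added example: build and audit a minimal chroot tree for a dynamically
# linked named, after the ldd + hardlink recipe in the thread. Not FreeBSD
# project code; SAMPLE_LDD below is constructed, not captured from a host.
umask 022   # everything created here is owner-writable only

# Constructed ldd(1) output in the FreeBSD 4.x format David quoted.
SAMPLE_LDD='/usr/libexec/named-xfer:
        libc.so.3 => /usr/lib/libc.so.3 (0x1806a000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x180a0000)
        libmissing.so.1 => not found'

# Print only the resolved library paths from ldd output on stdin. The first
# line (the binary name) and "not found" entries produce nothing.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Put one file into the chroot at the same path it has outside. A hardlink
# costs no disk and stays in sync with the real file, but only works on the
# same filesystem, so fall back to cp -p across filesystems.
install_into_chroot() {   # install_into_chroot <chroot> </absolute/path>
    root=$1
    src=$2
    dest="$root$src"
    mkdir -p "$(dirname "$dest")"
    rm -f "$dest"
    ln "$src" "$dest" 2>/dev/null || cp -p "$src" "$dest"
}

# Build the tree for the given binaries: each binary, the libraries ldd
# resolves for it, and the runtime linker, which ldd never lists but a
# dynamic binary cannot start without (ld-elf.so.1 from Koji's question).
populate_chroot() {       # populate_chroot <chroot> <binary>...
    root=$1; shift
    loader=/usr/libexec/ld-elf.so.1   # FreeBSD location, assumption for other systems
    [ -e "$loader" ] && install_into_chroot "$root" "$loader"
    for bin in "$@"; do
        install_into_chroot "$root" "$bin"
        ldd "$bin" | ldd_libs | while read -r lib; do
            install_into_chroot "$root" "$lib"
        done
    done
}

# Audit: every file and directory must belong to <owner> and be neither
# group- nor world-writable, except below <writable>, the one directory
# named itself writes. Prints offenders; returns 0 when the tree is clean.
audit_chroot() {          # audit_chroot <chroot> <writable-subdir> <owner>
    root=$1
    writable=$2
    owner=$3
    bad=$(find "$root" \( -path "$root/$writable" -prune \) -o \
               \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

if [ "${1:-}" = "--build" ]; then
    # e.g.: sh build-chroot.sh --build /usr/chroot-named /usr/sbin/named /usr/libexec/named-xfer
    shift
    populate_chroot "$@"
    audit_chroot "$1" etc/namedb/s root
fi
```

With a read-only tree owned by root, "named -u bind -g bind" and "chown -R bind:bind" are not equivalent: the first gives a compromised named no file in its own jail it can modify except the zone transfer directory, the second lets it rewrite its own configuration.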
From owner-freebsd-security Tue Aug 21 11:47:40 2001
Date: Tue, 21 Aug 2001 14:46:53 -0400 (EDT)
From: Matt Piechota
To: Wes Peters
Cc: "Carroll, D. (Danny)" ,
Subject: Re: Silly crackers... NT is for kids...
In-Reply-To: <3B81E36B.E2CFFEBF@softweyr.com>
Message-ID: <20010821143517.L23909-100000@cithaeron.argolis.org>

On Mon, 20 Aug 2001, Wes Peters wrote:

> You're not ghosting your systems, or something like that? You're certainly
> making things much harder on yourself. Install the OS, your basic apps,
> and putty, and bingo! everyone has a reasonably good ssh client.

While in theory good, the way this place works, it won't happen. The group
I work in was created specifically because the overall Site IT dept
couldn't give us the level of service the users needed. "Oh, your name is
wrong in the Email database? Here's a work ticket and get that taken care
of in the next 5-10 business days." They create the PC images, and they
wouldn't be terribly receptive to us asking for more software. Once more,
they're leery of all free software. I've heard that we had to go through a
minefield of politics and paperwork to get emacs installed on our
machines. They're a little better now, but not much. That's what I get for
working in a DoD/Old school IT shop.

> On a generic-user Windows box? I'd rather have a life. If your employer
> is doing stupid crap like this, you need to vote with your feet.

No No, on the realtime machine controllers (QNX), or OCR nodes that need
all the cpu cycles they can get. I'm talking about the [de|en]crypt on
the remote side, not the PC side. Every bit of performance matters, and
could be the difference between us and someone else getting a contract.

> They aren't all that compelling, either.

Fair's fair. I wish I didn't have the restrictions I have, but I need to
live with them for the time being.

-- 
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Tue Aug 21 12:15:06 2001
Date: Tue, 21 Aug 2001 15:14:36 -0400 (EDT)
From: Rob Simmons
To: Matt Piechota
Cc: Wes Peters , "Carroll, D. (Danny)" ,
Subject: Re: Silly crackers... NT is for kids...
In-Reply-To: <20010821143517.L23909-100000@cithaeron.argolis.org>
Message-ID: <20010821150657.G21383-100000@mail.wlcg.com>

On Tue, 21 Aug 2001, Matt Piechota wrote:

> No No, on the realtime machine controllers (QNX), or OCR nodes that need
> all the cpu cycles they can get. I'm talking about the [de|en]crypt on
> the remote side, not the PC side. Every bit of performance matters, and
> could be the difference between us and someone else getting a contract.

There should be a way to configure sshd so that only the username/password
exchange is encrypted. The rest of the connection would be unencrypted.
You would get some of the benefits of ssh without a constant performance
hit.

From owner-freebsd-security Tue Aug 21 12:19:14 2001
Date: Tue, 21 Aug 2001 11:14:16 -0700 (PDT)
From: David Kirchner
To: Matt Piechota
Cc: Wes Peters , "Carroll, D. (Danny)" ,
Subject: Re: Silly crackers... NT is for kids...
In-Reply-To: <20010821143517.L23909-100000@cithaeron.argolis.org>
Message-ID: <20010821111226.Q38221-100000@localhost>

On Tue, 21 Aug 2001, Matt Piechota wrote:

> No No, on the realtime machine controllers (QNX), or OCR nodes that need
> all the cpu cycles they can get. I'm talking about the [de|en]crypt on
> the remote side, not the PC side. Every bit of performance matters, and
> could be the difference between us and someone else getting a contract.

This is what regular ol' TCP clients & servers would be good for, using
your own method of authentication. telnet isn't designed for file
transfer.
From owner-freebsd-security Tue Aug 21 12:21:27 2001
Date: Tue, 21 Aug 2001 11:16:52 -0700 (PDT)
From: David Kirchner
To: Matt Piechota
Cc: Wes Peters , "Carroll, D. (Danny)" ,
Subject: Re: Silly crackers... NT is for kids...
In-Reply-To: <20010821111226.Q38221-100000@localhost>
Message-ID: <20010821111632.V38221-100000@localhost>

On Tue, 21 Aug 2001, David Kirchner wrote:

> This is what regular ol' TCP clients & servers would be good for, using
> your own method of authentication. telnet isn't designed for file
> transfer.

Er.. I should add. "File transfer, or other network-intensive activity."
From owner-freebsd-security Tue Aug 21 13:38:48 2001
Date: Tue, 21 Aug 2001 23:32:49 +0300
From: Giorgos Keramidas
To: Rob Simmons
Cc: Matt Piechota , Wes Peters , "Carroll, D. (Danny)" , freebsd-security@FreeBSD.ORG
Subject: SSH and encryption of passwords only (was: Re: Silly crackers... NT is for kids...)
Message-ID: <20010821233249.C96292@hades.hell.gr>
In-Reply-To: <20010821150657.G21383-100000@mail.wlcg.com>; from rsimmons@wlcg.com on Tue, Aug 21, 2001 at 03:14:36PM -0400

From: Rob Simmons
Subject: Re: Silly crackers... NT is for kids...
Date: Tue, Aug 21, 2001 at 03:14:36PM -0400

> On Tue, 21 Aug 2001, Matt Piechota wrote:
>
> > No No, on the realtime machine controllers (QNX), or OCR nodes that need
> > all the cpu cycles they can get. I'm talking about the [de|en]crypt on
> > the remote side, not the PC side. Every bit of performance matters, and
> > could be the difference between us and someone else getting a contract.
>
> There should be a way to configure sshd so that only the username/password
> exchange is encrypted. The rest of the connection would be unencrypted.
> You would get some of the benefits of ssh without a constant performance
> hit.

... and lose all the security ssh provides for connections made from the
server you initially did ssh to.

Imagine that only the password exchange is encrypted in SSH, and you use a
client to connect from machine A to machine B as user X. Then nobody can
'sniff' the password of X on B, but if you accidentally use anything that
requires a password while connected to B, the rest of the session from A
to B would not be encrypted and they[1] will be able to get anything that
you write.

Relying on the fact that they don't know user X's password on B to build
arguments such as ``but they have to be connected to B to use this
password'' is only a slight bit different from security through
obscurity. What happens if some later day they *do* get access to machine
B somehow?

No, I think that using SSH with only the password exchange part being
done with encryption is not a good idea. Of course, I'm just being
paranoid again.

-giorgos

[1] The word 'they' implies that there might be at least two or more
script kiddies out there that are interested in what you type while
connected with SSH to your production machines.
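Rob's proposal protects the reusable password and nothing else; Giorgos's objection is that everything typed afterwards, including any other password, travels in the clear. The one credential that survives a cleartext channel is a non-reusable one: a hash-chain one-time password, the scheme S/Key and FreeBSD's OPIE implement, which is also what Crist suggests further down this thread. The following is my own minimal version as an added example, not OPIE, S/Key or OpenSSH code. The hash (SHA-256 through whichever digest tool the host provides), the "<n> <hex>" state-file format and the function names are assumptions. It removes the replay value of a captured login, and does nothing for the session contents, which is exactly Giorgos's point.

```sh
#!/bin/sh
# Added example: one-time passwords from a hash chain (S/Key style).
# The server keeps only H^n(seed||secret); the user answers each login with
# H^(n-1), which the server can check with one more hash and can never reuse.
# Toy implementation for illustration, not OPIE code.

# sha256 hex digest of stdin, using whichever tool the host has
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q                     # FreeBSD
    else
        openssl dgst -sha256 | sed 's/^.*= *//'
    fi
}

# H^n(seed||secret): hash seed and secret once, then re-hash the hex n-1 times
otp_chain() {       # otp_chain <secret> <seed> <n>
    x=$(printf '%s%s' "$2" "$1" | digest)
    i=1
    while [ "$i" -lt "$3" ]; do
        x=$(printf '%s' "$x" | digest)
        i=$((i + 1))
    done
    printf '%s\n' "$x"
}

# Enrolment: the state file receives H^n only; the secret never leaves the user
otp_init() {        # otp_init <statefile> <secret> <seed> <n>
    printf '%s %s\n' "$4" "$(otp_chain "$2" "$3" "$4")" > "$1"
}

# What the user computes (on their own machine) for the current counter n
otp_response() {    # otp_response <secret> <seed> <n>
    otp_chain "$1" "$2" $(($3 - 1))
}

# Server side: accept r iff H(r) equals the stored value, then store r and
# decrement the counter, so a captured r is worthless if replayed. 0 = accepted.
otp_verify() {      # otp_verify <statefile> <response>
    read -r n stored < "$1" || return 1
    [ "$n" -gt 1 ] || return 1        # chain exhausted: re-enrol with otp_init
    [ "$(printf '%s' "$2" | digest)" = "$stored" ] || return 1
    printf '%s %s\n' $((n - 1)) "$2" > "$1"
}
```

The server never learns the secret and a successful login advances the chain, so a password copied off the wire is rejected the second time; what the user types after logging in is still visible to the same observer.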
From owner-freebsd-security Tue Aug 21 13:40:06 2001
Date: Tue, 21 Aug 2001 13:39:31 -0700 (PDT)
Message-Id: <200108212039.f7LKdVm21720@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:55                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          procfs vulnerability leaks set[ug]id process memory

Category:       core
Module:         procfs
Announced:      2001-08-21
Credits:        Joost Pol
Affects:        FreeBSD 4.x, 4.3-STABLE prior to the correction date.
Corrected:      2001-08-12 07:29 PDT (4.3-STABLE)
                2001-08-13 12:45 PDT (RELENG_4_3)
FreeBSD only:   Yes

I.   Background

procfs is the process filesystem, which presents a filesystem interface to
the system process table, together with associated data. procfs provides
access to the memory space of processes via the synthetic /proc/<pid>/mem
file, subject to access control checks.

linprocfs is an implementation of procfs which implements a Linux-style
procfs, for use with Linux binaries so they can obtain access to exported
kernel data. It uses procfs to provide the /proc/<pid>/mem file.

II.  Problem Description

Prior to the migration of system monitoring utilities (such as ps(8)) to
use the sysctl(8) management interface, these utilities formerly used
procfs and direct kernel memory access to extract process information, and
they ran with the setgid kmem privilege to allow direct kernel memory
access. The procfs code checks for gid kmem privilege when granting access
to the /proc/<pid>/mem file -- however, the code which is used to allow
read-only access via the kmem group was incorrect, and inappropriately
granted read access to the caller as long as they already had an open file
descriptor for the procfs mem file.

The result of this problem is that if a process initially has debugging
rights to a second process, it may retain access to the target process'
memory space, even if the target process has upgraded privilege by virtue
of performing an execve() call on a setuid or setgid process. This
vulnerability can lead to the leaking of sensitive information from such
processes, which could be used as the basis for additional attacks,
resulting in escalation of attacker privilege on the system.

The linprocfs filesystem is also vulnerable to the problem if procfs
support is available in the kernel (statically compiled in, or dynamically
loaded as a module). If procfs support is not available then linprocfs is
not vulnerable to this problem.

All released versions of FreeBSD 4.x including FreeBSD 4.3-RELEASE are
vulnerable to this problem if the procfs filesystem is in use. It was
corrected prior to the (forthcoming) release of FreeBSD 4.4-RELEASE.

III. Impact

Attackers may be able to extract sensitive system information, such as
password hashes from the /etc/master.passwd file, from setuid or setgid
processes, such as su(1). This information could be used by attackers to
escalate their privileges, possibly yielding root privileges on the local
system.

Because this attack may only be used on processes that initially are
"debuggable" by the attacking process, this attack is limited to executed
processes which gain privilege by virtue of being setuid or setgid, and so
it cannot be used against other processes which are already running with
privilege such as already-running daemons containing sensitive system
information.

IV.  Workaround

To work around the problem, perform the following steps as root:

Unmount all instances of the procfs and linprocfs filesystems using the
umount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

Disable the automatic mounting of all instances of procfs in /etc/fstab:
remove or comment out the line(s) of the following form:

proc            /proc                   procfs  rw      0       0
proc            /compat/linux/proc      linprocfs rw    0       0

V.   Solution

1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3 security
branch, dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:55/procfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:55/procfs.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to FreeBSD 4.3-RELEASE and
4.2-RELEASE (users of 4.2-RELEASE should already have the patch from
FreeBSD SA-00:77.procfs installed). It may or may not apply to older,
unsupported releases of FreeBSD.

# cd /usr/src/sys
# patch -p < /path/to/patch

If procfs is statically compiled into the kernel (i.e. the kernel
configuration file contains the line 'options PROCFS'), then rebuild and
reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the system
with the new kernel for the changes to take effect.
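The workaround in section IV, as a script that can be checked rather than typed: report every mounted procfs/linprocfs instance, and comment the corresponding /etc/fstab lines out instead of editing by hand. This is an added example and not part of the advisory. The mount(8) output and fstab text below are constructed samples in the FreeBSD format, the function names are mine, and only workaround() touches the live system (it runs the advisory's own umount commands, so it has to run as root).

```sh
#!/bin/sh
# Added example for FreeBSD-SA-01:55 section IV: find mounted procfs
# instances and disable their fstab entries. Not advisory text; the samples
# below are constructed.

# Constructed mount(8) output (FreeBSD format "<dev> on <mnt> (<type>, ...)")
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
procfs on /proc (procfs, local)
linprocfs on /compat/linux/proc (linprocfs, local)'

# Constructed /etc/fstab carrying both lines the advisory says to remove
SAMPLE_FSTAB='# Device        Mountpoint      FStype  Options Dump Pass#
/dev/ad0s1b     none            swap    sw      0    0
/dev/ad0s1a     /               ufs     rw      1    1
proc            /proc           procfs  rw      0    0
proc            /compat/linux/proc linprocfs rw 0    0'

# Mount points of every procfs/linprocfs instance in mount(8) output on stdin
proc_mounts() {
    awk '$4 ~ /^\((lin)?procfs[,)]/ { print $3 }'
}

# 0 when the fstab text on stdin still auto-mounts procfs or linprocfs,
# i.e. the workaround is not complete; comment lines are ignored
fstab_mounts_procfs() {
    awk '!/^[ \t]*#/ && ($3 == "procfs" || $3 == "linprocfs") { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Comment out the procfs/linprocfs lines of an fstab file in place, keeping
# a .bak copy, so the kernel never mounts them again at boot
fstab_disable_procfs() {   # fstab_disable_procfs <fstab-path>
    f=$1
    cp -p "$f" "$f.bak"
    awk '!/^[ \t]*#/ && ($3 == "procfs" || $3 == "linprocfs") { print "#" $0; next }
         { print }' "$f.bak" > "$f"
}

# The live workaround, as root: the advisory's umount commands, then fstab.
# Returns 0 only if nothing of either type is left mounted afterwards.
workaround() {
    umount -f -a -t procfs
    umount -f -a -t linprocfs
    fstab_disable_procfs /etc/fstab
    [ -z "$(mount | proc_mounts)" ]
}

if [ "${1:-}" = "--apply" ]; then
    workaround
fi
```

Running "mount | proc_mounts" before and after the umount step, and "fstab_mounts_procfs < /etc/fstab" after the edit, gives a verifiable record that the workaround is in place on each host until the patched kernel is installed.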
By default procfs is statically compiled in the GENERIC kernel
configuration.

If procfs is dynamically loaded by KLD (use the kldstat(8) command to
verify whether this is the case) and the system securelevel has not been
raised to a level of 1 or higher, the system can be patched at run-time
without requiring a reboot by performing the following steps after
patching the source as described above:

# cd /usr/src/sys/modules/procfs
# make depend
# make all install
# umount -f -a -t procfs
# kldunload procfs
# kldload procfs
# mount -a -t procfs

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to provide
testing and feedback on the binary upgrade process. This package may be
installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on
systems for which source patching is not practical or convenient. If you
use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the process
for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be reinstalled
if the package is removed, reverting the system to a pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:55/security-patch-procfs-01.55.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:55/security-patch-procfs-01.55.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-procfs-01.55.tgz

Restart your system after applying the patch.

VI.  CVS Revisions

The following $FreeBSD$ CVS revisions contain the fixes for this
vulnerability. The $FreeBSD$ revision of installed sources can be examined
using the ident(1) command. These revision IDs are not updated by applying
the patch referenced above.

[FreeBSD 4.3-STABLE]

Revision        Path
1.3.2.5         src/sys/i386/linux/linprocfs/linprocfs_vnops.c
1.32.2.2        src/sys/miscfs/procfs/procfs.h
1.46.2.2        src/sys/miscfs/procfs/procfs_mem.c
1.76.2.5        src/sys/miscfs/procfs/procfs_vnops.c

[RELENG_4_3]

Revision        Path
1.3.2.3.2.1     src/sys/i386/linux/linprocfs/linprocfs_vnops.c
1.32.2.1.2.1    src/sys/miscfs/procfs/procfs.h
1.46.2.1.2.1    src/sys/miscfs/procfs/procfs_mem.c
1.76.2.3.2.1    src/sys/miscfs/procfs/procfs_vnops.c

From owner-freebsd-security Tue Aug 21 14:07:15 2001
Date: Tue, 21 Aug 2001 14:02:30 -0700
From: "Crist J. Clark"
To: Rob Simmons
Cc: Matt Piechota , Wes Peters , "Carroll, D. (Danny)" , freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...
Message-ID: <20010821140230.X313@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20010821150657.G21383-100000@mail.wlcg.com>; from rsimmons@wlcg.com on Tue, Aug 21, 2001 at 03:14:36PM -0400

On Tue, Aug 21, 2001 at 03:14:36PM -0400, Rob Simmons wrote:
> On Tue, 21 Aug 2001, Matt Piechota wrote:
>
> > No No, on the realtime machine controllers (QNX), or OCR nodes that need
> > all the cpu cycles they can get. I'm talking about the [de|en]crypt on
> > the remote side, not the PC side. Every bit of performance matters, and
> > could be the difference between us and someone else getting a contract.
>
> There should be a way to configure sshd so that only the username/password
> exchange is encrypted. The rest of the connection would be unencrypted.
> You would get some of the benefits of ssh without a constant performance
> hit.

Use one-time passwords with telnet.

But I have yet to find a situation where the "constant performance hit" of
SSH is noticeable.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Tue Aug 21 15:09:30 2001
Message-ID: <3B82DC14.1040304@magpage.com>
Date: Tue, 21 Aug 2001 18:09:24 -0400
From: Daniel Frazier
To: freebsd-security@FreeBSD.ORG
Subject: question about procfs advisory...

in section V.2 it says...

# cd /usr/src/sys
# patch -p < /path/to/patch

...but when I do so patch cannot find the files to patch. Should that
have been...

# cd /usr/src/

...instead?

-- 
----------------------------------------------------------------------
Daniel Frazier                         Tel: 302-239-5900 Ext. 231
Systems Administrator                  Fax: 302-239-3909
MAGPAGE, We Power the Internet         WWW: http://www.magpage.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
From owner-freebsd-security Tue Aug 21 15:10:21 2001
Date: Tue, 21 Aug 2001 14:05:47 -0700 (PDT)
From: David Kirchner
To: Daniel Frazier
Subject: Re: question about procfs advisory...
In-Reply-To: <3B82DC14.1040304@magpage.com>
Message-ID: <20010821140526.I38221-100000@localhost>

I did patch -p0 < /path/to/patch and it worked fine for my 4.2 boxes.

On Tue, 21 Aug 2001, Daniel Frazier wrote:

> in section V.2 it says...
>
> # cd /usr/src/sys
> # patch -p < /path/to/patch
>
> ...but when I do so patch cannot find the files to patch. Should that
> have been...
>
> # cd /usr/src/
>
> ...instead?

From owner-freebsd-security Tue Aug 21 15:30:23 2001
Date: Tue, 21 Aug 2001 18:30:11 -0400
From: Daniel Frazier
To: David Kirchner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: question about procfs advisory...
Message-ID: <3B82E0F3.1080502@magpage.com>
References: <20010821140526.I38221-100000@localhost>

David Kirchner wrote:
> I did patch -p0 < /path/to/patch and it worked fine for my 4.2 boxes.

Isn't -p0 the same as -p? Regardless, patch still prompts me for a file
to patch.

  alaska:~# cd /usr/src/sys
  alaska:/usr/src/sys# patch -p0 < ~/procfs.patch
  Hmm...  Looks like a unified diff to me...
  The text leading up to this was:
  --------------------------
  |Index: sys/i386/linux/linprocfs/linprocfs_vnops.c
  |===================================================================
  |RCS file: /usr2/ncvs/src/sys/i386/linux/linprocfs/Attic/linprocfs_vnops.c,v
  |retrieving revision 1.3.2.4
  |retrieving revision 1.3.2.5
  |diff -u -r1.3.2.4 -r1.3.2.5
  |--- sys/i386/linux/linprocfs/linprocfs_vnops.c  2001/06/25 19:46:47  1.3.2.4
  |+++ sys/i386/linux/linprocfs/linprocfs_vnops.c  2001/08/12 14:29:19  1.3.2.5
  --------------------------
  File to patch:

> On Tue, 21 Aug 2001, Daniel Frazier wrote:
>
>> in section V.2 it says...
>>
>> # cd /usr/src/sys
>> # patch -p < /path/to/patch
>>
>> ...but when I do so patch cannot find the files to patch. Should that
>> have been...
>>
>> # cd /usr/src/
>>
>> ...instead?

--
----------------------------------------------------------------------
Daniel Frazier                           Tel: 302-239-5900 Ext. 231
Systems Administrator                    Fax: 302-239-3909
MAGPAGE, We Power the Internet           WWW: http://www.magpage.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
  - Benjamin Franklin, Historical Review of Pennsylvania, 1759.

From owner-freebsd-security Tue Aug 21 15:34:43 2001
Date: Tue, 21 Aug 2001 14:30:05 -0700 (PDT)
From: David Kirchner
To: Daniel Frazier
Subject: Re: question about procfs advisory...
In-Reply-To: <3B82E0F3.1080502@magpage.com>
Message-ID: <20010821142938.R38221-100000@localhost>

On Tue, 21 Aug 2001, Daniel Frazier wrote:

> David Kirchner wrote:
> > I did patch -p0 < /path/to/patch and it worked fine for my 4.2 boxes.
>
> isn't -p0 the same as -p? regardless, patch still prompts me for a file
> to patch.

I'm not sure what I was thinking in my response. Probably wasn't thinking.
I did it from /usr/src. I meant to say "Yes, you're correct."

From owner-freebsd-security Tue Aug 21 16:24:18 2001
Date: Tue, 21 Aug 2001 18:24:10 -0500 (CDT)
From: "c.s. (maneo) peron"
Subject: inet socket restriction via group
Message-ID: <20010821182214.H81525-100000@icmp.dhs.org>

greetings;

This is something that I use on a daily basis. I have heard people
asking questions on how they might restrict members from a certain group
from creating INET sockets.
This is a little something I hacked together. I am currently working on
another method of doing this; one that does not rely on the sysctl
mechanism. We will see how that goes. But for now...

Add "options RESTRICT_SOCKS" to your kernel config.

It's not complicated, I know there are probably some better ways of going
about doing this. However it works. After applying the patches &
recompiling your kernel, you will see the following variables in the
sysctl:

  % sysctl -a | grep No
  kern.ipc.NoInetSocks: 0
  kern.ipc.NoInet_GID: 65534
  %

Simply turn the variable on by setting it to 1. Then specify the group
you want to restrict.

Some of you might think it's crap, others may find it useful.

Cheers
c.s. (maneo) peron

snip ---< snip ---< snip ---< options patch
*** /usr/src/alpha/sys/conf/options Thu Aug 2 19:47:27 2001 --- /usr/src/sys/conf/options Sat Aug 18 11:29:30 2001 *************** *** 268,273 **** --- 268,274 ---- PPP_DEFLATE opt_ppp.h PPP_FILTER opt_ppp.h RANDOM_IP_ID + RESTRICT_SOCKS opt_resocks.h SLIP_IFF_OPTS opt_slip.h TCPDEBUG TCP_DROP_SYNFIN opt_tcp_input.h
snip ---< snip ---< snip ---< uipc_socket.c patch
*** uipc_socket.c.orig Thu Jun 14 15:46:06 2001 --- uipc_socket.c Tue Aug 21 10:21:58 2001 *************** *** 35,40 **** --- 35,41 ---- */ #include "opt_inet.h" + #include "opt_resocks.h" #include #include *************** *** 89,94 **** --- 90,120 ---- SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW, &somaxconn, 0, "Maximum pending socket connection queue size"); + #if (defined(RESTRICT_SOCKS)) + /* + * define the sysctl(8) mechanisms that will enable + * the restriction of a certain group member(s) + * from creating network sockets, to prevent potentially + * abusive users from using the system as a springboard.
+ */ + static int NoInetSocks = 0; /* default to 'off' */ + gid_t NoInet_GID = 65534; /* default to group 'nobody' */ + + SYSCTL_INT(_kern_ipc, + OID_AUTO, + NoInetSocks, + CTLFLAG_RW, + &NoInetSocks, + 0,"AF_INET socket restriction via GID"); + + SYSCTL_INT(_kern_ipc, + OID_AUTO, + NoInet_GID, + CTLFLAG_RW, + &NoInet_GID, + 0,"GID to be restricted"); + #endif /* RESTRICT SOCKS */ + /* * Socket operation routines. * These routines are called by the routines in *************** *** 132,137 **** --- 158,172 ---- register struct protosw *prp; register struct socket *so; register int error; + + #if (defined(RESTRICT_SOCKS)) + if (dom == AF_INET && NoInetSocks) { + if (groupmember(NoInet_GID, (struct ucred *)p->p_cred)) { + uprintf("socreate(AF_INET) - disabled\n"); + return(EPERM); + } + } + #endif /* RESTRICT_SOCKS */ if (proto) prp = pffindproto(dom, proto, type);

From owner-freebsd-security Tue Aug 21 16:26:38 2001
Date: Tue, 21 Aug 2001 18:22:59 -0500 (CDT)
From: James Wyatt
To: Rob Simmons
Cc: Matt Piechota, Wes Peters, "Carroll, D. (Danny)", freebsd-security@freebsd.org
Subject: Re: Silly crackers... NT is for kids...
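Review bot: in the hunk that adds the two sysctl knobs (the `*** 89,94 ****` region), `NoInet_GID` is declared `gid_t` but exported through `SYSCTL_INT`, which takes an `int *`; the sizes agree on this platform, so it compiles and works, but sysctl(8) then presents and range-checks the value as a signed int, and the declaration no longer says what the knob actually is. Declare it `int` like `NoInetSocks` (and like `somaxconn` just above it) or keep `gid_t` and convert in a handler. Two smaller points in the same hunk: `NoInetSocks` is `static` while `NoInet_GID` is not, with nothing else referencing it, and the closing comment reads `#endif /* RESTRICT SOCKS */` while every other reference spells it `RESTRICT_SOCKS`.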
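Review bot: in the socreate() hunk (`*** 132,137 ****`), `groupmember(NoInet_GID, (struct ucred *)p->p_cred)` casts the process's `struct pcred *` to `struct ucred *`; the cast only silences the compiler, and groupmember() then reads the group list out of the wrong structure, so the allow/deny decision is made on whatever happens to sit at those offsets (the author's follow-up on this list says this version was "no good"). Pass the real credential, `p->p_cred->pc_ucred` in 4.x, and drop the cast. Two further points in this hunk: the test is `dom == AF_INET` only, so with INET6 compiled in a restricted user can still open an AF_INET6 socket, which defeats the stated goal of "no network sockets"; and `uprintf()` writes to the caller's controlling tty, which reaches nobody when the caller is a daemon or cron job, whereas a `log(LOG_NOTICE, ...)` with the uid and pid would give the operator an audit trail of denied attempts.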
In-Reply-To: <20010821150657.G21383-100000@mail.wlcg.com>

On Tue, 21 Aug 2001, Rob Simmons wrote:
> On Tue, 21 Aug 2001, Matt Piechota wrote:
> > No No, on the realtime machine controllers (QNX), or OCR nodes that need
> > all the cpu cycles they can get. I'm talking about the [de|en]crypt on
> > the remote side, not the PC side. Every bit of performance matters, and
> > could be the difference between us and someone else getting a contract.
>
> There should be a way to configure sshd so that only the username/password
> exchange is encrypted. The rest of the connection would be unencrypted.
> You would get some of the benefits of ssh without a constant performance
> hit.

IMHO, that would be a "bad idea" as it would 1) be easier to insert forged
command packets after browsing what was going on, 2) break changing your
password because it could be sniffed at change time, 3) not save *that*
much CPU for tactical shell sessions, and 4) confuse users who thought SSH
was always "safe" to use.

When I've worked on embedded systems, if there wasn't enough CPU to
encrypt/decrypt the stream, there was likely not enough CPU to run the
commands I usually wanted. I avoid doing things that generate a lot of
output because the network and system needed real-time priority for
everything else going on. Large return flows either hurt the running
(lower-priority), filled queues with backlog because a higher-priority
task got IO and CPU first, or caused non-deterministic latency on the LAN.

Be realistic about the relative overhead of encryption before spreading
FUD. If the systems are so close to their limits that encryption "hurts",
you likely warrant a separate sub-network to reduce packet reception
overhead on your nodes. If you do that, you can protect the entrance to
that sub-network and save the encryption setup, diskspace, and overhead.
- Jy@

btw: I have always been impressed at how much QNX can run in real-time on
a SBC. I've also been impressed at how much stuff ports to it easily. I
just wish I could afford enough of it to play with on my own more.
(Besides the surfing platform on a single floppy demo they sent out...)

From owner-freebsd-security Tue Aug 21 16:36:27 2001
Date: Tue, 21 Aug 2001 19:36:00 -0400
From: Chip Norkus
To: freebsd-security@freebsd.org
Subject: Re: inet socket restriction via group
Message-ID: <20010821193550.A8013@anduril.org>
References: <20010821182214.H81525-100000@icmp.dhs.org>
In-Reply-To: <20010821182214.H81525-100000@icmp.dhs.org>; from maneo@icmp.dhs.org on Tue, Aug 21, 2001 at 06:24:10PM -0500

On Tue Aug 21, 2001; 06:24PM -0500 c.s. (maneo) peron used 3.3K bytes of
bandwidth to send the following:
> greetings;
>
> This is something that i use on a daily basis. I have heard people
> asking questions on how they might restrict members from a certain group
> from creating INET sockets. This is a little something I hacked together.
>
> Iam currently working on another method of doing this; one
> that does not rely on the sysctl mechanism. We will see how that goes.
> But for now..
>

I think you might be reinventing the wheel here, you can do:

  ipfw add deny ip from any to any gid out

To disallow people from sending outbound IP traffic. It doesn't stop them
from creating the socket, per se, but it does stop them from using it for
anything.

HTH,
-wd

--
chip norkus(rl);  white_dragon('net');  wd@arpa.com
"That's Tron.  He fights for the users."  http://telekinesis.org

From owner-freebsd-security Tue Aug 21 16:47:28 2001
Date: Tue, 21 Aug 2001 18:47:09 -0500 (CDT)
From: "c.s. (maneo) peron"
Subject: Re: inet socket restriction via group (fwd)
Message-ID: <20010821184631.H13462-100000@icmp.dhs.org>

True, you could use ipfw, however I don't believe you can filter a group
when using ipf. (correct me if I am wrong)

Furthermore, I posted the wrong uipc_socket.c patch :( the other one was
no good. This one should work.
snip ---< snip ---< snip ---< options patch *** /usr/src/alpha/sys/conf/options Thu Aug 2 19:47:27 2001 --- /usr/src/sys/conf/options Sat Aug 18 11:29:30 2001 *************** *** 268,273 **** --- 268,274 ---- PPP_DEFLATE opt_ppp.h PPP_FILTER opt_ppp.h RANDOM_IP_ID + RESTRICT_SOCKS opt_resocks.h SLIP_IFF_OPTS opt_slip.h TCPDEBUG TCP_DROP_SYNFIN opt_tcp_input.h snip ---< snip ---< snip ---< uipc_socket.c patch *** uipc_socket.c.orig Thu Jun 14 15:46:06 2001 --- uipc_socket.c Tue Aug 21 10:21:58 2001 *************** *** 35,40 **** --- 35,41 ---- */ #include "opt_inet.h" + #include "opt_resocks.h" #include #include *************** *** 89,94 **** --- 90,120 ---- SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW, &somaxconn, 0, "Maximum pending socket connection queue size"); + #if (defined(RESTRICT_SOCKS)) + /* + * define the sysctl(8) mechanisms that will enable + * the restriction of a certain group member(s) + * from creating network sockets, to prevent potentially + * abusive users from using the system as a springboard. + */ + static int NoInetSocks = 0; /* default to 'off' */ + gid_t NoInet_GID = 65534; /* default to group 'nobody' */ + + SYSCTL_INT(_kern_ipc, + OID_AUTO, + NoInetSocks, + CTLFLAG_RW, + &NoInetSocks, + 0,"AF_INET socket restriction via GID"); + + SYSCTL_INT(_kern_ipc, + OID_AUTO, + NoInet_GID, + CTLFLAG_RW, + &NoInet_GID, + 0,"GID to be restricted"); + #endif /* RESTRICT SOCKS */ + /* * Socket operation routines. 
* These routines are called by the routines in *************** *** 132,137 **** --- 158,172 ---- register struct protosw *prp; register struct socket *so; register int error; + + #if (defined(RESTRICT_SOCKS)) + if (dom == AF_INET && NoInetSocks) { + if (p->p_cred->p_rgid == NoInet_GID) { + uprintf("socreate(AF_INET) - disabled\n"); + return(EPERM); + } + } + #endif /* RESTRICT_SOCKS */ if (proto) prp = pffindproto(dom, proto, type);

From owner-freebsd-security Tue Aug 21 17:06:39 2001
Date: Tue, 21 Aug 2001 17:04:52 -0700
From: Michael Bryan
To: freebsd-security@freebsd.org
Subject: Local Sendmail vulnerability, from BugTraq
Message-ID: <3B82F724.A0436441@ursine.com>

FYI, I would presume this affects FreeBSD boxes...
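Review bot: the sysctl hunk (`*** 89,94 ****`) is reposted unchanged from the first version, so the same type mismatch stands: `NoInet_GID` is a `gid_t` handed to `SYSCTL_INT`, which expects an `int *`. It works only because the two types happen to be the same width here; declare it `int` like `NoInetSocks`, or convert in a handler, so the knob's declared type matches what sysctl(8) shows. The `#endif /* RESTRICT SOCKS */` comment still disagrees with the `RESTRICT_SOCKS` spelling used everywhere else.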
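Review bot: the socreate() hunk (`*** 132,137 ****`) now tests `p->p_cred->p_rgid == NoInet_GID`, i.e. only the process's real GID, so a user who belongs to the restricted group through the member list in /etc/group (a supplementary group) or through a setgid binary (effective GID) is not restricted at all, while a user whose login group happens to be that GID is blocked even if the administrator never listed them. The first version's `groupmember()` call walked the supplementary groups; the working form is `groupmember(NoInet_GID, p->p_cred->pc_ucred)` (in 4.x the ucred hangs off `struct pcred` as `pc_ucred`), and if real-GID-only is genuinely intended, the comment and the "GID to be restricted" sysctl description should say so. The AF_INET-only test and the `uprintf()` to the caller's tty from the first version are unchanged here and carry the same concerns: AF_INET6 sockets are not covered, and denials leave no trace in syslog.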
-----Original Message-----
From: Dave Ahmed [mailto:da@securityfocus.com]
Sent: Tuesday, August 21, 2001 9:04 AM
To: bugtraq@securityfocus.com
Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd)

This alert is being posted to Bugtraq as our public release of the
vulnerability discovered in Sendmail by Cade Cairns.

---------------------------------------------------------------------------
Security Alert

Subject:      Sendmail Debugger Arbitrary Code Execution Vulnerability
BUGTRAQ ID:   3163                        CVE ID:          CAN-2001-0653
Published:    August 17, 2001 MT          Updated:         August 20, 2001 MT

Remote:       No                          Local:           Yes
Availability: Always                      Authentication:  Not Required
Credibility:  Vendor Confirmed            Ease:            No Exploit Available
Class:        Input Validation Error

Impact:       10.00       Severity:   7.50       Urgency:   6.58

Last Change:  Updated packages that rectify this issue are now available
              from Sendmail.
---------------------------------------------------------------------------

Vulnerable Systems:

  Sendmail Consortium Sendmail 8.12beta7
  Sendmail Consortium Sendmail 8.12beta5
  Sendmail Consortium Sendmail 8.12beta16
  Sendmail Consortium Sendmail 8.12beta12
  Sendmail Consortium Sendmail 8.12beta10
  Sendmail Consortium Sendmail 8.11.5
  Sendmail Consortium Sendmail 8.11.4
  Sendmail Consortium Sendmail 8.11.3
  Sendmail Consortium Sendmail 8.11.2
  Sendmail Consortium Sendmail 8.11.1
  Sendmail Consortium Sendmail 8.11

Non-Vulnerable Systems:

Summary:

Sendmail contains an input validation error that may lead to the execution
of arbitrary code with elevated privileges.

Impact:

Local users may be able to write arbitrary data to process memory,
possibly allowing the execution of code/commands with elevated
privileges.

Technical Description:

An input validation error exists in Sendmail's debugging functionality.

The problem is the result of the use of signed integers in the
program's tTflag() function, which is responsible for processing
arguments supplied from the command line with the '-d' switch and
writing the values to its internal "trace vector." The vulnerability
exists because it is possible to cause a signed integer overflow by
supplying a large numeric value for the 'category' part of the debugger
arguments. The numeric value is used as an index for the trace vector.

Before the vector is written to, a check is performed to ensure that
the supplied index value is not greater than the size of the vector.
However, because a signed integer comparison is used, it is possible to
bypass the check by supplying the signed integer equivalent of a
negative value. This may allow an attacker to write data to anywhere
within a certain range of locations in process memory.

Because the '-d' command-line switch is processed before the program
drops its elevated privileges, this could lead to a full system
compromise. This vulnerability has been successfully exploited in a
laboratory environment.

Attack Scenarios:

An attacker with local access must determine the memory offsets of the
program's internal tTdvect variable and the location to which he or she
wishes to have data written.

The attacker must craft in architecture-specific binary code the
commands (or 'shellcode') to be executed with higher privilege. The
attacker must then run the program, using the '-d' flag to overwrite a
function return address with the location of the supplied shellcode.

Exploits:

Currently the SecurityFocus staff are not aware of any exploits for
this issue. If you feel we are in error or are aware of more recent
information, please mail us at: vuldb@securityfocus.com.

Mitigating Strategies:

Restrict local access to trusted users only.
Solutions:

Below is a statement from the Sendmail Consortium regarding this issue:

--------------------
This vulnerability, present in sendmail open source versions between
8.11.0 and 8.11.5, has been corrected in 8.11.6. sendmail 8.12.0.Beta
users should upgrade to 8.12.0.Beta19. The problem was not present in
8.10 or earlier versions. However, as always, we recommend using the
latest version.

Note that this problem is not remotely exploitable. Additionally,
sendmail 8.12 will no longer use a set-user-id root binary by default.
--------------------

Updated packages that rectify this issue are available from the vendor:

For Sendmail Consortium Sendmail 8.11:
  Sendmail Consortium upgrade sendmail 8.11.6
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

For Sendmail Consortium Sendmail 8.11.1:
  Sendmail Consortium upgrade sendmail 8.11.6
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

For Sendmail Consortium Sendmail 8.11.2:
  Sendmail Consortium upgrade sendmail 8.11.6
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

For Sendmail Consortium Sendmail 8.11.3:
  Sendmail Consortium upgrade sendmail 8.11.6
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

For Sendmail Consortium Sendmail 8.11.4:
  Sendmail Consortium upgrade sendmail 8.11.6
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

For Sendmail Consortium Sendmail 8.11.5:
  Sendmail Consortium upgrade sendmail 8.11.6
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

For Sendmail Consortium Sendmail 8.12beta10:
  Sendmail Consortium upgrade sendmail 8.12.0 Beta19
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

For Sendmail Consortium Sendmail 8.12beta12:
  Sendmail Consortium upgrade sendmail 8.12.0 Beta19
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

For Sendmail Consortium Sendmail 8.12beta16:
  Sendmail Consortium upgrade sendmail 8.12.0 Beta19
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

For Sendmail Consortium Sendmail 8.12beta5:
  Sendmail Consortium upgrade sendmail 8.12.0 Beta19
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

For Sendmail Consortium Sendmail 8.12beta7:
  Sendmail Consortium upgrade sendmail 8.12.0 Beta19
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

Credit:

Discovered by Cade Cairns of the Security Focus SIA Threat Analysis Team.

References:

  web page: Sendmail Homepage (Sendmail)
  http://www.sendmail.org/

ChangeLog:

  Aug 20, 2001: Updated packages that rectify this issue are now available
                from Sendmail.
  Aug 20, 2001: Updated versions of Sendmail will be available today at
                4:00 PDT.
  Aug 09, 2001: Initial analysis.

---------------------------------------------------------------------------
HOW TO INTERPRET THIS ALERT

BUGTRAQ ID: This is a unique identifier assigned to the vulnerability by
SecurityFocus.com.

CVE ID: This is a unique identifier assigned to the vulnerability by the
CVE.

Published: The date the vulnerability was first made public.

Updated: The date the information was last updated.

Remote: Whether this is a remotely exploitable vulnerability.

Local: Whether this is a locally exploitable vulnerability.

Credibility: Describes how credible the information about the
vulnerability is. Possible values are:
  Conflicting Reports: There are multiple conflicting reports about the
    existence of the vulnerability.
  Single Source: There is a single non-reliable source reporting the
    existence of the vulnerability.
  Reliable Source: There is a single reliable source reporting the
    existence of the vulnerability.
  Conflicting Details: There is consensus on the existence of the
    vulnerability but not its details.
  Multiple Sources: There is consensus on the existence and details of
    the vulnerability.
  Vendor Confirmed: The vendor has confirmed the vulnerability.

Class: The class of vulnerability. Possible values are: Boundary
Condition Error, Access Validation Error, Origin Validation Error, Input
Validation Error, Failure to Handle Exceptional Conditions, Race
Condition Error, Serialization Error, Atomicity Error, Environment Error,
and Configuration Error.

Ease: Rates how easily the vulnerability can be exploited. Possible
values are: No Exploit Available, Exploit Available, and No Exploit
Required.

Impact: Rates the impact of the vulnerability. Its range is 1 through 10.

Severity: Rates the severity of the vulnerability. Its range is 1 through
10. It's computed from the impact rating and remote flag. Remote
vulnerabilities with a high impact rating receive a high severity rating.
Local vulnerabilities with a low impact rating receive a low severity
rating.

Urgency: Rates how quickly you should take action to fix or mitigate the
vulnerability. Its range is 1 through 10. It's computed from the severity
rating, the ease rating, and the credibility rating. High severity
vulnerabilities with a high ease rating, and a high confidence rating
have a higher urgency rating. Low severity vulnerabilities with a low
ease rating, and a low confidence rating have a lower urgency rating.

Last Change: The last change made to the vulnerability information.

Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
system name indicates that one of the system components is vulnerable.
For example, Windows 98 ships with Internet Explorer. So if a
vulnerability is found in IE you may see something like:
  Microsoft Internet Explorer
  + Microsoft Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

Summary: A concise summary of the vulnerability.

Impact: The impact of the vulnerability.

Technical Description: The in-depth description of the vulnerability.

Attack Scenarios: Ways an attacker may make use of the vulnerability.

Exploits: Exploit instructions or programs.

Mitigating Strategies: Ways to mitigate the vulnerability.
Solutions: Solutions to the vulnerability. Credit: Information about who disclosed the vulnerability. References: Sources of information on the vulnerability. Related Resources: Resources that might be of additional value. ChangeLog: History of changes to the vulnerability record. --------------------------------------------------------------------------- Copyright 2001 SecurityFocus.com https://alerts.securityfocus.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 21 17:12:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id AFB1537B414 for ; Tue, 21 Aug 2001 17:09:35 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 28A0A66D1C; Tue, 21 Aug 2001 17:09:35 -0700 (PDT) Date: Tue, 21 Aug 2001 17:09:35 -0700 From: Kris Kennaway To: Michael Bryan Cc: freebsd-security@freebsd.org Subject: Re: Local Sendmail vulnerability, from BugTraq Message-ID: <20010821170934.A22112@xor.obsecurity.org> References: <3B82F724.A0436441@ursine.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="gKMricLos+KVdGMg" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B82F724.A0436441@ursine.com>; from fbsd-secure@ursine.com on Tue, Aug 21, 2001 at 05:04:52PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --gKMricLos+KVdGMg Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable It's already been fixed in the source tree Kris On Tue, Aug 21, 2001 at 05:04:52PM -0700, Michael Bryan wrote: >=20 > FYI, I would presume this 
affects FreeBSD boxes... > > -----Original Message----- > From: Dave Ahmed [mailto:da@securityfocus.com] > Sent: Tuesday, August 21, 2001 9:04 AM > To: bugtraq@securityfocus.com > Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger > Arbitrary Code Execution Vulnerability (fwd) > > > > This alert is being posted to Bugtraq as our public release of the > vulnerability discovered in Sendmail by Cade Cairns > . > > --------------------------------------------------------------------------- > Security Alert > > Subject: Sendmail Debugger Arbitrary Code Execution Vulnerability > BUGTRAQ ID: 3163 CVE ID: CAN-2001-0653 > Published: August 17, 2001 MT Updated: August 20, 2001 MT > > Remote: No Local: Yes > Availability: Always Authentication: Not Required > Credibility: Vendor Confirmed Ease: No Exploit Available > Class: Input Validation Error > > Impact: 10.00 Severity: 7.50 Urgency: 6.58 > > Last Change: Updated packages that rectify this issue are now available > from Sendmail. > --------------------------------------------------------------------------- > > Vulnerable Systems: > > Sendmail Consortium Sendmail 8.12beta7 > Sendmail Consortium Sendmail 8.12beta5 > Sendmail Consortium Sendmail 8.12beta16 > Sendmail Consortium Sendmail 8.12beta12 > Sendmail Consortium Sendmail 8.12beta10 > Sendmail Consortium Sendmail 8.11.5 > Sendmail Consortium Sendmail 8.11.4 > Sendmail Consortium Sendmail 8.11.3 > Sendmail Consortium Sendmail 8.11.2 > Sendmail Consortium Sendmail 8.11.1 > Sendmail Consortium Sendmail 8.11 > > Non-Vulnerable Systems: > > > > Summary: > > Sendmail contains an input validation error that may lead to the execution > of arbitrary code with elevated privileges. > > Impact: > > Local users may be able to write arbitrary data to process memory, > possibly allowing the execution of code/commands with elevated > privileges.
> > Technical Description: > > An input validation error exists in Sendmail's debugging functionality. > > The problem is the result of the use of signed integers in the > program's tTflag() function, which is responsible for processing > arguments supplied from the command line with the '-d' switch and > writing the values to its internal "trace vector." The vulnerability > exists because it is possible to cause a signed integer overflow by > supplying a large numeric value for the 'category' part of the debugger > arguments. The numeric value is used as an index for the trace vector. > > Before the vector is written to, a check is performed to ensure that > the supplied index value is not greater than the size of the vector. > However, because a signed integer comparison is used, it is possible to > bypass the check by supplying the signed integer equivalent of a > negative value. This may allow an attacker to write data to anywhere > within a certain range of locations in process memory. > > Because the '-d' command-line switch is processed before the program > drops its elevated privileges, this could lead to a full system > compromise. This vulnerability has been successfully exploited in a > laboratory environment. > > Attack Scenarios: > > An attacker with local access must determine the memory offsets of the > program's internal tTdvect variable and the location to which he or she > wishes to have data written. > > The attacker must craft in architecture specific binary code the > commands (or 'shellcode') to be executed with higher privilege. The > attacker must then run the program, using the '-d' flag to overwrite a > function return address with the location of the supplied shellcode. > > Exploits: > > Currently the SecurityFocus staff are not aware of any exploits for > this issue. If you feel we are in error or are aware of more recent > information, please mail us at: vuldb@securityfocus.com > .
> > Mitigating Strategies: > > Restrict local access to trusted users only. > > Solutions: > > Below is a statement from the Sendmail Consortium regarding this issue: > > -------------------- > This vulnerability, present in sendmail open source versions between > 8.11.0 and 8.11.5 has been corrected in 8.11.6. sendmail 8.12.0.Beta > users should upgrade to 8.12.0.Beta19. The problem was not present in > 8.10 or earlier versions. However, as always, we recommend using the > latest version. Note that this problem is not remotely exploitable. > Additionally, sendmail 8.12 will no longer use a set-user-id root > binary by default. > -------------------- > > Updated packages that rectify this issue are available from the vendor: > > For Sendmail Consortium Sendmail 8.11: > > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz > > For Sendmail Consortium Sendmail 8.11.1: > > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz > > For Sendmail Consortium Sendmail 8.11.2: > > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz > > For Sendmail Consortium Sendmail 8.11.3: > > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz > > For Sendmail Consortium Sendmail 8.11.4: > > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz > > For Sendmail Consortium Sendmail 8.11.5: > > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz > > For Sendmail Consortium Sendmail 8.12beta10: > > Sendmail Consortium upgrade sendmail 8.12.0 Beta19 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz > > For Sendmail Consortium Sendmail 8.12beta12: > > Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz > > For Sendmail Consortium Sendmail 8.12beta16: > > Sendmail Consortium upgrade sendmail 8.12.0 Beta19 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz > > For Sendmail Consortium Sendmail 8.12beta5: > > Sendmail Consortium upgrade sendmail 8.12.0 Beta19 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz > > For Sendmail Consortium Sendmail 8.12beta7: > > Sendmail Consortium upgrade sendmail 8.12.0 Beta19 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz > > Credit: > > Discovered by Cade Cairns of the Security > Focus SIA Threat Analysis Team. > > References: > > web page: > Sendmail Homepage (Sendmail) > http://www.sendmail.org/ > > ChangeLog: > > Aug 20, 2001: Updated packages that rectify this issue are now > available from Sendmail. > Aug 20, 2001: Updated versions of Sendmail will be available today at > 4:00 PDT. > Aug 09, 2001: Initial analysis. > > --------------------------------------------------------------------------- > > HOW TO INTERPRET THIS ALERT > > BUGTRAQ ID: This is a unique identifier assigned to the > vulnerability by SecurityFocus.com. > > CVE ID: This is a unique identifier assigned to the > vulnerability by the CVE. > > Published: The date the vulnerability was first made public. > > Updated: The date the information was last updated. > > Remote: Whether this is a remotely exploitable > vulnerability. > > Local: Whether this is a locally exploitable > vulnerability. > > Credibility: Describes how credible the information about the > vulnerability is. Possible values are: > > Conflicting Reports: There are multiple conflicting reports > about the existence of the vulnerability. > > Single Source: There is a single non-reliable > source reporting the existence of the > vulnerability.
> > Reliable Source: There is a single reliable source > reporting the existence of the vulnerability. > > Conflicting Details: There is consensus on the > existence of the vulnerability but not its > details. > > Multiple Sources: There is consensus on the > existence and details of the vulnerability. > > Vendor Confirmed: The vendor has confirmed the > vulnerability. > > Class: The class of vulnerability. Possible values are: > Boundary Condition Error, Access Validation Error, > Origin Validation Error, Input Validation Error, > Failure to Handle Exceptional Conditions, Race > Condition Error, Serialization Error, Atomicity > Error, Environment Error, and Configuration Error. > > Ease: Rates how easily the vulnerability can be > exploited. Possible values are: No Exploit > Available, Exploit Available, and No Exploit > Required. > > Impact: Rates the impact of the vulnerability. Its range > is 1 through 10. > > Severity: Rates the severity of the vulnerability. Its range > is 1 through 10. It's computed from the impact > rating and remote flag. Remote vulnerabilities with > a high impact rating receive a high severity > rating. Local vulnerabilities with a low impact > rating receive a low severity rating. > > Urgency: Rates how quickly you should take action to fix or > mitigate the vulnerability. Its range is 1 through > 10. It's computed from the severity rating, the > ease rating, and the credibility rating. High > severity vulnerabilities with a high ease rating, > and a high confidence rating have a higher urgency > rating. Low severity vulnerabilities with a low > ease rating, and a low confidence rating have a > lower urgency rating. > > Last Change: The last change made to the vulnerability > information. > > Vulnerable Systems: The list of vulnerable systems.
A '+' preceding a > system name indicates that one of the system > components is vulnerable. For example, > Windows 98 ships with Internet Explorer. So if a > vulnerability is found in IE you may see something > like: Microsoft Internet Explorer + Microsoft > Windows 98 > > Non-Vulnerable Systems: The list of non-vulnerable systems. > > Summary: A concise summary of the vulnerability. > > Impact: The impact of the vulnerability. > > Technical Description: The in-depth description of the vulnerability. > > Attack Scenarios: Ways an attacker may make use of the vulnerability. > > Exploits: Exploit instructions or programs. > > Mitigating Strategies: Ways to mitigate the vulnerability. > > Solutions: Solutions to the vulnerability. > > Credit: Information about who disclosed the vulnerability. > > References: Sources of information on the vulnerability. > > Related Resources: Resources that might be of additional value. > > ChangeLog: History of changes to the vulnerability record.
> > --------------------------------------------------------------------------- > > Copyright 2001 SecurityFocus.com > > https://alerts.securityfocus.com/ --gKMricLos+KVdGMg Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7gvg+Wry0BWjoQKURAnUhAJ0cbam7PQNp9duiY98OxHLzuaCCSACgnhio 1M2zWdunrAxpoDEeLRk1Mek= =+l3i -----END PGP SIGNATURE----- --gKMricLos+KVdGMg-- From owner-freebsd-security Tue Aug 21 17:15:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id ED6FF37B40B for ; Tue, 21 Aug 2001 17:15:11 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 85F1166D1C; Tue, 21 Aug 2001 17:15:11 -0700 (PDT) Date: Tue, 21 Aug 2001 17:15:11 -0700 From: Kris Kennaway To: Daniel Frazier Cc: freebsd-security@FreeBSD.ORG Subject: Re: question about procfs advisory...
Message-ID: <20010821171511.A22290@xor.obsecurity.org> References: <3B82DC14.1040304@magpage.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="pWyiEgJYm5f9v55/" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B82DC14.1040304@magpage.com>; from dfrazier@magpage.com on Tue, Aug 21, 2001 at 06:09:24PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --pWyiEgJYm5f9v55/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 21, 2001 at 06:09:24PM -0400, Daniel Frazier wrote: > ...but when I do so patch cannot find the files to patch. Should that > have been... > > # cd /usr/src/ > > ...instead? Yes. Kris --pWyiEgJYm5f9v55/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7gvmOWry0BWjoQKURAlGjAKCJTDROpZqBF9VqUBGb8ecRdzNXogCgtzzI uATPFULktxtzrlSUoNMXEwk= =t/XX -----END PGP SIGNATURE----- --pWyiEgJYm5f9v55/-- From owner-freebsd-security Tue Aug 21 18:24: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by hub.freebsd.org (Postfix) with ESMTP id 1D1EF37B409 for ; Tue, 21 Aug 2001 18:23:58 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.245.130.30.Dial1.SanJose1.Level3.net [209.245.130.30]) by hawk.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id SAA28152; Tue, 21 Aug 2001 18:23:29 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f7M1MTZ73378; Tue, 21 Aug 2001
18:22:29 -0700 (PDT) (envelope-from cjc) Date: Tue, 21 Aug 2001 18:22:29 -0700 From: "Crist J. Clark" To: "c.s. (maneo) peron" Cc: freebsd-security@FreeBSD.ORG Subject: Re: inet socket restriction via group (fwd) Message-ID: <20010821182229.D313@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20010821184631.H13462-100000@icmp.dhs.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010821184631.H13462-100000@icmp.dhs.org>; from maneo@icmp.dhs.org on Tue, Aug 21, 2001 at 06:47:09PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Aug 21, 2001 at 06:47:09PM -0500, c.s. (maneo) peron wrote: > > True you could use ipfw, however I don't believe you can filter > a group when using ipf. (correct me if I am wrong) You are wrong. ipfw(8) says, uid user Match all TCP or UDP packets sent by or received for a user. A user may be matched by name or identification number. gid group Match all TCP or UDP packets sent by or received for a group. A group may be matched by name or identification number. -- Crist J.
Clark cjclark@alum.mit.edu From owner-freebsd-security Tue Aug 21 18:28:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from ciberteca.com (ciberteca.com [62.22.90.24]) by hub.freebsd.org (Postfix) with SMTP id AFE6F37B412 for ; Tue, 21 Aug 2001 18:28:10 -0700 (PDT) (envelope-from koji@ciberteca.com) Received: (qmail 73858 invoked from network); 22 Aug 2001 01:35:10 -0000 Received: from unknown (HELO daemon) (62.82.138.77) by ciberteca.com with SMTP; 22 Aug 2001 01:35:10 -0000 Message-ID: <003901c12aa9$e62af8a0$0164a8c0@daemon> From: "Koji" To: Subject: strange message Date: Wed, 22 Aug 2001 03:29:32 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have a mail with security check output: mymachine.com kernel log messages: > SR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR> What is that message?
From owner-freebsd-security Tue Aug 21 18:33: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta05-svc.ntlworld.com (mta05-svc.ntlworld.com [62.253.162.45]) by hub.freebsd.org (Postfix) with ESMTP id 4EEB137B412 for ; Tue, 21 Aug 2001 18:32:52 -0700 (PDT) (envelope-from greid@FreeBSD.org) Received: from sobek.lan ([62.252.8.4]) by mta05-svc.ntlworld.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20010822013250.IINP20588.mta05-svc.ntlworld.com@sobek.lan>; Wed, 22 Aug 2001 02:32:50 +0100 Received: (from greid@localhost) by sobek.lan (8.11.5/8.11.5) id f7M1Wng59948; Wed, 22 Aug 2001 02:32:49 +0100 (BST) (envelope-from greid@FreeBSD.org) X-Authentication-Warning: sobek.lan: greid set sender to greid@FreeBSD.org using -f Date: Wed, 22 Aug 2001 02:32:49 +0100 From: George Reid To: Koji Cc: freebsd-security@FreeBSD.org Subject: Re: strange message Message-ID: <20010822023249.A59925@FreeBSD.org> References: <003901c12aa9$e62af8a0$0164a8c0@daemon> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <003901c12aa9$e62af8a0$0164a8c0@daemon>; from koji@ciberteca.com on Wed, Aug 22, 2001 at 03:29:32AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Aug 22, 2001 at 03:29:32AM +0200, Koji wrote: > I have a mail with security check output: > > mymachine.com kernel log messages: > > SR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR> [...] The CPU features line.
-- +-------------------+---------------------+ | George Reid | FreeBSD Committer | | +44 7740 197460 | greid@FreeBSD.org | +-------------------+---------------------+ From owner-freebsd-security Tue Aug 21 18:34:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpha.focalnetworks.net (alpha.focalnetworks.net [209.135.104.32]) by hub.freebsd.org (Postfix) with SMTP id 108D337B403 for ; Tue, 21 Aug 2001 18:34:38 -0700 (PDT) (envelope-from project10@alpha.focalnetworks.net) Received: (qmail 67655 invoked by uid 1000); 22 Aug 2001 01:36:50 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Aug 2001 01:36:50 -0000 Date: Tue, 21 Aug 2001 21:36:50 -0400 (EDT) From: project10 To: Koji Cc: Subject: Re: strange message In-Reply-To: <003901c12aa9$e62af8a0$0164a8c0@daemon> Message-ID: <20010821213554.Q66567-100000@alpha.focalnetworks.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Koji, Part of a 'dmesg' line that got cut off. You can probably see the entire line in /var/run/dmesg.boot -- it's most likely, from the looks of it, your CPU's features (i.e. MMX) as detected on boot. -Shawn On Wed, 22 Aug 2001, Koji wrote: > I have a mail with security check output: > > mymachine.com kernel log messages: > > SR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR> > > What is that message?
From owner-freebsd-security Tue Aug 21 18:41:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from ciberteca.com (ciberteca.com [62.22.90.24]) by hub.freebsd.org (Postfix) with SMTP id 06CF837B416 for ; Tue, 21 Aug 2001 18:41:28 -0700 (PDT) (envelope-from koji@ciberteca.com) Received: (qmail 73908 invoked from network); 22 Aug 2001 01:48:28 -0000 Received: from unknown (HELO daemon) (62.82.138.77) by ciberteca.com with SMTP; 22 Aug 2001 01:48:28 -0000 Message-ID: <007301c12aab$c1b19720$0164a8c0@daemon> From: "Koji" To: "Johns, Andrew (AU - Hobart)" Subject: RE: strange message Date: Wed, 22 Aug 2001 03:42:49 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----Original Message----- From: Johns, Andrew (AU - Hobart) To: 'Koji' Date: Wednesday, 22 August 2001 3:40 Subject: RE: strange message >It's part of the bootup stage when it's probing the capabilities of the CPU >(MMX, etc). Looks like you've had a reboot.
# uptime 3:42AM up 27 days, 15:59, 2 users, load averages: 0.03, 0.01, 0.00 From owner-freebsd-security Tue Aug 21 18:52:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 1734637B408 for ; Tue, 21 Aug 2001 18:52:08 -0700 (PDT) (envelope-from ben@FreeBSD.org) Received: from strontium.shef.vinosystems.com ([192.168.91.36] ident=root) by scientia.demon.co.uk with esmtp (Exim 3.30 #1) id 15ZNBd-0000mJ-00; Wed, 22 Aug 2001 02:52:05 +0100 Received: (from ben@localhost) by strontium.shef.vinosystems.com (8.11.4/8.11.4) id f7M1q5X42313; Wed, 22 Aug 2001 02:52:05 +0100 (BST) (envelope-from ben@FreeBSD.org) X-Authentication-Warning: strontium.shef.vinosystems.com: ben set sender to ben@FreeBSD.org using -f Date: Wed, 22 Aug 2001 02:52:04 +0100 From: Ben Smithurst To: Koji Cc: "Johns, Andrew (AU - Hobart)" , security@FreeBSD.org Subject: Re: strange message Message-ID: <20010822025204.B32992@strontium.shef.vinosystems.com> References: <007301c12aab$c1b19720$0164a8c0@daemon> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NMuMz9nt05w80d4+" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <007301c12aab$c1b19720$0164a8c0@daemon> X-PGP-Key: http://www.smithurst.org/ben/pgp-key.txt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --NMuMz9nt05w80d4+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable >> It's part of the bootup stage when it's probing the capabilities of the CPU >> (MMX, etc). Looks like you've had a reboot. No, because the line was truncated at the start...
To be more accurate, what it looks like is that enough new messages have been added to the end of the message buffer that the start of that line has been pushed out, causing the remaining part of the line to appear to the security check as a new line. -- Ben Smithurst / ben@FreeBSD.org FreeBSD: The Power To Serve http://www.FreeBSD.org/ --NMuMz9nt05w80d4+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7gxBDbPzJ+yzvRCwRAveKAJ9c3RdmYNldcP9m1IfOzhgiL6S5JgCeMnz5 eZlE/IpaMR4ngf9Reu64ob4= =FkMk -----END PGP SIGNATURE----- --NMuMz9nt05w80d4+-- From owner-freebsd-security Tue Aug 21 19:15:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from femail11.sdc1.sfba.home.com (femail11.sdc1.sfba.home.com [24.0.95.107]) by hub.freebsd.org (Postfix) with ESMTP id D358F37B405 for ; Tue, 21 Aug 2001 19:15:15 -0700 (PDT) (envelope-from maneo@icmp.dhs.org) Received: from icmp.dhs.org ([64.59.160.69]) by femail11.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20010822021515.JKZM26962.femail11.sdc1.sfba.home.com@icmp.dhs.org>; Tue, 21 Aug 2001 19:15:15 -0700 Date: Tue, 21 Aug 2001 21:15:30 -0500 (CDT) From: "c.s. (maneo) peron" To: Cc: Subject: Re: inet socket restriction via group (fwd) Message-ID: <20010821211357.B23012-100000@icmp.dhs.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 21 Aug 2001, Crist J. Clark wrote: > On Tue, Aug 21, 2001 at 06:47:09PM -0500, c.s. (maneo) peron wrote: > > > > True you could use ipfw, however I don't believe you can filter > > a group when using ipf.
(correct me if I am wrong) Right; please note I acknowledged the fact that you could attain the same results with ipfw. & Please note that I was referencing IPF not to be confused with IPFW when I said I was unsure of the group filtering. I believe that was clear & self-evident. ipf != ipfw. regards > > You are wrong. ipfw(8) says, > > uid user > Match all TCP or UDP packets sent by or received for a > user. A user may be matched by name or identification > number. > > gid group > Match all TCP or UDP packets sent by or received for a > group. A group may be matched by name or identification > number. > > -- > Crist J. Clark cjclark@alum.mit.edu From owner-freebsd-security Tue Aug 21 19:38:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from lists.unixathome.org (lists.unixathome.org [210.48.103.158]) by hub.freebsd.org (Postfix) with ESMTP id 03AED37B40D; Tue, 21 Aug 2001 19:38:20 -0700 (PDT) (envelope-from dan@lists.unixathome.org) Received: from wocker (lists.unixathome.org [210.48.103.158]) by lists.unixathome.org (8.11.1/8.11.1) with ESMTP id f7M2cG075389; Wed, 22 Aug 2001 14:38:17 +1200 (NZST) (envelope-from dan@lists.unixathome.org) From: "Dan Langille" Organization: novice in training To: security-officer@freebsd.org Date: Tue, 21 Aug 2001 22:38:11 -0400 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs Reply-To: dan@langille.org Cc: security@freebsd.org Message-ID: <3B82E2D3.823.D177AF1@localhost> In-reply-to: <200108212039.f7LKdWe21726@freefall.freebsd.org> X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help:
(List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 21 Aug 2001, at 13:39, FreeBSD Security Advisories wrote: > # cd /usr/src/sys > # patch -p < /path/to/patch [dan@xeon:/usr/src/sys] $ sudo patch -p < /usr/patches/procfs.patch Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |Index: sys/i386/linux/linprocfs/linprocfs_vnops.c |=================================================================== |RCS file: /usr2/ncvs/src/sys/i386/linux/linprocfs/Attic/linprocfs_vnops.c,v |retrieving revision 1.3.2.4 |retrieving revision 1.3.2.5 |diff -u -r1.3.2.4 -r1.3.2.5 |--- sys/i386/linux/linprocfs/linprocfs_vnops.c 2001/06/25 19:46:47 1.3.2.4 |+++ sys/i386/linux/linprocfs/linprocfs_vnops.c 2001/08/12 14:29:19 1.3.2.5 -------------------------- File to patch: Is it just me or is this becoming a recurring theme? *grin* I volunteer to test every patch, given that I seem to be the first to report the problem. The patch works if you cd /usr/src, not /usr/src/sys -- Dan Langille - DVL Software Limited FreshPorts - http://freshports.org/ - the place for ports From owner-freebsd-security Tue Aug 21 22: 8: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 5B3DD37B40D for ; Tue, 21 Aug 2001 22:07:28 -0700 (PDT) (envelope-from jdicioccio@epylon.com) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Tue, 21 Aug 2001 22:07:25 -0700 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF0EE@goofy.epylon.lan> From: Jason DiCioccio To: "'cjclark@alum.mit.edu'" , "c.s.
(maneo) peron" Cc: freebsd-security@FreeBSD.ORG Subject: RE: inet socket restriction via group (fwd) Date: Tue, 21 Aug 2001 22:07:23 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes, but he said ipf, not ipfw. Unless we just both have 2 different understandings of what he's saying. And could he mean groups for the rules (in which case he'd be wrong)? Cheers, - -JD- Jason DiCioccio Unix BOFH - -----Original Message----- From: Crist J. Clark [mailto:cristjc@earthlink.net] Sent: Tuesday, August 21, 2001 6:22 PM To: c.s. (maneo) peron Cc: freebsd-security@FreeBSD.ORG Subject: Re: inet socket restriction via group (fwd) On Tue, Aug 21, 2001 at 06:47:09PM -0500, c.s. (maneo) peron wrote: > > True you could use ipfw, however I don't believe you can filter > a group when using ipf. (correct me if I am wrong) You are wrong. ipfw(8) says, uid user Match all TCP or UDP packets sent by or received for a user. A user may be matched by name or identification number. gid group Match all TCP or UDP packets sent by or received for a group. A group may be matched by name or identification number. - -- Crist J.
Clark cjclark@alum.mit.edu -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBO4M/H1CmU62pemyaEQJsRwCgi7hN4TqhHMjd0IzlCSuAv9N8MkUAmwSk nFpjS1bahwxC2/+1WkogoP4/ =k/9L -----END PGP SIGNATURE----- From owner-freebsd-security Tue Aug 21 22:17:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 1CD3937B40D for ; Tue, 21 Aug 2001 22:17:06 -0700 (PDT) (envelope-from christopher@schulte.org) Received: from tarmap.schulte.org (tarmap.schulte.org [209.134.156.198]) by poontang.schulte.org (Postfix) with ESMTP id D1FC3D1471; Wed, 22 Aug 2001 00:16:59 -0500 (CDT) Message-Id: <5.1.0.14.0.20010822001428.029efd40@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 22 Aug 2001 00:16:59 -0500 To: Kris Kennaway From: Christopher Schulte Subject: Re: Local Sendmail vulnerability, from BugTraq Cc: freebsd-security@freebsd.org In-Reply-To: <20010821170934.A22112@xor.obsecurity.org> References: <3B82F724.A0436441@ursine.com> <3B82F724.A0436441@ursine.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org RELENG_4_3 to follow soon? I see 8.11.3 there, imported March 6 2001. At 05:09 PM 8/21/2001 -0700, you wrote: >It's already been fixed in the source tree > >Kris > >On Tue, Aug 21, 2001 at 05:04:52PM -0700, Michael Bryan wrote: > > > > FYI, I would presume this affects FreeBSD boxes...
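The signed-index check described in the BugTraq alert forwarded earlier in this thread, as an added example written for this page rather than sendmail's own tTflag() code: a category parsed into a signed int and compared with '>' against the vector size lets a negative value through, so a decimal large enough to wrap negative indexes memory before the trace vector, and the same comparison also lets category == size through, one past the end. The hardened variant parses with strtol(3), checks ERANGE, and accepts only 0 <= category < TTSIZE. TTSIZE, the struct, the function names and the sample arguments are assumptions made for the example, and the wraparound is modelled in unsigned arithmetic because real signed overflow is undefined in C.

```c
/*
 * Added illustration for this page of the signed-index check described in
 * the BugTraq alert quoted earlier in the thread. Not sendmail's tTflag()
 * code: TTSIZE, the struct, the function names and the sample arguments
 * are assumptions made for the example.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TTSIZE 100                      /* assumed size of the trace vector */

static unsigned char tTdvect[TTSIZE];   /* stand-in for the trace vector */

struct check {
    int passed;   /* 1 if the bounds check let the category through */
    int idx;      /* the index that tTdvect[idx] = level would then use */
};

/*
 * Naive decimal accumulator into a signed int, as a careless parser of the
 * "-d category.level" argument might do it. Real signed overflow is
 * undefined, so the wrap is modelled in unsigned arithmetic and converted
 * at the end; on two's-complement targets that yields the same negative
 * value the careless version would.
 */
static int parse_naive(const char **sp)
{
    unsigned int acc = 0;

    while (**sp >= '0' && **sp <= '9') {
        acc = acc * 10u + (unsigned int)(**sp - '0');   /* wraps mod 2^32 */
        (*sp)++;
    }
    return (int)acc;            /* anything >= 2^31 comes back negative */
}

/*
 * Vulnerable pattern: signed '>' against the vector size. A negative
 * category is not "greater than" TTSIZE, so it passes and the later write
 * lands before the start of tTdvect; TTSIZE itself passes too (off by one).
 */
struct check vulnerable_check(const char *arg)
{
    struct check r = { 0, 0 };
    const char *p = arg;

    r.idx = parse_naive(&p);
    r.passed = !(r.idx > TTSIZE);
    return r;
}

/*
 * Hardened pattern: parse with range detection, then accept only
 * 0 <= category < TTSIZE. ((unsigned long)cat >= TTSIZE) is the one-line
 * idiom that rejects negatives and the off-by-one together.
 */
struct check hardened_check(const char *arg)
{
    struct check r = { 0, 0 };
    char *end;
    long cat;

    errno = 0;
    cat = strtol(arg, &end, 10);
    if (end == arg || errno == ERANGE)      /* no digits, or too big for long */
        return r;
    if (cat < 0 || cat >= (long)TTSIZE)
        return r;
    r.passed = 1;
    r.idx = (int)cat;
    return r;
}

/* Apply "category.level" to the trace vector using the hardened check. */
int set_trace(const char *arg)
{
    struct check c = hardened_check(arg);
    const char *dot = strchr(arg, '.');
    char *end;
    long level;

    if (!c.passed || dot == NULL)
        return -1;
    errno = 0;
    level = strtol(dot + 1, &end, 10);
    if (end == dot + 1 || *end != '\0' || errno == ERANGE || level < 0 || level > 255)
        return -1;
    tTdvect[c.idx] = (unsigned char)level;
    return 0;
}

int trace_level(int cat)
{
    return (cat >= 0 && cat < TTSIZE) ? tTdvect[cat] : -1;
}

int main(void)
{
    static const char *samples[] = {
        "42.1", "100.1", "101.1", "2147483648.1", "4294967291.1"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct check v = vulnerable_check(samples[i]);
        struct check h = hardened_check(samples[i]);
        printf("%-14s vulnerable: %-6s idx=%-11d hardened: %s\n", samples[i],
               v.passed ? "PASS" : "reject", v.idx,
               h.passed ? "PASS" : "reject");
    }
    return 0;
}
```

Build with cc -Wall and run it: "100.1", "2147483648.1" and "4294967291.1" pass the vulnerable check and are rejected by the hardened one. In the real program the index feeds a write of the form tTdvect[cat] = level while the set-user-id root binary still holds its privileges, which is why the alert describes a path to full system compromise rather than a crash.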
From owner-freebsd-security Tue Aug 21 22:18:27 2001
From: Kris Kennaway
To: Christopher Schulte
Cc: Kris Kennaway, freebsd-security@freebsd.org
Date: Tue, 21 Aug 2001 22:18:17 -0700
Subject: Re: Local Sendmail vulnerability, from BugTraq
Message-ID: <20010821221817.B25219@xor.obsecurity.org>
In-Reply-To: <5.1.0.14.0.20010822001428.029efd40@pop.schulte.org>

On Wed, Aug 22, 2001 at 12:16:59AM -0500, Christopher Schulte wrote:
> RELENG_4_3 to follow soon?  I see 8.11.3 there, imported March 6 2001.

I think the bugfix in question was committed at the same time as RELENG_4.

Kris

From owner-freebsd-security Tue Aug 21 22:27:39 2001
From: Christopher Schulte
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Date: Wed, 22 Aug 2001 00:27:34 -0500
Subject: Re: Local Sendmail vulnerability, from BugTraq
Message-Id: <5.1.0.14.0.20010822002319.0277a298@pop.schulte.org>
In-Reply-To: <20010821221817.B25219@xor.obsecurity.org>

At 10:18 PM 8/21/2001 -0700, Kris Kennaway wrote:
> On Wed, Aug 22, 2001 at 12:16:59AM -0500, Christopher Schulte wrote:
> > RELENG_4_3 to follow soon?  I see 8.11.3 there, imported March 6 2001.
> > I think the bugfix in question was committed at the same time as RELENG_4.

FYI:

I don't see any recent changes to RELENG_4_3's sendmail via cvsweb, and my
cvsup logs show no edits to any sendmail source files.

> Kris

From owner-freebsd-security Tue Aug 21 22:31:10 2001
From: Kris Kennaway
To: Christopher Schulte
Cc: Kris Kennaway, freebsd-security@freebsd.org
Date: Tue, 21 Aug 2001 22:30:36 -0700
Subject: Re: Local Sendmail vulnerability, from BugTraq
Message-ID: <20010821223036.B25505@xor.obsecurity.org>
In-Reply-To: <5.1.0.14.0.20010822002319.0277a298@pop.schulte.org>

On Wed, Aug 22, 2001 at 12:27:34AM -0500, Christopher Schulte wrote:
> At 10:18 PM 8/21/2001 -0700, Kris Kennaway wrote:
> > On Wed, Aug 22, 2001 at 12:16:59AM -0500, Christopher Schulte wrote:
> > > RELENG_4_3 to follow soon?  I see 8.11.3 there, imported March 6 2001.
> >
> > I think the bugfix in question was committed at the same time as RELENG_4.
>
> FYI:
>
> I don't see any recent changes to RELENG_4_3's sendmail via cvsweb, and my
> cvsup logs show no edits to any sendmail source files.

Yeah, Greg just told me he didn't do it yet.

Kris

From owner-freebsd-security Tue Aug 21 22:34:56 2001
From: Gregory Neil Shapiro
To: Christopher Schulte
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Date: Tue, 21 Aug 2001 22:34:43 -0700
Subject: Re: Local Sendmail vulnerability, from BugTraq
Message-ID: <15235.17523.218347.856625@horsey.gshapiro.net>
In-Reply-To: <5.1.0.14.0.20010822002319.0277a298@pop.schulte.org>

christopher> I don't see any recent changes to RELENG_4_3's sendmail via
christopher> cvsweb, and my cvsup logs show no edits to any sendmail source
christopher> files.

You are correct.  It hadn't been fixed in RELENG_4_3 yet as I was awaiting
approval to commit to that branch.  It just arrived and the fix is committed.

From owner-freebsd-security Wed Aug 22 3:58:19 2001
From: "Rolandas Garska"
Date: Wed, 22 Aug 2001 12:56:04 +0200
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
The same problem is in FreeBSD Security Advisory FreeBSD-SA-01:40.fts.v1.1
The patch works if you cd /usr/src/lib/libc/gen, not /usr/src/lib/libc

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Dan Langille
Sent: Wednesday, August 22, 2001 4:38 AM
To: security-officer@FreeBSD.ORG
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs

On 21 Aug 2001, at 13:39, FreeBSD Security Advisories wrote:

> # cd /usr/src/sys
> # patch -p < /path/to/patch

[dan@xeon:/usr/src/sys] $ sudo patch -p < /usr/patches/procfs.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: sys/i386/linux/linprocfs/linprocfs_vnops.c
|===================================================================
|RCS file: /usr2/ncvs/src/sys/i386/linux/linprocfs/Attic/linprocfs_vnops.c,v
|retrieving revision 1.3.2.4
|retrieving revision 1.3.2.5
|diff -u -r1.3.2.4 -r1.3.2.5
|--- sys/i386/linux/linprocfs/linprocfs_vnops.c  2001/06/25 19:46:47  1.3.2.4
|+++ sys/i386/linux/linprocfs/linprocfs_vnops.c  2001/08/12 14:29:19  1.3.2.5
--------------------------
File to patch:

Is it just me or is this becoming a recurring theme?  *grin*

I volunteer to test every patch, given that I seem to be the first to
report the problem.

The patch works if you cd /usr/src, not /usr/src/sys
--
Dan Langille - DVL Software Limited
FreshPorts - http://freshports.org/ - the place for ports

From owner-freebsd-security Wed Aug 22 5:49:04 2001
From: michael dreves
Reply-To: michael@karolinelund.dk
To: freebsd-security@freebsd.org
Date: Wed, 22 Aug 2001 14:42:36 +0200
Subject: kerberosIV
Message-ID: <3B83A8BC.BCF790A0@karolinelund.dk>

hi,

anyone here running kerberosIV?

I follow the handbook instructions to the comma, and it works fine until
I want to activate a ticket with kinit.

I issue kinit, but after a while kinit responds with:

kinit: Retry count exceeded (send_to_kdc)

anyone have a hint?
Release 4.3.

regards,
-michael

From owner-freebsd-security Wed Aug 22 6:00:52 2001
From: Dave Ryan
To: freebsd-security@freebsd.org
Date: Wed, 22 Aug 2001 14:00:20 +0100
Subject: Re: kerberosIV
Message-ID: <20010822140020.A1911@alpha.eng.eircom.net>
In-Reply-To: <3B83A8BC.BCF790A0@karolinelund.dk>
Organization: Eircom CIRT

> anyone here running kerberosIV?

Is there any particular reason why you are running KerberosIV?  I would
advise using V (either MIT or Heimdal)

> I issue kinit, but after a while kinit responds
> with:
>
> kinit: Retry count exceeded (send_to_kdc)

Basically this means that kinit can't find the server; double check your
krb.conf files and all other conf files to make sure there are correct
entries for your domain etc.  Also check to make sure there is an entry for
the KDC in whatever you are using for name resolution (/etc/hosts or DNS?).

There is quite a bit of documentation for KerberosV and it's quite easy to
set up; I would suggest moving to that if you have no specific reason for
using kerberosIV.  Heimdal is in the ports.

Regards.
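The check Dave Ryan describes (does krb.conf name a KDC for the local realm, and does that name resolve?) is mechanical enough to script. The following is an added example, not code from the thread or from the KerberosIV distribution; it reads the KerberosIV krb.conf layout (first line is the local realm, later lines are "REALM kdc-host [admin server]") and looks each KDC up in a hosts(5)-style file. The file paths are parameters so the check can run against constructed files, and the realm and host names in the usage are made up.

```shell
# Added example (not from the thread): a pre-flight check for the
# "kinit: Retry count exceeded (send_to_kdc)" failure, i.e. kinit never
# reaching a KDC. Reads the KerberosIV krb.conf format and confirms that
# each KDC listed for the local realm resolves in a hosts file. Paths are
# parameters; in production they would be /etc/krb.conf and /etc/hosts.

# Print the local realm named on the first line of a krb.conf.
local_realm() {
    awk 'NR == 1 { print $1; exit }' "$1"
}

# Print the KDC host names listed for a realm, one per line.
# $1 = krb.conf, $2 = realm.
kdc_hosts() {
    awk -v realm="$2" 'NR > 1 && $1 == realm { print $2 }' "$1"
}

# Does a host name (compared case-insensitively) appear in a hosts(5) file?
# $1 = hosts file, $2 = host name. Comment lines are skipped.
host_in_hosts_file() {
    awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# Check every KDC for the local realm: print "ok host" or "missing host"
# per KDC; return 1 if any is missing, or if no KDC is configured at all
# (both produce the same send_to_kdc retry failure at kinit time).
# $1 = krb.conf, $2 = hosts file.
check_kdcs() {
    realm=$(local_realm "$1")
    [ -n "$realm" ] || { echo "no local realm on line 1 of $1" >&2; return 1; }
    n=0; bad=0
    for h in $(kdc_hosts "$1" "$realm"); do
        n=$((n + 1))
        if host_in_hosts_file "$2" "$h"; then
            echo "ok $h"
        else
            echo "missing $h"; bad=1
        fi
    done
    [ "$n" -gt 0 ] || { echo "no KDC listed for realm $realm" >&2; return 1; }
    return $bad
}
```

A site that resolves the KDC through DNS rather than /etc/hosts would replace host_in_hosts_file with a resolver query; the realm and KDC parsing stays the same.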
--
Dave Ryan
Computer Incident Response Team        dave.ryan@eircom.net
Eircom Multimedia

From owner-freebsd-security Wed Aug 22 6:24:55 2001
From: "Ken Brown"
To: "James Wyatt", "Rob Simmons"
Cc: "Matt Piechota", "Wes Peters", "Carroll, D. (Danny)"
Date: Wed, 22 Aug 2001 09:27:55 -0400
Subject: QNX was RE: Silly crackers... NT is for kids...

check out http://get.qnx.com/

For non commercial playing you can now download it free.  You still gotta
pay to redistribute though.

Ken

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of James Wyatt
Sent: August 21, 2001 7:23 PM
To: Rob Simmons
Cc: Matt Piechota; Wes Peters; Carroll, D. (Danny); freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...

--- lots of trimming ---

btw: I have always been impressed at how much QNX can run in real-time on a
SBC.  I've also been impressed at how much stuff ports to it easily.  I just
wish I could afford enough of it to play with on my own more.  (Besides the
surfing platform on a single floppy demo they sent out...)

From owner-freebsd-security Wed Aug 22 6:29:55 2001
From: Jimmy
To: security@freebsd.org
Date: Wed, 22 Aug 2001 21:43:51 +0800
Subject: master.passwd2smbpasswd
Message-ID: <3B83B717.7C7E01AA@tricom.com.ph>

is there a way I can convert my master.passwd to smbpasswd?

Thanks in advance,

Jimmy

From owner-freebsd-security Wed Aug 22 6:32:49 2001
From: "Guy Helmer"
Date: Wed, 22 Aug 2001 08:34:11 -0500
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
In-Reply-To: <3B82E2D3.823.D177AF1@localhost>

Dan Langille wrote:
> On 21 Aug 2001, at 13:39, FreeBSD Security Advisories wrote:
>
> > # cd /usr/src/sys
> > # patch -p < /path/to/patch
>
> [dan@xeon:/usr/src/sys] $ sudo patch -p < /usr/patches/procfs.patch
> Hmm...  Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |Index: sys/i386/linux/linprocfs/linprocfs_vnops.c
> |===================================================================
> |RCS file: /usr2/ncvs/src/sys/i386/linux/linprocfs/Attic/linprocfs_vnops.c,v
> |retrieving revision 1.3.2.4
> |retrieving revision 1.3.2.5
> |diff -u -r1.3.2.4 -r1.3.2.5
> |--- sys/i386/linux/linprocfs/linprocfs_vnops.c  2001/06/25 19:46:47  1.3.2.4
> |+++ sys/i386/linux/linprocfs/linprocfs_vnops.c  2001/08/12 14:29:19  1.3.2.5
> --------------------------
> File to patch:
>
> Is it just me or is this becoming a recurring theme?  *grin*
>
> I volunteer to test every patch, given that I seem to be the first to
> report the problem.
>
> The patch works if you cd /usr/src, not /usr/src/sys

It is my sense from reading some other vendor's advisories (namely RedHat)
that advisories go through internal review and correction prior to release.
A quick review process by a small group of interested security-minded folks
could help catch minor typos like this one.  Would security-officer be
willing to setup a private mail list for a small group of interested people
and give them a few hours to review proposed advisories prior to release?
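The "File to patch:" prompt quoted above (the advisory said cd /usr/src/sys, but the diff's paths start with sys/, so it applies from /usr/src) can be caught before patch is ever run. The following is an added example, not code from the thread or from the FreeBSD advisory: it reads the "+++" target paths from a unified diff, strips leading path components the way patch -pN does, and reports which candidate directory contains every target. The thread's observation that the advisory's "patch -p" applied from /usr/src with the paths unmodified is treated as strip count 0. The directory layout and patch text in the test are constructed.

```shell
# Added example (not from the thread): a pre-flight check for the
# "File to patch:" prompt. It lists a unified diff's target files, strips
# N leading directories as patch -pN would, and checks that each target
# exists under a candidate directory. Layout and diff text used with it
# are constructed for illustration.

# Print the target path of each file in a unified diff, taken from its
# "+++" line (the field before the first whitespace, as patch reads it).
patch_targets() {
    awk '/^[+][+][+] / { print $2 }' "$1"
}

# Strip N leading path components, as patch -pN does: "sys/i386/x.c"
# with N=1 becomes "i386/x.c". $1 = path, $2 = N.
strip_components() {
    echo "$1" | awk -v n="$2" -F/ '{
        out = ""
        for (i = n + 1; i <= NF; i++) out = out (out == "" ? "" : "/") $i
        print out }'
}

# Return 0 if every target of the diff exists under DIR after stripping N
# components; print each missing path on stderr and return 1 otherwise.
# $1 = diff file, $2 = directory, $3 = strip count.
patch_applies_in() {
    rc=0
    for t in $(patch_targets "$1"); do
        rel=$(strip_components "$t" "$3")
        if [ ! -f "$2/$rel" ]; then
            echo "missing: $2/$rel" >&2; rc=1
        fi
    done
    return $rc
}

# Print the first candidate directory (from $3 onwards) in which the diff
# applies with strip count $2; return 1 if none does.
# Usage: find_patch_dir /usr/patches/procfs.patch 0 /usr/src/sys /usr/src
find_patch_dir() {
    diff=$1; n=$2; shift 2
    for d in "$@"; do
        if patch_applies_in "$diff" "$d" "$n" 2>/dev/null; then
            echo "$d"; return 0
        fi
    done
    return 1
}
```

Running find_patch_dir over the directories an advisory might mean (here /usr/src/sys and /usr/src) answers the question before patch asks it interactively, and the missing-path output on stderr shows exactly which prefix was wrong.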
Guy

From owner-freebsd-security Wed Aug 22 6:37:51 2001
From: Chris Faulhaber
To: Jimmy
Cc: security@freebsd.org
Date: Wed, 22 Aug 2001 09:37:27 -0400
Subject: Re: master.passwd2smbpasswd
Message-ID: <20010822093727.A31590@peitho.fxp.org>
In-Reply-To: <3B83B717.7C7E01AA@tricom.com.ph>

On Wed, Aug 22, 2001 at 09:43:51PM +0800, Jimmy wrote:
> is there a way I can convert my master.passwd to smbpasswd?
>
> Thanks in advance,
>

make_smbpasswd < /etc/passwd

IIRC, samba uses a different password hashing scheme so you cannot simply
convert users *and* passwords.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Wed Aug 22 6:41:31 2001
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Guy Helmer
Cc: dan@langille.org, security-officer@freebsd.org, security@freebsd.org
Date: Wed, 22 Aug 2001 08:40:33 -0500
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
Message-ID: <3B83B651.75B523AB@centtech.com>

I would be interested in helping out for that too..  This is definitely a
good idea.

Two thumbs up.

Eric Anderson

Guy Helmer wrote:
>
> Dan Langille wrote:
> > On 21 Aug 2001, at 13:39, FreeBSD Security Advisories wrote:
> >
> > > # cd /usr/src/sys
> > > # patch -p < /path/to/patch
> >
> > [dan@xeon:/usr/src/sys] $ sudo patch -p < /usr/patches/procfs.patch
> > Hmm...  Looks like a unified diff to me...
> > [...]
> > The patch works if you cd /usr/src, not /usr/src/sys
>
> It is my sense from reading some other vendor's advisories (namely RedHat)
> that advisories go through internal review and correction prior to release.
> A quick review process by a small group of interested security-minded folks
> could help catch minor typos like this one.  Would security-officer be
> willing to setup a private mail list for a small group of interested people
> and give them a few hours to review proposed advisories prior to release?
>
> Guy

--
-------------------------------------------------------------------------------
Eric Anderson      anderson@centtech.com      Centaur Technology      (512) 418-5792
Truth is more marvelous than mystery.
-------------------------------------------------------------------------------

From owner-freebsd-security Wed Aug 22 6:50:40 2001
From: "Andrew R. Reiter"
To: Eric Anderson
Cc: Guy Helmer, dan@langille.org, security-officer@FreeBSD.ORG, security@FreeBSD.ORG
Date: Wed, 22 Aug 2001 09:49:07 -0400 (EDT)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
In-Reply-To: <3B83B651.75B523AB@centtech.com>

Hurm.  I had assumed always that "security-officer" was more than one
person and that these people, not necessarily the FreeBSD "security team"
(if one wishes to call it that), should be those who review the
patch/advisory.  Bah, perhaps I just hear things ...

andrew

On Wed, 22 Aug 2001, Eric Anderson wrote:

:I would be interested in helping out for that too..  This is definitely a
:good idea.
:
:Two thumbs up.
: :Eric Anderson : : :Guy Helmer wrote: :> :> Dan Langille wrote: :> > On 21 Aug 2001, at 13:39, FreeBSD Security Advisories wrote: :> > :> > > # cd /usr/src/sys :> > > # patch -p < /path/to/patch :> > :> > [dan@xeon:/usr/src/sys] $ sudo patch -p < /usr/patches/procfs.patch :> > Hmm... Looks like a unified diff to me... :> > The text leading up to this was: :> > -------------------------- :> > |Index: sys/i386/linux/linprocfs/linprocfs_vnops.c :> > |=================================================================== :> > |RCS file: :> > /usr2/ncvs/src/sys/i386/linux/linprocfs/Attic/linprocfs_vnops.c,v :> > |retrieving revision 1.3.2.4 :> > |retrieving revision 1.3.2.5 :> > |diff -u -r1.3.2.4 -r1.3.2.5 :> > |--- sys/i386/linux/linprocfs/linprocfs_vnops.c 2001/06/25 :> > 19:46:47 1.3.2.4 :> > |+++ sys/i386/linux/linprocfs/linprocfs_vnops.c 2001/08/12 :> > 14:29:19 1.3.2.5 :> > -------------------------- :> > File to patch: :> > :> > Is it just me or is this becoming a recurring theme? *grin* :> > :> > I volunteer to test every patch, given that I seem to be the first to :> > report the problem. :> > :> > The patch works if you cd /usr/src, not /usr/src/sys :> :> It is my sense from reading some other vendor's advisories (namely RedHat) :> that advisories go through internal review and correction prior to release. :> A quick review process by a small group of interested security-minded folks :> could help catch minor typos like this one. Would security-officer be :> willing to setup a private mail list for a small group of interested people :> and give them a few hours to review proposed advisories prior to release? :> :> Guy :> :> To Unsubscribe: send mail to majordomo@FreeBSD.org :> with "unsubscribe freebsd-security" in the body of the message : :-- :------------------------------------------------------------------------------- :Eric Anderson anderson@centtech.com Centaur Technology (512) :418-5792 :Truth is more marvelous than mystery. 
:-------------------------------------------------------------------------------
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message
:

*-------------..................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security  Wed Aug 22 06:53:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from magellan.palisadesys.com (magellan.palisadesys.com [192.188.162.211]) by hub.freebsd.org (Postfix) with ESMTP id 80F9E37B40E; Wed, 22 Aug 2001 06:53:35 -0700 (PDT) (envelope-from ghelmer@palisadesys.com)
Received: from mira (mira.palisadesys.com [192.188.162.116]) (authenticated (0 bits)) by magellan.palisadesys.com (8.11.4/8.11.4) with ESMTP id f7MDrUh21840 (using TLSv1/SSLv3 with cipher RC4-MD5 (128 bits) verified NO); Wed, 22 Aug 2001 08:53:30 -0500
From: "Guy Helmer"
To: "Andrew R. Reiter", "Eric Anderson"
Cc:
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
Date: Wed, 22 Aug 2001 08:55:16 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

Andrew R. Reiter [mailto:arr@watson.org] wrote
> Hurm.
> I had assumed always that "security-officer" was more than one
> person and that these people, not necessarily the FreeBSD "security team"
> (if one wishes to call it that), should be those who review the
> patch/advisory.  Bah, perhaps I just hear things ...

I am sure "security-officer" is more than one person but a little more
"peer review" could apparently help the advisory process.

Guy

From owner-freebsd-security  Wed Aug 22 07:25:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 1AD6037B425; Wed, 22 Aug 2001 07:24:48 -0700 (PDT) (envelope-from arr@watson.org)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.5/8.11.5) with SMTP id f7MEOj266577; Wed, 22 Aug 2001 10:24:45 -0400 (EDT) (envelope-from arr@watson.org)
Date: Wed, 22 Aug 2001 10:24:44 -0400 (EDT)
From: "Andrew R. Reiter"
To: freebsd-audit@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: setlogincontext() modifications.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi,

I plan on doing some patches for adding setlogincontext() calls to:

libexec/:
	atrun/atrun.c
	ftpd/ftpd.c
	rshd/rshd.c
	uucpd/uucpd.c

as an initial step towards seeing how people react.  If people can perhaps
recommend a couple more from other parts of the tree that I could write
patches for, that would be great.  I ask this so that I can perhaps get a
bit more of a reaction from some people as this type of patch will affect
some network daemons etc...

Thanks,

Andrew

*-------------..................................................
| Andrew R.
Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security  Wed Aug 22 07:39:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 5C15437B40E; Wed, 22 Aug 2001 07:39:36 -0700 (PDT) (envelope-from arr@watson.org)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.5/8.11.5) with SMTP id f7MEdYh66692; Wed, 22 Aug 2001 10:39:34 -0400 (EDT) (envelope-from arr@watson.org)
Date: Wed, 22 Aug 2001 10:39:33 -0400 (EDT)
From: "Andrew R. Reiter"
To: freebsd-audit@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: setlogincontext() modifications.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

As a quick follow-up :-)  I wonder if at the same time, I should work on
auth_* patches as well?  Thoughts?

On Wed, 22 Aug 2001, Andrew R. Reiter wrote:

:Hi,
:
:I plan on doing some patches for adding setlogincontext() calls to:
:
:libexec/:
:	atrun/atrun.c
:	ftpd/ftpd.c
:	rshd/rshd.c
:	uucpd/uucpd.c
:
:as an initial step towards seeing how people react.  If people can perhaps
:recommend a couple more from other parts of the tree that I could write
:patches for, that would be great.  I ask this so that I can perhaps get a
:bit more of a reaction from some people as this type of patch will affect
:some network daemons etc...
:
:Thanks,
:
:Andrew
:
:*-------------..................................................
:| Andrew R.
Reiter
:| arr@fledge.watson.org
:| "It requires a very unusual mind
:| to undertake the analysis of the obvious" -- A.N. Whitehead
:
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-audit" in the body of the message
:

*-------------..................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security  Wed Aug 22 07:52:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (bgm-24-169-175-136.stny.rr.com [24.169.175.136]) by hub.freebsd.org (Postfix) with ESMTP id A833937B412 for ; Wed, 22 Aug 2001 07:52:03 -0700 (PDT) (envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.4/8.11.4) with ESMTP id f7MEpPs28030; Wed, 22 Aug 2001 10:51:26 -0400 (EDT) (envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Wed, 22 Aug 2001 10:51:25 -0400 (EDT)
From: Matt Piechota
To: James Wyatt
Cc: Rob Simmons, Wes Peters, "Carroll, D. (Danny)"
Subject: Re: Silly crackers... NT is for kids...
In-Reply-To:
Message-ID: <20010822104925.S24431-100000@cithaeron.argolis.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 21 Aug 2001, James Wyatt wrote:

> btw: I have always been impressed at how much QNX can run in real-time on
> a SBC.  I've also been impressed at how much stuff ports to it easily.  I
> just wish I could afford enough of it to play with on my own more.
> (Besides the surfing platform on a single floppy demo they sent out...)
QNX RTP (Real Time Platform, aka QNX6) is a free download for non-commercial
uses.  Check out their site.  I think they Open Sourced a fair amount of it
as well.

--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security  Wed Aug 22 09:29:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 31D4C37B432 for ; Wed, 22 Aug 2001 09:28:59 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f7MGSud60744; Wed, 22 Aug 2001 12:28:56 -0400 (EDT) (envelope-from wollman)
Date: Wed, 22 Aug 2001 12:28:56 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200108221628.f7MGSud60744@khavrinen.lcs.mit.edu>
To: Dave Ryan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kerberosIV
In-Reply-To: <20010822140020.A1911@alpha.eng.eircom.net>
References: <3B83A8BC.BCF790A0@karolinelund.dk> <20010822140020.A1911@alpha.eng.eircom.net>

< said:

> There is quite a bit of documentation for KerberosV and it's quite easy to
> setup, I would suggest moving to that if you have no specific reason for
> using kerberosIV.  Heimdal is in the ports.

Furthermore, there are substantial weaknesses in the v4 protocol which
are fixed in v5.  Unless there is a need to be backward-compatible at
an existing site, v4 should never be installed (not even the v5 code
in v4-compatibility mode).
-GAWollman

From owner-freebsd-security  Wed Aug 22 09:42:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from apu.eircom.net (mail1.tinet.ie [159.134.237.21]) by hub.freebsd.org (Postfix) with ESMTP id F41DF37B40E for ; Wed, 22 Aug 2001 09:42:15 -0700 (PDT) (envelope-from ryand@alpha.eng.eircom.net)
Received: from alpha.eng.eircom.net ([159.134.242.178]) by apu.eircom.net with esmtp (Exim 2.05 #1) id 15Zb54-0000jR-00 for freebsd-security@FreeBSD.ORG; Wed, 22 Aug 2001 17:42:14 +0100
Received: (from ryand@localhost) by alpha.eng.eircom.net (8.11.3/8.10.1) id f7MGfwe20041 for freebsd-security@FreeBSD.ORG; Wed, 22 Aug 2001 17:41:58 +0100 (IST)
Date: Wed, 22 Aug 2001 17:41:57 +0100
From: Dave Ryan
To: freebsd-security@FreeBSD.ORG
Subject: kerberosV - SecurID
Message-ID: <20010822174157.A28071@alpha.eng.eircom.net>
Mail-Followup-To: Dave Ryan, freebsd-security@FreeBSD.ORG
References: <3B83A8BC.BCF790A0@karolinelund.dk> <20010822140020.A1911@alpha.eng.eircom.net> <200108221628.f7MGSud60744@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200108221628.f7MGSud60744@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Wed, Aug 22, 2001 at 12:28:56PM -0400
Organization: Eircom CIRT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does anyone know if RSA SecurID OTPs are used anywhere to enhance the
ticket granting phase of a kerberos authentication sequence?

e.g.
A user is challenged for their username, password and/or PASSCODE, which is
then passed onto the KDC, which then talks to an RSA ACE Agent which
validates the authenticity of the user based on the credentials supplied.
The user is then given a token etc. ...

Anyone got any ideas about that?  It's been suggested to me to look into the
ietf workings around hardware pre-authentication.

I have seen references for SecurID support in IV, and I think in a dated
version developed by cygnus a while back - I could be wrong.

Regards,
Dave.

- --
Dave Ryan
Computer Incident Response Team
dave.ryan@eircom.net
Eircom Multimedia

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjuD4NIACgkQHSjBCI+q2yIlUQCaAtM+uO7qLjKvOGmUHB8Bhqfg
yS0AniMUs3/hBARI8Fq1UsabcX087/8W
=P0yh
-----END PGP SIGNATURE-----

From owner-freebsd-security  Wed Aug 22 09:53:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 5CC0037B433 for ; Wed, 22 Aug 2001 09:52:40 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f7MGqco61050; Wed, 22 Aug 2001 12:52:38 -0400 (EDT) (envelope-from wollman)
Date: Wed, 22 Aug 2001 12:52:38 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200108221652.f7MGqco61050@khavrinen.lcs.mit.edu>
To: Dave Ryan
Cc: freebsd-security@FreeBSD.ORG
Subject: kerberosV - SecurID
In-Reply-To: <20010822174157.A28071@alpha.eng.eircom.net>
References: <3B83A8BC.BCF790A0@karolinelund.dk> <20010822140020.A1911@alpha.eng.eircom.net> <200108221628.f7MGSud60744@khavrinen.lcs.mit.edu> <20010822174157.A28071@alpha.eng.eircom.net>
< said:

> Does anyone know if RSA SecurID OTPs are used anywhere to enhance the ticket
> granting phase of a kerberos authentication sequence?

Yes.  I believe one of the USDOE-funded National Labs is doing so.

The process is called ``preauthentication'' in Kerberos terminology.
A principal whose REQUIRES_PREAUTH flag is set in the KDC's database
must prove to the KDC's satisfaction that it is who it claims to be
before the KDC will issue a TGT.  (The principal still must have a
password which is used as the decryption key for the TGT.)

-GAWollman

From owner-freebsd-security  Wed Aug 22 10:07:01 2001
Delivered-To: freebsd-security@freebsd.org
Received: from directcommunications.net (mailgate.bridgetrading.com [62.49.201.178]) by hub.freebsd.org (Postfix) with ESMTP id 7F90637B414; Wed, 22 Aug 2001 09:52:45 -0700 (PDT) (envelope-from owner-ringtones@mobiledirect.uk.com)
Received: from localhost (mail@localhost) by directcommunications.net (8.11.0/8.11.0) with SMTP id f7MGqQ332067; Wed, 22 Aug 2001 17:52:26 +0100
X-Authentication-Warning: hercules.bti.com: mail owned process doing -bs
Received: by hercules.bti.com (bulk_mailer v1.13); Wed, 22 Aug 2001 17:44:45 +0100
Received: from mobiledirect.uk.com (aries.bti.com [10.54.1.1]) by directcommunications.net (8.11.0/8.11.0) with ESMTP id f7MGiiU01504 for ; Wed, 22 Aug 2001 17:44:44 +0100
Message-ID: <3B83E168.2090106@mobiledirect.uk.com>
Date: Wed, 22 Aug 2001 17:44:24 +0100
From: Mobile Ringtones
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3+) Gecko/20010817
X-Accept-Language: en-us
MIME-Version: 1.0
To: ringtones@mobiledirect.uk.com
Subject: Ringtones and Logos
Content-Type: multipart/related; boundary="------------050200090204050702040306"
--------------050200090204050702040306
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

[newlogo image]

Personalise Your Nokia with these great Logos!!!

Logo            Code
Bitch           21692
Hope            21716
Sex Bomb        21740
Dragon 1        20110
Love Beer       20203
fcuk            21951
Loving Eyes     20142
Trust No One    20409
Rizla           21256
The Simpsons    20399

Call Now ON "0906 400 2144"
Quote the 5 digit number and your logo / Ringtone will be sent immediately!!
For many more please visit www.mobiledirect.uk.com

Get Your Mobile Rocking with these great Ringtones!!!

Description                          Code
Baha Men - Who let the dogs out      10138
Bob the Builder - Can We Fix It?     11107
Shaggy Feat Rikrok - It Wasn't Me    11762
The Simpsons                         10009
James Bond Theme                     10000
Star Wars Imperial March             10085

Please note: the call costs £1.50 per minute and the average call length is 2 minutes. Please ask bill payer for permission. Calls from mobiles cost more depending on service. The following phones receive both logos and tones - Nokia 3210, 3310, 6090, 6110, 6130, 6150, 6210, 6250, 7110, 8110i, 8210, 8810, 8850, 9000i and 9110. Nokia models: 402 and 51XX receive logos only. Motorola T250, T2288, V50, V100, V2288, V8088 receive ring tones only. Please make sure that your mobile is listed here before ordering. Mobile Direct reserves the right not to refund your money if your phone is not listed here. If you experience any problem, call Customer Service on 0800 015 1175. Orders normally sent immediately, depending on network.

For hundreds more ringtones and logos just click on to www.mobiledirect.uk.com - pass this on to a friend or stick it on the notice board

Important Notice: If you do not wish to receive any more emails, please mail us on majordomo@mobiledirect.uk.com and click "send." and your address will be removed

vsW9xbfEvLXFtb2+vZbSr63Csri+u7W8t7y5uLW1vbW1tZy7xaK+rau1ta61rpu8pY3JpqW1 rYrCoKC3vK+wsa2trY+8oZ20pIm7naetqqWtpYLAnIO5l5mwpY22nH7AmaWmpaWlraGmoJGt n4K2mIO0lZ6lop2lnY6vm4iwl320lIKrkpyfoHmrknmrjpmZmZmZmZmZmZmZmXSrioybk4Kg pXmojHOoioyVkYyUjYeSi3Kbg4uMjG2cgIWMiWyaf4KMhHOUhGSefH6IgmuVe4SEhIWHiWWT eHyGgWmOeHqFfWqKdXaCeWONdWCJbnp+fF6IcHZ7e3F7dF+DblOObW14cVyGbHJycmF7bGxz cU2DZF1+amp0bld6ZlR5ZEp6X0d4XVNzYWZmZmZmZmZmZmZmZlFyXl5oYkxyXFRuX09tW1xk YVdhW0trW0toVVVgXExmV1hcW0piUkRfT1NaWUJjSlJaUktXUFFTUUJbS0pRUT1XSUlOTDZc RUJUSD5TRUlJSTdRREFJSD9JRThMQkJCQjROQDVIOztEQStJOjBCOCJJMzY6OyZEMzU4OiJB MS46Mio3LSg7MTMzMyQ8LyE6KRo2KCsvMycyKiQyKCgoKBoxIyMrJyEpIxgpICEjJyAgIBkh HRgfGgwnGRAkGBkZGRQaFhIWEw8PDwkUDgoKCgAAAP///wAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFFADMACwA AAAAUABLAAAI/wABCBxIsKDBgwgTKlzIsKHDhxAjSpxIsaLFixgzatzIsaPHjyBDQjwA4YDI kwUVVDhR44SGCgpQimSQg0qNERkeIHjQYYFMjwqEjAHiocOEAwGSPsgw4KdGAkDiPPnwoUOD AwKSJp1QIYDTix7eeDmhgkaGDBIOHBigVUCGCF8pGsgxRoUJJjk8TBjxYcEBAwS0KsgQMy7E CjpUZKjBxcgJDxoQ5NCgdkBgrxEyeDXMMMAIHRo8MBlDJYeKDxq45mCA4EABrQEqPODM8IQO CRm85GHzBIgLEx4qNGCSAQECA1m9IshgkjbCDFSAaxG0m4qQlqglUGCyoDVbrREmOP9H6IKK Dh1sIpmRk+WIaRMcKkxwUcG4gddeDVTwOb6gCus6PEEJF3J48YQOLjymwQMsLbAAW5cBwEBX /RHEAYA5HPIGGGpYV8NpGmRQAQUNDEBBB1oBEMAEDFQ40ANUHIHgGItgIQcW7v0GGYkTGDGG HAgkJRACE2xW4QBHHJiDEJRgwQYYTwiR4AcZTHBCGYt4oQICAgj0gHwtugiAC1ic5wIfcXjB RoymfeDCGIfEQQUFfwGAABK4cDFBBEb2p0EWQiCoBSNPsMcEgh+gEckYJ0jAQAEHiFDED6ug csIE/FX4AI465JADI1xsGGUOJggBBgcTPKDABT7sQEIbtAT/A8aCfToXABOH5nCCGnwQGCOC JoTIgAQvKMGDFZ4o44stoLiAqZj/deqCDpFwUYcWvbmgQgURlFAEDDhM0ksuvCgCSDBeWFUr bRVwqisfd6DR4RHbbpAED1s0soUTmaiSCRlt7IJJDhEU1t8BT8iYmIDWYuHSDVbwIIMqvnxB BizCSDLHHp3wgoUGDKzLWQ1KkrpImiqEsIQTOMjgiDKywKFIJob0kYgkiPjCBw0PNNcfdEB4 akIWlDDBQRM88KCEIsEE84kie/gRCCSSkJLJK6gcwaLIcRlwhBA5fHgCJW98kIQSTuwBizGT 
tNGHIpNM8sknkMCSSi9emNCdiyfI/+hCDR6AgYkKMYjRRRu9GKNIH45Isgkpp2SyBB6yECPI aiFr6neCJ2hihgZbnKHEKcI4QgowkH+yRx9brIHLMLA8cZTPttYAtgsuaPBGJB70IEYTmxzT izCxbKJIGp6Q4QkyivyhBg0cCJD5zzm64CYmT4DuR+LHqLKHG2lsAUkvp3ThwwYAeHBCAAsY UKEBgeKuWByCZDBELscgI8seinxCRizB6AMRWDCBAgBABSMIgAHC1J8PHKEGuNNADh7BhAts QhiICIQd7OAHXpDiCjYIQc+QAgQKBGAA0xtPA3J0ghNkoA6CqAAVWgEHP7ghF7nwgxJekIEG LIABEegAE/9G8AABKIB2znGBb8iSASFcggkUCIUpeHGMTYjBB5eCgAQ4gBMaoEEzBkChiybw wCllgA+LmAAVkkELPUzhBvGZgAdyMIIFBEAFZgiAAO7DgC71JwBmOgF9mCAKLESgEXRAAnw4 kIEcACEDFkjAA7jwAQD8ZQDGcZEGjKAtFUCGEZoYwSY9YALUPAELLVgBBiYAhCcI5C8GWKCL BnC7FlIAC5yIoQfodYI45CELVZgBChjTIgEsYI8I6KOLPiAEGrRQAyM4BCXqcJYTPOEYugDV E1RQAyAIAFLJzACJkEgbBBghB5yjABryEAk+fOABGqiBGZ5wExF5gQELRIAJIsD/AAZkqj8n kBITdXAtShxCEG9gghG4QAOcMOAJKDCOB2jwlwMc00ULOIK2ToCTOlCBCahgBR8ikYUyPOEE qGpkAwzQmwcZQC1iCmiCtuUkF2SBE6LgxBO8wAQaBOcB2kEYDQzwpQYYrD8Z3aj6+ECvHNzh ZGVggmIokCAPZIABDYhAHR9wUb4J9AQVUIMWPmSCHDyBVFYFAg1YpIH21aAC+SQnbTJaA2c2 kg/o1NEHIOMjLjQKUxTIwlG49E+Ago0GJnjhNm3DBCDUIANv0AQX0CKBBXTgDUfppx3FlFGz busIcjiBF+qQAw6oAAgmKANoSukBCRARNxJ4gPvEVCos/wjBAxfIwxEoUYo4cKGsVMqAEWgQ HqYwgAb+dJCY7HQEJrzBBRR4AhsEMQuytQQ+T1ADEDoQngOcAAgGOI4CCLBcEwAhqpDJwxPG ACgmSEkDmMAEFzpQAQmwFAsQWIACWrNcBTzQNLd8w13KIIQRqCAHWFiEETwgygqYlwF7YtFy AeDAHEDPA4I4Ah9EIYgsqGDBpATCCRiQmgPs5YcP4BpnvKbWS2lBDXn4hSsiYQS7eOAJZjDL BI6Sg57oFwET1sATnMkBDFMhD3KgQsK0pYlc0rcBDzCDB/opvQkHAGwmuNRoVXAELqAWCEZY BCewAJkQ+VUCAxBAA1TMmQocIf/LHPjAIqggCE1ElQZUGEENPhC2lXBLAWHc7ITDlmUKeIEP lNAFKijxBG194Alc8AA8MdUdAxTWRRA4qUs8sAg5UCJLSvaUJiIhYL1AgDURAPKEBeKCI9jS C4c4AhbAQCogZMEVqECDCymQqgjMZtUCeeiUOMAINXx6EagdQw6Y4ALIVODZl55w37Isw0uw 4ha34IMXNGqCbnsAMqoG9kAIwOwToOYRIcXEjYzQKRWQxQNNEXdBMsCELGcAC5pgwxi0gIUo deq2bF51DXTgbUYcQg37VnK/KyDvhGS0hRx4wij4gHA2xAEI0W74QO6NIBcsYtGHAEMGNM6Q CrA7oGoGwIJmnBMQACH5BAUUAMwALCQABAAKABIAAAhzAJkJZLZgwsCDzCKUQThQAbARDJkZ OPYrAEMDs5YJYrhARZxlKBAyCAmqlMgazB78qnCQAUpmglS0fIkl5ECXArMYHHgApYInFplR GDFCpocMAu8oW6bsCbMDArksm7pMyMFSVIsxOEjD1a1ILBEe2MowIAAh+QQFFADMACw1AAoA 
DAASAAAIjgCZCRTIgcbAgwMzUEKIkMGyhQwFRrgDjFNEZh0EBdC1KOKDZVgMGOvAkAGoZRzi mGHYgQkQYG+eMJxQzICQZSNKAtMVAFQNhhlycAFlRibCDAZrFMtxcEEEDj+ZlenILECcYsqA MWVGQBADZneWiV0GRGAALAsWFBura4HACmWZZbnF8cHAEW4FLvgaMSAAIfkECRQAzAAsAAAA AFAASwAACN0AmQkcSLCgwYMIEypcyLChw4cQIwpcMEGixYsYI5TByLEjQwXARngcSVKggWO/ ApRcidHArGWCWMqMuEBFnGUoZupkyCAnqFI7gyJkUIPZg19CkxIkKjCmUqVMmWF5CrUosyxU kx4oquBJ1p0URoxQwcxDhq8z7yhbpszrAbQyuSybu0wI3Jml6BZjcFcmDVe3IlXoO/MAX8KI EytezLix48eQI0ueTLmy5cuYM2vezLmz58+gQ4seTbq06dOoU6tezbq169ewY8ueTbu27du4 c+vezbu379/Ag1cOCAA7 --------------050200090204050702040306 Content-Type: image/gif; name="Sent" Content-Transfer-Encoding: base64 Content-ID: Content-Disposition: inline; filename="Sent" R0lGODlhEAAWAKIGAGV/ov///wAAAGB7nzJAUrbD0////wAAACH5BAEAAAYALAAAAAAQABYA AANTaLrc/jBKIeQiQABLhiiF1AFAEWwKqnTBF5zpxXomrBKBObTCq66Dwo7W+xk6ulbGRspg hhSfg8JywR6CjnVjVGRJUkPXkP0UVOPyeFqxuN9wRgIAOw== --------------050200090204050702040306 Content-Type: image/gif; name="Sent" Content-Transfer-Encoding: base64 Content-ID: Content-Disposition: inline; filename="Sent" R0lGODlhEAAWAKIGAGV/ov///wAAAGB7nzJAUrbD0////wAAACH5BAEAAAYALAAAAAAQABYA AANTaLrc/jBKIeQiQABLhiiF1AFAEWwKqnTBF5zpxXomrBKBObTCq66Dwo7W+xk6ulbGRspg hhSfg8JywR6CjnVjVGRJUkPXkP0UVOPyeFqxuN9wRgIAOw== --------------050200090204050702040306 Content-Type: image/gif; name="Sent" Content-Transfer-Encoding: base64 Content-ID: Content-Disposition: inline; filename="Sent" R0lGODlhEAAWAKIGAGV/ov///wAAAGB7nzJAUrbD0////wAAACH5BAEAAAYALAAAAAAQABYA AANTaLrc/jBKIeQiQABLhiiF1AFAEWwKqnTBF5zpxXomrBKBObTCq66Dwo7W+xk6ulbGRspg hhSfg8JywR6CjnVjVGRJUkPXkP0UVOPyeFqxuN9wRgIAOw== --------------050200090204050702040306 Content-Type: image/gif; name="Sent" Content-Transfer-Encoding: base64 Content-ID: Content-Disposition: inline; filename="Sent" R0lGODlhEAAWAKIGAGV/ov///wAAAGB7nzJAUrbD0////wAAACH5BAEAAAYALAAAAAAQABYA AANTaLrc/jBKIeQiQABLhiiF1AFAEWwKqnTBF5zpxXomrBKBObTCq66Dwo7W+xk6ulbGRspg hhSfg8JywR6CjnVjVGRJUkPXkP0UVOPyeFqxuN9wRgIAOw== 
From owner-freebsd-security Wed Aug 22 10:31:49 2001
Received:
 from smtp8.xs4all.nl (smtp8.xs4all.nl [194.109.127.134]) by hub.freebsd.org (Postfix) with ESMTP id 0A55C37B406 for ; Wed, 22 Aug 2001 10:31:39 -0700 (PDT) (envelope-from wkb@freebie.xs4all.nl)
Received: from freebie.xs4all.nl (freebie.xs4all.nl [213.84.32.253]) by smtp8.xs4all.nl (8.9.3/8.9.3) with ESMTP id TAA28544; Wed, 22 Aug 2001 19:31:29 +0200 (CEST)
Received: (from wkb@localhost) by freebie.xs4all.nl (8.11.4/8.11.4) id f7MHVSd32092; Wed, 22 Aug 2001 19:31:28 +0200 (CEST) (envelope-from wkb)
Date: Wed, 22 Aug 2001 19:31:28 +0200
From: Wilko Bulte
To: Matt Piechota
Cc: James Wyatt, Rob Simmons, Wes Peters, "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...
Message-ID: <20010822193128.B32043@freebie.xs4all.nl>
References: <20010822104925.S24431-100000@cithaeron.argolis.org>
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010822104925.S24431-100000@cithaeron.argolis.org>; from piechota@argolis.org on Wed, Aug 22, 2001 at 10:51:25AM -0400
X-OS: FreeBSD 4.3-STABLE
X-PGP: finger wilko@freebsd.org

On Wed, Aug 22, 2001 at 10:51:25AM -0400, Matt Piechota wrote:
> On Tue, 21 Aug 2001, James Wyatt wrote:
>
> > btw: I have always been impressed at how much QNX can run in real-time on
> > a SBC. I've also been impressed at how much stuff ports to it easily. I
> > just wish I could afford enough of it to play with on my own more.
> > (Besides the surfing platform on a single floppy demo they sent out...)
>
> QNX RTP (Real Time Platform, aka QNX6) is a free download for
> non-commercial uses.  Check out their site.  I think they Open Sourced a
> fair amount of it as well.

*** SIGH ***

Can we please take this discussion elsewhere?
It has nothing to do with FreeBSD/security

-- 
|   / o / /  _    Arnhem, The Netherlands    email: wilko@FreeBSD.org
|/|/ / / /(  (_)  Bulte

From owner-freebsd-security Wed Aug 22 14:10:49 2001
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 4052237B40D for ; Wed, 22 Aug 2001 14:10:28 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f7MLAJU78729; Wed, 22 Aug 2001 14:10:19 -0700 (PDT) (envelope-from dillon)
Date: Wed, 22 Aug 2001 14:10:19 -0700 (PDT)
From: Matt Dillon
Message-Id: <200108222110.f7MLAJU78729@earth.backplane.com>
To: James Wyatt
Cc: Rob Simmons, Matt Piechota, Wes Peters, "Carroll, D. (Danny)", freebsd-security@FreeBSD.ORG
Subject: Re: Silly crackers... NT is for kids...

:> On Tue, 21 Aug 2001, Matt Piechota wrote:
:> > No No, on the realtime machine controllers (QNX), or OCR nodes that need
:> > all the cpu cycles they can get.  I'm talking about the [de|en]crypt on
:> > the remote side, not the PC side.  Every bit of performance matters, and
:> > could be the difference between us and someone else getting a contract.
:>
:> There should be a way to configure sshd so that only the username/password
:> exchange is encrypted.  The rest of the connection would be unencrypted.
:> You would get some of the benefits of ssh without a constant performance
:> hit.
:
:IMHO, that would be a "bad idea" as it would 1) be easier to insert forged
:command packets after browsing what was going on, 2) break changing your
:password because it could be sniffed at change time, 3) not save *that*
:much CPU for tactical shell sessions, and 4) confuse users who thought SSH
:..

    There is the ability to specify '-c none' (no cipher) to ssh.  Our ssh
    does not compile the 'none' cipher in by default but you should be able
    to build the distribution with that feature.  I am not sure whether it
    still encrypts passwords or key-exchange when -c none is specified, but
    I do know it doesn't encrypt the data stream once the connection is
    operational.  Perhaps someone more knowledgeable in regards to ssh can
    answer the question.

                                        -Matt

From owner-freebsd-security Wed Aug 22 15:57:14 2001
Received: from smtp-1.enteract.com (smtp-1.enteract.com [207.229.143.33]) by hub.freebsd.org (Postfix) with ESMTP id 36C2237B409 for ; Wed, 22 Aug 2001 15:57:05 -0700 (PDT) (envelope-from tez@enteract.com)
Received: from shell-1.enteract.com (shell-1.enteract.com [207.229.143.40]) by smtp-1.enteract.com (Postfix) with ESMTP id 8F0667E29; Wed, 22 Aug 2001 17:57:04 -0500 (CDT)
Date: Wed, 22 Aug 2001 17:57:04 -0500 (CDT)
From: Tim Zingelman
Reply-To: tez@enteract.com
To: freebsd-security@FreeBSD.ORG
Cc: Dave Ryan
Subject: Re: kerberosV - SecurID

On Wed, 22 Aug 2001, Dave Ryan wrote:

> Does anyone know if RSA Securid OTP's are used anywhere to enhance the
> ticket granting phase of a kerberos authentication sequence?
The place I work uses hardware challenge/response tokens from
www.cryptocard.com integrated into our (MIT based) kdc.  If you are coming
from a non-kerberos aware location (ie. you have no ticket), you are
challenged with a code that you type into the card and use the response as
a one time password.  The cards also require a PIN number to operate.
None of our machines are supposed to accept a password except at the
console.

 - Tim

From owner-freebsd-security Wed Aug 22 16:01:23 2001
Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id 0EDC237B42B; Wed, 22 Aug 2001 16:01:07 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 9879666D1C; Wed, 22 Aug 2001 16:01:06 -0700 (PDT)
Date: Wed, 22 Aug 2001 16:01:06 -0700
From: Kris Kennaway
To: Guy Helmer
Cc: dan@langille.org, security-officer@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
Message-ID: <20010822160106.C35838@xor.obsecurity.org>
References: <3B82E2D3.823.D177AF1@localhost>
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from ghelmer@palisadesys.com on Wed, Aug 22, 2001 at 08:34:11AM -0500

On Wed, Aug 22, 2001 at 08:34:11AM -0500, Guy Helmer wrote:
> It is my sense from reading some other vendor's advisories (namely RedHat)
> that advisories go through
> internal review and correction prior to release.
> A quick review process by a small group of interested security-minded folks
> could help catch minor typos like this one.  Would security-officer be
> willing to setup a private mail list for a small group of interested people
> and give them a few hours to review proposed advisories prior to release?

Well, it might be worth a shot for the times when we have the advisory
ready in advance, but for cases like this one I had to finish writing and
editing it immediately before it went out.

Kris

From owner-freebsd-security Wed Aug 22 16:03:45 2001
Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id C428937B491 for ; Wed, 22 Aug 2001 16:03:07 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 6588466D1C; Wed, 22 Aug 2001 16:03:07 -0700 (PDT)
Date: Wed, 22 Aug 2001 16:03:07 -0700
From: Kris Kennaway
To: rolandas.garska@ik.ku.lt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:55.procfs
Message-ID: <20010822160307.A36065@xor.obsecurity.org>
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from garska@ik.ku.lt on Wed, Aug 22, 2001 at 12:56:04PM +0200
On Wed, Aug 22, 2001 at 12:56:04PM +0200, Rolandas Garska wrote:
> The same problem is in FreeBSD Security Advisory FreeBSD-SA-01:40.fts.v1.1
> The patch works if you cd /usr/src/lib/libc/gen, not /usr/src/lib/libc

That patch was corrected already.

Kris

From owner-freebsd-security Wed Aug 22 16:05:10 2001
Received: from primus.vsservices.com (primus.vsservices.com [63.66.136.75]) by hub.freebsd.org (Postfix) with ESMTP id A852937B411 for ; Wed, 22 Aug 2001 16:05:00 -0700 (PDT) (envelope-from gclarkii@vsservices.com)
Received: from prime.vsservices.com (conr-adsl-dhcp-28-213.txucom.net [209.34.28.213]) by primus.vsservices.com (8.11.3/8.11.3) with SMTP id f7MA0Y497595 for ; Wed, 22 Aug 2001 03:00:34 -0700 (PDT) (envelope-from gclarkii@vsservices.com)
From: GB Clark II
To: security@freebsd.org
Subject: Code Red Response (look at URL)
Date: Wed, 22 Aug 2001 05:00:34 -0500
X-Mailer: KMail [version 1.2]
Message-Id: <0108220500340D.77652@prime.vsservices.com>

HI,

For those that might have
that auto modify system in place, take a look at this URL...
It looks like no good deed goes unpunished!

http://www.plastic.com/article.pl?sid=01/08/19/1719259&from=rdf

GB
-- 
GB Clark II             | Roaming FreeBSD Admin
gclarkii@VSServices.COM | General Geek
          CTHULU for President - Why choose the lesser of two evils?

From owner-freebsd-security Wed Aug 22 19:54:54 2001
Received: from frankcole.lvcm.com (cm025.52.234.24.lvcm.com [24.234.52.25]) by hub.freebsd.org (Postfix) with ESMTP id 197A537B407 for ; Wed, 22 Aug 2001 19:54:46 -0700 (PDT) (envelope-from fwc@frankcole.lvcm.com)
Received: from localhost (fwc@localhost) by frankcole.lvcm.com (8.11.3/8.11.3) with ESMTP id f7N2sjM06415 for ; Wed, 22 Aug 2001 19:54:45 -0700 (PDT) (envelope-from fwc@frankcole.lvcm.com)
Date: Wed, 22 Aug 2001 19:54:45 -0700 (PDT)
From: User FWC
Subject: Re: Silly crackers... NT is for kids... (fwd)
Message-ID: <20010822195408.W6403-100000@frankcole.lvcm.com>

For personal use it's free.  You can also get the gcc compiler for it,
gratis.  I've been looking at it off and on for a work project.  It *is* a
little different though.

Frank C.
vegas

Apologies to Matt, posted wrong first time.

On Wed, 22 Aug 2001, Matt Piechota wrote:

> On Tue, 21 Aug 2001, James Wyatt wrote:
>
> > btw: I have always been impressed at how much QNX can run in real-time on
> > a SBC. I've also been impressed at how much stuff ports to it easily. I
> > just wish I could afford enough of it to play with on my own more.
> > (Besides the surfing platform on a single floppy demo they sent out...)
>
> QNX RTP (Real Time Platform, aka QNX6) is a free download for
> non-commercial uses.  Check out their site.  I think they Open Sourced a
> fair amount of it as well.
>
> --
> Matt Piechota
> Finger piechota@emailempire.com for PGP key
> AOL IM: cithaeron

From owner-freebsd-security Wed Aug 22 22:15:51 2001
Received: from unplugged.karolinelund.dk (cpe.atm0-0-0-133200.virnxx2.customer.tele.dk [62.242.199.233]) by hub.freebsd.org (Postfix) with ESMTP id 595A237B40A for ; Wed, 22 Aug 2001 22:15:45 -0700 (PDT) (envelope-from michael@karolinelund.dk)
Received: from karolinelund.dk (fubar.int.karolinelund.dk [192.168.0.3]) by unplugged.karolinelund.dk (8.11.5/8.11.3) with ESMTP id f7N7DrG62476; Thu, 23 Aug 2001 07:13:53 GMT (envelope-from michael@karolinelund.dk)
Message-ID: <3B849018.90691B3D@karolinelund.dk>
Date: Thu, 23 Aug 2001 07:09:44 +0200
From: michael dreves
Reply-To: michael@karolinelund.dk
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386)
To: Dave Ryan, freebsd-security@FreeBSD.ORG
Subject: Re: kerberosIV
References: <3B83A8BC.BCF790A0@karolinelund.dk> <20010822140020.A1911@alpha.eng.eircom.net>

Dave Ryan wrote:
>
> anyone here running kerberosIV?
>
> Is there any particular reason why you are running KerberosIV? I would advise
> using V (either MIT or Heimdal)
>
> dave

- thanks for the advice - moved to heimdal, and it works much nicer.

michael
From owner-freebsd-security Thu Aug 23 02:25:42 2001
Received: from corp.e-scape.net (corp.e-scape.net [216.13.52.6]) by hub.freebsd.org (Postfix) with ESMTP id D641937B401 for ; Thu, 23 Aug 2001 02:25:38 -0700 (PDT) (envelope-from stefanos@e-scape.net)
Received: from corp.e-scape.net (localhost.e.scape.net [127.0.0.1]) by corp.e-scape.net (8.9.3/8.9.3) with ESMTP id LAA96346 for ; Thu, 23 Aug 2001 11:54:30 -0400 (EDT) (envelope-from stefanos@corp.e-scape.net)
Message-Id: <200108231554.LAA96346@corp.e-scape.net>
To: security@freebsd.org
Subject: Compromised system.
Date: Thu, 23 Aug 2001 11:54:30 -0400
From: Stefanos Kiakas

Hello,

I was recently investigating a system that may
be compromised. The reason I say this is because of the
following entries in the output of the ps -ax command.

  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:04.35 (swapper)
    1  ??  ILs    0:00.07 /sbin/init --
48474  ??  S      0:00.00 ./klogd
79612  ??  I      0:00.00 ./klogd
79613  ??  S     25:46.29 ./klogd
79623  ??  D    901:01.50 ./init 45 1103527590.log

And the /tmp directory contains 2 . entries with approximately
92M in the second one.

123# cd /tmp
123# ls -al
total 23
drwxrwxrwt   3 root  wheel   512 Aug 23 16:39 .
drwxr-xr-x   2 root  wheel   512 Aug  3 11:48 .
drwxr-xr-x  20 root  wheel   512 Apr  4 04:46 ..

How do I access the second . directory to see what
is in it? I have tried everything I can think of but
I cannot list any of the contents.

Please cc me at stefanos@e-scape.net.

Thank you,

Stefanos Kiakas

From owner-freebsd-security Thu Aug 23 02:31:24 2001
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 1074C37B409 for ; Thu, 23 Aug 2001 02:31:19 -0700 (PDT) (envelope-from str@giganda.komkon.org)
Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id f7N9VDX27439; Thu, 23 Aug 2001 05:31:13 -0400 (EDT) (envelope-from str)
Date: Thu, 23 Aug 2001 05:31:13 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200108230931.f7N9VDX27439@giganda.komkon.org>
To: security@FreeBSD.ORG, stefanos@e-scape.net
Subject: Re: Compromised system.
In-Reply-To: <200108231554.LAA96346@corp.e-scape.net>

You have some non-ASCII symbol in the name of the directory.
Use the -b or -B options of ls (read the man page, ls(1)) to see what "invisible" symbols are part of the name of the "extra" directory. Use that name to access the directory in question.

Igor

> From owner-freebsd-security@FreeBSD.ORG Thu Aug 23 05:25:58 2001
> To: security@FreeBSD.ORG
> Subject: Compromised system.
> Date: Thu, 23 Aug 2001 11:54:30 -0400
> From: Stefanos Kiakas
From owner-freebsd-security Thu Aug 23 3: 9:24 2001
Date: Thu, 23 Aug 2001 13:09:09 +0300
From: titus manea
To: freebsd-security@freebsd.org
Subject: Re: Compromised system.
Message-ID: <20010823130909.A80836@unix.edc.dnttm.ro>
In-Reply-To: <200108231554.LAA96346@corp.e-scape.net>; from stefanos@e-scape.net on Thu, Aug 23, 2001 at 11:54:30AM -0400

You may ls -F and then you will see
./ ../ . /
The attacker maybe did a mkdir ".
";

From owner-freebsd-security Thu Aug 23 3:14:37 2001
Date: Thu, 23 Aug 2001 06:14:32 -0400
From: Chip Norkus
To: Stefanos Kiakas
Cc: security@freebsd.org
Subject: Re: Compromised system.
Message-ID: <20010823061432.C70948@anduril.org>
In-Reply-To: <200108231554.LAA96346@corp.e-scape.net>; from stefanos@e-scape.net on Thu, Aug 23, 2001 at 11:54:30AM -0400

On Thu Aug 23, 2001; 11:54AM -0400 Stefanos Kiakas used 1.0K bytes of bandwidth to send the following:
> [snip]
> total 23
> drwxrwxrwt   3 root  wheel  512 Aug 23 16:39 .
> drwxr-xr-x   2 root  wheel  512 Aug  3 11:48 .
> drwxr-xr-x  20 root  wheel  512 Apr  4 04:46 ..
>
> How do I access the second . directory to see what
> is in it? I have tried everything I can think of but
> I cannot list any of the contents.
>

This is, of course, only a guess, but there may be strange things like terminal codes (or even a space after the name) in that file's name. In /tmp, you might want to do:

ls -Ba /tmp

You'll then need to decode the output. Alternatively, after chucking out everything else in tmp, you might try:

cd *.
cd .*
cd *.*

(until one of them works)

> Please cc me at stefanos@e-scape.net.
>

Good luck!
> Thank you,
>
> Stefanos Kiakas

-wd
-- 
chip norkus(rl); white_dragon('net'); wd@arpa.com
"That's Tron. He fights for the users." http://telekinesis.org

From owner-freebsd-security Thu Aug 23 3:21:24 2001
Date: Thu, 23 Aug 2001 19:58:55 +0930
From: Mark Newton
To: freebsd-security@freebsd.org
Subject: Attempts to overflow rpc.statd
Message-ID: <20010823195855.A77982@atdot.dotat.org>
X-PGP-Key: http://slash.dotat.org/~newton/pgpkey.txt

I've been seeing these in syslog for the last week or so. Has anyone else run across them?

It looks like a buffer overflow attempt on rpc.statd, but since there aren't any FreeBSD advisories about it I'm guessing that the script kiddies are hitting on it at random without necessarily knowing about what kind of architecture or OS they're trying to attack.

Does it look familiar to anyone else?
  - mark

Aug 23 19:16:36 foo rpc.statd: invalid hostname to sm_stat: ^X=F7=FF=BF^X=F7=FF=BF^Y=F7=FF=BF^Y=F7=FF=BF^Z=F7=FF=BF^Z=F7=FF=BF^[=F7=FF=BF^[=F7=FF=BF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
but it hurt when I walked.
                                              Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From owner-freebsd-security Thu Aug 23 3:22:29 2001
Date: Thu, 23 Aug 2001 12:22:18 +0200 (CEST)
From: Dan Larsson
To: titus manea
Subject: Re: Compromised system.
In-Reply-To: <20010823130909.A80836@unix.edc.dnttm.ro>
Message-ID: <20010823122027.P88176-100000@hq1.tyfon.net>
Organization: Tyfon Svenska AB

On Thu, 23 Aug 2001, titus manea wrote:
| You may ls -F and then you will see
| ./ ../ . /
| The attacker maybe did a mkdir ".
| ";

An easy way to find out exactly what is in the directory: one could use the perl one-liner below:

% cd /suspiscious/directory
% perl -we '$d=".";opendir(D,$d);while($_=readdir(D)){print"($_) "}closedir(D);print"\n"'

Regards
+------
Dan Larsson           DL1999-RIPE
Tyfon Svenska AB    | Tel: +46 8 550 120 21
GPG public key      | finger dl@hq1.tyfon.net

From owner-freebsd-security Thu Aug 23 3:50:16 2001
Date: Thu, 23 Aug 2001 03:50:08 -0700
From: Kris Kennaway
To: Mark Newton
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Attempts to overflow rpc.statd
Message-ID: <20010823035008.A96330@xor.obsecurity.org>
In-Reply-To: <20010823195855.A77982@atdot.dotat.org>; from newton@atdot.dotat.org on Thu, Aug 23, 2001 at 07:58:55PM +0930

On Thu, Aug 23, 2001 at 07:58:55PM +0930, Mark Newton wrote:
> I've been seeing these in syslog for the last week or so. Has anyone
> else run across them?
>
> It looks like a buffer overflow attempt on rpc.statd, but since there
> aren't any FreeBSD advisories about it I'm guessing that the script
> kiddies are hitting on it at random without necessarily knowing about
> what kind of architecture or OS they're trying to attack.
>
> Does it look familiar to anyone else?

Yes, it's an old Linux vulnerability.

Kris

From owner-freebsd-security Thu Aug 23 3:55:48 2001
Message-ID: <010901c12bc0$18e6ab10$0b01a8c0@dragoneer8>
From: "Bob Lefevere"
References: <20010823122027.P88176-100000@hq1.tyfon.net>
Subject: Re: Compromised system.
Date: Thu, 23 Aug 2001 12:40:58 +0200

> An easy way to find out exactly what is in the directory: one could use the
> perl one-liner below:
>
> % cd /suspiscious/directory
> % perl -we '$d=".";opendir(D,$d);while($_=readdir(D)){print"($_) "}closedir(D);print"\n"'

Er.. Shouldn't ls -la suffice ?

Bob Lefevere
Copernicus Interchange Technology

From owner-freebsd-security Thu Aug 23 4: 7:19 2001
Date: Thu, 23 Aug 2001 13:07:11 +0200 (CEST)
From: Dan Larsson
To: Bob Lefevere
Subject: Re: Compromised system.
In-Reply-To: <010901c12bc0$18e6ab10$0b01a8c0@dragoneer8>
Message-ID: <20010823130243.Y89248-100000@hq1.tyfon.net>
Organization: Tyfon Svenska AB

On Thu, 23 Aug 2001, Bob Lefevere wrote:
| > An easy way to find out exactly what is in the directory: one could use the
| > perl one-liner below:
| >
| > % cd /suspiscious/directory
| > % perl -we '$d=".";opendir(D,$d);while($_=readdir(D)){print"($_) "}closedir(D);print"\n"'
|
| Er.. Shouldn't ls -la suffice ?

How would that show the actual number of spaces in the directory name?

% ls -la
total 3
drwxr-xr-x  3 dl  tyfon  512 23 Aug 12:14 .
drwxr-xr-x  2 dl  tyfon  512 23 Aug 12:13 .
drwxr-xr-x  3 dl  tyfon  512 23 Aug 12:12 ..
-rw-r--r--  1 dl  tyfon    0 23 Aug 12:13 file.txt
-rw-r--r--  1 dl  tyfon    0 23 Aug 12:13 garbage.foo
% perl -we '$d=".";opendir(D,$d);while($_=readdir(D)){print"($_) "}closedir(D);print"\n"'
(.) (..) (. ) (file.txt) (garbage.foo)
%

The perl method will; 'ls -la' just shows it's there.
Regards
+------
Dan Larsson           DL1999-RIPE
Tyfon Svenska AB    | Tel: +46 8 550 120 21
GPG public key      | finger dl@hq1.tyfon.net

From owner-freebsd-security Thu Aug 23 4:31:22 2001
Message-ID: <00fa01c12bc7$4f0505a0$45e03ac3@skif.net>
From: "Igor Melnichuk"
Subject: jail & security
Date: Thu, 23 Aug 2001 14:32:30 +0300

Our company provides web-hosting. Trying to increase the level of security, we are planning to create a jail for each virtual host. But I have 3 questions without an answer.

+ Is jail nowadays a secure enough environment for multiuser hosting?
+ Is it possible to limit resources allocated by each VM (jail)?
+ Can I use disk-quota inside a VM?
Thanks in advance
- igor

From owner-freebsd-security Thu Aug 23 4:41: 7 2001
Date: Thu, 23 Aug 2001 15:40:52 +0400 (MSD)
From: Alexey Zakirov
Subject: Re: jail & security
In-Reply-To: <00fa01c12bc7$4f0505a0$45e03ac3@skif.net>

On Thu, 23 Aug 2001, Igor Melnichuk wrote:

> + Is jail nowadays a secure enough environment for multiuser hosting?

In some aspects.

> + Is it possible to limit resources allocated by each VM (jail)?

no chances. It's a very painful jail feature (weakness). :(

> + Can I use disk-quota inside a VM?

Yes. But you have to do it from outside the jail, because quotactl(2) doesn't work inside a jail.

jail(2) is very helpful for creating a security environment, but it doesn't give a 100% guarantee.
*** WBR, Alexey Zakirov (frank@agava.com)

From owner-freebsd-security Thu Aug 23 4:51:14 2001
Date: Thu, 23 Aug 2001 11:24:15 +0000
From: Gabor Zahemszky
To: Stefanos Kiakas
Cc: freebsd-security@freebsd.org
Subject: Re: Compromised system.
Message-ID: <20010823112415.A379@zg.CoDe.hu>
In-Reply-To: <200108231554.LAA96346@corp.e-scape.net>; from stefanos@e-scape.net on Thu, Aug 23, 2001 at 11:54:30AM -0400

Hi!

On Thu, Aug 23, 2001 at 11:54:30AM -0400, Stefanos Kiakas wrote:
> 123# cd /tmp
> 123# ls -al
> total 23
> drwxrwxrwt   3 root  wheel  512 Aug 23 16:39 .
> drwxr-xr-x   2 root  wheel  512 Aug  3 11:48 .
> drwxr-xr-x  20 root  wheel  512 Apr  4 04:46 ..
$ ls -1a | cat -tve

cat:
 -v: print everything in "readable form"
 -t: the TABs, too
 -e: print a ``$'' at the end of the line

So:

$ cd /tmp
$ mkdir ".^B^D^F"
$ ls -1a

From owner-freebsd-security Thu Aug 23 6: 5:44 2001
Message-ID: <004401c12bd5$21918d60$3303a8c0@needhams.com>
From: "Shannon Johnson"
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 06:11:32 -0700

> On Thu, 23 Aug 2001, Igor Melnichuk wrote:
> no chances. It's a very painful jail feature (weakness). :(

I actually disagree. It is possible to limit a user's resources within a jail. You can use login classes in a jail just as you can outside it. See login.conf(5)
www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf

Setting up a jail actually affords a lot more security than if you were to contain all services running in the base system. By using a jail, you can limit users' resources, strip all potentially destructive binaries (e.g.
compilers, suid bins that are not necessary, etc.), and bind all services to a local IP separate from the host. In addition to this you can now set up more restrictive firewall rules that prevent any user, or compromised user, from using any ports such as ftp, ssh/sftp, etc.

I have used it extensively both at work and home and am very impressed with both the security and flexibility of a FreeBSD jail. As with all things in life, nothing is a 100% guarantee; however, by adding more layers, you can increase the time it takes to compromise/damage a system.

On a personal note, the man page for jail
www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=jail
recommends that you mount a proc file system within the jailed environment. I personally disagree with this and have not mounted a proc file system within the base system or the jailed environment. I know that it may break some binaries (e.g. Linux); however, if you are running a 4.2 or 3.x system, please make sure that you have the patch for the procfs vulnerability
http://lists.doddsnet.com/bugtraq/2000/12-Dec/0501.html

Shannon

From owner-freebsd-security Thu Aug 23 6:24: 5 2001
Date:
Thu, 23 Aug 2001 17:23:54 +0400 (MSD)
From: Alexey Zakirov
To: Shannon Johnson
Subject: Re: jail & security
In-Reply-To: <004401c12bd5$21918d60$3303a8c0@needhams.com>

On Thu, 23 Aug 2001, Shannon Johnson wrote:

> > no chances. It's a very painful jail feature (weakness). :(
>
> I actually disagree. It is possible to limit a user's resources within a

Sorry, I have to repeat "no chances". You CAN'T limit whole jail limits. If I had superuser privileges in your jail(2) I'd trash your system. You can set user limits, but you can't resist a root compromise the way ASPLinux and UML Linux do.

> jail. You can use login classes in a jail just as you can outside it. See

Sure, I do it.

> I have used it extensively both at work and home and am very impressed with
> both the security and flexibility of a FreeBSD jail. As with all things in

I had to fix several shell servers to fix the kernel signal race exploit. jail(2) didn't help me in that case.

> some binaries (e.g. Linux); however, if you are running a 4.2 or 3.x system,
> please make sure that you have the patch for the procfs vulnerability
> http://lists.doddsnet.com/bugtraq/2000/12-Dec/0501.html

The most important patch IMO is kern/18209.
*** WBR, Alexey Zakirov (frank@agava.com)

From owner-freebsd-security Thu Aug 23 6:39:40 2001
Message-ID: <44D2ED0AC0121146BF01366481060EBE01917F1D@umc-mail02.missouri.edu>
From: "Dooley, Ryan"
To: 'Mark Newton', freebsd-security@freebsd.org
Subject: RE: Attempts to overflow rpc.statd
Date: Thu, 23 Aug 2001 08:39:25 -0500

Yeah, we're getting that as well. I'm not sure what the kiddies are trying with, but it's been popping up on console (and /var/log/messages) on a couple of my machines.

Cheers,
Ryan

-----Original Message-----
From: Mark Newton [mailto:newton@atdot.dotat.org]
Sent: Thursday, August 23, 2001 5:29 AM
To: freebsd-security@freebsd.org
Subject: Attempts to overflow rpc.statd
From owner-freebsd-security Thu Aug 23 6:40:54 2001
Message-ID: <00b001c12bda$09996fc0$3303a8c0@needhams.com>
From: "Shannon Johnson"
To: "Alexey Zakirov"
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 06:46:40 -0700

> On Thu, 23 Aug 2001, Alexey Zakirov wrote:
>
> > > no chances. It's a very painful jail feature (weakness). :(
> >
> > I actually disagree. It is possible to limit a user's resources within a
>
> Sorry, I have to repeat "no chances".
> You CAN'T limit whole jail limits. If I had superuser privileges in
> your jail(2) I'd trash your system. You can set user limits, but you can't
> resist a root compromise the way ASPLinux and UML Linux do.

Alexey, correct me if I am wrong, but Igor was asking if it was possible to limit "resources allocated by each VM (jail)."
I simply addressed it on this issue and not on "root compromise." That is why I referred him to login classes.

By the way, it is nice to know that you would trash my system if given root access within the jail. However, there are ways to prevent people like yourself from destroying a system (e.g. a read-only file system, setting the system immutable flag, etc.)

Remind me to never give you a shell account.

---
Shannon

From owner-freebsd-security Thu Aug 23 6:44: 4 2001
Message-ID: <002901c12bd9$d7ecc300$45e03ac3@skif.net>
From: "Igor Melnichuk"
References: <004401c12bd5$21918d60$3303a8c0@needhams.com>
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 16:45:11 +0300

> > no chances. It's a very painful jail feature (weakness). :(
>
> I actually disagree. It is possible to limit a user's resources within a
> jail.
> You can use login classes in a jail just as you can outside it. See
> login.conf(5)
> www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf

100% true and it works fine. But you can't restrict 'root' in the case when you have to delegate these privileges to somebody (to customize Apache, for instance). Such a user can always override 'login.conf', so this is not a 'perfect' solution.

I prefer 'system' control.

igor

From owner-freebsd-security Thu Aug 23 6:46:53 2001
From: Alfred Perlstein <bright@elvis.mu.org>
To: Shannon Johnson
Cc: Alexey Zakirov, freebsd-security@freebsd.org
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 08:46:49 -0500
Message-ID: <20010823084649.A81307@elvis.mu.org>
In-Reply-To: <00b001c12bda$09996fc0$3303a8c0@needhams.com>

* Shannon Johnson [010823 08:41] wrote:
> > On Thu, 23 Aug 2001, Alexey Zakirov wrote:
> >
> > > > no chances. It's a very painful jail feature (weakness). :(
> > >
> > > I actually disagree. It is possible to limit a user's resources within a
> >
> > sorry, I have to repeat "no chances".
> > You CAN'T limit whole jail limits.
> > If I had the superuser privileges in
> > your jail(2) I'd trash your system. You can set user limits but you can't
> > resist a root compromise as ASPLinux and UML Linux do.
>
> Alexey, correct me if I am wrong, but Igor was asking if it was possible to
> limit "resources allocated by each VM (jail)." I simply addressed it on
> this issue and not on "root compromise." That is why I referred him to login
> classes.
>
> By the way, it is nice to know that you would trash my system if given root
> access within the jail. However, there are ways to prevent people like
> yourself from destroying a system (e.g. read-only file system, setting the
> system immutable flag, etc.)
>
> Remind me to never give you a shell account.

Alexey is wrong in stating 'You CAN'T limit whole jail limits.' You actually can, given the right patches to the jail subsystem. :)

--
-Alfred Perlstein [alfred@freebsd.org]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?

From owner-freebsd-security Thu Aug 23 7:00:30 2001
From: Phil Pittard <sens@sens.com.au>
Organization: South East Network Solutions
To: Mark Newton
Cc: freebsd-security@freebsd.org
Subject: Re: Attempts to overflow rpc.statd
Date: Thu, 23 Aug 2001 23:33:42 +0930
Message-ID: <3B850D3E.4DF406B3@sens.com.au>
References: <20010823195855.A77982@atdot.dotat.org>
There was a Linux rpc.statd attack I saw last year which looked like this.... I just did some hunting & found some refs to it at this URL:

http://www.havelmark.com/~rmartin/31337.html

There's a link there to RedHat with the patch... no idea what effect, if any, it would have on FreeBSD.... my guess would be none.

Phil.

====
Mark Newton wrote:
>
> I've been seeing these in syslog for the last week or so. Has anyone
> else run across them?
>
> It looks like a buffer overflow attempt on rpc.statd, but since there
> aren't any FreeBSD advisories about it I'm guessing that the script
> kiddies are hitting on it at random without necessarily knowing about
> what kind of architecture or OS they're trying to attack.
>
> Does it look familiar to anyone else?
>
> - mark
>
> Aug 23 19:16:36 foo rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
>
> --------------------------------------------------------------------
> I tried an internal modem,                    newton@atdot.dotat.org
> but it hurt when I walked.                               Mark Newton
> ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

--
Phil Pittard
IT Consultant
SENS/SECNET
http://www.sens.com.au
http://www.itsupport4schools.com
=================================

From owner-freebsd-security Thu Aug 23 7:00:48 2001
From: "Shannon Johnson" <shannon@needhams.com>
Cc: "Igor Melnichuk"
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 07:06:43 -0700
Message-ID: <00da01c12bdc$d676e480$3303a8c0@needhams.com>
References: <004401c12bd5$21918d60$3303a8c0@needhams.com> <002901c12bd9$d7ecc300$45e03ac3@skif.net>
----- Original Message -----
From: Igor Melnichuk
Sent: Thursday, August 23, 2001 6:45 AM
Subject: Re: jail & security

> > > no chances. It's a very painful jail feature (weakness). :(
> >
> > I actually disagree. It is possible to limit a user's resources within a
> > jail. You can use login classes in a jail just as you can outside it. See
> > login.conf(5)
> > www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf
>
> 100% true and it works fine. But you can't restrict 'root' in the case when you
> have to delegate these privileges to somebody (to customize Apache, for
> instance). Such a user can always override 'login.conf', so this is
> not a 'perfect' solution.
>
> I prefer 'system' control.
>
> igor

I personally disable the root account in all of my jailed environments (e.g. setting the shell to /sbin/nologin and disabling the password with "*") and use the following script to perform customization within the jail:

http://www.designcurve.net/downloads/os/freebsd/scripts/enter-jail

This script assumes that you set up the jail in the form of /jail/192.168.x.x/service (e.g. /jail/192.168.3.45/www). In order to use this script you must be in the host environment (outside of the jail).
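The two checks a host-side administrator would want before entering a jail set up the way Shannon describes, as an added example (editor's code, not Shannon's enter-jail script, which is not reproduced here): confirm that root inside the jail really is disabled, and derive the jail's IP address from its directory instead of typing it. The <base>/<ip>/<service> layout comes from the message; the function names and the FreeBSD 4.x jail(8) syntax (jail path hostname ip-number command) are assumptions, and the master.passwd line used in the checks below is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (editor's code, not the enter-jail script from the message).
# Assumes jails live under <base>/<ip>/<service>, e.g. /jail/192.168.3.45/www,
# and that the host runs FreeBSD 4.x, where a jail is entered with
#   jail <path> <hostname> <ip-number> <command>
# Plain POSIX sh: no "local", so the helpers use global scratch variables.

# Return 0 if root inside the jail rooted at $1 is disabled the way the
# message describes (password field "*" and a non-login shell), 1 if root
# is still usable, 2 if the jail's master.passwd cannot be read.
jail_root_disabled() {
    pwfile="$1/etc/master.passwd"
    [ -r "$pwfile" ] || return 2
    # master.passwd fields: name:passwd:uid:gid:class:change:expire:gecos:home:shell
    line=$(grep '^root:' "$pwfile" | head -n 1)
    [ -n "$line" ] || return 2
    passwd=$(printf '%s\n' "$line" | cut -d: -f2)
    shell=$(printf '%s\n' "$line" | cut -d: -f10)
    [ "$passwd" = "*" ] || return 1
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Derive the jail's IP from its path: the directory above <service> must be
# a dotted quad, otherwise fail rather than guess an address.
jail_ip_from_path() {
    ip=$(basename "$(dirname "$1")")
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$ip"
}

# Print the jail(8) command that starts a shell in the jail at $1 with
# hostname $2. Refuses if the path does not follow the layout or if root
# inside the jail can still log in, so the check cannot be skipped by habit.
jail_enter_cmd() {
    ip=$(jail_ip_from_path "$1") || { echo "not a <base>/<ip>/<service> path: $1" >&2; return 1; }
    jail_root_disabled "$1" || { echo "root is still enabled inside $1" >&2; return 1; }
    printf 'jail %s %s %s /bin/sh\n' "$1" "$2" "$ip"
}
```

Run jail_enter_cmd /jail/192.168.3.45/www www.example.net on the host and it prints the jail(8) line to execute as the host's root, or refuses with a reason on stderr. Both checks only read files under the jail directory, so jail_root_disabled can also be run periodically against every jail on the host to catch a root account that was re-enabled from inside.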
--- Shannon

From owner-freebsd-security Thu Aug 23 7:25:19 2001
From: Laurence Berland <stuyman@euphoria.confusion.net>
To: Bob Lefevere
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Compromised system.
Date: Thu, 23 Aug 2001 07:24:55 -0700
In-Reply-To: <010901c12bc0$18e6ab10$0b01a8c0@dragoneer8>

umm... ls -l .?* perhaps?

On Thu, 23 Aug 2001, Bob Lefevere wrote:

> > An easy way to find out what exactly is in the directory one could use the
> > below perl one-liner:
> >
> > % cd /suspicious/directory
> > % perl -we '$d=".";opendir(D,$d);while($_=readdir(D)){print"($_) "}closedir(D);print"\n"'
>
> Er.. Shouldn't ls -la suffice ?
>
> Bob Lefevere
> Copernicus Interchange Technology
>

Laurence Berland
http://www.isp.northwestern.edu

From owner-freebsd-security Thu Aug 23 7:31:51 2001
From: Laurence Berland <stuyman@euphoria.confusion.net>
To: Bob Lefevere
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Compromised system.
Date: Thu, 23 Aug 2001 07:30:57 -0700

Sorry, that should be ls -la .??* : the -a because I figure there might be hidden files in there somewhere, the second ? because I'm hoping it's got at least two characters after the ".", otherwise use one ? (but then you also get .., which may or may not bother you a lot).

On Thu, 23 Aug 2001, Laurence Berland wrote:

> umm... ls -l .?* perhaps?
>
> On Thu, 23 Aug 2001, Bob Lefevere wrote:
>
> > > An easy way to find out what exactly is in the directory one could use the
> > > below perl one-liner:
> > >
> > > % cd /suspicious/directory
> > > % perl -we '$d=".";opendir(D,$d);while($_=readdir(D)){print"($_) "}closedir(D);print"\n"'
> >
> > Er.. Shouldn't ls -la suffice ?
> >
> > Bob Lefevere
> > Copernicus Interchange Technology
> >
>
> Laurence Berland
> http://www.isp.northwestern.edu
>

Laurence Berland
http://www.isp.northwestern.edu

From owner-freebsd-security Thu Aug 23 7:42:52 2001
From: "Mike" <wacky@blinx.net>
To: "Stefanos Kiakas"
Subject: Re: Compromised system.
Date: Thu, 23 Aug 2001 10:34:12 -0400
Message-ID: <00c701c12be0$ae04bfa0$0700a8c0@com.home.com>
References: <200108231554.LAA96346@corp.e-scape.net>

Try doing cd "./" or "." or "/.", one of those.

----- Original Message -----
From: "Stefanos Kiakas"
Sent: Thursday, August 23, 2001 11:54 AM
Subject: Compromised system.

>
> Hello,
>
> I was recently investigating a system that may
> be compromised.
> The reason I say this is because of the
> following entries in the output of the ps -ax command.
>
>   PID  TT  STAT       TIME COMMAND
>     0  ??  DLs     0:04.35 (swapper)
>     1  ??  ILs     0:00.07 /sbin/init --
> 48474  ??  S       0:00.00 ./klogd
> 79612  ??  I       0:00.00 ./klogd
> 79613  ??  S      25:46.29 ./klogd
> 79623  ??  D     901:01.50 ./init 45 1103527590.log
>
> And the /tmp directory contains 2 . entries with approximately
> 92M in the second one.
>
> 123# cd /tmp
> 123# ls -al
> total 23
> drwxrwxrwt   3 root  wheel  512 Aug 23 16:39 .
> drwxr-xr-x   2 root  wheel  512 Aug  3 11:48 .
> drwxr-xr-x  20 root  wheel  512 Apr  4 04:46 ..
>
> How do I access the second . directory to see what
> is in it? I have tried everything I can think of but
> I cannot list any of the contents.
>
> Please cc me at stefanos@e-scape.net.
>
> Thank you,
>
> Stefanos Kiakas

From owner-freebsd-security Thu Aug 23 8:26:14 2001
From: Daniel Frazier <dfrazier@magpage.com>
To: michael dreves
Cc: Dave Ryan
Subject: [OT] Re: kerberosIV
Date: Thu, 23 Aug 2001 11:25:03 -0400
In-Reply-To: <3B849018.90691B3D@karolinelund.dk>

On Thu, 23 Aug 2001, michael dreves wrote:

> Dave Ryan wrote:
>
> > > anyone here running kerberosIV?
> >
> > Is there any particular reason why you are running KerberosIV? I would advise
> > using V (either MIT or Heimdal)
> >
>
> dave - thanks for the advice - moved to heimdal, and it works much nicer.
>
> michael
>

This is odd, mozilla consistently crashes when I open Michael's email. Is this happening for anyone else?

--
----------------------------------------------------------------------
Daniel Frazier                        Tel: 302-239-5900 Ext. 231
System Administrator                  Fax: 302-239-3909
MAGPAGE, We Power the Internet        WWW: http://www.magpage.com/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 - Benjamin Franklin, Historical Review of Pennsylvania, 1759.

From owner-freebsd-security Thu Aug 23 11:26:31 2001
From: Alexey Zakirov <frank@agava.com>
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 22:26:22 +0400
In-Reply-To: <002901c12bd9$d7ecc300$45e03ac3@skif.net>
On Thu, 23 Aug 2001, Igor Melnichuk wrote:

> > jail. You can use login classes in a jail just as you can outside it. See
> > login.conf(5)
> > www.designcurve.net/articles/os/freebsd/doc/man/?section=&topic=login.conf
>
> 100% true and it works fine. But you can't restrict 'root' in the case when you
> have to delegate these privileges to somebody (to customize Apache, for
> instance). Such a user can always override 'login.conf', so this is

Yep. You can do it for trusted users, but you can't do it for _untrusted_ users. There is a pretty simple patch that doesn't allow changing the limits inside a jail(2), but it also requires a lot of experience to get it safe.

***
WBR, Alexey Zakirov (frank@agava.com)

From owner-freebsd-security Thu Aug 23 11:36:51 2001
From: "Shannon Johnson" <shannon@designcurve.net>
Cc: "Alexey Zakirov"
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 11:42:43 -0700
Message-ID: <001901c12c03$65c4b9c0$3303a8c0@needhams.com>
> On Thu, 23 Aug 2001, Alexey Zakirov wrote:
>
> Yep. You can do it for trusted users, but you can't do it for _untrusted_
> users. There is a pretty simple patch that doesn't allow changing the limits
> inside a jail(2), but it also requires a lot of experience to get it safe.

Where can this "simple patch" be located? In the future, to help myself and other fellow FreeBSD users, please refer to where we can locate any patches, scripts, or documentation that may not be included in the source tree.

Thanks.

--- Shannon

From owner-freebsd-security Thu Aug 23 11:40:12 2001
From: Alexey Zakirov <frank@agava.com>
To: Shannon Johnson
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 22:39:47 +0400
In-Reply-To: <00b001c12bda$09996fc0$3303a8c0@needhams.com>

> Alexey, correct me if I am wrong, but Igor was asking if it was possible to
> limit "resources allocated by
> each VM (jail)." I simply addressed it on
> this issue and not on "root compromise." That is why I referred him to login
> classes.
>
> By the way, it is nice to know that you would trash my system if given root
> access within the jail. However, there are ways to prevent people like
> yourself from destroying a system (e.g. read-only file system, setting the
> system immutable flag, etc.)

jail(2) is a GREAT feature. I thank PHK for doing it. It really pretends to be a great security help in the Unix OS.

> Remind me to never give you a shell account.

It IS a problem. Shell is not a problem, but there is PR/18209.
If you want a shell account: http://register.h1.ru/index.shtml

***
WBR, Alexey Zakirov (frank@agava.com)

From owner-freebsd-security Thu Aug 23 11:43:14 2001
From: Alexey Zakirov <frank@agava.com>
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 22:43:09 +0400
In-Reply-To: <20010823084649.A81307@elvis.mu.org>
On Thu, 23 Aug 2001, Alfred Perlstein wrote:

> > yourself from destroying a system (e.g. read-only file system, setting the
> > system immutable flag, etc.)
> >
> > Remind me to never give you a shell account.
>
> Alexey is wrong in stating 'You CAN'T limit whole jail limits.' You
> actually can, given the right patches to the jail subsystem. :)

Am I wrong? Can you set up a jail that limits CPU/MEM for a particular jail?

***
WBR, Alexey Zakirov (frank@agava.com)

From owner-freebsd-security Thu Aug 23 11:44:30 2001
From: Dan Larsson <dl@tyfon.net>
Organization: Tyfon Svenska AB
To: Alexey Zakirov
Cc: Shannon Johnson
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 20:44:13 +0200
Message-ID: <20010823204332.K95564-100000@hq1.tyfon.net>

On Thu, 23 Aug 2001, Alexey Zakirov wrote:

| > Alexey, correct me if I am wrong, but Igor was asking if it was possible to
| > limit "resources allocated by each VM (jail)." I simply addressed it on
| > this issue and not on "root compromise."
| > That is why I referred him to login
| > classes.
| >
| > By the way, it is nice to know that you would trash my system if given root
| > access within the jail. However, there are ways to prevent people like
| > yourself from destroying a system (e.g. read-only file system, setting the
| > system immutable flag, etc.)
|
| jail(2) is a GREAT feature. I thank PHK for doing it. It really pretends to
| be a great security help in the Unix OS.
|
| > Remind me to never give you a shell account.
|
| It IS a problem. Shell is not a problem, but there is PR/18209.
| If you want a shell account: http://register.h1.ru/index.shtml

Perhaps this is worth looking at: http://sektor7.ath.cx:8080/openroot/index.php

Regards
+------ Dan Larsson -+- Tyfon Svenska AB -+- DL1999-RIPE
2AA5 90AE 5185 5924 1E0B 1A99 EC8A EA84 406B 06B9

From owner-freebsd-security Thu Aug 23 11:53:06 2001
From: Alexey Zakirov <frank@agava.com>
To: Shannon Johnson
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 22:52:53 +0400
In-Reply-To: <001901c12c03$65c4b9c0$3303a8c0@needhams.com>
On Thu, 23 Aug 2001, Shannon Johnson wrote:

> > inside a jail(2), but it also requires a lot of experience to get it safe.
>
> Where can this "simple patch" be located? In the future, to help myself and

No, it's just a possibility.

> other fellow FreeBSD users, please refer to where we can locate any patches,
> scripts, or documentation that may not be included in the source tree.

/sys/ufs/ufs gets you enough clue.

***
WBR, Alexey Zakirov (frank@agava.com)

From owner-freebsd-security Thu Aug 23 11:54:20 2001
From: "Shannon Johnson" <shannon@designcurve.net>
Cc: "Alexey Zakirov"
Subject: Re: jail & security
Date: Thu, 23 Aug 2001 12:00:05 -0700
Message-ID: <003b01c12c05$d2e89100$3303a8c0@needhams.com>

> On Thu, 23 Aug 2001, Alexey Zakirov wrote:
>
> > > yourself from destroying a system (e.g. read-only file system, setting the
> > > system immutable flag, etc.)
> > >
> > > Remind me to never give you a shell account.
> >
> > Alexey is wrong in stating 'You CAN'T limit whole jail limits.' You
> > actually can, given the right patches to the jail subsystem. :)
>
> Am I wrong? Can you set up a jail that limits CPU/MEM for a particular
> jail?

Yes, in fact you are incorrect. I have set up literally dozens of jails both at home and at work. Through this I have experimented with a lot of configurations, including login classes. One way that I tested this out was to write a simple C program to test that the CPU/memory limits were being properly enforced by login.conf. Here 'tis...

#include <stdlib.h>

int main(void) { while (1) malloc(100); }   /* allocate forever; the login class limit has to stop this */

This obviously requires a lot of memory/CPU. But it proved my point.

By the way, where are the patches that you referred to earlier?

--- Shannon

From owner-freebsd-security Thu Aug 23 13:57:33 2001
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
To: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
Reply-To: security-advisories@FreeBSD.org
Subject: FreeBSD Security Advisory FreeBSD-SA-01:56.tcp_wrappers
Date: Thu, 23 Aug 2001 13:57:11 -0700 (PDT)
Message-Id: <200108232057.f7NKvBL50874@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:56                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          tcp_wrappers PARANOID hostname checking does not work

Category:       core
Module:         tcp_wrappers
Announced:      2001-08-23
Credits:        Tony Finch
Affects:        FreeBSD 4.1.1-RELEASE
                FreeBSD 4.2-RELEASE
                FreeBSD 4.3-RELEASE
                FreeBSD 4.3-STABLE before the correction date
Corrected:      2001-07-04 20:18:11 UTC (FreeBSD 4.3-STABLE)
                2001-07-04 20:18:54 UTC (RELENG_4_3)
FreeBSD only:   Yes

I.   Background

FreeBSD has included Wietse Venema's tcp_wrappers since 3.2-RELEASE. tcp_wrappers allows one to add host-based ACLs to network applications, and additionally provides connection logging and some detection of DNS spoofing.

II.  Problem Description

The addition of a flawed check for a numeric result during reverse DNS lookup causes tcp_wrappers to skip some of its sanity checking of DNS results. Only the sanity checks enabled by the 'PARANOID' ACL option in the configuration file are affected; the flaw simply weakens the 'PARANOID' host checks to the level of assurance provided by the regular host ACLs.

This vulnerability was corrected prior to the (forthcoming) release of FreeBSD 4.4-RELEASE.

III. Impact

An attacker that can influence the results of reverse DNS lookups can bypass certain tcp_wrappers PARANOID ACL restrictions by impersonating a trusted host. Such an attacker would need to be able to spoof reverse DNS lookups, or more simply the attacker may be the administrator of the DNS zone including the IP address of the remote host.

IV.  Workaround

None.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3 security branch after the respective correction dates.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.2-RELEASE, 4.3-RELEASE and 4.3-STABLE dated prior to the correction date. This patch may or may not apply to older, unsupported releases of FreeBSD.

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:56/tcp_wrappers.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:56/tcp_wrappers.patch.asc

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/lib/libwrap
# make depend && make all install

One must also recompile any statically linked applications that link against libwrap.a. There are no such applications in the base system.

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories.

During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:56/security-patch-tcp_wrappers-01.56.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:56/security-patch-tcp_wrappers-01.56.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-tcp_wrappers-01.56.tgz

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each file that was corrected, for the supported branches of FreeBSD. The $FreeBSD$ revision of installed sources can be examined using the ident(1) command. The patch provided above does not cause these revision numbers to be updated.
[FreeBSD 4.3-STABLE] Revision Path 1.2.2.3 src/contrib/tcp_wrappers/socket.c [RELENG_4_3] Revision Path 1.2.2.2.2.1 src/contrib/tcp_wrappers/socket.c VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO4VsbFUuHi5z0oilAQGSLgQAlmWnYpSy1Da8Yvs4XkpQTgN32/9aBhM0 yMM+qnd80ZYUayTNyqxKvgJDc7nROUa/qt+lWp6U1a9wuQEPX72Zq7549l8/SfuB IkCsnwf6w8lzMCVYzTQeWm7qvf00QOWsqPCvIbw61SwPN1FfF8WLYBUCuT3hShJx r8mBg+t55eY= =az63 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 23 19:44:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from humbert.bcs.ru (humbert.bcs.ru [195.239.100.77]) by hub.freebsd.org (Postfix) with ESMTP id B5A8137B406 for ; Thu, 23 Aug 2001 19:44:25 -0700 (PDT) (envelope-from azrael@bcs.ru) Received: from wks75.bcs.ru (wks75.bcs.ru [195.239.100.75]) by humbert.bcs.ru (8.11.1/8.11.1) with ESMTP id f7O2iOO52129 for ; Fri, 24 Aug 2001 09:44:24 +0700 (NOVST) (envelope-from azrael@bcs.ru) Date: Fri, 24 Aug 2001 09:44:32 +0700 From: "Andrey S.Petrov" X-Mailer: The Bat! (v1.49) Reply-To: "Andrey S.Petrov" Organization: BCS Co. Ltd. 
X-Priority: 3 (Normal) Message-ID: <94888056.20010824094432@bcs.ru> To: freebsd-security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org auth bdbbf942 unsubscribe freebsd-security azrael@bcs.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 0:58:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from tvt.ne.jp (tvtsv2.tvt.ne.jp [210.253.56.5]) by hub.freebsd.org (Postfix) with ESMTP id 991D937B40A for ; Fri, 24 Aug 2001 00:58:29 -0700 (PDT) (envelope-from chand@tvt.ne.jp) Received: from tigerlair.tvt.ne.jp (pcnadmin.tvt.ne.jp [210.253.56.9]) by tvt.ne.jp (8.10.1/8.10.1) with ESMTP id f7O7wB162239 for ; Fri, 24 Aug 2001 16:58:11 +0900 (JST) Message-Id: <4.3.2-J.20010824165539.02ce6720@mail.tvt.ne.jp> X-Sender: chand@mail.tvt.ne.jp X-Mailer: QUALCOMM Windows Eudora Version 4.3.2-J Date: Fri, 24 Aug 2001 17:02:03 +0900 To: freebsd-security@freebsd.org From: Martin Chandler Subject: strange log messages Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hello, This may be the wrong list to post to, but please forgive me. I have recently been seeing this in my log files, seeming to occur roughly every half hour for periods of time. 
    Aug 24 16:29:09 tvtsv2 inetd[59868]: warning: /etc/hosts.allow, line 29: can't verify hostname: gethostbyname(tm1665-4.oninet.ne.jp) failed

line 29 of /etc/hosts.allow is:

    ALL : localhost localhost.tvt.ne.jp : allow

The system is, unfortunately, FreeBSD 3.3-RELEASE, but with relevant security patches applied (hopefully!).

Would anyone be able to clue me in as to what might be going on?

Thanks,
MRC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 24 6: 1:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from titan.parkline.ru (titan.parkline.ru [195.209.63.162]) by hub.freebsd.org (Postfix) with ESMTP id 703A737B406 for ; Fri, 24 Aug 2001 06:01:36 -0700 (PDT) (envelope-from aronov@parkline.ru)
Received: from ami.gpt.ru (ami.gpt.ru [195.209.50.5]) by titan.parkline.ru (8.9.2/8.9.2) with ESMTP id RAA09295; Fri, 24 Aug 2001 17:01:24 +0400 (MSD) (envelope-from aronov@parkline.ru)
Date: Fri, 24 Aug 2001 17:00:21 +0400 (MSD)
From: Mikhail Aronov
X-X-Sender: 
To: Martin Chandler
Cc: 
Subject: Re: strange log messages
In-Reply-To: <4.3.2-J.20010824165539.02ce6720@mail.tvt.ne.jp>
Message-ID: <20010824165718.R578-100000@ami.gpt.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

On Aug 24, 2001, Martin Chandler wrote:
>hello,
>
>This may be the wrong list to post to, but please forgive me.
>
>I have recently been seeing this in my log files, seeming to occur roughly
>every half hour for periods of time.
>
>Aug 24 16:29:09 tvtsv2 inetd[59868]: warning: /etc/hosts.allow, line 29:
>can't verify hostname: gethostbyname(tm1665-4.oninet.ne.jp) failed
>
>line 29 of /etc/hosts.allow is:
>
>ALL : localhost localhost.tvt.ne.jp : allow
>
>The system is, unfortunately, FreeBSD 3.3-RELEASE, but with relevant
>security patches applied (hopefully!).
>Would anyone be able to clue me in as to what might be going on?
>Thanks,
>MRC

tcpd applies /etc/hosts.allow rules only if direct and reverse DNS lookups succeed. Here we can see:

    # host tm1665-4.oninet.ne.jp
    Host not found.

So:

    can't verify hostname: gethostbyname(tm1665-4.oninet.ne.jp) failed

Yours,
Mikhail Aronov
aronov@parkline.ru
Garant-Park-Telecom, System administrator

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 24 7: 2:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from saigon.cpd.ufsm.br (saigon.cpd.ufsm.br [200.18.32.130]) by hub.freebsd.org (Postfix) with ESMTP id 5603337B407 for ; Fri, 24 Aug 2001 07:02:32 -0700 (PDT) (envelope-from marcio@cpd.ufsm.br)
Received: from marcio by saigon.cpd.ufsm.br with local (Exim 3.16 #7) id 15aHXN-0007Cw-00 for freebsd-security@FreeBSD.org; Fri, 24 Aug 2001 11:02:17 -0300
Date: Fri, 24 Aug 2001 11:02:17 -0300 (GRNLNDST)
From: Marcio d'Avila Scheibler
To: freebsd-security@FreeBSD.org
Subject: Help with Binary Upgrade Packages
Message-ID: 
X-Mailer: Pine 4.05
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

I have some doubts about binary upgrade packages that have been released for the base system due to security fixes, and until now I couldn't get the answer from documentation...
For instance, suppose we have two hipothetical advisories #102 and #105, with their respective binary upgrade packages, and due to the problem, both replaces same file, /usr/lib/somelib.so, but #102 also replaces other files that #105 does not and so on... Suppose that at a first time, I installed just patch-something-105.tgz, will applied /usr/lib/somelib.so file also incorporate fix #102 ? At a second time time, I install a optional component/set/feature that I didn't need before. Since this optional component had some announced bugs, I needed install patch-something-102.tgz. Conclusion (but still a question): Will we need to retrieve and install the complete sequence of binary upgrades no matter about not used features ? ------------------------------------------------------------------------------ Marcio d'Avila Scheibler - Divisao de Suporte (marcio@cpd.ufsm.br) Centro de Processamento de Dados - Campus Universitario - CEP 97105-900 Universidade Federal de Santa Maria - RS - Brasil ============================================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 7:47: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 5FC0937B401 for ; Fri, 24 Aug 2001 07:47:05 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id IAA14239 for ; Fri, 24 Aug 2001 08:46:39 -0600 (MDT) Message-Id: <4.3.2.7.2.20010824084523.048664e0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 24 Aug 2001 08:46:29 -0600 To: security@freebsd.org From: Brett Glass Subject: Updating Sendmail Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG 
Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I've got a few systems which need to be updated to patch the Sendmail local root exploit. Does FreeBSD have 8.11.6 as a package in the ports collection? I'd rather not do a full build on each machine. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 7:55:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (sentinel.office1.bg [217.75.135.254]) by hub.freebsd.org (Postfix) with SMTP id 5770E37B410 for ; Fri, 24 Aug 2001 07:55:16 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 3221 invoked by uid 1000); 24 Aug 2001 14:53:49 -0000 Date: Fri, 24 Aug 2001 17:53:49 +0300 From: Peter Pentchev To: Brett Glass Cc: security@freebsd.org Subject: Re: Updating Sendmail Message-ID: <20010824175349.D1774@ringworld.oblivion.bg> Mail-Followup-To: Brett Glass , security@freebsd.org References: <4.3.2.7.2.20010824084523.048664e0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.3.2.7.2.20010824084523.048664e0@localhost>; from brett@lariat.org on Fri, Aug 24, 2001 at 08:46:29AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Aug 24, 2001 at 08:46:29AM -0600, Brett Glass wrote: > I've got a few systems which need to be updated to patch the Sendmail > local root exploit. Does FreeBSD have 8.11.6 as a package in the ports > collection? I'd rather not do a full build on each machine. Why not see for yourself? 
http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/mail/sendmail/Makefile ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/ Bento has not built the package yet, but the port is updated. G'luck, Peter -- If this sentence were in Chinese, it would say something else. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 8: 5:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from softweyr.com (softweyr.com [208.247.99.111]) by hub.freebsd.org (Postfix) with ESMTP id 884E637B40A for ; Fri, 24 Aug 2001 08:05:08 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from localhost.softweyr.com ([127.0.0.1] helo=softweyr.com) by softweyr.com with esmtp (Exim 3.33 #1) id 15aIeY-0000RP-00; Fri, 24 Aug 2001 09:13:46 -0600 Message-ID: <3B866F2A.A6FEBEBE@softweyr.com> Date: Fri, 24 Aug 2001 09:13:46 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: security@freebsd.org Subject: Re: Updating Sendmail References: <4.3.2.7.2.20010824084523.048664e0@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass wrote: > > I've got a few systems which need to be updated to patch the Sendmail > local root exploit. Does FreeBSD have 8.11.6 as a package in the ports > collection? I'd rather not do a full build on each machine. I you have a machine with a current build on it, you should be able to build from the sendmail directory, then install the binaries on all of your machines. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 8:10:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id C76E937B40E for ; Fri, 24 Aug 2001 08:10:24 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk) Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.16 #1) id 15aIa5-0004Mf-00; Fri, 24 Aug 2001 16:09:09 +0100 Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 15aIa5-0001T9-00; Fri, 24 Aug 2001 16:09:09 +0100 X-Mailer: exmh version 2.0.2 2/24/98 To: Brett Glass Cc: security@freebsd.org Subject: Re: Updating Sendmail In-reply-to: Your message of "Fri, 24 Aug 2001 08:46:29 MDT." <4.3.2.7.2.20010824084523.048664e0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 24 Aug 2001 16:09:09 +0100 From: David Pick Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I've got a few systems which need to be updated to patch the Sendmail > local root exploit. Does FreeBSD have 8.11.6 as a package in the ports > collection? I'd rather not do a full build on each machine. If it doesn't, do a full (port) build on one machine: make install and then do a: make package to make a package file you can move to the others and use. 
-- David Pick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 8:10:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 3628537B405 for ; Fri, 24 Aug 2001 08:10:41 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id JAA14578; Fri, 24 Aug 2001 09:10:18 -0600 (MDT) Message-Id: <4.3.2.7.2.20010824090638.04896420@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 24 Aug 2001 09:09:40 -0600 To: Wes Peters From: Brett Glass Subject: Re: Updating Sendmail Cc: security@freebsd.org In-Reply-To: <3B866F2A.A6FEBEBE@softweyr.com> References: <4.3.2.7.2.20010824084523.048664e0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 09:13 AM 8/24/2001, Wes Peters wrote: >I you have a machine with a current build on it, you should be able to >build from the sendmail directory, then install the binaries on all of >your machines. You're assuming that the machine has more than a current build.... It needs to have full sources. I rarely install full sources on any machine; too much code that will never be touched. Unless I'm specifically hacking on part of FreeBSD, it's binaries only. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 8:27:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 2AF0337B40B for ; Fri, 24 Aug 2001 08:27:14 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk) Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.16 #1) id 15aIrY-0004VH-00; Fri, 24 Aug 2001 16:27:12 +0100 Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 15aIrX-0001Ur-00; Fri, 24 Aug 2001 16:27:11 +0100 X-Mailer: exmh version 2.0.2 2/24/98 To: Spades Cc: security@freebsd.org Subject: Re: Updating Sendmail In-reply-to: Your message of "Fri, 24 Aug 2001 23:36:47 +0800." <3.0.32.20010824233647.0076a230@smtp.magix.com.sg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 24 Aug 2001 16:27:11 +0100 From: David Pick Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry, I think (now) Brett was asking how to build sendmail *as included in the base OS* without doing a full OS build. I don't know the answer to that one. The question I actually answered was: "How do I get a package if there's a port available but no pre-built package file available on the FTP servers". 
-- David Pick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 8:41:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 835FB37B403 for ; Fri, 24 Aug 2001 08:41:19 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id JAA15047; Fri, 24 Aug 2001 09:40:45 -0600 (MDT) Message-Id: <4.3.2.7.2.20010824093513.048b8dc0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 24 Aug 2001 09:40:06 -0600 To: David Pick , Spades From: Brett Glass Subject: Re: Updating Sendmail Cc: security@FreeBSD.ORG In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 09:27 AM 8/24/2001, David Pick wrote: >Sorry, I think (now) Brett was asking how to build sendmail >*as included in the base OS* without doing a full OS build. >I don't know the answer to that one. The other thing I don't want to do is clobber vital files on a working server or take the server down for very long. Installing Sendmail from scratch, or even rebuilding it, could clobber the .mc, .cf, aliases, et cetera. (Yes, I plan to back these up, but it'd be nice if there were an upgrade procedure that would eliminate the need for this.) It'd be nice to replace the binary, kill the task, restart, and go... nice and quick, so that users don't notice and no mail is lost or delayed appreciably. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 9: 8:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id D463637B408 for ; Fri, 24 Aug 2001 09:08:03 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.6/8.11.6) with ESMTP id f7OG6nx01116; Fri, 24 Aug 2001 12:06:49 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010824115419.05759280@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 24 Aug 2001 12:01:14 -0400 To: Brett Glass From: Mike Tancsa Subject: Re: Updating Sendmail Cc: security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20010824093513.048b8dc0@localhost> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 09:40 AM 8/24/01 -0600, Brett Glass wrote: >At 09:27 AM 8/24/2001, David Pick wrote: > > >Sorry, I think (now) Brett was asking how to build sendmail > >*as included in the base OS* without doing a full OS build. > >I don't know the answer to that one. > >The other thing I don't want to do is clobber vital files on Just a thought and not sure if it will work. But what about nfs mounting /usr/src and /usr/obj from another upto date machine. cd /usr/src/usr.sbin/sendmail make depend make make install ---Mike >a working server or take the server down for very long. Installing >Sendmail from scratch, or even rebuilding it, could clobber the >.mc, .cf, aliases, et cetera. 
>(Yes, I plan to back these up, but
>it'd be nice if there were an upgrade procedure that would eliminate
>the need for this.) It'd be nice to replace the binary, kill the
>task, restart, and go... nice and quick, so that users don't
>notice and no mail is lost or delayed appreciably.
>
>--Brett
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 24 9:31: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from picard.teleservice.net (mail.komvux.sjobo.se [195.17.56.7]) by hub.freebsd.org (Postfix) with ESMTP id A660A37B406 for ; Fri, 24 Aug 2001 09:31:01 -0700 (PDT) (envelope-from per@visimedia.com)
Received: from [195.17.56.62] by picard.sjobo.nu (NTMail 6.00.0014/NU2793.00.7d60c732) with ESMTP id xfaefaaa for security@FreeBSD.ORG; Fri, 24 Aug 2001 18:14:46 +0200
Message-ID: <01d301c12cba$2f804840$0200a8c0@priya>
From: "Per Claesson"
To: 
References: <5.1.0.14.0.20010824115419.05759280@marble.sentex.ca>
Subject: Patch problem
Date: Fri, 24 Aug 2001 18:31:05 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

When trying to install the latest tcp-wrappers patch I get the following message:

    # patch -p < patches/tcp_wrappers.patch
    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |--- contrib/tcp_wrappers/socket.c   2000/09/25 00:41:55   1.5
    |+++ contrib/tcp_wrappers/socket.c   2001/07/04 20:16:18   1.6
    --------------------------
    File to patch:

What should I do?

/Per Claesson
VisiMedia
Säterivägen 11
270 33 Vollsjö
Tel 0416-300 07, 070 99 22 55 9
Fax 0416-300 03
www.visimedia.com

----- Original Message -----
From: "Mike Tancsa"
To: "Brett Glass"
Cc: 
Sent: Friday, August 24, 2001 6:01 PM
Subject: Re: Updating Sendmail

> At 09:40 AM 8/24/01 -0600, Brett Glass wrote:
> >At 09:27 AM 8/24/2001, David Pick wrote:
> >
> > >Sorry, I think (now) Brett was asking how to build sendmail
> > >*as included in the base OS* without doing a full OS build.
> > >I don't know the answer to that one.
> >
> >The other thing I don't want to do is clobber vital files on
>
>
> Just a thought and not sure if it will work. But what about nfs mounting
> /usr/src and /usr/obj from another upto date machine.
> cd /usr/src/usr.sbin/sendmail
> make depend
> make
> make install
>
>
> ---Mike
>
>
> >a working server or take the server down for very long. Installing
> >Sendmail from scratch, or even rebuilding it, could clobber the
> >.mc, .cf, aliases, et cetera. (Yes, I plan to back these up, but
> >it'd be nice if there were an upgrade procedure that would eliminate
> >the need for this.) It'd be nice to replace the binary, kill the
> >task, restart, and go... nice and quick, so that users don't
> >notice and no mail is lost or delayed appreciably.
> >
> >--Brett
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 24 9:48:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lists.eahd.or.ug (wawa.eahd.or.ug [216.129.132.164]) by hub.freebsd.org (Postfix) with ESMTP id F0CFA37B407 for ; Fri, 24 Aug 2001 09:48:10 -0700 (PDT) (envelope-from patrick@eahd.or.ug)
Received: from spice.eahd.or.ug (unknown [216.129.132.178]) by lists.eahd.or.ug (Postfix) with ESMTP id 6332BD1446; Fri, 24 Aug 2001 20:00:21 +0000 (GMT)
Date: Fri, 24 Aug 2001 20:51:01 +0300 (EAT)
From: Patrick
To: Per Claesson
Cc: 
Subject: Re: Patch problem
In-Reply-To: <01d301c12cba$2f804840$0200a8c0@priya>
Message-ID: <20010824204855.C2147-100000@nemesis.eahd.or.ug>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

On Fri, 24 Aug 2001, Per Claesson wrote:

> When trying to install the latest tcp-wrappers patch I get the following message:
>
> # patch -p < patches/tcp_wrappers.patch
> Hmm...  Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- contrib/tcp_wrappers/socket.c   2000/09/25 00:41:55   1.5
> |+++ contrib/tcp_wrappers/socket.c   2001/07/04 20:16:18   1.6
> --------------------------
> File to patch:
>
> What should I do?

Make sure you do this in the directory /usr/src (if you have your sources). If it still asks for that, then type /usr/src/contrib/tcp_wrappers/socket.c (if that file exists on your system).

HTH
Patrick.
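Patrick's answer turns on where patch(1) resolves the path in the diff header: "contrib/tcp_wrappers/socket.c" is relative to /usr/src, so when run from any other directory (or on a box with no sources installed) patch finds nothing and falls back to the interactive "File to patch:" prompt. The following is an added example by the editor, not code from the advisory or from anyone on the list: a POSIX sh pre-flight that reads the "+++" headers of a unified diff, strips the same number of leading path components that "patch -pN" would, and refuses to continue unless every target exists under the chosen source tree. It also verifies the detached ".asc" signature the advisory tells you to download, if it sits next to the patch. The function names (patch_targets, preflight, apply_patch) are the editor's own, the strip count is passed explicitly rather than relying on patch's default, and the sample diff below is constructed to mirror the header Per posted.

```shell
# Added example: pre-flight checks before applying a FreeBSD advisory patch
# from the source tree. Not from the advisory or the list; names are my own.

# patch_targets PATCHFILE STRIP
# Print the files a unified diff modifies, with STRIP leading path components
# removed, i.e. the names "patch -pSTRIP" would look for relative to the cwd.
patch_targets() {
    awk -v strip="$2" '
        /^\+\+\+ / {
            n = split($2, parts, "/")          # $2 is the path after "+++ "
            out = ""
            for (i = strip + 1; i <= n; i++)
                out = out (out == "" ? "" : "/") parts[i]
            print out
        }' "$1"
}

# preflight SRCDIR PATCHFILE STRIP
# Succeed only if every file the patch touches exists under SRCDIR; otherwise
# list the missing ones on stderr and fail. Running this before patch(1)
# turns the interactive "File to patch:" prompt into a clear error (wrong
# directory, or no sources installed).
preflight() {
    srcdir=$1; patchfile=$2; strip=$3; missing=0
    for f in $(patch_targets "$patchfile" "$strip"); do
        if [ ! -f "$srcdir/$f" ]; then
            echo "missing: $srcdir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# apply_patch SRCDIR PATCHFILE STRIP
# Verify the detached signature shipped as PATCHFILE.asc (when it is present
# next to the patch), run the pre-flight, then apply from inside SRCDIR.
apply_patch() {
    srcdir=$1; patchfile=$2; strip=$3
    if [ -f "$patchfile.asc" ]; then
        gpg --verify "$patchfile.asc" "$patchfile" || return 1
    fi
    preflight "$srcdir" "$patchfile" "$strip" || return 1
    (cd "$srcdir" && patch -p"$strip" < "$patchfile")
}

# For the header Per posted (paths relative to /usr/src) the call would be:
#   apply_patch /usr/src /path/to/tcp_wrappers.patch 0
```

With the pre-flight in place the failure Per saw becomes "missing: /some/dir/contrib/tcp_wrappers/socket.c" and a non-zero exit instead of a prompt, which is what you want from an unattended patch run across several machines.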
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 24 10:47:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 7775737B412 for ; Fri, 24 Aug 2001 10:47:26 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id f7OHl2172284; Fri, 24 Aug 2001 13:47:02 -0400 (EDT) (envelope-from str) Date: Fri, 24 Aug 2001 13:47:02 -0400 (EDT) From: Igor Roshchin Message-Id: <200108241747.f7OHl2172284@giganda.komkon.org> To: brett@lariat.org Subject: Re: Updating Sendmail Cc: security@freebsd.org In-Reply-To: <4.3.2.7.2.20010824093513.048b8dc0@localhost> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett: As somebody already mentioned, an updated sendmail is avialable in ports collection. Just build it there, and install. Unless you change the destination directory, it installs everything in /usr/local/..., so you'll have to change your starting path in /etc/rc.conf Also, edit /etc/mail/mailer.conf (if you want to read about this file, man mailwrapper) For smrsh, you'll need to change the path to it in your /etc/mail/sendmail.cf If you have any links in /usr/libexec/sm.bin, do cp -RP /usr/libexec/sm.bin /usr/local/libexec/sm.bin and correct the link to the new location of vacation(1) (/usr/local/bin/vacation) I hope I didn't miss anything. Take a look at pkg-plist in /usr/ports/mail/sendmail - it does not seem to install any configuration files you were worrying about. Why worry about somethings without looking at it ? 
...ports/mail/sendmail#less pkg-plist @comment $FreeBSD: ports/mail/sendmail/pkg-plist,v 1.3 2001/06/15 17:27:58 dinoe x Exp $ bin/hoststat bin/mailq bin/newaliases bin/purgestat bin/rmail bin/vacation libexec/mail.local libexec/smrsh sbin/mailstats sbin/makemap sbin/praliases sbin/sendmail %%PORTDOCS%%share/doc/sendmail/DEVTOOLS %%PORTDOCS%%share/doc/sendmail/SENDMAIL %%PORTDOCS%%share/doc/sendmail/MAIL.LOCAL %%PORTDOCS%%share/doc/sendmail/SMRSH ---------------------- Hope, that helps. Igor > From owner-freebsd-security@FreeBSD.ORG Fri Aug 24 11:44:08 2001 > Date: Fri, 24 Aug 2001 09:40:06 -0600 > To: David Pick , Spades > From: Brett Glass > Subject: Re: Updating Sendmail > Cc: security@FreeBSD.ORG > > At 09:27 AM 8/24/2001, David Pick wrote: > > >Sorry, I think (now) Brett was asking how to build sendmail > >*as included in the base OS* without doing a full OS build. > >I don't know the answer to that one. > > The other thing I don't want to do is clobber vital files on > a working server or take the server down for very long. Installing > Sendmail from scratch, or even rebuilding it, could clobber the > .mc, .cf, aliases, et cetera. (Yes, I plan to back these up, but > it'd be nice if there were an upgrade procedure that would eliminate > the need for this.) It'd be nice to replace the binary, kill the > task, restart, and go... nice and quick, so that users don't > notice and no mail is lost or delayed appreciably. 
>
> --Brett
>

From owner-freebsd-security Fri Aug 24 10:56:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from train.zsk.lub.pl (train.zsk.lub.pl [62.233.130.73]) by hub.freebsd.org (Postfix) with ESMTP id 014C537B40C for ; Fri, 24 Aug 2001 10:56:21 -0700 (PDT) (envelope-from siedar@zsk.lub.pl)
Received: from haven (pl105.lublin.sdi.tpnet.pl [217.96.195.105]) by train.zsk.lub.pl (8.11.6/8.11.1) with SMTP id f7OHrRp55797; Fri, 24 Aug 2001 19:53:27 +0200 (CEST) (envelope-from siedar@zsk.lub.pl)
Message-ID: <00dc01c12cc5$c09d2c70$1900000a@haven>
From: "Dariusz Siedlecki"
To: , "Brett Glass"
References: <4.3.2.7.2.20010824084523.048664e0@localhost>
Subject: Re: Updating Sendmail
Date: Fri, 24 Aug 2001 19:53:53 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I've got a few systems which need to be updated to patch the Sendmail
> local root exploit. Does FreeBSD have 8.11.6 as a package in the ports
> collection? I'd rather not do a full build on each machine.

I have updated just the Sendmail, and I also made a package
on FreeBSD 4.3 Stable, so if you need it, it's under the link below:

http://www.zsk.lub.pl/~siedar/sendmail-8.11.6.tgz

Greetings
siedar

From owner-freebsd-security Fri Aug 24 12:18:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 9745B37B40B for ; Fri, 24 Aug 2001 12:18:22 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 2299166D1C; Fri, 24 Aug 2001 12:18:22 -0700 (PDT)
Date: Fri, 24 Aug 2001 12:18:21 -0700
From: Kris Kennaway
To: Marcio d'Avila Scheibler
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Help with Binary Upgrade Packages
Message-ID: <20010824121821.A81523@xor.obsecurity.org>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from marcio@cpd.ufsm.br on Fri, Aug 24, 2001 at 11:02:17AM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Aug 24, 2001 at 11:02:17AM -0300, Marcio d'Avila Scheibler wrote:

> For instance, suppose we have two hypothetical advisories #102 and
> #105, with their respective binary upgrade packages, and due to
> the problem, both replace the same file, /usr/lib/somelib.so,
> but #102 also replaces other files that #105 does not and
> so on...
>
> Suppose that at a first time, I installed just
> patch-something-105.tgz, will the applied /usr/lib/somelib.so
> file also incorporate fix #102 ?
Not completely. The #105 patch will only change /usr/lib/somelib.so to include both fixes to that file, but that may break other binaries which were patched by your #102. This situation hasn't arisen yet in RELENG_4_3, but we'd install a dependency in the package to make sure you have #102 already installed so you can't shoot your foot off.

> At a second time, I install an optional component/set/feature
> that I didn't need before. Since this optional component had
> some announced bugs, I needed to install patch-something-102.tgz.

This is trickier to guard against. If you do this, then you'll have to remove and reapply all of the binary patches which apply to the new files.

> Will we need to retrieve and install the complete sequence of
> binary upgrades no matter about not used features ?

If you're not using something and know you never will, and leaving it unpatched won't compromise your system (e.g. you don't have local users), it's theoretically safe to leave it unpatched. Of course, it's dangerous if you decide 2 months down the line to set up that feature, and forget about the unpatched vulnerability. Probably best to apply them all and be safe.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7hqh9Wry0BWjoQKURAnPGAKCQQExKTKj8ijxGImzSJAZqKA5EmgCZATZ4
z5JGowvCj/NeK0lyNGJdKIA=
=/KCr
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Aug 24 13:50:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from saigon.cpd.ufsm.br (saigon.cpd.ufsm.br [200.18.32.130]) by hub.freebsd.org (Postfix) with ESMTP id D6E6037B408 for ; Fri, 24 Aug 2001 13:50:33 -0700 (PDT) (envelope-from marcio@cpd.ufsm.br)
Received: from marcio by saigon.cpd.ufsm.br with local (Exim 3.16 #7) id 15aNtR-0007T4-00; Fri, 24 Aug 2001 17:49:29 -0300
Date: Fri, 24 Aug 2001 17:49:29 -0300 (GRNLNDST)
From: Marcio d'Avila Scheibler
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Help with Binary Upgrade Packages
In-Reply-To: <20010824121821.A81523@xor.obsecurity.org>
Message-ID:
X-Mailer: Pine 4.05
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Ok, thanks...
------------------------------------------------------------------------------
Marcio d'Avila Scheibler - Divisao de Suporte (marcio@cpd.ufsm.br)
Centro de Processamento de Dados - Campus Universitario - CEP 97105-900
Universidade Federal de Santa Maria - RS - Brasil
=============================================================================

From owner-freebsd-security Fri Aug 24 15:52:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from softweyr.com (mail.dobox.com [208.187.122.44]) by hub.freebsd.org (Postfix) with ESMTP id BE34037B406 for ; Fri, 24 Aug 2001 15:52:29 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from localhost ([127.0.0.1] helo=softweyr.com) by softweyr.com with esmtp (Exim 3.33 #1) id 15aPxT-0000Cr-00; Fri, 24 Aug 2001 17:01:47 -0600
Message-ID: <3B86DCDB.FBF5AD91@softweyr.com>
Date: Fri, 24 Aug 2001 17:01:47 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: Updating Sendmail
References: <4.3.2.7.2.20010824084523.048664e0@localhost> <4.3.2.7.2.20010824090638.04896420@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Brett Glass wrote:
>
> At 09:13 AM 8/24/2001, Wes Peters wrote:
>
> >If you have a machine with a current build on it, you should be able to
> >build from the sendmail directory, then install the binaries on all of
> >your machines.
>
> You're assuming that the machine has more than a current build.... It
> needs to have full sources. I rarely install full sources on any machine;
> too much code that will never be touched. Unless I'm specifically hacking
> on part of FreeBSD, it's binaries only.

Right. In your case, where you have a number of customers, you may find it useful to keep one of your own machines up to date with either -STABLE or the RELEASE_4_3 branch, so you can build up to date binaries. You could then install these binaries in your client machines, using a network, a USB Zip drive, or whatever transport presents itself. This is essentially what is found in the binary update packages.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Sat Aug 25 9:25:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp-server2.tampabay.rr.com (smtp-server2.cfl.rr.com [65.32.2.69]) by hub.freebsd.org (Postfix) with ESMTP id C948F37B405 for ; Sat, 25 Aug 2001 09:25:08 -0700 (PDT) (envelope-from colk@tampabay.rr.com)
Received: from kriss (24161242hfc240.tampabay.rr.com [24.161.242.240]) by smtp-server2.tampabay.rr.com (8.11.2/8.11.2) with SMTP id f7PGP7j05016 for ; Sat, 25 Aug 2001 12:25:07 -0400 (EDT)
Message-ID: <001901c12d82$8083bc40$f0f2a118@tampabay.rr.com>
From: "Kristen Doyle"
To: "Moo Moo Moo"
Subject: Question
Date: Sat, 25 Aug 2001 12:25:01 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0016_01C12D60.F61B9E40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org
Does anyone know if shutdown should be setuid to work or if it doesn't need it?
From owner-freebsd-security Sat Aug 25 10:20:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp-server1.tampabay.rr.com (smtp-server1.cfl.rr.com [65.32.2.68]) by hub.freebsd.org (Postfix) with ESMTP id AF43537B403 for ; Sat, 25 Aug 2001 10:20:18 -0700 (PDT) (envelope-from colk@tampabay.rr.com)
Received: from kriss (24161242hfc240.tampabay.rr.com [24.161.242.240]) by smtp-server1.tampabay.rr.com (8.11.2/8.11.2) with SMTP id f7PHKD220856; Sat, 25 Aug 2001 13:20:17 -0400 (EDT)
Message-ID: <000b01c12d8a$350d85e0$f0f2a118@tampabay.rr.com>
From: "Kristen Doyle"
To: "Mike" , "Moo Moo Moo"
References: <001901c12d82$8083bc40$f0f2a118@tampabay.rr.com> <006001c12d83$2ada4d80$0700a8c0@com.home.com>
Subject: Re: Question
Date: Sat, 25 Aug 2001 13:20:08 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0008_01C12D68.A9806FE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

As I thought, I believe someone exploited that to reboot the box (it's a shell server with about 20 users on it, so I only want shutdown really working from su or with a password).

----- Original Message -----
From: Mike
To: Kristen Doyle
Sent: Saturday, August 25, 2001 12:29 PM
Subject: Re: Question

No, shutdown does not need to be suid, but if you do set it -s then I would chmod 700 it.

-Mike

----- Original Message -----
From: Kristen Doyle
To: Moo Moo Moo
Sent: Saturday, August 25, 2001 12:25 PM
Subject: Question

Does anyone know if shutdown should be setuid to work or if it doesn't need it?
From owner-freebsd-security Sat Aug 25 11:15:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 938C937B40A for ; Sat, 25 Aug 2001 11:15:52 -0700 (PDT) (envelope-from davidk@accretivetg.com)
Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f7PHB2U76112; Sat, 25 Aug 2001 10:11:08 -0700 (PDT)
Date: Sat, 25 Aug 2001 10:11:02 -0700 (PDT)
From: David Kirchner
X-X-Sender:
To: Kristen Doyle
Cc: Mike , Moo Moo Moo
Subject: Re: Question
In-Reply-To: <000b01c12d8a$350d85e0$f0f2a118@tampabay.rr.com>
Message-ID: <20010825095954.I38221-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I'm not aware of any exploits for the shutdown command. If shutdown was used, you'll see it in the 'last' output and in /var/log/messages.

On all of my FreeBSD systems, shutdown is setuid-root and is also owned by the operator group, so anyone in operator can reboot the box through shutdown.

Without more information, I would guess that your server was rebooted through a different exploit, or perhaps it rebooted because it panic'd and you have DDB and DDB_UNATTENDED (IIRC) configured in the kernel.
On Sat, 25 Aug 2001, Kristen Doyle wrote:

> As I thought, I believe someone exploited that to reboot the box (it's a shell server with about 20 users on it, so I only want shutdown really working from su or with a password)
> ----- Original Message -----
> From: Mike
> To: Kristen Doyle
> Sent: Saturday, August 25, 2001 12:29 PM
> Subject: Re: Question
>
>
> No, shutdown does not need to be suid, but if you do set it -s then I would chmod 700 it.
> -Mike
> ----- Original Message -----
> From: Kristen Doyle
> To: Moo Moo Moo
> Sent: Saturday, August 25, 2001 12:25 PM
> Subject: Question
>
>
> Does anyone know if shutdown should be setuid to work or if it doesn't need it?
>

From owner-freebsd-security Sat Aug 25 11:54: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp-server3.tampabay.rr.com (smtp-server3.tampabay.rr.com [65.32.1.41]) by hub.freebsd.org (Postfix) with ESMTP id CEFCD37B409 for ; Sat, 25 Aug 2001 11:53:57 -0700 (PDT) (envelope-from colk@tampabay.rr.com)
Received: from kriss (24161242hfc240.tampabay.rr.com [24.161.242.240]) by smtp-server3.tampabay.rr.com (8.11.2/8.11.2) with SMTP id f7PIrmU18699; Sat, 25 Aug 2001 14:53:49 -0400 (EDT)
Message-ID: <001201c12d97$46124a80$f0f2a118@tampabay.rr.com>
From: "Kristen Doyle"
To: "David Kirchner"
Cc: "Mike" , "Moo Moo Moo"
References: <20010825095954.I38221-100000@localhost>
Subject: Re: Question
Date: Sat, 25 Aug 2001 14:53:46 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Ahh ok, I guess it must have panicked.

What kinds of things would make it panic?

----- Original Message -----
From: "David Kirchner"
To: "Kristen Doyle"
Cc: "Mike" ; "Moo Moo Moo"
Sent: Saturday, August 25, 2001 1:11 PM
Subject: Re: Question

> I'm not aware of any exploits for the shutdown command. If shutdown was
> used, you'll see it in the 'last' output and in /var/log/messages.
>
> On all of my FreeBSD systems, shutdown is setuid-root and is also owned by
> the operator group, so anyone in operator can reboot the box through
> shutdown.
>
> Without more information, I would guess that your server was rebooted
> through a different exploit, or perhaps it rebooted because it panic'd and
> you have DDB and DDB_UNATTENDED (IIRC) configured in the kernel.
>
> On Sat, 25 Aug 2001, Kristen Doyle wrote:
>
> > As I thought, I believe someone exploited that to reboot the box (it's a shell server with about 20 users on it, so I only want shutdown really working from su or with a password)
> > ----- Original Message -----
> > From: Mike
> > To: Kristen Doyle
> > Sent: Saturday, August 25, 2001 12:29 PM
> > Subject: Re: Question
> >
> >
> > No, shutdown does not need to be suid, but if you do set it -s then I would chmod 700 it.
> > -Mike
> > ----- Original Message -----
> > From: Kristen Doyle
> > To: Moo Moo Moo
> > Sent: Saturday, August 25, 2001 12:25 PM
> > Subject: Question
> >
> >
> > Does anyone know if shutdown should be setuid to work or if it doesn't need it?
> >
>
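Igor Roshchin's checklist earlier in this archive (port installs under /usr/local, fix the start path in /etc/rc.conf, edit /etc/mail/mailer.conf, point the smrsh path in sendmail.cf at the new location, copy /usr/libexec/sm.bin and re-point the vacation link) is easy to get half right. The script below is an added example, not code from the thread or from the FreeBSD project: it audits a tree for each of those steps and counts what is still pointing at the base-system sendmail. It assumes `sendmail_program` is the rc.conf variable that selects the sendmail binary, and it runs against a constructed directory tree (`make_fixture`) rather than a live system, so it can be exercised offline; point it at `/` to check a real host.

```shell
#!/bin/sh
# Added example: audit a sendmail-from-ports migration against the checklist
# from the thread. Every path is taken relative to a root directory so the
# check can run on a constructed tree; use "/" for the live system.

# Print one line per problem and return the number of problems (0 = clean).
check_sendmail_migration() {
    root=$1
    problems=0

    # 1. rc.conf must start the port's binary. sendmail_program is assumed to
    #    be the rc.conf knob that selects the sendmail binary.
    if ! grep -q '^sendmail_program="/usr/local/sbin/sendmail"' "$root/etc/rc.conf" 2>/dev/null; then
        echo "rc.conf: sendmail_program does not point at /usr/local/sbin/sendmail"
        problems=$((problems + 1))
    fi

    # 2. every mailwrapper mapping ("sendmail  /usr/local/sbin/sendmail")
    #    must point into /usr/local, otherwise the old binary is still used.
    for bad in $(awk '!/^#/ && NF == 2 && $2 !~ /^\/usr\/local\// { print $1 }' "$root/etc/mail/mailer.conf" 2>/dev/null); do
        echo "mailer.conf: $bad still maps to a base-system binary"
        problems=$((problems + 1))
    done

    # 3. the prog mailer line (Mprog, P=...) must invoke the port's smrsh.
    if ! grep -q '^Mprog,[[:space:]]*P=/usr/local/libexec/smrsh' "$root/etc/mail/sendmail.cf" 2>/dev/null; then
        echo "sendmail.cf: Mprog does not use /usr/local/libexec/smrsh"
        problems=$((problems + 1))
    fi

    # 4. links copied with cp -RP into the new sm.bin must still resolve
    #    (vacation is the one Igor calls out).
    for link in "$root"/usr/local/libexec/sm.bin/*; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then
            echo "sm.bin: dangling link $(basename "$link") -> $(readlink "$link")"
            problems=$((problems + 1))
        fi
    done

    return $problems
}

# Build a constructed tree (not a real system) under $1 in the "migrated"
# or the "stale" state, so the check can be exercised offline.
make_fixture() {
    root=$1; state=$2
    mkdir -p "$root/etc/mail" "$root/usr/local/libexec/sm.bin" "$root/usr/local/bin"
    if [ "$state" = migrated ]; then
        echo 'sendmail_program="/usr/local/sbin/sendmail"' > "$root/etc/rc.conf"
        prefix=/usr/local
        smrsh=/usr/local/libexec/smrsh
        : > "$root/usr/local/bin/vacation"        # link target exists
    else
        echo 'sendmail_enable="YES"' > "$root/etc/rc.conf"   # still the base-system path
        prefix=/usr
        smrsh=/usr/libexec/smrsh
        # no /usr/local/bin/vacation: the copied link will dangle
    fi
    printf 'sendmail\t%s/sbin/sendmail\nmailq\t%s/sbin/sendmail\nnewaliases\t%s/sbin/sendmail\n' \
        "$prefix" "$prefix" "$prefix" > "$root/etc/mail/mailer.conf"
    printf 'Mprog,\t\tP=%s, F=lsDFMoqeu9, A=smrsh -c $u\n' "$smrsh" > "$root/etc/mail/sendmail.cf"
    ln -sf ../../bin/vacation "$root/usr/local/libexec/sm.bin/vacation"
}

# Usage: run the check against both constructed states.
tmp=$(mktemp -d)
make_fixture "$tmp/good" migrated; check_sendmail_migration "$tmp/good" && echo "good: clean"
make_fixture "$tmp/bad" stale;     check_sendmail_migration "$tmp/bad"  || echo "bad: $? problem(s)"
rm -rf "$tmp"
```

The stale tree reports six problems: the rc.conf start path, three mailer.conf entries, the smrsh path in sendmail.cf and the dangling vacation link. The return code is the problem count, so the function drops straight into a cron job or a post-install hook.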
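David Kirchner's answer above gives the two things to check before assuming shutdown was abused: whether the binary is setuid root and group operator, and what /var/log/messages (and `last`) recorded around the reboot. The script below is an added example, not code from anyone in the thread: `shutdown_perms` reports the setuid bit and group of a shutdown binary, and `classify_reboots` walks a syslog file and tags each kernel boot banner as operator-initiated (shutdown(8) logged "reboot by <user>"), a panic (savecore(8) reported a crash dump on the following boot) or unexplained. The log lines in `sample_messages` are constructed for the example, modelled on the shutdown, savecore and kernel-banner formats FreeBSD syslogs, and are not taken from the thread.

```shell
#!/bin/sh
# Added example: triage an unexpected reboot the way the thread suggests,
# by checking shutdown's mode and reading /var/log/messages.

# Report the setuid bit and group of a shutdown binary. Returns 0 if it is
# setuid, 1 if not, 2 if the file is missing. On FreeBSD it is normally
# setuid root and group operator, so operator members can reboot the box.
shutdown_perms() {
    f=${1:-/sbin/shutdown}
    [ -e "$f" ] || { echo "$f: missing"; return 2; }
    grp=$(ls -ld "$f" | awk '{ print $4 }')
    if [ -u "$f" ]; then
        echo "$f: setuid, group $grp"
        return 0
    fi
    echo "$f: not setuid, group $grp"
    return 1
}

# Classify every boot recorded in a syslog file (argument or stdin).
# Output: "<timestamp> <cause>" per boot, where cause is operator:<user>,
# panic or unexplained.
classify_reboots() {
    awk '
        # shutdown(8) syslogs "reboot by <user>: <message>" before acting.
        /shutdown: (reboot|halt|shutdown) by / {
            match($0, /by [^:]+:/)
            user = substr($0, RSTART + 3, RLENGTH - 4)
            pending = "operator:" user
            next
        }
        # The kernel copyright banner marks the start of a new boot.
        /\/kernel: Copyright \(c\)/ {
            n++
            when[n] = $1 " " $2 " " $3
            cause[n] = (pending == "" ? "unexplained" : pending)
            pending = ""
            next
        }
        # savecore(8) runs after the next boot, so it annotates the boot
        # that was just recorded rather than a later one.
        /savecore: reboot after panic/ { if (n > 0) cause[n] = "panic"; next }
        END { for (i = 1; i <= n; i++) print when[i], cause[i] }
    ' "$@"
}

# Constructed sample of /var/log/messages: one operator reboot, one panic
# reported by savecore, and one boot with nothing logged before it.
sample_messages() {
    cat <<'EOF'
Aug 25 03:12:04 kriss shutdown: reboot by alice: kernel update
Aug 25 03:12:05 kriss syslogd: exiting on signal 15
Aug 25 03:13:40 kriss /kernel: Copyright (c) 1992-2001 The FreeBSD Project.
Aug 25 09:41:30 kriss /kernel: Copyright (c) 1992-2001 The FreeBSD Project.
Aug 25 09:41:35 kriss savecore: reboot after panic: page fault
Aug 25 12:01:00 kriss /kernel: Copyright (c) 1992-2001 The FreeBSD Project.
EOF
}

# Usage: classify the sample, then look at the real binary if present.
sample_messages | classify_reboots
shutdown_perms /sbin/shutdown || :
```

The third boot in the sample is the interesting one: no shutdown record and no crash dump means either a panic on a kernel without a dump device (the DDB_UNATTENDED case David mentions), a power event, or a reboot that bypassed shutdown(8), and that is the case worth cross-checking against `last` and the console log.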