From owner-freebsd-security Sun Aug 26 5:54:34 2001
From: "Tom Beer"
Subject: [OT] ssh client
Date: Sun, 26 Aug 2001 14:52:54 +0200

Hi,

I've searched the net for a ssh client for the M$ platform that provides ssh_2_ support and uses the ssh-keygen generated keys. Neither putty nor the ssh client of the ssh foundation won't work. What I need is a ssh client which accepts my private key so that I can connect to my firewall without password auth. Any pointers?

Thanks Tom

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 26 6: 3:18 2001
From: Allen Landsidel
To: "Tom Beer"
Subject: Re: [OT] ssh client
Date: Sun, 26 Aug 2001 09:03:13 -0400

At 14:52 8/26/2001 +0200, Tom Beer wrote:
>Hi,
>
>I've searched the net for a ssh client for the M$
>platform that provides ssh_2_ support and uses
>the ssh-keygen generated keys. Neither putty nor
>the ssh client of the ssh foundation won't work.
>What I need is a ssh client which accepts my private key
>so that I can connect to my firewall without password
>auth. Any pointers?

You may want to try SecureCRT by vandyke.. it's what I use.

http://www.vandyke.com

I haven't tried it with the key-auth.. I use password because I feel it's more secure in the sense that someone doesn't just have to hack my box and get my keys to get access to the rest of my boxes.. and I can also login from insecure environments (like at my office) without fear that while I'm away somebody is copying the keys.

From owner-freebsd-security Sun Aug 26 7:17: 5 2001
From: Ralph Huntington
To: Tom Beer
Subject: Re: [OT] ssh client
Date: Sun, 26 Aug 2001 10:19:18 -0400 (EDT)

> I've searched the net for a ssh client for the M$ platform that
> provides ssh_2_ support and uses the ssh-keygen generated keys.
> Neither putty nor the ssh client of the ssh foundation won't work.
> What I need is a ssh client which accepts my private key so that I can
> connect to my firewall without password auth. Any pointers?

SecureCRT from Van Dyke Technologies. http://www.vandyke.com/

I like SecureCRT; it's versatile, it works, and it offers a choice of password or public key authentication for ssh2. I am not connected with Van Dyke in any way except as a customer and user of their products.

-=r=-

From owner-freebsd-security Sun Aug 26 10:48:59 2001
From: Lance Uyehara
To: "Tom Beer"
Subject: Re: [OT] ssh client
Date: Sun, 26 Aug 2001 10:48:55 -0700

I use securecrt which is great, but colleagues at work swear by teraterm (which is free), and its ssh extension.

-Lance

At 02:52 PM 8/26/01 +0200, Tom Beer wrote:
>Hi,
>
>I've searched the net for a ssh client for the M$
>platform that provides ssh_2_ support and uses
>the ssh-keygen generated keys. Neither putty nor
>the ssh client of the ssh foundation won't work.
>What I need is a ssh client which accepts my private key
>so that I can connect to my firewall without password
>auth. Any pointers?
>
>Thanks Tom

From owner-freebsd-security Sun Aug 26 11:48:33 2001
From: Sean Chittenden
To: Tom Beer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [OT] ssh client
Date: Sun, 26 Aug 2001 11:48:27 -0700

> I've searched the net for a ssh client for the M$
> platform that provides ssh_2_ support and uses
> the ssh-keygen generated keys. Neither putty nor
> the ssh client of the ssh foundation won't work.
> What I need is a ssh client which accepts my private key
> so that I can connect to my firewall without password
> auth. Any pointers?

Are you sure putty won't work?
I think it's got an agent that you can load a key/identity into and log into... I could be wrong though. -sc

--
Sean Chittenden

From owner-freebsd-security Sun Aug 26 16:49:18 2001
From: Bill.Melvin@esc.edu
To: "Tom Beer"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [OT] ssh client
Date: Sun, 26 Aug 2001 19:37:21 -0400

try the Cygwin kit (if you don't mind the GPL):

http://www.cygwin.com/

which gives you the bonus of bash and all your other favorite Unix-like hits.

and look at ssh-agent(1) for a good compromise between passwordless keys and entering your passphrase every time.

/b

From owner-freebsd-security Sun Aug 26 17:18:39 2001
From: Vladimir Pianykh
Subject: login.conf
Date: Sun, 26 Aug 2001 21:22:55 -0300 (ART)

Hi!

I have one question about login.conf file.

How can I split different classes for different daemons, for example one for apache and another for mysqld, because I agree that sql-servers need so many resources, but I don't trust users who make php-scripts when they are going to use recursive methods.

In the handbook it is written about class daemon for every daemon.

I tried to assign httpd to a class, but it does not work.

Thank you.

Best regards,
Vladimir.

From owner-freebsd-security Sun Aug 26 17:20:21 2001
From: "Mike Roest"
To: "'Tom Beer'"
Subject: RE: [OT] ssh client
Date: Sun, 26 Aug 2001 18:22:52 -0600

If you like free (not SecureCRT) you can grab the devel snapshot of Putty. It does support SSH2.

--Mike

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Tom Beer
Sent: Sunday, August 26, 2001 6:53 AM
To: freebsd-security@FreeBSD.ORG
Subject: [OT] ssh client

Hi,

I've searched the net for a ssh client for the M$ platform that provides ssh_2_ support and uses the ssh-keygen generated keys. Neither putty nor the ssh client of the ssh foundation won't work. What I need is a ssh client which accepts my private key so that I can connect to my firewall without password auth. Any pointers?

Thanks Tom

From owner-freebsd-security Sun Aug 26 17:36:11 2001
From: Chris BeHanna
Subject: Re: [OT] ssh client
Date: Sun, 26 Aug 2001 20:37:04 -0400 (EDT)

On Sun, 26 Aug 2001, Sean Chittenden wrote:

> > I've searched the net for a ssh client for the M$
> > platform that provides ssh_2_ support and uses
> > the ssh-keygen generated keys. Neither putty nor
> > the ssh client of the ssh foundation won't work.
> > What I need is a ssh client which accepts my private key
> > so that I can connect to my firewall without password
> > auth. Any pointers?
>
> Are you sure putty won't work? I think it's got an agent that
> you can load a key/identity into and log into... I could be wrong
> though. -sc

It does indeed, but it won't grok DSA keys.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Sun Aug 26 17:44:41 2001
From: Sean Chittenden
To: Chris BeHanna
Cc: security@freebsd.org
Subject: Re: [OT] ssh client
Date: Sun, 26 Aug 2001 17:44:32 -0700

> > Are you sure putty won't work? I think it's got an agent that
> > you can load a key/identity into and log into... I could be wrong
> > though. -sc
>
> It does indeed, but it won't grok DSA keys.

Bummer. Putty supports SSH 2... strikes me as odd that it doesn't. Documentation says it doesn't, or did you try? Remember dsa keys are stored in a different file, or does this work through a UI of sorts?
-sc

PS I don't know one way or the other, just tossing out some leading Q's.

--
Sean Chittenden

From owner-freebsd-security Sun Aug 26 18:13:55 2001
From: Chris BeHanna
Subject: Re: [OT] ssh client
Date: Sun, 26 Aug 2001 21:14:49 -0400 (EDT)

On Sun, 26 Aug 2001, Sean Chittenden wrote:

> > > Are you sure putty won't work? I think it's got an agent that
> > > you can load a key/identity into and log into... I could be wrong
> > > though. -sc
> >
> > It does indeed, but it won't grok DSA keys.
>
> Bummer. Putty supports SSH 2... strikes me as odd that it
> doesn't. Documentation says it doesn't, or did you try? Remember dsa
> keys are stored in a different file, or does this work through a UI of
> sorts?
> -sc

At least with the current version that I'm using (which may be behind the times), there are no options to generate anything other than RSA keys. I assumed that meant that you could only add RSA keys to Pageant.

I agree with another poster: use Cygwin's ssh instead. It's far and away superior to putty, securecrt, teraterm, etc.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Sun Aug 26 19:42:55 2001
From: Eugene Grosbein
To: Vladimir Pianykh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: login.conf
Date: Mon, 27 Aug 2001 10:42:12 +0800

Vladimir Pianykh wrote:

> How can I split different classes for different daemons, for example one
> for apache and another for mysqld, because I agree that sql-servers need
> so many resources, but I don't trust users who make php-scripts when
> they are going to use recursive methods.
>
> In the handbook it is written about class daemon for every daemon.
>
> I tried to assign httpd to a class, but it does not work.

You will have to patch your httpd to support login classes or force limits with su(1)

Eugene Grosbein

From owner-freebsd-security Sun Aug 26 21:48:14 2001
From: Boris Köster
To: michael dreves
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kerberosIV
Date: Mon, 27 Aug 2001 06:47:57 +0200

Hello michael,

Wednesday, August 22, 2001, 2:42:36 PM, you wrote:

md> hi,
md> kinit: Retry count exceeded (send_to_kdc)
md> anyone have a hint?

Here is a hint from my book I am writing.
If you did a fresh install of KerberosIV, the error Retry count exceeded is nothing special and happens on a lot of machines. Try this: restart your server (yes!), start kerberos manually.

Tip: don't use kerberosIV! If you really don't need Kerberos, don't use it.

--
Boris Köster [MCSE, CNA]
Maintainer of FreeBSD IPSEC-MiniHowto
http://www.x-itec.de/projects/tuts/ipsec-howto.txt
QSP: Qmail Spamkiller Project: http://www.x-itec.de/QSP

Everything I am writing is (c) by Boris Köster and may not be rewritten or distributed in any way without my permission.

From owner-freebsd-security Mon Aug 27 0:19:43 2001
From: "default"
Subject: Logins without full password!
Date: Mon, 27 Aug 2001 02:15:22 -0500

Hi,

I just noticed that on one of my FreeBSD machines, one is able to login via any means by typing in only the first 8 or so characters of the password. You can also type the first 8 characters and anything else after that, for example if the password were password, one could type: 'passwordxxxxxxx' and be able to login!

I'm not too worried as this is only a test machine that I keep on my internal network, however, I would like to know how it works...

Is this normal? How does one disable this?

Thanks,

Jordan

From owner-freebsd-security Mon Aug 27 1: 4: 2 2001
From: "default"
To: "Colin Percival"
Subject: Re: Logins without full password!
Date: Mon, 27 Aug 2001 02:59:16 -0500

Doh, ... hmmm there must be some reason why they installed it that way ... are there any compatibility issues with MD5? ... How would one change over from DES to MD5? (without having to re-install)

Thanks for your help,

Jordan

----- Original Message -----
From: "Colin Percival"
To: "default"
Sent: Monday, August 27, 2001 2:51 AM
Subject: Re: Logins without full password!

> Sounds like you're using DES-encrypted passwords. This is much weaker
> than MD5 encryption, and as you've noticed, only uses the first 8
> characters of a password.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html
>
> At 02:15 AM 8/27/2001 -0500, you wrote:
> >Hi,
> >
> >I just noticed that on one of my FreeBSD machines, one is able to login via
> >any means by typing in only the first 8 or so characters of the password.
> >You can also type the first 8 characters and anything else after that, for
> >example if the password were password, one could type: 'passwordxxxxxxx' and
> >be able to login!
> >
> >I'm not too worried as this is only a test machine that I keep on my
> >internal network, however, I would like to know how it works...
> >
> >Is this normal? How does one disable this?
> >
> >Thanks,
> >
> >Jordan

From owner-freebsd-security Mon Aug 27 1: 4:25 2001
From: Kincho
To: security@freebsd.org
Subject: Re: [OT] ssh client
Date: Mon, 27 Aug 2001 09:53:21 +0200

Hi

TeraTerm Pro is a sophisticated and functional terminal emulator that provides ssh2 extensions.
I'm not sure about its license but I think it's free (of payment). Search it at Google..

At 14.52 26/8/01 +0200, you wrote:
>Hi,
>
>I've searched the net for a ssh client for the M$
>platform that provides ssh_2_ support and uses
>the ssh-keygen generated keys. Neither putty nor
>the ssh client of the ssh foundation won't work.
>What I need is a ssh client which accepts my private key
>so that I can connect to my firewall without password
>auth. Any pointers?
>
>Thanks Tom

From owner-freebsd-security Mon Aug 27 2: 9:57 2001
From: Kris Kennaway
To: default
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Logins without full password!
Date: Mon, 27 Aug 2001 02:09:47 -0700

On Mon, Aug 27, 2001 at 02:15:22AM -0500, default wrote:

> Is this normal?

It's the expected behaviour for legacy DES passwords (only useful if you need to share the same password file with other UNIX systems, which isn't likely)

> How does one disable this?

There's a login capability for setting the default password format (MD5 is the one you want) -- see login.conf(5).

Kris

From owner-freebsd-security Mon Aug 27 2:44:10 2001
Message-ID: <0b3501c12edc$a6d452a0$2e800e18@mcity1.la.home.com> From: "agalland2" To: , , "default" References: Subject: Re: Logins without full password! Date: Mon, 27 Aug 2001 04:42:56 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I am trying to get out (unsubscribe) from all of these groups involved with majordomo@FreeBSD.org but no matter what I do I continue getting many e-mails from them. Do me a favor and complain about me, maybe they will drop me from their mailing list. complain !!! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 3:17: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id D600B37B406 for ; Mon, 27 Aug 2001 03:16:57 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 3153 invoked by uid 1000); 27 Aug 2001 10:15:25 -0000 Date: Mon, 27 Aug 2001 13:15:25 +0300 From: Peter Pentchev To: agalland2 Cc: freebsd-questions@FreeBSD.ORG Subject: Re: Logins without full password! 
Message-ID: <20010827131525.H2218@ringworld.oblivion.bg> References: <0b3501c12edc$a6d452a0$2e800e18@mcity1.la.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <0b3501c12edc$a6d452a0$2e800e18@mcity1.la.home.com>; from agalland2@home.com on Mon, Aug 27, 2001 at 04:42:56AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Aug 27, 2001 at 04:42:56AM -0500, agalland2 wrote: > I am trying to get out (unsubscribe) from all of these groups involved with > majordomo@FreeBSD.org but no matter what I do I continue getting many > e-mails from them. Do me a favor and complain about me, maybe they will drop > me from their mailing list. > > complain !!! [ -security only bcc'd, this is way off-topic for that list ] How exactly were you trying to unsubscribe? Did you try following Majordomo's instructions (try sending a message with 'help' in *the body* to majordomo@FreeBSD.org)? G'luck, Peter -- This sentence would be seven words long if it were six words shorter. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 3:19:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from vindaloo.allsolutions.com.au (vindaloo.allsolutions.com.au [203.111.24.54]) by hub.freebsd.org (Postfix) with ESMTP id CF0BE37B408 for ; Mon, 27 Aug 2001 03:19:26 -0700 (PDT) (envelope-from David_May@allsolutions.com.au) Received: from roganjosh.allsolutions.com.au (roganjosh.allsolutions.com.au [192.9.200.253]) by vindaloo.allsolutions.com.au (8.9.3/8.9.3) with ESMTP id SAA52366; Mon, 27 Aug 2001 18:19:13 +0800 (WST) (envelope-from David_May@allsolutions.com.au) From: David_May@allsolutions.com.au MIME-Version: 1.0 To: Kincho Cc: security@FreeBSD.ORG Subject: Re: [OT] ssh client X-Mailer: Lotus Notes Release 5.0.7 March 21, 2001 Message-ID: Date: Mon, 27 Aug 2001 18:19:14 +0800 X-MIMETrack: Serialize by Router on Perth/All Solutions(Release 5.0.7 |March 21, 2001) at 27/08/2001 06:19:14 PM, Serialize complete at 27/08/2001 06:19:14 PM Content-Type: multipart/alternative; boundary="=_alternative 0038B15E48256AB5_=" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multipart message in MIME format. --=_alternative 0038B15E48256AB5_= Content-Type: text/plain; charset="us-ascii" I do not believe TeraTerm SSH client supports SSH2. TeraTerm does not include scp nor ssh-agent. (Nor does it support session "keep-alive".) In my own testing with PuTTY recently OpenSSH generated SSH1 keys work equally well with PuTTY and TeraTerm SSH. If you need SSH2 you might consider PuTTY instead. PuTTY does include scp and ssh-agent utilities and session "keep-alive". These are features which are valuable for us. On the other hand PuTTY is a lot less user-friendly than TeraTerm SSH for users coming from Windows. 
And I do not fancy talking a remote Windows user through setting up PuTTY! We have been using TeraTerm for a long time now but will probably migrate our users to PuTTY because the extra functionality is very useful. So long as it is as stable as TeraTerm SSH. Sent by: owner-freebsd-security@FreeBSD.ORG To: security@FreeBSD.ORG cc: Subject: Re: [OT] ssh client Hi TeraTerm Pro is a sophisticated and functional terminal emulator that provides ssh2 extensions. I'm not sure about its license but I think it's free (of payment). Search it at Google.. At 14.52 26/8/01 +0200, you wrote: >Hi, > >I've searched the net for a ssh client for the M$ >platform that provides ssh_2_ support and uses >the ssh-keygen generated keys. Neither putty nor >the ssh client of the ssh foundation won't work. >What I need is a ssh client which accepts my private key >so that I can connect to my firewall without password >auth. Any pointers? > >Thanks Tom > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message --=_alternative 0038B15E48256AB5_= Content-Type: text/html; charset="us-ascii"
--=_alternative 0038B15E48256AB5_=-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 6: 1:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 440E037B403 for ; Mon, 27 Aug 2001 06:01:12 -0700 (PDT) (envelope-from nectar@nectar.com) Received: from madman.nectar.com (madman.nectar.com [10.0.1.111]) by gw.nectar.com (Postfix) with ESMTP id 9F21447D for ; Mon, 27 Aug 2001 08:01:11 -0500 (CDT) Received: (from nectar@localhost) by madman.nectar.com (8.11.3/8.11.3) id f7RD1BR70615 for freebsd-security@freebsd.org; Mon, 27 Aug 2001 08:01:11 -0500 (CDT) (envelope-from nectar) Date: Mon, 27 Aug 2001 08:01:11 -0500 
From: "Jacques A. Vidrine" To: freebsd-security@freebsd.org Subject: procmail, squid: any takers? Message-ID: <20010827080111.D70454@madman.nectar.com> Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Url: http://www.nectar.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I haven't seen any action on these two issues, so I will handle them this week. If you already have your finger on one of them, please speak up. I know it is boring, but there still appears to be a sizable backlog of advisory to-dos. You may want to check your archive of this list if you have a moment to handle one. Cheers, -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 6: 8:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 4C88637B405 for ; Mon, 27 Aug 2001 06:07:52 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id RAA01901; Mon, 27 Aug 2001 17:06:46 +0400 (MSD) Date: Mon, 27 Aug 2001 17:06:45 +0400 
From: "Nickolay A.Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A.Kritsky" X-Priority: 3 (Normal) Message-ID: <128254731784.20010827170645@internethelp.ru> To: "Jacques A. Vidrine" Cc: freebsd-security@FreeBSD.ORG Subject: Re: procmail, squid: any takers? In-reply-To: <20010827080111.D70454@madman.nectar.com> References: <20010827080111.D70454@madman.nectar.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Jacques, Monday, August 27, 2001, 5:01:11 PM, you wrote: JAV> I haven't seen any action on these two issues, so I will handle them JAV> this week. If you already have your finger on one of them, please JAV> speak up. JAV> I know it is boring, but there still appears to be a sizable backlog JAV> of advisory to-dos. You may want to check your archive of this list JAV> if you have a moment to handle one. JAV> Cheers, I am not sure that I understood you correctly. Do you mean that squid and procmail ports have some unpatched bugs? 
WBR ;------------------------------------------- ; NKritsky ; SysAdmin InternetHelp.Ru ; http://www.internethelp.ru ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 6:15: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id AE71637B40A for ; Mon, 27 Aug 2001 06:15:04 -0700 (PDT) (envelope-from nectar@nectar.com) Received: from madman.nectar.com (madman.nectar.com [10.0.1.111]) by gw.nectar.com (Postfix) with ESMTP id 2BD8247D; Mon, 27 Aug 2001 08:15:04 -0500 (CDT) Received: (from nectar@localhost) by madman.nectar.com (8.11.3/8.11.3) id f7RDF4B70659; Mon, 27 Aug 2001 08:15:04 -0500 (CDT) (envelope-from nectar) Date: Mon, 27 Aug 2001 08:15:03 -0500 
From: "Jacques A. Vidrine" To: "Nickolay A.Kritsky" Cc: freebsd-security@FreeBSD.ORG Subject: Re: procmail, squid: any takers? Message-ID: <20010827081503.F70454@madman.nectar.com> Mail-Followup-To: "Jacques A. Vidrine" , "Nickolay A.Kritsky" , freebsd-security@FreeBSD.ORG References: <20010827080111.D70454@madman.nectar.com> <128254731784.20010827170645@internethelp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <128254731784.20010827170645@internethelp.ru>; from nkritsky@internethelp.ru on Mon, Aug 27, 2001 at 05:06:45PM +0400 X-Url: http://www.nectar.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Aug 27, 2001 at 05:06:45PM +0400, Nickolay A.Kritsky wrote: > I am not sure that I understood you correctly. Do you mean that squid > and procmail ports have some unpatched bugs? Oops, I brain-o'd the To: line. No, the squid and procmail had bugs that have been patched, but for which we have not yet issued advisories. Sorry for the confusion, -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 10:56:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from trillian.nitro.dk (213.237.101.114.adsl.kh.worldonline.dk [213.237.101.114]) by hub.freebsd.org (Postfix) with SMTP id 0F87737B406 for ; Mon, 27 Aug 2001 10:56:49 -0700 (PDT) (envelope-from simon@nitro.dk) Received: (qmail 359 invoked from network); 27 Aug 2001 17:56:47 -0000 Received: from bofh.bofh (192.168.1.3) by 0 with SMTP; 27 Aug 2001 17:56:47 -0000 Date: Mon, 27 Aug 2001 19:57:14 +0200 (CEST) 
From: Simon Nielsen X-X-Sender: To: Sean Chittenden Cc: Subject: Re: [OT] ssh client In-Reply-To: <20010826174432.C56385@rand.tgd.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, 26 Aug 2001, Sean Chittenden wrote: > > It does indeed, but it won't grok DSA keys. > Bummer. Putty supports SSH 2... strikes me as odd that it > doesn't. Documentation says it doesn't, or did you try? Remember dsa The putty homepage says it is not supported since Windows doesn't have a proper random number generator and that makes DSA unsecure. http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist.html#dsa Simon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 13:48:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id C98C437B407; Mon, 27 Aug 2001 13:48:08 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id f7RKm5k67160; Mon, 27 Aug 2001 16:48:05 -0400 (EDT) (envelope-from str) 
From: Igor Roshchin Message-Id: <200108272048.f7RKm5k67160@giganda.komkon.org> Subject: Re: procmail, squid: any takers? To: n@nectar.com (Jacques A. Vidrine) Date: Mon, 27 Aug 2001 16:48:05 -0400 (EDT) Cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG In-Reply-To: <20010827081503.F70454@madman.nectar.com> from "Jacques A. Vidrine" at Aug 27, 2001 08:15:03 AM X-Mailer: ELM [version 2.5 PL5] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > On Mon, Aug 27, 2001 at 05:06:45PM +0400, Nickolay A.Kritsky wrote: > > I am not sure that I understood you correctly. Do you mean that squid > > and procmail ports have some unpatched bugs? > > Oops, I brain-o'd the To: line. > > No, the squid and procmail had bugs that have been patched, but for > which we have not yet issued advisories. > > Sorry for the confusion, > -- > Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org > Disclaimer: I am not trying to bash anybody here, and I might not have all information available. Upon a quick look at ftp.freebsd.org/pub/FreeBSD/branches/-current/ports/mail/procmail it appears that the last changes to procmail were done on Jun 30 (It looks like the version of the procmail was updated). So, if according to Jacques, some bug was recently patched, it was probably done by the authors of procmail. (As a matter of fact, procmail does list those fixes at http://www.procmail.org/ and http://www.procmail.org/procmail.HISTORY.html ) I was not able to find any FreeBSD advisory issued on that part, It seems to be a rather long delay for an advisory, especially the one for the problem fixed by the vendor. 
(I admit, I am not sure how serious/exploitable this problem is) I am not sure about squid port, there are too many variations of that port, and in any case, I don't think researching of that makes any sense. The main point is that with the trust of the FreeBSD users to the FreeBSD core-team and security-officer(s) in particular, developed over the years of great work of FreeBSD team, people rely [well, maybe sometimes somewhat reluctantly] on the FreeBSD advisories, and their timely appearance. Regards, Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 14:45:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 4616837B406; Mon, 27 Aug 2001 14:44:56 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7RLiun71146; Mon, 27 Aug 2001 14:44:56 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Mon, 27 Aug 2001 14:44:56 -0700 (PDT) Message-Id: <200108272144.f7RLiun71146@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:57.sendmail Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:57                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          sendmail contains local root vulnerability

Category:       core
Module:         sendmail
Announced:      2001-08-27
Credits:        Cade Cairnss
Affects:        FreeBSD 4-STABLE after August 27, 2000 and prior to
                the correction date, FreeBSD 4.1.1-RELEASE, 4.2-RELEASE,
                4.3-RELEASE
Corrected:      2001-08-21 01:36:37 UTC (FreeBSD 4.3-STABLE)
                2001-08-22 05:34:11 UTC (RELENG_4_3)
FreeBSD only:   NO

I.   Background

sendmail is a mail transfer agent.

II.  Problem Description

Sendmail contains an input validation error which may lead to the
execution of arbitrary code with elevated privileges by local users.
Due to the improper use of signed integers in code responsible for the
processing of debugging arguments, a local user may be able to supply
the signed integer equivalent of a negative value supplied to
sendmail's "trace vector". This may allow a local user to write data
anywhere within a certain range of locations in process memory.
Because the '-d' command-line switch is processed before the program
drops its elevated privileges, the attacker may be able to cause
arbitrary code to be executed with root privileges.

III. Impact

Local users may be able to execute arbitrary code with root
privileges.

IV.  Workaround

Do not allow untrusted users to execute the sendmail binary.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the
RELENG_4_3 security branch after the respective correction dates.

2) FreeBSD 4.x systems after August 27, 2000 and prior to the
correction date:

The following patch has been verified to apply to FreeBSD
4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE and 4-STABLE dated prior to
the correction date.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/lib/libsmutil
# make depend && make all
# cd /usr/src/usr.sbin/sendmail
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process. This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.

If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the
process for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-01.57.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-01.57.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sendmail-01:57.tgz

Restart sendmail after applying the patch by executing the following
commands as root:

# killall sendmail
# /usr/sbin/sendmail -bd -q30m

The flags to sendmail may need to be adjusted as required for the
local system configuration.

VI.  Correction details

The following is the sendmail $Id$ revision number of the file that
was corrected for the supported branches of FreeBSD. The $Id$
revision number of the installed source can be examined using the
ident(1) command.

Revision        Path
8.20.22.4       src/contrib/sendmail/src/trace.c

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO4q+6lUuHi5z0oilAQH2xQP/e5UR1/UiVoNLjWnZr/3Ufk11/Dx0jeux
W43znQ3Hae7ZDK17bUvvJ0t3uSq7mgzP1EmHYhjWWvrVNOaKLNO2C7oiTBWeyNWj
J+hk26jZQO74mQDdZVwIr4SbE+tMTUIfEcVcXv7++ZS3xbyh3wyQKZipD5UElnLs
ek/7MzKM83E=
=Lv0A
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Aug 27 15:36:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from femail48.sdc1.sfba.home.com (femail48.sdc1.sfba.home.com [24.254.60.42]) by hub.freebsd.org (Postfix) with ESMTP id F2BE437B401 for ; Mon, 27 Aug 2001 15:36:09 -0700 (PDT) (envelope-from chris@JEAH.net) Received: from cl3112948a ([24.250.242.36]) by femail48.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010827223609.TCIM26637.femail48.sdc1.sfba.home.com@cl3112948a> for ; Mon, 27 Aug 2001 15:36:09 -0700 Message-ID: <004801c12f48$750e3260$24f2fa18@mdsn1.wi.home.com> 
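[Added example, not part of the FreeBSD-SA-01:57 advisory above and not sendmail's code: the signed-index flaw the advisory describes, reduced to a small C model beside a hardened form. The vector size, the "first-last" range syntax and every function name are assumptions made for the illustration; the flawed variant only reports the index it would write to and performs no write.]

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TVEC_SIZE 100                 /* assumed size of the debug-flag vector */
static unsigned char tvec[TVEC_SIZE];

/* Flawed pattern, step 1: accumulate digits with no overflow check and keep
 * the result in a signed 32-bit int. The wrap is modelled with unsigned
 * arithmetic so this demo has no undefined behaviour of its own. */
static int32_t parse_signed_unchecked(const char **sp)
{
    uint32_t acc = 0;
    while (**sp >= '0' && **sp <= '9')
        acc = acc * 10u + (uint32_t)(*(*sp)++ - '0');
    if (acc > (uint32_t)INT32_MAX)
        return (int32_t)((int64_t)acc - 4294967296LL);
    return (int32_t)acc;
}

/* Flawed pattern, step 2: only the upper bound is checked, on signed values.
 * Returns 1 if a fill loop "while (first <= last) vec[first++] = level"
 * would run, and stores the first index it would touch. */
static int legacy_range_accepted(const char *spec, int32_t *first_index)
{
    int32_t first = parse_signed_unchecked(&spec);
    int32_t last = first;
    if (*spec == '-') {
        spec++;
        last = parse_signed_unchecked(&spec);
    }
    if (last >= TVEC_SIZE)            /* a negative value passes this test */
        last = TVEC_SIZE - 1;
    *first_index = first;
    return first <= last;
}

/* Hardened parse: unsigned accumulator, at least one digit required, and the
 * value is rejected as soon as it leaves [0, TVEC_SIZE). Because the check
 * runs after every digit, the accumulator can never overflow. */
static int parse_bounded(const char **sp, size_t *out)
{
    size_t acc = 0;
    if (**sp < '0' || **sp > '9')
        return -1;
    while (**sp >= '0' && **sp <= '9') {
        acc = acc * 10 + (size_t)(*(*sp)++ - '0');
        if (acc >= TVEC_SIZE)
            return -1;
    }
    *out = acc;
    return 0;
}

/* Hardened form: both bounds enforced before any write. Returns the number
 * of entries set, or -1 if the input is rejected. */
static int hardened_set_range(const char *spec, unsigned char level)
{
    size_t first, last, i;
    if (parse_bounded(&spec, &first) != 0)
        return -1;
    last = first;
    if (*spec == '-') {
        spec++;
        if (parse_bounded(&spec, &last) != 0)
            return -1;
    }
    if (*spec != '\0' || first > last)
        return -1;
    for (i = first; i <= last; i++)
        tvec[i] = level;
    return (int)(last - first + 1);
}

int main(void)
{
    /* Constructed inputs: large decimal strings that wrap to negative ints. */
    const char *samples[] = { "21-23", "4294967295-3", "4294967196", "100" };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        int32_t idx = 0;
        int legacy = legacy_range_accepted(samples[n], &idx);
        int fixed = hardened_set_range(samples[n], 1);
        printf("%-14s legacy: accepted=%d first index=%ld | hardened: %d\n",
               samples[n], legacy, (long)idx, fixed);
    }
    return 0;
}
```
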
From: "chris" To: Subject: RE: Sendmail vuln Date: Mon, 27 Aug 2001 17:34:38 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 220 awww.jeah.net ESMTP Sendmail 8.11.6/8.11.4; Mon, 27 Aug 2001 17:34:26 -0500 (CDT) How do I bring it to 8.11.6/8.11.6? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 15:38:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 705FE37B405 for ; Mon, 27 Aug 2001 15:38:48 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 44633 invoked from network); 27 Aug 2001 22:38:33 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 27 Aug 2001 22:38:33 -0000 Message-ID: <000901c12f49$06c8de30$0d00a8c0@alexus> From: "alexus" To: "chris" , References: <004801c12f48$750e3260$24f2fa18@mdsn1.wi.home.com> Subject: Re: Sendmail vuln Date: Mon, 27 Aug 2001 18:38:43 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2526.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2526.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org read documentation of sendmail look carefully at m4 cf part of documentation ----- Original Message ----- 
From: "chris" To: Sent: Monday, August 27, 2001 6:34 PM Subject: RE: Sendmail vuln > 220 awww.jeah.net ESMTP Sendmail 8.11.6/8.11.4; Mon, 27 Aug 2001 > 17:34:26 -0500 (CDT) > > How do I bring it to 8.11.6/8.11.6? > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 15:51:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id B172637B401 for ; Mon, 27 Aug 2001 15:51:16 -0700 (PDT) (envelope-from emechler@radix.cryptio.net) Received: (from emechler@localhost) by radix.cryptio.net (8.11.3/8.11.3) id f7RMp1N43136; Mon, 27 Aug 2001 15:51:01 -0700 (PDT) (envelope-from emechler) Date: Mon, 27 Aug 2001 15:51:01 -0700 
From: Erick Mechler To: chris Cc: security@FreeBSD.ORG Subject: Re: Sendmail vuln Message-ID: <20010827155101.A37720@techometer.net> References: <004801c12f48$750e3260$24f2fa18@mdsn1.wi.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <004801c12f48$750e3260$24f2fa18@mdsn1.wi.home.com>; from chris on Mon, Aug 27, 2001 at 05:34:38PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The config version number ($Z macro, confCF_VERSION) is set when you re-create your .cf from your .mc. You can either set that variable in your .mc file (not necessary), or just re-create your .cf each time you upgrade Sendmail. If not explicitly set, the m4 helper files that ship with Sendmail will update it for you. --Erick At Mon, Aug 27, 2001 at 05:34:38PM -0500, chris said this: :: 220 awww.jeah.net ESMTP Sendmail 8.11.6/8.11.4; Mon, 27 Aug 2001 :: 17:34:26 -0500 (CDT) :: :: How do I bring it to 8.11.6/8.11.6? :: :: :: To Unsubscribe: send mail to majordomo@FreeBSD.org :: with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 16:27: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from barry.mail.mindspring.net (barry.mail.mindspring.net [207.69.200.25]) by hub.freebsd.org (Postfix) with ESMTP id 89BE037B401; Mon, 27 Aug 2001 16:27:05 -0700 (PDT) (envelope-from meshko@polkan2.dyndns.org) Received: from user-2ivef38.dsl.mindspring.com (user-2ivef38.dsl.mindspring.com [165.247.60.104]) by barry.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id TAA14905; Mon, 27 Aug 2001 19:27:01 -0400 (EDT) Date: Mon, 27 Aug 2001 19:27:59 -0400 (EDT) 
From: Mikhail Kruk X-X-Sender: To: Igor Roshchin Cc: "Jacques A. Vidrine" , , Subject: Re: procmail, squid: any takers? In-Reply-To: <200108272048.f7RKm5k67160@giganda.komkon.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > The main point is that with the trust of the FreeBSD users to the > FreeBSD core-team and security-officer(s) in particular, > developed over the years of great work of FreeBSD team, > people rely [well, maybe sometimes somewhat reluctantly] on the > FreeBSD advisories, and their timely appearance. I think anyone who follows advisories for some time knows that they do not go out immediately after a problem is discovered and usually it even takes some time after the problem is fixed. I realize that Security Team is doing what it can, but I think that everyone who subscribes to the list should be notified that they should not rely on the list as the main source of security information. Another possibility (which of course was discussed many times here) is to release informal warnings on the list as soon as a bug is patched and then take as long as needed to release formal advisory... I guess it's not an acceptable solution for some reason. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 16:41:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id E7D1C37B401; Mon, 27 Aug 2001 16:41:22 -0700 (PDT) (envelope-from christopher@schulte.org) Received: from schulte-laptop.schulte.org (nb-97.netbriefings.com [209.134.134.97]) by poontang.schulte.org (Postfix) with ESMTP id 1E658D14B9; Mon, 27 Aug 2001 18:41:21 -0500 (CDT) Message-Id: <5.1.0.14.0.20010827182914.00b00e88@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Mon, 27 Aug 2001 18:39:54 -0500 To: Mikhail Kruk , Igor Roshchin 
From: Christopher Schulte Subject: Re: procmail, squid: any takers? Cc: "Jacques A. Vidrine" , , In-Reply-To: References: <200108272048.f7RKm5k67160@giganda.komkon.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:27 PM 8/27/2001 -0400, Mikhail Kruk wrote: >Another possibility (which of course was discussed many times here) is to >release informal warnings on the list as soon as a bug is patched and then >take as long as needed to release formal advisory... I guess it's not >an acceptable solution for some reason. People who follow RELENG_4_X may be able to stay on top of these things easier, as we can see the changes more clearly in cvsup, and /usr/src/UPDATING now seems to document every commit to this branch. Nice new feature, IMHO. I've been aware of fixed problems long before security advisories have come out, now. I do *still* need to cvsup, or subscribe to cvs-all, or watch the cvs repo via cvsweb to know what's going on. But it's much easier than following every commit to -STABLE, since I know offhand most or all commits are security related and will probably be followed up by an advisory sooner or later. My guess is that way too much support would go into 'informal advisories' as people would be clawing the security officer to death asking for exact directions for applying patches and installing fixed binaries. This is what advisories are for! Then of course when the security officer made a typo or mistake (which would happen), the same crowd would be right there to point out the mistakes. Not to mention the madness when we have differing opinions on how to implement a source fix (remember the telnetd fiasco?). 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 16:54:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by hub.freebsd.org (Postfix) with ESMTP id 9720C37B406 for ; Mon, 27 Aug 2001 16:54:47 -0700 (PDT) (envelope-from meshko@polkan2.dyndns.org) Received: from user-2ivef38.dsl.mindspring.com (user-2ivef38.dsl.mindspring.com [165.247.60.104]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id TAA02729; Mon, 27 Aug 2001 19:54:43 -0400 (EDT) Date: Mon, 27 Aug 2001 19:55:40 -0400 (EDT) 
From: Mikhail Kruk X-X-Sender: To: Christopher Schulte Cc: Subject: Re: procmail, squid: any takers? In-Reply-To: <5.1.0.14.0.20010827182914.00b00e88@pop.schulte.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > People who follow RELENG_4_X may be able to stay on top of these things > easier, as we can see the changes more clearly in cvsup, and > /usr/src/UPDATING now seems to document every commit to this branch. Nice > new feature, IMHO. Hm... I don't see anything about sendmail in UPDATING. Also things like procmail which are ports don't go into updating anyway, right? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 16:58: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 3B96437B405 for ; Mon, 27 Aug 2001 16:58:03 -0700 (PDT) (envelope-from christopher@schulte.org) Received: from schulte-laptop.schulte.org (nb-97.netbriefings.com [209.134.134.97]) by poontang.schulte.org (Postfix) with ESMTP id E3290D14B9; Mon, 27 Aug 2001 18:58:01 -0500 (CDT) Message-Id: <5.1.0.14.0.20010827185459.022a3de0@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Mon, 27 Aug 2001 18:57:30 -0500 To: Mikhail Kruk 
From: Christopher Schulte Subject: Re: procmail, squid: any takers? Cc: In-Reply-To: References: <5.1.0.14.0.20010827182914.00b00e88@pop.schulte.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:55 PM 8/27/2001 -0400, Mikhail Kruk wrote: >Hm... I don't see anything about sendmail in UPDATING. Also things like 20010822: p14 Fix command line argument overflow probelm in sendmail. >procmail which are ports don't go into updating anyway, right? So far as I can tell, no. Just the base userland and kernel. The kind of stuff that a make world or kernel will build and install. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 17: 6:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from granger.mail.mindspring.net (granger.mail.mindspring.net [207.69.200.148]) by hub.freebsd.org (Postfix) with ESMTP id AFE2E37B401 for ; Mon, 27 Aug 2001 17:06:36 -0700 (PDT) (envelope-from meshko@polkan2.dyndns.org) Received: from user-2ivef38.dsl.mindspring.com (user-2ivef38.dsl.mindspring.com [165.247.60.104]) by granger.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id UAA19999; Mon, 27 Aug 2001 20:06:34 -0400 (EDT) Date: Mon, 27 Aug 2001 20:07:31 -0400 (EDT) 
From: Mikhail Kruk X-X-Sender: To: Christopher Schulte Cc: Mikhail Kruk , Subject: Re: procmail, squid: any takers? In-Reply-To: <5.1.0.14.0.20010827185459.022a3de0@pop.schulte.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > At 07:55 PM 8/27/2001 -0400, Mikhail Kruk wrote: > >Hm... I don't see anything about sendmail in UPDATING. Also things like > > 20010822: p14 > Fix command line argument overflow probelm in sendmail. please tell me what am I doing wrong. I'm cvsup'ing to RELENG_4. Using cvsup3.freebsd.org and grab src-all This is the beginning of my UPDATING file: 20010814: The pci attachment for pcic device was merged from current. You should update your pccardd at the same time as you update your kernel. Note: Interrupts will now be shared between the CardBus bridge and the cards. This is a change over the hand configuration before. 20010811: ... > >procmail which are ports don't go into updating anyway, right? > > So far as I can tell, no. Just the base userland and kernel. The kind of > stuff that a make world or kernel will build and install. So following UPDATING or even cvs logs isn't really enough. I still think that it would be a good idea to release informal notifications. I agree that security officer would be burried under cries for help, but I think that there is enough crap (like this discussion :) on the list already. Is it going to be that much worse? 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 17:11:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 51D8C37B407 for ; Mon, 27 Aug 2001 17:11:19 -0700 (PDT) (envelope-from christopher@schulte.org) Received: from schulte-laptop.schulte.org (nb-97.netbriefings.com [209.134.134.97]) by poontang.schulte.org (Postfix) with ESMTP id C90FBD14B9; Mon, 27 Aug 2001 19:11:17 -0500 (CDT) Message-Id: <5.1.0.14.0.20010827190703.022a6e20@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Mon, 27 Aug 2001 19:10:47 -0500 To: Mikhail Kruk 
From: Christopher Schulte Subject: Re: procmail, squid: any takers? Cc: Mikhail Kruk , In-Reply-To: References: <5.1.0.14.0.20010827185459.022a3de0@pop.schulte.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 08:07 PM 8/27/2001 -0400, Mikhail Kruk wrote: >please tell me what am I doing wrong. I'm cvsup'ing to RELENG_4. Using >cvsup3.freebsd.org and grab src-all >This is the beginning of my UPDATING file: Sorry, I was referring specifically to the 'security' branch of RELENG_4_3, not -STABLE (RELENG_4). >So following UPDATING or even cvs logs isn't really enough. I still think >that it would be a good idea to release informal notifications. I agree >that security officer would be burried under cries for help, but I think >that there is enough crap (like this discussion :) on the list already. Is >it going to be that much worse? Yes, I think it's possible. And to that, I'll refrain from anymore public replies. For now. ;-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 17:45: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 057E337B405; Mon, 27 Aug 2001 17:44:50 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 090E066E33; Mon, 27 Aug 2001 17:44:46 -0700 (PDT) Date: Mon, 27 Aug 2001 17:44:45 -0700 
From: Kris Kennaway To: Christopher Schulte Cc: Mikhail Kruk , Igor Roshchin , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Re: procmail, squid: any takers? Message-ID: <20010827174445.C48093@xor.obsecurity.org> References: <200108272048.f7RKm5k67160@giganda.komkon.org> <5.1.0.14.0.20010827182914.00b00e88@pop.schulte.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="oJ71EGRlYNjSvfq7" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.1.0.14.0.20010827182914.00b00e88@pop.schulte.org>; from christopher@schulte.org on Mon, Aug 27, 2001 at 06:39:54PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --oJ71EGRlYNjSvfq7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Aug 27, 2001 at 06:39:54PM -0500, Christopher Schulte wrote: > My guess is that way too much support would go into 'informal advisories' > as people would be clawing the security officer to death asking for exact > directions for applying patches and installing fixed binaries. This is > what advisories are for! Then of course when the security officer made a > typo or mistake (which would happen), the same crowd would be right there > to point out the mistakes. Not to mention the madness when we have > differing opinions on how to implement a source fix (remember the telnetd > fiasco?). That's exactly right. We're not going to start doing "informal advisories" for the above reasons, but there's no reason the community couldn't (or in fact shouldn't) be performing this informal support role themselves. This already happens to some extent.
People just need to be aware that interim fixes may be wrong (and in fact the "official fixes" from us may also be wrong, although we of course strive hard to avoid that case and take responsibility for correcting the incorrect information when it occurs) Kris FreeBSD Security Officer --oJ71EGRlYNjSvfq7 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7iul9Wry0BWjoQKURAiNxAKDx6Y9cs5r4nJ+x4t8oPefa9u3dBwCgnNJO nRm2Fl6wfCI6fV485MBjLvw= =tFLv -----END PGP SIGNATURE----- --oJ71EGRlYNjSvfq7-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 17:45:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 5DF9F37B405 for ; Mon, 27 Aug 2001 17:45:50 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 2784066DE9; Mon, 27 Aug 2001 17:45:49 -0700 (PDT) Date: Mon, 27 Aug 2001 17:45:49 -0700 
From: Kris Kennaway To: Mikhail Kruk Cc: Christopher Schulte , freebsd-security@FreeBSD.ORG Subject: Re: procmail, squid: any takers? Message-ID: <20010827174549.D48093@xor.obsecurity.org> References: <5.1.0.14.0.20010827182914.00b00e88@pop.schulte.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="IMjqdzrDRly81ofr" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from meshko@polkan2.dyndns.org on Mon, Aug 27, 2001 at 07:55:40PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --IMjqdzrDRly81ofr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Aug 27, 2001 at 07:55:40PM -0400, Mikhail Kruk wrote: > > People who follow RELENG_4_X may be able to stay on top of these things > > easier, as we can see the changes more clearly in cvsup, and > > /usr/src/UPDATING now seems to document every commit to this branch. Nice > > new feature, IMHO. > > Hm... I don't see anything about sendmail in UPDATING. Also things like > procmail which are ports don't go into updating anyway, right? That's not the point of UPDATING, which documents pitfalls in the upgrade procedure.
Kris --IMjqdzrDRly81ofr Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7ium8Wry0BWjoQKURAujHAJ47jnCi7GU8CVWrPNh+dgMte0opjACdH1rn jZmo83NvLqkv4zJo9vEMbkA= =m4Nb -----END PGP SIGNATURE----- --IMjqdzrDRly81ofr-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 18:35:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from backup.af.speednet.com.au (afgate.speednet.com.au [202.135.188.244]) by hub.freebsd.org (Postfix) with ESMTP id EC3BF37B403 for ; Mon, 27 Aug 2001 18:35:14 -0700 (PDT) (envelope-from andyf@speednet.com.au) Received: from backup.af.speednet.com.au (backup.af.speednet.com.au [172.22.2.4]) by backup.af.speednet.com.au (8.11.5/8.11.5) with ESMTP id f7S1Xte33601; Tue, 28 Aug 2001 11:33:58 +1000 (EST) (envelope-from andyf@speednet.com.au) Date: Tue, 28 Aug 2001 11:33:53 +1000 (EST) 
From: Andy Farkas X-X-Sender: To: Eugene Grosbein Cc: Vladimir Pianykh , Subject: Re: login.conf In-Reply-To: <3B89B384.F0A77C82@svzserv.kemerovo.su> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 27 Aug 2001, Eugene Grosbein wrote: > Vladimir Pianykh wrote: > > > How can I split different classes for different daemons, for example one > > for apache and another for mysqld, because I agree about sql-servers need > > so much resources, but I don't trust users whom make a php-scripts when > > they going to use recursive methods. > > > > In handbook written about class daemon for every daemons. > > > > I tried to assign httpd to a class, but it does not work. > > You will have to patch your httpd to support login classes > or force limits with su(1) > > Eugene Grosbein > http://www.freebsd.org/cgi/query-pr.cgi?pr=13606 -- :{ andyf@speednet.com.au Andy Farkas System Administrator Speednet Communications http://www.speednet.com.au/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Aug 27 21:50:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id DE61237B401; Mon, 27 Aug 2001 21:50:29 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id VAA11586; Mon, 27 Aug 2001 21:50:28 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda11584; Mon Aug 27 21:50:20 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id f7S4oJJ32646; Mon, 27 Aug 2001 21:50:20 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be
"cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdb32636; Mon Aug 27 21:50:03 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id f7S4nxE03079; Mon, 27 Aug 2001 21:49:59 -0700 (PDT) Message-Id: <200108280449.f7S4nxE03079@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdXU3061; Mon Aug 27 21:49:07 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: ijliao@FreeBSD.org Cc: Cy.Schubert@uumail.gov.bc.ca, freebsd-ports@FreeBSD.org, freebsd-security@FreeBSD.org Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port In-reply-to: Your message of "Sat, 18 Aug 2001 00:36:40 PDT." <200108180736.f7I7ae119043@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 27 Aug 2001 21:49:07 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <200108180736.f7I7ae119043@freefall.freebsd.org>, ijliao@FreeBSD.org writes: > Synopsis: Brand New Tripwire-2.3.1 Port > > State-Changed-From-To: open->analyzed > State-Changed-By: ijliao > State-Changed-When: Sat Aug 18 00:35:13 PDT 2001 > State-Changed-Why: > why do we need separate ports for 1.2 (tripwire), 1.3.1 (tripwire-131) > and now 2.3.1 (tripwire-231) ? > > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29137 > Originally 1.3.1 was created because it addressed some memory management issues and was a separate port the license was different enough to warrant it. Now that 2.3.1 is opensource, we can replace both 1.2 and 1.3.1 with 2.3.1. However Tripwire 1.2 and 1.3.1 do not share the same config file format as 2.3.1. For the time being that would leave 1.x users out on the limb until they've converted to 2.3.1 -- unless of course they use the default config file that comes with the any of the ports. I'm open to suggestions. What does the list think? 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 6:36:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from relay1.pair.com (relay1.pair.com [209.68.1.20]) by hub.freebsd.org (Postfix) with SMTP id 5B8A937B405 for ; Tue, 28 Aug 2001 06:36:47 -0700 (PDT) (envelope-from mailings@analogon.com) Received: (qmail 25992 invoked from network); 28 Aug 2001 13:36:41 -0000 Received: from pec-68-35.tnt4.m2.uunet.de (HELO laptop) (149.225.68.35) by relay1.pair.com with SMTP; 28 Aug 2001 13:36:41 -0000 X-pair-Authenticated: 149.225.68.35 Message-ID: <001f01c12fc6$4c975220$0901a8c0@system> 
From: "Tom Beer" To: "Simon Nielsen" , "Sean Chittenden" Cc: References: Subject: Re: [OT] ssh client Date: Tue, 28 Aug 2001 15:34:46 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org also the other mentioned ssh clients won't support my (freebsd) generated dsa keys. The format isn't supported.... Any other way? Tom > > > It does indeed, but it won't grok DSA keys. > > Bummer. Putty supports SSH 2... strikes me as odd that it > > doesn't. Documentation says it doesn't, or did you try? Remember dsa > The putty homepage says it is not supported since Windows doesn't have a > proper random number generator and that makes DSA unsecure. > > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist.html#dsa > > Simon > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 7:42: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from nebula-bsd.dyndns.org (ptldme-cmt2-c3-66-30-32-135.maine.rr.com [66.30.32.135]) by hub.freebsd.org (Postfix) with ESMTP id 08F5137B401 for ; Tue, 28 Aug 2001 07:42:00 -0700 (PDT) (envelope-from richard@nebula-bsd.dyndns.org) Received: from localhost (richard@localhost) by nebula-bsd.dyndns.org (8.11.1/8.11.1) with ESMTP id f7SEfWo36517; Tue, 28 Aug 2001 10:41:32 -0400 (EDT) (envelope-from richard@nebula-bsd.dyndns.org) Date: Tue, 28 Aug 2001 10:41:31 -0400 (EDT)
From: Richard Stanaford X-Sender: richard@localhost To: Tom Beer Cc: security@FreeBSD.ORG Subject: Re: [OT] ssh client In-Reply-To: <001f01c12fc6$4c975220$0901a8c0@system> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm surprised no one hasn't mentioned the Authority on the ssh protocol... SSH. http://www.ssh.com Their SSH client, available for both Unix and Windows is free for acedemic/non-commercial use. -Richard On Tue, 28 Aug 2001, Tom Beer wrote: > also the other mentioned ssh clients won't > support my (freebsd) generetad dsa keys. > The format isn't supported.... > Any other way? > > Tom > > > > > It does indeed, but it won't grok DSA keys. > > > Bummer. Putty supports SSH 2... strikes me as odd that it > > > doesn't. Documentation says it doesn't, or did you try? Remember dsa > > The putty homepage says it is not supported since Windows doesn't have a > > proper random number generator and that makes DSA unsecure. > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 7:49:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id CA53537B407 for ; Tue, 28 Aug 2001 07:49:04 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 3144 invoked by uid 1000); 28 Aug 2001 14:47:26 -0000 Date: Tue, 28 Aug 2001 17:47:26 +0300 
From: Peter Pentchev To: Richard Stanaford Cc: Tom Beer , security@FreeBSD.ORG Subject: Re: [OT] ssh client Message-ID: <20010828174726.A568@ringworld.oblivion.bg> Mail-Followup-To: Richard Stanaford , Tom Beer , security@FreeBSD.ORG References: <001f01c12fc6$4c975220$0901a8c0@system> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from richard@nebula-bsd.dyndns.org on Tue, Aug 28, 2001 at 10:41:31AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Aug 28, 2001 at 10:41:31AM -0400, Richard Stanaford wrote: > > > I'm surprised no one hasn't mentioned the Authority on the ssh > protocol... SSH. > > http://www.ssh.com > > Their SSH client, available for both Unix and Windows is free for > acedemic/non-commercial use. ..and does it understand OpenSSH's DSA keys? Last I checked it did not.. G'luck, Peter -- I had to translate this sentence into English because I could not read the original Sanskrit. > On Tue, 28 Aug 2001, Tom Beer wrote: > > > also the other mentioned ssh clients won't > > support my (freebsd) generetad dsa keys. > > The format isn't supported.... > > Any other way? > > > > Tom > > > > > > > It does indeed, but it won't grok DSA keys. > > > > Bummer. Putty supports SSH 2... strikes me as odd that it > > > > doesn't. Documentation says it doesn't, or did you try? Remember dsa > > > The putty homepage says it is not supported since Windows doesn't have a > > > proper random number generator and that makes DSA unsecure. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 8:19:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.tgd.net (rand.tgd.net [64.81.67.117]) by hub.freebsd.org (Postfix) with SMTP id B9DF537B40C for ; Tue, 28 Aug 2001 08:19:19 -0700 (PDT) (envelope-from sean@mailhost.tgd.net) Received: (qmail 89097 invoked by uid 1001); 28 Aug 2001 15:19:16 -0000 Date: Tue, 28 Aug 2001 08:19:16 -0700 
From: Sean Chittenden To: Tom Beer Cc: Simon Nielsen , security@freebsd.org Subject: Re: [OT] ssh client Message-ID: <20010828081916.B83939@rand.tgd.net> References: <001f01c12fc6$4c975220$0901a8c0@system> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="24zk1gE8NUlDmwG9" Content-Disposition: inline In-Reply-To: <001f01c12fc6$4c975220$0901a8c0@system>; from "mailings@analogon.com" on Tue, Aug 28, 2001 at 03:34:46PM X-PGP-Key: 0x1EDDFAAD X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD X-Web-Homepage: http://sean.chittenden.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --24zk1gE8NUlDmwG9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable > also the other mentioned ssh clients won't > support my (freebsd) generated dsa keys. > The format isn't supported.... > Any other way? Other than openssh + cygwin (which works like a charm, btw), not that I know of or have heard.
-sc PS Just in case: http://www.cygwin.com/ -- Sean Chittenden --24zk1gE8NUlDmwG9 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: Sean Chittenden iEYEARECAAYFAjuLtnMACgkQn09c7x7d+q1jswCcDJQWvRSl1OabvMyleQgruIu9 53sAoL3V0zWjYvBO5orju3xfimz9h9rB =Ek8k -----END PGP SIGNATURE----- --24zk1gE8NUlDmwG9-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 8:51:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from firstclass.it.rit.edu (firstclass.it.rit.edu [129.21.21.97]) by hub.freebsd.org (Postfix) with ESMTP id BE87D37B403 for ; Tue, 28 Aug 2001 08:51:43 -0700 (PDT) (envelope-from scc4809@it.rit.edu) Message-id: Date: Tue, 28 Aug 2001 11:51:37 -0400 Subject: IP Sharing on a College campus. Firewall?? X-FC-Form-ID: 141 To: security@Freebsd.org
From: "Shane Crounse" MIME-Version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Here is my dilemma. I am a student on a college campus. RIT if you couldn't tell. I am in an apartment that has access to the school network. My problem is that I am limited in the number of IP addresses I can have. (one or two) I have my windows 2k workstation, and at least 3 FreeBSD machines that I would like to put on the network. Last year I did it using windows IP sharing but I had all windows machines. Is there some way of doing IP sharing through one of the BSD machines? Would you suggest a firewall? I know that I will be regularly scanned by students. Hack attempts will occur. Anybody got any ideas? I appreciate the assistance in advance. - I would need to be able to run, SSH, SFTP, FTP, HTTP minimally from all the machines. -Shane Crounse Department of Information Technology Rochester Institute of Technology Shane_Crounse@it.rit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 8:58:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from closed-networks.com (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id 7692E37B401 for ; Tue, 28 Aug 2001 08:58:06 -0700 (PDT) (envelope-from marcr@closed-networks.com) Received: (qmail 22691 invoked by uid 1000); 28 Aug 2001 16:02:20 -0000 Date: Tue, 28 Aug 2001 17:02:20 +0100
From: Marc Rogers To: Shane Crounse Cc: security@Freebsd.org Subject: Re: IP Sharing on a College campus. Firewall?? Message-ID: <20010828170220.I99287@shady.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.4i In-Reply-To: ; from scc4809@it.rit.edu on Tue, Aug 28, 2001 at 11:51:37AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Look up NAT on the freebsd site (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/natd.html) and look up NAT on the ipfilter site either of those options will solve your issues. In a nutshell you will create a NAT gateway that has 1 real ip. Behind it you will be able to use whatever reserved (192.168.0.0 etc) addresses that you desire. The only catch to this is that they will be able to contact the outside world, but the outside world will not be able to contact them. This means if you want to set up services like shares / ftp / web services you will either have to assign real ips to those machines, or learn about transparent proxying / port redirection. hope this helps, Marc Rogers Technical Director EDC On Tue, Aug 28, 2001 at 11:51:37AM -0400, Shane Crounse wrote: > Here is my dilemma. I am a student on a college campus. RIT if you > couldn't tell. > I am in an apartment that has access to the school network. My problem is > that I am limited in the number of IP addresses I can have. (one or two) > I have my windows 2k workstation, and at least 3 FreeBSD machines that I > would like to put on the network. Last year I did it using windows IP > sharing but I had all windows machines. Is there some way of doing IP > sharing through one of the BSD machines? Would you suggest a firewall? I > know that I will be regularly scanned by students. Hack attempts will > occur.
Anybody got any ideas? > > I appreciate the assistance in advance. > > - I would need to be able to run, SSH, SFTP, FTP, HTTP minimally from all > the machines. > > > > > -Shane Crounse > > Department of Information Technology > Rochester Institute of Technology > Shane_Crounse@it.rit.edu > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 9:47:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from relay1.pair.com (relay1.pair.com [209.68.1.20]) by hub.freebsd.org (Postfix) with SMTP id 70DED37B401 for ; Tue, 28 Aug 2001 09:47:37 -0700 (PDT) (envelope-from mailings@analogon.com) Received: (qmail 1018 invoked from network); 28 Aug 2001 16:47:35 -0000 Received: from pec-134-42.tnt9.m2.uunet.de (HELO laptop) (149.225.134.42) by relay1.pair.com with SMTP; 28 Aug 2001 16:47:35 -0000 X-pair-Authenticated: 149.225.134.42 Message-ID: <001901c12fe0$f7e5d920$0901a8c0@system> 
From: "Tom Beer" To: "Peter Pentchev" , "Richard Stanaford" Cc: References: <001f01c12fc6$4c975220$0901a8c0@system> <20010828174726.A568@ringworld.oblivion.bg> Subject: Re: [OT] ssh client Date: Tue, 28 Aug 2001 18:38:32 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > ..and does it understand OpenSSH's DSA keys? > Last I checked it did not.. > It won't! I tried it with a version downloaded some days ago. But is there _any_ ssh M$ client who understands Unix generated DSA keys? Greetings Tom To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 10:12: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id 7255C37B401 for ; Tue, 28 Aug 2001 10:11:56 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 87671 invoked by uid 1000); 28 Aug 2001 17:11:53 -0000 Date: Tue, 28 Aug 2001 20:11:52 +0300
From: Peter Pentchev To: Tom Beer Cc: Richard Stanaford , security@FreeBSD.ORG Subject: Re: [OT] ssh client Message-ID: <20010828201152.B568@ringworld.oblivion.bg> Mail-Followup-To: Tom Beer , Richard Stanaford , security@FreeBSD.ORG References: <001f01c12fc6$4c975220$0901a8c0@system> <20010828174726.A568@ringworld.oblivion.bg> <001901c12fe0$f7e5d920$0901a8c0@system> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <001901c12fe0$f7e5d920$0901a8c0@system>; from mailings@analogon.com on Tue, Aug 28, 2001 at 06:38:32PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Aug 28, 2001 at 06:38:32PM +0200, Tom Beer wrote:
> > ..and does it understand OpenSSH's DSA keys?
> > Last I checked it did not..
> >
> It won't! I tried it with a version
> downloaded some days ago.
> But is there _any_ ssh M$ client who
> understands Unix generated DSA keys?

As somebody else mentioned, OpenSSH itself should understand OpenSSH-generated (not Unix-generated, the SSH version from ssh.com can also generate keys on Unix) keys. All you need to do is install the Cygwin compiler suite, then build and install the OpenSSH portable version. There might even be a precompiled version on OpenSSH's web/ftp site, but I would not count on that.

G'luck, Peter

-- This sentence is false.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Tue Aug 28 10:39:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from sln.esc.edu (sln.esc.edu [138.116.200.3]) by hub.freebsd.org (Postfix) with ESMTP id 6242137B405 for ; Tue, 28 Aug 2001 10:39:43 -0700 (PDT) (envelope-from Bill.Melvin@esc.edu) To: Peter Pentchev Cc: security@FreeBSD.ORG Subject: Re: [OT] ssh client X-Mailer: Lotus Notes Release 5.0.2c February 2, 2000 Message-ID: From: Bill.Melvin@esc.edu Date: Tue, 28 Aug 2001 13:36:55 -0400 X-MIMETrack: MIME-CD by Trend MailScan on mail.esc.edu/SUNY(Release 5.0.4 |June 8, 2000) at 08/28/2001 01:36:56 PM, MIME-CD complete at 08/28/2001 01:36:56 PM, Serialize by Router on sln.esc.edu/SUNY(Release 5.0.2c |February 2, 2000) at 08/28/2001 01:38:58 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> All you need to do is install the Cygwin compiler suite,
> then build and install the OpenSSH portable version.

The cygwin kit comes with OpenSSH *binaries* that grok (at least) FreeBSD DSA keys (which are OpenSSH-generated). No need to recompile. Can't speak for non-OpenSSH DSA keys.

/b

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Tue Aug 28 10:46:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id CDBE737B403 for ; Tue, 28 Aug 2001 10:46:25 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f7SHk2A20665; Tue, 28 Aug 2001 10:46:02 -0700 Date: Tue, 28 Aug 2001 10:46:02 -0700
From: Brooks Davis To: Peter Pentchev Cc: Tom Beer , Richard Stanaford , security@FreeBSD.ORG Subject: Re: [OT] ssh client Message-ID: <20010828104602.E10481@Odin.AC.HMC.Edu> References: <001f01c12fc6$4c975220$0901a8c0@system> <20010828174726.A568@ringworld.oblivion.bg> <001901c12fe0$f7e5d920$0901a8c0@system> <20010828201152.B568@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="RpqchZ26BWispMcB" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010828201152.B568@ringworld.oblivion.bg>; from roam@ringlet.net on Tue, Aug 28, 2001 at 08:11:52PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --RpqchZ26BWispMcB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 28, 2001 at 08:11:52PM +0300, Peter Pentchev wrote: > As somebody else mentioned, OpenSSH itself should understand > OpenSSH-generated (not Unix-generated, the SSH version from > ssh.com can also generate keys on Unix) keys. All you need > to do is install the Cygwin compiler suite, then build and > install the OpenSSH portable version. There might even be > a precompiled version on OpenSSH's web/ftp site, but I would > not count on that. OpenSSH ships with Cygwin these days. It works quite well. -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. 
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --RpqchZ26BWispMcB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7i9jZXY6L6fI4GtQRAnOLAJ0bpVwu5YoUym80WobQD9eYZAPxvQCfXkBE HVLeXR9fvYNDqJmcubIbXXo= =3m2n -----END PGP SIGNATURE----- --RpqchZ26BWispMcB-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 11:32:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id AC7E437B401; Tue, 28 Aug 2001 11:32:46 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 5831366DE9; Tue, 28 Aug 2001 11:32:46 -0700 (PDT) Date: Tue, 28 Aug 2001 11:32:46 -0700 
From: Kris Kennaway To: Montgomery Newcom Cc: FreeBSD Security Officer , security@FreeBSD.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:57.sendmail (fwd) Message-ID: <20010828113246.A59237@xor.obsecurity.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="3V7upXqbjpZ4EhLz" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mn@gblx.net on Tue, Aug 28, 2001 at 03:09:36AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
--3V7upXqbjpZ4EhLz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Tue, Aug 28, 2001 at 03:09:36AM -0700, Montgomery Newcom wrote:
>
> Should the setuid bit be removed from this file?
>
> /usr/libexec/sendmail/.sendmail.security-patch-sendmail-01.57.backup

Yes, well spotted. I'll revise the package.
Kris --3V7upXqbjpZ4EhLz Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7i+PNWry0BWjoQKURAh9TAJ45Z8dElczU7gYF3TwVymEzz5lNRACgsocl x+eHhvjrjqLEYsAQPyp+oqI= =OpMZ -----END PGP SIGNATURE----- --3V7upXqbjpZ4EhLz-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 28 18:45: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from rfnj.org (rfnj.org [216.239.237.194]) by hub.freebsd.org (Postfix) with ESMTP id E424D37B41A for ; Tue, 28 Aug 2001 18:44:44 -0700 (PDT) (envelope-from all@biosys.net) Received: from megalomaniac.biosys.net (megalomaniac.rfnj.org [216.239.237.200]) by rfnj.org (Postfix) with ESMTP id D187A1385C; Tue, 28 Aug 2001 21:44:34 +0000 (GMT) Message-Id: <5.1.0.14.0.20010828214142.00c4af38@rfnj.org> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 28 Aug 2001 21:44:40 -0400 To: Peter Pentchev 
From: Allen Landsidel Subject: Re: [OT] ssh client Cc: freebsd-security@freebsd.org In-Reply-To: <20010828174726.A568@ringworld.oblivion.bg> References: <001f01c12fc6$4c975220$0901a8c0@system> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 17:47 8/28/2001 +0300, you wrote:
>..and does it understand OpenSSH's DSA keys?
>Last I checked it did not..

This may be news to you but OpenSSH is the weirdo here, which is why few if any other clients support it. It uses its own key format, not the SSH2 format. Just do the following to convert your OpenSSH key to a SSH2 key for use on normal, standard clients:

ssh-keygen -xf openssh.format.key > ssh2.format.key

Your file names will of course vary. About five minutes searching google and another 30 seconds reading the ssh-keygen manpage could have saved a lot of frustration and wasted time.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Wed Aug 29 3:59:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from ida.interface-business.de (ida.interface-business.de [193.101.57.9]) by hub.freebsd.org (Postfix) with ESMTP id D829A37B406; Wed, 29 Aug 2001 03:58:58 -0700 (PDT) (envelope-from j@ida.interface-business.de) Received: (from j@localhost) by ida.interface-business.de id f7TAwiO60957; Wed, 29 Aug 2001 12:58:44 +0200 (MET DST) Date: Wed, 29 Aug 2001 12:58:44 +0200
From: Joerg Wunsch To: audit@freebsd.org Cc: ache@freebsd.org, security@freebsd.org Subject: -a in opiekey(1) doesn't work Message-ID: <20010829125844.E60434@ida.interface-business.de> Reply-To: Joerg Wunsch Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Phone: +49-351-31809-14 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Organization: interface systems GmbH, Dresden Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dunno who's the best person to tell this. The -a option to opiekey(1) is supposed to suppress password checking, but closer inspection of the code reveals that the value of `aflag' is properly set when the option is provided, but then never used again. This prevents opiekey from becoming a full replacement of the old skey program for users who used to have too short secret passwords. We should either remove it completely if we think providing this option is a bad idea from the beginning, or make it work as advertised. The patch below implements the latter. (Btw., the check against (flags & 2) isn't useful either since flags is passed from the caller as either 0 or 1, hard-coded. We could set flag 2 when aflag is set, but that'd mean to modify 6 calls to opiereadpass() instead of a single line of change as suggested below.) Index: contrib/opie/opiekey.c =================================================================== RCS file: /home/ncvs/src/contrib/opie/opiekey.c,v retrieving revision 1.1.1.2.6.1 diff -u -r1.1.1.2.6.1 opiekey.c --- contrib/opie/opiekey.c 2000/06/09 07:14:56 1.1.1.2.6.1 +++ contrib/opie/opiekey.c 2001/08/29 10:02:02 
@@ -116,7 +116,7 @@ } memset(verify, 0, sizeof(verify)); } - if (!(flags & 2) && opiepasscheck(secret)) { + if (!(flags & 2) && !aflag && opiepasscheck(secret)) { memset(secret, 0, sizeof(secret)); fprintf(stderr, "Secret pass phrases must be between %d and %d characters long.\n", OPIE_SECRET_MIN, OPIE_SECRET_MAX); exit(1); -- J"org Wunsch Unix support engineer joerg_wunsch@interface-systems.de http://www.interface-systems.de/~j/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 29 6:11: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 3F06737B406; Wed, 29 Aug 2001 06:10:58 -0700 (PDT) (envelope-from ache@nagual.pp.ru) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f7TDAdc69656; Wed, 29 Aug 2001 17:10:40 +0400 (MSD) (envelope-from ache) Date: Wed, 29 Aug 2001 17:10:36 +0400 
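Review bot: in the changed condition, !(flags & 2) && !aflag && opiepasscheck(secret), -a skips opiepasscheck() as a whole, and the error text just below shows that this one check enforces both OPIE_SECRET_MIN and OPIE_SECRET_MAX, so the upper bound is dropped together with the lower one. If the goal is only to let users keep their old, too-short skey secrets, keep the maximum-length test for the -a case and relax the minimum alone. The covering message also says flags is only ever passed as 0 or 1, which leaves !(flags & 2) dead in this condition: either drop it in the same change or add a comment saying why it stays. The opiekey(1) text for -a should state that the option accepts secrets outside the advertised length bounds.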
From: "Andrey A. Chernov" To: Joerg Wunsch Cc: audit@freebsd.org, security@freebsd.org Subject: Re: -a in opiekey(1) doesn't work Message-ID: <20010829171034.A69622@nagual.pp.ru> References: <20010829125844.E60434@ida.interface-business.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20010829125844.E60434@ida.interface-business.de> User-Agent: Mutt/1.3.21i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Aug 29, 2001 at 12:58:44 +0200, Joerg Wunsch wrote: > - if (!(flags & 2) && opiepasscheck(secret)) { > + if (!(flags & 2) && !aflag && opiepasscheck(secret)) { Ok from me. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 29 6:20:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from lila.inti.gov.ar (lila.inti.gov.ar [200.10.161.32]) by hub.freebsd.org (Postfix) with ESMTP id 107AD37B401 for ; Wed, 29 Aug 2001 06:20:48 -0700 (PDT) (envelope-from fernan@iib005.iib.unsam.edu.ar) Received: from nav.inti.gov.ar ([200.10.161.45]) by lila.inti.gov.ar with smtp (Exim 3.02 #1) id 15c5H0-0006ES-00 for freebsd-security@freebsd.org; Wed, 29 Aug 2001 10:20:50 -0300 Received: from iib005.iib.unsam.edu.ar ([200.3.113.15]) by NAV.inti.gov.ar (NAVGW 2.5.1.6) with SMTP id M2001082910240002894 for ; Wed, 29 Aug 2001 10:24:00 -0300 Received: (from fernan@localhost) by iib005.iib.unsam.edu.ar (8.11.3/8.11.3) id f7TDKV922347 for freebsd-security@freebsd.org; Wed, 29 Aug 2001 10:20:31 -0300 (ART) (envelope-from fernan) Date: Wed, 29 Aug 2001 10:20:31 -0300 
From: Fernan Aguero To: FreeBSD Security Subject: changed /dev/ttys is this normal? Message-ID: <20010829102031.A22076@iib005.iib.unsam.edu.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi

I started using tripwire to monitor for changed files on my system. I noticed that /dev/console and /dev/ttys were changed and the tripwire report showed the following:

[...]

Modified object name: /dev/console

  Property:        Expected            Observed
  -------------    -----------         -----------
  Object Type      Character Device    Character Device
  Device Number    160768              160768
  Inode Number     7208                7208
  Mode             crw--w--w-          crw--w--w-
  Num Links        1                   1
* UID              fernan (1001)       root (0)
  GID              wheel (0)           wheel (0)

[...]

Modified object name: /dev/ttyp1

  Property:        Expected            Observed
  -------------    -----------         -----------
  Object Type      Character Device    Character Device
  Device Number    160768              160768
  Inode Number     7537                7537
  Mode             crw--w----          crw--w----
  Num Links        1                   1
* UID              fernan (1001)       root (0)
* GID              tty (4)             wheel (0)

[...]

Modified object name: /dev/ttyp6

  Property:        Expected            Observed
  -------------    -----------         -----------
  Object Type      Character Device    Character Device
  Device Number    160768              160768
  Inode Number     7547                7547
* Mode             crw-rw-rw-          crw--w----
  Num Links        1                   1
* UID              root (0)            genhum2001 (1000)
* GID              wheel (0)           tty (4)

Is this normal? If so, is it safe to change tripwire's policy to ignore these changes?

Thanks in advance for your help.
Fernan -- | F e r n a n A g u e r o | B i o i n f o r m a t i c s | | fernan@iib.unsam.edu.ar | genoma.unsam.edu.ar | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 29 6:59:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id D1F2D37B405 for ; Wed, 29 Aug 2001 06:59:33 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 2635 invoked by uid 1000); 29 Aug 2001 13:59:06 -0000 Date: Wed, 29 Aug 2001 16:59:06 +0300 
From: Peter Pentchev To: Fernan Aguero Cc: FreeBSD Security Subject: Re: changed /dev/ttys is this normal? Message-ID: <20010829165906.D780@ringworld.oblivion.bg> Mail-Followup-To: Fernan Aguero , FreeBSD Security References: <20010829102031.A22076@iib005.iib.unsam.edu.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010829102031.A22076@iib005.iib.unsam.edu.ar>; from fernan@iib.unsam.edu.ar on Wed, Aug 29, 2001 at 10:20:31AM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> Hi
>
> I started using tripwire to monitor for changed files on my system.
> I noticed that /dev/console and /dev/ttys were changed and the
> tripwire report showed the following:
>
> [...]
>
> Modified object name: /dev/console
>
>   Property:        Expected            Observed
>   -------------    -----------         -----------
>   Object Type      Character Device    Character Device
>   Device Number    160768              160768
>   Inode Number     7208                7208
>   Mode             crw--w--w-          crw--w--w-
>   Num Links        1                   1
> * UID              fernan (1001)       root (0)
>   GID              wheel (0)           wheel (0)
[snip]
>
> Is this normal? If so, is it safe to change tripwire's policy to
> ignore these changes?

Yes, this is normal - the owner of a terminal device is always set to the user who has logged in, so he can open it and perform reads/writes/ioctls on it.

I believe that it should be safe to have tripwire ignore terminal devices :)

G'luck, Peter

-- "yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 29 7:11:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id 3345037B401 for ; Wed, 29 Aug 2001 07:11:42 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 2826 invoked by uid 1000); 29 Aug 2001 14:11:25 -0000 Date: Wed, 29 Aug 2001 17:11:25 +0300 
From: Peter Pentchev To: Fernan Aguero Cc: FreeBSD Security Subject: Re: changed /dev/ttys is this normal? Message-ID: <20010829171125.G780@ringworld.oblivion.bg> Mail-Followup-To: Fernan Aguero , FreeBSD Security References: <20010829102031.A22076@iib005.iib.unsam.edu.ar> <20010829165906.D780@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010829165906.D780@ringworld.oblivion.bg>; from roam@ringlet.net on Wed, Aug 29, 2001 at 04:59:06PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Aug 29, 2001 at 04:59:06PM +0300, Peter Pentchev wrote:
> On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> > Hi
> >
> > I started using tripwire to monitor for changed files on my system.
> > I noticed that /dev/console and /dev/ttys were changed and the
> > tripwire report showed the following:
> >
> > [...]
> >
> > Modified object name: /dev/console
> >
> >   Property:        Expected            Observed
> >   -------------    -----------         -----------
> >   Object Type      Character Device    Character Device
> >   Device Number    160768              160768
> >   Inode Number     7208                7208
> >   Mode             crw--w--w-          crw--w--w-
> >   Num Links        1                   1
> > * UID              fernan (1001)       root (0)
> >   GID              wheel (0)           wheel (0)
> [snip]
> >
> > Is this normal? If so, is it safe to change tripwire's policy to
> > ignore these changes?
>
> Yes, this is normal - the owner of a terminal device is always
> set to the user who has logged in, so he can open it and perform
> reads/writes/ioctls on it.
>
> I believe that it should be safe to have tripwire ignore terminal
> devices :)

..but actually, it might be wise if Tripwire would warn you about changes in *anything* but the owner on terminal devices. Also, it would be wise to have it warn you for the appearance of *new* files looking like terminal devices.
I've seen more than one rootkit which installed a setuid shell or a config file or whatever as /dev/ttySomething, or as a replacement for one of the higher-numbered tty devices (in the hope that those are reached only very rarely, and this would go unnoticed for quite some time). G'luck, Peter -- This sentence claims to be an Epimenides paradox, but it is lying. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 29 13:11: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 7B19C37B403 for ; Wed, 29 Aug 2001 13:10:59 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 43136 invoked by uid 1000); 29 Aug 2001 20:11:19 -0000 Date: Wed, 29 Aug 2001 22:11:19 +0200 
From: "Karsten W. Rohrbach" To: Peter Pentchev Cc: Fernan Aguero , FreeBSD Security Subject: Re: changed /dev/ttys is this normal? Message-ID: <20010829221119.H36662@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Peter Pentchev , Fernan Aguero , FreeBSD Security References: <20010829102031.A22076@iib005.iib.unsam.edu.ar> <20010829165906.D780@ringworld.oblivion.bg> <20010829171125.G780@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="it/zdz3K1bH9Y8/E" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010829171125.G780@ringworld.oblivion.bg>; from roam@ringlet.net on Wed, Aug 29, 2001 at 05:11:25PM +0300 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer X-Work-URL: http://www.ngenn.net/ X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany X-Work-Phone: +49-6081-682-304 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --it/zdz3K1bH9Y8/E Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Peter Pentchev(roam@ringlet.net)@2001.08.29 17:11:25 +0000: > ..but actually, it might be wise if Tripwire would warn you about > changes in *anything* but the owner on terminal devices. Also, > it would be wise to have it warn you for the appearance of *new* > files looking like terminal devices. I've seen more than one > rootkit which installed a setuid shell or a config file or whatever > as /dev/ttySomething, or as a replacement for one of the higher-numbered > tty devices (in the hope that those are reached only very rarely, > and this would go unnoticed for quite some time). 
i think it would make sense to monitor /dev for non-devnodes except the MAKEDEV and MAKEDEV.local which should be monitored as plain file.

rohrbach@WM:datasink[/dev]139% find . -type f
./MAKEDEV.local
./MAKEDEV

to sum it up (4.3-STABLE):

2 files             MAKEDEV/MAKEDEV.local
1 dir               fd/ containing 64 chardevs
hundreds chardevs   all the devnodes depending on config
some symlinks       depending on audio config et al.
0 blockdevs
0 fifos
0 sockets

this could serve as a basis for a subtractive ruleset for monitoring /dev

cheers, /k

--
> "I think pop music has done more for oral intercourse than anything else
> that has ever happened, and vice versa." --Frank Zappa
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
1= 0x --it/zdz3K1bH9Y8/E Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7jUxnM0BPTilkv0YRAuTjAJ0albGRIYRhEc8KaB8UANr0tNR8MwCfcB4S wgLabOjId+WldAotBNE/h/8= =VP/Q -----END PGP SIGNATURE----- --it/zdz3K1bH9Y8/E-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 29 14:40:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.aprimo.net (Aprimo-45-22.OneCall.Net [216.37.45.22]) by hub.freebsd.org (Postfix) with ESMTP id 35E1E37B415 for ; Wed, 29 Aug 2001 14:40:28 -0700 (PDT) (envelope-from info@ptc.com) Received: from host11.Aprimo.net (OCA1WAPP011 [10.3.202.41]) by mail1.aprimo.net with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id GDPX2TZS; Wed, 29 Aug 2001 16:37:38 -0500 Received: from mail pickup service by host11.Aprimo.net with Microsoft SMTPSVC; Wed, 29 Aug 2001 16:35:41 -0500 
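An added example, not part of the thread and not Tripwire's own code: the two checks proposed in the messages above, written out in Python. It covers the subtractive inventory of /dev and the rule that only the owner of a terminal device may change silently. The node records reuse the values from the Tripwire report earlier in the thread; the ttypz entry, the console/tty*/pty* naming rule and the temporary directory standing in for /dev are constructed assumptions.

```python
import os
import stat
import tempfile

# Regular files the thread lists as legitimate in /dev on 4.3-STABLE.
ALLOWED_FILES = {"MAKEDEV", "MAKEDEV.local"}
# Node types the thread's inventory counts as zero in /dev.
ZERO_EXPECTED = {stat.S_IFBLK: "block device", stat.S_IFIFO: "fifo",
                 stat.S_IFSOCK: "socket"}
# Fields allowed to change silently on a terminal device (login changes them).
# The report in the thread also shows the group of ttyp1 moving from tty to
# wheel; add "gid" here if local policy accepts that too.
IGNORED_ON_TTY = {"uid"}
FIELDS = ("type", "rdev", "mode", "uid", "gid")


def is_terminal_name(name):
    """Assumed naming rule: console, tty* and pty* are terminal devices."""
    return name == "console" or name.startswith(("tty", "pty"))


def scan_dev(root):
    """Walk root without following symlinks; return sorted (path, reason)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            kind = stat.S_IFMT(mode)
            if kind == stat.S_IFREG and rel not in ALLOWED_FILES:
                findings.append((rel, "regular file"))
            elif kind in ZERO_EXPECTED:
                findings.append((rel, ZERO_EXPECTED[kind]))
            # setgid on a directory only controls group inheritance: skip it.
            special = mode & (stat.S_ISUID | stat.S_ISGID)
            if special and kind not in (stat.S_IFLNK, stat.S_IFDIR):
                findings.append((rel, "setuid/setgid bit"))
    return sorted(findings)


def diff_nodes(baseline, observed):
    """Compare {name: {field: value}} maps; return sorted (name, reason)."""
    findings = []
    for name in set(baseline) | set(observed):
        was, now = baseline.get(name), observed.get(name)
        if was is None:
            kind = "terminal-like node" if is_terminal_name(name) else "node"
            findings.append((name, "new " + kind))
        elif now is None:
            findings.append((name, "node removed"))
        else:
            # Only a real character device gets the login exemption.
            tty = is_terminal_name(name) and now["type"] == "chr"
            for field in FIELDS:
                quiet = tty and field in IGNORED_ON_TTY
                if was[field] != now[field] and not quiet:
                    findings.append((name, "%s: %s -> %s"
                                     % (field, was[field], now[field])))
    return sorted(findings)


def node(mode, uid, gid, kind="chr", rdev=160768):
    return {"type": kind, "rdev": rdev, "mode": mode, "uid": uid, "gid": gid}


# Expected and observed values as printed in the thread's Tripwire report.
REPORT_BASELINE = {"console": node("crw--w--w-", 1001, 0),
                   "ttyp1": node("crw--w----", 1001, 4),
                   "ttyp6": node("crw-rw-rw-", 0, 0)}
REPORT_OBSERVED = {"console": node("crw--w--w-", 0, 0),
                   "ttyp1": node("crw--w----", 0, 0),
                   "ttyp6": node("crw--w----", 1000, 4),
                   # Constructed: a setuid regular file named like a tty.
                   "ttypz": node("-rwsr-xr-x", 0, 0, kind="reg", rdev=0)}


def build_sample_tree(root):
    """Constructed stand-in for /dev that needs no privileges to create."""
    for name in ("MAKEDEV", "MAKEDEV.local", "ttypz"):
        with open(os.path.join(root, name), "w") as handle:
            handle.write("#!/bin/sh\n")
    os.chmod(os.path.join(root, "ttypz"), 0o4755)  # planted setuid file
    os.mkdir(os.path.join(root, "fd"))
    os.mkfifo(os.path.join(root, "fd", "pipe"))


def demo():
    """Return (scan findings, baseline findings) for the sample inputs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_dev(root), diff_nodes(REPORT_BASELINE, REPORT_OBSERVED)


if __name__ == "__main__":
    for findings in demo():
        for name, reason in findings:
            print("%-10s %s" % (name, reason))
```

On the report's own data the owner-only rule stays quiet for /dev/console but still reports the group change on ttyp1 and the mode change on ttyp6, so those need a policy decision rather than a blanket ignore.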
From: To: " X" Subject: =?iso-8859-1?B?U3BlY2lhbCBPZmZlciBmb3IgU0RSQyBDdXN0b20=?= =?iso-8859-1?B?ZXJz?= Date: Wed, 29 Aug 2001 16:35:40 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_3976_01C130A8.A4260A80" X-Priority: 3 X-MSMail-Priority: Normal Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3 Message-ID: <027094135211d81OCA1WAPP011@host11.Aprimo.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_3976_01C130A8.A4260A80 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Special Offer for SDRC Customers Click Here =20 FREE Pro/ENGINEER Special Edition for SDRC Users PTC is offering you a free copy of Pro/ENGINEER=AE Special Edition for SDRC Users , a personal version of Pro/ENGINEER that is intended to help you begin to re-tool your CAD skills.=20 Recent changes and consolidation in the MCAD industry have no doubt raised concerns about the strategic direction of your MCAD installation. Sooner or later you and your company will be addressing issues of functionality, legacy-data migration, learning curves, training and support. At PTC, we have helped thousands of designers and engineers prepare to meet the same challenges. We can give you a competitive edge. To learn more about this special offer, and see the new easy-to-use Pro/ENGINEER software, please visit http://www.ptc.com/go/migration or contact us at: sales@ptc.com or call 1-888-PTC-3776 (1-888-782-3776) or (781) 370-6733).=20 =20 =20 Copyright =A9 2001 Parametric Technology Corporation. 
------=_NextPart_000_3976_01C130A8.A4260A80-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 29 15:13:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id E53C437B401 for ; Wed, 29 Aug 2001 15:13:11 -0700 (PDT) (envelope-from marc@milestonerdl.com) Received: from tandem (tandem [204.107.138.1]) by tandem.milestonerdl.com (8.11.2/8.10.0) with ESMTP id f7TMxaZ00726 for ; Wed, 29 Aug 2001 17:59:36 -0500 (CDT) Date: Wed, 29 Aug 2001 17:59:36 -0500 (CDT) 
From: Marc Rassbach Cc: X Subject: Background: Re: Special Offer for SDRC Customers In-Reply-To: <027094135211d81OCA1WAPP011@host11.Aprimo.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org SDRC is a CAD package that has just been acquired. (So: if your CAD package is going away, why not move to a different package....hence the SPAM barrage) From http://www.aprimo.com/customers/aprimo_customers.asp a VP of marketing, John Stuart. talks about how wonderful SPAM (err email marketing) has been for them. So, DO call 1-888-782-3776 and ask for Mr. Stuart and let him know how effective SPAM is, K? Remember: calling from a pay phone costs the 888 number MORE than calling from home/office...... On Wed, 29 Aug 2001 info@ptc.com wrote: > Special Offer for SDRC Customers Click Here > To learn more about this special offer, and see the new easy-to-use > Pro/ENGINEER software, please visit http://www.ptc.com/go/migration or > contact us at: sales@ptc.com or call > 1-888-PTC-3776 (1-888-782-3776) or (781) 370-6733). 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 29 20:20:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 396E937B408; Wed, 29 Aug 2001 20:19:59 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id UAA22070; Wed, 29 Aug 2001 20:19:53 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda22068; Wed Aug 29 20:19:37 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id f7U3JaV04781; Wed, 29 Aug 2001 20:19:36 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdec4779; Wed Aug 29 20:19:10 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id f7U3JAI01617; Wed, 29 Aug 2001 20:19:10 -0700 (PDT) Message-Id: <200108300319.f7U3JAI01617@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdzg1612; Wed Aug 29 20:18:50 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: ijliao@FreeBSD.ORG Cc: freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port (fwd) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 29 Aug 2001 20:18:50 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Let's replace the tripwire 1.2 and 1.3.1 ports with the new 2.3.1 port. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC ------- Forwarded Message Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: ijliao@FreeBSD.ORG Cc: Cy.Schubert@uumail.gov.bc.ca, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port In-reply-to: Your message of "Sat, 18 Aug 2001 00:36:40 PDT." <200108180736.f7I7ae119043@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 27 Aug 2001 21:49:07 -0700 In message <200108180736.f7I7ae119043@freefall.freebsd.org>, ijliao@FreeBSD.org writes: > Synopsis: Brand New Tripwire-2.3.1 Port > > State-Changed-From-To: open->analyzed > State-Changed-By: ijliao > State-Changed-When: Sat Aug 18 00:35:13 PDT 2001 > State-Changed-Why: > why do we need separate ports for 1.2 (tripwire), 1.3.1 (tripwire-131) > and now 2.3.1 (tripwire-231) ? > > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29137 > Originally 1.3.1 was created because it addressed some memory management issues and was a separate port; the license was different enough to warrant it. Now that 2.3.1 is open source, we can replace both 1.2 and 1.3.1 with 2.3.1. However, Tripwire 1.2 and 1.3.1 do not share the same config file format as 2.3.1. For the time being that would leave 1.x users out on the limb until they've converted to 2.3.1 -- unless of course they use the default config file that comes with any of the ports. I'm open to suggestions. What does the list think? 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC ------- End of Forwarded Message From owner-freebsd-security Wed Aug 29 23: 8: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by hub.freebsd.org (Postfix) with ESMTP id 2ADBC37B401; Wed, 29 Aug 2001 23:08:00 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.245.135.198.Dial1.SanJose1.Level3.net [209.245.135.198]) by pintail.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id XAA18793; Wed, 29 Aug 2001 23:07:26 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f7U67C911854; Wed, 29 Aug 2001 23:07:12 -0700 (PDT) (envelope-from cjc) Date: Wed, 29 Aug 2001 23:07:12 -0700 
From: "Crist J. Clark" To: Cy Schubert - ITSD Open Systems Group Cc: ijliao@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port (fwd) Message-ID: <20010829230711.H9807@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <200108300319.f7U3JAI01617@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200108300319.f7U3JAI01617@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Wed, Aug 29, 2001 at 08:18:50PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Aug 29, 2001 at 08:18:50PM -0700, Cy Schubert - ITSD Open Systems Group wrote: > Let's replace the tripwire 1.2 and 1.3.1 ports with the new 2.3.1 port. As long as the maintainers are still willing to keep them up, I don't see any reason to remove them. Of course, if one of the maintainers (you for example) no longer wish to support one, unless someone else speaks up to support it, it should go. -- Crist J. Clark cjclark@alum.mit.edu From owner-freebsd-security Thu Aug 30 1:27: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 33F3837B403; Thu, 30 Aug 2001 01:27:01 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 15cNAz-000P91-00; Thu, 30 Aug 2001 10:27:49 +0200 
From: Sheldon Hearn To: cjclark@alum.mit.edu Cc: Cy Schubert - ITSD Open Systems Group , ijliao@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port (fwd) In-reply-to: Your message of "Wed, 29 Aug 2001 23:07:12 MST." <20010829230711.H9807@blossom.cjclark.org> Date: Thu, 30 Aug 2001 10:27:49 +0200 Message-ID: <96658.999160069@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 29 Aug 2001 23:07:12 MST, "Crist J. Clark" wrote: > As long as the maintainers are still willing to keep them up, I don't > see any reason to remove them. Of course, if one of the maintainers > (you for example) no longer wish to support one, unless someone else > speaks up to support it, it should go. I think you're approaching this from the wrong angle. The default should be to update existing ports rather than spawn new ones. Special considerations may motivate you to add new ports (e.g. a new version of a package with an incompatible configuration file syntax), but that should never be the default. Ciao, Sheldon. 
From owner-freebsd-security Thu Aug 30 1:52: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from avocet.mail.pas.earthlink.net (avocet.mail.pas.earthlink.net [207.217.121.50]) by hub.freebsd.org (Postfix) with ESMTP id 071BC37B407; Thu, 30 Aug 2001 01:52:01 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from dialup-209.247.136.30.dial1.sanjose1.level3.net ([209.247.136.30] helo=blossom.cjclark.org) by avocet.mail.pas.earthlink.net with esmtp (Exim 3.32 #2) id 15cNYN-0004gl-00; Thu, 30 Aug 2001 01:52:00 -0700 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f7U8pVc12310; Thu, 30 Aug 2001 01:51:31 -0700 (PDT) (envelope-from cjc) Date: Thu, 30 Aug 2001 01:51:31 -0700 
From: "Crist J. Clark" To: Sheldon Hearn Cc: cjclark@alum.mit.edu, Cy Schubert - ITSD Open Systems Group , ijliao@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port (fwd) Message-ID: <20010830015131.J9807@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20010829230711.H9807@blossom.cjclark.org> <96658.999160069@axl.seasidesoftware.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <96658.999160069@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Thu, Aug 30, 2001 at 10:27:49AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Aug 30, 2001 at 10:27:49AM +0200, Sheldon Hearn wrote: > > > On Wed, 29 Aug 2001 23:07:12 MST, "Crist J. Clark" wrote: > > > As long as the maintainers are still willing to keep them up, I don't > > see any reason to remove them. Of course, if one of the maintainers > > (you for example) no longer wish to support one, unless someone else > > speaks up to support it, it should go. > > I think you're approaching this from the wrong angle. The default > should be to update existing ports rather than spawn new ones. Special > considerations may motivate you to add new ports (e.g. a new version of > a package with an incompatible configuration file syntax), but that > should never be the default. But weren't you the one who posted the reasons, and they are valid reasons, why there are different ports? -- Crist J. 
Clark cjclark@alum.mit.edu From owner-freebsd-security Thu Aug 30 2: 5:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 8D4CC37B401; Thu, 30 Aug 2001 02:05:41 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 15cNn4-000PPG-00; Thu, 30 Aug 2001 11:07:10 +0200 
From: Sheldon Hearn To: cjclark@alum.mit.edu Cc: Cy Schubert - ITSD Open Systems Group , ijliao@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port (fwd) In-reply-to: Your message of "Thu, 30 Aug 2001 01:51:31 MST." <20010830015131.J9807@blossom.cjclark.org> Date: Thu, 30 Aug 2001 11:07:10 +0200 Message-ID: <97665.999162430@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 30 Aug 2001 01:51:31 MST, "Crist J. Clark" wrote: > But weren't you the one who posted the reasons, and they are valid > reasons, why there are different ports? Um, I doubt it. If I am, I need a holiday. :-) Ciao, Sheldon. From owner-freebsd-security Thu Aug 30 2:14:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.debolaz.com (november.debolaz.com [193.71.19.191]) by hub.freebsd.org (Postfix) with ESMTP id 6562737B405 for ; Thu, 30 Aug 2001 02:14:41 -0700 (PDT) (envelope-from debolaz@debolaz.com) Received: from november.debolaz.com ([193.71.19.191] helo=webmail.debolaz.com) by mail.debolaz.com with smtp (Exim 3.33 #1) id 15cNuK-000CI2-00 for freebsd-security@freebsd.org; Thu, 30 Aug 2001 11:14:40 +0200 Received: from 193.71.80.164 (SquirrelMail authenticated user debolaz) by webmail.debolaz.com with HTTP; Thu, 30 Aug 2001 11:14:40 +0200 (CEST) Message-ID: <4215.193.71.80.164.999162880.squirrel@webmail.debolaz.com> Date: Thu, 30 Aug 2001 11:14:40 +0200 (CEST) Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port (fwd) 
From: "Anders Nor Berle" To: freebsd-security@freebsd.org X-Mailer: SquirrelMail (version 1.0.6) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well, in any case, just decide. Me and many others have been waiting for a tripwire 2.3.1 port. :) Personally, I think the port should be named tripwire2, and tripwire-131 becomes tripwire if you really want to make things slimmer. From owner-freebsd-security Thu Aug 30 4:59: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 6F86937B403; Thu, 30 Aug 2001 04:58:45 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f7UBweU02805; Thu, 30 Aug 2001 14:58:40 +0300 (EEST) (envelope-from ru) Date: Thu, 30 Aug 2001 14:58:40 +0300 
From: Ruslan Ermilov To: net@FreeBSD.org, security@FreeBSD.org Subject: Proposed change to route(4) sockets to make them available to non-superuser Message-ID: <20010830145840.A1554@sunbay.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="17pEHd4RhPHOinZp" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --17pEHd4RhPHOinZp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi! The attached patch allows non-superuser to open, listen to, and send safe commands on the routing socket. Superuser privilege is required for all commands but RTM_GET. This has been in NetBSD and OpenBSD since 1997. This also allows us to drop setuid root privilege from the route(8) command. I would like to commit this patch on Monday if I hear no reasonable objections. Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --17pEHd4RhPHOinZp Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Index: sys/net/raw_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/net/raw_usrreq.c,v retrieving revision 1.19 diff -u -p -r1.19 raw_usrreq.c --- sys/net/raw_usrreq.c 2000/10/29 16:06:43 1.19 +++ sys/net/raw_usrreq.c 2001/08/30 11:53:09 
@@ -153,12 +153,9 @@ static int raw_uattach(struct socket *so, int proto, struct proc *p) { struct rawcb *rp = sotorawcb(so); - int error; if (rp == 0) return EINVAL; - if (p && (error = suser(p)) != 0) - return error; return raw_attach(so, proto); } Index: sys/net/rtsock.c =================================================================== RCS file: /home/ncvs/src/sys/net/rtsock.c,v retrieving revision 1.55 diff -u -p -r1.55 rtsock.c --- sys/net/rtsock.c 2001/08/02 19:56:29 1.55 +++ sys/net/rtsock.c 2001/08/30 11:53:12 @@ -326,6 +326,14 @@ route_output(m, so) else senderr(ENOBUFS); } + + /* + * Verify that the caller has the appropriate privilege; RTM_GET + * is the only operation the non-superuser is allowed. + */ + if (rtm->rtm_type != RTM_GET && suser(curproc) != 0) + senderr(EACCES); + switch (rtm->rtm_type) { case RTM_ADD: Index: sbin/route/Makefile =================================================================== RCS file: /home/ncvs/src/sbin/route/Makefile,v retrieving revision 1.13 diff -u -p -r1.13 Makefile --- sbin/route/Makefile 2001/03/26 14:33:22 1.13 +++ sbin/route/Makefile 2001/08/30 11:53:12 @@ -7,7 +7,6 @@ SRCS= route.c keywords.h CFLAGS+=-I. -Wall -DNS CFLAGS+=-DINET6 CLEANFILES+=keywords.h -BINMODE=4555 keywords.h: keywords sed -e '/^#/d' -e '/^$$/d' ${.CURDIR}/keywords > _keywords.tmp Index: sbin/route/route.c =================================================================== RCS file: /home/ncvs/src/sbin/route/route.c,v retrieving revision 1.55 diff -u -p -r1.55 route.c --- sbin/route/route.c 2001/08/20 14:53:05 1.55 +++ sbin/route/route.c 2001/08/30 11:53:23 
@@ -100,13 +100,14 @@ union sockunion { } so_dst, so_gate, so_mask, so_genmask, so_ifa, so_ifp; typedef union sockunion *sup; -int pid, rtm_addrs, uid; +int pid, rtm_addrs; int s; int forcehost, forcenet, doflush, nflag, af, qflag, tflag, keyword(); int iflag, verbose, aflen = sizeof (struct sockaddr_in); int locking, lockrest, debugonly; struct rt_metrics rt_metrics; u_long rtm_inits; +uid_t uid; int atalk_aton __P((const char *, struct at_addr *)); char *atalk_ntoa __P((struct at_addr)); const char *routename(), *netname(); 
@@ -176,7 +177,6 @@ main(argc, argv) s = socket(PF_ROUTE, SOCK_RAW, 0); if (s < 0) err(EX_OSERR, "socket"); - setuid(uid); if (*argv) switch (keyword(*argv)) { case K_GET: --17pEHd4RhPHOinZp-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 5:22: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 8FF4537B403; Thu, 30 Aug 2001 05:21:59 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id FAA23776; Thu, 30 Aug 2001 05:21:27 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda23774; Thu Aug 30 05:21:09 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id f7UCL8G07250; Thu, 30 Aug 2001 05:21:08 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdaY7248; Thu Aug 30 05:20:30 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id f7UCKTa04717; Thu, 30 Aug 2001 05:20:29 -0700 (PDT) Message-Id: <200108301220.f7UCKTa04717@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdTi4713; Thu Aug 30 05:20:04 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
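Review bot: In the sys/net/raw_usrreq.c hunk of the patch above, deleting the suser(p) test from raw_uattach() lifts the privilege requirement for every protocol that attaches through this generic raw-socket entry point, not only PF_ROUTE. The stated goal is limited to routing sockets, so keep the check in raw_uattach() and relax it on the routing socket's own attach path instead.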
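Review bot: In the route_output() hunk of sys/net/rtsock.c in the patch above, suser(curproc) tests whichever process is running when the message is handled, although the socket so is already an argument of the function. Tie the decision to the socket rather than to curproc, so the result does not depend on which process happens to be current. The refusal is also reported as a fixed EACCES, whereas the check removed from raw_uattach() returned suser()'s own error; passing that value through would keep the errno consistent with the code being replaced.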
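Review bot: Removing BINMODE=4555 in the sbin/route/Makefile hunk of the patch above makes route(8) depend on the kernel half of the same patch. On a kernel that still requires superuser to attach a routing socket, socket(PF_ROUTE, SOCK_RAW, 0) in main() fails for ordinary users and the program exits through err(EX_OSERR, "socket") before the K_GET case is reached. That ordering requirement deserves a line in the commit message or upgrade notes, and the manual page should say which commands still need root.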
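Review bot: In sbin/route/route.c in the patch above, the second hunk removes setuid(uid), the only use of uid visible in this diff, while the first hunk keeps the global and retypes it from int to uid_t. If nothing else in the file reads uid, delete the variable and its assignment; if something does, the retyping is unrelated to the privilege change and is easier to review as a separate commit.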
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: cjclark@alum.mit.edu Cc: Cy Schubert - ITSD Open Systems Group , ijliao@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port (fwd) In-reply-to: Your message of "Wed, 29 Aug 2001 23:07:12 PDT." <20010829230711.H9807@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 30 Aug 2001 05:20:04 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <20010829230711.H9807@blossom.cjclark.org>, "Crist J. Clark" writes: > On Wed, Aug 29, 2001 at 08:18:50PM -0700, Cy Schubert - ITSD Open Systems Gro > up wrote: > > Let's replace the tripwire 1.2 and 1.3.1 ports with the new 2.3.1 port. > > As long as the maintainers are still willing to keep them up, I don't > see any reason to remove them. Of course, if one of the maintainers > (you for example) no longer wish to support one, unless someone else > speaks up to support it, it should go. That's not necessarily true. One of the committers suggested it didn't make sense to maintain three ports. The points I made were not all that strong, so I put it to the list. As the list had no interest in the topic and as I had no desire to argue the issue, I acquiesced. 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC From owner-freebsd-security Thu Aug 30 6:22:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 773BC37B406; Thu, 30 Aug 2001 06:21:54 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA23906; Thu, 30 Aug 2001 06:20:29 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda23904; Thu Aug 30 06:20:20 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id f7UDKKv07404; Thu, 30 Aug 2001 06:20:20 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdpe7384; Thu Aug 30 06:19:30 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id f7UDJTU07565; Thu, 30 Aug 2001 06:19:29 -0700 (PDT) Message-Id: <200108301319.f7UDJTU07565@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdjA7436; Thu Aug 30 06:19:17 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Sheldon Hearn Cc: cjclark@alum.mit.edu, Cy Schubert - ITSD Open Systems Group , ijliao@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: ports/29137: Brand New Tripwire-2.3.1 Port (fwd) In-reply-to: Your message of "Thu, 30 Aug 2001 11:07:10 +0200." <97665.999162430@axl.seasidesoftware.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 30 Aug 2001 06:19:17 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <97665.999162430@axl.seasidesoftware.co.za>, Sheldon Hearn writes: > > > On Thu, 30 Aug 2001 01:51:31 MST, "Crist J. Clark" wrote: > > > But weren't you the one who posted the reasons, and they are valid > > reasons, why there are different ports? > > Um, I doubt it. If I am, I need a holiday. :-) Actually I was the one to identify the reasons. Let me state them again. When I created the tripwire 1.3.1 port approximately 2 years ago, it was suggested that it replace 1.2. I suggested that it wasn't a good idea because the 1.2 license is more open than the 1.3.1 license. Hence if one could live with a more restrictive license one would have the bugfixes. Tripwire version 2 made considerable changes to the config file format. The issues are, 1. 2.3.1 fixes a serious memory management problem with version 1 which limits the number of files that can be monitored before you see strange things like abends and flagging of files that have not changed. 2. 2.3.1 is GPL. Ideally, if there is no requirement to support users with the old config file format, then replacing the two version 1 ports with a version 2 port would be best. Given that there might be users of Tripwire version 1 who cannot convert right now, we may have to support port version 1 and 2, and I cannot answer this question. 
First question, do we want to support a version 1 and version 2 of this port? Given that 1.3.1 fixes some bugs in 1.2 but IMO has a more restrictive license do we have one or two version 1 ports? Tripwire version 2 is a complete rewrite of the product. The memory management issues of version 1 no longer exist. Version 2.3.1 is GPL making its license more restrictive than 1.2 but less restrictive than 1.3.1. If given a choice, and I had to choose one, I'd replace both version 1 ports with 2.3.1. If I could keep one version 1 port and the version 2 port I would keep the 1.3.1 port, with its more restrictive license, and the 2.3.1 ports in the tree. Finally, thinking about it a little more (the more I think of this the more I'm convinced that the committer was right and I was wrong), maintaining an old port forever doesn't make much sense. I'd publish on -security, -ports, and -announce that as of date XXX both Tripwire version 1 ports will cease to exist. I suppose we could mark the old ports broken or restricted for 6 months with the explanation that they will be going away on, for example, March 1, 2002. This way we can satisfy the requirement that users of the old ports will have time to convert. So I'm back to my original question. Given the licensing and functional reasons, what do we want to do? If nobody cares, I'd be happy to replace both version 1 ports with a version 2 port. If anyone does care I'd be happy to continue maintaining 1.3.1 and 2.3.1 (I don't maintain the 1.2 port), please speak up or forever hold your peace. I'd be happy either way as long as we have a version 2 port (which explains the ambiguity of my first two notes). I don't have a strong opinion about keeping the old ports, though I do have a strong opinion about having the version 2 port in the tree. In regards to the version 1 ports I only want to do what the list wants to do. 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC From owner-freebsd-security Thu Aug 30 7:40:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id E5E1C37B403 for ; Thu, 30 Aug 2001 07:40:33 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA24123; Thu, 30 Aug 2001 07:39:31 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda24121; Thu Aug 30 07:39:17 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id f7UEd2k10250; Thu, 30 Aug 2001 07:39:02 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdp10248; Thu Aug 30 07:38:48 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id f7UEcVd10501; Thu, 30 Aug 2001 07:38:31 -0700 (PDT) Message-Id: <200108301438.f7UEcVd10501@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdu10495; Thu Aug 30 07:38:08 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Peter Pentchev Cc: Fernan Aguero , FreeBSD Security Subject: Re: changed /dev/ttys is this normal? In-reply-to: Your message of "Wed, 29 Aug 2001 17:11:25 +0300." <20010829171125.G780@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 30 Aug 2001 07:38:08 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <20010829171125.G780@ringworld.oblivion.bg>, Peter Pentchev writes: > On Wed, Aug 29, 2001 at 04:59:06PM +0300, Peter Pentchev wrote: > > On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote: > > > Hi > > > > > > I started using tripwire to monitor for changed files on my system. > > > I noticed that /dev/console and /dev/ttys were changed and the > > > tripwire report showed the following: > > > > > > [...] > > > > > > Modified object name: /dev/console > > > > > > Property: Expected Observed > > > ------------- ----------- ----------- > > > Object Type Character Device Character Device > > > Device Number 160768 160768 > > > Inode Number 7208 7208 > > > Mode crw--w--w- crw--w--w- > > > Num Links 1 1 > > > * UID fernan (1001) root (0) > > > GID wheel (0) wheel (0) > > [snip] > > > > > > Is this normal? If so, is it safe to change tripwire's policy to > > > ignore this changes? > > > > Yes, this is normal - the owner of a terminal device is always > > set to the user who has logged in, so he can open it and perform > > reads/writes/ioctls on it. > > > > I believe that it should be safe to have tripwire ignore terminal > > devices :) > > ..but actually, it might be wise if Tripwire would warn you about > changes in *anything* but the owner on terminal devices. Also, > it would be wise to have it warn you for the appearance of *new* > files looking like terminal devices. 
I've seen more than one > rootkit which installed a setuid shell or a config file or whatever > as /dev/ttySomething, or as a replacement for one of the higher-numbered > tty devices (in the hope that those are reached only very rarely, > and this would go unnoticed for quite some time). The upcoming Tripwire 2.3.1 port (PR is in but not committed yet) actually does this. E.g., /dev/console -> $(SEC_TTY) ; /dev/ttyv0 -> $(SEC_TTY) ; ... Where SEC_TTY is defined as, SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC From owner-freebsd-security Thu Aug 30 8:34:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 52C2B37B403; Thu, 30 Aug 2001 08:34:04 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f7UFXYT64952; Thu, 30 Aug 2001 11:33:34 -0400 (EDT) (envelope-from wollman) Date: Thu, 30 Aug 2001 11:33:34 -0400 (EDT) 
From: Garrett Wollman Message-Id: <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu> To: Ruslan Ermilov Cc: net@FreeBSD.ORG, security@FreeBSD.ORG Subject: Proposed change to route(4) sockets to make them available to non-superuser In-Reply-To: <20010830145840.A1554@sunbay.com> References: <20010830145840.A1554@sunbay.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > raw_uattach(struct socket *so, int proto, struct proc *p) > { > struct rawcb *rp = sotorawcb(so); > - int error; > if (rp == 0) > return EINVAL; > - if (p && (error = suser(p)) != 0) > - return error; > return raw_attach(so, proto); > } This allows *anyone* to open any raw socket. This change should not be made; use a specialized route_uattach instead. > + if (rtm->rtm_type != RTM_GET && suser(curproc) != 0) Ick. I worked hard several years ago to get rid of all references to `curproc' in the network stack; I'm none too pleased to see them coming back. Since we already save the credentials of the process which opened the socket, we should do the access-control on the basis of those credentials, not on the basis of the process that happens to be running. (Consider, for example, a daemon which opens its sockets and then changes credentials for safety.) -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 10:43: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id BCEEC37B403; Thu, 30 Aug 2001 10:42:52 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f7UHfWs48175; Thu, 30 Aug 2001 20:41:32 +0300 (EEST) (envelope-from ru) Date: Thu, 30 Aug 2001 20:41:32 +0300 
From: Ruslan Ermilov To: Garrett Wollman Cc: net@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Proposed change to route(4) sockets to make them available to non-superuser Message-ID: <20010830204132.A47482@sunbay.com> References: <20010830145840.A1554@sunbay.com> <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Aug 30, 2001 at 11:33:34AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Aug 30, 2001 at 11:33:34AM -0400, Garrett Wollman wrote: > < said: > > > raw_uattach(struct socket *so, int proto, struct proc *p) > > { > > struct rawcb *rp = sotorawcb(so); > > - int error; > > > if (rp == 0) > > return EINVAL; > > - if (p && (error = suser(p)) != 0) > > - return error; > > return raw_attach(so, proto); > > } > > This allows *anyone* to open any raw socket. This change should not > be made; use a specialized route_uattach instead. > Not any, as almost all domains don't use raw_usrreqs, but you are of course right. At least PF_KEY_V2 raw sockets were affected. > > + if (rtm->rtm_type != RTM_GET && suser(curproc) != 0) > > Ick. I worked hard several years ago to get rid of all references to > `curproc' in the network stack; I'm none too pleased to see them > coming back. Since we already save the credentials of the process > which opened the socket, we should do the access-control on the basis > of those credentials, not on the basis of the process that happens to > be running. (Consider, for example, a daemon which opens its sockets > and then changes credentials for safety.) > How about this one (kernel part only)? 
Index: rtsock.c =================================================================== RCS file: /home/ncvs/src/sys/net/rtsock.c,v retrieving revision 1.55 diff -u -p -r1.55 rtsock.c --- rtsock.c 2001/08/02 19:56:29 1.55 +++ rtsock.c 2001/08/30 17:37:56 @@ -123,7 +123,7 @@ rts_attach(struct socket *so, int proto, */ s = splnet(); so->so_pcb = (caddr_t)rp; - error = raw_usrreqs.pru_attach(so, proto, p); + error = raw_attach(so, proto); rp = sotorawcb(so); if (error) { splx(s); @@ -326,6 +326,14 @@ route_output(m, so) else senderr(ENOBUFS); } + + /* + * Verify that the caller has the appropriate privilege; RTM_GET + * is the only operation the non-superuser is allowed. + */ + if (rtm->rtm_type != RTM_GET && so->so_cred->cr_uid != 0) + senderr(EACCES); + switch (rtm->rtm_type) { case RTM_ADD: Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 11:12:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from ida.interface-business.de (ida.interface-business.de [193.101.57.9]) by hub.freebsd.org (Postfix) with ESMTP id 4BF8E37B403; Thu, 30 Aug 2001 11:12:45 -0700 (PDT) (envelope-from j@ida.interface-business.de) Received: (from j@localhost) by ida.interface-business.de id f7UIB3F70486; Thu, 30 Aug 2001 20:11:03 +0200 (MET DST) Date: Thu, 30 Aug 2001 20:11:02 +0200 
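Review bot: In the rts_attach hunk, switching from raw_usrreqs.pru_attach(so, proto, p) to raw_attach(so, proto) is what takes the superuser check off route sockets, but nothing at the call site says so. Add a comment above the call stating that the attach-time check is skipped on purpose and that privilege is enforced per message in route_output, so a later cleanup that restores pru_attach, or a new message type, does not silently change who may open or write to the socket. The p argument is no longer passed on here; please confirm it is still used elsewhere in the function.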
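Review bot: The new test in route_output compares so->so_cred->cr_uid against 0 by hand and fails with EACCES. Checking the socket's saved credential is the right object to test, but I would route it through the kernel's suser-style credential check instead of open-coding the uid comparison, so the policy stays in one place, and return EPERM, which is the usual errno for an operation that needs privilege. The deny-by-default shape (everything except RTM_GET is refused) is good, since a message type added later is refused unless someone decides otherwise; the comment could say that explicitly.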
From: Joerg Wunsch To: audit@freebsd.org Cc: security@freebsd.org Subject: why does telnetd run as root? Message-ID: <20010830201102.O69247@ida.interface-business.de> Reply-To: Joerg Wunsch Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Phone: +49-351-31809-14 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Organization: interface systems GmbH, Dresden Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Upon answering the question in , I noticed that the only reason for it is that login(1) currently requires root permissions in case -h hostname is given on its invocation. (Port 23 is bound by inetd anyway.) But then, it's IMHO much safer to run telnetd as user `daemon', and have login(1) allow user daemon to pass -h. This minimally increases the chance that someone might fake a hostname to be logged in utmp/wtmp (although user daemon is not supposed to be a usable account anyway), but adds us the ability to run telnetd with the little-privileged ID of daemon, so the next buffer overflow at least won't pose a root compromise... Index: login.c =================================================================== RCS file: /home/ncvs/src/usr.bin/login/login.c,v retrieving revision 1.51.2.11 diff -u -r1.51.2.11 login.c --- login.c 2001/08/07 09:28:52 1.51.2.11 +++ login.c 2001/08/30 16:17:46 @@ -131,6 +131,7 @@ #define DEFAULT_RETRIES 10 #define DEFAULT_PROMPT "login: " #define DEFAULT_PASSWD_PROMPT "Password:" +#define DAEMONUSER "daemon" /* * This bounds the time given to login. Not a define so it can @@ -158,7 +159,7 @@ struct utmp utmp; int rootok, retries, backoff; int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval; - int changepass; + int changepass, allowhopt; time_t warntime; uid_t uid, euid; gid_t egid; 
@@ -167,6 +168,7 @@ char tname[sizeof(_PATH_TTY) + 10]; char *shell = NULL; login_cap_t *lc = NULL; + struct passwd *daemonuser; #ifdef USE_PAM pid_t pid; int e; @@ -201,13 +203,26 @@ uid = getuid(); euid = geteuid(); egid = getegid(); + /* + * Try finding user "daemon". If it exists, we will allow it to + * set the -h option, in addition to uid == 0. This allows telnetd + * to be run as daemon instead of root. + */ + allowhopt = 0; + if (uid == 0) + allowhopt = 1; + else { + daemonuser = getpwnam(DAEMONUSER); + if (daemonuser && uid == daemonuser->pw_uid) + allowhopt = 1; + } while ((ch = getopt(argc, argv, "fh:p")) != -1) switch (ch) { case 'f': fflag = 1; break; case 'h': - if (uid) + if (!allowhopt) errx(1, "-h option: %s", strerror(EPERM)); hflag = 1; strncpy(full_hostname, optarg, sizeof(full_hostname)-1); -- J"org Wunsch Unix support engineer joerg_wunsch@interface-systems.de http://www.interface-systems.de/~j/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 11:18:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 9D95137B639; Thu, 30 Aug 2001 11:18:25 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f7UIHNa66577; Thu, 30 Aug 2001 14:17:23 -0400 (EDT) (envelope-from wollman) Date: Thu, 30 Aug 2001 14:17:23 -0400 (EDT) 
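Review bot: In the allowhopt block of the last hunk, -h is granted to any process whose real uid equals the pw_uid that getpwnam(DAEMONUSER) returns, so every program that runs as daemon, not only telnetd, can now hand login(1) a hostname of its choice for utmp/wtmp. The new comment should state that trade-off, and login(1)'s manual page needs the same sentence since the rule for -h changes. Two smaller points: the getpwnam lookup runs on every non-root invocation even when -h is not given, so moving it under case 'h' keeps it off the common path; and when getpwnam fails the code falls back to root-only, which is the safe default and worth a word in the comment so nobody "fixes" it later.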
From: Garrett Wollman Message-Id: <200108301817.f7UIHNa66577@khavrinen.lcs.mit.edu> To: Joerg Wunsch Cc: audit@FreeBSD.ORG, security@FreeBSD.ORG Subject: why does telnetd run as root? In-Reply-To: <20010830201102.O69247@ida.interface-business.de> References: <20010830201102.O69247@ida.interface-business.de> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > But then, it's IMHO much safer to run telnetd as user > `daemon', and have login(1) allow user daemon to pass -h. Only works for cleartext password authentication. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 11:21:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id AAA0B37B401; Thu, 30 Aug 2001 11:21:35 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f7UIKGZ66585; Thu, 30 Aug 2001 14:20:16 -0400 (EDT) (envelope-from wollman) Date: Thu, 30 Aug 2001 14:20:16 -0400 (EDT) 
From: Garrett Wollman Message-Id: <200108301820.f7UIKGZ66585@khavrinen.lcs.mit.edu> To: Ruslan Ermilov Cc: net@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Proposed change to route(4) sockets to make them available to non-superuser In-Reply-To: <20010830204132.A47482@sunbay.com> References: <20010830145840.A1554@sunbay.com> <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu> <20010830204132.A47482@sunbay.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > + if (rtm->rtm_type != RTM_GET && so->so_cred->cr_uid != 0) > + senderr(EACCES); I'm certain rwatson would object to this. suser_xxx() allows checking on the basis of credentials rather than a process, so that's what should be used. In any case, the correct error is EPERM, not EACCES. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 12:18:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2362837B403; Thu, 30 Aug 2001 12:18:12 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7UJFu235418; Thu, 30 Aug 2001 12:15:56 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Thu, 30 Aug 2001 12:15:56 -0700 (PDT) Message-Id: <200108301915.f7UJFu235418@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f 
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:58                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          lpd contains remote root vulnerability

Category:       core
Module:         lpd
Announced:      2001-08-30
Credits:        ISS X-Force
Affects:        All released versions FreeBSD 4.x, 3.x,
                FreeBSD 4.3-STABLE, 3.5.1-STABLE prior to the correction date
Corrected:      2001-08-30 09:27:41 UTC (FreeBSD 4.3-STABLE)
                2001-08-30 09:28:35 UTC (RELENG_4_3)
                2001-08-30 09:46:44 UTC (FreeBSD 3.5.1-STABLE)
FreeBSD only:   NO

I.   Background

lpd is the BSD line printer daemon used to print local and remote
print jobs.

II.  Problem Description

Users on the local machine or on remote systems which are allowed to
access the local line printer daemon may be able to cause a buffer
overflow. By submitting a specially-crafted incomplete print job and
subsequently requesting a display of the printer queue, a static
buffer overflow may be triggered. This may cause arbitrary code to be
executed on the local machine as root.

In order to remotely exploit this vulnerability, the remote machine
must be given access to the local printer daemon via a hostname entry
in /etc/hosts.lpd or /etc/hosts.equiv. lpd is not enabled on FreeBSD
by default.

All versions of FreeBSD prior to the correction date including FreeBSD
4.3 contain this problem. The base system that will ship with FreeBSD
4.4 does not contain this problem since it was corrected before the
release.

III. Impact

Users on the local machine and on remote systems which are allowed to
connect to the local printer daemon may be able to trigger a buffer
overflow causing arbitrary code to be executed on the local system as
root.

lpd is not enabled by default. If you have not enabled lpd, your
system is not vulnerable.

IV.  Workaround

Disable lpd by executing the following command as root:

# killall lpd

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the
RELENG_4_3 security branch after the respective correction dates.

2) FreeBSD 3.x, 4.x systems prior to the correction date:

The following patches have been verified to apply to FreeBSD
4.2-RELEASE, 4.3-RELEASE, 4.3-STABLE and 3.5.1-STABLE dated prior to
the correction date. It may or may not apply to older, unsupported
versions of FreeBSD.

Download the relevant patch and the detached PGP signature from the
following locations, and verify the signature using your PGP utility.

[FreeBSD 4.3-RELEASE, 4.3-STABLE]
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-4.3.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-4.3.patch.asc

[FreeBSD 4.2-RELEASE, 3.5.1-STABLE]
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-3.x-4.2.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-3.x-4.2.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/lpr
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process. This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.

If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the
process for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:58/security-patch-lpd-01.58.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:58/security-patch-lpd-01.58.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-lpd-01.58.tgz

Restart lpd after applying the patch by executing the following
commands as root:

# killall lpd
# /usr/sbin/lpd

VI.  Correction details

The following is the $FreeBSD$ revision number of the file that was
corrected for the supported branches of FreeBSD. The $FreeBSD$
revision number of the installed source can be examined using the
ident(1) command. The patch provided above does not cause these
revision numbers to be updated.

[FreeBSD 4.3-STABLE]
  Revision       Path
  1.15.2.8       src/usr.sbin/lpr/common_source/displayq.c

[RELENG_4_3]
  Revision       Path
  1.15.2.3.2.1   src/usr.sbin/lpr/common_source/displayq.c

[FreeBSD 3.5.1-STABLE]
  Revision       Path
  1.14.2.2       src/usr.sbin/lpr/common_source/displayq.c

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO46QLFUuHi5z0oilAQEJQQQAkjEeA8fQMhbFswTq743vCdfGKTSZbXRI
IF1hbTPKQ8G+dX57lMDgkR7WiFOf/DR9AFuX6gevCslCNJo8hySW74UxnnRv67/6
lsNUqWfAXD+d/yDUMO6amWUlz8xFNpIHa5Zf8F1QaPI3TBzrKKPekFUa3sHwlBD1
WSFK0ZoFMgw=
=8ZK/
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 30 12:21:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 6A09C37B409; Thu, 30 Aug 2001 12:21:17 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7UJK2O35713; Thu, 30 Aug 2001 12:20:02 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Date: Thu, 30 Aug 2001 12:20:02 -0700 (PDT)
Message-Id: <200108301920.f7UJK2O35713@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:57.sendmail [REVISED]
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:57                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          sendmail contains local root vulnerability [REVISED]

Category:       core
Module:         sendmail
Announced:      2001-08-27
Revised:        2001-08-30
Credits:        Cade Cairnss
Affects:        FreeBSD 4-STABLE after August 27, 2000 and prior to
                the correction date, FreeBSD 4.1.1-RELEASE,
                4.2-RELEASE, 4.3-RELEASE
Corrected:      2001-08-21 01:36:37 UTC (FreeBSD 4.3-STABLE)
                2001-08-22 05:34:11 UTC (RELENG_4_3)
FreeBSD only:   NO

0.   Revision History

v1.0  2001-08-27  Initial release
v1.1  2001-08-30  Update package to remove setuid bit from saved file;
                  add non-openssl package; correct typo in package
                  instructions; note that $Id$ not updated in
                  RELENG_4_3.

I.   Background

sendmail is a mail transfer agent.

II.  Problem Description

Sendmail contains an input validation error which may lead to the
execution of arbitrary code with elevated privileges by local users.
Due to the improper use of signed integers in code responsible for the
processing of debugging arguments, a local user may be able to supply
the signed integer equivalent of a negative value supplied to
sendmail's "trace vector". This may allow a local user to write data
anywhere within a certain range of locations in process memory.
Because the '-d' command-line switch is processed before the program
drops its elevated privileges, the attacker may be able to cause
arbitrary code to be executed with root privileges.

III. Impact

Local users may be able to execute arbitrary code with root
privileges.

IV.  Workaround

Do not allow untrusted users to execute the sendmail binary.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the
RELENG_4_3 security branch after the respective correction dates.

2) FreeBSD 4.x systems after August 27, 2000 and prior to the
correction date:

The following patch has been verified to apply to FreeBSD
4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE and 4-STABLE dated prior to
the correction date.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/lib/libsmutil
# make depend && make all
# cd /usr/src/usr.sbin/sendmail
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

** NOTE: The initial version of the upgrade package did not remove
** setuid root privileges from the saved copy of the sendmail binary.
** To correct this, deinstall the old package using the pkg_delete(1)
** command and install the corrected package as described below.

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process. This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.

If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the
process for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

Two versions of the package are available, depending on whether or not
OpenSSL is installed. If the file /usr/lib/libcrypto.so exists on the
local system, follow the directions in section 1a) below, otherwise
follow the directions in section 1b). After adding the package,
proceed with the instructions in section 2).

1a) If crypto is installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-crypto-01.57.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-crypto-01.57.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sendmail-crypto-01.57.tgz

1b) If crypto is not installed:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-nocrypto-01.57.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-nocrypto-01.57.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-sendmail-nocrypto-01.57.tgz

2) Restart sendmail after applying the patch by executing the
following commands as root:

# killall sendmail
# /usr/sbin/sendmail -bd -q30m

The flags to sendmail may need to be adjusted as required for the
local system configuration.

VI.  Correction details

The following is the sendmail $Id$ revision number of the file that
was corrected for the supported branches of FreeBSD. The $Id$
revision number of the installed source can be examined using the
ident(1) command. Note that the $Id$ tag was not updated on the
RELENG_4_3 branch because a newer vendor release of sendmail was not
imported, instead only this vulnerability was patched.

  Revision     Path
  8.20.22.4    src/contrib/sendmail/src/trace.c

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO46RWlUuHi5z0oilAQH+VwP+MBpBopVejzWdHAjm0cEslleHZThEjja4
qNd28CAQOy5KAdDcP61pqT2LcxlFUXyjRPjcVo6eqGaO63Lz3Ov2nnm3LPfcyR18
PQaQkezGxTIfORuXxZiNA4EI51zjoquIRVWwMJaR1Azx+vf/u9XPIDVKA7rkL3df
wvTf9D4V7ZU=
=L1XV
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 30 12:34:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id 3787637B405 for ; Thu, 30 Aug 2001 12:34:35 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: (from root@localhost) by mail.wlcg.com (8.11.6/8.11.6) id f7UJXxO31217 for freebsd-security@freebsd.org; Thu, 30 Aug 2001 15:33:59 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.6/8.11.6) with ESMTP id f7UJXvq31210 for ; Thu, 30 Aug 2001 15:33:57 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
X-Authentication-Warning: mail.wlcg.com: rsimmons owned process doing -bs
Date: Thu, 30 Aug 2001 15:33:54 -0400 (EDT)
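The signed-index pattern that section II of FreeBSD-SA-01:57 above describes, as an added C sketch; it is not sendmail's code and not part of the advisory. TRACE_SIZE, trace_vec and all function names are hypothetical, the inputs are constructed, and a 32-bit int is assumed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define TRACE_SIZE 100                 /* hypothetical size of the flag vector */

static unsigned char trace_vec[TRACE_SIZE];

/*
 * Flawed pattern: digits are accumulated with no range check and the result
 * is handed back as a signed int, so a large decimal string comes out
 * negative. (Accumulating in unsigned keeps this demo free of undefined
 * behaviour; the conversion below is written out to be portable.)
 */
static int parse_index_flawed(const char *s)
{
    unsigned int acc = 0;

    while (*s >= '0' && *s <= '9')
        acc = acc * 10u + (unsigned int)(*s++ - '0');
    if (acc > (unsigned int)INT_MAX)
        return -(int)(UINT_MAX - acc) - 1;
    return (int)acc;
}

/*
 * The flawed bounds test: only the upper bound is checked, so every negative
 * index passes. This function reports the decision and performs no write.
 */
static int flawed_check_accepts(const char *s)
{
    int idx = parse_index_flawed(s);

    return idx < TRACE_SIZE;
}

/*
 * Hardened setter: parse into an unsigned type, reject anything that is not
 * a plain in-range decimal number, then compare against the vector size.
 * Returns 0 on success, -1 if the argument is rejected.
 */
static int set_trace_flag(const char *s, unsigned char level)
{
    char *end;
    unsigned long idx;

    if (*s < '0' || *s > '9')          /* strtoul() would accept "-1" and wrap it */
        return -1;
    errno = 0;
    idx = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || idx >= TRACE_SIZE)
        return -1;
    trace_vec[idx] = level;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary index, two that wrap negative, one too large. */
    const char *inputs[] = { "5", "4294967295", "4294967200", "100" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-12s flawed idx=%-12d flawed check=%s hardened=%s\n",
               inputs[i], parse_index_flawed(inputs[i]),
               flawed_check_accepts(inputs[i]) ? "accept" : "reject",
               set_trace_flag(inputs[i], 1) == 0 ? "accept" : "reject");
    return 0;
}
```

The same review applies to any option parsed while a setuid program still holds its privileges: the index type, both bounds, and the point at which privileges are dropped.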
From: Rob Simmons To: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd In-Reply-To: <200108301915.f7UJFv735421@freefall.freebsd.org> Message-ID: <20010830153246.K69164-100000@mail.wlcg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 I'm assuming that running lpd with -p to prevent it from opening a port is also safe? I didn't see that mentioned in the advisory. Robert Simmons Systems Administrator http://www.wlcg.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7jpUlv8Bofna59hYRA69lAJ46wjTs5JCYIWAQ9aDTqPVTmDUzSQCfU8vX oVnVU8I/9wWbeI/jHd0Xf1g= =3Mi+ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 12:42:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23]) by hub.freebsd.org (Postfix) with ESMTP id 4BA0137B409 for ; Thu, 30 Aug 2001 12:42:33 -0700 (PDT) (envelope-from ronan@melim.com.br) Received: from fazendinha (ressacada.melim.com.br [200.215.110.4]) by salseiros.melim.com.br (8.11.3/8.11.3) with SMTP id f7UJc9057255 for ; Thu, 30 Aug 2001 16:38:09 -0300 (BRT) (envelope-from ronan@melim.com.br) Message-ID: <08ab01c1318b$defef2f0$2aa8a8c0@melim.com.br> 
From: "Ronan Lucio" To: Subject: Sendmail Date: Thu, 30 Aug 2001 16:42:15 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all, If I have a machine that any user has shell access. It´s just a mail server. Is such machine vulnerable for sendmail? [ ]´s Ronan Lucio To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 12:51:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 93F1D37B407 for ; Thu, 30 Aug 2001 12:51:32 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.6/8.11.6) with ESMTP id f7UJmrn74639; Thu, 30 Aug 2001 15:48:53 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010830154128.04ac4ec0@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 30 Aug 2001 15:43:17 -0400 To: "Ronan Lucio" , 
From: Mike Tancsa
Subject: Re: Sendmail
In-Reply-To: <08ab01c1318b$defef2f0$2aa8a8c0@melim.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

Probably not.. But, you never know. Someone could devise some clever way
for some other process to exploit the bug.

---Mike

At 04:42 PM 8/30/01 -0300, Ronan Lucio wrote:
>Hi all,
>
>If I have a machine that any user has shell access. It´s just a mail server.
>Is such machine vulnerable for sendmail?
>
>[ ]´s
>
>Ronan Lucio
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 30 12:56:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 42FED37B406 for ; Thu, 30 Aug 2001 12:56:24 -0700 (PDT) (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org (nb-97.netbriefings.com [209.134.134.97]) by poontang.schulte.org (Postfix) with ESMTP id C0202D14D3; Thu, 30 Aug 2001 14:54:14 -0500 (CDT)
Message-Id: <5.1.0.14.0.20010830144937.022f4c80@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 30 Aug 2001 14:53:41 -0500
To: "Ronan Lucio" ,
From: Christopher Schulte
Subject: Re: Sendmail
In-Reply-To: <08ab01c1318b$defef2f0$2aa8a8c0@melim.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:57.sendmail.asc

This link explains exactly what's vulnerable.

>Topic: sendmail contains local root vulnerability

So, if users have local access, then yes you're probably vulnerable. Read
the advisory for specific details.

At 04:42 PM 8/30/2001 -0300, Ronan Lucio wrote:
>Hi all,
>
>If I have a machine that any user has shell access. It´s just a mail server.
>Is such machine vulnerable for sendmail?
>
>[ ]´s
>
>Ronan Lucio

-c

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Aug 30 13: 9:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from light.imasy.or.jp (light.imasy.or.jp [202.227.24.4]) by hub.freebsd.org (Postfix) with ESMTP id 05AD337B407 for ; Thu, 30 Aug 2001 13:09:47 -0700 (PDT) (envelope-from ume@mahoroba.org)
Received: (from uucp@localhost) by light.imasy.or.jp (8.11.6+3.4W/8.11.6/light) with UUCP id f7UK5PN16957; Fri, 31 Aug 2001 05:05:25 +0900 (JST) (envelope-from ume@mahoroba.org)
Received: from peace.mahoroba.org (IDENT:YcU+ueiYK3kWri9hq5A/BTN1k5NmJ7CAsJUPDJOjtgP05n5J3GqaC/K5GfjQUcRv@peace.mahoroba.org [3ffe:505:2:0:200:f8ff:fe05:3eae]) (authenticated as ume with CRAM-MD5) by mail.mahoroba.org (8.11.6/8.11.6/chaos) with ESMTP/inet6 id f7UK4qj07548; Fri, 31 Aug 2001 05:04:52 +0900 (JST) (envelope-from ume@mahoroba.org)
Date: Fri, 31 Aug 2001 05:04:49 +0900 (JST)
Message-Id: <20010831.050449.26350219.ume@mahoroba.org>
To: mike@sentex.net
Cc: ronan@melim.com.br,
security@FreeBSD.ORG Cc: ume@mahoroba.org Subject: Re: Sendmail 
From: Hajimu UMEMOTO
In-Reply-To: <5.1.0.14.0.20010830154128.04ac4ec0@marble.sentex.ca>
References: <08ab01c1318b$defef2f0$2aa8a8c0@melim.com.br> <5.1.0.14.0.20010830154128.04ac4ec0@marble.sentex.ca>
X-Mailer: xcite1.38> Mew version 1.95b119 on Emacs 20.7 / Mule 4.0 =?iso-2022-jp?B?KBskQjJWMWMbKEIp?=
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-Operating-System: FreeBSD 5.0-CURRENT
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.org

>>>>> On Thu, 30 Aug 2001 15:43:17 -0400
>>>>> Mike Tancsa said:

mike> Probably not.. But, you never know. Someone could devise some clever way
mike> for some other process to exploit the bug.

sendmail 8.11.15 had local-exploit. If you use old version of
sendmail, you must upgrade to 8.11.16. Don't forget to drop setuid
bit of old sendmail binary or remove it.

mike> At 04:42 PM 8/30/01 -0300, Ronan Lucio wrote:
>Hi all,
>
>If I have a machine that any user has shell access. It´s just a mail server.
>Is such machine vulnerable for sendmail?
-- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:17: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 0A67137B405 for ; Thu, 30 Aug 2001 13:16:54 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id BDEBD66EA0; Thu, 30 Aug 2001 12:39:48 -0700 (PDT) Date: Thu, 30 Aug 2001 12:39:48 -0700 
From: Kris Kennaway To: Rob Simmons Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Message-ID: <20010830123948.A23605@xor.obsecurity.org> References: <200108301915.f7UJFv735421@freefall.freebsd.org> <20010830153246.K69164-100000@mail.wlcg.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="SLDf9lqlvOQaIe6s" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010830153246.K69164-100000@mail.wlcg.com>; from rsimmons@wlcg.com on Thu, Aug 30, 2001 at 03:33:54PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --SLDf9lqlvOQaIe6s Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Aug 30, 2001 at 03:33:54PM -0400, Rob Simmons wrote: > I'm assuming that running lpd with -p to prevent it from opening a port is > also safe? I didn't see that mentioned in the advisory. It would probably make it safe from being *remotely* exploited. Local users who can submit jobs can still do it. 
Kris --SLDf9lqlvOQaIe6s Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7jpaDWry0BWjoQKURAsSGAJ9hBHJeL5F5KfBqtgCo5A/PUiv4FwCeL5pu ohRW54SDcqu4XCRLgBzF7d4= =0MCz -----END PGP SIGNATURE----- --SLDf9lqlvOQaIe6s-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:17:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 566F337B405 for ; Thu, 30 Aug 2001 13:17:15 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f7UKEUl138684; Thu, 30 Aug 2001 16:14:30 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <20010830153246.K69164-100000@mail.wlcg.com> References: <20010830153246.K69164-100000@mail.wlcg.com> Date: Thu, 30 Aug 2001 16:14:28 -0400 To: Rob Simmons , 
From: Garance A Drosihn Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 3:33 PM -0400 8/30/01, Rob Simmons wrote: > >I'm assuming that running lpd with -p to prevent it from opening a >port is also safe? I didn't see that mentioned in the advisory. > >Robert Simmons >Systems Administrator That would be a quick workaround to prevent any remote attacks. It of course means that you won't be accepting jobs from any remote hosts, even if they are listed in /etc/hosts.lpd . Note, however, that '-p' is fairly recent [July 2000], so this workaround would not be available to any older releases. I think that option first showed up in 4.1-RELEASE. -- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:24: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23]) by hub.freebsd.org (Postfix) with ESMTP id 3D4FF37B401 for ; Thu, 30 Aug 2001 13:24:04 -0700 (PDT) (envelope-from ronan@melim.com.br) Received: from fazendinha (ressacada.melim.com.br [200.215.110.4]) by salseiros.melim.com.br (8.11.3/8.11.3) with SMTP id f7UKJ3072020 for ; Thu, 30 Aug 2001 17:19:04 -0300 (BRT) (envelope-from ronan@melim.com.br) Message-ID: <091701c13191$e2c8e480$2aa8a8c0@melim.com.br> 
From: "Ronan Lucio" To: References: <08ab01c1318b$defef2f0$2aa8a8c0@melim.com.br><5.1.0.14.0.20010830154128.04ac4ec0@marble.sentex.ca> <20010831.050449.26350219.ume@mahoroba.org> Subject: Re: Sendmail Date: Thu, 30 Aug 2001 17:25:18 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi Hajimu, > mike> Probably not.. But, you never know. Someone could devise some clever way > mike> for some other process to exploit the bug. > > sendmail 8.11.15 had local-exploit. If you use old version of > sendmail, you must upgrade to 8.11.16. Don't forget to drop setuid > bit of old sendmail binary or remove it. How can I do it? I typed ls -l /usr/sbin, it shows me: lrwxrwxrwx 1 root wheel 21 Aug 28 06:33 sendmail -> /usr/sbin/mailwrapper -r-xr-xr-x 1 root wheel 4928 Apr 21 06:10 mailwrapper Is it right? Thank you very much, Ronan Lucio To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:24:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23]) by hub.freebsd.org (Postfix) with ESMTP id 9A0BE37B401 for ; Thu, 30 Aug 2001 13:24:19 -0700 (PDT) (envelope-from ronan@melim.com.br) Received: from fazendinha (ressacada.melim.com.br [200.215.110.4]) by salseiros.melim.com.br (8.11.3/8.11.3) with SMTP id f7UJUB054655 for ; Thu, 30 Aug 2001 16:30:12 -0300 (BRT) (envelope-from ronan@melim.com.br) Message-ID: <089901c1318a$c2db89e0$2aa8a8c0@melim.com.br> 
From: "Ronan Lucio" To: References: <20010830145840.A1554@sunbay.com><200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu><20010830204132.A47482@sunbay.com> <200108301820.f7UIKGZ66585@khavrinen.lcs.mit.edu> Subject: Jail question Date: Thu, 30 Aug 2001 16:34:17 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I want to install the jail for a mail server. Is the best way to do it install the jail in one machine and the mail server in another machine or have to install the jail and the mail server in the same computer? I´m a little mess about it Ronan Lucio To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:29: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 534CD37B403 for ; Thu, 30 Aug 2001 13:28:58 -0700 (PDT) (envelope-from cdf.lists@fxp.org) Received: by peitho.fxp.org (Postfix, from userid 1501) id EB1251361D; Thu, 30 Aug 2001 16:26:35 -0400 (EDT) Date: Thu, 30 Aug 2001 16:26:35 -0400 
From: Chris Faulhaber To: Ronan Lucio Cc: security@freebsd.org Subject: Re: Sendmail Message-ID: <20010830162635.A46456@peitho.fxp.org> References: <08ab01c1318b$defef2f0$2aa8a8c0@melim.com.br><5.1.0.14.0.20010830154128.04ac4ec0@marble.sentex.ca> <20010831.050449.26350219.ume@mahoroba.org> <091701c13191$e2c8e480$2aa8a8c0@melim.com.br> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="lrZ03NoBR/3+SXJZ" Content-Disposition: inline In-Reply-To: <091701c13191$e2c8e480$2aa8a8c0@melim.com.br> User-Agent: Mutt/1.3.20i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --lrZ03NoBR/3+SXJZ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 30, 2001 at 05:25:18PM -0300, Ronan Lucio wrote: > Hi Hajimu, > > > mike> Probably not.. But, you never know. Someone could devise some clever > way > > mike> for some other process to exploit the bug. > > > > sendmail 8.11.15 had local-exploit. If you use old version of > > sendmail, you must upgrade to 8.11.16. Don't forget to drop setuid > > bit of old sendmail binary or remove it. > > How can I do it? > > I typed ls -l /usr/sbin, it shows me: > > lrwxrwxrwx 1 root wheel 21 Aug 28 06:33 sendmail -> /usr/sbin/mailwrapper > -r-xr-xr-x 1 root wheel 4928 Apr 21 06:10 mailwrapper > > Is it right? > > Thank you very much, > Perhaps you should review the advisory which explains the corrective measures in detail. http://docs.freebsd.org/mail/current/freebsd-security-notifications.html -- Chris D. 
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --lrZ03NoBR/3+SXJZ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:29:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 25FF637B403 for ; Thu, 30 Aug 2001 13:29:10 -0700 (PDT) (envelope-from bright@elvis.mu.org) Received: by elvis.mu.org (Postfix, from userid 1192) id 5284A81D06; Thu, 30 Aug 2001 15:27:38 -0500 (CDT) Date: Thu, 30 Aug 2001 15:27:38 -0500 
From: Alfred Perlstein To: Ronan Lucio Cc: security@freebsd.org Subject: Re: Jail question Message-ID: <20010830152738.F81307@elvis.mu.org> References: <20010830145840.A1554@sunbay.com><200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu><20010830204132.A47482@sunbay.com> <200108301820.f7UIKGZ66585@khavrinen.lcs.mit.edu> <089901c1318a$c2db89e0$2aa8a8c0@melim.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <089901c1318a$c2db89e0$2aa8a8c0@melim.com.br>; from ronan@melim.com.br on Thu, Aug 30, 2001 at 04:34:17PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Ronan Lucio [010830 15:25] wrote: > Hi, > > I want to install the jail for a mail server. > Is the best way to do it install the jail in one machine and > the mail server in another machine or have to install the > jail and the mail server in the same computer? > > I´m a little mess about it This is the wrong list to post such questions, try freebsd-questions. -- -Alfred Perlstein [alfred@freebsd.org] 'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.' 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:30:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from shark.amis.net (shark.amis.net [212.18.32.14]) by hub.freebsd.org (Postfix) with ESMTP id 8E20C37B401 for ; Thu, 30 Aug 2001 13:30:13 -0700 (PDT) (envelope-from blaz@inlimbo.org) Received: from gold.inlimbo.org (gold.inlimbo.org [212.18.32.254]) by shark.amis.net (Postfix) with ESMTP id 2AD647C6A for ; Thu, 30 Aug 2001 22:28:57 +0200 (CEST) Received: by gold.inlimbo.org (Postfix, from userid 1000) id 67E9A17BC5B; Thu, 30 Aug 2001 22:28:55 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by gold.inlimbo.org (Postfix) with ESMTP id 590CE32BD1F for ; Thu, 30 Aug 2001 22:28:55 +0200 (CEST) Date: Thu, 30 Aug 2001 22:28:55 +0200 (CEST) 
From: Blaz Zupan To: Subject: Security update packages don't recognized patched 4.3-RELEASE Message-ID: <20010830222555.M49399-100000@gold.inlimbo.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I usually cvsup RELENG_4_3 to update our servers, but this time I wanted to quickly patch the lpd hole by simply installing the update package. Unfortunately it complains that it can only be installed on 4.3-RELEASE. Well, I *am* running 4.3-RELEASE, but patched up to 4.3-RELEASE-p14. I believe the +INSTALL script should support this, what do others think? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:33: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from shemp.palomine.net (shemp.palomine.net [205.198.88.200]) by hub.freebsd.org (Postfix) with SMTP id 7729037B401 for ; Thu, 30 Aug 2001 13:33:02 -0700 (PDT) (envelope-from cjohnson@palomine.net) Received: (qmail 22727 invoked by uid 1000); 30 Aug 2001 20:30:16 -0000 Date: Thu, 30 Aug 2001 16:30:16 -0400 
From: Chris Johnson To: Ronan Lucio Cc: security@freebsd.org Subject: Re: Sendmail Message-ID: <20010830163016.A22666@palomine.net> References: <08ab01c1318b$defef2f0$2aa8a8c0@melim.com.br><5.1.0.14.0.20010830154128.04ac4ec0@marble.sentex.ca> <20010831.050449.26350219.ume@mahoroba.org> <091701c13191$e2c8e480$2aa8a8c0@melim.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Mutt/1.2.5i In-Reply-To: <091701c13191$e2c8e480$2aa8a8c0@melim.com.br>; from ronan@melim.com.br on Thu, Aug 30, 2001 at 05:25:18PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Aug 30, 2001 at 05:25:18PM -0300, Ronan Lucio wrote: > > sendmail 8.11.15 had local-exploit. If you use old version of > > sendmail, you must upgrade to 8.11.16. Don't forget to drop setuid > > bit of old sendmail binary or remove it. > > How can I do it? > > I typed ls -l /usr/sbin, it shows me: > > lrwxrwxrwx 1 root wheel 21 Aug 28 06:33 sendmail -> /usr/sbin/mailwrapper > -r-xr-xr-x 1 root wheel 4928 Apr 21 06:10 mailwrapper > > Is it right? /usr/libexec/sendmail/sendmail is the actual executable. 
Chris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:36:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23]) by hub.freebsd.org (Postfix) with ESMTP id E89A737B401 for ; Thu, 30 Aug 2001 13:36:31 -0700 (PDT) (envelope-from ronan@melim.com.br) Received: from fazendinha (ressacada.melim.com.br [200.215.110.4]) by salseiros.melim.com.br (8.11.3/8.11.3) with SMTP id f7UKVp076460 for ; Thu, 30 Aug 2001 17:32:02 -0300 (BRT) (envelope-from ronan@melim.com.br) Message-ID: <094601c13193$b2d176f0$2aa8a8c0@melim.com.br> 
From: "Ronan Lucio" To: References: <20010830145840.A1554@sunbay.com><200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu><20010830204132.A47482@sunbay.com> <200108301820.f7UIKGZ66585@khavrinen.lcs.mit.edu> <089901c1318a$c2db89e0$2aa8a8c0@melim.com.br> <20010830152738.F81307@elvis.mu.org> Subject: Re: Jail question Date: Thu, 30 Aug 2001 17:38:06 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Alfred, For all I know, it´s a security list about FreeBSD. It looks to me like you don´t understand my question: I run FreeBSD on my machines and want to increase the security. Thanks, Ronan Lucio > * Ronan Lucio [010830 15:25] wrote: > > Hi, > > > > I want to install the jail for a mail server. > > Is the best way to do it install the jail in one machine and > > the mail server in another machine or have to install the > > jail and the mail server in the same computer? > > > > I´m a little mess about it > > This is the wrong list to post such questions, try freebsd-questions. > > -- > -Alfred Perlstein [alfred@freebsd.org] > 'Instead of asking why a piece of software is using "1970s technology," > start asking why software is ignoring 30 years of accumulated wisdom.' 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:44:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 895FE37B407 for ; Thu, 30 Aug 2001 13:44:12 -0700 (PDT) (envelope-from bart@dreamflow.nl) Received: (qmail 15934 invoked by uid 1000); 30 Aug 2001 20:26:13 -0000 Date: Thu, 30 Aug 2001 22:26:13 +0200 From: Bart Matthaei To: security@freebsd.org Subject: GnuPG Message-ID: <20010830222613.B15893@heresy.dreamflow.nl> Reply-To: Bart Matthaei Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all, is there any way to change (or add) a email-address in the key's comment ? Regards, Bart Matthaei -- Bart Matthaei | bart@dreamflow.nl | +31 6 24907042 _________________________________________________ /* It's always funny until someone gets hurt.. * (and then it's just hilarious) */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 13:51:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 5759137B401 for ; Thu, 30 Aug 2001 13:51:23 -0700 (PDT) (envelope-from bart@dreamflow.nl) Received: (qmail 16980 invoked by uid 1000); 30 Aug 2001 20:48:16 -0000 Date: Thu, 30 Aug 2001 22:48:16 +0200 
From: Bart Matthaei To: security@freebsd.org Subject: Re: GnuPG Message-ID: <20010830224815.A16971@heresy.dreamflow.nl> Reply-To: Bart Matthaei Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry for that folks. I entered the To: address wrong, and changed the email while still in the queue.. I guess something got mixed up and sent the email 4 times. Regards, Bart Matthaei -- Bart Matthaei | bart@dreamflow.nl | +31 6 24907042 _________________________________________________ /* It's always funny until someone gets hurt.. * (and then it's just hilarious) */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 14: 6:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id 49C2937B406 for ; Thu, 30 Aug 2001 14:06:38 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: (from root@localhost) by mail.wlcg.com (8.11.6/8.11.6) id f7UL4Kb46671; Thu, 30 Aug 2001 17:04:20 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.6/8.11.6) with ESMTP id f7UL4Ih46664; Thu, 30 Aug 2001 17:04:19 -0400 (EDT) (envelope-from rsimmons@wlcg.com) X-Authentication-Warning: mail.wlcg.com: rsimmons owned process doing -bs Date: Thu, 30 Aug 2001 17:04:12 -0400 (EDT) 
From: Rob Simmons To: Bart Matthaei Cc: Subject: Re: GnuPG In-Reply-To: <20010830222613.B15893@heresy.dreamflow.nl> Message-ID: <20010830170314.Q42655-100000@mail.wlcg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --comment from gpg(1) man page. Robert Simmons Systems Administrator http://www.wlcg.com/ On Thu, 30 Aug 2001, Bart Matthaei wrote: > Hi all, > > is there any way to change (or add) a email-address in the key's comment ? > > Regards, > > Bart Matthaei > > -- > Bart Matthaei | bart@dreamflow.nl > | +31 6 24907042 > _________________________________________________ > /* It's always funny until someone gets hurt.. > * (and then it's just hilarious) */ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 14:10:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 6E13737B405 for ; Thu, 30 Aug 2001 14:10:12 -0700 (PDT) (envelope-from bart@dreamflow.nl) Received: (qmail 17063 invoked by uid 1000); 30 Aug 2001 21:07:41 -0000 Date: Thu, 30 Aug 2001 23:07:41 +0200 
From: Bart Matthaei To: security@freebsd.org Subject: Re: GnuPG Message-ID: <20010830230741.D16993@heresy.dreamflow.nl> Reply-To: Bart Matthaei References: <20010830224815.A16971@heresy.dreamflow.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010830224815.A16971@heresy.dreamflow.nl>; from bart@dreamflow.nl on Thu, Aug 30, 2001 at 10:48:16PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 2 times even :) On Thu, Aug 30, 2001 at 10:48:16PM +0200, Bart Matthaei wrote: > Sorry for that folks. > I entered the To: address wrong, and changed the email while still in the queue.. I guess something got mixed up and sent the email 4 times. > > Regards, > > Bart Matthaei > > -- > Bart Matthaei | bart@dreamflow.nl > | +31 6 24907042 > _________________________________________________ > /* It's always funny until someone gets hurt.. > * (and then it's just hilarious) */ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Bart Matthaei | bart@dreamflow.nl | +31 6 24907042 _________________________________________________ /* It's always funny until someone gets hurt.. * (and then it's just hilarious) */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 14:30:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id 904D537B401 for ; Thu, 30 Aug 2001 14:30:44 -0700 (PDT) (envelope-from rich@rdrose.org) Received: from localhost (rik@localhost) by pkl.net (8.9.3/8.9.3) with ESMTP id WAA22056; Thu, 30 Aug 2001 22:28:06 +0100 Date: Thu, 30 Aug 2001 22:28:06 +0100 (BST) 
From: rich@rdrose.org X-Sender: rik@pkl.net To: Alfred Perlstein Cc: Ronan Lucio , security@FreeBSD.ORG Subject: Re: Jail question In-Reply-To: <20010830152738.F81307@elvis.mu.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 30 Aug 2001, Alfred Perlstein wrote: > > I´m a little mess about it > > This is the wrong list to post such questions, try freebsd-questions. Personally, I think this was the correct list for the question, it's just that Ronan has not understood the jail concept, which hopefully, I will be able to help with now. A jail is a kind of virtual machine that can be created under FreeBSD. It is not a *complete* virtual machine, like VMWare is, merely a set of processes and permissions that are completely unconnected to those outside that jail. Note that "outside that jail" can mean both on the rest of the machine, and in other jails on the same machine. It is similar to chroot, but far stronger, imposing more restrictions on what the processes inside the jail can affect on the machine, and what they can tell about the machine. The purpose is to separate things as completely as possible. There is a large benefit to be gained by putting the mail daemon into a jail. You will make the rest of the Operating System much harder to break into, even if the mail daemon is broken into. As I said, this is just my opinion. I do not run a mail server of any significant size, nor do I claim to be a security or jail expert. The choice of whether to use jail or not is up to you. People obsessed with security would do it without thinking. People not concerned at all would not even think about it. You have to decide what you are prepared to do. 
Personally, I would advise trying it at least, on a test machine, just so that you know how to do it later, even if you then decide it is not worth doing to the production mail server. If I ran a production mail server, I would put the mail daemon in a jail. For general questions, about setting up jail, rather than the security implications of jail, I would agree that questions@freebsd.org is a better list, but for questions about the security of jail, this list is the one to choose. One more disclaimer - I do not claim to be a jail expert, what I have set up is merely my understanding of jail. I could be wrong, and if I am, I hope to be corrected on the list, before you have taken any bad decisions based on what I have said. rik To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 14:57:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id D045337B405 for ; Thu, 30 Aug 2001 14:57:07 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f7ULNeS16066; Thu, 30 Aug 2001 14:23:40 -0700 Date: Thu, 30 Aug 2001 14:23:40 -0700 
From: Brooks Davis To: Garance A Drosihn Cc: Rob Simmons , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Message-ID: <20010830142340.A15795@Odin.AC.HMC.Edu> References: <20010830153246.K69164-100000@mail.wlcg.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ikeVEW9yuYc//A+q" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from drosih@rpi.edu on Thu, Aug 30, 2001 at 04:14:28PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --ikeVEW9yuYc//A+q Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 30, 2001 at 04:14:28PM -0400, Garance A Drosihn wrote: > That would be a quick workaround to prevent any remote attacks. > It of course means that you won't be accepting jobs from any remote > hosts, even if they are listed in /etc/hosts.lpd . > > Note, however, that '-p' is fairly recent [July 2000], so this > workaround would not be available to any older releases. I think > that option first showed up in 4.1-RELEASE. I'd been meaning to ask, is there any good reason not to make the default lpd_flags value "-p", at least in 5.0? After all, most machines are not print servers even if they do run lpd so they can print. -- Brooks -- Any statement of the form "X is the one, true Y" is FALSE. 
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --ikeVEW9yuYc//A+q-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 15: 1:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 402B137B403 for ; Thu, 30 Aug 2001 15:01:25 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f7ULw2l143758; Thu, 30 Aug 2001 17:58:02 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <20010830142340.A15795@Odin.AC.HMC.Edu> References: <20010830153246.K69164-100000@mail.wlcg.com> <20010830142340.A15795@Odin.AC.HMC.Edu> Date: Thu, 30 Aug 2001 17:57:59 -0400 To: Brooks Davis 
From: Garance A Drosihn Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Cc: freebsd-security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 2:23 PM -0700 8/30/01, Brooks Davis wrote: >On Thu, Aug 30, 2001, Garance A Drosihn wrote: > > That would be a quick workaround to prevent any remote attacks. >> It of course means that you won't be accepting jobs from any remote >> hosts, even if they are listed in /etc/hosts.lpd . >> >> Note, however, that '-p' is fairly recent [July 2000], so this >> workaround would not be available to any older releases. I think >> that option first showed up in 4.1-RELEASE. > >I'd been meaning to ask, is there any good reason not to make the default >lpd_flags value "-p", at least in 5.0? After all, most machines are >not print servers even if they do run lpd so they can print. I want to add "-s" (secure) as a synonym for -p, to match -s in netbsd's lpr (which predates freebsd's -p by a few years!). I think it would make sense to have "-s" set up as the default flags for lpd, but I'll let the people who have thought more about default-settings say exactly how that should be implemented. [actually, I almost think that lpd should default to "secure" operation, and require someone to specify some startup flag if they DO want to accept remote print jobs, but that is probably too dramatic of a change. I also don't know how these flags would interact with the popular alternatives to the standard lpr/lpd, such as lprNG...] 
-- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 15:43:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from rfnj.org (rfnj.org [216.239.237.194]) by hub.freebsd.org (Postfix) with ESMTP id D9D2037B401 for ; Thu, 30 Aug 2001 15:43:13 -0700 (PDT) (envelope-from all@biosys.net) Received: from megalomaniac.biosys.net (megalomaniac.rfnj.org [216.239.237.200]) by rfnj.org (Postfix) with ESMTP id 6BE2813ADE for ; Thu, 30 Aug 2001 18:20:00 +0000 (GMT) Message-Id: <5.1.0.14.0.20010830181608.00bd4df0@rfnj.org> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 30 Aug 2001 18:20:14 -0400 To: freebsd-security@FreeBSD.ORG 
From: Allen Landsidel Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd In-Reply-To: <20010830123948.A23605@xor.obsecurity.org> References: <20010830153246.K69164-100000@mail.wlcg.com> <200108301915.f7UJFv735421@freefall.freebsd.org> <20010830153246.K69164-100000@mail.wlcg.com> Mime-Version: 1.0 Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 12:39 8/30/2001 -0700, Kris Kennaway wrote: ....ems Is there some reason in particular that some of you (picks Kris out of the crowd for being closest) choose to use MIME attachments for your text-only messages instead of just wrapping a normal text/plain message? This question has been digging in my head for a while and I figured I'd finally ask it outloud. Some people do it the (imho) proper way, and I applaud them. MIME attachments aren't really needed unless there is going to be binary data in the attachment. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBO468Ho06eIXREedLEQJs9ACgtCghgRtTPRQw7IAUOmVSRcg+2jAAn1Ig 20CcmHoyZPBE+6dHtlOOgNry =NIEI -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 16:33: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from mixtim.homeip.net (cg392862-a.adubn1.nj.home.com [65.2.79.221]) by hub.freebsd.org (Postfix) with ESMTP id 128CB37B403 for ; Thu, 30 Aug 2001 16:33:00 -0700 (PDT) (envelope-from mojojojo@mixtim.homeip.net) Received: by mixtim.homeip.net (Postfix, from userid 1000) id 3488B9894; Thu, 30 Aug 2001 19:29:42 -0400 (EDT) Date: Thu, 30 Aug 2001 19:29:42 -0400 
From: Mixtim To: Allen Landsidel Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Message-ID: <20010830192942.A6865@mixtim.homeip.net> Reply-To: Mixtim References: <20010830153246.K69164-100000@mail.wlcg.com> <200108301915.f7UJFv735421@freefall.freebsd.org> <20010830153246.K69164-100000@mail.wlcg.com> <20010830123948.A23605@xor.obsecurity.org> <5.1.0.14.0.20010830181608.00bd4df0@rfnj.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.1.0.14.0.20010830181608.00bd4df0@rfnj.org>; from all@biosys.net on Thu, Aug 30, 2001 at 06:20:14PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Aug 30, 2001 at 06:20:14PM -0400, Allen Landsidel wrote: > This question has been digging in my head for a while and I figured I'd > finally ask it outloud. Some people do it the (imho) proper way, and I > applaud them. MIME attachments aren't really needed unless there is going > to be binary data in the attachment. http://www.imc.org/smime-pgpmime.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 17:47:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-172.zoominternet.net [24.154.28.172]) by hub.freebsd.org (Postfix) with ESMTP id 753F537B405 for ; Thu, 30 Aug 2001 17:47:24 -0700 (PDT) (envelope-from behanna@zbzoom.net) Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id f7UMqdX07147 for ; Thu, 30 Aug 2001 18:52:39 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Thu, 30 Aug 2001 18:52:34 -0400 (EDT) 
From: Chris BeHanna Reply-To: Chris BeHanna To: Subject: Re: GnuPG Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 30 Aug 2001, Bart Matthaei wrote: > is there any way to change (or add) a email-address in the key's comment ? gpg --edit-key name "name" is your username. You get a submenu of commands. You want "adduid". Note that "man gpg" is a much faster source of information, as is "gpg --help | more". -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net I was raised by a pack of wild corn dogs. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 18:48:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 7F31C37B403 for ; Thu, 30 Aug 2001 18:48:41 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id B8DB266D0B; Thu, 30 Aug 2001 18:45:33 -0700 (PDT) Date: Thu, 30 Aug 2001 18:45:33 -0700 
From: Kris Kennaway To: Garance A Drosihn Cc: Brooks Davis , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Message-ID: <20010830184533.C27546@xor.obsecurity.org> References: <20010830153246.K69164-100000@mail.wlcg.com> <20010830142340.A15795@Odin.AC.HMC.Edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Yylu36WmvOXNoKYn" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from drosih@rpi.edu on Thu, Aug 30, 2001 at 05:57:59PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Yylu36WmvOXNoKYn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Aug 30, 2001 at 05:57:59PM -0400, Garance A Drosihn wrote: > [actually, I almost think that lpd should default to "secure" operation, > and require someone to specify some startup flag if they DO want to > accept remote print jobs, but that is probably too dramatic of a change. > I also don't know how these flags would interact with the popular > alternatives to the standard lpr/lpd, such as lprNG...] I think that would be a reasonable thing to do at least in 5.0. 
Kris --Yylu36WmvOXNoKYn Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7juw9Wry0BWjoQKURAvtcAKDeq2/0f5zwgu7xeG5ohS7VJJnw7wCgvB/P 8+3PYtc4r6KOS2aLoEAsUaE= =q2Aw -----END PGP SIGNATURE----- --Yylu36WmvOXNoKYn-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 18:57:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id 4533837B401 for ; Thu, 30 Aug 2001 18:57:35 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f7V1ojv13068; Thu, 30 Aug 2001 18:50:45 -0700 Date: Thu, 30 Aug 2001 18:50:45 -0700 
From: Brooks Davis To: Kris Kennaway Cc: Garance A Drosihn , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Message-ID: <20010830185045.A12765@Odin.AC.HMC.Edu> References: <20010830153246.K69164-100000@mail.wlcg.com> <20010830142340.A15795@Odin.AC.HMC.Edu> <20010830184533.C27546@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="RnlQjJ0d97Da+TV1" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010830184533.C27546@xor.obsecurity.org>; from kris@obsecurity.org on Thu, Aug 30, 2001 at 06:45:33PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Aug 30, 2001 at 06:45:33PM -0700, Kris Kennaway wrote:
> On Thu, Aug 30, 2001 at 05:57:59PM -0400, Garance A Drosihn wrote:
>
> > [actually, I almost think that lpd should default to "secure" operation,
> > and require someone to specify some startup flag if they DO want to
> > accept remote print jobs, but that is probably too dramatic of a change.
> > I also don't know how these flags would interact with the popular
> > alternatives to the standard lpr/lpd, such as lprNG...]
>
> I think that would be a reasonable thing to do at least in 5.0.

I agree, maybe what we should do is change lpd_flags to -p or -s or whatever for 4.5-RELEASE (it's too late for 4.4 IMO). That would be better for overall security, but wouldn't change lpd's options, just what we pass to it by default. Then for 5.0 we fix lpd to have the sane default and require a new flag to bind a port.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --RnlQjJ0d97Da+TV1 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7ju11XY6L6fI4GtQRAgZ5AKCMwt8895/vSC35p7VlGYb7vTrCoACeOB/p P2SPqnwXeFsZmgJCrALt1rA= =VGN1 -----END PGP SIGNATURE----- --RnlQjJ0d97Da+TV1-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 20:14:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 0C74C37B401 for ; Thu, 30 Aug 2001 20:14:27 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 8339266DDA; Thu, 30 Aug 2001 18:47:00 -0700 (PDT) Date: Thu, 30 Aug 2001 18:47:00 -0700 
From: Kris Kennaway To: Blaz Zupan Cc: security@freebsd.org Subject: Re: Security update packages don't recognized patched 4.3-RELEASE Message-ID: <20010830184700.D27546@xor.obsecurity.org> References: <20010830222555.M49399-100000@gold.inlimbo.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="QRj9sO5tAVLaXnSD" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010830222555.M49399-100000@gold.inlimbo.org>; from blaz@inlimbo.org on Thu, Aug 30, 2001 at 10:28:55PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --QRj9sO5tAVLaXnSD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline

On Thu, Aug 30, 2001 at 10:28:55PM +0200, Blaz Zupan wrote:
> I usually cvsup RELENG_4_3 to update our servers, but this time I wanted to
> quickly patch the lpd hole by simply installing the update package.
> Unfortunately it complains that it can only be installed on 4.3-RELEASE.
> Well, I *am* running 4.3-RELEASE, but patched up to 4.3-RELEASE-p14. I believe
> the +INSTALL script should support this, what do others think?

It was a deliberate decision to only support 4.3-RELEASE, not arbitrary cvsup dates of RELENG_4_3 so we don't have to worry about possible weird package interactions with changes on that branch at some point.
Basically, we expect that if you can cvsup once, you can cvsup twice :) Kris --QRj9sO5tAVLaXnSD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7juyUWry0BWjoQKURAohrAKDTU9gMhEcqEiszVJvOsJYSNfNpowCg+gp8 epO3HnyuU5Vx+TlofG/wQTI= =rIIJ -----END PGP SIGNATURE----- --QRj9sO5tAVLaXnSD-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 20:38:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from theinternet.com.au (co3040619-a.kelvn1.qld.optushome.com.au [203.164.207.8]) by hub.freebsd.org (Postfix) with ESMTP id B182237B401 for ; Thu, 30 Aug 2001 20:38:22 -0700 (PDT) (envelope-from akm@theinternet.com.au) Received: (from akm@localhost) by theinternet.com.au (8.11.4/8.11.4) id f7V3Psh88783; Fri, 31 Aug 2001 13:25:54 +1000 (EST) (envelope-from akm) Date: Fri, 31 Aug 2001 13:25:54 +1000 
From: Andrew Kenneth Milton To: Kris Kennaway Cc: Blaz Zupan , security@FreeBSD.ORG Subject: Re: Security update packages don't recognized patched 4.3-RELEASE Message-ID: <20010831132554.T21855@zeus.theinternet.com.au> References: <20010830222555.M49399-100000@gold.inlimbo.org> <20010830184700.D27546@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <20010830184700.D27546@xor.obsecurity.org>; from Kris Kennaway on Thu, Aug 30, 2001 at 06:47:00PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

+-------[ Kris Kennaway ]----------------------
| On Thu, Aug 30, 2001 at 10:28:55PM +0200, Blaz Zupan wrote:
| > I usually cvsup RELENG_4_3 to update our servers, but this time I wanted to
| > quickly patch the lpd hole by simply installing the update package.
| > Unfortunately it complains that it can only be installed on 4.3-RELEASE.
| > Well, I *am* running 4.3-RELEASE, but patched up to 4.3-RELEASE-p14. I believe
| > the +INSTALL script should support this, what do others think?
|
| It was a deliberate decision to only support 4.3-RELEASE, not
| arbitrary cvsup dates of RELENG_4_3 so we don't have to worry about
| possible weird package interactions with changes on that branch at
| some point. Basically, we expect that if you can cvsup once, you can
| cvsup twice :)

Do they work with arbitrary combinations of binary updates?

Which is to say are they generated from 4.3-RELEASE or generated from 4.3-RELEASE + previous binary updates? I'm not sure there would be any contention there, but, I can see how it could lead to the same situation as cvsupping (given enough updates).
-- Totally Holistic Enterprises Internet| | Andrew Milton The Internet (Aust) Pty Ltd | | ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 21: 4:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 968E637B405 for ; Thu, 30 Aug 2001 21:04:19 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 9992E66D0B; Thu, 30 Aug 2001 20:30:17 -0700 (PDT) Date: Thu, 30 Aug 2001 20:30:17 -0700 
From: Kris Kennaway To: Andrew Kenneth Milton Cc: Kris Kennaway , Blaz Zupan , security@FreeBSD.ORG Subject: Re: Security update packages don't recognized patched 4.3-RELEASE Message-ID: <20010830203017.A29026@xor.obsecurity.org> References: <20010830222555.M49399-100000@gold.inlimbo.org> <20010830184700.D27546@xor.obsecurity.org> <20010831132554.T21855@zeus.theinternet.com.au> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ibTvN161/egqYuK8" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010831132554.T21855@zeus.theinternet.com.au>; from akm@theinternet.com.au on Fri, Aug 31, 2001 at 01:25:54PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --ibTvN161/egqYuK8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Fri, Aug 31, 2001 at 01:25:54PM +1000, Andrew Kenneth Milton wrote:
> +-------[ Kris Kennaway ]----------------------
> | On Thu, Aug 30, 2001 at 10:28:55PM +0200, Blaz Zupan wrote:
> | > I usually cvsup RELENG_4_3 to update our servers, but this time I wanted to
> | > quickly patch the lpd hole by simply installing the update package.
> | > Unfortunately it complains that it can only be installed on 4.3-RELEASE.
> | > Well, I *am* running 4.3-RELEASE, but patched up to 4.3-RELEASE-p14. I believe
> | > the +INSTALL script should support this, what do others think?
> |
> | It was a deliberate decision to only support 4.3-RELEASE, not
> | arbitrary cvsup dates of RELENG_4_3 so we don't have to worry about
> | possible weird package interactions with changes on that branch at
> | some point. Basically, we expect that if you can cvsup once, you can
> | cvsup twice :)
>
> Do they work with arbitrary combinations of binary updates?

Yes, because I know what packages have been installed and can introduce appropriate dependencies to ensure correct ordering, if we have the need. I can't do that if someone cvsups and then installs a binary upgrade. Kris --ibTvN161/egqYuK8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7jwTJWry0BWjoQKURAqpGAJ9tGg4mz1tEryyzhc88RPlBUeNGgwCg8MW2 nWpHEN7Qrg7JFV8RtJyEnFE= =ST77 -----END PGP SIGNATURE----- --ibTvN161/egqYuK8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 30 22:10:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from postal.admin.gil.com.au (postal.admin.gil.com.au [202.47.47.23]) by hub.freebsd.org (Postfix) with ESMTP id EE0D337B403 for ; Thu, 30 Aug 2001 22:10:04 -0700 (PDT) (envelope-from GHollings@admin.gil.com.au) content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: Broken SU X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0 Date: Fri, 31 Aug 2001 15:06:30 +1000 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Broken SU Thread-Index: AcEx2rJjOYQEmwOORHiJAnE8VJsKaw== 
From: "Glen Hollings" To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Has anyone ever experienced a broken SU command? I can't seem to SU to root when logged in as any 'normal' user.... eg

normuser@bsdbox normuser]$su -m
Password:
(stalls after this)

Or if I put in the wrong password

normuser@bsdbox normuser]$su -m
Password:
Sorry
(stalls after this)

it does this... putting sshd into debug mode doesn't seem to reveal anything of use..

Here is an strace output of an attempted su:

$strace su
execve("/usr/bin/su", ["su"], [/* 20 vars */]) = 0
__sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x4005e000
geteuid(0xbfbffc1c) = 0
getuid() = 1002 (euid 0)
open("/var/run/ld-elf.so.hints", O_RDONLY) = 3
read(3, "Ehnt\1\0\0\0\200\0\0\0(\0\0\0\0\0\0\0\'\0\0\0\0\0\0\0\0"..., 128) = 128
lseek(3, 128, SEEK_SET) = 128
read(3, "/usr/lib:/usr/lib/compat:/usr/lo"..., 40) = 40
close(3) = 0
access("/usr/lib/libutil.so.3", F_OK) = 0
open("/usr/lib/libutil.so.3", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=32848, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0h#\0\000"..., 4096) = 4096
mmap(0, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40066000
mmap(0x4006e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7000) = 0x4006e000
close(3) = 0
access("/usr/lib/libskey.so.2", F_OK) = 0
open("/usr/lib/libskey.so.2", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=24252, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0008\23\0"..., 4096) = 4096
mmap(0, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4006f000
mmap(0x40073000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x3000) = 0x40073000
close(3) = 0
access("/usr/lib/libmd.so.2", F_OK) = 0
open("/usr/lib/libmd.so.2", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=34272, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\17\0\000"..., 4096) = 4096
mmap(0, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40076000
mmap(0x4007e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7000) = 0x4007e000
close(3) = 0
access("/usr/lib/libcrypt.so.2", F_OK) = 0
open("/usr/lib/libcrypt.so.2", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=28588, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\16"..., 4096) = 4096
mmap(0, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4007f000
mmap(0x40086000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x6000) = 0x40086000
mmap(0x40087000, 69632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x40087000
close(3) = 0
access("/usr/lib/libc.so.4", F_OK) = 0
open("/usr/lib/libc.so.4", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=572588, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\314-\1"..., 4096) = 4096
mmap(0, 622592, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40098000
mmap(0x40118000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7f000) = 0x40118000
mmap(0x4011c000, 81920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x4011c000
close(3) = 0
access("/usr/lib/libcrypt.so.2", F_OK) = 0
access("/usr/lib/libmd.so.2", F_OK) = 0
sigaction(SIGILL, {0x4004f0fc, [], 0}, {SIG_DFL}) = 0
sigprocmask(SIG_BLOCK, NULL, []) = 0
sigaction(SIGILL, {SIG_DFL}, NULL) = 0
sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
sigprocmask(SIG_SETMASK, [], NULL) = 0
readlink("/etc/malloc.conf", 0xbfbff6f4, 63) = -1 ENOENT (No such file or directory)
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x40130000
break(0x804d000) = 0
getpriority(PRIO_PROCESS, 0) = 0
setpriority(PRIO_PROCESS, 0, -2) = 0
getuid() = 1002 (euid 0)
getlogin(0x401203f8, 0x11) = 0
geteuid(0x4011b304) = 0
break(0x804e000) = 0
stat("/etc/spwd.db", {st_mode=S_IFREG|0600, st_size=40960, ...}) = 0
open("/etc/spwd.db", O_RDONLY) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
read(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., 260) = 260
break(0x804f000) = 0
break(0x8050000) = 0
break(0x8051000) = 0
lseek(3, 28672, SEEK_SET) = 28672
read(3, "\30\0\373\17\302\17\275\17r\17l\17$\17\37\17\344\16\337"..., 4096) = 4096
break(0x8052000) = 0
close(3) = 0
geteuid(0x4011b304) = 0
stat("/etc/spwd.db", {st_mode=S_IFREG|0600, st_size=40960, ...}) = 0
open("/etc/spwd.db", O_RDONLY) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
read(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., 260) = 260
break(0x8053000) = 0
lseek(3, 24576, SEEK_SET) = 24576
read(3, "\26\0\373\17\301\17\272\17i\17d\17\23\17\n\17\321\16\314"..., 4096) = 4096
close(3) = 0
geteuid(0x4006e3bc) = 0
getegid(0x4006e3bc) = 1002
setegid(0Password:

anyone have any ideas?? please!

Thanks

**********************************************
*Glen Hollings              | There Cant Be  *
*Network Administrator      | a Crisis Today,*
*Global Info Links          | my schedule is *
*ghollings@admin.gil.com.au | already full.  *
**********************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 31 4:38: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from ida.interface-business.de (ida.interface-business.de [193.101.57.9]) by hub.freebsd.org (Postfix) with ESMTP id ADFA237B401; Fri, 31 Aug 2001 04:37:55 -0700 (PDT) Received: (from j@localhost) by ida.interface-business.de id f7VBbn777148; Fri, 31 Aug 2001 13:37:49 +0200 (MET DST) Date: Fri, 31 Aug 2001 13:37:49 +0200
From: Joerg Wunsch To: Garrett Wollman Cc: audit@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: why does telnetd run as root? Message-ID: <20010831133749.H76749@ida.interface-business.de> Reply-To: Joerg Wunsch References: <20010830201102.O69247@ida.interface-business.de> <200108301817.f7UIHNa66577@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200108301817.f7UIHNa66577@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Aug 30, 2001 at 02:17:23PM -0400 X-Phone: +49-351-31809-14 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Organization: interface systems GmbH, Dresden Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org As Garrett Wollman wrote: > < said: > > > But then, it's IMHO much safer to run telnetd as user > > `daemon', and have login(1) allow user daemon to pass -h. > > Only works for cleartext password authentication. Not really, but you're right, it doesn't work for SRA telnet. It works for anything that can be handled by /usr/bin/login, i just tried OPIE which does well. Still, allowing this as an option seems useful to me. (If i want encryption, i'll use ssh anyway. Telnet is only a fallback if no encryption is available for whatever reason. It is very unlikely i'll find a client that could do SRA telnet but could not do ssh.) 
-- J"org Wunsch Unix support engineer joerg_wunsch@interface-systems.de http://www.interface-systems.de/~j/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 31 8:44:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id F1E8337B407 for ; Fri, 31 Aug 2001 08:44:08 -0700 (PDT) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f7VFhsU132714; Fri, 31 Aug 2001 11:43:54 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <20010830184533.C27546@xor.obsecurity.org> References: <20010830153246.K69164-100000@mail.wlcg.com> <20010830142340.A15795@Odin.AC.HMC.Edu> <20010830184533.C27546@xor.obsecurity.org> Date: Fri, 31 Aug 2001 11:43:52 -0400 To: Kris Kennaway 
From: Garance A Drosihn Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Cc: Brooks Davis , freebsd-security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 6:45 PM -0700 8/30/01, Kris Kennaway wrote: >On Thu, Aug 30, 2001, Garance A Drosihn wrote: > >> [actually, I almost think that lpd should default to "secure" > > operation, and require someone to specify some startup flag if > > they DO want to accept remote print jobs, but that is probably > > too dramatic of a change. I also don't know how these flags > > would interact with the popular alternatives to the standard > > lpr/lpd, such as lprNG...] > >I think that would be a reasonable thing to do at least in 5.0. Hmm. Well, let me think about it a bit more, and see if any other alternatives come to mind. -- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 31 9:20:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id D35EF37B406; Fri, 31 Aug 2001 09:20:39 -0700 (PDT) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f7VGKRg78913; Fri, 31 Aug 2001 12:20:27 -0400 (EDT) (envelope-from wollman) Date: Fri, 31 Aug 2001 12:20:27 -0400 (EDT) 
From: Garrett Wollman Message-Id: <200108311620.f7VGKRg78913@khavrinen.lcs.mit.edu> To: Joerg Wunsch Cc: audit@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: why does telnetd run as root? In-Reply-To: <20010831133749.H76749@ida.interface-business.de> References: <20010830201102.O69247@ida.interface-business.de> <200108301817.f7UIHNa66577@khavrinen.lcs.mit.edu> <20010831133749.H76749@ida.interface-business.de> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > Not really, but you're right, it doesn't work for SRA telnet. Doesn't work for Kerberos either. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 31 12: 9:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 4946C37B405 for ; Fri, 31 Aug 2001 12:09:27 -0700 (PDT) Received: (qmail 9337 invoked from network); 31 Aug 2001 19:08:55 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 31 Aug 2001 19:08:55 -0000 Message-ID: <005801c13250$71a55e40$0d00a8c0@nexgen.com> 
From: "alexus" To: "Ronan Lucio" , References: <20010830145840.A1554@sunbay.com><200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu><20010830204132.A47482@sunbay.com> <200108301820.f7UIKGZ66585@khavrinen.lcs.mit.edu> <089901c1318a$c2db89e0$2aa8a8c0@melim.com.br> Subject: Re: Jail question Date: Fri, 31 Aug 2001 15:09:22 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

use dns to point your mx record to a separate machine and don't let anyone go on that machine then it would be pretty much safe, close all ports but port 25 you don't even need to set up jail for that

----- Original Message -----
From: "Ronan Lucio" To: Sent: Thursday, August 30, 2001 3:34 PM Subject: Jail question > Hi, > > I want to install the jail for a mail server. > Is the best way to do it install the jail in one machine and > the mail server in another machine or have to install the > jail and the mail server in the same computer? > > I´m a little mess about it > > Ronan Lucio > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 31 12:24:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f220.law8.hotmail.com [216.33.241.220]) by hub.freebsd.org (Postfix) with ESMTP id 3A1F437B405; Fri, 31 Aug 2001 12:24:04 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 31 Aug 2001 12:24:04 -0700 Received: from 200.212.177.158 by lw8fd.law8.hotmail.msn.com with HTTP; Fri, 31 Aug 2001 19:24:03 GMT X-Originating-IP: [200.212.177.158] 
From: "Not Going to Tell You"
To: freebsd-stable@FreeBSD.ORG
Cc: security@FreeBSD.org
Subject: Security Oficer mail bouncing back
Date: Fri, 31 Aug 2001 19:24:03 +0000

FYI,

Mail I sent to Security-Officer@FreeBSD.org has bounced back. This is the address listed in the FreeBSD.org/security web page.

LUCKY

From owner-freebsd-security Fri Aug 31 12:34: 4 2001
From: "Not Going to Tell You"
To: security@FreeBSD.org, freebsd-stable@FreeBSD.ORG
Subject: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Fri, 31 Aug 2001 19:33:51 +0000

Sorry for the blank e-mail.

I have an idea, maybe you either know if it has already been done or you can help me write this software:

What if I would scan 5 ports in a defined order, within a defined period of time on my remote box. A program on the box would recognize these 5 port scans as a "Key" from a remote user to open a port or to activate another software.

Why would this be good?
I could close all the ports on my box except those needed to provide a service (i.e. port 80), however, how can I remote manage it? So then I would have to open a sshd port also. But this leads to a potential security problem when scanned by a hacker. So, what if I had a program that sent a type of "Key" to the box and the box recognized that the key sequence order was from me, then opened the sshd port. After I was finished with the sshd session, I would run another program to close the port behind me?

Any thoughts and help is welcomed.

Lucky

From owner-freebsd-security Fri Aug 31 12:39:55 2001
Date: Fri, 31 Aug 2001 12:39:45 -0700
From: "Jon O ."
To: Not Going to Tell You
Cc: security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010831123945.E42488@networkcommand.com>

I already have this ported to FreeBSD. It uses libpcap to watch for syn packets. The original is called cd00r.c and is available here:

http://www.phenoelit.de/fr/tools.html

My FreeBSD port is available if you send an email, I've got to dig it up...

On 31-Aug-2001, Not Going to Tell You wrote:
> Sorry for the blank e-mail.
>
> I have an idea, maybe you either know if it is already been done or you can
> help me write this software:
>
> What if I would scan 5 ports in a defined order, within a define period of
> time on my remote box. A program on the box would recognize these 5 port
> scans as a "Key" from a remote user to open a port or to activate another
> software.
>
> Why would this be good?
> I could close all the ports on my box except those needed to provide a
> service (i.e. port 80), however, how can I remote manage it? So then I would
> have to open a sshd port also. But this leads to a potential security
> problem when scanned by a hacker. So, what if I had a program that sent a
> type of "Key" to the box and the box recognized that the key sequence order
> was from me, then opened the sshd port. After I was finished with the sshd
> session, I would run another program to close the port behind me?
>
> Any thoughts and help is welcomed.
>
> Lucky

From owner-freebsd-security Fri Aug 31 12:40:56 2001
Message-ID: <3B8FE815.C7999028@centtech.com>
Date: Fri, 31 Aug 2001 14:40:05 -0500
From: Eric Anderson
To: Not Going to Tell You
Cc: security@freebsd.org
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.

it wouldn't be too hard to randomly try these until you got the "key", or even just sniff the traffic (assuming you have that access) and replicate it.. this doesn't sound like a benefit to me.. good thinking, but I'm not sure how it's different from having a nice and tight box with strict ipfilter rules and/or tcpwrappers running..

Eric

Not Going to Tell You wrote:
>
> Sorry for the blank e-mail.
>
> I have an idea, maybe you either know if it is already been done or you can
> help me write this software:
>
> What if I would scan 5 ports in a defined order, within a define period of
> time on my remote box. A program on the box would recognize these 5 port
> scans as a "Key" from a remote user to open a port or to activate another
> software.
>
> Why would this be good?
> I could close all the ports on my box except those needed to provide a
> service (i.e. port 80), however, how can I remote manage it? So then I would
> have to open a sshd port also. But this leads to a potential security
> problem when scanned by a hacker. So, what if I had a program that sent a
> type of "Key" to the box and the box recognized that the key sequence order
> was from me, then opened the sshd port. After I was finished with the sshd
> session, I would run another program to close the port behind me?
>
> Any thoughts and help is welcomed.
>
> Lucky

--
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
Truth is more marvelous than mystery.

From owner-freebsd-security Fri Aug 31 12:42:51 2001
Date: Fri, 31 Aug 2001 12:43:48 -0700
From: Jason DiCioccio
To: Not Going to Tell You
Cc: security@FreeBSD.org, freebsd-stable@FreeBSD.ORG
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010831124348.B2253@bluenugget.net>

Actually you could even have it so it would only accept() for about 10 seconds. it doesn't have to be accepting connections when you're SSH'd in. The problem with this of course is it's another key that can be sniffed. I don't see how it would hurt though as long as you're using secure protocols/services as well. Basically, just don't put all of your trust into that one key :)

Cheers,
-JD-

On Fri, Aug 31, 2001 at 07:33:51PM +0000, Not Going to Tell You wrote:
> Sorry for the blank e-mail.
>
> I have an idea, maybe you either know if it is already been done or you can
> help me write this software:
>
> What if I would scan 5 ports in a defined order, within a define period of
> time on my remote box. A program on the box would recognize these 5 port
> scans as a "Key" from a remote user to open a port or to activate another
> software.
>
> Why would this be good?
> I could close all the ports on my box except those needed to provide a
> service (i.e. port 80), however, how can I remote manage it? So then I would
> have to open a sshd port also. But this leads to a potential security
> problem when scanned by a hacker. So, what if I had a program that sent a
> type of "Key" to the box and the box recognized that the key sequence order
> was from me, then opened the sshd port. After I was finished with the sshd
> session, I would run another program to close the port behind me?
>
> Any thoughts and help is welcomed.
>
> Lucky

--
Jason DiCioccio - geniusj@bsd.st - PGP Key @ http://bsd.st/~geniusj/pgpkey.asc

From owner-freebsd-security Fri Aug 31 13: 0:36 2001
From: "Not Going to Tell You"
To: anderson@centtech.com
Cc: security@freebsd.org
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Date: Fri, 31 Aug 2001 20:00:28 +0000

First, I stated that the only port that would be open would be the port 80 http. And it is assumed that I would have already had a tight box with strict rules. But even tight boxes still show which ports are opened.

As for guessing the key sequence..I doubt it, if the program was able to tell if port scanning was taking place. And do not forget the timer.

As for sniffing, well 99.9% of all the hackers that I have seen come from the Internet where would they put the sniffer?

Lucky

>From: Eric Anderson
>Reply-To: anderson@centtech.com
>To: Not Going to Tell You
>CC: security@freebsd.org
>Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
>Date: Fri, 31 Aug 2001 14:40:05 -0500
>
>it wouldn't be too hard to randomly try these until you got the "key",
>or even just sniff the traffic (assuming you have that access) and
>replicate it.. this doesnt sound like a benefit to me.. good thinking,
>but I'm not sure how it's different from having a nice and tight box
>with strict ipfilter rules and/or tcpwrappers running..
>
>Eric
>
>
>Not Going to Tell You wrote:
> >
> > Sorry for the blank e-mail.
> >
> > I have an idea, maybe you either know if it is already been done or you can
> > help me write this software:
> >
> > What if I would scan 5 ports in a defined order, within a define period of
> > time on my remote box. A program on the box would recognize these 5 port
> > scans as a "Key" from a remote user to open a port or to activate another
> > software.
> >
> > Why would this be good?
> > I could close all the ports on my box except those needed to provide a
> > service (i.e. port 80), however, how can I remote manage it? So then I would
> > have to open a sshd port also. But this leads to a potential security
> > problem when scanned by a hacker. So, what if I had a program that sent a
> > type of "Key" to the box and the box recognized that the key sequence order
> > was from me, then opened the sshd port. After I was finished with the sshd
> > session, I would run another program to close the port behind me?
> >
> > Any thoughts and help is welcomed.
> >
> > Lucky
>
>--
>Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
>Truth is more marvelous than mystery.

From owner-freebsd-security Fri Aug 31 13: 6:27 2001
Date: Fri, 31 Aug 2001 13:06:20 -0700
From: Kris Kennaway
To: Not Going to Tell You
Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Security Oficer mail bouncing back
Message-ID: <20010831130620.D85955@xor.obsecurity.org>

On Fri, Aug 31, 2001 at 07:24:03PM +0000, Not Going to Tell You wrote:
> FYI, Mail I sent to Security-Officer@FreeBSD.org has bounced back. THis is
> the address listed in the FreeBSD.org/security web page.

It should work..I've received other mail there today. Perhaps you have e.g. DNS problems on your end and it's being bounced by the freebsd.org mail server for that reason.

Kris

From owner-freebsd-security Fri Aug 31 13:30:19 2001
Message-ID: <3B8FF3B7.39F7646E@centtech.com>
Date: Fri, 31 Aug 2001 15:29:43 -0500
From: Eric Anderson
To: Not Going to Tell You
Cc: security@freebsd.org
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.

I guess what I meant by tight was that you would only allow packets from known trusted ip's (like the ones you would be coming from) and deny all to everyone else. Of course someone could spoof your ip, but they would have a hard time finding out that ip. The comment on sniffing was to cover the bases, not to say it happens all the time, but you can't rule things out on the basis that "99.9% of all hackers".. that's a bad mentality to have when dealing with security issues I think.. It's a good idea, I'm just asking what benefit it gives you over a strict ipfilter list?

Also, would you have a "client" tool to use to do this? if it was software that did it, wouldn't it be better to do a LOT of ports, in a certain order, etc? Like 100-200? 5 is way too few to make it unhackable. By the way, guessing key sequences isn't hard, it's simple, it just takes time, and that's something that computers have a lot of. Yes, it would take a long time, but it could do it.. I'm just saying it could be a false security.

Why not do something that's based on time? Like, sshd (or anything you want) will be at port X at time Y depending on Z (where Z is a 'salt' kind of thing you define). So, using an algorithm with X, Y, and Z, and the time, your server and client use the same calculations to find what X will be at a given Y. You would just need your clocks synced. This isn't perfect either, just more stuff to throw in to the mess. :)

Eric

Not Going to Tell You wrote:
>
> First, I stated that the only port that would be open would be the port 80
> http. And it is assumed that I would have already had a tight box with
> strict rules. But even tight boxes still show which ports are opened.
>
> As for guessing the key sequence..I doubt it, if the program was able to
> tell if port scanning was taking place. And do not for get the timer.
>
> As for sniffing, well 99.9% of all the hackers that I have seen come from
> the Internet where would they put the sniffer?
>
> Lucky
>
> >From: Eric Anderson
> >Reply-To: anderson@centtech.com
> >To: Not Going to Tell You
> >CC: security@freebsd.org
> >Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
> >Date: Fri, 31 Aug 2001 14:40:05 -0500
> >
> >it wouldn't be too hard to randomly try these until you got the "key",
> >or even just sniff the traffic (assuming you have that access) and
> >replicate it.. this doesnt sound like a benefit to me.. good thinking,
> >but I'm not sure how it's different from having a nice and tight box
> >with strict ipfilter rules and/or tcpwrappers running..
> >
> >Eric
> >
> >
> >Not Going to Tell You wrote:
> > >
> > > Sorry for the blank e-mail.
> > >
> > > I have an idea, maybe you either know if it is already been done or you can
> > > help me write this software:
> > >
> > > What if I would scan 5 ports in a defined order, within a define period of
> > > time on my remote box. A program on the box would recognize these 5 port
> > > scans as a "Key" from a remote user to open a port or to activate another
> > > software.
> > >
> > > Why would this be good?
> > > I could close all the ports on my box except those needed to provide a
> > > service (i.e. port 80), however, how can I remote manage it? So then I would
> > > have to open a sshd port also. But this leads to a potential security
> > > problem when scanned by a hacker. So, what if I had a program that sent a
> > > type of "Key" to the box and the box recognized that the key sequence order
> > > was from me, then opened the sshd port. After I was finished with the sshd
> > > session, I would run another program to close the port behind me?
> > >
> > > Any thoughts and help is welcomed.
> > >
> > > Lucky
> >
> >--
> >Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
> >Truth is more marvelous than mystery.

--
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
Truth is more marvelous than mystery.

From owner-freebsd-security Fri Aug 31 13:56:14 2001
Date: Fri, 31 Aug 2001 16:56:00 -0400 (EDT)
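
Added example, not part of any message in this archive and not the cd00r.c code mentioned above: a per-source knock tracker with the timer Lucky describes, run over constructed SYN observations, once with a fixed sequence and once with a sequence derived from the time and a shared secret (Eric's X, Y, Z idea applied to the knock ports rather than to the sshd port). The HMAC construction, the 10 s window, the 30 s slot, the secret and the addresses are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 10.0  # assumed: seconds allowed between first and last knock
SLOT = 30      # assumed: seconds for which one derived sequence stays valid


def derive_sequence(secret, ts, count=5, slot=SLOT, low=1024, high=65535):
    """Ports X for time Y and shared secret Z: HMAC-SHA256(Z, slot number || index)."""
    slot_no = int(ts) // slot
    ports = []
    for i in range(count):
        mac = hmac.new(secret, struct.pack(">QB", slot_no, i), hashlib.sha256).digest()
        ports.append(low + int.from_bytes(mac[:4], "big") % (high - low + 1))
    return ports


class KnockTracker:
    """Per-source state machine over observed SYNs to closed ports."""

    def __init__(self, sequence_at, window=WINDOW):
        self.sequence_at = sequence_at  # callable: timestamp -> expected port list
        self.window = window
        self.state = {}                 # src -> (pinned sequence, next index, start time)

    def observe(self, ts, src, dport):
        """Feed one SYN; return True when src has just completed a valid sequence."""
        seq, idx, start = self.state.get(src, (None, 0, ts))
        if idx and ts - start > self.window:
            idx = 0                     # timer expired: partial progress is forgotten
        if idx == 0 or dport != seq[idx]:
            # New attempt or out-of-order port: restart against the sequence valid
            # now. The sequence is pinned at the first knock, so clocks only have
            # to agree on the slot at that moment.
            seq, idx, start = self.sequence_at(ts), 0, ts
        if dport == seq[idx]:
            idx += 1
        if idx == len(seq):
            self.state.pop(src, None)
            return True
        self.state[src] = (seq, idx, start)
        return False


def opened_for(events, sequence_at):
    """Return the (time, source) pairs at which the sshd rule would be opened."""
    tracker = KnockTracker(sequence_at)
    return [(ts, src) for ts, src, dport in events if tracker.observe(ts, src, dport)]


SECRET = b"constructed-demo-secret"              # constructed value
ADMIN, OBSERVER = "192.0.2.10", "198.51.100.7"   # documentation-range addresses


def demo_events():
    """Constructed observations: a valid knock, a later replay, a too-slow knock."""
    knock = derive_sequence(SECRET, 1000)
    first = [(1000 + i, ADMIN, p) for i, p in enumerate(knock)]
    # the same five ports, seen on the wire and sent again an hour later
    replay = [(4600 + i, OBSERVER, p) for i, p in enumerate(knock)]
    # correct ports, but spread over 20 s, so the timer has to reject them
    slow = [(9000 + 5 * i, ADMIN, p) for i, p in enumerate(knock)]
    return knock, first + replay + slow


if __name__ == "__main__":
    knock, events = demo_events()
    print("fixed sequence  :", opened_for(events, lambda ts: knock))
    print("time-derived    :", opened_for(events, lambda ts: derive_sequence(SECRET, ts)))
```

With a fixed sequence the replayed knock opens the port for the second address; with the time-derived sequence only the original knock does. A replay inside the same 30 s slot would still be accepted, so sshd's own authentication remains the real control.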
From: Robert Watson
To: "Andrew R. Reiter"
Cc: freebsd-audit@FreeBSD.org, freebsd-security@FreeBSD.org
Subject: Re: setlogincontext() modifications.

I guess my response would actually be surprise that it isn't used already. :-) Do those use setusercontext() at all?

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org NAI Labs, Safeport Network Services

On Wed, 22 Aug 2001, Andrew R. Reiter wrote:

> Hi,
>
> I plan on doing some patches for adding setlogincontext() calls to:
>
> libexec/:
>     atrun/atrun.c
>     ftpd/ftpd.c
>     rshd/rshd.c
>     uucpd/uucpd.c
>
> as an initial step towards seeing how people react. If people can perhaps
> recommend a couple more from other parts of the tree that I could write
> patches for, that would be great. I ask this so that I can perhaps get a
> bit more of a reaction from some people as this type of patch will effect
> some network daemons etc...
>
> Thanks,
>
> Andrew
>
> *-------------.................................................
> | Andrew R. Reiter
> | arr@fledge.watson.org
> | "It requires a very unusual mind
> | to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Fri Aug 31 14:51:52 2001
Date: Fri, 31 Aug 2001 17:51:43 -0400 (EDT)
From: Rob Simmons
To: Eric Anderson
Cc: Not Going to Tell You ,
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
In-Reply-To: <3B8FF3B7.39F7646E@centtech.com>
Message-ID: <20010831174446.R50234-100000@mail.wlcg.com>

Why not require the incoming packets to be spoofed from a preordained set of IP addresses to obfuscate it even more.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 31 Aug 2001, Eric Anderson wrote:

> I guess what I meant by tight was that you would only allow packets from
> know trusted ip's (like the one's you would be coming from) anad deny
> all to everyone else. Of course someone could spoof your ip, but they
> would have a hard time finding out that ip. The comment on sniffing was
> to cover the bases, not to say it happens all the time, but you can't
> rule things out on the basis that "99.9% of all hackers".. thats a bad
> mentality to have when dealing with security issues I think.. It's a
> good idea, I'm just asking what benefit it gives you over a strict
> ipfilter list?
>
> Also, would you have a "client" tool to use to do this? if it was
> software that did it, wouldn't it be better to do a LOT of ports, in a
> certain order, etc? Like 100-200? 5 is way too few to make it
> unhackable. By the way, guessing key sequences isn't hard, it's simple,
> it just takes time, and that's something that computers have a lot of.
> Yes, it would take a long time, but it could do it.. I'm just saying it
> could be a false security.
>
> Why not do something thats based on time? Like, sshd (or anything you
> want) will be at port X at time Y depending on Z (where Z is a 'salt'
> kind of thing you define). So, using an algorithm with X, Y, and Z, and
> the time, your server and client use the same calculations to find what
> X will be at a given Y. You would just need your clocks synced. This
> isn't perfect either, just more stuff to throw in to the mess. :)
>
> Eric

From owner-freebsd-security Fri Aug 31 14:53:14 2001
Date: Fri, 31 Aug 2001 16:53:06 -0500
From: Alfred Perlstein
To: Rob Simmons
Cc: Eric Anderson , Not Going to Tell You , security@freebsd.org
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010831165306.T81307@elvis.mu.org>
In-Reply-To: <20010831174446.R50234-100000@mail.wlcg.com>; from rsimmons@wlcg.com on Fri, Aug 31, 2001 at 05:51:43PM -0400

* Rob Simmons [010831 16:51] wrote:
> Why not require the incoming packets to be spoofed from a preordained set
> of IP addresses to obfuscate it even more.

Obfuscation isn't security, it is the illusion of it.

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'

From owner-freebsd-security Fri Aug 31 14:57:14 2001
Date: Fri, 31 Aug 2001 17:57:04 -0400 (EDT)
From: Rob Simmons
To: Alfred Perlstein
Cc: Eric Anderson , Not Going to Tell You ,
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
In-Reply-To: <20010831165306.T81307@elvis.mu.org>
Message-ID: <20010831175635.D50234-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by AMaViS perl-10

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Oops, I forgot the ;)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 31 Aug 2001, Alfred Perlstein wrote:

> * Rob Simmons [010831 16:51] wrote:
> > Why not require the incoming packets to be spoofed from a preordained set
> > of IP addresses to obfuscate it even more.
>
> Obfuscation isn't security, it is the illusion of it.
>
> --
> -Alfred Perlstein [alfred@freebsd.org]
> 'Instead of asking why a piece of software is using "1970s technology,"
> start asking why software is ignoring 30 years of accumulated wisdom.'
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7kAg0v8Bofna59hYRA2epAJ4wE0L0mWjjT/ntJ5atFgb/Fd5s6wCeOhbt
cwQL3P5GbJLb1+HvpMNv5F0=
=Xyd5
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Aug 31 19:10:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from chmls16.mediaone.net (chmls16.mediaone.net [24.147.1.151]) by hub.freebsd.org (Postfix) with ESMTP id 550F037B407 for ; Fri, 31 Aug 2001 19:10:39 -0700 (PDT)
Received: from mediaone.net (h002078d665ae.ne.mediaone.net [66.30.93.217]) by chmls16.mediaone.net (8.11.1/8.11.1) with ESMTP id f812ArT01371 for ; Fri, 31 Aug 2001 22:10:53 -0400 (EDT)
Message-ID: <3B900B4B.119FBA2F@mediaone.net>
Date: Fri, 31 Aug 2001 22:10:19 +0000
From: "The Marino's"
Reply-To: postroad@mediaone.net
X-Mailer: Mozilla 4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Tagged by Spissatus
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit

I was configuring a new server and foolishly put it on the wire while I
was configuring. Anonymous ftp was enabled and I got an Upload that was a
nasty directory tree with some Divx files;

Tagged: By Spissatus: Scan by Riot 667 Upload by spissatus Dx2 Missing files Deep Blue Sea: Lots of DiVX files.

Is this as simple as it looks or is this a deeper exploit that may have
compromised any user accounts?? I yanked out world write access but it
came back a few hours later. The GID of the ftp user is 5(operator) and
the /var/ftp directory is root:operator. Is that normal for a 4.3-stable
release out of the box or have they gotten enough information to run
"chown" and "chmod"?

From owner-freebsd-security Fri Aug 31 21: 8:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-172.zoominternet.net [24.154.28.172]) by hub.freebsd.org (Postfix) with ESMTP id 766A737B405 for ; Fri, 31 Aug 2001 21:08:12 -0700 (PDT)
Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id f8148EP01614 for ; Sat, 1 Sep 2001 00:08:14 -0400 (EDT) (envelope-from behanna@zbzoom.net)
Date: Sat, 1 Sep 2001 00:08:09 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To:
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 31 Aug 2001, Not Going to Tell You wrote:

> First, I stated that the only port that would be open would be the port 80
> http. And it is assumed that I would have already had a tight box with
> strict rules. But even tight boxes still show which ports are opened.
>
> As for guessing the key sequence..I doubt it, if the program was able to
> tell if port scanning was taking place. And do not forget the timer.
>
> As for sniffing, well 99.9% of all the hackers that I have seen come from
> the Internet where would they put the sniffer?

If your machine is attached to a cable modem, then there are 253 other
hosts in your neighborhood who can very easily sniff your traffic. If
you're trying to open ports remotely, then your key traffic is going over
the internet. Do a traceroute between the host you're using and the host
you're trying to manage, and ponder someone sniffing along any of those
hops. Although this is unlikely for the casual user, it becomes more
likely if the remote host is a corporate-owned machine in a highly
competitive area of industry.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
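
Added example, not part of the thread: one way to realise the clock-synchronised calculation suggested earlier in this thread, so that a knock sequence sniffed along the path is useless once its window has passed or it has been accepted once. HMAC-SHA256, the 30-second window, the port range and every name in the code are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# All values below are assumptions for illustration, not from the thread.
STEP = 30                              # seconds per time window
KNOCKS = 4                             # ports per knock sequence
PORT_BASE, PORT_SPAN = 20000, 20000    # knock ports fall in 20000-39999


def knock_sequence(secret, now):
    """Ports that client and server both derive for the window holding `now`."""
    window = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest()
    # One port per 4-byte slice of the MAC; the secret never crosses the wire.
    return [PORT_BASE + int.from_bytes(mac[4 * i:4 * i + 4], "big") % PORT_SPAN
            for i in range(KNOCKS)]


class KnockVerifier:
    """Server side: allow one window of clock skew, accept each window once."""

    def __init__(self, secret):
        self.secret = secret
        self.used = set()              # windows whose sequence was already accepted

    def verify(self, observed, now):
        current = int(now // STEP)
        # Forget windows that can no longer match, so the set stays small.
        self.used = {w for w in self.used if w >= current - 1}
        for window in (current, current - 1, current + 1):
            if observed == knock_sequence(self.secret, window * STEP):
                if window in self.used:
                    return False       # replay of a sequence seen on the wire
                self.used.add(window)
                return True
        return False                   # stale, guessed, or wrong-secret sequence


if __name__ == "__main__":
    secret = b"constructed-demo-secret"    # constructed sample key
    t0 = 1_000_000_000                     # constructed timestamp
    server = KnockVerifier(secret)
    seq = knock_sequence(secret, t0)
    print("sequence:", seq)
    print("first use accepted:", server.verify(seq, t0 + 3))
    print("replay accepted:   ", server.verify(seq, t0 + 5))
    print("stale accepted:    ", server.verify(seq, t0 + 120))
```

Accepting a knock only decides who may reach the port; the service behind it still needs its own authentication.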

From owner-freebsd-security Fri Aug 31 22:15:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shinatama.hayai.de (tekkno.tv [212.222.165.65]) by hub.freebsd.org (Postfix) with ESMTP id BD43B37B40C for ; Fri, 31 Aug 2001 22:15:19 -0700 (PDT)
Received: (from marco@localhost) by shinatama.hayai.de (8.11.6/8.11.3) id f817FmE56738; Sat, 1 Sep 2001 07:15:48 GMT (envelope-from marco)
Date: Sat, 1 Sep 2001 07:15:48 +0000
From: Marco Wertejuk
To: Not Going to Tell You
Cc: security@FreeBSD.ORG
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <20010901071548.A56606@localhost.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from luckywolf19@hotmail.com on Fri, Aug 31, 2001 at 07:33:51PM +0000

Hello,

have you ever thought about a VPN for your server?
You can easily bind sshd to the webserver's VPN IP and
therefore the webserver has no unnecessarily open ports.

--
With kind regards,
Marco Wertejuk - mwcis.com
Computer/Internet/Security-Services

From owner-freebsd-security Sat Sep 1 1:11:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id AD9A737B401; Sat, 1 Sep 2001 01:11:25 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id f818BNX05073; Sat, 1 Sep 2001 02:11:24 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.11.3/8.11.4) with ESMTP id f818BNh09810; Sat, 1 Sep 2001 02:11:23 -0600 (MDT) (envelope-from imp@harmony.village.org)
Message-Id: <200109010811.f818BNh09810@harmony.village.org>
To: "Not Going to Tell You"
Subject: Re: Security Oficer mail bouncing back
Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 31 Aug 2001 19:24:03 -0000."
References:
Date: Sat, 01 Sep 2001 02:11:23 -0600
From: Warner Losh

In message "Not Going to Tell You" writes:
: FYI, Mail I sent to Security-Officer@FreeBSD.org has bounced back. This is
: the address listed in the FreeBSD.org/security web page.

I keep getting mail to security-officer@freebsd.org. Be less vague.

Warner

From owner-freebsd-security Sat Sep 1 1:30:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id B6A4037B403 for ; Sat, 1 Sep 2001 01:30:09 -0700 (PDT)
Received: (from fasty@localhost) by I-Sphere.COM (8.11.6/8.11.6) id f818YPm79702 for freebsd-security@freebsd.org; Sat, 1 Sep 2001 01:34:25 -0700 (PDT) (envelope-from fasty)
Date: Sat, 1 Sep 2001 01:34:25 -0700
From: faSty
To: freebsd-security@freebsd.org
Subject: honeypot question
Message-ID: <20010901013425.A79660@i-sphere.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

Hi guys,

I am wondering, do we have honeypot deception for FreeBSD? Let me know.

I found nice information about the deception toolkit.

URL: http://www.all.net/dtk/

-trev

--
Elevators smell different to midgets

From owner-freebsd-security Sat Sep 1 8:21: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id BE82837B409; Sat, 1 Sep 2001 08:20:55 -0700 (PDT)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id f81FKo022547; Sat, 1 Sep 2001 11:20:50 -0400 (EDT) (envelope-from arr@watson.org)
Date: Sat, 1 Sep 2001 11:20:50 -0400 (EDT)
From: "Andrew R. Reiter"
To: Robert Watson
Cc: freebsd-audit@FreeBSD.org, freebsd-security@FreeBSD.org
Subject: Re: setlogincontext() modifications.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Actually yes... as of 4.4-RC, the following utilize setusercontext():

ftpd/ftpd.c:
    setusercontext(lc, pw, (uid_t)0,
        LOGIN_SETLOGIN|LOGIN_SETGROUP|LOGIN_SETPRIORITY|
        LOGIN_SETRESOURCES|LOGIN_SETUMASK);
    /* and code to reset */

rshd/rshd.c:
    if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL) != 0)

On Fri, 31 Aug 2001, Robert Watson wrote:

:I guess my response would actually be surprise that it isn't used already.
::-) Do those use setusercontext() at all?
:
:Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
:robert@fledge.watson.org      NAI Labs, Safeport Network Services
:
:On Wed, 22 Aug 2001, Andrew R. Reiter wrote:
:
:> Hi,
:>
:> I plan on doing some patches for adding setlogincontext() calls to:
:>
:> libexec/:
:> atrun/atrun.c
:> ftpd/ftpd.c
:> rshd/rshd.c
:> uucpd/uucpd.c
:>
:> as an initial step towards seeing how people react. If people can perhaps
:> recommend a couple more from other parts of the tree that I could write
:> patches for, that would be great. I ask this so that I can perhaps get a
:> bit more of a reaction from some people as this type of patch will affect
:> some network daemons etc...
:>
:> Thanks,
:>
:> Andrew
:>
:> *-------------.................................................
:> | Andrew R. Reiter
:> | arr@fledge.watson.org
:> | "It requires a very unusual mind
:> | to undertake the analysis of the obvious" -- A.N. Whitehead
:>
:>
:> To Unsubscribe: send mail to majordomo@FreeBSD.org
:> with "unsubscribe freebsd-audit" in the body of the message
:>
:
:

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Sat Sep 1 12:18:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155]) by hub.freebsd.org (Postfix) with ESMTP id C5AE937B401 for ; Sat, 1 Sep 2001 12:18:21 -0700 (PDT)
Received: from win ([61.144.147.220]) (authenticated) by www.suntop-cn.com (8.11.3/8.11.3) with ESMTP id f81JIJB70566 for ; Sun, 2 Sep 2001 03:18:20 +0800 (CST) (envelope-from slack@suntop-cn.com)
Message-ID: <003101c1331a$dd96d320$9201a8c0@home.net>
From: "edwin chan"
To:
Subject: how can I find general security infomation ?
Date: Sun, 2 Sep 2001 03:18:21 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

Recently I have tried to enhance security for my FreeBSD box, and I feel
I lack general security knowledge and a concept of the manner of attacks.
Where can I find in-depth information about this?

edwin chen