From owner-freebsd-security@FreeBSD.ORG Sun Aug 3 05:42:18 2003
From: michael
To: freebsd-security@freebsd.org
Date: Sun, 03 Aug 2003 14:41:32 +0200 (CEST)
Message-ID: <1059914492.3f2d02fc3de14@mx5.internett.de>
Subject: ipfw or ipf w/stateful behavior

Hi,

first I must tell you that my English is not the best; I have learned my English from manpages and documentation. Please excuse this.

I have set up a box with FreeBSD 4.7-RELEASE for connecting to the w3 through a DSL/ATM connection. Now, I know the stateful handling of firewall rules under Linux with iptables. Secondly, I have understood that FreeBSD comes with the netfilter extensions. Now I have made all rules with the setup/established or keep-state flags (ipfw) and my FTP connections are not really stateful. I think that this behavior is also so with IRC chat.
Now I want to know what I must do to get stateful behavior also for these services, without opening the high ports on the firewall, because lately I get portscans from outside over and over, and I think this is a security reason. I don't really want to open the high ports on my box.

Is there a chance by using ipf and not ipfw??

I have read the documentation and have found no hint that solves this problem; I have seen that at first ipf is much more complex to configure and has more pitfalls for making mistakes, with the IP packet description language.

Has anyone any idea how I can solve this problem without opening the high ports??

Thanks for all, best regards and have a good and funny time,

michael

From owner-freebsd-security@FreeBSD.ORG Sun Aug 3 08:20:27 2003
From: Matthew Seaman
To: michael
Cc: freebsd-security@freebsd.org
Date: Sun, 3 Aug 2003 16:20:13 +0100
Message-ID: <20030803152013.GA12709@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <1059914492.3f2d02fc3de14@mx5.internett.de>
Subject: Re: ipfw or ipf w/stateful behavior

On Sun, Aug 03, 2003 at 02:41:32PM +0200, michael wrote:
> Now I have made all rules with the setup/established or keep-state flags
> (ipfw) and my FTP connections are not really stateful. I think
> that this behavior is also so with IRC chat.
>
> Now I want to know what I must do to get stateful behavior also
> for these services, without opening the high ports on the firewall,
> because lately I get portscans from outside over and over,
> and I think this is a security reason.
>
> I don't really want to open the high ports on my box.

I take it you're trying to access a remote FTP server, not that you're hosting an FTP server at your site? Securing things for an FTP client is rather easier than for an FTP server, especially if you've got a NAT gateway in between.

The problem with FTP is that it is one of the oldest designs of any of the commonly used networking protocols, and it suffers from a number of flaws not found in more modern protocols like HTTP.
In the days when it was first designed and implemented, the concept of automatically using a packet filtering firewall to protect servers and clients really hadn't yet achieved any real credence. Consequently the designers felt free to do things like require two connections between the client and the server: one channel for data and the other for control messages. See the first part of http://www.faqs.org/rfcs/rfc959.html (1985) for a potted history of the protocol.

Traditionally the way an FTP session has been set up is:

  i) Client connects to port 21 (ftp control) on the server. This establishes the control channel, which is used throughout the session. The client side port is just an arbitrary high-numbered port as used for any outgoing connection.

 ii) Client can issue various FTP protocol commands; however, as soon as a command is sent that requires data to be returned (e.g. asking for a directory listing) or if a file has to be transferred in either direction, then the client sends a PORT command to the server, which tells the server to open up a data connection, typically from port 20 (ftp-data) on the server end, to the given port number on the client. This can happen several times during an FTP session, if more than one file is transferred.

     Under FreeBSD the client side port number will be bounded by the port numbers given in the net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast sysctls, which will usually be something like 49152 -- 65535, but see the 'restrict' command in ftp(1).

Now, this is somewhat horrifying to the modern client-side network administrators: either you've got to install a protocol aware firewall, that can detect the outgoing PORT command (with all the pitfalls that entails) and poke just the right hole in the firewall to allow the incoming data connection, or you've got to bite the bullet and let external systems make arbitrary incoming connections to the high port range of your systems.
As far as I know, there isn't an FTP protocol aware firewall implementation freely available for FreeBSD (although Checkpoint FW-1 is a commercial product that can do that sort of thing, but the closest it gets to running on FreeBSD is when it's sold as part of a Nokia firewall appliance: those have an OS called IPSO which is apparently based on FreeBSD 2.x or 3.x).

Instead, and pretty much standard nowadays, an FTP client will use passive-mode FTP. All web browsers, when told to retrieve a ftp:// URL, will automatically use passive ftp. Under FreeBSD, you can set FTP_PASSIVE_MODE in the environment and the bundled ftp(1) and fetch(1) FTP clients will then assume passive mode, or you can use the ftp(1) 'passive' command within an FTP session to toggle passive mode on or off.

In this case the sequence of events is:

  i) Client connects to port 21 on the server, as before.

 ii) Now, when it is necessary to open up the data channel, the client sends the server a PASV command, to which the server replies with a suitable port number that the client can open a connection to. This time it's the server that uses a port in the 49152..65535 range (although see the documentation of the -U option in ftpd(8) for ways to modify that), and the client end generally uses some arbitrary port as for any outgoing connection.

Here both connections are opened by the client onto the server, which is much more friendly to the client side firewall. You can just write a rule (stateful or not, as you choose) to permit outgoing connections -- either to the high range ports, or more generally to any port:

    ipfw add allow tcp from ${myip} to any 49152-65535 keep-state out xmit ${oif}

(omit the 49152-65535 part if you want to allow all outgoing connections. ${myip} is your local IP address range, and ${oif} is the outward facing ethernet interface on your firewall: e.g. fxp0, rl1)

Note that people that run FTP servers would generally prefer to use the original PORT style, rather than PASV, so that they in their turn could write nice tight firewall rules. However, as that would prevent most clients accessing their FTP archives, they pretty well have to provide PASV support.

> Is there a chance by using ipf and not ipfw??

Either ipfw(8) or ipf(8) should be able to do the job for you: functionally the two are quite similar but the configuration syntax is fairly different.

> I have read the documentation and have found no hint
> that solves this problem; I have seen that at first
> ipf is much more complex to configure and has more pitfalls
> for making mistakes, with the IP packet description language.

Stick with what suits you the best.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH
                                                      UK
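Matthew's PORT/PASV walkthrough and his outbound-only ipfw rule, worked through in Python as an added example (not code from the original thread, from FreeBSD, or from ipfw): it decodes the RFC 959 h1,h2,h3,h4,p1,p2 tuples from constructed control-channel lines, records which side opens each data connection, and applies the rule's outgoing-only policy to it, including a passive reply whose port falls outside the 49152-65535 range. The session lines, hosts and verdict strings are constructed for illustration.

```python
"""Classify FTP data channels (PORT vs PASV) against a client-side outbound-only policy."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# FreeBSD's usual net.inet.ip.portrange.hifirst/hilast values quoted in the thread.
HI_FIRST, HI_LAST = 49152, 65535

# Client -> server: "PORT h1,h2,h3,h4,p1,p2" (client offers a port for the server to connect to).
_PORT_CMD = re.compile(r"^PORT\s+(\d+(?:,\d+){5})\s*$", re.IGNORECASE)
# Server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (server offers a port).
_PASV_REPLY = re.compile(r"^227\b.*?\((\d+(?:,\d+){5})\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" (PORT) or "passive" (PASV)
    host: str        # endpoint that will accept the data connection
    port: int
    opened_by: str   # "server" or "client": which side sends the TCP SYN


def decode_hostport(tuple6: str) -> Tuple[str, int]:
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 encoding into (host, port)."""
    parts = [int(p) for p in tuple6.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed host/port tuple: {tuple6!r}")
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(p) for p in parts[:4]), port


def parse_control_line(line: str, from_client: bool) -> Optional[DataChannel]:
    """Return the data channel a control-channel line sets up, or None.

    from_client=True  -> the line was sent by the client (look for PORT)
    from_client=False -> the line was sent by the server (look for a 227 reply)
    """
    if from_client:
        m = _PORT_CMD.match(line)
        if m:
            host, port = decode_hostport(m.group(1))
            # Active mode: the server connects back to the client's high port.
            return DataChannel("active", host, port, opened_by="server")
    else:
        m = _PASV_REPLY.match(line)
        if m:
            host, port = decode_hostport(m.group(1))
            # Passive mode: the client connects out to the server's advertised port.
            return DataChannel("passive", host, port, opened_by="client")
    return None


def client_firewall_verdict(chan: DataChannel,
                            outbound_ports: Optional[Tuple[int, int]] = (HI_FIRST, HI_LAST)) -> str:
    """Apply a client-side policy shaped like the rule in the thread:

        ipfw add allow tcp from ${myip} to any [lo-hi] keep-state out xmit ${oif}

    outbound_ports=None models the same rule with the port range omitted.
    Returns "allowed", "blocked-by-port-range" or "needs-inbound-hole".
    """
    if chan.opened_by == "server":
        # Inbound SYN to the client's high port: no outbound rule ever matches it,
        # so it only works if an inbound hole is opened (the PORT-mode problem).
        return "needs-inbound-hole"
    if outbound_ports is None or outbound_ports[0] <= chan.port <= outbound_ports[1]:
        return "allowed"
    # Server advertised a data port outside the permitted range (cf. ftpd -U).
    return "blocked-by-port-range"


def walk_session(lines):
    """lines: iterable of (from_client, text). Returns [(mode, port, verdict), ...]."""
    results = []
    for from_client, text in lines:
        chan = parse_control_line(text, from_client)
        if chan:
            results.append((chan.mode, chan.port, client_firewall_verdict(chan)))
    return results


# Constructed session (not captured traffic): one active transfer, then two passive ones.
SAMPLE_SESSION = [
    (False, "220 example FTP server ready"),
    (True,  "USER anonymous"),
    (True,  "PORT 192,168,1,10,195,80"),                          # client offers 192.168.1.10:50000
    (False, "200 PORT command successful"),
    (True,  "PASV"),
    (False, "227 Entering Passive Mode (198,51,100,7,200,1)"),    # server offers port 51201
    (True,  "PASV"),
    (False, "227 Entering Passive Mode (198,51,100,7,4,1)"),      # server offers port 1025
]

if __name__ == "__main__":
    for mode, port, verdict in walk_session(SAMPLE_SESSION):
        print(f"{mode:8s} data port {port:5d} -> {verdict}")
```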
From owner-freebsd-security@FreeBSD.ORG Sun Aug 3 09:25:31 2003
From: michael
To: Matthew Seaman
Cc: freebsd-security@freebsd.org
Date: Sun, 03 Aug 2003 18:24:35 +0200 (CEST)
Message-ID: <1059927875.3f2d37432c3fa@mx5.internett.de>
In-Reply-To: <20030803152013.GA12709@happy-idiot-talk.infracaninophile.co.uk>
Subject: Re: ipfw or ipf w/stateful behavior

hello Matthew,

first, thank you for this detailed report on the FTP protocol; I think I may know that you have had to spend a lot of time, a lot of coffee, a lot of hard nights to learn this by working every day.

Well, I know all these techniques and the way the FTP protocol goes. And I also remember "the good old spirit times" where nobody really thought about stateful firewalls and peer-to(o)-peer clients like Kazaa, Gnutella, Morpheus or ICQ clients who use the https or http port.... In honor of the good old times, my eyes drop down one or two tears....

Maybe I would not really use Linux for my firewall box; I would use FreeBSD with as little third-party software as possible, like the ports. I use standard ports on most systems I set up, like rsync or webalizer and sqmgrlog, squid and thttp for reviewing the reports.

Well, back to the essentials: under Linux I can load a kernel module for masquerading FTP connections, and this allows me to close any port from outside except the ports for management or administration. This makes the firewall secure enough. Maybe under FreeBSD there is no KLD_MODULE that solves the problem with FTP or IRC. And I would not open any port unnecessarily; it would be used directly with a time-out to close it up if no data flows through the sockets.

The essential question from me is: is there with ipf a solution to solve this problem? The packets must be readable by ipf and ipf must hold a tracking table for outgoing connections which also observes, a little bit exclusively, any FTP connection or any IRC connection, with the corresponding src and dst IP.

Thank you very much, best regards and have a good and funny time,

michael

Quoting Matthew Seaman:

> On Sun, Aug 03, 2003 at 02:41:32PM +0200, michael wrote:
>
> > Now I have made all rules with the setup/established or keep-state flags
> > (ipfw) and my FTP connections are not really stateful. I think
> > that this behavior is also so with IRC chat.
> >
> > Now I want to know what I must do to get stateful behavior also
> > for these services, without opening the high ports on the firewall,
> > because lately I get portscans from outside over and over,
> > and I think this is a security reason.
> >
> > I don't really want to open the high ports on my box.
>
> I take it you're trying to access a remote FTP server, not that you're
> hosting an FTP server at your site? Securing things for an FTP client
> is rather easier than for an FTP server, especially if you've got a
> NAT gateway in between.
>
> The problem with FTP is that it is one of the oldest designs of any of
> the commonly used networking protocols, and it suffers from a number
> of flaws not found in more modern protocols like HTTP. In the days
> when it was first designed and implemented, the concept of
> automatically using a packet filtering firewall to protect servers and
> clients really hadn't yet achieved any real credence. Consequently
> the designers felt free to do things like require two connections
> between the client and the server: one channel for data and the other
> for control messages.
From owner-freebsd-security@FreeBSD.ORG Sun Aug 3 11:59:37 2003
From: Joe Warner
To: Barney Wolff
Date: Sun, 3 Aug 2003 12:59:31 -0600
References: <200308030920.45437.rootman22@comcast.net> <20030803182647.GA29997@pit.databus.com>
In-Reply-To: <20030803182647.GA29997@pit.databus.com>
Message-Id: <200308031259.31577.rootman22@comcast.net>
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: Forensics CD Toolkit for FreeBSD

On Sunday 03 August 2003 12:26 pm, Barney Wolff wrote:
> On Sun, Aug 03, 2003 at 09:20:45AM -0600, Joe Warner wrote:
> > I'd like to build a toolkit CD specifically for conducting
> > forensics on FreeBSD. I'm not talking about a bootable
> > CD but rather one that I could pop into a CD ROM drive
> > and run trusted commands like ps, netstat, ls, etc., from.
>
> 1. It would be fairly rare for the bin's from iso-2 (the bootable
> live filesystem) from a release not to work on the corresponding
> -stable.

Ok, I didn't know that, thanks.

> 2. However you should certainly be booting from the cd, for reasons
> already noted.
>
> 3. make release will enable you to create the equivalent of iso-2
> for your -stable, if you really insist.

I'll take that under consideration but don't think it will be necessary for what I'm trying to accomplish.

> 4. You should investigate The Coroner's Toolkit, available (free)
> from porcupine.org to really do forensics work. It comes from
> Dan Farmer & Wietse Venema, who need no endorsement from me.
> I've used it (on Solaris) with very gratifying results.

Yes, I've seen that all over the place from my searches on Google, but I was hesitant about going any further with that because it said it's only been tested on FreeBSD 2.2.1, 3.4, and 4.4. Do you think I can run TCT from a CD?
Thanks,

Joe

From owner-freebsd-security@FreeBSD.ORG Sun Aug 3 17:04:33 2003
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Date: Sun, 3 Aug 2003 17:04:31 -0700 (PDT)
Message-Id: <200308040004.h7404VVL030671@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

=============================================================================
FreeBSD-SA-03:08.realpath                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Single byte buffer overflow in realpath(3)

Category:       core
Module:         libc
Announced:      2003-08-03
Credits:        Janusz Niewiadomski, Wojciech Purczynski, CERT/CC
Affects:        All releases of FreeBSD up to and including 4.8-RELEASE and 5.0-RELEASE
                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
Corrected:      2003-08-03 23:46:24 UTC (RELENG_5_0)
                2003-08-03 23:43:43 UTC (RELENG_4_8)
                2003-08-03 23:44:12 UTC (RELENG_4_7)
                2003-08-03 23:44:36 UTC (RELENG_4_6)
                2003-08-03 23:44:56 UTC (RELENG_4_5)
                2003-08-03 23:45:41 UTC (RELENG_4_4)
                2003-08-03 23:46:03 UTC (RELENG_4_3)
                2003-08-03 23:47:39 UTC (RELENG_3)
FreeBSD only:   NO

I.   Background

The realpath(3) function is used to determine the canonical, absolute pathname from a given pathname which may contain extra ``/'' characters, references to ``/./'' or ``/../'', or references to symbolic links. The realpath(3) function is part of the FreeBSD Standard C Library.

II.  Problem Description

An off-by-one error exists in a portion of realpath(3) that computes the length of the resolved pathname. As a result, if the resolved path name is exactly 1024 characters long and contains at least two directory separators, the buffer passed to realpath(3) will be overwritten by a single NUL byte.

III. Impact

Applications using realpath(3) MAY be vulnerable to denial of service attacks, remote code execution, and/or privilege escalation. The impact on an individual application is highly dependent upon the source of the pathname passed to realpath, the position of the output buffer on the stack, the architecture on which the application is running, and other factors.

Within the FreeBSD base system, several applications use realpath(3). Two applications which are negatively impacted are:

(1) lukemftpd(8), an alternative FTP server: realpath(3) is used to process the MLST and MLSD commands. [lukemftpd(8) is not built or installed by default.]

(2) sftp-server(8), part of OpenSSH: realpath(3) is used to process chdir commands.

In both of the cases above, the realpath(3) vulnerability may be exploitable, leading to arbitrary code execution with the privileges of the authenticated user. This is probably only of concern on otherwise `closed' servers, e.g. servers without shell access.
At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained the following applications which appear to use realpath(3). These applications have not been audited, and may or may not be vulnerable. There may be additional applications in the FreeBSD Ports Collection that use realpath(3), particularly statically-linked applications and applications added since 4.8-RELEASE.

IV.  Workaround

There is no generally applicable workaround.

OpenSSH's sftp-server(8) may be disabled by editing /etc/ssh/sshd_config and commenting out the following line by inserting a `#' as the first character:

    Subsystem       sftp    /usr/libexec/sftp-server

lukemftpd(8) may be replaced by the default ftpd(8).

V.   Solution

1) Upgrade your vulnerable system to 4.8-STABLE or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

The following patch has been tested to apply to all FreeBSD 4.x releases and to FreeBSD 5.0-RELEASE.

    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc

b) Apply the patch.

    # cd /usr/src
    # patch < /path/to/patch

c) Recompile your operating system as described in .
NOTE WELL: Any statically linked applications that are not part of the base system (i.e. from the Ports Collection or other 3rd-party sources) must be recompiled.

All affected applications must be restarted for them to use the corrected library. Though not required, rebooting may be the easiest way to accomplish this.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_3
  src/lib/libc/stdlib/realpath.c                                  1.6.2.1
RELENG_4_3
  src/UPDATING                                             1.73.2.28.2.32
  src/lib/libc/stdlib/realpath.c                                  1.9.4.1
  src/sys/conf/newvers.sh                                  1.44.2.14.2.22
RELENG_4_4
  src/UPDATING                                             1.73.2.43.2.45
  src/lib/libc/stdlib/realpath.c                                  1.9.6.1
  src/sys/conf/newvers.sh                                  1.44.2.17.2.36
RELENG_4_5
  src/UPDATING                                             1.73.2.50.2.44
  src/lib/libc/stdlib/realpath.c                                  1.9.8.1
  src/sys/conf/newvers.sh                                  1.44.2.20.2.28
RELENG_4_6
  src/UPDATING                                             1.73.2.68.2.42
  src/lib/libc/stdlib/realpath.c                                 1.9.10.1
  src/sys/conf/newvers.sh                                  1.44.2.23.2.31
RELENG_4_7
  src/UPDATING                                             1.73.2.74.2.14
  src/lib/libc/stdlib/realpath.c                                 1.9.12.1
  src/sys/conf/newvers.sh                                  1.44.2.26.2.13
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.3
  src/lib/libc/stdlib/realpath.c                                 1.9.14.1
  src/sys/conf/newvers.sh                                   1.44.2.29.2.2
RELENG_5_0
  src/UPDATING                                                 1.229.2.14
  src/lib/libc/stdlib/realpath.c                                 1.11.2.1
  src/sys/conf/newvers.sh                                        1.48.2.9
-------------------------------------------------------------------------

VII. References

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 00:54:08 2003
From: Colin Percival
To: freebsd-security@freebsd.org
Date: Mon, 04 Aug 2003 00:54:00 -0700
Message-id: <5.0.2.1.1.20030804004417.02bcc920@popserver.sfu.ca>
In-reply-to: <200308040004.h7404VVL030671@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

At 17:04 03/08/2003 -0700, you wrote:
>V. Solution
>2) To patch your present system:
>a) Download the relevant patch...
>b) Apply the patch...
>c) Recompile your operating system...

I hesitate to suggest that people leave their systems unpatched for longer than absolutely necessary, but there *will* be binary patches available for 4.7-RELEASE and 4.8-RELEASE -- as soon as I finish building them (ETA about 17 hours).

This only applies to people who performed a binary install of FreeBSD 4.7 or 4.8 ***and have not recompiled the world locally***. Affected applications which were statically linked to the vulnerable code would still need to be recompiled.

Once the binary updates are available, FreeBSD Update (security/freebsd-update in the ports tree) will be able to fetch and install them; I'll send another email to this list after they've been built, signed, and uploaded.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 01:37:59 2003
From: Eugene Grosbein
Organization: SVZServ
To: security@freebsd.org
Date: Mon, 04 Aug 2003 16:37:22 +0800
Message-ID: <3F2E1B42.8BDE2215@grosbein.pp.ru>
References: <200308040004.h7404VVL030671@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 08:37:59 -0000

FreeBSD Security Advisories wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-03:08.realpath                                   Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Single byte buffer overflow in realpath(3)

Hi!

I do not see a fix for RELENG_4, neither in this advisory nor in the repo.
Please MFC to RELENG_4 too.

Eugene Grosbein.

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 01:50:34 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF6D937B401 for ; Mon, 4 Aug 2003 01:50:34 -0700 (PDT) Received: from mailhost.rz.uni-karlsruhe.de (mailhost.rz.uni-karlsruhe.de [129.13.64.98]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F90843F85 for ; Mon, 4 Aug 2003 01:50:33 -0700 (PDT) (envelope-from cmt@rz.uni-karlsruhe.de) Received: from rz-ewok.rz.uni-karlsruhe.de (postfix@rz-ewok.rz.uni-karlsruhe.de [129.13.80.10]) by mailhost.rz.uni-karlsruhe.de with esmtp (Exim 3.36 #1) id 19jb2z-0006tk-00 for security@freebsd.org; Mon, 04 Aug 2003 10:50:29 +0200 Received: by rz-ewok.rz.uni-karlsruhe.de (Postfix, from userid 1005) id 5E4482C17E; Mon, 4 Aug 2003 10:50:19 +0200 (CEST) Date: Mon, 4 Aug 2003 10:50:19 +0200 From: Christoph Moench-Tegeder To: security@freebsd.org Message-ID: <20030804085018.GA24017@rz-ewok.rz.uni-karlsruhe.de> References: <200308040004.h7404VVL030671@freefall.freebsd.org> <3F2E1B42.8BDE2215@grosbein.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <3F2E1B42.8BDE2215@grosbein.pp.ru> User-Agent: Mutt/1.4.1i X-PGP-Key: RSA/2048 0xB816EBBD X-PGP-Fingerprint: 89 2E 6D
05 95 B8 D7 1F 7C 1D C3 1E 95 A0 9B 5D X-GPG: supported Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 08:50:35 -0000 ## Eugene Grosbein (eugen@grosbein.pp.ru): > > Topic: Single byte buffer overflow in realpath(3) > Hi! I do not see fix for RELENG_4 not in this advisory nor in the Repo. > Please MFC to RELENG_4 too. : Affects: All releases of FreeBSD up to and including 4.8-RELEASE : and 5.0-RELEASE : FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less by accident. Regards, Christoph -- Antivirus-software is protection for people against yesterdays threats. Antivirus-software is protection for moronic users against themselves. Antivirus-software is crap. I say we kill the users and be done with it. 
-- kh@telecomplus.dk

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 02:11:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5974437B401 for ; Mon, 4 Aug 2003 02:11:24 -0700 (PDT) Received: from expresso.netweaver.net (expresso.netweaver.net [217.151.99.17]) by mx1.FreeBSD.org (Postfix) with SMTP id CBA3143FBF for ; Mon, 4 Aug 2003 02:11:22 -0700 (PDT) (envelope-from lists@chrishowells.co.uk) Received: (qmail 24990 invoked from network); 4 Aug 2003 09:03:23 -0000 Received: from unknown (HELO 213-78-117-67.friaco.onetel.net.uk) (chris@chrishowells.co.uk@213.78.117.67) by 0 with SMTP; 4 Aug 2003 09:03:23 -0000 From: Chris Howells Organization: http://chrishowells.co.uk To: security@freebsd.org Date: Mon, 4 Aug 2003 10:10:52 +0100 User-Agent: KMail/1.5.9 References: <5.0.2.1.1.20030804004417.02bcc920@popserver.sfu.ca> In-Reply-To: <5.0.2.1.1.20030804004417.02bcc920@popserver.sfu.ca> X-GPG-Fingerprint: 5863 DF82 C34D 7291 CC63 CA1B 17C2 2ED7 3379 5A2C MIME-Version: 1.0 Content-Disposition: inline Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Message-Id: <200308041010.52904.lists@chrishowells.co.uk> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 09:11:24 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Monday 04 August 2003 08:54, Colin Percival wrote:
> Affected applications which were statically linked to the vulnerable
> code would still need to be recompiled.

I'm just trying to work out which applications on my system are statically
linked or not. Is using ldd the best (well, quickest I suppose) way?:

su-2.05b# ldd `which nfsd`
ldd: /sbin/nfsd: not a dynamic executable

I'm running a server with stuff like nfs, samba, dhcpd, bind etc., and I'll
CVSup and rebuild the base system and kernel, but so far I've only been using
binary packages... need to start using ports some time I suppose.

Thanks!

- --
Cheers, Chris Howells -- chris@chrishowells.co.uk, howells@kde.org
Web: http://chrishowells.co.uk, PGP ID: 0x33795A2C
KDE/Qt/C++/PHP Developer: http://www.kde.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/LiMcF8Iu1zN5WiwRAgJFAKCSLQulunFSNSj0FIWuiVqB2+ELaQCfRzRh
YX+o58phnhzEkEARa80LkH4=
=NFhz
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 02:17:05 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 78CA737B401 for ; Mon, 4 Aug 2003 02:17:05 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 3A89743F75 for ; Mon, 4 Aug 2003 02:17:03 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 6380 invoked from network); 4 Aug 2003 09:08:40 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 4 Aug 2003 09:08:40 -0000 Received: (qmail 75528 invoked by uid 1000); 4 Aug 2003 09:18:01 -0000 Date: Mon, 4 Aug 2003 12:18:00 +0300 From: Peter Pentchev To: Chris Howells Message-ID: <20030804091800.GN349@straylight.oblivion.bg> Mail-Followup-To: Chris Howells , security@freebsd.org References: <5.0.2.1.1.20030804004417.02bcc920@popserver.sfu.ca> <200308041010.52904.lists@chrishowells.co.uk> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="SkvwRMAIpAhPCcCJ" Content-Disposition: inline In-Reply-To:
<200308041010.52904.lists@chrishowells.co.uk> User-Agent: Mutt/1.5.4i cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 09:17:05 -0000 --SkvwRMAIpAhPCcCJ Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Mon, Aug 04, 2003 at 10:10:52AM +0100, Chris Howells wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> On Monday 04 August 2003 08:54, Colin Percival wrote:
> > Affected applications which were statically linked to the vulnerable
> > code would still need to be recompiled.
>
> I'm just trying to work out which applications on my system are statically
> linked or not. Is using ldd the best (well, quickest I suppose) way?:
>
> su-2.05b# ldd `which nfsd`
> ldd: /sbin/nfsd: not a dynamic executable

file(1) might be quicker:

[roam@straylight ~]> file /sbin/nfsd
/sbin/nfsd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, stripped
[roam@straylight ~]> file /usr/bin/file
/usr/bin/file: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, dynamically linked (uses shared libs), stripped

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.
--SkvwRMAIpAhPCcCJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/LiTI7Ri2jRYZRVMRAgMsAJ492Io2lpYN7xWYvl/Ou0mIf60YSQCfefIC mWwbOAa1ZWtuo8+faeB/qaI= =PSJt -----END PGP SIGNATURE----- --SkvwRMAIpAhPCcCJ-- From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 02:36:20 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B1DC37B401 for ; Mon, 4 Aug 2003 02:36:20 -0700 (PDT) Received: from pd6mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2080F43F75 for ; Mon, 4 Aug 2003 02:36:19 -0700 (PDT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from pd5mr3so.prod.shaw.ca (pd5mr3so-qfe3.prod.shaw.ca [10.0.141.144]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJ300JJC8I82Z@l-daemon> for security@freebsd.org; Mon, 04 Aug 2003 03:18:08 -0600 (MDT) Received: from pn2ml7so.prod.shaw.ca (pn2ml7so-qfe0.prod.shaw.ca [10.0.121.151]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJ300FZP8I8OS@l-daemon> for security@freebsd.org; Mon, 04 Aug 2003 03:18:08 -0600 (MDT) Received: from piii600.wadham.ox.ac.uk (h24-87-233-42.vc.shawcable.net [24.87.233.42]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJ300J408I7HC@l-daemon> for security@freebsd.org; Mon, 04 Aug 2003 03:18:08 -0600 (MDT) Date: Mon, 04 Aug 2003 02:17:57 -0700 From: Colin Percival In-reply-to: <200308041010.52904.lists@chrishowells.co.uk> X-Sender: cperciva@popserver.sfu.ca To: Chris Howells , security@freebsd.org Message-id: <5.0.2.1.1.20030804021401.02bce1f0@popserver.sfu.ca> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Content-type: text/plain; charset=us-ascii; format=flowed 
Content-transfer-encoding: 7BIT References: <5.0.2.1.1.20030804004417.02bcc920@popserver.sfu.ca> <5.0.2.1.1.20030804004417.02bcc920@popserver.sfu.ca> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 09:36:20 -0000 At 10:10 04/08/2003 +0100, Chris Howells wrote: >On Monday 04 August 2003 08:54, Colin Percival wrote: > > Affected applications which were statically linked to the vulnerable > > code would still need to be recompiled. > >I'm just trying to work out which applications on my system are statically >linked or not. I'm sure someone else can offer better s >su-2.05b# ldd `which nfsd` >ldd: /sbin/nfsd: not a dynamic executable > >I running a server with stuff like nfs, samba, dhcpd, bind etc, and I'll CVSup >and rebuild the bast system and kernel, but so far I've only been using >binary packages... need to start using ports some time I suppose. 
From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 02:36:20 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D844F37B401 for ; Mon, 4 Aug 2003 02:36:20 -0700 (PDT) Received: from pd6mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 301B743F75 for ; Mon, 4 Aug 2003 02:36:20 -0700 (PDT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from pd3mr3so.prod.shaw.ca (pd3mr3so-ser.prod.shaw.ca [10.0.141.179])2003)) with ESMTP id <0HJ300JOF8OG2Z@l-daemon> for security@freebsd.org; Mon, 04 Aug 2003 03:21:52 -0600 (MDT) Received: from pn2ml8so.prod.shaw.ca (pn2ml8so-qfe0.prod.shaw.ca [10.0.121.152]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJ300E578OGKS@l-daemon> for security@freebsd.org; Mon, 04 Aug 2003 03:21:52 -0600 (MDT) Received: from piii600.wadham.ox.ac.uk (h24-87-233-42.vc.shawcable.net [24.87.233.42]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJ300L4Z8OF9U@l-daemon> for security@freebsd.org; Mon, 04 Aug 2003 03:21:52 -0600 (MDT) Date: Mon, 04 Aug 2003 02:21:39 -0700 From: Colin Percival X-Sender: cperciva@popserver.sfu.ca To: Chris Howells , security@freebsd.org Message-id: <5.0.2.1.1.20030804021904.02c64f10@popserver.sfu.ca> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 09:36:21 -0000 [My keyboard got stuck with the control key down, so I think a partially written copy of 
this got sent a moment ago; please disregard it.] At 10:10 04/08/2003 +0100, Chris Howells wrote: >On Monday 04 August 2003 08:54, Colin Percival wrote: > > Affected applications which were statically linked to the vulnerable > > code would still need to be recompiled. > >I'm just trying to work out which applications on my system are statically >linked or not. I'm sure someone else can offer better suggestions, but I'm just doing the following: $ sh -c 'find / -type f -perm +111 | while read x; do file $x; done | grep "statically linked" | cut -f 1 -d ":"' Colin Percival From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 03:11:37 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 91D7537B401 for ; Mon, 4 Aug 2003 03:11:37 -0700 (PDT) Received: from cirb503493.alcatel.com.au (c211-28-27-130.belrs2.nsw.optusnet.com.au [211.28.27.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 832C543F75 for ; Mon, 4 Aug 2003 03:11:34 -0700 (PDT) (envelope-from PeterJeremy@optushome.com.au) Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])h74ABWgh052109 for ; Mon, 4 Aug 2003 20:11:32 +1000 (EST) (envelope-from jeremyp@cirb503493.alcatel.com.au) Received: (from jeremyp@localhost) by cirb503493.alcatel.com.au (8.12.8/8.12.8/Submit) id h74ABVF5052108 for FreeBSD-Security@freebsd.org; Mon, 4 Aug 2003 20:11:31 +1000 (EST) Date: Mon, 4 Aug 2003 20:11:30 +1000 From: Peter Jeremy To: FreeBSD Security Message-ID: <20030804101130.GA51954@cirb503493.alcatel.com.au> References: <200308040004.h7404VVL030671@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200308040004.h7404VVL030671@freefall.freebsd.org> User-Agent: Mutt/1.4.1i Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list 
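The question Chris Howells asked, and the file(1)-based answers from Peter Pentchev and Colin Percival above, turn into the following script. It is an added example, not code from anyone in this thread: it classifies file(1) output the same way those replies do, and additionally maps every statically linked executable back to the package that installed it by reading the +CONTENTS packing lists under /var/db/pkg directly instead of running pkg_info once per package. The +CONTENTS layout (an "@cwd DIR" directive followed by relative paths, other "@" directives carrying no file) is assumed from the FreeBSD 4.x pkg_* tools, the package database path is a parameter, and the sample packing list in the comments is constructed.

```shell
#!/bin/sh
# Added example: find statically linked executables and the packages that
# own them, so they can be rebuilt after a libc fix such as SA-03:08.

# Classify one line of file(1) output: static, dynamic or other.
classify_file_output() {
    case "$1" in
        *"statically linked"*)  echo static ;;
        *"dynamically linked"*) echo dynamic ;;
        *)                      echo other ;;
    esac
}

# Classify an on-disk file by running file(1) on it (-b: no filename prefix).
classify_exe() {
    classify_file_output "$(file -b "$1" 2>/dev/null)"
}

# Expand a +CONTENTS packing list (stdin) into the absolute paths it installs.
# Assumed format: "@cwd DIR" sets the prefix for the relative paths that follow;
# other "@" directives (@name, @comment, @exec, ...) carry no file and are skipped.
# Constructed sample:  @cwd /usr/local / bin/foo / @cwd / / sbin/bar
#   yields            /usr/local/bin/foo and /sbin/bar
contents_paths() {
    cwd=/
    while IFS= read -r line; do
        case "$line" in
            '@cwd '*) cwd=${line#@cwd } ;;
            @*|'')    ;;
            *)        printf '%s/%s\n' "${cwd%/}" "$line" ;;
        esac
    done
}

# Walk a package database (default /var/db/pkg) and print "package<TAB>file"
# for every statically linked executable a package installed.
static_in_packages() {
    pkgdb=${1:-/var/db/pkg}
    for dir in "$pkgdb"/*/; do
        [ -f "$dir+CONTENTS" ] || continue
        pkg=${dir%/}; pkg=${pkg##*/}
        contents_paths < "$dir+CONTENTS" | while IFS= read -r f; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            [ "$(classify_exe "$f")" = static ] && printf '%s\t%s\n' "$pkg" "$f"
        done
    done
}

# Base-system binaries are not in the package database; scan a tree instead,
# e.g.  find_static /bin /sbin /usr/bin /usr/sbin /usr/libexec
find_static() {
    find "$@" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
        [ "$(classify_exe "$f")" = static ] && printf '%s\n' "$f"
    done
}

# Run the package audit only when given a database path, e.g.
#   sh static-audit.sh /var/db/pkg
if [ "$#" -gt 0 ]; then
    static_in_packages "$1"
fi
```

Both lists are worth running: the package audit tells you which ports to rebuild, and the tree scan tells you which base-system binaries (the nfsd that Chris tested is one) are replaced by the buildworld rather than by a port rebuild.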
List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 10:11:37 -0000 On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote: >Affects: All releases of FreeBSD up to and including 4.8-RELEASE > and 5.0-RELEASE > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC ... >V. Solution > >1) Upgrade your vulnerable system to 4.8-STABLE >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches >dated after the respective correction dates. I found the reference to RELENG_5_1 in the "Solutions" section but no reference to 5.1-RELEASE in the "Affects" section somewhat confusing. This is compounded by the failure to mention RELENG_5_0 in the "Solutions" section. I gather that 5.1-RELEASE is not vulnerable due to the realpath() rewrite in 1.14. May I suggest that in future, when a release is not vulnerable due to code rewrites or similar, this fact be explicitly mentioned. IMHO, it's far better to err on the side of caution when dealing with security issues. 
Peter

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 06:05:57 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EC47537B404 for ; Mon, 4 Aug 2003 06:05:57 -0700 (PDT) Received: from smtp.melim.com.br (smtp.melim.com.br [200.215.110.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1348B43FDD for ; Mon, 4 Aug 2003 06:05:57 -0700 (PDT) (envelope-from ronan@melim.com.br) Received: from fazendinha (ressacada.melim.com.br [200.180.44.4]) by smtp.melim.com.br (Postfix) with ESMTP id 4FB06FDB5; Mon, 4 Aug 2003 10:05:52 -0300 (EST) Message-ID: <014201c35a89$6a20a6d0$3aa8a8c0@melim.com.br> From: "Ronan Lucio" To: "Jan Lentfer" References: <00a001c35875$5432f730$3aa8a8c0@melim.com.br> <1059808321.3f2b6441bbaa5@www-mail.lan> Date: Mon, 4 Aug 2003 10:07:53 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 cc: security@freebsd.org Subject: Re: FTP X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 13:05:58 -0000

Jan,

> What ftp server are you using? If I remember right ProFTPd allows you to define
> what passive ports to use, eg. 50000-50100 or something like that. Then you only
> open up those ports you defined in proftpd.conf in the firewall.
> Or did you mean outgoing ftp traffic?

My main problem is an Internet gateway that provides Internet access for a
building where the clients need to access FTP servers on other hosts.

For example: We provide Internet access for a building. If the clients of
this network need to access the FreeBSD FTP server, Yahoo, etc., I'm
permitting ports from 1025 to 65535 to make it possible.

Is it right?

Thanks,
Ronan

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 07:59:16 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C10637B401 for ; Mon, 4 Aug 2003 07:59:16 -0700 (PDT) Received: from munk.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id A068C43FCB for ; Mon, 4 Aug 2003 07:59:14 -0700 (PDT) (envelope-from munk@munk.nu) Received: from munk by munk.nu with local (Exim 4.20) id 19jgnp-000ANW-Lf for security@freebsd.org; Mon, 04 Aug 2003 15:59:13 +0100 Date: Mon, 4 Aug 2003 15:59:13 +0100 From: Jez Hancock To: security@freebsd.org Message-ID: <20030804145913.GA39691@users.munk.nu> Mail-Followup-To: security@freebsd.org References: <5.0.2.1.1.20030804004417.02bcc920@popserver.sfu.ca> <200308041010.52904.lists@chrishowells.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200308041010.52904.lists@chrishowells.co.uk> User-Agent: Mutt/1.4.1i Sender: User Munk Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 14:59:16 -0000

On Mon, Aug 04, 2003 at 10:10:52AM +0100, Chris Howells wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> On Monday 04 August 2003 08:54, Colin Percival wrote:
> > Affected applications which were statically linked to the vulnerable
> > code would still need to be recompiled.
>
> I'm just trying to work out which applications on my system are statically
> linked or not.
> Is using ldd the best (well, quickest I suppose) way?:

I've just used this:

    #!/bin/sh
    # List installed packages (FreeBSD 4.x pkg_* tools) that contain
    # statically linked executables; those must be rebuilt after the libc fix.
    cd /var/db/pkg || exit 1
    for port in *; do
        # pkg_info -L prints a header, then one installed file per line
        pkg_info -L "$port" | grep '^/' | while read file; do
            if [ -x "$file" ] && file "$file" | grep -q "statically linked"; then
                echo "$port contains statically linked files ($file)"
                break
            fi
        done
    done

seems to do the trick ok :)

--
Jez
http://www.munk.nu/

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 08:04:14 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 189F137B43D for ; Mon, 4 Aug 2003 08:04:14 -0700 (PDT) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by mx1.FreeBSD.org (Postfix) with ESMTP id C218743F85 for ; Mon, 4 Aug 2003 08:04:12 -0700 (PDT) (envelope-from fgleiser@cactus.fi.uba.ar) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.12.3/8.12.3) with ESMTP id h74F0meA059510; Mon, 4 Aug 2003 12:00:48 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar) Date: Mon, 4 Aug 2003 12:00:48 -0300 (ART) From: Fernando Gleiser To: michael In-Reply-To: <1059927875.3f2d37432c3fa@mx5.internett.de> Message-ID: <20030804115302.J59403-100000@cactus.fi.uba.ar> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Status: No, hits=-120.1 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, QUOTE_TWICE_1,REPLY_WITH_QUOTES,USER_IN_WHITELIST version=2.53 X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp) cc: freebsd-security@freebsd.org Subject: Re: ipfw or ipf w/stateful behavior X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 15:04:14 -0000

On Sun, 3 Aug 2003, michael wrote:
>
> well, back to the essentials:
>
> Under Linux I can load a kernel module for masquerading FTP connections, and
> this allows me to close any port from outside except the ports for
> management or administration. This makes the firewall secure enough.

With ipf/ipnat there's a built-in FTP proxy; just add

    map xl0 192.168.0.0/24 -> proxy port ftp ftp/tcp

to the top of your ipnat.rules file. Change the IPs and interface to meet
your setup.

>
> Maybe under FreeBSD there is no KLD module that solves the problem with FTP or
> IRC.

The above line is ipf's equivalent of the Linux module.

Fer

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 09:32:42 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A515037B407 for ; Mon, 4 Aug 2003 09:32:42 -0700 (PDT) Received: from hysteria.spc.org (hysteria.spc.org [195.206.69.234]) by mx1.FreeBSD.org (Postfix) with SMTP id E060F43FA3 for ; Mon, 4 Aug 2003 09:32:40 -0700 (PDT) (envelope-from bms@hysteria.spc.org) Received: (qmail 29735 invoked by uid 5013); 4 Aug 2003 16:30:06 -0000 Date: Mon, 4 Aug 2003 17:30:06 +0100 From: Bruce M Simpson To: Joe Warner Message-ID: <20030804163006.GA5186@spc.org> Mail-Followup-To: Bruce M Simpson , Joe Warner , Barney Wolff , freebsd-security@freebsd.org, freebsd-stable@freebsd.org References: <200308030920.45437.rootman22@comcast.net> <20030803182647.GA29997@pit.databus.com> <200308031259.31577.rootman22@comcast.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200308031259.31577.rootman22@comcast.net> User-Agent: Mutt/1.4.1i Organization: SPC cc: Barney Wolff cc: freebsd-security@freebsd.org cc: freebsd-stable@freebsd.org Subject: Re: Forensics CD Toolkit for FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: ,
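Both michael's question (stateful FTP through the FreeBSD gateway without opening the high ports) and Ronan Lucio's (a gateway whose clients reach outside FTP servers, currently by passing 1025-65535) are answered by the same ipf/ipnat configuration that Fernando's one-line rule belongs in. The following is an added example, not configuration from anyone in the thread: the outside interface xl0 and the 192.168.0.0/24 LAN are taken from Fernando's rule, the 22/tcp management port, the 40000:60000 portmap range and the remaining rule syntax are assumptions of this example.

```conf
# /etc/ipnat.rules  (added example; xl0 = outside interface, LAN = 192.168.0.0/24)
# ipnat takes the first matching map rule, so the FTP proxy must come before the
# generic rules.  The proxy follows the PORT/PASV exchange on each control
# connection and sets up that one data connection on demand, so no fixed range
# of high ports is ever opened from outside.
map xl0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
# Everything else: NAT with source-port remapping, then a catch-all for non-TCP/UDP.
map xl0 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
map xl0 192.168.0.0/24 -> 0/32

# /etc/ipf.rules
# Outbound sessions are allowed and tracked; the state entry admits the replies,
# so no "pass in ... port > 1023" rule is needed for the return traffic.
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
# Inbound on the outside interface: only the management service (port assumed),
# also stateful, and everything else is dropped and logged.
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state
block in log quick on xl0 all
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, then start an FTP transfer from a LAN client and run `ipnat -l`: the data connection should show up as a proxy-created mapping, which is the check that the high-port range really is closed rather than silently relied upon.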
On Sun, Aug 03, 2003 at 12:59:31PM -0600, Joe Warner wrote:
> Yes, I've seen that all over the place from my searches on Google but I
> was hesitant about going any further with that because it said it's only
> been tested on FreeBSD 2.2.1, 3.4, and 4.4

A lot of the code in TCT is fairly portable. I remember TCT well from
using it on Solaris at a certain investment bank.

> Do you think I can run TCT from a CD?

Most of TCT depends on libc functions, I see no problem with running TCT
from CD if it's compiled and linked correctly for this purpose. You may
even wish to try compiling the tools as standalone binaries so that they
can be placed on smaller boot media.

BMS

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 10:42:09 2003
Date: 04 Aug 2003 12:42:07 -0500
From: Benjamin Lewis
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-Id: <1060018927.21860.12.camel@cassandra.itsp.purdue.edu>
In-Reply-To: <200308040004.h7404VVL030671@freefall.freebsd.org>

On Sun, 2003-08-03 at 19:04, FreeBSD Security Advisories wrote:
> 2) To patch your present system:
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility. The following patch
> has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
> 5.0-RELEASE.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch

Is it just me or is the patch referenced above wrong? I followed the
instructions above but the patch failed:

##### snip ######
# cd /usr/src-all/current/src    # Where my "/usr/src" lives
# patch < /tmp/realpath.patch
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libc/stdlib/realpath.c
|===================================================================
|RCS file: /home/ncvs/src/lib/libc/stdlib/realpath.c,v
|retrieving revision 1.9
|diff -c -c -r1.9 realpath.c
|*** lib/libc/stdlib/realpath.c 27 Jan 2000 23:06:50 -0000 1.9
|--- lib/libc/stdlib/realpath.c 3 Aug 2003 17:21:20 -0000
--------------------------
Patching file lib/libc/stdlib/realpath.c using Plan A...
Hunk #1 failed at 138.
1 out of 1 hunks failed--saving rejects to lib/libc/stdlib/realpath.c.rej
done
##### snip ######

realpath.c.rej contains the entire patch:

##### snip ######
***************
*** 138,144 ****
  rootd = 0;
  if (*wbuf) {
!   if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
      errno = ENAMETOOLONG;
      goto err1;
    }
--- 138,145 ----
  rootd = 0;
  if (*wbuf) {
!   if (strlen(resolved) + strlen(wbuf) + (1-rootd) + 1 >
!       MAXPATHLEN) {
      errno = ENAMETOOLONG;
      goto err1;
    }
##### snip ######

I wasn't really surprised that it failed since it looks like it should
apply to crypto/openssh/openbsd-compat/realpath.c rather than
lib/libc/stdlib/realpath.c. I assume (from the CVS logs) that cvsup
has taken care of the libc version for me.

Does the openssh file need to be patched too?

-Ben

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 14:00:19 2003
Date: Mon, 4 Aug 2003 16:00:17 -0500
From: "Jacques A. Vidrine"
To: Eugene Grosbein, Christoph Moench-Tegeder, Peter Jeremy
Message-ID: <20030804210016.GB10339@madman.celabo.org>
In-Reply-To: <20030804101130.GA51954@cirb503493.alcatel.com.au> <20030804085018.GA24017@rz-ewok.rz.uni-karlsruhe.de> <3F2E1B42.8BDE2215@grosbein.pp.ru>
cc: FreeBSD Security, security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

On Mon, Aug 04, 2003 at 04:37:22PM +0800, Eugene Grosbein wrote:
> FreeBSD Security Advisories wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > =============================================================================
> > FreeBSD-SA-03:08.realpath                                   Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          Single byte buffer overflow in realpath(3)
>
> Hi! I do not see a fix for RELENG_4, neither in this advisory nor in the Repo.
> Please MFC to RELENG_4 too.

RELENG_4 does not currently suffer from the bug, because it has a
different realpath implementation.

On Mon, Aug 04, 2003 at 10:50:19AM +0200, Christoph Moench-Tegeder wrote:
> : Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
> :                 and 5.0-RELEASE
> :                 FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
>                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less
> by accident.

Right, that was a new realpath implementation from -CURRENT.

On Mon, Aug 04, 2003 at 08:11:30PM +1000, Peter Jeremy wrote:
> On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> >Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
> >                and 5.0-RELEASE
> >                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> ...
> >V.   Solution
> >
> >1) Upgrade your vulnerable system to 4.8-STABLE
> >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> >dated after the respective correction dates.
>
> I found the reference to RELENG_5_1 in the "Solutions" section but no
> reference to 5.1-RELEASE in the "Affects" section somewhat confusing.

I don't understand how to be more clear. 5.1-RELEASE is not affected,
so of course it is not listed in `Affects'.

> This is compounded by the failure to mention RELENG_5_0 in the
> "Solutions" section.

RELENG_5_1, RELENG_4_8, and RELENG_4_7 are the currently supported
security branches, so that is why they are listed in the `Solution'
section. RELENG_5_0 is not a currently supported security branch, and
I would not recommend that anyone upgrade to an old security branch.
Please see the table at http://www.freebsd.org/security/ or my
announcement in this forum dated July 14.

> I gather that 5.1-RELEASE is not vulnerable due
> to the realpath() rewrite in 1.14.

That's correct, 5.1-RELEASE is not vulnerable, which is why it is not
listed in the `Affects' section.

> May I suggest that in future, when a release is not vulnerable due to
> code rewrites or similar, this fact be explicitly mentioned. IMHO,
> it's far better to err on the side of caution when dealing with
> security issues.

Thank you for the suggestion. Would you care to post _exactly_ what
wording you think would be better? I cannot think of a way to do so
without being redundant or misleading. I have no desire to add a
``Not affected:'' line. Especially at times when we have two -STABLE
branches (as we will soon for 4.x and 5.x), it will be common that
there is a bug in one release but not another higher-numbered one.

I think that if one takes the `Affects' lines (and the rest of the
advisory) at face value, without second-guessing, that it is crystal
clear what versions of FreeBSD are affected. But of course I would :-)

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 14:06:51 2003
Date: Mon, 4 Aug 2003 16:06:49 -0500
From: "Jacques A. Vidrine"
To: Benjamin Lewis
Message-ID: <20030804210649.GC10339@madman.celabo.org>
In-Reply-To: <1060018927.21860.12.camel@cassandra.itsp.purdue.edu>
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

On Mon, Aug 04, 2003 at 12:42:07PM -0500, Benjamin Lewis wrote:
> Is it just me or is the patch referenced above wrong? I followed the
> instructions above but the patch failed:
>
> ##### snip ######
> # cd /usr/src-all/current/src    # Where my "/usr/src" lives

-CURRENT is unaffected. The patch does not apply to -CURRENT.

[...]
> I wasn't really surprised that it failed since it looks like it should
> apply to crypto/openssh/openbsd-compat/realpath.c rather than
> lib/libc/stdlib/realpath.c. I assume (from the CVS logs) that cvsup
> has taken care of the libc version for me.

Yes, sometime after March 29 of this year.

> Does the openssh file need to be patched too?

No, it is not used.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 14:17:39 2003
Date: Mon, 4 Aug 2003 23:17:18 +0200
From: "Troels Holm"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-ID: <009d01c35acd$c9585230$0201a8c0@THXP>
References: <200308040004.h7404VVL030671@freefall.freebsd.org> <1060018927.21860.12.camel@cassandra.itsp.purdue.edu> <20030804210649.GC10339@madman.celabo.org>

Jacques A. Vidrine wrote:
>> Does the openssh file need to be patched too?
>
> No, it is not used.

But it states in the advisory that "sftp-server" is negatively
impacted.... And it's a part of OpenSSH.
Or did I get you wrong?
--
Troels Holm

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 14:32:05 2003
Date: Mon, 4 Aug 2003 16:32:03 -0500
From: "Jacques A. Vidrine"
To: Troels Holm
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-ID: <20030804213203.GE10339@madman.celabo.org>
In-Reply-To: <009d01c35acd$c9585230$0201a8c0@THXP>

On Mon, Aug 04, 2003 at 11:17:18PM +0200, Troels Holm wrote:
> Jacques A. Vidrine wrote:
> >> Does the openssh file need to be patched too?
> >
> > No, it is not used.
>
> But it states in the advisory that "sftp-server" is negatively
> impacted.... And it's a part of OpenSSH.
> Or did I get you wrong?

The realpath.c that is distributed with OpenSSH-portable and found in
our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is
not used.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 14:46:18 2003
Date: 04 Aug 2003 17:46:10 -0400
From: Lowell Gilbert
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-ID: <44smohjdul.fsf@be-well.ilk.org>
In-Reply-To: <20030804210016.GB10339@madman.celabo.org>

"Jacques A. Vidrine" writes:
> Thank you for the suggestion. Would you care to post _exactly_ what
> wording you think would be better? I cannot think of a way to do so
> without being redundant or misleading. I have no desire to add a
> ``Not affected:'' line. Especially at times when we have two -STABLE
> branches (as we will soon for 4.x and 5.x), it will be common that
> there is a bug in one release but not another higher-numbered one.

I suppose you could include the file versions for which the bug no
longer affected -STABLE. It's not always easy to determine, but it
certainly was in this case. It only took me 5 minutes to work it out
on my own, so I'm not convinced of the value, but I suppose it meets
what some others were asking for, and I don't *think* it makes the
advisory more confusing.
From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 15:10:35 2003
Date: Tue, 5 Aug 2003 00:10:14 +0200
From: "Troels Holm"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-ID: <010701c35ad5$2e76d720$0201a8c0@THXP>
References: <20030804210649.GC10339@madman.celabo.org> <009d01c35acd$c9585230$0201a8c0@THXP> <20030804213203.GE10339@madman.celabo.org>

Jacques A. Vidrine wrote:
> The realpath.c that is distributed with OpenSSH-portable and found in
> our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is
> not used.

Just for the record :=)
What you say is that the advisory is in error and my "sftp-server" is _not_
affected? Or are you just saying that sftp isn't using the realpath.c from
OpenSSH?

Thanks,
--
Troels Holm

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 15:20:25 2003
Date: Mon, 4 Aug 2003 17:20:23 -0500
From: "Jacques A. Vidrine"
To: Troels Holm
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-ID: <20030804222023.GB11083@madman.celabo.org>
In-Reply-To: <010701c35ad5$2e76d720$0201a8c0@THXP>

On Tue, Aug 05, 2003 at 12:10:14AM +0200, Troels Holm wrote:
> Jacques A. Vidrine wrote:
> > The realpath.c that is distributed with OpenSSH-portable and found in
> > our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is
> > not used.
>
> Just for the record :=)
> What you say is that the advisory is in error and my "sftp-server" is _not_
> affected? Or are you just saying that sftp isn't using the realpath.c from
> OpenSSH?

The latter. sftp-server *is* affected, just as it says in the advisory.
But OpenSSH as bundled with FreeBSD uses realpath(3) from libc, not from
src/crypto/openssh/openbsd-compat/realpath.c, and so (in answer to the
question by a previous poster) that file does not need patching.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 15:35:13 2003
Date: Mon, 4 Aug 2003 17:35:11 -0500
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Message-ID: <20030804223511.GC11083@madman.celabo.org>
In-Reply-To: <200308040004.h7404VVL030671@freefall.freebsd.org>
Subject: IMPORTANT FOR lukemftpd USERS (was Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath)

On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
> process the MLST and MLSD commands. [lukemftpd(8) is not built or
> installed by default.]
[...]
> the realpath(3) vulnerability may be
> exploitable, leading to arbitrary code execution with the privileges
> of the authenticated user. This is probably only of concern on
> otherwise `closed' servers, e.g. servers without shell access.
[...]

I have a correction to make regarding the above text. In the case of
lukemftpd (and lukemftpd only), in some situations the vulnerability
may be used to execute code with _superuser privileges_.

If lukemftpd is NOT invoked with `-r', then it does NOT completely
drop privileges when a user logs in. Thus, a successful exploit will
be able to regain superuser privileges.

Conversely, if lukemftpd IS invoked with `-r', then the original
advisory text above applies.

The example usage for lukemftpd that was in /etc/inetd.conf prior to
5.1-RELEASE included the `-r' flag, but there is no longer an example
in 5.1-RELEASE. I don't think there was ever an example entry for 4.x.

I would normally immediately publish a revised advisory with this
additional information, however lukemftpd is neither built nor
installed by default. Since that is the case, I will probably wait a
few days before revision in case further useful information comes to
light.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 16:01:41 2003
Date: Mon, 04 Aug 2003 16:01:34 -0700
From: Colin Percival
To: freebsd-security@freebsd.org
cc: "Jacques A. Vidrine"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-id: <5.0.2.1.1.20030804044235.02bce1f0@popserver.sfu.ca>
In-reply-to: <5.0.2.1.1.20030804004417.02bcc920@popserver.sfu.ca>
References: <200308040004.h7404VVL030671@freefall.freebsd.org>

At 00:54 04/08/2003 -0700, I wrote:
> Once the binary updates are available, FreeBSD Update
>(security/freebsd-update in the ports tree) will be able to fetch and
>install them; I'll send another email to this list after they've been
>built, signed, and uploaded.

Binary patches can now be installed via FreeBSD Update for any systems
with a binary install of 4.7-RELEASE or 4.8-RELEASE which have not had
any system binaries rebuilt or replaced locally (except by FreeBSD
Update). With a recent copy of the ports tree:

1. cd /usr/ports/security/freebsd-update/ && make all install
2. cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
3. /usr/local/sbin/freebsd-update fetch
4. /usr/local/sbin/freebsd-update install

In FreeBSD 4.7, the following binaries were affected by this security
advisory:

/bin/mv
/bin/pwd
/bin/realpath
/sbin/kldconfig
/sbin/mount
/sbin/mount_cd9660
/sbin/mount_ext2fs
/sbin/mount_fdesc
/sbin/mount_kernfs
/sbin/mount_linprocfs
/sbin/mount_mfs
/sbin/mount_msdos
/sbin/mount_nfs
/sbin/mount_ntfs
/sbin/mount_null
/sbin/mount_nwfs
/sbin/mount_portal
/sbin/mount_procfs
/sbin/mount_smbfs
/sbin/mount_std
/sbin/mount_umap
/sbin/mount_union
/sbin/mountd
/sbin/newfs
/sbin/umount
/usr/bin/make
/usr/lib/libc.a
/usr/lib/libc.so.4
/usr/lib/libc_p.a
/usr/lib/libc_pic.a
/usr/lib/libc_r.a
/usr/lib/libc_r.so.4
/usr/lib/libc_r_p.a
/usr/libexec/lukemftpd
/usr/libexec/sftp-server
/usr/sbin/config
/usr/sbin/pkg_add
/usr/sbin/sshd

In FreeBSD 4.8, the same binaries were affected, with the exception of
/sbin/mount_kernfs (no longer installed), /usr/bin/make (no longer uses
realpath), and /usr/libexec/lukemftpd (no longer installed).

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 16:13:23 2003
Date: Mon, 4 Aug 2003 18:13:22 -0500
From: "Jacques A. Vidrine"
Vidrine" To: freebsd-security@FreeBSD.org Message-ID: <20030804231322.GA11458@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@FreeBSD.org References: <200308040004.h7404VVL030671@freefall.freebsd.org> <20030804223511.GC11083@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030804223511.GC11083@madman.celabo.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 Subject: Re: IMPORTANT FOR lukemftpd USERS (was Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 23:13:24 -0000 On Mon, Aug 04, 2003 at 05:35:11PM -0500, Jacques A. Vidrine wrote: > I have a correction to make regarding the above text. In the case of > lukemftpd (and lukemftpd only), in some situations the vulnerability > may be used to execute code with _superuser privileges_. > > If lukemftpd is NOT invoked with `-r', then it does NOT completely > drop privileges when a user logs in. Thus, a successful exploit will > be able to regain superuser privileges. (By the way, it was Robert Watson who encouraged me to look at this a second time.) [...] > I would normally immediately publish a revised advisory with this > additional information, however lukemftpd is neither built nor > installed by default. Since that is the case, I will probably wait a > few days before revision in case further useful information comes to > light. Colin Percival pointed out that lukemftpd actually *did* ship with 4.7-RELEASE (!!), so I will be sending out a revision sooner rather than later. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . 
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 16:13:38 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1DCF137B416 for ; Mon, 4 Aug 2003 16:13:38 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 76CC443FA3 for ; Mon, 4 Aug 2003 16:13:37 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 57AAE1524D; Mon, 4 Aug 2003 16:13:37 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 56C6115247 for ; Mon, 4 Aug 2003 16:13:37 -0700 (PDT) Date: Mon, 4 Aug 2003 16:13:37 -0700 (PDT) From: Mike Hoskins To: security@freebsd.org In-Reply-To: <20030804210016.GB10339@madman.celabo.org> Message-ID: <20030804160226.R88481@fubar.adept.org> References: <200308040004.h7404VVL030671@freefall.freebsd.org> <20030804101130.GA51954@cirb503493.alcatel.com.au> <3F2E1B42.8BDE2215@grosbein.pp.ru> <20030804085018.GA24017@rz-ewok.rz.uni-karlsruhe.de> <3F2E1B42.8BDE2215@grosbein.pp.ru> <20030804210016.GB10339@madman.celabo.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 23:13:38 -0000 On Mon, 4 Aug 2003, Jacques A. Vidrine wrote: > > May I suggest that in future, when a release is not vulnerable due to > > code rewrites or similar, this fact be explicitly mentioned. IMHO, > > it's far better to err on the side of caution when dealing with > > security issues. That's true, but I can also see KISS. If you add more data than absolutely needed, confusion may also arise. 
I'm not defending either viewpoint (or saying that'd occur in this case), just pointing out possible motivations for the current format. > I think that if one takes the `Affects' lines (and the rest of the > advisory) at face value, without second-guessing, that it is crystal > clear what versions of FreeBSD are affected. But of course I would > :-) By now I would have hoped something as crucial as security advisories for well-accepted operating systems would be fairly standardized. Of course, some "vendor customization" is to be expected/needed, but is it flame bait to ask "What do all the big boys do?" By that, I simply mean, how are the advisories for things like Solaris, IRIX, HP-UX, etc. handled? Wouldn't it behoove everyone if advisories were as "familiar" as possible? Along those lines, I'd expect to see similar field labels, content, etc. If that's just plain silly, it wouldn't be the first time my expectations were wrong... But it does seem like fairly common sense. -mrh -- From: "Spam Catcher" To: spam-catcher@adept.org Do NOT send email to the address listed above or you will be added to a blacklist! 
From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 16:30:26 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A491A37B401 for ; Mon, 4 Aug 2003 16:30:26 -0700 (PDT) Received: from pimout4-ext.prodigy.net (pimout4-ext.prodigy.net [207.115.63.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBBD043F3F for ; Mon, 4 Aug 2003 16:30:25 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from adsl-67-121-60-9.dsl.anhm01.pacbell.net (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9])h74NUNVs150220 for ; Mon, 4 Aug 2003 19:30:24 -0400 From: Michael Collette To: FreeBSD Security Date: Mon, 4 Aug 2003 16:26:41 -0700 User-Agent: KMail/1.5.3 References: <200307301553.40385.metrol@metrol.net> In-Reply-To: <200307301553.40385.metrol@metrol.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200308041626.41760.metrol@metrol.net> Subject: Re: Kerberos to file server X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Aug 2003 23:30:26 -0000 On Wednesday 30 July 2003 03:53 pm, Michael Collette wrote: > I've got this AS/400 with gobs of unused file storage on it that I want to > share across as a file server to a FreeBSD box. The AS/400 side of things > supports NFS and kinda pretends to be a Unix like machine in this role. Since I've received a number of off list replies to this I thought I'd post some additional information about what all I've dug up. Still not working yet, but getting a little smarter about this. Sorry if this folks think this is off-topic, but as this involves both authentication and authorization to a foreign system I still believe this is applicable. 
As was pointed out to me on and off list, I can connect to the shared NFS files on the AS/400 without Kerberos. The next obvious problem (obvious to me now) is the issue of file ownership. Just getting a connection across doesn't provide any user id mapping by itself. This is where IBM's EIM (Enterprise Identity Manager) kicks in. It provides for a user name translation table so a user on one system is a user on all. In order to make use of EIM a Kerberos based authentication needs to take place. Apparently once this happens, FreeBSD users become AS/400 users in so far as file ownership goes. For those who may be interested: http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzalv/rzalvmst.htm That's all of what I've managed to dig up thus far. Here's where I'm lost. The FreeBSD Handbook has a Kerberos tutorial, but it's apparently out of date or something just ain't right. http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kerberos.html First thing it asks me to do is initialize the Kerberos database with the "kdb_init" command. I don't have a kdb_init command on this system. I then just installed the krb5 port, and it doesn't have that command either. Double checked the package list. It looks like a number of things don't match up to the tutorial. Is there some new procedure out there to configure a Kerberos enabled machine, or am I just missing some key component in a perfectly fine tutorial? Thanks, -- "In theory, there is no difference between theory and practice. In practice, there is." 
- Yogi Berra From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 21:02:20 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3395A37B401 for ; Mon, 4 Aug 2003 21:02:20 -0700 (PDT) Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 675F643FBD for ; Mon, 4 Aug 2003 21:02:19 -0700 (PDT) (envelope-from tillman@seekingfire.com) Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id 6274E38A for ; Mon, 4 Aug 2003 22:02:18 -0600 (CST) Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id h7542I912856 for FreeBSD-Security@freebsd.org; Mon, 4 Aug 2003 22:02:18 -0600 Date: Mon, 4 Aug 2003 22:02:17 -0600 From: Tillman To: FreeBSD Security Message-ID: <20030804220217.U21076@seekingfire.com> References: <200307301553.40385.metrol@metrol.net> <200308041626.41760.metrol@metrol.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200308041626.41760.metrol@metrol.net>; from metrol@metrol.net on Mon, Aug 04, 2003 at 04:26:41PM -0700 X-Urban-Legend: There is lots of hidden information in headers Subject: Re: Kerberos to file server X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 04:02:20 -0000 On Mon, Aug 04, 2003 at 04:26:41PM -0700, Michael Collette wrote: > The FreeBSD Handbook has a Kerberos tutorial, but it's apparently out of date > or something just ain't right. 
> http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kerberos.html > > First thing it asks me to do is initialize the Kerberos database with the > "kdb_init" command. I don't have a kdb_init command on this system. I then > just installed the krb5 port, and it doesn't have that command either. > Double checked the package list. > > It looks like a number of things don't match up to the tutorial. Is there > some new procedure out there to configure a Kerberos enabled machine, or am I > just missing some key component in a perfectly fine tutorial? > > Thanks, The handbook is out of date -- it cover Kerberos 4, not 5. Check out my previous posting to the questions@ list on the topic: http://www.mail-archive.com/freebsd-questions@freebsd.org/msg19447.html -T -- The correct way to punctuate a sentence that starts: "Of course it is none of my business but--" is to place a period after the word "but." Don't use excessive force in supplying such moron with a period. Cutting his throat is only a momentary pleasure and is bound to get you talked about. 
- Robert Heinlein From owner-freebsd-security@FreeBSD.ORG Mon Aug 4 23:01:34 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DD07437B401 for ; Mon, 4 Aug 2003 23:01:34 -0700 (PDT) Received: from pimout1-ext.prodigy.net (pimout1-ext.prodigy.net [207.115.63.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id EED4543FA3 for ; Mon, 4 Aug 2003 23:01:33 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from adsl-67-121-60-9.dsl.anhm01.pacbell.net (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9])h7561WIK052490 for ; Tue, 5 Aug 2003 02:01:32 -0400 From: Michael Collette To: FreeBSD Security Date: Mon, 4 Aug 2003 22:57:01 -0700 User-Agent: KMail/1.5.3 References: <200307301553.40385.metrol@metrol.net> <200308041626.41760.metrol@metrol.net> <20030804220217.U21076@seekingfire.com> In-Reply-To: <20030804220217.U21076@seekingfire.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200308042257.01280.metrol@metrol.net> Subject: Re: Kerberos to file server X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 06:01:35 -0000 On Monday 04 August 2003 09:02 pm, Tillman wrote: > On Mon, Aug 04, 2003 at 04:26:41PM -0700, Michael Collette wrote: > > The FreeBSD Handbook has a Kerberos tutorial, but it's apparently out of > > date or something just ain't right. > > http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kerberos.html > > > > First thing it asks me to do is initialize the Kerberos database with the > > "kdb_init" command. I don't have a kdb_init command on this system. I > > then just installed the krb5 port, and it doesn't have that command > > either. 
Double checked the package list. > > > > It looks like a number of things don't match up to the tutorial. Is > > there some new procedure out there to configure a Kerberos enabled > > machine, or am I just missing some key component in a perfectly fine > > tutorial? > > > > Thanks, > > The handbook is out of date -- it cover Kerberos 4, not 5. Check out my > previous posting to the questions@ list on the topic: > > http://www.mail-archive.com/freebsd-questions@freebsd.org/msg19447.html > > -T I have been looking at those docs. The part I don't get are the file paths involved, as they're very non-FreeBSD'ish. /usr/local/var?? Do I need to alter environment variables to put things into their proper places, or create the directories that it expects? I would expect config files for a port to be in /usr/local/etc/krb5 or some such. BTW, working with the MIT version now, since installing the port and all. Also got the pam_krb5 port in there as well. I think I'm about ready to really muck this thing up once I understand what all I need to do about file paths. Later on, -- "In theory, there is no difference between theory and practice. In practice, there is." 
- Yogi Berra From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 02:56:44 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8004F37B401 for ; Tue, 5 Aug 2003 02:56:44 -0700 (PDT) Received: from mail.impress.lt (server.impress.lt [193.219.5.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3198343FAF for ; Tue, 5 Aug 2003 02:56:43 -0700 (PDT) (envelope-from stakys@punktas.lt) Received: from mail.impress.lt (localhost [127.0.0.1]) by mail.impress.lt (Postfix) with SMTP id F2DAF54E6 for ; Tue, 5 Aug 2003 12:56:35 +0000 (GMT) Received: from 81.7.109.95 (SquirrelMail authenticated user stakys@punktas.lt) by mail.impress.lt with HTTP; Tue, 5 Aug 2003 12:56:36 -0000 (GMT) Message-ID: <53106.81.7.109.95.1060088196.squirrel@mail.impress.lt> Date: Tue, 5 Aug 2003 12:56:36 -0000 (GMT) From: stakys@punktas.lt To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.0 MIME-Version: 1.0 Content-Type: text/plain;charset=windows-1257 X-Priority: 3 Importance: Normal Subject: Problems with JAIL in 4.8R X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 09:56:44 -0000 Hi, i've set the outside ip for the jail..It works.. When i try to ssh to jail'ed system from the main system (in which is created jail) the connection is successful, but when i try to connect to jailed system from anywhere else i get this message: ssh: connect to host IP_NUMBER port 22: Operation timed out What can be wrong here? How to solve this problem? 
From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 03:13:18 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6066837B401 for ; Tue, 5 Aug 2003 03:13:18 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 5C1C843F85 for ; Tue, 5 Aug 2003 03:13:16 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 21207 invoked from network); 5 Aug 2003 10:04:55 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 5 Aug 2003 10:04:54 -0000 Received: (qmail 15405 invoked by uid 1000); 5 Aug 2003 10:14:17 -0000 Date: Tue, 5 Aug 2003 13:14:17 +0300 From: Peter Pentchev To: stakys@punktas.lt Message-ID: <20030805101416.GS358@straylight.oblivion.bg> Mail-Followup-To: stakys@punktas.lt, freebsd-security@freebsd.org References: <53106.81.7.109.95.1060088196.squirrel@mail.impress.lt> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ibvzjYYg+QDzMCy1" Content-Disposition: inline In-Reply-To: <53106.81.7.109.95.1060088196.squirrel@mail.impress.lt> User-Agent: Mutt/1.5.4i cc: freebsd-security@freebsd.org Subject: Re: Problems with JAIL in 4.8R X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 10:13:18 -0000 --ibvzjYYg+QDzMCy1 Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote: > Hi, i've set the outside ip for the jail..It works.. 
When i try to ssh to > jail'ed system from the main system (in which is created jail) the > connection is successful, but when i try to connect to jailed system from > anywhere else i get this message: > ssh: connect to host IP_NUMBER port 22: Operation timed out > What can be wrong here? How to solve this problem? Are you running some sort of firewall on the main system? You might have to add additional rules allowing SSH into the jailed one... G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 You have, of course, just begun reading the sentence that you have just fin= ished reading. --ibvzjYYg+QDzMCy1 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/L4N47Ri2jRYZRVMRArBCAKCU9DJkQGOr6/qZIPuXYPeitTRW4QCgtpgo mfEI/5GEkJ+cCESyLc7Y18Y= =WdBg -----END PGP SIGNATURE----- --ibvzjYYg+QDzMCy1-- From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 03:20:30 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E9E6D37B401 for ; Tue, 5 Aug 2003 03:20:30 -0700 (PDT) Received: from mail.impress.lt (server.impress.lt [193.219.5.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 468E443F93 for ; Tue, 5 Aug 2003 03:20:30 -0700 (PDT) (envelope-from stakys@punktas.lt) Received: from mail.impress.lt (localhost [127.0.0.1]) by mail.impress.lt (Postfix) with SMTP id 284A754BC for ; Tue, 5 Aug 2003 13:20:23 +0000 (GMT) Received: from 81.7.109.95 (SquirrelMail authenticated user stakys@punktas.lt) by mail.impress.lt with HTTP; Tue, 5 Aug 2003 13:20:23 -0000 (GMT) Message-ID: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> Date: Tue, 5 Aug 2003 13:20:23 -0000 (GMT) From: stakys@punktas.lt To: freebsd-security@freebsd.org User-Agent: 
SquirrelMail/1.4.0 MIME-Version: 1.0 Content-Type: text/plain;charset=windows-1257 X-Priority: 3 Importance: Normal Subject: Re: Problems with JAIL in 4.8R X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 10:20:31 -0000 On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote: > Hi, i've set the outside ip for the jail..It works.. When i try to ssh to > jail'ed system from the main system (in which is created jail) the > connection is successful, but when i try to connect to jailed system from > anywhere else i get this message: > ssh: connect to host IP_NUMBER port 22: Operation timed out > What can be wrong here? How to solve this problem? >>Are you running some sort of firewall on the main system? You might >>have to add additional rules allowing SSH into the jailed one... >>G'luck, >>Peter I'm running IPFW but i put such a lines to ipfw.rules to be sure that it's not firewall's fault, about connecting to jail'ed system from outside. 
Here are the lines: ipfw add 50 allow ip from any to any via lo0 ipfw add 51 allow ip from any to any via rl0 From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 03:35:36 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A39E637B401 for ; Tue, 5 Aug 2003 03:35:36 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 2166343F85 for ; Tue, 5 Aug 2003 03:35:35 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 24935 invoked from network); 5 Aug 2003 10:27:14 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 5 Aug 2003 10:27:13 -0000 Received: (qmail 15699 invoked by uid 1000); 5 Aug 2003 10:36:36 -0000 Date: Tue, 5 Aug 2003 13:36:36 +0300 From: Peter Pentchev To: stakys@punktas.lt Message-ID: <20030805103636.GU358@straylight.oblivion.bg> Mail-Followup-To: stakys@punktas.lt, freebsd-security@freebsd.org References: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="eWbcAUUbgrfSEG1c" Content-Disposition: inline In-Reply-To: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> User-Agent: Mutt/1.5.4i cc: freebsd-security@freebsd.org Subject: Re: Problems with JAIL in 4.8R X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 10:35:36 -0000 --eWbcAUUbgrfSEG1c Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 05, 2003 at 01:20:23PM -0000, stakys@punktas.lt wrote: > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt 
wrote: > > Hi, i've set the outside ip for the jail..It works.. When i try to ssh = to > > jail'ed system from the main system (in which is created jail) the > > connection is successful, but when i try to connect to jailed system fr= om > > anywhere else i get this message: > > ssh: connect to host IP_NUMBER port 22: Operation timed out > > What can be wrong here? How to solve this problem? >=20 > >>Are you running some sort of firewall on the main system? You might > >>have to add additional rules allowing SSH into the jailed one... >=20 > >>G'luck, > >>Peter >=20 > I'm running IPFW but i put such a lines to ipfw.rules to be sure that it's > not firewall's fault, about connecting to jail'ed system from outside. > Here are the lines: > ipfw add 50 allow ip from any to any via lo0 > ipfw add 51 allow ip from any to any via rl0 If it would not be a great security risk, could you post the whole set of ipfw rules that you are using? Alternatively, could you add a 'log' clause to all the 'deny' rules, and then watch for denied packets in the syslog? As another alternative, you could 'ipfw -f' for the duration of the test... Sorry if I seem fixated on ipfw, but in my limited experience, it is the single most common reason for jail network connectivity problems :) Closely followed by missing /etc/resolv.conf files in jail/chroot filesystems, but that's another story... G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 because I didn't think of a good beginning of it. 
--eWbcAUUbgrfSEG1c Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/L4i07Ri2jRYZRVMRAmsFAKCEOZFUxXDrpO9xUBdml2ThTAzhLgCgrTo1 LP34wMzB493b7nXGrwED3RU= =sWL5 -----END PGP SIGNATURE----- --eWbcAUUbgrfSEG1c-- From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 03:38:20 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1CA737B401 for ; Tue, 5 Aug 2003 03:38:20 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id EE45A43F3F for ; Tue, 5 Aug 2003 03:38:18 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 25330 invoked from network); 5 Aug 2003 10:29:58 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 5 Aug 2003 10:29:57 -0000 Received: (qmail 15804 invoked by uid 1000); 5 Aug 2003 10:39:20 -0000 Date: Tue, 5 Aug 2003 13:39:20 +0300 From: Peter Pentchev To: stakys@punktas.lt Message-ID: <20030805103919.GV358@straylight.oblivion.bg> Mail-Followup-To: stakys@punktas.lt, freebsd-security@freebsd.org References: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> <20030805103636.GU358@straylight.oblivion.bg> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Nj4mAaUCx+wbOcQD" Content-Disposition: inline In-Reply-To: <20030805103636.GU358@straylight.oblivion.bg> User-Agent: Mutt/1.5.4i cc: freebsd-security@freebsd.org Subject: Re: Problems with JAIL in 4.8R X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 10:38:20 -0000 --Nj4mAaUCx+wbOcQD Content-Type: text/plain; 
charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 05, 2003 at 01:36:36PM +0300, Peter Pentchev wrote: > On Tue, Aug 05, 2003 at 01:20:23PM -0000, stakys@punktas.lt wrote: > > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote: > > > Hi, i've set the outside ip for the jail..It works.. When i try to ss= h to > > > jail'ed system from the main system (in which is created jail) the > > > connection is successful, but when i try to connect to jailed system = =66rom > > > anywhere else i get this message: > > > ssh: connect to host IP_NUMBER port 22: Operation timed out > > > What can be wrong here? How to solve this problem? > >=20 > > >>Are you running some sort of firewall on the main system? You might > > >>have to add additional rules allowing SSH into the jailed one... > >=20 > > >>G'luck, > > >>Peter > >=20 > > I'm running IPFW but i put such a lines to ipfw.rules to be sure that i= t's > > not firewall's fault, about connecting to jail'ed system from outside. > > Here are the lines: > > ipfw add 50 allow ip from any to any via lo0 > > ipfw add 51 allow ip from any to any via rl0 >=20 > If it would not be a great security risk, could you post the whole > set of ipfw rules that you are using? Alternatively, could you add a > 'log' clause to all the 'deny' rules, and then watch for denied packets > in the syslog? As another alternative, you could 'ipfw -f' for the > duration of the test... *THWAP*... 
Of course I meant 'ipfw flush' :) G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 The rest of this sentence is written in Thailand, on --Nj4mAaUCx+wbOcQD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/L4lX7Ri2jRYZRVMRAtAJAKCSGatl9fvE/VqWMD1BIcKLYMGDXQCeOdm5 mzzsAawR0rI+Lpww654iF74= =RnPa -----END PGP SIGNATURE----- --Nj4mAaUCx+wbOcQD-- From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 04:53:48 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6CB7737B401 for ; Tue, 5 Aug 2003 04:53:48 -0700 (PDT) Received: from mail.takas.lt (mail-src.takas.lt [212.59.31.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id E003F43F75 for ; Tue, 5 Aug 2003 04:53:46 -0700 (PDT) (envelope-from stakys@punktas.lt) Received: from ss ([81.7.109.95]) by mail.takas.lt with Microsoft SMTPSVC(5.0.2195.5329); Tue, 5 Aug 2003 14:53:44 +0300 Message-ID: <006601c35b48$35e3cb80$0900a8c0@ss> From: "stakys" To: Date: Tue, 5 Aug 2003 14:53:39 +0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-OriginalArrivalTime: 05 Aug 2003 11:53:44.0805 (UTC) FILETIME=[38F7E950:01C35B48] Subject: Re: Problems with JAIL in 4.8R X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 11:53:48 -0000 sockstat -4l | grep sshd root sshd 76407 3 tcp4 Jailed_system_outside_ip:22 *:* 
root sshd 111 4 tcp4 *:22 *:* I get this... Btw: i have just that firewall rules for testing if it's not ipfw fault. Also as i see for now i need to set for my main system and for jail'ed system to ListenAddress options yes? Ok i tried to do so, and changed ListenAddress parameter in jail'ed and main system sshd_config, the sockstat shows: root sshd 294 3 tcp4 Jailed_system_outside_ip:22 *:* root sshd 111 3 tcp4 Main_system_outside_ip:22 *:* But when i tried to connect to the jail'ed system from outside i get the message of connection timed out. > ----- Original Message ----- > From: "Sander de Leeuw" > To: > Sent: Tuesday, August 05, 2003 1:22 PM > Subject: RE: Problems with JAIL in 4.8R > > > > > > Hi, > > > > I'm not really sure about this, just writing what comes up in my mind. I > > also have running jails in FreeBSD 4.8, and one is running sshd without > > problems. First of all, I assume that you followed the procedure > > explained in 'man jail'. It is important to be sure that if you run some > > sort of daemon in a jail, while running the same daemon in you're host > > environment, they do NOT bind on the same TCP socket. So, doing a > > 'sockstat -4l | grep sshd' should return something like this: > > > > root sshd 19906 3 tcp4 192.168.25.16:22 *:* > > root sshd 116 3 tcp4 192.168.25.1:22 *:* > > > > AND NOT: > > > > root sshd 19906 3 tcp4 192.168.25.16:22 *:* > > root sshd 116 3 tcp4 *:22 *:* > > > > In this case you should set the ListenAddress parameter in you're > > /etc/ssh/sshd_config file. > > > > I hope you can do something with it, good luck. > > Sander de Leeuw > > sander@delete-it.nl > > > > > > -----Oorspronkelijk bericht----- > > Van: owner-freebsd-security@freebsd.org > > [mailto:owner-freebsd-security@freebsd.org] Namens stakys@punktas.lt > > Verzonden: dinsdag 5 augustus 2003 14:57 > > Aan: freebsd-security@freebsd.org > > Onderwerp: Problems with JAIL in 4.8R > > > > Hi, i've set the outside ip for the jail..It works.. 
> > When I try to ssh to the jailed system from the main system (in which
> > the jail is created) the connection is successful, but when I try to
> > connect to the jailed system from anywhere else I get this message:
> > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > What can be wrong here? How to solve this problem?
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 05:02:41 2003
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Tue, 5 Aug 2003 05:02:39 -0700 (PDT)
Message-Id: <200308051202.h75C2dED072234@freefall.freebsd.org>
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:08.realpath                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Single byte buffer overflow in realpath(3)

Category:       core
Module:         libc
Announced:      2003-08-03
Credits:        Janusz Niewiadomski, Wojciech Purczynski, CERT/CC
Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
                and 5.0-RELEASE
                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
Corrected:      2003-08-03 23:46:24 UTC (RELENG_5_0)
                2003-08-03 23:43:43 UTC (RELENG_4_8)
                2003-08-03 23:44:12 UTC (RELENG_4_7)
                2003-08-03 23:44:36 UTC (RELENG_4_6)
                2003-08-03 23:44:56 UTC (RELENG_4_5)
                2003-08-03 23:45:41 UTC (RELENG_4_4)
                2003-08-03 23:46:03 UTC (RELENG_4_3)
                2003-08-03 23:47:39 UTC (RELENG_3)
FreeBSD only:   NO

0.   Revision History

v1.0  2003-08-03  Initial release
v1.1  2003-08-04  Updated information for lukemftpd

I.   Background

The realpath(3) function is used to determine the canonical, absolute
pathname from a given pathname which may contain extra ``/'' characters,
references to ``/./'' or ``/../'', or references to symbolic links. The
realpath(3) function is part of the FreeBSD Standard C Library.

II.  Problem Description

An off-by-one error exists in a portion of realpath(3) that computes the
length of the resolved pathname. As a result, if the resolved path name
is exactly 1024 characters long and contains at least two directory
separators, the buffer passed to realpath(3) will be overwritten by a
single NUL byte.

III. Impact

Applications using realpath(3) MAY be vulnerable to denial of service
attacks, remote code execution, and/or privilege escalation.
The impact on an individual application is highly dependent upon the
source of the pathname passed to realpath, the position of the output
buffer on the stack, the architecture on which the application is
running, and other factors.

Within the FreeBSD base system, several applications use realpath(3).
Two applications which are negatively impacted are:

(1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
process the MLST and MLSD commands. The vulnerability may be exploitable,
leading to code execution with superuser privileges. lukemftpd(8) was
installed (but not enabled) by default in 4.7-RELEASE and in 4-STABLE
dated Jun 20 21:13:33 2002 UTC through Nov 12 17:32:47 2002 UTC. It is
not built or installed by default in any other release. If the `-r'
option to lukemftpd is used (as suggested by the example /etc/inetd.conf
supplied in 4.7-RELEASE), then successful exploitation leads to code
execution with the privileges of the authenticated user (rather than
superuser privileges).

(2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
chdir commands. This vulnerability may be exploitable, leading to code
execution with the privileges of the authenticated user.

At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained the
following applications which appear to use realpath(3). These
applications have not been audited, and may or may not be vulnerable.
There may be additional applications in the FreeBSD Ports Collection
that use realpath(3), particularly statically-linked applications and
applications added since 4.8-RELEASE.
BitchX-1.0c19_1 Mowitz-0.2.1_1 XFree86-clients-4.3.0_1 abcache-0.14 aim-1.5.234 analog-5.24,1 anjuta-1.0.1_1 aolserver-3.4.2 argus-2.0.5 arm-rtems-gdb-5.2_1 avr-gdb-5.2.1 ccache-2.1.1 cdparanoia-3.9.8_4 cfengine-1.6.3_4 cfengine2-2.0.3 cmake-1.4.7 comserv-1.4.3 criticalmass-0.97 dedit-0.6.2.3_1 drweb_postfix-4.29.10a drweb-4.29.2 drweb_sendmail-4.29.10a edonkey-gui-gtk-0.5.0 enca-0.10.7 epic4-1.0.1_2 evolution-1.2.2_1 exim-3.36_1 exim-4.12_5 exim-ldap-4.12_5 exim-ldap2-4.12_5 exim-mysql-4.12_5 exim-postgresql-4.12_5 fam-2.6.9_2 fastdep-0.15 feh-1.2.4_1 ferite-0.99.6 fileutils-4.1_1 finfo-0.1 firebird-1.0.2 firebird-1.0.r2 frontpage-5.0.2.2623_1 galeon-1.2.8 galeon2-1.3.2_1 gdb-5.3_20030311 gdb-5.2.1_1 gdm2-2.4.1.3 gecc-20021119 gentoo-0.11.34 gkrellmvolume-2.1.7 gltron-0.61 global-4.5.1 gnat-3.15p gnomelibs-1.4.2_1 gprolog-1.2.16 gracula-3.0 gringotts-1.2.3 gtranslator-0.43_1 gvd-1.2.5 hercules-2.16.5 hte-0.7.0 hugs98-200211 i386-rtems-gdb-5.2_1 i960-rtems-gdb-5.2_1 installwatch-0.5.6 ivtools-1.0.6 ja-epic4-1.0.1_2 ja-gnomelibs-1.4.2_1 ja-msdosfs-20001027 ja-samba-2.2.7a.j1.1_1 kdebase-3.1_1 kdelibs-3.1 kermit-8.0.206 ko-BitchX-1.0c16_3 ko-msdosfs-20001027 leocad-0.73 libfpx-1.2.0.4_1 libgnomeui-2.2.0.1 libpdel-0.3.4 librep-0.16.1_1 linux-beonex-0.8.1 linux-divxplayer-0.2.0 linux-edonkey-gui-gtk-0.2.0.a.2002.02.22 linux-gnomelibs-1.2.8_2 linux-mozilla-1.2 linux-netscape-communicator-4.8 linux-netscape-navigator-4.8 linux-phoenix-0.3 linux_base-6.1_4 linux_base-7.1_2 lsh-1.5.1 lukemftpd-1.1_1 m68k-rtems-gdb-5.2_1 mips-rtems-gdb-5.2_1 mod_php4-4.3.1 moscow_ml-2.00_1 mozilla-1.0.2_1 mozilla-1.2.1_1,2 mozilla-1.2.1_2 mozilla-1.3b,1 mozilla-1.3b mozilla-embedded-1.0.2_1 mozilla-embedded-1.2.1_1,2 mozilla-embedded-1.3b,1 msyslog-1.08f_1 netraider-0.0.2 openag-1.1.1_1 openssh-portable-3.5p1_1 openssh-3.5 p5-PPerl-0.23 paragui-1.0.2_2 powerpc-rtems-gdb-5.2_1 psim-freebsd-5.2.1 ptypes-1.7.4 pure-ftpd-1.0.14 qiv-1.8 readlink-20010616 reed-5.4 rox-1.3.6_1 rox-session-0.1.18_1 
rpl-1.4.0 rpm-3.0.6_6 samba-2.2.8 samba-3.0a20 scrollkeeper-0.3.11_8,1 sh-rtems-gdb-5.2_1 sharity-light-1.2_1 siag-3.4.10 skipstone-0.8.3 sparc-rtems-gdb-5.2_1 squeak-2.7 squeak-3.2 swarm-2.1.1 tcl-8.2.3_2 tcl-8.3.5 tcl-8.4.1,1 tcl-thread-8.1.b1 teTeX-2.0.2_1 wine-2003.02.19 wml-2.0.8 worker-2.7.0 xbubble-0.2 xerces-c2-2.1.0_1 xerces_c-1.7.0 xnview-1.50 xscreensaver-gnome-4.08 xscreensaver-4.08 xworld-2.0 yencode-0.46_1 zh-cle_base-0.9p1 zh-tcl-8.3.0 zh-tw-BitchX-1.0c19_3 zh-ve-1.0 zh-xemacs-20.4_1

IV.  Workaround

There is no generally applicable workaround.

OpenSSH's sftp-server(8) may be disabled by editing /etc/ssh/sshd_config
and commenting out the following line by inserting a `#' as the first
character:

Subsystem sftp /usr/libexec/sftp-server

lukemftpd(8) may be replaced by the default ftpd(8).

V.   Solution

1) Upgrade your vulnerable system to 4.8-STABLE or to any of the
RELENG_5_1 (5.1-RELEASE), RELENG_4_8 (4.8-RELEASE-p1), or RELENG_4_7
(4.7-RELEASE-p11) security branches dated after the respective
correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility. The following patch has
been tested to apply to all FreeBSD 4.x releases and to FreeBSD
5.0-RELEASE.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your operating system as described in .

NOTE WELL: Any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled. All affected applications must be restarted for them
to use the corrected library. Though not required, rebooting may be the
easiest way to accomplish this.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                         Revision
  Path
- -------------------------------------------------------------------------
RELENG_3
  src/lib/libc/stdlib/realpath.c                                  1.6.2.1
RELENG_4_3
  src/UPDATING                                              1.73.2.28.2.32
  src/lib/libc/stdlib/realpath.c                                  1.9.4.1
  src/sys/conf/newvers.sh                                   1.44.2.14.2.22
RELENG_4_4
  src/UPDATING                                              1.73.2.43.2.45
  src/lib/libc/stdlib/realpath.c                                  1.9.6.1
  src/sys/conf/newvers.sh                                   1.44.2.17.2.36
RELENG_4_5
  src/UPDATING                                              1.73.2.50.2.44
  src/lib/libc/stdlib/realpath.c                                  1.9.8.1
  src/sys/conf/newvers.sh                                   1.44.2.20.2.28
RELENG_4_6
  src/UPDATING                                              1.73.2.68.2.42
  src/lib/libc/stdlib/realpath.c                                 1.9.10.1
  src/sys/conf/newvers.sh                                   1.44.2.23.2.31
RELENG_4_7
  src/UPDATING                                              1.73.2.74.2.14
  src/lib/libc/stdlib/realpath.c                                 1.9.12.1
  src/sys/conf/newvers.sh                                   1.44.2.26.2.13
RELENG_4_8
  src/UPDATING                                               1.73.2.80.2.3
  src/lib/libc/stdlib/realpath.c                                 1.9.14.1
  src/sys/conf/newvers.sh                                    1.44.2.29.2.2
RELENG_5_0
  src/UPDATING                                                 1.229.2.14
  src/lib/libc/stdlib/realpath.c                                 1.11.2.1
  src/sys/conf/newvers.sh                                        1.48.2.9
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/L5wUFdaIBMps37IRAiY7AJ9k0TOFUzlwC5rHbax4bXa8lluyFACfc82w
xpJrfCeDU4qOs8q33dXSsvw=
=5z4e
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 06:45:27 2003
From: "stakys"
To: "Konstantin M Volevatch"
Date: Tue, 5 Aug 2003 16:45:19 +0300
Message-ID: <00f701c35b57$cf704670$0900a8c0@ss>
References: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> <200308051631.52531.cox@rosnet.ru>
Subject: Re: Problems with JAIL in 4.8R

Didn't help. Any more suggestions about solving this problem?
----- Original Message -----
From: "Konstantin M Volevatch"
Sent: Tuesday, August 05, 2003 3:31 PM
Subject: Re: Problems with JAIL in 4.8R

> Try this:
> ipfw add 52 allow ip from any to me via rl0
>
> In the message of 5 August 2003 17:20 stakys@punktas.lt wrote:
> > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> > > Hi, I've set the outside IP for the jail.. It works.. When I try to ssh to the
> > > jailed system from the main system (in which the jail is created) the
> > > connection is successful, but when I try to connect to the jailed system from
> > > anywhere else I get this message:
> > > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > > What can be wrong here? How to solve this problem?
> > >
> > >>Are you running some sort of firewall on the main system? You might
> > >>have to add additional rules allowing SSH into the jailed one...
> > >>
> > >>G'luck,
> > >>Peter
> >
> > I'm running IPFW, but I put these lines in ipfw.rules to be sure that it's
> > not the firewall's fault that I can't connect to the jailed system from outside.
> > Here are the lines:
> > ipfw add 50 allow ip from any to any via lo0
> > ipfw add 51 allow ip from any to any via rl0
>
> --
> Konstantin M. Volevatch
> Internet Service Division, RosNet JSC, Moscow
> (095) 7813332 [local:4341]

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 07:44:13 2003
From: Emilian Ursu
To: stakys
cc: freebsd-security@freebsd.org
Date: Tue, 5 Aug 2003 17:43:51 +0300 (EEST)
In-Reply-To: <00f701c35b57$cf704670$0900a8c0@ss>
Subject: Re: Problems with JAIL in 4.8R

I suppose it would be silly to ask if you're trying to connect to private IPs (rfc1928) from "outside".

On Tue, 5 Aug 2003, stakys wrote:

> Didn't help. Any more suggestions about solving this problem?
> ----- Original Message -----

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 07:46:29 2003
From: "stakys"
To: "Konstantin M Volevatch"
Date: Tue, 5 Aug 2003 17:46:21 +0300
Message-ID: <016101c35b60$56a9c320$0900a8c0@ss>
References: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> <200308051631.52531.cox@rosnet.ru>
Subject: Re: Problems with JAIL in 4.8R

Maybe I have to add some rules to ipfw for that rl0 alias somehow? I don't know how to add a rule for the rl0 alias to allow all traffic, because just adding rules for rl0 does not help.
----- Original Message -----
From: "Konstantin M Volevatch"
Sent: Tuesday, August 05, 2003 3:31 PM
Subject: Re: Problems with JAIL in 4.8R

> Try this:
> ipfw add 52 allow ip from any to me via rl0
>
> In the message of 5 August 2003 17:20 stakys@punktas.lt wrote:
> > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> > > Hi, I've set the outside IP for the jail.. It works.. When I try to ssh to the
> > > jailed system from the main system (in which the jail is created) the
> > > connection is successful, but when I try to connect to the jailed system from
> > > anywhere else I get this message:
> > > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > > What can be wrong here? How to solve this problem?
> > >
> > >>Are you running some sort of firewall on the main system? You might
> > >>have to add additional rules allowing SSH into the jailed one...
> > >>
> > >>G'luck,
> > >>Peter
> >
> > I'm running IPFW, but I put these lines in ipfw.rules to be sure that it's
> > not the firewall's fault that I can't connect to the jailed system from outside.
> > Here are the lines:
> > ipfw add 50 allow ip from any to any via lo0
> > ipfw add 51 allow ip from any to any via rl0
>
> --
> Konstantin M. Volevatch
> Internet Service Division, RosNet JSC, Moscow
> (095) 7813332 [local:4341]

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 07:48:38 2003
From: Hernan Nunez
Reply-To: hnunez@vianetworks.com.ar
Date: Tue, 5 Aug 2003 11:48:05 -0300
Message-ID: <02be01c35b60$948136b0$330c3dc8@ms.vianetworks.net.ar>
References: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> <200308051631.52531.cox@rosnet.ru> <00f701c35b57$cf704670$0900a8c0@ss>
Subject: Re: Problems with JAIL in 4.8R

Try using sshd in debug mode [SSHD(8)].
Inside the jail run sshd -ddd, setting ListenAddress jail.ip.addr in your sshd_config.

Tip: If you are using, in your jail, an IP address (alias address) from the same network as the outside one, you must use a host mask 255.255.255.255 on your alias addresses.

Hernan

----- Original Message -----
From: "stakys"
To: "Konstantin M Volevatch"
Sent: Tuesday, August 05, 2003 10:45 AM
Subject: Re: Problems with JAIL in 4.8R

> Didn't help. Any more suggestions about solving this problem?
> ----- Original Message -----
> From: "Konstantin M Volevatch"
> Sent: Tuesday, August 05, 2003 3:31 PM
> Subject: Re: Problems with JAIL in 4.8R
>
> > Try this:
> > ipfw add 52 allow ip from any to me via rl0
> >
> > In the message of 5 August 2003 17:20 stakys@punktas.lt wrote:
> > > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> > > > Hi, I've set the outside IP for the jail.. It works.. When I try to ssh to the
> > > > jailed system from the main system (in which the jail is created) the
> > > > connection is successful, but when I try to connect to the jailed system from
> > > > anywhere else I get this message:
> > > > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > > > What can be wrong here? How to solve this problem?
> > > >
> > > >>Are you running some sort of firewall on the main system? You might
> > > >>have to add additional rules allowing SSH into the jailed one...
> > > >>
> > > >>G'luck,
> > > >>Peter
> > >
> > > I'm running IPFW, but I put these lines in ipfw.rules to be sure that it's
> > > not the firewall's fault that I can't connect to the jailed system from outside.
> > > Here are the lines:
> > > ipfw add 50 allow ip from any to any via lo0
> > > ipfw add 51 allow ip from any to any via rl0
> >
> > --
> > Konstantin M. Volevatch
> > Internet Service Division, RosNet JSC, Moscow
> > (095) 7813332 [local:4341]

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 08:41:55 2003
From: "stakys"
Date: Tue, 5 Aug 2003 18:41:47 +0300
Message-ID: <01bc01c35b68$14ebf400$0900a8c0@ss>
References: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> <200308051631.52531.cox@rosnet.ru> <00f701c35b57$cf704670$0900a8c0@ss> <02be01c35b60$948136b0$330c3dc8@ms.vianetworks.net.ar>
Subject: Re: Problems with JAIL in 4.8R

I've tried it in debug mode, but it does not give any error when I get the timeout; my netmask is also set as you said. Any ideas how to solve it?

----- Original Message -----
From: "Hernan Nunez"
Sent: Tuesday, August 05, 2003 5:48 PM
Subject: Re: Problems with JAIL in 4.8R

> Try using sshd in debug mode [SSHD(8)]. Inside the jail run sshd -ddd,
> setting ListenAddress jail.ip.addr in your sshd_config.
>
> Tip:
> If you are using, in your jail, an IP address (alias address) from the same
> network as the outside one, you must use a host mask 255.255.255.255 on your
> alias addresses.
>
> Hernan
>
> ----- Original Message -----
> From: "stakys"
> To: "Konstantin M Volevatch"
> Sent: Tuesday, August 05, 2003 10:45 AM
> Subject: Re: Problems with JAIL in 4.8R
>
> > Didn't help. Any more suggestions about solving this problem?
> > ----- Original Message -----
> > From: "Konstantin M Volevatch"
> > Sent: Tuesday, August 05, 2003 3:31 PM
> > Subject: Re: Problems with JAIL in 4.8R
> >
> > > Try this:
> > > ipfw add 52 allow ip from any to me via rl0
> > >
> > > In the message of 5 August 2003 17:20 stakys@punktas.lt wrote:
> > > > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> > > > > Hi, I've set the outside IP for the jail.. It works.. When I try to ssh to the
> > > > > jailed system from the main system (in which the jail is created) the
> > > > > connection is successful, but when I try to connect to the jailed system from
> > > > > anywhere else I get this message:
> > > > > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > > > > What can be wrong here? How to solve this problem?
> > > > >
> > > > >>Are you running some sort of firewall on the main system? You might
> > > > >>have to add additional rules allowing SSH into the jailed one...
> > > > >>
> > > > >>G'luck,
> > > > >>Peter
> > > >
> > > > I'm running IPFW, but I put these lines in ipfw.rules to be sure that it's
> > > > not the firewall's fault that I can't connect to the jailed system from outside.
> > > > Here are the lines:
> > > > ipfw add 50 allow ip from any to any via lo0
> > > > ipfw add 51 allow ip from any to any via rl0
> > >
> > > --
> > > Konstantin M. Volevatch
> > > Internet Service Division, RosNet JSC, Moscow
> > > (095) 7813332 [local:4341]

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 08:49:13 2003
From: Hernan Nunez Message-ID: <041101c35b69$0eb9b0d0$330c3dc8@ms.vianetworks.net.ar> To: "stakys" , References: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt><200308051631.52531.cox@rosnet.ru><00f701c35b57$cf704670$0900a8c0@ss> <02be01c35b60$948136b0$330c3dc8@ms.vianetworks.net.ar> <01bc01c35b68$14ebf400$0900a8c0@ss> Date: Tue, 5 Aug 2003 12:48:46 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: Problems with JAIL in 4.8R X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hnunez@vianetworks.com.ar List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 15:49:13 -0000 Do you have configured your /etc/resolv.conf and /etc/hosts ?? Do you use /etc/hosts.allow ?? ----- Original Message ----- From: "stakys" To: ; Sent: Tuesday, August 05, 2003 12:41 PM Subject: Re: Problems with JAIL in 4.8R > I've tried in debug mode but do not gives any error when i get the timeout, > also my netmask set as you said. Any ideas how to solve it? > ----- Original Message ----- > From: "Hernan Nunez" > To: > Sent: Tuesday, August 05, 2003 5:48 PM > Subject: Re: Problems with JAIL in 4.8R > > > > Try using sshd in debug mode [SSHD(8)]. 
Inside the jail run sshd -ddd, > > setting up ListenAddress jail.ip.addr in your sshd_config .,., > > > > Tip: > > If you are using , in your jail, an ip addr (alias address) from the same > > network than outside you must use a host mask 255.255.255.255 in your > alias > > addrs.,., > > > > Hernan > > > > > > ----- Original Message ----- > > From: "stakys" > > To: "Konstantin M Volevatch" ; > > > Sent: Tuesday, August 05, 2003 10:45 AM > > Subject: Re: Problems with JAIL in 4.8R > > > > > > > Didn't help. Any more suggesstions about solving this problem? > > > ----- Original Message ----- > > > From: "Konstantin M Volevatch" > > > To: ; > > > Sent: Tuesday, August 05, 2003 3:31 PM > > > Subject: Re: Problems with JAIL in 4.8R > > > > > > > > > > Try this: > > > > ipfw add 52 allow ip from any to me via rl0 > > > > > > > > ÷ ÓÏÏÂÝÅÎÉÉ ÏÔ 5 á×ÇÕÓÔ 2003 17:20 stakys@punktas.lt ÎÁÐÉÓÁÌ: > > > > > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote: > > > > > > Hi, i've set the outside ip for the jail..It works.. When i try to > > ssh > > > to > > > > > > jail'ed system from the main system (in which is created jail) the > > > > > > connection is successful, but when i try to connect to jailed > system > > > from > > > > > > anywhere else i get this message: > > > > > > ssh: connect to host IP_NUMBER port 22: Operation timed out > > > > > > What can be wrong here? How to solve this problem? > > > > > > > > > > > >>Are you running some sort of firewall on the main system? You > might > > > > > >>have to add additional rules allowing SSH into the jailed one... > > > > > >> > > > > > >>G'luck, > > > > > >>Peter > > > > > > > > > > I'm running IPFW but i put such a lines to ipfw.rules to be sure > that > > > it's > > > > > not firewall's fault, about connecting to jail'ed system from > outside. 
> > > > > Here are the lines: > > > > > ipfw add 50 allow ip from any to any via lo0 > > > > > ipfw add 51 allow ip from any to any via rl0 > > > > > _______________________________________________ > > > > > freebsd-security@freebsd.org mailing list > > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > > > > To unsubscribe, send any mail to > > > "freebsd-security-unsubscribe@freebsd.org" > > > > > > > > -- > > > > Konstantin M. Volevatch > > > > Internet Service Division, RosNet JSC, Moscow > > > > (095) 7813332 [local:4341] > > > > > > > > > > _______________________________________________ > > > freebsd-security@freebsd.org mailing list > > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > > To unsubscribe, send any mail to > > "freebsd-security-unsubscribe@freebsd.org" > > > > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 08:56:47 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5051537B401 for ; Tue, 5 Aug 2003 08:56:47 -0700 (PDT) Received: from ms-smtp-03.texas.rr.com (ms-smtp-03.texas.rr.com [24.93.36.231]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74F3F43F93 for ; Tue, 5 Aug 2003 08:56:46 -0700 (PDT) (envelope-from cboyd@gizmopartners.com) Received: from gizmopartners.com (cs24359-109.austin.rr.com [24.243.59.109]) h75Fuj0p029684 for ; Tue, 5 Aug 2003 10:56:45 -0500 (CDT) Date: Tue, 5 Aug 2003 10:56:45 -0500 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v552) From: Chris Boyd To: freebsd-security@freebsd.org Content-Transfer-Encoding: 7bit In-Reply-To: 
<5.0.2.1.1.20030804044235.02bce1f0@popserver.sfu.ca>
Message-Id: <69C7377D-C75D-11D7-9563-00039375B178@gizmopartners.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

Many thanks for building this, Colin.

When I do the update on a 4.8-RELEASE box, should all the files noted be
replaced? On my two test machines, only /usr/libexec/sftp-server was
replaced. Both machines are running custom kernels, but I've never built
world or used FreeBSD Update before on them.

--Chris

On Monday, August 4, 2003, at 06:01 PM, Colin Percival wrote:

> At 00:54 04/08/2003 -0700, I wrote:
> > Once the binary updates are available, FreeBSD Update
> > (security/freebsd-update in the ports tree) will be able to fetch and
> > install them; I'll send another email to this list after they've been
> > built, signed, and uploaded.
>
> Binary patches can now be installed via FreeBSD Update for any
> systems with a binary install of 4.7-RELEASE or 4.8-RELEASE which have
> not had any system binaries rebuilt or replaced locally (except by
> FreeBSD Update).
> With a recent copy of the ports tree:
> 1. cd /usr/ports/security/freebsd-update/ && make all install
> 2. cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
> 3. /usr/local/sbin/freebsd-update fetch
> 4. /usr/local/sbin/freebsd-update install
>
> In FreeBSD 4.7, the following binaries were affected by this
> security advisory:
> /bin/mv
> /bin/pwd
> /bin/realpath
> /sbin/kldconfig
> /sbin/mount
> /sbin/mount_cd9660
> /sbin/mount_ext2fs
> /sbin/mount_fdesc
> /sbin/mount_kernfs
> /sbin/mount_linprocfs
> /sbin/mount_mfs
> /sbin/mount_msdos
> /sbin/mount_nfs
> /sbin/mount_ntfs
> /sbin/mount_null
> /sbin/mount_nwfs
> /sbin/mount_portal
> /sbin/mount_procfs
> /sbin/mount_smbfs
> /sbin/mount_std
> /sbin/mount_umap
> /sbin/mount_union
> /sbin/mountd
> /sbin/newfs
> /sbin/umount
> /usr/bin/make
> /usr/lib/libc.a
> /usr/lib/libc.so.4
> /usr/lib/libc_p.a
> /usr/lib/libc_pic.a
> /usr/lib/libc_r.a
> /usr/lib/libc_r.so.4
> /usr/lib/libc_r_p.a
> /usr/libexec/lukemftpd
> /usr/libexec/sftp-server
> /usr/sbin/config
> /usr/sbin/pkg_add
> /usr/sbin/sshd
>
> In FreeBSD 4.8, the same binaries were affected, with the exception
> of /sbin/mount_kernfs (no longer installed), /usr/bin/make (no longer
> uses realpath), and /usr/libexec/lukemftpd (no longer installed).
>
> Colin Percival

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 08:58:16 2003
Message-ID: <01ea01c35b6a$5d67a380$0900a8c0@ss>
From: "stakys"
Date: Tue, 5 Aug 2003 18:58:08 +0300
Subject: Re: Problems with JAIL in 4.8R

I've set in my resolv.conf the same nameservers as in the main system, and
in the jailed system's /etc/hosts file I've set this:
JAILED_OUTSIDE_IP clnt.xxx.com clnt

Also, the hosts.allow file I do not use.

----- Original Message -----
From: "Hernan Nunez"
To: "stakys" ;
Sent: Tuesday, August 05, 2003 6:48 PM
Subject: Re: Problems with JAIL in 4.8R

> Do you have configured your /etc/resolv.conf and /etc/hosts ??
> Do you use /etc/hosts.allow ??
>
> ----- Original Message -----
> From: "stakys"
> To: ;
> Sent: Tuesday, August 05, 2003 12:41 PM
> Subject: Re: Problems with JAIL in 4.8R
>
> > I've tried in debug mode but it does not give any error when I get the
> > timeout, also my netmask is set as you said. Any ideas how to solve it?
> > ----- Original Message -----
> > From: "Hernan Nunez"
> > To:
> > Sent: Tuesday, August 05, 2003 5:48 PM
> > Subject: Re: Problems with JAIL in 4.8R
> >
> > > Try using sshd in debug mode [SSHD(8)]. Inside the jail run sshd -ddd,
> > > setting up ListenAddress jail.ip.addr in your sshd_config.
> > >
> > > Tip:
> > > If you are using, in your jail, an IP addr (alias address) from the same
> > > network as outside, you must use a host mask 255.255.255.255 in your
> > > alias addrs.
> > >
> > > Hernan

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 09:01:09 2003
Date: Tue, 5 Aug 2003 19:02:06 +0300
From: Peter Pentchev
To: stakys
cc: freebsd-security@freebsd.org
Message-ID: <20030805160206.GE358@straylight.oblivion.bg>
In-Reply-To: <01bc01c35b68$14ebf400$0900a8c0@ss>
Subject: Re: Problems with JAIL in 4.8R

On Tue, Aug 05, 2003 at 06:41:47PM +0300, stakys wrote:
> I've tried in debug mode but it does not give any error when I get the timeout,
> also my netmask is set as you said. Any ideas how to solve it?

I would *still* bet on the firewall. Could you add a 'log' keyword to
all the 'deny' rules in your ipfw ruleset (if you think that there are
none, please double-check to make sure that there really are none; does
ipfw list really not show any of them?), and see in your syslog if
something is being denied?

Also, it might be the firewall on the machine that you are trying to
connect *from* - the machine that you are running the SSH client on.
Are you sure it will not block an attempt to connect to the jail's IP
address on port 22?

A third option would be any devices between the two machines: routers,
cable modem gateways, other computers acting as gateways..

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence would be seven words long if it were six words shorter.
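Peter's advice above is to put 'log' on the deny rules and then read syslog. The script below is an added example, not code from the thread or from FreeBSD: it parses ipfw log records in the classic syslog form written by rules carrying the 'log' keyword and reports denied TCP traffic to or from a jail address on port 22, counted by rule number, direction and interface. The sample log lines, addresses and rule numbers are constructed for illustration.

```python
"""Find ipfw 'Deny' records that would explain an SSH connect() timeout to a jail.

Added example, not code from the thread.  It assumes the classic FreeBSD
ipfw syslog format produced by rules carrying the 'log' keyword:
    ipfw: <rule> <Accept|Deny|...> <proto> <src>:<sport> <dst>:<dport> <in|out> via <ifp>
The sample lines, addresses and rule numbers below are constructed.
"""
import re
from collections import Counter

IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<ifp>\S+)"
)

# Constructed syslog excerpt: 192.0.2.10 plays the jail's alias address,
# 198.51.100.7 an outside SSH client, 192.0.2.9 the host itself.
SAMPLE_SYSLOG = """\
Aug  5 18:40:01 host /kernel: ipfw: 51 Accept TCP 192.0.2.9:1234 192.0.2.10:22 in via rl0
Aug  5 18:40:07 host /kernel: ipfw: 65000 Deny TCP 198.51.100.7:3456 192.0.2.10:22 in via rl0
Aug  5 18:40:09 host /kernel: ipfw: 65000 Deny TCP 198.51.100.7:3457 192.0.2.10:22 in via rl0
Aug  5 18:40:12 host /kernel: ipfw: 65000 Deny UDP 198.51.100.53:53 192.0.2.9:1025 in via rl0
Aug  5 18:40:15 host /kernel: ipfw: 300 Deny TCP 192.0.2.10:22 198.51.100.7:3458 out via rl0
Aug  5 18:40:20 host sshd[123]: Connection from 192.0.2.9 port 1234
"""


def parse_ipfw_lines(text):
    """Return one dict per ipfw log record in text; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def denied_ssh(text, jail_ip, ssh_port=22):
    """Records where ipfw dropped TCP traffic for SSH on the jail address.

    Both directions matter: a dropped inbound SYN and a dropped outbound
    SYN/ACK both look like "Operation timed out" to the remote client.
    """
    hits = []
    for rec in parse_ipfw_lines(text):
        if rec["action"] != "Deny" or rec["proto"] != "TCP":
            continue
        inbound = rec["dst"] == jail_ip and rec["dport"] == ssh_port
        outbound = rec["src"] == jail_ip and rec["sport"] == ssh_port
        if inbound or outbound:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count denies by (rule, direction, interface) so the rule to fix stands out."""
    return Counter((h["rule"], h["dir"], h["ifp"]) for h in hits)


if __name__ == "__main__":
    found = denied_ssh(SAMPLE_SYSLOG, "192.0.2.10")
    if not found:
        print("no ipfw denies involving SSH on the jail address; look elsewhere")
    for (rule, direction, ifp), count in sorted(summarize(found).items()):
        print(f"rule {rule}: {count} SSH packet(s) denied {direction} via {ifp}")
```

Feed it the real syslog (for example the output of grep ipfw /var/log/security) and the jail's address; an empty result points at the client-side firewall or an intermediate device, the other two possibilities Peter names.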
From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 09:05:06 2003
Date: Tue, 5 Aug 2003 19:05:47 +0300
From: Oleg Shevtsov
To: security@freebsd.org
Message-ID: <20030805160547.GA959@orion.interexc.com>
Subject: Direct access to SCSI cdrw

Hello,

I tried to install a Yamaha cdrw on FreeBSD 5.1. On 4.8-STABLE all was OK.
Now I have the sym device in the kernel configuration. But cdrecord shows
the message "No such file or directory. Cannot open SCSI driver". Maybe I
must have a /dev/sym0 device or something else? If yes, then how to create
it with the help of devfs? There is not much info in devfs's manual.

--
Oleg Shevtsov

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 09:40:19 2003
Date: Tue, 5 Aug 2003 10:40:15 -0600
From: Tillman
To: FreeBSD Security
Message-ID: <20030805104015.W21076@seekingfire.com>
In-Reply-To: <200308042257.01280.metrol@metrol.net>
Subject: Re: Kerberos to file server

On Mon, Aug 04, 2003 at 10:57:01PM -0700, Michael Collette wrote:
> On Monday 04 August 2003 09:02 pm, Tillman wrote:
> > The handbook is out of date -- it covers Kerberos 4, not 5. Check out my
> > previous posting to the questions@ list on the topic:
> >
> > http://www.mail-archive.com/freebsd-questions@freebsd.org/msg19447.html
>
> I have been looking at those docs. The part I don't get is the file paths
> involved, as they're very non-FreeBSD'ish. /usr/local/var??

Like many 3rd-party packages, they put things in locations that make sense
to them and then write their documentation to match.

> Do I need to alter environment variables to put things into their proper
> places, or create the directories that it expects? I would expect config
> files for a port to be in /usr/local/etc/krb5 or some such.

krb5.conf and krb5.keytab are an exception to my explanation below; they
reside in /etc.

> BTW, working with the MIT version now, since installing the port and all.
> Also got the pam_krb5 port in there as well. I think I'm about ready to
> really muck this thing up once I understand what all I need to do about
> file paths.

Ignore the file paths in the MIT documentation - the FreeBSD port puts
things in the "correct" paths. Take a peek through
/usr/ports/security/krb5/pkg-plist for details (pre-pending /usr/local/ to
the paths you find in there).

-T

--
Knowing others is intelligence.
Knowing yourself is true wisdom.
- Lao Tse

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 09:43:11 2003
Date: Tue, 5 Aug 2003 10:43:09 -0600
From: Tillman
To: FreeBSD-Security
Message-ID: <20030805104309.X21076@seekingfire.com>
Subject: Kerberos in the handbook

Is anyone currently working on updating the Kerberos documentation in
the Handbook? If so, I'd like to help. If not, I'm hoping to find
someone who can get me up to speed on the FreeBSD docbook extensions :-)

-T

--
"The truly paranoid administrator may wish to place motion detectors in
the air ducts."
- Practical UNIX & Internet Security, 2nd Edition

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 09:58:47 2003
Message-ID: <01b201c35b72$cdcb7bd0$df0a0a0a@vsis169>
From: "Lewis Watson"
Date: Tue, 5 Aug 2003 11:58:33 -0500
cc: security@FreeBSD.ORG
References: <200308051202.h75C2e6S072245@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]

> NOTE WELL: Any statically linked applications that are not part of
> the base system (i.e. from the Ports Collection or other 3rd-party
> sources) must be recompiled.
>
> All affected applications must be restarted for them to use the
> corrected library. Though not required, rebooting may be the easiest
> way to accomplish this.
>

I have upgraded my 4.8 box to 4.8 p1. How do I verify what applications
need to be patched, and how do I make sure that the above noted statically
linked applications are patched after I am done?

Thanks a bunch!
Lewis

----- Original Message -----
From: "FreeBSD Security Advisories"
To: "FreeBSD Security Advisories"
Sent: Tuesday, August 05, 2003 7:02 AM
Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-03:08.realpath                                   Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Single byte buffer overflow in realpath(3)
>
> Category:       core
> Module:         libc
> Announced:      2003-08-03
> Credits:        Janusz Niewiadomski,
>                 Wojciech Purczynski,
>                 CERT/CC
> Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
>                 and 5.0-RELEASE
>                 FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> Corrected:      2003-08-03 23:46:24 UTC (RELENG_5_0)
>                 2003-08-03 23:43:43 UTC (RELENG_4_8)
>                 2003-08-03 23:44:12 UTC (RELENG_4_7)
>                 2003-08-03 23:44:36 UTC (RELENG_4_6)
>                 2003-08-03 23:44:56 UTC (RELENG_4_5)
>                 2003-08-03 23:45:41 UTC (RELENG_4_4)
>                 2003-08-03 23:46:03 UTC (RELENG_4_3)
>                 2003-08-03 23:47:39 UTC (RELENG_3)
> FreeBSD only:   NO
>
> 0.   Revision History
>
> v1.0  2003-08-03  Initial release
> v1.1  2003-08-04  Updated information for lukemftpd
>
> I.   Background
>
> The realpath(3) function is used to determine the canonical,
> absolute pathname from a given pathname which may contain extra
> ``/'' characters, references to ``/./'' or ``/../'', or references
> to symbolic links. The realpath(3) function is part of the FreeBSD
> Standard C Library.
>
> II.  Problem Description
>
> An off-by-one error exists in a portion of realpath(3) that computes
> the length of the resolved pathname. As a result, if the resolved
> path name is exactly 1024 characters long and contains at least
> two directory separators, the buffer passed to realpath(3) will be
> overwritten by a single NUL byte.
>
> III. Impact
>
> Applications using realpath(3) MAY be vulnerable to denial of service
> attacks, remote code execution, and/or privilege escalation. The
> impact on an individual application is highly dependent upon the
> source of the pathname passed to realpath, the position of the output
> buffer on the stack, the architecture on which the application is
> running, and other factors.
>
> Within the FreeBSD base system, several applications use realpath(3).
> Two applications which are negatively impacted are:
>
> (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
> process the MLST and MLSD commands. The vulnerability may be
> exploitable, leading to code execution with superuser privileges.
>
> lukemftpd(8) was installed (but not enabled) by default in
> 4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through
> Nov 12 17:32:47 2002 UTC. It is not built or installed by default
> in any other release.
>
> If the `-r' option to lukemftpd is used (as suggested by the
> example /etc/inetd.conf supplied in 4.7-RELEASE), then successful
> exploitation leads to code execution with the privileges of
> the authenticated user (rather than superuser privileges).
>
> (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
> chdir commands. This vulnerability may be exploitable, leading
> to code execution with the privileges of the authenticated user.
>
> At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
> the following applications which appear to use realpath(3). These
> applications have not been audited, and may or may not be vulnerable.
> There may be additional applications in the FreeBSD Ports Collection
> that use realpath(3), particularly statically-linked applications and
> applications added since 4.8-RELEASE.
>
> BitchX-1.0c19_1
> Mowitz-0.2.1_1
> XFree86-clients-4.3.0_1
> abcache-0.14
> aim-1.5.234
> analog-5.24,1
> anjuta-1.0.1_1
> aolserver-3.4.2
> argus-2.0.5
> arm-rtems-gdb-5.2_1
> avr-gdb-5.2.1
> ccache-2.1.1
> cdparanoia-3.9.8_4
> cfengine-1.6.3_4
> cfengine2-2.0.3
> cmake-1.4.7
> comserv-1.4.3
> criticalmass-0.97
> dedit-0.6.2.3_1
> drweb_postfix-4.29.10a
> drweb-4.29.2
> drweb_sendmail-4.29.10a
> edonkey-gui-gtk-0.5.0
> enca-0.10.7
> epic4-1.0.1_2
> evolution-1.2.2_1
> exim-3.36_1
> exim-4.12_5
> exim-ldap-4.12_5
> exim-ldap2-4.12_5
> exim-mysql-4.12_5
> exim-postgresql-4.12_5
> fam-2.6.9_2
> fastdep-0.15
> feh-1.2.4_1
> ferite-0.99.6
> fileutils-4.1_1
> finfo-0.1
> firebird-1.0.2
> firebird-1.0.r2
> frontpage-5.0.2.2623_1
> galeon-1.2.8
> galeon2-1.3.2_1
> gdb-5.3_20030311
> gdb-5.2.1_1
> gdm2-2.4.1.3
> gecc-20021119
> gentoo-0.11.34
> gkrellmvolume-2.1.7
> gltron-0.61
> global-4.5.1
> gnat-3.15p
> gnomelibs-1.4.2_1
> gprolog-1.2.16
> gracula-3.0
> gringotts-1.2.3
> gtranslator-0.43_1
> gvd-1.2.5
> hercules-2.16.5
> hte-0.7.0
> hugs98-200211
> i386-rtems-gdb-5.2_1
> i960-rtems-gdb-5.2_1
> installwatch-0.5.6
> ivtools-1.0.6
> ja-epic4-1.0.1_2
> ja-gnomelibs-1.4.2_1
> ja-msdosfs-20001027
> ja-samba-2.2.7a.j1.1_1
> kdebase-3.1_1
> kdelibs-3.1
> kermit-8.0.206
> ko-BitchX-1.0c16_3
> ko-msdosfs-20001027
> leocad-0.73
> libfpx-1.2.0.4_1
> libgnomeui-2.2.0.1
> libpdel-0.3.4
> librep-0.16.1_1
> linux-beonex-0.8.1
> linux-divxplayer-0.2.0
> linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
> linux-gnomelibs-1.2.8_2
> linux-mozilla-1.2
> linux-netscape-communicator-4.8
> linux-netscape-navigator-4.8
> linux-phoenix-0.3
> linux_base-6.1_4
> linux_base-7.1_2
> lsh-1.5.1
> lukemftpd-1.1_1
> m68k-rtems-gdb-5.2_1
> mips-rtems-gdb-5.2_1
> mod_php4-4.3.1
> moscow_ml-2.00_1
> mozilla-1.0.2_1
> mozilla-1.2.1_1,2
> mozilla-1.2.1_2
> mozilla-1.3b,1
> mozilla-1.3b
> mozilla-embedded-1.0.2_1
> mozilla-embedded-1.2.1_1,2
> mozilla-embedded-1.3b,1
> msyslog-1.08f_1
> netraider-0.0.2
> openag-1.1.1_1
> openssh-portable-3.5p1_1
> openssh-3.5
> p5-PPerl-0.23
> paragui-1.0.2_2
> powerpc-rtems-gdb-5.2_1
> psim-freebsd-5.2.1
> ptypes-1.7.4
> pure-ftpd-1.0.14
> qiv-1.8
> readlink-20010616
> reed-5.4
> rox-1.3.6_1
> rox-session-0.1.18_1
> rpl-1.4.0
> rpm-3.0.6_6
> samba-2.2.8
> samba-3.0a20
> scrollkeeper-0.3.11_8,1
> sh-rtems-gdb-5.2_1
> sharity-light-1.2_1
> siag-3.4.10
> skipstone-0.8.3
> sparc-rtems-gdb-5.2_1
> squeak-2.7
> squeak-3.2
> swarm-2.1.1
> tcl-8.2.3_2
> tcl-8.3.5
> tcl-8.4.1,1
> tcl-thread-8.1.b1
> teTeX-2.0.2_1
> wine-2003.02.19
> wml-2.0.8
> worker-2.7.0
> xbubble-0.2
> xerces-c2-2.1.0_1
> xerces_c-1.7.0
> xnview-1.50
> xscreensaver-gnome-4.08
> xscreensaver-4.08
> xworld-2.0
> yencode-0.46_1
> zh-cle_base-0.9p1
> zh-tcl-8.3.0
> zh-tw-BitchX-1.0c19_3
> zh-ve-1.0
> zh-xemacs-20.4_1
>
> IV.  Workaround
>
> There is no generally applicable workaround.
>
> OpenSSH's sftp-server(8) may be disabled by editing
> /etc/ssh/sshd_config and commenting out the following line by
> inserting a `#' as the first character:
>
> Subsystem sftp /usr/libexec/sftp-server
>
> lukemftpd(8) may be replaced by the default ftpd(8).
>
> V.   Solution
>
> 1) Upgrade your vulnerable system to 4.8-STABLE
> or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> dated after the respective correction dates.
>
> 2) To patch your present system:
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility. The following patch
> has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
> 5.0-RELEASE.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your operating system as described in
> .
>
> NOTE WELL: Any statically linked applications that are not part of
> the base system (i.e. from the Ports Collection or other 3rd-party
> sources) must be recompiled.
>
> All affected applications must be restarted for them to use the
> corrected library. Though not required, rebooting may be the easiest
> way to accomplish this.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_3
>   src/lib/libc/stdlib/realpath.c                                    1.6.2.1
> RELENG_4_3
>   src/UPDATING                                               1.73.2.28.2.32
>   src/lib/libc/stdlib/realpath.c                                    1.9.4.1
>   src/sys/conf/newvers.sh                                   1.44.2.14.2.22
> RELENG_4_4
>   src/UPDATING                                               1.73.2.43.2.45
>   src/lib/libc/stdlib/realpath.c                                    1.9.6.1
>   src/sys/conf/newvers.sh                                   1.44.2.17.2.36
> RELENG_4_5
>   src/UPDATING                                               1.73.2.50.2.44
>   src/lib/libc/stdlib/realpath.c                                    1.9.8.1
>   src/sys/conf/newvers.sh                                   1.44.2.20.2.28
> RELENG_4_6
>   src/UPDATING                                               1.73.2.68.2.42
>   src/lib/libc/stdlib/realpath.c                                   1.9.10.1
>   src/sys/conf/newvers.sh                                   1.44.2.23.2.31
> RELENG_4_7
>   src/UPDATING                                               1.73.2.74.2.14
>   src/lib/libc/stdlib/realpath.c                                   1.9.12.1
>   src/sys/conf/newvers.sh                                   1.44.2.26.2.13
> RELENG_4_8
>   src/UPDATING                                                1.73.2.80.2.3
>   src/lib/libc/stdlib/realpath.c                                   1.9.14.1
>   src/sys/conf/newvers.sh                                    1.44.2.29.2.2
> RELENG_5_0
>   src/UPDATING                                                   1.229.2.14
>   src/lib/libc/stdlib/realpath.c                                   1.11.2.1
>   src/sys/conf/newvers.sh                                          1.48.2.9
> - -------------------------------------------------------------------------
>
> VII. References
>
>
> _______________________________________________
> freebsd-security-notifications@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 10:29:47 2003
From: Michael Collette
To: FreeBSD Security
Date: Tue, 5 Aug 2003 10:25:55 -0700
In-Reply-To: <20030805104309.X21076@seekingfire.com>
Message-Id: <200308051025.55848.metrol@metrol.net>
Subject: Re: Kerberos in the handbook

On Tuesday 05 August 2003 09:43 am, Tillman wrote:
> Is anyone currently working on updating the Kerberos documentation in
> the Handbook? if so, I'd like to help.
> If not, I'm hoping to find
> someone who can get me up to speed on the FreeBSD docbook extensions :-)
>
> -T

It feels like I'm going to be helping to write some of this documentation
as it is. :)

Tell you what. I haven't a clue about docbook as of yet, but if you can
get together the text I will figure out how to get it formatted proper.
Got the docbook handbook up on screen now.

Later on,
--
"In theory, there is no difference between theory and practice.
In practice, there is." - Yogi Berra

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 10:59:41 2003
Date: Tue, 5 Aug 2003 11:59:39 -0600
From: Tillman
To: "Simon L. Nielsen", freebsd-doc@FreeBSD.org, freebsd-security@FreeBSD.org
Message-ID: <20030805115939.Y21076@seekingfire.com>
In-Reply-To: <20030805171153.GC504@FreeBSD.org>
Subject: Re: Kerberos in the handbook

On Tue, Aug 05, 2003 at 07:11:55PM +0200, Simon L. Nielsen wrote:
> On 2003.08.05 10:43:09 -0600, Tillman wrote:
>
> > Is anyone currently working on updating the Kerberos documentation in
> > the Handbook? if so, I'd like to help. If not, I'm hoping to find
> > someone who can get me up to speed on the FreeBSD docbook extensions :-)
>
> Have a look at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/fdp-primer/ and if you
> have any questions with regards to SGML/DocBook the
> freebsd-doc@freebsd.org mailing list can help.

I've read the fdp-primer and find it's a great document. I tend to work
best (think best?) in LaTeX and am finding docbook different enough to
need serious study. I've now subscribed to freebsd-doc@.

> Any further discussion of updating the Kerberos chapter, should probably
> be moved to -doc where it's more on-topic.

Good point. I'll move this over to -doc.

-T

--
Belief gets in the way of learning.
- Robert Heinlein

From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 11:12:28 2003
Date: Tue, 05 Aug 2003 11:07:05 -0700
From: Colin Percival
To: freebsd-security@freebsd.org
In-reply-to: <69C7377D-C75D-11D7-9563-00039375B178@gizmopartners.com>
Message-id: <5.0.2.1.1.20030805110111.02c9d4e8@popserver.sfu.ca>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

At 10:56 05/08/2003 -0500, Chris Boyd wrote:
>When
I do the update on a 4.8-RELEASE box, should all the files noted be >replaced? On my two test machines, only /usr/libexec/sftp-server was >replaced. Both machines are running custom kernels, but I've never built >world or used the free-bsd update before on them. I was just about to send out an email asking if anyone had seen that -- I've seen (in the server logs) a few machines do that, and I have no idea why (most machines are updating properly). I'll take this to private email, but if anyone else has seen any behaviour from FreeBSD Update which looks odd, please contact me. Colin Percival From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 11:40:06 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AC6037B401; Tue, 5 Aug 2003 11:40:06 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F89343FBD; Tue, 5 Aug 2003 11:40:03 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id E220B54840; Tue, 5 Aug 2003 13:40:02 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 690FE6D455; Tue, 5 Aug 2003 13:40:02 -0500 (CDT) Date: Tue, 5 Aug 2003 13:40:02 -0500 From: "Jacques A. 
Vidrine" To: Lewis Watson Message-ID: <20030805184002.GA14737@madman.celabo.org> References: <200308051202.h75C2e6S072245@freefall.freebsd.org> <01b201c35b72$cdcb7bd0$df0a0a0a@vsis169> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <01b201c35b72$cdcb7bd0$df0a0a0a@vsis169> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: security-advisories@freebsd.org cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 18:40:06 -0000 On Tue, Aug 05, 2003 at 11:58:33AM -0500, Lewis Watson wrote: > I have upgraded my 4.8 box to 4.8 p1. How do I verify what applications > need to be patched Recompiling static applications is the only sure-fire way. You may be able to use ident(1) to determine if a statically-linked application uses realpath, but probably not. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . 
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 11:51:17 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D7C4837B401 for ; Tue, 5 Aug 2003 11:51:17 -0700 (PDT) Received: from mx7.roble.com (mx7.roble.com [206.40.34.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id 89BB443FB1 for ; Tue, 5 Aug 2003 11:51:17 -0700 (PDT) (envelope-from marquis@roble.com) Date: Tue, 5 Aug 2003 11:51:17 -0700 (PDT) From: Roger Marquis To: freebsd-security@freebsd.org In-Reply-To: <20030805155842.6D55937B405@hub.freebsd.org> References: <20030805155842.6D55937B405@hub.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-Id: <20030805185117.41860DAC5F@mx7.roble.com> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 18:51:18 -0000 Mike Hoskins wrote: >... but I can also see KISS. If you add more data than >absolutely needed, confusion may also arise... > >> I think that if one takes the `Affects' lines (and the rest of the >> advisory) at face value, without second-guessing, that it is crystal >> clear what versions of FreeBSD are affected. Along those lines it might be worth moving Affects: to the top of advisories page format, ahead of Credits:, Announced:, Module:, and Category:. A "REL-Advisories" list would also be helpful to those of us who don't use beta releases (aka -STABLE). 
-- Roger Marquis Roble Systems Consulting http://www.roble.com/ From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 12:07:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 16AA237B401 for ; Tue, 5 Aug 2003 12:07:03 -0700 (PDT) Received: from mail.takas.lt (mail-src.takas.lt [212.59.31.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id C251143F75 for ; Tue, 5 Aug 2003 12:07:01 -0700 (PDT) (envelope-from stakys@punktas.lt) Received: from ss ([81.7.111.26]) by mail.takas.lt with Microsoft SMTPSVC(5.0.2195.5329); Tue, 5 Aug 2003 22:07:00 +0300 Message-ID: <02a101c35b84$bc567820$0900a8c0@ss> From: "stakys" To: "Konstantin M Volevatch" , References: <53210.81.7.109.95.1060089623.squirrel@mail.impress.lt> <200308051631.52531.cox@rosnet.ru> <016101c35b60$56a9c320$0900a8c0@ss> <200308052214.39994.cox@rosnet.ru> Date: Tue, 5 Aug 2003 22:06:54 +0300 MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-OriginalArrivalTime: 05 Aug 2003 19:07:00.0579 (UTC) FILETIME=[BFA83B30:01C35B84] Subject: Re: Problems with JAIL in 4.8R X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 19:07:03 -0000 I've tried and didn't help... Now i know that its really not firewalls problem:/ Got any ideas how to solve this ? 
----- Original Message ----- From: "Konstantin M Volevatch" To: "stakys" ; Sent: Tuesday, August 05, 2003 9:14 PM Subject: Re: Problems with JAIL in 4.8R > Sorry, use rule: > ipfw add 52 allow tcp from any to JAIL_IP 22 > instead my previous reccomendation, becourse 'me' does not include aliased IP > > ÷ ÓÏÏÂÝÅÎÉÉ ÏÔ 5 á×ÇÕÓÔ 2003 18:46 stakys ÎÁÐÉÓÁÌ: > > Mayby i have to add some rules to ipfw to that rl0 alias somehow? I dont > > know how to add rule for rl0 alias, to allow all traffic. Because if just > > adding rules for rl0 it do not helps. > > ----- Original Message ----- > > From: "Konstantin M Volevatch" > > To: ; > > Sent: Tuesday, August 05, 2003 3:31 PM > > Subject: Re: Problems with JAIL in 4.8R > > > > > Try this: > > > ipfw add 52 allow ip from any to me via rl0 > > -- > Konstantin M. Volevatch > Internet Service Division, RosNet JSC, Moscow > [095] 755 85 94 [local:4341] > From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 12:39:36 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C845837B401; Tue, 5 Aug 2003 12:39:36 -0700 (PDT) Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id B648643F85; Tue, 5 Aug 2003 12:39:35 -0700 (PDT) (envelope-from simon@arthur.nitro.dk) Received: by arthur.nitro.dk (Postfix, from userid 1000) id 1E9BA10BF82; Tue, 5 Aug 2003 21:39:34 +0200 (CEST) Date: Tue, 5 Aug 2003 21:39:34 +0200 From: "Simon L. 
Nielsen" To: David.E.Tweten@nasa.gov Message-ID: <20030805193932.GA9631@FreeBSD.org> References: <88080.1060111084@gilmore.nas.nasa.gov> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="h31gzZEtNLTqOjlF" Content-Disposition: inline In-Reply-To: <88080.1060111084@gilmore.nas.nasa.gov> User-Agent: Mutt/1.5.4i cc: freebsd-security@freebsd.org cc: freebsd-doc@freebsd.org Subject: Re: Security-officer PGP Key? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 19:39:37 -0000 --h31gzZEtNLTqOjlF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2003.08.05 12:18:04 -0700, Dave Tweten wrote: > I just received a PGP signed message, supposedly from=20 > security-officer@freebsd.org, for which I did not have the matching publi= c=20 > key. Reflexively, I fetched it, and then began looking into it with an= =20 > eye toward signing it so PGP would no longer call it "untrusted." >=20 > To my shock, I found I had two public keys for security-officer, one=20 > vintage 4/22/1996, =46rom: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pgpkeys.html#PGPK= EYS-OFFICERS pub 1024D/CA6CDFB2 2002-08-27 FreeBSD Security Officer Key fingerprint =3D C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C DFB2 sub 2048g/A3071809 2002-08-27 pub 1024R/73D288A5 1996-04-22 FreeBSD Security Officer (Deprecated key) Key fingerprint =3D 41 08 4E BB DB 41 60 71 F9 E5 0E 98 73 AF 3F 11 uid FreeBSD Security Officer I just checked that the the announcment I recieved was signed with CA6CDFB2 which is listed as the current key. The new key CA6CDFB2 is, among others, signed by the old key 73D288A5. 
> My next step was to check the list of valid keys at the back of the=20 > FreeBSD Handbook. Further shock. It lists the 4/22/1996 key and not the= =20 > more recent one just downloaded. I immediately deleted the more recent= =20 > key, and drafted this message. Which exact handbook version are you refering to? Everything looks OK to me. --=20 Simon L. Nielsen FreeBSD Documentation Team --h31gzZEtNLTqOjlF Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/MAf0h9pcDSc1mlERAsxHAJ0ZHg6CaAuyE49xgZ/enel2Go7N3gCdHX7c VbQ2yOdY33ToO0k0oYjFUb4= =fxGg -----END PGP SIGNATURE----- --h31gzZEtNLTqOjlF-- From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 14:32:06 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E0E7237B401 for ; Tue, 5 Aug 2003 14:32:06 -0700 (PDT) Received: from web10104.mail.yahoo.com (web10104.mail.yahoo.com [216.136.130.54]) by mx1.FreeBSD.org (Postfix) with SMTP id 8676243F3F for ; Tue, 5 Aug 2003 14:32:06 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20030805213206.60517.qmail@web10104.mail.yahoo.com> Received: from [68.5.49.41] by web10104.mail.yahoo.com via HTTP; Tue, 05 Aug 2003 14:32:06 PDT Date: Tue, 5 Aug 2003 14:32:06 -0700 (PDT) From: twig les To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: killing UUCP X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 21:32:07 -0000 Hey *, I'm getting an audit coming down the pipes and I have 2 4.6 release boxes to clean up. I say "clean up" because they have some requirements that I missed despite due diligence. 
My specific question is: To what extent can I get rid of UUCP? Aside from the SUID/SGID stuff that pops up via my finds, I simply see no reason to have any UUCP stuff on these boxes. Is this stuff simply around because it is legacy and turned off so it's a low priority? ===== ----------------------------------------------------------- Emo is what happens when the glee club goes punk. ----------------------------------------------------------- __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 16:57:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5C2A637B401 for ; Tue, 5 Aug 2003 16:57:24 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id F197E43F75 for ; Tue, 5 Aug 2003 16:57:23 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id E5CFB15256; Tue, 5 Aug 2003 16:57:23 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id E36D71524D for ; Tue, 5 Aug 2003 16:57:23 -0700 (PDT) Date: Tue, 5 Aug 2003 16:57:23 -0700 (PDT) From: Mike Hoskins To: security@freebsd.org In-Reply-To: <20030805213206.60517.qmail@web10104.mail.yahoo.com> Message-ID: <20030805164850.C6218@fubar.adept.org> References: <20030805213206.60517.qmail@web10104.mail.yahoo.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: killing UUCP X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Aug 2003 23:57:24 -0000 On Tue, 5 Aug 2003, twig les wrote: > Aside from the 
SUID/SGID stuff that pops up via my finds, I > simply see no reason to have any UUCP stuff on these boxes. Is > this stuff simply around because it is legacy and turned off so > it's a low priority? i may just be thinking of another case, or not thinking at all... but i recall buildworld issues if certain users weren't in the password file. (granted, this memory is coming from 2-3 years ago.) as a result, i've always just removed the SUID/SGID bits and pointed the uucp user's shell to nologin. i would also clean uucppublic, in particular, as it can create a local DoS of sorts... providing a world-writable place for local users to fill /var (bad if your logs go there too). however, now that make.conf has, #NOUUCP= true # do not build uucp related programs you may be able to define that and do away with the user all together. someone else can confirm (i've built with NOUUCP=true, but i have not tried deleting the uucp user.) -mrh -- From: "Spam Catcher" To: spam-catcher@adept.org Do NOT send email to the address listed above or you will be added to a blacklist! 
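An added example, not code from the thread or from FreeBSD, covering the clean-up Mike's reply describes: find the SUID/SGID files (optionally only those owned by a given user such as uucp) and the world-writable directories such as uucppublic that let any local user fill /var, strip the bits, and check that the pseudo-user's shell is a non-login one. Function names, the output format and the sample passwd lines are my own; the script assumes paths without spaces and uses only POSIX sh, find(1) and ls(1), so it runs unchanged on a FreeBSD 4.x box or a current host.

```shell
#!/bin/sh
# Added example, not from the list thread: an audit for the two clean-up
# targets Mike Hoskins' reply names, SUID/SGID binaries (the uucp ones in
# particular) and world-writable directories such as uucppublic that let any
# local user fill a filesystem.  POSIX sh, find(1) and ls(1) only, so it runs
# unchanged on FreeBSD 4.x or a current system.  Paths containing spaces are
# not handled (assumption: none under /usr or /var on a base system).

# audit_tree ROOT [USER]
# Prints one finding per line: "<kind> <mode> <owner> <path>", where kind is
# setuid, setgid or worldwritable-dir.  With USER given, the SUID/SGID search
# is limited to files owned by USER (e.g. uucp); world-writable directories
# are always reported, sticky bit or not, since sticky only stops deletion.
audit_tree() {
    _root=$1
    _owner=${2:-}
    # -perm -4000 / -2000 means "has at least this bit"; portable spelling.
    if [ -n "$_owner" ]; then
        find "$_root" -xdev -type f -user "$_owner" \
            \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    else
        find "$_root" -xdev -type f \
            \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    fi | sort | while IFS= read -r _f; do
        # ls -ld gives the symbolic mode and owner without stat(1) flags,
        # which differ between BSD and GNU.
        set -- $(ls -ld "$_f")
        _mode=$1
        _who=$3
        # 4th character of the mode string is the owner-execute slot
        # (s/S = setuid), 7th is the group-execute slot (s/S = setgid).
        case $_mode in ???[sS]*)    echo "setuid $_mode $_who $_f" ;; esac
        case $_mode in ??????[sS]*) echo "setgid $_mode $_who $_f" ;; esac
    done
    find "$_root" -xdev -type d -perm -0002 -print 2>/dev/null | sort |
    while IFS= read -r _d; do
        set -- $(ls -ld "$_d")
        echo "worldwritable-dir $1 $3 $_d"
    done
}

# strip_suid_sgid ROOT [USER]
# The fix Mike describes: clear the SUID and SGID bits on every file that
# audit_tree reports.  Prints each path it changed.
strip_suid_sgid() {
    audit_tree "$1" "${2:-}" | while read -r _kind _mode _who _path; do
        case $_kind in
            setuid|setgid)
                if chmod u-s,g-s "$_path"; then echo "$_path"; fi ;;
        esac
    done | sort -u
}

# check_shell PASSWD_FILE USER
# The other half of Mike's fix: the pseudo-user should have a non-login
# shell.  Reads a passwd(5)-format file and prints "ok", "missing" or
# "login-shell <shell>".  (FreeBSD's own way to change it is
# "pw usermod uucp -s /usr/sbin/nologin".)
check_shell() {
    _line=$(grep "^$2:" "$1" 2>/dev/null || true)
    if [ -z "$_line" ]; then
        echo "missing"
        return 0
    fi
    _shell=${_line##*:}
    case $_shell in
        */nologin|*/false) echo "ok" ;;
        *)                 echo "login-shell $_shell" ;;
    esac
}

# Stand-alone use:  sh uucp_audit.sh / uucp
if [ $# -gt 0 ]; then
    audit_tree "$1" "${2:-}"
    check_shell /etc/passwd "${2:-uucp}"
fi
```

Run the audit first and read the list before calling strip_suid_sgid: on a base system plenty of SUID files outside UUCP are meant to stay that way, so pass the user name to confine the change to the uucp-owned ones.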
From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 16:59:46 2003
From: Kris Kennaway
To: Oleg Shevtsov
Cc: security@freebsd.org
Date: Tue, 5 Aug 2003 16:59:25 -0700
Subject: Re: Direct access to SCSI cdrw

On Tue, Aug 05, 2003 at 07:05:47PM +0300, Oleg Shevtsov wrote:
> Hello,
>
> I tried to install Yamaha cdrw at FreeBSD 5.1.
> At 4.8 stable all was Ok.
> Now I have in kernel configuration sym device.
> But cdrecord shows message "No such file or directory.
> Cannot open SCSI driver".
> Maybe I must have /dev/sym0 device or something else?
> If yes, then how to create it with help of devfs?
> There is not much info in devfs's manual.

This has nothing to do with security.

Kris

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 09:29:45 2003
From: Brian Kraemer
To: freebsd-security@freebsd.org
Date: Wed, 6 Aug 2003 09:31:24 -0700 (PDT)
Subject: statically compiled files left over after a 'make world'

Hello,

I recently did a 'make world' to update my base system due to the realpath bug. After that finished, I noticed that I still had the following statically compiled binaries lying around that did not get updated during a 'make world'. I track 4-STABLE.

/usr/bin/miniperl
/sbin/mount_kernfs
/sbin/mount_devfs
/sbin/modunload
/sbin/modload
/sbin/ft
/stand/boot_crunch
/stand/find
/stand/sed
/stand/test
/stand/pwd
/stand/ppp
/stand/newfs
/stand/minigzip
/stand/cpio
/stand/bad144
/stand/fsck
/stand/ifconfig
/stand/route
/stand/slattach
/stand/mount_nfs
/stand/dhclient
/stand/arp
/stand/gzip
/stand/gunzip
/stand/zcat
/stand/-sh
/stand/[
/stand/sh

Since they were not updated during a 'make world', does that mean that they are deprecated and can be safely removed?

If not, why weren't they updated during a 'make world'? Is it a security risk having them stick around since they haven't been re-linked against the new libc?

Thanks,
-Brian

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 09:53:00 2003
From: "George Barnett"
To: "Mike Hoskins"
Date: Wed, 6 Aug 2003 17:54:21 +0100
Subject: Re: killing UUCP

From: "Mike Hoskins"
> i may just be thinking of another case, or not thinking at all... but i
> recall buildworld issues if certain users weren't in the password file.
> (granted, this memory is coming from 2-3 years ago.) as a result, i've

This is true - a buildworld fails if there's no uucp user (I got caught out some time back):

[mail] /dev $ ls -l | grep uucp
crw-rw----  1 uucp  dialer   28, 128 Jan  2  1999 cuaa0
crw-rw----  1 uucp  dialer   28, 129 Jan  2  1999 cuaa1
crw-rw----  1 uucp  dialer   28, 130 Jan  2  1999 cuaa2
crw-rw----  1 uucp  dialer   28, 131 Jan  2  1999 cuaa3
crw-rw----  1 uucp  dialer   28, 160 Jan  2  1999 cuaia0
crw-rw----  1 uucp  dialer   28, 161 Jan  2  1999 cuaia1
crw-rw----  1 uucp  dialer   28, 162 Jan  2  1999 cuaia2
crw-rw----  1 uucp  dialer   28, 163 Jan  2  1999 cuaia3
crw-rw----  1 uucp  dialer   28, 192 Jan  2  1999 cuala0
crw-rw----  1 uucp  dialer   28, 193 Jan  2  1999 cuala1
crw-rw----  1 uucp  dialer   28, 194 Jan  2  1999 cuala2
crw-rw----  1 uucp  dialer   28, 195 Jan  2  1999 cuala3
crw-rw----  1 uucp  dialer  124,   0 Jan  2  1999 umodem0

Cheers
--george

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 10:02:47 2003
From: bks10@cornell.edu
To: Brian Kraemer
Cc: freebsd-security@freebsd.org
Date: Wed, 6 Aug 2003 13:02:43 -0400 (EDT)
Subject: Re: statically compiled files left over after a 'make world'

If you track 4-STABLE you have nothing to worry about anyway. The bug did not affect 4-STABLE, only 4.8, 4.7, etc...

Peace.

On Wed, 6 Aug 2003, Brian Kraemer wrote:
> Hello,
>
> I recently did a 'make world' to update my base system due to the realpath
> bug. After that finished, I noticed that I still had the following
> statically compiled binaries lying around that did not get updated during
> a 'make world'. I track 4-STABLE.
>
> /usr/bin/miniperl
> /sbin/mount_kernfs
> /sbin/mount_devfs
> /sbin/modunload
> /sbin/modload
> /sbin/ft
> /stand/boot_crunch
> /stand/find
> /stand/sed
> /stand/test
> /stand/pwd
> /stand/ppp
> /stand/newfs
> /stand/minigzip
> /stand/cpio
> /stand/bad144
> /stand/fsck
> /stand/ifconfig
> /stand/route
> /stand/slattach
> /stand/mount_nfs
> /stand/dhclient
> /stand/arp
> /stand/gzip
> /stand/gunzip
> /stand/zcat
> /stand/-sh
> /stand/[
> /stand/sh
>
> Since they were not updated during a 'make world', does that mean that
> they are deprecated and can be safely removed?
>
> If not, why weren't they updated during a 'make world'? Is it a security
> risk having them stick around since they haven't been re-linked against the
> new libc?
>
> Thanks,
>
> -Brian

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 10:30:02 2003
From: Erick Mechler
To: Brian Kraemer
Cc: freebsd-security@freebsd.org
Date: Wed, 6 Aug 2003 10:29:59 -0700
Subject: Re: statically compiled files left over after a 'make world'

:: Since they were not updated during a 'make world', does that mean that
:: they are deprecated and can be safely removed?

The files in /stand/ aren't installed when doing a 'make world'. You have to go into /usr/sys/release/sysinstall/ and do a 'make all install' after your system is back up to update those files. See section 21.4.12 of the Handbook.

Cheers - Erick

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 11:23:10 2003
From: Matthew Seaman
To: bks10@cornell.edu
Cc: freebsd-security@freebsd.org
Date: Wed, 6 Aug 2003 19:22:49 +0100
Subject: Re: statically compiled files left over after a 'make world'

On Wed, Aug 06, 2003 at 01:02:43PM -0400, bks10@cornell.edu wrote:
> If you track 4-STABLE you have nothing to worry about anyway. The bug did
> not affect 4-STABLE, only 4.8, 4.7, etc...

Incorrect. It says very plainly in the advisory:

    FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC

and it also affected all releases made prior to that date. That is, all releases except 5.1-RELEASE which came out after the correction was made to the sources.

> Peace.
>
> On Wed, 6 Aug 2003, Brian Kraemer wrote:
>
> > Hello,
> >
> > I recently did a 'make world' to update my base system due to the realpath
> > bug. After that finished, I noticed that I still had the following
> > statically compiled binaries lying around that did not get updated during
> > a 'make world'. I track 4-STABLE.
> >
> > /usr/bin/miniperl
> > /sbin/mount_kernfs
> > /sbin/mount_devfs
> > /sbin/modunload
> > /sbin/modload
> > /sbin/ft

miniperl is (clearly) part of perl 5.005.03 -- as far as I can remember, it's only needed during the compilation of perl in order to bootstrap the compilation of the various loadable modules. mount_kernfs and mount_devfs have been removed from stable -- mount_kernfs went fairly recently as I remember. Similarly modunload, modload and ft are no longer present on a recent 4-STABLE system. So, yes, all of those can be removed safely.

> > /stand/boot_crunch
> > /stand/find
> > /stand/sed
> > /stand/test
> > /stand/pwd
> > /stand/ppp
> > /stand/newfs
> > /stand/minigzip
> > /stand/cpio
> > /stand/bad144
> > /stand/fsck
> > /stand/ifconfig
> > /stand/route
> > /stand/slattach
> > /stand/mount_nfs
> > /stand/dhclient
> > /stand/arp
> > /stand/gzip
> > /stand/gunzip
> > /stand/zcat
> > /stand/-sh
> > /stand/[
> > /stand/sh

As other posters have said, you need to update /stand separately from the rest of the system. Note that all of those files should be hard linked together -- if you run

    ls -lai /stand

you should see that they all share the same inode number. You may need to fix up that linkage manually after rebuilding /stand/sysinstall.

> > Since they were not updated during a 'make world', does that mean that
> > they are deprecated and can be safely removed?
> > If not, why weren't they updated during a 'make world'? Is it a security
> > risk having them stick around since they haven't been re-linked against the
> > new libc?

In general, the most effective way of finding files that have become surplus to requirements over time is, as you have noted, to do a fresh 'make installworld' and hunt for files with timestamps older than the rest. Even so, you need to apply a little discretion rather than automatically deleting any older files. Or make sure you have good backups readily available...

One important point: before starting on such an exercise, you need to make sure that you haven't set:

    INSTALL=install -C

in /etc/make.conf -- that would cause install(1) to avoid overwriting any files which were identical to what would be installed. In that case, any statically linked binary that used the realpath(3) function would necessarily be different to a version compiled before the fix, and so certainly would have been replaced. Conversely, a dynamically linked binary might not have been updated, even if it did use realpath(3), as the applicable realpath(3) code would only affect the shared library.

As to the files being a security risk -- potentially yes, but this bug does take some effort to exploit: not all programs that use realpath(3) may be exploitable, and in general, unless the programs are SUID or SGID or accessible remotely (ie. by users without a login on the system) the impact of exploiting the buffer overrun is not going to allow the attacker to achieve significant privilege escalation. In this case, subverting one of the programs under /stand would gain the attacker nothing more than he could gain by simply running /stand/sh directly.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 12:33:48 2003
Date: Wed, 6 Aug 2003 14:34:28 -0500
Subject: RE: statically compiled files left over after a 'make world'

I'm not sure that answered his question. I believe the issue is that there
are OS programs that are not compiled/recompiled during a make world, and
so what does that mean? Does it mean they are no longer needed and can be
safely removed? I'm thinking that is not the case.

I have a single script that does a CVSup (tag=.), then does a buildworld
and installworld, then does a buildkernel and installkernel, then reboots
the system. In theory, everything on my system should be completely rebuilt
after this process (which starts every Saturday evening at 10pm). When I
check on Monday morning, I see the kernel is compiled the past weekend,
etc., so I'm a happy guy.

When I got this message, I did a check, and I found that 3 mount_XXX files
have not been changed since my initial installation date, and that a whole
slew of items in /stand have various other dates. I can deal with the help
files having their original date, but the programs are still based upon my
initial install date.

I'm not sure if there is a "deal" to be made over this, but the question
still remains. What do you do with those programs that have not been
rebuilt in a buildworld? Are they security risks? Are they simply things
missed in the make, and someone needs to add them in?

The impression I have is that anything not rebuilt after the above process
is an error condition that should be addressed. Am I wrong?

Lee

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org]On Behalf Of bks10@cornell.edu
Sent: Wednesday, 06 August 2003 12:03
To: Brian Kraemer
Cc: freebsd-security@freebsd.org
Subject: Re: statically compiled files left over after a 'make world'

If you track 4-STABLE you have nothing to worry about anyway. The bug did
not affect 4-STABLE, only 4.8, 4.7, etc...

Peace.

On Wed, 6 Aug 2003, Brian Kraemer wrote:

> Hello,
>
> I recently did a 'make world' to update my base system due to the realpath
> bug. After that finished, I noticed that I still had the following
> statically compiled binaries laying around that did not get updated during
> a 'make world'. I track 4-STABLE.
>
> /usr/bin/miniperl
> /sbin/mount_kernfs
> /sbin/mount_devfs
> /sbin/modunload
> /sbin/modload
> /sbin/ft
> /stand/boot_crunch
> /stand/find
> /stand/sed
> /stand/test
> /stand/pwd
> /stand/ppp
> /stand/newfs
> /stand/minigzip
> /stand/cpio
> /stand/bad144
> /stand/fsck
> /stand/ifconfig
> /stand/route
> /stand/slattach
> /stand/mount_nfs
> /stand/dhclient
> /stand/arp
> /stand/gzip
> /stand/gunzip
> /stand/zcat
> /stand/-sh
> /stand/[
> /stand/sh
>
> Since they were not updated during a 'make world', does that mean that
> they are deprecated and can be safely removed?
>
> If not, why weren't they updated during a 'make world'? Is it a security
> risk having them stick around since they haven't been re-linked against the
> new libc?
>
> Thanks,
>
> -Brian
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 15:00:55 2003
Date: 06 Aug 2003 18:00:49 -0400
From: Lowell Gilbert
To: freebsd@critesclan.com
cc: freebsd-security@freebsd.org
Message-ID: <44llu6v432.fsf@be-well.ilk.org>
Subject: Re: statically compiled files left over after a 'make world'

freebsd@critesclan.com writes:

> I'm not sure if there is a "deal" to be made over this, but the question
> still remains. What do you do with those programs that have not been rebuilt
> in a buildworld? Are they security risks? Are they simply things missed in
> the make, and someone needs to add them in?
>
> The impression I have is that anything not rebuilt after the above process
> is an error condition that should be addressed. Am I wrong?

With a couple of exceptions, you're right. The exceptions, however, are
important.

One is programs that weren't in the base system to begin with; there are
again two types of these: those that have been mistakenly installed to
base system directories (this occasionally happens with broken ports), and
/stand, which is installed by the initial install but is not part of the
base system (if you want an updated version, you have to build it
separately).

The other exception is things that *used* to be in the base system, but
have been removed. These (an example is kernfs support) can be safely
removed, but there is currently no mechanism to do so automatically.
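The two checks discussed above, Matthew Seaman's "hunt for files with timestamps older than the rest" after a fresh installworld and his note that every name under /stand should share one inode, together with Lowell Gilbert's point that what turns up is a list to review rather than to delete, can be scripted. The following is an added example, not code from any poster or from FreeBSD. It assumes a timestamp file touched just before installworld (or a binary installworld just wrote) serves as the age reference; the function names, the miniature root built under mktemp and the file names in it are constructed for the demonstration and never touch the real system.

```shell
#!/bin/sh
# Added example, not from the thread. Two post-installworld checks:
#  1. list files not newer than a reference timestamp (things installworld
#     never touched: /stand, tools removed from the base system, leftovers
#     from broken ports) -- candidates for review, not for blind deletion;
#  2. count distinct inodes in a /stand-style directory, where every tool
#     name should be a hard link to the single crunched binary.
# Caveat from the thread: with INSTALL="install -C" in /etc/make.conf,
# unchanged files keep their old timestamps and show up in list 1 as well.

# Print regular files under root $1 not newer than reference file $2,
# excluding the reference itself.  Run `touch /var/tmp/stamp` before
# installworld and pass that stamp, or pass a binary it just installed.
stale_files() {
    find "$1" -type f ! -newer "$2" -print | awk -v ref="$2" '$0 != ref' | sort
}

# Print the number of distinct inodes among the regular files in $1.
# For a crunched /stand this should be 1; anything larger means the
# hard-link set was broken (e.g. a rebuilt copy landed beside the old one).
distinct_inodes() {
    find "$1" -type f -exec ls -li {} + | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sandbox: a miniature root with "fresh" files, a "stale"
# leftover, and a fake crunched /stand whose names are hard links to one
# file.  Prints the root directory it created.
demo_setup() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/sbin" "$d/stand"
    touch -t 200308070000 "$d/.stamp"                  # taken before "installworld"
    printf 'fresh\n' > "$d/bin/sh"
    printf 'fresh\n' > "$d/sbin/mount"
    touch -t 200308071200 "$d/bin/sh" "$d/sbin/mount"  # written by "installworld"
    printf 'old\n' > "$d/sbin/mount_kernfs"             # removed from base, never rebuilt
    printf 'crunch\n' > "$d/stand/sh"
    for n in find sed test pwd; do ln "$d/stand/sh" "$d/stand/$n"; done
    touch -t 200301010000 "$d/sbin/mount_kernfs" "$d/stand/sh"  # initial-install dates
    printf '%s\n' "$d"
}

root=$(demo_setup)
echo "Files not newer than the stamp (review, do not delete blindly):"
stale_files "$root" "$root/.stamp"
echo "Distinct inodes in $root/stand: $(distinct_inodes "$root/stand")"
rm -rf "$root"
```

On a real system the calls would be `stale_files / /var/tmp/stamp` and `distinct_inodes /stand`; the first list is the starting point for the "little discretion" the thread asks for, and a count above 1 from the second is the cue to fix up the /stand linkage by hand after rebuilding it.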
From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 15:39:57 2003
Date: Wed, 6 Aug 2003 15:39:55 -0700 (PDT)
From: Jason Stone
To: freebsd-security@freebsd.org
Message-ID: <20030806140451.J3417@walter>
Subject: RE: statically compiled files left over after a 'make world'

> > /usr/bin/miniperl
> > /sbin/mount_kernfs
> > /sbin/mount_devfs
> > /sbin/modunload
> > /sbin/modload
> > /sbin/ft

> I'm not sure that answered his question. I believe the issue is that
> there are os programs that are not compiled/recompiled during a make
> world, and so what does that mean. Does it mean they are no longer
> needed and can be safely removed?

miniperl and kernfs are definitely deprecated and should be removed - not
sure about the others in /sbin, but I would guess that they too are
deprecated. /stand, as already mentioned, comes from src/release and is
not built during a buildworld.

Something that I have long thought would be a good idea is some mechanism
for having installworld (or maybe mergemaster) remove deprecated files.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 17:02:27 2003
Date: Wed, 6 Aug 2003 20:02:49 -0400 (EDT)
From: Francisco Reyes
To: FreeBSD Security List
Message-ID: <20030806195732.U69121@zoraida.natserv.net>
Subject: Checking realpath file up to date

On the advisory about the realpath problem it says that it was corrected:

RELENG_4_8
  src/UPDATING                     1.73.2.80.2.3
  src/lib/libc/stdlib/realpath.c   1.9.14.1
  src/sys/conf/newvers.sh          1.44.2.29.2.2

I ran cvsup and when I look at my src/lib/libc/stdlib/realpath.c I see

  src/lib/libc/stdlib/realpath.c,v 1.9.2.2 2003/06/02

and the date is 6-24.

That version is higher than the one said to have been corrected on 8-3
(1.9.14.1), but the file is from 6-24. Did I cvsup an old file?

Got my sources from cvsup16.

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 17:08:33 2003
Date: Wed, 06 Aug 2003 17:08:11 -0700
From: Colin Percival
To: Francisco Reyes, FreeBSD Security List
In-reply-to: <20030806195732.U69121@zoraida.natserv.net>
Message-id: <5.0.2.1.1.20030806170555.02cc8cf0@popserver.sfu.ca>
Subject: Re: Checking realpath file up to date

At 20:02 06/08/2003 -0400, Francisco Reyes wrote:
>I ran cvsup and when I look at my src/lib/libc/stdlib/realpath.c I see
>src/lib/libc/stdlib/realpath.c,v 1.9.2.2 2003/06/02
>and the date is 6-24.
>
>That version is higher than the one said to have been corrected on 8-3
>(1.9.14.1), but the file is from 6-24. Did I cvsup an old file?

1.9.2.2 is on RELENG_4 (aka 4-STABLE). It has the bugfix, but it might
not be the version you're looking for.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 17:12:51 2003
Date: Wed, 6 Aug 2003 20:13:14 -0400 (EDT)
From: Francisco Reyes
To: Colin Percival
cc: FreeBSD Security List
In-Reply-To: <5.0.2.1.1.20030806170555.02cc8cf0@popserver.sfu.ca>
Message-ID: <20030806201241.U69121@zoraida.natserv.net>
Subject: Re: Checking realpath file up to date

On Wed, 6 Aug 2003, Colin Percival wrote:

> 1.9.2.2 is on RELENG_4 (aka 4-STABLE). It has the bugfix, but it might
> not be the version you're looking for.
> Colin Percival

What do you mean it might not be the version I am looking for?

From owner-freebsd-security@FreeBSD.ORG Wed Aug 6 19:07:24 2003
Date: Wed, 6 Aug 2003 21:07:22 -0500
From: "Jacques A. Vidrine"
To: Francisco Reyes
cc: FreeBSD Security List
Message-ID: <20030807020722.GA78718@madman.celabo.org>
In-Reply-To: <20030806195732.U69121@zoraida.natserv.net>
Subject: Re: Checking realpath file up to date

On Wed, Aug 06, 2003 at 08:02:49PM -0400, Francisco Reyes wrote:
> On the advisory about the realpath problem it says that it was corrected:
> RELENG_4_8
> src/UPDATING 1.73.2.80.2.3
> src/lib/libc/stdlib/realpath.c 1.9.14.1
> src/sys/conf/newvers.sh 1.44.2.29.2.2
>
> I ran cvsup and when I look at my src/lib/libc/stdlib/realpath.c I see
> src/lib/libc/stdlib/realpath.c,v 1.9.2.2 2003/06/02
> and the date is 6-24.

Sounds like you cvsup'd RELENG_4, not RELENG_4_8.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 00:40:38 2003
Date: Thu, 7 Aug 2003 10:40:35 +0300
From: Paulius Bulotas
To: freebsd-security@freebsd.org
Message-ID: <20030807074035.GA90819@kaktusas.org>
Subject: Re: statically compiled files left over after a 'make world'

Hello,

what about make variable INSTALL in /etc/make.conf:

    #INSTALL=install -C

IMO, if you have it uncommented, then it's possible that you will get
more unchanged files after installworld and delete some useful files.
Of course, -C is not the default and I doubt anyone needs it (or someone
explain why ;)

Regards,
Paulius

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 01:49:45 2003
Date: Thu, 7 Aug 2003 09:49:30 +0100
From: Matthew Seaman
To: freebsd-security@freebsd.org
Message-ID: <20030807084930.GA36595@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030807074035.GA90819@kaktusas.org>
Subject: Re: statically compiled files left over after a 'make world'
posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 08:49:45 -0000 --PEIAKu/WMn1b1Hv9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 07, 2003 at 10:40:35AM +0300, Paulius Bulotas wrote: > Hello, >=20 > what about make variable INSTALL in /etc/make.conf: > #INSTALL=3Dinstall -C >=20 > IMO, if you have it uncommented, then it's possible, that you will get > more unchanged files after installworld and delete some useful files. > Of course, -C is not the default and I doubt anyone needs it (or someone > explain why ;) The most useful thing that the -C option gets you is that it helps you avoid making unnecessary backup copies of most of the system when you're using an incremental backup scheme. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --PEIAKu/WMn1b1Hv9 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/MhKadtESqEQa7a0RAh7CAJ9e3ol/Zluh2qJmwHjGVO24+6dFggCeO0n3 fXNb3tl+x73/hpjoq5u7keE= =ceFQ -----END PGP SIGNATURE----- --PEIAKu/WMn1b1Hv9-- From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 01:54:49 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BCD8637B401 for ; Thu, 7 Aug 2003 01:54:49 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id A3C2B43F75 for ; Thu, 7 Aug 2003 01:54:46 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 5670 invoked from network); 7 Aug 2003 08:46:21 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 7 Aug 2003 
08:46:21 -0000 Received: (qmail 46652 invoked by uid 1000); 7 Aug 2003 08:54:44 -0000 Date: Thu, 7 Aug 2003 11:54:43 +0300 From: Peter Pentchev To: freebsd-security@freebsd.org Message-ID: <20030807085443.GH358@straylight.oblivion.bg> Mail-Followup-To: freebsd-security@freebsd.org References: <20030807074035.GA90819@kaktusas.org> <20030807084930.GA36595@happy-idiot-talk.infracaninophile.co.uk> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="y06s9PvpQ1Ch5mdL" Content-Disposition: inline In-Reply-To: <20030807084930.GA36595@happy-idiot-talk.infracaninophile.co.uk> User-Agent: Mutt/1.5.4i Subject: Re: statically compiled files left over after a 'make world' X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 08:54:50 -0000 --y06s9PvpQ1Ch5mdL Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 07, 2003 at 09:49:30AM +0100, Matthew Seaman wrote: > On Thu, Aug 07, 2003 at 10:40:35AM +0300, Paulius Bulotas wrote: > > Hello, > >=20 > > what about make variable INSTALL in /etc/make.conf: > > #INSTALL=3Dinstall -C > >=20 > > IMO, if you have it uncommented, then it's possible, that you will get > > more unchanged files after installworld and delete some useful files. > > Of course, -C is not the default and I doubt anyone needs it (or someone > > explain why ;) >=20 > The most useful thing that the -C option gets you is that it helps you > avoid making unnecessary backup copies of most of the system when > you're using an incremental backup scheme. Also, it reduces the list of different files produced by the daily security check scripts to the actually changed files only. 
G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If this sentence didn't exist, somebody would have invented it. --y06s9PvpQ1Ch5mdL Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/MhPT7Ri2jRYZRVMRAvmDAJ4/I3CIs2huewKZOlRXBOqEpoEsXwCgkesP 8YuPFkgAn4dngGWW1K1Yu8o= =Y71p -----END PGP SIGNATURE----- --y06s9PvpQ1Ch5mdL-- From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 05:50:31 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 148A037B405; Thu, 7 Aug 2003 05:50:31 -0700 (PDT) Received: from mail1.acecape.com (mail1.acecape.com [66.114.74.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B6EE43FB1; Thu, 7 Aug 2003 05:50:29 -0700 (PDT) (envelope-from lists@natserv.com) Received: from p65-147.acedsl.com (p65-147.acedsl.com [66.114.65.147]) by mail1.acecape.com (8.12.9/8.12.9) with ESMTP id h77CoSNL030267; Thu, 7 Aug 2003 08:50:28 -0400 Date: Thu, 7 Aug 2003 08:50:56 -0400 (EDT) From: Francisco Reyes X-X-Sender: fran@zoraida.natserv.net To: "Jacques A. Vidrine" In-Reply-To: <20030807020722.GA78718@madman.celabo.org> Message-ID: <20030807084916.F77388@zoraida.natserv.net> References: <20030806195732.U69121@zoraida.natserv.net> <20030807020722.GA78718@madman.celabo.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: FreeBSD Security List Subject: Re: Checking realpath file up to date X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 12:50:32 -0000 On Wed, 6 Aug 2003, Jacques A. 
Vidrine wrote: > Sounds like you cvsup'd RELENG_4, not RELENG_4_8. I went back to the handbook to read the difference between these two. If I understand correct RELENG_4 is basically the latest of the 4.X branch. The RELENG_# are basically only security patches for a particular 4.# release. Do I understand it correctly? From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 05:57:51 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D090837B401 for ; Thu, 7 Aug 2003 05:57:51 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 1732B43FBF for ; Thu, 7 Aug 2003 05:57:09 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 14164 invoked from network); 7 Aug 2003 12:48:42 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 7 Aug 2003 12:48:42 -0000 Received: (qmail 49754 invoked by uid 1000); 7 Aug 2003 12:57:05 -0000 Date: Thu, 7 Aug 2003 15:57:05 +0300 From: Peter Pentchev To: Francisco Reyes Message-ID: <20030807125705.GO358@straylight.oblivion.bg> Mail-Followup-To: Francisco Reyes , "Jacques A. Vidrine" , FreeBSD Security List References: <20030806195732.U69121@zoraida.natserv.net> <20030807020722.GA78718@madman.celabo.org> <20030807084916.F77388@zoraida.natserv.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="lRMsAdG4hjP4MFkn" Content-Disposition: inline In-Reply-To: <20030807084916.F77388@zoraida.natserv.net> User-Agent: Mutt/1.5.4i cc: "Jacques A. 
Vidrine" cc: FreeBSD Security List
Subject: Re: Checking realpath file up to date
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 12:57:52 -0000

--lRMsAdG4hjP4MFkn
Content-Type: text/plain; charset=windows-1251
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Aug 07, 2003 at 08:50:56AM -0400, Francisco Reyes wrote:
> On Wed, 6 Aug 2003, Jacques A. Vidrine wrote:
>
> > Sounds like you cvsup'd RELENG_4, not RELENG_4_8.
>
>
> I went back to the handbook to read the difference between these two.
> If I understand correct RELENG_4 is basically the latest of the 4.X
> branch. The RELENG_# are basically only security patches for a particular
> 4.# release. Do I understand it correctly?

If you meant RELENG_4_# where you said RELENG_#, then yes, this is correct. The RELENG_4 branch was not affected, since shortly after FreeBSD 4.8-RELEASE was out, a new version of realpath(3) was imported into the tree, and it did not have this problem.

Thus, if you have a reasonably recent -STABLE (you seem to, since you mention realpath.c rev. 1.9.2.2), there's nothing to fear - not for this problem, at least.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
--lRMsAdG4hjP4MFkn
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/Mkyg7Ri2jRYZRVMRAj40AJsGeEIBc6zyIDtadKY4XKDtjOCDFwCfdKwq
kavc2RaWT2zynUYpdOh6kv8=
=BCiB
-----END PGP SIGNATURE-----

--lRMsAdG4hjP4MFkn--

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 07:49:06 2003
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9558F37B401 for ; Thu, 7 Aug 2003 07:49:06 -0700 (PDT) Received: from lakemtao08.cox.net (lakemtao08.cox.net [68.1.17.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8298543FAF for ; Thu, 7 Aug 2003 07:49:05 -0700 (PDT) (envelope-from freebsd@critesclan.com) Received: from helaman ([68.107.163.57]) by lakemtao08.cox.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP id <20030807144905.NAYN7627.lakemtao08.cox.net@helaman> for ; Thu, 7 Aug 2003 10:49:05 -0400
From:
To: "Freebsd-Security@Freebsd. Org"
Date: Thu, 7 Aug 2003 09:49:42 -0500
Message-ID:
MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal
In-Reply-To: <20030807125705.GO358@straylight.oblivion.bg>
Subject: versions and up-to-date...
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: freebsd@critesclan.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 14:49:06 -0000

This is not really a security-related issue, but since we're talking about releases and such, it kind of ties in. I do a CVSup every week, using the "tag=." method.
It is my assumption that I am getting the latest-and-greatest version, so I'm on the bleeding edge of the 5.X system. Is that correct?

Further, I assume that as soon as any security patch is available, I will get it as well, since I'm keeping up-to-date with the latest-and-greatest.

So are my two assumptions correct?

Thanks muchly...

Lee

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org]On Behalf Of Peter Pentchev
Sent: Thursday, 07 August 2003 07:57
To: Francisco Reyes
Cc: Jacques A. Vidrine; FreeBSD Security List
Subject: Re: Checking realpath file up to date

On Thu, Aug 07, 2003 at 08:50:56AM -0400, Francisco Reyes wrote:
> On Wed, 6 Aug 2003, Jacques A. Vidrine wrote:
>
> > Sounds like you cvsup'd RELENG_4, not RELENG_4_8.
>
>
> I went back to the handbook to read the difference between these two.
> If I understand correct RELENG_4 is basically the latest of the 4.X
> branch. The RELENG_# are basically only security patches for a particular
> 4.# release. Do I understand it correctly?

If you meant RELENG_4_# where you said RELENG_#, then yes, this is correct. The RELENG_4 branch was not affected, since shortly after FreeBSD 4.8-RELEASE was out, a new version of realpath(3) was imported into the tree, and it did not have this problem.

Thus, if you have a reasonably recent -STABLE (you seem to, since you mention realpath.c rev. 1.9.2.2), there's nothing to fear - not for this problem, at least.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 08:23:21 2003
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A9F2337B401 for ; Thu, 7 Aug 2003 08:23:21 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 9B2ED43F75 for ; Thu, 7 Aug 2003 08:23:19 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 5835 invoked from network); 7 Aug 2003 15:14:54 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 7 Aug 2003 15:14:54 -0000 Received: (qmail 50596 invoked by uid 1000); 7 Aug 2003 15:23:17 -0000
Date: Thu, 7 Aug 2003 18:23:17 +0300
From: Peter Pentchev
To: freebsd@critesclan.com
Message-ID: <20030807152317.GB49999@straylight.oblivion.bg>
Mail-Followup-To: freebsd@critesclan.com, "Freebsd-Security@Freebsd. Org"
References: <20030807125705.GO358@straylight.oblivion.bg>
Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="V0207lvV8h4k8FAm" Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.4i
cc: "Freebsd-Security@Freebsd. Org"
Subject: Re: versions and up-to-date...
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 15:23:22 -0000

--V0207lvV8h4k8FAm
Content-Type: text/plain; charset=windows-1251
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Aug 07, 2003 at 09:49:42AM -0500, freebsd@critesclan.com wrote:
> On Thu, Aug 07, 2003 at some time lost in the quoting, I wrote:
> > On Thu, Aug 07, 2003 at 08:50:56AM -0400, Francisco Reyes wrote:
> > > On Wed, 6 Aug 2003, Jacques A.
Vidrine wrote:
> > >
> > > > Sounds like you cvsup'd RELENG_4, not RELENG_4_8.
> > >
> > >
> > > I went back to the handbook to read the difference between these two.
> > > If I understand correct RELENG_4 is basically the latest of the 4.X
> > > branch. The RELENG_# are basically only security patches for a particular
> > > 4.# release. Do I understand it correctly?
> >
> > If you meant RELENG_4_# where you said RELENG_#, then yes, this is
> > correct. The RELENG_4 branch was not affected, since shortly after
> > FreeBSD 4.8-RELEASE was out, a new version of realpath(3) was imported
> > into the tree, and it did not have this problem.
> >
> > Thus, if you have a reasonably recent -STABLE (you seem to, since you
> > mention realpath.c rev. 1.9.2.2), there's nothing to fear - not for
> > this problem, at least.
>
> This is not really a security related issue, but since we're talking about
> releases and such, it kind of ties in. I do a CVSup every week, using the
> "tag=." method. It is my assumption that I am getting the
> latest-and-greatest version, so I'm on the bleeding edge of the 5.X system.
> Is that correct?

Yes, that is correct; of course, this also means that you are liable to get hit at any time by any temporary instability in the couple of hours or days before it is fixed (this is -CURRENT, after all), but I'd say that the new features, development and bugfixes kind of offset that danger.. most of the time :)

> Further, I assume that as soon as any security patch is
> available, I will get it as well, since I'm keeping up-to-date with the
> latest-and-greatest.

Yes. Actually, if you update your system regularly, you'll probably get the fix well *before* the time it is announced.
This is to some degree also true for those who track -STABLE (RELENG_4 for the present, RELENG_4 and RELENG_5 in the near future): security fixes are backported relatively quickly, and are given some time (not much, but still some) to be "shaken out" - tested by the early adopters around the world - before they are merged into the real security branches and announced. This time is usually on the order of a day or three, sometimes only a couple of hours, and sometimes it may be more, depending on the particular problem and the way its disclosure is coordinated with the other OS and software vendors.

This is just my opinion as a FreeBSD user. Maybe I should not really be the one to comment on this - if I've messed things up horribly, the Security Officer team should feel free to put me straight :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Thit sentence is not self-referential because "thit" is not a word.
--V0207lvV8h4k8FAm
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/Mm7l7Ri2jRYZRVMRArfYAJ4iFhmfhs1HiT6hCw5rov3qtJXgkwCgiYHs
hjnkEirro5QTsslGyMBd0oo=
=wXqx
-----END PGP SIGNATURE-----

--V0207lvV8h4k8FAm--

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 10:13:48 2003
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3AB0B37B404 for ; Thu, 7 Aug 2003 10:13:48 -0700 (PDT) Received: from emerald.incredible.com.na (NSP.inc.net.na [196.44.138.114]) by mx1.FreeBSD.org (Postfix) with ESMTP id CA46043FBF for ; Thu, 7 Aug 2003 10:13:46 -0700 (PDT) (envelope-from schalk@home.incredible.com.na) Received: from [10.222.101.2] (helo=Fujitsu) by emerald.incredible.com.na with smtp (Exim 4.12) id 19koIr-0009ZY-00 for freebsd-security@freebsd.org; Thu, 07 Aug 2003 18:11:54 +0100
Message-ID: <00dd01c35d07$44a5b2d0$0265de0a@Fujitsu>
From: "Schalk Erasmus"
To:
Date: Thu, 7 Aug 2003 18:13:49 +0100
X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 17:13:48 -0000

Hi,

I need to know what the implications are of making use of the hosts.allow file on a FreeBSD Production Server (ISP Setup)? The reason I'm asking is that I've recently decommissioned a Linux Sendmail Server in favour of a FreeBSD Exim Server, but with no Firewall (IPTABLES) yet.

Besides the fact that it only runs Exim and Apache, is it necessary to configure rc.firewall? Or can I only make use of the hosts.allow file?
Currently I would only like to allow SSH access from my Home Network, instead of allowing the WORLD.

I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based on the new "Access Control File", it is all merged together in one file:

    # hosts.allow access control file for "tcp wrapped" applications.
    # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
    #

I take it that I should allow the other Services, in this order:

    sshd : myhomepc : allow
    exim : ALL : allow
    httpd : ALL : allow
    ftpd : ALL : allow
    ALL : ALL : deny

What kind of protection does FreeBSD need by Default? Since OpenBSD goes around saying: "SECURE BY DEFAULT" !?

Just asking.....

Regards

Schalk Erasmus
Incredible Networks
Windhoek, Namibia

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 11:11:20 2003
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37C9F37B404 for ; Thu, 7 Aug 2003 11:11:20 -0700 (PDT) Received: from 100m.mpr200-2.esr.lvcm.net (100m.mpr200-2.esr.lvcm.net [24.234.0.81]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9AB8C43FDD for ; Thu, 7 Aug 2003 11:11:19 -0700 (PDT) (envelope-from chris@redstarnetworks.net) Received: from delllaptop (ip68-108-123-213.lv.lv.cox.net [68.108.123.213]) by 100m.mpr200-2.esr.lvcm.net (Mirapoint Messaging Server MOS 2.9.3.5) with ESMTP id AZE62293; Thu, 7 Aug 2003 11:11:16 -0700 (PDT)
From: "Chris Odell"
To:
Date: Thu, 7 Aug 2003 11:05:49 -0700
Organization: Red Star Networks, INC
Message-ID: <000101c35d0e$88c43070$0b05a8c0@delllaptop>
MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Subject: RE: FreeBSD - Secure by DEFAULT ??
[hosts.allow]
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: chris@redstarnetworks.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 18:11:20 -0000

May I recommend IPF, FreeBSD's firewall daemon? Having this in place - and yes, on localhost - will be more of what you want to accomplish. You will also be able to control a whole lot more as far as traffic to/from your box. It is very simple to configure, as long as you can recompile it in your kernel.

Just my 2 cents...

Chris Odell
chris@redstarnetworks.net

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Schalk Erasmus
Sent: Thursday, August 07, 2003 10:14 AM
To: freebsd-security@freebsd.org
Subject: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

Hi,

I need to know what the implications are to make use of the hosts.allow file on a FreeBSD Production Server (ISP Setup)? The reason I'm asking, is that I've recently decommisioned a Linux SendMail Server to a FreeBSD Exim Server, but with no Firewall (IPTABLES) yet.

Besides the fact that it only runs EXIM and Apache, is it necessary to Configure rc.Firewall? or can I only make use of the hosts.allow file?

Currently I would only like to allow SSH access from my Home Network, instead of allowing the WORLD.

I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based on the new "Access Control File", it is all merged together in one file:

    # hosts.allow access control file for "tcp wrapped" applications.
    # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
    #

I take that I should allow the other Services, in this order:

    sshd : myhomepc : allow
    exim : ALL : allow
    httpd : ALL : allow
    ftpd : ALL : allow
    ALL : ALL : deny

What kind of protection does FreeBSD need by Default?
Since OpenBSD goes around saying: "SECURE BY DEFAULT" !?

Just asking.....

Regards

Schalk Erasmus
Incredible Networks
Windhoek, Namibia

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 12:19:26 2003
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EA2E837B401 for ; Thu, 7 Aug 2003 12:19:26 -0700 (PDT) Received: from web10108.mail.yahoo.com (web10108.mail.yahoo.com [216.136.130.58]) by mx1.FreeBSD.org (Postfix) with SMTP id 8B13743F3F for ; Thu, 7 Aug 2003 12:19:26 -0700 (PDT) (envelope-from twigles@yahoo.com)
Message-ID: <20030807191926.50590.qmail@web10108.mail.yahoo.com>
Received: from [68.5.49.41] by web10108.mail.yahoo.com via HTTP; Thu, 07 Aug 2003 12:19:26 PDT
Date: Thu, 7 Aug 2003 12:19:26 -0700 (PDT)
From: twig les
To: chris@redstarnetworks.net, freebsd-security@freebsd.org
In-Reply-To: <000101c35d0e$88c43070$0b05a8c0@delllaptop>
MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 19:19:27 -0000

Yes, I've had great luck with simple host protection via IPFW, and there is a nice tutorial here: http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html. It's a bit old but I'm using IPFW on several 4.x boxes without any big changes. Sorry I don't have a more definitive answer.

--- Chris Odell wrote:
>
> May I recommend IPF, FreeBSD's firewall daemon?
Having this > in place - > and yes on localhost, will be more of what you want to > accomplish. You > will also be able to control a whole lot more as far as > traffice to/from > your box. It is very simple to configure, as long as you can > recompile > it in your kernel. > > Just my 2 cents... > > Chris Odell > chris@redstarnetworks.net > > -----Original Message----- > From: owner-freebsd-security@freebsd.org > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of > Schalk Erasmus > Sent: Thursday, August 07, 2003 10:14 AM > To: freebsd-security@freebsd.org > Subject: FreeBSD - Secure by DEFAULT ?? [hosts.allow] > > > Hi, > > I need to know what the implications are to make use of the > hosts.allow > file on a FreeBSD Production Server (ISP Setup)? The reason > I'm asking, > is that I've recently decommisioned a Linux SendMail Server to > a FreeBSD > Exim Server, but with no Firewall (IPTABLES) yet. > > Besides the fact that it only runs EXIM and Apache, is it > necessary to > Configure rc.Firewall? or can I only make use of the > hosts.allow file? > > Currently I would only like to allow SSH access from my Home > Network, > instead of allowing the WORLD. > > I've seen OpenBSD Servers using hosts.deny and hosts.allow > files, but > based on the new "Access Control File", it is all merged > together in one > file: > > # hosts.allow access control file for "tcp wrapped" > applications. # > $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 > dougb Exp $ > # > > I take that I should allow the other Services, in this order: > > sshd : myhomepc : allow > exim : ALL : allow > httpd : ALL : allow > ftpd : ALL : allow > ALL : ALL : deny > > > What kind of protection does FreeBSD need by Default? Since > OpenBSD goes > around saying: "SECURE BY DEFAULT" !? > > Just asking..... 
> > Regards > > Schalk Erasmus > Incredible Networks > Windhoek, Namibia > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" ===== ----------------------------------------------------------- Emo is what happens when the glee club goes punk. ----------------------------------------------------------- __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 14:05:01 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 82DA537B401 for ; Thu, 7 Aug 2003 14:05:01 -0700 (PDT) Received: from mail.redstarnetworks.net (www.redstarnetworks.net [216.240.150.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3F7C43FBD for ; Thu, 7 Aug 2003 14:05:00 -0700 (PDT) (envelope-from chris@redstarnetworks.net) Received: (qmail 4718 invoked by uid 85); 7 Aug 2003 21:01:22 -0000 Received: from chris@redstarnetworks.net by colowww.redstarnetworks.net by uid 0 with qmail-scanner-1.16 (clamscan: 0.54. spamassassin: 2.50. Clear:. 
Processed in 0.639699 secs); 07 Aug 2003 21:01:22 -0000 Received: from unknown (HELO delllaptop) (208.57.57.9) by mail.redstarnetworks.net with SMTP; 7 Aug 2003 21:01:21 -0000
From: "Chris Odell"
To:
Date: Thu, 7 Aug 2003 13:59:27 -0700
Organization: Red Star Networks, INC
Message-ID: <000001c35d26$cd0827b0$0304a8c0@delllaptop>
MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627
In-Reply-To: <20030807191926.50590.qmail@web10108.mail.yahoo.com>
Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
cc: schalk@home.incredible.com.na
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: chris@redstarnetworks.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 21:05:01 -0000

But why IPFW? IPF is the *BSD native wall. I actually use both - IPF for firewalling, and IPFW for throttling via dummynet. My recommended reading for IPF and IPFW is "Building Linux and OpenBSD Firewalls", and Google for "IPF, host based, web server".

If you would like, I can send a few examples to show this, as it will be very simple after seeing real-world rules. I would be more than happy to help anyone through this process, and may even write a paper on it. There are plenty of sites that show how to build a NAT/ipf router but not really much on localhost-based IPF.

Chris Odell

-----Original Message-----
From: twig les [mailto:twigles@yahoo.com]
Sent: Thursday, August 07, 2003 12:19 PM
To: chris@redstarnetworks.net; freebsd-security@freebsd.org
Subject: RE: FreeBSD - Secure by DEFAULT ??
[hosts.allow] Yes I've had great luck with simple host protection via IPFW, and there is a nice tutorial here: http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html. It's a bit old but I'm using IPFW on several 4.x boxes without any big changes. Sorry I don't have a more definitive answer. --- Chris Odell wrote: > > May I recommend IPF, FreeBSD's firewall daemon? Having this in place > - and yes on localhost, will be more of what you want to > accomplish. You > will also be able to control a whole lot more as far as > traffice to/from > your box. It is very simple to configure, as long as you can > recompile > it in your kernel. > > Just my 2 cents... > > Chris Odell > chris@redstarnetworks.net > > -----Original Message----- > From: owner-freebsd-security@freebsd.org > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Schalk > Erasmus > Sent: Thursday, August 07, 2003 10:14 AM > To: freebsd-security@freebsd.org > Subject: FreeBSD - Secure by DEFAULT ?? [hosts.allow] > > > Hi, > > I need to know what the implications are to make use of the > hosts.allow file on a FreeBSD Production Server (ISP Setup)? The > reason I'm asking, > is that I've recently decommisioned a Linux SendMail Server to > a FreeBSD > Exim Server, but with no Firewall (IPTABLES) yet. > > Besides the fact that it only runs EXIM and Apache, is it necessary to > Configure rc.Firewall? or can I only make use of the > hosts.allow file? > > Currently I would only like to allow SSH access from my Home Network, > instead of allowing the WORLD. > > I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but > based on the new "Access Control File", it is all merged > together in one > file: > > # hosts.allow access control file for "tcp wrapped" applications. 
# > $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 > dougb Exp $ > # > > I take that I should allow the other Services, in this order: > > sshd : myhomepc : allow > exim : ALL : allow > httpd : ALL : allow > ftpd : ALL : allow > ALL : ALL : deny > > > What kind of protection does FreeBSD need by Default? Since OpenBSD > goes around saying: "SECURE BY DEFAULT" !? > > Just asking..... > > Regards > > Schalk Erasmus > Incredible Networks > Windhoek, Namibia > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" ===== ----------------------------------------------------------- Emo is what happens when the glee club goes punk. ----------------------------------------------------------- __________________________________ Do you Yahoo!? Yahoo! 
SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 15:22:58 2003
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7714937B401 for ; Thu, 7 Aug 2003 15:22:58 -0700 (PDT) Received: from zimbo.cs.wm.edu (zimbo.cs.wm.edu [128.239.2.64]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9BA4A43FA3 for ; Thu, 7 Aug 2003 15:22:57 -0700 (PDT) (envelope-from zvezdan@dali.cs.wm.edu) Received: from dali.cs.wm.edu (dali [128.239.26.26]) by zimbo.cs.wm.edu (8.12.8/8.12.8) with ESMTP id h77MMuaC027618 for ; Thu, 7 Aug 2003 18:22:56 -0400 Received: (from zvezdan@localhost) by dali.cs.wm.edu (8.12.8/8.12.8/Submit) id h77MMtjo018461 for freebsd-security@freebsd.org; Thu, 7 Aug 2003 18:22:55 -0400
Date: Thu, 7 Aug 2003 18:22:55 -0400
From: Zvezdan Petkovic
To: freebsd-security@freebsd.org
Message-ID: <20030807222255.GA18430@dali.cs.wm.edu>
Mail-Followup-To: freebsd-security@freebsd.org
References: <20030807191926.50590.qmail@web10108.mail.yahoo.com> <000001c35d26$cd0827b0$0304a8c0@delllaptop>
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
In-Reply-To: <000001c35d26$cd0827b0$0304a8c0@delllaptop>
User-Agent: Mutt/1.4.1i
Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2003 22:22:58 -0000

On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote:
>
> But why IPFW? IPF is *BSD native wall. I actually use both - IPF for
> firewalling, and IPFW for throttling via dummy net. My recommended
> reading for IPF and IPFW is "Building Linux and OpenBSD Firewalls"...

Where did you get this information?
The native firewall for FreeBSD is ipfw, AFAIK. It's even used on OS X as a native firewall, due to Darwin's FreeBSD roots.

Also, OpenBSD stopped using ipf four releases ago. The native firewall for OpenBSD is pf. pf inherited much of the syntax from ipf, but also extended it and added some features.

That said, I personally find ipf quite a good stateful firewall and its syntax can feel more natural than ipfw syntax. It also works on Solaris and other OSes besides the *BSDs.

--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 17:46:02 2003
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABE8C37B404 for ; Thu, 7 Aug 2003 17:45:58 -0700 (PDT) Received: from ridiculum.woohaw.com (ridiculum.woohaw.com [206.107.23.194]) by mx1.FreeBSD.org (Postfix) with SMTP id 7E35F43FAF for ; Thu, 7 Aug 2003 17:45:57 -0700 (PDT) (envelope-from glitch@ridiculum.woohaw.com) Received: (qmail 2238 invoked by uid 1000); 8 Aug 2003 00:45:56 -0000
Date: Thu, 7 Aug 2003 17:45:56 -0700
From: Kevin Glick
To: freebsd-security@freebsd.org
Message-ID: <20030808004556.GA2051@ridiculum.woohaw.com>
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
User-Agent: Mutt/1.5.4i
Subject: IPSec delays
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Aug 2003 00:46:02 -0000

I've been using IPsec and racoon a lot lately, creating tunnels between FreeBSD machines. Everything works as it should once I've got it running. I do however seem to get delays when one or both ends of the tunnel drop or are rebooted. On reboot, once the machine starts racoon, it takes two or three minutes for the tunnel to come back up.
If I stop and restart racoon, it takes only 60 seconds. I'd prefer to cut this time down on both to 30 seconds or less. Below is my racoon.conf. I've watched the racoon logs, and it doesn't give me any errors or failed negotiations. Any ideas?

    path pre_shared_key "/usr/local/etc/racoon/psk.txt";

    remote anonymous {
            exchange_mode aggressive;
            doi ipsec_doi;
            situation identity_only;
            nonce_size 256;
            lifetime time 30 min;           # sec,min,hour
            initial_contact on;
            support_mip6 off;
            proposal_check obey;            # obey, strict or claim
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo anonymous {
            pfs_group 1;
            lifetime time 30 min;
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

Kevin Glick
glitch@ridiculum.woohaw.com

From owner-freebsd-security@FreeBSD.ORG Thu Aug 7 23:50:01 2003
Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EDF337B404 for ; Thu, 7 Aug 2003 23:50:01 -0700 (PDT) Received: from darkpossum.medill.northwestern.edu (darkpossum.medill.northwestern.edu [129.105.51.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7B79043F75 for ; Thu, 7 Aug 2003 23:49:59 -0700 (PDT) (envelope-from possum@darkpossum.medill.northwestern.edu) Received: from darkpossum.medill.northwestern.edu (8cc33db0cd059a6eda9776b36f511f6e@localhost.medill.northwestern.edu [127.0.0.1])h786fJCk064386 for ; Fri, 8 Aug 2003 01:41:20 -0500 (CDT) (envelope-from possum@darkpossum.medill.northwestern.edu) Received: (from possum@localhost)h786fJm3064385 for freebsd-security@freebsd.org; Fri, 8 Aug 2003 01:41:19 -0500 (CDT)
Date: Fri, 8 Aug 2003 01:41:18 -0500
From: Redmond Militante
To: freebsd-security@freebsd.org
Message-ID: <20030808064118.GA64362@darkpossum>
Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature";
boundary="ikeVEW9yuYc//A+q" Content-Disposition: inline
User-Agent: Mutt/1.4i
X-Sender: redmond@darkpossum.medill.northwestern.edu
X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1
X-DSS-PGP-Fingerprint: F9E7 AFEA 0209 B164 7F83 E727 5213 FAFA 1511 7836
X-High-Score-In-Unreal-Tournament: 7639
Subject: problems with ipfilter on 5.1-RELEASE
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Redmond Militante List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Aug 2003 06:50:01 -0000

--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi all,

I'm trying to get ipfilter set up on my new 5.1-RELEASE box. ipfilter seems to be working fine. I just have a couple of issues that are probably not very serious...

One thing is that during network startup at boot, I get the message

    IPFilter: already initialized

repeated 4 times. I think I have everything configured properly. My kernel config looks like

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

My /etc/rc.conf looks like

    ipfilter_enable="YES"
    ipfilter_flags=""
    ipfilter_rules="/etc/ipfilter.rules"
    ipmon_enable="YES"
    ipmon_flags="-Dsvn"

The other problem I have is that it now seems that ipmon is logging to /var/log/messages. I've set up ipfilter successfully on many FreeBSD 4.x boxes, but this is the first time I've tried to set it up on 5.x. In my /etc/syslog.conf I have

    local0.*                                                /var/log/firewall_logs
    *.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages

Am I missing some things that I should be doing to set up ipfilter on 5.x-RELEASE? On 4.x-RELEASE, I've set up ipfilter successfully, following the procedures outlined at schlacter.net to set up ipfilter. I'm basically following the same procedures here, with unexpected results.
any advice would be appreciated thanks redmond --ikeVEW9yuYc//A+q Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE/M0YOFNjun16SvHYRAidPAJsHcG7UyePb3H04oXvesh/GrhwPDwCfT8ge gGtAaQNsWLeiiqcRfJ/P+u0= =KefZ -----END PGP SIGNATURE----- --ikeVEW9yuYc//A+q-- From owner-freebsd-security@FreeBSD.ORG Fri Aug 8 15:49:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BEE237B401 for ; Fri, 8 Aug 2003 15:49:50 -0700 (PDT) Received: from cowbert.2y.net (d46h180.public.uconn.edu [137.99.46.180]) by mx1.FreeBSD.org (Postfix) with SMTP id 8061743F75 for ; Fri, 8 Aug 2003 15:49:49 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 11167 invoked by uid 1001); 8 Aug 2003 22:49:48 -0000 Date: Fri, 8 Aug 2003 18:49:48 -0400 From: "Peter C. Lai" To: freebsd-security@freebsd.org Message-ID: <20030808224948.GC2559@cowbert.2y.net> References: <20030807191926.50590.qmail@web10108.mail.yahoo.com> <000001c35d26$cd0827b0$0304a8c0@delllaptop> <20030807222255.GA18430@dali.cs.wm.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030807222255.GA18430@dali.cs.wm.edu> User-Agent: Mutt/1.4i Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: peter.lai@uconn.edu List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Aug 2003 22:49:50 -0000 What are you meaning by "native"? They both exist as part of the base FreeBSD kernel; so in that sense, both ipf and ipfw are "native" to FreeBSD. I don't see how this argument is appropriate for choosing one over the other anyway. 
On Thu, Aug 07, 2003 at 06:22:55PM -0400, Zvezdan Petkovic wrote: > On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote: > > > > But why IPFW? IPF is *BSD native wall. I actually use both - IPF for > > firewalling, and IPFW for throttling via dummy net. My recommended > > reading for IPF and IPFW is "Building Linux and OpenBSD Firewalls"... > > Where did you get this information? > > Native firewall for FreeBSD is ipfw, AFAIK. It's even used on OS X as a > native firewall, due to Darwin's FreeBSD roots. > > Also, OpenBSD stopped using ipf four releases ago. The native firewall > for OpenBSD is pf. pf inherited much of the syntax from ipf, but also > extended it and added some features. > > That said, I personally find ipf quite a good stateful firewall and its > syntax can feel more natural than ipfw syntax. It also works on Solaris > and other OS's besides *BSDs. > > -- > Zvezdan Petkovic > http://www.cs.wm.edu/~zvezdan/ > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Peter C. Lai University of Connecticut Dept. 
of Molecular and Cell Biology
Yale University School of Medicine SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Sat Aug 9 03:39:49 2003
Date: Sat, 9 Aug 2003 12:39:39 +0200
From: lupe@lupe-christoph.de (Lupe Christoph)
To: Kevin Glick
cc: freebsd-security@freebsd.org
Message-ID: <20030809103939.GC25445@lupe-christoph.de>
In-Reply-To: <20030808004556.GA2051@ridiculum.woohaw.com>
Subject: Re: IPSec delays

On Thursday, 2003-08-07 at 17:45:56 -0700, Kevin Glick wrote:
> I've been using IPSec and racoon a lot lately creating tunnels between
> FreeBSD machines. Everything works as it should once I've got it running.
> I do however seem to get delays when one, or both ends of the tunnel drop
> or are rebooted. On reboot, once the machine starts racoon, it takes two
> or three minutes for the tunnel to come back up. If I stop and restart
> racoon, it takes only 60 seconds. I'd prefer to cut this time down on
> both to 30 seconds or less. Below is my racoon.conf. I've watched the
> racoon logs, and it doesn't give me any errors, or failed negotiations.
> Any ideas?

I had something like this with a Racoon/FreeS/WAN setup. I found out that the algorithms did not match, and the tunnel would only be built from the Racoon side. Seems FreeS/WAN was set up to accept a wider range of algorithms than Racoon. I have to confess I did not understand if you can specify more than one algorithm to Racoon.

Switch on debugging and look for rejected connection attempts.

HTH,
Lupe Christoph
--
| lupe@lupe-christoph.de       | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent"   Lu Tze             |
| "Thief of Time", Terry Pratchett                              |

From owner-freebsd-security@FreeBSD.ORG Sat Aug 9 08:32:15 2003
Date: Sat, 9 Aug 2003 11:32:13 -0400
From: Zvezdan Petkovic
To: freebsd-security@freebsd.org
Message-ID: <20030809153213.GA2391@dali.cs.wm.edu>
In-Reply-To: <20030808224948.GC2559@cowbert.2y.net>
Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

On Fri, Aug 08, 2003 at 06:49:48PM -0400, Peter C. Lai wrote:
> What are you meaning by "native"? They both exist as part of the base FreeBSD
> kernel; so in that sense, both ipf and ipfw are "native" to FreeBSD.

Notice that I said "AFAIK" in the original message below. But let me elaborate.

I had in mind this sentence from FreeBSD Handbook, Section 10.7.1

    "FreeBSD comes with a kernel packet filter (known as IPFW),
    which is what the rest of this section will concentrate on."

The handbook does _not_ talk about IPF.

Also, this document

    http://www.freebsd.org/news/status/report-may-2002-june-2002.html

says (notice the word "native" in the first sentence, please):

    "In summer 2002 the native FreeBSD firewall has been completely
    rewritten in a form that uses BPF-like instructions to perform
    packet matching in a more effective way. The external user
    interface is completely backward compatible, though you can make
    use of some newer match patterns (e.g. to handle sparse sets of
    IP addresses) which can dramatically simplify the writing of
    ruleset (and speed up their processing). The new firewall,
    called ipfw2, is much faster and easier to extend than the old
    one. It has been already included in FreeBSD-CURRENT, and
    patches for FreeBSD-STABLE are available from the author."

I rest my case.

> I don't see how this argument is appropriate for choosing one over the
> other anyway.

That was exactly my point. Chris Odell admonished the original poster for using IPFW stating that IPF is native to *BSD. I simply wanted to point out that is not the exact state of affairs.

> > On Thu, Aug 07, 2003 at 06:22:55PM -0400, Zvezdan Petkovic wrote:
> > On Thu, Aug 07, 2003 at 01:59:27PM -0700, Chris Odell wrote:
> > >
> > > But why IPFW? IPF is *BSD native wall. I actually use both - IPF for
> > > firewalling, and IPFW for throttling via dummy net. My recommended
> > > reading for IPF and IPFW is "Building Linux and OpenBSD Firewalls"...
> >
> > Where did you get this information?
> >
> > Native firewall for FreeBSD is ipfw, AFAIK. It's even used on OS X as a
> > native firewall, due to Darwin's FreeBSD roots.
> >
> > Also, OpenBSD stopped using ipf four releases ago. The native firewall
> > for OpenBSD is pf. pf inherited much of the syntax from ipf, but also
> > extended it and added some features.
> >
> > That said, I personally find ipf quite a good stateful firewall and its
> > syntax can feel more natural than ipfw syntax. It also works on Solaris
> > and other OS's besides *BSDs.

Best regards,
--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security@FreeBSD.ORG Sat Aug 9 10:19:00 2003
Date: Sat, 9 Aug 2003 10:13:27 -0700
From: "Chris Odell"
To: "'Zvezdan Petkovic'" ,
Organization: Red Star Networks, INC
Message-ID: <000d01c35e99$8ce83020$0b05a8c0@delllaptop>
In-Reply-To: <20030809153213.GA2391@dali.cs.wm.edu>
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

I AM WRONG..... I AM VERY SORRY.....

I can't believe it takes fifty different people to bash me, as I think I tucked my tail between my legs after the first time being told I was wrong. I accepted it and didn't argue, so now I think the rest of you people should give up on it now. You have proved your point, now get off me. I bought a computer mainly as a way to ignore my wife, now I'm not sure what is worse - your bitching or hers?

Chris Odell

From owner-freebsd-security@FreeBSD.ORG Sat Aug 9 20:30:10 2003
Date: Sat, 9 Aug 2003 20:29:44 +0900
From: "Jesse"
To: chris@redstarnetworks.net
cc: security@freebsd.org
Message-ID: <20030809202944.M87994@206underground.net>
In-Reply-To: <000d01c35e99$8ce83020$0b05a8c0@delllaptop>
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

> I bought a computer
> mainly as a way to ignore my wife, now I'm not sure what is worse - your
> bitching or hers?
Thank you for injecting some rare humor into what is usually/supposedly an otherwise quiet, boring list ;P

> Chris Odell
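As an added example (not written by any of the posters), the following Python script models the syslog.conf(5) selector semantics behind the two syslog.conf lines in Redmond Militante's ipfilter question above, and checks where a message from ipmon, whose documented default syslog facility is local0, ends up. It assumes a constructed copy of those two lines and models only plain facility.level selectors (`*`, `=`, `none`, `;` and `,`), not program or host blocks.

```python
"""Model of syslog.conf(5) selector matching for the ipfilter/ipmon question.

Only plain facility.level selectors are handled: '*' as facility or level,
'=' for exactly-this-level, 'none' to exclude a facility, ';' to combine
selectors and ',' to list facilities.  Program (!prog) and host (+host)
blocks and the '!' level modifier are not modelled.
"""

# Severity order from syslog.conf(5): index 0 is the most severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console"]
FACILITIES += ["local%d" % i for i in range(8)]

# Constructed copy of the two /etc/syslog.conf lines quoted in the question.
SYSLOG_CONF = """\
local0.*\t/var/log/firewall_logs
*.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
"""


def parse_syslog_conf(text):
    """Return a list of (per-facility rule table, action) pairs.

    The table maps a facility to ("min", idx) for "idx and more severe",
    ("eq", idx) for exactly that level, or None for 'none'.  Selectors on
    one line are applied left to right, so a later selector for the same
    facility overrides an earlier one; that is why '*.notice;local0.none'
    keeps local0 out of /var/log/messages.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "!+-":   # blank line or program/host block
            continue
        selector, action = line.split(None, 1)
        table = {}
        for part in selector.split(";"):
            facs, level = part.rsplit(".", 1)
            fac_list = FACILITIES if facs == "*" else facs.split(",")
            if level == "none":
                spec = None
            elif level == "*":
                spec = ("min", LEVELS.index("debug"))
            elif level.startswith("="):
                spec = ("eq", LEVELS.index(level[1:]))
            else:
                spec = ("min", LEVELS.index(level))
            for fac in fac_list:
                table[fac] = spec
        rules.append((table, action))
    return rules


def route(rules, facility, level):
    """Return the actions (log files) a message at facility.level reaches."""
    idx = LEVELS.index(level)
    actions = []
    for table, action in rules:
        spec = table.get(facility)      # None: facility absent or set to 'none'
        if spec is None:
            continue
        kind, sel_idx = spec
        if (kind == "min" and idx <= sel_idx) or (kind == "eq" and idx == sel_idx):
            actions.append(action)
    return actions


if __name__ == "__main__":
    rules = parse_syslog_conf(SYSLOG_CONF)
    # ipmon -s logs via syslog at its default facility local0, per ipmon(8).
    print("ipmon local0.info ->", route(rules, "local0", "info"))
    print("kern.debug        ->", route(rules, "kern", "debug"))
    print("authpriv.err      ->", route(rules, "authpriv", "err"))
```

With this config a local0 message reaches only /var/log/firewall_logs, so ipmon output appearing in /var/log/messages points at the message not being sent under local0 (or not through syslog at all), which is the first thing to verify.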