From owner-freebsd-security@FreeBSD.ORG Sun May 28 11:46:14 2006
From: Ian G
Date: Sun, 28 May 2006 13:42:38 +0200
To: Patrick Proniewski
Cc: FreeBSD Security List
Subject: Re: On what versions of FreeBSD can we unreserve ports?

Patrick Proniewski wrote:
> On 27 May 2006, at 15:51, Ian G wrote:
>
>> On which versions of FreeBSD is it now possible to
>> un-reserve ports?
>
>> host$ sysctl net.inet.ip.portrange.reservedhigh=0
>
> According to the freebsd web site, it first came with 5.1R
> (http://www.freebsd.org/releases/5.1R/relnotes-i386.html).
> By the way, you might want to take a look at the MAC implementation,
> and especially:
> http://www.freebsd.org/cgi/man.cgi?query=mac_portacl&sektion=4
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html

From link above:

"It is now possible to specify the range of ``privileged ports''
(TCP and UDP ports that require superuser access to bind(2) to).
The range is now specified with the net.inet.ip.portrange.reservedlow
and net.inet.ip.portrange.reservedhigh sysctl variables, defaulting
to the traditional UNIX behavior. This feature is intended to help
network servers bind to traditionally privileged ports without
requiring superuser access. ip(4) has more details."

Thanks!
iang

From owner-freebsd-security@FreeBSD.ORG Sun May 28 21:15:21 2006
From: Avleen Vig
Date: Sun, 28 May 2006 14:04:03 -0700
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Survey

On Wed, May 24, 2006 at 11:20:08AM +0100, Craig Edwards wrote:
> I agree, however, i do not like the gentoo dependency upon python for
> its package management system. It has not broken on me yet, however i
> can imagine if it does it would be a nightmare to fix, as python is
> not a trivial program. If FreeBSD ever were to attempt an emerge-like
> system, it would be convenient imho (although probably less
> maintainable?) to have it done in something smaller and easier to
> manage (and easier repair when broken?) such as perl or shellscript.

Python is incredibly trivial.
It's much more trivial than perl, that's for sure.
I don't want to get into a holy war about languages on-list (anyone
interested can email me off list).

Having used perl for 5+ years, and starting to use Python in the last
year, I can tell you that Python has a very similar learning curve, but
is "better" for new (and old) programmers for several reasons:
  Much more consistent syntax
    - From this you get code that is easier to read, more portable
      between developers, etc
  Designed to be object oriented rather than OO being an afterthought

These two things alone (IMO) make a HUGE difference to writing apps of
any size.
Plus Python's traceback feature is really awesome (perl may have one, I
haven't seen it, but with python it's just there, always).

From owner-freebsd-security@FreeBSD.ORG Mon May 29 07:48:48 2006
From: "mal content"
Date: Mon, 29 May 2006 08:48:46 +0100
To: freebsd-security@freebsd.org
Subject: Request for freebsd-update

Hello.

Any chance of getting some MAC-enabled kernels built for freebsd-update?

As far as I know, the only thing required to actually enable MAC
functionality is the option: option MAC.

The rest of it is built as modules by default, but you can't actually
load them without this option.

This is pretty much the only reason I don't currently use
freebsd-update, and I'd like to as it would simplify things.
cheers,
MC

From owner-freebsd-security@FreeBSD.ORG Mon May 29 12:35:47 2006
From: Craig Edwards
Date: Mon, 29 May 2006 13:35:39 +0100
To: Avleen Vig
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Survey

I was thinking more of the time-to-repair of a broken install, rather
than a broken python or perl program, for example if your perl
site-perl folder gets damaged, or your python compiled libs become ABI
'incompatible' somehow (say due to a g++ upgrade?).

In this case, both python *and* perl are pretty hard to repair unless
you know the language, and can leave a system administrator between a
rock and a hard place (reinstall, or seek an expert of that language)

I guess the same goes for ruby, i wouldn't know where to start in
repairing a broken ruby install...

Thanks
Craig

Avleen Vig wrote:
> On Wed, May 24, 2006 at 11:20:08AM +0100, Craig Edwards wrote:
>
>>I agree, however, i do not like the gentoo dependency upon python for
>>its package management system. It has not broken on me yet, however i
>>can imagine if it does it would be a nightmare to fix, as python is
>>not a trivial program. If FreeBSD ever were to attempt an emerge-like
>>system, it would be convenient imho (although probably less
>>maintainable?) to have it done in something smaller and easier to
>>manage (and easier repair when broken?) such as perl or shellscript.
>
> Python is incredibly trivial.
> It's much more trivial than perl, that's for sure.
> I don't want to get into a holy war about languages on-list (anyone
> interested can email me off list).
>
> Having used perl for 5+ years, and starting to use Python in the last
> year, I can tell you that Python has a very similar learning curve, but
> is "better" for new (and old) programmers for several reasons:
>   Much more consistent syntax
>     - From this you get code that is easier to read, more portable
>       between developers, etc
>   Designed to be object oriented rather than OO being an afterthought
>
> These two things alone (IMO) make a HUGE difference to writing apps of
> any size.
> Plus Python's traceback feature is really awesome (perl may have one, I
> haven't seen it, but with python it's just there, always).

--
"Better to reign in Hell than to serve in Heaven" -- Milton

From owner-freebsd-security@FreeBSD.ORG Sat May 27 13:50:31 2006
From: Ian G
Date: Sat, 27 May 2006 15:46:56 +0200
To: FreeBSD Security List
Subject: On what versions of FreeBSD can we unreserve ports?

On which versions of FreeBSD is it now possible to
un-reserve ports?

( I've been waiting for this since forever ... have
spent countless days - $$$ - trying to install
workarounds, only to junk them later. I've even
been paid a consulting gig to develop this, and
declined to deploy it on my own servers :-/ )

iang

http://askslim.blogspot.com/2006/05/freebsd-61-disabling-reserverd-ports.html

Friday, May 26, 2006
FreeBSD 6.1: Disabling Reserverd Ports

A common misfeature found on UN*X operating systems is the
restriction that only root can bind to ports < 1024. Many a
dollar has been wasted on workarounds and -often- the
resulting security holes.

Fortunately on FreeBSD 6.1 (and probably older versions as
well) you can disable this remnant of trust-by-convention.

    host$ sysctl net.inet.ip.portrange.reservedhigh=0

That simple. Add it to your /etc/sysctl.conf today!
posted by Slim @ 4:18 PM

From owner-freebsd-security@FreeBSD.ORG Sat May 27 15:24:15 2006
From: "Z.C.B."
Date: Sat, 27 May 2006 10:24:31 -0500
To: Ian G
Cc: FreeBSD Security List
Subject: Re: On what versions of FreeBSD can we unreserve ports?

On Sat, 27 May 2006 15:51:08 +0200
Ian G wrote:

> On which versions of FreeBSD is it now possible to
> un-reserve ports?
>
> ( I've been waiting for this since forever ... have
> spent countless days - $$$ - trying to install
> workarounds, only to junk them later. I've even
> been paid a consulting gig to develop this, and
> declined to deploy it on my own servers :-/ )
>
> iang
>
> http://askslim.blogspot.com/2006/05/freebsd-61-disabling-reserverd-ports.html
>
> Friday, May 26, 2006
> FreeBSD 6.1: Disabling Reserverd Ports
>
> A common misfeature found on UN*X operating systems is the
> restriction that only root can bind to ports < 1024. Many a
> dollar has been wasted on workarounds and -often- the
> resulting security holes.
>
> Fortunately on FreeBSD 6.1 (and probably older versions as
> well) you can disable this remnant of trust-by-convention.
>
>     host$ sysctl net.inet.ip.portrange.reservedhigh=0
>
> That simple. Add it to your /etc/sysctl.conf today!
>
> posted by Slim @ 4:18 PM

That works on releng_5 as well.

Since when is this common for just unix? I would have to double
check, but I am certain windows and nearly everything else does this
as well. Just on windows users run with what would normally be root
privileges.

It does serve a useful purpose. It prevents any user from running
services on them.
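
Added example, not part of any message in this thread: a POSIX sh check for the trade-off discussed above, where lowering net.inet.ip.portrange.reservedhigh lets any local user bind low ports unless mac_portacl(4), linked earlier in the thread, takes over. The sysctl names come from ip(4) and mac_portacl(4); the function name, the verdict words and the rule that mac_portacl counts only when rules are configured are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads sysctl.conf-style text (file
# arguments or stdin) and reports who may bind TCP/UDP ports 1-1023.
#
# Model used here:
#   - ip(4): ports in [reservedlow, reservedhigh] require superuser to bind;
#     the defaults are 0 and 1023.
#   - mac_portacl(4): enforces its rules for ports up to
#     security.mac.portacl.port_high (default 1023).
#   - Assumption of this example: mac_portacl counts as in effect only when
#     rules are configured and security.mac.portacl.enabled is not 0. Whether
#     the module is actually loaded cannot be seen from sysctl.conf.
#
# Verdicts printed (the names are this example's own):
#   reserved    every low port still requires superuser
#   portacl     low ports left unreserved are all governed by mac_portacl
#   exposed N   N low ports can be bound by any local user
audit_portrange() {
    awk -F= '
        BEGIN { low = 0; high = 1023; enabled = 1; acl_high = 1023; rules = "" }
        { sub(/#.*/, ""); gsub(/[ \t"]/, "") }   # drop comments, blanks, quotes
        $1 == "net.inet.ip.portrange.reservedlow"  { low = $2 + 0 }
        $1 == "net.inet.ip.portrange.reservedhigh" { high = $2 + 0 }
        $1 == "security.mac.portacl.enabled"       { enabled = $2 + 0 }
        $1 == "security.mac.portacl.port_high"     { acl_high = $2 + 0 }
        $1 == "security.mac.portacl.rules"         { rules = $2 }
        END {
            acl = (enabled != 0 && rules != "")
            exposed = 0; via_acl = 0
            for (p = 1; p <= 1023; p++) {
                if (p >= low && p <= high) continue        # kernel check applies
                if (acl && p <= acl_high) { via_acl++; continue }
                exposed++
            }
            if (exposed > 0)      print "exposed " exposed
            else if (via_acl > 0) print "portacl"
            else                  print "reserved"
        }
    ' "$@"
}

# Constructed sample input: the one-line change from the blog post, alone.
printf 'net.inet.ip.portrange.reservedhigh=0\n' | audit_portrange
```

Run it against /etc/sysctl.conf on a host where the reserved range has been lowered; a verdict of "exposed" means the concern raised in the reply above applies to that host.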
From owner-freebsd-security@FreeBSD.ORG Sun May 28 02:37:29 2006
From: "Josh Carroll"
Date: Sat, 27 May 2006 19:31:32 -0700
To: "Jeremie Le Hen"
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Alexander Kabaev
Subject: Re: [fbsd] Re: Integrating ProPolice/SSP into FreeBSD

I agree that having the necessary hooks to enable/disable SSP would be
nice. It would also be nice if this can be done for ports in addition
to base.

Josh

On 5/27/06, Jeremie Le Hen wrote:
> On Fri, May 26, 2006 at 06:35:54PM -0400, Alexander Kabaev wrote:
> > On Fri, 26 May 2006 17:34:22 +0200
> > Jeremie Le Hen wrote:
> >
> > > Hi,
> > >
> > > first sorry for cross-posting but I thought this patch might interest
> > > -CURRENT users as well as people concerned by security.
> > >
> > > I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
> > > further than it has been realized so far.
> > >
> > > It is available here :
> > > http://tataz.chchile.org/~tataz/FreeBSD/SSP/
> > >
> > > Everything is explained on the web page, but I will repeat some
> > > information here. The patchset is split in two parts to ease the
> > > review of the patch. The -propolice patch is only the original
> > > ProPolice patch for GCC 3.4.4 applied on FreeBSD source tree. The
> > > -freebsd patch contains the glue I have written to make things neat.
> > >
> > > The patch exists in both for CURRENT and RELENG_6. Both introduce a
> > > new make.conf(5) (and src.conf(5)) knob to enable stack protection
> > > on a per Makefile basis. It is of course possible to compile your
> > > world with it. Please refer to the web page for more information.
> > >
> > > The patch has been tested and works pretty well. My laptop and my
> > > workstation at work are compiled with SSP : world, kernel and ports,
> > > including X.org.
> > >
> > > I hope you will enjoy it.
> > > Regards,
> > > --
> > > Jeremie Le Hen
> > > < jeremie at le-hen dot org >< ttz at chchile dot org >
> >
> > How does this compare to GCC 4.x mudflap feature? I do not plan to
> > include Propolice patch into base system any time soon and will object
> > anyone trying to do so due to future maintenance headaches this will
> > inevitably create. GCC 4.1.1 import is in the works though and should be
> > available shortly.
>
> I wasn't aware of the mudflap feature. I had a quick look at it
> through [1], and it appears mudflap focuses on pointer dereferencing.
> ProPolice focuses on stack-based buffer overflows, this is mostly the
> same as StackGuard, which is presented in the paper. According to
> Wikipedia [2], StackGuard isn't maintained any longer, while
> ProPolice has been merged into GCC 4.1.
>
> I understand you are working on GCC 4.1.1 import and that modifying
> contributed sources will be a problem for you, though I must admit I
> am not sure to understand the whole pain this creates. I will try to
> maintain the patch on my own until GCC 4.1.1 import, so that users
> will be able to make the best of ProPolice.
>
> BTW, given that GCC 4.1.1 will contain ProPolice bits, I think it will
> be worth having some knobs to turn SSP on or off for the base system.
> I have become pretty confident with the build system and problems
> that libssp triggers. I would be glad to provide you some of the
> glue I have written so far in my patch (the -freebsd part).
> Please, let me know if you are interested in this. If your current
> work is publicly accessible, I'd be glad if you gave me the URL.
>
> [1] http://gcc.fyxm.net/summit/2003/mudflap.pdf
> [2] http://en.wikipedia.org/wiki/ProPolice
>
> Thank you.
> Best regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Sun May 28 14:01:07 2006
From: Pascal Hofstee
Date: Sun, 28 May 2006 15:34:07 +0200
To: Josh Carroll
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Jeremie Le Hen, Alexander Kabaev
Subject: Re: [fbsd] Re: Integrating ProPolice/SSP into FreeBSD

On Sat, 2006-05-27 at 19:31 -0700, Josh Carroll wrote:
> I agree that having the necessary hooks to enable/disable SSP would be
> nice. It would also be nice if this can be done for ports in addition
> to base.

Being one of the people that extensively helped build/run-testing
Jeremie's patchsets i can safely say that we went through a lot of
iterations before we ended with the following functionality (which
should be present in the current patchset):

on CURRENT /usr/src builds use /etc/src.conf to provide make variables
identical to /etc/make.conf on non-CURRENT. This way setting
WITH_SSP=yes in /etc/src.conf will enable the SSP-bits for world
building.

Jeremie and i wanted to explicitly make enabling SSP for ports build as
well as easy and straight forward as possible. To that end we made some
minor changes to some of the bsd.*.mk files so that simply specifying
the same WITH_SSP=yes in your /make.conf is enough for the entire ports
tree to pick up the SSP settings and use them.

So in short this patchset enables the following

on CURRENT:
  /etc/src.conf   WITH_SSP=yes   enable SSP for buildworld
  /etc/make.conf  WITH_SSP=yes   enable SSP for port builds
  (not 100% sure if /etc/make.conf is processed along with
  /etc/src.conf here)

on non-CURRENT:
  /etc/make.conf  WITH_SSP=yes   enable SSP for both buildworld and ports

It couldn't get any easier than this ... i think :)

--
Pascal Hofstee

From owner-freebsd-security@FreeBSD.ORG Tue May 30 08:21:32 2006
From: Yann Golanski
Date: Tue, 30 May 2006 09:21:32 +0100
To: Garance A Drosihn
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Survey

Quoth Garance A Drosihn on Thu, May 25, 2006 at 15:19:20 -0400
> This thread started because *Colin* set up a security
> survey. He *already* realizes that the project needs to
> do something so that more people are willing and able to
> apply security fixes once the project comes up with
> them. So don't go all pouty and claim that no one here
> appreciates your situation. Many people work very hard
> to provide the operating system and ports collection
> for *NO COST*, so don't pretend that we're some greedy
> bastards who are insensitive to your zero budget.

Chill man.

I love FreeBSD because of the support and good work that has gone into
it. I moved from Linux because of the ease of use of the port
collections and the helpful handbook. The whole FreeBSD team does a
fantastic job. You utterly misunderstood what I said.

Things can be made better and that's what Colin is doing and he has my
thanks. I'm just passing my current state of affairs so that he can see
how other folks use FreeBSD. I did not mean to offend either you or him.

--
yann@kierun.org -=*=- www.kierun.org
PGP: 009D 7287 C4A7 FD4F 1680 06E4 F751 7006 9DE2 6318

From owner-freebsd-security@FreeBSD.ORG Tue May 30 12:18:47 2006
From: Frode Nordahl
Date: Tue, 30 May 2006 14:18:42 +0200
To: freebsd-security@freebsd.org
Cc: Colin Percival
Subject: FreeBSD Update, kernel.debug

Hello,

I recently had a crash on one of my servers running 6.0-SECURITY.
However, I am unable to debug it because kernel.debug is not
distributed with FreeBSD update.
Is it available from the build cluster, or is it at least possible to
make it available in future updates?

I am looking for a kernel.debug for this kernel:

# uname -a
FreeBSD xxx.yyy.no 6.0-SECURITY FreeBSD 6.0-SECURITY #0: Tue Feb 28 22:53:43 UTC 2006 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

Frode Nordahl
frode@nordahl.net

From owner-freebsd-security@FreeBSD.ORG Wed May 31 01:22:15 2006
From: Vulpes Velox
Date: Tue, 30 May 2006 20:23:25 -0500
To: brain@winbot.co.uk
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Survey
Message-ID: <20060530202325.1398cc84@vixen42.vulpes>
In-Reply-To: <447AEA9B.6030005@winbot.co.uk>

On Mon, 29 May 2006 13:35:39 +0100 Craig Edwards wrote:

> I was thinking more of the time-to-repair of a broken install,
> rather than a broken python or perl program, for example if your
> perl site-perl folder gets damaged, or your python compiled libs
> become ABI 'incompatible' somehow (say due to a g++ upgrade?).
>
> In this case, both python *and* perl are pretty hard to repair
> unless you know the language, and can leave a system administrator
> between a rock and a hard place (reinstall, or seek an expert of
> that language)
>
> I guess the same goes for ruby, i wouldn't know where to start in
> repairing a broken ruby install...

It's been awhile since I've done something stupid that fragged ruby.
It was easy to fix though. I just rebuilt all the ruby stuff using
portupgrade.

The same thing needs done with lots of perl modules as well after perl
is upgraded.

From owner-freebsd-security@FreeBSD.ORG Wed May 31 22:50:42 2006
From: FreeBSD Security Advisories
Date: Wed, 31 May 2006 22:50:42 GMT
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-06:15.ypserv
Message-Id: <200605312250.k4VMogiw086235@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:15.ypserv                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Inoperative access controls in ypserv(8)

Category:       core
Module:         ypserv
Announced:      2006-05-31
Credits:        Hokan
Affects:        All FreeBSD 5.x and FreeBSD 6.x releases
Corrected:      2006-05-31 22:31:21 UTC (RELENG_6, 6.1-STABLE)
                2006-05-31 22:31:42 UTC (RELENG_6_1, 6.1-RELEASE-p1)
                2006-05-31 22:32:04 UTC (RELENG_6_0, 6.0-RELEASE-p8)
                2006-05-31 22:32:22 UTC (RELENG_5, 5.5-STABLE)
                2006-05-31 22:32:49 UTC (RELENG_5_5, 5.5-RELEASE-p1)
                2006-05-31 22:33:17 UTC (RELENG_5_4, 5.4-RELEASE-p15)
                2006-05-31 22:33:41 UTC (RELENG_5_3, 5.3-RELEASE-p30)
CVE Name:       CVE-2006-2655

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ypserv(8) utility is a server which distributes NIS databases to
client systems within an NIS domain.

II.  Problem Description

There are two documented methods of restricting access to NIS maps
through ypserv(8): through the use of the /var/yp/securenets file, and
through the /etc/hosts.allow file. While both mechanisms are
implemented in the server, a change in the build process caused the
"securenets" access restrictions to be inadvertently disabled.

III. Impact

ypserv(8) will not load or process any of the networks or hosts
specified in the /var/yp/securenets file, rendering those access
controls ineffective.

IV.  Workaround

One possible workaround is to use /etc/hosts.allow for access control,
as shown by examples in that file.

Another workaround is to use a firewall (e.g., ipfw(4), ipf(4), or
pf(4)) to limit access to RPC functions from untrusted systems or
networks, but due to the complexities of RPC, it might be difficult to
create a set of firewall rules which accomplish this without blocking
all access to the machine in question.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, or RELENG_5_3 security
branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, 5.4,
5.5, 6.0, and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-06:15/ypserv.patch
# fetch http://security.FreeBSD.org/patches/SA-06:15/ypserv.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ypserv
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                            Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/usr.sbin/ypserv/yp_access.c                 1.22.6.1
RELENG_5_5
  src/UPDATING                                    1.342.2.35.2.1
  src/sys/conf/newvers.sh                         1.62.2.21.2.3
  src/usr.sbin/ypserv/yp_access.c                 1.22.18.1
RELENG_5_4
  src/UPDATING                                    1.342.2.24.2.24
  src/sys/conf/newvers.sh                         1.62.2.18.2.20
  src/usr.sbin/ypserv/yp_access.c                 1.22.10.1
RELENG_5_3
  src/UPDATING                                    1.342.2.13.2.33
  src/sys/conf/newvers.sh                         1.62.2.15.2.35
  src/usr.sbin/ypserv/yp_access.c                 1.22.8.1
RELENG_6
  src/usr.sbin/ypserv/yp_access.c                 1.22.12.1
RELENG_6_1
  src/UPDATING                                    1.416.2.22.2.3
  src/sys/conf/newvers.sh                         1.69.2.11.2.3
  src/usr.sbin/ypserv/yp_access.c                 1.22.16.1
RELENG_6_0
  src/UPDATING                                    1.416.2.3.2.13
  src/sys/conf/newvers.sh                         1.69.2.8.2.9
  src/usr.sbin/ypserv/yp_access.c                 1.22.14.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2655

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:15.ypserv.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEfhuUFdaIBMps37IRAhH5AJ9cpTLcR+aWSRPUa1zUDYThhKDqowCggYr1
4OyjFHW/C+NB9nMIX8Wf7IE=
=NNUN
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed May 31 22:50:48 2006
From: FreeBSD Security Advisories
Date: Wed, 31 May 2006 22:50:47 GMT
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-06:16.smbfs
Message-Id: <200605312250.k4VMolr7086277@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:16.smbfs                                      Security Advisory
                                                          The FreeBSD Project

Topic:          smbfs chroot escape

Category:       core
Module:         smbfs
Announced:      2006-05-31
Credits:        Mark Moseley
Affects:        All FreeBSD releases.
Corrected:      2006-05-31 22:31:21 UTC (RELENG_6, 6.1-STABLE)
                2006-05-31 22:31:42 UTC (RELENG_6_1, 6.1-RELEASE-p1)
                2006-05-31 22:32:04 UTC (RELENG_6_0, 6.0-RELEASE-p8)
                2006-05-31 22:32:22 UTC (RELENG_5, 5.5-STABLE)
                2006-05-31 22:32:49 UTC (RELENG_5_5, 5.5-RELEASE-p1)
                2006-05-31 22:33:17 UTC (RELENG_5_4, 5.4-RELEASE-p15)
                2006-05-31 22:33:41 UTC (RELENG_5_3, 5.3-RELEASE-p30)
                2006-05-31 22:34:32 UTC (RELENG_4, 4.11-STABLE)
                2006-05-31 22:34:53 UTC (RELENG_4_11, 4.11-RELEASE-p18)
                2006-05-31 22:35:32 UTC (RELENG_4_10, 4.10-RELEASE-p24)
CVE Name:       CVE-2006-2654

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

smbfs is a network file-system used to access file servers using the
SMB/CIFS protocol. chroot(2) is a system call designed to limit a
process's access to a particular subset of a file-system.

II.  Problem Description

smbfs does not properly sanitize paths containing a backslash
character; in particular the directory name '..\' is interpreted as
the parent directory by the SMB/CIFS server, but smbfs handles it in
the same manner as any other directory.

III. Impact

When inside a chroot environment which resides on a smbfs mounted
file-system it is possible for an attacker to escape out of this
chroot to any other directory on the smbfs mounted file-system.

IV.  Workaround

Mount the smbfs file-systems which need to be used with chroot on top,
in a way so the chroot directory is exactly on the mount point and not
a sub directory.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3,
RELENG_4_11, or RELENG_4_10 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-06:16/smbfs.patch
# fetch http://security.FreeBSD.org/patches/SA-06:16/smbfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                            Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/fs/smbfs/smbfs_vnops.c                  1.2.2.11
RELENG_4_11
  src/UPDATING                                    1.73.2.91.2.19
  src/sys/conf/newvers.sh                         1.44.2.39.2.22
  src/sys/fs/smbfs/smbfs_vnops.c                  1.2.2.10.4.1
RELENG_4_10
  src/UPDATING                                    1.73.2.90.2.25
  src/sys/conf/newvers.sh                         1.44.2.34.2.26
  src/sys/fs/smbfs/smbfs_vnops.c                  1.2.2.10.2.1
RELENG_5
  src/sys/fs/smbfs/smbfs_vnops.c                  1.46.2.2
RELENG_5_5
  src/UPDATING                                    1.342.2.35.2.1
  src/sys/conf/newvers.sh                         1.62.2.21.2.3
  src/sys/fs/smbfs/smbfs_vnops.c                  1.46.2.1.4.1
RELENG_5_4
  src/UPDATING                                    1.342.2.24.2.24
  src/sys/conf/newvers.sh                         1.62.2.18.2.20
  src/sys/fs/smbfs/smbfs_vnops.c                  1.46.2.1.2.1
RELENG_5_3
  src/UPDATING                                    1.342.2.13.2.33
  src/sys/conf/newvers.sh                         1.62.2.15.2.35
  src/sys/fs/smbfs/smbfs_vnops.c                  1.46.4.1
RELENG_6
  src/sys/fs/smbfs/smbfs_vnops.c                  1.61.2.2
RELENG_6_1
  src/UPDATING                                    1.416.2.22.2.3
  src/sys/conf/newvers.sh                         1.69.2.11.2.3
  src/sys/fs/smbfs/smbfs_vnops.c                  1.61.2.1.2.1
RELENG_6_0
  src/UPDATING                                    1.416.2.3.2.13
  src/sys/conf/newvers.sh                         1.69.2.8.2.9
  src/sys/fs/smbfs/smbfs_vnops.c                  1.61.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2654

The following three references correspond to independent bugs which
affect the Linux kernel but have the same impact:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189434

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:16.smbfs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEfhueFdaIBMps37IRAquuAJ0eCPAahUu19kdTjKpVHrrtQ9q16gCfZ5sC
xknjanFlpMxJAZ7iYSxBvcI=
=PvoL
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Jun 1 21:44:40 2006
From: Jeff
Date: Thu, 01 Jun 2006 14:40:50 -0700
To: freebsd-security@freebsd.org
Subject: mac_bsdextended log information
Message-Id: <7.0.1.0.2.20060601142921.2284c5b0@wheresmymailserver.com>

Hey everyone,

I'm hoping someone can point me in the right direction. I'm running a
6.1 box with mac_bsdextended compiled. I've created my ugidfw rules,
and all seems well in the universe.

I've got rules set up so the web process uid 80 and gid 80 can only
read uid 1010 and gid 1010 owned files. When the web server tries to do
something else, it throws an error such as:

www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.

So the question is, what file did the www process try to muck with? It
is a root owned file, and it is important that it want to act on it.
Security problem, or benign problem? Who knows without being able to
know what the file is. A look at the source code implies that the
"request 256" means that the web process tried to read the vnode
numbered 256. Is that accurate?
If it is, how do I go about associating vnode numbers to files, so I
have a hope of troubleshooting these errors.

Searching seems to turn up no tool or easy way to get this vnode ->
file information. Help!

Jeff

From owner-freebsd-security@FreeBSD.ORG Fri Jun 2 08:58:01 2006
From: Kenyeres Márton
Date: Fri, 2 Jun 2006 10:57:49 +0200
To: Jeff
Cc: freebsd-security@freebsd.org
Subject: Re: mac_bsdextended log information
Message-ID: <1149238669.657.6.camel@dell1.kvg.hu>
In-Reply-To: <7.0.1.0.2.20060601142921.2284c5b0@wheresmymailserver.com>

On Thu, 2006-06-01 at 14:40 -0700, Jeff wrote:
> Hey everyone,
>
> I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe.
>
> I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:
>
> www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.
>
> So the question is, what file did the www process try to muck with? It is a root owned file, and it is important that it want to act on it. Security problem, or benign problem? Who knows without being able to know what the file is. A look at the source code implies that the "request 256" means that the web process tried to read the vnode numbered 256. Is that accurate?
> If it is, how do I go about associating vnode numbers to files, so I have a hope of troubleshooting these errors.
>

There are many legitimate reasons for a webserver to open root owned
files. Looking up users in the password database would be my first
guess. Maybe you should consider changing your rules to some more fine
grained ones?

> Searching seems to turn up no tool or easy way to get this vnode -> file information. Help!

Try:

$ find / -inum 256

>
> Jeff
>

Cheers,
m.

--
Kenyeres Márton

From owner-freebsd-security@FreeBSD.ORG Fri Jun 2 09:05:27 2006
From: Patrick Proniewski
Date: Fri, 2 Jun 2006 11:05:18 +0200
To: Jeff
Cc: freebsd-security@freebsd.org
Subject: Re: mac_bsdextended log information
In-Reply-To: <1149238669.657.6.camel@dell1.kvg.hu>

On 2 juin 06, at 10:57, Kenyeres Márton wrote:

>> www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.
>
> $ find / -inum 256

I'm not sure it's an inode, it might be a rule number (like for a
firewall in fact). But it's just a guess.
And maybe the file name is to be found in apache's error log.

patpro

From owner-freebsd-security@FreeBSD.ORG Fri Jun 2 19:24:55 2006
From: Jeff
Date: Fri, 02 Jun 2006 12:24:40 -0700
To: freebsd-security@freebsd.org
Subject: Re: mac_bsdextended log information
Message-Id: <7.0.1.0.2.20060602104259.21f07b40@blackhat.com>
In-Reply-To: <1149238669.657.6.camel@dell1.kvg.hu>

At 01:57 AM 6/2/2006, you wrote:
>On Thu, 2006-06-01 at 14:40 -0700, Jeff wrote:
>> Hey everyone,
>>
>> I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe.
>>
>> I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:
>>
>> www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.
>>
>> So the question is, what file did the www process try to muck with? It is a root owned file, and it is important that it want to act on it. Security problem, or benign problem? Who knows without being able to know what the file is. A look at the source code implies that the "request 256" means that the web process tried to read the vnode numbered 256. Is that accurate?
>> If it is, how do I go about associating vnode numbers to files, so I have a hope of troubleshooting these errors.
>>
>
>There are many legitimate reasons for a webserver to open root owned
>files. Looking up users in the password database would be my first
>guess. Maybe you should consider changing your rules to some more fine
>grained ones?

Well considering that there are no user accounts, and the web server is
not dynamic there is no reason for it to read root owned files. That
was the point of the whole exercise and I am so close.

>> Searching seems to turn up no tool or easy way to get this vnode -> file information. Help!
>
>Try:
>
>$ find / -inum 256

I'll try that.. nope didn't work.

When I looked at the source for bsdextended I find:

        /*
         * Is the access permitted?
         */
        if ((rule->mbr_mode & acc_mode) != acc_mode) {
                if (mac_bsdextended_logging)
                        log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
                            " on %d:%d failed. \n", cred->cr_ruid,
                            cred->cr_rgid, acc_mode, object_uid, object_gid);
                return (EACCES); /* Matching rule denies access */
        }

So in my example the "request 256" is being generated by "acc_mode" in
the code above.

From http://fxr.watson.org/fxr/ident?v=RELENG61;i=acc_mode acc_mode
reveals:

Defined as a variable in:

    * kern/vfs_subr.c, line 3181

Which shows

/*
 * Common filesystem object access control check routine. Accepts a
 * vnode's type, "mode", uid and gid, requested access mode, credentials,
 * and optional call-by-reference privused argument allowing vaccess()
 * to indicate to the caller whether privilege was used to satisfy the
 * request (obsoleted). Returns 0 on success, or an errno on failure.
 */

So it looks like it is returning an errno, and in this case it is errno
256. I have also seen errno 8192.

The question then becomes, what the heck does error number 256 or 8192
mean?

Thanks for any help!

Jeff
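
The log() call quoted in the message above prints acc_mode as the "request" number, and the (rule->mbr_mode & acc_mode) test uses it as a bitmask of access flags. The following is an added example, not part of the thread and not FreeBSD's own code, that parses such a log line and names the bits; the flag values are assumed from FreeBSD 6.x <sys/vnode.h>, the letters are the ugidfw(8) mode characters, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/*
 * Access-mode bits (octal). Assumption: values as in FreeBSD 6.x
 * <sys/vnode.h>; confirm against the headers of the release you run.
 * ugidfw is the matching ugidfw(8) mode letter, 0 where there is none.
 */
static const struct acc_flag {
    int bit;
    const char *name;
    char ugidfw;
} acc_flags[] = {
    { 000400, "VREAD",   'r' },
    { 000200, "VWRITE",  'w' },
    { 000100, "VEXEC",   'x' },
    { 010000, "VADMIN",  'a' },
    { 020000, "VSTAT",   's' },
    { 040000, "VAPPEND", 0   },
};
#define N_ACC_FLAGS (sizeof(acc_flags) / sizeof(acc_flags[0]))

/*
 * Parse one syslog line. Returns the logged acc_mode, or -1 if the line is
 * not a mac_bsdextended denial. If ids is not NULL it receives
 * { subject uid, subject gid, object uid, object gid }.
 */
int parse_denial(const char *line, int ids[4])
{
    int tmp[4], mode;
    const char *p = strstr(line, "mac_bsdextended: ");

    if (p == NULL ||
        sscanf(p, "mac_bsdextended: %d:%d request %d on %d:%d failed",
        &tmp[0], &tmp[1], &mode, &tmp[2], &tmp[3]) != 5)
        return -1;
    if (ids != NULL)
        memcpy(ids, tmp, sizeof(tmp));
    return mode;
}

/* Flag names joined with '|'; leftover bits are shown in octal.
 * Returns a static buffer, so the result is overwritten by the next call. */
const char *acc_mode_names(int mode)
{
    static char buf[96];
    size_t i, used = 0;
    int rest = mode;

    buf[0] = '\0';
    for (i = 0; i < N_ACC_FLAGS; i++) {
        if ((mode & acc_flags[i].bit) == 0)
            continue;
        used += snprintf(buf + used, sizeof(buf) - used, "%s%s",
            used ? "|" : "", acc_flags[i].name);
        rest &= ~acc_flags[i].bit;
    }
    if (rest != 0)
        snprintf(buf + used, sizeof(buf) - used, "%s0%o",
            used ? "|" : "", (unsigned)rest);
    return buf;
}

/* The ugidfw(8) mode letters a rule would need to permit this request. */
const char *acc_mode_ugidfw(int mode)
{
    static char buf[N_ACC_FLAGS + 1];
    size_t i, n = 0;

    for (i = 0; i < N_ACC_FLAGS; i++)
        if ((mode & acc_flags[i].bit) != 0 && acc_flags[i].ugidfw != 0)
            buf[n++] = acc_flags[i].ugidfw;
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* First line is the one quoted in the thread; the second is constructed
     * from the other value (8192) the thread mentions. */
    static const char *sample[] = {
        "www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.",
        "www kernel: mac_bsdextended: 80:80 request 8192 on 0:0 failed.",
    };
    size_t i;

    for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        int ids[4], mode = parse_denial(sample[i], ids);

        if (mode < 0)
            continue;
        printf("subject %d:%d denied %s (ugidfw mode '%s') on object %d:%d\n",
            ids[0], ids[1], acc_mode_names(mode), acc_mode_ugidfw(mode),
            ids[2], ids[3]);
    }
    return 0;
}
```

The log line carries only the subject credential, the requested access and the object's owner, so it identifies the kind of access that was refused, not the file.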
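
For the FreeBSD-SA-06:16.smbfs advisory earlier in this archive: its Problem Description turns on the client and the server disagreeing about what one path component means. The following is an added example, not the FreeBSD patch and not smbfs code, that models both views of a component and shows a check that removes the disagreement; all function names and the sample names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Client view as the advisory describes it: '\' is an ordinary character,
 * so ".." goes up one level, "." stays, and every other name ("..\"
 * included) is treated as a child directory.
 */
int client_depth_delta(const char *name)
{
    if (strcmp(name, "..") == 0)
        return -1;
    if (strcmp(name, ".") == 0)
        return 0;
    return 1;
}

/*
 * Model of the server view: the same bytes are split on '\', the SMB/CIFS
 * path separator, and each segment is resolved in turn. Returns the net
 * change in directory depth.
 */
int server_depth_delta(const char *name)
{
    int delta = 0;
    const char *seg = name;

    for (;;) {
        size_t n = strcspn(seg, "\\");

        if (n == 2 && seg[0] == '.' && seg[1] == '.')
            delta--;
        else if (n > 0 && !(n == 1 && seg[0] == '.'))
            delta++;
        if (seg[n] == '\0')
            break;
        seg += n + 1;
    }
    return delta;
}

/* Nonzero when client and server disagree about where the name leads. */
int views_disagree(const char *name)
{
    return client_depth_delta(name) != server_depth_delta(name);
}

/*
 * Hardened check (an assumption for illustration): refuse any component
 * that is empty or carries a path separator of either side before the
 * request is built, so the two views cannot diverge.
 */
int component_is_safe(const char *name)
{
    if (name[0] == '\0')
        return 0;
    return strpbrk(name, "\\/") == NULL;
}

int main(void)
{
    /* Constructed sample component names. */
    static const char *names[] = { "docs", "..", "..\\", "a\\..\\.." };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-10s client %+d  server %+d  %s  %s\n", names[i],
            client_depth_delta(names[i]), server_depth_delta(names[i]),
            views_disagree(names[i]) ? "MISMATCH" : "agree",
            component_is_safe(names[i]) ? "accepted" : "rejected");
    return 0;
}
```

Every name on which the two views disagree contains a backslash, so rejecting it at the component check leaves the chroot boundary enforced by the client's own handling of "..".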