From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 23:20:58 2011
Message-ID: <4E752431.9040002@bydgoszcz.wsinf.edu.pl>
Date: Sun, 18 Sep 2011 00:50:25 +0200
From: Łukasz Wąsikowski
To: d@delphij.net
In-Reply-To: <4E738794.4050908@delphij.net>
Cc: Dag-Erling Smørgrav, Xin LI, freebsd-security@freebsd.org
Subject: Re: Re: PAM modules

At 20:59, Xin LI wrote:
>> We currently have a number of PAM modules in ports, and while some
>> of them are specific to certain third-party software, many aren't.
>> I believe we would benefit from importing at least some of these
>> into base. My question is: which ones?
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.

I'd love to see LDAP integration; I'm looking forward to it.
-- 
Best regards,
Lukasz Wasikowski

From owner-freebsd-security@FreeBSD.ORG Sun Sep 18 18:03:17 2011
From: Dag-Erling Smørgrav
To: d@delphij.net
Date: Sun, 18 Sep 2011 20:03:15 +0200
In-Reply-To: <4E738794.4050908@delphij.net> (Xin LI's message of "Fri, 16 Sep 2011 10:29:56 -0700")
Message-ID: <86zki1afto.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: PAM modules

Xin LI writes:
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.

I would vote for importing a *complete* OpenLDAP, unless there are good
reasons not to; "slim base" isn't, considering how useful LDAP is.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Sep 18 18:43:18 2011
Message-ID: <4E763BBF.6060306@zedat.fu-berlin.de>
Date: Sun, 18 Sep 2011 20:43:11 +0200
From: "Hartmann, O."
To: Dag-Erling Smørgrav
In-Reply-To: <86zki1afto.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, d@delphij.net
Subject: Re: PAM modules

On 09/18/11 20:03, Dag-Erling Smørgrav wrote:
> Xin LI writes:
>> LDAP? (We do currently have some work on LDAP integration but not
>> sure if the community would be interested -- this would need an import
>> of stripped down OpenLDAP) and modifies OpenSSH to support public key
>> in LDAP directory.
> I would vote for importing a *complete* OpenLDAP, unless there are good
> reasons not to; "slim base" isn't, considering how useful LDAP is.
>
> DES

If this is a real opportunity, +1 for that.
From owner-freebsd-security@FreeBSD.ORG Mon Sep 19 18:01:03 2011
Message-ID: <4E778357.1030206@sentex.net>
Date: Mon, 19 Sep 2011 14:00:55 -0400
From: Mike Tancsa
Organization: Sentex Communications
To: Corey Smith
Cc: freebsd-security@freebsd.org
Subject: Re: PAM modules

On 9/16/2011 3:10 PM, Corey Smith wrote:
> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
>> My question is: which ones?
>
> security/pam_ssh_agent_auth
>
> It is BSD licensed and handy for sudo.

Neato, I didn't know of this module for sudo! However, with the default
install on AMD64, I am getting a coredump.

I added

# auth
auth            include         system
-
+auth           sufficient      /usr/local/lib/pam_ssh_agent_auth.so file=/etc/sudokeys debug
# account
account         include         system

to /usr/local/etc/pam.d/sudo

and added

--- sudoers.sample	2011-09-19 13:24:56.000000000 -0400
+++ sudoers	2011-09-19 13:29:17.000000000 -0400
@@ -62,6 +62,10 @@
 ## Uncomment to enable special input methods. Care should be taken as
 ## this may allow users to subvert the command being run via sudo.
 # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+Defaults env_keep += SSH_AUTH_SOCK
+
+

I must be missing something obvious?

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Mon Sep 19 20:29:02 2011
Date: Mon, 19 Sep 2011 22:11:55 +0200
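Review bot: the two trailing "+" blank lines at the end of the sudoers hunk add nothing and should be dropped, leaving "+Defaults env_keep += SSH_AUTH_SOCK" as the one functional line; with them gone the header becomes "@@ -62,6 +62,8 @@". Since the context comment two lines above warns that env_keep entries may let users subvert the command being run via sudo, a one-line "#" comment above the new Defaults line saying that pam_ssh_agent_auth needs SSH_AUTH_SOCK to reach the invoking user's agent would record why this particular variable is deliberately passed through, so the next person auditing sudoers does not remove it or add others by analogy.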
From: Patrick Lamaiziere
To: Corey Smith
Message-ID: <20110919221155.05ca86b0@davenulle.org>
Cc: freebsd-security@freebsd.org
Subject: Re: PAM modules

On Fri, 16 Sep 2011 15:10:09 -0400, Corey Smith wrote:

Hello,

>> My question is: which ones?
>
> security/pam_ssh_agent_auth
>
> It is BSD licensed and handy for sudo.

But sudo itself is not in base, so?

(While I'm here, +1 for LDAP.)

Regards.

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 19:13:40 2011
Message-ID: <4E78E5DC.6050600@sentex.net>
Date: Tue, 20 Sep 2011 15:13:32 -0400
From: Mike Tancsa
Organization: Sentex Communications
To: Corey Smith
In-Reply-To: <4E778357.1030206@sentex.net>
Cc: freebsd-security@freebsd.org
Subject: pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)

On 9/19/2011 2:00 PM, Mike Tancsa wrote:
> On 9/16/2011 3:10 PM, Corey Smith wrote:
>> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
>>> My question is: which ones?
>>
>> security/pam_ssh_agent_auth
>>
>> It is BSD licensed and handy for sudo.
>
>
> Neato, I didn't know of this module for sudo! However, with the default
> install on AMD64, I am getting a coredump.

Actually, I tried the same setup on i386 and it seems to work just fine.
However, on an AMD64 machine, sudo just coredumps. Anyone running this
setup on amd64?

Running with -D9, normally it looks something like

% sudo -D9 su
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=....
sudo: sudo_mode 1
sudo: policy plugin returns 1
sudo: command info: umask=022
sudo: command info: command=/usr/bin/su
sudo: command info: runas_uid=0
sudo: command info: runas_gid=0
sudo: command info: runas_groups=0,5
sudo: command info: closefrom=3
sudo: command info: set_utmp=true
sudo: command info: login_class=default

whereas on amd64,

% sudo -D9 su
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=....
sudo: sudo_mode 1
Segmentation fault

It seems to die in the call to

static int
policy_check(struct plugin_container *plugin, int argc, char * const argv[],
    char *env_add[], char **command_info[], char **argv_out[],
    char **user_env_out[])
{
    return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
        argv_out, user_env_out);
}

I can't get it to coredump since it's setuid. Before I start adding more
debug printfs, does anyone have any suggestions as to what it might be?

---Mike

>
> I added
>
>
> # auth
> auth include system
> -
> +auth sufficient /usr/local/lib/pam_ssh_agent_auth.so
> file=/etc/sudokeys debug
> # account
> account include system
>
> to /usr/local/etc/pam.d/sudo
>
> and added
>
> --- sudoers.sample 2011-09-19 13:24:56.000000000 -0400
> +++ sudoers 2011-09-19 13:29:17.000000000 -0400
> @@ -62,6 +62,10 @@
> ## Uncomment to enable special input methods. Care should be taken as
> ## this may allow users to subvert the command being run via sudo.
> # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE
> QT_IM_SWITCHER"
> +
> +Defaults env_keep += SSH_AUTH_SOCK
> +
> +
>
>
> I must be missing something obvious?
>
> ---Mike
>
>

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 19:21:02 2011
Date: Tue, 20 Sep 2011 15:21:00 -0400
From: Gary Palmer
To: Mike Tancsa
Message-ID: <20110920192100.GF10165@in-addr.com>
In-Reply-To: <4E78E5DC.6050600@sentex.net>
Cc: Corey Smith, freebsd-security@freebsd.org
Subject: Re: pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)

On Tue, Sep 20, 2011 at 03:13:32PM -0400, Mike Tancsa wrote:
> On 9/19/2011 2:00 PM, Mike Tancsa wrote:
> > On 9/16/2011 3:10 PM, Corey Smith wrote:
> >> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
> >>> My question is: which ones?
> >>
> >> security/pam_ssh_agent_auth
> >>
> >> It is BSD licensed and handy for sudo.
> >
> >
> > Neato, I didn't know of this module for sudo! However, with the default
> > install on AMD64, I am getting a coredump.
>
> Actually, I tried the same setup on i386 and it seems to work just fine.
> However, on an AMD64 machine, sudo just coredumps. Anyone running this
> setup on amd64?
>
> Running with -D9, normally it looks something like
>
> % sudo -D9 su
> sudo: settings: debug_level=9
> sudo: settings: progname=sudo
> sudo: settings: network_addrs=....
> sudo: sudo_mode 1
> sudo: policy plugin returns 1
> sudo: command info: umask=022
> sudo: command info: command=/usr/bin/su
> sudo: command info: runas_uid=0
> sudo: command info: runas_gid=0
> sudo: command info: runas_groups=0,5
> sudo: command info: closefrom=3
> sudo: command info: set_utmp=true
> sudo: command info: login_class=default
>
> whereas on amd64,
>
> % sudo -D9 su
> sudo: settings: debug_level=9
> sudo: settings: progname=sudo
> sudo: settings: network_addrs=....
> sudo: sudo_mode 1
> Segmentation fault
>
> It seems to die in the call to
>
> static int
> policy_check(struct plugin_container *plugin, int argc, char * const argv[],
>     char *env_add[], char **command_info[], char **argv_out[],
>     char **user_env_out[])
> {
>     return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
>         argv_out, user_env_out);
> }
>
>
> I can't get it to coredump since it's setuid. Before I start adding more
> debug printfs, does anyone have any suggestions as to what it might be?

If you do

sysctl kern.sugid_coredump=1

can you get a coredump?
Gary

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 19:32:23 2011
Message-ID: <4E78EA46.2080806@delphij.net>
Date: Tue, 20 Sep 2011 12:32:22 -0700
From: Xin LI
Organization: The FreeBSD Project
To: Dag-Erling Smørgrav
In-Reply-To: <86zki1afto.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, d@delphij.net
Subject: Re: PAM modules

On 09/18/11 11:03, Dag-Erling Smørgrav wrote:
> Xin LI writes:
>> LDAP? (We do currently have some work on LDAP integration but
>> not sure if the community would be interested -- this would need
>> an import of stripped down OpenLDAP) and modifies OpenSSH to
>> support public key in LDAP directory.
>
> I would vote for importing a *complete* OpenLDAP, unless there are
> good reasons not to; "slim base" isn't, considering how useful LDAP
> is.

The main concern I have is that users might want to stay on an older
FreeBSD release, while wanting features of a new OpenLDAP. That's why
I would prefer a libxml style import -- users always have the choice to
install a new OpenLDAP without any concern of breaking their system,
and we can always deliver security fixes with freebsd-update. Would
that make the trimmed down and renamed OpenLDAP import sound sensible?

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 20:08:26 2011
Message-ID: <4E78F2B1.90302@sentex.net>
Date: Tue, 20 Sep 2011 16:08:17 -0400
From: Mike Tancsa
Organization: Sentex Communications
To: Gary Palmer
In-Reply-To: <20110920192100.GF10165@in-addr.com>
Cc: Corey Smith, freebsd-security@freebsd.org
Subject: Re: pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)

On 9/20/2011 3:21 PM, Gary Palmer wrote:
>
> If you do
>
> sysctl kern.sugid_coredump=1
>
> can you get a coredump?

Tried that too.

% sysctl -a | grep core
kern.corefile: %N.core
kern.nodump_coredump: 0
kern.coredump: 1
kern.sugid_coredump: 1
debug.elf64_legacy_coredump: 1
debug.elf32_legacy_coredump: 1

Actually, my mistake on i386.
It seems the plugin works with sudo-1.8.1_5 but not 1.8.2.

Seems to die in the function policy_check in sudo.c:

    return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
        argv_out, user_env_out);
}

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 21:19:14 2011
From: Dag-Erling Smørgrav
To: d@delphij.net
Date: Tue, 20 Sep 2011 23:19:11 +0200
In-Reply-To: <4E78EA46.2080806@delphij.net> (Xin LI's message of "Tue, 20 Sep 2011 12:32:22 -0700")
Message-ID: <86ty86zzcg.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: PAM modules

Xin LI writes:
> The main concern I have is that users might want to stay on an older
> FreeBSD release, while wanting features of a new OpenLDAP. That's why
> I would prefer a libxml style import -- users always have choice to
> install a new OpenLDAP without any concern of breaking their system
> and we can always deliver security fixes with freebsd-update. Would
> that make the trimmed down and renamed OpenLDAP import sound sensible?

Yes, you have a point. So you're saying:

- client side only (for nss_ldap, pam_ldap etc)
- namespace hacks to avoid colliding with the port

right? I would definitely support that.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 21:39:58 2011
In-Reply-To: <4E78F2B1.90302@sentex.net>
Date: Tue, 20 Sep 2011 17:39:56 -0400
From: Corey Smith
To: Mike Tancsa
Cc: Gary Palmer, freebsd-security@freebsd.org
Subject: Re: pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)

On Tue, Sep 20, 2011 at 4:08 PM, Mike Tancsa wrote:
> Seems to die in the function policy_check in sudo.c

I am able to reproduce it as well on 8.2-RELEASE amd64,
pam_ssh_agent_auth-0.9.3 and sudo-1.8.2.

I wonder if this change from dragonfly would work in FreeBSD:

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/5c627295bf5ad6364bd3914b62c1075f370443d6

-Corey Smith

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 22:25:46 2011
Date: Wed, 21 Sep 2011 02:25:41 +0400
From: Lev Serebryakov
Message-ID: <1251419684.20110921022541@serebryakov.spb.ru>
To: Dag-Erling Smørgrav
In-Reply-To: <86ty86zzcg.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, d@delphij.net
Subject: Re: PAM modules

Hello, Dag-Erling.
You wrote on 21 September 2011, 1:19:11:

> Yes, you have a point. So you're saying:
> - client side only (for nss_ldap, pam_ldap etc)
> - namespace hacks to avoid colliding with the port
> right? I would definitely support that.

Maybe a BSD implementation, based on the ASN.1-to-C compiler from Lev
Walkin (http://lionet.info/asn1c/blog/)? ;-)

The client-only part doesn't look very hard to implement, when all
boilerplate code (packing/unpacking/network processing, etc.) is
auto-generated from RFCs.
-- 
// Black Lion AKA Lev Serebryakov

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 22:34:12 2011
Message-ID: <4E7914E1.6040408@delphij.net>
Date: Tue, 20 Sep 2011 15:34:09 -0700
From: Xin LI
Organization: The FreeBSD Project
To: Lev Serebryakov
In-Reply-To: <1251419684.20110921022541@serebryakov.spb.ru>
Cc: Dag-Erling Smørgrav, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules

On 09/20/11 15:25, Lev Serebryakov wrote:
> Hello, Dag-Erling.
> You wrote 21 September 2011, 1:19:11:
>
>> Yes, you have a point. So you're saying:
>> - client side only (for nss_ldap, pam_ldap etc)
>> - namespace hacks to avoid colliding with the port
>> right? I would definitely support that.
> Maybe a BSD implementation, based on the ASN.1-to-C compiler from Lev
> Walkin (http://lionet.info/asn1c/blog/)? ;-)
>
> The client-only part doesn't look very hard to implement when all
> boilerplate code (packing/unpacking/network processing, etc.) is
> auto-generated from the RFCs.

That's true, but is there any very compelling reason to do that (not
saying no if someone really wants to invest time on this and maintain
it) instead of just using an actively maintained codebase?

The OpenLDAP license is pretty similar to a BSD license:

===================================
The OpenLDAP Public License
Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided
that the following conditions are met:

1. Redistributions in source form must retain copyright statements
   and notices,

2. Redistributions in binary form must reproduce applicable copyright
   statements and notices, this list of conditions, and the following
   disclaimer in the documentation and/or other materials provided
   with the distribution, and

3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time.
Each revision is distinguished by a version number. You may use this
Software under terms of this license revision or under the terms of
any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE
AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in
advertising or otherwise to promote the sale, use or other dealing in
this Software without specific, written prior permission. Title to
copyright in this Software shall at all times remain with copyright
holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California,
USA. All Rights Reserved. Permission to copy and distribute verbatim
copies of this document is granted.
===================================

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 22:43:52 2011
Message-ID: <849327678.20110921024347@serebryakov.spb.ru>
Date: Wed, 21 Sep 2011 02:43:47 +0400
From: Lev Serebryakov
To: Xin LI
In-Reply-To: <4E7914E1.6040408@delphij.net>
Cc: Dag-Erling Smørgrav, Lev Serebryakov, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules

Hello, Xin.
You wrote 21 September 2011, 2:34:09:

> That's true, but is there any very compelling reason to do that (not
> saying no if someone really wants to invest time on this and maintain
> it) instead of just using an actively maintained codebase? The
> OpenLDAP license is pretty similar to a BSD license:

My point is not the license. I don't know what is simpler:

(a) strip down and rename the API of OpenLDAP and later import new
releases, with new strip-downs and renames (IMHO, it is harder than
importing and supporting almost-intact code, like sendmail or bind),

or

(b) maintain local code, most of which is auto-generated from the
standard by a very mature and stable tool, as Lev's asn1c is. I know
Lev personally, and he says that this tool is used by many Telco
operators and other Big Companies and he is not aware of any
outstanding bugs (since 2007!) even when very complex (much more
complex than LDAPv3) ASN.1 rules are processed. Sometimes he is
contacted for support, but it is never bugs in the compiler, always
some other problems.

Maybe importing and maintaining a hacked OpenLDAP is simpler in the
long run. Maybe not. I only want to point out that if we want our own
LDAP client library, we don't need to write tons of non-obvious,
error-prone and security-sensitive code by hand.

-- 
// Black Lion AKA Lev Serebryakov

From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 23:05:23 2011
Date: Wed, 21 Sep 2011 01:51:09 +0300
From: Kostik Belousov
To: Lev Serebryakov
Message-ID: <20110920225109.GF1511@deviant.kiev.zoral.com.ua>
In-Reply-To: <849327678.20110921024347@serebryakov.spb.ru>
Cc: Dag-Erling Smørgrav, Xin LI, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules

On Wed, Sep 21, 2011 at 02:43:47AM +0400, Lev Serebryakov wrote:
> Hello, Xin.
> You wrote 21 September 2011, 2:34:09:
>
> > That's true, but is there any very compelling reason to do that (not
> > saying no if someone really wants to invest time on this and maintain
> > it) instead of just using an actively maintained codebase? The
> > OpenLDAP license is pretty similar to a BSD license:
> My point is not the license. I don't know what is simpler:
> (a) strip down and rename the API of OpenLDAP and later import new
> releases, with new strip-downs and renames (IMHO, it is harder than
> importing and supporting almost-intact code, like sendmail or bind),
> or
> (b) maintain local code, most of which is auto-generated from the
> standard by a very mature and stable tool, as Lev's asn1c is. I know
> Lev personally, and he says that this tool is used by many Telco
> operators and other Big Companies and he is not aware of any
> outstanding bugs (since 2007!) even when very complex (much more
> complex than LDAPv3) ASN.1 rules are processed. Sometimes he is
> contacted for support, but it is never bugs in the compiler, always
> some other problems.
>
> Maybe importing and maintaining a hacked OpenLDAP is simpler in the
> long run. Maybe not. I only want to point out that if we want our own
> LDAP client library, we don't need to write tons of non-obvious,
> error-prone and security-sensitive code by hand.
>

Yes, the question of maintenance of the OpenLDAP code in the base is
not trivial by any means. I remember that openldap once broke the ABI
on its stable-like branch.

Having the API renamed during the import of an actively-developed
third-party component is probably a stopper. I am aware of the rename
done for the ssh import in ssh_namespace.h, but I do not think such an
approach scales.

Would the import of openldap and nss + pam ldap modules in src/ give
any benefits over having openldap and ldap nss + pam modules on the
dvd1?
From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 00:21:05 2011
Message-ID: <4E792DEF.30209@delphij.net>
Date: Tue, 20 Sep 2011 17:21:03 -0700
From: Xin LI
Organization: The FreeBSD Project
To: Kostik Belousov
In-Reply-To: <20110920225109.GF1511@deviant.kiev.zoral.com.ua>
Cc: Dag-Erling Smørgrav, Lev Serebryakov, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules

On 09/20/11 15:51, Kostik Belousov wrote:
[...]
> Yes, the question of maintenance of the OpenLDAP code in the base
> is not trivial by any means. I remember that openldap once broke
> the ABI on its stable-like branch.

That happened a few times; however, these were either not in the
essential client library (libldap and liblber) API, or they did not
change parameters or remove interfaces. Moreover, like the base
libbsdxml.so, it's only intended to be used by the base system, so it's
relatively easier to maintain ABI stability, e.g. we can probably just
expose only the symbols that we use, etc.

> Having the API renamed during the import of an actively-developed
> third-party component is probably a stopper. I am aware of the
> rename done for the ssh import in ssh_namespace.h, but I do not think
> such an approach scales.

That's right. We did use a similar approach, but again, if it's just
libldap and liblber, the change would be quite slow over the years. We
do need to patch files.

> Would the import of openldap and nss + pam ldap modules in src/
> give any benefits over having openldap and ldap nss + pam modules
> on the dvd1?

Well, for the ldap nss + pam modules, people usually want them to "just
work" rather than wanting the new features provided by a port-installed
OpenLDAP. That said, the user expects that he can update any port
without risking being locked out of the system, plus these modules can
be upgraded or updated with the existing binary update mechanisms.

The proposed approach would not be a whole OpenLDAP import (selected
client libraries only), nor would it replace the port, by the way.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 00:51:19 2011
Message-ID: <4E793506.1070402@delphij.net>
Date: Tue, 20 Sep 2011 17:51:18 -0700
From: Xin LI
Organization: The FreeBSD Project
To: Dag-Erling Smørgrav
In-Reply-To: <86ty86zzcg.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, d@delphij.net
Subject: Re: PAM modules

On 09/20/11 14:19, Dag-Erling Smørgrav wrote:
> Xin LI writes:
>> The main concern I have is that users might want to stay on an
>> older FreeBSD release, while wanting features of a new OpenLDAP.
>> That's why I would prefer a libxml style import -- users always
>> have the choice to install a new OpenLDAP without any concern of
>> breaking their system and we can always deliver security fixes
>> with freebsd-update. Would that make the trimmed down and
>> renamed OpenLDAP import sound sensible?
>
> Yes, you have a point. So you're saying:
>
> - client side only (for nss_ldap, pam_ldap etc)
> - namespace hacks to avoid colliding with the port
>
> right? I would definitely support that.

Yes, exactly. The current version is just a library to support these
nss and pam modules and has namespace hacks (so programs linking
against the port OpenLDAP library will not see conflicts either).

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 09:29:51 2011
From: Dag-Erling Smørgrav
To: Kostik Belousov
Date: Wed, 21 Sep 2011 11:29:49 +0200
In-Reply-To: <20110920225109.GF1511@deviant.kiev.zoral.com.ua>
Message-ID: <86ipomz1iq.fsf@ds4.des.no>
Cc: d@delphij.net, Lev Serebryakov, Xin LI, freebsd-security@freebsd.org
Subject: Re: PAM modules

Kostik Belousov writes:
> Yes, the question of maintenance of the OpenLDAP code in the base
> is not trivial by any means. I remember that openldap once broke
> the ABI on its stable-like branch.

That's irrelevant. Our own renamed subset of OpenLDAP would only be
used by our own code, primarily nss_ldap and pam_ldap, and would be
updated when and only when we decided that it needed updating, not
every time a new OpenLDAP release shipped. We did this successfully
with expat (libbsdxml), and there's no reason why it wouldn't work with
OpenLDAP.

> Having the API renamed during the import of an actively-developed
> third-party component is probably a stopper. I am aware of the rename
> done for the ssh import in ssh_namespace.h, but I do not think such
> an approach scales.

The entire point of ssh_namespace.h is to minimize the amount of
changes required. Actually, when I say minimize, I mean "reduce to
zero", and the file itself is autogenerated, except for lining up the
columns, which I do manually. I don't know why you think it doesn't
scale.

I don't think we have anything to gain by writing our own LDAP library.
Firstly, new code means new bugs, and this is security-critical code.
Secondly, any LDAP client library we wrote would have to have an API
that closely parallels OpenLDAP's; otherwise, we would also have to
rewrite nss_ldap and pam_ldap.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 09:58:19 2011
Date: Wed, 21 Sep 2011 12:56:51 +0300
From: Kostik Belousov
To: Dag-Erling Smørgrav
Message-ID: <20110921095651.GJ1511@deviant.kiev.zoral.com.ua>
In-Reply-To: <86ipomz1iq.fsf@ds4.des.no>
Cc: d@delphij.net, Lev Serebryakov, Xin LI, freebsd-security@freebsd.org
Subject: Re: PAM modules

On Wed, Sep 21, 2011 at 11:29:49AM +0200, Dag-Erling Smørgrav wrote:
> Kostik Belousov writes:
> > Yes, the question of maintenance of the OpenLDAP code in the base
> > is not trivial by any means. I remember that openldap once broke
> > the ABI on its stable-like branch.
>
> That's irrelevant. Our own renamed subset of OpenLDAP would only be
> used by our own code, primarily nss_ldap and pam_ldap, and would be
> updated when and only when we decided that it needed updating, not
> every time a new OpenLDAP release shipped. We did this successfully
> with expat (libbsdxml), and there's no reason why it wouldn't work
> with OpenLDAP.
>
> > Having the API renamed during the import of an actively-developed
> > third-party component is probably a stopper. I am aware of the
> > rename done for the ssh import in ssh_namespace.h, but I do not
> > think such an approach scales.
>
> The entire point of ssh_namespace.h is to minimize the amount of
> changes required. Actually, when I say minimize, I mean "reduce to
> zero", and the file itself is autogenerated, except for lining up
> the columns, which I do manually. I don't know why you think it
> doesn't scale.
>
> I don't think we have anything to gain by writing our own LDAP
> library. Firstly, new code means new bugs, and this is
> security-critical code. Secondly, any LDAP client library we wrote
> would have to have an API that closely parallels OpenLDAP's;
> otherwise, we would also have to rewrite nss_ldap and pam_ldap.

I do not think that we would benefit from writing our own LDAP library
either. But I also doubt that importing ldap support into base would
offer any advantages in sum.
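The two mechanisms argued over in this exchange, a generated header that renames every exported symbol of the private copy (the ssh_namespace.h approach DES describes) and exporting only the symbols the base consumers need (Xin LI's point about ABI stability), can be sketched in a few lines. The following is an added example, not code from this thread, from FreeBSD's build system or from OpenLDAP; it assumes the input looks like `nm -g` output, uses a made-up prefix `bsdldap_`, and the symbol tables below are constructed for illustration. The last function is the check a defender actually wants: run over the built private library, it lists any global symbol that escaped the rename and could therefore collide with the port's libldap in a process that loads both.

```python
"""Generate a namespace-prefix header for a privately imported library and
check a built object for symbols that escaped the rename.

Added example; not FreeBSD's ssh_namespace.h generator and not OpenLDAP
code.  Input is assumed to look like `nm -g` output; the prefix
``bsdldap_`` and all symbol names below are made up for illustration.
"""
import re

# Constructed `nm -g` output for a stripped-down client library, before
# any renaming.  Upper-case type letters are global symbols defined here;
# 'U' is an undefined reference; lower case is local and cannot collide.
NM_BEFORE_RENAME = """\
0000000000001120 T ldap_init
0000000000001180 T ldap_simple_bind_s
0000000000001200 T ldap_search_s
0000000000004010 D ldap_debug
0000000000004020 B ber_errno
                 U malloc
                 U free
0000000000001300 t ldap_int_helper
"""

# Constructed output for the same library after a rebuild in which one
# source file (the one defining ber_errno) was compiled without the header.
NM_AFTER_RENAME = """\
0000000000001120 T bsdldap_ldap_init
0000000000001180 T bsdldap_ldap_simple_bind_s
0000000000001200 T bsdldap_ldap_search_s
0000000000004010 D bsdldap_ldap_debug
0000000000004020 B ber_errno
                 U malloc
"""

DEFINED_GLOBAL_TYPES = set("TDBRCVW")   # defined, externally visible
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")


def defined_globals(nm_text):
    """Sorted names of defined, global symbols in nm-style text."""
    names = set()
    for raw in nm_text.splitlines():
        m = NM_LINE.match(raw.strip())
        if m and m.group(1) in DEFINED_GLOBAL_TYPES:
            names.add(m.group(2))
    return sorted(names)


def namespace_header(names, prefix, guard="BSDLDAP_NAMESPACE_H"):
    """C header mapping each name to prefix+name with #define.

    Every source file of the private copy must include it first; the
    column alignment the thread mentions is done here by ljust.
    """
    width = max((len(n) for n in names), default=0)
    lines = [f"#ifndef {guard}", f"#define {guard}"]
    lines += [f"#define {n.ljust(width)} {prefix}{n}" for n in names]
    lines.append(f"#endif /* {guard} */")
    return "\n".join(lines) + "\n"


def version_script(exported):
    """GNU ld version script: export only `exported`, hide everything else.

    This is the 'expose only the symbols we use' option; pass it with
    -Wl,--version-script=FILE when linking the private library.
    """
    globals_ = "".join(f"    {n};\n" for n in sorted(exported))
    return "{\nglobal:\n" + globals_ + "local:\n    *;\n};\n"


def leaked_symbols(nm_text, prefix):
    """Defined global symbols that still lack the prefix after the build.

    A non-empty list means a translation unit missed the namespace header
    (or upstream added a symbol after the header was generated) and the
    private library could clash with the port's libldap in a process that
    loads both, e.g. an application linked to the port that loads pam_ldap.
    """
    return [n for n in defined_globals(nm_text) if not n.startswith(prefix)]


if __name__ == "__main__":
    syms = defined_globals(NM_BEFORE_RENAME)
    print(namespace_header(syms, "bsdldap_"))
    print(version_script("bsdldap_" + n for n in ("ldap_init", "ldap_search_s")))
    print("leaked:", leaked_symbols(NM_AFTER_RENAME, "bsdldap_"))
```

The header and the version script complement each other: the `#define` rename keeps the private copy out of the port's namespace at compile time, while the linker script limits what the shared object exports at all, so a symbol that misses the header is hidden rather than exported under its upstream name. Running `leaked_symbols` over the finished library in the build is what turns "we renamed everything" into something verified rather than assumed.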
From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 13:16:13 2011
Message-ID: <4E79E392.4020300@sentex.net>
Date: Wed, 21 Sep 2011 09:16:02 -0400
From: Mike Tancsa
Organization: Sentex Communications
To: Corey Smith
Cc: Gary Palmer, freebsd-security@freebsd.org
Subject: Re: pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)

On 9/20/2011 5:39 PM, Corey Smith wrote:
> On Tue, Sep 20, 2011 at 4:08 PM, Mike Tancsa wrote:
>> Seems to die in the function policy_check in sudo.c
>
> I am able to reproduce it as well on 8.2-RELEASE amd64,
> pam_ssh_agent_auth-0.9.3 and sudo-1.8.2.
>

I posted the question on the sudo list and there seems to be a
workaround posted there!

http://www.sudo.ws/pipermail/sudo-users/2011-September/004831.html

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 14:14:18 2011
Date: Wed, 21 Sep 2011 08:42:48 -0500
From: Brooks Davis
To: d@delphij.net
Cc: Kostik Belousov, Dag-Erling Smørgrav, Lev Serebryakov, freebsd-security@freebsd.org
Subject: Re: PAM modules
Message-ID: <20110921134248.GA55273@lor.one-eyed-alien.net>
In-Reply-To: <4E792DEF.30209@delphij.net>

On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
> On 09/20/11 15:51, Kostik Belousov wrote:
> [...]
> > Yes, the question of maintenance of the OpenLDAP code in the base
> > is not trivial by any means. I remember that openldap once broke
> > the ABI on its stable-like branch.
>
> That happened a few times; however, these are either not essential client
> library (libldap and liblber) API or it's not changing parameters or
> removing interfaces. Moreover, like the base libbsdxml.so, it's only
> intended to be used by the base system, so it's relatively easier to
> maintain ABI stability, e.g. we can probably just expose only symbols
> that we use, etc.
>
> > Having API renamed during the import for the actively-developed
> > third-party component is probably a stopper. I am aware of the
> > rename done for ssh import in ssh_namespace.h, but I do not think
> > such an approach scales.
>
> That's right. We did use a similar approach but again, if it's just
> libldap and liblber, the change would be quite slow over years. We do
> need to patch files.
>
> > Would the import of openldap and nss + pam ldap modules in src/
> > give any benefits over having openldap and ldap nss + pam modules
> > on the dvd1 ?
>
> Well, for ldap nss + pam modules, people usually want them to "just
> work" rather than wanting new features provided by a port-installed
> OpenLDAP. That said, the user expects he can update any port
> without risking being locked out from the system, plus these
> modules can be upgraded or updated with existing binary update mechanisms.

This is certainly the largest benefit. I used a variant of pam_ldap for
authentication at $WORK for many years and the instability of the
OpenLDAP API was a constant headache.

That isn't to say that importing it into base is the only possible
solution. It is likely the most straightforward.

-- 
Brooks

From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 17:10:54 2011
Date: Wed, 21 Sep 2011 13:10:46 -0400
From: Jason Hellenthal
To: Brooks Davis
Cc: Kostik Belousov, Dag-Erling Smørgrav, Lev Serebryakov, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules
Message-ID: <20110921171046.GA80753@DataIX.net>
In-Reply-To: <20110921134248.GA55273@lor.one-eyed-alien.net>

On Wed, Sep 21, 2011 at 08:42:48AM -0500, Brooks Davis wrote:
> On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
> > On 09/20/11 15:51, Kostik Belousov wrote:
> > [...]
> > > Yes, the question of maintenance of the OpenLDAP code in the base
> > > is not trivial by any means. I remember that openldap once broke
> > > the ABI on its stable-like branch.
> >
> > That happened a few times; however, these are either not essential client
> > library (libldap and liblber) API or it's not changing parameters or
> > removing interfaces. Moreover, like the base libbsdxml.so, it's only
> > intended to be used by the base system, so it's relatively easier to
> > maintain ABI stability, e.g. we can probably just expose only symbols
> > that we use, etc.
> >
> > > Having API renamed during the import for the actively-developed
> > > third-party component is probably a stopper. I am aware of the
> > > rename done for ssh import in ssh_namespace.h, but I do not think
> > > such an approach scales.
> >
> > That's right. We did use a similar approach but again, if it's just
> > libldap and liblber, the change would be quite slow over years. We do
> > need to patch files.
> >
> > > Would the import of openldap and nss + pam ldap modules in src/
> > > give any benefits over having openldap and ldap nss + pam modules
> > > on the dvd1 ?
> >
> > Well, for ldap nss + pam modules, people usually want them to "just
> > work" rather than wanting new features provided by a port-installed
> > OpenLDAP. That said, the user expects he can update any port
> > without risking being locked out from the system, plus these
> > modules can be upgraded or updated with existing binary update mechanisms.
>
> This is certainly the largest benefit. I used a variant of pam_ldap for
> authentication at $WORK for many years and the instability of the
> OpenLDAP API was a constant headache.
>
> That isn't to say that importing it into base is the only possible
> solution. It is likely the most straightforward.
>

Base package system that comes pre-installed? Or just ships with the discs?

> -- 
> Brooks

From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 17:36:35 2011
Message-ID: <4E7A20A1.4010902@delphij.net>
Date: Wed, 21 Sep 2011 10:36:33 -0700
From: Xin LI
Organization: The FreeBSD Project
To: Jason Hellenthal
Cc: Brooks Davis, d@delphij.net, freebsd-security@freebsd.org, Lev Serebryakov, Kostik Belousov, Dag-Erling Smørgrav
Subject: Re: PAM modules
In-Reply-To: <20110921171046.GA80753@DataIX.net>

On 09/21/11 10:10, Jason Hellenthal wrote:
> On Wed, Sep 21, 2011 at 08:42:48AM -0500, Brooks Davis wrote:
>> On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
>>> On 09/20/11 15:51, Kostik Belousov wrote:
>>> [...]
>>>> Yes, the question of maintenance of the OpenLDAP code in the
>>>> base is not trivial by any means. I remember that openldap
>>>> once broke the ABI on its stable-like branch.
>>>
>>> That happened a few times; however, these are either not essential
>>> client library (libldap and liblber) API or it's not changing
>>> parameters or removing interfaces. Moreover, like the base
>>> libbsdxml.so, it's only intended to be used by the base system,
>>> so it's relatively easier to maintain ABI stability, e.g. we
>>> can probably just expose only symbols that we use, etc.
>>>
>>>> Having API renamed during the import for the
>>>> actively-developed third-party component is probably a
>>>> stopper. I am aware of the rename done for ssh import in
>>>> ssh_namespace.h, but I do not think such an approach scales.
>>>
>>> That's right. We did use a similar approach but again, if it's
>>> just libldap and liblber, the change would be quite slow over
>>> years. We do need to patch files.
>>>
>>>> Would the import of openldap and nss + pam ldap modules in
>>>> src/ give any benefits over having openldap and ldap nss +
>>>> pam modules on the dvd1 ?
>>>
>>> Well, for ldap nss + pam modules, people usually want them to
>>> "just work" rather than wanting new features provided by a
>>> port-installed OpenLDAP. That said, the user expects he can
>>> update any port without risking being locked out from the
>>> system, plus these modules can be upgraded or updated with
>>> existing binary update mechanisms.
>>
>> This is certainly the largest benefit. I used a variant of
>> pam_ldap for authentication at $WORK for many years and the
>> instability of the OpenLDAP API was a constant headache.
>>
>> That isn't to say that importing it into base is the only
>> possible solution. It is likely the most straightforward.
>>
>
> Base package system that comes pre-installed? Or just ships with
> the discs?

Well, first and most important, someone will need to implement that, but
to be more specific there are a lot of issues that need to be solved, like:

- How to update your system? The LPK patchset, for instance, needs to be a
  part of OpenSSH (not a loadable module), so we end up with a modified
  sshd binary. "make installworld" needs to know and not patch it;
- How to patch your system? A mechanism like freebsd-update needs to be
  implemented for these essential security services;
- How to update these "base packages"? There needs to be a way that is no
  harder than 'make installworld', in my opinion.

That said, all these are not impossible without direct base system
integration, but integration is the most straightforward way at this moment.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 20:52:43 2011
Date: Wed, 21 Sep 2011 23:29:17 +0300
From: Gleb Kurtsou
To: Xin LI
Cc: Dag-Erling Smørgrav, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules
Message-ID: <20110921202917.GA25278@tops>
In-Reply-To: <4E793506.1070402@delphij.net>

On (20/09/2011 17:51), Xin LI wrote:
> On 09/20/11 14:19, Dag-Erling Smørgrav wrote:
> > Xin LI writes:
> >> The main concern I have is that users might want to stay on an
> >> older FreeBSD release, while wanting features of a new OpenLDAP.
> >> That's why I would prefer a libxml style import -- users always
> >> have the choice to install a new OpenLDAP without any concern of
> >> breaking their system and we can always deliver security fixes
> >> with freebsd-update. Would that make the trimmed down and
> >> renamed OpenLDAP import sound sensible?
> >
> > Yes, you have a point. So you're saying:
> >
> > - client side only (for nss_ldap, pam_ldap etc)
> > - namespace hacks to avoid colliding with the port
> >
> > right? I would definitely support that.
>
> Yes, exactly. The current version is just a library to support these nss
> and pam modules and has namespace hacks (so programs linking against
> the port OpenLDAP library will not see conflicts as well).

It wasn't explicitly mentioned, but instead of adding ssh_namespace.h-like
hacks we could add local symbol versions to the ldap shared libraries.
That would make the impact on OpenLDAP from ports and its users minimal.
A binary could be linked against both OpenLDAP and ldap from base in the
case where libbsdldap.so is an indirect dependency used by another library
from base. That is not the case with libbsdxml.so.

Thanks,
Gleb.

> Cheers,
> -- 
> Xin LI https://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die

From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 21:32:37 2011
Message-ID: <4E7A57F3.20109@FreeBSD.org>
Date: Wed, 21 Sep 2011 14:32:35 -0700
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: PAM modules
In-Reply-To: <86boukbk8s.fsf@ds4.des.no>

On 09/16/2011 08:05, Dag-Erling Smørgrav wrote:
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?

For the sake of having the opposing viewpoint represented, I'm opposed
to importing more of this stuff into the base. Given that it works just
fine as it is, the benefits of importing it would have to overwhelmingly
compensate for the negatives of having to keep them up to date in the
base. Taking ldap as an example, the subset of our users who need this
functionality are already able to get it from the ports tree, where it
is easier to keep up to date across multiple FreeBSD versions.

Doug

-- 
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/

From owner-freebsd-security@FreeBSD.ORG Thu Sep 22 08:17:12 2011
Date: Thu, 22 Sep 2011 12:17:06 +0400
From: Lev Serebryakov
To: freebsd-security@freebsd.org
Message-ID: <679126918.20110922121706@serebryakov.spb.ru>
Subject: pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility

Hello, Freebsd-security.

I have a chicken-and-egg problem with the wheel group and the su utility
when all users but root are stored in LDAP.

The wheel group should be in /etc/group to allow basic system services to
start before LDAP is available. But when "wheel" is in /etc/group with
only "root" as a member (as all other members are in LDAP), the system
never takes "wheel" members from LDAP (because /etc/group has priority)
and "su" doesn't work!

What is the proper way to resolve this problem?

-- 
// Black Lion AKA Lev Serebryakov

From owner-freebsd-security@FreeBSD.ORG Thu Sep 22 15:21:29 2011
From: Dag-Erling Smørgrav
To: Lev Serebryakov
Cc: freebsd-security@freebsd.org
Date: Thu, 22 Sep 2011 17:21:27 +0200
Message-ID: <86d3esy554.fsf@ds4.des.no>
In-Reply-To: <679126918.20110922121706@serebryakov.spb.ru> (Lev Serebryakov's message of "Thu, 22 Sep 2011 12:17:06 +0400")
Subject: Re: pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility

Lev Serebryakov writes:
> But when "wheel" is in /etc/group with only "root" member (as all
> other members are in LDAP), system never takes "wheel" members from
> LDAP (because /etc/group has priority) and "su" doesn't work!

Did you try changing the priority in /etc/nsswitch.conf?

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Sep 23 02:34:48 2011
Date: Thu, 22 Sep 2011 22:19:41 -0400 (EDT)
From: Benjamin Kaduk
To: d@delphij.net
Cc: freebsd-security@freebsd.org
Subject: Re: PAM modules
In-Reply-To: <4E792DEF.30209@delphij.net>

On Tue, 20 Sep 2011, Xin LI wrote:
> On 09/20/11 15:51, Kostik Belousov wrote:
> [...]
>> Yes, the question of maintenance of the OpenLDAP code in the base
>> is not trivial by any means. I remember that openldap once broke
>> the ABI on its stable-like branch.
>
> That happened a few times; however, these are either not essential client
> library (libldap and liblber) API or it's not changing parameters or
> removing interfaces. Moreover, like the base libbsdxml.so, it's only
> intended to be used by the base system, so it's relatively easier to
> maintain ABI stability, e.g. we can probably just expose only symbols
> that we use, etc.

This is not without its own failures. For example, I sometimes find
myself wanting a kgetcred(1) from heimdal, but we do not build it as part
of our base heimdal. As a separate utility, this is not so bad; for a
library, things can get much more annoying. Only exposing a limited set of
symbols can make third-party tools that want extra symbols very sad,
unless it is easy to drop in a full version from ports and still have all
of base "just work". I do not quite think that the current state of ports
for ldap would "just work" without some extra configuration (though, nor
have I tried something like it).

-Ben Kaduk

From owner-freebsd-security@FreeBSD.ORG Fri Sep 23 10:07:11 2011
Message-ID: <4E7C5A49.9050507@delphij.net>
Date: Fri, 23 Sep 2011 03:07:05 -0700
From: Xin LI
Organization: The FreeBSD Project
To: Benjamin Kaduk
Cc: freebsd-security@freebsd.org, d@delphij.net
Subject: Re: PAM modules

On 09/22/11 19:19, Benjamin Kaduk wrote:
> On Tue, 20 Sep 2011, Xin LI wrote:
>> On 09/20/11 15:51, Kostik Belousov wrote:
>> [...]
>>> Yes, the question of maintenance of the OpenLDAP code in the
>>> base is not trivial by any means. I remember that openldap once
>>> broke the ABI on its stable-like branch.
>>
>> That happened a few times; however, these are either not essential
>> client library (libldap and liblber) API or it's not changing
>> parameters or removing interfaces. Moreover, like the base
>> libbsdxml.so, it's only intended to be used by the base system,
>> so it's relatively easier to maintain ABI stability, e.g. we can
>> probably just expose only symbols that we use, etc.
>
> This is not without its own failures. For example, I sometimes
> find myself wanting a kgetcred(1) from heimdal, but we do not build
> it as part of our base heimdal. As a separate utility, this is not
> so bad; for a library, things can get much more annoying. Only
> exposing a limited set of symbols can make third-party tools that
> want extra symbols very sad, unless it is easy to drop in a full
> version from ports and still have all of base "just work". I do
> not quite think that the current state of ports for ldap would
> "just work" without some extra configuration (though, nor have I
> tried something like it).

Third-party utilities should use the symbols provided by the port OpenLDAP
library, because base system symbols are namespaced and third-party
applications have no chance to reference them (e.g. no header installed,
etc.) unless they are part of the base system and built with it.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
From: Lev Serebryakov X-Priority: 3 (Normal) Message-ID: <964986730.20110923230802@serebryakov.spb.ru> To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= In-Reply-To: <86d3esy554.fsf@ds4.des.no> References: <679126918.20110922121706@serebryakov.spb.ru> <86d3esy554.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: pam_ldap and nss_ldap : checken and egg problem with "wheel" group and "su" utility X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Sep 2011 19:08:08 -0000 Hello, Dag-Erling. You wrote 22 =D1=81=D0=B5=D0=BD=D1=82=D1=8F=D0=B1=D1=80=D1=8F 2011 =D0=B3.,= 19:21:27: > Lev Serebryakov writes: >> But when "wheel" is in /etc/group with only "root" member (as all >> other members are in LDAP), system never takes "wheel" members from >> LDAP (because /etc/group has priority) and "su" doesn't work! > Did you try changing the priority in /etc/nsswitch.conf? It gives very long boot time, as nss_ldap waits for answer from non-started server, again and again, etc. 
--=20 // Black Lion AKA Lev Serebryakov From owner-freebsd-security@FreeBSD.ORG Sat Sep 24 12:03:33 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 82C101065675; Sat, 24 Sep 2011 12:03:33 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 43CD18FC18; Sat, 24 Sep 2011 12:03:33 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 793391FFC35; Sat, 24 Sep 2011 12:03:32 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 6506484498; Sat, 24 Sep 2011 14:03:32 +0200 (CEST) 
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Lev Serebryakov References: <679126918.20110922121706@serebryakov.spb.ru> <86d3esy554.fsf@ds4.des.no> <964986730.20110923230802@serebryakov.spb.ru> Date: Sat, 24 Sep 2011 14:03:32 +0200 In-Reply-To: <964986730.20110923230802@serebryakov.spb.ru> (Lev Serebryakov's message of "Fri, 23 Sep 2011 23:08:02 +0400") Message-ID: <86r5369mgb.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: pam_ldap and nss_ldap : checken and egg problem with "wheel" group and "su" utility X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Sep 2011 12:03:33 -0000 Lev Serebryakov writes: > Dag-Erling writes: > > Did you try changing the priority in /etc/nsswitch.conf? > It gives very long boot time, as nss_ldap waits for answer from > non-started server, again and again, etc. The only solution I can think of is to try to figure out how to reduce or eliminate this delay, because the system is doing exactly what you asked it to, i.e. treating /etc/group as authoritative and using LDAP only for groups it can't find there. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
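The wheel/su exchange between Lev Serebryakov and Dag-Erling Smørgrav above comes down to nsswitch lookup order: the first source that returns the group wins, so a "wheel" entry in /etc/group masks the LDAP membership, while putting ldap first makes every group lookup pay nss_ldap's reconnect attempts until the server is up. The following model is an added example, not code from the thread or from FreeBSD; the source names, the constructed group data and the fixed retry count are assumptions chosen to make the two failure modes visible.

```python
"""Model of how a FreeBSD nsswitch.conf "group:" line resolves the wheel group.

Constructed example data: a "files" source holding wheel = root only, an
"ldap" source holding the real membership, and a flag for whether the LDAP
server has started yet.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class SourceUnavailable(Exception):
    """The source could not be reached (e.g. the LDAP server is not running)."""


@dataclass
class GroupSource:
    name: str
    groups: Dict[str, List[str]]   # group name -> member list
    available: bool = True
    queries: int = 0               # how many times this source was contacted

    def getgrnam(self, group: str) -> Optional[List[str]]:
        self.queries += 1
        if not self.available:
            raise SourceUnavailable(self.name)
        return self.groups.get(group)


def lookup_group(order: List[GroupSource], group: str,
                 reconnect_tries: int = 3) -> Tuple[Optional[List[str]], int]:
    """Consult sources in nsswitch order; the first one that has the group wins.

    An unreachable source is retried reconnect_tries times before the lookup
    falls through to the next source (a stand-in for nss_ldap's reconnect
    loop, the "again and again" delay described in the thread).
    Returns (members or None, number of source contacts made).
    """
    attempts = 0
    for src in order:
        for _ in range(reconnect_tries):
            attempts += 1
            try:
                members = src.getgrnam(group)
            except SourceUnavailable:
                continue            # retry, then give up on this source
            if members is not None:
                return members, attempts
            break                   # reachable but no such group: next source
    return None, attempts


def su_wheel_check(order: List[GroupSource], user: str) -> Tuple[bool, int]:
    """su(1)-style check: is user a member of wheel under this lookup order?"""
    members, attempts = lookup_group(order, "wheel")
    return (members is not None and user in members), attempts


def make_sources(ldap_up: bool = True) -> Tuple[GroupSource, GroupSource]:
    """Constructed data: local wheel has only root, LDAP wheel also has lev."""
    files = GroupSource("files", {"wheel": ["root"], "operator": ["root"]})
    ldap = GroupSource("ldap", {"wheel": ["root", "lev"], "admins": ["lev"]},
                       available=ldap_up)
    return files, ldap


def scenario_files_first() -> Tuple[bool, int]:
    """group: files ldap -- /etc/group answers first, LDAP is never asked."""
    files, ldap = make_sources()
    return su_wheel_check([files, ldap], "lev")        # (False, 1)


def scenario_ldap_first() -> Tuple[bool, int]:
    """group: ldap files -- LDAP membership is honoured, su works for lev."""
    files, ldap = make_sources()
    return su_wheel_check([ldap, files], "lev")        # (True, 1)


def scenario_ldap_first_at_boot() -> Tuple[bool, int]:
    """group: ldap files while the server is down: every lookup, even for a
    purely local group, pays the reconnect attempts before /etc/group answers."""
    files, ldap = make_sources(ldap_up=False)
    return su_wheel_check([ldap, files], "lev")        # (False, 4)


if __name__ == "__main__":
    print("files ldap            :", scenario_files_first())
    print("ldap files            :", scenario_ldap_first())
    print("ldap files, LDAP down :", scenario_ldap_first_at_boot())
```

The third scenario is the boot-time cost Lev reports: with ldap listed first, a lookup of a group that only exists in /etc/group still contacts the unavailable LDAP source `reconnect_tries` times before falling through, and that cost is paid for every group lookup made while the server is down.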