From owner-freebsd-security@FreeBSD.ORG Mon Feb 6 14:00:03 2012
From: "Julian H. Stacey" <jhs@berklix.com>
Organization: http://www.berklix.com BSD Unix Linux Consultancy, Munich Germany
To: freebsd-security@freebsd.org
Cc: Kerstin Mende-Stief
Date: Mon, 06 Feb 2012 14:31:41 +0100
Message-Id: <201202061331.q16DVfb4061206@fire.js.berklix.net>
Subject: Code contribution: Further development of a Security Suite for Unix/Linux (Anoubis) (fwd)

Hi freebsd-security@freebsd.org,

"Kerstin Mende-Stief" (CC'd) posted this below to , there was no follow up on
http://lists.freebsd.org/pipermail/freebsd-hackers/2012-January/037603.html
& it is of more interest to this list, so forwarding.

Please retain: cc: "Kerstin Mende-Stief"

PS Kerstin, if no response from this freebsd-security@, try:
http://lists.freebsd.org/mailman/listinfo/freebsd-ports

Good luck Kerstin, nice of you to offer us free code :-)

Julian S
Forwarded from: "Julian Stacey" http://www.berklix.com/~jhs/

------- Forwarded Message

From owner-freebsd-hackers@freebsd.org Sun Jan 29 21:00:09 2012
From: Kerstin Mende-Stief
To: freebsd-hackers@freebsd.org
Date: Sun, 29 Jan 2012 20:42:24 +0100
Message-ID: <1327866144.19568.53.camel@pataplan.genua.de>

Hello,

I'm not quite sure if you are the right people to contact. I spoke to various BSD people at German open source events like OpenRheinRuhr, FrOSCon and Software Freedom Day and they recommended contacting this list first.

I want to make a code contribution. The code is available at Sourceforge and I am looking for a community that is willing and able to further develop the software.

The software is a security suite for Unix/Linux systems called Anoubis and contains several security stages like sandbox, secure filesystem, application level firewall and playground. It is written in C/C++ and published under the BSD licence. Available distros are, amongst others, OpenBSD and sources for generic kernels.

We at GeNUA developed the software suite on demand of a German Authority (Federal Office for Information Security) a couple of years ago. Unfortunately the project was stopped after a while for several reasons, and we, on the other hand, failed to build up a community to keep the project alive. The code was last updated in early 2010. The latest version of Anoubis is based on the kernel in OpenBSD 4.6.

It would be a great pity to waste the software and all the work we put in. So I think it is worth a try to ask you if you want to take the code and keep it up-to-date. Integrate it into FreeBSD (ports), keep it stand alone... just do what you want -- it doesn't matter as long as the code stays alive :)

Below are some links providing further information. Please let me know if you are interested in continuing the project. I ask you by preference, because we develop our solutions based on BSD and Anoubis would feel most comfortable in BSD environments further on :)

We at GeNUA would be available for answering questions and giving you support at the beginning of your work. So please do not hesitate to contact me for further information. I will be present at the GUUG Fruehjahrsfachgespraech in Munich in March, I'll be around at the CeBIT in Hannover and you can meet me at the Linuxtag in Berlin in May. My jabber ID is onlyk@jabber.ccc.de. Phone me, mail me..... find me :)

Thank you very much and I apologise if this post may have bothered you. But I'd be so glad if I could find somebody who takes the code and keeps it alive.

Best regards
Kerstin

Links:
http://www.anoubis.org/index_1_en.html
http://sourceforge.net/projects/anoubis/develop
https://www.bsi.bund.de/ContentBSI/Themen/ProdukteTools/Anoubis/Anoubis.html (German site)

--
Kerstin Mende-Stief
Technical Sales Private Enterprise
---------------------------------------------------------------
GeNUA (Gesellschaft fuer Netzwerk- und Unix-Administration) mbH
---------------------------------------------------------------
Domagkstr. 7, D-85551 Kirchheim bei Muenchen
Tel: +49 (89) 991950 107  Cel: +49 151 26426 107  Fax: +49 (89) 991950 999
Mail: Kerstin_Mende-Stief@GeNUA.de
---------------------------------------------------------------
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck
Amtsgericht Muenchen HRB 98238

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

------- End of Forwarded Message

From owner-freebsd-security@FreeBSD.ORG Wed Feb 8 12:45:09 2012
From: Patrick Proniewski <patpro@patpro.net>
To: Liste FreeBSD-security
Date: Wed, 8 Feb 2012 13:28:36 +0100
Message-Id: <277F2E3F-AB7F-491A-ABB5-9178B0AC44BB@patpro.net>
Subject: zfs noexec override, sort of.

Hi,

Not sure if it's a real security issue, or if it's a feature.

ZFS allows the admin to create noexec volumes, so that users won't be able to execute binaries sitting on these volumes. But as soon as one of these binaries is available on a snapshot, it becomes available for the user to execute:

# zfs create tank/test-exec
# ls
test-exec
# zfs get -r exec tank/test-exec
NAME            PROPERTY  VALUE  SOURCE
tank/test-exec  exec      off    local
# cp /bin/ls /tank/test-exec/
# /tank/test-exec/ls
bash: /tank/test-exec/ls: Permission denied
# zfs snapshot tank/test-exec@noexec
# zfs get -r exec tank/test-exec
NAME                   PROPERTY  VALUE  SOURCE
tank/test-exec         exec      off    local
tank/test-exec@noexec  exec      off    inherited from tank/test-exec
# /tank/test-exec/.zfs/snapshot/noexec/ls
test-exec

Once the snapshot is accessed, it's mounted automatically, and gets back an exec=on property:

# zfs get -r exec tank/test-exec
NAME                   PROPERTY  VALUE  SOURCE
tank/test-exec         exec      off    local
tank/test-exec@noexec  exec      on     temporary

So it makes it very easy for a user to install and use binaries on a shared server where (for example) every home is a ZFS volume with daily snapshots.

regards,
patpro
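The behaviour Patrick describes leaves a visible trace: the auto-mounted snapshot shows up in `zfs get -r exec` with VALUE `on` and SOURCE `temporary` while its parent dataset still says `off`. The script below is an added example (not part of the thread and not from any ZFS tool) that turns that observation into an audit check: it parses `zfs get` output in the column format shown in the post and reports every snapshot whose exec value has drifted to `on` under an exec=off dataset. The `SAMPLE_ZFS_GET` text is constructed to mirror the session above plus a normal exec=on home dataset that must not be flagged; when a dataset name is passed as the first argument and a `zfs` binary exists, the real property listing is read instead.

```sh
#!/bin/sh
# Added example: detect snapshots of an exec=off ZFS dataset whose
# auto-mounted snapshot reports exec=on (source "temporary").
# Not from the original thread; SAMPLE_ZFS_GET is constructed test input
# in the same column layout as `zfs get -r exec <dataset>`.

SAMPLE_ZFS_GET='NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
tank/test-exec@noexec exec on temporary
tank/test-exec@old exec off inherited from tank/test-exec
tank/home exec on local
tank/home@daily exec on inherited from tank/home'

# find_exec_override: read `zfs get` lines (NAME PROPERTY VALUE SOURCE,
# header optional, whitespace- or tab-separated) on stdin and print one
# line per snapshot that reports exec=on although its parent dataset has
# exec=off. Parents are collected first so line order does not matter.
find_exec_override() {
    awk '
        $1 == "NAME" { next }                 # skip the column header
        {
            name[NR] = $1; val[NR] = $3
            src = $4                          # SOURCE may contain spaces
            for (k = 5; k <= NF; k++) src = src " " $k
            source[NR] = src
            if (index($1, "@") == 0) parent[$1] = $3   # plain dataset
        }
        END {
            for (i = 1; i <= NR; i++) {
                n = name[i]
                if ((at = index(n, "@")) == 0) continue # not a snapshot
                ds = substr(n, 1, at - 1)
                if (parent[ds] == "off" && val[i] == "on")
                    printf "%s exec=%s (%s) overrides %s exec=off\n",
                           n, val[i], source[i], ds
            }
        }'
}

# Usage: ./zfs-exec-audit.sh [dataset]
# With a dataset and a zfs binary, audit the live pool; otherwise run the
# constructed sample so the script demonstrates itself offline.
if [ -n "${1:-}" ] && command -v zfs >/dev/null 2>&1; then
    zfs get -r -H -t filesystem,snapshot exec "$1" | find_exec_override
else
    printf '%s\n' "$SAMPLE_ZFS_GET" | find_exec_override
fi
```

On the sample input only `tank/test-exec@noexec` is reported; the snapshot that still inherits `off` and the snapshots of an exec=on dataset stay silent. Run periodically (or after users have browsed `.zfs/snapshot`), the list names exactly those mounts whose noexec intent has been lost.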