From owner-freebsd-security@FreeBSD.ORG Sun May 13 05:37:28 2012
From: mahdieh salamat
To: freebsd-security@freebsd.org
Date: Sat, 12 May 2012 22:37:28 -0700
Subject: HSM in Freebsd

Hi all. I want to use an HSM PC card for security in my system. Can I use it in FreeBSD? Does FreeBSD support these cards?
Thanks

From owner-freebsd-security@FreeBSD.ORG Sun May 13 05:58:05 2012
From: mahdieh salamat
To: freebsd-security@freebsd.org
Date: Sat, 12 May 2012 22:58:04 -0700
Subject: HSM in FreeBSD

Hi all. I want to use an HSM PC card for security in my system. Can I use it in FreeBSD? Does FreeBSD support these cards?
Thanks

From owner-freebsd-security@FreeBSD.ORG Sun May 13 06:07:07 2012
From: mahdieh salamat
To: freebsd-security@freebsd.org
Date: Sat, 12 May 2012 23:07:06 -0700
Subject: HSM in FreeBSD

Hi all. I want to use an HSM PC card for security in my system. Can I use it in FreeBSD?
Does FreeBSD support these cards?
Thanks

From owner-freebsd-security@FreeBSD.ORG Sun May 13 07:39:22 2012
From: Matthew Seaman
To: mahdieh salamat
Cc: freebsd-security@FreeBSD.org
Date: Sun, 13 May 2012 08:39:07 +0100
Message-ID: <4FAF651B.6090407@FreeBSD.org>
Subject: Re: HSM in FreeBSD
On 13/05/2012 06:58, mahdieh salamat wrote:
> Hi all. I want to use a HSM pc card for security in my system. Can I use it
> in FreeBSD? FreeBSD support this cards?

I take it you mean a 'Hardware Security Module' and not 'Hierarchical Storage Management'?

You'd have to tell us the make and model number of the card (ideally with pointers to the manufacturer's website showing technical specs if you can.) Hardware is not generally supported by specific function, but per manufacturer or per chipset. Also, there's no guarantee that all the functions of a particular card are supported, but once we've pinned down what drivers etc. will be used for that hardware, the documentation should cover that.

Having said that, I believe that OpenSSL provides an API for accessing many of these sorts of devices, so if OpenSSL supports it, then you're probably in luck. A keyword here is 'cryptoki' (meaning cryptographic token interface) -- that's the standard that OpenSSL implements.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

From owner-freebsd-security@FreeBSD.ORG Sun May 13 13:04:08 2012
From: mahdieh salamat
To: freebsd-security@freebsd.org
Date: Sun, 13 May 2012 06:04:06 -0700
Subject: Single user mode

Hi everybody. I have a question about single user mode in FreeBSD. Security is so important for me. I want to know: if someone doesn't know my root password, can they still get access to it? In other words, our FreeBSD doesn't have the FreeBSD boot loader menu; we deleted it for our users because of security. I want to know whether there is any other way, except the boot loader menu, for our users to get access to our root password.
Thanks

From owner-freebsd-security@FreeBSD.ORG Sun May 13 13:23:27 2012
From: "thetollingbell@lavabit.com"
To: freebsd-security-request@freebsd.org, freebsd-security@freebsd.org
Date: Sun, 13 May 2012 12:53:57 GMT
Message-Id: <20120513125411.2C8DE11BCB6@karen.lavabit.com>
Content-Transfer-Encoding: base64
Subject: Re: freebsd-security Digest, Vol 412, Issue 2

[base64-encoded body not reproduced]
From owner-freebsd-security@FreeBSD.ORG Sun May 13 13:31:08 2012
From: Sergio Tam
To: freebsd-security@freebsd.org
Cc: mahdieh salamat
Date: Sun, 13 May 2012 08:31:06 -0500
Subject: Re: Single user mode

2012/5/13 mahdieh salamat:
> Hi everybody. I have a question about single user mode in FreeBSD. Security
> is so important for me. I want to know that if someone don't know my root's
> password can access to it? In other words in our FreeBSD we don't have
> FreeBSD boot loader menu, we delete it for our users because of security. I
> want to know is there any other way except boot loader menu for our user to
> access to our root's password?
> Thanks

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/boot-init.html

13.6.2 Single-User Mode
If the system console is set to insecure in /etc/ttys, then the system prompts for the root password before initiating single-user mode

Regards.

From owner-freebsd-security@FreeBSD.ORG Sun May 13 14:36:14 2012
From: Vahid Shokouhi
To: mahdieh salamat
Cc: freebsd-security@freebsd.org
Date: Sun, 13 May 2012 17:33:40 +0400
Message-ID: <7439f3d4019914591b036aa45cfd75e7@vahid-shokouhi.net>
Subject: Re: Single user mode

Hi
Yes, it is possible to gain access via single-user, but single-user mode is for the root user to configure something as he likes; but if the machine is accessible to others, you need to edit "/etc/tty" to prompt for a password in single user mode, although keep in mind that anyone with physical access to the machine can still retrieve your data through various methods.
In /etc/tty note the "secure" term, which actually has a different meaning. It means that you consider, for example, "console" as a secure mode; so you have to change it to "insecure".
After rebooting and entering single user mode, you will be prompted for a password to get to the shell prompt.

On 2012-05-13 17:04, mahdieh salamat wrote:
> Hi everybody. I have a question about single user mode in FreeBSD. Security
> is so important for me. I want to know that if someone don't know my root's
> password can access to it? In other words in our FreeBSD we don't have
> FreeBSD boot loader menu, we delete it for our users because of security. I
> want to know is there any other way except boot loader menu for our user to
> access to our root's password?
> Thanks

From owner-freebsd-security@FreeBSD.ORG Sun May 13 15:24:43 2012
From: st41ker@st41ker.net
To: freebsd-security@freebsd.org
Date: Sun, 13 May 2012 18:19:23 +0300
Message-ID: <4FAFD0FB.8060502@st41ker.net>
In-Reply-To: <7439f3d4019914591b036aa45cfd75e7@vahid-shokouhi.net>
Subject: Re: Single user mode

Sorry, but I just have to post the following link here:
http://technet.microsoft.com/en-us/library/cc722487.aspx

On 13.05.2012 16:33, Vahid Shokouhi wrote:
>
> Hi
> Yes, it is possible to gain access via single-user, but single-user
> mode is for root user to configure something as he likes; but if the
> machine is accessible for others, you need to edit "/etc/tty" to
> prompt for a password in single user mode, although keep in mind
> anyone with physical access to the machine can still retrieve your
> data through various methods.
> in /etc/tty note "secure" term which actually has different meaning.
> It means that you consider, for example "console" as a secure mode; so
> you have to change it to "insecure".
> After rebooting and entering single user mode, you will be prompted
> for a password to get to the shell prompt.
>
> On 2012-05-13 17:04, mahdieh salamat wrote:
>> Hi everybody. I have a question about single user mode in FreeBSD.
>> Security is so important for me. I want to know that if someone don't
>> know my root's password can access to it? In other words in our FreeBSD
>> we don't have FreeBSD boot loader menu, we delete it for our users
>> because of security. I want to know is there any other way except boot
>> loader menu for our user to access to our root's password?
>> Thanks

-- 
Thanks,
St41ker.
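Sergio's and Vahid's replies above both come down to the keyword on the console entry of /etc/ttys. As an added example, not code from any post in this thread, here is a POSIX sh audit that reports that keyword for a ttys file and writes a hardened copy with secure changed to insecure on the console entry only; the function names are mine, and the sample file is constructed to resemble a stock /etc/ttys rather than taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden the /etc/ttys setting
# the replies describe. Per ttys(5), each entry has the layout
#   name  getty-command  type  status  [secure|insecure] [window=...] [group=...]
# init(8) skips the root-password prompt before the single-user shell only when
# the "console" entry carries the literal keyword "secure"; "insecure" (or no
# keyword at all) makes it prompt, provided root's password is non-empty.

# Print the state of the console entry in the ttys file given as $1:
#   "secure"   - single-user shell without a password prompt (weak)
#   "insecure" - root password required (hardened)
#   "missing"  - no console entry in the file
console_flag() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "console" {
            state = "insecure"                  # no keyword behaves like insecure
            for (i = 5; i <= NF; i++)
                if ($i == "secure") state = "secure"
            print state
            found = 1
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Succeeds (exit 0) when single-user mode on this ttys file is password protected.
single_user_protected() {
    [ "$(console_flag "$1")" = "insecure" ]
}

# Write a hardened copy of $1 to $2: only the console entry's "secure" keyword
# becomes "insecure"; every other line, including comments, is left untouched.
harden_ttys() {
    sed -E 's/^(console[[:space:]]+.*[[:space:]])secure([[:space:]]|$)/\1insecure\2/' "$1" > "$2"
}

# Constructed sample resembling a stock FreeBSD /etc/ttys (not a real file).
WEAK_TTYS="${TMPDIR:-/tmp}/ttys.weak.$$"
HARD_TTYS="${TMPDIR:-/tmp}/ttys.hardened.$$"
trap 'rm -f "$WEAK_TTYS" "$HARD_TTYS"' EXIT
cat > "$WEAK_TTYS" <<'EOF'
# name    getty                           type    status          comments
#
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv1   "/usr/libexec/getty Pc"         xterm   on  secure
ttyu0   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
EOF

harden_ttys "$WEAK_TTYS" "$HARD_TTYS"

printf 'before: console is %s\n' "$(console_flag "$WEAK_TTYS")"   # secure
printf 'after:  console is %s\n' "$(console_flag "$HARD_TTYS")"   # insecure
```

The keyword only controls the prompt; as Vahid notes, anyone who can boot other media on the box can still read the disk, so this is a console-access control, not a substitute for physical security or disk encryption.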
From: Oliver Pinter
To: mahdieh salamat
Cc: freebsd-security@freebsd.org
Date: Mon, 14 May 2012 03:08:00 +0200
Subject: Re: HSM in Freebsd

http://www.trustedcomputinggroup.org/resources/bsssd_trusted_computing_now_available_for_freebsd_and_openbsd

On 5/13/12, mahdieh salamat wrote:
> Hi all. I want to use an HSM PC card for security in my system. Can I use it in FreeBSD? Does FreeBSD support these cards?
> Thanks

From: Lev Serebryakov
To: Oliver Pinter
Cc: mahdieh salamat, freebsd-security@freebsd.org
Date: Mon, 14 May 2012 12:03:21 +0400
Subject: Re: HSM in Freebsd

Hello, Oliver. You wrote on 14 May 2012, 5:08:00:

OP> http://www.trustedcomputinggroup.org/resources/bsssd_trusted_computing_now_available_for_freebsd_and_openbsd

Wow!
Do we need this in the base system? Especially the TPM driver? In my experience (both as a user and as a driver author), it is a pain in the ass to have 3rd-party modules/drivers in the system.

--
// Black Lion AKA Lev Serebryakov

From: Oliver Pinter
To: Lev Serebryakov
Cc: mahdieh salamat, Eric McCorkle, freebsd-security@freebsd.org
Date: Tue, 15 May 2012 00:09:16 +0200
Subject: Re: HSM in Freebsd

On 5/14/12, Lev Serebryakov wrote:
> Hello, Oliver. You wrote on 14 May 2012, 5:08:00:
>
> OP> http://www.trustedcomputinggroup.org/resources/bsssd_trusted_computing_now_available_for_freebsd_and_openbsd
>
> Wow! Do we need this in the base system? Especially the TPM driver? In my experience (both as a user and as a driver author), it is a pain in the ass to have 3rd-party modules/drivers in the system.

Hi Lev!

I would like to see this and the dependent parts of TPM in the base system. I do not yet have a TPM chip to test it, but I plan to purchase one in the near future.

Some parts of bsssd are already in ports:

/usr/ports/emulators/tpm-emulator
/usr/ports/security/openssl_tpm_engine
/usr/ports/security/tpm-tools
/usr/ports/security/tpmmanager
/usr/ports/security/opencryptoki
/usr/ports/security/trousers

I think in future the loader should be extended to support the TPM, and that probably depends on EFI things.

> --
> // Black Lion AKA Lev Serebryakov

From: mahdieh salamat
To: freebsd-security@freebsd.org
Date: Tue, 15 May 2012 01:40:11 -0700
Subject: Fwd: Single user mode
Thanks all, I have another question. Certainly you see this message at FreeBSD startup: "Hit [Enter] to boot immediately, or any other key for command prompt." After seeing it, if you press any key you enter another mode, and if you type '?' you can see the list of commands. I want to remove this mode; it's so important that a user can't access this mode. Who can help me? Thanks

---------- Forwarded message ----------
From: mahdieh salamat
Date: Mon, May 14, 2012 at 4:29 AM
Subject: Re: Single user mode
To: Vahid Shokouhi

I really thank you, it's a really perfect forum. I searched more and more to find a Persian website about FreeBSD; now I have found it. Thank you.

On Mon, May 14, 2012 at 2:33 AM, Vahid Shokouhi wrote:
> You are most welcome.
>
> [I don't know if you know this place; assuming you don't, I'll let you know]:
>
> www.imenpardis.com
>
> This site, which is actually for the "Imen Pardis" company, is owned by Mr. Babak Farrokhi, who is a famous port maintainer in the FreeBSD project (the only person in the Middle East), and author of a great book on FreeBSD administration. He is a guru in the whole Unix family: Unix, Solaris, BSD, Linux; you can google his name and get some info about him. He is a well-known Unix expert in the world.
> You can join its forum and ask your questions and also help others solve their problems. I don't know all the people in the forum, but as Mr. Farrokhi is always supportive and available to answer your questions, you can get the right answer from the right person. If I know one word in FreeBSD, he knows thousands.
>
> Regards
>
> On 2012-05-14 13:08, mahdieh salamat wrote:
>> Thanks dear Vahid, it was so useful for me. I will edit /etc/tty.
>> Thanks a lot
>>
>> On Sun, May 13, 2012 at 11:58 PM, Vahid Shokouhi wrote:
>>> Hi
>>>
>>> Well, there are 2 approaches to any machine's security. First, you have a fresh machine and it's supposed to be only for you; second, you are the admin of a machine which others have access to for their work purposes. Your question seems close to the first scenario.
>>>
>>> As I wrote before, yes, it's possible (by default) that any user gains access to your machine's resources in single-user mode; so we talked about editing /etc/tty. The other place which needs to be taken care of is /ETC/LOGIN.ACCESS; every time a user wants to log in, FreeBSD checks this file and its rules. By default there is NO rule defined, which means NO restriction on logging in. You can configure this file in 2 ways [like a switch's and router's ACL]: you can use "permit-based" rules, in which you first permit specific user(s) and then deny others. And you can use "deny-based" rules, in which you deny ALL and then permit someone. You should be familiar with the syntax and format of this file; for example it uses "+" to give access and "-" to reject access. For example:
>>>
>>> The following is "permit-based"; it gives the "wheel" group console access and rejects the others (ALL). Note the "+" & "-":
>>>
>>> +:WHEEL: CONSOLE
>>> -:ALL:CONSOLE
>>>
>>> The following is "deny-based". Note the syntax of how "permit" is given:
>>>
>>> -:ALL EXCEPT WHEEL: CONSOLE [EXCEPT is the permit definer]
>>>
>>> The second format is more preferred and recommended; it is both short and somehow more secure.
>>>
>>> Anyway, this is for the 1st situation, where the machine is only yours, and you can protect your machine by imposing some physical-access rules. But in the real world you have to deal with the second condition. Then you have to focus on many things: limiting users' use of any resource by editing /ETC/LOGIN.CONF, the permissions of files, the flags, clearing your machine of unknown/unnecessary users (daemons), using jail and so on.
>>>
>>> I hope it is helpful for you and gives you some hints on securing.
>>>
>>> If there is any question, please feel free and don't hesitate to ask.
>>>
>>> Regards
>>>
>>> Vahid Shokouhi
>>>
>>> On 2012-05-14 09:53, mahdieh salamat wrote:
>>>> Thanks for your help, it was so useful. I want to know, when a user is using a machine and he/she doesn't have the root password, can he/she access it? For example by single-user mode or other modes?
>>>>
>>>> On Sun, May 13, 2012 at 6:33 AM, Vahid Shokouhi wrote:
>>>>> Hi
>>>>> Yes, it is possible to gain access via single-user, but single-user mode is for the root user to configure something as he likes; but if the machine is accessible to others, you need to edit "/etc/tty" to prompt for a password in single-user mode, although keep in mind anyone with physical access to the machine can still retrieve your data through various methods.
>>>>> In /etc/tty note the "secure" term, which actually has a different meaning. It means that you consider, for example, "console" as secure; so you have to change it to "insecure".
>>>>> After rebooting and entering single-user mode, you will be prompted for a password to get to the shell prompt.
>>>>>
>>>>> On 2012-05-13 17:04, mahdieh salamat wrote:
>>>>>> Hi everybody. I have a question about single-user mode in FreeBSD. Security is so important for me. I want to know whether someone who doesn't know my root password can access it. In other words, in our FreeBSD we don't have the FreeBSD boot loader menu; we deleted it for our users because of security. I want to know whether there is any other way, except the boot loader menu, for our users to access our root password?
>>>>>> Thanks

From: Vahid Shokouhi
To: mahdieh salamat
Cc: Freebsd Security
Date: Tue, 15 May 2012 13:53:16 +0400
Subject: Re: Fwd: Single user mode

Hi

The mode that you mentioned only has some basic commands to bring up your machine somehow customized. If you worry about the result of misuse of this mode by someone else, note that running command(s) in this mode results in temporary changes only in THIS boot; which means you can remove/undo the changes by rebooting your machine. There is no direct way to jump over this mode. But you can modify /BOOT/LOADER.CONF in the "autoboot_delay=" part. This parameter determines the wait time in seconds before booting immediately. It seems that if we set this value to "0" then it could pass this part and could not be interrupted; but for some historical reason, it is possible to interrupt auto-boot even with "0". So, it is recommended to set this value to "-1". You can make some changes to some file or use some tool to customize this menu's behavior, but the following solution seems easier.

Regards
V.Sh

On 2012-05-15 12:40, mahdieh salamat wrote:
> Thanks all, I have another question. Certainly you see this message at FreeBSD startup: "Hit [Enter] to boot immediately, or any other key for command prompt."
> After seeing it, if you press any key you enter another mode, and if you type '?'
> you can see the list of commands. I want to remove this mode; it's so important that a user can't access this mode.
> Who can help me?
> Thanks

From: Wout Decré
To: mahdieh salamat
References: <7439f3d4019914591b036aa45cfd75e7@vahid-shokouhi.net> <40e269c44ec592d0ce3e2d85fd8a032d@vahid-shokouhi.net> Content-Type: text/plain; charset="UTF-8" Organization: Canodus Date: Tue, 15 May 2012 10:52:54 +0200 Message-ID: <1337071974.2352.1.camel@debian.wout-thinkpad> Mime-Version: 1.0 X-Mailer: Evolution 2.30.3 Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 15 May 2012 11:11:26 +0000 Cc: freebsd-security@freebsd.org Subject: Re: Fwd: Single user mode X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 May 2012 08:57:21 -0000 On Tue, 2012-05-15 at 01:40 -0700, mahdieh salamat wrote: > Thanks all,I have an other question.certainly you see this message in > startup FreeBSD:"Hit [Enter] to boot immediately, or any other key for > command prompt." > after see it if press any key you enter to an other mode and if you type > '?' you can see the lists of commands.I want to remove this mode,It's so > important that a user can't accss to this mode. Set autoboot_delay="-1" in /boot/loader.conf. See /boot/defaults/loader.conf for more information. > Who can help me? > Thanks > > > > ---------- Forwarded message ---------- > From: mahdieh salamat > Date: Mon, May 14, 2012 at 4:29 AM > Subject: Re: Single user mode > To: Vahid Shokouhi > > > I really thank you,it's a really perfect forum,I searched more and more to > find a persian website about FreeBSD,now i find it.Thank you > > > On Mon, May 14, 2012 at 2:33 AM, Vahid Shokouhi wrote: > > > You are most welcome. 
> > > > [I don't know if you know this place, assuming you don't know, I let you > > know] : > > > > www.imenpardis.com > > > > This site which is actually for "Imen Pardis" company, is owned by > > Mr.Babak Farrokhi, who is a famous port-maintainer in freeBSD project (The > > only person in the middle east), and author of a great book on FreeBSD > > administration. He is a guru in all Unix family: Unix, Solaris, BDS, Linux > > ; you can google his name and get some info about him. He is a well-known > > Unix expert in the world. > > You can join its forum and can ask your question and also help others > > solve their problem. I don't know all people in the forum, but as > > Mr.Farrokhi is always supportive and available to answer your question, you > > can get the right answer from the right person. If I know one word in > > FreeBSD, he knows thousands.. > > > > Regards > > > > > > > > > > > > > > > > > > > > On 2012-05-14 13:08, mahdieh salamat wrote: > > > >> thanks dear vahid,it was so useful for me.I will edit /etc/tty. > >> Thanks alot > >> > >> On Sun, May 13, 2012 at 11:58 PM, Vahid Shokouhi > >> wrote: > >> > >> Hi > >>> > >>> Well, there are 2 approaches to any machine security. First, You > >>> have a fresh machine and it's supposed to be only for you; second, > >>> you are admin of a machine which others have access to machine for > >>> their work purpose. Your question seems close to first scenario. > >>> > >>> As I wrote before, yes it's possible (by default) that any user > >>> gain access to your machine resources in single-user mode; so we > >>> talked about editing /etc/tty. The other place which needs to be > >>> take caring of, is /ETC/LOGIN.ACCESS ; every time a user wants to > >>> > >>> log in, FreeBSD check this files and it's rules. By default there > >>> > >> is > >> > >>> NO rule defined which means NO restriction to log in. 
You can > >>> > >> config > >> > >>> this file in 2 ways : [like switch and router's ACL] ; you can use > >>> "_permit-based_" rules - in which you first permit specific user(s) > >>> and then deny others. And you can _"deny-based_" rules - in which > >>> > >>> you deny ALL and then permit some one. You should be familiar with > >>> syntax and format of this file, for example it uses "+" to give > >>> access and "-" to reject access. For example : > >>> > >>> > >>> > >>> The following is "permit-based"; it gives "wheel" group console > >>> access and rejects the others (ALL). note the "+" & "-" > >>> > >>> +:WHEEL: CONSOLE > >>> -:ALL:CONSOLE > >>> > >>> > >>> The following is "deny-based". note the syntax that how "permit" is > >>> given: > >>> > >>> -:ALL EXCEPT WHEEL: CONSOLE [EXCEPT is permit definer] > >>> > >>> > >>> > >>> > >>> The second format is more preferred and recommended it is both > >>> short and somehow more secure. > >>> > >>> > >>> > >>> > >>> > >>> Anyway, this is for 1st situation that the machine is only yours; > >>> and you can protect your machine with implying some physical-access > >>> rules. But in real world you have to deal the second condition. > >>> > >> Then > >> > >>> you have to focus on many things: limiting users to use any > >>> > >> resource > >> > >>> by editing /ETC/LOGIN.CONF , the permission of files, the flags, > >>> > >>> clearing your machine from unknown/unnecessary users (daemons), > >>> using jail and so on.. > >>> > >>> > >>> > >>> I hope it is helpful for you and give you some hints on securing. > >>> > >>> > >>> > >>> If there is any question, please feel free and don't hesitate to > >>> ask. 
> >>> > >>> > >>> > >>> Regards > >>> > >>> Vahid Shokouhi > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> On 2012-05-14 09:53, mahdieh salamat wrote: > >>> > >>>> Thanks for yor help, it was so useful, I want to know that when a > >>>> > >>> user > >>> > >>>> is using a machine and he/she doesn't has root's password, can > >>>> > >>> he/she > >>> > >>>> access to it? for example by single user mode or other modes? > >>>> > >>>> On Sun, May 13, 2012 at 6:33 AM, Vahid Shokouhi > >>>> wrote: > >>>> > >>>> Hi > >>>>> Yes, it is possible to gain access via single-user, but > >>>>> single-user mode is for root user to configure something as he > >>>>> likes; but if the machine is accessible for others, you need to > >>>>> > >>>> edit > >>>> > >>>>> "/etc/tty" to prompt for a password in single user mode, > >>>>> > >>>> although > >>> > >>>> keep in mind anyone with physical access to the machine can > >>>>> > >>>> still > >>> > >>>> retrieve your data through various methods. > >>>>> in /etc/tty note "secure" term which actually has different > >>>>> meaning. It means that you consider, for example "console" as a > >>>>> secure mode; so you have to change it to "insecure". > >>>>> After rebooting and entering single user mode, you will be > >>>>> prompted for a password to get to the shell prompt. > >>>>> > >>>>> On 2012-05-13 17:04, mahdieh salamat wrote: > >>>>> > >>>>> Hi everybody. I have a question about single user mode in > >>>>>> FreeBSD. Security > >>>>>> is so important for me. I want to know that if someone don't > >>>>>> know my root's > >>>>>> password can access to it? In other words in our FreeBSD we > >>>>>> don't have > >>>>>> FreeBSD boot loader menu, we delete it for our users becouse of > >>>>>> security. I > >>>>>> want to know is there any other way except boot loader menu for > >>>>>> our user to > >>>>>> access to our root's password? 
> >>>>>> Thanks > >>>>>> ______________________________**_________________ > >>>>>> freebsd-security@freebsd.org [1] mailing list > >>>>>> http://lists.freebsd.org/**mailman/listinfo/freebsd-**security[2] > >>>>>> To unsubscribe, send any mail to > >>>>>> "freebsd-security-unsubscribe@**freebsd.org[3]" > >>>>>> > >>>>> > >>>> > >>>> > >>>> Links: > >>>> ------ > >>>> [1] mailto:freebsd-security@**freebsd.org > >>>> [2] http://lists.freebsd.org/**mailman/listinfo/freebsd-**security > >>>> [3] mailto:freebsd-security-**unsubscribe@freebsd.org > >>>> [4] mailto:vahid@vahid-shokouhi.**net > >>>> > >>> > >>> > >>> > >> > >> > >> > >> Links: > >> ------ > >> [1] mailto:vahid@vahid-shokouhi.**net > >> > > > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Tue May 15 11:24:03 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 94DB8106566C for ; Tue, 15 May 2012 11:24:03 +0000 (UTC) (envelope-from matt@chronos.org.uk) Received: from chronos.org.uk (chronos-pt.tunnel.tserv5.lon1.ipv6.he.net [IPv6:2001:470:1f08:12b::2]) by mx1.freebsd.org (Postfix) with ESMTP id DE70A8FC0A for ; Tue, 15 May 2012 11:24:02 +0000 (UTC) Received: from workstation1.localnet (workstation1.local.chronos.org.uk [IPv6:2001:470:1f09:12b::20]) (authenticated bits=0) by chronos.org.uk (8.14.5/8.14.5) with ESMTP id q4FBNxdv074947 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 15 May 2012 12:23:59 +0100 (BST) (envelope-from matt@chronos.org.uk) X-DKIM: OpenDKIM Filter v2.5.2 chronos.org.uk q4FBNxdv074947 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=chronos.org.uk; s=mail; t=1337081039; 
From: Matt Dawson <matt@chronos.org.uk>
To: freebsd-security@freebsd.org
Date: Tue, 15 May 2012 12:23:56 +0100
Subject: Re: Fwd: Single user mode

On Tuesday 15 May 2012 10:53:16 Vahid Shokouhi wrote:
> note that running command(s) in this mode results in temporary
> changes only in THIS boot; which means you can remove/undo changes
> by rebooting your machine.

Utter tosh. After (re)mounting you have as much access to the local
filesystems as you would from a root prompt, and such configuration
changes are permanent.

Rule 1 of security applies whatever OS you're running: if someone else
can access your system then it's not your system any more. Physical
security can be as important as electronic. If you're worried about
local opportunists messing about with your systems:

1) Password protect the boot in the NVRAM so that even a power cycle/
   hard reset disables opportunistic access;
2) Disable the three fingered salute reboot in syscons (options
   SC_DISABLE_REBOOT in the kernconf);
3) Set the console as insecure;
4) Disable dropping to loader in the beastie menu;
5) Lock the damned door.

None of this is foolproof: 1 can be overridden by clearing the NVRAM
with the good old Mk1 shorting jumper, 2 is defeated by a hard reset,
3/4 can be defeated by using a live system that can read UFS (Frenzy
springs to mind) and 5 with a prybar. If you need that level of
security, geli full FS encryption is your only option. If someone
*really* wants in and has access to the machine you'll have a hard time
keeping him out.

You may also want "Beware of the leopard" on the machine room door along
with a hungry rottweiler (if you're concerned with accuracy of signage,
paint him) and a few bored gorillas in security suits. Alternatively,
disguise the server as a crippled old 386 with a couple of 7segs on the
front panel displaying "25" and the turbo LED on in a dusty corner with
an old EPROM burner on the desk and a few 2732s scattered about - nobody
is going to pay that dinosaur any attention whatsoever.
-- 
Matt Dawson
GW0VNR
MTD15-RIPE

From owner-freebsd-security@FreeBSD.ORG Wed May 16 09:06:02 2012
From: Tom Evans <tevans.uk@googlemail.com>
To: mahdieh salamat
Cc: freebsd-security@freebsd.org
Date: Wed, 16 May 2012 10:06:01 +0100
Subject: Re: Single user mode

On Tue, May 15, 2012 at 9:40 AM, mahdieh salamat wrote:
> Thanks all, I have another question. Certainly you see this message when
> FreeBSD starts up: "Hit [Enter] to boot immediately, or any other key for
> command prompt."
> After seeing it, if you press any key you enter another mode, and if you
> type '?' you can see the list of commands. I want to remove this mode. It's
> so important that a user can't access this mode.
> Who can help me?
> Thanks
>

If your users have physical access to the machine then it is difficult to
prevent them from booting from alternate media - a USB key, a CD - mounting
your disks and changing the root password. Actually, I would add a separate
root user (toor2), as the root password changing is somewhat detectable.

You can fix boot order in the BIOS, but a BIOS can be reset simply by
removing the BIOS battery briefly. In addition to that, many BIOS will also
offer a boot menu option - which cannot be disabled - allowing the user to
choose which device to boot from without entering the BIOS.
Cheers

Tom

From owner-freebsd-security@FreeBSD.ORG Wed May 16 10:28:51 2012
From: Fabian Wenk <fabian@wenks.ch>
To: freebsd-security@freebsd.org
Date: Wed, 16 May 2012 12:28:47 +0200
Subject: Re: Single user mode

Hello

On 16.05.2012 11:06, Tom Evans wrote:
> You can fix boot order in the BIOS, but a BIOS can be reset simply by
> removing the BIOS battery briefly. In addition to that, many BIOS will
> also offer a boot menu option - which cannot be disabled - allowing
> the user to choose which device to boot from without entering the
> BIOS.

In addition you should use computer cases which can be prevented from
opening with a padlock, so removing the hard disk or resetting the BIOS
needs a lot more effort. Also you should chain the computer to something
which is fixed to the building, so it can not be removed easily.

I do know student computer rooms with Linux workstations which are
"protected" with these measures. But there is also regular system
monitoring in place, and if a system goes down unexpectedly, you will
know it and can do something about it.

bye
Fabian
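The software side of this thread (Vahid's "insecure" console entry so that single-user mode asks for the root password, Matt's SC_DISABLE_REBOOT kernel option, keeping users out of the loader menu, and geli full-filesystem encryption as the only real answer to physical access) can be audited from a few configuration files. The script below is an added example written for this page; it is not code from any of the posters or from the FreeBSD project. It parses copies of /etc/ttys, /boot/loader.conf, a kernel config and /etc/fstab so it can run anywhere, and it assumes the ttys(5) status-field layout, the loader(8) variables beastie_disable and autoboot_delay (setting the latter to -1 stops a keystroke from interrupting autoboot, which is what the "Hit [Enter] to boot immediately" prompt offers), and the geli convention that an encrypted provider's name ends in .eli. The sample files it writes are constructed for the demo, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit the physical-access hardening
# settings discussed above by parsing copies of the relevant files.
#   /etc/ttys          "console" marked insecure  -> single-user asks for root's password
#   /boot/loader.conf  beastie_disable="YES" and autoboot_delay="-1" -> no loader prompt
#   kernel config      options SC_DISABLE_REBOOT  -> Ctrl-Alt-Del no longer reboots
#   /etc/fstab         "/" on a *.eli provider     -> geli full-filesystem encryption
# On a real host call: audit_host /etc/ttys /boot/loader.conf /path/to/KERNCONF /etc/fstab

# 0 if the console entry of a ttys(5) file carries the "insecure" flag.
console_is_insecure() {
    awk '$1 == "console" { for (i = 2; i <= NF; i++) if ($i == "insecure") found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# 0 if loader.conf hides the beastie menu and keeps autoboot from being
# interrupted by a keystroke (assumed loader(8) variables, see lead-in).
loader_prompt_disabled() {
    grep -Eq '^[[:space:]]*beastie_disable="?YES"?' "$1" &&
    grep -Eq '^[[:space:]]*autoboot_delay="?-1"?' "$1"
}

# 0 if the kernel config disables the keyboard reboot in syscons(4).
kbd_reboot_disabled() {
    grep -Eq '^[[:space:]]*options[[:space:]]+SC_DISABLE_REBOOT' "$1"
}

# 0 if the "/" entry of fstab(5) is backed by a geli provider (name ends in .eli).
root_on_geli() {
    awk '$1 !~ /^#/ && $2 == "/" && $1 ~ /\.eli$/ { found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Print PASS/FAIL for one check and bump the global failure counter on FAIL.
check() {
    desc=$1; shift
    if "$@"; then
        echo "PASS: $desc"
    else
        echo "FAIL: $desc"; failures=$((failures + 1))
    fi
}

# Run all four checks; the exit status is the number of failed checks.
audit_host() {
    failures=0
    check "console marked insecure in ttys (password prompt in single-user)" console_is_insecure "$1"
    check "loader menu hidden and autoboot not interruptible" loader_prompt_disabled "$2"
    check "Ctrl-Alt-Del reboot disabled in kernel config" kbd_reboot_disabled "$3"
    check "root filesystem on a geli provider" root_on_geli "$4"
    return "$failures"
}

# Constructed sample inputs: one hardened host and one stock-looking host.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/ttys.hardened" <<'EOF'
# name   getty                      type     status   comments
console  none                       unknown  off insecure
ttyv0    "/usr/libexec/getty Pc"    xterm    on  secure
EOF
cat > "$SAMPLE_DIR/ttys.default" <<'EOF'
console  none                       unknown  off secure
ttyv0    "/usr/libexec/getty Pc"    xterm    on  secure
EOF
printf 'beastie_disable="YES"\nautoboot_delay="-1"\n' > "$SAMPLE_DIR/loader.conf.hardened"
printf 'autoboot_delay="10"\n' > "$SAMPLE_DIR/loader.conf.default"
printf 'include GENERIC\nident HARDENED\noptions SC_DISABLE_REBOOT\n' > "$SAMPLE_DIR/KERNCONF.hardened"
printf 'include GENERIC\nident CUSTOM\n' > "$SAMPLE_DIR/KERNCONF.default"
printf '/dev/ada0p2.eli / ufs rw 1 1\n/dev/ada0p3.eli none swap sw 0 0\n' > "$SAMPLE_DIR/fstab.hardened"
printf '/dev/ada0p2 / ufs rw 1 1\n' > "$SAMPLE_DIR/fstab.default"

echo "== hardened host =="
audit_host "$SAMPLE_DIR/ttys.hardened" "$SAMPLE_DIR/loader.conf.hardened" \
           "$SAMPLE_DIR/KERNCONF.hardened" "$SAMPLE_DIR/fstab.hardened" || echo "$? check(s) failed"
echo "== default host =="
audit_host "$SAMPLE_DIR/ttys.default" "$SAMPLE_DIR/loader.conf.default" \
           "$SAMPLE_DIR/KERNCONF.default" "$SAMPLE_DIR/fstab.default" || echo "$? check(s) failed"
```

As Matt and Tom point out, every one of these settings is bypassed by booting other media or pulling the disk, so a clean audit here only means the opportunistic paths are closed; the geli check is the one that still matters once the box leaves your hands.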