From owner-freebsd-security Wed Jan 24 02:13:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id CAA16600 for security-outgoing; Wed, 24 Jan 1996 02:13:29 -0800 (PST)
Received: from statler.csc.calpoly.edu (statler-srv.csc.calpoly.edu [129.65.241.4]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id CAA16592 for ; Wed, 24 Jan 1996 02:13:25 -0800 (PST)
Received: (from nlawson@localhost) by statler.csc.calpoly.edu (8.6.12/N8) id CAA11879; Wed, 24 Jan 1996 02:12:18 -0800
From: Nathan Lawson
Message-Id: <199601241012.CAA11879@statler.csc.calpoly.edu>
Subject: Re: Ownership of files/tcp_wrappers port
To: jseng@stf.org.sg (James Seng)
Date: Wed, 24 Jan 1996 02:12:18 -0800 (PST)
Cc: security@freebsd.org
In-Reply-To: from "James Seng" at Jan 24, 96 10:39:41 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

> On Tue, 23 Jan 1996, Nathan Lawson wrote:
> > denies. That way, all you get originally is increased logging, and you can
> > add the RFC931 and PARANOID options to the /etc/hosts.allow files _without_
> > recompiling (if you should desire).
>
> Ah great. Let's get Wietse and see if he has that time to hack it in? *8P

I think you misunderstand. The PARANOID and RFC931 options can be added to the
hosts.* file to enable them, even if the compiled binary has them disabled by
default. This allows you to use a stripped-down default version, but upgrade
it to as strict as you wish (even being stricter per service).

> Before we get over paranoid over security, let us remember that the
> primary aim of a base distribution is to provide a dynamic system, of
> course minus the security bugs.

Well, then FreeBSD has failed. See the recent telnetd environment bug for an
example of this. If you had wrapped telnetd and only allowed connects from
certain sites, you could have limited the scope of this vulnerability. Bugs
are going to show up no matter what. If having the extra logging and easy
access control of tcp_wrappers at the installer's fingertips could have
prevented even one break-in, I'd be all for it.

> I wish to remind all of us here that there are a few dozen ways tcpd
> could be installed, each site adapting to their needs. You could put in a
> "generic" tcpd into /usr/libexec but if it is not properly installed, it is
> almost as good as useless. In fact, I believe it would drive a false
> sense of security ("Hey, don't worry..I got tcpd installed by default!") into
> some people which could be worse.

Yes, but I think more people would say "wow, all I have to do is change the
hosts.allow file according to its comments and it will have access control".

> Now perhaps it is time to sit down and let the core members of FreeBSD
> think about what they are trying to achieve. Are they trying to provide a
> dynamic un*x or are they trying to provide a secure C2 system (ok C2 is too
> much *8)?

Well, they might be shooting for C2 in some ways. They've got shadowed
passwords already. The extra logging of C2 could be useful to some people.

> IMHO, so long as the base code is clean and no loopholes exist, it should
> be good enough. Let's not blob the bindist further unnecessarily...

Ok. You can go through and prove all the code in FreeBSD and I'll look over
your results. If you can't find any loopholes, but I can, do I get a free
lunch? :)

> Just a thought...maybe they could add a new section, say "SECURITY TOOLS"
> in sysinstall whereby all security tools like tcpd, tiger, cops, tripwire etc
> could be installed...? It would be nice to have all these but I think not
> all people would want it....

Now this is a good idea. What I'd REALLY like to see is built-in access
control, perhaps based on tcpd. For instance, have telnetd log connects.
That way each program could take care of itself and you wouldn't have the
complaints about the fork/exec overhead of tcp_wrappers. It would be a bit
more work, which is why I suggested adding tcp_wrappers instead.

--
Nate Lawson      \Yeah, I was dreaming through the 'howzlife', yawning, car black,
Owner:           \when she told me 'mad and meaningless as ever...' and a song
Cal Poly State   \came on the radio like a cemetery rhyme for a million crying
University       \corpses in their tragedy of respectable existence. - BR
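
Added example, not part of the original message or of the tcp_wrappers distribution: a hosts.allow sketch of the per-service tightening the message describes, with the PARANOID check and RFC 931 lookups switched on in the rules file rather than at compile time. It assumes tcpd was built without -DPARANOID and with the hosts_options(5) rule extensions; the daemon names and the 192.0.2.0 network are constructed placeholders.

```conf
# /etc/hosts.allow -- constructed example. Rules are tried top to bottom
# and the first matching rule decides the connection.
# Assumption: tcpd built WITHOUT -DPARANOID (so mismatched hosts reach these
# rules instead of being dropped before the tables are read) and WITH the
# hosts_options(5) extensions, so "rfc931", "allow" and "deny" are accepted.

# 1. Login services only: refuse clients whose host name does not match
#    their address. Other services skip this check.
telnetd, rlogind : PARANOID : deny

# 2. telnetd: accept only the named network (placeholder address), and do
#    an RFC 931 client username lookup with a 10 second timeout so the
#    connection log carries user@host.
telnetd : 192.0.2.0/255.255.255.0 : rfc931 10 : allow

# 3. ftpd: open to everyone, no username lookup. The connection is still
#    logged, which is the "increased logging only" starting point.
ftpd : ALL : allow

# 4. Anything not matched above is refused.
ALL : ALL : deny
```

Removing rules 1, 2 and 4 leaves a file that only logs; adding them back tightens one service at a time without rebuilding tcpd.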