Date:      Fri, 2 Jun 2006 10:57:49 +0200
From:      Kenyeres Márton <mkenyeres@konvergencia.hu>
To:        Jeff <dt@defcon.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: mac_bsdextended log information
Message-ID:  <1149238669.657.6.camel@dell1.kvg.hu>
In-Reply-To: <7.0.1.0.2.20060601142921.2284c5b0@wheresmymailserver.com>
References:  <7.0.1.0.2.20060601142921.2284c5b0@wheresmymailserver.com>

On Thu, 2006-06-01 at 14:40 -0700, Jeff wrote:
> Hey everyone,
>
> I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe.
>
> I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:
>
> <authpriv.emerg> www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.
>
> So the question is, what file did the www process try to muck with? It is a root owned file, and it is important that it wants to act on it. Security problem, or benign problem? Who knows without being able to know what the file is. A look at the source code implies that the "request 256" means that the web process tried to read the vnode numbered 256. Is that accurate?
> If it is, how do I go about associating vnode numbers to files, so I have a hope of troubleshooting these errors.
>

There are many legitimate reasons for a webserver to open root owned
files. Looking up users in the password database would be my first
guess. Maybe you should consider changing your rules to some more fine
grained ones?

> Searching seems to turn up no tool or easy way to get this vnode -> file information. Help!

Try:

$ find / -inum 256

>
> Jeff
>

Cheers,

m.

> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
-- 
Kenyeres Márton <mkenyeres@konvergencia.hu>
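An added decoder for the log line discussed above (editor's example, not code from either poster or from FreeBSD). It reads the denial message the way the mac_bsdextended source formats it: subject real uid:gid, then the access-mode bitmask the policy was asked to check, then the object's uid:gid. The numeric constants are the FreeBSD 6.x sys/vnode.h access bits (VREAD is octal 0400, i.e. decimal 256); that the "request" field is this bitmask rather than a vnode number is the editor's reading of the source, not something the thread establishes. The sample log lines are constructed.

```python
import re

# Access-mode bits from FreeBSD 6.x sys/vnode.h (octal in the header).
# mac_bsdextended logs the acc_mode it rejected as a decimal integer,
# so the "request N" field is an OR of these values.
# VSTAT existed in the 5.x/6.x tree and was removed in later releases.
ACC_MODE_BITS = {
    0o000100: "VEXEC",    # 64
    0o000200: "VWRITE",   # 128
    0o000400: "VREAD",    # 256
    0o010000: "VADMIN",   # 4096
    0o020000: "VSTAT",    # 8192
    0o040000: "VAPPEND",  # 16384
}
KNOWN_MASK = sum(ACC_MODE_BITS)

# Matches the kernel message with or without the syslog prefix.
LOG_RE = re.compile(
    r"mac_bsdextended: (?P<suid>\d+):(?P<sgid>\d+) request (?P<mode>\d+)"
    r" on (?P<ouid>\d+):(?P<ogid>\d+) failed"
)


def decode_acc_mode(mode):
    """Expand an acc_mode bitmask into symbolic names, low bit first.
    Bits outside the known set are reported rather than silently dropped."""
    names = [name for bit, name in sorted(ACC_MODE_BITS.items()) if mode & bit]
    leftover = mode & ~KNOWN_MASK
    if leftover:
        names.append("unknown(0x%x)" % leftover)
    return names


def parse_denial(line):
    """Return a dict describing one denial, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    mode = int(m.group("mode"))
    return {
        "subject": (int(m.group("suid")), int(m.group("sgid"))),
        "object": (int(m.group("ouid")), int(m.group("ogid"))),
        "acc_mode": mode,
        "access": decode_acc_mode(mode),
    }


def summarize(lines):
    """Count denials per (subject, object, access) so a noisy log collapses
    into the handful of distinct rule hits an admin actually has to judge."""
    counts = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        key = (d["subject"], d["object"], tuple(d["access"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: the line from the thread plus a write attempt and an
# unrelated kernel message.
SAMPLE_LOG = [
    "Jun  1 14:30:02 www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.",
    "Jun  1 14:30:05 www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.",
    "Jun  1 14:31:11 www kernel: mac_bsdextended: 80:80 request 128 on 1010:1010 failed.",
    "Jun  1 14:31:12 www kernel: pid 1234 (httpd), uid 80: exited on signal 11",
]

if __name__ == "__main__":
    for (subj, obj, access), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%4d x subject %d:%d -> object %d:%d  %s"
              % (n, subj[0], subj[1], obj[0], obj[1], "|".join(access)))
```

Because the object is identified only by uid:gid, the decoded line tells you that uid 80 asked to read some root-owned, root-group file; it does not name the file. Pairing the timestamp with what the web server was doing at that moment (or temporarily widening the rule and watching which open() succeeds) is what narrows it down.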