From owner-freebsd-security Sun Aug 6 02:54:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtp8.xs4all.nl (smtp8.xs4all.nl [194.109.127.134]) by hub.freebsd.org (Postfix) with ESMTP id E4E9937B653; Sun, 6 Aug 2000 02:54:43 -0700 (PDT) (envelope-from Lars@lawnet.xs4all.nl)
Received: from list1.xs4all.nl (list1.xs4all.nl [194.109.6.52]) by smtp8.xs4all.nl (8.9.3/8.9.3) with ESMTP id LAA25742; Sun, 6 Aug 2000 11:54:42 +0200 (CEST)
Received: from gateway.lawnet.xs4all.nl (root@lawnet.xs4all.nl [194.109.54.179]) by list1.xs4all.nl (8.9.3/8.9.3) with ESMTP id LAA20547; Sun, 6 Aug 2000 11:54:41 +0200 (CEST)
Received: from lawwnt01.lawnet.xs4all.nl (lawwnt01.lawnet.xs4all.nl [172.16.200.1]) by gateway.lawnet.xs4all.nl (8.9.2/8.9.2/[Lawnet]-1999010301) with ESMTP id VAA09902; Sat, 5 Aug 2000 21:28:42 +0200 (CEST)
Received: by lawwnt01.lawnet.xs4all.nl with Internet Mail Service (5.5.2650.21) id ; Sat, 5 Aug 2000 21:25:38 +0200
Message-ID:
From: Lars
To: "'freebsd-questions@freebsd.org'", "'freebsd-security@freebsd.org'"
Subject: How to install FWTK 2.1 port with transparent proxy support
Date: Sat, 5 Aug 2000 21:25:33 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All,

I've a FreeBSD 3.4 Stable system running as a test gateway. I've installed the TIS FWTK v2.1 from the ports collection without any problems. There's just one problem: transparent proxying doesn't work with this installation. I use Darren Reed's IP Filter v3.3.16 for packet filtering.

From the FWTK website you can download a patch with which transparent proxying should work. Does anybody know how I can implement this patch in the port? The ports make starts unpacking the tarball from the distfiles dir. and starts compiling right away. How can I implement this patch? Do I have to do something with the dir. called "patches" in the FWTK ports dir.?

Just compiling the FWTK 2.1 source (from /usr/tmp/fwtk, i.e.) on the FBSD box doesn't work, so I have to use the port.

Not unimportant: I just want to use the http-gw from the FWTK. I use the built-in FTP proxy from IPF and it works great!

MTIA.

Lars Wittebrood
The Hague, The Netherlands

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Aug 7 21:29:07 2000
Date: Tue, 8 Aug 2000 00:28:35 -0400 (EDT)
From: Matt Heckaman
To: FreeBSD-PORTS
Cc: FreeBSD-SECURITY
Subject: pine 4.21 port issues?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I reinstalled the pine 4.21 port a few days ago and I suddenly was greeted with the following notice from it upon reading mail:

[Mailbox vulnerable - directory /var/mail must have 1777 protection]

This is a bad thing. The default permissions on FreeBSD for /var/mail are root:mail 0775 which, in my opinion, is far better than 1777. I'm curious as to why all of a sudden it is reporting the mailbox as 'vulnerable'.

I've had a ton of users of mine freak out over this, and I must admit it's odd. Pine also has a new? depend on c-client4.7 which it did not have a few months ago to my knowledge, as I have one pine build from March 19 that does not have this depend or the mailbox warning.

Since very little in FreeBSD is ever done without a reason, I'm curious as to the reason for this. It seems.. wrong to have a port report a vulnerable mailbox on a default FreeBSD installation. I would like to apologize for the cross-post, but I felt it relevant to both lists.
If this is incorrect please inform me so that I don't make the same mistake again :)

Regards,
Matt Heckaman

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (FreeBSD)
Comment: http://www.lucida.qc.ca/pgp

iD8DBQE5j4x1dMMtMcA1U5ARAvfvAJ45hV8wGtiHYj71fKwRjS0J4QC4oQCghwBh
3Lbel2zCC95gG1UCLdfiLT8=
=qbUc
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 7 22:06:59 2000
Date: Mon, 7 Aug 2000 22:07:07 -0700 (PDT)
From: Rick McGee
To: Matt Heckaman
Cc: FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

Hi Matt, no it's ok and it works rather well. If you look up chmod the sticky bit this is what you get.

1000 (the sticky bit) When set on a directory, unprivileged users can delete and rename only those files in the directory that are owned by them, regardless of the permissions on the directory. Under FreeBSD, the sticky bit is ignored for executable files and may only be set for directories.

Rick

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> I reinstalled the pine 4.21 port a few days ago and I suddenly was greeted
> with the following notice from it upon reading mail:
>
> [Mailbox vulnerable - directory /var/mail must have 1777 protection]
>
> This is a bad thing. The default permissions on FreeBSD for /var/mail are
> root:mail 0775 which, in my opinion, is far better than 1777. I'm curious
> as to why all of a sudden it is reporting the mailbox as 'vulnerable'.
>
> I've had a ton of users of mine freak out over this, and I must admit it's
> odd. Pine also has a new? depend on c-client4.7 which it did not have a few
> months ago to my knowledge, as I have one pine build from March 19 that
> does not have this depend or the mailbox warning.
>
> Since very little in FreeBSD is ever done without a reason, I'm curious as
> to the reason for this. It seems.. wrong to have a port report a vulnerable
> mailbox on a default FreeBSD installation. I would like to apologize for
> the cross-post, but I felt it relevant to both lists.
> If this is incorrect
> please inform me so that I don't make the same mistake again :)
>
> Regards,
> Matt Heckaman
>
> * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
> * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

From owner-freebsd-security Mon Aug 7 22:34:12 2000
Date: Tue, 8 Aug 2000 01:33:56 -0400 (EDT)
From: Matt Heckaman
To: Rick McGee
Cc: FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 8 Aug 2000, Rick McGee wrote:
:
: Hi Matt, no it's ok and it works rather well. If you look up chmod the
: sticky bit this is what you get. 1000 (the sticky bit) When set on a
: directory, unprivileged users can delete and rename only those files
: in the directory that are owned by them, regardless of the permissions
: on the directory. Under FreeBSD, the sticky bit is ignored for
: executable files and may only be set for directories
:
: Rick

Yes, I know what the sticky bit does :) The point is, that is NOT set on the directory by default in FreeBSD, nor is the directory world writable, so why is pine reporting this as a vulnerability? I know that it is not, but it's causing panic in my users.

The point is, I strictly control world writable directories on my system; making /var/mail world writable to satisfy pine seems a silly thing to do in my opinion. I run qmail on the system through procmail, and all mail files are owned to the user name and group, i.e. the files themselves are not group owned to mail.

Either way, my point is that since FreeBSD by default does not make /var/mail sticky or world writable, should not the port include a patch that modifies this to check based on the proper FreeBSD permissions?

pine 4.21 on the 4.0-RELEASE port tree worked fine, and did not display this message (date: March 19); however 4.1-RELEASE ports pine 4.21 does give this warning message. I'm going to look into it a tad more on the code side, and I'll most likely fix it to check the right permissions for my machines.
Is it appropriate for a patch like that to be implemented into the ports patches?

I think it's bad that a port reports default FreeBSD permissions as vulnerable :)

Regards,
Matt Heckaman

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (FreeBSD)
Comment: http://www.lucida.qc.ca/pgp

iD8DBQE5j5vFdMMtMcA1U5ARAhvoAKCKNhNflkcFOsHTdlYF8zQAcbjSuwCdEsRq
FQ+icogPRkZUHl82q0jDzfI=
=hHcc
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 7 22:47:27 2000
Date: Tue, 8 Aug 2000 00:47:20 -0500 (CDT)
From: Frank Tobin
To: Matt Heckaman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pine 4.21 port issues?

Matt Heckaman, at 01:33 -0400 on Tue, 8 Aug 2000, wrote:

> The point is, I strictly control world writable directories on my system,
> making /var/mail world writable to satisfy pine seems a silly thing to do
> in my opinion. I run qmail on the system through procmail, and all mail
> files are owned to the user name and group, i.e. the files themselves are
> not group owned to mail.

Your safest course of action is actually to probably not even use /var/mail, but rather have mailboxes directly in each user's home directory. Qmail supports this. (/var/qmail/doc/INSTALL.mbox)

--
Frank Tobin http://www.uiuc.edu/~ftobin/

From owner-freebsd-security Mon Aug 7 22:55:16 2000
Date: Tue, 8 Aug 2000 01:54:51 -0400 (EDT)
From: Matt Heckaman
To: Frank Tobin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: pine 4.21 port issues?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 8 Aug 2000, Frank Tobin wrote:
...
: Your safest course of action is actually to probably not even use
: /var/mail, but rather have mailboxes directly in each user's home
: directory. Qmail supports this. (/var/qmail/doc/INSTALL.mbox)

Yes, I know. Using procmail and /var/mail is simply the easiest way for me to maintain out-of-the-box compat with many sendmail based items for me. I've used mailbox setups before, but I prefer using this setup for my particular situation :)

: --
: Frank Tobin http://www.uiuc.edu/~ftobin/

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (FreeBSD)
Comment: http://www.lucida.qc.ca/pgp

iD8DBQE5j6CsdMMtMcA1U5ARAiwsAKDeKpiXewKWxKVODTq2U1eNMmMDrwCgyXCQ
7B263WF4DYRcfiq8ETa6WgI=
=2fVA
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Aug 7 23:28:57 2000
Date: Mon, 7 Aug 2000 23:29:16 -0700 (PDT)
From: Rick McGee
To: Matt Heckaman
Cc: FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

Matt, I've been using pine since 1995. I've never had a problem. Remember not everyone runs pine. In fact I run imap and ipop3d instead of the traditional popper. If you look at it in the right context, the settings by FreeBSD are for the general user and, in their opinion, security. I agree, but why not set /etc 751? Or chflags schg on the kernel? This would be more secure. The problem is the average new user, or in some cases us old ones, would have a tough time. It would mean we might have to read the manual (man page) and heaven forbid if we had to do that! It must be secure but operate under the KISS principle. Ok, long winded but you get my point.

Now for the answer straight from Washington.edu:

  To protect against conflicts with mail delivery by sendmail, which could cause INBOX corruption, Pine creates lockfiles in the directory /var/spool/mail [1]. The permission setting for that directory should be 1777 (world writable with the sticky bit set). The alternative would be to make all mail programs setgid to some special group -- an unacceptable security risk in the opinion of the Pine developers.

  By contrast, lockfiles created in the /tmp directory serve interlocking of different Pine sessions with each other, not of Pine with the Mail Delivery Agent. Lockfiles in the /tmp directory are mode 666 because of the case of shared folders (e.g., tenex format) and "kiss of death" functionality (UNIX mbox format and MMDF format). The lock needs to be accessible by processes which may be logged in as another user name; this is a tradeoff between security and functionality.

  [1] Versions of Pine prior to 3.92 did not warn users when locking in /var/spool/mail failed.

Hope it helps.
Rick

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 8 Aug 2000, Rick McGee wrote:
> :
> : Hi Matt, no it's ok and it works rather well. If you look up chmod the
> : sticky bit this is what you get. 1000 (the sticky bit) When set on a
> : directory, unprivileged users can delete and rename only those files
> : in the directory that are owned by them, regardless of the permissions
> : on the directory. Under FreeBSD, the sticky bit is ignored for
> : executable files and may only be set for directories
> :
> : Rick
>
> Yes, I know what the sticky bit does :) The point is, that is NOT set on
> the directory by default in FreeBSD, nor is the directory world writable,
> so why is pine reporting this as a vulnerability? I know that it is not,
> but it's causing panic in my users.
>
> The point is, I strictly control world writable directories on my system,
> making /var/mail world writable to satisfy pine seems a silly thing to do
> in my opinion. I run qmail on the system through procmail, and all mail
> files are owned to the user name and group, i.e. the files themselves are
> not group owned to mail.
>
> Either way, my point is that since FreeBSD by default does not make
> /var/mail sticky or world writable, should not the port include a patch
> that modifies this to check based on the proper FreeBSD permissions?
>
> pine 4.21 on the 4.0-RELEASE port tree worked fine, and did not display
> this message, (date: March 19) however 4.1-RELEASE ports pine 4.21 does
> give this warning message. I'm going to look into it a tad more on the
> code side, and I'll most likely fix it to check the right permissions for
> my machines. Is it appropriate for a patch like that to be implemented
> into the ports patches?
>
> I think it's bad that a port reports default FreeBSD permissions as
> vulnerable :)
>
> Regards,
> Matt Heckaman

From owner-freebsd-security Tue Aug 8 03:40:26 2000
Date: Tue, 8 Aug 2000 12:39:43 +0200 (CEST)
From: Paul Herman
To: Matt Heckaman
Cc: Rick McGee, FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> Yes, I know what the sticky bit does :) The point is, that is NOT
> set on the directory by default in FreeBSD, nor is the directory
> world writable, so why is pine reporting this as a vulnerability?
> I know that it is not, but it's causing panic in my users.

I'm not 100% sure, but it looks like patch-aw tries to address this. (I haven't tested it in 4.1-STABLE...)

-Paul.

From owner-freebsd-security Tue Aug 8 06:56:26 2000
Date: Tue, 8 Aug 2000 09:56:00 -0400 (EDT)
From: Robert Watson
To: Matt Heckaman
Cc: FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> This is a bad thing. The default permissions on FreeBSD for /var/mail are
> root:mail 0775 which, in my opinion, is far better than 1777. I'm curious
> as to why all of a sudden it is reporting the mailbox as 'vulnerable'.

Dunno, but I agree with your conclusion that 0775 is better :-).

> I've had a ton of users of mine freak out over this, and I must admit it's
> odd. Pine also has a new? depend on c-client4.7 which it did not have a few
> months ago to my knowledge, as I have one pine build from March 19 that
> does not have this depend or the mailbox warning.

It sounds like a spurious warning from an over-zealous developer that did not plan for our mail delivery environment. I haven't been using Pine 4.21, but I think this is a warning that can be safely silenced in the port, although you probably want to get confirmation from others familiar with the Pine and c-client implementations before going ahead with that.
Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Tue Aug 8 08:07:27 2000
From: Darren Reed
Message-Id: <200008081506.BAA21009@avalon.reed.wattle.id.au>
Subject: IP Filter 3.4.9/3.3.18 (fwd)
To: security@freebsd.org
Date: Wed, 9 Aug 2000 01:06:54 +1000 (EST)
X-Mailer: ELM [version 2.4ME+ PL37 (25)]

I'll look at importing this on the weekend. Any sooner and I don't have time to not do a rush job.

Darren

> ----- Forwarded message from Darren Reed -----
>
> From owner-ipfilter@cairo.anu.edu.au Wed Aug 9 0:20:00 2000
> X-Authentication-Warning: cairo.anu.edu.au: majordomo set sender to owner-ipfilter@coombs.anu.edu.au using -f
> From: Darren Reed
> Message-Id: <200008081409.AAA20852@avalon.reed.wattle.id.au>
> Subject: IP Filter 3.4.9/3.3.18 (fwd)
> To: ipfilter@coombs.anu.edu.au
> Date: Wed, 9 Aug 2000 00:09:06 +1000 (EST)
> X-Mailer: ELM [version 2.4ME+ PL37 (25)]
> Sender: owner-ipfilter@coombs.anu.edu.au
>
> My apologies for the "lockup", but at the last moment I realised
> that similar code paths were used in NAT and state and had to fix
> a similar ICMP handling bug in NAT. I *really* didn't want to
> have to make a new version# just for that. Everything should
> now be accessible...
>
> Darren
>
> > Ok, now I'm relaxed...and the niggles should be ironed out.
> >
> > 3.4.9/3.3.18 fix up existing problems with the FTP proxy in
> > prior versions. The reason it took so long to iron out the
> > problem with 3.4.8 is due to a dodgy interface which will be
> > addressed for 4.0 (currently exists there too :-/).
> >
> > The 'global' fr_chksrc can now be 0 (disable checking of
> > spoofed source address packets), 1 (enabled) or 2 (log the
> > packets which it detects as having spoofed source IP#'s).
> > This check is done using the routing table. For FreeBSD 4,
> > the sysctl will now show up (I'll merge this into -current
> > over the weekend when I'm not in a hurry).
> >
> > Most of the other changes have been "spurious" except for
> > one - the handling of ICMP packets for known state.
> > This bug crept in with fr_checkicmpmatchingstate() and has
> > been made mention of to me without any real pointers until
> > the weekend (which is the impetus for these). That is now
> > plugged and all should be well there. If you feel nervous
> > about upgrading then dig through the patch files for the
> > changes to ip_state.c (blocking packets won't help because
> > state check happens before that...mmm, having the source..
> > but that'll change soon too, in 4.0alpha O:-).
> >
> > I will be updating 4.0alpha later...
> >
> > Darren
> >
> > ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.4.9.tar.gz
> > ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.4.9.gz
> > ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.18.tar.gz
> > ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.3.18.gz
> >
> > --------------------------------------------------------------------
> > 3.4.9 08/08/2000 - Released
> >
> > implement new aging mechanism in fr_tcp_age()
> >
> > fix icmp state checking bug
> >
> > revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
> > if on an Ultra with a 64bit system & compiler (Caseper Dik)
> >
> > open ipfilter device read only if we know we can
> >
> > print out better information for ICMP packets in ipmon
> >
> > move checking for source spoofed packets to a point where we can generate
> > logs of them
> >
> > return EFAULT from ircopyptr/iwcopyptr
> >
> > don't do ioctl(SIOCGETFS) for auth stats
> >
> > fix up freeing mbufs for post-4.3BSD
> >
> > fix returning of inc from ftp proxy
> >
> > fix bugs with ipfs -R/-W (Caseper Dik)
> >
> > 3.4.8 19/07/2000 - Released
> > --------------------------------------------------------------------
> > 3.3.18 08/08/2000 - Released
> >
> > fix up command checking in the ftp proxy
> >
> > fix getting the version from the kernel for solaris
> >
> > fix icmp state checking bug
> >
> > print out better information for ICMP packets in ipmon
> >
> > open ipfilter device read only if we know we can
> >
> > 3.3.17 08/07/2000 - Released
> > --------------------------------------------------------------------
> >
> > ----- End of forwarded message from Darren Reed -----
>
> ----- End of forwarded message from Darren Reed -----

From owner-freebsd-security Tue Aug 8 10:16:24 2000
Date: Tue, 8 Aug 2000 12:16:07 -0500 (CDT)
From: Bryan Bradsby
To: Robert Watson
Cc: Matt Heckaman, FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

Edit the system wide /usr/local/etc/pine.conf (or the local .pinerc, for single use) and append 'quell-lock-failure-warnings' to 'feature-list='

I wish there was a better answer than suppressing the bogus error message.

-bryan bradsby

PS: see also /usr/local/etc/pine.conf.fixed for complete control overriding any of your users' individual settings.

===================================================================

On Tue, 8 Aug 2000, Robert Watson wrote:

> On Tue, 8 Aug 2000, Matt Heckaman wrote:
>
> > This is a bad thing. The default permissions on FreeBSD for /var/mail are
> > root:mail 0775 which, in my opinion, is far better than 1777. I'm curious
> > as to why all of a sudden it is reporting the mailbox as 'vulnerable'.
>
> Dunno, but I agree with your conclusion that 0775 is better :-).
>
> > I've had a ton of users of mine freak out over this, and I must admit it's
> > odd. Pine also has a new? depend on c-client4.7 which it did not have a few
> > months ago to my knowledge, as I have one pine build from March 19 that
> > does not have this depend or the mailbox warning.
>
> It sounds like a spurious warning from an over-zealous developer that did
> not plan for our mail delivery environment. I haven't been using Pine
> 4.21, but I think this is a warning that can be safely silenced in the
> port, although you probably want to get confirmation from others familiar
> with the Pine and c-client implementations before going ahead with that.
>
> Robert N M Watson
>
> robert@fledge.watson.org http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Tue Aug 8 11:29:18 2000
Date: Tue, 8 Aug 2000 14:29:02 -0400 (EDT)
From: Matt Heckaman
To: Robert Watson
Cc: FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 8 Aug 2000, Robert Watson wrote:
...
: It sounds like a spurious warning from an over-zealous developer that did
: not plan for our mail delivery environment. I haven't been using Pine
: 4.21, but I think this is a warning that can be safely silenced in the
: port, although you probably want to get confirmation from others familiar
: with the Pine and c-client implementations before going ahead with that.

Well from what Rick was saying in our private conversation and what the documents say if you read them carefully, pine uses /var/mail for its locks. My guess is that it assumes since /var/mail is world writable on most systems it can use it as a temporary directory or something :)

At the very least, they could make more intelligent error messages, i.e.: if /var/mail is world writable and not sticky, report that error; however if /var/mail is not world writable report something like, "/var/mail is not writable to us, lock failure." Either way, it's better than screaming "Your mailbox is vulnerable!" I wonder if anyone would commit that patch if I made it?
:)

: Robert N M Watson

* Matt Heckaman - mailto:matt@lucida.qc.ca  http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

Date: Tue, 8 Aug 2000 20:16:26 +0200
From: Gerhard Sittig
To: FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

On Tue, Aug 08, 2000 at 00:28 -0400, Matt Heckaman wrote:
>
> I reinstalled the pine 4.21 port a few days ago and I suddenly
> was greeted with the following notice from it upon reading
> mail:
>
> [Mailbox vulnerable - directory /var/mail must have 1777 protection]
>
> This is a bad thing. The default permissions on FreeBSD for
> /var/mail are root:mail 0775 which, in my opinion, is far
> better than 1777. I'm curious as to why all of the sudden it is
> reporting the mailbox as 'vulnerable'.

Question: How does Pine (or C-Client in this scenario) modify the
mailbox and how does it lock against the MTA delivering into the box?

The former could be done "in place", but this would be error prone (at
least IMHO). I guess doing a copy-and-modify from inbox to tempbox and
rename-tempbox-to-inbox is the more usual case. Unless I'm completely
wrong and everything is done via mmapped file handling (especially when
mailboxes tend to grow to some megabytes).

The latter (locking) is more of a problem if the MUA cannot write into
the spool directory. For locking and for modifications to the inbox via
copies and renaming (or for creating new inboxes upon first invocation)
you need write access to the spool dir. How do you do that with root.mail
and 0775? Do you run your MUAs setgid mail? That's what I would _not_
prefer. :)

> Pine also has a new? depend on c-client4.7 which it did not have
> a few months ago to my knowledge, as I have one pine build from
> March 19 that does not have this depend or the mailbox warning.
As long as I can remember (although it's only since pine 3.96 :) pine
always used to rely on the c-client lib for mailbox handling. That's how
it could easily be extended to handle Maildir folders. Maybe the lib's
been included in previous releases or ports and it's just new that the
lib's an external reference since lately. This had the advantage of
independent updatability(sp/id?) of this lib, and more ports could make
use of this lib without every port bringing a copy of its own with it.
I think some pop servers used to build upon c-client, too.

So you end up fetching the same tarballs as before -- pine code and the
c-client code. Before you had it in one(?) package and now they're
separate but dependent packages. And as soon as other ports use the
c-client lib too you end up with reduced traffic. :)

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

Date: Tue, 8 Aug 2000 15:23:18 -0400 (EDT)
From: Garrett Wollman
To: Gerhard Sittig
Cc: FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

< said:
> For locking and for modifications to the inbox via copies and
> renaming (or for creating new inboxes upon first invocation) you
> need write access to the spool dir.

No, you don't. You only need write access to the spool file. Mutual
exclusion is provided by locking the file. Inboxes are *created* only by
the LMDA, not by any MUA.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

Date: Tue, 8 Aug 2000 15:25:27 -0400 (EDT)
From: Matt Heckaman
To: Gerhard Sittig
Cc: FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

On Tue, 8 Aug 2000, Gerhard Sittig wrote:
...
: Question: How does Pine (or C-Client in this scenario) modify
: the mailbox and how does it lock against the MTA delivering into
: the box?

I do not know.

...
: For locking and for modifications to the inbox via copies and
: renaming (or for creating new inboxes upon first invocation) you
: need write access to the spool dir. How do you do that with
: root.mail and 0775? Do you run your MUAs setgid mail? That's
: what I would _not_ prefer. :)

Negative, I do *not* run pine setgid mail. I do know that even without
write access to the spool pine knows and appropriately bails when you
start two copies of it. When you get new mail with pine open, it simply
updates the list saying you have new mail. It would seem to me that it
just keeps scanning the mail spool file and loading it. Though I do not
know any of the actual details.

...
: So you end up fetching the same tarballs as before -- pine code
: and the c-client code. Before you had it in one(?) package and
: now they're separate but dependent packages. And as soon as
: other ports use the c-client lib too you end up with reduced
: traffic. :)

Yes, I found out after I wrote that email that pine used to include
cclient directly into its binary.
To: Frank Tobin
Cc: Matt Heckaman, freebsd-security@FreeBSD.ORG
Subject: Re: pine 4.21 port issues?
Date: Tue, 08 Aug 2000 17:11:31 -0600
From: Warner Losh

In message Frank Tobin writes:
: Matt Heckaman, at 01:33 -0400 on Tue, 8 Aug 2000, wrote:
:
: > The point is, I strictly control world writable directories on my system,
: > making /var/mail world writable to satisfy pine seems a silly thing to do
: > in my opinion. I run qmail on the system through procmail, and all mail
: > files are owned to the user name and group, ie the files themselves are
: > not group owned to mail.
:
: Your safest course of action is actually to probably not even use
: /var/mail, but rather have mailboxes directly in each user's home
: directory. Qmail supports this. (/var/qmail/doc/INSTALL.mbox)

I'm not sure how this is better for well behaved mail programs.

Warner

Date: Tue, 8 Aug 2000 22:58:35 -0300
From: Fred Souza
To: Matt Heckaman
Cc: security@FreeBSD.org
Subject: Re: pine 4.21 port issues?

> Since very little in FreeBSD is ever done without a reason, I'm curious as
> to the reason for this. It seems..wrong to have a port report a vulnerable
> mailbox on a default FreeBSD installation. I would like to apologize for
> the cross-post, but I felt it relevant to both lists. If this is incorrect
> please inform me so that I don't make the same mistake again :)

I was experiencing that kind of warning when using Pine 4.21 under
4.0-STABLE, and had to "fix" it with that silly mode-changing thing. Some
time after, I decided to uninstall Pine and install Mutt, then returning
/var/mail to root.mail 0775. This way, every time the users were going to
handle their incoming mail, they got a message "Mailbox is read-only".
Going again into the silly root.mail 1777 solved the problem, but I
definitely don't like that idea. Any pointers on how to get rid of that?

Cheers,
Fred N Souza.

--
This is what you get when you meet someone who has spent most of his/her
entire life, thinking.
Date: Tue, 8 Aug 2000 21:49:34 -0500 (CDT)
From: Frank Tobin
To: freebsd-security@FreeBSD.ORG
Subject: Re: pine 4.21 port issues?

Warner Losh, at 17:11 -0600 on Tue, 8 Aug 2000, wrote:

> : Your safest course of action is actually to probably not even use
> : /var/mail, but rather have mailboxes directly in each user's home
> : directory. Qmail supports this. (/var/qmail/doc/INSTALL.mbox)
>
> I'm not sure how this is better for well behaved mail programs.

There is a warm snuggly feeling when users have their data in their own
directories. It simplifies quota issues, remotely-mounted home
directories, additions of new users to the system without modifying
/var/mail, etc.

--
Frank Tobin   http://www.uiuc.edu/~ftobin/

Date: Tue, 8 Aug 2000 22:55:00 -0400 (EDT)
From: Matt Heckaman
To: Fred Souza
Cc: security@FreeBSD.org
Subject: Re: pine 4.21 port issues?

On Tue, 8 Aug 2000, Fred Souza wrote:
...
: Going again into the silly root.mail 1777 solved the problem, but I
: definitely don't like that idea. Any pointers on how to get rid of that?

Yeah, just do what someone suggested and what I just put in over here; it
gets rid of the messages and doesn't hurt anything that I've seen.

Create /usr/local/etc/pine.conf.fixed, in it put:

    feature-list= quell-lock-failure-warnings

That'll enforce that option on all pine clients, effectively shutting up
the message. I doubt running pine with /var/mail root:mail 0775 will hurt
anything, I've *always* run it that way.

: Cheers,
: Fred N Souza.
From: Maelmord
To: Matt Heckaman
Cc: Fred Souza, security@FreeBSD.ORG
Subject: Re: pine 4.21 port issues?
Date: Tue, 8 Aug 2000 23:05:36 -0500 (EST)

Personally, I still prefer 755 regardless of the explanation why they want
1777. Yes, the sticky bit is useful for having them not delete another
user's spool and replace it with a different one, but it also allows users
to use /var/mail as a personal /tmp.. which is not such a good thing if
you have /var or /var/mail as a separate mount point. The chance of
running out of space and losing mail is too great. 755 on the other hand
keeps it clean and devoted to mail.

I've always preferred having the spool kept in the user's directory
though. /home is a separate mount point, and makes backups/upgrades
simpler as that drive isn't touched.

--Chris

On Tue, 8 Aug 2000, Matt Heckaman wrote:
> On Tue, 8 Aug 2000, Fred Souza wrote:
> ...
> : Going again into the silly root.mail 1777 solved the problem, but I
> : definitely don't like that idea. Any pointers on how to get rid of that?
>
> Yeah, just do what someone suggested and what I just put in over here, it
> gets rid of the messages and doesn't hurt anything that I've seen.
>
> Create /usr/local/etc/pine.conf.fixed, in it put:
>
> feature-list= quell-lock-failure-warnings
>
> That'll enforce that option on all pine clients, effectively shutting up
> the message. I doubt running pine with /var/mail root:mail 0775 will hurt
> anything, I've *always* run it that way.
>
> : Cheers,
> : Fred N Souza.

Date: Wed, 9 Aug 2000 00:23:27 -0300
From: Fred Souza
To: Matt Heckaman
Cc: security@freebsd.org
Subject: Re: pine 4.21 port issues?

> Yeah, just do what someone suggested and what I just put in over here, it
> gets rid of the messages and doesn't hurt anything that I've seen.
>
> Create /usr/local/etc/pine.conf.fixed, in it put:
>
> feature-list= quell-lock-failure-warnings
>
> That'll enforce that option on all pine clients, effectively shutting up
> the message. I doubt running pine with /var/mail root:mail 0775 will hurt
> anything, I've *always* run it that way.

Well, the point is that I no longer use Pine. :) I was wondering if there
was a "generic" solution for that, since when I was using Pine, it
complained, and now that I use Mutt, it says the Mailbox is read-only.

--
What upsets me is not that you lied to me, but that from now on I can no
longer believe you.
                -- Nietzsche

Date: Wed, 9 Aug 2000 12:32:36 +0700 (NSS)
From: Max Khon
To: Matt Heckaman
Cc: Fred Souza, security@FreeBSD.ORG
Subject: Re: pine 4.21 port issues?

hi, there!

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> : Going again into the silly root.mail 1777 solved the problem, but I
> : definitely don't like that idea. Any pointers on how to get rid of that?
>
> Yeah, just do what someone suggested and what I just put in over here, it
> gets rid of the messages and doesn't hurt anything that I've seen.
>
> Create /usr/local/etc/pine.conf.fixed, in it put:
>
> feature-list= quell-lock-failure-warnings
>
> That'll enforce that option on all pine clients, effectively shutting up
> the message. I doubt running pine with /var/mail root:mail 0775 will hurt
> anything, I've *always* run it that way.

As someone else noted here, patches/patch-aw has a workaround for this
but it somehow does not work. Sorry, have no time to investigate further.

/fjoe

Date: Wed, 9 Aug 2000 09:12:03 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

On Tue, 8 Aug 2000, Gerhard Sittig wrote:

> Question: How does Pine (or C-Client in this scenario) modify
> the mailbox and how does it lock against the MTA delivering into
> the box?
>

Well, does anybody know how the locking against the MTA is done?

How do multiple copies of the MTA lock against each other (e.g., multiple
procmails)? And how does finally an MUA lock against the MTA?

Is there a convention (or a standard) for this locking? Or is it MTA
(e.g., sendmail) specific? (I guess no).

Really curious
Vlada

Date: Wed, 9 Aug 2000 09:22:51 +0100
From: Ben Smithurst
To: "Vladimir Mencl, MK, susSED"
Cc: FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

Vladimir Mencl, MK, susSED wrote:

> On Tue, 8 Aug 2000, Gerhard Sittig wrote:
>
>> Question: How does Pine (or C-Client in this scenario) modify
>> the mailbox and how does it lock against the MTA delivering into
>> the box?
>>
>
> Well, does anybody know how the locking against the MTA is done?

fcntl() or flock() in most cases, I think. Or dotlocking, where to lock
$FILE you create $FILE.lock with O_EXCL|O_CREAT so it fails if the lock
already exists, but that seems crude really, when fcntl()/flock() are so
much easier and probably more efficient and reliable.

> How do multiple copies of the MTA lock against each other (e.g.,
> multiple procmails)? And how does finally an MUA lock against the MTA?

All the same way. If the file is locked, neither the MTA nor the MUA
cares or knows what has locked it; they wait until it's unlocked.

--
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D
FreeBSD Documentation Project /

Date: Wed, 9 Aug 2000 09:52:40 -0400 (EDT)
From: Garrett Wollman
To: "Vladimir Mencl, MK, susSED"
Cc: FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

< said:
> Well, does anybody know how the locking against the MTA is done?

Using kernel file locking.

> How do multiple copies of the MTA lock against each other (e.g.,
> multiple procmails)? And how does finally an MUA lock against the
> MTA?

Same way.

> Is there a convention (or a standard) for this locking?

It's defined by the local mail delivery agent (in FreeBSD, mail.local).
If you read the manual page, this is quite clear. (Our mail.local also
creates .lock files, but these cannot be relied upon. These files were
originally created because early Unix didn't have file locking, and have
persisted thanks to Sun brain-damage.) Using file locking permits MUAs to
operate without any elevated privilege, without requiring a
world-writable spool directory (although the MDA must still run as root
in order to write to user mailboxes and potentially chown new mailboxes
to their respective users).

-GAWollman
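Ben Smithurst's and Garrett Wollman's replies above name the two ways a mail reader and a delivery agent keep out of each other's way: a kernel lock on the mailbox file, which needs write permission on that file only, and the older dot-lock (create `$FILE.lock` with `O_EXCL|O_CREAT`), which needs write permission on the spool directory and is the reason some MUAs ask for 1777 on /var/mail. The program below is an added example, not code from the thread, from Pine, or from FreeBSD's mail.local. It uses flock(2) for the kernel lock (fcntl() locks would serve the same purpose; which primitive mail.local itself uses is not stated on this page) and exercises both schemes on a scratch mailbox it creates under a mkdtemp() directory, so it never touches the real spool. The scratch path and the function names are the example's own choices.

```c
/* Added example (not from the thread): the two mailbox locking schemes the
 * replies above describe, kernel file locking with flock(2) and the older
 * dot-lock built on open(O_CREAT|O_EXCL), exercised on a scratch mbox in a
 * mkdtemp() directory, never on /var/mail. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Exclusive non-blocking flock(2) on the mailbox.  Needs write permission on
 * the mailbox file only, not on the spool directory, so an unprivileged MUA
 * can do it.  Returns the fd (lock held) or -1 with errno set; EWOULDBLOCK
 * means the MDA or another MUA instance holds the lock.  flock() locks belong
 * to the open file description, so a second open() of the same file conflicts
 * even within one process, which the demo below relies on. */
int mbox_lock_flock(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Closing the descriptor releases the lock; LOCK_UN makes it explicit. */
void mbox_unlock_flock(int fd)
{
    if (fd >= 0) {
        flock(fd, LOCK_UN);
        close(fd);
    }
}

/* Dot-lock: atomically create "<path>.lock".  O_EXCL makes the create fail
 * with EEXIST while the lock is held.  This needs write permission on the
 * spool directory, which is what the 1777 demand in the thread is about. */
int mbox_dotlock(const char *path)
{
    char lockpath[PATH_MAX];
    if (snprintf(lockpath, sizeof lockpath, "%s.lock", path) >= (int)sizeof lockpath) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

int mbox_undotlock(const char *path)
{
    char lockpath[PATH_MAX];
    snprintf(lockpath, sizeof lockpath, "%s.lock", path);
    return unlink(lockpath);
}

/* Run both schemes on a scratch mailbox; returns how many of the four
 * expected outcomes were observed (4 = behaves as the thread describes). */
int demo(void)
{
    char dir[] = "/tmp/mboxdemo.XXXXXX", mbox[PATH_MAX];   /* scratch paths */
    int passed = 0, mua, mda, fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(mbox, sizeof mbox, "%s/user", dir);
    if ((fd = open(mbox, O_WRONLY | O_CREAT, 0600)) < 0)   /* empty inbox */
        return -1;
    close(fd);
    if ((mua = mbox_lock_flock(mbox)) >= 0)          /* reader takes the lock */
        passed++;
    mda = mbox_lock_flock(mbox);                     /* delivery arrives meanwhile */
    if (mda < 0 && errno == EWOULDBLOCK)             /* it must wait, not clobber */
        passed++;
    mbox_unlock_flock(mua);
    if ((mda = mbox_lock_flock(mbox)) >= 0)          /* after release it proceeds */
        passed++;
    mbox_unlock_flock(mda);
    if (mbox_dotlock(mbox) == 0 && mbox_dotlock(mbox) < 0 && errno == EEXIST)
        passed++;                                    /* second dot-lock refused */
    mbox_undotlock(mbox);
    unlink(mbox);
    rmdir(dir);
    return passed;
}

int main(void)
{
    int n = demo();
    printf("%d of 4 locking checks behaved as expected\n", n);
    return n == 4 ? 0 : 1;
}
```

The contrast the thread is arguing about is visible in the two open() calls: the flock path opens only the mailbox the user already owns, while the dot-lock path has to create a new name inside the spool directory, and fails with EACCES rather than EEXIST when that directory is 0775 root:mail. Brad Guillory's NFS caveat below is the usual reason dot-locks survive; on a local filesystem the kernel lock is the one to trust.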
Date: Wed, 9 Aug 2000 09:06:25 -0500
From: Brad Guillory
To: FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

I thought that a significant reason for dot locks is flock does not
reliably work over NFS. (Please correct me. I would like to be wrong on
this one.) I don't think that this is relevant to FreeBSD-Security though.

BMG

On Wed, Aug 09, 2000 at 09:52:40AM -0400, Garrett Wollman wrote:
> < said:
>
> > Well, does anybody know how the locking against the MTA is done?
>
> Using kernel file locking.
>
> > How do multiple copies of the MTA lock against each other (e.g.,
> > multiple procmails)? And how does finally an MUA lock against the
> > MTA?
>
> Same way.
>
> > Is there a convention (or a standard) for this locking?
>
> It's defined by the local mail delivery agent (in FreeBSD,
> mail.local). If you read the manual page, this is quite clear. (Our
> mail.local also creates .lock files, but these cannot be relied upon.
> These files were originally created because early Unix didn't have
> file locking, and have persisted thanks to Sun brain-damage.) Using
> file locking permits MUAs to operate without any elevated privilege,
> without requiring a world-writable spool directory
> (although the MDA must still run as root in order to write to user
> mailboxes and potentially chown new mailboxes to their respective
> users).
>
> -GAWollman
--
  __O    | Information wants to be free!          |   __O    Bike
 _-\<,_  | FreeBSD: The Power to Serve (easily)   |  _-\<,_  to
(_)/ (_) | OpenBSD: The Power to Serve (securely) | (_)/ (_) Work

Subject: who is port scanning at freebsd.org
To: freebsd-security@freebsd.org
From: George.Giles@mcmail.vanderbilt.edu
Date: Wed, 9 Aug 2000 09:56:06 -0500

My firewall reported a port scan attempt (8 times, not an accident) from
hub.freebsd.org. Is this normal behavior, or has your box been hacked?

George

Date: Wed, 9 Aug 2000 15:58:26 +0100
From: Josef Karthauser To: George.Giles@mcmail.vanderbilt.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: who is port scanning at freebsd.org Message-ID: <20000809155826.H22672@pavilion.net> Mail-Followup-To: Josef Karthauser , George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Wed, Aug 09, 2000 at 09:56:06AM -0500 X-NCC-RegID: uk.pavilion Organisation: Pavilion Internet plc, Lees House, 21-23 Dyke Road, Brighton, England Phone: +44-845-333-5000 Fax: +44-845-333-5001 Mobile: +44-403-596893 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Aug 09, 2000 at 09:56:06AM -0500, George.Giles@mcmail.vanderbilt.edu wrote: > > My firewall reported a port scan attempt (8 times, not an accident) from > hub.freebsd.org. Is this normal behavior, or has your box been hacked? > > George Is it a port scan, or is it just trying to connect to the ident port? Joe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 8: 8:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from genius.systems.pavilion.net (genius.systems.pavilion.net [212.74.1.100]) by hub.freebsd.org (Postfix) with ESMTP id BE49937B61C for ; Wed, 9 Aug 2000 08:08:24 -0700 (PDT) (envelope-from joe@pavilion.net) Received: by genius.systems.pavilion.net (Postfix, from userid 100) id 893369B2A; Wed, 9 Aug 2000 16:08:22 +0100 (BST) Date: Wed, 9 Aug 2000 16:08:22 +0100 
From: Josef Karthauser To: George.Giles@mcmail.vanderbilt.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: who is port scanning at freebsd.org Message-ID: <20000809160822.I22672@pavilion.net> Mail-Followup-To: Josef Karthauser , George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Wed, Aug 09, 2000 at 10:02:34AM -0500 X-NCC-RegID: uk.pavilion Organisation: Pavilion Internet plc, Lees House, 21-23 Dyke Road, Brighton, England Phone: +44-845-333-5000 Fax: +44-845-333-5001 Mobile: +44-403-596893 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Aug 09, 2000 at 10:02:34AM -0500, George.Giles@mcmail.vanderbilt.edu wrote: > > It is a port scan looking for smtpd. You mean a connection to port 25? Joe p.s. please keep freebsd-security on the Cc list. > On Wed, Aug 09, 2000 at 09:56:06AM -0500, > George.Giles@mcmail.vanderbilt.edu wrote: > > > > My firewall reported a port scan attempt (8 times, not an accident) from > > hub.freebsd.org. Is this normal behavior, or has your box been hacked? > > > > George > > Is it a port scan, or is it just trying to connect to the ident port? 
> > Joe > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 9: 4:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 3082837BB24 for ; Wed, 9 Aug 2000 09:04:49 -0700 (PDT) (envelope-from mencl@nenya.ms.mff.cuni.cz) Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id SAA23483; Wed, 9 Aug 2000 18:04:32 +0200 (MET DST) Date: Wed, 9 Aug 2000 18:04:32 +0200 (MET DST) 
From: "Vladimir Mencl, MK, susSED" To: Brad Guillory Cc: FreeBSD-SECURITY Subject: Re: pine 4.21 port issues? In-Reply-To: <20000809090625.A35124@baileylink.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, 9 Aug 2000, Brad Guillory wrote:
> I thought that a significant reason for dot locks is flock does not reliably
> work over NFS.
>
> (Please correct me. I would like to be wrong on this one.)
>
> I don't think that this is relevant to FreeBSD-Security though.

Thanks for the answers, especially to Garrett.

I do think this is related to security - this thread came from the question whether we need world-writable directories on mailservers. And unfortunately, I feel that the answer is yes - if we want to avoid mailbox corruption.

From reading the man page for mail.local, I see that there are several mailbox locking conventions - and I do not think that every single MUA or LMDA-helper (e.g., procmail) consults the local mail-delivery policy at compile time. And it seems to me that the only way to check this reliably is to human-read the mail.local page.

FreeBSD mail.local tries to comply with as many of these conventions as it can (a flock is done, and a .lock is tried); however, it seems to me that to avoid collisions with programs relying only on .lock, the only safe way is to allow .lock files in the /var/mail directory.

Vlada

> On Wed, Aug 09, 2000 at 09:52:40AM -0400, Garrett Wollman wrote:
> >
> > It's defined by the local mail delivery agent (in FreeBSD,
> > mail.local). If you read the manual page, this is quite clear. (Our
> > mail.local also creates .lock files, but these cannot be relied upon.
> > These files were originally created because early Unix didn't have
> > file locking, and have persisted thanks to Sun brain-damage.) Using
> > file locking permits MUAs to operate without any elevated privilege,
> > without requiring a world-writable spool directory
> > (although the MDA must still run as root in order to write to user
> > mailboxes and potentially chown new mailboxes to their respective
> > users).

From owner-freebsd-security Wed Aug 9 9:33:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from relay3.san.cerf.net (relay3.san.cerf.net [192.215.81.76]) by hub.freebsd.org (Postfix) with ESMTP id 0596B37BE91 for ; Wed, 9 Aug 2000 09:33:23 -0700 (PDT) (envelope-from lwells@goalie-usa.com) Received: from penguin (host6.goalie-usa.com [12.17.221.245]) by relay3.san.cerf.net (8.9.3/8.9.3) with SMTP id QAA01405; Wed, 9 Aug 2000 16:33:18 GMT Message-ID: <002301c0021f$947f8240$2c0100c0@goalieusa.com>
From: "Larry Wells" To: Cc: References: <20000809160822.I22672@pavilion.net> Subject: Re: who is port scanning at freebsd.org Date: Wed, 9 Aug 2000 10:33:41 -0600 Organization: Goalie Entertainment MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Wed, Aug 09, 2000 at 10:02:34AM -0500, George.Giles@mcmail.vanderbilt.edu wrote: > > It is a port scan looking for smtpd. > I sincerely hope you are making a joke, George. #1: Your firewall won't tell you what someone is looking for if they are portscanning. #2: I'm guessing your 'smtpd' assumption is based on the fact that multiple attempts were made to connect to port 25 of some machine. #3: I think you have become a victim of the dread hacker program 'Sendmail'. The only remedy is to go buy a book on how networks work. L. Wells To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 10: 1:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.pythonvideo.com (mail.pythonvideo.com [207.164.115.15]) by hub.freebsd.org (Postfix) with ESMTP id 377A237BEAF for ; Wed, 9 Aug 2000 10:01:16 -0700 (PDT) (envelope-from joe@webkrew.com) Received: from joe (joe.pythonvideo.com [209.226.29.94]) by mail.pythonvideo.com (8.9.3/8.9.3) with SMTP id NAA69975 for ; Wed, 9 Aug 2000 13:00:41 -0400 (EDT) (envelope-from joe@webkrew.com) 
From: "Joe Oliveiro" To: Subject: RE: who is port scanning at freebsd.org Date: Wed, 9 Aug 2000 12:59:08 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I Thought we already covered this? -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of George.Giles@mcmail.vanderbilt.edu Sent: August 9, 2000 10:56 AM To: freebsd-security@FreeBSD.ORG Subject: who is port scanning at freebsd.org My firewall reported a port scan attempt (8 times, not an accident) from hub.freebsd.org. Is this normal behavior, or has your box been hacked? George To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 11:21:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from grimreaper.grondar.za (grimreaper.grondar.za [196.7.18.138]) by hub.freebsd.org (Postfix) with ESMTP id E042A37BE6F for ; Wed, 9 Aug 2000 11:19:03 -0700 (PDT) (envelope-from mark@grondar.za) Received: from grimreaper.grondar.za (localhost [127.0.0.1]) by grimreaper.grondar.za (8.9.3/8.9.3) with ESMTP id TAA05252; Wed, 9 Aug 2000 19:41:00 +0200 (SAST) (envelope-from mark@grimreaper.grondar.za) Message-Id: <200008091741.TAA05252@grimreaper.grondar.za> To: George.Giles@mcmail.vanderbilt.edu Cc: freebsd-security@FreeBSD.ORG Subject: Re: who is port scanning at freebsd.org References: In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu "Wed, 09 Aug 2000 09:56:06 EST." Date: Wed, 09 Aug 2000 19:41:00 +0200 
From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > My firewall reported a port scan attempt (8 times, not an accident) from > hub.freebsd.org. Is this normal behavior, or has your box been hacked? Logs, please? M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 12:16:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 33B2537B668 for ; Wed, 9 Aug 2000 12:16:38 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 29441 invoked by uid 0); 9 Aug 2000 19:16:36 -0000 Received: from p3ee20a95.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.149) by mail.gmx.net with SMTP; 9 Aug 2000 19:16:36 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA06790 for freebsd-security@FreeBSD.ORG; Wed, 9 Aug 2000 20:14:54 +0200 Date: Wed, 9 Aug 2000 20:14:54 +0200 
From: Gerhard Sittig To: FreeBSD-SECURITY Subject: Re: pine 4.21 port issues? Message-ID: <20000809201454.P261@speedy.gsinet> Mail-Followup-To: FreeBSD-SECURITY References: <20000808201626.I261@speedy.gsinet> <20000809092250.A48327@strontium.scientia.demon.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000809092250.A48327@strontium.scientia.demon.co.uk>; from ben@FreeBSD.org on Wed, Aug 09, 2000 at 09:22:51AM +0100 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, Aug 09, 2000 at 09:22 +0100, Ben Smithurst wrote:
> Vladimir Mencl, MK, susSED wrote:
> >
> > Well, does anybody know how the locking against the MTA is
> > done?
>
> fcntl() or flock() in most cases, I think. Or dotlocking,
> where to lock $FILE you create $FILE.lock with O_EXCL|O_CREAT
> so it fails if the lock already exists, but that seems crude
> really, when fcntl()/flock() are so much easier and probably
> more efficient and reliable.
>
> > How do multiple copies of the MTA lock against each other
> > (e.g., multiple procmails)? And how does finally an MUA lock
> > against the MTA?
>
> All the same way. If the file is locked, neither the MTA nor
> the MUA cares or knows what has locked it; they wait until it's
> unlocked.

But procmail seems to be very aware that all these locking mechanisms aren't implemented everywhere equally well and have some "tricky aspects" (to avoid the "bugs" or "indeterministic" or "unreliable" words) in various environments. There's a test run at setup time to find a combination of the above three methods that will result in reliable locks in _your_ net. So I guess it's something only procmail does this way and others don't know about.
Luckily one can specify lockfiles in procmailrc rules and there's a lockfile(1) command handing procmail's internal (and for _your_ environment well tested) locking into shell scripts in case you need it. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 12:16:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 673FF37B6D9 for ; Wed, 9 Aug 2000 12:16:38 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 29467 invoked by uid 0); 9 Aug 2000 19:16:36 -0000 Received: from p3ee20a95.dip.t-dialin.net (HELO speedy.gsinet) (62.226.10.149) by mail.gmx.net with SMTP; 9 Aug 2000 19:16:36 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA06787 for freebsd-security@freebsd.org; Wed, 9 Aug 2000 20:04:12 +0200 Date: Wed, 9 Aug 2000 20:04:12 +0200 
From: Gerhard Sittig To: FreeBSD-SECURITY Subject: Re: pine 4.21 port issues? Message-ID: <20000809200412.O261@speedy.gsinet> Mail-Followup-To: FreeBSD-SECURITY References: <20000808201626.I261@speedy.gsinet> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from matt@ARPA.MAIL.NET on Tue, Aug 08, 2000 at 03:25:27PM -0400 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Aug 08, 2000 at 15:25 -0400, Matt Heckaman wrote:
> On Tue, 8 Aug 2000, Gerhard Sittig wrote:
> ...
> : Question: How does Pine (or C-Client in this scenario) modify
> : the mailbox and how does it lock against the MTA delivering into
> : the box?
>
> I do not know.

Neither did I. Garrett Wollman corrected my public demonstration of ignorance ... :)

> ...
> : For locking and for modifications to the inbox via copies and
> : renaming (or for creating new inboxes upon first invocation) you
> : need write access to the spool dir. How do you do that with
> : root.mail and 0775? Do you run your MUAs setgid mail? That's
> : what I would _not_ prefer. :)
>
> Negative, I do *not* run pine setgid mail. I do know that even
> without write access to the spool pine knows and appropriately
> bails when you start two copies of it.

I took from previous messages that the lock against running multiple MUA instances is located "anywhere" a user can write to (and thus depends on the MUA, but shouldn't be a problem). What I never liked about pine is that the latter(!) instance "wins" and voids any changes you might have done with the first one. But I guess (I'm almost sure) this doesn't belong here.

> When you get new mail with pine open, it simply updates the
> list saying you have new mail. It would seem to me that it just
> keeps scanning the mail spool file and loading it. Though I do
> not know any of the actual details.
Since I had no biff running ever, the new mail check has to be done by some kind of stat(2) function on the mailbox file (or directory when it comes to Maildir, and I've seen mutt giving false alarms in this). Delivery and user programs defend against each other by locking the mailbox file when trying to write to it, I guess. What I still didn't get yet (since I didn't expect it to be this way) is that mailfolder modification is done "in place". But this is not a security problem either. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 15:19: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from alpha.simphost.com (alpha.simphost.com [216.84.199.194]) by hub.freebsd.org (Postfix) with ESMTP id DBCC137B883; Wed, 9 Aug 2000 15:18:52 -0700 (PDT) (envelope-from jslivko@alpha.simphost.com) Received: by alpha.simphost.com (Postfix, from userid 1004) id 4359A3071F; Wed, 9 Aug 2000 16:18:55 -0600 (MDT) Received: from localhost (localhost [127.0.0.1]) by alpha.simphost.com (Postfix) with ESMTP id 3EB642C90F; Wed, 9 Aug 2000 16:18:55 -0600 (MDT) Date: Wed, 9 Aug 2000 16:18:55 -0600 (MDT) 
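The two locking conventions this thread compares (the flock plus .lock that mail.local attempts, and the O_EXCL|O_CREAT dot-lock described above), as an added C example that is not code from the thread, mail.local or procmail; it assumes a POSIX system with flock(2) and mkdtemp(3), and the scratch spool directory under /tmp is a constructed path. It shows concretely why the .lock convention is the one that needs a writable spool directory while flock(2) needs only the mailbox file:

```c
/* Added example, not from the thread, mail.local or procmail: the two mailbox
 * locking conventions compared above, exercised on a scratch mailbox.
 *  - dot-locking creates "<mailbox>.lock" with O_CREAT|O_EXCL, so it needs
 *    write permission on the spool directory (the /var/mail question);
 *  - flock(2) locks the open mailbox itself and needs only the file.
 * Assumes a POSIX system with flock(2) and mkdtemp(3); paths are constructed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

#define LOCKPATH_MAX 4096

/* Build "<mailbox>.lock"; -1 with ENAMETOOLONG if it does not fit. */
static int lock_name(const char *mailbox, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s.lock", mailbox);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Dot-lock: atomic create of the lock file next to the mailbox.
 * 0 on success; -1 with errno EEXIST if another locker holds it, or EACCES
 * when the spool directory itself is not writable by the caller. */
int dotlock_acquire(const char *mailbox)
{
    char lockpath[LOCKPATH_MAX];
    if (lock_name(mailbox, lockpath, sizeof lockpath) < 0) return -1;
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0) return -1;
    /* Record the owner's pid so a cleanup tool can tell a stale lock from a live one. */
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)n) != n) {
        int e = errno; close(fd); unlink(lockpath); errno = e; return -1;
    }
    close(fd);
    return 0;
}

int dotlock_release(const char *mailbox)
{
    char lockpath[LOCKPATH_MAX];
    if (lock_name(mailbox, lockpath, sizeof lockpath) < 0) return -1;
    return unlink(lockpath);
}

/* flock-style lock on the mailbox itself. Returns the locked fd, or -1 with
 * errno EWOULDBLOCK while another open file description holds the lock. */
int flock_acquire(const char *mailbox)
{
    int fd = open(mailbox, O_RDWR);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Exercise both conventions on a fresh scratch spool and return how many of
 * the five expected observations held (5 = behaves as described above). */
int demo_locking(void)
{
    char dir[] = "/tmp/spoolXXXXXX";   /* constructed scratch spool dir */
    char mailbox[LOCKPATH_MAX], lockpath[LOCKPATH_MAX];
    int ok = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(mailbox, sizeof mailbox, "%s/user", dir);
    lock_name(mailbox, lockpath, sizeof lockpath);
    int fd = open(mailbox, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    /* 1: first dot-lock wins; 2: a second one is refused with EEXIST */
    if (dotlock_acquire(mailbox) == 0) ok++;
    if (dotlock_acquire(mailbox) < 0 && errno == EEXIST) ok++;
    /* 3: after release the lock file is gone again */
    if (dotlock_release(mailbox) == 0 && access(lockpath, F_OK) < 0) ok++;
    /* 4: flock on the mailbox wins; 5: a second descriptor gets EWOULDBLOCK */
    int lfd = flock_acquire(mailbox);
    if (lfd >= 0) ok++;
    if (flock_acquire(mailbox) < 0 && errno == EWOULDBLOCK) ok++;
    if (lfd >= 0) { flock(lfd, LOCK_UN); close(lfd); }
    unlink(mailbox);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("locking observations confirmed: %d of 5\n", demo_locking());
    return 0;
}
```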
From: "Jonathan M. Slivko" To: Matt Heckaman Cc: Rick McGee , FreeBSD-PORTS , FreeBSD-SECURITY Subject: Re: pine 4.21 port issues? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I totally agree, Matt :)

On Tue, 8 Aug 2000, Matt Heckaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 8 Aug 2000, Rick McGee wrote:
> :
> : Hi Matt, no it's ok and it works rather well. If you look up chmod the
> : sticky bit this is what you get. 1000 (the sticky bit) When set on a
> : directory, unprivileged users can delete and rename only those files
> : in the directory that are owned by them, regardless of the permissions
> : on the directory. Under FreeBSD, the sticky bit is ignored for
> : executable files and may only be set for directories
> :
> : Rick
>
> Yes, I know what the sticky bit does :) The point is, that is NOT set on
> the directory by default in FreeBSD, nor is the directory world writable,
> so why is pine reporting this as a vulnerability? I know that it is not,
> but it's causing panic in my users.
>
> The point is, I strictly control world writable directories on my system;
> making /var/mail world writable to satisfy pine seems a silly thing to do
> in my opinion. I run qmail on the system through procmail, and all mail
> files are owned to the user name and group, ie the files themselves are
> not group owned to mail.
>
> Either way, my point is that since FreeBSD by default does not make
> /var/mail sticky or world writable, should not the port include a patch
> that modifies this to check based on the proper FreeBSD permissions?
>
> pine 4.21 on the 4.0-RELEASE port tree worked fine, and did not display
> this message (date: March 19); however 4.1-RELEASE ports pine 4.21 does
> give this warning message. I'm going to look into it a tad more on the
> code side, and I'll most likely fix it to check the right permissions for
> my machines. Is it appropriate for a patch like that to be implemented
> into the ports patches?
>
> I think it's bad that a port reports default FreeBSD permissions as
> vulnerable :)
>
> Regards,
> Matt Heckaman
>
> * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
> * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.2 (FreeBSD)
> Comment: http://www.lucida.qc.ca/pgp
>
> iD8DBQE5j5vFdMMtMcA1U5ARAhvoAKCKNhNflkcFOsHTdlYF8zQAcbjSuwCdEsRq
> FQ+icogPRkZUHl82q0jDzfI=
> =hHcc
> -----END PGP SIGNATURE-----

From owner-freebsd-security Wed Aug 9 15:30:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.utexas.edu (wb1-a.mail.utexas.edu [128.83.126.134]) by hub.freebsd.org (Postfix) with SMTP id 2A0E837B75B for ; Wed, 9 Aug 2000 15:30:46 -0700 (PDT) (envelope-from oscars@mail.utexas.edu) Received: (qmail 27650 invoked by uid 0); 9 Aug 2000 22:30:44 -0000 Received: from chepe.cc.utexas.edu (HELO chepe.mail.utexas.edu) (128.83.135.25) by umbs-smtp-1 with SMTP; 9 Aug 2000 22:30:44 -0000 Message-Id: <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> X-Sender: oscars@mail.utexas.edu X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 09 Aug 2000 17:27:27 -0500 To: freebsd-security@FreeBSD.ORG
From: Oscar Ricardo Silva Subject: Setting up kerberos server on FreeBSD 4.x Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Does anybody have any pointers on where to look on setting up a kerberos server on FreeBSD 4.x? I'm not asking for the easy answer, just some documents or sites where I can read up on setting it up on FreeBSD. I just checked The Complete FreeBSD but didn't see any mention of kerberos there. I did find the information in the Handbook () but I find it easier to work on something when I have multiple references. I'm following the Handbook steps but am already finding some differences. I have edited /etc/defaults/make.conf, uncommenting "MAKE_KERBEROS4= yes" and will rebuild the system. One other minor question: Is the recent vulnerability found in Kerberos 4 fixed in FreeBSD 4.1 ? I saw that 3.5.1 was released but the only thing different from 3.5 was changes in the kerberos code. Any information would be appreciated. Thanks, Oscar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 15:44:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id D753737B75B; Wed, 9 Aug 2000 15:44:34 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA57458; Wed, 9 Aug 2000 15:44:32 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 9 Aug 2000 15:44:32 -0700 (PDT) 
From: Kris Kennaway To: Oscar Ricardo Silva Cc: freebsd-security@FreeBSD.ORG Subject: Re: Setting up kerberos server on FreeBSD 4.x In-Reply-To: <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 9 Aug 2000, Oscar Ricardo Silva wrote: > One other minor question: Is the recent vulnerability found in Kerberos 4 > fixed in FreeBSD 4.1 ? I saw that 3.5.1 was released but the only thing > different from 3.5 was changes in the kerberos code. Well, what does the advisory tell you? Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 9 16:16: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.utexas.edu (wb3-a.mail.utexas.edu [128.83.126.138]) by hub.freebsd.org (Postfix) with SMTP id 4F6BE37B66D for ; Wed, 9 Aug 2000 16:15:59 -0700 (PDT) (envelope-from oscars@mail.utexas.edu) Received: (qmail 24932 invoked by uid 0); 9 Aug 2000 23:15:57 -0000 Received: from chepe.cc.utexas.edu (HELO chepe.mail.utexas.edu) (128.83.135.25) by umbs-smtp-3 with SMTP; 9 Aug 2000 23:15:57 -0000 Message-Id: <4.3.2.7.2.20000809181113.00b9b7d0@mail.utexas.edu> X-Sender: oscars@mail.utexas.edu X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 09 Aug 2000 18:12:29 -0500 To: freebsd-security@FreeBSD.ORG 
From: Oscar Ricardo Silva Subject: Re: Setting up kerberos server on FreeBSD 4.x In-Reply-To: References: <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 03:44 PM 8/9/00 -0700, Kris Kennaway, you wrote: >On Wed, 9 Aug 2000, Oscar Ricardo Silva wrote: > > > One other minor question: Is the recent vulnerability found in Kerberos 4 > > fixed in FreeBSD 4.1 ? I saw that 3.5.1 was released but the only thing > > different from 3.5 was changes in the kerberos code. > >Well, what does the advisory tell you? > >Kris OK, found the answer to that one in FreeBSD-SA-00:33.kerberosIV.asc: At the time it was believed that the implementation of Kerberos distributed with FreeBSD was not vulnerable to these problems, but it was later discovered that FreeBSD 3.x contained an older version of KTH Kerberos 4 which is in fact vulnerable to at least some of these vulnerabilities. FreeBSD 4.0-RELEASE and later are unaffected by this problem, although FreeBSD 3.5-RELEASE is vulnerable. Should've just looked a little further and RTFM. Oscar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 0:18:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from kleopatra.acc.umu.se (kleopatra.acc.umu.se [130.239.18.150]) by hub.freebsd.org (Postfix) with ESMTP id BD4C537B939 for ; Thu, 10 Aug 2000 00:18:15 -0700 (PDT) (envelope-from markush@acc.umu.se) Received: from mao.acc.umu.se (root@mao.acc.umu.se [130.239.18.154]) by kleopatra.acc.umu.se (8.11.0/8.11.0) with ESMTP id e7A7Hmd12026 for ; Thu, 10 Aug 2000 09:18:08 +0200 Received: (from markush@localhost) by mao.acc.umu.se (8.9.3/8.9.3/Debian/GNU) id JAA07998 for freebsd-security@freebsd.org; Thu, 10 Aug 2000 09:17:48 +0200 Date: Thu, 10 Aug 2000 09:17:48 +0200 
From: Markus Holmberg To: freebsd-security@freebsd.org Subject: Unified diff format in output of /etc/security? Message-ID: <20000810091748.A7931@acc.umu.se> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="/04w6evG8XlLl3ft" Content-Disposition: inline User-Agent: Mutt/1.3-current-20000511i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --/04w6evG8XlLl3ft Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hello.. Is there a reason to not have the diff output of /etc/security to be of unified format? (/etc/periodic/daily/210.backup-aliases already seems to use unified format) If not, attached are patches for /etc/security and /etc/periodic/daily/200.backup-passwd against 4.1-STABLE. Regards, Markus Holmberg. -- Markus Holmberg | Give me Unix or give me a typewriter. markush@acc.umu.se | http://www.freebsd.org/ --/04w6evG8XlLl3ft Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="security.patch" --- /etc/security.orig Thu Aug 10 09:13:41 2000 +++ /etc/security Thu Aug 10 09:14:21 2000 @@ -46,7 +46,7 @@ if cmp ${LOG}/setuid.today ${TMP} >/dev/null; then :; else separator echo "${host} setuid diffs:" - diff -w ${LOG}/setuid.today ${TMP} + diff -uw ${LOG}/setuid.today ${TMP} mv ${LOG}/setuid.today ${LOG}/setuid.yesterday mv ${TMP} ${LOG}/setuid.today fi @@ -62,7 +62,7 @@ if cmp $LOG/mount.today $TMP >/dev/null 2>&1; then :; else separator echo "$host changes in mounted filesystems:" - diff -b $LOG/mount.today $TMP + diff -bu $LOG/mount.today $TMP mv $LOG/mount.today $LOG/mount.yesterday mv $TMP $LOG/mount.today fi @@ -88,7 +88,7 @@ if cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then :; else separator echo "${host} denied packets:" - diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>" + diff -bu ${LOG}/ipfw.today ${TMP} | egrep "^>" mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday mv ${TMP} ${LOG}/ipfw.today fi 
@@ -119,7 +119,7 @@ if cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then :; else separator echo "${host} kernel log messages:" - diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>" + diff -bu ${LOG}/dmesg.today ${TMP} | egrep "^>" mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday mv ${TMP} ${LOG}/dmesg.today fi --/04w6evG8XlLl3ft Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="200.backup-passwd.patch" --- /etc/periodic/daily/200.backup-passwd.orig Thu Aug 10 09:05:12 2000 +++ /etc/periodic/daily/200.backup-passwd Thu Aug 10 09:03:32 2000 @@ -15,7 +15,7 @@ if cmp -s $bak/master.passwd.bak /etc/master.passwd; then :; else echo "$host passwd diffs:" - diff $bak/master.passwd.bak /etc/master.passwd |\ + diff -u $bak/master.passwd.bak /etc/master.passwd |\ sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/' mv $bak/master.passwd.bak $bak/master.passwd.bak2 cp -p /etc/master.passwd $bak/master.passwd.bak @@ -28,7 +28,7 @@ if cmp -s $bak/group.bak /etc/group; then :; else echo "$host group diffs:" - diff $bak/group.bak /etc/group + diff -u $bak/group.bak /etc/group mv $bak/group.bak $bak/group.bak2 cp -p /etc/group $bak/group.bak fi --/04w6evG8XlLl3ft-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 1: 1:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from beta.root-servers.ch (beta.root-servers.ch [195.49.33.19]) by hub.freebsd.org (Postfix) with SMTP id A9C7837BAC4 for ; Thu, 10 Aug 2000 01:01:10 -0700 (PDT) (envelope-from gabriel_ambuehl@buz.ch) Received: (qmail 34874 invoked from network); 10 Aug 2000 08:01:08 -0000 Received: from client98-229.hispeed.ch (HELO 10.2.2.100) (62.2.98.229) by ns3.root-servers.ch with SMTP; 10 Aug 2000 08:01:08 -0000 Date: Thu, 10 Aug 2000 10:02:42 +0200 
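Review bot: the setuid hunk of security.patch (`@@ -46,7 +46,7 @@`) turns the report into `diff -uw`, which prints three unchanged neighbouring entries around every added or removed setuid binary; for a sorted file listing those context lines carry no information and only lengthen the daily mail, which is the readability objection raised in the reply below. If the unified markers are wanted without the noise, `-U0` gives unified output with no context lines.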
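Review bot: the ipfw hunk of security.patch (`@@ -88,7 +88,7 @@`) changes the command to `diff -bu` but keeps the `| egrep "^>"` filter. Unified output marks added lines with a leading `+` rather than `>`, so the "denied packets" section would always come out empty after this change. Either keep `diff -b` in this hunk or switch the filter to the unified marker, e.g. `egrep '^\+' | egrep -v '^\+\+\+'` so the `+++` file header is dropped as well.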
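Review bot: the dmesg hunk (`@@ -119,7 +119,7 @@`) has the same defect as the ipfw one: `diff -bu ... | egrep "^>"` matches nothing in unified output, so the "kernel log messages" section would go silent rather than list the new lines. If this hunk stays, the filter has to match `^\+` (excluding the `+++` header line).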
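Review bot: in the master.passwd hunk of 200.backup-passwd.patch (`@@ -15,7 +15,7 @@`) the following `sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'`, which blanks the encrypted password field before the diff is mailed, is left untouched, yet it only rewrites lines that begin with `<` or `>`. With `diff -u` the changed lines begin with `-` or `+` (and the context lines with a space), so the daily security mail would carry the password hashes of the changed and neighbouring accounts unmasked. Adjust the sed to the unified markers, e.g. `s/^\([-+ ][^:]*\):[^:]*:/\1:(password):/`, or leave this hunk out.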
From: Gabriel Ambuehl X-Mailer: The Bat! (v1.45 Beta/6) Personal Organization: BUZ Internet Services X-Priority: 3 (Normal) Message-ID: <6079420450.20000810100242@buz.ch> To: "Larry Wells" Cc: George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG Subject: Re[2]: who is port scanning at freebsd.org In-reply-To: <002301c0021f$947f8240$2c0100c0@goalieusa.com> References: <20000809160822.I22672@pavilion.net> <002301c0021f$947f8240$2c0100c0@goalieusa.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello Larry,

Wednesday, August 09, 2000, 6:33:41 PM, you wrote:
> #3: I think you have become a victim of the dread hacker program 'Sendmail'.
> The only remedy is to go buy a book on how networks work.

Well, hub.freebsd.org seems actually to be using Postfix, which is even worse, as one can't that easily strike back. SCNR.

Best regards,
Gabriel

From owner-freebsd-security Thu Aug 10 2: 8:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from axl.ops.uunet.co.za (axl.ops.uunet.co.za [196.31.2.163]) by hub.freebsd.org (Postfix) with ESMTP id 9188237B655 for ; Thu, 10 Aug 2000 02:08:13 -0700 (PDT) (envelope-from sheldonh@axl.ops.uunet.co.za) Received: from sheldonh (helo=axl.ops.uunet.co.za) by axl.ops.uunet.co.za with local-esmtp (Exim 3.16 #1) id 13MoJf-000HFZ-00; Thu, 10 Aug 2000 11:07:55 +0200
From: Sheldon Hearn To: Markus Holmberg Cc: freebsd-security@FreeBSD.ORG Subject: Re: Unified diff format in output of /etc/security? In-reply-to: Your message of "Thu, 10 Aug 2000 09:17:48 +0200." <20000810091748.A7931@acc.umu.se> Date: Thu, 10 Aug 2000 11:07:55 +0200 Message-ID: <66312.965898475@axl.ops.uunet.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 10 Aug 2000 09:17:48 +0200, Markus Holmberg wrote: > Is there a reason to not have the diff output of /etc/security to be > of unified format? Yes; the output of a diff on setuid executables is less readable as a unified diff -- you get lots of meaningless lines of output. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 7: 0: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 04B3437BDBC for ; Thu, 10 Aug 2000 07:00:01 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id JAA24373; Thu, 10 Aug 2000 09:59:58 -0400 (EDT) (envelope-from wollman) Date: Thu, 10 Aug 2000 09:59:58 -0400 (EDT) 
From: Garrett Wollman Message-Id: <200008101359.JAA24373@khavrinen.lcs.mit.edu> To: Oscar Ricardo Silva Cc: freebsd-security@FreeBSD.ORG Subject: Setting up kerberos server on FreeBSD 4.x In-Reply-To: <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> References: <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Does anybody have any pointers on where to look on setting up a kerberos > server on FreeBSD 4.x? I'd strongly suggest building the Kerberos v5 port (security/krb5). v5 is a far sight superior to v4 in innumerable ways, and v4 is cryptographically weak. (v5 has cryptographic weaknesses as well, but they are not as significant as v4's.) -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 7:19:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.utexas.edu (wb1-a.mail.utexas.edu [128.83.126.134]) by hub.freebsd.org (Postfix) with SMTP id BD23837BE42 for ; Thu, 10 Aug 2000 07:19:30 -0700 (PDT) (envelope-from oscars@mail.utexas.edu) Received: (qmail 17680 invoked by uid 0); 10 Aug 2000 14:19:25 -0000 Received: from dhcp-199-210.dsl.utexas.edu (HELO osilva-home.mail.utexas.edu) (128.83.199.210) by umbs-smtp-1 with SMTP; 10 Aug 2000 14:19:25 -0000 Message-Id: <4.3.2.7.2.20000810092008.00b11a80@mail.utexas.edu> X-Sender: oscars@mail.utexas.edu X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 10 Aug 2000 09:21:38 -0500 To: Garrett Wollman 
From: Oscar Ricardo Silva Subject: Re: Setting up kerberos server on FreeBSD 4.x Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <200008101359.JAA24373@khavrinen.lcs.mit.edu> References: <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I wish, OH DO I WISH, I could deal with Kerberos 5, lots more resources and sites. The problem is that the whole reason I was asked to build a Kerberos server was to work with the Amanda backup package and it currently only works with Kerberos 4. Oscar At 09:59 AM 8/10/00 -0400, Garrett Wollman, you wrote: >< said: > > > Does anybody have any pointers on where to look on setting up a kerberos > > server on FreeBSD 4.x? > >I'd strongly suggest building the Kerberos v5 port (security/krb5). >v5 is a far sight superior to v4 in innumerable ways, and v4 is >cryptographically weak. (v5 has cryptographic weaknesses as well, but >they are not as significant as v4's.) > >-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 8: 6:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 7AC9E37BE44 for ; Thu, 10 Aug 2000 08:06:43 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id LAA24738; Thu, 10 Aug 2000 11:06:15 -0400 (EDT) (envelope-from wollman) Date: Thu, 10 Aug 2000 11:06:15 -0400 (EDT) 
From: Garrett Wollman Message-Id: <200008101506.LAA24738@khavrinen.lcs.mit.edu> To: Oscar Ricardo Silva Cc: freebsd-security@FreeBSD.ORG Subject: Re: Setting up kerberos server on FreeBSD 4.x In-Reply-To: <4.3.2.7.2.20000810092008.00b11a80@mail.utexas.edu> References: <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> <200008101359.JAA24373@khavrinen.lcs.mit.edu> <4.3.2.7.2.20000810092008.00b11a80@mail.utexas.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > I wish, OH DO I WISH, I could deal with Kerberos 5, lots more resources and > sites. The problem is that the whole reason I was asked to build a > Kerberos server was to work with the Amanda backup package and it currently > only works with Kerberos 4. You should install v5 with the v4-compatibility mode enabled. You're still better off (many administrative improvements) than with pure v4. (And v5 works with ssh, too, so you get that additional benefit.) -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 8:35:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.utexas.edu (wb2-a.mail.utexas.edu [128.83.126.136]) by hub.freebsd.org (Postfix) with SMTP id 51D6737BE79 for ; Thu, 10 Aug 2000 08:35:25 -0700 (PDT) (envelope-from oscars@mail.utexas.edu) Received: (qmail 6263 invoked by uid 0); 10 Aug 2000 15:35:22 -0000 Received: from chepe.cc.utexas.edu (HELO chepe.mail.utexas.edu) (128.83.135.25) by umbs-smtp-2 with SMTP; 10 Aug 2000 15:35:22 -0000 Message-Id: <4.3.2.7.2.20000810102823.00aefca0@mail.utexas.edu> X-Sender: oscars@mail.utexas.edu X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 10 Aug 2000 10:32:00 -0500 To: Garrett Wollman 
From: Oscar Ricardo Silva Subject: Re: Setting up kerberos server on FreeBSD 4.x Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <200008101506.LAA24738@khavrinen.lcs.mit.edu> References: <4.3.2.7.2.20000810092008.00b11a80@mail.utexas.edu> <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> <200008101359.JAA24373@khavrinen.lcs.mit.edu> <4.3.2.7.2.20000810092008.00b11a80@mail.utexas.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Oooooooooooh, that's an idea, v4-compatibility mode is something I wasn't aware of. Since I hadn't even thought about v5, where should I look to find v4 compatibility mode? I have a test machine that I'm installing right now and this might be the way to start off (I just cvsupped and am making the "worlds"). To start, would I have to uncomment the MAKE_KERBEROS4 and MAKE_KERBEROS5 in /etc/defaults/make.conf ? Thanks for the suggestion, this may make this easier to work with. Oscar At 11:06 AM 8/10/00 -0400, Garrett Wollman, you wrote: >< said: > > > I wish, OH DO I WISH, I could deal with Kerberos 5, lots more resources > and > > sites. The problem is that the whole reason I was asked to build a > > Kerberos server was to work with the Amanda backup package and it > currently > > only works with Kerberos 4. > >You should install v5 with the v4-compatibility mode enabled. You're >still better off (many administrative improvements) than with pure >v4. (And v5 works with ssh, too, so you get that additional benefit.) 
> >-GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 10: 3:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id F21B537B8AA for ; Thu, 10 Aug 2000 10:03:38 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id NAA25052; Thu, 10 Aug 2000 13:03:32 -0400 (EDT) (envelope-from wollman) Date: Thu, 10 Aug 2000 13:03:32 -0400 (EDT) 
From: Garrett Wollman Message-Id: <200008101703.NAA25052@khavrinen.lcs.mit.edu> To: Oscar Ricardo Silva Cc: Garrett Wollman , freebsd-security@FreeBSD.ORG Subject: Re: Setting up kerberos server on FreeBSD 4.x In-Reply-To: <4.3.2.7.2.20000810102823.00aefca0@mail.utexas.edu> References: <4.3.2.7.2.20000810092008.00b11a80@mail.utexas.edu> <4.3.2.7.2.20000809172222.00b489e0@mail.utexas.edu> <200008101359.JAA24373@khavrinen.lcs.mit.edu> <200008101506.LAA24738@khavrinen.lcs.mit.edu> <4.3.2.7.2.20000810102823.00aefca0@mail.utexas.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Oooooooooooh, that's an idea, v4-compatability mode is something I wasn't > aware of. Since I hadn't even thought about v5, where should I look to > find v4 compatability mode? cd /usr/ports/security/krb5 make (it's enabled by default) -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 10:29:41 2000 Delivered-To: freebsd-security@freebsd.org Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 61B7C37B7A7 for ; Thu, 10 Aug 2000 10:29:38 -0700 (PDT) (envelope-from mencl@nenya.ms.mff.cuni.cz) Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id TAA25257 for ; Thu, 10 Aug 2000 19:29:31 +0200 (MET DST) Date: Thu, 10 Aug 2000 19:29:31 +0200 (MET DST) 
From: "Vladimir Mencl, MK, susSED" To: freebsd-security@FreeBSD.ORG Subject: suidperl exploit Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I just came across the suidperl + mail vulnerability in Linux, and I was wondering whether it would work in FreeBSD. (See http://www.securityfocus.com/bid/1547 for reference) When I tried the exploit, no effect could be observed. However, a significant part of the exploit lies in an undocumented feature of the /bin/mail program - interactive behavior and interpretation of ~! sequences, even when stdin is not a tty, when the "interactive" environment variable is set. The second part of the exploit is in the fact that, when the suid script's dev+inode# identification changes, suidperl reports it to root by emailing in a very insecure manner - executing /bin/mail in exactly the same environment as the user provided for running suidperl - and passing the "interactive" variable. On FreeBSD, I've not observed the reporting email even after a fair amount of time devoted to causing the race condition. Either because I've not succeeded in causing it, or because suidperl avoids reporting the issue. I've not found any security advisory regarding this - can anybody comment on this? Has there been a silent fix to this? Thanks Vlada To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 11:19:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from link.mirror.org (link.mirror.org [216.38.7.35]) by hub.freebsd.org (Postfix) with ESMTP id 15C3B37B734 for ; Thu, 10 Aug 2000 11:19:38 -0700 (PDT) (envelope-from sgt@netcom.no) Received: from hal (34-d10-1.svg1.netcom.no [212.45.182.227]) by link.mirror.org (8.7.5/8.7.3) with ESMTP id OAA14923 for ; Thu, 10 Aug 2000 14:19:28 -0400 Date: Thu, 10 Aug 2000 20:19:44 +0200 (CEST) 
From: Torbjorn Kristoffersen X-Sender: sgt@hal.netforce.no To: freebsd-security@FreeBSD.ORG Subject: Re: suidperl exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Vladimir If you type 'strings /usr/bin/suidperl | grep bin/mail' you'll get /bin/mail root Since /bin/mail is hardcoded into suidperl, and FreeBSD has its 'mail' program in /usr/bin instead, you couldn't observe an effect. I don't think there'll be a patch to this problem. Everyone should instead download the recent version. -- Torbjorn Kristoffersen sgt@netcom.no Digiweb Norway A/S On Thu, 10 Aug 2000, Vladimir Mencl, MK, susSED wrote: > > > I just came over the suidperl + mail vulnerability in Linux, and I was > wondering whether it would work in FreeBSD. > > (See http://www.securityfocus.com/bid/1547 for reference) > > When I tried the exploit, no effect could be observed. However, > significant part of the exploit lies in the undocumented feature of > /bin/mail program - interactive behavior and interpretation of ~! > sequences, even for stdin not a tty, when the "interactive" environment > variable is set. > > The second part of the exploit is in the fact, that, when the suid > script dev+inode# identification changes, suidperl reports it to root by > emailing in a very insecure manner - executing bin/mail in exactly the > same environment as user provided for running suidperl - and passing the > "interactive" variable. > > On FreeBSD, I've not observed the reporting email even after a fair > amount of time devoted to cause the race-condition. > > > Either because I've not succeeded in causing it, or because suidperl > avoids reporting the issue. > > > I've not found any security advisory regarding this - can anybody > comment on this? Has there be a silent fix to this? 
> > > > Thanks > > Vlada > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 12:16:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 3D72537BA7F for ; Thu, 10 Aug 2000 12:16:45 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 3482 invoked by uid 0); 10 Aug 2000 19:16:31 -0000 Received: from p3ee21623.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.35) by mail.gmx.net with SMTP; 10 Aug 2000 19:16:31 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id TAA09127 for freebsd-security@FreeBSD.ORG; Thu, 10 Aug 2000 19:37:51 +0200 Date: Thu, 10 Aug 2000 19:37:51 +0200 
From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: Unified diff format in output of /etc/security? Message-ID: <20000810193750.U261@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <20000810091748.A7931@acc.umu.se> <66312.965898475@axl.ops.uunet.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <66312.965898475@axl.ops.uunet.co.za>; from sheldonh@uunet.co.za on Thu, Aug 10, 2000 at 11:07:55AM +0200 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Aug 10, 2000 at 11:07 +0200, Sheldon Hearn wrote: > > On Thu, 10 Aug 2000 09:17:48 +0200, Markus Holmberg wrote: > > > Is there a reason to not have the diff output of > > /etc/security to be of unified format? > > Yes; the output of a diff on setuid executables is less > readable as a unified diff -- you get lots of meaningless lines > of output. Then what about a "diff -u $FILES | grep -v '^ '"? Or "diff -u $FILES | grep '^[-+@]'"? (I guess the first fits better) And what about "diff $DIFFOPT ..." with a setting at the script's beginning? This will make those admins happy who find ed(1) diffs "less readable". And it would make Markus' patch a one line change. And it still leaves room for "diff style categories" like suid/sgid files vs added users vs changed packet filter rules vs anything you can think of. Some of these will surely gain improvements in terms of readability this way. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. 
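Gerhard's two suggestions, a diff-options setting at the top of the script and a post-filter that drops the unified-diff noise, worked out as an added example. This is not code from FreeBSD's /etc/security or from anyone in the thread: the `DIFFOPT` variable, the `setuid_diff` and `demo` functions and the two setuid listings are all made up for the demonstration. The default is zero lines of context (`-U0`, the same thing as the `-u0` Will Andrews proposes later in the thread), so the only noise left in unified mode is the `---`/`+++` file header pair and the `@@` hunk markers, which the sed removes; with `DIFFOPT` set empty the script falls back to the classic `<`/`>` output unfiltered, because the `1,2d` would otherwise eat real lines.

```shell
#!/bin/sh
# Added example; not FreeBSD's /etc/security and not code from the thread.
# A DIFFOPT knob (hypothetical) selects the diff style once, and
# setuid_diff strips the unified-format noise that makes the setuid
# report harder to read.

# Hypothetical setting.  -U0 is unified output with zero context lines;
# set it to the empty string to get the classic "<"/">" output.
DIFFOPT=${DIFFOPT-"-U0"}

# setuid_diff OLD NEW
# Print only the changed entries.  In unified mode the output (when the
# files differ at all) begins with the "---"/"+++" file headers, so sed
# drops lines 1-2, then every "@@" hunk marker, then any context line
# (which starts with a space).  Identical files produce no output and
# sed on empty input stays silent.  Non-unified options pass through.
setuid_diff() {
    case $DIFFOPT in
    *[uU]*) diff $DIFFOPT "$1" "$2" | sed -e '1,2d' -e '/^@@/d' -e '/^ /d' ;;
    *)      diff $DIFFOPT "$1" "$2" ;;
    esac
}

# demo: two constructed setuid listings (yesterday vs. today) in which
# suidperl has gone away and a setuid shell has appeared under /tmp.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/setuid.yesterday" <<'EOF'
-r-sr-xr-x  1 root  wheel   24572 Jul 24 00:00 /usr/bin/su
-r-sr-xr-x  2 root  wheel   43876 Jul 24 00:00 /usr/bin/passwd
-r-sr-xr-x  1 root  wheel  511356 Jul 24 00:00 /usr/bin/suidperl
EOF
    cat > "$tmp/setuid.today" <<'EOF'
-r-sr-xr-x  1 root  wheel   24572 Jul 24 00:00 /usr/bin/su
-r-sr-xr-x  2 root  wheel   43876 Jul 24 00:00 /usr/bin/passwd
-rwsr-xr-x  1 root  wheel    8192 Aug 10 21:15 /tmp/.sh
EOF
    setuid_diff "$tmp/setuid.yesterday" "$tmp/setuid.today"
    rm -rf "$tmp"
}

demo
```

Run as is, `demo` prints the two changed entries only, prefixed with `-` and `+`. Note how the `-` prefix lands directly in front of a mode string that itself begins with `-`, which is a fair reading of Sheldon's "less readable" objection; the `-w` Will mentions (`DIFFOPT="-wU0"`) additionally ignores the whitespace-only changes that ls(1) column realignment produces.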
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 12:28:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from mercury.mich.com (mercury.mich.com [64.79.64.32]) by hub.freebsd.org (Postfix) with ESMTP id 2826137BA77 for ; Thu, 10 Aug 2000 12:28:31 -0700 (PDT) (envelope-from will@almanac.yi.org) Received: from argon.gryphonsoft.com (pm014-002.dialup.bignet.net [64.79.82.114]) by mercury.mich.com (8.9.3/8.9.3) with ESMTP id PAA05939; Thu, 10 Aug 2000 15:27:43 -0400 Received: by argon.gryphonsoft.com (Postfix, from userid 1000) id A7848191D; Thu, 10 Aug 2000 15:24:27 -0400 (EDT) Date: Thu, 10 Aug 2000 15:24:27 -0400 
From: Will Andrews To: Sheldon Hearn Cc: Markus Holmberg , freebsd-security@FreeBSD.ORG Subject: Re: Unified diff format in output of /etc/security? Message-ID: <20000810152427.H1248@argon.gryphonsoft.com> References: <20000810091748.A7931@acc.umu.se> <66312.965898475@axl.ops.uunet.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <66312.965898475@axl.ops.uunet.co.za>; from sheldonh@uunet.co.za on Thu, Aug 10, 2000 at 11:07:55AM +0200 X-Operating-System: FreeBSD 5.0-CURRENT i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Aug 10, 2000 at 11:07:55AM +0200, Sheldon Hearn wrote: > Yes; the output of a diff on setuid executables is less readable as a > unified diff -- you get lots of meaningless lines of output. If you mean non-differentiating lines, you can eliminate those with ``diff -u0'' and then grep out the @@ blah.. @@ lines with a neat grep -v regex. -- Will Andrews GCS/E/S @d- s+:+ a--- C++ UB++++$ P+ L- E--- W+ N-- !o ?K w--- O- M+ V- PS+ PE++ Y+ PGP+>+++ t++ 5 X+ R+ tv+ b++ DI+++ D+ G++ e>++++ h! r- y? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 13:52:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from kronus.com.br (dial-bhn-C8C0B41B.bhz.zaz.com.br [200.192.180.27]) by hub.freebsd.org (Postfix) with ESMTP id A482837B616 for ; Thu, 10 Aug 2000 13:52:20 -0700 (PDT) (envelope-from cseg@kronus.com.br) Received: by torment.secfreak.com (Postfix, from userid 1000) id 6F24A47B67; Thu, 10 Aug 2000 17:56:30 -0300 (EST) Date: Thu, 10 Aug 2000 17:56:30 -0300 
From: Fred Souza To: "Vladimir Mencl, MK, susSED" Cc: freebsd-security@FreeBSD.ORG Subject: Re: suidperl exploit Message-ID: <20000810175630.A4754@torment.secfreak.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Your message of "Thu, Aug 10 2000 19:29:31 +0200" X-Note: \x70\x73\x79\x63\x68 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On FreeBSD, I've not observed the reporting email even after a fair > amount of time devoted to cause the race-condition. > > > Either because I've not succeeded in causing it, or because suidperl > avoids reporting the issue. > > > I've not found any security advisory regarding this - can anybody > comment on this? Has there be a silent fix to this? This is due to the fact that "/bin/mail" is hard-coded in Perl, and FreeBSD uses /usr/bin/mail. The only way for it to work would be creating a link /bin/mail -> /usr/bin/mail, which would be extremely pointless and the admin who did that should be really hurt. :) The other way for it would be someone else creating that link, which would imply that the system has already been compromised -- Therefore, why would the intruder want to "recompromise" the system using that exploit? The only "reason" I can think of is to "keep a way back", if he/she gets caught by the sysadm. -- "The most difficult thing in the world is to know how to do a thing and to watch someone else do it wrong without comment." -- Theodore H. 
White To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 14:36:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id C3C5037BA2B; Thu, 10 Aug 2000 14:36:25 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA55604; Thu, 10 Aug 2000 14:36:25 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 10 Aug 2000 14:36:25 -0700 (PDT) 
From: Kris Kennaway To: "Vladimir Mencl, MK, susSED" Cc: freebsd-security@FreeBSD.ORG Subject: Re: suidperl exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 10 Aug 2000, Vladimir Mencl, MK, susSED wrote: > I just came over the suidperl + mail vulnerability in Linux, and I was > wondering whether it would work in FreeBSD. I believe FreeBSD to be safe from this particular misfeature - FreeBSD's mail(1) program lives in another location, as already noted, and I don't even know if it supports the required features to exploit it. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 20:31:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E75A337BA6E for ; Thu, 10 Aug 2000 20:31:08 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA06375; Thu, 10 Aug 2000 21:31:06 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA31484; Thu, 10 Aug 2000 21:30:37 -0600 (MDT) Message-Id: <200008110330.VAA31484@harmony.village.org> To: "Vladimir Mencl, MK, susSED" Subject: Re: suidperl exploit Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Thu, 10 Aug 2000 19:29:31 +0200." References: Date: Thu, 10 Aug 2000 21:30:37 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message "Vladimir Mencl, MK, susSED" writes: : I just came over the suidperl + mail vulnerability in Linux, and I was : wondering whether it would work in FreeBSD. Nope. We're clean. A fix from the perl folks that disables the code. The code did /bin/mail, but we don't have that, which is why we're clean. : I've not found any security advisory regarding this - can anybody : comment on this? Has there be a silent fix to this? No fix is needed. You are safe. However, we just committed some code to the tree that forces users to specifically enable building and installing suidperl in the future. We know of no exploitable holes in it today, why take the risk? It was present for only one utility in the system, and that was rewritten in 'C'. If you want to be extra careful, you can delete suidperl w/o harm. So no advisory is needed. This is a case where we need a non-vulnerability alert :-). Of course, such an alert is likely to cause more problems than it would solve.... 
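The preconditions the thread has established, a setuid suidperl, a hard-coded `/bin/mail` path inside it (what Torbjorn's `strings /usr/bin/suidperl | grep bin/mail` looked for) and a mailer actually living at that path, written up as a host audit check. This is an added example, not code from Warner, Torbjorn or FreeBSD. The function names are made up, the paths are parameters so the checks can be pointed at a copy of a binary or at a test file, and `tr(1)` stands in for strings(1) so the check runs where binutils is not installed. It only inspects the host; it does not try to win the race or send any mail.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.  Reports
# whether a host meets all three preconditions of the suidperl/mail
# problem discussed above: a setuid suidperl, a "/bin/mail" path embedded
# in it, and an executable mailer at that path.  Function names and the
# parameterised paths are this example's own.

# has_setuid FILE: true when FILE exists and carries the setuid bit.
has_setuid() {
    [ -u "$1" ]
}

# embeds_path FILE STRING: true when the printable text of FILE contains
# STRING.  tr(1) replaces every non-printable byte with a newline, which
# is enough of a strings(1) substitute for a fixed-string grep.
embeds_path() {
    [ -f "$1" ] || return 1
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -q -F -- "$2"
}

# suidperl_verdict SUIDPERL MAILER: print one line describing exposure.
# Prints exactly "exposed" only when every precondition holds; otherwise
# it names the first one that fails, which is also the property that
# keeps the host safe.
suidperl_verdict() {
    perl=$1
    mailer=$2
    if ! [ -e "$perl" ]; then
        echo "not installed: $perl"
    elif ! has_setuid "$perl"; then
        echo "not setuid: $perl"
    elif ! embeds_path "$perl" "$mailer"; then
        echo "no reference to $mailer in $perl"
    elif ! [ -x "$mailer" ]; then
        echo "no mailer at $mailer"
    else
        echo "exposed"
    fi
}

# Check the live system the way the thread's posters did.
suidperl_verdict /usr/bin/suidperl /bin/mail
```

On a FreeBSD box of the period the expected verdict is "no mailer at /bin/mail", which is Torbjorn's and Kris's point; on a box where someone has linked /bin/mail to /usr/bin/mail, as Fred describes, it flips to "exposed". Warner's remedy needs no tooling: remove suidperl or clear its setuid bit, and the first or second check fails from then on.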
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 20:34:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 00EC537B6ED; Thu, 10 Aug 2000 20:34:24 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA06388; Thu, 10 Aug 2000 21:34:22 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA31525; Thu, 10 Aug 2000 21:33:54 -0600 (MDT) Message-Id: <200008110333.VAA31525@harmony.village.org> To: Kris Kennaway Subject: Re: suidperl exploit Cc: "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Thu, 10 Aug 2000 14:36:25 PDT." References: Date: Thu, 10 Aug 2000 21:33:54 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Kris Kennaway writes: : I believe FreeBSD to be safe from this particular misfeature - FreeBSD's : mail(1) program lives in another location, as already noted, and I don't : even know if it supports the required features to exploit it. We do support getting variables from the environment in our mail. We need to look into all the implications. Of course, most programs on the system use sendmail directly. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 20:38:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id C91B637BB96; Thu, 10 Aug 2000 20:38:25 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA96281; Thu, 10 Aug 2000 20:38:25 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 10 Aug 2000 20:38:25 -0700 (PDT) 
From: Kris Kennaway To: Warner Losh Cc: "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.ORG Subject: Re: suidperl exploit In-Reply-To: <200008110330.VAA31484@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 10 Aug 2000, Warner Losh wrote: > So no advisory is needed. This is a case where we need a > non-vulnerabilty alert :-). Of course, such an alert is likely to > cause more problems than it would solve.... Non-vulnerability alerts like some of the Linux vendors have started issuing are stupid. If there's no problem, there's no problem, and as long as you provide a reliable service when there *are* problems, there's no need to publicize the negative result. The few people who have heard about it through other channels and want specific reassurance can easily be accommodated individually through other means (e.g. this list) with much less effort and without the confusion from people who misinterpret the contents of the "advisory" as meaning they have to take some action. Kris -- In God we Trust -- all others must submit an X.509 certificate. 
-- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 10 20:46:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id BCC8937B6ED; Thu, 10 Aug 2000 20:46:20 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA06452; Thu, 10 Aug 2000 21:46:19 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA31632; Thu, 10 Aug 2000 21:45:50 -0600 (MDT) Message-Id: <200008110345.VAA31632@harmony.village.org> To: Kris Kennaway Subject: Re: suidperl exploit Cc: "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org In-reply-to: Your message of "Thu, 10 Aug 2000 20:38:25 PDT." References: Date: Thu, 10 Aug 2000 21:45:50 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message Kris Kennaway writes: : Non-vulnerability alerts like some of the Linux vendors have started : issuing are stupid. If there's no problem, there's no problem, and as long : as you provide a reliable service when there *are* problems, there's no : need to publicize the negative result. The few people who have heard about : it through other channels and want specific reassurance can easily be : accommodated individually through other means (e.g. this list) with much : less effort and without the confusion from people who misinterpret the : contents of the "advisory" as meaning they have to take some action. Yes. I agree completely. If that load gets too high, then we can put up a notice on a web site. Such a notice might not be a bad idea anyway, but we don't have a good mechanism for that. It also would artificially bloat the advisory numbers in bugtraq too, which we wouldn't want to do. We want to spend those chits on real problems. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 1:27:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from axl.ops.uunet.co.za (axl.ops.uunet.co.za [196.31.2.163]) by hub.freebsd.org (Postfix) with ESMTP id 976DD37B7A8 for ; Fri, 11 Aug 2000 01:27:23 -0700 (PDT) (envelope-from sheldonh@axl.ops.uunet.co.za) Received: from sheldonh (helo=axl.ops.uunet.co.za) by axl.ops.uunet.co.za with local-esmtp (Exim 3.16 #1) id 13NA9e-00034n-00; Fri, 11 Aug 2000 10:27:02 +0200 
From: Sheldon Hearn To: Gerhard Sittig Cc: freebsd-security@FreeBSD.ORG Subject: Re: Unified diff format in output of /etc/security? In-reply-to: Your message of "Thu, 10 Aug 2000 19:37:51 +0200." <20000810193750.U261@speedy.gsinet> Date: Fri, 11 Aug 2000 10:27:02 +0200 Message-ID: <11828.965982422@axl.ops.uunet.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 10 Aug 2000 19:37:51 +0200, Gerhard Sittig wrote: > Then what about a "diff -u $FILES | grep -v '^ '"? Or "diff -u > $FILES | grep '^[+-@]'"? (I guess the first fits better) A lot of work for what gain exactly? You want plusses and minuses instead of angle-brackets? Surely there are more important things we could be spending our energy on? :-) Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 3:32:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from mercury.mich.com (mercury.mich.com [64.79.64.32]) by hub.freebsd.org (Postfix) with ESMTP id 8837F37BFD8 for ; Fri, 11 Aug 2000 03:32:24 -0700 (PDT) (envelope-from will@almanac.yi.org) Received: from argon.gryphonsoft.com (pm004-013.dialup.bignet.net [64.79.80.157]) by mercury.mich.com (8.9.3/8.9.3) with ESMTP id GAA18274; Fri, 11 Aug 2000 06:32:21 -0400 Received: by argon.gryphonsoft.com (Postfix, from userid 1000) id D14581A05; Fri, 11 Aug 2000 06:29:05 -0400 (EDT) Date: Fri, 11 Aug 2000 06:29:05 -0400 
From: Will Andrews To: Sheldon Hearn Cc: Gerhard Sittig , freebsd-security@FreeBSD.ORG Subject: Re: Unified diff format in output of /etc/security? Message-ID: <20000811062905.N1248@argon.gryphonsoft.com> References: <20000810193750.U261@speedy.gsinet> <11828.965982422@axl.ops.uunet.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <11828.965982422@axl.ops.uunet.co.za>; from sheldonh@uunet.co.za on Fri, Aug 11, 2000 at 10:27:02AM +0200 X-Operating-System: FreeBSD 5.0-CURRENT i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Aug 11, 2000 at 10:27:02AM +0200, Sheldon Hearn wrote: > A lot of work for what gain exactly? You want plusses and minuses > instead of angle-brackets? Surely there are more important things we > could be spending our energy on? :-) IMO it is simple enough to modify the script so someone can have their own diff arguments (-wu0 should suffice for his purposes). -- Will Andrews GCS/E/S @d- s+:+ a--- C++ UB++++$ P+ L- E--- W+ N-- !o ?K w--- O- M+ V- PS+ PE++ Y+ PGP+>+++ t++ 5 X+ R+ tv+ b++ DI+++ D+ G++ e>++++ h! r- y? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 5:43:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from 01.dhcp.hck.carroll.com (core1.hck.carroll.com [216.44.16.2]) by hub.freebsd.org (Postfix) with ESMTP id 9BFD237B53F for ; Fri, 11 Aug 2000 05:43:37 -0700 (PDT) (envelope-from damien@01.dhcp.hck.carroll.com) Received: (from damien@localhost) by 01.dhcp.hck.carroll.com (8.9.3/8.9.3) id IAA24626 for freebsd-security@freebsd.org; Fri, 11 Aug 2000 08:44:35 -0400 (EDT) (envelope-from damien) Date: Wed, 9 Aug 2000 15:39:24 -0400 
From: Damien Tougas To: freebsd-security@freebsd.org Subject: Strange ipnat behaviour Message-ID: <20000809153924.C18771@carroll.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello, We are currently running ipnat on FreeBSD version 3.4-Stable. I am not sure exactly what version of ipfilter it is; it is the one that comes as part of the base OS. The problem that we are seeing is that for some reason unknown to us, nat just stops working. The only way to get it to work again is to clear the ipnat tables and rules and re-initialize them using the following sequence:

/usr/sbin/ipnat -CF
/usr/sbin/ipnat -f /etc/rc.nat

After that, everything works just fine. The config file we use (rc.nat) is very simple:

map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000
map de0 10.0.0.0/8 -> 0/32

Could that second line be causing the problem? There are currently no ipf rules being used. We ran a tcpdump on the interface while the problem was occurring, just to see what was going on. What we found was that any new connections attempted from 10.0.0.0/8 were going through with the ack bit set only; it is like the initial packet was somehow blocked. As a result, the server we were trying to contact replied with a tcp reset since it thought that we were trying to connect to a session that is non-existent. Our first thought was that we might have run out of ports, but we discovered that there were no more than about 3000 sessions active at the time. Any ideas? Is this a bug, or have we mis-configured something? Thanks for your help. -- Damien Tougas Carroll-Net, Inc.
http://www.carroll.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 7:30:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from smtp13.bellglobal.com (smtp13.bellglobal.com [204.101.251.52]) by hub.freebsd.org (Postfix) with ESMTP id 30F7337BAF6; Fri, 11 Aug 2000 07:30:38 -0700 (PDT) (envelope-from admin@chemcomp.com) Received: from hermes.chemcomp.com (ppp11084.qc.bellglobal.com [206.172.146.37]) by smtp13.bellglobal.com (8.8.5/8.8.5) with ESMTP id KAA12422; Fri, 11 Aug 2000 10:34:58 -0400 (EDT) Received: from chemcomp.com (sky.chemcomp.com [192.1.1.62]) by hermes.chemcomp.com (Postfix) with ESMTP id D0FBC1682F; Fri, 11 Aug 2000 10:30:15 -0400 (EDT) Message-ID: <39940DF7.B33BC951@chemcomp.com> Date: Fri, 11 Aug 2000 10:30:15 -0400 
From: System Administrator Organization: Chemical Computing Group, Inc. X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 4.0-RELEASE i386) X-Accept-Language: fr-CA, fr, en MIME-Version: 1.0 To: Warner Losh Cc: Kris Kennaway , "Vladimir Mencl, MK, susSED" , freebsd-security@FreeBSD.org Subject: Re: suidperl exploit References: <200008110345.VAA31632@harmony.village.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Would it be appropriate to have a part of the website dedicated to the publishing of current security vulnerabilities and how FreeBSD is *not* affected? :) -advocacy, I guess... but I think it would be a good idea since we have a lot of people showing up on the lists saying "is FBSD vulnerable to this?" I guess a website is a bit of overkill... A. Warner Losh wrote: > > In message Kris Kennaway writes: > : Non-vulnerability alerts like some of the Linux vendors have started > : issuing are stupid. If there's no problem, there's no problem, and as long > : as you provide a reliable service when there *are* problems, there's no > : need to publicize the negative result. The few people who have heard about > : it through other channels and want specific reassurance can easily be > : accommodated individually through other means (e.g. this list) with much > : less effort and without the confusion from people who misinterpret the > : contents of the "advisory" as meaning they have to take some action. > > Yes. I agree completely. If that load gets too high, then we can put > up a notice on a web site. Such a notice might not be a bad idea > anyway, but we don't have a good mechanism for that. > > It also would artificially bloat the advisory numbers in bugtraq too, > which we wouldn't want to do. We want to spend those chits on real > problems. 
> > Warner -- Antoine Beaupre System Administrator Chemical Computing Group, Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 7:39:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.pythonvideo.com (mail.pythonvideo.com [207.164.115.15]) by hub.freebsd.org (Postfix) with ESMTP id ED8DF37BAE3; Fri, 11 Aug 2000 07:39:24 -0700 (PDT) (envelope-from joe@webkrew.com) Received: from joe (joe.pythonvideo.com [209.226.29.94]) by mail.pythonvideo.com (8.9.3/8.9.3) with SMTP id KAA88385; Fri, 11 Aug 2000 10:38:52 -0400 (EDT) (envelope-from joe@webkrew.com) From: "Joe Oliveiro" To: "System Administrator" , "Warner Losh" Cc: "Kris Kennaway" , "Vladimir Mencl, MK, susSED" , Subject: RE: suidperl exploit Date: Fri, 11 Aug 2000 10:37:19 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <39940DF7.B33BC951@chemcomp.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I personally think a website would be a great idea. With all the current exploits around it would make sense to compile a list of what FreeBSD is / isn't open to and have it online somewhere. Question is, who is willing to do the work?
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 7:54:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 5D64537BBCB for ; Fri, 11 Aug 2000 07:54:30 -0700 (PDT) (envelope-from mike@sentex.net) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id KAA11944; Fri, 11 Aug 2000 10:54:28 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id KAA20971; Fri, 11 Aug 2000 10:54:27 -0400 (EDT) Message-Id: <4.3.2.7.0.20000811104321.00e77900@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 11 Aug 2000 10:50:11 -0400 To: joe@webkrew.com
From: Mike Tancsa Subject: RE: suidperl exploit Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <39940DF7.B33BC951@chemcomp.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:37 AM 8/11/00 -0400, Joe Oliveiro wrote: >I personally think a website would be a great idea. With all the current >exploits around it would make sense to compile a list of what is / isn't >fbsd open to and have it online somewhere.. Question is who is willing to do >the work? This sounds like a duplication of efforts... Why not just update the info on the securityfocus website for the particular exploit listed there saying FreeBSD is not vulnerable to exploit xxx... e.g. http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1547 It seems Bugtraq/securityfocus has become the de facto security clearing house. If there is one site/list people follow, it's probably that one, and any updates as to what is and what is not vulnerable will get the lion's share of viewers. ---Mike
------------------------------------------------------------------------ Mike Tancsa, tel +1 519 651 3400 Sentex Communications mike@sentex.net Cambridge, Ontario Canada www.sentex.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 8:46: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from databits.net (analog.databits.net [207.29.192.55]) by hub.freebsd.org (Postfix) with SMTP id 1AD4637BF7C for ; Fri, 11 Aug 2000 08:46:00 -0700 (PDT) (envelope-from petef@databits.net) Received: (qmail 24309 invoked by uid 1000); 11 Aug 2000 15:45:54 -0000 Date: Fri, 11 Aug 2000 11:45:53 -0400
From: Pete Fritchman To: Damien Tougas Cc: freebsd-security@freebsd.org Subject: Re: Strange ipnat behaviour Message-ID: <20000811114553.A20991@databits.net> References: <20000809153924.C18771@carroll.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20000809153924.C18771@carroll.net>; from damien@carroll.com on Wed, Aug 09, 2000 at 03:39:24PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Since you are pointing the map to a dynamic IP (probably), 0/32, you will have to run "ipf -y" to refresh the rules whenever your dynamic IP changes. Regards, Pete -- Pete Fritchman Databits Network Services, Inc http://www.databits.net finger: petef@analog.databits.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 9:11: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from 01.dhcp.hck.carroll.com (core1.hck.carroll.com [216.44.16.2]) by hub.freebsd.org (Postfix) with ESMTP id F334B37C046 for ; Fri, 11 Aug 2000 09:10:56 -0700 (PDT) (envelope-from damien@01.dhcp.hck.carroll.com) Received: (from damien@localhost) by 01.dhcp.hck.carroll.com (8.9.3/8.9.3) id MAA28085; Fri, 11 Aug 2000 12:11:55 -0400 (EDT) (envelope-from damien) Date: Fri, 11 Aug 2000 12:11:54 -0400
From: Damien Tougas To: Pete Fritchman Cc: freebsd-security@freebsd.org Subject: Re: Strange ipnat behaviour Message-ID: <20000811121154.A27710@carroll.net> References: <20000809153924.C18771@carroll.net> <20000811114553.A20991@databits.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20000811114553.A20991@databits.net>; from petef@databits.net on Fri, Aug 11, 2000 at 11:45:53AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Aug 11, 2000 at 11:45:53AM -0400, Pete Fritchman wrote: > Since you are pointing the map to a dynamic IP (probably), 0/32, you will have > to run "ipf -y" to refresh the rules whenever your dynamic IP changes. This is in fact a static IP address; we use the 0/32 just to keep the configuration file standard across servers. -- Damien Tougas Carroll-Net, Inc. http://www.carroll.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 9:13:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from sn1oexchr02.nextvenue.com (pony.nextvenue.com [209.0.251.199]) by hub.freebsd.org (Postfix) with SMTP id 9EC8B37C099 for ; Fri, 11 Aug 2000 09:13:43 -0700 (PDT) (envelope-from nevans@nextvenue.com) Received: FROM sn1exchmbx.nextvenue.com BY sn1oexchr02.nextvenue.com ; Fri Aug 11 12:13:29 2000 -0400 Received: by sn1exchmbx.nextvenue.com with Internet Mail Service (5.5.2650.21) id ; Fri, 11 Aug 2000 12:13:01 -0400 Message-ID: <712384017032D411AD7B0001023D799B33B223@sn1exchmbx.nextvenue.com>
From: Nick Evans To: 'Damien Tougas' , freebsd-security@freebsd.org Subject: RE: Strange ipnat behaviour Date: Fri, 11 Aug 2000 12:12:57 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C003AF.03592D70" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Did you turn on ip forwarding?
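The symptom Damien reported at the top of this thread (new connections from 10.0.0.0/8 seen on the wire with only the ACK bit set, then a TCP reset from the server) can be pulled out of a tcpdump log mechanically rather than by eye. The sh/awk filter below is an added example written for this page, not code from anyone in the thread or from the IP Filter distribution; the function names, the flag notation it expects (the tcpdump output style of the time, where "S", "." and "R" mark SYN, ACK-only and RST packets) and the six-packet capture inside nat_state_loss_demo are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. It reads tcpdump(1)
# output in the flag notation of the era ("S" = SYN, "." = ACK only,
# "R" = RST) and reports TCP flows whose first packet carries only ACK,
# i.e. the endpoint believes the connection is open but no SYN for that
# endpoint pair was ever seen on this interface. That is the pattern
# Damien described: mid-stream packets, then an RST from the server.
# The capture in nat_state_loss_demo is constructed; its addresses and
# ports are made up.

# Read "tcpdump -n" lines on stdin. Prints, in capture order:
#   ack-first <src> > <dst>   first packet for this endpoint pair was ACK-only
#   rst <src> > <dst>         a reset answered one of the flows reported above
nat_state_loss() {
    awk '
    # Expected line shape (one packet per line, port appended with a dot):
    #   12:00:05.000000 10.0.2.9.1101 > 198.51.100.7.80: . ack 1 win 16384
    $3 == ">" && $5 ~ /^[SFPRU.]+$/ {
        src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
        # direction-independent key, so the reply side lands on the same
        # entry as the request side
        pair = (src < dst) ? src " " dst : dst " " src
        if (flags ~ /S/) {
            synseen[pair] = 1          # handshake observed: a normal flow
        } else if (flags == "." && !(pair in synseen) && !(pair in reported)) {
            reported[pair] = 1         # ACK-only packet with no prior SYN
            print "ack-first " src " > " dst
        } else if (flags ~ /R/ && (pair in reported) && !(pair in resetseen)) {
            resetseen[pair] = 1        # the peer refused the orphaned flow
            print "rst " src " > " dst
        }
    }'
}

# Constructed sample: one healthy handshake, then two flows that start with
# ACK-only packets, the first of which the server answers with a reset.
nat_state_loss_demo() {
    nat_state_loss <<'EOF'
12:00:01.000000 10.0.1.5.1034 > 198.51.100.7.80: S 1000:1000(0) win 16384
12:00:01.001000 198.51.100.7.80 > 10.0.1.5.1034: S 2000:2000(0) ack 1001 win 16384
12:00:01.002000 10.0.1.5.1034 > 198.51.100.7.80: . ack 2001 win 16384
12:00:05.000000 10.0.2.9.1101 > 198.51.100.7.80: . ack 1 win 16384
12:00:05.001000 198.51.100.7.80 > 10.0.2.9.1101: R 1:1(0) win 0
12:00:06.000000 10.0.2.9.1102 > 198.51.100.9.25: . ack 1 win 16384
EOF
}
```

On the gateway, run it as "tcpdump -n -i de0 tcp | nat_state_loss" while the problem is visible. A burst of ack-first lines for fresh client ports, none of them preceded by a SYN on the same interface, says the box never saw or never passed the SYN of those connections, which is a rule or state-table problem rather than the port exhaustion Damien first suspected; that is the moment to compare the ipnat session listing (ipnat -l) and the "ipf -y" advice given elsewhere in the thread against the time the flows started failing.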


To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 12:16:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id A4FA237B839 for ; Fri, 11 Aug 2000 12:16:27 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 31800 invoked by uid 0); 11 Aug 2000 19:16:26 -0000 Received: from p3ee21650.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.80) by mail.gmx.net with SMTP; 11 Aug 2000 19:16:26 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA11255 for freebsd-security@FreeBSD.ORG; Fri, 11 Aug 2000 20:23:52 +0200 Date: Fri, 11 Aug 2000 20:23:52 +0200 From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: Unified diff format in output of /etc/security? Message-ID: <20000811202352.E261@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <20000810193750.U261@speedy.gsinet> <11828.965982422@axl.ops.uunet.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <11828.965982422@axl.ops.uunet.co.za>; from sheldonh@uunet.co.za on Fri, Aug 11, 2000 at 10:27:02AM +0200 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Aug 11, 2000 at 10:27 +0200, Sheldon Hearn wrote: > > On Thu, 10 Aug 2000 19:37:51 +0200, Gerhard Sittig wrote: > > > Then what about a "diff -u $FILES | grep -v '^ '"? Or "diff > > -u $FILES | grep '^[+-@]'"? (I guess the first fits better) > > A lot of work for what gain exactly? You want plusses and > minuses instead of angle-brackets? Surely there are more > important things we could be spending our energy on? :-) It's not exactly me who wants this change. But I can feel very well where this wish comes from. 
Since "readability" sometimes is a question of getting used to or having anything in a similar manner, I'm almost sure that this simple change will make quite a few admins happy. And I'm very aware of the fact that not every diff format is equally suitable for any kind of document or change style. BTW: The angle brackets can cause irritation quite easily, especially when sent by email. The new code looks like a citation then. With all the consequences a mail frontend can do to these in contrast to the other parts of the message. And have you ever tried to read a unified diff with a MS "mail frontend" in its default setup? Not that I did (I keep away from those as much as I can), but I've seen how it gets mangled. :) And despite the fact that I don't think context diffs are readable there are a few people out there who think they are. And they might feel strongly about this. So let everyone have _their_ preferred format and enjoy the positive feedback. :> virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 12:16:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 4BD1837B984 for ; Fri, 11 Aug 2000 12:16:36 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 31784 invoked by uid 0); 11 Aug 2000 19:16:25 -0000 Received: from p3ee21650.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.80) by mail.gmx.net with SMTP; 11 Aug 2000 19:16:25 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA11250 for freebsd-security@freebsd.org; Fri, 11 Aug 2000 20:05:25 +0200 Date: Fri, 11 Aug 2000 20:05:25 +0200 From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: Strange ipnat behaviour Message-ID: <20000811200525.D261@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <20000809153924.C18771@carroll.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000809153924.C18771@carroll.net>; from damien@carroll.com on Wed, Aug 09, 2000 at 03:39:24PM -0400 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Wed, Aug 09, 2000 at 15:39 -0400, Damien Tougas wrote:
>
> [ ... ipnat on FreeBSD 3.4-Stable ... ]
>
> The problem that we are seeing is that for some reason unknown
> to us, nat just stops working. The only way to get it to work
> again is to clear the ipnat tables and rules and re-initialize
> them using the following sequence:
>
> /usr/sbin/ipnat -CF
> /usr/sbin/ipnat -f /etc/rc.nat
>
> After that, everything works just fine.
> The config file we use (rc.nat) is very simple:
>
> map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000
> map de0 10.0.0.0/8 -> 0/32

Do you get different ip addresses and then it fails?
Your mapping to 0/32 means "use the interface's address" and won't work when that is no longer the address that was assigned at "ipnat -f" time. Read "man ipf" and especially watch out for the -y switch. I had to put something like this into ppp.linkup and ppp.linkdown to make things work.

> Our first thought was that we might have run out of ports, but
> we discovered that there were no more than about 3000 sessions
> active at the time.

So the number of ports is not a problem, but is memory? These 3000 sessions have their state to be kept somewhere. Could you decrease the timeout to handle more connections with the same amount of RAM? virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 12:42: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 973AF37B515 for ; Fri, 11 Aug 2000 12:42:04 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 871 invoked by uid 1000); 11 Aug 2000 19:41:58 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Aug 2000 19:41:58 -0000 Date: Fri, 11 Aug 2000 15:41:56 -0400 (EDT) From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Gerhard Sittig Cc: freebsd-security@FreeBSD.ORG Subject: Re: Unified diff format in output of /etc/security?
In-Reply-To: <20000811202352.E261@speedy.gsinet> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 11 Aug 2000, Gerhard Sittig wrote: ... : So let everyone have _their_ preferred format and enjoy the : positive feedback. :> I must agree with you. While I can read context diffs, I have always found it more difficult to read than a unified diff. I'm sure other people feel this way as well, and if there was an easy way to choose between the two, I think it's great. Remember, the more flexible we make FreeBSD, as long as it doesn't hurt anything, the better. :) : virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 : Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.2 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5lFcGdMMtMcA1U5ARAhFzAKCEysrWXcYPkbZeCvDV7gu0ZRnKOQCgjSJ+ wsAOu27f/a7bTdKcLe6zP5A= =Vdnw -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 11 22:17: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from shiva.art-service.net.ua (shiva.art-service.net.ua [194.44.107.1]) by hub.freebsd.org (Postfix) with ESMTP id 6B6D037BB47 for ; Fri, 11 Aug 2000 22:17:00 -0700 (PDT) (envelope-from raccoon@shiva.art-service.net.ua) Received: (from raccoon@localhost) by shiva.art-service.net.ua (8.9.3/8.9.3) id IAA34340 for freebsd-security@freebsd.org; Sat, 12 Aug 2000 08:17:05 +0300 (EEST) (envelope-from raccoon) Date: Sat, 12 Aug 2000 08:17:05 +0300 From: Vladimir Melnik To: freebsd-security@freebsd.org Subject: 
php-3.0.12 and apache-1.3.9: it this a bug or some feature? Message-ID: <20000812081705.I98373@art-service.net.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i X-Homepage: http://raccoon.art-service.net.ua/ X-Operating-System: FreeBSD 3.3-RELEASE Organisation: ISP "ART-service" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, citizens. Tonight I saw strange behavior of apache-1.3.9 with php-3.0.12 on one of FreeBSD-3.4 box and I can't understand it. Look... I have some php3-scripts at my web-server. Ok, let's run Internet Browser and type URL: http://my.web.server/index.html Oh, well, it's ok, file `index.html' exists and my apache shows it. Now let's check this: http://my.web.server/something.php3 Wow! It's ok too, `cause this file exists too! ;-) Now we'll do something unusual... http://my.web.server/something.php3/boo-boo/oops/ or even http://my.web.server/something.php3/../../../../ Oops... I can see this document, but, #$%%^%^!.. But where is all images?! ;-) I can't see any of my displayed correctly. 404. But why do I see html-document? Ok, let's try: http://my.web.server/index.html/boo-boo/oops/ 404, sir. Ok. But what's happened to my php?! ;-) It's interesting to think about, isn't it? ;-) What is your guessings? -- V.Melnik P.S. Sorry for my English, please. 
:-)

From owner-freebsd-security Sat Aug 12 8:11:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from kleopatra.acc.umu.se (kleopatra.acc.umu.se [130.239.18.150]) by hub.freebsd.org (Postfix) with ESMTP id 7C79F37B6CB for ; Sat, 12 Aug 2000 08:11:31 -0700 (PDT) (envelope-from markush@acc.umu.se)
Received: from mao.acc.umu.se (root@mao.acc.umu.se [130.239.18.154]) by kleopatra.acc.umu.se (8.11.0/8.11.0) with ESMTP id e7CFBQd35240; Sat, 12 Aug 2000 17:11:27 +0200
Received: (from markush@localhost) by mao.acc.umu.se (8.9.3/8.9.3/Debian/GNU) id RAA32737; Sat, 12 Aug 2000 17:11:26 +0200
Date: Sat, 12 Aug 2000 17:11:26 +0200
From: Markus Holmberg
To: Sheldon Hearn
Cc: Gerhard Sittig, freebsd-security@FreeBSD.ORG
Subject: Re: Unified diff format in output of /etc/security?
Message-ID: <20000812171126.A27987@acc.umu.se>
References: <20000810193750.U261@speedy.gsinet> <11828.965982422@axl.ops.uunet.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3-current-20000511i
In-Reply-To: <11828.965982422@axl.ops.uunet.co.za>; from sheldonh@uunet.co.za on Fri, Aug 11, 2000 at 10:27:02AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Until I read Sheldon's motivation I never considered using any other diff format than unified (for anything), just because I had gotten so used to it. But after thinking about it for a while I realized that the default format isn't that bad for setuid/setgid logs. I used my own patches for a few days of course, but they didn't get used that much, so I didn't realize it wasn't that much of an improvement. So I can personally live with the default format for now. Funny how things turn out in the end :).

Regards,
Markus.

On Fri Aug 11, 2000 at 10:27:02AM +0200, Sheldon Hearn wrote:
>
>
> On Thu, 10 Aug 2000 19:37:51 +0200, Gerhard Sittig wrote:
>
> > Then what about a "diff -u $FILES | grep -v '^ '"? Or "diff -u
> > $FILES | grep '^[+-@]'"? (I guess the first fits better)
>
> A lot of work for what gain exactly? You want plusses and minuses
> instead of angle-brackets? Surely there are more important things we
> could be spending our energy on? :-)
>
> Ciao,
> Sheldon.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Markus Holmberg     | Give me Unix or give me a typewriter.
markush@acc.umu.se  | http://www.freebsd.org/

From owner-freebsd-security Sat Aug 12 8:32:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from viagara.salon.com (viagara.salon.com [208.48.211.122]) by hub.freebsd.org (Postfix) with ESMTP id BD4C037B763 for ; Sat, 12 Aug 2000 08:32:53 -0700 (PDT) (envelope-from spidaman@salon.com)
Received: from localhost (spidaman@localhost) by viagara.salon.com (8.9.3/8.9.3) with ESMTP id IAA41298; Sat, 12 Aug 2000 08:32:40 -0700 (PDT) (envelope-from spidaman@salon.com)
X-Authentication-Warning: viagara.salon.com: spidaman owned process doing -bs
Date: Sat, 12 Aug 2000 08:32:40 -0700 (PDT)
From: Ian Kallen
To: Vladimir Melnik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: php-3.0.12 and apache-1.3.9: is this a bug or some feature?
In-Reply-To: <20000812081705.I98373@art-service.net.ua>
Message-ID:
X-fish: cod
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Where is the freebsd-security issue? This has to do with Apache and PHP configuration, settings you might have that can produce confusing results interpreting PATH_INFO.
Therefore comp.infosystems.www.servers.unix is a more appropriate place to ask this, and without posting a representative httpd.conf it is probably difficult to answer.

Today, Vladimir Melnik frothed and...:

> Hello, citizens.
>
> Tonight I saw strange behavior of apache-1.3.9 with php-3.0.12 on
> one of my FreeBSD-3.4 boxes and I can't understand it. Look... I have
> some php3-scripts at my web-server. Ok, let's run an Internet
> Browser and type the URL:
>
> http://my.web.server/index.html
>
> Oh, well, it's ok, file `index.html' exists and my apache shows
> it. Now let's check this:
>
> http://my.web.server/something.php3
>
> Wow! It's ok too, `cause this file exists too! ;-) Now we'll do
> something unusual...
>
> http://my.web.server/something.php3/boo-boo/oops/
>
> or even
>
> http://my.web.server/something.php3/../../../../
>
> Oops... I can see this document, but, #$%%^%^!.. But where are all
> the images?! ;-) I can't see any of my displayed
> correctly. 404. But why do I see the html-document? Ok, let's try:
>
> http://my.web.server/index.html/boo-boo/oops/
>
> 404, sir. Ok. But what's happened to my php?! ;-) It's interesting
> to think about, isn't it? ;-) What are your guesses?
>
> --

--
Salon Internet                          http://www.salon.com/
Manager, Software and Systems          "Livin' La Vida Unix!"
Ian Kallen / AIM: iankallen / Fax: (415) 354-3326

From owner-freebsd-security Sat Aug 12 11:13: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.everyday.cx (cr308584-a.wlfdle1.on.wave.home.com [24.114.52.208]) by hub.freebsd.org (Postfix) with ESMTP id 9274C37B70C for ; Sat, 12 Aug 2000 11:12:56 -0700 (PDT) (envelope-from webbie@everyday.cx)
Received: from apollo (apollo.objtech.com [192.168.111.5]) by mail.everyday.cx (Postfix) with ESMTP id DE0133132 for ; Sat, 12 Aug 2000 14:12:54 -0400 (EDT)
Date: Sat, 12 Aug 2000 14:12:54 -0400
From: Webbie
X-Mailer: The Bat! (v1.45) UNREG / CD5BF9353B3B7091
Reply-To: Webbie
X-Priority: 3 (Normal)
Message-ID: <14031005493.20000812141254@everyday.cx>
To: freebsd-security@FreeBSD.ORG
Subject: Fwd: A little favor...
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a forwarded message
From: Buliwyf McGraw
To: webbie@everyday.cx
Date: Saturday, August 12, 2000, 1:28:44 PM
Subject: A little favor...

===8<==============Original message text===============

Hi, I'm subscribed to the FreeBSD Security List but for some reason I can't post to the list and I need to do a query... can you put it on the list for me please? (Thanks a lot)

If you want, this is the question:

Subject: About Natd and ipfw...

Hello, I want to do IP masquerade and transparent proxy for an intranet using a FreeBSD box as a gateway. Everything on the same machine. I mean, the FreeBSD server will do all the interfacing between the Internet and the computers of my intranet. We have a Cisco router, and it is configured to send all requests of the clients to the FreeBSD server. At this moment, masquerading is working well (it is for irc, telnet, etc)... the problem is that we want to do transparent proxy, using squid on the same server (the FreeBSD). What's going on?... well, the server has only one network card, and we don't know what rules to use to make it work as a transparent proxy WITHOUT masquerading the http requests from the computers of the intranet. We tried several rules, but when we redirect packets to port 8080 on the same machine, all of them are masqueraded and squid doesn't get anything. The point is, with the same network interface is it possible that IP masquerade and transparent proxy (with squid on the same machine) work???

Thanks...
=======================================================================
Buliwyf McGraw
Libertad Server Administrator
Information Services Center
Universidad del Valle
=======================================================================

===8<===========End of original message text===========

--
Webbie

     \\|//
     (o o)
+-------------------------oOOo-(_)-oOOo-----------------------------+
EMail           : mailto:webbie(at)everyday(dot)cx
PGP Key         : http://www.everyday.cx/pgpkey.txt
PGP Fingerprint : 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C
+-------------------------------------------------------------------+

Stray Alpha Particles from memory packaging caused Hard Memory Error on Server.

From owner-freebsd-security Sat Aug 12 22:18:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id E72B837BE13; Sat, 12 Aug 2000 22:18:33 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id PAA07250; Sun, 13 Aug 2000 15:18:32 +1000 (EST)
From: Darren Reed
Message-Id: <200008130518.PAA07250@cairo.anu.edu.au>
Subject: ipfilter 3.4.9 imported
To: current@freebsd.org
Date: Sun, 13 Aug 2000 15:18:32 +1000 (Australia/NSW)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Forwarded message:
> From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 13 15:15 EST 2000
> From: owner-freebsd-hackers@FreeBSD.ORG
> To: avalon@coombs.anu.edu.au
> Subject: Excessive cross-posting: 3 lists.
> Message-Id: <20000813051533.1141637BFA6@hub.freebsd.org>
> Date: Sat, 12 Aug 2000 22:15:33 -0700 (PDT)
> Content-Type: text
> Content-Length: 1542
>
> do not send mail to more than two lists!
> you sent mail to:
>     hackers@freebsd.org
>     current@freebsd.org
>     security@freebsd.org
>
>
>
> From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 12 22:15:31 2000
> Return-Path:
> Delivered-To: freebsd-hackers@freebsd.org
> Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11])
>     by hub.freebsd.org (Postfix) with ESMTP
>     id 3B58D37BE13; Sat, 12 Aug 2000 22:15:26 -0700 (PDT)
>     (envelope-from avalon@cairo.anu.edu.au)
> Received: (from avalon@localhost)
>     by cairo.anu.edu.au (8.9.3/8.9.3) id PAA06842;
>     Sun, 13 Aug 2000 15:15:22 +1000 (EST)
> From: Darren Reed
> Message-Id: <200008130515.PAA06842@cairo.anu.edu.au>
> Subject: ipfilter 3.4.9 imported
> To: hackers@freebsd.org, current@freebsd.org
> Date: Sun, 13 Aug 2000 15:15:22 +1000 (Australia/NSW)
> Cc: security@freebsd.org
> X-Mailer: ELM [version 2.5 PL1]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Sender: avalon@cairo.anu.edu.au
>
>
> I have just imported IP Filter 3.4.9 into -current. My attempts to compile
> a kernel on freefall/builder failed due to kern_sig.c/machdep.c so I don't
> know if all is well there (i.e. don't blame me for not making use of
> available resources - I tried to use them but they failed and nobody
> has responded to an email about this)...it built cleanly in the IP Filter
> directory. If there are no problems, *maybe* next weekend (if not later)
> I'll look at pulling it up into -stable.
>
> Darren
>
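The php-3.0.12/apache-1.3.9 thread above turns on how the server splits a request path into a script and PATH_INFO. The following Python model is an added example, not code from the thread, from Apache or from PHP; the DOCROOT tree, DIRECTORY_INDEX, the SCRIPT_SUFFIXES table and the relative image reference are constructed assumptions for the demonstration.

```python
"""Model of how a 1.3-era Apache maps a request path onto a file plus PATH_INFO.

Added example for the php-3.0.12/apache-1.3.9 thread.  The document tree,
the script-suffix table and the image reference are constructed for the
demonstration; they are not taken from the poster's server.
"""
import posixpath
from urllib.parse import urljoin

# Constructed document root: URL path -> True when a regular file exists there.
DOCROOT = {"/index.html": True, "/something.php3": True, "/images/logo.gif": True}
DIRECTORY_INDEX = "index.html"
# Suffixes handled by a script handler, which accepts trailing path components
# (PATH_INFO).  Static files served by the default handler do not.
SCRIPT_SUFFIXES = (".php3",)


def map_request(path):
    """Return (status, script_name, path_info) for a request path.

    Dot segments are collapsed before the filesystem is consulted, so
    "/x.php3/../../.." cannot leave the document root.  The walk then takes
    the longest leading prefix that names an existing file; the remainder is
    PATH_INFO.  A script keeps it, a static file with a remainder is 404.
    """
    clean = posixpath.normpath("/" + path.lstrip("/"))   # "/a/../b/" -> "/b"
    parts = [p for p in clean.split("/") if p]
    if not parts:                                        # request for "/" itself
        index = "/" + DIRECTORY_INDEX
        return (200, index, "") if DOCROOT.get(index) else (404, None, None)
    for i in range(len(parts), 0, -1):
        candidate = "/" + "/".join(parts[:i])
        if DOCROOT.get(candidate):
            rest = "/" + "/".join(parts[i:]) if parts[i:] else ""
            if rest and not candidate.endswith(SCRIPT_SUFFIXES):
                return (404, candidate, rest)
            return (200, candidate, rest)
    return (404, None, None)


def resolve_relative(request_url, href):
    """URL a browser fetches for a relative reference found in the served page.

    With PATH_INFO in the request URL the base changes, so "images/logo.gif"
    no longer points at /images/logo.gif but back into the script's namespace.
    """
    return urljoin(request_url, href)


if __name__ == "__main__":
    for url in ("/something.php3/boo-boo/oops/", "/index.html/boo-boo/oops/"):
        print(url, "->", map_request(url))
    print(resolve_relative("http://my.web.server/something.php3/boo-boo/oops/", "images/logo.gif"))
```

Relative references inside a page reached through an alias such as /something.php3/boo-boo/oops/ resolve back under the script rather than to /images/logo.gif, which is why the images break while the HTML still renders. Every such alias is also one more URL under which the script can be reached, so where the server lets a handler opt out of PATH_INFO, handlers that do not need it should.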