From owner-freebsd-security Sun Sep 17 12:48:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ocis.ocis.net (ocis.ocis.net [209.52.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 74FD137B422; Sun, 17 Sep 2000 12:48:17 -0700 (PDT)
Received: from localhost (vdrifter@localhost) by ocis.ocis.net (8.9.3/8.9.3) with ESMTP id MAA25458; Sun, 17 Sep 2000 12:48:12 -0700
Date: Sun, 17 Sep 2000 12:48:11 -0700 (PDT)
From: John F Cuzzola
To: freebsd-security@FreeBSD.ORG
Subject: MTU Path Discovery + ipfw/natd
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Everyone,

I have a question on why something works. Suppose I have a private net that a BSD box is masquerading for like this:

    ROUTER ----------- FreeBSD Box --------- Private Net 192.168.0.0/24

Let's suppose the BSD box is masquerading through a public IP of 209.52.173.1. My question has to do with MTU Path Discovery. Suppose a computer 192.168.0.1 sends a packet with the don't-fragment bit set. This packet's source address gets changed to 209.52.173.1 and sent to the next hop (in this example the router). Now let's say the router can't handle the size of the packet and, since it is not allowed to fragment, it tries to send an ICMP 3.4 message (Fragmentation needed but DF bit set). Well, the router will send that ICMP message to 209.52.173.1 and 192.168.0.1 would never receive it. I've never had any problems with ipfw/natd but was curious why this scenario doesn't seem to happen. Can anyone fill me in?
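As an added worked example (mine, not part of John's message and not natd or ipfw code), the following Python models the scenario in the question: a stateful NAT translating 192.168.0.1 to 209.52.173.1, a router returning an ICMP type 3 code 4 error to the public address, and the step that lets that error reach the private host. The point it demonstrates is that the ICMP error quotes the IP header of the packet that could not be forwarded, and that quoted header carries the translated source address and port, so the NAT can match it against its state table and rewrite both the outer destination and the quoted header before passing it inward. The remote host (198.51.100.7), the router address, the port pool and all packet contents are constructed for the example. It also shows the failure case a defender cares about: an error that matches no flow, or that a firewall rule never lets in, is dropped, and the private host is left with a path MTU black hole.

```python
import socket
import struct

# Constructed addresses: the two from the question plus a hypothetical remote host and router.
PRIVATE_HOST, PUBLIC_IP = "192.168.0.1", "209.52.173.1"
REMOTE_HOST, ROUTER_IP = "198.51.100.7", "209.52.173.254"
IPPROTO_ICMP, IPPROTO_TCP, IP_DF = 1, 6, 0x4000
ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG = 3, 4   # "ICMP 3.4": fragmentation needed but DF set

def inet_checksum(data):
    """RFC 1071 checksum; evaluates to 0 over a header whose checksum field is valid."""
    data += b"\x00" * (len(data) % 2)                   # pad odd lengths
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def stamp_checksum(buf, off):
    """Return buf with the checksum field at buf[off:off+2] filled in."""
    buf = bytearray(buf)
    buf[off:off + 2] = b"\x00\x00"
    buf[off:off + 2] = struct.pack("!H", inet_checksum(bytes(buf)))
    return bytes(buf)

def build_ipv4(src, dst, proto, payload, df=True):
    """20-byte IPv4 header (no options) with a valid checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, IP_DF if df else 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return stamp_checksum(hdr, 10) + payload

def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (f[0] & 0x0F) * 4, "proto": f[6], "df": bool(f[4] & IP_DF),
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9])}

def build_tcp(sport, dport):
    # Minimal SYN header; its checksum is left zero, it plays no part in the NAT lookup.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def build_icmp_needfrag(offending, mtu):
    """What the router sends back: type 3, code 4, the next-hop MTU, then the offending
    packet's IP header plus its first 8 payload bytes (which carry the ports)."""
    hdr = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 0, mtu)
    return stamp_checksum(hdr + offending[:parse_ipv4(offending)["ihl"] + 8], 2)

class Nat:
    """Toy stateful, port-translating NAT (not natd): just enough to show the ICMP path."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000   # hypothetical port pool
        self.state = {}   # (proto, public_port, dst, dport) -> (private_ip, private_port)

    def outbound(self, pkt):
        """Private -> public: rewrite the source address and port, remember the flow."""
        ip = parse_ipv4(pkt)
        sport, dport = struct.unpack("!HH", pkt[ip["ihl"]:ip["ihl"] + 4])
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.state[(ip["proto"], pub_port, ip["dst"], dport)] = (ip["src"], sport)
        l4 = struct.pack("!H", pub_port) + pkt[ip["ihl"] + 2:]
        return build_ipv4(self.public_ip, ip["dst"], ip["proto"], l4, df=ip["df"])

    def inbound_icmp_error(self, pkt):
        """Public -> private for an ICMP error: the quoted header carries the translated
        source, so match on it, then rewrite the outer destination and the quoted header.
        None means drop, which leaves the private host with a PMTU black hole."""
        outer = parse_ipv4(pkt)
        if outer["proto"] != IPPROTO_ICMP or outer["dst"] != self.public_ip:
            return None
        icmp = pkt[outer["ihl"]:]
        if tuple(icmp[:2]) != (ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG):
            return None
        inner, iip = icmp[8:], parse_ipv4(icmp[8:])
        sport, dport = struct.unpack("!HH", inner[iip["ihl"]:iip["ihl"] + 4])
        flow = self.state.get((iip["proto"], sport, iip["dst"], dport))
        if flow is None:
            return None
        priv_ip, priv_port = flow
        hdr = stamp_checksum(inner[:12] + socket.inet_aton(priv_ip) + inner[16:iip["ihl"]], 10)
        quoted = hdr + struct.pack("!H", priv_port) + inner[iip["ihl"] + 2:]
        return build_ipv4(outer["src"], priv_ip, IPPROTO_ICMP, stamp_checksum(icmp[:8] + quoted, 2), df=False)

def describe_icmp_error(pkt):
    # The fields a receiving host acts on, plus whether all three checksums verify.
    outer = parse_ipv4(pkt)
    icmp, inner = pkt[outer["ihl"]:], pkt[outer["ihl"] + 8:]
    iip = parse_ipv4(inner)
    sport, dport = struct.unpack("!HH", inner[iip["ihl"]:iip["ihl"] + 4])
    return {"dst": outer["dst"], "flow": (iip["src"], sport, iip["dst"], dport),
            "mtu": struct.unpack("!H", icmp[6:8])[0],
            "checksums_ok": all(inet_checksum(b) == 0 for b in (pkt[:outer["ihl"]], icmp, inner[:iip["ihl"]]))}

def demo():
    nat = Nat(PUBLIC_IP)
    # 192.168.0.1 sends a 1400-byte TCP segment with DF set; the NAT translates it outbound.
    public_pkt = nat.outbound(build_ipv4(PRIVATE_HOST, REMOTE_HOST, IPPROTO_TCP, build_tcp(1025, 80) + b"A" * 1380))
    # The router cannot fit it on a 576-byte link and returns ICMP 3/4 to the public address.
    from_router = build_ipv4(ROUTER_IP, PUBLIC_IP, IPPROTO_ICMP, build_icmp_needfrag(public_pkt, 576), df=False)
    # An error quoting a flow the NAT never saw matches no state and must be dropped.
    unknown = build_ipv4(PUBLIC_IP, REMOTE_HOST, IPPROTO_TCP, build_tcp(5555, 80))
    stray = build_ipv4(ROUTER_IP, PUBLIC_IP, IPPROTO_ICMP, build_icmp_needfrag(unknown, 576), df=False)
    return {"router_view": describe_icmp_error(from_router),
            "host_view": describe_icmp_error(nat.inbound_icmp_error(from_router)),
            "stray": nat.inbound_icmp_error(stray)}
```

Running demo() shows the router's copy addressed to 209.52.173.1 with the flow (209.52.173.1, 40000, 198.51.100.7, 80) quoted inside, and the copy delivered to 192.168.0.1 with the flow restored to (192.168.0.1, 1025, 198.51.100.7, 80) and MTU 576, all checksums valid; the stray error comes back as None. A real translator additionally fixes the TCP/UDP checksum of the outbound packet and of the quoted transport header, which is skipped here because nothing in the example verifies transport checksums.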
Thanks,
John

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Sep 17 15:03:16 2000
Date: Mon, 18 Sep 2000 00:01:54 +0200
From: Mipam
To: John F Cuzzola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MTU Path Discovery + ipfw/natd
Message-ID: <20000918000154.B455@ibb0021.ibb.uu.nl>
Reply-To: mipam@ibb.net
In-Reply-To: from vdrifter@ocis.ocis.net on Sun, Sep 17, 2000 at 12:48:11PM -0700
User-Agent: Mutt/1.2.5i

On Sun, Sep 17, 2000 at 12:48:11PM -0700, John F Cuzzola wrote:
> Hello Everyone,
> I have a question on why something works. Suppose I have a private net
> that a BSD box is masquerading for like this:
>
> ROUTER ----------- FreeBSD Box --------- Private Net 192.168.0.0/24
>
> let's suppose the BSD box is masquerading through a public ip of
> 209.52.173.1. My question has to do with MTU Path Discovery. Suppose a
> computer 192.168.0.1 sends a packet with the don't fragment bit set. This
> packet's source address gets changed to 209.52.173.1 and sent to the
> next-hop (in this example the router). Now let's say the router can't
> handle the size of the packet and since it is not allowed to fragment, it
> tries to send an icmp 3.4 message (Fragmentation needed but DF bit
> set). Well the router will send that ICMP message to 209.52.173.1 and
> 192.168.0.1 would never receive it. I've never had any problems with
> ipfw/natd but was curious why this scenario doesn't seem to happen. Can
> anyone fill me in?

Well, you are doing NAT as you said, so state keeping is done. The ICMP type 3 code 4 is sent back as a reply to the initial packet. Now, I suppose you'll allow ICMP type 3 code 4 in; it'll perfectly arrive back at 192.168.0.1.

Btw, I don't know what kind of OSes you run inside, but normally NetBSD doesn't send packets with the DF bit set on the initial packet; I guess OpenBSD and FreeBSD also do not just send packets with the DF bit set initially. Most systems announce an MSS that is determined from the MTU on the interface that the traffic to the remote system passes out through; look with tcpdump and you'll see it happening. Some systems will send back a packet with the same MSS and the DF bit set. Others will just send a reply back with the same MSS or a smaller one, but without the DF bit.

Bye,

Mipam.

From owner-freebsd-security Sun Sep 17 15:45:19 2000
From: Cyrille Lefevre
Message-Id: <200009172245.AAA01823@gits.dyndns.org>
Subject: ports/dhcp3: memory hole in dhclient
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Cc: Ted.Lemon@nominum.com
Date: Mon, 18 Sep 2000 00:45:04 +0200 (CEST)
Reply-To: clefevre@citeweb.net
Organization: ACME

The dhclient program from the dhcp3 port, version 3.0.1 patch level 14, has a memory hole which may hang your machine after a long time running. In my case, it sucks "only" 64 MB of memory in a month (36 days). I said "only" because I have the line

    :memoryuse-cur=64M:\

in the default section of the /etc/login.conf file, which restricts the memory usage of common processes.

FYI, I'm running FreeBSD 4.1-RC but this problem is probably not OS dependent.

I try to restart it, but that freezes my machine! No panic, no nothing :(

IMHO, this message is subject to a "Ports Security Advisory".

Cyrille.
--
home: mailto:clefevre@citeweb.net
work: mailto:Cyrille.Lefevre@edf.fr

From owner-freebsd-security Sun Sep 17 22:42:31 2000
From: "Vladimir B. Grebenschikov"
Message-ID: <14789.42660.401430.305445@vbook.express.ru>
Date: Mon, 18 Sep 2000 09:22:44 +0400 (MSD)
To: freebsd-security@freebsd.org
Subject: MD5 passwords vs DES

I have a question:

Does anybody have ideas to add a 'default crypting mode' for utilities like passwd, adduser, etc.?

I am not very happy to add a new user with adduser, then to manually edit /etc/passwd adding $1$xxx$xx to the password, then launch passwd to change the password for the user. In reality passwd uses the old password as salt for the new password, but if there was no old password or it was '*', the new password is crypted with DES :(

--
TSB Russ﻿ian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru

From owner-freebsd-security Sun Sep 17 23:09:58 2000
Date: Sun, 17 Sep 2000 23:09:54 -0700 (PDT)
From: Kris Kennaway
To: "Vladimir B. Grebenschikov"
Cc: freebsd-security@freebsd.org, Brian Feldman
Subject: Re: MD5 passwords vs DES
In-Reply-To: <14789.42660.401430.305445@vbook.express.ru>

On Mon, 18 Sep 2000, Vladimir B.
Grebenschikov wrote:

> I have a question:
>
> Does anybody have ideas to add 'default crypting mode' for utilities
> like passwd, adduser, etc ?
>
> I am not very happy to add new user with adduser, then to edit manually
> /etc/passwd adding $1$xxx$xx to password, then launch passwd to change
> password for user. In reality passwd uses old password as salt for
> new password, but if there was no old password or it was '*' - new
> password is crypted with DES :(

Brian Feldman wrote code in -current which fixes this by using a login capability to specify which format to use for new passwords.

I'm trying to get him to merge it back to -stable in time for 4.1.1. Brian, what's the latest?

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Sep 18 00:22:52 2000
Date: Mon, 18 Sep 2000 10:24:58 +0300 (EEST)
From: Evren Yurtesen
To: Kris Kennaway
Cc: "Vladimir B. Grebenschikov", freebsd-security@FreeBSD.ORG, Brian Feldman
Subject: Re: MD5 passwords vs DES

If you don't mind the side effects you can try to compile passwd and perl with /usr/lib/libscrypt.a instead of -lcrypt (which defaults to /usr/lib/libcrypt.a, which is linked to either the DES or the MD5 library). When you use libscrypt in your passwd and perl programs, the passwords these programs generate will be MD5 by default. The side effect of this is that your users can't change their own passwords if their old password is DES, since libscrypt doesn't understand DES, and if you have perl scripts which do similar actions they may fail. But adduser is a perl script itself, so it would generate MD5 passwords automatically when you add a new user.

For the passwd program it's simple: in its makefile just replace the -lcrypt lines with /usr/lib/libscrypt.a; this should do the job. I am not sure about perl.

Is this a good "temporary" solution for you?

On Sun, 17 Sep 2000, Kris Kennaway wrote:

> On Mon, 18 Sep 2000, Vladimir B. Grebenschikov wrote:
>
> > I have a question:
> >
> > Does anybody have ideas to add 'default crypting mode' for utilities
> > like passwd, adduser, etc ?
> >
> > I am not very happy to add new user with adduser, then to edit manually
> > /etc/passwd adding $1$xxx$xx to password, then launch passwd to change
> > password for user. In reality passwd uses old password as salt for
> > new password, but if there was no old password or it was '*' - new
> > password is crypted with DES :(
>
> Brian Feldman wrote code in -current which fixes this by using a login
> capability to specify which format to use for new passwords.
>
> I'm trying to get him to merge it back to -stable in time for
> 4.1.1. Brian, what's the latest?
>
> Kris
>
> --
> In God we Trust -- all others must submit an X.509 certificate.
>     -- Charles Forsythe

From owner-freebsd-security Mon Sep 18 00:37:48 2000
Message-Id: <200009180438.e8I4c1V07634@grosse.bisbee.fugue.com>
To: clefevre@citeweb.net
Cc: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ports/dhcp3: memory hole in dhclient
In-Reply-To: Message from Cyrille Lefevre of "Mon, 18 Sep 2000 00:45:04 +0200." <200009172245.AAA01823@gits.dyndns.org>
Date: Sun, 17 Sep 2000 21:38:01 -0700
From: Ted Lemon

The current version of the software is 3.0b2pl4. I've fixed a number of memory leaks, although I can't promise you that I've fixed yours.
_MelloN_

From owner-freebsd-security Mon Sep 18 01:21:19 2000
Date: Mon, 18 Sep 2000 10:21:05 +0200 (IST)
From: Roman Shterenzon
To: Ted Lemon
Cc: obrien@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ports/dhcp3: memory hole in dhclient

The current version in ports seems to be dhcp-3.0b1pl17.
It wasn't touched for a month and dhcp-3.0b2pl4.tar.gz was released 4 days ago, so you must be mistaken.
Which version has the memory leaks fixed then?
I was just going to install dhcpd 3 for dynamic DNS updates, but now I'm not so sure. Does the dhcp server leak memory as well?
I'm cc'ing the maintainer, I hope that he forgives me :)

> The current version of the software is 3.0b2pl4. I've fixed a number
> of memory leaks, although I can't promise you that I've fixed yours.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Mon Sep 18 07:50:35 2000
Date: Mon, 18 Sep 2000 11:56:43 -0300
From: Fred Souza
To: security@freebsd.org
Subject: Panic when receiving packets with invalid versions
Message-ID: <20000918115643.A470@torment.secfreak.com>

Hi all,

I was just playing around with ISIC and noticed something strange in FreeBSD's IP stack (my system is 4.1-STABLE, built with the source tree of 09/10). It seems the system cannot handle a certain amount of packets built with invalid IP version numbers, and will reboot after a short period of time.

My first attempt was:

    torment:ttyv0:~# isic -D -s rand -d 192.168.0.1 -r rand
    Using random source IP's
    Compiled against Libnet 1.0.1b
    Installing Signal Handlers.
    Seeding with 0
    No Maximum traffic limiter
    Bad IP Version = 10%  Odd IP Header Length = 50%  Frag'd P cnt = 30%
    138.156.122.75 -> 192.168.0.1 tos[57] id[0] ver[4] frag[0]
    49.225.236.60 -> 192.168.0.1 tos[236] id[1] ver[4] frag[0]

Then..
    Fatal trap 12: page fault while in kernel mode
    fault virtual address   = 0x0
    fault code              = supervisor read, page not present
    instruction pointer     = 0x8:0xc0190b43
    stack pointer           = 0x10:0xc644acc0
    frame pointer           = 0x10:0xc644acec
    code segment            = base 0x0, limit 0xfffff, type 0x1b
                            = DPL 0, pres 1, def32 1, gran 1
    processor eflags        = interrupt enabled, resume, IOPL = 0
    current process         = 238 (isic)
    interrupt mask          =
    trap number             = 12
    panic: page fault

By this time, I wasn't sure if the fault occurred due to the outgoing invalid packets or the incoming ones. Then, after the reboot, I tried:

    torment:ttyv2:~# isic -D -s rand -d 192.168.0.1 -r rand -V0
    Using random source IP's
    Compiled against Libnet 1.0.1b
    Installing Signal Handlers.
    Seeding with 0
    No Maximum traffic limiter
    Bad IP Version = 0%  Odd IP Header Length = 50%  Frag'd P cnt = 30%
    138.156.122.75 -> 192.168.0.1 tos[57] id[0] ver[4] frag[0]
    49.225.236.60 -> 192.168.0.1 tos[236] id[1] ver[4] frag[0]
    186.159.114.116 -> 192.168.0.1 tos[41] id[2] ver[4] frag[0]
    110.39.117.87 -> 192.168.0.1 tos[4] id[3] ver[4] frag[35696]
    144.254.169.98 -> 192.168.0.1 tos[182] id[4] ver[4] frag[45378]
    [Lots of packets]

And no page faults this time. Yet, I tried sending the invalid packets to another host, and again, everything went just fine. This way, I was sure the problem is about incoming invalid packets (or am I wrong about that?). I tried again sending invalid packets to myself, to ensure the first time wasn't "environment trash" just after the reboot, and the same happened.

The next step I tried was to fix it. But due to my limited ability to change kernel code, I couldn't. I'm leaving this to the magicians, real kernel hackers, to fix, if there's anything to fix at all (I'm still considering the possibility of this just being *my* fault. I've had the same kind of page faults a few weeks ago with pppd.) :-)

As far as I can tell, ip_input.c's ip_input() function checks the ip_v field of each packet and compares it to IPVERSION (4). If it doesn't match, the code jumps to the label "bad", where, if IPFIREWALL_FORWARD is active, it sets ip_fw_fwd_addr to NULL, and discards the buffer of the incoming packet. Looks just right to me, and that's why I couldn't figure out how to fix this problem.

Can anybody else reproduce this kind of error, or should I smash my head against the wall and try to solve this by myself on my box?

Peace,
.cseg

--
"The most difficult thing in the world is to know how to do a thing and to watch someone else do it wrong without comment."
    -- Theodore H. White

From owner-freebsd-security Mon Sep 18 08:19:00 2000
Message-Id: <200009181518.e8IFIC501020@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
To: security-officer@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Ataboy
Date: Mon, 18 Sep 2000 08:17:36 -0700

Just a quick note to say that you guys have been doing a great job. The following is an excerpt from the weekly SecurityPortal newsletter. Keep up the good work. It's appreciated.

    Weekly BSD Security Digest - It was a busy week for FreeBSD. One wonders when (and if) the other BSD's will fix their ports collections. Problems in mailman, screen, eject, xchat, pine and listmanager.
    http://securityportal.com/topnews/weekly/bsd20000918.html

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/DEC Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Mon Sep 18 09:29:51 2000
Date: Mon, 18 Sep 2000 12:29:45 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200009181629.MAA16045@giganda.komkon.org>
To: security-advisories@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:47.pine

Would somebody, please, clarify if the older pine3 port is also vulnerable?
I know that it is no longer supported in the ports collection, but it is still being used.
Since the pine3 port is not formally a pine4 port, although its version is before 4.21, it is not clear if this bug existed since the 3.xx period or was introduced in the 4.xx version.

Thanks,

Igor

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:47                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          pine4 port allows denial of service
>
> Category:       ports
> Module:         pine4
> Announced:      2000-09-13
> Affects:        Ports collection.
> Corrected:      2000-07-17
> Credits:        Juhapekka Tolvanen
> Vendor status:  Contacted
> FreeBSD only:   NO
>
> I.   Background
>
> Pine is a popular mail user agent.
>
> II.  Problem Description
>
> The pine4 port, versions 4.21 and before, contained a bug which would
> cause the program to crash when processing a folder which contains an
> email message with a malformed X-Keywords header. The message itself
> could be deleted within pine if identified, but other operations such
> as closing the folder with the message still present would cause the
> program to crash with no apparent cause, discarding changes to the
> mailbox.
>
> The FreeBSD port of pine4 was changed on 2000-07-17 to use an updated
> version of the c-client library which is used to handle the mailbox
> processing. This library does not contain the bug and versions of
> pine4 built with it (i.e. ports or packages dated after the correction
> date) do not suffer from this vulnerability.
>
> The pine4 port is not installed by default, nor is it "part of
> FreeBSD" as such: it is part of the FreeBSD ports collection, which
> contains over 3800 third-party applications in a ready-to-install
> format. The ports collections shipped with FreeBSD 4.1 and 3.5.1
> contain this problem since it was discovered after the releases.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
> audit of the most security-critical ports.
>
> III. Impact
>
> Remote users can cause pine4 to crash when closing a mail folder by
> sending a malformed email.
>
> If you have not chosen to install the pine4 port/package, then
> your system is not vulnerable to this problem.
>
> IV.  Workaround
>
> Deinstall the pine4 port/package, if you have installed it.
>
> It may be possible to use a mail filtering utility such as procmail
> (available in FreeBSD ports as /usr/ports/mail/procmail) to filter out
> the malformed X-Keywords header from incoming mail, but this solution
> is not discussed here.
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the pine4 port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/pine-4.21.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.21.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/pine-4.21.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.21.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/pine-4.21.tgz
>
> NOTE: Be sure to check the file creation date on the package, because
> the version number of the software has not changed.
>
> 3) download a new port skeleton for the listmanager port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBOb/kgFUuHi5z0oilAQEwgAQAnYgLOfvgfM88DLjUXgoZBkVRoroeU8rz
> 2DXUw4LEQ6ARzruWPepALW2Yls+g5SraDCLHmuTo6tb3vR6kwQ97gQmzNCNDxK9T
> /5m4EFYo2ErTOB4nO/MqepJ+/0t4oBPByhaRjQBSqQncaN4FIkWgboqfpbYdL6HC
> cnQSlc+0FPs=
> =R2n+
> -----END PGP SIGNATURE-----
From owner-freebsd-security Mon Sep 18 09:39:16 2000
Date: Mon, 18 Sep 2000 09:39:13 -0700 (PDT)
From: Kris Kennaway
To: Igor Roshchin
Cc: security-advisories@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:47.pine
In-Reply-To: <200009181629.MAA16045@giganda.komkon.org>

On Mon, 18 Sep 2000, Igor Roshchin wrote:

> Would somebody, please, clarify if the older
> pine3 port is also vulnerable ?
> I know that it is no longer supported in the ports collection,
> but it is still being used.
> Since pine3 port is not formally a pine4 port, although
> its version is before 4.21, it is not clear if this bug
> existed since the 3.xx period or it was introduced in 4.xx
> version.

I have no idea - but you definitely should not be using pine3; there were many security bugs with that version - details escape me, but I think they included remotely exploitable buffer overflows.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Sep 18 10:02:48 2000
Date: Mon, 18 Sep 2000 13:05:25 -0400 (EDT)
From: Bosko Milekic
Subject: Re: Panic when receiving packets with invalid versions
In-reply-to: <20000918115643.A470@torment.secfreak.com>
To: Fred Souza
Cc: security@FreeBSD.ORG

On Mon, 18 Sep 2000, Fred Souza wrote:

> It seems the system cannot handle a certain amount of packets built with
> invalid IP version numbers, and will reboot after a short period of time.

[...]

> Then..
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0x0
> fault code              = supervisor read, page not present
> instruction pointer     = 0x8:0xc0190b43
> stack pointer           = 0x10:0xc644acc0
> frame pointer           = 0x10:0xc644acec
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 238 (isic)
> interrupt mask          =
> trap number             = 12
> panic: page fault

Can you please send a complete traceback, as well as other (more useful) debugging information? -- See the Handbook for more information. Looks like a NULL pointer dereference.
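Fred's report and Bosko's reply above concern what a receiver does with packets whose version or header length fields are bogus. As an added example (mine; not FreeBSD's ip_input() and not isic), here is a user-space IPv4 header validator in Python that goes beyond the single version check Fred describes to the full set of sanity checks a receiver needs before it trusts any header field: enough bytes for a fixed header, the version nibble, an IHL below the 20-byte minimum, an IHL pointing past the end of the packet, a total length inconsistent with the header or the bytes received, and the header checksum. The sample packets are constructed in the spirit of isic's "Bad IP Version" and "Odd IP Header Length" knobs, with arbitrary addresses. The triage() counter is the kind of per-reason drop statistic (compare the ip section of netstat -s) that lets an operator notice such traffic rather than meet it as a panic.

```python
import socket
import struct

IPVERSION = 4     # the constant ip_input() compares the ip_v field against
MIN_HDR = 20      # smallest legal IPv4 header: IHL of 5 words

def inet_checksum(data):
    """RFC 1071 checksum; evaluates to 0 over a header whose checksum field is valid."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def validate_ipv4_header(pkt):
    """Return (ok, code). Every field is bounds-checked before it is used to index
    into the packet, which is what lets a receiver survive random headers."""
    if len(pkt) < MIN_HDR:
        return False, "short"            # not even a full fixed header arrived
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != IPVERSION:
        return False, "version"          # isic's "Bad IP Version"
    if ihl < MIN_HDR:
        return False, "ihl_small"        # IHL < 5: "Odd IP Header Length"
    if ihl > len(pkt):
        return False, "ihl_large"        # header claims more bytes than arrived
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl:
        return False, "len_small"        # payload length would go negative
    if total_len > len(pkt):
        return False, "len_large"        # would read past the buffer
    if inet_checksum(pkt[:ihl]) != 0:
        return False, "checksum"
    return True, "ok"

def make_packet(version=4, ihl_words=5, option_bytes=b"", payload=b"", total_len=None,
                corrupt_checksum=False):
    """Constructed test input: a header whose declared fields may be deliberately wrong,
    in the spirit of isic's knobs. The addresses are arbitrary."""
    if total_len is None:
        total_len = MIN_HDR + len(option_bytes) + len(payload)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl_words, 0, total_len, 1,
                                0, 64, 6, 0, socket.inet_aton("10.0.0.2"),
                                socket.inet_aton("192.168.0.1")))
    hdr += option_bytes
    csum = inet_checksum(bytes(hdr))
    if corrupt_checksum:
        csum ^= 0x0001                   # one flipped bit always breaks the check
    hdr[10:12] = struct.pack("!H", csum)
    return bytes(hdr) + payload

def sample_packets():
    good = make_packet(payload=b"x" * 8)
    return [good,
            make_packet(ihl_words=6, option_bytes=b"\x01" * 4),   # four NOP options, valid
            make_packet(version=10),
            make_packet(ihl_words=3),
            make_packet(ihl_words=15),
            make_packet(corrupt_checksum=True),
            good[:10],
            make_packet(total_len=9000, payload=b"x" * 8),
            make_packet(total_len=8)]

def triage(packets):
    """Count verdicts per reason, the way a per-reason drop counter would."""
    counts = {}
    for pkt in packets:
        _, code = validate_ipv4_header(pkt)
        counts[code] = counts.get(code, 0) + 1
    return counts

if __name__ == "__main__":
    for code, n in sorted(triage(sample_packets()).items()):
        print(f"{code:10s} {n}")
```

The order of the checks matters: the IHL is validated against both the minimum and the bytes actually present before it is used to slice the header for the checksum, and the total length is validated before anything is handed to a transport parser. Over the nine sample packets, triage() reports two "ok" and one of each rejection reason.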
Bosko Milekic
bmilekic@technokratis.com

From owner-freebsd-security Mon Sep 18 10:57:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toccata.fugue.com (toccata.fugue.com [204.152.186.142]) by hub.freebsd.org (Postfix) with ESMTP id 9DC0737B423; Mon, 18 Sep 2000 10:57:21 -0700 (PDT)
Received: from grosse.bisbee.fugue.com (a40.pm3-32.theriver.com [206.102.192.104]) by toccata.fugue.com (8.9.3/8.6.11) with ESMTP id HAA03480; Sun, 17 Sep 2000 07:21:54 -0700 (PDT)
Received: from grosse.bisbee.fugue.com (localhost [127.0.0.1]) by grosse.bisbee.fugue.com (8.11.0/8.6.11) with ESMTP id e8IHutw00575; Mon, 18 Sep 2000 10:56:57 -0700 (MST)
Message-Id: <200009181756.e8IHutw00575@grosse.bisbee.fugue.com>
To: Roman Shterenzon
Cc: obrien@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ports/dhcp3: memory hole in dhclient
In-Reply-To: Message from Roman Shterenzon of "Mon, 18 Sep 2000 10:21:05 +0200."
Date: Mon, 18 Sep 2000 10:56:55 -0700
From: Ted Lemon
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The current version in ports seems to be dhcp-3.0b1pl17.
> It wasn't touched for a month and dhcp-3.0b2pl4.tar.gz was released 4 days
> ago, so you must be mistaken.

I think you mistake me. I am using the word "current version" to refer to the most recent version released by the author of the software (me), not the most recent version in the FreeBSD ports collection. It's not helpful to tell me there are bugs in my code when you're not running the current version of my code.

> Which version has the memory leaks fixed then?
> I was just going to install dhcpd 3 for dynamic dns updates, but now I'm
> not so sure. Does the dhcp server leak memory as well?

3.0b2pl4. However, 3.0b2pl4 is a fairly raw beta, and there are a couple of known problems with it. If you need to be running something in production, I'd suggest you wait a bit. OTOH, free software improves when people try it and report bugs, so you've got a bit of a Catch-22 going there. :'}

_MelloN_

From owner-freebsd-security Mon Sep 18 12:15: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id B8CE837B422 for ; Mon, 18 Sep 2000 12:15:00 -0700 (PDT)
Received: from dialup-janus.css.qmw.ac.uk ([138.37.11.110]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 13b6NV-0005GP-00 for freebsd-security@freebsd.org; Mon, 18 Sep 2000 20:14:57 +0100
Received: from david by dialup-janus.css.qmw.ac.uk with local (Exim 2.12 #1) id 13b5u7-000BfZ-00 for freebsd-security@FreeBSD.ORG; Mon, 18 Sep 2000 19:44:35 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 passwords vs DES
In-reply-to: Your message of "Mon, 18 Sep 2000 10:24:58 +0300."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 18 Sep 2000 19:44:34 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> If you don't mind the side effects you can try to compile passwd and perl
> with /usr/lib/libscrypt.a instead of -lcrypt (which defaults to
> /usr/lib/libcrypt.a which is linked to either DES or MD5 library) when you
> use libscrypt in your passwd and perl programs the passwords these
> programs generate will be MD5 by default. The side effect of this is that
> your users can't change their own passwords if their old password is DES
> since libscrypt doesn't understand DES and if you have perl scripts which
> do similar actions they may fail. But adduser is a perl script itself so
> it would generate MD5 passwords automatically when you add a new user.
> For the passwd program it's simple: in its makefile just change the -lcrypt lines
> to /usr/lib/libscrypt.a; this should do the job. I am not sure about perl.
>
> Is this a good "temporary" solution for you?

I don't recompile anything, I just redirect the symbolic links
  libcrypt* -> libdescrypt*
to become
  libcrypt* -> libscrypt*
in /usr/lib/

I actually do this during system installation before creating any users so the only DES password is the "root" password. "root" can, of course, reset this (getting an MD5 password) without having anything checked against the DES password (because it's "root" doing it).

--
David Pick

From owner-freebsd-security Mon Sep 18 12:24:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from finland.ispro.net.tr (finland.ispro.net.tr [212.174.120.1]) by hub.freebsd.org (Postfix) with ESMTP id E9FCD37B423 for ; Mon, 18 Sep 2000 12:24:03 -0700 (PDT)
Received: from localhost (yurtesen@localhost) by finland.ispro.net.tr (8.9.3/8.9.3) with ESMTP id WAA51101; Mon, 18 Sep 2000 22:26:02 +0300 (EEST) (envelope-from yurtesen@ispro.net.tr)
Date: Mon, 18 Sep 2000 22:26:02 +0300 (EEST)
From: Evren Yurtesen
To: David Pick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 passwords vs DES
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 18 Sep 2000, David Pick wrote:
> > If you don't mind the side effects you can try to compile passwd and perl
> > with /usr/lib/libscrypt.a instead of -lcrypt (which defaults to
> > /usr/lib/libcrypt.a which is linked to either DES or MD5 library) when you
> > use libscrypt in your passwd and perl programs the passwords these
> > programs generate will be MD5 by default. The side effect of this is that
> > your users can't change their own passwords if their old password is DES
> > since libscrypt doesn't understand DES and if you have perl scripts which
> > do similar actions they may fail. But adduser is a perl script itself so
> > it would generate MD5 passwords automatically when you add a new user.
> >
> > For the passwd program it's simple: in its makefile just change the -lcrypt lines
> > to /usr/lib/libscrypt.a; this should do the job. I am not sure about perl.
> >
> > Is this a good "temporary" solution for you?
>
> I don't recompile anything, I just redirect the symbolic links
>   libcrypt* -> libdescrypt*
> to become
>   libcrypt* -> libscrypt*
> in /usr/lib/
>
> I actually do this during system installation before creating any users so
> the only DES password is the "root" password. "root" can, of course, reset
> this (getting an MD5 password) without having anything checked against the
> DES password (because it's "root" doing it).
>
> --
> David Pick

But in your solution you expect all the passwords to be MD5 passwords because libscrypt doesn't understand DES. If you just recompile passwd and perl and leave libcrypt* -> libdescrypt*, you can have a hybrid passwd file with MD5 and DES entries; your new users and the users whose passwords you changed would have MD5 passwords, and in time, when you have all users' passwords as MD5, you can change the links from libdescrypt* to libscrypt*. Otherwise your users with DES passwords can't log in when you have libcrypt linked to libscrypt. My solution was for people who want to migrate to MD5 passwords slowly.
Evren

From owner-freebsd-security Mon Sep 18 12:25:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 7DCBA37B422 for ; Mon, 18 Sep 2000 12:25:52 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id PAA31724 for ; Mon, 18 Sep 2000 15:25:51 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Mon, 18 Sep 2000 15:25:51 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: freebsd-security@FreeBSD.org
Subject: Re: cvs commit: src/sys/ufs/ufs ufs_vnops.c (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thought this might be of interest to some readers here. As part of the capabilities support in the TrustedBSD tree, I have started doing a cataloging of the use of privilege within the FreeBSD source tree. In response to a question from Garrett Wollman, I pasted some sections into a recent e-mail relating to a UFS suser-related commit. If there are any questions or comments, I'd be glad to hear them, either on this mailing list, or on the trustedbsd-discuss@trustedbsd.org mailing list.

Robert N M Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

---------- Forwarded message ----------
Date: Mon, 18 Sep 2000 14:53:54 -0400 (EDT)
From: Robert Watson
To: Garrett Wollman
Cc: developers@FreeBSD.org
Subject: Re: cvs commit: src/sys/ufs/ufs ufs_vnops.c

Robert Watson wrote:
> The following is a list of assertions of privilege that occur within the
> UFS source tree. In each case, I attempt to document the situation, the
> use of privilege, and whether or not that is a safe use in the context of
> jail() process containment. I'd welcome any corrections.

Just for reference, I'm going to throw in the mapping of these privileges to POSIX.1e and Linux capabilities. I also left out two uses of privilege:

(1) Relating to the adding of the sticky-bit to files, which I recently disabled. Prior to that, privilege could be asserted to allow the sticky bit to be set on objects other than directories, rather than returning EFTYPE. I put this down as a historical curiosity, but feedback on that change would also be welcome; as such, there is no capability reflecting this privilege in my implementation.

(2) vaccess() called by ufs_access() allows privilege to override discretionary restrictions on the reading, writing, and executing of files. For files, these map into CAP_DAC_READ_SEARCH, CAP_DAC_WRITE, and CAP_DAC_EXECUTE. For directories, CAP_DAC_READ_SEARCH, CAP_DAC_WRITE, and CAP_DAC_READ_SEARCH (lookup permission). The implementation committed to vfs_subr() isn't quite in sync with this, but it is not enabled so not an issue.

> ufs_extattrctl(): If a process wishes to configure extended attribute
> support on a UFS file system, it must assert privilege. The assertion of
> this privilege is not safe within jail().

CAP_SYS_ADMIN

> ufs_extattr_credcheck(): If a process wishes to read or modify a system
> namespace extended attribute, it must assert privilege. The assertion of
> this privilege is not safe within jail().

CAP_SYS_ADMIN

> ufs_lookup(): If a process wishes to remove a file from a directory, and
> the directory has the sticky bit set, then either the process must own the
> directory, or must own the file to be deleted, unless privilege is
> asserted. The assertion of this privilege is safe within jail().

CAP_DAC_WRITE

> WRITE(): If a process writes to a file, either by virtue of discretionary
> access rights, or assertion of privilege, the setuid and setgid bits will
> be removed from that file, unless privilege is asserted. The assertion of
> this privilege is safe within jail().

CAP_FSETID

> ufs_setattr(): A process is permitted to change the user file flags of a
> file if the process has a uid matching that of a file, or via the
> assertion of privilege. The assertion of this privilege should be safe
> within jail().

CAP_FOWNER

> ufs_setattr(): A process is permitted to set system flags of a file via
> the assertion of privilege. The assertion of this privilege is not safe
> within jail().

CAP_SYS_SETFFLAG ("CAP_LINUX_IMMUTABLE" in Linux-speak)

> ufs_setattr(): A process is permitted to change the file utimes if it may
> modify the file via discretionary access rights, or via assertion of
> privilege. The assertion of this privilege should be safe within jail().

CAP_FOWNER

> ufs_chmod(): A process changing the mode of the file is permitted to do so
> based on file ownership or assertion of privilege. However, if the sgid
> bit will be enabled in the final mode, either the process must be a member
> of the group of the file, or privilege must be asserted. The assertion of
> these privileges should be safe within jail().

Generally, CAP_FOWNER is used to override ownership requirements, except in the case of setting the setuid and setgid bits, in which case it is CAP_FSETID. Both might be asserted in a particular call.

> ufs_chown(): A process is permitted to change the ownership related to a
> file only in the following situations:
>
> (1) To change the owner of a file, the process must assert privilege.

CAP_CHOWN

> (2) To change the group of the file, the process effective uid must
> be the same as the owner of the file, and the target group of the
> file must be in the process's effective group membership, or the
> process must assert privilege.

CAP_CHOWN

> The assertion of this privilege should be safe within jail().
>
> ufs_chown(): If a process changes the ownership of a file, and either the
> owner or the group of the file changes, then unless privilege is asserted,
> the setuid and setgid bits on the file will be removed. The assertion of
> this privilege should be safe within jail().

CAP_FSETID

> ufs_rename(): If the process attempts to rename a file and the target
> directory of the rename has the sticky bit set, the process must own the
> target directory of the rename or the file to be overwritten by the
> rename, unless it asserts privilege. The assertion of this privilege
> should be safe within jail().

CAP_DAC_WRITE

> ufs_makeinode(): If a process creates a new file and requests that the
> setgid bit be set, the process must be a member of the group with the gid
> of the file, or the setgid bit cannot be set without the assertion of
> privilege. The assertion of this privilege should be safe within jail().

CAP_FSETID

> There are additional assertions of privilege associated with the quota
> code. I have not attempted to understand them fully as yet, so they're
> not on my list of jail-safe or jail-not-safe yet. My guess is that they
> are split into two categories, one relating to the configuration and
> management of quotas, and the other related to quota interaction based on
> chown and friends. They will need similar analysis.
> > Robert N M Watson > > robert@fledge.watson.org http://www.watson.org/~robert/ > PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 > TIS Labs at Network Associates, Safeport Network Services > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 18 13: 9:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from kronus.com.br (dial-bhn-C8C0B48F.bhz.zaz.com.br [200.192.180.143]) by hub.freebsd.org (Postfix) with SMTP id 45E8037B423 for ; Mon, 18 Sep 2000 13:09:37 -0700 (PDT) Received: (qmail 296 invoked by uid 1000); 18 Sep 2000 20:12:14 -0000 Date: Mon, 18 Sep 2000 17:12:14 -0300 From: Fred Souza To: Bosko Milekic Cc: security@FreeBSD.ORG Subject: Re: Panic when receiving packets with invalid versions Message-ID: <20000918171214.A269@torment.secfreak.com> References: <20000918115643.A470@torment.secfreak.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Your message of "Mon, Sep 18 2000 13:05:25 -0400" X-Note: \x70\x73\x79\x63\x68 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Can you please send a complete traceback, as well as other (more > useful) debugging information? -- See the Handbook for more information. > Looks like a NULL pointer dereference. Hi. Thank you for the time, in advance. I've read the Handbook as you told me to, followed its steps (I ended up having to rebuild the kernel) and generated the dump files, but I don't have enough knowledge to do much from it. I just did exactly how it looked like in the Handbook, and it's almost the same I posted before. Anyways, here goes what I got from it. ----- torment:ttyp1:/usr/src/sys/compile/TORMENT# gdb -k kernel.debug /var/crash/vmcore.0 GNU gdb 4.18 Copyright 1998 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 3293184
initial pcb at 2aa060
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x0
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc0190b43
stack pointer           = 0x10:0xc644dcc0
frame pointer           = 0x10:0xc644dcec
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 246 (isic)
interrupt mask          =
trap number             = 12
panic: page fault

syncing disks... 27 27 13 2
done
Uptime: 2m39s

dumping to dev #ad/0x40001, offset 139264
dump ata0: resetting devices .. done
60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  0xc0133214 in boot ()
(kgdb) where
#0  0xc0133214 in boot ()
#1  0xc0133598 in poweroff_wait ()
#2  0xc0236e0d in trap_fatal ()
#3  0xc0236ae5 in trap_pfault ()
#4  0xc023669f in trap ()
#5  0xc0190b43 in ip_natout ()
#6  0xc018e012 in fr_check ()
#7  0xc0183fd4 in ip_output ()
#8  0xc018590b in rip_output ()
#9  0xc0185d4f in rip_send ()
#10 0xc014f44b in sosend ()
#11 0xc0152a19 in sendit ()
#12 0xc0152b0d in sendto ()
#13 0xc02370b9 in syscall2 ()
#14 0xc02294b5 in Xint0x80_syscall ()
#15 0x8049235 in ?? ()
#16 0x8048ad1 in ?? ()
(kgdb) up 10
#10 0xc014f44b in sosend ()
(kgdb) up
#11 0xc0152a19 in sendit ()
(kgdb) up
#12 0xc0152b0d in sendto ()
(kgdb) up
#13 0xc02370b9 in syscall2 ()
(kgdb) up
#14 0xc02294b5 in Xint0x80_syscall ()
(kgdb) up
#15 0x8049235 in ?? ()
(kgdb) up
#16 0x8048ad1 in ?? ()
(kgdb) up
Initial frame selected; you cannot go up.
(kgdb) list
1       /*-
2        * Copyright (c) 2000 FreeBSD Inc.
3        * All rights reserved.
4        *
5        * Redistribution and use in source and binary forms, with or without
6        * modification, are permitted provided that the following conditions
7        * are met:
8        * 1. Redistributions of source code must retain the above copyright
9        *    notice, this list of conditions and the following disclaimer.
10       * 2. Redistributions in binary form must reproduce the above copyright
(kgdb) quit
torment:ttyp1:/usr/src/sys/compile/TORMENT# exit
exit
-----

Is it helpful by any chance? If anybody knows what I should be looking for exactly, please tell me and I'll look for it.

Peace,
.cseg

--
"What upsets me is not that you lied to me, but that from now on I can no longer believe you." -- Nietzsche

From owner-freebsd-security Mon Sep 18 13:15:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 917D537B422 for ; Mon, 18 Sep 2000 13:15:37 -0700 (PDT)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id e8IKFI629749; Mon, 18 Sep 2000 13:15:18 -0700 (PDT)
Date: Mon, 18 Sep 2000 13:15:17 -0700
From: Alfred Perlstein
To: Fred Souza
Cc: Bosko Milekic, security@FreeBSD.ORG
Subject: Re: Panic when receiving packets with invalid versions
Message-ID: <20000918131517.I15156@fw.wintelcom.net>
References: <20000918115643.A470@torment.secfreak.com> <20000918171214.A269@torment.secfreak.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000918171214.A269@torment.secfreak.com>; from cseg@kronus.com.br on Mon, Sep 18, 2000 at 05:12:14PM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Fred Souza [000918 13:09]
wrote: > > Can you please send a complete traceback, as well as other (more > > useful) debugging information? -- See the Handbook for more information. > > Looks like a NULL pointer dereference. > > Hi. Thank you for the time, in advance. I've read the Handbook as you > told me to, followed its steps (I ended up having to rebuild the kernel) > and generated the dump files, but I don't have enough knowledge to do > much from it. > > I just did exactly how it looked like in the Handbook, and it's almost the > same I posted before. Anyways, here goes what I got from it. > > ----- > torment:ttyp1:/usr/src/sys/compile/TORMENT# gdb -k kernel.debug /var/crash/vmcore.0 > GNU gdb 4.18 > Copyright 1998 Free Software Foundation, Inc. > GDB is free software, covered by the GNU General Public License, and you are > welcome to change it and/or distribute copies of it under certain conditions. > Type "show copying" to see the conditions. > There is absolutely no warranty for GDB. Type "show warranty" for details. > This GDB was configured as "i386-unknown-freebsd"... > IdlePTD 3293184 > initial pcb at 2aa060 > panicstr: page fault > panic messages: > --- > Fatal trap 12: page fault while in kernel mode > fault virtual address = 0x0 > fault code = supervisor read, page not present > instruction pointer = 0x8:0xc0190b43 > stack pointer = 0x10:0xc644dcc0 > frame pointer = 0x10:0xc644dcec > code segment = base 0x0, limit 0xfffff, type 0x1b > = DPL 0, pres 1, def32 1, gran 1 > processor eflags = interrupt enabled, resume, IOPL = 0 > current process = 246 (isic) > interrupt mask = > trap number = 12 > panic: page fault > > syncing disks... 27 27 13 2 > done > Uptime: 2m39s > > dumping to dev #ad/0x40001, offset 139264 > dump ata0: resetting devices .. 
done > 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 > --- > #0 0xc0133214 in boot () > (kgdb) where > #0 0xc0133214 in boot () > #1 0xc0133598 in poweroff_wait () > #2 0xc0236e0d in trap_fatal () > #3 0xc0236ae5 in trap_pfault () > #4 0xc023669f in trap () > #5 0xc0190b43 in ip_natout () > #6 0xc018e012 in fr_check () > #7 0xc0183fd4 in ip_output () > #8 0xc018590b in rip_output () > #9 0xc0185d4f in rip_send () > #10 0xc014f44b in sosend () > #11 0xc0152a19 in sendit () > #12 0xc0152b0d in sendto () > #13 0xc02370b9 in syscall2 () > #14 0xc02294b5 in Xint0x80_syscall () > #15 0x8049235 in ?? () > #16 0x8048ad1 in ?? () > (kgdb) up 10 > #10 0xc014f44b in sosend () > (kgdb) up > #11 0xc0152a19 in sendit () > (kgdb) up > #12 0xc0152b0d in sendto () > (kgdb) up > #13 0xc02370b9 in syscall2 () > (kgdb) up > #14 0xc02294b5 in Xint0x80_syscall () > (kgdb) up > #15 0x8049235 in ?? () > (kgdb) up > #16 0x8048ad1 in ?? () > (kgdb) up > Initial frame selected; you cannot go up. > (kgdb) list > 1 /*- > 2 * Copyright (c) 2000 FreeBSD Inc. > 3 * All rights reserved. > 4 * > 5 * Redistribution and use in source and binary forms, with or without > 6 * modification, are permitted provided that the following conditions > 7 * are met: > 8 * 1. Redistributions of source code must retain the above copyright > 9 * notice, this list of conditions and the following disclaimer. > 10 * 2. Redistributions in binary form must reproduce the above copyright > (kgdb) quit > torment:ttyp1:/usr/src/sys/compile/TORMENT# exit > exit > ----- > > Is it helpful by any chances? If anybody knows what I should be looking for > exactly, please tell me and I'll look for it. So close! :) You don't want to do 'up 10' you want to go 'up' until you hit the frame above 'trap' which is 'ip_natout', that's where you want to do your 'list' and 'print' of some of the variables that appear. 
you may also want to print out several variables by prefixing * to them to get the structure contents.

This looks like it may be a bug in ipfilter.

-Alfred

From owner-freebsd-security Mon Sep 18 14:22:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from kronus.com.br (dial-bhn-C8C0B488.bhz.zaz.com.br [200.192.180.136]) by hub.freebsd.org (Postfix) with SMTP id 56E8D37B423 for ; Mon, 18 Sep 2000 14:22:07 -0700 (PDT)
Received: (qmail 1107 invoked by uid 1000); 18 Sep 2000 21:26:29 -0000
Date: Mon, 18 Sep 2000 18:26:29 -0300
From: Fred Souza
To: Alfred Perlstein
Cc: Bosko Milekic, security@FreeBSD.ORG
Subject: Re: Panic when receiving packets with invalid versions
Message-ID: <20000918182629.A1082@torment.secfreak.com>
References: <20000918115643.A470@torment.secfreak.com> <20000918171214.A269@torment.secfreak.com> <20000918131517.I15156@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: Your message of "Mon, Sep 18 2000 13:15:17 -0700" <20000918131517.I15156@fw.wintelcom.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> So close! :)

Whoa! Luck? :)

> You don't want to do 'up 10' you want to go 'up' until you hit the
> frame above 'trap' which is 'ip_natout', that's where you want to
> do your 'list' and 'print' of some of the variables that appear.

Ok, thanks a lot. I'll surely remember that next time I need to debug the kernel (or anything else).

> you may also want to print out several variables by prefixing * to
> them to get the structure contents.

Ok.

> This looks like it may be a bug in ipfilter.

Absolutely right on that, sir! To be exact, the mistake was that I was loading NAT rules through interface ppp0 at boot-time. Since my box doesn't connect to the ISP at boot-time, that mapping maps to "nothing".
Unloading the mapping when ppp0 is not active solved the problem. Thank you _very_much_ for your help. Peace, .cseg -- This is what you get when you meet someone who has spent most of his/her entire life, thinking. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 18 17:44:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 375A337B42C for ; Mon, 18 Sep 2000 17:44:54 -0700 (PDT) Received: from lafontaine.cybercable.fr (lafontaine.cybercable.fr [212.198.0.202]) by mx1.FreeBSD.org (Postfix) with SMTP id 474BE6E29A8 for ; Mon, 18 Sep 2000 17:44:53 -0700 (PDT) Received: (qmail 15498283 invoked from network); 19 Sep 2000 00:43:51 -0000 Received: from r227m167.cybercable.tm.fr (HELO gits.dyndns.org) ([195.132.227.167]) (envelope-sender ) by lafontaine.cybercable.fr (qmail-ldap-1.03) with SMTP for ; 19 Sep 2000 00:43:51 -0000 Received: (from root@localhost) by gits.dyndns.org (8.9.3/8.9.3) id CAA44783; Tue, 19 Sep 2000 02:43:50 +0200 (CEST) (envelope-from root) From: Cyrille Lefevre Message-Id: <200009190043.CAA44783@gits.dyndns.org> Subject: Re: ports/dhcp3: memory hole in dhclient In-Reply-To: <200009180438.e8I4c1V07634@grosse.bisbee.fugue.com> "from Ted Lemon at Sep 17, 2000 09:38:01 pm" To: Ted Lemon Date: Tue, 19 Sep 2000 02:43:50 +0200 (CEST) Cc: freebsd-ports@freebsd.org, freebsd-security@freebsd.org Reply-To: clefevre@citeweb.net Organization: ACME X-Face: V|+c;4!|B?E%BE^{E6);aI.[<97Zd*>^#%Y5Cxv;%Y[PT-LW3;A:fRrJ8+^k"e7@+30g0YD0*^^3jgyShN7o?a]C la*Zv'5NA,=963bM%J^o]C X-Mailer: ELM [version 2.4ME+ PL82 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Ted Lemon wrote: > > The current version of the software is 3.0b2pl4. 
I've fixed a number
> of memory leaks, although I can't promise you that I've fixed yours.

thanks. hope there are no more memory leaks.

ports updated : http://www.freebsd.org/cgi/query-pr.cgi?pr=21379

Cyrille.
--
home: mailto:clefevre@citeweb.net
work: mailto:Cyrille.Lefevre@edf.fr

From owner-freebsd-security Tue Sep 19 5:18:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id B3E9C37B423 for ; Tue, 19 Sep 2000 05:18:09 -0700 (PDT)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id OAA20559; Tue, 19 Sep 2000 14:17:55 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Alfred Perlstein
Cc: Fred Souza, Bosko Milekic, security@FreeBSD.ORG
Subject: Re: Panic when receiving packets with invalid versions
References: <20000918115643.A470@torment.secfreak.com> <20000918171214.A269@torment.secfreak.com> <20000918131517.I15156@fw.wintelcom.net>
From: Dag-Erling Smorgrav
Date: 19 Sep 2000 14:17:55 +0200
In-Reply-To: Alfred Perlstein's message of "Mon, 18 Sep 2000 13:15:17 -0700"
Message-ID:
Lines: 11
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alfred Perlstein writes:
> You don't want to do 'up 10' you want to go 'up' until you hit the
> frame above 'trap' which is 'ip_natout', that's where you want to
> do your 'list' and 'print' of some of the variables that appear.

Just do 'up 5' (since the number in front of ip_natout() is 5) and then 'list'.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Sep 19 5:40:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sunny.fishnet.com (sunny.fishnet.com [209.150.200.6]) by hub.freebsd.org (Postfix) with ESMTP id CEE3E37B42C for ; Tue, 19 Sep 2000 05:40:16 -0700 (PDT)
Received: from walleye.corp.fishnet.com (209.150.192.114) by sunny.fishnet.com (5.0.048) id 39A431C7000DE6E6 for security@freebsd.org; Tue, 19 Sep 2000 07:40:11 -0500
Message-ID:
From: "Hudson, Henrik H."
To: "'security@freebsd.org'"
Subject: IPFW Log Auditing?
Date: Tue, 19 Sep 2000 07:42:54 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Morning List-

I have been trying to find something that will do log auditing/scanning of already existing IPFW logs. Does such a tool exist?

There is IPLOG, but doesn't that generate its own logs and scan those? Or snort, but that's almost like IPLOG, right? Of course, I could be reading the FAQs backwards too.

While on this subject, if I have to use something like IPLOG/snort, does this still capture info about packets that IPFW has denied? What's the performance decrease on a machine that is running IPFW rules and iplog? Anything noticeable besides increased disk space needs?

Any other thoughts I should be having?

Thanks for your time.
Henrik hhudson@eschelon.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 19 7:44:13 2000 Delivered-To: freebsd-security@freebsd.org Received: from guru.cit-ua.net (office.radio.vostok.net [194.44.7.187]) by hub.freebsd.org (Postfix) with SMTP id 4241837B423 for ; Tue, 19 Sep 2000 07:44:02 -0700 (PDT) Received: (qmail 10426 invoked by uid 5046); 19 Sep 2000 17:43:55 +0300 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Sep 2000 17:43:55 +0300 Date: Tue, 19 Sep 2000 17:43:55 +0300 (EEST) From: Sergey Vishnevetskiy To: "Hudson, Henrik H." Cc: "'security@freebsd.org'" Subject: Re: IPFW Log Auditing? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi there! On Tue, 19 Sep 2000, Hudson, Henrik H. wrote: > Morning List- > > I have been trying to find something will do log auditing/scanning of > already existing IPFW logs? Does such a tool exist? What do you actually want to get from its logs, some accounting? Good luck. Serg. 
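Henrik's question above asks for a tool that audits ipfw log lines already sitting on disk, and Sergey's reply asks what one wants out of them. As an added example, not part of any message in this thread and not an existing tool, the Python script below does the basic offline job: it parses the lines ipfw writes to syslog for rules carrying the "log" keyword (rule number, action, protocol, source, destination, direction and interface), counts denied packets per source address and hits per rule, and flags any source that was denied on several distinct destination ports. The sample log lines are constructed for the example; the path /var/log/security in the usage comment and the threshold of three ports for a sweep are assumptions, and syslog lines that are not from ipfw are skipped.

```python
"""Offline audit of an existing ipfw syslog: denies per source, hits per rule, port sweeps."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not taken from the thread). The format is the one
# ipfw writes to syslog for rules carrying the "log" keyword:
#   ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <ifname>
# ICMP packets carry "ICMP:<type>.<code>" in the proto field and have no ports.
SAMPLE_LOG = """\
Sep 19 07:40:01 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:4321 198.51.100.5:22 in via fxp0
Sep 19 07:40:02 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:4322 198.51.100.5:23 in via fxp0
Sep 19 07:40:02 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:4323 198.51.100.5:135 in via fxp0
Sep 19 07:40:05 fw /kernel: ipfw: 100 Accept TCP 198.51.100.5:1025 203.0.113.9:80 out via fxp0
Sep 19 07:40:09 fw /kernel: ipfw: 500 Deny UDP 192.0.2.77:53 198.51.100.5:53 in via fxp0
Sep 19 07:40:10 fw /kernel: ipfw: 600 Deny ICMP:8.0 192.0.2.10 198.51.100.5 in via fxp0
Sep 19 07:40:11 fw named[211]: unrelated daemon message, skipped by the parser
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))? "
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw(text):
    """Return one dict per ipfw line; other syslog lines are ignored."""
    records = []
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        # Ports are absent for ICMP and other port-less protocols.
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        records.append(rec)
    return records


def audit(text, sweep_threshold=3):
    """Summarise the log: denies per source, hits per rule, and sources denied on
    at least sweep_threshold distinct destination ports (a crude sweep indicator;
    the default threshold is an assumption, tune it for the site)."""
    denies_by_src = Counter()
    hits_by_rule = Counter()
    ports_by_src = defaultdict(set)
    for rec in parse_ipfw(text):
        hits_by_rule[rec["rule"]] += 1
        if rec["action"] != "Deny":
            continue
        denies_by_src[rec["src"]] += 1
        if rec["dport"] is not None:
            ports_by_src[rec["src"]].add(rec["dport"])
    sweeps = sorted(src for src, ports in ports_by_src.items()
                    if len(ports) >= sweep_threshold)
    return {
        "denies_by_src": dict(denies_by_src),
        "hits_by_rule": dict(hits_by_rule),
        "sweeps": sweeps,
    }


def format_report(summary):
    """Render the summary as the kind of text a nightly cron mail would carry."""
    lines = ["Denied packets per source:"]
    for src, n in sorted(summary["denies_by_src"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {src:<15} {n}")
    lines.append("Hits per rule:")
    for rule, n in sorted(summary["hits_by_rule"].items()):
        lines.append(f"  {rule:<6} {n}")
    if summary["sweeps"]:
        lines.append("Possible port sweeps from: " + ", ".join(summary["sweeps"]))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Feed a real log on stdin (e.g. < /var/log/security, path assumed),
    # otherwise report on the constructed sample above.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(format_report(audit(data)))
```

Saved as, say, ipfw_audit.py, running it with no input prints the report for the constructed sample; feeding it a real syslog on stdin audits that instead. Because ipfw only logs rules that carry the "log" keyword, the report only sees what the ruleset was told to log, which is the answer to the question of whether denied packets show up: they do, if the deny rules log.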
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 19 8: 0:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 86D3837B422 for ; Tue, 19 Sep 2000 08:00:14 -0700 (PDT) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA21516; Tue, 19 Sep 2000 08:00:04 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda21514; Tue Sep 19 08:00:01 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id IAA96459; Tue, 19 Sep 2000 08:00:01 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdZ96443; Tue Sep 19 07:59:48 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e8JExlb06601; Tue, 19 Sep 2000 07:59:47 -0700 (PDT) Message-Id: <200009191459.e8JExlb06601@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdwt6594; Tue Sep 19 07:58:56 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.1-RELEASE X-Sender: cy To: "Hudson, Henrik H." Cc: "'security@freebsd.org'" Subject: Re: IPFW Log Auditing? In-reply-to: Your message of "Tue, 19 Sep 2000 07:42:54 CDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 19 Sep 2000 07:58:56 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , " Hudson, Henrik H." writes: > Morning List- > > I have been trying to find something will do log auditing/scanning of > already existing IPFW logs? Does such a tool exist? > > There is IPLOG, but doesn't that generate it's own logs and scan those? 
> or snort, but that's almost like IPLOG, right? Of course, I could be reading
> the FAQs backwards too.
>
> While on this subject, if I have to use something like IPLOG/snort, does
> this still capture info about packets that IPFW has denied? What's the
> performance decrease on a machine that is running IPFW rules and iplog?
> Anything noticeable besides increased disk space needs?
>
> Any other thoughts I should be having?

Take a look at swatch. At home I run it daily to produce a colourized listing of my firewall logs. At work we run it as a daemon to initiate automated call-out to our pager/cell phones. The next phase of our automated logging project will use swatch to open Remedy tickets. Swatch is in the ports collection.

Regards,

Cy Schubert                        Phone: (250)387-8437
Team Leader, Sun/DEC Team          Fax:   (250)387-5766
Open Systems Group, ITSD, ISTA     Internet: Cy.Schubert@osg.gov.bc.ca
Province of BC

From owner-freebsd-security Tue Sep 19 12:43:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lafontaine.cybercable.fr (lafontaine.cybercable.fr [212.198.0.202]) by hub.freebsd.org (Postfix) with SMTP id 360BB37B43C for ; Tue, 19 Sep 2000 12:43:09 -0700 (PDT)
Received: (qmail 16146938 invoked from network); 19 Sep 2000 19:42:25 -0000
Received: from r227m167.cybercable.tm.fr (HELO gits.dyndns.org) ([195.132.227.167]) (envelope-sender ) by lafontaine.cybercable.fr (qmail-ldap-1.03) with SMTP for ; 19 Sep 2000 19:42:25 -0000
Received: (from root@localhost) by gits.dyndns.org (8.11.0/8.11.0) id e8JJgMc03338; Tue, 19 Sep 2000 21:42:22 +0200 (CEST) (envelope-from root)
From: Cyrille Lefevre
Message-Id: <200009191942.e8JJgMc03338@gits.dyndns.org>
Subject: Re: wats so special about freeBSD?
In-Reply-To: <89731E9AF92BD411869200D0B71BB4DC0FC297@ASERVER> "from Akbar at Sep 19, 2000 12:29:35 pm"
To: Akbar
Date: Tue, 19 Sep 2000 21:42:20 +0200 (CEST)
Cc: freebsd-advocacy@freebsd.org, freebsd-chat@freebsd.org
Reply-To: clefevre@citeweb.net
Organization: ACME
X-Face: V|+c;4!|B?E%BE^{E6);aI.[<97Zd*>^#%Y5Cxv;%Y[PT-LW3;A:fRrJ8+^k"e7@+30g0YD0*^^3jgyShN7o?a]C la*Zv'5NA,=963bM%J^o]C
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Akbar wrote:
[snip]
> what is so special about BSD? what is the major difference between BSD and
> Linux?? if it's so robust then why is linux so hyped? i am a bit confused. i

BSD vs GNU/Linux:

- central development (non-central development for linux boxes)
- ports system (aka rpm for linux boxes)
- from my point of view, much more unix philosophy compliant
- public domain (/usr/local) != userland (/), where linux boxes merge both
- and many more reasons...

> am seeking out a career in the security area and i am seriously thinking of
> learning 1 unix based OS. and i am stuck. which one would be best to learn??

for security purposes, OpenBSD is well suited.

> linux or BSD?? and how far would the knowledge of each OS allow me to shift
> to the other OS? i mean, if i learn BSD would it be easy for me to program in
> Linux? or vice versa??

you'll probably get better habits w/ BSD than w/ GNU/Linux. much better is to follow standards and not to use all those non-standard libraries, however easy they are to use. so, your programs would run on many unix flavors.

> p.s. if i start to learn BSD which version or distribution is best suited?

for x86, FreeBSD 4.1 would be appropriate and has a bigger audience than the other BSDs (OpenBSD and NetBSD).
> (i have programming experience of C, C++ and java and i have worked on Unix
> some 3 yrs back)

sounds good :)

much better is to follow this thread in freebsd-advocacy@freebsd.org or freebsd-chat@freebsd.org. CC: positioned.

Cyrille.
--
home: mailto:clefevre@citeweb.net
work: mailto:Cyrille.Lefevre@edf.fr

From owner-freebsd-security Tue Sep 19 17:51:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id B6FFB37B423 for ; Tue, 19 Sep 2000 17:51:29 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id UAA53670 for ; Tue, 19 Sep 2000 20:51:29 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Tue, 19 Sep 2000 20:51:29 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: freebsd-security@FreeBSD.org
Subject: Capability patch 0.5.4 (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Figured this might be of interest to people on the freebsd-security side; apologies to those who receive two copies. Any replies to trustedbsd-discuss@TrustedBSD.org if appropriate, please.

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

---------- Forwarded message ----------
Date: Tue, 19 Sep 2000 20:48:31 -0400 (EDT)
From: Robert Watson
To: trustedbsd-discuss@TrustedBSD.org
Subject: Capability patch 0.5.4

Wow, it even has release notes. Attached below, including build instructions, how to enable capabilities on disk, and a list of changes since the prior revision 0.4.
I've committed a number of updates to the base tree in terms of documentation, et al, so you'll need to update to FreeBSD 5.0-CURRENT from around 9/19/2000.

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

---

Capability Patch 0.5.4

TO USE

Recompile, install world to get userland binary changes.
Recompile, install your kernel with FFS_EXTATTR and CAPABILITIES options.
Compile cap_test tree.
Reboot.

Your kernel should now have capability support. You can use

  sysctl kern.security.capabilities_enabled

and

  sysctl kern.security.suser_enabled

to check whether capabilities and/or superuser support are currently enabled. kern.security.capabilities_enabled will only be defined if the kernel is compiled to support capabilities.

To enable file system support for capabilities, you'll first need to create a backing file for the extended attribute $posix1e.cap. This need only be done once.

  mkdir /.attribute
  extattrctl initattr -p / 24 /.attribute/'$posix1e.cap'

Add the following line to your /etc/rc.conf, assuming you merged in the new /etc/rc from your source tree:

  extattr_root="YES"

This will automatically enable extended attributes in the root file system based on the name of the file in /.attribute. To manually start the POSIX.1e capabilities attribute without rebooting, run the following:

  extattrctl start /
  extattrctl enable / '$posix1e.cap' /.attribute/'$posix1e.cap'

If the backing file format or capability structures change, removing and regenerating the attribute file may be required.

In the cap_test directory, there is a tool named fsetsomecaps. Running this tool will configure a number of base system binaries. This will only succeed if capabilities are enabled for the file systems containing these binaries, so some caution is required.
Name                    Description
----                    -----------
/usr/sbin/traceroute    Remove setuid root, replace with CAP_NET_RAW
/usr/sbin/traceroute6   Remove setuid root, replace with CAP_NET_RAW
/sbin/ping              Remove setuid root, replace with CAP_NET_RAW
/sbin/ping6             Remove setuid root, replace with CAP_NET_RAW
/usr/bin/rlogin         Remove setuid root, replace with CAP_NET_BIND_SERVICE
/usr/bin/rsh            Remove setuid root, replace with CAP_NET_BIND_SERVICE

As long as capabilities are enabled both in the kernel (kern.security.capabilities_enabled=1) and file system support is enabled for the file system storing the binary in question, these programs will work. Disabling capabilities will cause them to fail, as they will no longer have the privilege required to execute.

Warning: Disabling kern.security.suser_enabled will result in an unusable system, unless you have done a lot more work than that which is described above. This is because CAP_SYS_ADMIN is required to modify sysctl's after suser() has been disabled, and the instructions above do not provide any processes with that capability.

CHANGES

0.5.3 -> 0.5.4

o capability.h CAP_* entries redone based on some inconsistencies in their allocation. This means old capability backing files from prior capability patches will no longer behave properly, and must be deleted and recreated.
o cap_from_text() and cap_to_text() implemented and documented for libposix1e. The man pages have been committed to the base FreeBSD CVS repository and as such are not included in the patch.
o Some man page cleanups, most committed to the base repo and not included in the patch.
o cap_test programs rewritten a bit to take advantage of new library calls, but still not posix.2c-happy. Please see the README file in the cap_test-0.5.4.tgz for descriptions of what these utilities do.
o /etc/rc, /etc/defaults/rc.conf modified to support automatic starting of capabilities at boot for the root file system.
0.4 -> 0.5.3

o Changed struct cap to use u_int64_t instead of arrays of ints, greatly simplifying the handling of capability objects. This bounds the number of unique capabilities at 64, but that is probably fine in practice. The new capability format is binary-compatible with the old one on x86 hardware, so existing capability EAs should be fine.
o Many, many more suser()->cap_check() changes throughout the kernel source code. Pretty much all kern/*, net*/*, and {fs,miscfs}/*/* done. Hardware driver suser()'s generally not done.
o New sysctl's kern.security.{capabilities_enabled,suser_enabled} replace kern.suser_enabled, permitting toggling of capabilities and suser support on demand. Don't turn both off at once. kern.suser_permitted remains also, toggling support for the traditional suser() call, but once suser() goes away, it will go away also.
o Remove inheritable checking on cap_valid() to better support D17 inheritance properties.
o Modify cap_subset() to be more clear, and check all of effective, permitted, and inheritable, rather than just permitted.
o Initialize init with all capabilities set permitted|effective, and not inheritable. More consistent with model of booting with capabilities, allowing init to pass capabilities on to /etc/rc and friends as required, rather than tagging them on binaries, increasing post-boot risk.
o Conditionalize capability loading from the binary in cap_inherit() on kern.security.capabilities_enabled, as well as CAPABILITIES ifdef. Fix inheritance rules to more closely match D17, as well as move setugid protection stuff out of cap_inherit, using a return of 1 to indicate protection is needed, 0 if not. Change protection rules to protect only for permitted or effective set.
o Update cap_check() to emulate suser(), and to check sysctls as appropriate. Remove cap_check_xxx() and just use cap_check().
o Push lock handling down from syscall interface to cap_get_vp() in most cases.
o Implemented cap_get_fd() and cap_set_fd()
o As cap_inherit() now returns a value, add protection of process to execve() after cap processing, and now also handle the file handle safety issue dealt with in setugidsafety() which seems to be a horrible hack.
o Generally adapt to inclusion of p_can code in base tree, removing a number of differences from the base tree. More than made up for by suser() changes. Adapt capability inclusion in inter-process authorization checking as a result.
o Cleanup of capability handling in UFS-derived file systems
o Adapt for *_access() -> vaccess() DAC change
o There is no POSIX.1e capability for setting the sticky bit on non-directories, and it appears to be a historical curiosity, so simply disallow it.

TODO:

o Per-fs capability support toggle (mount flag?)
o Inherited capability bounds
o Rewrite jail() to use inherited capability bounds
o Catch the rest of the suser() calls
o Verify that all privilege uses suser_used()
o CAP_NET_BROADCAST unused, probably should be somewhere.
o Allow CAP_MAC_* to break out of jail()
o Do capability stuff in exec() in a different order so that execution can fail if appropriate capabilities cannot be acquired due to a bounding set.
o CANSIGNAL() still makes an exception in the signal case based on membership in a process session and the signal is SIGCONT. Not sure what to do about this.
o Allow sysctl entries to depend on a capability rather than suser
o CAP_SYS_ADMIN is a catch-all -- deal with it.
o Check SysV IPC protection model and capability use
o POSIX.2c capability command-line tools
o Generalize EA startup so that it can occur for all file systems.
o Figure out relationship between kernel-authorized EA writes, immutable flags, etc. Right now, normal authorization checks are only performed for un-privileged users in ufs_extattr_credcheck() and may need fixing.
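The capability model the release notes describe, as an added example in Python rather than the patch's own C: a 64-bit mask per set, the three sets per process, cap_subset() over all three, a cap_check() that emulates suser() behind the two sysctls, and exec-time inheritance with the 0/1 "protect the process" return. The inheritance formula (the draft-17 rule as I understand it), the CAP_* bit positions and the process and file layouts are my assumptions and not taken from the patch; the two scenarios at the end replay the ping/CAP_NET_RAW table entry and the suser_enabled warning above.

```python
"""Model of the capability sets in the TrustedBSD POSIX.1e patch.

Added example, not code from the patch. It follows the design in the
notes (a set is a 64-bit mask; a process carries effective, permitted and
inheritable sets; cap_check() emulates suser(); cap_inherit() returns 1
when execve() must protect the process) and the draft-17 exec rule as I
understand it, an assumption since the notes do not spell it out:

    pP' = fP | (fI & pI)      pE' = pP' & fE      pI' = pI

CAP_* bit positions are arbitrary here; 0.5.4 renumbered the real ones.
"""
from dataclasses import dataclass

CAP_NET_BIND_SERVICE = 1 << 10
CAP_NET_RAW = 1 << 13
CAP_SYS_ADMIN = 1 << 21
ALL_CAPS = (1 << 64) - 1


@dataclass
class CapSet:
    effective: int = 0
    permitted: int = 0
    inheritable: int = 0


@dataclass
class Process:
    uid: int
    caps: CapSet


@dataclass
class Policy:
    capabilities_enabled: bool = True  # kern.security.capabilities_enabled
    suser_enabled: bool = True         # kern.security.suser_enabled


def cap_valid(c):
    """Well-formed when effective is a subset of permitted; the inheritable
    check was dropped in 0.5.3 so that D17 inheritance works."""
    return c.effective & ~c.permitted == 0


def cap_subset(a, b):
    """True when each set of a is contained in the matching set of b."""
    return (a.effective & ~b.effective == 0
            and a.permitted & ~b.permitted == 0
            and a.inheritable & ~b.inheritable == 0)


def cap_check(p, cap, pol=Policy()):
    """suser() emulation: uid 0 passes while suser is enabled; otherwise
    only a capability in the effective set grants the privilege."""
    if pol.suser_enabled and p.uid == 0:
        return True
    return pol.capabilities_enabled and bool(p.caps.effective & cap)


def cap_inherit(proc, file_caps, pol=Policy()):
    """Sets of the new image after exec, plus 1 if execve() must apply
    setugid-style protection because the file had permitted or effective
    bits (the rule in the 0.5.3 notes), else 0."""
    if not pol.capabilities_enabled or file_caps is None:
        file_caps = CapSet()          # no $posix1e.cap, or capabilities off
    permitted = file_caps.permitted | (file_caps.inheritable & proc.caps.inheritable)
    new = CapSet(permitted & file_caps.effective, permitted, proc.caps.inheritable)
    assert cap_valid(new)
    protect = 1 if (file_caps.permitted | file_caps.effective) else 0
    return new, protect


def ping_as_user(capabilities_enabled=True):
    """ping with setuid root removed and CAP_NET_RAW on the binary, run by
    an ordinary user: (raw-socket check passes?, protection flag)."""
    pol = Policy(capabilities_enabled=capabilities_enabled)
    user = Process(uid=1001, caps=CapSet())
    ping_file = CapSet(effective=CAP_NET_RAW, permitted=CAP_NET_RAW)
    new, protect = cap_inherit(user, ping_file, pol)
    return cap_check(Process(1001, new), CAP_NET_RAW, pol), protect


def rc_after_suser_off(init_inheritable=0, rc_inheritable=0):
    """The warning in the notes: init starts with everything permitted and
    effective but nothing inheritable, so a child exec'd with no permitted
    bits on its file ends up without CAP_SYS_ADMIN once suser() is off.
    Inheritable sets on both sides are how init hands privilege on without
    tagging the binary itself."""
    pol = Policy(suser_enabled=False)
    init = Process(0, CapSet(ALL_CAPS, ALL_CAPS, init_inheritable))
    rc_file = CapSet(effective=ALL_CAPS, inheritable=rc_inheritable)
    rc, _ = cap_inherit(init, rc_file, pol)
    return cap_check(Process(0, rc), CAP_SYS_ADMIN, pol)


if __name__ == "__main__":
    print("ping, capabilities on/off:", ping_as_user(), ping_as_user(False))
    print("rc may sysctl with suser off:", rc_after_suser_off(),
          "with inheritance:", rc_after_suser_off(ALL_CAPS, CAP_SYS_ADMIN))
```

The second scenario is the point of the warning: with suser() off, root's uid buys nothing, and because init's inheritable set is empty, /etc/rc can only obtain CAP_SYS_ADMIN by way of a permitted bit on its own file or an inheritable bit on both init and the file, neither of which the install steps above set up.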
To Unsubscribe: send mail to majordomo@trustedbsd.org with "unsubscribe trustedbsd-discuss" in the body of the message

From owner-freebsd-security Tue Sep 19 21:58:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta07.onebox.com (mta07.onebox.com [216.35.104.107]) by hub.freebsd.org (Postfix) with ESMTP id 2C89B37B422 for ; Tue, 19 Sep 2000 21:58:34 -0700 (PDT)
Received: from onebox.com ([216.33.158.154]) by mta07.onebox.com (InterMail vM.4.01.02.27 201-229-119-110) with SMTP id <20000920045948.JSIZ10559.mta07.onebox.com@onebox.com> for ; Tue, 19 Sep 2000 21:59:48 -0700
Received: from [203.107.232.70] by onebox.com with HTTP; Tue, 19 Sep 2000 21:58:34 -0700
Date: Tue, 19 Sep 2000 21:58:34 -0700
Subject: How to prevent relaying host.
From: "Chutima S."
To: freebsd-security@FreeBSD.ORG
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Message-Id: <20000920045948.JSIZ10559.mta07.onebox.com@onebox.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear all

I found that my host running FreeBSD 3.4 with sendmail version 8.9.3 has been receiving mail from strange people, and the target is not our users: hundreds of messages a day. Is it a relay host for some spam site? How can I reject that mail?

I already visited www.sendmail.org and read about relaying hosts, but I don't understand the M4 config; I only know how to use /etc/sendmail.cf to configure my sendmail process. And /etc/mail contains only 2 files, Makefile and README.
Thanks in advance,
Chutima Subsirin
chutima_s@zdnetonebox.com - email

___________________________________________________________________
To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax, all in one place - sign up today at http://www.zdnetonebox.com

From owner-freebsd-security Tue Sep 19 22:24: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: from finland.ispro.net.tr (finland.ispro.net.tr [212.174.120.1]) by hub.freebsd.org (Postfix) with ESMTP id EAC0437B424 for ; Tue, 19 Sep 2000 22:23:59 -0700 (PDT)
Received: from localhost (yurtesen@localhost) by finland.ispro.net.tr (8.9.3/8.9.3) with ESMTP id IAA86823; Wed, 20 Sep 2000 08:26:16 +0300 (EEST) (envelope-from yurtesen@ispro.net.tr)
Date: Wed, 20 Sep 2000 08:26:16 +0300 (EEST)
From: Evren Yurtesen
To: "Chutima S."
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent relaying host.
In-Reply-To: <20000920045948.JSIZ10559.mta07.onebox.com@onebox.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Are you sure you receive this email and your users are not sending it? Because I think the sendmail.cf in FreeBSD automatically blocks relaying by default, starting at version 3.1 I guess. How do your users send mail? Do they log in to the machine and send, or via SMTP remotely?

As for the m4 configuration, I found it easy to go to /usr/src/contrib/sendmail/cf/cf and then follow the instructions on sendmail's web page (if you installed sources you have this directory); there are also some sample configurations in there.

Evren

On Tue, 19 Sep 2000, Chutima S. wrote:

> Dear all
>
> I found that my host running FreeBSD 3.4 with sendmail version 8.9.3
> has been receiving mail from strange people, and the target is not our users: hundreds
> of messages a day.
> Is it a relay host for some spam site? How can I
> reject that mail?
>
> I already visited www.sendmail.org and read about relaying hosts, but I
> don't understand the M4 config; I only know how to use /etc/sendmail.cf to configure
> my sendmail process. And /etc/mail contains only 2 files, Makefile and
> README.
>
> Thanks in advance,
> Chutima Subsirin
> chutima_s@zdnetonebox.com - email
>
> ___________________________________________________________________
> To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax,
> all in one place - sign up today at http://www.zdnetonebox.com

From owner-freebsd-security Tue Sep 19 22:33:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id 8BCD537B423 for ; Tue, 19 Sep 2000 22:33:35 -0700 (PDT)
Received: from fpsn.net (control.fpsn.net [63.224.69.60]) by mail.fpsn.net (8.9.3/8.9.3) with ESMTP id XAA57244; Tue, 19 Sep 2000 23:31:35 -0600 (MDT) (envelope-from cfaber@fpsn.net)
Message-ID: <39C84B86.77CC382B@fpsn.net>
Date: Tue, 19 Sep 2000 23:30:46 -0600
From: Colin Faber
Reply-To: cfaber@fpsn.net
Organization: fpsn.net, Inc.
X-Mailer: Mozilla 4.6 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Evren Yurtesen
Cc: "Chutima S." , freebsd-security@FreeBSD.ORG
Subject: Re: How to prevent relaying host.
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Really the only way to allow any users without limits for relaying is to have FEATURE(promiscuous_relay) in your m4 file. By default FreeBSD 3.4 should ban traffic to any outward domain if the sender isn't localhost.
Check your config, for 3.4 I believe you can find the default under /usr/src/etc/sendmail/freebsd.mc Evren Yurtesen wrote: > > Are you sure you receive this email and your users are not sending > them? Because I think the sendmail.cf in FreeBSD automatically blocks > relaying as default by starting at version 3.1 I guess. > how does your users send mail? they > login to the machine and send or via smtp remotely? > As it comes to m4 configuration I found it easy to go to > /usr/src/contrib/sendmail/cf/cf and then fallow the instructions on > sendmails web page (if you installed sources you can have this directory) > there are also some sample configurations in there. > Evren > > > On Tue, 19 Sep 2000, Chutima S. wrote: > > > Dear all > > > > I found that my host running FreeBSD 3.4 with sendmail version 8.9.3 > > have receive mail from strange people and target is not our users hundreds > > messages a day. Is it was relay host for some spam site? How can I > > reject those mail? > > > > I already visited www.sendmail.org and read about relaying host but I > > don't understand M4 config, I know only I use /etc/sendmail.cf to config > > my sendmail process. And /etc/mail contains only 2 file Makefile and > > README. 
> > > > Thanks in advance, > > Chutima Subsirin > > chutima_s@zdnetonebox.com - email > > > > > > ___________________________________________________________________ > > To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax, > > all in one place - sign up today at http://www.zdnetonebox.com > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 19 22:49:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 3FCE837B423 for ; Tue, 19 Sep 2000 22:49:56 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id XAA07747; Tue, 19 Sep 2000 23:49:48 -0600 (MDT) Message-Id: <4.3.2.7.2.20000919233124.04dc4540@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 19 Sep 2000 23:41:25 -0600 To: "Chutima S." , freebsd-security@FreeBSD.ORG From: Brett Glass Subject: Re: How to prevent relaying host. In-Reply-To: <20000920045948.JSIZ10559.mta07.onebox.com@onebox.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If you did not install full sources you do not have all of the files you need to rebuild sendmail.cf using m4 (which is by far the best way to do it; editing sendmail.cf by hand is painful). Since 8.9.3 is now a fairly old version of Sendmail, it might be worth your while to download the latest one from sendmail.org and build it. 
Note, however, that the locations of files are different (and more consistent) in the latest version. All of the configuration files, including sendmail.cf, now reside in /etc/mail. --Brett At 10:58 PM 9/19/2000, Chutima S. wrote: >Dear all > >I found that my host running FreeBSD 3.4 with sendmail version 8.9.3 >have receive mail from strange people and target is not our users hundreds >messages a day. Is it was relay host for some spam site? How can I >reject those mail? > >I already visited www.sendmail.org and read about relaying host but I >don't understand M4 config, I know only I use /etc/sendmail.cf to config >my sendmail process. And /etc/mail contains only 2 file Makefile and >README. > >Thanks in advance, >Chutima Subsirin >chutima_s@zdnetonebox.com - email > > >___________________________________________________________________ >To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax, >all in one place - sign up today at http://www.zdnetonebox.com > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 19 23:23:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from sanson.reyes.somos.net (freyes.static.inch.com [216.223.199.224]) by hub.freebsd.org (Postfix) with ESMTP id A92A237B424; Tue, 19 Sep 2000 23:23:09 -0700 (PDT) Received: from tomasa (tomasa.reyes.somos.net [10.0.0.11]) by sanson.reyes.somos.net (8.9.3/8.9.3) with SMTP id CAA59230; Wed, 20 Sep 2000 02:13:52 -0400 (EDT) (envelope-from fran@reyes.somos.net) Message-Id: <200009200613.CAA59230@sanson.reyes.somos.net> From: "Francisco Reyes" To: "Jeremy Norris" , "Matthew N. 
Dodd"
Cc: "net@FreeBSD.ORG" , "security@FreeBSD.ORG"
Date: Wed, 20 Sep 2000 02:17:48 -0400
Reply-To: "Francisco Reyes"
X-Mailer: PMMail 2000 Professional (2.10.2010) For Windows 98 (4.10.2222)
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: ip filtering along side ipx
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 15 Sep 2000 19:04:58 -0400 (EDT), Matthew N. Dodd wrote:

>I setup my 2 ethernet interfaces with different IPX networks, enabled
>ipxgateway and IPXrouted and everything works.

Care to share some info on how you set up the IPX/netware compatibility on your FreeBSD box? The instructions at freebsd.org/~bp are probably complete, but not the most intuitive (maybe it's just my lack of ipx knowledge).

For instance there is a part of the docs at freebsd.org/~bp which reads: "select network number exactly the same as on NetWare server for Ethernet_II frame." How does one find the network number for existing netware servers?

francisco
Moderator of the Corporate BSD list
http://www.egroups.com/group/BSD_Corporate

From owner-freebsd-security Wed Sep 20 5: 4:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from iclub.nsu.ru (iclub.nsu.ru [193.124.222.66]) by hub.freebsd.org (Postfix) with ESMTP id 5B8E337B423 for ; Wed, 20 Sep 2000 05:04:27 -0700 (PDT)
Received: from localhost (fjoe@localhost) by iclub.nsu.ru (8.9.3/8.9.3) with ESMTP id SAA30307; Wed, 20 Sep 2000 18:55:24 +0700 (NSS) (envelope-from fjoe@iclub.nsu.ru)
Date: Wed, 20 Sep 2000 18:55:24 +0700 (NSS)
From: Max Khon
To: Matt Heckaman
Cc: Fred Souza , security@FreeBSD.ORG
Subject: Re: pine 4.21 port issues?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-1638822970-969450924=:29670"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hi, there!

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> : Going again into the silly root.mail 1777 solved the problem, but I
> : definitely don't like that idea. Any pointers on how to get rid of that?
>
> Yeah, just do what someone suggested and what I just put in over here, it
> gets rid of the messages and doesn't hurt anything that I've seen.
>
> Create /usr/local/etc/pine.conf.fixed, in it put:
>
> feature-list= quell-lock-failure-warnings
>
> That'll enforce that option on all pine clients, effectively shutting up
> the message. I doubt running pine with /var/mail root:mail 0775 will hurt
> anything, I've *always* run it that way.

This is hardly a security issue, but pine4 always had patches/patch-aw to quell this warning. But since libc-client has been moved to a separate port it does not have this patch (the pine4 port now uses libc-client from /ports/mail/cclient/, and all imap patches in it are useless). Add the attached patch to ports/mail/cclient/patches and rebuild it. The port maintainer of mail/cclient has been contacted.
/fjoe

Attachment patch-ae (decoded from base64):

--- src/osdep/unix/env_unix.c.orig	Thu May  4 00:33:01 2000
+++ src/osdep/unix/env_unix.c	Wed Sep 20 17:44:37 2000
@@ -848,7 +848,8 @@
 	      }
 	      close (pi[0]); close (pi[1]);
 	    }
-	    if (lockEaccesError){/* punt silently if paranoid site */
+	    if (strncmp(base->lock,"/var/mail/",10) && lockEaccesError) {
+	    /* punt silently if paranoid site */
 	      sprintf (tmp,"Mailbox vulnerable - directory %.80s",hitch);
 	      if (s = strrchr (tmp,'/')) *s = '\0';
 	      strcat (tmp," must have 1777 protection");

From owner-freebsd-security Wed Sep 20 14:22: 6 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 34F0F37B42C; Wed, 20 Sep 2000 14:21:37 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:46.screen [UPDATED]
Reply-To: security-advisories@freebsd.org
Message-Id: <20000920212137.34F0F37B42C@hub.freebsd.org>
Date: Wed, 20 Sep 2000 14:21:37 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:46                                           Security Advisory
                                                                FreeBSD, Inc.
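Review bot: the new condition in the hunk above hard-codes "/var/mail/" as the spool prefix, so the "Mailbox vulnerable - directory ... must have 1777 protection" diagnostic is silenced for every mailbox under /var/mail/ whatever that directory's mode actually is, while spools at any other path still warn. If the goal is to quiet the warning for the FreeBSD layout (root:mail 0775 rather than 1777), keying on the lockEaccesError switch the original line already consulted for exactly that purpose ("punt silently if paranoid site"), or on a build-time define for the spool directory, would be clearer than a strncmp against a literal; as a smaller point, the comment has moved onto its own line inside the block, where it now reads as if it described the sprintf rather than the condition.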
Topic:          screen port contains local root compromise
Category:       ports
Module:         screen
Announced:      2000-09-13
Updated:        2000-09-20
Affects:        Ports collection prior to the correction date.
Corrected:      2000-09-01
Credits:        Jouko Pynnönen
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

screen is a popular application that multiplexes a physical terminal between several processes.

II.  Problem Description

The screen port, versions 3.9.5 and before, contains a vulnerability which allows local users to gain root privileges. This is accomplished by inserting string-formatting operators into configuration parameters, which may allow arbitrary code to be executed.

The screen port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3800 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.1 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Local users can obtain root privileges. If you have not chosen to install the screen port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Remove the setuid bit on the program: execute the following command as root:

  chmod 555 /usr/local/bin/screen-3.9.5

Note that this should be considered a temporary measure and may affect the behaviour of the screen program.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the screen port.

NOTE: Be sure to delete the old package using pkg_delete before installing the new one! If you do not remove the old package you may still have a vulnerable setuid binary on your system.
To check for old screen packages which are still installed, execute the following command:

  ls -d /var/db/pkg/screen-*

For each returned entry, run pkg_delete on the directory name (e.g. pkg_delete screen-3.9.5). You will get warnings if more than one package is installed, but ignore them and proceed to rebuild the latest version of the screen port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/misc/screen-3.9.8.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/misc/screen-3.9.8.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/misc/screen-3.9.8.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/misc/screen-3.9.8.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/misc/screen-3.9.8.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the screen port from:

  http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

VI.
Revision History v1.0 2000-09-13 Initial release v1.1 2000-09-20 Add warning statement about properly deleting the old package before rebuilding the port -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOckp91UuHi5z0oilAQECagQAjaQoHD2VSikfT0Lj4V3T1V4gFOYO/10z iTV+lZUhzE5EWGCdvitxjjJyjYAt+oTDzAZoOUn7uVX33rUl11860o0wIu9NCZrh EIQVAXHK9pzhfUNE0iLpCEtmCvNsOMoIxg3RmZ0QqaP4+iw+UvyOMxFqS/BXKWyN 7V3hKDfWN18= =UMEK -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 20 15:34:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 43F7437B424; Wed, 20 Sep 2000 15:34:34 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA56588; Wed, 20 Sep 2000 15:34:34 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 20 Sep 2000 15:34:34 -0700 (PDT) From: Kris Kennaway To: ports@Freebsd/prg.FreeBSD.ORG Cc: security@freebsd.org Subject: Package Vulnerability scanner (CVS commit: pkgsrc (fwd)) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Anyone care to adapt this for FreeBSD? I don't have time right now. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe ---------- Forwarded message ---------- Date: Tue, 19 Sep 2000 22:23:17 +0300 (EEST) From: Alistair G. 
Crooks To: source-changes@netbsd.org Subject: CVS commit: pkgsrc Module Name: pkgsrc Committed By: agc Date: Tue Sep 19 19:23:17 UTC 2000 Update of /cvsroot/pkgsrc/security/audit-packages In directory netbsd.hut.fi:/tmp/cvs-serv6663 Log Message: Initial import of a package to scan a vulnerability list, looking for installed packages which are insecure and open to exploitation. The original idea came from Roland Dowdeswell and Bill Sommerfeld, quite independently, the unorthodox implementation by me. This package contains two scripts: (1) download-vulnerability-list, which downloads a list of vulnerable packages from the NetBSD ftp server, and (2) audit-packages, which scans all the packages installed on the local machine, looking for packages which are vulnerable. Status: Vendor Tag: TNF Release Tags: pkgsrc-base N pkgsrc/security/audit-packages/Makefile N pkgsrc/security/audit-packages/files/download-vulnerability-list N pkgsrc/security/audit-packages/files/audit-packages N pkgsrc/security/audit-packages/pkg/COMMENT N pkgsrc/security/audit-packages/pkg/DESCR N pkgsrc/security/audit-packages/pkg/PLIST No conflicts created by this import To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 20 17:18:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id D98E337B422; Wed, 20 Sep 2000 17:18:13 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id RAA74892; Wed, 20 Sep 2000 17:18:13 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 20 Sep 2000 17:18:13 -0700 (PDT) From: Kris Kennaway To: Will Andrews Cc: James Housley , ports@FreeBSD.ORG, security@FreeBSD.org Subject: Re: Package Vulnerability scanner (CVS commit: pkgsrc (fwd)) 
In-Reply-To: <20000920184458.S35550@radon.gryphonsoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 20 Sep 2000, Will Andrews wrote:
> On Wed, Sep 20, 2000 at 07:37:42PM -0400, James Housley wrote:
> > Unless I hear someone has started I will take a crack at this.
>
> Beat you to it. I already submitted one to Kris.

The real difficulty here is developing the list of vulnerable packages - in order for it to be useful, we should at least cover the advisories released this year.

NetBSD also integrated it into their bsd.pkg.mk somehow - I didn't check what they did.

Kris
--
In God we Trust -- all others must submit an X.509 certificate.
        -- Charles Forsythe

From owner-freebsd-security Thu Sep 21 0:45:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id AED4937B422; Thu, 21 Sep 2000 00:45:43 -0700 (PDT)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 13c13F-0007yL-00; Thu, 21 Sep 2000 09:45:49 +0200
Date: Thu, 21 Sep 2000 09:45:49 +0200 (IST)
From: Roman Shterenzon
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Subject: Re: Package Vulnerability scanner (CVS commit: pkgsrc (fwd))
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I can build a perl script which will:
1) download advisories
2) pgp check them
3) check a) the pkg version (if fixed in a later version) b) the install date of a package (if fixed only in ports) vs. the "fixed" date in the advisory.
4) optional - delete and install the newer version.

Is this what you have proposed?
On Wed, 20 Sep 2000, Kris Kennaway wrote:
> Anyone care to adapt this for FreeBSD? I don't have time right now.
>
> Kris
>
> --
> In God we Trust -- all others must submit an X.509 certificate.
>         -- Charles Forsythe
>
> ---------- Forwarded message ----------
> Date: Tue, 19 Sep 2000 22:23:17 +0300 (EEST)
> From: Alistair G. Crooks
> To: source-changes@netbsd.org
> Subject: CVS commit: pkgsrc
>
> Module Name:    pkgsrc
> Committed By:   agc
> Date:           Tue Sep 19 19:23:17 UTC 2000
>
> Update of /cvsroot/pkgsrc/security/audit-packages
> In directory netbsd.hut.fi:/tmp/cvs-serv6663
>
> Log Message:
> Initial import of a package to scan a vulnerability list, looking for
> installed packages which are insecure and open to exploitation.
>
> The original idea came from Roland Dowdeswell and Bill Sommerfeld, quite
> independently, the unorthodox implementation by me.
>
> This package contains two scripts:
> (1) download-vulnerability-list, which downloads a list of vulnerable
> packages from the NetBSD ftp server, and
> (2) audit-packages, which scans all the packages installed on the
> local machine, looking for packages which are vulnerable.
>
> Status:
>
> Vendor Tag:     TNF
> Release Tags:   pkgsrc-base
>
> N pkgsrc/security/audit-packages/Makefile
> N pkgsrc/security/audit-packages/files/download-vulnerability-list
> N pkgsrc/security/audit-packages/files/audit-packages
> N pkgsrc/security/audit-packages/pkg/COMMENT
> N pkgsrc/security/audit-packages/pkg/DESCR
> N pkgsrc/security/audit-packages/pkg/PLIST
>
> No conflicts created by this import

--
Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Thu Sep 21 1:27: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id AFACD37B422; Thu, 21 Sep 2000 01:27:00 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA89897; Thu, 21 Sep 2000 01:27:00 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 21 Sep 2000 01:27:00 -0700 (PDT)
From: Kris Kennaway
To: Roman Shterenzon
Cc: freebsd-security@freebsd.org
Subject: Re: Package Vulnerability scanner (CVS commit: pkgsrc (fwd))
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 21 Sep 2000, Roman Shterenzon wrote:
> I can build a perl script which will:
> 1) download advisories
> 2) pgp check them
> 3) check the a)pkg version (if fixed in later version) b)install date of
> a package (if fixed only in ports) vs. the "fixed" date in the advisory.
> 4) optional - delete and install newer version.

Hmm. That's an interesting idea - if we use a consistent description format in the advisory (and upload them in a timely manner to a repository - which will happen now that I have access to the FTP site) then the scanner can be essentially self-updating.

I actually haven't looked at the NetBSD implementation I forwarded, but I think it's just a static database of vulnerable packages which must be manually updated on the ftp site.

With the new package versioning system, each security fix will cause a version update of the package version number, making detection of vulnerable versions easy.
Upgrading the package is not so easy when it has dependencies - this is a problem which we've wanted someone to come along and solve for ages now, but if you want to have a crack at it it would also be great.

Thanks for your offer of help!

Kris
--
In God we Trust -- all others must submit an X.509 certificate.
        -- Charles Forsythe

From owner-freebsd-security Thu Sep 21 2:33: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from icon.icon-bg.net (icon.bg [62.176.80.58]) by hub.freebsd.org (Postfix) with SMTP id 3EA9E37B43E for ; Thu, 21 Sep 2000 02:32:51 -0700 (PDT)
Received: (qmail 70385 invoked by uid 1144); 21 Sep 2000 09:35:00 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 21 Sep 2000 09:35:00 -0000
Date: Thu, 21 Sep 2000 12:34:51 +0300 (EEST)
From: Victor Ivanov
To: freebsd-security@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: Ports upgrade [was Package Vulnerability scanner...]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

Hi, and sorry, this message is not related to security.

I have updated the ports collection and the 3.5 stable base source, tar-ed everything and then used it to upgrade a newly installed 3.4-release to 3.5-stable. But the pm3 port was the old 1.1.13 and cvsup depended on 1.1.14 (on the newest ports collection). Now I have to download 20 megabytes just for this reason: 'Upgrade to pm3-1.1.14. This eliminates 103 patch files. :-)'

Is there any way to update the ports distfiles (something like cvsup)? I see there are both pm3-1.1.13 and pm3-1.1.14 distfiles on ftp.freebsd.org...
Maybe a target in the makefile which extracts the package distfile (first find what version we have), downloads the (small) patches, applies them and optionally re-creates the archive (and renames it)? Of course, someone should create the patches :)

Players win and Winners play
Have a lucky day

On Thu, 21 Sep 2000, Kris Kennaway wrote:
> On Thu, 21 Sep 2000, Roman Shterenzon wrote:
> [cut]
>
> Upgrading the package is not so easy when it has dependencies - this is a
> problem which we've wanted someone to come along and solve for ages now,
> but if you want to have a crack at it it would also be great.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBOcnWQ/D9M5lef5W3AQFwkgP+IrC5akac2VnFyAyO+6rIug2uQSSkJHEz
7aV/F5/l5EfBkbC/inyAF8K5WPBMH0CgHDWNcVrw0Bbm3MnPrRhFKReVdcw02g+q
0e6i85FEZGuCNzxRKnxr/m40NwHSF8lqHQ2ct8IQZqnJZF8lJJBivOiMxmnA0RbL
YhPAg6a29Hs=
=ojOY
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Sep 21 7:42:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mgw1.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id 4ECC437B423 for ; Thu, 21 Sep 2000 07:42:21 -0700 (PDT)
Received: from mail.Go2France.com (ms1.meiway.com [212.73.210.73]) by mgw1.MEIway.com (Postfix Relay Hub) with ESMTP id 31B526A905 for ; Thu, 21 Sep 2000 16:42:20 +0200 (CEST)
Received: from sv.Go2France.com [212.73.210.79] by mail.Go2France.com with ESMTP (SMTPD32-6.04) id AF35174E0266; Thu, 21 Sep 2000 16:46:13 +0200
Message-Id: <5.0.0.25.0.20000921160730.03582040@mail.Go2France.com>
X-Sender: lconrad%Go2France.com@mail.Go2France.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Thu, 21 Sep 2000 16:42:17 +0200
To: freebsd-security@freebsd.org
From: Len Conrad
Subject: Kame VPN/IPsec FreeBSD srvr to Win32 VPN clients?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What experience does anybody have with the above?

Using which Win32 VPN client?
tia,
Len

http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 installable binary for NT4
http://IMGate.MEIway.com: Build free, hi-perf, anti-spam mail gateways

From owner-freebsd-security Thu Sep 21 8:18:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lunatic.oneinsane.net (lunatic.oneinsane.net [207.113.133.231]) by hub.freebsd.org (Postfix) with ESMTP id 5DD0F37B422 for ; Thu, 21 Sep 2000 08:18:16 -0700 (PDT)
Received: by lunatic.oneinsane.net (Postfix, from userid 1000) id AE8B615551; Thu, 21 Sep 2000 08:18:15 -0700 (PDT)
Date: Thu, 21 Sep 2000 08:18:15 -0700
From: Ron 'The InSaNe One' Rosson
To: freebsd-security@freebsd.org
Subject: Re: Kame VPN/IPsec FreeBSD srvr to Win32 VPN clients?
Message-ID: <20000921081815.A65154@lunatic.oneinsane.net>
Reply-To: Ron Rosson
Mail-Followup-To: freebsd-security@freebsd.org
References: <5.0.0.25.0.20000921160730.03582040@mail.Go2France.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.0.0.25.0.20000921160730.03582040@mail.Go2France.com>; from lconrad@Go2France.com on Thu, Sep 21, 2000 at 04:42:17PM +0200
X-Operating-System: FreeBSD lunatic.oneinsane.net 4.1-STABLE
X-Moon: The Moon is Waning Crescent (45% of Full)
X-Opinion: What you read here is my IMHO
X-WWW: http://www.oneinsane.net
X-GPG-FINGERPRINT: 3F11 DB43 F080 C037 96F0 F8D3 5BD2 652B 171C 86DB
X-Uptime: 8:15AM up 6 days, 20:57, 1 user, load averages: 1.04, 1.06, 1.07
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Len Conrad (lconrad@Go2France.com) wrote:
> What experience does anybody have with the above?
>
> Using which Win32 VPN client?
>

I am looking for the same thing but I want FreeBSD as a client too.
Also want to know if I can use the private IP space for the VPN addresses on the VPN server and use NAT to allow them to use the network that they VPN'd to.

Or am I thinking the impossible? ;-)

TIA

--
------------------------------------------------------------------------------
Ron Rosson                          ... and a UNIX user said ...
The InSaNe One                               rm -rf *
insane@oneinsane.net                 and all was /dev/null and *void()
------------------------------------------------------------------------------
I haven't lost my mind; Kosh has a backup.

From owner-freebsd-security Thu Sep 21 8:56: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from peony.ezo.net (peony.ezo.net [206.102.130.11]) by hub.freebsd.org (Postfix) with ESMTP id C2B9437B43E for ; Thu, 21 Sep 2000 08:55:56 -0700 (PDT)
Received: from localhost (jflowers@localhost) by peony.ezo.net (8.11.0.Beta3/8.11.0.Beta3) with ESMTP id e8LGCSS56077; Thu, 21 Sep 2000 12:12:28 -0400 (EDT)
Date: Thu, 21 Sep 2000 12:12:28 -0400 (EDT)
From: Jim Flowers
To: "Ron 'The InSaNe One' Rosson"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kame VPN/IPsec FreeBSD srvr to Win32 VPN clients?
In-Reply-To: <20000921081815.A65154@lunatic.oneinsane.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can't speak to Kame/IPSec but it works well with the FreeBSD port of SKIP. The answer to all of your questions is yes.

Jim Flowers
#4 ranked ISP on C|NET
#1 in Ohio

On Thu, 21 Sep 2000, Ron 'The InSaNe One' Rosson wrote:
> Len Conrad (lconrad@Go2France.com) wrote:
> > What experience does anybody have with the above?
> >
> > Using which Win32 VPN client?
> >
>
> I am looking for the same thing but I want FreeBSD as a client too. Also
> want to know if I can use the private IP space for the VPN addresses on
> the VPN server and use NAT to allow them to use the network that they
> VPN'd to.
>
> or am I thinking the impossible? ;-)
>
> TIA
> --
> ------------------------------------------------------------------------------
> Ron Rosson                          ... and a UNIX user said ...
> The InSaNe One                               rm -rf *
> insane@oneinsane.net                 and all was /dev/null and *void()
> ------------------------------------------------------------------------------
> I haven't lost my mind; Kosh has a backup.
>

From owner-freebsd-security Thu Sep 21 12: 6:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id A3CB337B446; Thu, 21 Sep 2000 12:06:11 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cBer-0004l9-00; Thu, 21 Sep 2000 21:05:21 +0200
Date: Thu, 21 Sep 2000 21:05:21 +0200
From: Neil Blakey-Milner
To: Brett Glass
Cc: cjclark@alum.mit.edu, Jordan Hubbard , Laurence Berland , security@FreeBSD.org
Subject: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000921210521.A17973@mithrandr.moria.org>
Reply-To: nbm@mithrandr.moria.org, security@FreeBSD.org
References: <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000921113652.053d4960@localhost>; from brett@lariat.org on Thu, Sep 21, 2000 at 11:38:51AM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ Cc trimmed, advocacy,chat -> security ]

On Thu 2000-09-21 (11:38), Brett Glass wrote:
> >>From a review of /etc/defaults/rc.conf, 5.0-CURRENT has turned off the
> >three biggies that I didn't like the default YES,
> >
> >     inetd_enable="NO"
> >     sendmail_enable="NO"
> >     portmap_enable="NO"
>
> But rc.conf turns them on!
>
> >But I assume /stand/sysinstall will ask if these should be turned on.
> >This is good.
>
> It still leaves all of these on WITHOUT ASKING.

I have an idea. Why don't you submit a patch that'll make sysinstall ask about them, instead of using those scary capital letters and exclamation marks that make it sound like you're incredibly shocked over all this, on inappropriate mailing lists?

Or, you could ask on one of the mailing lists if someone is willing to do the work for you, if you're unable to. Or maybe bring it to light on one of the appropriate mailing lists?

Don't take this personally - it just seemed incredibly ironic at the time.

Since we're here - does anyone feel up to writing a patch to make these questions instead, and I'll review them before passing it on to Jordan.
Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Thu Sep 21 17:33:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id A621E37B443 for ; Thu, 21 Sep 2000 17:33:35 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA29812; Thu, 21 Sep 2000 18:33:04 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000921182152.046d6ee0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 21 Sep 2000 18:32:48 -0600
To: Wes Peters , nbm@mithrandr.moria.org
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Cc: security@freebsd.org
In-Reply-To: <39CA8E45.7DA45048@softweyr.com>
References: <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 04:40 PM 9/21/2000, Wes Peters wrote:

>Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE
>WANT THEM THAT WAY? Most people who install FreeBSD just want telnet, mail,
>and NFS to work,

IMHO:

Telnet is dangerous and should be disabled now that SSH is in common use and is not encumbered by patents. sshd should be on unless the user asks for it not to be. (He or she should still be asked.)

Mail should be an option that defaults to "on" but lets the user ask that it not be activated at install time. Many of us like to reconfigure before turning it on. And others will be using FreeBSD as a workstation and will be using an e-mail client.... Sendmail doesn't need to be running.

As for NFS: I would take issue with the assertion that most people want it on. Also, last time I checked the default install of FreeBSD turned on /sbin/portmap even if the user explicitly asks for no NFS! This is unnecessary and is a security breach just waiting to happen.

>they don't want to spend hours agonizing over the configuration
>of every single computer they install.

I wind up spending hours agonizing over the configuration of every FreeBSD install I do, because I have to turn off many of the defaults which could potentially compromise security or waste resources.

>They rely on firewalls, prayer, or
>abject cluelessness to secure their systems, and that's just fine.

Windows users do that. FreeBSD users should have it better.

>Have you considered using OpenBSD? It does install with a more secure (i.e.
>"doesn't work for most people") configuration out of the box.

I have not only considered it -- I've used it quite a bit. On the table next to me are machines with the latest releases of FreeBSD, NetBSD, and OpenBSD.
--Brett Glass

From owner-freebsd-security Thu Sep 21 18:25:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pericles.IPAustralia.gov.au (pericles.IPAustralia.gov.au [202.14.186.30]) by hub.freebsd.org (Postfix) with ESMTP id A3B7437B449 for ; Thu, 21 Sep 2000 18:25:11 -0700 (PDT)
Received: (from smap@localhost) by pericles.IPAustralia.gov.au (8.9.3/8.9.3) id MAA89178 for ; Fri, 22 Sep 2000 12:25:09 +1100 (EST) (envelope-from anwsmh@IPAustralia.Gov.AU)
Received: from wf-133.aipo.gov.au(192.168.1.133) by pericles.IPAustralia.gov.au via smap (V2.0) id xma089173; Fri, 22 Sep 00 12:25:01 +1100
Received: from localhost (anwsmh@localhost) by stan (8.9.3/8.9.3) with ESMTP id MAA00778 for ; Fri, 22 Sep 2000 12:24:59 +1100 (EST) (envelope-from anwsmh@IPAustralia.Gov.AU)
X-Authentication-Warning: stan: anwsmh owned process doing -bs
Date: Fri, 22 Sep 2000 12:24:59 +1100 (EST)
From: Stanley Hopcroft
X-Sender: anwsmh@stan
To: security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: whats so special about freeBSD?)
In-Reply-To: <4.3.2.7.2.20000921182152.046d6ee0@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Ladies and Gentlemen,

I am writing to suggest that the criterion for deciding about these things is to consider who will benefit from changing the default settings, or what market one aims for.

If one's customers are naive users, then sure, take the MS Windows approach and do it (whatever it is) all for them and hope they eventually realise what you have done for/to them and appreciate it.

If there's a benefit in adopting the firewall principle of disabling whatever's unnecessary, or equivalently, a reducible or unacceptable cost in not doing so, then disabling stuff seems sensible.
As Mr Glass says, optimising these settings to harden many of the boxen I deal with (routers, terminal servers, DNS servers etc) is time consuming. It would be nice to only enable what I want rather than bear the risk of *not* disabling stuff.

That said, one of the lovely things about Unix is that it *is* configurable.

The only thing I might add is that setting up a workstation on memory-strapped hardware (eg a P133/32 MB when I'd like to run kde, netscape etc) is unfortunately fairly painful and shows up the different trade-offs in the MS and Unix environments. Since this has no bearing on security and is probably caused by applications or the different kernel approaches (not to mention the disgusting lack of MS integrity that surely must infect their code), it's hardly worth mentioning in this context. However, it would be a lovely advertisement to be able to highlight the robustness and grunt of FreeBSD by showing it run good-looking applications with the same apparent carelessness as MS Windows on the same gutless hardware.

As for me, my workstation's happy thrashing FreeBSD.

Thank you,

Yours sincerely.

S Hopcroft
Network Specialist
IP Australia
+61 2 6283 3189
+61 2 6281 1353 FAX

From owner-freebsd-security Thu Sep 21 19:21:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.OBK.ru (ovk.barrt.ru [194.84.233.130]) by hub.freebsd.org (Postfix) with ESMTP id A0D3937B424 for ; Thu, 21 Sep 2000 19:21:30 -0700 (PDT)
Received: from localhost (subs@localhost) by proxy.OBK.ru (8.9.3/8.9.3) with ESMTP id JAA22761 for ; Fri, 22 Sep 2000 09:26:54 +0700 (NOVST) (envelope-from subs@proxy.obk.ru)
Date: Fri, 22 Sep 2000 09:26:54 +0700 (NOVST)
From: "Yuri A. Wolf"
To: freebsd-security@FreeBSD.org
Subject: I thinked it is fixed
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings!

Maybe it's not a big bug, but I think it is important for security; that's why I sent it here:

1. Login normally as root.
2. Do the following:
     # /usr/bin/login -f userx
   Now I'm the non-root user 'userx'.
3. Exit back:
     $ ^D
     #
   Now I'm root, right? But try "who", "who am i", "finger": they all say 'userx'. Although "whoami" works correctly and shows 'root'.

I agree absolutely that normally a hacker can't be root, but it's possible to hide himself as a non-root user if he has gained root access...

I noted it in 3.4, but I thought it was fixed in 4.x. Yesterday I tested it on 4.1, and the result was the same. I asked for it to be tested on Linux, and they said it shows correctly at the last step, ie 'root'.

Please guide me if I'm wrong.

Thanks,
Yuri.

From owner-freebsd-security Thu Sep 21 19:33: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 853E037B422 for ; Thu, 21 Sep 2000 19:33:02 -0700 (PDT)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id WAA10152; Thu, 21 Sep 2000 22:32:53 -0400 (EDT) (envelope-from wollman)
Date: Thu, 21 Sep 2000 22:32:53 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200009220232.WAA10152@khavrinen.lcs.mit.edu>
To: "Yuri A. Wolf"
Cc: freebsd-security@FreeBSD.ORG
Subject: I thinked it is fixed
In-Reply-To:
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:
> 1. Login normally as root
> 2. Do the next
> #/usr/bin/login -f userx
> Now I'm non-root user 'userx'.
> 3. Exit back
> $^D
> #
> Now I'm root, right?
> But try to do "who", "who am i", "finger", they all
> say 'userx'.

Don't do that then.

(Perhaps login(8) should fail if it's not the session leader. I'm not sure there's actually a way to reliably detect whether it is or not.)

-GAWollman

From owner-freebsd-security Thu Sep 21 22:39:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 7610937B423 for ; Thu, 21 Sep 2000 22:39:46 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 13cF0f-0000RF-00; Thu, 21 Sep 2000 16:40:05 -0600
Message-ID: <39CA8E45.7DA45048@softweyr.com>
Date: Thu, 21 Sep 2000 16:40:05 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 4.1-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: nbm@mithrandr.moria.org
Cc: Brett Glass , security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
References: <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Neil Blakey-Milner wrote:
>
> [ Cc trimmed, advocacy,chat -> security ]
>
> On Thu 2000-09-21 (11:38), Brett Glass wrote:
> > >>From a review of /etc/defaults/rc.conf, 5.0-CURRENT has turned off the
> > >three biggies that I didn't like the default YES,
> > >
> > >     inetd_enable="NO"
> > >     sendmail_enable="NO"
> > >     portmap_enable="NO"
> >
> > But rc.conf turns them on!
> >
> > > But I assume /stand/sysinstall will ask if these should be turned on.
> > > This is good.
> >
> > It still leaves all of these on WITHOUT ASKING.
>
> I have an idea. Why don't you submit a patch that'll make sysinstall
> ask about them, instead of using those scary capital letters and
> exclamation marks that make it sound like you're incredibly shocked over
> all this, on inappropriate mailing lists?

Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE WANT THEM THAT WAY? Most people who install FreeBSD just want telnet, mail, and NFS to work, they don't want to spend hours agonizing over the configuration of every single computer they install. They rely on firewalls, prayer, or abject cluelessness to secure their systems, and that's just fine.

Have you considered using OpenBSD? It does install with a more secure (i.e. "doesn't work for most people") configuration out of the box.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
wes@softweyr.com                                  http://softweyr.com/

From owner-freebsd-security Thu Sep 21 23:08:14 2000
From: Marc Rassbach
Date: Fri, 22 Sep 2000 01:07:35 -0500 (CDT)
To: Brett Glass
Cc: Wes Peters, nbm@mithrandr.moria.org, security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-Reply-To: <4.3.2.7.2.20000921182152.046d6ee0@localhost>

As an effort to attempt to keep 'the peace'....why not provide the options of a 'install nothing' (like openbsd), 'install like a desktop', 'install like a server', 'install everything', and these options are from the 'easy install' (in the past called novice).

Or, perhaps as part of a net install, load your install profile over the wire. (that fully scriptable install fantasy....) In such a scripting world, the standard as shipped can be as BSDi/FreeBSD wants, and BrettBSD can be set up as Mr. Glass wants. Set options to suck the script from net/cd/floppy/audio tape on the cassette interface/paper tape/data lines and load switch/telepathic link/whatever.....

I could make a whole bunch of suggestions, but then I'd have to code them, so I'll sit back down and shut up.

On Thu, 21 Sep 2000, Brett Glass wrote:
> I wind up spending hours agonizing over the configuration of every
> FreeBSD install I do, because I have to turn off many of the defaults
> which could potentially compromise security or waste resources.

From owner-freebsd-security Fri Sep 22 00:12:18 2000
From: Dave McKay
Date: Fri, 22 Sep 2000 02:12:07 -0500
To: Brett Glass
Cc: Wes Peters, nbm@mithrandr.moria.org, security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922021207.A90466@elvis.mu.org>
In-Reply-To: <4.3.2.7.2.20000921182152.046d6ee0@localhost>; from brett@lariat.org on Thu, Sep 21, 2000 at 06:32:48PM -0600

Brett Glass (brett@lariat.org) wrote:

*snip*

> Telnet is dangerous and should be disabled now that SSH is in common use
> and is not encumbered by patents. sshd should be on unless the user
> asks for it not to be. (He or she should still be asked.)

SSH is in common use? It is still third party on Linux and Windows, and Solaris. Telnet *IS* however installed by default on every major OS I can think of.

> I wind up spending hours agonizing over the configuration of every
> FreeBSD install I do, because I have to turn off many of the defaults
> which could potentially compromise security or waste resources.

This is not healthy. Editing /etc/inetd.conf and /etc/rc.conf shouldn't take hours, this sounds like a personal problem.

> >They rely on firewalls, prayer, or
> >abject cluelessness to secure their systems, and that's just fine.
>
> Windows users do that. FreeBSD users should have it better.

uhm.. can't find the words..

> >Have you considered using OpenBSD? It does install with a more secure (i.e.
> >"doesn't work for most people") configuration out of the box.
>
> I have not only considered it -- I've used it quite a bit. On the table
> next to me are machines with the latest releases of FreeBSD, NetBSD,
> and OpenBSD.
You'll have to forgive me, I don't subscribe to the netbsd or openbsd lists, but do you suggest these ideas to *BSD? If everyone in the world was strawberry then no one would taste good.

--
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@sneakerz.org

From owner-freebsd-security Fri Sep 22 00:47:46 2000
From: Neil Blakey-Milner
Organization: Sunesi Clinical Systems
Date: Fri, 22 Sep 2000 09:47:09 +0200
Message-ID: <20000922094709.A24619@mithrandr.moria.org>
To: Marc Rassbach
Cc: Brett Glass, Wes Peters, security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-Reply-To: ; from marc@milestonerdl.com on Fri, Sep 22, 2000 at 01:07:35AM -0500

On Fri 2000-09-22 (01:07), Marc Rassbach wrote:
> As an effort to attempt to keep 'the peace'....why not provide the options
> of a 'install nothing' (like openbsd) 'install like a desktop' 'install
> like a server' 'install everything' and these options are from the 'easy
> install' (in the past called novice)
>
> I could make a whole bunch of suggestions, but then I'd have to code them,
> so I'll sit back down and shut up.

Too late, we're already waiting for your patches...
;)

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 01:35:04 2000
From: Neil Blakey-Milner
Organization: Sunesi Clinical Systems
Date: Fri, 22 Sep 2000 10:34:46 +0200
Message-ID: <20000922103446.A25222@mithrandr.moria.org>
To: Brett Glass
Cc: Wes Peters, security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-Reply-To: <4.3.2.7.2.20000921182152.046d6ee0@localhost>; from brett@lariat.org on Thu, Sep 21, 2000 at 06:32:48PM -0600

On Thu 2000-09-21 (18:32), Brett Glass wrote:
> IMHO:
>
> Telnet is dangerous and should be disabled now that SSH is in common use
> and is not encumbered by patents. sshd should be on unless the user
> asks for it not to be. (He or she should still be asked.)

This happens already:

    if (write_header) {
        ...
        fprintf(rcSite, "sshd_enable=\"YES\"\n");
    }

    { " Sshd",    "This machine wants to run the ssh daemon",
      dmenuVarCheck, dmenuToggleVariable, NULL, "sshd_enable=YES" },

> Mail should be an option that defaults to "on" but lets the user ask that
> it not be activated at install time. Many of us like to reconfigure before
> turning it on. And others will be using FreeBSD as a workstation and will
> be using an e-mail client.... Sendmail doesn't need to be running.

email clients use sendmail to send mail. If sendmail isn't running, it doesn't queue. We'll just lose that mail to a black hole. That isn't obvious.

Again, the case you state above is already in place:

    if (write_header) {
        ...
        fprintf(rcSite, "sendmail_enable=\"YES\"\n");
    }

    { " Sendmail", "This machine wants to run the sendmail daemon",
      dmenuVarCheck, dmenuToggleVariable, NULL, "sendmail_enable=YES" },

> As for NFS: I would take issue with the assertion that most people
> want it on. Also, last time I checked the default install of FreeBSD
> turned on /sbin/portmap even if the user explicitly asks for no NFS!
> This is unnecessary and is a security breach just waiting to happen.

If the user doesn't say 'portmap_enable="NO"', the user isn't explicitly asking for portmap not to run. I'm investigating moving the portmap check to the NFS check. I've also got permission to add an inetd check.

> >they don't want to spend hours agonizing over the configuration
> >of every single computer they install.
>
> I wind up spending hours agonizing over the configuration of every
> FreeBSD install I do, because I have to turn off many of the defaults
> which could potentially compromise security or waste resources.

vi /etc/rc.conf

The "defaults" these days leave very little running. Of course, if you actually _contributed_, we'd do these things faster, so you wouldn't have to whine constantly.
Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 01:39:06 2000
From: Phil Homewood
Date: Fri, 22 Sep 2000 18:38:36 +1000
Message-ID: <20000922183836.G27376@atlas.bit.net.au>
To: Neil Blakey-Milner
Cc: security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-Reply-To: <20000922103446.A25222@mithrandr.moria.org>; from nbm@mithrandr.moria.org on Fri, Sep 22, 2000 at 10:34:46AM +0200

Neil Blakey-Milner wrote:
> email clients use sendmail to send mail. If sendmail isn't running, it
> doesn't queue. We'll just lose that mail to a black hole. That isn't
> obvious.

You could default to running sendmail without the "-bd" flag and have a checkbox to enable "this machine wants to accept email from the network", maybe?

Just a thought...
--
Phil Homewood                                  pdh@asiaonline.net
Senior Technician                                +61 7 3620 1930
Asia Online (Brisbane)                   http://www.asiaonline.net/

From owner-freebsd-security Fri Sep 22 01:42:45 2000
From: Neil Blakey-Milner
Organization: Sunesi Clinical Systems
Date: Fri, 22 Sep 2000 10:42:20 +0200
Message-ID: <20000922104220.A25438@mithrandr.moria.org>
To: Phil Homewood
Cc: security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-Reply-To: <20000922183836.G27376@atlas.bit.net.au>; from pdh@bit.net.au on Fri, Sep 22, 2000 at 06:38:36PM +1000

On Fri 2000-09-22 (18:38), Phil Homewood wrote:
> Neil Blakey-Milner wrote:
> > email clients use sendmail to send mail. If sendmail isn't running, it
> > doesn't queue. We'll just lose that mail to a black hole. That isn't
> > obvious.
>
> You could default to running sendmail without the "-bd" flag
> and have a checkbox to enable "this machine wants to accept
> email from the network", maybe?
>
> Just a thought...

I'm awaiting feedback on a suggestion to do just that.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 05:10:51 2000
From: Drew Derbyshire
Organization: Kendra Electronic Wonderworks, Stoneham MA 02180 (http://www.kew.com)
Date: Fri, 22 Sep 2000 08:10:42 -0400
Message-ID: <39CB4C42.1A59669C@kew.com>
To: freebsd-security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!

> Neil Blakey-Milner wrote:
> Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST
> PEOPLE WANT THEM THAT WAY?

Did you take a survey?

> Most people who install FreeBSD just want telnet, mail, and NFS to work,

Most people also want a secure system. Don't even get me started about rlogin/rsh being on by default in /etc/inetd.conf.

IMHO, many people wouldn't know NFS if it bit them in the nose.
If an NFS startup is enabled and the associated required portmap server is not, then an improved RC script can override the setting and start portmap automatically (with a suitable nasty warning to console and/or log). Turning on portmap by default because someone MAY want NFS is not suitable.

> they don't want to spend hours agonizing over the configuration of every
> single computer they install. They rely on firewalls, prayer, or abject
> cluelessness to secure their systems, and that's just fine.

God looks after fools and small children. Despite appearances, naive system admins don't officially qualify for "fool" status, so the OS developers need to step in for God.

Like others, I would prefer mail was left disabled or prompted for:

1. Mail running behind a firewall normally has to be reconfigured to work properly to see the enterprise mail relay.

2. Mail running on a firewall normally has to be reconfigured to work properly to allow mail from the machines behind it.

Note that "prompted for" would include putting up the current "enable network components" screen.

In summary, if the install is going to prompt for network services, it needs to prompt consistently. Prompting for many of the services and not others makes one feel like the job is done, and it's not.
-ahd-

From owner-freebsd-security Fri Sep 22 06:56:13 2000
From: Cy Schubert - ITSD Open Systems Group
Message-Id: <200009221353.e8MDr7M10945@cwsys.cwsent.com>
To: Brett Glass
Cc: Wes Peters, nbm@mithrandr.moria.org, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-reply-to: Your message of "Thu, 21 Sep 2000 18:32:48 MDT."
<4.3.2.7.2.20000921182152.046d6ee0@localhost>
Date: Fri, 22 Sep 2000 06:52:19 -0700

In message <4.3.2.7.2.20000921182152.046d6ee0@localhost>, Brett Glass writes:
> At 04:40 PM 9/21/2000, Wes Peters wrote:
>
> >Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE
> >WANT THEM THAT WAY? Most people who install FreeBSD just want telnet, mail,
> >and NFS to work,
>
> IMHO:
>
> Telnet is dangerous and should be disabled now that SSH is in common use
> and is not encumbered by patents. sshd should be on unless the user
> asks for it not to be. (He or she should still be asked.)

I submitted two awk scripts to this list late last week that disable services in inetd that those of us who are paranoid would normally remove. Absolutely no one was interested. For that matter I didn't even receive a comment about the scripts from you. Absolutely nobody is interested in this issue. The defaults are there because the majority wants them there.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Fri Sep 22 07:01:42 2000
From: Neil Blakey-Milner
Date: Fri, 22 Sep 2000 16:01:24 +0200
To: Cy Schubert - ITSD Open Systems Group
Cc: Brett Glass, Wes Peters, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
(Was: Re: wats so special about freeBSD?)
Message-ID: <20000922160123.A29787@mithrandr.moria.org>
In-Reply-To: <200009221353.e8MDr7M10945@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Fri, Sep 22, 2000 at 06:52:19AM -0700
Organization: Sunesi Clinical Systems

On Fri 2000-09-22 (06:52), Cy Schubert - ITSD Open Systems Group wrote:
> I submitted two awk scripts to this list late last week that disable
> services in inetd that those of us who are paranoid would normally
> remove. Absolutely no one was interested. For that matter I didn't
> even receive a comment about the scripts from you. Absolutely nobody
> is interested in this issue. The defaults are there because the
> majority wants them there.

If you could tell us how to plug them in somewhere, it might be nice. Do we have 'awk' on the install disk so it can be used there?

(personally, I'd prefer we have /etc/inetd.conf (commented) and /etc/inetd.conf.wideopen, and we twiddle some bits in sysinstall to see which one gets started in rc. maybe inetd_wideopen_enabled or something.)
Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 07:19:48 2000
From: Cy Schubert - ITSD Open Systems Group
Date: Fri, 22 Sep 2000 07:14:38 -0700
Message-Id: <200009221415.e8MEF9o11149@cwsys.cwsent.com>
To: Garrett Wollman
Cc: "Yuri A. Wolf", freebsd-security@FreeBSD.ORG
Subject: Re: I thinked it is fixed
In-reply-to: Your message of "Thu, 21 Sep 2000 22:32:53 EDT." <200009220232.WAA10152@khavrinen.lcs.mit.edu>

In message <200009220232.WAA10152@khavrinen.lcs.mit.edu>, Garrett Wollman writes:
> < ru> said:
>
> > 1. Login normally as root
> > 2.
> > Do the next
> > #/usr/bin/login -f userx
> > Now I'm non-root user 'userx'.
> > 3. Exit back
> > $^D
> > #
> > Now I'm root, right? But try to do "who", "who am i", "finger", they all
> > say 'userx'.
>
> Don't do that then.
>
> (Perhaps login(8) should fail if it's not the session leader. I'm not
> sure there's actually a way to reliably detect whether it is or not.)

Solaris does this:

    dragon# login -f foobar
    No utmpx entry. You must exec "login" from the lowest level "shell".
    dragon#

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Fri Sep 22 07:37:53 2000
Message-Id: <200009221435.e8MEZCs11279@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open
Systems Group
To: Neil Blakey-Milner
Cc: Cy Schubert - ITSD Open Systems Group, Brett Glass, Wes Peters, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-reply-to: Your message of "Fri, 22 Sep 2000 16:01:24 +0200." <20000922160123.A29787@mithrandr.moria.org>
Date: Fri, 22 Sep 2000 07:34:31 -0700

In message <20000922160123.A29787@mithrandr.moria.org>, Neil Blakey-Milner writes:
> On Fri 2000-09-22 (06:52), Cy Schubert - ITSD Open Systems Group wrote:
> > I submitted two awk scripts to this list late last week that disable
> > services in inetd that those of us who are paranoid would normally
> > remove. Absolutely no one was interested. For that matter I didn't
> > even receive a comment about the scripts from you. Absolutely nobody
> > is interested in this issue. The defaults are there because the
> > majority wants them there.
>
> If you could tell us how to plug them in somewhere, it might be nice.
> Do we have 'awk' on the install disk so it can be used there?
>
> (personally, I'd prefer we have /etc/inetd.conf (commented) and
> /etc/inetd.conf.wideopen, and we twiddle some bits in sysinstall to see
> which one gets started in rc. maybe inetd_wideopen_enabled or
> something.)

Search the -security and -arch archives for the subject "Option 3".

Plugging in the awk scripts somewhere, could be in /etc or /usr/sbin, and an option in sysinstall. (Editing inetd.conf after an install is a pain). My team has used various forms of the scripts, because some customers prefer systems that are more open.
Of course my recommendation to my customers, which is the most secure recommendation I can make and also keeps my butt out of a sling should they not want to use my recommendation and get broken into, is to disable all services and use SSH and Kerberos. I also recommend to my customers that if they do want to enable telnet, for example, that they document the reason why so that the auditor doesn't have to dig around as much to find out why an insecure service is enabled on a particular system.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Fri Sep 22 07:57:45 2000
From: Neil Blakey-Milner
Date: Fri, 22 Sep 2000 16:57:25 +0200
To: Cy Schubert - ITSD Open Systems Group
Cc: Brett Glass, Wes Peters, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922165725.A30364@mithrandr.moria.org>
In-Reply-To: <200009221435.e8MEZCs11279@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Fri, Sep 22, 2000 at 07:34:31AM -0700
Organization: Sunesi Clinical Systems

On Fri 2000-09-22 (07:34), Cy Schubert - ITSD Open Systems Group wrote:
> > If you could tell us how to plug them in somewhere, it might be nice.
> > Do we have 'awk' on the install disk so it can be used there?
> > something.)
>
> Search the -security and -arch archives for the subject "Option 3".

I have read it. It is in my "reasons why inetd's current configuration format sucks" mailbox encouraging me to propose an additional way to configure inetd using a directory + file structure.

> Plugging in the awk scripts somewhere, could be in /etc or /usr/sbin,
> and an option in sysinstall. (Editing inetd.conf after an install is a
> pain).

I asked how, not "where do you place scripts on a filesystem?", or "what is the name of the installer?".

I don't think we want to make even more sysinstall hacks, as it is exceedingly complicated and time-consuming (especially according to Mr. Glass - hours of painstaking choices).

I think inetd_enable="YES"/"NO" is mostly sufficient. Anything beyond that is the realm of the administrator. Perhaps we can put your scripts in /usr/share/examples/inetd/, along with example configurations, like inetd.conf.rsh, inetd.conf.ftp, inetd.conf.full. Then have a mostly-empty /etc/inetd.conf that isn't self-documenting, with ftp and commented out telnet and (internal) auth.

What else do people run out of inetd?
(I don't know - I don't have any systems that run inetd, except one with
only internal auth so I can IRC from it)

Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 8:57:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 81B8037B424 for ; Fri, 22 Sep 2000 08:57:25 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA08276; Fri, 22 Sep 2000 08:55:30 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda08274; Fri Sep 22 08:55:27 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id IAA16847; Fri, 22 Sep 2000 08:55:27 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdy16845; Fri Sep 22 08:55:17 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e8MFtGK11604; Fri, 22 Sep 2000 08:55:16 -0700 (PDT)
Message-Id: <200009221555.e8MFtGK11604@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdl11591; Fri Sep 22 15:54:34 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: Neil Blakey-Milner
Cc: Cy Schubert - ITSD Open Systems Group , Brett Glass , Wes Peters , security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-reply-to: Your message of "Fri, 22 Sep 2000 16:57:25 +0200."
<20000922165725.A30364@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 22 Sep 2000 08:54:34 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <20000922165725.A30364@mithrandr.moria.org>, Neil Blakey-Milner
writes:
> I don't think we want to make even more sysinstall hacks, as it is
> exceedingly complicated and time-consuming (especially according to Mr.
> Glass - hours of painstaking choices).
>
> I think inetd_enable="YES"/"NO" is mostly sufficient. Anything beyond
> that is the realm of the administrator. Perhaps we can put your scripts
> in /usr/share/examples/inetd/, along with example configurations, like
> inetd.conf.rsh, inetd.conf.ftp, inetd.conf.full. Then have a
> mostly-empty /etc/inetd.conf that isn't self-documenting, with ftp and
> commented out telnet and (internal) auth.

Thinking about it further, I don't think it really matters that much.
Managing a heterogeneous environment, customisations have to be made
anyhow -- at least on my part. (I must have been on drugs over the past
week to create such a ruckus on -arch over this issue. I was definitely
not thinking rationally.)

Ideally a post-install process (my awk script could be part of it) might
be the best way to go. If the process is generic enough it could be used
anywhere. Having said that, before anyone asks for patches, this has been
on my todo list for a while now.
Regards,                       Phone:  (250)387-8437
Cy Schubert                     Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Fri Sep 22 11:12: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id CB39237B424 for ; Fri, 22 Sep 2000 11:11:58 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA08651; Fri, 22 Sep 2000 12:11:33 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000922120415.00c7bdc0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 22 Sep 2000 12:11:25 -0600
To: Dave McKay
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Cc: Wes Peters , nbm@mithrandr.moria.org, security@freebsd.org
In-Reply-To: <20000922021207.A90466@elvis.mu.org>
References: <4.3.2.7.2.20000921182152.046d6ee0@localhost> <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <39CA8E45.7DA45048@softweyr.com> <4.3.2.7.2.20000921182152.046d6ee0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:12 AM 9/22/2000, Dave McKay wrote:

>SSH is in common use? It is still third party on Linux and Windows, and
>Solaris.

So are Netscape Navigator, RealPlayer, etc. -- and everyone downloads
them! The fact that Microsoft doesn't make one is, IMHO, a good thing.
They'd probably insert their own less secure authentication schemes and
turn them on by default -- or, worse yet, try to hijack the standard by
introducing incompatibilities.

> Telnet *IS* however installed by default on every major OS I can
>think of.

It should not be. It sends passwords in the clear. This is not
acceptable on today's Internet.

>> I wind up spending hours agonizing over the configuration of every
>> FreeBSD install I do, because I have to turn off many of the defaults
>> which could potentially compromise security or waste resources.
>
>This is not healthy. Editing /etc/inetd.conf and /etc/rc.conf shouldn't
>take hours, this sounds like a personal problem.

Don't argue ad hominem; it doesn't strengthen your argument and in fact
makes it suspect. The fact is that it really CAN take hours to
reconfigure FreeBSD to secure it. This includes recompiling the kernel
(to get IP Filter in there, save resources, turn off BPF, etc.), editing
rc.conf, editing sshd.conf, and much more.

>You'll have to forgive me, I don't subscribe to the netbsd or openbsd lists,
>but do you suggest these ideas to *BSD? If everyone in the world was straw-
>berry then no one would taste good.

I fail to see your point. Security is good on ALL platforms, and if the
defaults are good and options are offered it can save a great deal of
time and frustration.
--Brett

From owner-freebsd-security Fri Sep 22 11:17:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 8FC1537B424 for ; Fri, 22 Sep 2000 11:17:28 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA08736; Fri, 22 Sep 2000 12:17:18 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000922121247.00c7d7f0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 22 Sep 2000 12:17:11 -0600
To: Neil Blakey-Milner
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Cc: Wes Peters , security@freebsd.org
In-Reply-To: <20000922103446.A25222@mithrandr.moria.org>
References: <4.3.2.7.2.20000921182152.046d6ee0@localhost> <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <39CA8E45.7DA45048@softweyr.com> <4.3.2.7.2.20000921182152.046d6ee0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:34 AM 9/22/2000, Neil Blakey-Milner wrote:

>If the user doesn't say 'portmap_enable="NO"', the user isn't explicitly
>asking for portmap not to run.
>
>I'm investigating moving the portmap check to the NFS check.
>
>I've also got permission to add an inetd check.

Excellent! inetd could also be made dependent upon whether other things
were enabled.

>vi /etc/rc.conf

I wish it were that simple! These days, I also have to edit inetd.conf
(if I need it to run), plus many other configuration files. And load
important ports.
And recompile the kernel. And.... Doing it right takes a lot more time
than I'd like.

>The "defaults" these days leave very little running. Of course, if you
>actually _contributed_, we'd do these things faster, so you wouldn't
>have to whine constantly.

My reason for not contributing code is not that I can't (though I am
really an assembly language specialist and avoid C like the plague).
It's territoriality. Whenever I've tried, the "owner" of that bit of
code or that section of the OS has acted as if I have invaded his
territory. So, I've made suggestions and hoped that the people who
want to maintain those parts would follow through.

--Brett

From owner-freebsd-security Fri Sep 22 11:22:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id CEBF237B423 for ; Fri, 22 Sep 2000 11:22:23 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA08791; Fri, 22 Sep 2000 12:22:08 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000922121808.00c7cc30@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 22 Sep 2000 12:22:00 -0600
To: Drew Derbyshire , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
In-Reply-To: <39CB4C42.1A59669C@kew.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:10 AM 9/22/2000, Drew Derbyshire wrote:

>Most people also want a secure system. Don't even get me started about
>rlogin/rsh being on by default in /etc/inetd.conf.

That's a change that should be committed YESTERDAY. All in favor?

>IMHO, many people wouldn't know NFS if it bit them in the nose.

I think you are correct.
>If an NFS startup is enabled and the associated required portmap server is
>not, then a improved RC script can override the setting and start portmap
>automatically (with a suitable nasty warning to console and/or log).
>Turning in portmap by default because someone MAY want NFS is not suitable.

Agree.

>Like others, I would prefer mail was left disabled or prompted for:
>
> 1. Mail running behind a firewall normally has to be reconfigured to work
> properly to see the enterprise mail relay.
> 2. Mail running on a firewall normally has be reconfigured to work
> properly to allow mail from the machines behind it.

Ironically, these are some of the very things that Sendmail.com uses to
add value to its commercial version of Sendmail. They provide Web-based
forms to help set things like this up.

--Brett

From owner-freebsd-security Fri Sep 22 11:24:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 0BD9337B423 for ; Fri, 22 Sep 2000 11:24:24 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cXTk-0008Oe-00; Fri, 22 Sep 2000 20:23:20 +0200
Date: Fri, 22 Sep 2000 20:23:19 +0200
From: Neil Blakey-Milner
To: Brett Glass
Cc: Dave McKay , Wes Peters , security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922202319.A32175@mithrandr.moria.org>
References: <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <39CA8E45.7DA45048@softweyr.com> <4.3.2.7.2.20000921182152.046d6ee0@localhost> <20000922021207.A90466@elvis.mu.org> <4.3.2.7.2.20000922120415.00c7bdc0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000922120415.00c7bdc0@localhost>; from brett@lariat.org on Fri, Sep 22, 2000 at 12:11:25PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (12:11), Brett Glass wrote:
> > Telnet *IS* however installed by default on every major OS I can
> >think of.
>
> It should not be. It sends passwords in the clear. This is not
> acceptable on today's Internet.

Which is fine, except I don't see 'ssh' on the OSen you might be using
to access your machine from remote. Windows, especially.

> >> I wind up spending hours agonizing over the configuration of every
> >> FreeBSD install I do, because I have to turn off many of the defaults
> >> which could potentially compromise security or waste resources.
> >
> >This is not healthy. Editing /etc/inetd.conf and /etc/rc.conf shouldn't
> >take hours, this sounds like a personal problem.
>
> The fact is that it really CAN take hours to reconfigure FreeBSD to secure
> it. This includes recompiling the kernel (to get IP Filter in there, save
> resources, turn off BPF, etc.), editing rc.conf, editing sshd.conf, and
> much more.

ipfilter is available as a module, btw. And a kernel build, even on my
venerable p166mmx doesn't take more than a few minutes.
Can you explain exactly your thought processes as you're editing rc.conf
and sshd.conf? If we know _what_ you are changing, and why, maybe we'll
be enlightened. I personally can't take more than a minute editing
rc.conf. I know that sshd.conf is safe enough - I may bind to a specific
IP, though. What else is there? I really can't see how it can take
hours.

Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 11:27:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id B1B9837B422 for ; Fri, 22 Sep 2000 11:27:54 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cXXr-0008PY-00; Fri, 22 Sep 2000 20:27:35 +0200
Date: Fri, 22 Sep 2000 20:27:35 +0200
From: Neil Blakey-Milner
To: Brett Glass
Cc: Wes Peters , security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922202735.B32175@mithrandr.moria.org>
References: <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <39CA8E45.7DA45048@softweyr.com> <4.3.2.7.2.20000921182152.046d6ee0@localhost> <20000922103446.A25222@mithrandr.moria.org> <4.3.2.7.2.20000922121247.00c7d7f0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000922121247.00c7d7f0@localhost>; from brett@lariat.org on Fri, Sep 22, 2000 at 12:17:11PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (12:17), Brett Glass wrote:
> My reason for not contributing code is not that I can't (though I am
> really an assembly language specialist and avoid C like the plague).
> It's territoriality. Whenever I've tried, the "owner" of that bit of
> code or that section of the OS has acted as if I have invaded his
> territory. So, I've made suggestions and hoped that the people who
> want to maintain those parts would follow through.

It's quite simple. Submit a PR. If the maintainer of that area doesn't
address it in sufficient time, reply to the PR stating so, and send mail
to an appropriate mailing list. Last time you submitted PRs, they were
done (except the man page one, but that's quite complex). Just try
again.
Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 11:36: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 2DECD37B422 for ; Fri, 22 Sep 2000 11:36:07 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA08978; Fri, 22 Sep 2000 12:35:55 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000922122414.00c7c420@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 22 Sep 2000 12:25:20 -0600
To: Neil Blakey-Milner , Cy Schubert - ITSD Open Systems Group
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Cc: Wes Peters , security@FreeBSD.ORG
In-Reply-To: <20000922165725.A30364@mithrandr.moria.org>
References: <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922160123.A29787@mithrandr.moria.org> <200009221435.e8MEZCs11279@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 08:57 AM 9/22/2000, Neil Blakey-Milner wrote:

>I don't think we want to make even more sysinstall hacks, as it is
>exceedingly complicated and time-consuming (especially according to Mr.
>Glass - hours of painstaking choices).

No; the LACK of certain things in the default install and in sysinstall
leads to tedious work. It'd be nice to do it once and for all.
--Brett

From owner-freebsd-security Fri Sep 22 11:50:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from orthanc.ab.ca (207-167-15-66.dsl.worldgate.ca [207.167.15.66]) by hub.freebsd.org (Postfix) with ESMTP id CDFE537B424 for ; Fri, 22 Sep 2000 11:50:31 -0700 (PDT)
Received: from orthanc.ab.ca (localhost [127.0.0.1]) by orthanc.ab.ca (8.11.0.Beta3/8.11.0.Beta3) with ESMTP id e8MInS116911; Fri, 22 Sep 2000 12:49:28 -0600 (MDT)
Message-Id: <200009221849.e8MInS116911@orthanc.ab.ca>
To: Brett Glass
Cc: Dave McKay , Wes Peters , nbm@mithrandr.moria.org, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-reply-to: Your message of "Fri, 22 Sep 2000 12:11:25 MDT." <4.3.2.7.2.20000922120415.00c7bdc0@localhost>
Date: Fri, 22 Sep 2000 12:49:28 -0600
From: Lyndon Nerenberg
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Brett" == Brett Glass writes:

    Brett> It should not be. It sends passwords in the clear. This is
    Brett> not acceptable on today's Internet.

In certain situations. There is hardware (e.g. terminal servers, hubs)
that speak only telnet for remote configuration, and will never support
anything but telnet for remote configuration. Remote could mean it's
three feet away but doesn't have a serial console. If these devices are
accessed from secure LANs where packets can't be sniffed then telnet is a
perfectly secure protocol in that context. In other cases, using telnet
in its default mode is just silly from a security standpoint.
And you most certainly have options for securing telnet:

RFC1411: Telnet Authentication: Kerberos Version 4
RFC1416: Telnet Authentication Option
  * defines authentication methods for Kerberos IV and 5, and an RSA
    based mechanism, among others)
RFC2289: A One-Time Password System
  * Completely usable over telnet

Also, I believe Chris Newman is working on a SASL authentication option
for telnet.

Note that FreeBSD supports Kerberized telnet if you've built with
MAKE_KERBEROS4=yes (which also builds Kerberized rsh/rlogin).

The correct solution is to make sure we support current authentication
technologies where appropriate (ftp[d] lacks here as well), and provide
knobs to disable/enable the individual authentication mechanisms, and
ship with the insecure ones disabled. Simply throwing out a perfectly
useful tool is absurd.

--lyndon

From owner-freebsd-security Fri Sep 22 11:57:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 12E6437B422 for ; Fri, 22 Sep 2000 11:57:24 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cY0N-0008Ug-00; Fri, 22 Sep 2000 20:57:03 +0200
Date: Fri, 22 Sep 2000 20:57:03 +0200
From: Neil Blakey-Milner
To: Brett Glass
Cc: Cy Schubert - ITSD Open Systems Group , Wes Peters , security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922205703.A32523@mithrandr.moria.org>
References: <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922160123.A29787@mithrandr.moria.org> <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922165725.A30364@mithrandr.moria.org> <4.3.2.7.2.20000922122414.00c7c420@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000922122414.00c7c420@localhost>; from brett@lariat.org on Fri, Sep 22, 2000 at 12:25:20PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (12:25), Brett Glass wrote:
> >I don't think we want to make even more sysinstall hacks, as it is
> >exceedingly complicated and time-consuming (especially according to Mr.
> >Glass - hours of painstaking choices).
>
> No; the LACK of certain things in the default install and in sysinstall
> leads to tedious work. It'd be nice to do it once and for all.

Could you actually read my whole message and look at my suggestion, and
comment on that? Or you write the complex code that other people aren't
interested in writing to do all this tedious work.

Personally, I can't see what else sysinstall should do that isn't really
hard to write. Anyone who has a problem adding comments in front of
inetd.conf lines, or removing them, probably wouldn't be helped by a CUI
hack in libdialog either.
Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 12:40:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 9302137B424 for ; Fri, 22 Sep 2000 12:40:18 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cYg0-0008b4-00; Fri, 22 Sep 2000 21:40:04 +0200
Date: Fri, 22 Sep 2000 21:40:04 +0200
From: Neil Blakey-Milner
To: Brett Glass
Cc: Wes Peters , security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922214004.A33011@mithrandr.moria.org>
References: <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922160123.A29787@mithrandr.moria.org> <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922165725.A30364@mithrandr.moria.org> <4.3.2.7.2.20000922122414.00c7c420@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000922122414.00c7c420@localhost>; from brett@lariat.org on Fri, Sep 22, 2000 at 12:25:20PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (12:25), Brett Glass wrote:
> No; the LACK of certain things in the default install and in sysinstall
> leads to tedious work. It'd be nice to do it once and for all.

If you could be so kind as to check out sysinstall and test out jkh's new
security config levels, your feedback would be appreciated.
High security does:

+ variable_set2("inetd_enable", "NO", 1);
+ variable_set2("portmap_enable", "NO", 1);
+ variable_set2("sendmail_enable", "NO", 1);
+ variable_set2("sshd_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
+ variable_set2("kern_securelevel_enable", "YES", 1);
+ variable_set2("kern_securelevel", "2", 1);

Medium:

+ variable_set2("inetd_enable", "YES", 1);
+ if (!variable_cmp("nfs_client_enable", "YES") ||
+ !variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("portmap_enable", "YES", 1);
+ if (!variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("nfs_reserved_port_only", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);

Liberal:

+ variable_set2("inetd_enable", "YES", 1);
+ variable_set2("portmap_enable", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);

Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 12:56:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id EF95737B423; Fri, 22 Sep 2000 12:56:18 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cYvg-0008dD-00; Fri, 22 Sep 2000 21:56:16 +0200
Date: Fri, 22 Sep 2000 21:56:16 +0200
From: Neil Blakey-Milner
To: security@FreeBSD.org
Cc: Peter Wemm
Subject: sendmail default run state
Message-ID: <20000922215616.A33103@mithrandr.moria.org>
References: <200009100358.e8A3wUG76071@netplex.com.au> <200009100415.e8A4F4G76156@netplex.com.au> <20000910154357.A78311@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20000910154357.A78311@mithrandr.moria.org>; from nbm@mithrandr.moria.org on Sun, Sep 10, 2000 at
03:43:57PM +0200
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ moved to security@ ]

> > I've had a few followup comments already. A modification:
> > sendmail_enable="outbound"        # choices: YES, NO, outbound
> > sendmail_flags="-bd -q30m"        # flags for full in/out mode
> > sendmail_outbound_flags="-q30m"   # for when $sendmail_enable="outbound"
> >
> > and we set sendmail_enable="outbound" by default. That will break the
> > least number of people. If people only had sendmail_enable="YES", then my
> > first proposed change would break them.
>
> I think we should keep the "YES"/"NO" nature of *_enable if at all
> possible, even if it means having to do a bit more work, or to have to
> mention things in release notes or upgrade guides. From a glance, it
> seems this would be the first *_enable to take anything but "YES" or
> "NO".

I've also noticed we'd need to teach sysinstall about it - it has toggle
stuff for sendmail_enable at the moment.

> sendmail_enable="YES"               # run the sendmail MTA
> sendmail_outboundonly_enable="YES"  # don't listen for messages from the network
> sendmail_queuetime="30"             # time in minutes between re-trying queued items
> sendmail_flags=""                   # additional sendmail flags
>
> Then, when we call sendmail much more complexly:
>
> case ${sendmail_enable} in
> [Yy][Ee][Ss])
>         # Listen on the network (-bd) only when outbound-only mode is off.
>         case ${sendmail_outboundonly_enable} in
>         [Yy][Ee][Ss])
>                 ;;
>         *)
>                 case ${sendmail_flags} in
>                 *-bd*)
>                         ;;
>                 *)
>                         # don't add -bd if we already have it (necessary?)
>                         sendmail_flags="${sendmail_flags} -bd"
>                         ;;
>                 esac
>                 ;;
>         esac
>
>         case ${sendmail_flags} in
>         *-q*)
>                 ;;
>         *)
>                 # only add -q if it is not already set in sendmail_flags
>                 sendmail_flags="${sendmail_flags} -q${sendmail_queuetime}m"
>                 ;;
>         esac
>
>         if [ -r /etc/mail/sendmail.cf ]; then
>                 echo -n ' sendmail'; /usr/sbin/sendmail ${sendmail_flags}
>         fi
>         ;;
> esac

What do others think of this? (originally Peter's idea)

I personally would really like 'sendmail_outbound_only="YES"' to be the
default in /etc/defaults/rc.conf, with an option in sysinstall's Network
Services for turning it on/off.

Reason being the most common situations I see are multi-system networks,
where you read mail on just one, and not necessarily running sendmail on
the machine that receives mail. In the single-user case, also, people
don't tend to want to allow connections. It's more a special case to
receive mail, and it's quite simple to flick the switch, since you have
to set up sendmail to receive mail for your domain anyway.

Obviously this would require a heads-up to current@ when implemented, and
a heads-up to stable@ when MFC'd, and an entry in the release notes and
in UPDATING, and finally an entry in rc.conf(5).
Comments eagerly sought,

Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 13: 7:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id B181237B424 for ; Fri, 22 Sep 2000 13:07:26 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id OAA11466; Fri, 22 Sep 2000 14:07:24 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id OAA70947; Fri, 22 Sep 2000 14:07:23 -0600 (MDT)
Message-Id: <200009222007.OAA70947@harmony.village.org>
To: Lyndon Nerenberg
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Cc: Brett Glass , Dave McKay , Wes Peters , nbm@mithrandr.moria.org, security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 22 Sep 2000 12:49:28 MDT." <200009221849.e8MInS116911@orthanc.ab.ca>
References: <200009221849.e8MInS116911@orthanc.ab.ca>
Date: Fri, 22 Sep 2000 14:07:23 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200009221849.e8MInS116911@orthanc.ab.ca> Lyndon Nerenberg writes:
: RFC2289: A One-Time Password System

I think that FreeBSD supports this as well. Ftp also now supports secure
password exchange, although I've never set it up.

Unencrypted telnet is dangerous, but there are enough interesting things
going on that telnet itself isn't too bad if you can use the security
enhancing parts in your environment.
Warner

From owner-freebsd-security Fri Sep 22 13:11:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from orthanc.ab.ca (207-167-15-66.dsl.worldgate.ca [207.167.15.66]) by hub.freebsd.org (Postfix) with ESMTP id 7F1C637B423 for ; Fri, 22 Sep 2000 13:11:06 -0700 (PDT)
Received: from orthanc.ab.ca (localhost [127.0.0.1]) by orthanc.ab.ca (8.11.0.Beta3/8.11.0.Beta3) with ESMTP id e8MKAv117254; Fri, 22 Sep 2000 14:10:57 -0600 (MDT)
Message-Id: <200009222010.e8MKAv117254@orthanc.ab.ca>
To: Neil Blakey-Milner
Cc: security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
In-reply-to: Your message of "Fri, 22 Sep 2000 21:56:16 +0200." <20000922215616.A33103@mithrandr.moria.org>
Date: Fri, 22 Sep 2000 14:10:57 -0600
From: Lyndon Nerenberg
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Neil" == Neil Blakey-Milner writes:

    Neil> Reason being the most common situations I see are
    Neil> multi-system networks, where you read mail on just one, and
    Neil> not necessarily running sendmail on the machine that
    Neil> receives mail. In the single-user case, also, people don't
    Neil> tend to want to allow connections. It's more a special case
    Neil> to receive mail, and it's quite simple to flick the switch,
    Neil> since you have to set up sendmail to receive mail for your
    Neil> domain anyway.

It sounds like you're describing a desktop client type environment where
you're running a local MUA that talks IMAP or POP to a central server.
Many of those MUAs want to inject mail through the local (to the machine
they are running on) SMTP server. By outright disabling local SMTP
service you run into POLA issues -- making this change can break MUA
functionality. Wouldn't it be better instead to keep local SMTP enabled,
but switch in a sendmail.cf that's based on FEATURE(nullclient)?
This allows the local MUAs to continue to work unmodified while preserving the "no local mail" environment. And the nullclient config can drop root privs right after the daemon sockets are bound since it doesn't have to invoke the local mailer.

--lyndon

From owner-freebsd-security Fri Sep 22 13:12:49 2000
Message-Id: <200009222012.OAA70984@harmony.village.org>
To: Neil Blakey-Milner
Subject: Re: sendmail default run state
Cc: security@FreeBSD.ORG, Peter Wemm
In-reply-to: Your message of "Fri, 22 Sep 2000 21:56:16 +0200." <20000922215616.A33103@mithrandr.moria.org>
References: <20000922215616.A33103@mithrandr.moria.org> <200009100358.e8A3wUG76071@netplex.com.au> <200009100415.e8A4F4G76156@netplex.com.au> <20000910154357.A78311@mithrandr.moria.org>
Date: Fri, 22 Sep 2000 14:12:34 -0600
From: Warner Losh

In message <20000922215616.A33103@mithrandr.moria.org> Neil Blakey-Milner writes:
: I personally would really like 'sendmail_outbound_only="YES"' to be the
: default in /etc/defaults/rc.conf, with an option in sysinstall's Network
: Services for turning it on/off.

I like this a lot.
We have several machines in the Village that ARE NOT FOR EMAIL (caps meant to describe the tone of voice we have when we talk about them). These machines generate email all the time, but should never receive email. We solve this problem with a simple cron job that runs once a day after the daily/weekly/monthly scripts run to deal with failures to send those right away.

Speaking of daily logs, I was wondering. Let's say I have 100 machines that are in my network. All of them send root mail to me. I spool the messages to a folder, but rarely read them because the volume is so large. Does anybody have a tool that would read them and report things outside the normal? I had thought (and have tried) a daily diff, but that works well for some things (like passwordless accounts, say), but poorly for others (suid files changing, disk usage, etc). I'd like to be able to set up a filter that will look at each message and tell me if it is out of the ordinary. Or if a machine goes quiet. With 10 machines I notice which ones I'm missing, but with 100 I don't notice. Has anybody implemented something like this?
Warner

From owner-freebsd-security Fri Sep 22 13:13:24 2000
Message-Id: <200009222012.e8MKCRF12785@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Neil Blakey-Milner
Cc: security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
In-reply-to: Your message of "Fri, 22 Sep 2000 21:56:16 +0200." <20000922215616.A33103@mithrandr.moria.org>
Date: Fri, 22 Sep 2000 13:11:51 -0700

In message <20000922215616.A33103@mithrandr.moria.org>, Neil Blakey-Milner writes:
> [ moved to security@ ]
>
> > > > I've had a few followup comments already.
> > > A modification:
> > >
> > > sendmail_enable="outbound"       # choices: YES, NO, outbound
> > > sendmail_flags="-bd -q30m"       # flags for full in/out mode
> > > sendmail_outbound_flags="-q30m"  # for when $sendmail_enable="outbound"
> > >
> > > and we set sendmail_enable="outbound" by default. That will break the
> > > least number of people. If people only had sendmail_enable="YES", then my
> > > first proposed change would break them.
> >
> > I think we should keep the "YES"/"NO" nature of *_enable if at all
> > possible, even if it means having to do a bit more work, or to have to
> > mention things in release notes or upgrade guides. From a glance, it
> > seems this would be the first *_enable to take anything but "YES" or
> > "NO".
>
> I've also noticed we'd need to teach sysinstall about it - it has toggle
> stuff for sendmail_enable at the moment.
>
> > sendmail_enable="YES"               # run the sendmail MTA
> > sendmail_outboundonly_enable="YES"  # don't listen for messages from the network
> > sendmail_queuetime="30"             # time in minutes between re-trying queued items
> > sendmail_flags=""                   # additional sendmail flags
> >
> > Then, when we call sendmail much more complexly:
> >
> > case ${sendmail_enable} in
> > [Yy][Ee][Ss])
> >     # outbound-only means no -bd listener, as the rc.conf comment says
> >     case ${sendmail_outboundonly_enable} in
> >     [Yy][Ee][Ss])
> >         ;;
> >     *)
> >         case ${sendmail_flags} in
> >         *-bd*)
> >             ;;
> >         *)
> >             # don't add -bd if we already have it (necessary?)
> >             sendmail_flags="${sendmail_flags} -bd"
> >             ;;
> >         esac
> >         ;;
> >     esac
> >
> >     case ${sendmail_flags} in
> >     *-q*)
> >         ;;
> >     *)
> >         # only add -q if it is not already set in sendmail_flags
> >         sendmail_flags="${sendmail_flags} -q${sendmail_queuetime}m"
> >         ;;
> >     esac
> >
> >     if [ -r /etc/mail/sendmail.cf ]; then
> >         echo -n ' sendmail'; /usr/sbin/sendmail ${sendmail_flags}
> >     fi
> >     ;;
> > esac
> >
> > What do others think of this?
> (originally Peter's idea)
>
> I personally would really like 'sendmail_outbound_only="YES"' to be the
> default in /etc/defaults/rc.conf, with an option in sysinstall's Network
> Services for turning it on/off.
>
> Reason being the most common situations I see are multi-system networks,
> where you read mail on just one, and not necessarily running sendmail on
> the machine that does receive mail. In the single-user case, also,
> people don't tend to want to allow connections. It's more a special
> case to receive mail, and it's quite simple to flick the switch, since
> you have to set up sendmail to receive mail for your domain anyway.
>
> Obviously this would require a heads-up to current@ when implemented,
> and a heads-up to stable@ when MFC'd, and an entry in the release notes
> and in UPDATING, and finally an entry in rc.conf(5).
>
> Comments eagerly sought,

Good idea. I'm not sure how many FreeBSD users use Sendmail. I use Obtuse Systems Smtpd (the smtpd port) for inbound and Sendmail for outbound. One can use Postfix for inbound and Sendmail for outbound as well. I would guess that most people on this list probably use Qmail, so this may not even be an issue. I suppose it depends on what the majority wants.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Fri Sep 22 13:15:53 2000
Date: Fri, 22 Sep 2000 16:15:45 -0400
From: Bill Fumerola
To: Brett Glass
Cc: Drew Derbyshire, freebsd-security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Message-ID: <20000922161545.G34501@jade.chc-chimes.com>
References: <39CB4C42.1A59669C@kew.com> <4.3.2.7.2.20000922121808.00c7cc30@localhost>
In-Reply-To: <4.3.2.7.2.20000922121808.00c7cc30@localhost>; from brett@lariat.org on Fri, Sep 22, 2000 at 12:22:00PM -0600

On Fri, Sep 22, 2000 at 12:22:00PM -0600, Brett Glass wrote:
> >Most people also want a secure system. Don't even get me started about
> >rlogin/rsh being on by default in /etc/inetd.conf.
>
> That's a change that should be committed YESTERDAY. All in favor?

rlogin/rsh aren't always insecure. People's usage of them often is.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Fri Sep 22 13:16:48 2000
Message-Id: <200009222016.e8MKGK117301@orthanc.ab.ca>
To: Warner Losh
Cc: Brett Glass, Dave McKay, Wes Peters, nbm@mithrandr.moria.org, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-reply-to: Your message of "Fri, 22 Sep 2000 14:07:23 MDT." <200009222007.OAA70947@harmony.village.org>
Date: Fri, 22 Sep 2000 14:16:20 -0600
From: Lyndon Nerenberg

>>>>> "Warner" == Warner Losh writes:

    Warner> Lyndon Nerenberg writes: : RFC2289: A One-Time Password
    Warner> System

    Warner> I think that FreeBSD supports this as well.

It does. We've been using it with FTP for a couple of years. Telnetd supports it indirectly through login and skey.
--lyndon

From owner-freebsd-security Fri Sep 22 13:19:41 2000
Message-Id: <4.3.2.7.2.20000922141517.00ddf570@localhost>
Date: Fri, 22 Sep 2000 14:19:16 -0600
To: Lyndon Nerenberg
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Cc: security@FreeBSD.ORG
In-Reply-To: <200009221849.e8MInS116911@orthanc.ab.ca>

At 12:49 PM 9/22/2000, Lyndon Nerenberg wrote:
>>>>>> "Brett" == Brett Glass writes:
>
>    Brett> It should not be. It sends passwords in the clear. This is
>    Brett> not acceptable on today's Internet.
>
>In certain situations. There is hardware (e.g. terminal servers, hubs) that
>speak only telnet for remote configuration, and will never support
>anything but telnet for remote configuration. Remote could mean it's three
>feet away but doesn't have a serial console. If these devices are accessed
>from secure LANs where packets can't be sniffed then telnet is a
>perfectly secure protocol in that context. In other cases, using
>telnet in its default mode is just silly from a security standpoint.

These are special cases, though! I think that you will agree that by default, on FreeBSD (as opposed to hubs, etc.), we should leave telnetd off.
(The telnet application, on the other hand, might be run under certain circumstances.)

As for authentication: Kerberos, S/key, etc. are useful if one must use Telnet. But they're a lot harder to set up and use than SSH! (In the case of Kerberos, *much* harder.)

--Brett

From owner-freebsd-security Fri Sep 22 13:20:40 2000
Date: Fri, 22 Sep 2000 22:20:26 +0200
From: Neil Blakey-Milner
To: Lyndon Nerenberg
Cc: security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
Message-ID: <20000922222026.A33410@mithrandr.moria.org>
References: <20000922215616.A33103@mithrandr.moria.org> <200009222010.e8MKAv117254@orthanc.ab.ca>
In-Reply-To: <200009222010.e8MKAv117254@orthanc.ab.ca>; from lyndon@orthanc.ab.ca on Fri, Sep 22, 2000 at 02:10:57PM -0600

On Fri 2000-09-22 (14:10), Lyndon Nerenberg wrote:
> It sounds like you're describing a desktop client type environment
> where you're running a local MUA that talks IMAP or POP to a central
> server. Many of those MUAs want to inject mail through the local (to
> the machine they are running on) SMTP server. By outright disabling
> local SMTP service you run into POLA issues -- making this change
> can break MUA functionality.

The only one I can think of is fetchmail. What other ones behave like this?
It is a good point, though.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 13:26:28 2000
Message-Id: <200009222026.OAA71131@harmony.village.org>
To: Bill Fumerola
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 22 Sep 2000 16:15:45 EDT." <20000922161545.G34501@jade.chc-chimes.com>
References: <20000922161545.G34501@jade.chc-chimes.com> <39CB4C42.1A59669C@kew.com> <4.3.2.7.2.20000922121808.00c7cc30@localhost>
Date: Fri, 22 Sep 2000 14:26:13 -0600
From: Warner Losh

In message <20000922161545.G34501@jade.chc-chimes.com> Bill Fumerola writes:
: rlogin/rsh aren't always insecure. People's usage of them often is.

When are they secure? The only case I can think of is when they are used on an isolated network that isn't connected to the outside world and all the users on that isolated network are trusted. Seems like a very limited subset of FreeBSD users in general.
The company I currently work for (Timing Solutions) does have systems that we deploy into isolated networks like this, and we find it desirable to have these protocols available, but would accept them being disabled by default.

Warner

From owner-freebsd-security Fri Sep 22 13:27:02 2000
Message-ID: <39CB5EF6.61A6F958@allmaui.com>
Date: Fri, 22 Sep 2000 13:30:30 +0000
From: Craig Cowen
To: "security@FreeBSD.ORG"
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
References: <200009221849.e8MInS116911@orthanc.ab.ca>

Lyndon Nerenberg wrote:
> >>>>> "Brett" == Brett Glass writes:
>
>     Brett> It should not be. It sends passwords in the clear. This is
>     Brett> not acceptable on today's Internet.
>
> In certain situations. There is hardware (e.g. terminal servers, hubs) that
> speak only telnet for remote configuration, and will never support
> anything but telnet for remote configuration. Remote could mean it's three
> feet away but doesn't have a serial console. If these devices are accessed
> from secure LANs where packets can't be sniffed then telnet is a
> perfectly secure protocol in that context.
> In other cases, using
> telnet in its default mode is just silly from a security standpoint.
>
> And you most certainly have options for securing telnet:
>
> RFC1411: Telnet Authentication: Kerberos Version 4
>
> RFC1416: Telnet Authentication Option
>
>   * defines authentication methods for Kerberos IV and 5, and
>     an RSA based mechanism, among others
>
> RFC2289: A One-Time Password System
>
>   * Completely usable over telnet
>
> Also, I believe Chris Newman is working on a SASL authentication
> option for telnet.
>
> Note that FreeBSD supports Kerberized telnet if you've built with
> MAKE_KERBEROS4=yes (which also builds Kerberized rsh/rlogin).
>
> The correct solution is to make sure we support current authentication
> technologies where appropriate (ftp[d] lacks here as well), and provide
> knobs to disable/enable the individual authentication mechanisms, and
> ship with the insecure ones disabled. Simply throwing out a perfectly
> useful tool is absurd.
>
> --lyndon

IMHO getting rid of telnet is more of a pain than the procedures for securing a box.

From owner-freebsd-security Fri Sep 22 14:16:10 2000
Message-Id: <200009222116.e8MLG0117482@orthanc.ab.ca>
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-reply-to: Your message of "Fri, 22 Sep 2000 14:19:16 MDT."
    <4.3.2.7.2.20000922141517.00ddf570@localhost>
Date: Fri, 22 Sep 2000 15:16:00 -0600
From: Lyndon Nerenberg

>>>>> "Brett" == Brett Glass writes:

    Brett> These are special cases, though! I think that you will
    Brett> agree that by default, on FreeBSD (as opposed to hubs,
    Brett> etc.), we should leave telnetd off. (The telnet
    Brett> application, on the other hand, might be run under certain
    Brett> circumstances.)

I have no problem with leaving them disabled. My issue is with removing them altogether. Note that for rsh/rlogin it's very easy to ship a default config where the secure (kerberized) versions are enabled and the insecure ones are not.

    Brett> As for authentication: Kerberos, S/key, etc. are useful if
    Brett> one must use Telnet. But they're a lot harder to set up and
    Brett> use than SSH! (In the case of Kerberos, *much* harder.)

Kerberos is not *much* harder to set up. It's actually quite simple, although somewhat tedious. What *is* a pain with Kerberos is the thoroughly obtuse documentation it provides on how to set it up.

--lyndon

From owner-freebsd-security Fri Sep 22 14:18:45 2000
Message-Id: <200009222118.e8MLId117503@orthanc.ab.ca>
To: Neil Blakey-Milner
Cc: security@FreeBSD.ORG
Subject: Re: sendmail default run state
In-reply-to: Your message of "Fri, 22 Sep 2000 22:20:26 +0200."
    <20000922222026.A33410@mithrandr.moria.org>
Date: Fri, 22 Sep 2000 15:18:39 -0600
From: Lyndon Nerenberg

>>>>> "Neil" == Neil Blakey-Milner writes:

    Neil> The only one I can think of is fetchmail. What other ones
    Neil> behave like this? It is a good point, though.

MH, exmh (I think), pine, mulberry, netscape (may default to "mail" rather than "localhost"). You wouldn't run fetchmail in a configuration like I described.

--lyndon

From owner-freebsd-security Fri Sep 22 14:22:20 2000
Message-Id: <200009222122.e8MLMG117534@orthanc.ab.ca>
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
In-reply-to: Your message of "Fri, 22 Sep 2000 14:26:13 MDT." <200009222026.OAA71131@harmony.village.org>
Date: Fri, 22 Sep 2000 15:22:16 -0600
From: Lyndon Nerenberg

>>>>> "Warner" == Warner Losh writes:

    Warner> When are they secure? The only case I can think of is
    Warner> when they are used on an isolated network that isn't
    Warner> connected to the outside world and all the users on that
    Warner> isolated network are trusted. Seems like a very limited
    Warner> subset of FreeBSD users in general.

Sounds like most corporate networks sitting behind firewalls. We use rsh/rlogin all over our internal development networks. We just don't let it through the firewall.
And since everyone on the development network has root for all the machines, the security limitations in rsh and rlogin are a non-issue.

    Warner> The company I currently work for (Timing Solutions) does
    Warner> have systems that we deploy into isolated networks like
    Warner> this, and we find it desirable to have these protocols
    Warner> available, but would accept them being disabled by
    Warner> default.

Us too. Just don't remove the binaries themselves.

--lyndon

From owner-freebsd-security Fri Sep 22 14:25:41 2000
Message-Id: <200009222125.PAA71625@harmony.village.org>
To: Lyndon Nerenberg
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 22 Sep 2000 15:22:16 MDT." <200009222122.e8MLMG117534@orthanc.ab.ca>
References: <200009222122.e8MLMG117534@orthanc.ab.ca>
Date: Fri, 22 Sep 2000 15:25:36 -0600
From: Warner Losh

In message <200009222122.e8MLMG117534@orthanc.ab.ca> Lyndon Nerenberg writes:
: >>>>> "Warner" == Warner Losh writes:
:
:     Warner> When are they secure?
:     Warner> The only case I can think of is
:     Warner> when they are used on an isolated network that isn't
:     Warner> connected to the outside world and all the users on that
:     Warner> isolated network are trusted. Seems like a very limited
:     Warner> subset of FreeBSD users in general.
:
: Sounds like most corporate networks sitting behind firewalls. We use
: rsh/rlogin all over our internal development networks. We just don't
: let it through the firewall. And since everyone on the development
: network has root for all the machines, the security limitations in
: rsh and rlogin are a non-issue.

That assumes that your firewall is good and that it can't be breached. Once breached, the penetration will spread like wildfire, to mix my metaphors.

Warner

From owner-freebsd-security Fri Sep 22 14:30:10 2000
Date: Fri, 22 Sep 2000 23:30:02 +0200
From: Neil Blakey-Milner
To: Lyndon Nerenberg
Cc: security@FreeBSD.ORG
Subject: Re: sendmail default run state
Message-ID: <20000922233002.A34118@mithrandr.moria.org>
References: <20000922222026.A33410@mithrandr.moria.org> <200009222118.e8MLId117503@orthanc.ab.ca>
In-Reply-To: <200009222118.e8MLId117503@orthanc.ab.ca>; from lyndon@orthanc.ab.ca on Fri, Sep 22, 2000 at 03:18:39PM -0600

On Fri 2000-09-22 (15:18), Lyndon Nerenberg wrote:
>
> >>>>> "Neil" == Neil Blakey-Milner writes:
>
>     Neil> The only one I can think of is fetchmail. What other ones
>     Neil> behave like this? It is a good point, though.
>
> MH, exmh (I think), pine, mulberry, netscape (may default to "mail" rather
> than "localhost").
>
> You wouldn't run fetchmail in a configuration like I described.

Oh, misread you. fetchmail reinserts mail into your local SMTP server when delivering (configurable).

Gad, I'm happy I don't use any of those. Do people set their SMTP server to their ISP smtp server?

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 14:32:41 2000
Message-Id: <200009222132.e8MLWb117644@orthanc.ab.ca>
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
In-reply-to: Your message of "Fri, 22 Sep 2000 15:25:36 MDT." <200009222125.PAA71625@harmony.village.org>
Date: Fri, 22 Sep 2000 15:32:37 -0600
From: Lyndon Nerenberg

>>>>> "Warner" == Warner Losh writes:

    Warner> That assumes that your firewall is good and that it can't
    Warner> be breached.

Correct. But that's true for a lot more than just rsh.
--lyndon

From owner-freebsd-security Fri Sep 22 14:33:32 2000
Date: Fri, 22 Sep 2000 23:33:18 +0200
From: Neil Blakey-Milner
To: Lyndon Nerenberg
Cc: Warner Losh, freebsd-security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Message-ID: <20000922233318.A34189@mithrandr.moria.org>
References: <200009222026.OAA71131@harmony.village.org> <200009222122.e8MLMG117534@orthanc.ab.ca>
In-Reply-To: <200009222122.e8MLMG117534@orthanc.ab.ca>; from lyndon@orthanc.ab.ca on Fri, Sep 22, 2000 at 03:22:16PM -0600

On Fri 2000-09-22 (15:22), Lyndon Nerenberg wrote:
>     Warner> The company I currently work for (Timing Solutions) does
>     Warner> have systems that we deploy into isolated networks like
>     Warner> this, and we find it desirable to have these protocols
>     Warner> available, but would accept them being disabled by
>     Warner> default.
>
> Us too. Just don't remove the binaries themselves.

Maybe you can give me some clue - why are rsh and login suid-root? Can they function without it?
Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 14:39:24 2000
Message-Id: <200009222139.PAA71726@harmony.village.org>
To: Neil Blakey-Milner
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Cc: Lyndon Nerenberg, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 22 Sep 2000 23:33:18 +0200." <20000922233318.A34189@mithrandr.moria.org>
References: <20000922233318.A34189@mithrandr.moria.org> <200009222026.OAA71131@harmony.village.org> <200009222122.e8MLMG117534@orthanc.ab.ca>
Date: Fri, 22 Sep 2000 15:39:18 -0600
From: Warner Losh

In message <20000922233318.A34189@mithrandr.moria.org> Neil Blakey-Milner writes:
: Maybe you can give me some clue - why are rsh and login suid-root? Can
: they function without it?

No. Well, the kerberos support works, but they need to be suid root to bind to low ports. That's part of what makes the normal protocol so lame.
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 22 14:42:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 1CB4737B422 for ; Fri, 22 Sep 2000 14:42:33 -0700 (PDT) Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13caaP-0008wP-00; Fri, 22 Sep 2000 23:42:25 +0200 Date: Fri, 22 Sep 2000 23:42:25 +0200 From: Neil Blakey-Milner To: Warner Losh Cc: Lyndon Nerenberg , freebsd-security@FreeBSD.ORG Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! Message-ID: <20000922234224.A34348@mithrandr.moria.org> References: <20000922233318.A34189@mithrandr.moria.org> <200009222026.OAA71131@harmony.village.org> <200009222122.e8MLMG117534@orthanc.ab.ca> <20000922233318.A34189@mithrandr.moria.org> <200009222139.PAA71726@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <200009222139.PAA71726@harmony.village.org>; from imp@village.org on Fri, Sep 22, 2000 at 03:39:18PM -0600 Organization: Sunesi Clinical Systems X-Operating-System: FreeBSD 3.3-RELEASE i386 X-URL: http://rucus.ru.ac.za/~nbm/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri 2000-09-22 (15:39), Warner Losh wrote: > In message <20000922233318.A34189@mithrandr.moria.org> Neil Blakey-Milner writes: > : Maybe you can give me some clue - why is rsh and login suid-root? Can > : they function without it? > > No. Well, the kerberos support works, but they need to be suid root > to bind to low ports. That's part of what makes the normal protcol so > lame. Yeah, my brain eventually caught it - it's trying to tell the other system that the user isn't just pretending to be someone else. Ick. 
Neil -- Neil Blakey-Milner Sunesi Clinical Systems nbm@mithrandr.moria.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 22 15:39:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 72AA637B422 for ; Fri, 22 Sep 2000 15:39:47 -0700 (PDT) Received: from dialup-janus.css.qmw.ac.uk ([138.37.11.110]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 13cbTC-0001Ed-00; Fri, 22 Sep 2000 23:39:02 +0100 Received: from david by dialup-janus.css.qmw.ac.uk with local (Exim 2.12 #1) id 13cbSC-000Dyf-00; Fri, 22 Sep 2000 23:38:00 +0100 X-Mailer: exmh version 2.0.2 2/24/98 To: Cy Schubert - ITSD Open Systems Group Cc: Neil Blakey-Milner , security@FreeBSD.ORG, Peter Wemm Subject: Re: sendmail default run state In-reply-to: Your message of "Fri, 22 Sep 2000 13:11:51 PDT." <200009222012.e8MKCRF12785@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 22 Sep 2000 23:37:59 +0100 From: David Pick Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > sendmail_enable="YES" # run the sendmail MTA > > > sendmail_outboundonly_enable="YES" # don't listen for messages from the network Hmm. Jumping into this half-way through, does this mean: (1) outbound only (2) not inbound the difference being that in (2) a local MTA woould be running and would be allowed to accept messages from the local machine only. I've implemented this by using IPFW to allow TCP calls to port 25 via the loopback interface but not in from any "real" (real, tunnel, &c) interface. I feel (2) is more useful (but then, I would given what I do), but (1) might be of interest to some people (no need tohave sendmail/exim/qmail listening). 
> > > sendmail_queuetime="30"          # time in minutes between re-trying queued items
> > > sendmail_flags=""                # additional sendmail flags
> > What do others think of this?  (originally Peter's idea)
> >
> > I personally would really like 'sendmail_outbound_only="YES"' to be the
> > default in /etc/defaults/rc.conf, with an option in sysinstall's Network
> > Services for turning it on/off.

Agreed.

On a similar vein, I used to block incoming TCP connections to port 6000 (X)
until I found a hint on this list that adding "-nolisten tcp" to the server
setup line in /usr/X11R6/lib/X11/xdm/Xservers was a much better way to go.
(I use SSH extensively ;-)  In fact (IIRC) it was a message from Cy!

--
David Pick

From owner-freebsd-security Fri Sep 22 15:49:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 05A8F37B424 for ; Fri, 22 Sep 2000 15:49:47 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cbdE-00098h-00; Sat, 23 Sep 2000 00:49:24 +0200
Date: Sat, 23 Sep 2000 00:49:24 +0200
From: Neil Blakey-Milner
To: David Pick
Cc: Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
Message-ID: <20000923004924.A35072@mithrandr.moria.org>
References: <200009222012.e8MKCRF12785@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from D.M.Pick@qmw.ac.uk on Fri, Sep 22, 2000 at 11:37:59PM +0100
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (23:37), David Pick wrote:
> > > > sendmail_enable="YES"            # run the sendmail MTA
> > > > sendmail_outboundonly_enable="YES" # don't listen for messages from the network
>
> Hmm.  Jumping into this half-way through, does this mean:
> (1) outbound only
> (2) not inbound

1.

> the difference being that in (2) a local MTA would be running and would
> be allowed to accept messages from the local machine only.  I've implemented
> this by using IPFW to allow TCP calls to port 25 via the loopback interface
> but not in from any "real" (real, tunnel, &c) interface.

Yeah, it would be nice to offer this, but we can't assure ipfw/ipfilter
rules, and my knowledge of sendmail configuration is dangerous.  Is there
a way to tell sendmail what IP addresses to bind?  If it means rewriting
the configuration file, we could investigate the use of sed to allow us
to specify smarthost (DS in sendmail, IIRC) and what IP(s) to bind.

> I feel (2) is more useful (but then, I would given what I do), but (1) might
> be of interest to some people (no need to have sendmail/exim/qmail listening).

My thinking is that people who start firewalling things are quite able
to change the option the way they like.

> On a similar vein, I used to block incoming TCP connections to port 6000 (X)
> until I found a hint on this list that adding "-nolisten tcp" to the server
> setup line in /usr/X11R6/lib/X11/xdm/Xservers was a much better way to go.
> (I use SSH extensively ;-)  In fact (IIRC) it was a message from Cy!

Let me remember that.  I'm supposed to be writing the all-encompassing
"How to Secure your FreeBSD System" document "sometime soon" (TM).  ;)

I suppose making that the default might ire some people.  Maybe we
should ire some people.
;)

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 16:29:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id D703E37B43C for ; Fri, 22 Sep 2000 16:29:40 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id QAA09742; Fri, 22 Sep 2000 16:28:42 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda09740; Fri Sep 22 16:28:40 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id QAA20215; Fri, 22 Sep 2000 16:28:39 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdY20201; Fri Sep 22 16:28:29 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e8MNSTF13435; Fri, 22 Sep 2000 16:28:29 -0700 (PDT)
Message-Id: <200009222328.e8MNSTF13435@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdw13431; Fri Sep 22 23:28:27 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: Warner Losh
Cc: Neil Blakey-Milner , Lyndon Nerenberg , freebsd-security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
In-reply-to: Your message of "Fri, 22 Sep 2000 15:39:18 MDT." <200009222139.PAA71726@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 22 Sep 2000 16:28:27 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200009222139.PAA71726@harmony.village.org>, Warner Losh writes:
> In message <20000922233318.A34189@mithrandr.moria.org> Neil Blakey-Milner wri
> tes:
> : Maybe you can give me some clue - why is rsh and login suid-root?  Can
> : they function without it?
>
> No.  Well, the kerberos support works, but they need to be suid root
> to bind to low ports.  That's part of what makes the normal protocol so
> lame.

The other annoying thing about rsh/krsh is that rshd/kshd open a
connection back to the client -- very firewall unfriendly.  Not that one
would want to allow these protocols across a firewall, however within our
network we firewall our desktop systems from our production servers on
our network, which are themselves behind two other firewalls, to discourage
developers and Oracle admins from connecting to our desktop systems.  This
is a layered onion approach to firewalls where each sysadmin's desktop is
protected because of its ability to connect to production servers on our
own network that normally cannot talk to each other, e.g. isolated from
each other using firewalls or VLAN's, though our desktop systems can talk
to each system on our raised floor.

So my question is why the second TCP session between rshd/kshd and
rsh/krsh?  Is it for a full-duplex session?

Regards,                       Phone:  (250)387-8437
Cy Schubert                     Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Fri Sep 22 16:33: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from orthanc.ab.ca (207-167-15-66.dsl.worldgate.ca [207.167.15.66]) by hub.freebsd.org (Postfix) with ESMTP id 8602F37B424 for ; Fri, 22 Sep 2000 16:33:04 -0700 (PDT)
Received: from orthanc.ab.ca (localhost [127.0.0.1]) by orthanc.ab.ca (8.11.0.Beta3/8.11.0.Beta3) with ESMTP id e8MNWt118034; Fri, 22 Sep 2000 17:32:55 -0600 (MDT)
Message-Id: <200009222332.e8MNWt118034@orthanc.ab.ca>
To: Neil Blakey-Milner
Cc: security@FreeBSD.ORG
Subject: Re: sendmail default run state
In-reply-to: Your message of "Sat, 23 Sep 2000 00:49:24 +0200." <20000923004924.A35072@mithrandr.moria.org>
Date: Fri, 22 Sep 2000 17:32:54 -0600
From: Lyndon Nerenberg
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Neil" == Neil Blakey-Milner writes:

    Neil> Yeah, it would be nice to offer this, but we can't assure
    Neil> ipfw/ipfilter rules, and my knowledge of sendmail
    Neil> configuration is dangerous.  Is there a way to tell sendmail
    Neil> what IP addresses to bind?

Not right now.  I'm working on patches that will let you do this.
Hopefully these will be incorporated into the 8.12 release.

Meanwhile, FEATURE(nullclient) gets you most of the way there.  You
still have sendmail listening on all your interfaces, but there isn't
a whole lot anyone off the box can do with them.

    Neil> If it means rewriting the
    Neil> configuration file, we could investigate the use of sed to
    Neil> allow us to specify smarthost (DS in sendmail, IIRC) and
    Neil> what IP(s) to bind.

No, generate a custom .mc and build a .cf from that.  Editing the .cf
directly is akin to patching object decks.  (Ya, it's fun, but not
very productive :-)  If you really need it, build a
point-and-shoot-yourself-in-the-head gooey front end.

--lyndon (not a gooey fan)

From owner-freebsd-security Fri Sep 22 16:34:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from orthanc.ab.ca (207-167-15-66.dsl.worldgate.ca [207.167.15.66]) by hub.freebsd.org (Postfix) with ESMTP id AF64537B422 for ; Fri, 22 Sep 2000 16:34:33 -0700 (PDT)
Received: from orthanc.ab.ca (localhost [127.0.0.1]) by orthanc.ab.ca (8.11.0.Beta3/8.11.0.Beta3) with ESMTP id e8MNYV118058; Fri, 22 Sep 2000 17:34:31 -0600 (MDT)
Message-Id: <200009222334.e8MNYV118058@orthanc.ab.ca>
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
In-reply-to: Your message of "Fri, 22 Sep 2000 16:28:27 PDT." <200009222328.e8MNSTF13435@cwsys.cwsent.com>
Date: Fri, 22 Sep 2000 17:34:31 -0600
From: Lyndon Nerenberg
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Cy" == Cy Schubert <- ITSD Open Systems Group > writes:

    Cy> So my question is why the second TCP session between rshd/kshd
    Cy> and rsh/krsh?  Is it for a full-duplex session?

rshd opens a back-channel for stderr output.
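Lyndon's advice in the sendmail sub-thread above is to write a short .mc and generate the .cf from it rather than edit sendmail.cf by hand, and to use FEATURE(nullclient) on hosts that only send mail. The .mc below is an added example of that, not a file from the thread or from the FreeBSD tree. The relay name mailhub.example.com is a placeholder, and the DAEMON_OPTIONS line assumes a sendmail release whose cf/README documents the Addr= key for DaemonPortOptions; whether your release honours it is something to check there, since the thread itself says binding to chosen addresses was not yet available at the time.

```m4
divert(-1)
# Added example .mc for an outbound-only FreeBSD host (not from the thread).
# Assumptions: the relay is mailhub.example.com (placeholder name) and this
# sendmail release supports FEATURE(nullclient) and DAEMON_OPTIONS(Addr=...).
divert(0)dnl
VERSIONID(`outbound-only example')dnl
OSTYPE(bsd4.4)dnl
dnl Hand every message to the relay: no local delivery, no aliases,
dnl no MAILER() lines needed.  The host masquerades as the hub.
FEATURE(`nullclient', `mailhub.example.com')dnl
dnl If a daemon is ever started with -bd, let it accept SMTP on the
dnl loopback address only, so local MUAs that speak SMTP still work
dnl while nothing is reachable from other interfaces.
DAEMON_OPTIONS(`Family=inet, Name=MTA, Addr=127.0.0.1, Port=smtp')dnl
```

Build the .cf from the sendmail cf directory with `m4 ../m4/cf.m4 outbound.mc > sendmail.cf` (the location of the cf tree on a given FreeBSD release is an assumption to check). Run sendmail with `-q30m` and without `-bd`, and no SMTP listener exists at all; with `-bd`, the DAEMON_OPTIONS line confines it to 127.0.0.1, which is the effect David Pick obtained with IPFW rules.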
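The sendmail sub-thread above turns on two ways of making an MTA "outbound only": David Pick's IPFW rule that admits TCP port 25 only via loopback, and rc.conf settings that keep sendmail from listening at all. Neil's objection is that an installer cannot assume firewall rules are in place, so the useful defender's question is how to verify the result on a running host. The script below is an added example, not from the thread: it checks an rc.conf `sendmail_flags` value for daemon mode (`-bd`) and scans sockstat(1)-style output for SMTP listeners outside 127.0.0.1. The sockstat listing is constructed inline so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the thread: verify that an "outbound only" MTA
# really is not reachable from the network.  Two checks:
#   1. the rc.conf sendmail_flags value does not start a listening daemon (-bd);
#   2. no TCP socket listens on port 25 on any address other than 127.0.0.1.

# Constructed sample in the layout of `sockstat -4l`; not captured from a real host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   312   4  tcp4   *:25                  *:*
root     sshd       301   3  tcp4   *:22                  *:*
root     sendmail   999   4  tcp4   127.0.0.1:25          *:*
root     syslogd    150   4  udp4   *:514                 *:*'

# Return 0 if the given sendmail_flags value puts sendmail in daemon
# (listening) mode, i.e. it contains -bd.  "-q30m" alone only runs the
# queue every 30 minutes and opens no listening socket.
sendmail_flags_listen() {
    case " $1 " in
        *" -bd"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print "COMMAND ADDRESS:PORT" for every TCP socket listening on port 25
# on an address other than 127.0.0.1 (sockstat prints "*" for INADDR_ANY).
# Return 1 if at least one such listener exists, 0 otherwise.
exposed_smtp_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")          # a[1] = address, a[n] = port
            if (a[n] == "25" && a[1] != "127.0.0.1") {
                print $2, $6
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Stand-alone run against a typical rc.conf value and the constructed sample.
if sendmail_flags_listen "-bd -q30m"; then
    echo 'sendmail_flags="-bd -q30m" starts a listening daemon'
fi
if exposed_smtp_listeners "$SAMPLE_SOCKSTAT"; then
    echo "no SMTP listener outside loopback"
else
    echo "WARNING: SMTP is reachable from the network (see the listing above)"
fi
```

On a real host replace the constructed text with `$(sockstat -4l)` and the flags with the value from `/etc/rc.conf`; the two functions are independent, so a host that passes the flags check but fails the socket check has a listener started some other way (an init script, a second MTA) and is worth a closer look.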
From owner-freebsd-security Fri Sep 22 16:49:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A695A37B423 for ; Fri, 22 Sep 2000 16:49:45 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id RAA12267; Fri, 22 Sep 2000 17:49:42 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id RAA72314; Fri, 22 Sep 2000 17:49:42 -0600 (MDT)
Message-Id: <200009222349.RAA72314@harmony.village.org>
To: Cy Schubert - ITSD Open Systems Group
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 22 Sep 2000 16:28:27 PDT." <200009222328.e8MNSTF13435@cwsys.cwsent.com>
References: <200009222328.e8MNSTF13435@cwsys.cwsent.com>
Date: Fri, 22 Sep 2000 17:49:42 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200009222328.e8MNSTF13435@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
: So my question is why the second TCP session between rshd/kshd and
: rsh/krsh?  Is it for a full-duplex session?

So that stderr can be connected back to the original person w/o having
to have the two fd's multiplexed.

Warner

From owner-freebsd-security Fri Sep 22 17: 1:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 8AA3A37B640 for ; Fri, 22 Sep 2000 17:01:46 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id SAA23120; Fri, 22 Sep 2000 18:01:34 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id SAA20358; Fri, 22 Sep 2000 18:01:32 -0600 (MDT) (envelope-from nate)
Date: Fri, 22 Sep 2000 18:01:32 -0600 (MDT)
Message-Id: <200009230001.SAA20358@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Warner Losh
Cc: Neil Blakey-Milner , security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
In-Reply-To: <200009222012.OAA70984@harmony.village.org>
References: <20000922215616.A33103@mithrandr.moria.org> <200009100358.e8A3wUG76071@netplex.com.au> <200009100415.e8A4F4G76156@netplex.com.au> <20000910154357.A78311@mithrandr.moria.org> <200009222012.OAA70984@harmony.village.org>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> : I personally would really like 'sendmail_outbound_only="YES"' to be the
> : default in /etc/defaults/rc.conf, with an option in sysinstall's Network
> : Services for turning it on/off.
>
> I like this a lot.  We have several machines in the Village that ARE
> NOT FOR EMAIL (caps meant to describe the tone of voice we have when we
> talk about them).  These machines generate email all the time, but
> should never receive email.  We solve this problem with a simple cron
> job that runs once a day after the daily/weekly/monthly scripts run to
> deal with failures to send those right away.

I don't understand the issue.  I've got machines, and I just never
startup sendmail, but it sends email out just fine using the
null-client sendmail setup for 'locally' generated email.

This limits the sendmail connections to a known server, and doesn't
require sendmail to listen on port 25.

What am I missing?

Nate

From owner-freebsd-security Fri Sep 22 17:11:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id EF9CE37B423 for ; Fri, 22 Sep 2000 17:11:41 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13ccuV-0009MB-00; Sat, 23 Sep 2000 02:11:19 +0200
Date: Sat, 23 Sep 2000 02:11:19 +0200
From: Neil Blakey-Milner
To: Nate Williams
Cc: Warner Losh , security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
Message-ID: <20000923021119.A35919@mithrandr.moria.org>
References: <20000922215616.A33103@mithrandr.moria.org> <200009100358.e8A3wUG76071@netplex.com.au> <200009100415.e8A4F4G76156@netplex.com.au> <20000910154357.A78311@mithrandr.moria.org> <200009222012.OAA70984@harmony.village.org> <200009230001.SAA20358@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200009230001.SAA20358@nomad.yogotech.com>; from nate@yogotech.com on Fri, Sep 22, 2000 at 06:01:32PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 2000-09-22 (18:01), Nate Williams wrote:
> > : I personally would really like 'sendmail_outbound_only="YES"' to be the
> > : default in /etc/defaults/rc.conf, with an option in sysinstall's Network
> > : Services for turning it on/off.
> >
> > I like this a lot.  We have several machines in the Village that ARE
> > NOT FOR EMAIL (caps meant to describe the tone of voice we have when we
> > talk about them).  These machines generate email all the time, but
> > should never receive email.  We solve this problem with a simple cron
> > job that runs once a day after the daily/weekly/monthly scripts run to
> > deal with failures to send those right away.
>
> I don't understand the issue.  I've got machines, and I just never
> startup sendmail, but it sends email out just fine using the
> null-client sendmail setup for 'locally' generated email.
>
> This limits the sendmail connections to a known server, and doesn't
> require sendmail to listen on port 25.
>
> What am I missing?

How do you enable nullclient from rc.conf?

What happens if your smarthost server goes down - when does sendmail
check your queue again?

Two different issues - sendmail for queueing and delivery, but not
listening to network, and sendmail with smarthost.  We can emulate the
first in the rc system, but not obviously easily the second.
Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Sep 22 17:24:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 4505C37B422 for ; Fri, 22 Sep 2000 17:24:47 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id SAA23509; Fri, 22 Sep 2000 18:24:43 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id SAA20488; Fri, 22 Sep 2000 18:24:42 -0600 (MDT) (envelope-from nate)
Date: Fri, 22 Sep 2000 18:24:42 -0600 (MDT)
Message-Id: <200009230024.SAA20488@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Neil Blakey-Milner
Cc: Nate Williams , Warner Losh , security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
In-Reply-To: <20000923021119.A35919@mithrandr.moria.org>
References: <20000922215616.A33103@mithrandr.moria.org> <200009100358.e8A3wUG76071@netplex.com.au> <200009100415.e8A4F4G76156@netplex.com.au> <20000910154357.A78311@mithrandr.moria.org> <200009222012.OAA70984@harmony.village.org> <200009230001.SAA20358@nomad.yogotech.com> <20000923021119.A35919@mithrandr.moria.org>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > : I personally would really like 'sendmail_outbound_only="YES"' to be the
> > > : default in /etc/defaults/rc.conf, with an option in sysinstall's Network
> > > : Services for turning it on/off.
> > >
> > > I like this a lot.  We have several machines in the Village that ARE
> > > NOT FOR EMAIL (caps meant to describe the tone of voice we have when we
> > > talk about them).  These machines generate email all the time, but
> > > should never receive email.  We solve this problem with a simple cron
> > > job that runs once a day after the daily/weekly/monthly scripts run to
> > > deal with failures to send those right away.
> >
> > I don't understand the issue.  I've got machines, and I just never
> > startup sendmail, but it sends email out just fine using the
> > null-client sendmail setup for 'locally' generated email.
> >
> > This limits the sendmail connections to a known server, and doesn't
> > require sendmail to listen on port 25.
> >
> > What am I missing?
>
> How do you enable nullclient from rc.conf?
>

Gotcha.

> What happens if your smarthost server goes down - when does sendmail
> check your queue again?

It doesn't go down. :)

> Two different issues - sendmail for queueing and delivery, but not
> listening to network, and sendmail with smarthost.  We can emulate the
> first in the rc system, but not obviously easily the second.

True.

Nate

From owner-freebsd-security Fri Sep 22 19:15:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id BF05737B424 for ; Fri, 22 Sep 2000 19:15:43 -0700 (PDT)
Received: (qmail 9156 invoked by uid 0); 23 Sep 2000 02:15:42 -0000
Received: from p3ee21652.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.82) by mail.gmx.net with SMTP; 23 Sep 2000 02:15:42 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id WAA12931 for security@FreeBSD.ORG; Fri, 22 Sep 2000 22:09:08 +0200
Date: Fri, 22 Sep 2000 22:09:08 +0200
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922220908.D5065@speedy.gsinet>
Mail-Followup-To: security@FreeBSD.ORG
References: <20000922160123.A29787@mithrandr.moria.org> <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922165725.A30364@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000922165725.A30364@mithrandr.moria.org>; from nbm@mithrandr.moria.org on Fri, Sep 22, 2000 at 04:57:25PM +0200
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 22, 2000 at 16:57 +0200, Neil Blakey-Milner wrote:
>
> I think inetd_enable="YES"/"NO" is mostly sufficient.  Anything
> beyond that is the realm of the administrator.  Perhaps we can
> put your scripts in /usr/share/examples/inetd/, along with
> example configurations, like inetd.conf.rsh, inetd.conf.ftp,
> inetd.conf.full.  Then have a mostly-empty /etc/inetd.conf that
> isn't self-documenting, with ftp and commented out telnet and
> (internal) auth.

How about having simply two questions like "do you want to run
inetd on your system" and "would you like to edit the conf file
now"?  This will introduce only one or two question dialogs in
the install sequence and provides the ability to absolutely
customize every single aspect.  The second question could have a
hint like "you may as well come back anytime and edit
/etc/inetd.conf" or something.  Now it's "only" about wording.
The editor is known and it works with the ftp greeting message
already.

> What else do people run out of inetd?  (I don't know - I don't
> have any systems that run inetd, except one with only internal
> auth so I can IRC from it)

I'm afraid you never have the idea of what people might want to
run from inetd.  It's even not always to be understood that they
run inetd at all. :)  Writing an installer you just cannot think
of every wish a user might have.  But those with more concrete
intentions should always get what they want by using any editor.
All the others can be satisfied(?) with a "run inetd at all?"
question.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

From owner-freebsd-security Fri Sep 22 21:13:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id 225FB37B422 for ; Fri, 22 Sep 2000 21:13:53 -0700 (PDT)
Received: from khitomer.msc.cornell.edu (IDENT:0@khitomer.msc.cornell.edu [128.84.249.245]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id AAA09165; Sat, 23 Sep 2000 00:13:51 -0400
Received: from localhost (mitch@localhost) by khitomer.msc.cornell.edu (8.9.3/8.9.3) with ESMTP id AAA09091; Sat, 23 Sep 2000 00:13:50 -0400
X-Authentication-Warning: khitomer.msc.cornell.edu: mitch owned process doing -bs
Date: Sat, 23 Sep 2000 00:13:50 -0400 (EDT)
From: Mitch Collinsworth
To: Brett Glass
Cc: Neil Blakey-Milner , Cy Schubert - ITSD Open Systems Group , Wes Peters , security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-Reply-To: <4.3.2.7.2.20000922122414.00c7c420@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 22 Sep 2000, Brett Glass wrote:

> No; the LACK of certain things in the default install and in sysinstall
> leads to tedious work.  It'd be nice to do it once and for all.

Which is why I use GNU cfengine.  Problem solved.
-Mitch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 22 21:26:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id AB74637B422 for ; Fri, 22 Sep 2000 21:26:55 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA14941; Fri, 22 Sep 2000 22:26:42 -0600 (MDT) Message-Id: <4.3.2.7.2.20000922222550.00c7d100@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 22 Sep 2000 22:26:34 -0600 To: Mitch Collinsworth From: Brett Glass Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?) Cc: security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20000922122414.00c7c420@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:13 PM 9/22/2000, Mitch Collinsworth wrote: >Which is why I use GNU cfengine. Problem solved. It annoys me very much that I ever have to use ANYTHING with "GNU" in its name. But that's another issue. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 22 21:35: 0 2000 Delivered-To: freebsd-security@freebsd.org Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by hub.freebsd.org (Postfix) with ESMTP id 0C55837B423 for ; Fri, 22 Sep 2000 21:34:58 -0700 (PDT) Received: from khitomer.msc.cornell.edu (IDENT:0@khitomer.msc.cornell.edu [128.84.249.245]) by mercury.ccmr.cornell.edu (8.9.3/8.9.3) with ESMTP id AAA09266; Sat, 23 Sep 2000 00:34:57 -0400 Received: from localhost (mitch@localhost) by khitomer.msc.cornell.edu (8.9.3/8.9.3) with ESMTP id AAA09134; Sat, 23 Sep 2000 00:34:56 -0400 X-Authentication-Warning: khitomer.msc.cornell.edu: mitch owned process doing -bs Date: Sat, 23 Sep 2000 00:34:56 -0400 (EDT) From: Mitch Collinsworth To: Brett Glass Cc: Mitch Collinsworth , security@FreeBSD.ORG Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?) In-Reply-To: <4.3.2.7.2.20000922222550.00c7d100@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 22 Sep 2000, Brett Glass wrote: > It annoys me very much that I ever have to use ANYTHING > with "GNU" in its name. But that's another issue. I didn't say you have to use it. I said I use it and for me it solves the problem you were describing. If the name bothers you that much, don't use it. sheesh. 
-Mitch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Sep 22 22: 6:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 8067D37B422 for ; Fri, 22 Sep 2000 22:06:19 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 22 Sep 2000 22:05:08 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8N569s42094; Fri, 22 Sep 2000 22:06:09 -0700 (PDT) (envelope-from cjc) Date: Fri, 22 Sep 2000 22:06:03 -0700 From: "Crist J . Clark" To: Neil Blakey-Milner Cc: Nate Williams , Warner Losh , security@FreeBSD.ORG, Peter Wemm Subject: Re: sendmail default run state Message-ID: <20000922220603.E367@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20000922215616.A33103@mithrandr.moria.org> <200009100358.e8A3wUG76071@netplex.com.au> <200009100415.e8A4F4G76156@netplex.com.au> <20000910154357.A78311@mithrandr.moria.org> <200009222012.OAA70984@harmony.village.org> <200009230001.SAA20358@nomad.yogotech.com> <20000923021119.A35919@mithrandr.moria.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000923021119.A35919@mithrandr.moria.org>; from nbm@mithrandr.moria.org on Sat, Sep 23, 2000 at 02:11:19AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Sep 23, 2000 at 02:11:19AM +0200, Neil Blakey-Milner wrote: > On Fri 2000-09-22 (18:01), Nate Williams wrote: > > > : I personally would really like 'sendmail_outbound_only="YES"' to be the > > > : default in /etc/defaults/rc.conf, with an option in sysinstall's Network > > > : Services for turning it on/off. > > > > > > I like this a lot. 
> > > We have several machines in the Village that ARE NOT FOR EMAIL (caps meant to describe the tone of voice we have when we talk about them). These machines generate email all the time, but should never receive email. We solve this problem with a simple cron job that runs once a day after the daily/weekly/monthly scripts run to deal with failures to send those right away.
> >
> > I don't understand the issue. I've got machines, and I just never start up sendmail, but it sends email out just fine using the null-client sendmail setup for 'locally' generated email.
> >
> > This limits the sendmail connections to a known server, and doesn't require sendmail to listen on port 25.
> >
> > What am I missing?
>
> How do you enable nullclient from rc.conf?

You don't need the nullclient setup. sendmail running as a listening daemon has nothing to do with sending mail in any config. Except...

> What happens if your smarthost server goes down - when does sendmail check your queue again?

If the mail does not deliver on the first try, if you tell the daemon to, it will try again at a later time. On machines where I don't run a sendmail daemon at all, it checks the queue next time I type 'sendmail -q' or the daily 'sendmail -q' I run from cron.

IMHO, all this talk about 'sendmail_outbound_only' and the like is adding an extra level of obscurity. I think that what would be even better would just be good comments on the 'sendmail_flags' variable. How about in /etc/rc.conf or /etc/defaults/rc.conf,

    #sendmail_flags="-bd -q30m"  # Flags tell sendmail to listen for incoming
                                 # mail and check outgoing queue every 30 min
    sendmail_flags="-q30m"       # Flag tells sendmail to check outgoing queue
                                 # every 30 min, does not listen for incoming

Just an example, but I really think these changes are so easy with just tweaking that variable that it is ridiculous to make it more complex.
But for anything truly complex, like changing sendmail.cf, we just have to let the user fend for themselves. It is beyond the scope of sysinstall.

--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Fri Sep 22 22:10:44 2000
Date: Fri, 22 Sep 2000 22:10:24 -0700
From: "Crist J. Clark"
To: Neil Blakey-Milner
Cc: Brett Glass, Wes Peters, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922221024.F367@149.211.6.64.reflexcom.com>
In-Reply-To: <20000922103446.A25222@mithrandr.moria.org>

On Fri, Sep 22, 2000 at 10:34:46AM +0200, Neil Blakey-Milner wrote:

[snip]

> email clients use sendmail to send mail.
> If sendmail isn't running, it doesn't queue. We'll just lose that mail to a black hole. That isn't obvious.

sendmail does queue unsent mail. It is not lost. The queue can be processed manually (or from a crontab) by running,

    $ sendmail -q

--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Fri Sep 22 22:20:04 2000
Date: Fri, 22 Sep 2000 22:19:55 -0700
From: "Crist J. Clark"
To: Cy Schubert - ITSD Open Systems Group
Cc: Warner Losh, Neil Blakey-Milner, Lyndon Nerenberg, freebsd-security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Message-ID: <20000922221955.G367@149.211.6.64.reflexcom.com>
In-Reply-To: <200009222328.e8MNSTF13435@cwsys.cwsent.com>

On Fri, Sep 22, 2000 at 04:28:27PM -0700, Cy Schubert - ITSD Open Systems Group wrote:

> In message <200009222139.PAA71726@harmony.village.org>, Warner Losh writes:
> > In message <20000922233318.A34189@mithrandr.moria.org> Neil Blakey-Milner writes:
> > : Maybe you can give me some clue - why is rsh and login suid-root? Can they function without it?
> >
> > No. Well, the kerberos support works, but they need to be suid root to bind to low ports. That's part of what makes the normal protocol so lame.
>
> The other annoying thing about rsh/krsh is that rshd/kshd open a connection back to the client -- very firewall unfriendly.

Just like that @#$% ftp.

--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Fri Sep 22 22:21:42 2000
Date: Fri, 22 Sep 2000 22:21:25 -0700
From: "Crist J. Clark"
To: Lyndon Nerenberg
Cc: Brett Glass, Dave McKay, Wes Peters, nbm@mithrandr.moria.org, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922222125.H367@149.211.6.64.reflexcom.com>
In-Reply-To: <200009221849.e8MInS116911@orthanc.ab.ca>

On Fri, Sep 22, 2000 at 12:49:28PM -0600, Lyndon Nerenberg wrote:

> >>>>> "Brett" == Brett Glass writes:
>
> Brett> It should not be. It sends passwords in the clear. This is not acceptable on today's Internet.
>
> In certain situations. There is hardware (e.g. terminal servers, hubs) that speak only telnet for remote configuration, and will never support anything but telnet for remote configuration.

Cisco's latest IOSs support SSH and more and more will in the future.

--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Fri Sep 22 22:24:33 2000
Date: Fri, 22 Sep 2000 22:24:28 -0700
From: "Crist J. Clark"
To: "Ron 'The InSaNe One' Rosson"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kame VPN/IPsec FreeBSD srvr to Win32 VPN clients?
Message-ID: <20000922222428.I367@149.211.6.64.reflexcom.com>
In-Reply-To: <20000921081815.A65154@lunatic.oneinsane.net>

On Thu, Sep 21, 2000 at 08:18:15AM -0700, Ron 'The InSaNe One' Rosson wrote:

> Len Conrad (lconrad@Go2France.com) wrote:
> > What experience does anybody have with the above?
> >
> > Using which Win32 VPN client?
>
> I am looking for the same thing but I want FreeBSD as a client too. Also want to know if I can use the private IP space for the VPN addresses on the VPN server and use NAT to allow them to use the network that they VPN'd to.
>
> or am I thinking the impossible? ;-)

You can run ESP between any two hosts. NAT all you want. You cannot do AH between two hosts if the address of one has been NAT'ed.

--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Fri Sep 22 23:25:54 2000
Message-ID: <39CC445A.5A7C0D07@softweyr.com>
Date: Fri, 22 Sep 2000 23:49:14 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Brett Glass
Cc: nbm@mithrandr.moria.org, security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)

Brett Glass wrote:
>
> At 04:40 PM 9/21/2000, Wes Peters wrote:
>
> >Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE WANT THEM THAT WAY? Most people who install FreeBSD just want telnet, mail, and NFS to work,
>
> IMHO:
>
> Telnet is dangerous and should be disabled now that SSH is in common use and is not encumbered by patents. sshd should be on unless the user asks for it not to be. (He or she should still be asked.)
>
> Mail should be an option that defaults to "on" but lets the user ask that it not be activated at install time. Many of us like to reconfigure before turning it on. And others will be using FreeBSD as a workstation and will be using an e-mail client.... Sendmail doesn't need to be running.
>
> As for NFS: I would take issue with the assertion that most people want it on. Also, last time I checked the default install of FreeBSD turned on /sbin/portmap even if the user explicitly asks for no NFS! This is unnecessary and is a security breach just waiting to happen.
I don't disagree with you on any of these points except the idea of cramming them down the throat of average FreeBSD users.

> >they don't want to spend hours agonizing over the configuration of every single computer they install.
>
> I wind up spending hours agonizing over the configuration of every FreeBSD install I do, because I have to turn off many of the defaults which could potentially compromise security or waste resources.

If you don't simply generate a set of patches and apply them, that's your fault. Most of these can be disabled by simply appending the proper "NO" lines to /etc/rc.conf.

> >They rely on firewalls, prayer, or abject cluelessness to secure their systems, and that's just fine.
>
> Windows users do that. FreeBSD users should have it better.

No, they shouldn't, unless they really want it. Let them make their own decisions. We're developing their operating system, not wiping their noses and asses.

> >Have you considered using OpenBSD? It does install with a more secure (i.e. "doesn't work for most people") configuration out of the box.
>
> I have not only considered it -- I've used it quite a bit. On the table next to me are machines with the latest releases of FreeBSD, NetBSD, and OpenBSD.

Me too. Well, my NetBSD machine is a bit out of date, but I've ftp'd the latest 1.5 candidate and am hoping for some time to install it someday soon. They all have their warts and beauties, but FreeBSD aims to be the most useful to the largest number of people out of the box. If it doesn't meet your exact needs, that doesn't make it in any way unsuitable for the average unwashed masses.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/

From owner-freebsd-security Sat Sep 23 00:04:18 2000
Message-ID: <39CC55C6.A4507448@softweyr.com>
Date: Sat, 23 Sep 2000 01:03:34 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Phil Homewood
Cc: Neil Blakey-Milner, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)

Phil Homewood wrote:
>
> Neil Blakey-Milner wrote:
> > email clients use sendmail to send mail. If sendmail isn't running, it doesn't queue. We'll just lose that mail to a black hole. That isn't obvious.
>
> You could default to running sendmail without the "-bd" flag and have a checkbox to enable "this machine wants to accept email from the network", maybe?

OpenBSD does this by default.
Some simple documentation on how to replace sendmail with postfix, qmail, or exim would be handy too. Wokness and I are working on the latter, having both recently converted to exim on multiple systems.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/

From owner-freebsd-security Sat Sep 23 00:09:20 2000
Message-ID: <39CC5820.27C06E6F@softweyr.com>
Date: Sat, 23 Sep 2000 01:13:36 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Drew Derbyshire
Cc: freebsd-security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
References: <39CB4C42.1A59669C@kew.com>

Drew Derbyshire wrote:
>
> > Neil Blakey-Milner wrote:
> > Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE WANT THEM THAT WAY?
>
> Did you take a survey?

Yes. The lack of complaints from anybody other than Brett Glass constitutes our unofficial, non-scientific survey.

> > Most people who install FreeBSD just want telnet, mail, and NFS to work,
>
> Most people also want a secure system. Don't even get me started about rlogin/rsh being on by default in /etc/inetd.conf.

Most people wouldn't know a secure system if it bit them in the nose.
> IMHO, many people wouldn't know NFS if it bit them in the nose.

Funny, every place I've worked for the past 15 years has used NFS quite extensively. Oh, but then, I've been working in UNIX shops for quite some time.

> If an NFS startup is enabled and the associated required portmap server is not, then an improved RC script can override the setting and start portmap automatically (with a suitable nasty warning to console and/or log). Turning on portmap by default because someone MAY want NFS is not suitable.

You seem to assume nothing in the world other than NFS uses portmapper.

> > they don't want to spend hours agonizing over the configuration of every single computer they install. They rely on firewalls, prayer, or abject cluelessness to secure their systems, and that's just fine.
>
> God looks after fools and small children. Despite appearances, naive system admins don't officially qualify for "fool" status, so the OS developers need to step in for God.

No, they don't. I don't suppose you've ever heard the phrase "mechanism, not policy" have you?

> Like others, I would prefer mail was left disabled or prompted for:

Fine, you and "others" can disable it yourself. If your requirements are really that different, you should learn how to create your own release, but keep out of the default install because it really does work for most people.

> In summary, if the install is going to prompt for network services, it needs to prompt consistently. Prompting for many of the services and not others makes one feel like the job is done, and it's not.

So put your code where your mouth is and submit some patches. I don't think anyone holds anything against making sysinstall more flexible, just against buggering the default installation into something that doesn't work out of the box for most users. Who DO, by the way, expect telnet and mail to work.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/

From owner-freebsd-security Sat Sep 23 00:18:01 2000
Message-ID: <39CC5B53.3582C7E1@softweyr.com>
Date: Sat, 23 Sep 2000 01:27:15 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Neil Blakey-Milner
Cc: Cy Schubert - ITSD Open Systems Group, Brett Glass, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
References: <20000922160123.A29787@mithrandr.moria.org> <200009221435.e8MEZCs11279@cwsys.cwsent.com> <20000922165725.A30364@mithrandr.moria.org>

Neil Blakey-Milner wrote:
>
> What else do people run out of inetd? (I don't know - I don't have any systems that run inetd, except one with only internal auth so I can IRC from it)

ftpd, pop3 and imap outside the firewall. discard and sprayd on some internal machines, behind the firewall where these can't be used to DOS something.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/

From owner-freebsd-security Sat Sep 23 03:08:52 2000
Date: Sat, 23 Sep 2000 18:08:45 +0800
From: Yusuf Goolamabbas
To: freebsd-security@freebsd.org
Subject: Is it possible to configure a FreeBSD VPN server to talk to Windows/Linux/BSD clients
Message-ID: <20000923180845.A26238@outblaze.com>

Hi, I currently have a FreeBSD 4.1-stable bridging firewall behind my router. I am looking at providing VPN access to road warriors and telecommuters. There are a range of clients I would have to support.

Is it possible to configure a BSD boxen to do all this? Can I install it on my existing bridging firewall, or does the new box have to be behind/in front of the firewall?

If so, any pointers/guidance would be appreciated.
I would prefer to use freely available software on all platforms, but if you have war stories on how/why commercial stuff worked for you, that is okay with me.

--
Yusuf Goolamabbas
yusufg@outblaze.com

From owner-freebsd-security Sat Sep 23 04:19:48 2000
Date: Sat, 23 Sep 2000 04:19:43 -0700 (PDT)
From: Kris Kennaway
To: Yusuf Goolamabbas
Cc: freebsd-security@freebsd.org
Subject: Re: Is it possible to configure a FreeBSD VPN server to talk to Windows/Linux/BSD clients
In-Reply-To: <20000923180845.A26238@outblaze.com>

On Sat, 23 Sep 2000, Yusuf Goolamabbas wrote:

> Hi, I currently have a FreeBSD 4.1-stable bridging firewall behind my router. I am looking at providing VPN access to road warriors and telecommuters. There are a range of clients I would have to support.
>
> Is it possible to configure a BSD boxen to do all this? Can I install it on my existing bridging firewall, or does the new box have to be behind/in front of the firewall?
>
> If so, any pointers/guidance would be appreciated.
> I would prefer to use freely available software on all platforms, but if you have war stories on how/why commercial stuff worked for you, that is okay with me.

FreeBSD 4.1 includes full IPSEC functionality - see the racoon port for the KAME IKE daemon (as well as the relevant kernel options documented in LINT). I believe racoon interoperates with Windows 2000 and FreeSWAN on Linux (among others) - see www.kame.net and the docs included in the port distfile for more information. General information on ipsec can be found in the freebsd and netbsd handbooks (they use the same ipsec code as us).

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Sat Sep 23 04:55:39 2000
Date: Sat, 23 Sep 2000 13:55:20 +0200
From: Neil Blakey-Milner
To: cjclark@alum.mit.edu
Cc: Nate Williams, Warner Losh, security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
Message-ID: <20000923135519.A40815@mithrandr.moria.org>
In-Reply-To: <20000922220603.E367@149.211.6.64.reflexcom.com>
Organization: Sunesi Clinical Systems

On Fri 2000-09-22 (22:06), Crist J. Clark wrote:

> IMHO, all this talk about 'sendmail_outbound_only' and the like is adding an extra level of obscurity. I think that what would be even better would just be good comments on the 'sendmail_flags' variable. How about in /etc/rc.conf or /etc/defaults/rc.conf,
>
>     #sendmail_flags="-bd -q30m"  # Flags tell sendmail to listen for incoming
>                                  # mail and check outgoing queue every 30 min
>     sendmail_flags="-q30m"       # Flag tells sendmail to check outgoing queue
>                                  # every 30 min, does not listen for incoming
>
> Just an example, but I really think these changes are so easy with just tweaking that variable that it is ridiculous to make it more complex.

If we do this, we'll be killed by everyone who wants usability by default. If we have 'sendmail_outboundonly_enable' (or a better name), we can toggle the switch in sysinstall, so we can be "secure by default", and "usable from install" at the same time.

> But for anything truly complex, like changing sendmail.cf, we just have to let the user fend for themselves. It is beyond the scope of sysinstall.

Yes, I agree.
Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Sat Sep 23 05:13:19 2000
Message-ID: <39CC9E56.EC4FDD44@kew.com>
Date: Sat, 23 Sep 2000 08:13:10 -0400
From: Drew Derbyshire
Organization: Kendra Electronic Wonderworks, Stoneham MA 02180 (http://www.kew.com)
To: freebsd-security@freebsd.org
Subject: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)

> Warner> That assumes that your firewall is good and that it can't be breached.

Working Assumption: Some day, somehow, the firewall *will* get breached.

> Correct. But that's true for a lot more than just rsh.

Good practice dictates security in depth. If, for example, ssh is as easy for the end-user to use as rsh (if, for example, installed as a straight replacement), it reduces your number of holes.
From owner-freebsd-security Sat Sep 23 05:44:15 2000
Date: Sat, 23 Sep 2000 14:44:07 +0200
From: Neil Blakey-Milner
To: Drew Derbyshire
Cc: freebsd-security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Message-ID: <20000923144407.A41138@mithrandr.moria.org>
In-Reply-To: <39CB4C42.1A59669C@kew.com>
Organization: Sunesi Clinical Systems

On Fri 2000-09-22 (08:10), Drew Derbyshire wrote:

> > Neil Blakey-Milner wrote:
> > Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE WANT THEM THAT WAY?

Please note that I didn't write that. I can't guess who did, but it's a quoting mistake.
Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Sat Sep 23 06:15:52 2000
Date: Sat, 23 Sep 2000 14:29:22 +0200
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: Re: sendmail default run state
Message-ID: <20000923142922.F5065@speedy.gsinet>
In-Reply-To: <20000923004924.A35072@mithrandr.moria.org>
Organization: System Defenestrators Inc.

On Sat, Sep 23, 2000 at 00:49 +0200, Neil Blakey-Milner wrote:

> On Fri 2000-09-22 (23:37), David Pick wrote:
> >
> > [ ... ]
> > Is there a way to tell sendmail what IP addresses to bind?

Put a wrapper around it. Have per-interface instances of inetd running (there are options for specifying the IP as well as the conf file). Or wrap your (TCP) services in the ucspi-tcp package. This will provide you fine-grained control over accessibility, rate limits, memory consumption, env var controllable features, etc.
> My thinking is that people who start firewalling things are
> quite able to change the option the way they like.

Unless there's a recent(?) development towards the urban legend that "firewall functionality can be bought". More and more (new) sysadmins believe in distributors to provide a working firewall they just have to set two or three variables for - but not more, since this would stress them more than they could bear. I hope I'm wrong with this impression, but experience makes me think I'm not. :(

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

From owner-freebsd-security Sat Sep 23 06:16:02 2000
Date: Sat, 23 Sep 2000 14:55:57 +0200
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: Re: sendmail default run state
Message-ID: <20000923145557.G5065@speedy.gsinet>
References: <20000922222026.A33410@mithrandr.moria.org> <200009222118.e8MLId117503@orthanc.ab.ca>
In-Reply-To: <200009222118.e8MLId117503@orthanc.ab.ca>; from lyndon@orthanc.ab.ca on Fri, Sep 22, 2000 at 03:18:39PM -0600
Organization: System Defenestrators Inc.

On Fri, Sep 22, 2000 at 15:18 -0600, Lyndon Nerenberg wrote:
> >>>>> "Neil" == Neil Blakey-Milner writes:
>
> [ ... talking to SMTP servers ... ]
>
>     Neil> The only one I can think of is fetchmail.  What other ones
>     Neil> behave like this?  It is a good point, though.
>
> MH, exmh (I think), pine, mulberry, netscape (may default to
> "mail" rather than "localhost").
>
> You wouldn't run fetchmail in a configuration like I described.

Are you sure of the above facts? IIRC _any_ UNIX MUA will use the sendmail command line interface (/usr/sbin/sendmail) for outgoing mail. Only MTAs talk SMTP.

This means that you just have to _install_ sendmail (or some lookalike) for the machine to be able to *send* mail. You have to _run_ sendmail (or some lookalike) to be able to _receive_ mail from the network. That's why almost no machine in a network needs sendmail_enable set to YES. And for the ones that need it (mail relays and local servers) you're better aware of this fact when installing the OS.

To talk about those clients: pine reads from a local (or network fs mounted) mailbox and delivers to the sendmail command via stdin. I would expect MH and exmh to do the same. The same holds for mail(1) and elm. And mutt. And any traditional UNIX mail user agent.

fetchmail delivers by default to an SMTP server. But it could be run as well in MDA mode -- although I never used it this way. And nobody said the SMTP machine fetchmail delivers to had to be a user's workstation. This wouldn't be a good idea at all. Usually you fetch from an external machine (e.g. your ISP) and shove the mail to your LAN's mail server.

Netscape is an exception here. It does have some MUA functionality, but it tries to be an MTA, too. It's not a "normal" program in this respect. It doesn't focus on one aspect to make this one right. It's the bloat usually found in other areas. I wouldn't confuse this clumsy thing with an easy to use and capable mail frontend. :) I even dare to say its widespread use comes mostly from all the (former?) Windows users who want some clickable frontend, not yet realizing that specialized programs are way more capable since they only have this one goal in mind.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

From owner-freebsd-security Sat Sep 23 07:54:58 2000
Date: Sat, 23 Sep 2000 10:54:54 -0400 (EDT)
From: Mitch Collinsworth
To: Gerhard Sittig
Cc: security@FreeBSD.ORG
Subject: Re: sendmail default run state
In-Reply-To: <20000923145557.G5065@speedy.gsinet>

On Sat, 23 Sep 2000, Gerhard Sittig wrote:

> pine reads from a local (or network fs mounted) mailbox and
> delivers to the sendmail command via stdin.  I would expect MH
> and exmh to do the same.  The same holds for mail(1) and elm.
> And mutt.  And any traditional UNIX mail user agent.

exmh is just a tk gui that uses traditional mh (or now nmh) underneath. mh can be configured to call sendmail or it can talk smtp directly.

> fetchmail delivers by default to an SMTP server.  But it could be
> run as well in MDA mode -- although I never used it this way.

We do.

-Mitch

From owner-freebsd-security Sat Sep 23 08:24:26 2000
From: Cy Schubert - ITSD Open Systems Group
To: Drew Derbyshire
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
Message-Id: <200009231522.e8NFMn964757@cwsys.cwsent.com>
In-reply-to: Your message of "Sat, 23 Sep 2000 08:13:10 EDT."
	<39CC9E56.EC4FDD44@kew.com>
Date: Sat, 23 Sep 2000 08:22:17 -0700

In message <39CC9E56.EC4FDD44@kew.com>, Drew Derbyshire writes:
> > Warner> That assumes that your firewall is good and that it can't
> > Warner> be breached.
>
> Working Assumption: Some day, some how, the firewall *will* get breached.

Agreed. That's why you use an onion ring approach to firewalls. You have firewalls protecting rings which contain machines with increasingly more sensitive data.

> > > Correct.  But that's true for a lot more than just rsh.
>
> Good practice dictates security in depth.  If for example, ssh is as easy
> for the end-user to use as rsh (if for example installed as a straight
> replacement), it reduces your number of holes.

I fought for the banishment of insecure protocols ("r" commands, telnet, and ftp) along with Will Andrews in -arch. However it was pointed out that most FreeBSD users use FreeBSD alongside vendor equipment that does not support SSH out of the box. I think that a broader, meaning larger than FreeBSD, solution, at least in my case, is what is required: an application that will disable certain services on a generic UNIX system and install SSH if not already there.

Having said that, and taking my security officer hat off and putting my manager hat on: most organisations that use SSH are using it illegally. With recent licensing changes and the fact that OpenSSH doesn't install all that cleanly on non-BSD platforms, e.g. no /dev/random, compile errors, and my customers report that OpenSSH sometimes hangs on Solaris 2.6 systems (probably related to the entropy gathering daemon that substitutes /dev/random on non-BSD systems), the quick and dirty solutions are:

1. Run the "r" commands behind a firewall on a network of closely related systems, or

2. Use Kerberos -- less secure than SSH IMO but better than "r" commands, but still not firewall friendly when accessing a secured network from a management workstation on the outside of the firewall.

Thinking about this whole issue further, the idea would be to give the FreeBSD installer the options at installation or mergemaster time of:

1. An open (insecure) or closed (secure) inetd.conf.
2. NFS or no NFS.
3. Sendmail or no sendmail.
4. An open or closed firewall.
5. IPFW or IPF.
6. Turning off or turning on of setuid bits of most setuid apps.

Instead of 64 questions we can have five questions or one question, which will choose the more secure or less secure of the above options.

Alternatively all of this could be put into a port, which when installed would make the necessary changes to secure a system. If the FreeBSD specific parts of the port are separate from the generic UNIX parts of the port, the generic pieces could be run on non-FreeBSD systems to effect the same changes there as well.

The short of it is that the issues discussed here don't just affect FreeBSD.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Sat Sep 23 08:43:16 2000
Date: Sat, 23 Sep 2000 11:43:07 -0400
From: Brian Reichert
To: Yusuf Goolamabbas
Cc: freebsd-security@freebsd.org
Subject: Re: Is it possible to configure a FreeBSD VPN server to talk to Windows/Linux/BSD clients
Message-ID: <20000923114306.A19115@numachi.com>
References: <20000923180845.A26238@outblaze.com>
In-Reply-To: <20000923180845.A26238@outblaze.com>; from yusufg@outblaze.com on Sat, Sep 23, 2000 at 06:08:45PM +0800

On Sat, Sep 23, 2000 at 06:08:45PM +0800, Yusuf Goolamabbas wrote:
> Hi, I currently have a FreeBSD 4.1-stable bridging firewall behind my
> router. I am looking at providing VPN access to road warriors and
> telecommuters. There are a range of clients I would have to support.

Do you mean a PPTP-based Microsoft-flavored VPN? I'm curious myself.

-- 
Brian 'you Bastard' Reichert        reichert@numachi.com
37 Crystal Ave.
#303                                Daytime number: (603) 434-6842
Derry NH 03038-1713 USA             Intel architecture: the left-hand path

From owner-freebsd-security Sat Sep 23 09:14:23 2000
Date: Sat, 23 Sep 2000 12:13:43 -0400
From: "Brian F. Feldman"
To: Cy Schubert - ITSD Open Systems Group
Cc: Drew Derbyshire, freebsd-security@FreeBSD.org
Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
Message-Id: <200009231613.e8NGDh560434@green.dyndns.org>
In-Reply-To: Message from Cy Schubert - ITSD Open Systems Group of "Sat, 23 Sep 2000 08:22:17 PDT." <200009231522.e8NFMn964757@cwsys.cwsent.com>

> Having said that, and taking my security officer hat off and putting my
> manager hat on: most organisations that use SSH are using it
> illegally.  With recent licensing changes and the fact that OpenSSH
> doesn't install all that cleanly on non-BSD platforms, e.g. no
> /dev/random, compile errors, and my customers report that OpenSSH
> sometimes hangs on Solaris 2.6 systems (probably related to the entropy
> gathering daemon that substitutes /dev/random on non-BSD systems), the
> quick and dirty solutions are:

Or possibly related to Solaris 2.6 being increasingly ancient and buggy...

> 6. Turning off or turning on of setuid bits of most setuid apps.

Hopefully, this won't be useful soon because things will not be setuid and just have the right capabilities :) Anything left suid will need to have its architecture thought out a bit more -- most uses of it are very suboptimal.

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-security Sat Sep 23 09:14:21 2000
Date: Sat, 23 Sep 2000 12:09:49 -0400
From: "Brian F. Feldman"
To: Mitch Collinsworth
Cc: Gerhard Sittig, security@FreeBSD.org
Subject: Re: sendmail default run state
Message-Id: <200009231609.e8NG9n560420@green.dyndns.org>
In-Reply-To: Message from Mitch Collinsworth of "Sat, 23 Sep 2000 10:54:54 EDT."

> On Sat, 23 Sep 2000, Gerhard Sittig wrote:
>
> > pine reads from a local (or network fs mounted) mailbox and
> > delivers to the sendmail command via stdin.  I would expect MH
> > and exmh to do the same.  The same holds for mail(1) and elm.
> > And mutt.  And any traditional UNIX mail user agent.
>
> exmh is just a tk gui that uses traditional mh (or now nmh) underneath.
> mh can be configured to call sendmail or it can talk smtp directly.

More specifically, mh's send calls mh's post, which uses whatever is in mts.conf to send mail :) It defaults to talking SMTP with localhost.

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-security Sat Sep 23 09:24:25 2000
Date: Sat, 23 Sep 2000 17:22:12 +0100
From: Adam Laurie
Organization: A.L. Group plc
To: Gerhard Sittig
Cc: security@FreeBSD.ORG
Subject: Re: sendmail default run state
Message-ID: <39CCD8B4.80CDF9F5@algroup.co.uk>
References: <200009222012.e8MKCRF12785@cwsys.cwsent.com> <20000923004924.A35072@mithrandr.moria.org> <20000923142922.F5065@speedy.gsinet>

Gerhard Sittig wrote:
>
> On Sat, Sep 23, 2000 at 00:49 +0200, Neil Blakey-Milner wrote:
> > On Fri 2000-09-22 (23:37), David Pick wrote:
> > >
> > > [ ... ]
> > >
> > > Is there a way to tell sendmail what IP addresses to bind?

Yep:

    bash$ grep -i addr /etc/sendmail.cf
    OOAddr=10.1.1.1

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Sat Sep 23 10:01:55 2000
Date: Sat, 23 Sep 2000 10:01:36 -0700
From: Cy Schubert
To: "Brian F. Feldman"
Cc: Cy Schubert - ITSD Open Systems Group, Drew Derbyshire, freebsd-security@FreeBSD.ORG
Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
Message-Id: <200009231701.KAA53314@passer.osg.gov.bc.ca>
In-reply-to: Your message of "Sat, 23 Sep 2000 12:13:43 EDT." <200009231613.e8NGDh560434@green.dyndns.org>

In message <200009231613.e8NGDh560434@green.dyndns.org>, "Brian F. Feldman" writes:
>
> > Having said that, and taking my security officer hat off and putting my
> > manager hat on: most organisations that use SSH are using it
> > illegally.
> > With recent licensing changes and the fact that OpenSSH
> > doesn't install all that cleanly on non-BSD platforms, e.g. no
> > /dev/random, compile errors, and my customers report that OpenSSH
> > sometimes hangs on Solaris 2.6 systems (probably related to the entropy
> > gathering daemon that substitutes /dev/random on non-BSD systems), the
> > quick and dirty solutions are:
>
> Or possibly related to Solaris 2.6 being increasingly ancient and buggy...
>
> > 6. Turning off or turning on of setuid bits of most setuid apps.
>
> Hopefully, this won't be useful soon because things will not be setuid and
> just have the right capabilities :) Anything left suid will need to have
> its architecture thought out a bit more -- most uses of it are very
> suboptimal.

More on capabilities. To do capabilities right, apps like su, sudo, and ksu would need to be replaced by an admin application that would only allow the admin to manage the system, nothing more. I suppose one could have an su application that would have all the capabilities in the world, but then again what would be the point? It would be a gaping security hole just waiting to be exploited. I think capabilities are a long way off right now, until someone writes an interface application to actually do sysadmin.

Having said all that, I don't see the average sysadmin today wanting to go to a Microsoft-style model of system administration. So we'll be left with an su-like application that would be a gaping hole, even though many of the risks posed by setuid applications would be mitigated.

Even the mainframe (MVS) world, where they've separated the functions of operations, security officer, and auditor so they can each watch each other, gives each class of the above users broad god-like powers because you cannot predict the kinds of problems you'll be solving. Ideally we want a world where there are no setuid applications and no applications that will hand out god-like powers. I'm not convinced we will reach the ideal of no su and have applications that will proxy sysadmin for us, because of the two points I made above.

Thinking out loud here, coupling capabilities with some kind of authentication mechanism like PKI or single sign-on across an organisation, where a central security officer would hand out distributed privileges on various systems to various principals, might be a solution to my concern.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Sat Sep 23 10:12:18 2000
Date: Sat, 23 Sep 2000 11:12:04 -0600 (MDT)
From: "David G. Andersen"
To: Cy.Schubert@uumail.gov.bc.ca
Cc: green@FreeBSD.ORG (Brian F. Feldman), ahd@kew.com (Drew Derbyshire), freebsd-security@FreeBSD.ORG
Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
Message-Id: <200009231712.LAA11575@faith.cs.utah.edu>
In-Reply-To: <200009231701.KAA53314@passer.osg.gov.bc.ca> from "Cy Schubert" at Sep 23, 2000 10:01:36 AM

Lo and behold, Cy Schubert once said:
>
> More on capabilities.  To do capabilities right apps like su, sudo, and
> ksu would need to be replaced by an admin application that would only
> allow the admin to manage the system, nothing more.  I suppose one could
> have an su application that would have all the capabilities in the world
> but then again what would be the point?  It would be a gaping security
> hole just waiting to be exploited.

Boggle. You yourself state later:

> application that would be a gaping hole.  Even though many of the risks
> posed by setuid applications would be mitigated.

There you go. Even if you still have the "administrator-as-god-after-authentication" routine (which, I think, is to some degree an intractable problem), capabilities still take you vastly farther down the road of least privilege than ordinary *nix all-or-none style permissions.

Without least-privilege administration tools, a capability-based system isn't complete -- but it's still MUCH, MUCH better than what we have now! Don't torpedo a good thing because it's not perfect. It never will be; a system where I can 'chmod a-s /usr/sbin/sendmail' makes me a lot happier already.

-Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Sat Sep 23 11:05:20 2000
Date: Sat, 23 Sep 2000 11:03:04 -0700
From: Cy Schubert - ITSD Open Systems Group
To: "David G. Andersen"
Cc: Cy.Schubert@uumail.gov.bc.ca, green@FreeBSD.ORG (Brian F. Feldman), ahd@kew.com (Drew Derbyshire), freebsd-security@FreeBSD.ORG
Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
Message-Id: <200009231803.e8NI3rV65692@cwsys.cwsent.com>
In-reply-to: Your message of "Sat, 23 Sep 2000 11:12:04 MDT." <200009231712.LAA11575@faith.cs.utah.edu>

In message <200009231712.LAA11575@faith.cs.utah.edu>, "David G. Andersen" writes:
> Lo and behold, Cy Schubert once said:
> >
> > More on capabilities.  To do capabilities right apps like su, sudo, and
> > ksu would need to be replaced by an admin application that would only
> > allow the admin to manage the system, nothing more.  I suppose one could
> > have an su application that would have all the capabilities in the world
> > but then again what would be the point?  It would be a gaping security
> > hole just waiting to be exploited.
>
> Boggle.  You yourself state later:

I'll give you the benefit of the doubt and agree I am somewhat undecided (confused) about what form the tools will look like. No one from the capabilities camp has shared their ideas about tools yet. If you're saying I've embarrassed myself, I think not. I thought I was opening up the discussion.

>
> > application that would be a gaping hole.  Even though many of the risks
> > posed by setuid applications would be mitigated.
>
> There you go.  Even if you still have the
> "administrator-as-god-after-authentication" routine (which, I think, is to
> some degree an intractable problem), capabilities still take you vastly
> farther down the road of least privilege than ordinary *nix all-or-none
> style permissions.
>
> Without least-privilege administration tools, a capability-based system
> isn't complete -- but it's still MUCH, MUCH better than what we have
> now!  Don't torpedo a good thing because it's not perfect.  It never will
> be; a system where I can 'chmod a-s /usr/sbin/sendmail' makes me a lot
> happier already.

In other words you agree with me after all. I have not seen any discussion about what the administration tools in a capabilities environment will look like and how I as a manager will be able to delegate responsibility and restrict access to certain functions to certain members of my team or to other individuals in an organisation.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Sat Sep 23 11:24:33 2000
Date: Sat, 23 Sep 2000 11:23:21 -0700 (PDT)
From: Archie Cobbs
To: Brian Reichert
Cc: Yusuf Goolamabbas, freebsd-security@FreeBSD.ORG
Subject: Re: Is it possible to configure a FreeBSD VPN server to talk to Windows/Linux/BSD clients
Message-Id: <200009231823.LAA06269@bubba.whistle.com>
In-Reply-To: <20000923114306.A19115@numachi.com> "from Brian Reichert at Sep 23, 2000 11:43:07 am"

Brian Reichert writes:
> > Hi, I currently have a FreeBSD 4.1-stable bridging firewall behind my
> > router. I am looking at providing VPN access to road warriors and
> > telecommuters. There are a range of clients I would have to support.
>
> Do you mean a PPTP-based Microsoft-flavored VPN?  I'm curious myself.

The net/mpd-netgraph port supports PPTP, including Microsoft VPN adapter clients.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com

From owner-freebsd-security Sat Sep 23 12:41:53 2000
To: Neil Blakey-Milner
Cc: Nate Williams, Warner Losh, security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
Message-Id: <200009231941.e8NJfV143262@orthanc.ab.ca>
In-reply-to: Your message of "Sat, 23 Sep 2000 02:11:19 +0200."
<20000923021119.A35919@mithrandr.moria.org> Date: Sat, 23 Sep 2000 13:41:31 -0600 From: Lyndon Nerenberg Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>>>> "Neil" == Neil Blakey-Milner writes: Neil> How do you enable nullclient from rc.conf? Ship the system with two pre-built sendmail configuration files: /etc/mail/sendmail.cf.{full,nullclient} In rc.conf: sendmail_config="full" # Set to "nullclient" if you want to # forward all local mail to a central # mail hub. Set sendmail_smarthost # to the name of your mail hub. sendmail_smarthost="mail.example.com" Change the code fragment in /etc/rc where sendmail is started to: rm -f /etc/mail/smarthost if [ -n "${sendmail_smarthost} ] ; then echo "${sendmail_smarthost" > /etc/mail/smarthost fi if [ -r /etc/mail/sendmail.cf.${sendmail_config} ] ; then echo -n ' sendmail' /usr/sbin/sendmail ${sendmail_flags} -C/etc/mail/sendmail.cf.${sendmail_config} fi sendmail.cf.nullclient would have an entry that picked up the smarthost from the contents of /etc/mail/smarthost. Neil> What happens if your smarthost server goes down - when does Neil> sendmail check your queue again? Whenever you tell it to via the -q parameter. E.g.: /usr/sbin/sendmail -q20m will start sendmail, not listen on port 25 (or 587), and run the outbound queue every 20 minutes. Neil> Two different issues - sendmail for queueing and delivery, Neil> but not listening to network, and sendmail with smarthost. Neil> We can emulate the first in the rc system, but not obviously Neil> easily the second. It's not that hard. In fact there are quite a few things we could do to allow for things like a SUBMIT only configuration (listen to port 587, but not port 25), etc. The problem is they would be very specific to sendmail. 
--lyndon

From owner-freebsd-security Sat Sep 23 12:49:47 2000
Message-Id: <200009231949.e8NJnX143291@orthanc.ab.ca>
To: Gerhard Sittig
Cc: security@FreeBSD.ORG
Subject: Re: sendmail default run state
In-reply-to: Your message of "Sat, 23 Sep 2000 14:55:57 +0200." <20000923145557.G5065@speedy.gsinet>
Date: Sat, 23 Sep 2000 13:49:32 -0600
From: Lyndon Nerenberg

>>>>> "Gerhard" == Gerhard Sittig writes:

Gerhard> Are you sure of the above facts?

Yes.

Gerhard> IIRC _any_ UNIX MUA
Gerhard> will use the sendmail command line interface
Gerhard> (/usr/sbin/sendmail) for outgoing mail. Only MTAs talk
Gerhard> SMTP.

Nope. Most MUAs these days talk SMTP for submission. And SMTP submission
will become even more common. If you need DNSs or message tracking you
must inject using SMTP. With the introduction of the SUBMIT profile for
SMTP you'll see most sites eventually migrate to requiring message
injection via port 587.

Gerhard> Netscape is an exception here. It does have some MUA
Gerhard> functionality, but it tries to be a MTA, too.

Netscape doesn't provide any MTA functionality.
--lyndon

From owner-freebsd-security Sat Sep 23 12:52:56 2000
Date: Sat, 23 Sep 2000 15:52:53 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200009231952.PAA32269@khavrinen.lcs.mit.edu>
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Is it possible to configure a FreeBSD VPN server to talk to Windows/Linux/BSD clients
References: <20000923180845.A26238@outblaze.com>

< said:
> Linux (among others) - see www.kame.net and the docs included in the port
> distfile for more information. General information on ipsec can be found

The racoon documentation is almost totally unintelligible, especially
for new users. Perhaps the Japanese documentation is better, but most
FreeBSD users outside of Japan don't understand Japanese. I ended up
reading the parser source code and still wasn't sufficiently
enlightened.
-GAWollman

From owner-freebsd-security Sat Sep 23 12:55:16 2000
Date: Sat, 23 Sep 2000 21:54:48 +0200
From: Neil Blakey-Milner
To: Lyndon Nerenberg
Cc: Nate Williams, Warner Losh, security@FreeBSD.ORG, Peter Wemm
Subject: Re: sendmail default run state
Message-ID: <20000923215447.A44016@mithrandr.moria.org>
References: <20000923021119.A35919@mithrandr.moria.org> <200009231941.e8NJfV143262@orthanc.ab.ca>
In-Reply-To: <200009231941.e8NJfV143262@orthanc.ab.ca>; from lyndon@orthanc.ab.ca on Sat, Sep 23, 2000 at 01:41:31PM -0600
Organization: Sunesi Clinical Systems
X-URL: http://rucus.ru.ac.za/~nbm/

On Sat 2000-09-23 (13:41), Lyndon Nerenberg wrote:
> Neil> How do you enable nullclient from rc.conf?
>
> Ship the system with two pre-built sendmail configuration files:
>
> /etc/mail/sendmail.cf.{full,nullclient}
>
> In rc.conf:
>
> sendmail_config="full"     # Set to "nullclient" if you want to
>                            # forward all local mail to a central
>                            # mail hub. Set sendmail_smarthost
>                            # to the name of your mail hub.
> sendmail_smarthost="mail.example.com"
>
> Change the code fragment in /etc/rc where sendmail is started to:
>
> rm -f /etc/mail/smarthost
> if [ -n "${sendmail_smarthost}" ] ; then
>     echo "${sendmail_smarthost}" > /etc/mail/smarthost
> fi
> if [ -r /etc/mail/sendmail.cf.${sendmail_config} ] ; then
>     echo -n ' sendmail'
>     /usr/sbin/sendmail ${sendmail_flags} -C/etc/mail/sendmail.cf.${sendmail_config}
> fi
>
> sendmail.cf.nullclient would have an entry that picked up the smarthost
> from the contents of /etc/mail/smarthost.

Brilliant! Is that with 'DS-o /etc/mail/smarthost'? Now, if we could
make that 'listen' thing (OOAddr=10.1.1.1) take a file, we're set.

I'm not so sure about /etc/rc deleting and recreating files in
/etc/mail, though, but that's another issue.

> Neil> What happens if your smarthost server goes down - when does
> Neil> sendmail check your queue again?
>
> Whenever you tell it to via the -q parameter. E.g.:
>
> /usr/sbin/sendmail -q20m

Yeah - I was commenting on why you want sendmail running with queue
running.

> It's not that hard. In fact there are quite a few things we could do
> to allow for things like a SUBMIT only configuration (listen to port
> 587, but not port 25), etc. The problem is they would be very specific
> to sendmail.

I don't use sendmail for "mail servers" personally, but it makes sense
if they're standalone machines that just need to send mail from the
machine to a central server. If we can offer this ability in the base
system and easy-to-use from rc.conf, that's cool. More complex stuff
requires direct sendmail configuration, or installing another MTA.
Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

From owner-freebsd-security Sat Sep 23 12:56:52 2000
Message-Id: <200009231956.e8NJul143400@orthanc.ab.ca>
To: Gerhard Sittig
Cc: security@FreeBSD.ORG
Subject: Re: sendmail default run state
In-reply-to: Your message of "Sat, 23 Sep 2000 13:49:32 MDT." <200009231949.e8NJnX143291@orthanc.ab.ca>
Date: Sat, 23 Sep 2000 13:56:45 -0600
From: Lyndon Nerenberg

>>>>> "Lyndon" == Lyndon Nerenberg writes:

Lyndon> Nope. Most MUAs these days talk SMTP for submission. And
Lyndon> If you need
Lyndon> DNSs or message tracking you must inject using SMTP.

s/DNSs/DSNs/

From owner-freebsd-security Sat Sep 23 13:17:43 2000
Date: Sat, 23 Sep 2000 22:17:36 +0200 (IST)
From: Roman Shterenzon
To: "Brian F. Feldman"
Cc: freebsd-security@FreeBSD.org
Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
In-Reply-To: <200009231613.e8NGDh560434@green.dyndns.org>

On Sat, 23 Sep 2000, Brian F. Feldman wrote:

>
> > Having said that and taking my security officer hat off and putting my
> > manager hat on. Most organisations that use SSH are using it
> > illegally. With recent licensing changes and the fact that OpenSSH
> > doesn't install all that cleanly on non-BSD platforms, e.g. no
> > /dev/random, compile errors, and my customers report that OpenSSH
> > sometimes hangs on Solaris 2.6 systems (probably related to the entropy
> > gathering daemon that substitutes /dev/random on non-BSD systems), the
> > quick and dirty solutions are:
>
> Or possibly related to Solaris 2.6 being increasingly ancient and buggy...

There's a port of Linux' /dev/random for Solaris I use myself on a 2.6
system. It works for me.
I can send an url if anyone is interested.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]

From owner-freebsd-security Sat Sep 23 13:26:21 2000
Date: Sat, 23 Sep 2000 22:26:06 +0200 (IST)
From: Roman Shterenzon
To: Christian Kuhtz
Cc: freebsd-security@freebsd.org
Subject: [url] /dev/random for Solaris
In-Reply-To: <20000923162217.A27118@ns1.arch.bellsouth.net>

On Sat, 23 Sep 2000, Christian Kuhtz wrote:

>
> Yeah, please send me the URL. Thanks..

http://www.cosy.sbg.ac.at/~andi/

Enjoy!

> On Sat, Sep 23, 2000 at 10:17:36PM +0200, Roman Shterenzon wrote:
> > On Sat, 23 Sep 2000, Brian F. Feldman wrote:
> >
> > >
> > > > Having said that and taking my security officer hat off and putting my
> > > > manager hat on. Most organisations that use SSH are using it
> > > > illegally. With recent licensing changes and the fact that OpenSSH
> > > > doesn't install all that cleanly on non-BSD platforms, e.g. no
> > > > /dev/random, compile errors, and my customers report that OpenSSH
> > > > sometimes hangs on Solaris 2.6 systems (probably related to the entropy
> > > > gathering daemon that substitutes /dev/random on non-BSD systems), the
> > > > quick and dirty solutions are:
> > >
> > > Or possibly related to Solaris 2.6 being increasingly ancient and buggy...
> > There's a port of Linux' /dev/random for Solaris I use myself on a 2.6
> > system. It works for me.
> > I can send an url if anyone is interested.
> >
> > --Roman Shterenzon, UNIX System Administrator and Consultant
> > [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
> >
>
> --
> Christian Kuhtz  Architecture, BellSouth.net
> -wk, -hm  Atlanta, GA
> "Speaking for myself only."
>

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Sat Sep 23 14:01:26 2000
Date: Sat, 23 Sep 2000 14:01:24 -0700 (PDT)
From: Kris Kennaway
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Is it possible to configure a FreeBSD VPN server to talk to Windows/Linux/BSD clients
In-Reply-To: <200009231952.PAA32269@khavrinen.lcs.mit.edu>

On Sat, 23 Sep 2000, Garrett Wollman wrote:

> < said:
>
> > Linux (among others) - see www.kame.net and the docs included in the port
> > distfile for more information. General information on ipsec can be found
>
> The racoon documentation is almost totally unintelligible, especially
> for new users. Perhaps the Japanese documentation is better, but most
> FreeBSD users outside of Japan don't understand Japanese.
> I ended up
> reading the parser source code and still wasn't sufficiently
> enlightened.

Yeah, it's a problem. I've had one offer from someone who's figured it out
on her own including interoperability, but haven't got anything from her
yet. I'll bug her until I get something :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Sat Sep 23 14:04:06 2000
Message-Id: <200009232104.e8NL43121256@orthanc.ab.ca>
To: freebsd-security@freebsd.org
Subject: Importing SASL to the base system
Organization: The Frobozz Magic Homing Pigeon Company
Date: Sat, 23 Sep 2000 15:04:03 -0600
From: Lyndon Nerenberg

Since we're talking about increasing security, I think it's time to
consider importing SASL functionality into the base OS. SASL is already
widely used in IMAP, and its use is increasing in POP3 and SMTP/LMTP.
The following protocols currently support SASL authentication:

RFC2060  IMAP4 Rev 1
RFC2229  A Dictionary Server Protocol
RFC2244  ACAP -- Application Configuration Access Protocol
RFC2251  LDAP v3
RFC2449  POP3 Extensions
RFC2554  SMTP Service Extension for Authentication
RFC2645  On-Demand Mail Relay
RFC2829  Authentication Methods for LDAP (also RFC2830 and RFC2831)

In addition, SASL is proposed for the following protocols and services:
Internet Messaging and Calendaring, BEEP, PPP, SIEVE, Secure remote
password change, FTP, and others I've forgotten. With the IETF requiring
secure authentication (when authentication is applicable) in future
protocols, the use of SASL will only increase.

The use of SASL in email right now is (I think) sufficient justification
to import it. We should be able to ship MTAs that support SASL
out-of-the-box. We can't do that right now as the base tools can't rely
on a port. Sendmail could use this immediately if it was in the base.

The CMU SASL code has proved to be stable, and is a candidate for
inclusion, although it would certainly need a work-over before being
imported. And we would need a good architecture/design plan before
doing anything.

I'm willing to do the work to make this happen if there is a committer
who would volunteer to work with me on this.
--lyndon

From owner-freebsd-security Sat Sep 23 14:45:32 2000
Date: Sat, 23 Sep 2000 16:46:39 -0500 (CDT)
From: Mike Silbersack
To: Kris Kennaway
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG
Subject: Re: Is it possible to configure a FreeBSD VPN server to talk to Windows/Linux/BSD clients

On Sat, 23 Sep 2000, Kris Kennaway wrote:

> On Sat, 23 Sep 2000, Garrett Wollman wrote:
>
> > The racoon documentation is almost totally unintelligible, especially
> > for new users. Perhaps the Japanese documentation is better, but most
> > FreeBSD users outside of Japan don't understand Japanese. I ended up
> > reading the parser source code and still wasn't sufficiently
> > enlightened.
>
> Yeah, it's a problem. I've had one offer from someone who's figured it out
> on her own including interoperability, but havent got anything from her
> yet. I'll bug her until I get something :-)
>
> Kris

Well, since you guys got me thinking about it, I decided to try setting up
PGPNet so I could start playing with IPSec. However, it seems just as
cryptic. Are there any good references about how to setup IPSec in general
that anyone is aware of? (My problem in this case is that I need to
generate a X.509 certificate to get anywhere, which I suspect they make
easy with some extremely expensive piece of software.
I know OpenSSL can generate them, but importing doesn't seem to be an
option.)

Mike "Silby" Silbersack

From owner-freebsd-security Sat Sep 23 15:22:50 2000
From: Dragos Ruiu
Organization: kyx.net
To: Lyndon Nerenberg, Gerhard Sittig
Subject: Re: sendmail default run state
Date: Sat, 23 Sep 2000 15:21:07 -0700
Cc: security@FreeBSD.ORG
References: <200009231949.e8NJnX143291@orthanc.ab.ca>
In-Reply-To: <200009231949.e8NJnX143291@orthanc.ab.ca>
Message-Id: <0009231524220Y.00325@smp.kyx.net>

On Sat, 23 Sep 2000, Lyndon Nerenberg wrote:
> Nope. Most MUAs these days talk SMTP for submission. And SMTP submission
> will become even more common. If you need DNSs or message tracking you
> must inject using SMTP.

I think Lyndon is right on this. I've been doing a survey of mailing list
processor software trying to get some gpg based mailing lists up and all
of the ones that I looked at that had code available used SMTP injection
even on the local machine. It's just one mileage point but it supports
his assertion.

> With the introduction of the SUBMIT profile for SMTP you'll see
> most sites eventually migrate to requiring message injection via port
> 587.
>

Do you have a ref for this?

cheers,
--dr

--
Dragos Ruiu  dursec.com ltd.
/ kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net

From owner-freebsd-security Sat Sep 23 16:21:28 2000
Message-Id: <200009232321.e8NNLL121837@orthanc.ab.ca>
To: Dragos Ruiu
Cc: Gerhard Sittig, security@FreeBSD.ORG
Subject: Re: sendmail default run state
In-reply-to: Your message of "Sat, 23 Sep 2000 15:21:07 PDT." <0009231524220Y.00325@smp.kyx.net>
Date: Sat, 23 Sep 2000 17:21:21 -0600
From: Lyndon Nerenberg

>>>>> "Dragos" == Dragos Ruiu writes:

>> With the introduction of the SUBMIT profile for SMTP you'll see
>> most sites eventually migrate to requiring message injection
>> via port 587.

Dragos> Do you have a ref for this?
Message Submission: RFC2476

--lyndon

From owner-freebsd-security Sat Sep 23 18:08:02 2000
Date: Sat, 23 Sep 2000 18:07:10 -0700 (PDT)
From: Kris Kennaway
To: ports@freebsd.org
Cc: jmz@freebsd.org, security@freebsd.org
Subject: XFree86 3.x DoS patch

Please test this patch for the XFree86 port - it addresses a number of
denial of service/crash conditions in the X code (libraries used by
client programs, as well as parts of the server itself). These were
reported on bugtraq several months ago but never publicly acknowledged
by the XFree86 developers, nor did they release a patch against 3.x.
They did however fix the problem silently in XFree86 4.x - this patch
comes from OpenBSD who tracked down and extracted the relevant patches
from the XFree86 CVS repo.
I'm not really sure of the impact of the vulnerabilities, but I think
they allow users who can connect remotely to an X application using the
vulnerable libraries to crash it without authenticating. Bad.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

Content-Disposition: ATTACHMENT; FILENAME=patch-sec1
KTsNCisJYnVmICs9ICpsZW5wOw0KKwkqbGVucCA9IDA7DQorCXJldHVybiBi dWY7DQogICAgIH0NCiAgICAgaWYgKGxlbiA+PSAqbGVucCkgew0KIAlidWYg Kz0gKmxlbnA7DQpJbmRleDogcHJvZ3JhbXMvWHNlcnZlci9vcy9zZWNhdXRo LmMNCmRpZmYgLXUgcHJvZ3JhbXMvWHNlcnZlci9vcy9zZWNhdXRoLmM6MS4x IFgxMS94Yy9wcm9ncmFtcy9Yc2VydmVyL29zL3NlY2F1dGguYzoxLjMNCi0t LSBwcm9ncmFtcy9Yc2VydmVyL29zL3NlY2F1dGguYzoxLjEJRnJpIFNlcCAg NSAwMzoxNToxNCAxOTk3DQorKysgcHJvZ3JhbXMvWHNlcnZlci9vcy9zZWNh dXRoLmMJTW9uIEp1bCAxMCAxNToyMzoyNiAyMDAwDQpAQCAtNDcsNyArNDcs NyBAQA0KICAgICBDbGllbnRQdHIJY2xpZW50Ow0KICAgICBjaGFyCSoqcmVh c29uOw0KIHsNCi0gICAgY2hhcgkqcG9saWN5ID0gKmRhdGFQOw0KKyAgICBD QVJEOAkqcG9saWN5ID0gKihDQVJEOCAqKilkYXRhUDsNCiAgICAgaW50CQls ZW5ndGg7DQogICAgIEJvb2wJcGVybWl0Ow0KICAgICBpbnQJCW5Qb2xpY2ll czsNCkBAIC02MSwxMyArNjEsMTMgQEANCiAgICAgfQ0KIA0KICAgICBwZXJt aXQgPSAoKnBvbGljeSsrID09IDApOw0KLSAgICBuUG9saWNpZXMgPSAqcG9s aWN5Kys7DQorICAgIG5Qb2xpY2llcyA9IChDQVJEOCkgKnBvbGljeSsrOw0K IA0KICAgICBsZW5ndGggLT0gMjsNCiANCiAgICAgc2l0ZVBvbGljaWVzID0g U2VjdXJpdHlHZXRTaXRlUG9saWN5U3RyaW5ncygmblNpdGVQb2xpY2llcyk7 DQogDQotICAgIHdoaWxlIChuUG9saWNpZXMpIHsNCisgICAgd2hpbGUgKG5Q b2xpY2llcyA+IDApIHsNCiAJaW50IHN0ckxlbiwgc2l0ZVBvbGljeTsNCiAN CiAJaWYgKGxlbmd0aCA9PSAwKSB7DQpAQCAtNzUsNyArNzUsNyBAQA0KIAkg ICAgcmV0dXJuIEZBTFNFOw0KIAl9DQogDQotCXN0ckxlbiA9ICpwb2xpY3kr KzsNCisJc3RyTGVuID0gKENBUkQ4KSAqcG9saWN5Kys7DQogCWlmICgtLWxl bmd0aCA8IHN0ckxlbikgew0KIAkgICAgKnJlYXNvbiA9IEludmFsaWRQb2xp Y3lSZWFzb247DQogCSAgICByZXR1cm4gRkFMU0U7DQpAQCAtODcsNyArODcs NyBAQA0KIAkgICAgew0KIAkJY2hhciAqdGVzdFBvbGljeSA9IHNpdGVQb2xp Y2llc1tzaXRlUG9saWN5XTsNCiAJCWlmICgoc3RyTGVuID09IHN0cmxlbih0 ZXN0UG9saWN5KSkgJiYNCi0JCSAgICAoc3RybmNtcChwb2xpY3ksIHRlc3RQ b2xpY3ksIHN0ckxlbikgPT0gMCkpDQorCQkgICAgKHN0cm5jbXAoKGNoYXIg Kilwb2xpY3ksIHRlc3RQb2xpY3ksIHN0ckxlbikgPT0gMCkpDQogCQl7DQog CQkgICAgZm91bmQgPSBUUlVFOyAvKiBuZWVkIHRvIGNvbnRpbnVlIHBhcnNp bmcgdGhlIHBvbGljeS4uLiAqLw0KIAkJICAgIGJyZWFrOw0KQEAgLTEwNyw3 ICsxMDcsNyBAQA0KICAgICB9DQogDQogICAgICpkYXRhX2xlbmd0aFAgPSBs 
ZW5ndGg7DQotICAgICpkYXRhUCA9IHBvbGljeTsNCisgICAgKmRhdGFQID0g KGNoYXIgKilwb2xpY3k7DQogICAgIHJldHVybiBUUlVFOw0KIH0NCiANCklu ZGV4OiBwcm9ncmFtcy9Yc2VydmVyL29zL3hkbWNwLmMNCmRpZmYgLXUgcHJv Z3JhbXMvWHNlcnZlci9vcy94ZG1jcC5jOjEuMS4xLjIgWDExL3hjL3Byb2dy YW1zL1hzZXJ2ZXIvb3MveGRtY3AuYzoxLjINCi0tLSBwcm9ncmFtcy9Yc2Vy dmVyL29zL3hkbWNwLmM6MS4xLjEuMglGcmkgSmFuICA4IDEwOjU2OjQ4IDE5 OTkNCisrKyBwcm9ncmFtcy9Yc2VydmVyL29zL3hkbWNwLmMJTW9uIEp1bCAx MCAxNToyNjowNyAyMDAwDQpAQCAtMSw1ICsxLDUgQEANCiAvKiAkWENvbnNv cnRpdW06IHhkbWNwLmMgL21haW4vMzQgMTk5Ni8xMi8wMiAxMDoyMzoyOSBs ZWhvcnMgJCAqLw0KLS8qICRYRnJlZTg2OiB4Yy9wcm9ncmFtcy9Yc2VydmVy L29zL3hkbWNwLmMsdiAzLjkuMi4xIDE5OTgvMTIvMTggMTE6NTY6MzQgZGF3 ZXMgRXhwICQgKi8NCisvKiAkWEZyZWU4NjogeGMvcHJvZ3JhbXMvWHNlcnZl ci9vcy94ZG1jcC5jLHYgMy45LjIuMiAyMDAwLzAyLzA4IDIwOjMyOjEyIGRh d2VzIEV4cCAkICovDQogLyoNCiAgKiBDb3B5cmlnaHQgMTk4OSBOZXR3b3Jr IENvbXB1dGluZyBEZXZpY2VzLCBJbmMuLCBNb3VudGFpbiBWaWV3LCBDYWxp Zm9ybmlhLg0KICAqDQpAQCAtMjkwLDcgKzI5MCwxMCBAQA0KIAlyZXR1cm4g KGkgKyAxKTsNCiAgICAgfQ0KICAgICBpZiAoc3RyY21wKGFyZ3ZbaV0sICIt cG9ydCIpID09IDApIHsNCi0JKytpOw0KKyAgICAgICAgaWYgKCsraSA9PSBh cmdjKSAgew0KKwkgICAgRXJyb3JGKCJYc2VydmVyOiBtaXNzaW5nIHBvcnQg bnVtYmVyIGluIGNvbW1hbmQgbGluZVxuIik7DQorCSAgICBleGl0KDEpOw0K Kwl9DQogCXhkbV91ZHBfcG9ydCA9IGF0b2koYXJndltpXSk7DQogCXJldHVy biAoaSArIDEpOw0KICAgICB9DQpAQCAtMzAwLDE4ICszMDMsMjggQEANCiAg ICAgfQ0KICAgICBpZiAoc3RyY21wKGFyZ3ZbaV0sICItY2xhc3MiKSA9PSAw KSB7DQogCSsraTsNCisgICAgICAgIGlmICgrK2kgPT0gYXJnYykgIHsNCisJ ICAgIEVycm9yRigiWHNlcnZlcjogbWlzc2luZyBjbGFzcyBuYW1lIGluIGNv bW1hbmQgbGluZVxuIik7DQorCSAgICBleGl0KDEpOw0KKwl9DQogCWRlZmF1 bHREaXNwbGF5Q2xhc3MgPSBhcmd2W2ldOw0KIAlyZXR1cm4gKGkgKyAxKTsN CiAgICAgfQ0KICNpZmRlZiBIQVNYRE1BVVRIDQogICAgIGlmIChzdHJjbXAo YXJndltpXSwgIi1jb29raWUiKSA9PSAwKSB7DQotCSsraTsNCisgICAgICAg IGlmICgrK2kgPT0gYXJnYykgIHsNCisJICAgIEVycm9yRigiWHNlcnZlcjog bWlzc2luZyBjb29raWUgZGF0YSBpbiBjb21tYW5kIGxpbmVcbiIpOw0KKwkg ICAgZXhpdCgxKTsNCisJfQ0KIAl4ZG1BdXRoQ29va2llID0gYXJndltpXTsN 
CiAJcmV0dXJuIChpICsgMSk7DQogICAgIH0NCiAjZW5kaWYNCiAgICAgaWYg KHN0cmNtcChhcmd2W2ldLCAiLWRpc3BsYXlJRCIpID09IDApIHsNCi0JKytp Ow0KKyAgICAgICAgaWYgKCsraSA9PSBhcmdjKSAgew0KKwkgICAgRXJyb3JG KCJYc2VydmVyOiBtaXNzaW5nIGRpc3BsYXlJRCBpbiBjb21tYW5kIGxpbmVc biIpOw0KKwkgICAgZXhpdCgxKTsNCisJfQ0KIAlYZG1jcFJlZ2lzdGVyTWFu dWZhY3R1cmVyRGlzcGxheUlEIChhcmd2W2ldLCBzdHJsZW4gKGFyZ3ZbaV0p KTsNCiAJcmV0dXJuIChpICsgMSk7DQogICAgIH0NCkluZGV4OiBwcm9ncmFt cy9Yc2VydmVyL3hrYi9kZHhMb2FkLmMNCmRpZmYgLXUgcHJvZ3JhbXMvWHNl cnZlci94a2IvZGR4TG9hZC5jOjEuMS4xLjMgWDExL3hjL3Byb2dyYW1zL1hz ZXJ2ZXIveGtiL2RkeExvYWQuYzoxLjINCi0tLSBwcm9ncmFtcy9Yc2VydmVy L3hrYi9kZHhMb2FkLmM6MS4xLjEuMwlTYXQgTm92IDI4IDAxOjQ5OjEzIDE5 OTgNCisrKyBwcm9ncmFtcy9Yc2VydmVyL3hrYi9kZHhMb2FkLmMJTW9uIEp1 bCAxMCAxNToyODoxMCAyMDAwDQpAQCAtMjQsNyArMjQsNyBAQA0KIFRIRSBV U0UgT1IgUEVSRk9STUFOQ0UgT0YgVEhJUyBTT0ZUV0FSRS4NCiANCiAqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKi8NCi0vKiAkWEZyZWU4NjogeGMvcHJvZ3JhbXMvWHNlcnZlci94 a2IvZGR4TG9hZC5jLHYgMy4xOS4yLjMgMTk5OC8wOS8yNyAxMjo1OToyOSBo b2huZGVsIEV4cCAkICovDQorLyogJFhGcmVlODY6IHhjL3Byb2dyYW1zL1hz ZXJ2ZXIveGtiL2RkeExvYWQuYyx2IDMuMTkuMi40IDIwMDAvMDYvMTUgMjM6 MjQ6MDcgZGF3ZXMgRXhwICQgKi8NCiANCiAjaW5jbHVkZSA8c3RkaW8uaD4N CiAjaW5jbHVkZSA8Y3R5cGUuaD4NCkBAIC0xMzksMTAgKzEzOSw4IEBADQog CQkrc3RybGVuKGZpbGUpK3N0cmxlbih4a21fb3V0cHV0X2RpcikNCiAJCStz dHJsZW4ob3V0RmlsZSkrNTMgPiBQQVRIX01BWCkNCiAJew0KLSNpZmRlZiBE RUJVRw0KIAkgICAgRXJyb3JGKCJjb21waWxlciBjb21tYW5kIGZvciBrZXlt YXAgKCVzKSBleGNlZWRzIG1heCBsZW5ndGhcbiIsDQogCQkJCQkJCQluYW1l cy0+a2V5bWFwKTsNCi0jZW5kaWYNCiAJICAgIHJldHVybiBGYWxzZTsNCiAJ fQ0KICNpZm5kZWYgX19FTVhfXw0KQEAgLTE2OSwxMCArMTY3LDggQEANCiAJ CStzdHJsZW4oZmlsZSkrc3RybGVuKHhrbV9vdXRwdXRfZGlyKQ0KIAkJK3N0 cmxlbihvdXRGaWxlKSs0OSA+IFBBVEhfTUFYKQ0KIAl7DQotI2lmZGVmIERF QlVHDQogICAgICAgICAgICAgRXJyb3JGKCJjb21waWxlciBjb21tYW5kIGZv ciBrZXltYXAgKCVzKSBleGNlZWRzIG1heCBsZW5ndGhcbiIsDQogCQkJCQkJ CW5hbWVzLT5rZXltYXApOw0KLSNlbmRpZg0KIAkgICAgcmV0dXJuIEZhbHNl 
Ow0KIAl9DQogCXNwcmludGYoY21kLCJ4a2Jjb21wIC13ICVkIC14a20gJXMl cyAtZW0xICVzIC1lbXAgJXMgLWVtbCAlcyBrZXltYXAvJXMgJXMlcy54a20i LA0KQEAgLTIzNiw2ICsyMzIsMTAgQEANCiAJc3ByaW50ZihrZXltYXAsInNl cnZlci0lcyIsZGlzcGxheSk7DQogICAgIH0NCiAgICAgZWxzZSB7DQorCWlm IChzdHJsZW4obmFtZXMtPmtleW1hcCkgPiBQQVRIX01BWCAtIDEpIHsNCisJ ICAgIEVycm9yRigibmFtZSBvZiBrZXltYXAgKCVzKSBleGNlZWRzIG1heCBs ZW5ndGhcbiIsIG5hbWVzLT5rZXltYXApOw0KKwkgICAgcmV0dXJuIEZhbHNl Ow0KKwl9DQogCXN0cmNweShrZXltYXAsbmFtZXMtPmtleW1hcCk7DQogICAg IH0NCiANCkBAIC0yNTQsMTAgKzI1NCw4IEBADQogCQkrc3RybGVuKFBPU1Rf RVJST1JfTVNHMSkrc3RybGVuKHhrbV9vdXRwdXRfZGlyKQ0KIAkJK3N0cmxl bihrZXltYXApKzQ4ID4gUEFUSF9NQVgpDQogCXsNCi0jaWZkZWYgREVCVUcN CiAgICAgICAgICAgICBFcnJvckYoImNvbXBpbGVyIGNvbW1hbmQgZm9yIGtl eW1hcCAoJXMpIGV4Y2VlZHMgbWF4IGxlbmd0aFxuIiwNCiAJCQkJCQkJbmFt ZXMtPmtleW1hcCk7DQotI2VuZGlmDQogCSAgICByZXR1cm4gRmFsc2U7DQog CX0NCiAjaWZuZGVmIFdJTjMyDQpAQCAtMjk0LDEwICsyOTIsOCBAQA0KIAkJ K3N0cmxlbihFUlJPUl9QUkVGSVgpK3N0cmxlbihQT1NUX0VSUk9SX01TRzEp DQogCQkrc3RybGVuKHhrbV9vdXRwdXRfZGlyKStzdHJsZW4oa2V5bWFwKSs0 NCA+IFBBVEhfTUFYKQ0KIAl7DQotI2lmZGVmIERFQlVHDQogICAgICAgICAg ICAgRXJyb3JGKCJjb21waWxlciBjb21tYW5kIGZvciBrZXltYXAgKCVzKSBl eGNlZWRzIG1heCBsZW5ndGhcbiIsDQogCQkJCQkJCW5hbWVzLT5rZXltYXAp Ow0KLSNlbmRpZg0KIAkgICAgcmV0dXJuIEZhbHNlOw0KIAl9DQogI2lmbmRl ZiBXSU4zMg0KSW5kZXg6IHByb2dyYW1zL1hzZXJ2ZXIveGtiL3hrYkluaXQu Yw0KZGlmZiAtdSBwcm9ncmFtcy9Yc2VydmVyL3hrYi94a2JJbml0LmM6MS4x LjEuMiBYMTEveGMvcHJvZ3JhbXMvWHNlcnZlci94a2IveGtiSW5pdC5jOjEu Mw0KLS0tIHByb2dyYW1zL1hzZXJ2ZXIveGtiL3hrYkluaXQuYzoxLjEuMS4y CVNhdCBNYXIgIDcgMDk6MjE6NTUgMTk5OA0KKysrIHByb2dyYW1zL1hzZXJ2 ZXIveGtiL3hrYkluaXQuYwlNb24gSnVsIDEwIDE1OjI4OjEwIDIwMDANCkBA IC0yNCw3ICsyNCw3IEBADQogVEhFIFVTRSBPUiBQRVJGT1JNQU5DRSBPRiBU SElTIFNPRlRXQVJFLg0KIA0KICoqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqLw0KLS8qICRYRnJlZTg2 OiB4Yy9wcm9ncmFtcy9Yc2VydmVyL3hrYi94a2JJbml0LmMsdiAzLjEyLjIu MiAxOTk4LzAyLzI0IDEzOjIwOjA3IGRhd2VzIEV4cCAkICovDQorLyogJFhG 
cmVlODY6IHhjL3Byb2dyYW1zL1hzZXJ2ZXIveGtiL3hrYkluaXQuYyx2IDMu MTIuMi4zIDIwMDAvMDYvMTUgMjE6NTg6MzQgZGF3ZXMgRXhwICQgKi8NCiAN CiAjaW5jbHVkZSA8c3RkaW8uaD4NCiAjaW5jbHVkZSA8c3RkbGliLmg+DQpA QCAtOTE1LDggKzkxNSwxMyBAQA0KICNlbmRpZg0KICAgICBlbHNlIGlmIChz dHJuY21wKGFyZ3ZbaV0sICIteGtibWFwIiwgNykgPT0gMCkgew0KIAlpZigr K2kgPCBhcmdjKSB7DQotCSAgICBYa2JJbml0aWFsTWFwPSBhcmd2W2ldOw0K LQkgICAgcmV0dXJuIDI7DQorCSAgICBpZiAoc3RybGVuKGFyZ3ZbaV0pIDwg UEFUSF9NQVgpIHsNCisJCVhrYkluaXRpYWxNYXA9IGFyZ3ZbaV07DQorCQly ZXR1cm4gMjsNCisJICAgIH0gZWxzZSB7DQorCQlFcnJvckYoIi14a2JtYXAg cGF0aG5hbWUgdG9vIGxvbmdcbiIpOw0KKwkJcmV0dXJuIC0xOw0KKwkgICAg fQ0KIAl9DQogCWVsc2Ugew0KIAkgICAgcmV0dXJuIC0xOw0KQEAgLTkyNCw4 ICs5MjksMTMgQEANCiAgICAgfQ0KICAgICBlbHNlIGlmIChzdHJuY21wKGFy Z3ZbaV0sICIteGtiZGIiLCA3KSA9PSAwKSB7DQogCWlmKCsraSA8IGFyZ2Mp IHsNCi0JICAgIFhrYkRCPSBhcmd2W2ldOw0KLQkgICAgcmV0dXJuIDI7DQor CSAgICBpZiAoc3RybGVuKGFyZ3ZbaV0pIDwgUEFUSF9NQVgpIHsNCisJCVhr YkRCPSBhcmd2W2ldOw0KKwkJcmV0dXJuIDI7DQorCSAgICB9IGVsc2Ugew0K KwkJRXJyb3JGKCIteGtiZGIgcGF0aG5hbWUgdG9vIGxvbmdcbiIpOw0KKwkJ cmV0dXJuIC0xOw0KKwkgICAgfQ0KIAl9DQogCWVsc2Ugew0KIAkgICAgcmV0 dXJuIC0xOw0KSW5kZXg6IHByb2dyYW1zL3hmcy9vcy93YWl0Zm9yLmMNCmRp ZmYgLXUgcHJvZ3JhbXMveGZzL29zL3dhaXRmb3IuYzoxLjEgWDExL3hjL3By b2dyYW1zL3hmcy9vcy93YWl0Zm9yLmM6MS4yDQotLS0gcHJvZ3JhbXMveGZz L29zL3dhaXRmb3IuYzoxLjEJRnJpIFNlcCAgNSAwMzoxNjowNyAxOTk3DQor KysgcHJvZ3JhbXMveGZzL29zL3dhaXRmb3IuYwlNb24gSnVsIDEwIDE1OjMy OjM4IDIwMDANCkBAIC0xLDUgKzEsNSBAQA0KIC8qICRYQ29uc29ydGl1bTog d2FpdGZvci5jIC9tYWluLzE1IDE5OTYvMDgvMzAgMTQ6MjI6MzQga2FsZWIg JCAqLw0KLS8qICRYRnJlZTg2OiB4Yy9wcm9ncmFtcy94ZnMvb3Mvd2FpdGZv ci5jLHYgMy41IDE5OTcvMDEvMTggMDc6MDI6NDggZGF3ZXMgRXhwICQgKi8N CisvKiAkWEZyZWU4NjogeGMvcHJvZ3JhbXMveGZzL29zL3dhaXRmb3IuYyx2 IDMuNS4yLjEgMjAwMC8wNi8xNSAyMTo1ODozNSBkYXdlcyBFeHAgJCAqLw0K IC8qDQogICogd2FpdHMgZm9yIGlucHV0DQogICovDQpAQCAtMjEyLDcgKzIx Miw3IEBADQogCSAgICB3aGlsZSAoY2xpZW50c1JlYWRhYmxlLmZkc19iaXRz W2ldKSB7DQogCQljdXJjbGllbnQgPSBmZnMoY2xpZW50c1JlYWRhYmxlLmZk 
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Sep 23 20:43:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 50B6537B422 for ; Sat, 23 Sep 2000 20:43:26 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 23 Sep 2000 20:42:11 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8O3hJw54045; Sat, 23 Sep 2000 20:43:19 -0700 (PDT) (envelope-from cjc)
Date: Sat, 23 Sep 2000 20:43:19 -0700
From: "Crist J . Clark"
To: Mitch Collinsworth
Cc: Gerhard Sittig, security@FreeBSD.ORG
Subject: Re: sendmail default run state
Message-ID: <20000923204319.D42636@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20000923145557.G5065@speedy.gsinet>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from mitch@ccmr.cornell.edu on Sat, Sep 23, 2000 at 10:54:54AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Sep 23, 2000 at 10:54:54AM -0400, Mitch Collinsworth wrote:
> On Sat, 23 Sep 2000, Gerhard Sittig wrote:
[snip]
> > fetchmail delivers by default to a SMTP server. But it could be
> > run as well in MDA mode -- although I never used it this way.
>
> We do.

Me too. Errr, well, I have. I have a listener on right now. On the
notebook when I dialup, I grab mail with fetchmail and send it straight
to procmail. Here's the line in the .fetchmailrc,

  # Go straight to procmail(1), do not use sendmail(8)
  mda "/usr/local/bin/procmail -d %T"

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sat Sep 23 21:29:56 2000
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 23E3B37B43E for ; Sat, 23 Sep 2000 21:29:53 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA25743; Sat, 23 Sep 2000 22:27:56 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000923222349.04919900@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sat, 23 Sep 2000 22:27:54 -0600
To: Wes Peters, Drew Derbyshire
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults!
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <39CC5820.27C06E6F@softweyr.com>
References: <39CB4C42.1A59669C@kew.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 01:13 AM 9/23/2000, Wes Peters wrote:
>Drew Derbyshire wrote:
> >
> > > Neil Blakey-Milner wrote:
> > > Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST
> > > PEOPLE WANT THEM THAT WAY?
> >
> > Did you take a survey?
>
>Yes. The lack of complaints from anybody other than Brett Glass constitutes
>our unofficial, non-scientific survey.

You forget: I wasn't the one who started this thread. I merely indicated
my agreement.

> > Most people also want a secure system. Don't even get me started about
> > rlogin/rsh being on by default in /etc/inetd.conf.
>
>Most people wouldn't know a secure system if it bit them in the nose.

It's sad how many arguments for NOT improving FreeBSD are based on what I
can only call hacker elitism. Of COURSE a super-experienced hacker can
deal with a user-hostile install, secure the system manually, etc. given
lots of time and knowledge. So?

> > IMHO, many people wouldn't know NFS if it bit them in the nose.
>
>Funny, every place I've worked for the past 15 years has used NFS quite
>extensively. Oh, but then, I've been working in UNIX shops for quite
>some time.

I have worked with UNIX since 1977, and rarely use NFS. At least in part
because it stands for "No File Security...."

--Brett Glass

SOCIAL SECURITY: I say we scrap the current system and replace it with a
system wherein you add your name to the bottom of a list, and then you
send some money to the person at the top of the list, and then you....
Oh, wait, that IS our current system. -- Dave Barry

From owner-freebsd-security Sat Sep 23 21:34:48 2000
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 6390737B424 for ; Sat, 23 Sep 2000 21:34:46 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA25794; Sat, 23 Sep 2000 22:34:29 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000923223152.04470e70@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sat, 23 Sep 2000 22:34:23 -0600
To: Gerhard Sittig, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: sendmail default run state
In-Reply-To: <20000923145557.G5065@speedy.gsinet>
References: <200009222118.e8MLId117503@orthanc.ab.ca> <20000922222026.A33410@mithrandr.moria.org> <200009222118.e8MLId117503@orthanc.ab.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 06:55 AM 9/23/2000, Gerhard Sittig wrote:
>Are you sure of the above facts? IIRC _any_ UNIX MUA will use
>the sendmail command line interface (/usr/sbin/sendmail) for
>outgoing mail. Only MTAs talk SMTP.

Many -- in fact most -- MUAs talk SMTP. And for good reason: it's
universal. You can talk to either the local machine OR a remote machine
that way, while going through local sendmail requires extra code.

--Brett

From owner-freebsd-security Sat Sep 23 22:14:37 2000
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E509637B42C for ; Sat, 23 Sep 2000 22:14:34 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id XAA18501; Sat, 23 Sep 2000 23:14:33 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id XAA09239; Sat, 23 Sep 2000 23:14:32 -0600 (MDT)
Message-Id: <200009240514.XAA09239@harmony.village.org>
To: Gerhard Sittig
Subject: Re: sendmail default run state
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 23 Sep 2000 14:55:57 +0200." <20000923145557.G5065@speedy.gsinet>
References: <20000923145557.G5065@speedy.gsinet> <20000922222026.A33410@mithrandr.moria.org> <200009222118.e8MLId117503@orthanc.ab.ca>
Date: Sat, 23 Sep 2000 23:14:32 -0600
From: Warner Losh

In message <20000923145557.G5065@speedy.gsinet> Gerhard Sittig writes:
: Are you sure of the above facts? IIRC _any_ UNIX MUA will use
: the sendmail command line interface (/usr/sbin/sendmail) for
: outgoing mail. Only MTAs talk SMTP.

MH talks directly to the smtp port when sending mail and bad things
happen if no SMTP daemon is running.

Warner

From owner-freebsd-security Sat Sep 23 22:40:25 2000
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 496DA37B424 for ; Sat, 23 Sep 2000 22:40:22 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 13d4am-0000oK-00; Sat, 23 Sep 2000 23:44:48 -0600
Message-ID: <39CD94D0.693C453C@softweyr.com>
Date: Sat, 23 Sep 2000 23:44:48 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 4.1-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: cjclark@alum.mit.edu
Cc: Neil Blakey-Milner, Brett Glass, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
References: <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <39CA8E45.7DA45048@softweyr.com> <4.3.2.7.2.20000921182152.046d6ee0@localhost> <20000922103446.A25222@mithrandr.moria.org> <20000922221024.F367@149.211.6.64.reflexcom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

"Crist J . Clark" wrote:
>
> On Fri, Sep 22, 2000 at 10:34:46AM +0200, Neil Blakey-Milner wrote:
> [snip]
> > email clients use sendmail to send mail. If sendmail isn't running, it
> > doesn't queue. We'll just lose that mail to a black hole. That isn't
> > obvious.
>
> sendmail does queue unsent mail. It is not lost. The queue can be
> processed manually (or from a crontab) by running,
>
> $ sendmail -q

And periodically, without accepting incoming mail, with -q30m.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                  Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/